├── README.md ├── Mars-V8 ├── strings.txt └── ALL_in_One.py ├── Matanbuchus ├── APIs.txt ├── dll_exports.py ├── API_resolve.py ├── strings.txt └── Decrypt_Strings.py ├── Revil 2.08 ├── dll_exports.py ├── API_resolve.py ├── Decrypt_Strings.py └── strings.txt ├── PivateLoader ├── loader_ component_strings.txt ├── PrivateLoader.py └── main_component_strings.txt ├── Squirrelwaffle ├── Decrypt_Strings.py └── strings.txt ├── Statc Stealer ├── Statc_Stealer.py └── strings.txt └── Badspace └── badspace.py /README.md: -------------------------------------------------------------------------------- 1 | # Malware-IDAPython-Scripts 2 | 3 | IDAPython scripts I use to automate analysis. 4 | -------------------------------------------------------------------------------- /Mars-V8/strings.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/X-Junior/Malware-IDAPython-Scripts/HEAD/Mars-V8/strings.txt -------------------------------------------------------------------------------- /Matanbuchus/APIs.txt: -------------------------------------------------------------------------------- 1 | ['GetTickCount64', 'lstrcatA', 'MessageBoxA', 'HeapFree', 'Sleep', 'CreateMutexA', 'PathFileExistsA', 'CreateProcessA', 'InternetCloseHandle', 'GetLastError', 'InternetCheckConnectionA', 'LoadLibraryA', 'WaitForSingleObject', 'WriteFile', 'lstrcpyA', 'InternetReadFile', 'lstrlenA', 'CreateDirectoryA', 'Beep', 'PathIsDirectoryA', 'K32EnumProcesses', 'InternetOpenA', 'GetModuleHandleA', 'ExitProcess', 'InternetOpenUrlA', 'ExpandEnvironmentStringsA', 'CloseHandle'] -------------------------------------------------------------------------------- /Matanbuchus/dll_exports.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pefile 3 | import json 4 | 5 | INTERESTING_DLLS = [ 6 | 'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', 7 | 'gdi32.dll', 'msvcrt.dll', 
'netapi32.dll', 'ntdll.dll', 8 | 'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', 9 | 'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', 10 | 'winhttp.dll', 'wininet.dll', 'ws2_32.dll', 'wship6.dll', 11 | 'advpack.dll', 'rstrtmgr.dll', 'combase.dll', 'mpr.dll', 12 | 'crypt32.dll','KERNELBASE.dll', 'iphlpapi.dll', 'activeds.dll', 13 | 'wow64cpu.dll', 'wtsapi32.dll', 'shcore.dll', 'ole32.dll', 14 | 'ucrtbase.dll', 'sechost.dll', 'winspool.drv' 15 | ] 16 | 17 | exports_list = [] 18 | 19 | for filename in os.listdir("C:\\Windows\\System32"): 20 | if filename.lower() in INTERESTING_DLLS: 21 | pe = pefile.PE("C:\\Windows\\System32\\" + filename) 22 | for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: 23 | try: 24 | exports_list.append(exp.name.decode('utf-8')) 25 | except: 26 | continue 27 | 28 | exports_json = {'exports': exports_list} 29 | open('exports.json', 'w').write(json.dumps(exports_json)) -------------------------------------------------------------------------------- /Revil 2.08/dll_exports.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pefile 3 | import json 4 | 5 | INTERESTING_DLLS = [ 6 | 'kernel32.dll', 'comctl32.dll', 'advapi32.dll', 'comdlg32.dll', 7 | 'gdi32.dll', 'msvcrt.dll', 'netapi32.dll', 'ntdll.dll', 8 | 'ntoskrnl.exe', 'oleaut32.dll', 'psapi.dll', 'shell32.dll', 9 | 'shlwapi.dll', 'srsvc.dll', 'urlmon.dll', 'user32.dll', 10 | 'winhttp.dll', 'wininet.dll', 'ws2_32.dll', 'wship6.dll', 11 | 'advpack.dll', 'rstrtmgr.dll', 'combase.dll', 'mpr.dll', 12 | 'crypt32.dll','KERNELBASE.dll', 'iphlpapi.dll', 'activeds.dll', 13 | 'wow64cpu.dll', 'wtsapi32.dll', 'shcore.dll', 'ole32.dll', 14 | 'ucrtbase.dll', 'sechost.dll', 'winspool.drv' 15 | ] 16 | 17 | exports_list = [] 18 | 19 | for filename in os.listdir("C:\\Windows\\System32"): 20 | if filename.lower() in INTERESTING_DLLS: 21 | pe = pefile.PE("C:\\Windows\\System32\\" + filename) 22 | for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: 
23 | try: 24 | exports_list.append(exp.name.decode('utf-8')) 25 | except: 26 | continue 27 | 28 | exports_json = {'exports': exports_list} 29 | open('exports.json', 'w').write(json.dumps(exports_json)) -------------------------------------------------------------------------------- /PivateLoader/loader_ component_strings.txt: -------------------------------------------------------------------------------- 1 | ['GetCurrentProcess', 'CreateThread', 'CreateFileA', 'Sleep', 'SetPriorityClass', 'Shell32.dll', 'SHGetFolderPathA', 'null', 'rb', 'http://212.193.30.45/proxies.txt', ':1080\n', ':1080', ':...', '.', 'http://45.144.225.57/server.txt', 'HOST:', ':', 'pastebin.com/raw/A7dSG1te', 'HOST:', 'HOST:', 'http://wfsdragon.ru/api/setStats.php', 'HOST:', ':', '2.56.59.42', '/base/api/statistics.php', 'URL:', ':', 'https://', '.tmp','\\', 'kernel32.dll', 'WINHTTP.dll', 'wininet.dll', 'Winhttp.dll', 'WinHttpConnect', 'WinHttpOpenRequest', 'WinHttpQueryDataAvailable', 'WinHttpSendRequest', 'WinHttpReceiveResponse', 'WinHttpQueryHeaders', 'WinHttpOpen', 'WinHttpReadData', 'WinHttpCloseHandle', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36', 'http://', '/', '?', 'HEAD', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36', 'wininet.dll', 'InternetSetOptionA', 'HttpOpenRequestA', 'InternetConnectA', 'InternetOpenUrlA', 'InternetOpenA', 'HttpQueryInfoA', 'InternetQueryOptionA', 'HttpSendRequestA', 'InternetReadFile', 'InternetCloseHandle', 'Kernel32.dll,'HeapAlloc', 'HeapFree', 'GetProcessHeap', 'CharNextA', 'User32.dll', 'GetLastError', 'CreateFileA', 'WriteFile', 'CloseHandle'] -------------------------------------------------------------------------------- /Matanbuchus/API_resolve.py: -------------------------------------------------------------------------------- 1 | import json 2 | import idaapi 3 | import idc 4 | import idautils 5 | import 
ida_funcs 6 | from fnvhash import fnv1a_32 7 | 8 | # shout-out to cdong1012 https://github.com/cdong1012/IDAPython-Malware-Scripts/blob/master/Matanbuchus/API_resolve.py 9 | 10 | def hashing(name): 11 | return fnv1a_32(name.encode('utf-8')) 12 | 13 | 14 | def setup(json_file): 15 | global export_hashes 16 | exports_json = json.loads(open(json_file, 'rb').read()) 17 | exports_list = exports_json['exports'] 18 | for export in exports_list: 19 | api_hash = hashing(export) 20 | export_hashes[api_hash] = export 21 | 22 | 23 | def resolve_all_APIs(resolve_ea): 24 | global export_hashes 25 | 26 | for ref in idautils.XrefsTo(resolve_ea): 27 | ea = ref.frm 28 | API_hash = 0 29 | 30 | while True: 31 | prev_instruction_ea = idc.prev_head(ea) 32 | if idc.print_insn_mnem(prev_instruction_ea) == 'push': 33 | API_hash = idc.get_operand_value(prev_instruction_ea, 0) 34 | break 35 | ea = prev_instruction_ea 36 | 37 | if API_hash in export_hashes: 38 | idc.set_cmt(ref.frm, export_hashes[API_hash], 0) 39 | parent_func_ea = idaapi.get_func(ref.frm).start_ea 40 | idaapi.set_name(parent_func_ea, 'get_' +export_hashes[API_hash], idaapi.SN_FORCE) 41 | return 42 | 43 | 44 | export_hashes = {} 45 | setup('exports.json') 46 | 47 | resolve_all_APIs(0x100083C0) -------------------------------------------------------------------------------- /Squirrelwaffle/Decrypt_Strings.py: -------------------------------------------------------------------------------- 1 | import idautils , idc, idaapi, ida_search, ida_bytes, ida_auto 2 | import struct 3 | 4 | 5 | 6 | def set_hexrays_comment(address, text): 7 | ''' 8 | set comment in decompiled code 9 | ''' 10 | 11 | cfunc = idaapi.decompile(address) 12 | tl = idaapi.treeloc_t() 13 | tl.ea = address 14 | tl.itp = idaapi.ITP_SEMI 15 | cfunc.set_user_cmt(tl, text) 16 | cfunc.save_user_cmts() 17 | 18 | 19 | def set_comment(address, text): 20 | ## Set in dissassembly 21 | idc.set_cmt(address, text,0) 22 | ## Set in decompiled data 23 | 
set_hexrays_comment(address, text) 24 | 25 | def Xor(data , key): 26 | res = "" 27 | for i in range(len(data)): 28 | res += chr(data[i] ^key[i%len(key)]) 29 | return res 30 | 31 | 32 | def get_data(ea): 33 | 34 | addrs = [] 35 | while 1: 36 | ea = idc.prev_head(ea) 37 | 38 | if (idc.print_insn_mnem(ea) == "push") and idc.get_operand_type(ea, 0) == idc.o_imm: 39 | addrs.append((idc.get_operand_value(ea, 0))) 40 | 41 | if len(addrs) == 4: 42 | key = idc.get_strlit_contents(addrs[0]) 43 | data_length = addrs[3] 44 | enc_data = idc.get_bytes(addrs[2],data_length) 45 | break 46 | 47 | if key ==b'KJKLO': # c2 decryption key 48 | return "" , "" 49 | 50 | return enc_data , key 51 | 52 | 53 | 54 | fun_addr = 0x005819B0 # decryption function address 55 | 56 | for ref in idautils.XrefsTo(fun_addr): 57 | 58 | enc_data , key = get_data(ref.frm) 59 | 60 | if enc_data!= "" and key != "": 61 | decrypted_string = Xor(enc_data,key) 62 | set_comment(ref.frm, decrypted_string) 63 | -------------------------------------------------------------------------------- /Matanbuchus/strings.txt: -------------------------------------------------------------------------------- 1 | ['%PROCESSOR_LEVEL%\\', 'Shell32.dll', 'C:\\Windows\\System32\\schtasks.exe', '%PROCESSOR_REVISION%', 'rundll32.exe', 'regsvr32.exe', 'IPHLPAPI.DLL', '.ocx', 'Dll Uinstall', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml', 'WS2_32.dll', 'UnregisterServer', 'USER32.dll', '"', '%ProgramData%\\', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml', 'Wininet.dll', 'Shlwapi.dll', 'mXsAh2WNWB', ' /TR "%windir%\\system32\\regsvr32.exe -e ', ' /TR "%windir%\\system32\\regsvr32.exe -e ', 'WS2_32.dll', '%COMPUTERNAME%', 'Shell32.dll', 'Wininet.dll', 'Shlwapi.dll', 'IPHLPAPI.DLL', 'C:\\Windows\\System32\\schtasks.exe', 'USER32.dll', '"', '%PROGRAMFILES%\\Opera\\Opera.exe', 
'"C:\\Windows\\system32\\schtasks.exe" /Create /SC MINUTE /MO 3 /TN ', 'DllRegisterServer', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml']['%PROCESSOR_LEVEL%\\', 'Shell32.dll', 'C:\\Windows\\System32\\schtasks.exe', '%PROCESSOR_REVISION%', 'rundll32.exe', 'regsvr32.exe', 'IPHLPAPI.DLL', '.ocx', 'Dll Uinstall', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml', 'WS2_32.dll', 'UnregisterServer', 'USER32.dll', '"', '%ProgramData%\\', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml', 'Wininet.dll', 'Shlwapi.dll', 'mXsAh2WNWB', ' /TR "%windir%\\system32\\regsvr32.exe -e ', ' /TR "%windir%\\system32\\regsvr32.exe -e ', 'WS2_32.dll', '%COMPUTERNAME%', 'Shell32.dll', 'Wininet.dll', 'Shlwapi.dll', 'IPHLPAPI.DLL', 'C:\\Windows\\System32\\schtasks.exe', 'USER32.dll', '"', '%PROGRAMFILES%\\Opera\\Opera.exe', '"C:\\Windows\\system32\\schtasks.exe" /Create /SC MINUTE /MO 3 /TN ', 'DllRegisterServer', 'https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml']['GetTickCount64', 'lstrcatA', 'MessageBoxA', 'HeapFree', 'Sleep', 'CreateMutexA', 'PathFileExistsA', 'CreateProcessA', 'InternetCloseHandle', 'GetLastError', 'InternetCheckConnectionA', 'LoadLibraryA', 'WaitForSingleObject', 'WriteFile', 'lstrcpyA', 'InternetReadFile', 'lstrlenA', 'CreateDirectoryA', 'Beep', 'PathIsDirectoryA', 'K32EnumProcesses', 'InternetOpenA', 'GetModuleHandleA', 'ExitProcess', 'InternetOpenUrlA', 'ExpandEnvironmentStringsA', 'CloseHandle'] -------------------------------------------------------------------------------- /Revil 2.08/API_resolve.py: -------------------------------------------------------------------------------- 1 | import json 2 | import idaapi 3 | import idc 4 | import idautils 5 | import ida_funcs 6 | 7 | 8 | def get_api_hash(fn_name): 9 | result = 0x2b 10 | for c in fn_name: 11 | result = ord(c) + 0x10f * result 12 | return 
result & 0x1FFFFF 13 | 14 | 15 | def transform_hash(api_hash): 16 | result =api_hash ^ (api_hash << 16) ^ 0x97E81919 17 | return result & 0x1fffff 18 | 19 | 20 | 21 | def setup(json_file): 22 | global export_hashes 23 | exports_json = json.loads(open(json_file, 'rb').read()) 24 | exports_list = exports_json['exports'] 25 | for export in exports_list: 26 | api_hash = get_api_hash(export) 27 | export_hashes[api_hash] = export 28 | 29 | 30 | def resolve(base_address): 31 | global export_hashes 32 | for ptr in range(0,0x30c,4): 33 | hash_value = idc.get_wide_dword(base_address + ptr) 34 | api_name = export_hashes[transform_hash(hash_value)] 35 | idc.set_name(base_address + ptr,api_name ,SN_NOWARN) 36 | export_hashes = {} 37 | setup('exports.json') 38 | 39 | #resolve(0x00414D90) 40 | 41 | def resolve_with_pattern(): 42 | global export_hashes 43 | 44 | seg_mapping = {idaapi.getseg(x).name: (idaapi.getseg(x).start_ea, idaapi.getseg(x).end_ea) for x in idautils.Segments()} 45 | start = seg_mapping[0x1][0] 46 | end = seg_mapping[0x1][1] 47 | 48 | api_hashing_func_pattern = " 8B ?? C1 ?? 10 33 ?? B9 B9 04 00 00 81 ?? 19 19 E8 97 8B ?? C1 ?? 
15 " # a1 ^ (a1 << 16) ^ 0x97E81919 49 | api_hashing_func= ida_search.find_binary(start, end, api_hashing_func_pattern, 16, idc.SEARCH_DOWN) 50 | api_hashing_func = idaapi.get_func(api_hashing_func).start_ea 51 | print('[*] Traget fucntion found at {}'.format(hex(api_hashing_func))) 52 | 53 | for ref in idautils.XrefsTo(api_hashing_func): 54 | 55 | addr = ref.frm 56 | temp_addr = idc.prev_head(addr) 57 | 58 | if (idc.print_insn_mnem(temp_addr) == "push"): 59 | temp_addr = idc.prev_head(temp_addr) 60 | hash_val = idc.get_operand_value(temp_addr,1) 61 | api_name = export_hashes[transform_hash(hash_val)] 62 | idc.set_cmt(temp_addr, api_name, 1) 63 | 64 | else: 65 | hash_addresses = idc.get_operand_value(idc.prev_head(addr),1) 66 | resolve(hash_addresses) 67 | 68 | 69 | resolve_with_pattern() 70 | 71 | -------------------------------------------------------------------------------- /Matanbuchus/Decrypt_Strings.py: -------------------------------------------------------------------------------- 1 | import idautils , idc, idaapi, ida_search, ida_bytes, ida_auto 2 | import struct 3 | 4 | exclued_addr = [] 5 | decrypt_addrs_dict = {} 6 | 7 | 8 | def set_hexrays_comment(address, text): 9 | ''' 10 | set comment in decompiled code 11 | ''' 12 | cfunc = idaapi.decompile(address) 13 | 14 | tl = idaapi.treeloc_t() 15 | tl.ea = address 16 | tl.itp = idaapi.ITP_SEMI 17 | cfunc.set_user_cmt(tl, text) 18 | cfunc.save_user_cmts() 19 | 20 | 21 | def set_comment(address, text): 22 | ## Set in dissassembly 23 | idc.set_cmt(address, text,0) 24 | ## Set in decompiled data 25 | set_hexrays_comment(address, text) 26 | 27 | def getref(ea): 28 | for ref in idautils.XrefsTo(int(ea,16)): 29 | return ref.frm 30 | 31 | fun_addr = 0x100077D0 # decryption fucntion address 32 | 33 | def setup_dict(): 34 | for ref in idautils.XrefsTo(fun_addr): 35 | ea = ref.frm 36 | addr = idc.get_func_name(ea).replace("sub_","0x") 37 | addr = getref(addr) 38 | addr = idc.get_func_name(addr).replace("sub_","0x") 39 
| addr = getref(addr) 40 | decrypt_addrs_dict[hex(addr)] = hex(ea) 41 | setup_dict() 42 | 43 | 44 | def decrypt(encrypted_buffer,key): 45 | data = "" 46 | for i in range(len(encrypted_buffer)): 47 | data += chr(encrypted_buffer[i]^((key >> (8 * (i % 8))) & 0xFF)) 48 | return data.replace('\x00','') 49 | 50 | 51 | def get_encrypted_buffer(ea,end , length): 52 | encrypted_buffer = [] 53 | for i in range(length+1): 54 | if (idc.print_insn_mnem(ea) == "mov") and (idc.get_operand_type(ea, 0) == idc.o_displ) and (idc.get_operand_type(ea, 1) == idc.o_imm): 55 | encrypted_buffer.append(idc.get_operand_value(ea, 1)) 56 | exclued_addr.append(hex(ea)) 57 | ea = idc.next_head(ea, end) 58 | return encrypted_buffer 59 | 60 | 61 | def get_16byte_decryption_key(ea): 62 | 63 | addrs = [] 64 | while len(addrs)!= 4: 65 | 66 | ea = idc.prev_head(ea) 67 | if (idc.print_insn_mnem(ea) == "push") and idc.get_operand_type(ea, 0) == idc.o_imm: 68 | addrs.append((idc.get_operand_value(ea, 0))) 69 | 70 | length = hex(addrs[0]) 71 | hexkey0_8 = "0x"+"0"*(8-len(hex(addrs[3])[2:]))+hex(addrs[3])[2:] 72 | hexkey8_16 = "0"*(8-len(hex(addrs[2])[2:]))+hex(addrs[2])[2:] 73 | key = hexkey0_8 + hexkey8_16 74 | return length , key 75 | 76 | 77 | 78 | pattern = "C6 45 ?? ?? C6 45 ?? ??" 
# encrypted data 79 | 80 | seg_mapping = {idaapi.getseg(x).name: (idaapi.getseg(x).start_ea, idaapi.getseg(x).end_ea) for x in idautils.Segments()} 81 | start = seg_mapping[0x1][0] 82 | end = seg_mapping[0x1][1] 83 | 84 | while True: 85 | 86 | start = ida_search.find_binary(start, end, pattern, 16, idc.SEARCH_NEXT|idc.SEARCH_DOWN) 87 | if start == idc.BADADDR: 88 | break 89 | 90 | buuffer_addr = start 91 | addr = hex(start) 92 | 93 | 94 | if addr not in exclued_addr: 95 | exclued_addr.append(addr) 96 | addr = idc.get_func_name(int(addr,16)).replace("sub_","0x") 97 | addr = getref(addr) 98 | ea = addr 99 | 100 | while 1: 101 | 102 | ea = idc.next_head(ea, end) 103 | if idc.print_insn_mnem(ea) == "call": 104 | length , key = get_16byte_decryption_key(int(decrypt_addrs_dict[hex(ea)],16)) 105 | encrypted_buffer = get_encrypted_buffer(buuffer_addr,end,int(length,16)) 106 | decrypted_buffer = decrypt(encrypted_buffer,int(key,16)) 107 | set_comment(ea, decrypted_buffer) 108 | break 109 | 110 | 111 | -------------------------------------------------------------------------------- /Statc Stealer/Statc_Stealer.py: -------------------------------------------------------------------------------- 1 | import idautils , idc, idaapi, ida_search, ida_bytes, ida_auto 2 | import string , struct , base64 3 | 4 | 5 | def xor_decryption(encoded_string , xor_key): 6 | encoded_string = base64.b64decode(encoded_string) 7 | decoded_str = "" 8 | 9 | for i in range(len(encoded_string)): 10 | decoded_str += chr(encoded_string[i] ^ xor_key[i%len(xor_key)]) 11 | return decoded_str 12 | 13 | 14 | def sub_decryption(encdata, sub_byte): 15 | try: 16 | if encdata != []: 17 | out = bytearray((ord(encdata[j]) - sub_byte) % 18 | 256 for j in range(len(encdata))) 19 | return out.decode() 20 | except Exception as e : 21 | return 0 22 | 23 | def add_decryption(encdata, add_byte): 24 | try: 25 | if encdata != []: 26 | out = bytearray((ord(encdata[j]) + add_byte) % 27 | 256 for j in range(len(encdata))) 28 
| return out.decode() 29 | except Exception as e : 30 | return 0 31 | 32 | def extract_key(ea): 33 | xor_key_list = [] 34 | for i in range(10): 35 | try: 36 | if (idc.print_insn_mnem(ea) == "movdqa" and (idc.get_operand_type(ea, 0) == idc.o_reg) and (idc.get_operand_type(ea, 1) == idc.o_mem) ) : 37 | temp_xor_key = idc.get_bytes(idc.get_operand_value(ea, 1),200).split(b'\x00')[0] 38 | temp_xor_key = temp_xor_key.split(b'\xff')[0] 39 | temp_xor_key.decode() 40 | xor_key_list.append(temp_xor_key) 41 | if (idc.print_insn_mnem(ea) == "mov" and (idc.get_operand_type(ea, 1) == idc.o_imm) ) : 42 | xor_key_list.append(struct.pack(' 4 : 74 | temp_name = idc.get_bytes(idc.get_operand_value(ea,1),5000).split(b'\x00')[0] 75 | enc_string_with_offset[ea] = temp_name 76 | break 77 | ea = idc.prev_head(ea) 78 | return enc_string_with_offset 79 | 80 | def set_hexrays_comment(address, text): 81 | cfunc = idaapi.decompile(address) 82 | tl = idaapi.treeloc_t() 83 | tl.ea = address 84 | tl.itp = idaapi.ITP_SEMI 85 | cfunc.set_user_cmt(tl, text) 86 | cfunc.save_user_cmts() 87 | ea = idaapi.get_screen_ea() 88 | 89 | 90 | seg_mapping = {idaapi.getseg(x).name: (idaapi.getseg(x).start_ea, idaapi.getseg(x).end_ea) for x in idautils.Segments()} 91 | start = seg_mapping[0x1][0] 92 | end = seg_mapping[0x1][1] 93 | 94 | regex = "4C 89 6D ?? 4C 8B 67 ?? 48 8B F7 48 83 7F ?? ?? 72 ?? 
48 8B 37" 95 | regex_addr = ida_search.find_binary(start, end, regex, 16, idc.SEARCH_DOWN) 96 | regex_addr_begin = idaapi.get_func(regex_addr).start_ea 97 | 98 | 99 | enc_string_with_offset = extract_enc_string_with_offsets(regex_addr_begin) 100 | xor_key = extract_key(regex_addr) 101 | dec_byte , dec_option = extract_dec_byte(start,end) 102 | 103 | for offset, data in enc_string_with_offset.items(): 104 | decoded_string = xor_decryption(data, xor_key) 105 | if dec_option == 0: 106 | decoded_string = sub_decryption(decoded_string ,dec_byte) 107 | else: 108 | decoded_string = add_decryption(decoded_string ,dec_byte) 109 | print(hex(offset) , decoded_string) 110 | set_hexrays_comment(offset , decoded_string) 111 | idc.set_cmt(offset, decoded_string, 1) -------------------------------------------------------------------------------- /PivateLoader/PrivateLoader.py: -------------------------------------------------------------------------------- 1 | """ 2 | Tested Samples: 3 | Main Component: 4 | 02a99e4d1d638ff0df8d018c8502203417bc6953ce0a39b33324c7884d964358 5 | 077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb 6 | 977c99590f96d970f726b080dc087d64fe46b6452c4e30d3595d9ed9e2379576 7 | 9d5de0848c98678b675d1a186677bacfea15d8bebe5902364149ef285c4f0f1b 8 | 9 | Loader Component: 10 | 6d29a14b0d37d4556a245ce7d6f5ce74c869141092ab7be79960a0667597e07b 11 | d75a7ee1a791ac1260fa1e83e6cd066dcf1446f2d52b136d226b8de8c284cd06 12 | """ 13 | 14 | import idautils , idc, idaapi, ida_search, ida_bytes, ida_auto 15 | import struct , json 16 | 17 | def rename_api(ea ,end,name): 18 | while 1: 19 | ea = idc.next_head(ea, end) 20 | if (idc.print_insn_mnem(ea) == "mov") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_type(ea, 1) == idc.o_reg): 21 | global_var = idc.get_operand_value(ea, 0) 22 | idc.set_name(global_var, name,idaapi.SN_FORCE) 23 | break 24 | 25 | 26 | def byte_xor(ba1, ba2): 27 | return bytes([_a ^ _b for _a, _b in zip(ba1, ba2)]) 28 | 29 | 
exports_json = json.loads(open('exports.json', 'rb').read()) 30 | exports_list = exports_json['exports'] 31 | 32 | 33 | seg_mapping = {idaapi.getseg(x).name: (idaapi.getseg(x).start_ea, idaapi.getseg(x).end_ea) for x in 34 | idautils.Segments()} 35 | start = seg_mapping[0x1][0] 36 | end = seg_mapping[0x1][1] 37 | 38 | pattern1 = "66 0f ef" 39 | pattern2 = "33 d2" 40 | 41 | def Get_Chunks(ea): 42 | 43 | ptr_addr = ea 44 | Data_Chunks = [] 45 | 46 | count = 0 47 | steps = 0 48 | steps_flag = 0 49 | flag_reg = 0 50 | 51 | for i in range(400): 52 | Data_Chunk = b'' 53 | ptr_addr = idc.prev_head(ptr_addr) 54 | steps +=1 55 | 56 | if idc.print_insn_mnem(ptr_addr) == 'call': 57 | break 58 | 59 | if idc.print_insn_mnem(ptr_addr) == 'mov'and idc.get_operand_type(ptr_addr, 0) == idc.o_reg and idc.get_operand_type(ptr_addr, 1) == idc.o_imm: 60 | flag_reg = 1 61 | 62 | if idc.print_insn_mnem(ptr_addr) == 'mov'and ( idc.get_operand_type(ptr_addr, 0) == idc.o_displ or idc.get_operand_type(ptr_addr, 0) == idc.o_reg ) and idc.get_operand_type(ptr_addr, 1) == idc.o_imm and len(hex(idc.get_operand_value(ptr_addr, 1))[2:]) >= 6: 63 | hex_data = hex(idc.get_operand_value(ptr_addr, 1))[2:] 64 | hex_data = "0" * (8 - len(hex_data)) + hex_data 65 | hex_data = hex(struct.unpack(' 6: 17 | return 1 18 | 19 | def set_hexrays_comment(address, text): 20 | cfunc = idaapi.decompile(address) 21 | tl = idaapi.treeloc_t() 22 | tl.ea = address 23 | tl.itp = idaapi.ITP_SEMI 24 | cfunc.set_user_cmt(tl, text) 25 | cfunc.save_user_cmts() 26 | 27 | 28 | def set_comment(address, text): 29 | idc.set_cmt(address, text,0) 30 | set_hexrays_comment(address, text.replace("\\" , "_")) 31 | 32 | 33 | 34 | def rc4crypt(data, key): 35 | 36 | if type(data) == str: 37 | data = data.encode('utf-8') 38 | if type(key) == str: 39 | key = key.encode('utf-8') 40 | x = 0 41 | box = list(range(256)) 42 | for i in range(256): 43 | x = (x + box[i] + key[i % len(key)]) % 256 44 | box[i], box[x] = box[x], box[i] 45 | x = 0 46 | 
y = 0 47 | out = [] 48 | for c in data: 49 | x = (x + 1) % 256 50 | y = (y + box[x]) % 256 51 | box[x], box[y] = box[y], box[x] 52 | out.append(c ^ box[(box[x] + box[y]) % 256]) 53 | return bytes(out) 54 | 55 | 56 | def get_reg_value(ea, reg_name): # shout-out to OALabs https://gist.github.com/OALabs/04ef6b2d6203d162c5b3b0eefd49530c 57 | e_count = 0 58 | ptr_addr = ea 59 | ## Just for safety only count back 500 heads 60 | while e_count < 500: 61 | e_count += 1 62 | ptr_addr = idc.prev_head(ptr_addr) 63 | if idc.print_insn_mnem(ptr_addr) == 'mov': 64 | if idc.get_operand_type(ptr_addr, 0) == idc.o_reg: 65 | tmp_reg_name = idaapi.get_reg_name(idc.get_operand_value(ptr_addr, 0), 4) 66 | if reg_name== tmp_reg_name: 67 | if idc.get_operand_type(ptr_addr, 1) == idc.o_imm: 68 | return hex(idc.get_operand_value(ptr_addr, 1)) 69 | if idc.print_insn_mnem(ptr_addr) == 'retn': 70 | return "" 71 | elif idc.print_insn_mnem(ptr_addr) == 'pop': 72 | ## Match the following pattern 73 | ## push 3 74 | ## pop edi 75 | if idc.get_operand_type(ptr_addr, 0) == idc.o_reg: 76 | tmp_reg_name = idaapi.get_reg_name(idc.get_operand_value(ptr_addr, 0), 4) 77 | if reg_name.lower() == tmp_reg_name.lower(): 78 | ## Get prev command 79 | tmp_addr = idc.prev_head(ptr_addr) 80 | if idc.print_insn_mnem(tmp_addr) == 'push': 81 | if idc.get_operand_type(tmp_addr, 0) == idc.o_imm: 82 | reg_value = idc.get_operand_value(tmp_addr, 0) 83 | return hex(reg_value) 84 | elif idc.print_insn_mnem(ptr_addr) == 'ret': 85 | ## We ran out of space in the function 86 | return "" 87 | 88 | 89 | 90 | def getdata(ptr_addr): 91 | 92 | args_lengths = [] 93 | args_data = [] 94 | arg_count = 0 95 | reg_name = '' 96 | jump_val = 0 97 | 98 | while arg_count < 4: 99 | ptr_addr = idc.prev_head(ptr_addr) 100 | 101 | 102 | if idc.print_insn_mnem(ptr_addr) == 'push' and idc.get_operand_type(ptr_addr, 0) == idc.o_mem : #push dword_ 103 | value = hex(idc.get_wide_dword(idc.get_operand_value(ptr_addr, 0))) 104 | if is_Data(value) : 
105 | args_data.append(value) 106 | arg_count += 1 107 | else: 108 | if len(args_lengths) != 2: 109 | args_lengths.append(value) 110 | arg_count += 1 111 | 112 | if idc.print_insn_mnem(ptr_addr) == 'push' and idc.get_operand_type(ptr_addr, 0) == idc.o_imm: # push offset unk_414390 113 | value = hex(idc.get_operand_value(ptr_addr, 0)) 114 | if is_Data(value) : 115 | args_data.append(value) 116 | arg_count += 1 117 | else: 118 | if len(args_lengths) != 2: 119 | args_lengths.append(value) 120 | arg_count += 1 121 | 122 | if idc.print_insn_mnem(ptr_addr) == 'push' and idc.get_operand_type(ptr_addr, 0) == idc.o_reg: # if a paramter is pushed in reg 123 | reg_name = idaapi.get_reg_name(idc.get_operand_value(ptr_addr, 0), 4) 124 | reg_value = get_reg_value(ptr_addr,reg_name) 125 | if reg_value != "": 126 | if is_Data(reg_value) : 127 | args_data.append(reg_value) 128 | arg_count += 1 129 | else: 130 | if len(args_lengths) != 2: 131 | args_lengths.append(reg_value) 132 | arg_count += 1 133 | 134 | 135 | if idc.print_insn_mnem(ptr_addr) == 'jz' or idc.print_insn_mnem(ptr_addr) == "jnb": # trace paramters pushed before jmp 136 | if idc.print_insn_mnem(idc.prev_head(ptr_addr)) == 'push' and idc.get_operand_type(idc.prev_head(ptr_addr), 0) == idc.o_imm: 137 | jmp_dict[idc.get_operand_value(ptr_addr, 0)] = hex(idc.get_operand_value(idc.prev_head(ptr_addr), 0)) 138 | 139 | 140 | 141 | if ptr_addr in jmp_dict: # if a paramter is pushed and jmp encountered 142 | jump_val = jmp_dict[ptr_addr] 143 | if is_Data(jump_val): 144 | args_data.append(jump_val) 145 | arg_count += 1 146 | else: 147 | if len(args_lengths) != 2: 148 | args_lengths.append(jump_val) 149 | arg_count +=1 150 | 151 | if idc.print_insn_mnem(ptr_addr) == 'mov'and idc.get_operand_type(ptr_addr, 0) == idc.o_reg and idc.get_operand_type(ptr_addr, 1) == idc.o_imm: # mov ecx, offset unk_ 152 | value = hex(idc.get_operand_value(ptr_addr, 1)) 153 | if is_Data(value): 154 | args_data.append(value) 155 | arg_count += 1 156 | 
else: 157 | if len(args_lengths) != 2: 158 | args_lengths.append(value) 159 | arg_count += 1 160 | 161 | if ptr_addr == addresses[-2]: # if encoutered a previous decryption , then the last paramter need is pushed in esi 162 | args_lengths.append(hex(push_pop_dict["esi"])) 163 | arg_count += 1 164 | 165 | if idc.print_insn_mnem(ptr_addr) == 'pop': 166 | ## Match the following pattern 167 | ## push 3 168 | ## pop edi 169 | if idc.get_operand_type(ptr_addr, 0) == idc.o_reg: 170 | tmp_reg_name = idaapi.get_reg_name(idc.get_operand_value(ptr_addr, 0), 4) 171 | tmp_addr = idc.prev_head(ptr_addr) 172 | if idc.print_insn_mnem(tmp_addr) == 'push': 173 | if idc.get_operand_type(tmp_addr, 0) == idc.o_imm: 174 | reg_value = idc.get_operand_value(tmp_addr, 0) 175 | push_pop_dict[tmp_reg_name] = reg_value 176 | return args_lengths ,args_data 177 | 178 | def decrypt_all_strings(fn_address,end): 179 | 180 | c = 0 181 | for ref in idautils.XrefsTo(fn_address): 182 | c+=1 183 | addr = ref.frm 184 | addresses.append(addr) 185 | args_lengths , args_data = getdata(addr) 186 | args_data.sort() 187 | 188 | try: # the first length pushed is the key length , but sometimes the data length is added first in len_arg list , so i use try and catch to check both if one fails it means that we need to swap the lenghts 189 | 190 | key_data = idc.get_bytes(int(args_data[0],16),int(args_lengths[0],16)) 191 | str_data = idc.get_bytes(int(args_data[1],16), int(args_lengths[1],16)) 192 | plaintxt_str = rc4crypt(str_data, key_data).replace(b'\x00',b'') 193 | set_comment(addr,plaintxt_str.decode()) 194 | 195 | 196 | except: 197 | if c == 51 : # weird decrypted string ? "cþ¡¤ÿfæ.. 
[Q]:.wµAI.W3M¨ÿþrè" 198 | continue 199 | else: 200 | 201 | key_data = idc.get_bytes(int(args_data[0],16),int(args_lengths[1],16)) 202 | str_data = idc.get_bytes(int(args_data[1],16), int(args_lengths[0],16)) 203 | plaintxt_str = rc4crypt(str_data, key_data).replace(b'\x00',b'') 204 | plaintxt_str = plaintxt_str.decode() 205 | set_comment(addr,plaintxt_str) 206 | 207 | 208 | decrypt_all_strings(0x0406630 ,end) 209 | 210 | -------------------------------------------------------------------------------- /Badspace/badspace.py: -------------------------------------------------------------------------------- 1 | import idautils , idc, idaapi, ida_search, ida_bytes, ida_auto 2 | '''' 3 | Author: Mohamed Ashraf (@X__Junior) 4 | ref: https://x.com/Gi7w0rm/status/1791970049772687797 5 | 0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce 6 | 0d305291091bcb0c943c6472dce450272b2291b6287a053c5c553f082654c718 7 | 124e2b15b001eb302f0a5f43604621a001d250d42afdf353dc812f41bf249a55 8 | 1dd740062b30ce02e90238d55cb6f786496e120a40e93334fef7033e75d46d79 9 | 1ea681b79f88c2f0e9344beedb8776643d735c3f8251479c9495537c40fe5ba1 10 | 283cd2138b4f1ffef36411adee02f5d684593bdf3117c760ade04e19c958028a 11 | 2a4451ef47b1f4b971539fb6916f7954f80a6735cf75333fa9d19b169c31de2e 12 | 2a5a12cc4ef2f0f527cc072243aa27d3e95e48402ef674e92c6709dc03a0836a 13 | 2cbd9f49b2dec8a36e0961b5471bdb3266a5c061ba8784e14a193e700d156a0c 14 | 2f434cc508baac8440e95e955306ee354e76680eedca4a3ec2d87f592cfdcba7 15 | 33f81ee6d9747afe1c7c5a6ed741822749ea42bb297eb642f720fd44ae35e786 16 | 34f2fc85932f6fede57846cf2a2d55172d28e4a251bb4434a88a02ce8ec030f0 17 | 3f073189506b7ca07fb352e267699688bd3a6c11cde72217ec1ffbae211b6e15 18 | 40cdac6696e84f677d7e4817fd85f32da0f9256866bb85a25da207e3d5ca7d5c 19 | 425da6a7bd4faedc97990c6458d5e6a0635839037a99611385b77b43b443d1ec 20 | 475edfbb2b03182ef7c42c1bc2cc4179b3060d882827029a6e67c045a0c1149b 21 | 48640e2fb35f073c22937784f32c157d9a0781d61a2293f73fc3566b708205bd 22 | 
4b4e27824cd349192cf0913060f1481a192f2b13d44e2787edbe8d7f0c57fa06 23 | 4e731e9e0233d53c70830011690f59b0764f61aa19e49cd10bed92b6eb81762c 24 | 53db2f135883d74dcac2e620d14d7f775876bf49d3d5d4fdb131f8fed4917434 25 | 5970ba228d2afe2031b8e8c17ba284746ebb9066f0ccb8e1fe33a6e3927a6c97 26 | 5b360b6855e87f173b4429adcca1d5f7735112119d69a5e9268673ab5ac82394 27 | 5cd47f178fd5afc2c290c77695277183df54d886f444f5993bbbe169eb3e2b12 28 | 60cd63e288c4054f85c9ea8167e0e58c1bd9998a15e3f8ed211132b42f76bdb6 29 | 613e6a8a49a61f157a8e064b7fbc7bd5d59909d47e31f6c18cd5c5659808ee89 30 | 616b1e1127902cef942cbc8ba6b89fe2e3090e992c7ae5e08c7d54b508b0caab 31 | 63537e464742099cfaf06904676e8955c0543a621e1936297e49090587a84ac1 32 | 668e1270bdb9a3aba41389777fc1ccd8759ad1316c62ea7c3f711925b44ef0b6 33 | 676cbcaa74ee8e43abaf0a2767c7559a8f4a7c6720ecc5ae53101a16a3219b9a 34 | 6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f 35 | 6ac099ab5132a17bf7a492b47442f0f6776eb76d702a5c2d947dab0ab33cfc45 36 | 6fb83280ffc0feddf3f346a4d3a8914f26c097b8aef3a276590ea44ce9d70204 37 | 770cafb3fe795c2f13eb44f0a6073b8fe4fb3ee08240b3243c747444592d85ff 38 | 7c49024676be4f90d905028675d4a714311f971c099ab01e3cd26cd13c68499c 39 | 84519a45da0535087202b576391d1952a4cc81213f0e470db65f1817b65ee9d7 40 | 90b85d2ca44186de6df202abf27e3737c52691bf5dd28841fba8860bdc4483f8 41 | 927e941acb5bc42ff2050ad04fdb6e21d33f9b02cb3fc279dfee2f814557d8e5 42 | 9a27a2ad96f7676d28f99ffc4cbc51a81b42c7739fc15a0e57295b028d6c830d 43 | 9bc4c44b24f4ba71a1c7f5dd1c8135544218235ae58efa81898e55515938da6a 44 | a1cb61abc99eb58e30ae7a9908c260be26ce072400ad771532bfe7c039ce10ef 45 | a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e 46 | a725883bd1c39e48ab60b2c26b5692f7334a3e4544927057a9ffbdabfeedf432 47 | ad2333e1403e3d8f5d9bd89d7178e85523fa7445e0a05b57fd9bc35547ec0d98 48 | b6ac7f6e3b03acd364123a07b2122d943c4111ac4786bb188d94eae0e5b22c02 49 | b9278ecce14213a1920ca9cc2b23ee18641c07a2780b693f009dcac578ffef92 50 | 
ba4c8be6a1eb92d79df396eea8658b778f4bc0f010da48e1d26e3fc55d83e9c7 51 | bb74c6fc0323956dd140988372c412f8b32735fb0ed1ad416e367d29c06af9cc 52 | bfcb215f86fc4f8b4829f6ddd5acb118e80fb5bd977453fc7e8ef10a52fc83b7 53 | c437e5caa4f644024014d40e62a5436c59046efc76c666ea3f83ab61df615314 54 | cbd7ba0886a3e0d60b15bed0736bfaa130d47ab247e374d79c3612ce6ce049b6 55 | ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13 56 | cec5bfbbd96c9a150d740c5be7d1d86c35ade0611085de537b8d1ca4887f2780 57 | cee576f6d4d05bfb4f0e0704a4712af10b0afcb369407f5edf3526145a53a685 58 | cf2e04d01b3de16d9aaa90c0d95775c9a99e63b23cc42043046ba31725d80e2e 59 | cfa312272a7e55330855325925cc449a9ca8f80626d1003b0981c4375fad69a3 60 | d7cfd49c873810b2f3369af4f8e8d0bac57c83137b1cd173f2f79a8d5f0898b9 61 | ddbcce9bb969bda17064796c25abcc346748e7cd5d9d0460672d8d09ea97d24f 62 | de6dbd27a07500e11af05f0420902c4d172aa34f6681d3f1546cf5b5872b3310 63 | e4a9105c3c44cd3f0f975f807127aae121b67c561240fefdce215c715695d5be 64 | e79e1858fdd8cb7642f0df4b2f696126df1bd6fc5f4731af8d797e02273f307f 65 | e8ca376afa8e85fcd0487c25fd8330455cd2a5ea17aeaed95e9fd085d81035c8 66 | e94f9221944a764f220831eb421d4571b32e5b243aad4943b69ae2bcfb176737 67 | ebc0ded53cd49db7ea646bd02f391dee05f6093ec26300a7389ae2ef8d769a6f 68 | eca43317ae815a18eeaf723506c960a9b2edc39f127e5a200011e594e0ab31e2 69 | f57dcff87305797c6488b8a45b2d48c1c119cc19a316f452c04b38e30090477d 70 | 975deab236438b6d7fa3ad1be7d9c2a3fabbd6103ff5f8b7fe536205ad715508 71 | cd9aebcc686a8a2eb25bf5d75100b28f58aad6512222ade6630bbad59e877369 72 | e04562fb05388e10d6d70d4cadbec059c6c0601f8232d8699ad8a6d3ee0e75d6 73 | 9d4c80ea1d6d1ce11f9bb79d7a5a4ddfcea9f20ffe039db7215e9c57fc183476 74 | 5649dcd896bf2155e790c5f05b9fa2ba6fe5befcac85a8cb0beed23945686e02 75 | f31e28b2fd8efe63a7a2c39f7f87d895c44694d80b5fcbff91d51dc63eafa9dc 76 | d20903e4f8635fc8f8a7d1ab2330a61eb1fad29e03c353ede85bc359aa019f2c 77 | a20c9fe2888286473faea909d2f22a75a1b982387b08e2ba0bd091ae631f36fc 78 | 
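712738c0afe1d10f28b6aefecb44f2bc442007fdd65f8f07582120e3ec22d590
62fb7f43c677ee2fe56406e7af8876289d3751e7c001aa627dd287baf5687f06
0d2cf14d27586ff9da5832e0efaba872a1641617fdb4a47d94b645172f7d2fa6
7b340050fe9bec7024092de63d223d2a96a32d14676f6c82c9024278ae0b323e
b54b42b4dfb93502646e9e8cb0eb5b65dccf2b872ab79f67641e307a08234b94
55ace018a6c4f355511ce3f6833d4b997d4323afb890520dc815aa2f916499f3
0d59c9bef911c879011f21163a083c09b759c9757f1ade9da9f87fdce27dc5f4
30a85fa1bf6df41d841efbf986beb286eb829380ebfdf0c1ac694f3d4f24315a
d4c955b1db1e499ea47196b8f630205329f9277f3cc184d75a3b69a70d8c49da
41d9d1e0599b492fdb6fa2ce47f0094112799830dd8dc1c098690a500a8fa6b1
6db0d6eaff5279d815e66e1abbdd7e4159c58c7747b158659d875c369c153b89
1bcfed8b593a8a7c8b34e074aca3d4fc68a0ea3343b32eae89fdabf35ad40e7d
193cadbea116833efaaa0bc6fbea552a68c9694fb0177ad873d702001b4cef8d
eec7ed30a026ba5ba82c288693bb6ad16cfc5643768bb89e5a0b17109d1fc7a6
a0916d3b97c0df2ec1ed6a772dac27c24842a64d4f6e078c941fa2046cabb9ed
'''


def setCommentToDecompilation(comment, address):
    """Attach *comment* to the Hex-Rays pseudocode line that covers *address*.

    The comment is tried at every item position from ITP_SEMI up to (but not
    including) ITP_COLON until IDA reports no orphan comments, i.e. the
    comment found a pseudocode line to anchor to.  Positions that leave the
    comment orphaned are cleaned up before the next attempt.

    Args:
        comment: text to attach to the pseudocode.
        address: effective address inside a function Hex-Rays can decompile.
    """
    cfunc = idaapi.decompile(address)
    eamap = cfunc.get_eamap()
    # The first ctree item mapped to this address is where the comment goes.
    decompObjAddr = eamap[address][0].ea

    tl = idaapi.treeloc_t()
    tl.ea = decompObjAddr

    for itp in range(idaapi.ITP_SEMI, idaapi.ITP_COLON):
        tl.itp = itp
        cfunc.set_user_cmt(tl, comment)
        cfunc.save_user_cmts()
        # Regenerating the pseudocode text is what updates IDA's view of
        # whether the comment is orphaned at this position; the text itself
        # is not needed.
        str(cfunc)
        if not cfunc.has_orphan_cmts():
            cfunc.save_user_cmts()
            break
        cfunc.del_orphan_cmts()


def rc4key_offset(data):
    """Return the index of the first non-zero byte that follows a zero byte.

    The main loop below uses this offset as the start of the 4-byte RC4 key
    inside the blob read from the sample.

    Args:
        data: bytes-like object to scan.

    Returns:
        The offset as an int, or ``None`` when ``data`` contains no zero byte
        or no non-zero byte after one (the caller's broad ``except`` then
        skips that reference).
    """
    seen_zero = False
    for index, byte in enumerate(data):
        if byte == 0:
            seen_zero = True
        elif seen_zero:
            return index
    return None


def rc4crypt(data, key):
    """Apply RC4 to *data* with *key*; encryption and decryption are the same.

    Args:
        data: bytes-like object, or ``str`` which is UTF-8 encoded first.
        key: bytes-like object, or ``str`` which is UTF-8 encoded first.
            Must be non-empty.

    Returns:
        The transformed data as ``bytes``.

    Raises:
        ValueError: if ``key`` is empty (RC4 has no defined behaviour for an
            empty key; the original code failed with a ZeroDivisionError).
    """
    if isinstance(data, str):
        data = data.encode('utf-8')
    if isinstance(key, str):
        key = key.encode('utf-8')
    if not key:
        raise ValueError("rc4crypt: key must not be empty")

    # Key-scheduling algorithm (KSA).
    box = list(range(256))
    key_len = len(key)
    j = 0
    for i in range(256):
        j = (j + box[i] + key[i % key_len]) % 256
        box[i], box[j] = box[j], box[i]

    # Pseudo-random generation algorithm (PRGA) XORed over the input.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        out.append(byte ^ box[(box[i] + box[j]) % 256])
    return bytes(out)


def dec_function_addresses(start, end, pattern):
    """Return the start addresses of all functions containing *pattern*.

    Args:
        start: first address to search.
        end: address at which the search stops.
        pattern: IDA binary-search pattern (hex bytes with ``??`` wildcards).

    Returns:
        A de-duplicated list of function start addresses in no particular
        order.  A match that is not inside a defined function is skipped
        instead of aborting the whole scan.
    """
    found = set()
    while True:
        start = ida_search.find_binary(start, end, pattern, 16,
                                       idc.SEARCH_NEXT | idc.SEARCH_DOWN)
        if start == idc.BADADDR:
            break
        func = idaapi.get_func(start)
        # A hit in data or undefined bytes has no owning function; the
        # original code raised AttributeError here and stopped the scan.
        if func is None:
            continue
        found.add(func.start_ea)
    return list(found)


# Map each segment's ``name`` field to its (start_ea, end_ea) range.
seg_mapping = {}
for seg_ea in idautils.Segments():
    seg = idaapi.getseg(seg_ea)
    seg_mapping[seg.name] = (seg.start_ea, seg.end_ea)
# NOTE(review): segment_t.name appears to be IDA's segment-name index rather
# than the name string, so 0x1 selects a segment by index -- confirm this
# still picks the code segment on a new sample before trusting the ranges.
start = seg_mapping[0x1][0]
end = seg_mapping[0x1][1]

func_list = []
patterns = ["44 ?? ?? 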
4C" , "48 98 0F B6 44 02","48 01 D0 66 C7 00 00 00 48 83" , "D0 C6 00 00 48 83" , "D0 C6 00 00 48 83 85"] 170 | for pattern in patterns: 171 | func_list += dec_function_addresses(start,end,pattern) 172 | 173 | for func in func_list: 174 | for ref in idautils.XrefsTo(func): 175 | addr = ref.frm 176 | data_addr = addr 177 | 178 | while 1: 179 | data_addr = idc.prev_head(data_addr) 180 | if ( idc.print_insn_mnem(data_addr) == "lea" ) and (idc.get_operand_type(data_addr, 0) == idc.o_reg) and (idc.get_operand_type(data_addr, 1) == idc.o_mem): 181 | break 182 | try: 183 | data_addr = idc.get_operand_value(data_addr,1) 184 | length = int.from_bytes(idc.get_bytes(data_addr, 1),byteorder='big') 185 | data = idc.get_bytes(data_addr, 8+length) 186 | offset = rc4key_offset(data) 187 | rc4_key = data[offset:offset+4] 188 | encrypted_data = data[offset+4:offset+4+length] 189 | dec_data = rc4crypt(encrypted_data,rc4_key).replace(b'\x00',b'').decode() 190 | 191 | setCommentToDecompilation(dec_data,addr) 192 | print(hex(addr), dec_data) 193 | idc.set_name(data_addr, dec_data,idaapi.SN_FORCE) 194 | except Exception as e: 195 | continue 196 | -------------------------------------------------------------------------------- /Revil 2.08/strings.txt: -------------------------------------------------------------------------------- 1 | []['fld', 'fls', 'ext', 'SOFTWARE\\LFF9miD', 'IhnG91T', 'SOFTWARE\\LFF9miD', 'miz', 'od4U', 'U7ykk', 'landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion', '{UID}', '{KEY}', '{EXT}', '{EXT}', '{UID}', '{KEY}', '{EXT}', '{USERNAME}', '{NOTENAME}', 'SYSTEM', 'USER', '{"pk":"mZ/LzIHtIGXw9sA4TcaIvpRUc6+YWuJ6yrAEOL8FOig=","pid":"75bc8eba-e23e-4135-aa09-957c6b8d8fa2","sub":"3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4","dbg":false,"wht":{"fld":["mozilla","perflogs","msocache","$recycle.bin","system volume information","tor browser","windows","programdata","appdata","boot","application data","$windows.~bt","program files","windows.old","program files 
(x86)","google","intel","$windows.~ws"],"fls":["autorun.inf","ntuser.dat.log","ntuser.ini","boot.ini","iconcache.db","bootfont.bin","ntuser.dat","thumbs.db","bootsect.bak","ntldr","desktop.ini"],"ext":["ics","cur","icl","lnk","hta","idx","diagpkg","exe","sys","msi","mpa","shs","nomedia","ani","diagcab","ps1","scr","cpl","bin","msstyles","ocx","msu","nls","themepack","386","wpx","icns","lock","diagcfg","cmd","mod","bat","prf","msc","key","cab","rtp","com","hlp","ldf","rom","spl","deskthemepack","dll","msp","drv","theme","adv","ico"]},"prc":["outlook","thebat","oracle","sqbcoreservice","mydesktopservice","wordpad","encsvc","infopath","sql","visio","powerpnt","mspub","thunderbird","agntsvc","xfssvccon","synctime","winword","dbsnmp","ocautoupds","onenote","msaccess","tbirdconfig","mydesktopqos","ocomm","isqlplussvc","firefox","ocssd","steam","excel","dbeng50"],"accs":["gsn_company\\\\administrator%Goldsun078","tacs.com.tw\\\\Administrator%aa12345678."],"svc":["sophos","sql","mepocs","memtas","svc$","backup","veeam","vss"],"net":false,"nbody":"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","nname":"{EXT}-readme.txt","exp":false,"img":"WQBvAHUAcgAgAGYAaQBsAGUAcwAgAGEAcgBlACAAZQBuAGMAcgB5AHAAdABlAGQAIQANAAoADQAKAEYAaQBuAGQAIAB7AEUAWABUAH0ALQByAGUAYQBkAG0AZQAuAHQAeAB0ACAAYQBuAGQAIABmAG8AbABsAG8AdwAgAGkAbgBzAHQAdQBjAHQAaQBvAG4AcwAAAA==","et":2,"spsize":0,"arn":false,"rdmcnt":0}', 'pk', 'sub', 'dbg', 'wht', 'prc', 'svc', 'nbody', 'nname', 'img', 'et', 'ext', 'accs', 'none', '-nolan', '-nolocal', '-path', '-silent', '-smode', '-fast', '-full', 'SOFTWARE\\LFF9miD', 'cN86rtdI', '{"ver":%d,"pid":"%s","sub":"%s","pk":"%s","uid":"%s","sk":"%s","unm":"%s","net":"%s","grp":"%s","lng":"%s","bro":false,"os":"%s","bit":%d,"dsk":"%s","ext":"%s"}', 'program files', 'program files (x86)', 'sql', 'ntuser', '.exe', b'c\xfe\xa1\xa4\xfff\xe6\x90\x93 [Q]:\x90w\xb5AI\x99W3M\xa8\xff\xfer\xe8', 'Terminate', 'Win32_Process', '__PATH', 'Reason', 'StopService', '__PATH', 'TargetInstance', 
'__Class', 'Win32_Process', 'Win32_Service', 'Name', 'State', 'Running', '__PATH', 'GetOwner', 'User', 'Domain', 'Name', 'ROOT\\CIMV2', 'WQL', "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'", "SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'", '__ProviderArchitecture', 'ROOT\\CIMV2', 'WQL', 'select * from Win32_ShadowCopy', 'id', "Win32_ShadowCopy.ID='%s'", '\\\\?\\A:\\', '\\\\?\\UNC', 'k$U0MFKs1V', 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'DefaultPassword', 'DefaultUserName', 'AutoAdminLogon', 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce', '*aG951f', '*uTHnGD', 'bootcfg /raw /a /safeboot:network /id 1', 'bootcfg /raw /fastdetect /id 1', 'bcdedit /set {current} safeboot network', 'bcdedit /deletevalue {current} safeboot', 'Global\\8D87239A-846D-CD1A-F9C2-8B6763B3B04F', 'SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters', 'Domain', 'WORKGROUP', 'Control Panel\\International', 'LocaleName', 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion', 'productName', '%08X%08X', 'vmcompute.exe', 'vmms.exe', 'vmwp.exe', 'svchost.exe', 'ServicesActive', 'qHD96PM5QWtUAaVd1RndhQzyT7MUEXro', 'advapi32.dll', 'winmm.dll', 'crypt32.dll', 'shlwapi.dll', 'user32.dll', 'ole32.dll', 'mpr.dll', 'gdi32.dll', 'shell32.dll', 'oleaut32.dll', 'rstrtmgr.dll', 'netapi32.dll', 'wtsapi32.dll', 'CreateStreamOnHGlobal', 'CoInitializeEx', 'CoInitializeSecurity', 'CoCreateInstance', 'CoUninitialize', 'CoSetProxyBlanket', 'NetApiBufferFree', 'NetShareEnum', 'NetUserSetInfo', 'VerSetConditionMask', 'VerifyVersionInfoW', '\\\\?\\A:\\', '\\\\?\\A:\\', '\\\\?\\UNC'] -------------------------------------------------------------------------------- /PivateLoader/main_component_strings.txt: -------------------------------------------------------------------------------- 1 | ['CryptAcquireContextA', '10', 'Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden', 'CBC', 'SOFTWARE\\LilFreske', 
'SOFTWARE\\LilFreske', 'Installed', 'SetPriorityClass', 'RegQueryValueExA', 'ConvertSidToStringSidA', 'LookupAccountNameA', 'GetComputerNameA', 'VerSetConditionMask', 'Wow64DisableWow64FsRedirection', 'Wow64RevertWow64FsRedirection', 'null', 'DisableAntiSpyware', 'DisableRoutinelyTakingAction', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'Windows Server 2012 R2', 'Windows Server 2012', 'Windows Server 2008 R2', 'Windows Server 2008', ' (x64)', ' (x32)', 'rb', 'explorer.exe', 'pid', 'path', 'md5', 'current', 'children', 'children', 'CBC', 'data=', '/base/api/getData.php', 'http://', '|', '|', 'GetLinks|', 'Error!', 'id', 'url', 'args', '|', '|', 'GetExtensions|', 'Error!', 'id', 'ext_url', 'cfg_url', 'ipinfo.io/widget', 'www.maxmind.com/geoip/v2.1/city/me', 'api.ipgeolocation.io/ipgeo?include=hostname&ip=', 'rb', 'wb', 'WW_P_7', 'WW_P_8', '-1', 'https://', 'rb', 'wb', '.exe', 'open', 'iplis.ru/1G8Fx7.mp3', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1aFYp7.mp3', 'SetIncrement|ww_starts', 'browser', 'browsers', 'os_country_code', 'country', 'os', 'AddExtensionStat|', '.exe', '\\', '\\', 'https://', 'https://', 'open', 'open', 'https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp', 'cryptoWallets_part1', 'cryptoWallets_part2', 'bankWallets_part2', 'WinHttpQueryHeaders', 'WinHttpOpenRequest', 'WinHttpReceiveResponse', 'WinHttpCloseHandle', 'http://', '/', '?', 'HEAD', 'InternetSetOptionA', 'HttpOpenRequestA', 'InternetReadFile', 'InternetCloseHandle', '.', '.dll', '#', 'IsWow64Process', 'GetModuleHandleA', 'LoadLibraryA', 'Sleep', 'GetTempPathA', 'CreateProcessA', 'GetFileAttributesA', 'CreateDirectoryA', 'CreateThread', 'CloseHandle', 'VirtualAlloc', 'VirtualFree', 'OpenProcess', 'TerminateProcess', 'GetUserGeoID', 'ntdll.dll', 'NtQuerySystemInformation', 'RtlGetVersion', 'Shell32.dll', 'Shell32.dll', 'Shell32.dll', 'ShellExecuteA', 'SHGetFolderPathA', 'Advapi32.dll', 'Advapi32.dll', 'Advapi32.dll', 'RegOpenKeyExA', 
'RegSetValueExA', 'RegCloseKey', 'RegCreateKeyExA', 'RegDeleteKeyA', 'RegDeleteValueA', 'RegEnumKeyExA', 'WINHTTP.dll', 'WINHTTP.dll', 'wininet.dll', 'wininet.dll', 'VerifyVersionInfoW', 'GetGeoInfoA', 'GetCurrentProcess', 'GetVersionExA', 'MultiByteToWideChar', 'WideCharToMultiByte', 'GetCurrentProcessId', 'CreateToolhelp32Snapshot', 'Process32First', 'Process32Next', 'User32.dll', 'User32.dll', 'CharToOemA', '//Adobe Films', 'SOFTWARE\\Policies\\Microsoft\\Windows Defender', 'SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection', 'DisableScanOnRealtimeEnable', 'DisableRealtimeMonitoring', 'DisableIOAVProtection', 'DisableRawWriteNotification', 'Windows Server 2016', 'Windows Server', 'Windows 10', 'Windows 8.1', 'Windows 8', 'Windows 7', 'Windows Vista', 'Windows XP', 'SOFTWARE\\Classes\\ms-settings\\Shell\\Open\\command', 'DelegateExecute', '', '\\ComputerDefaults.exe', 'rb', 'open', 'SOFTWARE\\Classes', 'ms-settings\\Shell\\Open\\command', 'ms-settings\\Shell\\Open', 'ms-settings\\Shell', 'ms-settings', 'type', 'onlyType', 'country', 'country', 'company', 'company', 'name', 'Google LLC', 'company', 'name', 'db-ip.com', 'data-api-key="', '/self', 'api.db-ip.com/v2/', 'countryCode', 'countryCode', 'organization', 'Google LLC', 'organization', 'country', 'country', 'country', 'iso_code', 'country', 'iso_code', 'traits', 'traits', 'organization', 'Google LLC', 'traits', 'organization', 'GetIP', 'IP:', 'IP:', 'country_code2', 'country_code2', 'organization', 'Google LLC', 'organization', 'Guest Profile', 'System Profile', '\\Google\\Chrome\\Application', ' (x86)\\Google\\Chrome\\Application', '\\Google\\Chrome\\Application', ' (x86)\\Google\\Chrome\\Application', 'SOFTWARE\\Google\\Chrome\\BLBeacon', 'version', '\\resources.pak', '\\', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Secure Preferences', 'filter_browsers', 'filter_browsers', 'chrome', 'browser', 'filter_browsers', 'use_open_browser', 
'use_open_browser', 'use_open_browser', 'extensions', 'settings', 'extensions', 'settings', 'install_time', 'extensions', 'settings', 'path', '\\Extensions\\', '\\/', 'extensions', 'settings', '\\u003C', '<', 'protection', 'macs', 'extensions', 'settings', 'extensions.settings.', 'protection', 'macs', 'protection', 'super_mac', 'chrome.exe', 'extensions', 'settings', 'extensions.settings.', 'ChromeRegistryHashStoreValidationSeed', '\\extensions.settings', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs\\', '\\chrome.exe', '\\Microsoft\\Edge\\Application', ' (x86)\\Microsoft\\Edge\\Application', '\\Microsoft\\Edge\\Application', ' (x86)\\Microsoft\\Edge\\Application', 'SOFTWARE\\Microsoft\\Edge\\BLBeacon', 'version', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Secure Preferences', 'filter_browsers', 'filter_browsers', 'edge', 'browser', 'filter_browsers', 'use_open_browser', 'use_open_browser', 'use_open_browser', 'extensions', 'settings', 'extensions', 'settings', 'install_time', 'extensions', 'settings', 'path', '\\Extensions\\', '\\/', 'extensions', 'settings', '\\u003C', '<', 'protection', 'macs', 'extensions', 'settings', 'extensions.settings.', 'protection', 'macs', 'protection', 'super_mac', 'msedge.exe', 'extensions', 'settings', 'extensions.settings.', 'ChromeRegistryHashStoreValidationSeed', '\\extensions.settings', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs\\', '\\msedge.exe', '\\Roaming', '\\Roaming', '\\atomic', '\\Atomic Wallet', '\\com.liberty.jaxx', '\\Electrum', '\\Exodus', '\\MultiDoge', '\\Exodus', '\\Monero', '\\binance.chain', '\\Binance', '\\Metamask', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn', '\\Local Extension Settings\\ibnejdfjmmkpcnlpebklmnkoeoihofec', '\\Local Extension Settings\\fhbohimaelbohpjbbldcngcnapndodjp', '\\Local Extension Settings\\fnjhmkhhmkbjkkabndcnnogagogbneec', '\\Local Extension 
Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa', '\\Local Extension Settings\\fhilaheimglignddkjgofkcbgekhenbh', '\\Local Extension Settings\\mgffkfbidihjpoaomajlbgchddlicgpn', '\\Local Extension Settings\\aodkkagnadcbobfpggfnjeongemjbjca', '\\Local Extension Settings\\kpfopkelmapcoipemfendmdcghnegimn', '\\Local Extension Settings\\fmblappgoiilbgafhjklehhfifbdocee', '\\Local Extension Settings\\hmeobnfnfcmdkdcmlblgagmfpfboieaf', '\\Local Extension Settings\\lpfcbjknijpeeillifnkikgncikgfhdo', '\\Local Extension Settings\\dngmlblcodfobpdpecaadgfbcggfjfnm', 'robinhood.com', 'yobit.net', 'zb.com', 'binance.com', 'huobi.com', 'okex.com', 'hitbtc.com', 'bitfinex.com', 'kraken.com', 'bitstamp.net', 'payoneer.com', 'bittrex.com', 'bittrex.zendesk.com', 'gate.io', 'exmo.com', 'yobit.io', 'bitflyer.com', 'poloniex.com', 'kucoin.com', 'coinone.co.kr', 'localbitcoins.com', 'korbit.co.kr', 'cex.io', 'luno.com', 'bitkonan.com', 'jubi.com', 'koinex.in', 'koineks.com', 'kuna.io', 'koinim.com', 'kiwi-coin.com', 'leoxchange.com', 'lykke.com', 'localtrade.cc', 'magnr.com', 'lbank.info', 'itbit.com', 'gemini.com', 'gdax.com', 'gatehub.net', 'satoshitango.com', 'foxbit.com.br', 'flowbtc.com.br', 'exx.com', 'exrates.me', 'excambriorex.com', 'ezbtc.ca', 'infinitycoin.exchange', 'tdax.com', 'stex.com', 'vbtc.exchange', 'coinmarketcap.com', 'vwlpro.com', 'nocks.com', 'nlexch.com', 'novaexchange.com', 'mynxt.info', 'nzbcx.com', 'nevbit.com', 'mixcoins.com', 'mr.exchange', 'neraex.pro', 'dsx.uk', 'okcoin.com', 'liquid.com', 'quoine.com', 'quadrigacx.com', 'rightbtc.com', 'rippex.net', 'ripplefox.com', 'qryptos.com', 'ore.bz', 'openledger.info', 'omnidex.io', 'paribu.com', 'paymium.com', 'dcexchange.ru', 'dcexe.com', 'bitmex.com', 'funpay.ru', 'bitmaszyna.pl', 'bitonic.nl', 'bitpanda.com', 'bitsblockchain.net', 'bitmarket.net', 'bitlish.com', 'bitfex.trade', 'blockchain.com', 'blockchain.info', 'cryptofresh.com', 'btcmarkets.net', 'braziliex.com', 'btc-trade.com.ua', 'btc-alpha.com', 
'bitspark.io', 'bitso.com', 'bittylicious.com', 'altcointrader.co.za', 'arenabitcoin.com', 'allcoin.com', '796.com', 'abucoins.com', 'aidosmarket.com', 'bitcointrade.com', 'bitcointoyou.com', 'bitbanktrade.jp', 'big.one', 'bcex.ca', 'bitconnect.co', 'coinsbank.com', 'coinsecure.in', 'coinsquare.com', 'coinspot.io', 'coinsmarkets.com', 'crypto-bridge.org', 'dcex.com', 'dabtc.com', 'decentrex.com', 'deribit.com', 'dgtmarket.com', 'btcturk.com', 'btcxindia.com', 'bt.cx', 'bitstarcoin.com', 'coincheck.com', 'coinmate.io', 'coingi.com', 'coinnest.co.kr', 'coinrail.co.kr', 'coinpit.io', 'coingather.com', 'coinfloor.co.uk', 'coinegg.com', 'coincorner.com', 'coinexchange.io', 'pancakeswap.finance', 'coinbase.com', 'livecoin.net', 'mercatox.com', 'cryptobridge.freshdesk.com', 'volabit.com', 'tradeogre.com', 'bitkub.com', 'uphold.com', 'wallet.uphold.com', 'login.blockchain.com', 'tidex.com', 'coinome.com', 'coinpayments.net', 'bitmax.io', 'bitbank.cc', 'independentreserve.com', 'bitmart.com', 'cryptopia.co.nz', 'cryptonator.com', 'advcash.com', 'my.dogechain.info', 'spectrocoin.com', 'exir.io', 'exir.tech', 'coinbene.com', 'bitforex.com', 'gopax.co.kr', 'catex.io', 'vindax.com', 'coineal.com', 'maicoin.com', 'finexbox.com', 'etherflyer.com', 'bx.in.th', 'bitopro.com', 'citex.co.kr', 'coinzo.com', 'atomars.com', 'coinfinit.com', 'bitker.com', 'dobitrade.com', 'btcexa.com', 'satowallet.com', 'cpdax.com', 'trade.io', 'btcnext.io', 'exmarkets.com', 'btc-exchange.com', 'chaoex.com', 'jex.com', 'therocktrading.com', 'gdac.com', 'southxchange.com', 'tokens.net', 'fexpro.net', 'btcbox.co.jp', 'coinmex.com', 'cryptology.com', 'cointiger.com', 'cashierest.com', 'coinbit.co.kr', 'mxc.com', 'bilaxy.com', 'coinall.com', 'coindeal.com', 'omgfin.com', 'oceanex.pro', 'bithumb.com', 'ftx.com', 'shortex.net', 'coin.z.com', 'fcoin.com', 'fatbtc.com', 'tokenize.exchange', 'simex.global', 'instantbitex.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login 
Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'binance.com', 'ascendex.com', 'kraken.com', 'huobi.com', 'coinbase.com', 'kucoin.com', 'hitbtc.com', 'gate.io', 'crypto.com', 'mercatox.com', 'coins.ph', 'coins.th', 'poloniex.com', 'bittrex.com', 'bitpanda.com', 'exmo.com', 'dogechain.info', 'luno.com', 'bitkub.com', 'blockchain.com', 'livecoin.net', 'miningpoolhub.com', 'bitfinex.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'yobit.net', 'yobit.io', 'zb.com', 'okex.com', 'bitstamp.net', 'bitflyer.com', 'coinone.co.kr', 'localbitcoins.com', 'korbit.co.kr', 'bitmex.com', 'cryptobridge.freshdesk.com', 'volabit.com', 'tradeogre.com', 'uphold.com', 'tidex.com', 'coinome.com', 'bitso.com', 'coinpayments.net', 'coinexchange.io', 'bitmax.io', 'btc-alpha.com', 'bitbank.cc', 'independentreserve.com', 'bitmart.com', 'exmo.com', 'cex.io', 'coinbase.com', 'cryptopia.co.nz', 'cryptonator.com', 'advcash.com', 'spectrocoin.com', 'exir.io', 'exir.tech', 'coinbene.com', 'bitforex.com', 'gopax.co.kr', 'catex.io', 'vindax.com', 'coineal.com', 'maicoin.com', 'finexbox.com', 'etherflyer.com', 'bx.in.th', 'bitopro.com', 'lbank.info', 'citex.co.kr', 'coinzo.com', 'atomars.com', 'coinfinit.com', 'bitker.com', 
'btc-trade.com.ua', 'dobitrade.com', 'btcexa.com', 'satowallet.com', 'cpdax.com', 'trade.io', 'btcnext.io', 'exmarkets.com', 'localtrade.cc', 'btc-exchange.com', 'chaoex.com', 'jex.com', 'therocktrading.com', 'gdac.com', 'southxchange.com', 'tokens.net', 'fexpro.net', 'btcbox.co.jp', 'coinmex.com', 'cryptology.com', 'kuna.io', 'cointiger.com', 'cashierest.com', 'liquid.com', 'coinbit.co.kr', 'mxc.com', 'bilaxy.com', 'coinall.com', 'coindeal.com', 'omgfin.com', 'stex.com', 'oceanex.pro', 'bithumb.com', 'ftx.com', 'shortex.net', 'coin.z.com', 'fcoin.com', 'fatbtc.com', 'tokenize.exchange', 'simex.global', 'instantbitex.com', 'btcmarkets.net', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'binance.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'etrade.com', 'schwab.com', 'fidelity.com', 'chase.com', 'morganstanley.com', 'citi.com', 'robinhood.com', 'navyfederal.org', 'ally.com', 'schoolsfirstfcu.org', 'redfcu.org', 'mtb.com', '53.com', 'easternbank.com', 'bankofamerica.com', 'santander.com', 'marcus.com', 'schools.org', 'cu.com', 'usaa.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', 
'\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'ncsecu.org', 'penfed.org', 'becu.org', 'schoolsfirstfcu.org', 'firsttechfed.com', 'golden1.com', 'alliantcreditunion.org', 'americafirst.com', 'suncoastcreditunion.com', 'secumd.org', 'safecu.org', 'missionfed.com', 'greendot.com', 'firsttechfed.com', 'americafirst.com', 'rbfcu.org', 'macu.com', 'dcu.org', 'ssfcu.org', 'bethpagefcu.com', 'starone.org', 'alaskausa.org', 'sdccu.com', 'aacreditunion.org', 'lmcu.org', 'teachersfcu.org', 'patelco.org', 'esl.org', 'onpointcu.com', 'logixbanking.com', 'psecu.com', 'deltacommunitycu.com', 'ent.com', 'cefcu.com', 'greenstate.org', 'unfcu.org', 'pffcu.org', 'wingsfinancial.com', 'iccu.comdesertfinancial.com', 'iccu.com', 'desertfinancial.com', 'hvfcu.org', 'wpcu.coop', 'redwoodcu.org', 'tcunet.com', 'wsecu.org', 'joviafinancial.com', 'coastal24.com', 'myeecu.org', 'gecreditunion.org', 'nymcu.org', 'affinityfcu.com', 'towerfcu.org', 'safecu.org', 'ccu.com', 'communityamerica.com', 'langleyfcu.org', 'credithuman.com', 'techcu.com', 'gecu.com', 'kfcu.org', 'applefcu.org', 'nasafcu.com', 'sfcu.org', 'genisyscu.org', 'unifyfcu.com', 'apcocu.org', 'firstcommunity.com', 'unitedfcu.com', 'fairwinds.org', 'ufcu.org', 'wescom.org', 'missionfed.com', 'bcu.org', 'vacu.org', 'citadelbanking.com', 'servicecu.org', 'summitcreditunion.com', 'secumd.org', 'gesa.com', 'chevronfcu.org', 'traviscu.org', 'uwcu.org', 'communityfirstcu.org', 'ecu.org', 'sccu.com', 'bfsfcu.org', 'bellco.org', 'dfcufinancial.com', 'msufcu.org', 'members1st.org', 'landmarkcu.com', 'kinecta.org', 'midflorida.com', 'visionsfcu.org', 
'veridiancu.org', 'statefarmfcu.com', 'tinkerfcu.org', 'sefcu.com', 'americanheritagecu.org', 'robinsfcu.org', 'canvas.org', 'growfinancial.org', 'truliantfcu.org', 'fairwinds.org', 'ascend.org', 'foundersfcu.com', 'calcoastcu.org', 'ucu.org', 'connexuscu.org', 'slfcu.org', 'numericacu.com', 'eecu.org', 'georgiasown.org', 'nusenda.org', 'tvacreditunion.com', 'pcu.org', 'msgcu.org', 'nuvisionfederal.com', 'trumarkonline.org', 'navigantcu.org', 'ornlfcu.com', 'jscfcu.org', 'lgfcu.org', 'elevationscu.com', 'gtefinancial.org', 'chartway.com', 'ecu.com', 'sdfcu.org', 'apcu.com', 'schools.org', 'metrocu.org', 'campuscu.com', 'adviacu.org', 'psfcu.com', 'andrewsfcu.org', 'eglinfcu.org', 'imcu.com', 'americaneagle.org', 'ttcu.com', 'vantagewest.org', 'empowerfcu.com', 'rfcu.com', 'capcomfcu.org', 'arizonafederal.org', 'csecreditunion.com', 'communityfirstfl.org', 'bayportcu.org', 'gwcu.org', 'wecu.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'stgeorge.com.au', 'imb.com.au', 'ing.com.au', 'bankofmelbourne.com.au', 'regionalaustraliabank.com', 'suncorp.com.au', 'regionalaustraliabank.com.au', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera 
Software\\Opera Stable', '\\Login Data', 'neofinancial.com', 'bmo.com', 'rbcroyalbank.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'usaa.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'robinhood.com', 'navyfederal.org', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'tboholidays.com', '24x7rooms.com', 'adonis.com', 'abreuonline.com', 'almundo.com.ar', 'bonotel.com', 'bookohotel.com', 'didatravel.com', 'dotwconnect.com', 'eetglobal.com', 'escalabeds.com', 'fastpayhotels.com', 'getaroom.com', 'goglobal.travel', 'hoteldo.com.mx', 'hotelspro.com', 'jumbonline.com', 'kaluahtours.com', 'lci-euro.com', 'lotsofhotels.com', 'mikinet.co.uk', 'misterroom.com', 
'nexustours.com', 'olympiaeurope.com', 'paximum.com', 'restel.es', 'rezserver.com', 'rezlive.com', 'sunhotels.com', 'totalstay.com', 'travco.co.uk', 'travellanda.com', 'smyrooms.com', 'welcomebeds.com', 'yalago.com', 'hotelbeds.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'mercadolibre.com.mx', 'hsbc.com.mx', 'bbvanetcash.mx', 'scotiabank.com.mx', 'santander.com.mx', 'bbva.mx', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'opensea.io', 'plantvsundead.com', 'axieinfinity.com', 'cryptocars.me', 'bombcrypto.io', 'cryptoplanes.me', 'cryptozoon.io', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'bankalhabib.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', 
'\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'ruralvia.com', 'ruralvia.es', 'bankinterconsumerfinance.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'amazon.it', 'amazon.ca', 'amazon.de', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'amazon.com', 'netspend.com', 'online.citi.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', 
'\\Opera Software\\Opera Stable', '\\Login Data', 'cloud.ibm.com', 'ca.ovh.com', 'account.alibabacloud.com', 'cloud.huawei.com', 'cloud.tencent.com', 'vultr.com', 'aws.amazon.com', 'portal.azure.com', 'digitalocean.com', 'console.scaleway.com', 'hetzner.com', 'linode.com', 'oracle.com', 'rackspace.com', 'phoenixnap.com', 'leaseweb.com', 'sso.ctl.io', 'ctl.io', 'lumen.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'paypal.com', 'SOFTWARE\\Google\\Chrome\\PreferenceMACs', '\\Google\\Chrome\\User Data\\', '\\Login Data', 'SOFTWARE\\Microsoft\\Edge\\PreferenceMACs', '\\Microsoft\\Edge\\User Data\\', '\\Login Data', 'SOFTWARE\\BraveSoftware\\Brave-Browser\\PreferenceMACs', '\\BraveSoftware\\Brave-Browser\\User Data\\', '\\Login Data', 'SOFTWARE\\CryptoTab Browser\\PreferenceMACs', '\\CryptoTab Browser\\User Data\\', '\\Login Data', '\\Roaming', '\\Roaming', '\\Opera Software\\Opera Stable', '\\Login Data', 'WW_P_', 'WW_P_1', 'WW_P_7', 'WW_P_8', '|', 'AddLoggerStat|', 'links', 'extensions', 'EU', 'ezstat.ru/1BfPg7', 'USA_1', 'iplis.ru/1BX4j7.png', 'iplis.ru/1BV4j7.mp4', 'USA_2', 'iplis.ru/1BC4j7.mp3', 'iplis.ru/1BV4j7.mp4', 'iplis.ru/1cC8u7.mp3', 'iplis.ru/1G8Fx7.mp3', 'WW_1', 'iplis.ru/1BNhx7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_2', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1S2Qs7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_3', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1S3fd7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 
'iplis.ru/1BV4j7.mp4', 'WW_4', 'SetIncrement|ww_starts', 'false', 'iplis.ru/17VHv7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_5', 'iplis.ru/1GLDc7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_6', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1xDsk7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_7', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1xFsk7.mp3', 'US', 'iplis.ru/1BV4j7.mp4', 'WW_OPERA', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1GCuv7.pdf', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_8', 'iplis.ru/1lmex.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_9', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1Gemv7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_10', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1Gymv7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_11', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1tqHh7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_12', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_13', 'iplis.ru/1cC8u7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_14', 'iplis.ru/1cN8u7.mp3', 'WW_15', 'false', 'iplis.ru/1kicy7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_P_1', 'iplis.ru/1BMhx7.mp3', 'WW_16', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1edLy7.png', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_17', 'iplis.ru/1nGPt7.png', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_P_2', 'iplis.ru/1Bshv7.mp3', 'WW_P_3', 'iplis.ru/1Lgnh7.mp3', 'WW_P_4', 'iplis.ru/1vt8c7.mp3', 'WW_P_5', 'iplis.ru/1IcfD.mp3', 'WW_P_6', 'WW_P_7', 'iplis.ru/1eXqs7.mp3', 'WW_P_8', 
'iplis.ru/1Unzy7.mp3', 'WW_18', 'iplis.ru/12hYs7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_19', 'SetIncrement|ww_starts', 'false', 'iplis.ru/12d8d7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_20', 'iplis.ru/1Uvgu7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'WW_21', 'SetIncrement|ww_starts', 'false', 'iplis.ru/1jvTz7.mp3', 'iplis.ru/1G8Fx7.mp3', 'US', 'iplis.ru/1pRXr7.txt', 'iplis.ru/1BV4j7.mp4', 'ids', 'browsers', 'id', 'extensions', 'Chrome:', 'browser', 'browsers', 'Edge:', 'ip_country', 'links', 'extensions', 'net_country_code', 'os_country_code', 'wininet.dll', 'WW_P_', 'WW_P_1', 'WW_P_1', 'WW_20', 'http://45.144.225.57/download/NiceProcessX64.bmp', '-1', 'http://45.144.225.57/download/NiceProcessX32.bmp', '-1', 'WW_20', 'iplis.ru/1Uvgu7.mp3', 'WW_P_8', 'https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp', '-1', 'WW_P_7', 'https://c.xyzgamec.com/userdown/2202/random.exe', '-1', 'http://193.56.146.76/Proxytest.exe', '-1', 'http://www.yzsyjyjh.com/askhelp23/askinstall23.exe', '-1', 'http://91.241.19.125/pub.php?pub=one', '-1', 'http://privacy-tools-for-you-780.com/downloads/toolspab3.exe', '-1', 'http://luminati-china.xyz/aman/casper2.exe', '-1', 'https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe', '-1', 'http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe', '-1', 'https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp', '1916', 'https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp', '468', 'https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp', '1920', 'http://185.215.113.208/ferrari.exe', '1750', '1927', 'https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp', '1929', 
'https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp', '1946', 'https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp', '1985', 'WW_P_6', 'https://c.xyzgamec.com/userdown/2202/random.exe', '-1', 'http://mnbuiy.pw/adsli/note8876.exe', '-1', 'http://www.yzsyjyjh.com/askhelp23/askinstall23.exe', '-1', 'http://91.241.19.125/pub.php?pub=one', '-1', 'http://sarfoods.com/index.php', '-1', 'http://luminati-china.xyz/aman/casper2.exe', '-1', 'https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe', '-1', 'http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe', '-1', 'WW_P_5', 'https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe', '-1', 'https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe', '-1', 'WW_P_4', 'https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe', '-1', 'https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe', '-1', 'WW_P_3', 'https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp', '-1', 'WW_P_2', 'https://iplogger.org/2BTmf7', '-1', 'https://iplogger.org/2BAmf7', '-1', 'https://iplogger.org/2BDmf7', '-1', 'https://iplogger.org/2BFmf7', '-1', 'https://iplogger.org/2s2pg6', '-1', 'https://iplogger.org/2s3pg6', '-1', 'https://iplogger.org/2s4pg6', '-1', 'https://iplogger.org/2s5pg6', '-1', 'https://iplogger.org/2s6pg6', '-1', 'https://iplogger.org/2s7pg6', '-1', 'WW_20', 'http://185.215.113.208/ferrari4.exe', '-1', 'id', 'cold', 'browser', 'crypto_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'domain', 'cu_bank_wallets', 'links', 'id', 'domain', 'shop_wallets', 'links', 'id', 'domain', 'bank_au_wallets', 'links', 'id', 'domain', 'amazon_eu', 'links', 'id', 'domain', 'webhosts', 'links', 'id', 'domain', 'paypal', 'links', 'id', 'domain', 'bank_ca_wallets', 'links', 'id', 'cold', 'browser', 'crypto_wallets', 'links', 
'id', 'browser', 'crypto_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'domain', 'browser_vbmt', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'browser', 'crypto_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'id', 'domain', 'bank_wallets', 'links', 'GetCryptoSleeping', '_', '-1', 'id', 'links', 'EU', 'USA_1', 'USA_2', 'WW_1', 'WW_2', 'WW_3', 'WW_4', 'WW_5', 'WW_6', 'WW_7', 'WW_OPERA', 'WW_8', 'WW_9', 'WW_10', 'WW_11', 'WW_12', 'WW_13', 'WW_14', 'WW_15', 'WW_P_1', 'WW_16', 'WW_17', 'WW_P_2', 'WW_P_3', 'WW_P_4', 'WW_P_5', 'WW_P_6', 'WW_P_7', 'WW_P_8', 'WW_18', 'WW_19', 'WW_20', 'WW_21', 'WW_4', 'WW_19', 'US', 'USA_2', 'WW_P_', 'WW_P_1', '|', 'IsUseDominationProject|', 'cryptoWallets', 'browser', 'status', 'cryptoWallets', 'cold', 'status', 'bankWallets', 'status', 'cuBankWallets', 'status', 'shops', 'status', 'bankAUWallets', 'status', 'amazon_eu', 'status', 'webhosts', 'status', 'paypal', 'status', 'bankCAWallets', 'status', 'status', 'status', 'bankWallets_part1', 'status', 'status', 'VBMT', 'status', 'bankMXWallets', 'status', 'cryptoGames', 'status', 'bankPKWallets', 'status', 'bankESWallets', 'status', 'SetLoaderAnalyze|', 'SetIncrement|not_elevated', '.', '.dll', '#', 'WinHttpConnect', 'Winhttp.dll', 'Winhttp.dll', 'WinHttpOpen', 'Winhttp.dll', 'Winhttp.dll', 'WinHttpQueryDataAvailable', 'Winhttp.dll', 'WinHttpSendRequest', 'Winhttp.dll', 'Winhttp.dll', 'WinHttpReadData', 'Winhttp.dll', 'Winhttp.dll', 'wb', 'InternetOpenA', 'InternetConnectA', 'InternetOpenUrlA', 'HttpQueryInfoA', 'InternetQueryOptionA', 'HttpSendRequestA'] --------------------------------------------------------------------------------