# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

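# Aliases: JSFiretruck
# NOTE(review): many trails below are bare paths or file names with no host (for example /file.hta, /r.hta, /0001.js, /klarna.js). Presumably they match on the name alone, so treat a hit as a lead to triage against the cited reference, not as confirmation of compromise.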

# Reference: https://blog.alyac.co.kr/2347

/ChromSrch.egg
/GoogleRsv.egg
/HncCheck.egg
/IEService.egg

# Reference: https://app.any.run/tasks/26522454-b349-42db-9cbe-230b37a3c836/

/exploit.swf

# Reference: https://twitter.com/angel11VR/status/1115343202167533568
# Reference: https://pastebin.com/0bX17LaY

/out-761452637.hta

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403

/moonx.hta
/first.hta

# Reference: https://twitter.com/neonprimetime/status/1116740246790602753

/wormhta.hta

# Reference: https://twitter.com/InQuest/status/1116772541312401408

/ec470000/file.hta

# Reference: https://twitter.com/JAMESWT_MHT/status/1118088254224515072

/out-1618282703.hta

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://blog.alyac.co.kr/2299 (Korean)
# Reference: https://blog.alyac.co.kr/2243 (Korean)

/Ahfzo0.hta
/Ersrr0.hta
/first.hta
/fmaov0.hta
/fwvuj0.hta
/Htqgf0.hta
/Msgxo.hta
/Msgxo0.hta
/Mylqn0.hta
/Pkjjy.hta
/Qfnaq.hta
/Qfnaq0.hta
/Qzqrn0.hta
/second.hta
/szgfj0.hta
/Vkggy0.hta
/xtgnb0.hta
/Yluhi0.hta

# Reference: https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attacks.html

/we.hta

# Reference: https://twitter.com/pancak3lullz/status/1113084930475638784

/9Y4wOJot.hta

# Reference: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

/Vkggy0.hta
/Usoro.hta

# Reference: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

/Mzfmj.hta

# Reference: https://otx.alienvault.com/pulse/5cc85460920fb55c466d6e8d

/Second.hta
/temp.hta

# Reference: https://twitter.com/DissectMalware/status/1126384963497205762

/ihenketata2019.hta
/out-802561251.hta
/out-2069830595.hta
/out-427331541.hta
/out-270833413.hta
/out-746027731.hta
/out-890192022.hta
/out-1389213074.hta
/out-325515559.hta
/out-413662816.hta
/out-961903221.hta
/out-1719427273.hta
/out-167611131.hta
/out-642154941.hta
/out-1033585073.hta
/out-1181438660.hta
/out-43874915.hta
/out-288511419.hta
/out-1053850352.hta
/out-1841585389.hta
/task2.hta
/tk.hta

# Reference: https://twitter.com/James_inthe_box/status/1129452679250321408

/out-1081291084.hta

# Reference: https://twitter.com/HONKONE_K/status/1133205335877885952

/h.hta

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/
# Reference: https://otx.alienvault.com/pulse/5cf53cdb5089737750fab25d

/Black.hta

# Reference: https://twitter.com/James_inthe_box/status/1136631137571237888

/2VXzzTcNjTvas8r9.hta

# Reference: https://twitter.com/ViriBack/status/1136712921461997570

/sample.hta

# Reference: https://www.malware-traffic-analysis.net/2017/12/22/index.html

/beta.hta

# Reference: https://twitter.com/James_inthe_box/status/1139536021572317185

/out-1445440753.hta

# Reference: https://www.virustotal.com/gui/file/d5f18e907465fd5bd659df74e51377052337fc515f17f1e915551f3cc05823dc/community
# Reference: https://app.any.run/tasks/44ceb7c7-518e-4bb1-8a00-de2d887b32c3/

/iyk1.hta

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.hta

# Reference: https://twitter.com/dineshdina04/status/1008621004896198657
# Reference: https://app.any.run/tasks/a8c1f660-71ae-4ab1-a217-11256fd6a158/

/wm.hta

# Reference: https://twitter.com/ViriBack/status/970443789234929664

/bb.hta

# Reference: https://twitter.com/teamcymru/status/920135790600114176

/bqowsj.hta
/fsfsyt.hta
/kekcgt.hta
/nrjhyr.hta
/oonhci.hta
/otvpoi.hta
/phtjae.hta

# Reference: https://twitter.com/FewAtoms/status/1146804894785056768

/out-182876786.hta

# Reference: https://twitter.com/James_inthe_box/status/1146896227000209408

/BitMaster.hta

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

/am_cy_167.hta
/comm.hta
/emp.hta

# Reference: https://twitter.com/YouMayBeHacked/status/1148625116101844992

/bi.hta

# Reference: https://twitter.com/James_inthe_box/status/1149026394472472576

/kkknng.hta

# Reference: https://twitter.com/James_inthe_box/status/1149412096418840576

/hit.hta

# Reference: https://twitter.com/KorbenD_Intel/status/1146463851526938625

/9000.hta

# Reference: https://twitter.com/RedDrip7/status/1118009381679878144
# Reference: https://www.virustotal.com/gui/file/b101035ae8b25263cf7101fbc63df71682cf0963d59b28e28da6e83b35003452/detection
# Reference: https://ti.360.net/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf (Chinese)

/zxcvb.hta

# Reference: https://twitter.com/_CPResearch_/status/1102943725750239237

/RawabiJob.hta

# Reference: https://twitter.com/killamjr/status/1150218238573404160

/SystemUpdater.hta

# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)

/file.hta
/fin.hta
/final.hta
/zoxr4yr5KV.hta

# Reference: https://twitter.com/James_inthe_box/status/1059087094612602881

/SamRefJobsVacancies.hta

# Reference: https://twitter.com/James_inthe_box/status/1151156619733921792

/8741161.hta

# Reference: https://twitter.com/alex_lanstein/status/988851524406099968

/LPOKGGTEFFGFJ.hta

# Reference: https://twitter.com/FewAtoms/status/1159473273870196736

/out-1379808530.hta

# Reference: https://twitter.com/reecdeep/status/1159833486817034241

/elnino.hta

# Reference: https://twitter.com/w3ndige/status/1168437823193669632

/2055970.hta

# Reference: https://twitter.com/Zerophage1337/status/1007645365133246464

/dwie.hta

# Reference: https://otx.alienvault.com/pulse/5d7a4780d9dfe5be7ab9296e

/Lfvbu0.hta
/Msgxo0.hta
/Qbjoo0.hta
/Rjboi0.hta
/Rnlnb0.hta
/Vamva0.hta

# Reference: https://twitter.com/rpsanch/status/1172548993177522176

/ManTechJobs.hta

# Reference: https://twitter.com/i/status/1172612874708996096

/Tickets.hta

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901

/Duxuu.hta
/Duxuu0.hta

# Reference: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/

/Player1566444384.hta

# Reference: https://twitter.com/h4ckak/status/1144173749056315392

/startup.hta

# Reference: https://twitter.com/FewAtoms/status/1180819300476755969

/MS.hta
/MSHTAPayload.hta
/out-1302410780.hta
/out-2091529197.hta
/out-792744321.hta
/out-932457051.hta
/ppro.hta

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

/Mau2.hta

# Reference: https://twitter.com/cyber__sloth/status/1181957000927727616

/out-1369462999.hta
/out-834610808.hta

# Reference: https://twitter.com/w3ndige/status/1168437823193669632

/2055970.hta

# Reference: https://twitter.com/tkanalyst/status/1184825216033099777

/SYUWSL1.hta

# Reference: https://mp.weixin.qq.com/s/ujeIeb_BWoLWu420imwAOQ
# Reference: https://otx.alienvault.com/pulse/5dad976536418494e8540014

/hta1.hta

# Reference: https://twitter.com/wwp96/status/1186622658751938560

/out-1029000015.hta

# Reference: https://twitter.com/tkanalyst/status/1196033182694379527

/flusupdxx64.hta

# Reference: https://twitter.com/FewAtoms/status/1198574338036969474

/azo.hta
/PO98989211.hta

# Reference: https://twitter.com/cyber__sloth/status/1200005508641558528

/out-1246717249.hta

# Reference: https://app.any.run/tasks/c382b09f-03f7-4680-86c5-28316c5cc5e3/

/microsoft.hta

# Reference: https://twitter.com/wwp96/status/1202267925559808000

/2206907.hta

# Reference: https://twitter.com/wwp96/status/1214926249535164422

/25067710.hta

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

/zaqxswcde.hta
/zaqxswcderfv.hta

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

/brzol0.hta
/dbrcn0.hta
/tyjui3.hta
/zjirz.hta
/zjirz0.hta

# Reference: https://twitter.com/JayTHL/status/1227122437885698049

/youuth.hta

# Reference: https://twitter.com/FewAtoms/status/1231994766398717954

/out-337443407.hta
/out-510267147.hta

# Reference: https://twitter.com/casual_malware/status/1239760321021128706

/out-44955964.hta
/out-1376540361.hta
/out-1897288366.hta

# Reference: https://twitter.com/FewAtoms/status/1239938872341139456

/out-8815323.hta

# Reference: https://twitter.com/malwrhunterteam/status/1240996072425652224

/out-1429065212.hta
/out-1770163823.hta
/out-1890736898.hta
/out-531451995.hta

# Reference: https://twitter.com/Rmy_Reserve/status/1241301496571953152

/cfhkjkk.hta

# Reference: https://twitter.com/FewAtoms/status/1241813291460067329

/out-756898907.hta
/out-1019569980.hta
/out-1388663052.hta

# Reference: https://twitter.com/malwrhunterteam/status/1241318536280227844

/sol.hta

# Reference: https://twitter.com/malwrhunterteam/status/1242812814668038151

/out-1068156992.hta

# Reference: https://twitter.com/FewAtoms/status/1243579932590161930

/out-571924757.hta
/out-756898907.hta

# Reference: https://twitter.com/bit_dam/status/1256311982992633862

/new%201.hta

# Reference: https://pastebin.com/uwPeU4CL

/Cqsl.hta

# Reference: https://twitter.com/malwrhunterteam/status/1258844055682912259

/out-2010667608.hta

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

/pre.hta
/suf.hta

# Reference: https://urlhaus.abuse.ch/downloads/text_recent/

/Hmoye0.hta

# Reference: https://twitter.com/KorbenD_Intel/status/1281290067382685696

/convert.hta

# Reference: https://twitter.com/wwp96/status/1328087453392130052

/windows.hta

# Reference: https://twitter.com/fr0s7_/status/1330828461196382215

/evil.hta

# Reference: https://twitter.com/jstrosch/status/1333935819380416512

/invoice.hta

# Reference: https://twitter.com/wwp96/status/1337520882034544641

/OpenToView.hta

# Reference: https://twitter.com/nao_sec/status/1339483904189685760

/r.hta

# Reference: https://twitter.com/bad_packets/status/1038967603048243200
# Reference: https://www.virustotal.com/#/file/d527ea936ab99a2e3a25cf8786c66c0e07fc509b9465d48dd26065f034795f19/relations

aster18cdn.nl/app.js
feesocrald.com/app.js
istlandoll.com/app.js
soodatmish.com/app.js
play.aster18cdn.nl/app.js
play.feesocrald.com/app.js
play.istlandoll.com/app.js
play.soodatmish.com/app.js

# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/

/2131.js
/webmr.js
/webmr-2.js
/webmr-x7.js

# Reference: https://twitter.com/ViriBack/status/1035692468459720704

/r/6jHa5
/r/Lx4er

# Reference: https://www.virustotal.com/#/domain/coinhive.com
# Reference: https://twitter.com/bad_packets/status/1042627971368939521

/lib/captcha.min.js
/lib/ch2.min.js
/lib/coinhive.min.js
/lib/miner.min.js
/lib/worker-asmjs.min.js

# Reference: https://www.virustotal.com/#/url/e2887029795c19d1b0d7e97bcd6b29fd25988ea27e8f958ef9af6f9520f97b45/detection

coinimp.com/scripts/min.js

# Reference: https://twitter.com/malwrhunterteam/status/1044950859875012608

/perfekt/perfekt.js

# Reference: https://twitter.com/VK_Intel/status/1021453551975817217

wjcqsstycdujc.eu

# Reference: https://twitter.com/ps66uk/status/1036775592371384320
# Reference: https://twitter.com/ps66uk/status/1026391185953312768
# Reference: https://pastebin.com/izi6pDs8
# Reference: https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/

4play4girls.com/.cabinet/29rf852359-package-updated
adetailimage.com/.customer/3G5QH49725-Your-receipt
alaxvong.com/.customer-area/pack-82AK376-updated
arenaofshrugs.com/.customer-area/package-3M516645-updated
asecretenergyofmiracles.com/.customer-area/pack-42X31841-updated
atlantaseedsmentoringforgirls.com/.customer/1OC358756-your-receipt
ayca.com/.customer/FW8149101-Your-receipt
bakerassistants.com/.safe/GD8JY47086-receipt
bekahwagner.com/.customer-area/package-1GHF7189-updated
beneaththeblackrainbow.com/.customer-area/pack-0VX2107-updated
beneaththeblackrainbow.com/.customer-area/pack-7WRS_214-updated
bettingmlb.com/.customer-area/package-919R-70321-updated
bleuhaven.com/.customer-area/package-79JK8_63195-updated
bollygupshup.com/.advicedetails/0235789168-details
bostonteleprompter.com/.advice-notification/86MZ71628-complete-details
browseright.com/.customer/TI1N01666-your-Receipt
bullcityapparel.com/.safetyarea/TNF4Z521816-order-receipt
buyinggoldhq.com/.customer-area/package-11U492-updated
buzznewscenter.com/.cabinet/2dgp641-package-updated
byxaru.com/.orderdetails/92EW-60267-confirmation
comocuidarme.com/omoc/darme
comunicazionecreativaconsapevole.com/.customer-area/pack-156Q3055-updated
cumbrecapital.com/.customer/6B1R003355-Your-receipt
cumbrecapital.com/.customer/A1K414064-your-Receipt
customers.breastandbodyguidemd.com/.productdetails/8P97438-status-updated
customers.delvecchiopastafresca.com/.personal/package-1XTY6521-updated
customers.golf-classifieds.com/.clientarea/delivery-status-updated
dasheriemagazine.com/.customer-area/pack-24CG4727-updated
db.agile-kanata.com/usernotice/35Z4760-status-update
db.avonbourne.com/usernotice/9RYK9707-status-update
db.bobwu.com/usernotice/71AX0842-notifications
db.boomer-angle.com/usernotice/8T3G41905-notifications
db.careerever.com/usernotice/93I5333-notifications
db.catalinaappraisalservice.com/usernotice/1RJ6972-notifications
db.catalinaappraisalservice.com/usernotice/69V1K3619-notifications
db.digitalwizards.com/usernotice/0CW618-notifications
db.disruptivedrama.com/.safe/66B_410-Receipt
db.falsefiddle.com/.safe/H3X837846-Receipt
db.flyingelephantstudios.com/usernotice/57K5X36453-notifications
db.glennwithrow.com/usernotice/69JY81993-notifications
db.hivetastic.com/usernotice/51X768973-notifications
db.honeycombbooks.net/usernotice/484J7970-notifications
db.icmeet.com/.safe/9L7235-Receipt
db.jclbioassay.com/.safe/S2JA10415-Receipt
db.nobuwrap.com/.safe/E9B3M049671-Receipt
db.nobuwrap.com/usernotice/6L6295-notifications
db.obimfresh.net/usernotice/8O551983-notifications
db.pakkaussuunnittelu.com/usernotice/47E67189-status-update
db.preciselysoftware.com/usernotice/79OE4365-notifications
db.replayrink.com/usernotice/68SEG85567-notifications
db.serendipidance.com/usernotice/9UKS3638-notifications
db.sextoysandmen.com/usernotice/91NRI363-notifications
db.stonyrundesign.com/.safe/CJ0YU149110-receipt
db.stonyrundesign.com/usernotice/81FI02058-notifications
db.strawberryshakemovie.com/usernotice/3485145-notifications
db.whiterivercountry.com/usernotice/1WNO3384-status-update
db.whiterivercountry.com/usernotice/64AW18330-notifications
db.woodenboatgallery.com/usernotice/6CPO02141-notifications
db.yellowstonebrewingcompany.com/usernotice/08CY772-notifications
db.yourfuturebeginshere.com/usernotice/33YHT45331-notifications
dflathmann.com/.customer-area/pack-652B619488-updated
districtframesph.com/.getyourticket/81365093-ticket
drjarad.com/.customer-area/package-5Z4015-updated
durolosangeles.com/.customer-area/package-15H85328-updated
dwiby.com/.customer/3I51694269-Your-Receipt
enataihomes.com/.advice-customers/order-complete-details
eventfish.com/.safetyadvicearea/01686431953-order-Receipt
farmersce.com/.safe/PYN9005J-476356-your-New-Receipt
fitnessdetail.com/.safe/1CUS794179-Receipt
flightcasefilms.com/.customer-area/package-0GZ77952-updated
flipsandals.com/.safetyadvice/36PU815683-Receipt
forsalekentucky.com/.safe/NIUFZ748379-Receipt
forsalemontana.com/.safe/SE-37885-Receipt
foundationtour.com/.customer-area/pack-77ER586-updated
foundationtour.com/.customer-area/package-01ZK1-8120-updated
freewaydeathsquad.com/.cabinet/5ihz6840-pack-updated
fromthedeskofashigeorgia.com/.advice-customers/order-complete-details
fruchile.com/.safe/QF8267H-99740-your-New-receipt
funtimefacepainting.com/.customer-area/pack-5OR7_4582-updated
gettingsecure.com/.safe/THK11097-receipt
goldmaggot.com/.safe/L65P912030-receipt
hercrush.com/.safe/EHR168605-Receipt
holtsberrydesign.com/.customer-area/package-19YY6241-updated
horseharmonyfarm.com/.safe/RDFN509606-Receipt
hoschtonhomesforless.com/.safetyarea/16O711723-order-Receipt
hotnewreads.com/.advicedetails/7XV777-details
howelladventures.com/.safetyadvice/87YA590-Receipt
identitygift.com/.safe/WPVWT808948-receipt
iphone6backgrounds.com/.advicedetails/71PL2590-details
jennanorwood.com/.advice/delivered-status-notification
jvive.com/.customer-area/pack-3BM8_29302-updated
kentuckyinjuryaccident.com/.safe/2GN1356-Your-new-Receipt
kevinecotter.com/.safetyadvice/29K054-receipt
kivacopper.com/.cabinet/14zc_9521-pack-updated
kosmopolitanfinearts.com/.customer-area/package-8WE6996-updated
krcooking.com/.customer-area/package-54GWB-04521-updated
ladyfounder.com/.customer-area/package-830ZO_3159-updated
laibachmusic.com/.safetyarea/UVRN559091-order-receipt
laucacau.com/.safetyadvicearea/0814656528-order-Receipt
lifebyaileen.com/.advice-notification/order-complete-details
longbayhideaway.com/.safetyadvice/JO6OV00947-receipt
lonnielepp.com/.safetyarea/2VC41131-order-receipt
lonnielepp.com/.safetyarea/ENS9Y49504-order-receipt
loulouinhollywood.com/.customer/1P4FC280342-your-receipt
lrsresources.com/.safetyadvice/2MVK655933-Receipt
luchtefeld.com/.safe/CE-737941-Receipt
maloneandcompanyswededfilmfest.com/.safetyarea/003702712-order-Receipt
margotgarnick.com/.customer-area/package-6OF_22197-updated
megachief.com/.safetyadvice/77RUZ57184-Receipt
mjsmallbusinessservices.com/.safetyarea/74C56_2495-order-receipt
motomako.com/.safetyarea/EYGL699416-order-receipt
moveinmandalay.com/.cabinet/11sf_9124-pack-updated
myblagh.com/.safetyadvice/66YS2836-Receipt
northernlightssurvey.com/.productdetails/receipt-details-updated
norway2thailand.com/.customer-area/pack-60HX346-updated
norway2thailand.com/.customer-area/package-9GP_90045-updated
odedadali.com/.advicedetails/026052352956-details
okiostyle.com/.safetyarea/0409669990-order-Receipt
onenationhealing.com/.advicedetails/28MM_665-details
pacificrimbonsai.com/.advice-notification/order-complete-details
paperlovestudios.com/.advicedetails/078391277951-details
passportstatusonline.com/.orderdetails/69X99475-confirmation
pdxinjuryattorney.com/.customer-area/pack-8XD_2636-updated
perimenopausetherapy.com/.cabinet/23hu_5379-pack-updated
philasoup.com/.safetyarea/IVEU187436-order-Receipt
placeklaw.com/.advice/10HF81744-order-receipt
popnuvo.com/.safetyadvice/49RBX589238-receipt
qtheboat.com/.advicedetails/088641320452-details
rescuingchildrenhealingadults.com/.customer-area/pack-474TT-33472-updated
retroframing.com/.customer-area/pack-4RLJ0016-updated
rickyville.com/.customer-area/pack-52JT3992-updated
riideinc.com/.advice/delivered-status-notification
robdonato.com/.advice/91-673620-ticket
rontonsoup.com/.customer-area/pack-00ME-9651-updated
runningvillage.com/.advicedetails/0CQ265196-details
rynegrund.com/.customer-area/package-51QJ728660-updated
saragoldstein.com/.customer-area/pack-772M_3561-updated
saragoldstein.com/.customer-area/package-7FEQ5204-updated
sbicarolinas.com/.safetyadvice/EG778094-Receipt
scottad.com/.customer/1NNZN394864-your-receipt
seoandgrow.com/.safe/CBR00207-receipt
sethpgoldstein.com/.customer-area/package-22AX-42309-updated
sketcheleven.com/.customer-area/pack-5Z04750-updated
sketcheleven.com/.customer-area/package-7OUF_395-updated
smallscalelng.com/.customer/8JY41782-your-new-Receipt
smartglassesdataplans.com/.safe/PJ2B028923-receipt
smokeshopsinc.com/.customer-area/package-06FB3259-updated
solofront.com/.customer-area/pack-25P92664-updated
startabusinessinpa.com/.customer-area/pack-0YQM250-updated
sunandprasad.com/.safetyadvice/3XTV756223-receipt
theartofbridal.com/.customer-area/pack-315J713173-updated
theartofbridal.com/.customer-area/package-1P5212-updated
thefinancialcontrollers.com/.dXNlcLNTF7pUywsgZm5A1KDNHnNlc3ND1pBVMcjXgwhF735D0idpb/3ZG2038-receipt
thehowandwhy.com/.safetyarea/ODSW3456060-order-Receipt
thejunglejournal.com/.customer-area/package-2HH382-updated
thekindlesales.com/.customer/NGJ3494423-your-receipt
themeterminal.com/.safetyadvicearea/088432722890-order-Receipt
thepathlightcenter.com/.customer-area/pack-93IGG_25443-updated
thepynebros.com/.advice/delivered-status-notification
thequietcreatives.com/.customer-area/package-4699700-updated
theseamill.com/.safe/PDQVC123710-receipt
timharwoodmusic.com/.safe/U6N2P16610-Receipt
tinynaps.com/.advicedetails/7F25947-details
top-costumes.com/.safe/P9SVQ222688-Receipt
twobulletsleft.com/.safetyarea/ZNMP57074-order-Receipt
uberdragon.com/.safetyadvice/6O46703705-receipt
urban-meditations.com/.advice/03BEN7818-order-Receipt
valbridgetucson.com/.cabinet/98cg814-pack-updated
valbridgetucson.com/.cabinet/9d5080138-pack-updated
veterantruckingjobs.com/.customer-area/pack-8UVL_62500-updated
videosforwhatsapp.com/.safetyadvice/2LY9480-receipt
wewalk4you.com/.customer-area/pack-864O_5167-updated
whataresquingies.com/.safetyadvicearea/0405470695-order-receipt
wildhowlz.com/.advicedetails/027380256-details
yokosukadoula.com/.advicedetails/0864668306-detail
zenartfree.com/.advicedetails/1Z2-510491-details

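# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99
# Reference: https://www.virustotal.com/#/ip-address/212.109.222.157
# NOTE(review): no trail is listed under the two references above in this part of the file; the /wp-load.js entry further down belongs to the next reference block. Confirm whether an entry was dropped or moved.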

# Reference: https://twitter.com/unmaskparasites/status/1049723562746146816

/wp-load.js

# Reference: https://twitter.com/malware_traffic/status/1051999693780262912

/flashplayer_41.22_plugin.js

# Reference: https://twitter.com/securitydoggo/status/938750437913776128

/SexyHot19.js

# Reference: https://twitter.com/securitydoggo/status/919906367254728706

/chronopost-colis-suivi.js

# Reference: https://twitter.com/securitydoggo/status/856526428933943296

/Consulta FGTS.js

# Reference: https://twitter.com/bad_packets/status/1106430758179110912

blockchainanalyticscdn.com
5b0c4f7f0587346ad14b9e59704c1d9a.top
925e40815f619e622ef71abc6923167f.top

# Reference: https://www.group-ib.com/media/js-sniffer/

gmo.li

# Reference: https://twitter.com/VK_Intel/status/1104109897531224065

host.moresecurity.kz/host/info

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

178.32.48.50:8443/node.js

# Reference: https://blog.attacker.net/a-new-wave-of-the-simpleoneline-malware

simpleoneline.online

# Reference: https://twitter.com/natmchugh/status/1118851237351497734

so.youneverfind.com/statistics.js

# Reference: https://twitter.com/bad_packets/status/976677742862200832

/5992203285ab3219.3.n.2.1.l60.js

# Reference: https://securelist.com/muddywaters-arsenal/90659/

dzoz.us/js/js.js

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
# Reference: https://otx.alienvault.com/pulse/5cc71ac7631c3a2f3c67ba7f

/assests/eng_edge_new.html

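# Reference: https://twitter.com/gwillem/status/1127617495911804935
# Reference: https://twitter.com/CERTA_intNsec/status/1127849427572527104
# NOTE(review): this trail and those in the next three blocks (code.cloudcms.com, d20iczrsxk7wft.cloudfront.net, cdn.ryviu.com) name single script or stylesheet URLs on what appear to be vendor-hosted asset services rather than attacker-owned hosts. Confirm against the references whether the listing is still current, since a hit may only mean that a site loads that asset.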

assets.pcrl.co/js/jstracker.min.js

# Reference: https://twitter.com/gwillem/status/1127619061725241349

code.cloudcms.com/alpaca/1.5.17/bootstrap/alpaca.min.css

# Reference: https://twitter.com/gwillem/status/1127890329175244800

d20iczrsxk7wft.cloudfront.net/botwverified/badge.js

# Reference: https://twitter.com/_mmeltzer/status/1128311225228648449

cdn.ryviu.com/js/reviews.js
ww1-filecloud.com

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

/thecry.js

# Reference: https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html
# Reference: https://www.virustotal.com/gui/ip-address/178.33.231.184/relations

/ausliebezumduft.js
/bigmusicshop.js
/brain-payment.js
/darussalam.js
/dotsport.js
/hepler.js
/iloveskininc.js
/kimon.js
/klarna.js
/mycigara.js
/relightdepot.js
/sanasafinaz.js
/stutterheim.js
/turtlecase.js
/whinkel.js

# Reference: https://twitter.com/eComscan/status/1136181192796061697

/baypre.js
/cashionrods.js
/dans.js

# Reference: https://twitter.com/Racco42/status/1136621446053150720

/0001.js

# Reference: https://twitter.com/luc4m/status/1138430833533104128

/tkeezwbzpl.js

# Reference: https://twitter.com/Racco42/status/1139461501113311232

/urgente.js

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.js

# Reference: https://twitter.com/david_jursa/status/1148199946618732544

/add5.js

# Reference: https://twitter.com/JayTHL/status/1149055957256802307

click.clickanalytics208.com

# Reference: https://thehackernews.com/2019/07/magecart-amazon-s3-hacking.html
# Reference: https://www.zscaler.com/blogs/research/magecart-activity-and-campaign-enhancements

/js/decor.js

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

/zaqedcvfr.js
/zaqwsxcde.js

# Reference: https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/

/alfuncsync.js
/fingerprint_db.js
akibanoticias.com
tharbadir.com

# Reference: https://twitter.com/James_inthe_box/status/1150794193494630401

/sharing_buttons.js

# Reference: https://twitter.com/adrian__luca/status/1151393084380459009
# Reference: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180/

/k55qtf704vukk11a8r24riuuoc.js
/pe0gecpi4ins56vi9kfrnh7kbs.js

# Reference: https://blog.sucuri.net/2019/07/fake-google-domains-used-in-evasive-magento-skimmer.html
# Reference: https://otx.alienvault.com/pulse/5d3f2283df812ea7458e98f8

/3f5cf4657d5d9.js
/5d32125dab5ee.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

/e1cuqrhmik66gu7pr90qk9v3p8.js
/ftp22vfljscml2370rsritui9g.js
/tinyjs.min.js

# Reference: https://twitter.com/smica83/status/1156485272617570304

/factura.js

# Reference: https://twitter.com/ScumBots/status/1157875582765535232

http://156.236.102.78

# Reference: https://twitter.com/securitydoggo/status/1158370884899495936

/2019-National-Intelligence-Coordinating-Agency-Survey-Questionnaire.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/

boobahbabies.com
eventsbysteph.com
query.network
connect.clevelandskin.net
connect.clevelandskin.org
track.amishbrand.com
track.positiverefreshment.org
link.easycounter210.com
click.clickanalytics208.com
/s_code.js?cid=

# Reference: https://twitter.com/James_inthe_box/status/1159917575301582848

/JFd0mx.js
/rKPcLW.js

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

/pass_sqzr.jsp

# Reference: https://twitter.com/JAMESWT_MHT/status/1164140106095177731
# Reference: https://app.any.run/tasks/0c5278c0-d505-4873-b612-9318dbbc2733/

/ajwngsj.js

# Reference: https://twitter.com/JAMESWT_MHT/status/1167096432236650497

/0f.js
/1f.js
/2f.js
/3f.js
/4f.js
/5f.js
/6f.js
/7f.js
/8f.js
/9f.js

# Reference: https://twitter.com/StopMalvertisin/status/1167121250847580162

/msg_frr_w3.js
/myjs28_frr_c1.js
/myjs28_frr_s37.js

# Reference: https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html

/r2.js

# Reference: https://twitter.com/killamjr/status/1171122456528150528

tut-64.com
yourservice.live
0wnpr0m0.com

# Reference: https://twitter.com/shotgunner101/status/1174324923499765760

/5d7c50e85111d.js

# Reference: https://www.ibm.com/downloads/cas/O3W1LZAZ

/advnads20.js
/test1ccf.js
/test1try.js
/test2try.js
/test3ccf.js
/test3try.js
/test4ccf.js
/test4try.js
/tongji.js

# Reference: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/

/01sall.js
/02sall.js
/03sall.js
/04sall.js
/05sall.js
/06sall.js
/07sall.js
/08sall.js
/09sall.js
/1566444384.js

# Reference: https://twitter.com/killamjr/status/1178030065486974976

allyouwant.online

# Reference: https://twitter.com/killamjr/status/1178019676653146112

/js/google.analytics.min.js

# Reference: https://www.virustotal.com/gui/ip-address/162.222.213.20/relations

/ikandej.js

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2010/2010-01-14-more-details-on-operation-aurora/more-details-on-operation-aurora.csv

/GDSRScripts.js

# Reference: https://twitter.com/0xFrost/status/1181153730382716928
# Reference: https://twitter.com/James_inthe_box/status/1316079441034919936
# Reference: https://twitter.com/James_inthe_box/status/1316091614113087488

hostcontent.live
hostingcloud.cloud
hostingcloud.racing
/ab20.js
/Iit5.js

# Reference: https://twitter.com/david_jursa/status/1181925512798773249
# Reference: https://app.any.run/tasks/14d9b5a2-d8d3-41f4-9557-f21aec01fa32/

/xGpmLMHiaqCy-agu1ud6fHqKiTo.js

# Reference: https://twitter.com/david_jursa/status/1183728660710338561

/p8anm0bn388i8bg6sqcv0smlto.js
/uqff1t6racoanqj092dg2q5bg8.js

# Reference: https://twitter.com/MBThreatIntel/status/1184531791102857216

/umbro.js

# Reference: https://twitter.com/tkanalyst/status/1184840339070148609

/5j76hga6tnpo7levlgmhrosuhs.js

# Reference: https://twitter.com/killamjr/status/1185376383180136448

/media/si.js

# Reference: https://twitter.com/GroupIB_GIB/status/1185230751769468928

/js/mirasvit/

# Reference: https://twitter.com/Placebo52510486/status/1141619924512792583

12js.org
12lib.org
16js.org
16lib.org
22js.org
lib0.org
wp11.org

# Reference: https://twitter.com/EKFiddle/status/1187034052227784704

/lsdioss612ns.js

# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584
# Reference: https://www.virustotal.com/gui/domain/humsoolt.net/relations

humsoolt.net

# Reference: https://twitter.com/tkanalyst/status/1190975614766833664

/bootstrap.minfc4a.js
/ghost-sdk.minfc4a.js
/highlight.packfc4a.js
/jflickrfeed.minfc4a.js
/jquery.fitvidsfc4a.js
/mainfc4a.js

# Reference: https://wordpress.org/support/topic/malware-infected-file-wordpress-core-wp-includes-wp-tmp-php/
# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584

/afu.php?zoneid=
/apu.php?zoneid=

# Reference: https://www.virustotal.com/gui/ip-address/104.151.24.95/relations
# Reference: https://www.virustotal.com/gui/ip-address/128.14.150.144/relations

/index_files/analytics.js
/index_files/matc.js

# Reference: https://twitter.com/xuy1202/status/1195701523797303296

adsnet.work

# Reference: https://twitter.com/killamjr/status/1198093080966115330

boot-uprenewedintenselyproduct.icu

# Reference: https://twitter.com/xuy1202/status/1199347607920734208

ask-us.pro
askus.mobi
cheofaabridri.gq
forumdownloadforall.mobi
mykeitonly.info

# Reference: https://twitter.com/xuy1202/status/1199595200949059584

/js/jquery/advListRotator.js

# Reference: https://twitter.com/nullcookies/status/1200576466150477824

/js/faker_secrets.js

# Reference: https://twitter.com/xuy1202/status/1201778263271436289

cdn.buycongestion.com
top.worldtraffic.com

# Reference: https://twitter.com/gwillem/status/1201647716352380929

sequracdn.net
live.sequracdn.net
/modrrnize.js

# Reference: https://twitter.com/JCyberSec_/status/1201850074822778880

/5c3a398f10058.js

# Reference: https://twitter.com/JCyberSec_/status/1201850062994903045

/jquery_noconflict.js

# Reference: https://www.getastra.com/blog/911/how-magecart-attackers-are-continuing-to-affect-e-commerce-platforms/

/js/everlast.js
/js/mage.js

# Reference: https://twitter.com/JCyberSec_/status/1202575691365191680
# Reference: https://www.virustotal.com/gui/domain/marketplace-magento.com/relations
# Reference: https://www.virustotal.com/gui/ip-address/181.214.86.150/relations
# Reference: https://www.virustotal.com/gui/domain/phplib.net/relations

/authoriz-getway.js
/authorizenet-getway.js
/BancesellaGetway.js
/bancasella-getway.js
/braintree-getway.js
/direct-getway.js
/gestpaypro-getway.js
/PaymentGetway.js

# Reference: https://twitter.com/gwillem/status/1202602117510451200

2chat.top

# Reference: https://twitter.com/JCyberSec_/status/1202903192192901120

/js/AuthorizenetMagento.js

# Reference: https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

/vmartgo.js

# Reference: https://twitter.com/xuy1202/status/1204778227517935616

/2RuLm5ldHdvcmsx.js
/9nRYFAGehAFJJ7u.js
/klei53Wl6dT2bSF6S.js

# Reference: https://twitter.com/ninoseki/status/1204971169658523649
# Reference: https://www.virustotal.com/gui/ip-address/1.171.162.250/relations

/user_info_uploader

# Reference: https://twitter.com/JCyberSec_/status/1206919450802438144
# Reference: https://twitter.com/JCyberSec_/status/1206919471597850624

/5c117b7b019cb.js
/5c12fffeea71e.js
/5c21f3dbf01e0.js
/5c3a398f10058.js
/5c13086d94587.js
/5d94c29e12536.js
/5d2c953326774.js

# Reference: https://twitter.com/killamjr/status/1207685407229526023

sgamno.com

# Reference: https://twitter.com/tkanalyst/status/1210663918953123841

/3pik20j30ri0f17q37u2s4mkms.js

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1213878934514864128

site-great.xyz

# Reference: https://twitter.com/JayTHL/status/1214207517590511616
# Reference: https://twitter.com/JayTHL/status/1214240539563966465

static.srcspot.com
/libs/carlos.js
/libs/darrel.js
/libs/galindo.js

# Reference: https://twitter.com/aglongo/status/1214575812646752259

/js/b76dadb06c3582b7f598111d60f2f944.js
/js/ee497bb12cf272d333449cd79582c289.js
/js/34dbc8a61ab0c8e3f7fc444d83b8a3d4.js

# Reference: https://twitter.com/ScumBots/status/1218627885579362304
# Reference: https://twitter.com/pmelson/status/1218655235205451777

149.248.1.128:443
149.248.1.128:80

# Reference: https://twitter.com/unmaskparasites/status/1219611201891708928

admarketresearch.xyz
adsformarket.com

# Reference: https://twitter.com/matr0cks/status/1220418827751763969

/jqueryprivatesecurity.js
/onloadsecurityvalidate.js

# Reference: https://twitter.com/unmaskparasites/status/1206662128213594117

whoisloookup.com

# Reference: https://twitter.com/pjcampbe11/status/1222556092242317315
# Reference: https://www.helpnetsecurity.com/2019/09/24/cve-2019-1367/
# Reference: https://otx.alienvault.com/pulse/5e32f827509fbbbeb2d3ee2a

202.122.128.28:80
largeurlcache.com

# Reference: https://twitter.com/david_jursa/status/1223740643912093696

/fc1i4iicca17n7p0h8mrsb0jfs.js
/lhglbfj4if5d1hisd2iuha1670.js

# Reference: https://twitter.com/FaLconIntel/status/1229004752312078336

/veugi45pre97c4koiurgjg0ar0.js

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

coolbrowsering.xyz
alfapromo.info
archivepoisk-zone.info
onlinemobsoft.ru
anyaaplanet.info
decentsite.xyz
archivepoisk.info
sympleplace.info
adsmeneger.club

# Reference: https://twitter.com/felixaime/status/1236196571928236037

scriptcdn.info

# Reference: https://twitter.com/unmaskparasites/status/1241068775157510144
# Reference: https://publicwww.com/websites/%22scriptalicious.info%22/

scriptalicious.info

# Reference: https://twitter.com/blackorbird/status/1245597745403969544

/t0uch/tou64.js
/t0uch/tou86.js

# Reference: https://twitter.com/d09r_/status/1245306272175419392

/o93jak2nm1k2.js

# Reference: https://twitter.com/unmaskparasites/status/1250469460617637891
# Reference: https://www.virustotal.com/gui/domain/stivenfernando.com/relations

stivenfernando.com

# Reference: https://twitter.com/fahadsoror/status/1251638383245475840

underthebreach.com/breach-protection

# Reference: https://www.kitploit.com/2020/04/flux-keylogger-modern-javascript.html

/42963187845881.js

# Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/

coronamasksupply.com
coronavirusinrealtime.com
coronashirts.store

# Reference: https://sansec.io/labs/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/

/19303817.js

# Reference: https://www.virustotal.com/gui/domain/crisgrey.com/relations

crisgrey.com

# Reference: https://www.virustotal.com/gui/domain/cdn-js.net/detection

cdn-js.net

# Reference: https://twitter.com/unmaskparasites/status/1260542044747059200

digestcolect.com
css.digestcolect.com
js.digestcolect.com

# Reference: https://twitter.com/CERT_Polska_en/status/1270623116931317760
# Reference: https://pastebin.com/raw/Ap38Fr7e
# Reference: https://pastebin.com/raw/YyYs8Her

/myjs28_frr_b7.js
/myjs28_frr_c1.js
/myjs28_frr_j2.js
/myjs28_frr_n01.js
/myjs28_frr_n02.js
/myjs28_frr_s17.js
/myjs28_frr_s20.js
/myjs28_frr_s21.js
/myjs28_frr_s22.js
/myjs28_frr_s23.js
/myjs28_frr_s29.js
/myjs28_frr_s30.js
/myjs28_frr_s31.js
/myjs28_frr_s33.js
/myjs28_frr_s35.js
/myjs28_frr_s36.js
/myjs28_frr_s37.js
/myjs28_frr_s38.js
/myjs28_frr_s39.js
/myjs28_frr_s4.js
/myjs28_frr_s45.js
/myjs28_frr_s47.js
/myjs28_frr_s48.js
/myjs28_frr_s49.js
/myjs28_frr_s50.js
/myjs28_frr_s51.js
/myjs28_frr_s52.js
/myjs28_frr_s55.js
/myjs28_frr_s7.js
/myjs28_frr_w1.js

# Reference: https://twitter.com/ScumBots/status/1271482475546660864

141.255.154.194:1666
fivemmods222.ddns.net

# Reference: https://twitter.com/xuy1202/status/1272842659183255553

hellokity.in

# Reference: https://twitter.com/ScumBots/status/1274497302628098048

91.153.0.57:1556

# Reference: https://unit42.paloaltonetworks.com/script-based-malware/

assurancetemporaireenligne.com/c.js

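# Reference: https://twitter.com/yazilimci_adam/status/1297785340581883904 (Turkish)
# Note: the host name below sits under a mobile operator's own domain, so a match may also be ordinary subscriber traffic; confirm against the referenced report before alerting or blocking on it.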

176.235.38.79:8080
bilgilendirme.turkcell.com.tr

# Reference: https://www.virustotal.com/gui/domain/party-nwvqdtumtz.now.sh/relations

party-nwvqdtumtz.now.sh

# Reference: https://twitter.com/unmaskparasites/status/1308145960682426368

celolum.com

# Reference: https://twitter.com/david_jursa/status/1310659997324410880

vahjgkjhfkjdhkjdfhjdfj26a.s3-accelerate.amazonaws.com

# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/

googleads.store

# Reference: https://ideone.com/CYMY4

/eqq.all.js
/ggmainv3d0718.js

# Reference: https://twitter.com/EKFiddle/status/1326245935559692289
# Reference: https://www.virustotal.com/gui/ip-address/162.241.201.20/relations

/5fa7ae834efee.js

# Reference: https://twitter.com/david_jursa/status/1326648367049486337

/u5nrroma8jlrdredqooe4bl18o.js

# Reference: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

/include/static/template-letter.asp

# Reference: https://twitter.com/Circuitous__/status/1329218754979434496
# Reference: https://www.virustotal.com/gui/file/3b9af7c880f01b0a4773fbc06867276b3121f3ad588dbcf73eb1552e9c0bd108/detection

messaging-security.comano.us
secure-messaging.comano.us
comano.us

# Reference: https://www.virustotal.com/#/ip-address/85.17.26.65 (#URL section)

/boxMrenewal.php
/challengevdl.php
/dd.php
/girisi.php
/rerewp.php
/overviewshn.php
/signOnV2Screen.php
/Up-dating.php

# Reference: https://twitter.com/malwrhunterteam/status/1045622528541151232

/hows_yourfever.php
/introductio_n.php
/psycho.php
/review_me.php
/rootme.php

# Reference: https://www.virustotal.com/#/domain/manapowermta.us

/loomistech/gate.php

# Reference: https://twitter.com/nullcookies/status/1019569151503986689

/bc0de.php

# Reference: https://twitter.com/devnullek/status/1020015255144017920

/order588.php

# Reference: https://twitter.com/YouMayBeHacked/status/1040368782408069120

/Kostenaufstellung.169156596183882049609578.php

# Reference: https://twitter.com/James_inthe_box/status/1048277465397751808

/onlinegoogle.php

# Reference: https://twitter.com/YouMayBeHacked/status/1048341985319444481

/Abrechnung-76-31210998378353168993665795447.php

# Reference: https://twitter.com/DissectMalware/status/1048329071061606400

/90AS98DF.php

# Reference: https://www.hybrid-analysis.com/sample/f65ba1cc50b29dd05ddaa83242f4b7bd0429841bfc4befa9e203cb6621d2389b?environmentId=100

/loader_mn.php

# Reference: https://twitter.com/James_inthe_box/status/1053668299165229056

/loader_ma.php

# Reference: https://twitter.com/nullcookies/status/1054496925469343744

/anzhuo.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/IpNigh/status/1107567316148150274

/universalmail-notifications/updates.php

# Reference: https://twitter.com/Racco42/status/1102488453990830080

/masquare.php

# Reference: https://twitter.com/Racco42/status/1098218160111734789

nitdesenders.tianat.cat/tmp/signup.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1103983033307271168

/photo/123.php
/Sep2018/gsm.php

# Reference: https://twitter.com/benkow_/status/1085483319347867649

/public/hydra.php

# Reference: https://twitter.com/anyrun_app/status/1060858198599577601

/ghuae/huadh.php

# Reference: https://twitter.com/pollo290987/status/1108755025604591622

/loro_4.php

# Reference: https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

statconuter.com/c.php

# Reference: https://twitter.com/James_inthe_box/status/1109832439700971520
# Reference: https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e

/loadbase1.php

# Reference: https://twitter.com/malwrhunterteam/status/1111630255763189761

/D2017HL/u.php

# Reference: https://twitter.com/IpNigh/status/1111919996266049536

/ahzhnobu48jgm1rksb2zl3sc.php

# Reference: https://twitter.com/IpNigh/status/1111904352053198848

/challengevdl.php

# Reference: https://twitter.com/IpNigh/status/1111872373446377472

/overviewshn.php

# Reference: https://twitter.com/executemalware/status/1112337168138149888

/phpmailer/Pmxyz.php

# Reference: https://twitter.com/albertzsigovits/status/1113096573284728839

/asfdh4/auth.php

# Reference: https://twitter.com/IpNigh/status/1113287915612798976

/49rrf856hqofcuq6mkdntfdp.php

# Reference: https://otx.alienvault.com/pulse/5ca5e12bcf299875864044a6
# Reference: https://www.securityartwork.es/2019/04/02/militaryfinancingmaldoc/
# Reference: https://blog.trendmicro.co.jp/archives/19054

/7773/index.php
/9125/gate.php

# Reference: https://www.bromium.com/mapping-malware-distribution-network/
# Reference: https://otx.alienvault.com/pulse/5ca7142dd898276082584a58

/olala/get.php

# Reference: https://twitter.com/IpNigh/status/1114334454930190336

/hcu9e676hqzffjez47ec6ggd.php

# Reference: https://twitter.com/ViriBack/status/1114610878056402945

/class-walker-page-up.php

# Reference: https://twitter.com/VK_Intel/status/1080919080616439808

/spr_updates.php

# Reference: https://twitter.com/packet_Wire/status/1118528816509591552

/rz7g271ct2iv65rmhwwq42bu.php

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1122804929452814337

/2abjk95b4kwbdpnfdn7uewhr.php

# Reference: https://twitter.com/pancak3lullz/status/1123233975252787200

/ya63omxqknnm4ar8vb8evwje.php

# Reference: https://twitter.com/GelosSnake/status/1123540164268183552

/mnbv/handler.php

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834

/rwrw66/1111z.php
/rwrw66/2222z.php

# Reference: https://twitter.com/JCyberSec_/status/1124290346668777505

/g4f9sokfo2ecegn2twq4u3t7.php

# Reference: https://app.any.run/tasks/3068b154-d6f2-4483-ae72-60fbd5f3467f
# Reference: https://www.virustotal.com/gui/file/0cbf6190e0a381a0ec20a2b54156f06615453bb80ae2e1256242cb8af96b065d/detection
# Reference: https://www.virustotal.com/gui/file/cd5eeddb8eb8074b97583b653cbcf627da475debbb3070284fd6c6446f9eec97/detection

/cmd.php?hwid=
/cmd.php1?hwid=
/cmd.php?timeout=

# Reference: https://twitter.com/JAMESWT_MHT/status/1126020627075403776

/pabury473675.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1126109441651245057

/v2i.php?need=

# Reference: https://twitter.com/malwrhunterteam/status/1126821015567384582

authconfig.imrris.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126830402834968576

authconfig.motonsoft.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126834434504822789

oneonlinetrue.com/cgi-bin/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126835745640067074

razire.com/root/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126837652571992065

ptlonghigroup.us/01001/pain.php
ptlonghigroup.us/01001/pain2.php
/01001/pain.php
/01001/pain2.php

# Reference: https://twitter.com/malwrhunterteam/status/1126844312053067776

/spemmg.php

# Reference: https://twitter.com/malwrhunterteam/status/1126848369190686721

oneonlinetrue.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126850750708109315

creacionesdelsac.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126855753791356928

poa-oreo.co.uk/racks/space/p.php

# Reference: https://twitter.com/malware_traffic/status/810966197881671680
# Reference: http://malware-traffic-analysis.net/2016/12/19/index.html

/drb31.php
/d8/ul.php

# Reference: https://twitter.com/malwrhunterteam/status/1127945201841049600

namecakes.com/epl/ajax.php

# Reference: https://twitter.com/WifiRumHam/status/1127971696126783488

westflies.com/api/api.php

# Reference: https://twitter.com/JayTHL/status/1128173436889653248

/send/ab-apr29-1.php
/send/ab-apr29-2.php
/send/cj-apr27-1.php
/send/cj-apr29-1.php
/send/cj-apr29-2.php
/send/cj-may4-1.php
/send/m24m24-1.php
/send/m24m24-2.php
/send/m24m24-3.php
/send/m24m24-4.php
/send/f13m13-1.php
/send/f13m13-2.php
/send/f13m13-3.php
/send/f13m13-4.php
/send/f13m13-5.php
/send/a10j10-1.php
/send/m10a10-1.php
/send/azu.php
/send/was.php

# Reference: https://twitter.com/JayTHL/status/1129865519417499651
# Reference: https://pastebin.com/raw/mU7abvT9

/attiinnddeexx.php

# Reference: https://twitter.com/JayTHL/status/1131329627954319361
# Reference: https://pastebin.com/raw/g8bhsb4G

/6i5aiewuz0xprm8htmrrhhz9.php

# Reference: https://twitter.com/IpNigh/status/1131425432543408129

/index91484101498.php

# Reference: https://twitter.com/VirITeXplorer/status/1131816142199250944

/pagiy75.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135453581144969216

/v21in603.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135815803880820742

/pagighg66.php

# Reference: https://twitter.com/IpNigh/status/1136167409751138304

/plwnkfd8gcn5x317by4goj7c.php

# Reference: https://twitter.com/IpNigh/status/1136480809861419010

/vq5sinmcamguedpoak8epeh3.php

# Reference: https://twitter.com/packet_Wire/status/1137019106559967232

/hhhhh.php

# Reference: https://twitter.com/IpNigh/status/1138206277992161281

/o365ms.php

# Reference: https://twitter.com/cyberanalyzer/status/1140571010518978560

/main.jspsid.php

# Reference: https://twitter.com/IpNigh/status/1141059894021361666

/chaseind.php

# Reference: https://twitter.com/IpNigh/status/1142886176975675395

/l9ymhf8w6w11sjeay07wrkng.php

# Reference: https://twitter.com/ffforward/status/1143100705303158784

/klla.php

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.php

# Reference: https://twitter.com/killamjr/status/1113876111543492608

/newauto2.php

# Reference: https://twitter.com/IpNigh/status/1143687948619124737

/index91484101498.php

# Reference: https://twitter.com/smica83/status/1146648528846041089

/7gvbp7pbrrdp2j8o5y4iqfva.php

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

/AffdrDrr.php
/lickmyass.php

# Reference: https://twitter.com/IpNigh/status/1147295303931977733

/ubwa0opty4jnoerxyj8dtjra.php

# Reference: https://twitter.com/ps66uk/status/1148183374818873344

/publickprivate.php
/74_8_839.php
/fontandcolor.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1148562854808891392

/ddss0h9lipd6diuh5jan2w0t.php

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

/js/left.php

# Reference: https://twitter.com/IpNigh/status/1148676390759391234

/31npodfikdtpkgq6difyox4s.php

# Reference: https://twitter.com/IpNigh/status/1149168247683633153

/3mm9etr00x4b2ml4b0fhdv7f.php

# Reference: https://twitter.com/MalwarePatrol/status/1149383199904210944

/a1ev2wehp69sw2tjkua8wc39.php

# Reference: https://twitter.com/MalwarePatrol/status/1149769820709314561

/c9mq35lqup5b25sljr2qomce.php

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

/fredcvbgt.php
/swqazxcde.php
/trfvbnhy.php
/uythuycr.php
/yhnbgtrfv.php

# Reference: https://twitter.com/IpNigh/status/1150572125603934208

/info_secure_account.php

# Reference: https://twitter.com/YouMayBeHacked/status/1151197704090988544

/dna_excel.php

# Reference: https://twitter.com/adrian__luca/status/1151393084380459009
# Reference: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180/

/8yZ7YDpM2Cu3lqbB7WFJV19PE9mb1f8c.php
/XKIOEEEEE.KDJDD.php

# Reference: https://twitter.com/YouMayBeHacked/status/1152234246083424256

/myriad-pro-installerr.php

# Reference: https://twitter.com/IpNigh/status/1152929163797512194

/h1nnbwfsediifgz2yv3w09xs.php

# Reference: https://twitter.com/IpNigh/status/1153149383589933056

/l7mg85smredbpehm3gnp2g1n.php

# Reference: https://twitter.com/MalwarePatrol/status/1153699284497440771

/bxo2fxmx9ub9kg1ghf3xc9va.php

# Reference: https://twitter.com/IpNigh/status/1154707735524630528

/ah1who7vrexwov9pe3g57va9.php

# Reference: https://twitter.com/MalwarePatrol/status/1154815918461128705

/tw0207s24zsj7ukq21d7l0iw.php

# Reference: https://twitter.com/dvk01uk/status/1155068156471382023

/c6e905de8a762015cd177be60cd6bd67.php

# Reference: https://twitter.com/IpNigh/status/1155282939623727104

/k7xscuhn9fkiwczwud5t2kqq.php

# Reference: https://www.virustotal.com/gui/ip-address/173.231.184.61/relations

/mars/remote.php

# Reference: https://twitter.com/IpNigh/status/1156083556747268096

/outer_pag.php

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

/1Hqmyt597XO0ZNj9tXit7HZOMroEJu8c.php
/chihuahua-posting.php
/XKIOEEEEE.KDJDD.php

# Reference: https://twitter.com/IpNigh/status/1156311805154725888

/info_secure_account.php

# Reference: https://twitter.com/IpNigh/status/1156600041274040320

/u6ke0yj0s6btjdh22yrr62tj.php

# Reference: https://twitter.com/MalwarePatrol/status/1156627854572081152

/c3jccysjfbj8u3u9atw9vkff.php

# Reference: https://twitter.com/MalwarePatrol/status/1157493998577225728

/13rqsblgaqu1z4h04w7ql2kh.php

# Reference: https://twitter.com/MalwarePatrol/status/1157594231407632384

/i9eyybpavhc50wb8lcc7yle9.php

# Reference: https://twitter.com/MalwarePatrol/status/1157669728544088064

/a9di3q2br7kzvl1gl5rjh9pr.php

# Reference: https://twitter.com/MalwarePatrol/status/1158243497587204096

/2i729w0bw448s72mzt9c1pc0.php

# Reference: https://twitter.com/PhishStats/status/1158280905892519936

/o365ms.php

# Reference: https://twitter.com/IpNigh/status/1159063350103420928

/mwnsmre6in7pv7abig7tzfyu.php

# Reference: https://twitter.com/MalwarePatrol/status/1159617579469742082

/835pnjmr1w4p5ypvgcymfkkx.php

# Reference: https://twitter.com/MalwarePatrol/status/1161731505065988102

/acabx352of60k6h87abrrjg6.php

# Reference: https://twitter.com/James_inthe_box/status/1162068269387276289
# Reference: https://app.any.run/tasks/6812075f-1785-494f-9624-eda8b19943c3/

/add_bot.php

# Reference: https://twitter.com/ANeilan/status/1162803350511017985

/setoransnsv.php

# Reference: https://twitter.com/smica83/status/1163222123923615745

/transaction_find.php

# Reference: https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/

/addbot?hwid=

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

tqbeu.redirectvoluum.com
tqbeu.voluumtrk.com

# Reference: https://twitter.com/IpNigh/status/1164328397314699265

/9cfryg81syzg9u27cxh19tax.php

# Reference: https://twitter.com/MalwarePatrol/status/1164917499281989632

/8k1bkkn094xdivviaab8hs19.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1165926508084563968

/107741af5648cf.php

# Reference: https://twitter.com/luc4m/status/1166558549742411777

/wnzwyq3o8jvv4fbjsc42sfvl.php

# Reference: https://twitter.com/malware_traffic/status/1166838031556517888
# Reference: https://app.any.run/tasks/2141fadd-0379-404f-b8e1-917035910c4b/

/loader/gate.php

# Reference: https://twitter.com/MalwarePatrol/status/1167816610805161984

/s5a03tkf4q9d9nb73da3nhsi.php

# Reference: https://twitter.com/killamjr/status/1168904634498502656

/43333.php

# Reference: https://twitter.com/IpNigh/status/1169988952096432129

/d8fo713p7xcqwe3gmej9ahtl.php

# Reference: https://twitter.com/tkanalyst/status/1170688633172443139

/c0nf1g.php
/c0nfig.php

# Reference: https://twitter.com/ViriBack/status/1170728460781871105

/configurationssss.php
/oficialmuieingaoaza.php

# Reference: https://twitter.com/MalwarePatrol/status/1172452149625643008

/j1x28e4tr691s8cen0eeu43d.php

# Reference: https://twitter.com/Cyberfishio/status/1173202856654057472

/rvqjseptt66izwsmtj5rwj6k.php

# Reference: https://twitter.com/MalwarePatrol/status/1174339575570980865

/b9aapumjlkzrcxw8sl4i2zor.php

# Reference: https://twitter.com/MalwarePatrol/status/1173826189577850880

/82gnq2z9u7lpl560f16htzzf.php

# Reference: https://github.com/eset/malware-ioc/tree/master/stantinko (# The Safe Surfing injected script)

safesurfing.me

# Reference: https://twitter.com/IpNigh/status/1173924979462823938

/101454858.php

# Reference: https://twitter.com/MalwarePatrol/status/1175502232978100231

/6b2vru1bujseuosd0gjvndag27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1176800786615087104

/bp5ayjj97kidyn89d9pw6jwq27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1177314170821382145

/3u0j30ly39gt9f4677hal1dj27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1178325835771711488

/kbhtz3rscf9vqr0l6gk40uxi27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/smica83/status/1177552932004401152

/ilqzck5hf6ypq465yzbhmvn7.php

# Reference: https://twitter.com/MalwarePatrol/status/1177676554517790721

/7u73zbven6ronnzmiqt7vf1q27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1178763720970919936

/2xc14iaupg8qto7r300jdtfy27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1177109960309858304
# Reference: https://app.any.run/tasks/947e97aa-fb67-4856-bcc7-297b4d14c9cd/

/stoc_post.php

# Reference: https://twitter.com/demonslay335/status/1000222227546148871

/pwd/write.php?info=

# Reference: https://twitter.com/bartblaze/status/980877270565957633

/wp-images/log.php?info=

# Reference: https://twitter.com/blackorbird/status/1178491520518770688

/patch/chkupdate.php

# Reference: https://www.fortinet.com/blog/threat-research/free-rugby-world-cup-streaming-foul-play.html
# Reference: https://otx.alienvault.com/pulse/5d93710f59fc94e047c15637

/tuname.php

# Reference: https://twitter.com/MalwarePatrol/status/1179262006068748290

/fgyt6678/login.php

# Reference: https://twitter.com/PhishFindR/status/1180032797156761600

/0147-wadho.php

# Reference: https://twitter.com/PhishFindR/status/1179987498128363520

/log1n.php
/ma53sk2.php
/sendrzlt.php

# Reference: https://twitter.com/MalwarePatrol/status/1180062277162156032

/k9ou2mlnk5rl6kbr0z68vz9x27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/PhishFindR/status/1180062995793285120

/bankpas_aanvragen.php

# Reference: https://twitter.com/420spiritz/status/1179903273995767808

/hijaiyh-panel.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-07-07-leakerlocker-mobile-ransomware-acts-without-encryption/leakerlocker-mobile-ransomware-acts-without-encryption.csv

/click.php?cnv_id=

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-10-24-badrabbit-ransomware-burrows-russia-ukraine/badrabbit-ransomware-burrows-russia-ukraine.csv

/flash_install.php

# Reference: https://twitter.com/PhishFindR/status/1180470680204259328

/wapG2app.php

# Reference: https://twitter.com/PhishFindR/status/1180455576616280066

/send_billing.php

# Reference: https://twitter.com/PhishFindR/status/1180395189652873217

/firstlog.php

# Reference: https://twitter.com/PhishFindR/status/1180289486074331138

/billing.php?ip=
/complete.php?ip=
/payment.php?ip=

# Reference: https://twitter.com/PhishFindR/status/1180274387527884805

/8rsiu3gu5vbwkznr6znv6kf3.php

# Reference: https://twitter.com/PhishFindR/status/1180334788575662081

/kox3k6ev4at2i4cyyn2tztcs.php
/ys26r01vhg6r8279hiqd5auc.php
/z7nnaf3qmjeh11pt174clb89.php

# Reference: https://twitter.com/IpNigh/status/1181466510172315648

/uim4vz14u9o4un7m819o3a7azt.php

# Reference: https://twitter.com/PhishFindR/status/1181572952598499334

/3wd1abbmevsxjvq8702v8vwy.php

# Reference: https://twitter.com/PhishFindR/status/1179745909783109632

/ondetverifier.php

# Reference: https://twitter.com/PhishFindR/status/1179715711465377793

/zweryfikowany.php

# Reference: https://twitter.com/PhishFindR/status/1180757572023934977

/capatcha.php

# Reference: https://twitter.com/IpNigh/status/1180896155108020224

/directe-demande-compte.php

# Reference: https://twitter.com/MalwarePatrol/status/1181224949215834114

/s2sdjgls74n39hucqyuddblu27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://www.virustotal.com/gui/ip-address/54.39.233.175/relations

/kksahc.php

# Reference: https://twitter.com/PhishFindR/status/1181557852407812096

/fullz.php

# Reference: https://twitter.com/JCyberSec_/status/1182281930823258114

/indexbabo.php

# Reference: https://twitter.com/JCyberSec_/status/1182284439679881216

/index50G.php

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

/sthadd.php

# Reference: https://twitter.com/cocaman/status/1182339090420830208

/Invoicely.php

# Reference: https://twitter.com/malware_traffic/status/1182456890095259652

/2hd3.php
/hyyfydd35.php

# Reference: https://twitter.com/MalwarePatrol/status/1182749989480685568

/2s2jgyug9537ov3guofwa2da27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1182885899702591488

/pev5x30ugjedndsjt86lqkb527524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/PhishFindR/status/1182826217206091777

/lastdesj.php

# Reference: https://twitter.com/PhishFindR/status/1182947001622843392

/OrgSurveyMonkeyincorrect.php

# Reference: https://twitter.com/PhishFindR/status/1183294298017673216

/redirectlog.php

# Reference: https://twitter.com/ecarlesi/status/1183416858948636672

/outherename.php

# Reference: https://twitter.com/MalwarePatrol/status/1183610672527171584

/hfgf5jrvfx6odl7xi6bbndz5.php

# Reference: https://twitter.com/yvesago/status/1181541621705383936

/jizz2.php

# Reference: https://twitter.com/PhishFindR/status/1183762397649080321

/ob_anmelden.php

# Reference: https://twitter.com/MalwarePatrol/status/1184199568021508096

/61tgu20b80ylafuzev5cfx9427524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1184410933378113536

/8mh8tkv75bx8vne8k3w33hex.php

# Reference: https://twitter.com/MalwarePatrol/status/1184561928443699200

/wx6xy08d1bdand1ekx3b5bc927524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/IpNigh/status/1185208281750487040

/EasyWeb%20Login1.php

# Reference: https://www.virustotal.com/gui/file/8890413aaf104d61f7736558350252d63e55e370449ebcec8812f5a1637ed12e/detection

/nsy6z9ybvhrts5nm6inzf2ld.php

# Reference: https://www.virustotal.com/gui/file/d10c51034be9e3e5338e378900ca5eabff72eb3b02ef34a3e37146a656b62821/detection

/box3Drenewal.php

# Reference: https://twitter.com/MalwarePatrol/status/1185784986303188992

/5u0ytv3c71064zvzsdonbhhi.php

# Reference: https://twitter.com/MalwarePatrol/status/1186380237090766848

/7ojr9y8dx5ywd6cnc33nc2ro.php

# Reference: https://twitter.com/PhishFindR/status/1186570877485420544

/iqov6j5ohz02kv3x1w5sbrvl.php
/okbppq6lqo7ld2y9a31343oi.php
/x2khxmw4n64wzm1g9rhi0j3f.php

# Reference: https://twitter.com/MalwarePatrol/status/1188608587297370112

/4ajm5od1mrxwz53ixra4iixa.php

# Reference: https://twitter.com/pancak3lullz/status/1192132907277733889

/DbegcjODZNhoeY10.php

# Reference: https://twitter.com/MalwarePatrol/status/1193108234422358016

/b5t67uhgo6mofy2cy6plw5ao.php

# Reference: https://twitter.com/MalwarePatrol/status/1193259233325830144

/a8f393621f61442943b4f24c.php

# Reference: https://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html

/yolo/admin/settings.php

# Reference: https://twitter.com/James_inthe_box/status/1193965109552406528

/c7afb5603b20fe.php

# Reference: https://twitter.com/MalwarePatrol/status/1195358076574085121

/ftzxrdyd4bzn34urui0wjjf2.php

# Reference: https://twitter.com/chybeta/status/1196250816476139520

/wp-content/plugins/super-socialat/super_socialat.php

# Reference: https://twitter.com/PhishFindR/status/1197533121052323840

/rbcgi3m01.php

# Reference: https://twitter.com/James_inthe_box/status/1197577070500401152

/ftsp2fflm.php

# Reference: https://twitter.com/MalwarePatrol/status/1197607895656992769

/h7mcpj41d18meamdw8t6gwcb.php

# Reference: https://twitter.com/killamjr/status/1198093080966115330

/dickygg.php

# Reference: https://twitter.com/JayTHL/status/1199362012368789504

/slamduncker.php

# Reference: https://twitter.com/0xCARNAGE/status/1199700157127892992

/8fdbb8f102faff.php

# Reference: https://www.virustotal.com/gui/ip-address/54.202.202.94/relations

/9609e559db7a36.php

# Reference: https://www.virustotal.com/gui/ip-address/194.187.249.103/relations

/56rgwr3ymoyb5pmftfxp18b4.php
/7shgj1hwpp80tlf4s8yqcb4r.php
/jd7j9mmyypufdw808gtr8wfu.php

# Reference: https://app.any.run/tasks/b480973a-0b99-46ad-9a74-6fab20fc206e/

/YrgGyhkU6V8R0i3s.php

# Reference: https://twitter.com/stoicbird/status/422824507192008705

/c/feed.php
/c/form.php

# Reference: https://twitter.com/IpNigh/status/1204464565800583169

/home3e6e.php

# Reference: https://twitter.com/PhishFindR/status/1207015599890747397

/processar_1.php
/processar_1-1.php
/processar_2.php
/processar_2-2.php

# Reference: https://twitter.com/unmaskparasites/status/1207356669052801024

zctrack.com

# Reference: https://twitter.com/PhishFindR/status/1207755477565751296

/fcc-authenticazione.php

# Reference: https://twitter.com/MalwarePatrol/status/1208404034346004487

/t4t3bcw368wwno9zlciqr244.php

# Reference: https://twitter.com/MalwarePatrol/status/1208977815481307137

/1djx9hic7893s4ibzf3dtnjf.php

# Reference: https://twitter.com/nao_sec/status/1209090544711815169

/jppropellerads.php

# Reference: https://twitter.com/MalwarePatrol/status/1209853585141501952

/xbwzo420wz1r6frvy127b3zl.php

# Reference: https://twitter.com/MalwarePatrol/status/1210215974600945667

/sf2u6eovopsz6qqcv0unjld1.php

# Reference: https://twitter.com/Vishnyak0v/status/1210528486512824321

/f8h7ghd8gd8/index.php

# Reference: https://twitter.com/MalwarePatrol/status/1210789744143060992

/qtt30bxz0x2n86r2ivlcdqkt.php

# Reference: https://twitter.com/MalwarePatrol/status/1211076635736379393

/kz3zscegcucigqia01ifzale.php

# Reference: https://twitter.com/MalwarePatrol/status/1211439022557605888

/5iosdxlj7wlaqxi5fca2f3an.php

# Reference: https://twitter.com/MalwarePatrol/status/1212465790873673728

/vola4ob2hwwrak36r8ytzcf2.php

# Reference: https://twitter.com/JCyberSec_/status/1214130157356822528

/7xctzza3vnuc6kx62lseaqsn.php

# Reference: https://twitter.com/wwp96/status/1214939236195086337

/5d54ff24322827.php

# Reference: https://twitter.com/MalwarePatrol/status/1218263998963077121

/1ynjmpv989zfji1p3mmyi73q.php

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1215267911666950145
# Reference: https://app.any.run/tasks/3d00b564-5584-41bf-bbc9-177f53315c96/
# Reference: https://www.virustotal.com/gui/ip-address/18.219.52.4/relations

/PediuPraPostarPostou.php
/PostaEstaPorra.php
/VaiPostaProPai.php

# Reference: https://twitter.com/dubstard/status/1215705048824655873

/secure-bankofamerica-personal-information-update.php

# Reference: https://twitter.com/MalwarePatrol/status/1219351173024624640

/1yroihdrc99ceanyt77k0h82.php

# Reference: https://twitter.com/wwp96/status/1219614957416873984

/d380803e561db4.php

# Reference: https://twitter.com/dubstard/status/1219703659111636993

/tDxhinc.php

# Reference: https://twitter.com/IpNigh/status/1220249931946037249

/yo0io9tpd5y85cjgsivluoif.php

# Reference: https://www.virustotal.com/gui/domain/newbook-t.info/relations

/downloadcdneu98680113.php
/downloadcdnus46745341.php
/downloadcdnus46745343.php

# Reference: https://twitter.com/IntezerLabs/status/1221789726702800897

/ddos.php

# Reference: https://twitter.com/MalwarePatrol/status/1222099275607351296

/2gv5x6lg8sugbhjmtg7ezufe.php

# Reference: https://www.virustotal.com/gui/domain/web.riderit.com/relations
# Reference: https://app.any.run/tasks/193b764b-c408-4226-9a66-8400d1b1f4f9/

/0251e9e6dd2b6761318cf74b9c7cfbcc.php
/21a44295fbc5e240b8897759c8d4ecbd.php
/2eff7f856c921b9679658fc1076ad8df.php
/3192bf6e779334e01ff1f354b369e992.php
/3a6966fd4933d209199b9bf401c56325.php
/42f5aabbcbba40b021ac48b5d03424eb.php
/4a122e1be14c64455d732d6809397908.php
/4c76a53c02e96376537dd399c26d42e6.php
/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php
/597684641290261a2d9b5e4f3c31448f.php
/5a2eec141864de49a45bb29ac52dbe6b.php
/5fa33fb8aff4f22b08f6371b434982ae.php
/7b86de71fe96e99fdb691ef6232bf67d.php
/824e747ac0a4b302b94c5c8811aecffc.php
/921f92a5d1a046bfb48a3c9ea2e85893.php
/93b9f5a0890ae2b6cfbfd44ab5f5698f.php
/9e9ec25815b236f8481bf58f872f9499.php
/a647cd724dccdc618bde9486f9048c1d.php
/a8d7ca744ce9804d9684ead43bcc3f12.php
/c516cd9f3d02c0a9657652b835170278.php
/c6e905de8a762015cd177be60cd6bd67.php
/c899b67fe5f3939e234fa5e427fda4eb.php
/dd45006971f6dc8fe2abe8ea9904a2fe.php
/dd7e6cce27c6cc2b70d705559c9a158b.php
/de33e172deb9cd1a01cc95a3198b5ff2.php
/dedfa9292432a75b835f7e73b6f3b84f.php
/e649d1894bdae5a5d60226290297fdf3.php
/e6f482cc5f9dd0a1d18cb925499c1e6b.php
/ea0645ba64ff256edb90e1c12a0a4cdb.php
/ef0390ca68e9e2a0e3851e0cf6b22353.php
/f7d2dd7b5bdd9919634388790cc9c4fa.php

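# Reference: https://twitter.com/unmaskparasites/status/1222242298404179970
# Note: both names below are generic and listed without a host; treat a hit as a lead and corroborate it with the destination host and the response content before escalating.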

/backdoor.php
/inject.php

# Reference: https://twitter.com/smica83/status/1222440174489100288

/5h5qibac2xyhjtvuig3gaabo.php

# Reference: https://twitter.com/MalwarePatrol/status/1224424598650966018

/8gtd3b4wfigyiks4byoj5jyd.php

# Reference: https://twitter.com/MalwarePatrol/status/1226236539216257024

/6x39zirn3k4gr0njt1fotypx.php

# Reference: https://twitter.com/MalwarePatrol/status/1225285279050870784

/0cpc8mjcq211xolw8ma10v2j.php

# Reference: https://twitter.com/MalwarePatrol/status/1226885813667074049

/pn4nfl0niuptkem28h804gz5.php

# Reference: https://app.any.run/tasks/9683cba3-6fcd-4264-91f1-575da5329677/

/api/X.php

# Reference: https://twitter.com/ninoseki/status/1223376549287620610

/0cpc8mjcq211xolw8ma10v2j.php

# Reference: https://twitter.com/MalwarePatrol/status/1227535087438311424

/lg50lqqckgrorhfbk7z0nt07.php

# Reference: https://twitter.com/MalwarePatrol/status/1228410873984831489

/2qs8brx2ayrqu6954pwroacc.php

# Reference: https://twitter.com/MalwarePatrol/status/1228471256787439616

/5r9z334kjramxzfizndwlq98.php

# Reference: https://twitter.com/MalwarePatrol/status/1233484287393046533

/ioor2y6d10o6knz0pj1tweua.php

# Reference: https://twitter.com/IpNigh/status/1233182231964856320

/s7d5b2g45htrj028xo0y00gu.php

# Reference: https://twitter.com/MalwarePatrol/status/1231370355291414529

/67u7is2tdmnp9bj0pr4511f8.php

/ZuluDaka1.php
/ZuluDaka2.php
/ZuluDaka3.php
/ZuluDaka4.php
/ZuluDaka5.php
/ZuluDaka6.php
/ZuluDaka7.php
/ZuluDaka8.php

# Reference: https://twitter.com/IpNigh/status/1224406954564517889

/captura01Controller.php

# Reference: https://www.virustotal.com/gui/file/f92ffc14ebc9ea2be74f7a6f73fa2055e345a42428171cee6491e6903816dce3/detection

/0ec71210595a57.php
/5d54ff24322827.php
/a92079a4564cf9.php
/b3a443d2dcbd9f.php
/d380803e561db4.php

# Reference: https://twitter.com/JayTHL/status/1227122437885698049

/74633a062dfc6c.php

# Reference: https://www.virustotal.com/gui/domain/ipblasta.com/relations

/860cce76152de2.php

# Reference: https://twitter.com/wwp96/status/1227265060566917120

/095ac16cdd62d1.php

# Reference: https://www.virustotal.com/gui/ip-address/89.208.229.55/relations

/acbf8e37fb139b.php
/ca4341dad4fe26.php

# Reference: https://twitter.com/pancak3lullz/status/1230522568026673153

/85b4aa12e220f7.php

# Reference: https://twitter.com/wwp96/status/1232396705028616197

/7b96d23b4371b5.php

# Reference: https://twitter.com/tkanalyst/status/1229794466816389120

/usexosell.php
/usflexexosell.php

# Reference: https://twitter.com/ANeilan/status/1232283590114840576
# Reference: https://twitter.com/JayTHL/status/1253459585731563522
# Reference: https://pastebin.com/8LL4Hg9e
# Reference: https://pastebin.com/trRiwBKQ
# Reference: https://paste.ee/r/v9aRR/0

bankss-71.cf
bankss-71.ga
bankss-71.gq
bankss-71.ml
bankss-71.tk
bantoom-71.ga
bantoom-71.gq
blessed-812.ga
blessed-812.gq
blessed-812.ml
blessed-812.tk
braums-74.cf
braums-74.ga
braums-74.gq
braums-74.ml
braums-74.tk
bucks-812.cf
bucks-812.ga
bucks-812.gq
bucks-812.ml
bucks-812.tk
cahult-71.cf
canjerry-812.gq
canjerry-812.ml
canjerry-812.tk
cost-812.ml
cost-812.tk
cynth-812.cf
cynth-812.gq
cynth-812.ml
cynth-812.tk
cynthia-812.cf
cynthia-812.ga
cynthia-812.gq
cynthia-812.ml
cynthia-812.tk
darklight-812.cf
darklight-812.ga
darklight-812.tk
empbomb-812.cf
empbomb-812.ga
empbomb-812.gq
empbomb-812.ml
empbomb-812.tk
enter-812.cf
enter-812.ga
enter-812.gq
enter-812.ml
enter-812.tk
fight-812.gq
fight-812.ml
grrrls-812.ga
grrrls-812.gq
grrrls-812.ml
grrrls-812.tk
haloest-71.tk
karthus-71.cf
karthus-71.ga
karthus-71.gq
karthus-71.ml
karthus-71.tk
knife-812.cf
knife-812.ga
knife-812.gq
lighter-812.ga
lighter-812.gq
lighter-812.ml
neekos-74.cf
neekos-74.ga
neekos-74.gq
neekos-74.ml
noirs-812.cf
noirs-812.ga
noirs-812.gq
noirs-812.tk
nukes-812.cf
nukes-812.ga
nukes-812.gq
nukes-812.ml
nukes-812.tk
outlak-71.cf
outlak-71.ga
outlak-71.gq
outlak-71.ml
pain-812.cf
pain-812.ga
pain-812.tk
ramen-812.ga
ramen-812.gq
ramen-812.tk
redmi-812.ga
redmi-812.gq
redmi-812.ml
redmi-812.tk
sense-812.cf
sense-812.ga
sense-812.gq
sense-812.ml
sense-812.tk
senses-812.ga
senses-812.gq
senses-812.ml
senses-812.tk
shift-812.cf
shift-812.gq
shift-812.ml
soliare-71.cf
soliare-71.ga
soliare-71.gq
soliare-71.ml
soliare-71.tk
soutma-71.cf
soutma-71.ga
soutma-71.gq
soutma-71.ml
soutma-71.tk
starsbucks-812.cf
starsbucks-812.ga
starsbucks-812.gq
starsbucks-812.ml
starsbucks-812.tk
suit-812.cf
suit-812.ga
suit-812.gq
suit-812.ml
tanta-71.cf
tanta-71.ml
tanta-71.tk
tratot-71.tk
trosl-71.cf
trosl-71.ga
trosl-71.gq
trosl-71.ml
trosl-71.tk
tunacan-812.ga
tunacan-812.ml
tunacan-812.tk

# Reference: https://www.virustotal.com/gui/domain/cureprm.com/relations
# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

/IlOysTgNjFrGtHtEAwVo/index.php
/IlOysTgNjFrGtHtEAwVo/indexx.php

# Reference: https://twitter.com/IpNigh/status/1233838562241589253

/akjajkajdjhdjh395984988487f87f87f87ddjdjdjhjhdjdj49858.php

# Reference: https://www.virustotal.com/gui/domain/suportedigital30hr.ddns.net/relations

/home3e6e.php

# Reference: https://twitter.com/Bitterman59/status/1233487861082677249

/rivkasej325jdew.php

# Reference: https://twitter.com/MalwarePatrol/status/1235220728787750912

/z2xtc6md0ucgi8pmwb86hezq.php

# Reference: https://twitter.com/James_inthe_box/status/1236318055203889158

/kraus6.php

# Reference: https://www.virustotal.com/gui/ip-address/37.72.171.98/relations

/package-delivery/snd_conti-data.php

# Reference: https://twitter.com/VK_Intel/status/983729623367270401

/vitamindisapproval.php

# Reference: https://twitter.com/James_inthe_box/status/1238606200154886144

/upload10.php

# Reference: https://twitter.com/nao_sec/status/1240261158113689601/photo/1

/8WFhndlp4soxNOGim5D2J0cYC9EBLtVyrU6R7ePuwjkMAqagKTv1.php

# Reference: https://www.virustotal.com/gui/domain/tokai-lm.jp/relations

/344sx.php
/98989776.php

# Reference: https://twitter.com/Rmy_Reserve/status/1241301496571953152

/eweerew.php

# Reference: https://twitter.com/MalwarePatrol/status/1241592719576829952

/9epq78sao4h2v1jpywaj2tai.php

# Reference: https://twitter.com/shiftybitshiftr/status/1242559823100559361

/53dd0276af1963ba832464402a418d85.php

# Reference: https://www.virustotal.com/gui/ip-address/216.170.114.99/relations

/b7eb90271b3f54.php

# Reference: https://twitter.com/DynamicAnalysis/status/1245437394473582593
# Reference: https://twitter.com/DynamicAnalysis/status/1247570159939747846
# Reference: https://twitter.com/DynamicAnalysis/status/1247916030183247872
# Reference: https://twitter.com/malware_traffic/status/1332410802641514496

/in2d2d.php
/wp-cran.php
/wp-crun.php
/wp-cryn.php
/wp-punch.php

# Reference: https://www.virustotal.com/gui/domain/webcindario0.dvrdns.org/relations

/tcvh0suizgqonzsegw2p71b1.php

# Reference: https://www.virustotal.com/gui/ip-address/184.168.221.42/relations

/g0t6q3hsierdb43h9rp0gpcf.php
/jog06tlwitnzupwsz7m429hdb8fefdb9c8e9aba0f526dc8176725f94.php

# Reference: https://www.virustotal.com/gui/url/d7a8b43a2ef3439fa640b10dce6da642996535efe01d2c71321748fd803e6e46/detection

/l91opka52wljumjc5spkbhnc.php

# Reference: https://twitter.com/James_inthe_box/status/1248669623848853504

/cachetfmbUXkGerOtP.php
/_cachetfmbUXkGerOtP.php

# Reference: https://www.virustotal.com/gui/ip-address/141.8.194.74/relations

/9ldfcvv539grtjr1krbwrbsf.php

# Reference: https://twitter.com/elgofo/status/1251051263757815808

/ys9kbpsz873wam1qijuofe9e.php

# Reference: https://twitter.com/elgofo/status/1251059765452693506

/twnexzoamsfmi9k3jyi60dg8.php

# Reference: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

/azGovaz.php

# Reference: https://twitter.com/IpNigh/status/1252124774177943555

/11644210b.php

# Reference: https://www.virustotal.com/gui/file/17425e66428e284c2da73f3a7173e4291fb0b2bc76fd6d618921a9f0eb543340/detection

/upload/get.php?UID=
/upload/get-functions.php?UID=
/upload/message.php?UID=

# Reference: https://twitter.com/MalwarePatrol/status/1254714230265319426

/uphdird3igc2q2jhsgm9cez0.php

# Reference: https://twitter.com/IpNigh/status/1255422445047119872

/6ogyock6bqt55br29xz41y4ozt.php

# Reference: https://twitter.com/IpNigh/status/1255370965510479872

/c9t4x6ypwut14ouvps6kszaf.php

# Reference: https://twitter.com/dewan202/status/1255582744110862345
# Reference: https://www.virustotal.com/gui/file/7edacdf35900e722b798dbc891159cf1ede9f6d671a86b0f01f9ef802202aa73/detection
# Reference: https://www.virustotal.com/gui/ip-address/185.77.129.152/relations
# Reference: https://www.virustotal.com/gui/ip-address/93.115.38.132/relations

/jRizyPxmRnO.php
/mskzrpufe.php

# Reference: https://twitter.com/MalwarePatrol/status/1255801447318532096

/0lnzqew8fz6gzds536vlirop27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://pastebin.com/raw/0BrjR63Q

/bxhhylagbbbw.php
/n2t00y42r6.php

# Reference: https://twitter.com/malwrhunterteam/status/1255903574023983108

/trackattachment.php

# Reference: https://twitter.com/malwarefr0gg0z/status/1255573957844983808

/ThreatProvider/bot.php

# Reference: https://twitter.com/JayTHL/status/1256103956717109249

/logiinnnnn.php

# Reference: https://twitter.com/MalwarePatrol/status/1256888609074024448

/cjp06ozeq4j00p66uek5qokp27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/malwrhunterteam/status/1257660701428142080

/4ij6qw.php
/FC5pz8.php
/fnojg.php
/jikPcQ.php

# Reference: https://twitter.com/IpNigh/status/1257797957686112257

/rbcgi3m01.php

# Reference: https://twitter.com/MalwarePatrol/status/1258051238924517376

/c65f9sbx5g0nhf74mxfbtort.php

# Reference: https://twitter.com/James_inthe_box/status/1258763270690713600

/0x5xmta6bazciio7llfg0l9e.php

# Reference: https://www.virustotal.com/gui/ip-address/5.9.226.4/relations

/server/das/dastoor.php

# Reference: https://twitter.com/PhishFindR/status/1259381536396369920

/rbcgi3m01.php

# Reference: https://twitter.com/PhishFindR/status/1259381536396369920

/confirmnewboa/login.php

# Reference: https://app.any.run/tasks/17b516fd-2351-4330-8cee-90caac222963/

/xuraca.php

# Reference: https://www.virustotal.com/gui/domain/vanillabean.bounceme.net/relations

/chase.com/fullz/billing.php
/chase.com/fullz/home.php
/chase.com/fullz/homepage.php
/chase.com/fullz/index.php
/chase.com/fullz/index2.php
/chase.com/fullz/index3.php
/chase.com/fullz/login.php
/chase.com/fullz/main.php
/chase.com/fullz/thanks.php
/chase.com/fullz/verify.php

# Reference: https://twitter.com/MalwarePatrol/status/1259636683781308416

/ncceg0dxw8nx6tnf0kdf1r9e.php

# Reference: https://twitter.com/MalwarePatrol/status/1259999082849976320

/6dp6zted83lurftrrxh1b2m5.php

# Reference: https://www.virustotal.com/gui/ip-address/46.21.147.111/relations

/11dniosilnj5b6y6ktrrlfhr.php
/4h925v7vfpulgdhjobci09bk.php
/dda0nwei0akmgjrbhdg7henb.php
/fiyycp4s6ye310a8r6q2zdie.php
/mr7xuen7osh0gjkeuam56bgw.php
/p8g7uxk09yytz1on4g8brq7p.php
/upnqi0usn8ej565w8msy1ui3.php
/vkdw36ry81rtlyq5yq49p5d1.php
/zjcya375wuoz6m9jk7mfim6s.php

# Reference: https://twitter.com/MalwarePatrol/status/1261312724627161088

/ykhao930gaptbm11s0duni86.php

# Reference: https://twitter.com/MalwarePatrol/status/1264060822327832576

/2a79hohpsm1vxuo1d0xuqoer.php

# Reference: https://www.virustotal.com/gui/file/3d3351726f3b5cd848ad58cabcc33c9dcd1c601cc1664f197f10b8b1adf7038b/detection

/qwegweherjhntrj.php

# Reference: https://twitter.com/MalwarePatrol/status/1264211826616786947

/dtsf394vt015wph23m7vxw4m.php

# Reference: https://twitter.com/MalwarePatrol/status/1264287322192871436

/xwlb5u9cbldxslwlfcxsp58k.php

# Reference: https://twitter.com/em1rerdogan/status/1264692980633436166

/xx1.php?user=

# Reference: https://twitter.com/romonlyht/status/1265444577319645184

/5ecdb4896b9f0.php

# Reference: https://twitter.com/MalwarePatrol/status/1266099238364209152

/k5imi5k4pngob7t9gf9phgrk.php

# Reference: https://twitter.com/MalwarePatrol/status/1266673024880836608

/qtc2l6i1lih17a2gfsu9qlpz.php

# Reference: https://twitter.com/MalwarePatrol/status/1266824062136918021

/ygc9ksbfjfy78fzq462kvyti.php

# Reference: https://twitter.com/MalwarePatrol/status/1269723128076386307

/uyg4by5obdovgilq4w9labte.php

# Reference: https://twitter.com/MalwarePatrol/status/1270221471135252480

/x65qn21ms238tz3enpyx1uum.php

# Reference: https://twitter.com/romonlyht/status/1270205743967301632

/5edf094170e13.php

# Reference: https://twitter.com/romonlyht/status/1273407575858442240

/5eeaae813aa67.php

# Reference: https://twitter.com/James_inthe_box/status/1273983069435789316

/9646f89fe77fb3.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1270997007180730368
# Reference: https://app.any.run/tasks/4dede486-355d-4e84-874c-d9318532db23/

/3e454986f0a072.php

# Reference: https://twitter.com/MalwarePatrol/status/1272471337903087616

/jh1evx1mbeeq2scfw051bo5p.php

# Reference: https://twitter.com/OttoScav/status/1272937840301813763

/omuscreativos.php

# Reference: https://twitter.com/MalwarePatrol/status/1273347106015674368

/em7fic0xazghxn8pg88lf9p1.php

# Reference: https://twitter.com/reecdeep/status/1273576796735377408

/ppos8.php

# Reference: https://twitter.com/abuse_ch/status/1275526243404972034
# Reference: https://bazaar.abuse.ch/sample/921138bc2b28d01a51e6673c6e61ba3237592d08875180e0b3749d8e47fdfd6d/

/tds.php?omz=

# Reference: http://benkow.cc/export.php

/admin---------.php

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

/desjardinsin.php
/nerr34.php
/ondetverifier.php

# Reference: https://twitter.com/killamjr/status/1280564058739990528

/ecnxg8w7d5suuciz4w1jv057.php

# Reference: https://www.virusradar.com/en/Win32_TrojanClicker.Clidak.A/description
# Reference: https://www.virustotal.com/gui/file/980ef75a800eba45c7cb64b4c1bcc61a3b0cdf92854c24dbf1ea0f3fe4cad944/detection
# Reference: https://www.virustotal.com/gui/ip-address/65.254.51.42/relations

/~pete19c/r.php

# Reference: https://twitter.com/Bl4ng3l/status/1283853966795780097

/niM4t1A9c4q.php

# Reference: https://twitter.com/jcarndt/status/1283799735065862144

/KFm63QEU7ArF.php

# Reference: https://www.virustotal.com/gui/file/d72133df3fee1d91fcab0adb532459b6c0044e7f8b4ca542fa3f6ae470b42be1/detection

/5c2eab368ebd00202fc7b56bb4a46f1ee67acd8e.php

# Reference: https://www.virustotal.com/gui/file/dacce09fd5829213606cef3f45d5bc43d4522183e54422eb4a5c7a404c69a6c2/detection

/bdeefbc5c36a0b584fa7c5330e493a7d22b741af.php

# Reference: https://www.virustotal.com/gui/file/44f3eb01406921d5605933abce49e5fe04cfe6a73f3fcb7380dc99765043ea2a/detection

/1dc5e926948fd82a85e7c085e0bf0c6db31969f3.php

# Reference: https://www.virustotal.com/gui/file/4bf6ec0d9ab95d7d7d4e1e7453a83ed731c9188fbe6d007834025f00791cdcb9/detection

/64d631e36c839e2964fcdc671f84e96bc9dcd7ca.php

# Reference: https://www.virustotal.com/gui/file/9fabd7b98f8972850549231d2ac2762ec1cad3ef8fdf3cb994d14c9c3ad17ba5/detection

/156b2b990971b28b12393cd82884a7d3.php

# Reference: https://www.virustotal.com/gui/file/0130797c1baa9ac6709693d7e357cd37cf4bfb48fe9bfaede723674bec4cde85/detection

/84a7d5fcbbe9a0cdcf1357c70cf326bed852c7ee.php

# Reference: https://www.virustotal.com/gui/file/41dcb2cb400c656826db00e368c5ddc4d254d69d5d9ab0cd6a63fd68bba2fb5f/detection

/901212b6cc3a718fd6012ed1ff31c04663ffeb8b.php

# Reference: https://www.virustotal.com/gui/file/b9024622a0e5c982db8b533e6c3a736d65d5c02bf01b4ff15d3fd770f4632443/detection

/86872acabed89173a9b729bb81eca3ab802559ca.php

# Reference: https://twitter.com/ANeilan/status/1291891899872301058

/animauxpinterest.xyz.php
/christmascookie.club.php
/christmascookie.xyz.php
/crochetscarf.xyz.php
/fkcement.xyz.php
/fkveternikviskol.xyz.php
/francepinterest.xyz.php
/frauenfrisuren.xyz.php
/gwangsanfc.xyz.php
/happytiere.xyz.php
/hausschuhestricken.club.php
/hausschuhestricken.xyz.php
/lksnadwislangora.xyz.php
/pinlab.xyz.php
/pinterest-yonlendirme.php
/pinterestdessert.club.php
/pinterestdeutschland.com.php
/pinterestdressing.club.php
/pinterestfashion.club.php
/pinterestfrance.xyz.php
/pinteresthairstyle.club.php
/pinteresttoptrends.club.php
/pinteresttrendstyle.online.php
/pinterestworld.xyz.php
/pinterestworldstyle.club.php
/pinterestworldtrend.club.php
/pinzoom.xyz.php
/strickenmodellen.xyz.php
/strickenschal.xyz.php
/tejer.xyz.php
/womanclub.xyz.php
/womanstyle.xyz.php

# Reference: https://twitter.com/MalwarePatrol/status/1293927664651317248

/buhib3i0r6dss6ar46e115s8.php

# Reference: https://twitter.com/MalwarePatrol/status/1294863800932487171

/wdpi76b16t6sl74ihdvkhlmx.php

# Reference: https://twitter.com/MalwarePatrol/status/1297038049134739456

/pjxgz4xbrlkw03ke7s91s4kx.php

# Reference: https://twitter.com/MalwarePatrol/status/1298125211934621703

/sxwrgoja78tufkckzfa3crgb.php

# Reference: https://twitter.com/MalwarePatrol/status/1300526033804894210

/wwyu1has496nieeoza8rhs22.php

# Reference: https://twitter.com/MalwarePatrol/status/1300812922835230720

/47kh3qv7uwl2qqwjew5hpbge.php

# Reference: https://twitter.com/MalwarePatrol/status/1300888418449268741

/jhj2bp54nql29m5rsrwsh4rb.php

# Reference: https://twitter.com/MalwarePatrol/status/1301613194415427584

/6lmwtif3htomluuo6wt3lrp2.php

# Reference: https://twitter.com/MalwarePatrol/status/1301975584252334080

/7n9zahad80idagj19vqtpurq.php

# Reference: https://twitter.com/MalwarePatrol/status/1302337970284965889

/p8omduqtiw8wojo4kimlp7p8.php

# Reference: https://twitter.com/MalwarePatrol/status/1303787522485563392

/4fnsez9i81l6mb42m2aw25jp.php

# Reference: https://twitter.com/MalwarePatrol/status/1325666690638680064

/ovj2lwziaeel3l2k5xuyzvbr.php

# Reference: https://twitter.com/jstrosch/status/1301718677419700224

/djqnonxwrv.php
/ezkwdjrwog.php
/smhcbhcdrm.php
/tjzyawxylv.php

# Reference: https://www.virustotal.com/gui/file/51060b4e21864f229b5945b24d66cb29c727641c36639de395ebc4c83b0860a9/relations

/aoluouscutao.php
/bapedoalrag.php
/bowevuyfjx.php
/budpugovuje.php
/dimaetepunagaji.php
/dkopezitecea.php
/duiifyts.php
/duwuypy.php
/eleqikbagkyoxu.php
/fujolnodes.php
/govepuc.php
/iodevbokyqki.php
/jekizeleiso.php
/khvopo.php
/luboduj.php
/mjojylefayh.php
/mufydoutvotug.php
/nyzapftutes.php
/offatoisejub.php
/omuzxby.php
/otzyyduzhyvob.php
/owusuedutipomib.php
/oziiolohordor.php
/pittiryc.php
/puxuecmu.php
/udjovezna.php
/uearapus.php
/uejoreyuip.php
/uelytohufojuyr.php
/ufipeqib.php
/ugpug.php
/uouhubeequsybyb.php
/uruhu.php
/uvzipaoluuu.php
/vpobacuy.php
/vyivelbv.php
/wivpyouqemuv.php
/xojabgovykou.php
/yjozpegovyhaa.php
/yufesoryzvepice.php
/yxopkufu.php
/zetamblareu.php
/zomlevyzui.php
/zoofavegup.php

# Reference: https://twitter.com/illegalFawn/status/1309542440995614720
# Reference: https://twitter.com/illegalFawn/status/1310518625573507072
# Reference: https://twitter.com/illegalFawn/status/1310947357534687232
# Reference: https://twitter.com/illegalFawn/status/1310972332404617216
# Reference: https://twitter.com/illegalFawn/status/1310959162822725638

/awagrncglvr.php
/aywjtcan.php
/beycdawf.php
/btdzdz.php
/bupvudvhjuo.php
/ernbfpsawct.php
/hqjdjnxn.php
/ijuljytf.php
/jgizmh.php
/jkdxpgwv.php
/kqqtedo.php
/liyqfa.php
/ljwvjup.php
/lsrmrt.php
/mmvvbg.php
/msayqpkvkyq.php
/mwmkajlpgg.php
/nevnal.php
/pursue.php
/pxglcxop.php
/rlcwhmlykz.php
/sdhrhg.php
/vopisiyx.php
/yblhzstgysf.php
/yymclv.php
/zpsxxla.php
/zxlbw.php

# Reference: https://twitter.com/KorbenD_Intel/status/1314251628959076353

/orMkdppaG1PQ0WgF.php

# Reference: https://twitter.com/JCyberSec_/status/1314208821368115202

/ixdxctmg5umaskdjtbnapfly.php

# Reference: https://twitter.com/MalwarePatrol/status/1315383937389277184

/v0k7mrdjuncsoof64kayjzal.php

# Reference: https://twitter.com/MalwarePatrol/status/1315519829948891136

/fhx2mavv4mmh750l4gv8kf9a.php

# Reference: https://twitter.com/MalwarePatrol/status/1315670825744424960

/j8kp4r7yuzfs5dzmnzhn10z1.php

# Reference: https://twitter.com/MalwarePatrol/status/1315746322478247942

/a9q4uvjm9qy5gdoafj26snhi.php

# Reference: https://twitter.com/MalwarePatrol/status/1316320102728585217

/457uizv6aeh7f2grvhxo8651.php

# Reference: https://twitter.com/MalwarePatrol/status/1316682492259299328

/7gtsw9a6qg5dqxkeibh8u8vf.php

# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/
# Reference: https://twitter.com/david_jursa/status/1318209187667714048

/mbl/2/ads.php
/mbl/2/change.php

# Reference: https://twitter.com/ffforward/status/1318868941821890569

/948493733774474746484738.php

# Reference: https://twitter.com/MalwarePatrol/status/1319657089267126274

/z08xniim0s5gnpxf2v0gu6hy.php

# Reference: https://twitter.com/MalwarePatrol/status/1322269303891263489

/u0mie8r79j3degt9tspqremw.php

# Reference: https://twitter.com/MalwarePatrol/status/1322556193076846592

/oprl3w53zz6gdprwsc4sl1ms.php

# Reference: https://twitter.com/MalwarePatrol/status/1323643357948715013

/6k555a3cpy5e2p4wlfy03b9a.php

# Reference: https://twitter.com/JCyberSec_/status/1325847530354184192

/7ihwqy7vhvly2nxe89hzgjo5.php

# Reference: https://www.virustotal.com/gui/file/cf1927ab098bdaace7eabc39ae410f39e47433a993ef602eb59dee5923bef042/detection

/uniq_traff.php

# Reference: https://ideone.com/CYMY4

/110786663424.php
/facebookinvisibledetector.php
/installht7.php

# Reference: https://twitter.com/malwaretracekr/status/1320367958485430275

/wowadto/job/wov-vellssz.php
/wov-vellssz.php

# Reference: https://twitter.com/jstrosch/status/1321681398139363333

/A7Ks0s6.php
/BAoLS9C.php
/Yv1pteWscript.php

# Reference: https://www.virustotal.com/gui/file/f1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b/detection
# Reference: https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/

/salem123.php
/salem123aas.php
/admin/config.php?password%5B0%5D=Inje3t0r3-Seraj

# Reference: https://www.virustotal.com/gui/file/33a7196538a17da13cc67b31162c14d0f3f473816b98f75f01709eda2b1464a7/detection

/power.php?getserver=

# Reference: https://app.any.run/tasks/97a9483e-5c62-46e2-9b78-fefd1dff32de/

/4b1cea4932c6b7.php

# Reference: https://gist.github.com/silence-is-best/bb68598afd9713235d9b11eeaf79ff52

/0cec3a12c251a5.php
/9c5fbf42bfe4ed.php
/e07ad886e055fb.php

# Reference: https://twitter.com/wwp96/status/1329243657556422658

/4q63b64z.php
/akidrfkemm.php
/amsettings.php
/bxujmzcluo.php
/demavohzgx.php
/dtxjocpkzg.php
/eihrqlvkmg.php
/koagnypcfr.php
/kwtnkxjalf.php
/mlsowmfrtk.php
/mwkttspbvj.php
/porjgiiksy.php
/ppjzoqvurh.php
/qtukgysibc.php
/teuqkrtldt.php
/tlpcugqfxj.php
/txqbiwppkd.php
/umsbhzotrc.php
/uyahdfhplr.php
/vhudmigwpw.php
/vjdzrelpvi.php
/wxmjntvjhi.php
/xhjoqlp8.php
/ydyauuhcji.php
/yleyzabdli.php
/ymnsyebskq.php

# Reference: https://twitter.com/ShadowChasing1/status/1329247256122322944
# Reference: https://twitter.com/ShadowChasing1/status/1475819281648553986

/getCommand?guid=
/getTargetInfo?guid=

# Reference: https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/

/caflexactive.php
/post.php?file=download

# Reference: https://twitter.com/malwrhunterteam/status/1331888599231565825

/o365server.php

# Reference: https://twitter.com/linecon0/status/1268862151214710787

/112254.php

# Reference: https://twitter.com/neutrify/status/1332235055469649920

/blvcksn0vv.php
/xxx.php?user=

# Reference: https://www.virustotal.com/gui/file/b858e24eac464afd49d6bf782557f946b03e5e97431a1987b09b0203b5636c97/detection

/Conumer1PirloS2S.php

# Reference: https://twitter.com/malwrhunterteam/status/1309044455018725381
# Reference: https://twitter.com/MaelSecurity/status/1333312479129202688

/PayPal_Desktop.php

# Reference: https://twitter.com/malwrhunterteam/status/1333499691674329093

/avgaxrtjzt.php
/vnrlvvxwej.php

# Reference: https://www.virustotal.com/gui/domain/auroratd.cf/relations

/orMkdppaG1PQ0WgF.php

# Reference: https://www.virustotal.com/gui/file/a82a8fe9efbbaa4453be26645debe4a6e6077725171a982b90ed0a04bd6fb6ba/detection

/logsgate.php

# Reference: https://twitter.com/MalwarePatrol/status/1334228104995352578

/8suu7672mgcg1ws7n4222vpj.php

# Reference: https://twitter.com/ActorExpose/status/1338198557925519361

/ebtrj24mbq57ev5at3iupvjv.php

# Reference: https://twitter.com/MalwarePatrol/status/1367054402947866626

/143ipc5dm5nnvyu0737okk35ra.php

# Reference: https://twitter.com/neonprimetime/status/1335995482632581121

/merrybe/post.php

# Reference: https://twitter.com/ffforward/status/1335965749681250314

/75dfbfe5ddf77b.php

# Reference: https://twitter.com/MalwarePatrol/status/1336402429240373248

/5er0zed1j5xkqcmwupaqm6oy.php

# Reference: https://twitter.com/wwp96/status/1336830110050160640

/0f2005ac2d520c.php

# Reference: https://www.virustotal.com/gui/file/cd508affafb2152aa3511774518e1a4a150eb68f62d65208b0d477e83d0306a2/detection

/aaf0cc48f53372.php

# Reference: https://www.virustotal.com/gui/file/21c51bed18906fb1c167adb68146e2765d7a901f19f59029f3e58218b3ac1c37/detection

/e66d5b2b0b484d.php

# Reference: https://twitter.com/wwp96/status/1337109603151122432

/2520721a19a52c.php

# Reference: https://twitter.com/ffforward/status/1338190571249291264

/usd73h1szzz.php

# Reference: https://twitter.com/wwp96/status/1338510510736683009

/4a6f007e85f3e3.php

# Reference: https://twitter.com/wwp96/status/1339011510480351232

/04f1a6b86f59a0.php

# Reference: https://twitter.com/slayersecurity/status/1115635967875014656

/out-292242810.ps1
/out-1584466740.ps1

# Reference: https://twitter.com/slayersecurity/status/1115902366686031878

/spid.ps1

# Reference: https://twitter.com/x42x5a/status/1116272110912065536

/out-113489727.ps1
/out-734087850.ps1
/out-1137236610.ps1

# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf

/keylogger.ps1
/keylogger1.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1118768633377955840

/bs.ps1
/indiapro.ps1

# Reference: https://krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt

/abc.ps1
/sc.ps1

# Reference: https://securelist.com/muddywaters-arsenal/90659/

/km.ps1

# Reference: https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/

/ICAS.ps1

# Reference: https://twitter.com/VK_Intel/status/1093001266974916608

/dnipu.ps1

# Reference: https://twitter.com/blackorbird/status/1125308108773871617

/ipconfig.ps1

# Reference: https://otx.alienvault.com/pulse/5cd154f0905e39830df5e5f5

/ms17-010.ps1

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

/msinp.ps1

# Reference: https://twitter.com/DissectMalware/status/1126384963497205762

/bros.ps1
/out-1215218964.ps1
/out-1717054512.ps1
/out-1552287668.ps1
/papa.ps1
/youngest.ps1

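# Reference: https://twitter.com/sudosev/status/1126552059334070272
# Note: Invoke-Mimikatz.ps1 is a publicly available script name that authorized assessments also use; check a hit against the source host and any testing in scope before treating it as an intrusion.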

/Invoke-Mimikatz.ps1

# Reference: https://twitter.com/James_inthe_box/status/1131556358732443650

/out-821986920.ps1

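# Reference: https://www.virustotal.com/gui/domain/checkerrors.ug/relations
# Note: the reference ties these names to a single domain, but the entries below carry no host; a match on another server needs its own confirmation (serving host, file content).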

/payload.bat
/payload.hta
/payload.ps1
/payload2.bat
/payload2.hta
/payload2.ps1

# Reference: https://twitter.com/HONKONE_K/status/1133205335877885952

/coki.ps1
/gc.ps1
/java1.ps1
/ky.ps1

# Reference: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

/msctx.ps1

# Reference: https://twitter.com/reecdeep/status/1136581953770205185

/5WD3emSKcJoLcaDjAUCFj7.ps1

# Reference: https://twitter.com/p5yb34m/status/1138143258498949122

/PayAdvice.ps1
/remit.ps1
/remittance.ps1

# Reference: https://twitter.com/HONKONE_K/status/1139364022296272896

/done1.ps1
/done2.ps1
/putty.ps1
/x10.ps1
/x11.ps1
/x12.ps1
/xvid1.ps1
/xvid2.ps1

# Reference: https://twitter.com/h4ckak/status/1144173749056315392

/shell.ps1

# Reference: https://twitter.com/FewAtoms/status/1144636921437655041

/GetPass.ps1
/payload.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1149574068435218432

/pps.ps1

# Reference: https://twitter.com/James_inthe_box/status/1150418960464039936

/ppx.ps1

# Reference: https://twitter.com/ViriBack/status/1150758731371749377

/qwerty.ps1
/qwertyj1.ps1

# Reference: https://twitter.com/James_inthe_box/status/1059087094612602881

/posh80.ps1
/posh443.ps1
/samref448.ps1

# Reference: https://twitter.com/James_inthe_box/status/1154398293524271104

/out-1624020870.ps1

# Reference: https://twitter.com/James_inthe_box/status/1148692646942015488
# Reference: https://twitter.com/DynamicAnalysis/status/1162208563982241793

/ACHPaymentAdvice.ps1
/AMEXACHCREDITREF080819.ps1
/AMEXPMTREF.ps1
/CHASEACHPMT.ps1
/PMTREFCHS191508.ps1
/PaymentAdvice.ps1
/PaymentCopy.ps1
/PaymentDetails0348.ps1
/PaymentRef.ps1
/Remittance.ps1
/RemittanceAdvice.ps1
/RemittanceDetails.ps1
/SupplierRemittanceDetails.ps1
/WFACHPMT.ps1


# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

/d2.ps1

# Reference: https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html
# Reference: https://otx.alienvault.com/pulse/5d655ebc59a1b06f8c097c1f

/6HqJB0SPQqbFbHJD/init.ps1

# Reference: https://twitter.com/ItsReallyNick/status/1166889941844074496

/abc.ps1
/sc.ps1

# Reference: https://twitter.com/killamjr/status/1167453693194752000

/paymentinfo.ps1
/PaymentDts.ps1
/SecureTransDts.ps1

# Reference: https://twitter.com/FewAtoms/status/1171076098244919297

/out-1934240370.ps1

# Reference: https://twitter.com/killamjr/status/1171849775911772165

/remittance.ps1

# Reference: https://www.bleepingcomputer.com/news/security/new-tortoiseshell-group-hacks-11-it-providers-to-reach-their-customers/

/get-logon-history.ps1

# Reference: https://twitter.com/VirITeXplorer/status/1181128795337773057

/run.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1192451935225438209

/asdg.ps1

# Reference: https://twitter.com/0xFrost/status/1111247631223791617

/Standoff8900.ps1

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/23-10-19/analysis.md

/snphhuatvsbkw.ps1
/sopiiubuvsclwukz.ps1

# Reference: https://twitter.com/FewAtoms/status/1198574338036969474

/ShellCode.ps1

# Reference: https://app.any.run/tasks/717442d5-db0b-46b5-a0e9-5c3578471edd/

/meow.ps1

# Reference: https://twitter.com/cyber__sloth/status/1202274774342406144

/out-2028772214.ps1

# Reference: https://twitter.com/notajungman/status/1203034991858466817

/amexdata.ps1

# Reference: https://www.virustotal.com/gui/domain/worldwidetechsecurity.com/relations

/securetransmission.ps1

# Reference: https://twitter.com/DynamicAnalysis/status/1205555781095108608

/payment_advice.ps1

# Reference: https://twitter.com/malware_traffic/status/1216882597789360134

/hcxUr9dg.ps1

# Reference: https://twitter.com/Malwaredev/status/1219914293426212864

/cnotmij.ps1

# Reference: https://twitter.com/Racco42/status/1221707041615630336

/swift.ps1

# Reference: https://www.virustotal.com/gui/ip-address/104.168.248.36/relations

/out-1513314073.ps1

# Reference: https://twitter.com/DynamicAnalysis/status/1231999794035535875

/po.ps1

# Reference: https://pastebin.com/uveiJed9
# Reference: https://www.virustotal.com/gui/domain/gm-adv.com/relations

/dhl%20invoice.ps1
/dhlinvoice.ps1
/dhl_invoice.ps1
/order.ps1
/quotation.ps1
/remit.ps1
/sec.ps1

# Reference: https://twitter.com/c_APT_ure/status/1235231442906603520/photo/1
# Reference: https://www.virustotal.com/gui/domain/umeed.app/relations

/hk.ps1
/quote.ps1

# Reference: https://twitter.com/KorbenD_Intel/status/1238102354320166912

/Miao.ps1

# Reference: https://www.virustotal.com/gui/domain/crypterfile.com/relations

/crypt.ps1

# Reference: https://twitter.com/reecdeep/status/1272464515544776704

/Sheet.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1275338252531249152

/crimea.ps1

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

/leess1982.ps1

# Reference: https://twitter.com/BlackonIntel/status/1276166654980956161

/keda.ps1
/pikachu.ps1
/pikachu616.ps1
/pikachu616_5556.ps1
/pikachu6165556.ps1
/pikachu_7777.ps1

# Reference: https://twitter.com/ANeilan/status/1292939552085233664

/Update-KB4524147.ps1

# Reference: https://www.virustotal.com/gui/file/724ce0d8ca978f9bb9004c2252fb51b44f96c87721d68582ec67268cbd8f13a5/detection

/jupyter.ps1

# Reference: https://www.virustotal.com/gui/file/d4d438925fb775a4a599abd3054b036a95f12b4dc9f29d4d1506a985b2c23934/detection

/B1P244.ps1

# Reference: https://twitter.com/InQuest/status/1326258921833684992

/e3c43e9531f8b75fe88abc724bb2cace.ps1

# Reference: https://twitter.com/wwp96/status/1328082526582214658

/in3.ps1
/in6.ps1
/info3.ps1
/info6.ps1
/ma3.ps1
/ma6.ps1
/mate3.ps1
/mate6.ps1
/ze3.ps1
/ze6.ps1
/zero3.ps1
/zero6.ps1

# Reference: https://www.virustotal.com/gui/domain/xmr.givemexyz.in/relations

/kkwx.ps1

# Reference: https://twitter.com/jorgemieres/status/1333417189005799424

/powershell.ps1

# Reference: https://twitter.com/wwp96/status/1331067128150102016

/file.ps1

# Reference: https://twitter.com/InQuest/status/1335991964525858817

/xpn.ps1

# Reference: https://twitter.com/JCyberSec_/status/1339868346540552194

/aaa/fullz/post.php
/aaa/office/post.php
/aaa/post.php
/fullz/post.php

# Reference: https://www.virustotal.com/gui/file/e30d400146e380b77b094a9ac761bf84620325f7759a3c3f06201197f4225cb9/detection

/0921a86ec36dc8.php

# Reference: https://www.virustotal.com/gui/file/8d1fd0a9544e74bfec387ed16ade3f9ec6b334476f0ef0e984420b4923c8f624/detection

/25692ea80cd968.php

# Reference: https://twitter.com/James_inthe_box/status/1349360887186874371

/eea5c8636b504d.php

# Reference: https://www.virustotal.com/gui/file/50c7c0dce8af82cf62d98e6d8ea3de29bc70969e6614f59c785f2d07c9c7b37b/detection

/zc1/wpasp3.asp

# Reference: https://twitter.com/MalwarePatrol/status/1341324864867749889

/69pkoqft8pem61075l0fbdu7.php

# Reference: https://twitter.com/MBThreatIntel/status/1341894084315607042

/uoppg.swf

# Reference: https://blog.sucuri.net/2020/05/wordpress-malware-collects-sensitive-woocommerce-data.html

/5ea331c1744115ea331c17441f.php
/5eba1a04b47c4.php
/5eba1a04b47c41.php

# Reference: https://twitter.com/r3dbU7z/status/1344547651564539904

/mine.ps1

# Reference: https://twitter.com/neonprimetime/status/1346176402148765705

/picture_library/goon.js

# Reference: https://twitter.com/malwrhunterteam/status/1346038126263865345
# Reference: https://www.virustotal.com/gui/file/9d09788543b16ee59c469199cb0ef78891d8c66981169f0a6720fda8d4eeff9a/detection

/rat/contact/uploader.php

# Reference: https://www.virustotal.com/gui/file/bef03e00e79bdced1eccb00458216f34c8e47274b08f044ac0186882ffadd0bc/detection

/mack/post.php?type=

# Reference: https://www.virustotal.com/gui/file/8bbd83f12f7804f61406c18fe7d6636a339bb165e641297d1f6cf9233adb5060/behavior/C2AE

/p2p_v4/psp.php

# Reference: https://twitter.com/unmaskparasites/status/1349202063100502016

premcloa.shop

# Reference: https://twitter.com/MalwarePatrol/status/1350022176049680386

/tliomxaltla03oxusghg2pn4.php

# Reference: https://twitter.com/MalwarePatrol/status/1350233568841183240

/orglsgr4a00bcchevqhnaryg.php

# Reference: https://twitter.com/MalwarePatrol/status/1366767513355321350

/zfbe56fluk0eim07iptk4pge.php

# Reference: https://twitter.com/r3dbU7z/status/1351651516806033415

/1.ps1
/AA.ps1
/BB.ps1
/Invoke-CustomKatz.ps1
/Invoke-Mimikatz.ps1
/Invoke-Mimikatz2.ps1
/powercat.ps1
/shell.hta
/shell.ps1
/shell.vba
/shell.vbs
/shellcode.hta
/shellcode.ps1
/shellcode.vba
/shellcode.vbs

# Reference: https://twitter.com/FewAtoms/status/1352324221964320768

/aX51N8ewqGs.php

# Reference: https://app.any.run/tasks/806f2c56-309b-4dac-877b-0af4b9080db0/

/1210776429.php

# Reference: https://app.any.run/tasks/a6789a42-f9eb-45be-a2e6-a0d939ba28fd/

/9d051d446f2aa6.php

# Reference: https://twitter.com/James_inthe_box/status/1313832984303157250
# Reference: https://app.any.run/tasks/5ddfb57a-bc6b-42bb-a042-f906e5a2cabb/
# Reference: https://www.virustotal.com/gui/file/bc7900c1440c578c0dc0de73889755bbbf9e43026d8beafe83dbdc5d76dd6a62/detection

/337aea9edeb1f9.php
/bc4514100d55a6.php

# Reference: https://twitter.com/ps66uk/status/1354382482230149122

/rh1swa.php

# Reference: https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff-obfuscation-telegram-communications.html
# Reference: https://otx.alienvault.com/pulse/6011bf6e6167f335ba6e7bbb/

/11644210b.php
/F004f19441/sms1.php

# Reference: https://twitter.com/malwrhunterteam/status/1355168209360605184

/donkeydick.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1357260178635243520
# Reference: https://app.any.run/tasks/a2fe9cdb-7af6-44e5-99ca-d924c96d2b72/

/9bc55352dda4bb.php

# Reference: https://twitter.com/r3dbU7z/status/1357647150008717312

/Bill_inv002198.js

# Reference: https://twitter.com/MalwarePatrol/status/1358070205633724418

/567jcn03tc9zp0iay52xijs9.php

# Reference: https://twitter.com/bad_packets/status/1358910664060723202

/xms.ps1

# Reference: https://twitter.com/r3dbU7z/status/1358998466735833088

/keylogger.py
/packetsniffer.py
/portscanner.py
/ransom.py
/spreader.py
/a11.py
/adl.py
/fJ5.py
/g9o.py
/hMQ.py
/hms.py
/i31.py
/j06.py
/jc0.py
/k4D.py
/rJz.py
/ufb.py
/y3m.py
/zpj.py

# Reference: https://www.virustotal.com/gui/file/4ad6418af82212c7719ed7a12a23597dfaf6f5606c3bd3bc4e513820aa13ea63/detection

/wp01/wp-includes/po.php
/wp02/wp-includes/po.php
/wp03/wp-includes/po.php
/wp04/wp-includes/po.php
/wp05/wp-includes/po.php
/wp06/wp-includes/po.php
/wp07/wp-includes/po.php
/wp08/wp-includes/po.php
/wp09/wp-includes/po.php

# Reference: https://twitter.com/JCyberSec_/status/1359115107213664259

/0453000.php
/009808989.php
/324455.php
/8897.php
/09908.js
/434.js

# Reference: https://twitter.com/JCyberSec_/status/1359439467447222272

/3063qmv20ngebpacbqy4q9vlro.php

# Reference: https://twitter.com/MalwarePatrol/status/1359731149719887873

/9p3qzns4rk57fvxw9xuwb4df.php

# Reference: https://twitter.com/MalwarePatrol/status/1359806647871434752

/t958p8ba8votwhkwdd8v9wa5.php

# Reference: https://twitter.com/MalwarePatrol/status/1360320028013428739

/7rzkoe5rrcfaniubcme1sxh6.php

# Reference: https://twitter.com/MalwarePatrol/status/1360380429371641860

/tpgcteic2wyk8j12lg0rg3tq.php

# Reference: https://twitter.com/MalwarePatrol/status/1360682417678397443

/4w49ylbq2uay3r9ho9d0m1jx.php

# Reference: https://twitter.com/unmaskparasites/status/1359639196911104001
# Reference: https://www.virustotal.com/gui/domain/51la.adcef.com/detection

51la.adcef.com

# Reference: https://twitter.com/JCyberSec_/status/1360159197002883073

/w_client_id_4d5aac59-3e25-4e7d-9331-78bf74b323ec_redirect_u.php

# Reference: https://twitter.com/MBThreatIntel/status/1361815657440894976

namfortrust.xyz
win-admin.xyz
win-admin-center365.xyz

# Reference: https://twitter.com/h2jazi/status/1363683531067715584
# Reference: http://hackdig.com/02/hack-280699.htm
# Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/

/12345678.hta
/PdDOnR.hta
/testper.hta

# Reference: https://twitter.com/JCyberSec_/status/1364196643453734913

/woyptizlcq76mjcyjbb955pk.php

# Reference: https://twitter.com/MalwarePatrol/status/1364804580085743616

/si1bidg6p7xw30yfhl5lm5zg.php

# Reference: https://twitter.com/MalwarePatrol/status/1365166968635015172

/0xrvo9o1pq295qxp887b5ch0.php

# Reference: https://twitter.com/MalwarePatrol/status/1365317962580844546

/8532ykw0jtkewkdoitoyfgnr.php

# Reference: https://twitter.com/MalwarePatrol/status/1365891744173326336

/qgx8xrabmj1ijzk6qy5sen9n.php

# Reference: https://twitter.com/wwp96/status/1364811015112826883

/13233-878.js
/545665656.js

# Reference: https://twitter.com/malwrhunterteam/status/1365613904487976963

/fcm/mc/tapp.php

# Reference: https://twitter.com/wato_dn/status/1366259334955499524
# Reference: https://tria.ge/210301-7z5cpr6z82/behavioral1

/643307c3d81193.php

# Reference: https://www.virustotal.com/gui/file/528c696de7b59c6dd12beda7b650a25c5b0d3b55884bcf0b37380b639b5065d6/detection

/000000.php

# Reference: https://twitter.com/wwp96/status/1366485090340077572

/HGFGHGFH.php

# Reference: https://twitter.com/r3dbU7z/status/1366886386985545728

/flood.bat
/flood.hta
/flood.js
/flood.php
/flood.ps1
/flood.py
/flood.sh
/pyddos.py

# Reference: https://twitter.com/InQuest/status/1367241459225747464

/obfuscated.bat
/obfuscated.hta
/obfuscated.js
/obfuscated.php
/obfuscated.ps1
/obfuscated.py
/obfuscated.sh

# Reference: https://twitter.com/JCyberSec_/status/1367752994700296195

/file_soffice365/index.php

# Reference: https://twitter.com/MalwarePatrol/status/1368141566251053056

/6iaxro1pbufjlk6eshn7v7iira.php

# Reference: https://twitter.com/MalwarePatrol/status/1368503956532588545

/q4nts35hclwu08ydsp63kei7ra.php

# Reference: https://twitter.com/MalwarePatrol/status/1368866343668359169

/wd0ykjlrqq22j17unubmfg4wra.php

# Reference: https://twitter.com/MalwarePatrol/status/1369304228347469834

/wdvgzd6z53atzv80c044h5xr.php

# Reference: https://twitter.com/MalwarePatrol/status/1369666615541956609

/2guxysk0ia47bxh2jzqx931k.php
/Weusour123!/

# Reference: https://www.virustotal.com/gui/file/68529af30403ffc66192445c3d2cace2f72df0ccbaefa9b5a25935ce8b42d4ae/detection

/flex.php?hwid=

# Reference: https://www.virustotal.com/gui/file/13345f418c210dee561872a5e21dc53b9f5a752110aca661647ac444ac4fa2cf/detection

/bot.php?connect

# Reference: https://twitter.com/r3dbU7z/status/1368893677658124290

/fsag4.ps1
/Get-Content.ps1
/ready.ps1

# Reference: https://twitter.com/jstrosch/status/1369460970720989189

/dxlgwwfmze.html
/mnfvchznvz.html
/bxvsogzyre.php
/hzjuwplrcp.php
/mfvsgjyraa.php
/srzrbowcso.php
/yallews.php

# Reference: https://twitter.com/MalwarePatrol/status/1369953508238168065

/ffekwwfqyb06k804u1phgkcjra.php

# Reference: https://twitter.com/JCyberSec_/status/1372127327853903874

/stsx2hzd6mczfb1d0cy0jlg9.php

# Reference: https://twitter.com/r3dbU7z/status/1370839780678848514

/l.cmd
/lol.cmd
/lol_china.cmd
/lol.ps1
/lol2.ps1
/lol3.ps1
/w.cmd

# Reference: https://twitter.com/Dr_N0b0dyh/status/1367802254800084993

/7bdbdeb3137bf5.php

# Reference: https://twitter.com/peterkruse/status/1371753665355202564

/8900077.php
/9099x.php

# Reference: https://www.virustotal.com/gui/domain/ahmedadel.work/relations

ahmedadel.work

# Reference: https://www.virustotal.com/gui/file/6919611d3b398a6b8aad6ee43f8f0166dbbe866cd9f1d4a25eb5d7e1c5771eda/detection

/A2336411-46c8-4f83-96b6-294966496d652.js

# Reference: https://twitter.com/JCyberSec_/status/1372206087496212486

/81hcea474dhj7feqt9iyqz51.php
/xh3rllhzt8cqxhc0lcb7mbye.php

# Reference: https://twitter.com/MalwarePatrol/status/1372414725028511744

/2wkzljmkp4bbxqubflol9iuk.php

# Reference: https://twitter.com/MalwarePatrol/status/1372777117595824131

/jl8rikblhsw1sw0778yzk36o.php

# Reference: https://twitter.com/MalwarePatrol/status/1373290496559300613

/mk806y617xypn6d4z2j3x5t3.php

# Reference: https://twitter.com/MalwarePatrol/status/1373365992164839426

/ikd1234je4cfvh3tb9vf4yp1.php
/obv12000/cmn4/

# Reference: https://twitter.com/MalwarePatrol/status/1373501887346044933

/x32j8krv3d7zj6mgddry36l5.php

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf

/Invoke-SocksProxy.psm1

# Reference: https://www.virustotal.com/gui/file/627a14984f64f3774b0dda21f2f2d8e2b412beb8c42897d0a0e3e4f65c3e73bd/detection

/fucku.php
/fuckyou.php

# Reference: https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/

/mini-reverse.ps1

# Reference: https://twitter.com/z0ul_/status/1375469461713600512

d27qdop2sa027t.cloudfront.net

# Reference: https://twitter.com/MalwarePatrol/status/1376400990728032256

/dwc8a33vh2eaqefp2nfbs511.php

# Reference: https://twitter.com/Circuitous__/status/1377767299709550593
# Reference: https://pastebin.com/9U57CHZn

/gfdbvgfgggh.php
/ijkbfumnbvc.php

# Reference: https://twitter.com/MalwarePatrol/status/1378439421599580165

/h7090pcjq8q2xzx3ci1aq4ad.php

# Reference: https://www.group-ib.com/blog/rats_nigeria

/ava.hta
/oyii.hta

# Reference: https://twitter.com/ps66uk/status/1379408490960130048
# Reference: https://app.any.run/tasks/6abf3b2c-9e92-4f76-81d5-06898cfb3f3e/

/e1bdf31053a154.php

# Reference: https://twitter.com/InQuest/status/1379458364887986176

/8P3V78L4u.php

# Reference: https://twitter.com/ps66uk/status/1379467933932519436

/33b44fe4fae0b0.php

# Reference: https://tria.ge/210407-akdmy3ldv6

/3dbea0f5d87dcc.php

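# Reference: https://twitter.com/r3dbU7z/status/1381517028817825795
# Reference: https://twitter.com/r3dbU7z/status/1457338809566343168
# Reference: https://www.virustotal.com/gui/url/026ec2ee22c5b8a04806a13701238e971565cd80d9ca10a0be85c80f4222fa9e/details
# Note(review): the '.apsx' spelling below is kept as listed; if the referenced samples used '.aspx', these nine entries would never match - verify against the references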

/payload1.apsx
/payload2.apsx
/payload3.apsx
/payload4.apsx
/payload5.apsx
/payload6.apsx
/payload7.apsx
/payload8.apsx
/payload9.apsx
/payload1.hta
/payload2.hta
/payload3.hta
/payload4.hta
/payload5.hta
/payload6.hta
/payload7.hta
/payload8.hta
/payload9.hta
/payload1.php
/payload2.php
/payload3.php
/payload4.php
/payload5.php
/payload6.php
/payload7.php
/payload8.php
/payload9.php
/payload1.ps1
/payload2.ps1
/payload3.ps1
/payload4.ps1
/payload5.ps1
/payload6.ps1
/payload7.ps1
/payload8.ps1
/payload9.ps1
/payload1.py
/payload2.py
/payload3.py
/payload4.py
/payload5.py
/payload6.py
/payload7.py
/payload8.py
/payload9.py

# Reference: https://twitter.com/MalwarePatrol/status/1381987802938769409

/3cuxoaskux3q0bywimjkyvez.php

# Reference: https://twitter.com/r3dbU7z/status/1382237585586724867

/theone.ps1
/theoneFUD2.ps1

# Reference: https://twitter.com/58_158_177_102/status/1382254845659291650
# Reference: https://tria.ge/210414-aqahkvar82/behavioral2

/887d2c240852a4.php

# Reference: https://www.virustotal.com/gui/ip-address/96.45.180.73/relations

/beacon.ps1

# Reference: https://twitter.com/wato_dn/status/1382553067170635779

/YKgOy11r.php

# Reference: https://twitter.com/MalwarePatrol/status/1383437363402067968

/gzddd0opl2e08ze4yv7av58m.php

# Reference: https://twitter.com/MalwarePatrol/status/1384373522181599234

/3gvjdn0xhl3qk3191douym8b.php

# Reference: https://twitter.com/MalwarePatrol/status/1386185463262846983

/i5whs7vo7eacn7is5xqqr8n5.php

# Reference: https://twitter.com/MalwarePatrol/status/1386547850545410050

/0s2jblrpnt7n31k24jz81u56.php

# Reference: https://twitter.com/MalwarePatrol/status/1387635013471117312

/v6pywfv5ldc5l39j8lpva5o0.php

# Reference: https://twitter.com/MalwarePatrol/status/1390171728584839175

/gc5dxi0jayumpytlwniae4g1.php

# Reference: https://twitter.com/reecdeep/status/1384844628478898181
# Reference: https://app.any.run/tasks/d5ae94e7-f656-455c-a039-9ebf7f8ac9e5/

/50b35103666b5c.php

# Reference: https://twitter.com/ShadowChasing1/status/1382869518830039041
# Reference: https://twitter.com/ShadowChasing1/status/1382869522965667840
# Reference: https://www.virustotal.com/gui/file/813c8b8b43be5a928a5cd841bea08d7d5453ab8a1196e3c81abd7a144027247b/detection
# Reference: https://www.virustotal.com/gui/file/a140a4e60c699dcf110678fca8cfd259660d21c428256898a65f9d3f196b8c13/detection

/Rumpwltop.php

# Reference: https://twitter.com/wwp96/status/1385599004294135815
# Reference: https://app.any.run/tasks/3612bf52-bf05-4b8a-bf1f-14314a89f50c/

/0Vw3HoA.php
/9v0PVEF.php
/BfwhQsS.php
/CR7sTdk.php
/EmbtJ0Q.php
/GErg6Juscript.php
/HXg53mR.php
/I6pAfnc.php
/Ju8BXdy.php
/N0yq3xz.php
/NbnGdvUscript.php
/azrcmnltdt.php
/byeSlhE.php
/cHCTjbL.php
/cankviuhag.php
/cycqodnata.php
/egodokcnyi.php
/ekdolrisek.php
/fO9RzJC.php
/faghrgwmpd.php
/fjwmmcyqux.php
/g3wC826.php
/gVfmOdN.php
/hSqWuOr.php
/haagjweayl.php
/iQ39jUH.php
/ixliwszrfm.php
/kexiusxkht.php
/l5rwiO0script.php
/legzkktzsb.php
/mxQsPYL.php
/o045Yn9.php
/oE6k32I.php
/qpjmMGoscript.php
/s9dOK5.php
/tvwtmbzxgz.php
/twiprlcpkv.php
/u6MnC9x.php
/v7S6F3rscript.php
/vtkblqpdhs.php
/vwltssqysa.php
/wIb0VuG.php
/xxtbmlngdy.php
/ydlST42.php
/zJarPL3script.php
/zbbupptyol.php

# Reference: https://twitter.com/unmaskparasites/status/1387205583665647618

monster.newaff.monster
s3.amazonaws.com/cgc-badge-v2/common.js
s3.amazonaws.com/cgc-badge-v2/load.min.js
sieglowfingoachap.ga
/cgc-badge-v2/common.js
/cgc-badge-v2/load.min.js
/cgc-badge-v2/

# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt

/Cm1WxCm/index.php
/Cx1WxC1cC/index.php
/ssllxxssll/bp/index.php

# Reference: https://twitter.com/xuy1202/status/1387414908199866369

/6034003x100.js

# Reference: https://twitter.com/ShadowChasing1/status/1387602989033017346

/HBankers_Latest.hta

# Reference: https://www.virustotal.com/gui/file/a8d4bfcf4a966ac593f31cf8fe82b8f133034066859acb8bb54fc19577b35d14/detection
# Reference: https://github.com/stamparm/maltrail/pull/16278/commits/59ae491e0c6aa664c82ac0c3be8129ee7756ba4f

/avBypass.php

# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt

/bmfoaqdzhuclgqgreudq9.php
/dump_grabber.php
/hf3yh4687df.php
/staaaaaats.php

# Reference: https://www.virustotal.com/gui/file/a49f23aac652d63d1529338a12b3ba424d0b4eab637af8ffa7d9e557fb441a37/detection

/mfbjhth8g4sfmssfgeq/dkhd94kz.php
/dkhd94kz.php

# Reference: https://twitter.com/josh_larsen/status/1388892152680288262

xn--80ak6aa92e.com
g1thubassets.com

# Reference: https://twitter.com/James_inthe_box/status/1389238006398164997
# Reference: https://twitter.com/James_inthe_box/status/1390361000155639812

/0CdHOfB6.php
/0YLkHHgkr5e5GkS.php
/AQlZNLOYLB.php
/Cyry48Yoz8z6.php
/FF006npc0jeMf6.php
/GHT1XGSWJ.php
/KdKg0tl6lF5F3Fa.php
/KR4c0Bk3vlQpI.php
/OoIF23ZyfjmfI8.php
/Q8i4tw3Hw2oWo6V.php
/Rg8lDv4cJXWWaz.php
/S0kpWspb.php
/XKBRBS0vQa.php
/acDQfS5Xw7.php
/bhM6o0If.php
/goD5dPTcC.php
/i2zz9YbX54.php
/i5an1VBykIH.php
/mQ8HReIBcDnSG.php
/o5ATDDB7Ib8FbHT.php
/qtJJKheJ4uX1p.php
/r4brQXPL3tc6OZ.php
/rQn6mD3r.php
/t0vy3Ks7CM8QR.php
/uSryOO1m8EGzN.php
/x7eS3Bkgfiv7sN.php
/xOykYWEbDK4zqD.php
/xZ7MnwtJIAkN5hy.php
/zDz0PTXDToNLA.php

# Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676

/0b03976abf4fd3.php

# Reference: https://twitter.com/MalwarePatrol/status/1389522450145218561

/6widk071or85ab5fx3n9i0kdra.php

# Reference: https://unit42.paloaltonetworks.com/proactive-detector/

/ghose123354/next.php

# Reference: https://twitter.com/ESETresearch/status/1390263927859208193
# Reference: https://twitter.com/ESETresearch/status/1390263930833063938

/LOADER_AQUI.php

# Reference: https://twitter.com/James_inthe_box/status/1390672589102534668
# Reference: https://twitter.com/James_inthe_box/status/1390679565685563396

/qxEJ4XFyEF.php

# Reference: https://www.virustotal.com/gui/file/14e7fdec6624ba60bfee6bf686060db46ad0052075664935fe69be63fb3ab467/detection

/za3ma_za3ma.php

# Reference: https://www.virustotal.com/gui/file/1be388f74d98754a616ec3265cf9dc7cf94383759fc0ed88eeff1267ad4efa16/detection
# Reference: https://www.virustotal.com/gui/file/049397828f8ba90b6e4dcb90daa3d9292c5e77454d5fd63b59fa320e179154e2/detection

/zxcv.ps1
/zxcvb.ps1

# Reference: https://twitter.com/JCyberSec_/status/1392113003512963074

/siteanalyze_6015663.js
/js/siteanalyze_6015663.js

# Reference: https://lukeleal.com/research/posts/lolzilla-php-js-skimmer/

/hu345bhuufd73fsdy8w4.php

# Reference: https://twitter.com/Circuitous__/status/1392136823963590659
# Reference: https://www.virustotal.com/gui/file/f075b72d185a2ed404361268d3c4e3ed6d8aef0ebbcf179c5b3384bd2c012791/detection
# Reference: https://www.virustotal.com/gui/file/95f36b06a9ef5bdf1301634ff67e49d51643e747c9be8ade616e26328c10ca02/detection

/1WiStiiT.php
/3RKTmgwCIosO1Q.php
/5QvWk6qm.php
/7q0Vreh38laGy9.php
/Agk5yxu6D3SEW.php
/EHEtRsJyIPR6o75.php
/HShRYdMy.php
/ITmEihJkT.php
/MGggfHzY0QH0Cp3.php
/OMqNCOuk.php
/SFMm6Qoe.php
/VsMQ4PexH.php
/Z1Oeq1XQhEC.php
/ZkIMh91mDLu9z7.php
/e1KqWCgL.php
/njNvuZ7MIDRL.php
/paEAehZhSWNmH.php
/vUYhCCeCNKQoEk.php

# Reference: https://twitter.com/MalwarePatrol/status/1392346056550199296

/OneDrive_adrut0x/encrypted.php

# Reference: https://twitter.com/MalwarePatrol/status/1394384488092901379

/1vhwk2eubzz6huxmknyw6jcm.php

# Reference: https://twitter.com/gorimpthon/status/1394600529469210624
# Reference: https://tria.ge/210518-hpxbx989hs

/70e30b90838689.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1394905859696873473

/d867u9ltcpuk9k1jsusztdvsro.php

# Reference: https://twitter.com/MalwarePatrol/status/1395033768801587202

/rhtzf7qb3rsr8xgyrue6ypno.php

# Reference: https://malware.love/malware_analysis/reverse_engineering/2021/05/19/unknown-python-stealer.html

/6846546874968946.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1399689971401900036

/d3808c7188cb55.php

# Reference: https://www.virustotal.com/gui/ip-address/8.141.54.214/relations

/AVpayload.ps1

# Reference: https://twitter.com/xuy1202/status/1396059012794224643

/EvilObject.class
/EvilObject.cmd
/EvilObject.hta
/EvilObject.ps1

# Reference: https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
# Reference: https://otx.alienvault.com/pulse/60b8a178a6e813e88be3181b

/ldr.ps1

# Reference: https://otx.alienvault.com/indicator/file/f49dc180e970ce41abe518e00e76012885d21ce201a3fdb30c4cc274b47c3bec
# Reference: https://www.virustotal.com/gui/file/79bbdb8009278ba629dae626b86f4447a81333ef9535e2a9341d5728571e4ae1/detection

/addInstallImpression.php?key=

# Reference: https://www.virustotal.com/gui/file/e61627d4179e36ec097c97cc14b83dbb8de8f5a206d72044fbee5ab8323a133f/detection

/dontrun.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1401405755174105088

/ndbsia13n1bps81zxf5qegzm.php

# Reference: https://twitter.com/MalwarePatrol/status/1401481253023633412

/sut4xvvkcxivtmuocw2ppvbj.php

# Reference: https://twitter.com/malwrhunterteam/status/1402528954263670784

/qwqdanchun.sct

# Reference: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
# Reference: https://otx.alienvault.com/pulse/60be1d277d109b2b37060c4c

/4fa00001c720b30002987d983e62d5e1.jpg
/4fa00001c720b30102987d980e62d5e4.php

# Reference: https://blogs.jpcert.or.jp/en/2021/06/php_malware.html
# Reference: https://otx.alienvault.com/pulse/60be0d9402505f73cefc4c6d

http://144.76.47.168
http://178.63.30.186
http://178.63.30.30
http://5.9.146.0
http://5.9.235.245
http://5.9.34.13

# Reference: https://twitter.com/MalwarePatrol/status/1403293192464879618

/e1kkuv16c0txdc1c00cxpo6j.php

# Reference: https://twitter.com/r3dbU7z/status/1403399105142009864

/AV-K.cmd
/AV-K.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1403580083999281152

/OneDrive_adrut0x/encrypted.php

# Reference: https://www.virustotal.com/gui/file/4c6240772603eff2d1c58bb948a8eb5afa24619d5ea2c715e8d80839a432e8c6/detection

/300.ps1

# Reference: https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
# Reference: https://otx.alienvault.com/pulse/60cb37bf5fe8246bb2556969

/CVDWwr42525.php

# Reference: https://twitter.com/MalwarePatrol/status/1406116795052867584

/y5eukec7amu2npvdxbclwdsz.php

# Reference: https://twitter.com/malwrhunterteam/status/1405894315474313224

/ceshi.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1406867629982294020

/qc2kwkwacmyu4hmxdqj51797.php

# Reference: https://twitter.com/MalwarePatrol/status/1408215627312082950

/cne82jyx15erri76gbffh16z.php

# Reference: https://www.virustotal.com/gui/file/f5380da161d45e09115bf0eb392b979db161ec710294352e5cf10d78469aa5a9/detection

/track/bot.php

# Reference: https://twitter.com/rootprivilege/status/1410430545373323264

/UVPd5nFADk90KioqvL82.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1410592639968104459

/indxkic2b4aqygzuoqfnibjtphewu23b8ebjkf5um6n0qn6pq97sfdtwjokt2cu3tm3gj8inpebw2gf46u64.php

# Reference: https://twitter.com/banxen/status/1375292245906087937
# Reference: https://www.zscaler.com/blogs/security-research/low-volume-multi-stage-attack-leveraging-azureedge-and-shopify-cdns

officechairatwork.com/wp-content/plugins/yith-woocommerce-order-tracking/assets/js/ywot.js
global.asazure.windows.net
atlant18.azureedge.net
compos17.azureedge.net
compos20.azureedge.net
doc-web1.azureedge.net
metrica2.azureedge.net
string.azureedge.net
theme.azureedge.net
web-google.azureedge.net

# Reference: https://twitter.com/KesaGataMe0/status/1410874602021023745

/smbcupdatebill.php
/smbc/smbcupdatebill.php

# Reference: https://twitter.com/1ZRR4H/status/1408252818272751621

/HR13I5MD0ASC5J.php

# Reference: https://www.virustotal.com/gui/domain/7naturalessences.com/relations

7naturalessences.com

# Reference: https://www.virustotal.com/gui/ip-address/165.232.142.149/relations

scriptcc.cc

# Reference: https://www.virustotal.com/gui/file/895c3e47bf41c07189e079b9f6136dd49e44eac681e646ab40bca216418420e8/detection

/4j17tSRM9X14SsdW.js

# Reference: https://twitter.com/KesaGataMe0/status/1414197200909869056

/wctx1D1DFxFDg.do.php

# Reference: https://twitter.com/pollo290987/status/1415214033767182336
# Reference: https://www.virustotal.com/gui/file/fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422/detection

/f462c05ed33f1c.php

# Reference: https://twitter.com/MalwarePatrol/status/1416988433919221763

/gnjfurbcfcrvv4myxk0t1gb7.php

# Reference: https://twitter.com/KorbenD_Intel/status/1418673471496892421

/a.ps1
/meterpreter-64.ps1

# Reference: https://twitter.com/FewAtoms/status/1417886430467170305

/YJHLZX.py

# Reference: https://ioc.finsin.cl/Output_FINSIN_URL

/zagda4cquzoj.php

# Reference: https://isc.sans.edu/forums/diary/Simple+Powershell+Ransomware+Creating+a+7Z+Archive+of+your+Files/27286/
# Reference: https://www.virustotal.com/gui/file/aff84c3e2f40b6cf3724447252c770ade426cfea0458b172db38e9753ce4fba4/detection

/10d2c.ps1

# Reference: https://twitter.com/p0x53/status/1419974528998932485

/.well-known/login.php?ss=

# Reference: https://twitter.com/unmaskparasites/status/1420896604526026753

hittail.com

# Reference: https://twitter.com/MalwarePatrol/status/1421153124610416645
# Reference: https://www.virustotal.com/gui/file/659c06cce3b9bb0c13ee83d68aa16bdcfce3ffbf9f91fcfb996f6f097b01a756/detection

c.d.cg

# Reference: https://www.virustotal.com/gui/file/8f4bbc0dca7842761a9025508b0ce988ebb6a37c35117dcf41d82c898a49427a/detection

g.d.cg

# Reference: https://www.virustotal.com/gui/file/071231d29a8548be8cb0a8f48a4b23d12e08139fd8dba842781912a11dc7c5f6/detection

/pb_fnc/id27315002.php

# Reference: https://twitter.com/tosscoinwitcher/status/1422262670879727616
# Reference: https://twitter.com/James_inthe_box/status/1422284259344060418

/4MVmSStHhq.js

# Reference: https://twitter.com/malwrhunterteam/status/1422266865871622152

/forvt.ps1

# Reference: https://twitter.com/KesaGataMe0/status/1422746848993812480

/aibgsjsw1001.asp

# Reference: https://twitter.com/James_inthe_box/status/1423311821658681347

/A3CQN1Sa9HXw2.php
/KhfI5axi.php

# Reference: https://www.virustotal.com/gui/file/5aa49c79925f27538f09602c9e4e70d94055a7fffa2afc4c0519096038998e7a/detection

/1q0h3u8j3b8l.php
/2e0y3p5g8w8w.php
/4j2x5r4c5l9n.php
/5v1e6t0a3y7r.php
/5v6v0p2a2k9a.php
/8y0j6a9u2t3v.php

# Reference: https://twitter.com/MalwarePatrol/status/1431634940219822083

/fxhnyv5h9wvjs4i0z86wggq5.php

# Reference: https://twitter.com/MalwarePatrol/status/1438958197839122440

/3lonx05ciwldr69pge5jbb6u.php

# Reference: https://twitter.com/James_inthe_box/status/1445508345117380618
# Reference: https://app.any.run/tasks/056603f9-a869-476c-8581-554abc31a464/

/549c03609890dee87e18.php

# Reference: https://www.virustotal.com/gui/file/505821500697793ddef2fbf8c37d56846459d63bf3de87e5232b2740e3019239/detection

/b81b83efe1608c.php

# Reference: https://twitter.com/MBThreatIntel/status/1440472066822602759

https-center.net

# Reference: https://twitter.com/pr0xylife/status/1450047080089759745

/b04042b22b2b6179257d.php

# Reference: https://twitter.com/yvesago/status/1450111171789529089

/won-00-bh.html

# Reference: https://twitter.com/reecdeep/status/1450453705296318464

/317dd0e0d501b3697287.php

# Reference: https://twitter.com/benkow_/status/1453639490094907392
# Reference: https://www.virustotal.com/gui/file/33c1ee4c99e89fc0d2255cfbc2e0084147bb915bb2c90dfa72748e5b0a9fb787/detection

signorcredito.it

# Reference: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

/vefEPjwOdNF9qNw.hta

# Reference: https://twitter.com/pr0xylife/status/1457683130534477824

/9fa099d0b6dea5.php

# Reference: https://twitter.com/James_inthe_box/status/1457709661801496581
# Reference: https://app.any.run/tasks/0032c1f8-af31-43ba-bb4f-caf15023d05a/

/9d0476a1a62a896eb293.php

# Reference: https://twitter.com/James_inthe_box/status/1455532066142101510

/ac2d3e49ed481ffff187.php

# Reference: https://twitter.com/sansecio/status/1458454276875948041

limb-330718.appspot.com
/limb-330718.appspot.com/

# Reference: https://twitter.com/pr0xylife/status/1458425006883590146

/karolTubeKarol.hta

# Reference: https://twitter.com/unmaskparasites/status/1458899921596149785

ptfish.top
tasks.ptfish.top

# Reference: https://twitter.com/MalwarePatrol/status/1461788634865098757

/y2t0oh31ji9xxankxfps6x6w.php

# Reference: https://blog.cyble.com/2021/11/11/gravity-rat-malware-returns-as-a-chat-application/

/61c10953.php

# Reference: https://twitter.com/1ZRR4H/status/1464289306399420419

/e2b649d30646dc.php

# Reference: https://twitter.com/vikas891/status/1467394956721475585

/aspnet_client/rncyqsyrpvnwbjqx.aspx
/rncyqsyrpvnwbjqx.aspx

# Reference: https://twitter.com/Iamdeadlyz/status/1396337155228585991

/Rgbtmt9QxaKJBCW8eD0u.php

# Reference: https://twitter.com/MalwarePatrol/status/1468236118537691138

/v7lmxawiuc0n40y9uyw44aiz.php

# Reference: https://twitter.com/pr0xylife/status/1468624598774304768

/69bb7ee91c7a92b6dfa1.php

# Reference: https://twitter.com/TeamDreier/status/1469272043833245704

/tki01/logpa/send.php

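# Reference: https://twitter.com/cyber__sloth/status/1470353289866850305
# Reference: https://pastebin.com/TvEH1ZAg
# Note: several names in this group are generic (/test.class, /foo.class, /l.class, /use.class), so a match on the path alone may be benign; correlate with the requesting host and the response before treating it as an incident.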

/14-1dznzz-hc-dar-ikys-g1j9.class
/14-1e470x-jc-ear-ikdw-h1j9.class
/19-1jrsa8-ic-dar-jkys-h1j9.class
/19-1k3pp1-fc-ear-jkoc-d1j9.class
/19-1k5kr4-cc-ear-jkw2-b1j9.class
/19-1llckp-f18-gar-jkwv-d1mo.class
/261523260_570309860735261_6837498676061670623_n.class
/40848.class
/5-9sc3k-cc-gar-bkw2-d1j9.class
/5-a0pr5-hc-gar-bklh-c1j9.class
/5-azqw4-c1h-idz-bkwv-g1nl.class
/7wpym.class
/9y8ah.class
/a-e3ge9-bc-dar-ckwv-h1j9.class
/a-eyszl-h1h-fdz-ck8r-d1nl.class
/a-frllx-h1b-gdf-cl3s-i1my.class
/a-gl8vi-e1h-hdz-cksp-g1nl.class
/ExecTemplateJDK1.class
/ExecTemplateJDK2.class
/ExecTemplateJDK3.class
/ExecTemplateJDK4.class
/ExecTemplateJDK5.class
/ExecTemplateJDK6.class
/ExecTemplateJDK7.class
/exectemplatejdk8.class
/ExecTemplateJDK9.class
/explit.class
/exploit.class
/exploit0.class
/exploit69ogqnsqyz.class
/exploitjkk87onvoh.class
/f-my6w7-b1o-idz-dksp-e1nm.class
/fast_filters$1.class
/fastuse.class
/foo.class
/gradesusingarrayswithsorting.class
/hl5ul.class
/hud.class
/itpidd.class
/k-rx4nk-c1o-gdz-ekih-j1nm.class
/l.class
/laura.class
/log4j.class
/logme.class
/logrce.class
/lucidphase.class
/maxusers.class
/nnd_.class
/oz7tc.class
/p-v26fa-ec-car-fkdl-g1j9.class
/p-vnrla-c1h-ddz-fklh-h1nl.class
/pwnme.class
/rwlogbook.class
/test.class
/u-10o2l6-e18-bar-gl96-i1mo.class
/u-12bb0h-h1h-edz-gi9g-f1nl.class
/u-12mh27-bc-ear-gkw2-h1j9.class
/u-12t8pw-cc-far-gkw2-i1j9.class
/u-138yvq-ic-far-gkwv-c1j9.class
/use.class
/use2.class
/wcontent_user.class
/wmi6p.class
/wpjgh.class
/z-19fsc4-e1d-gdp-hk8q-b1mw.class
/z-1aqd7l-d1h-idz-hlaf-j1nl.class
/z-1azs15-fc-iar-hklh-d1j9.class
/zg6wo.class

# Reference: https://twitter.com/felixaime/status/1471157639077842959
# Note: Google Chrome marks this domain as being related to phishing, but this seems to be a false positive (FP), so the entry below is left commented out.

# 9d6a-93-183-194-122.ngrok.io

# Reference: https://twitter.com/0xrb/status/1473599097646948352/photo/3

/16false.class
/18true.class
/Log4jRCE.class

# Reference: https://twitter.com/douglasmun/status/1473661827707924484

/exploit.java

# Reference: https://twitter.com/ankit_anubhav/status/1471079526658560003

/reverse.ps1

# Reference: https://twitter.com/ankit_anubhav/status/1471078479596638214
# Reference: https://threatfox.abuse.ch/browse/tag/log4j/

/ExploitWeWHgyhfpa.class
/N0t4n3xplo1t.class

# Reference: https://www.virustotal.com/gui/file/9b7fa2646d19e73c50f17acb5ee9a4e856870f5eb621017d73afd5db43ae7628/detection

/Amsi.ps1

# Reference: https://twitter.com/unmaskparasites/status/1452803088482377729

downvebuttrephen.ml
hauslicsu.tk
haystonapcom.cf
misconiseciri.tk
traffic-redirect.site
ulwebga.tk

# Reference: https://www.virustotal.com/gui/file/ca4632c36974541e4c05642ad0c093566d009b05bffbd6cc9d0fe6e437a2066d/detection

/G7VaYpFEqKptzqWy.js

# Reference: https://twitter.com/r3dbU7z/status/1468119168096612357

/bt2rat13_x32.html
/bt2rat13_x64.html
/bt2rat13_x32.ps1
/bt2rat13_x64.ps1
/icbt6801_64refl.ps1
/RawDNS.html
/RawDNS.ps1
/RawHTTPx32.html
/RawHTTPx64.html
/RawHTTPx32.ps1
/RawHTTPx64.ps1

# Reference: https://twitter.com/pr0xylife/status/1458514764531912704

/nextNextDoor.hta

# Reference: https://twitter.com/s1ckb017/status/1476174815035854850/photo/1

/fuck_niggers.hta
/fuck_niggers_1.hta
/fuck_niggers_2.hta
/fuck_niggers_3.hta
/fuck_niggers_4.hta
/fuck_niggers_5.hta
/fuck_niggers_6.hta
/fuck_niggers_7.hta
/fuck_niggers_8.hta
/fuck_niggers_9.hta
/fuck_niggers_10.hta
/fuck_niggers_11.hta
/fuck_niggers_12.hta
/fuck_niggers_13.hta
/fuck_niggers_14.hta
/fuck_niggers_15.hta
/fuck_niggers_16.hta
/fuck_niggers_17.hta
/fuck_niggers_18.hta
/fuck_niggers_19.hta
/fuck_niggers_20.hta
/fuck_niggers_21.hta
/fuck_niggers_22.hta
/fuck_niggers_23.hta
/fuck_niggers_24.hta
/fuck_niggers_25.hta
/fuck_niggers_26.hta
/fuck_niggers_27.hta
/fuck_niggers_28.hta
/fuck_niggers_29.hta
/fuck_niggers_30.hta
/fuck_niggers_31.hta
/fuck_niggers_32.hta
/fuck_niggers_33.hta
/fuck_niggers_34.hta
/fuck_niggers_35.hta
/fuck_niggers_36.hta
/fuck_niggers_37.hta
/fuck_niggers_38.hta
/fuck_niggers_39.hta
/fuck_niggers_40.hta
/fuck_niggers_41.hta
/fuck_niggers_42.hta
/fuck_niggers_43.hta
/fuck_niggers_44.hta
/fuck_niggers_45.hta
/fuck_niggers_46.hta
/fuck_niggers_47.hta
/fuck_niggers_48.hta
/fuck_niggers_49.hta
/fuck_niggers_50.hta
/fuck_niggers_51.hta
/fuck_niggers_52.hta
/fuck_niggers_53.hta
/fuck_niggers_54.hta
/fuck_niggers_55.hta
/fuck_niggers_56.hta
/fuck_niggers_57.hta
/fuck_niggers_58.hta
/fuck_niggers_59.hta
/fuck_niggers_60.hta
/fuck_niggers_61.hta
/fuck_niggers_62.hta
/fuck_niggers_63.hta
/fuck_niggers_64.hta
/fuck_niggers_65.hta
/fuck_niggers_66.hta
/fuck_niggers_67.hta
/fuck_niggers_68.hta
/fuck_niggers_69.hta
/fuck_niggers_70.hta
/fuck_niggers_71.hta
/fuck_niggers_72.hta
/fuck_niggers_73.hta
/fuck_niggers_74.hta
/fuck_niggers_75.hta
/fuck_niggers_76.hta
/fuck_niggers_77.hta
/fuck_niggers_78.hta
/fuck_niggers_79.hta
/fuck_niggers_80.hta
/fuck_niggers_81.hta
/fuck_niggers_82.hta
/fuck_niggers_83.hta
/fuck_niggers_84.hta
/fuck_niggers_85.hta
/fuck_niggers_86.hta
/fuck_niggers_87.hta
/fuck_niggers_88.hta
/fuck_niggers_89.hta
/fuck_niggers_90.hta
/fuck_niggers_91.hta
/fuck_niggers_92.hta
/fuck_niggers_93.hta
/fuck_niggers_94.hta
/fuck_niggers_95.hta
/fuck_niggers_96.hta
/fuck_niggers_97.hta
/fuck_niggers_98.hta
/fuck_niggers_99.hta

# Reference: https://www.virustotal.com/gui/file/8db3a8a01b91a4d0fcaef624d9e477a6c42fb4976087721e1debbd7bf167bb80/detection

/payload64.ps1

# Reference: https://www.virustotal.com/gui/file/6da1b35ef3b88a801c9256c45d4eed523a9648b0b63726c8f97d701fb6fa7a22/detection

/code/shellcode.txt
/code/shellcode1.txt
/code/shellcode2.txt
/code/shellcode3.txt
/code/shellcode4.txt
/code/shellcode5.txt
/code/shellcode6.txt
/code/shellcode7.txt
/code/shellcode8.txt
/code/shellcode9.txt

# Reference: https://app.any.run/tasks/eaa7e1d3-4df8-4536-bbb2-0168e99d6682/

/4c3aa4cfa29243d5cabb.php

# Reference: https://twitter.com/ffforward/status/1479416818829860866

/zpol.ps1

# Reference: https://www.virustotal.com/gui/file/c60e4ea99ca2ebf51e8f0a2e4d839f93842eade69fe8615b37e172f973588da7/detection

/a56ed6248446a9.php

# Reference: https://twitter.com/drb_ra/status/1479581621288415235

/ll_9354efa.js

# Reference: https://www.virustotal.com/gui/file/0c7786afe1888faa6c9ad8fc8b4a9efa8428bd359c6ba90f1dde6136a5d2ad87/detection

/5eN1bjqzgoY3K/ll_935a.js
/ll_935a.js

# Reference: https://twitter.com/OiOi_012/status/1480540570670219271

/3jitiaozhuan.js

# Reference: https://twitter.com/JavierAleP/status/1480964509888299008

/indexhjhyu.php

# Reference: https://twitter.com/r3dbU7z/status/1481533464646418439

/wer23457grweg.jsp

# Reference: https://www.virustotal.com/gui/file/2e8aa1230aebf32c537c3aaa17ac9de639889fc3473fbd3f9b44c6c5e05fea8e/detection

/1_4987797867906203838.php
/1_4987797867906203838.txt
/1_4987797867906203839.php
/1_4987797867906203839.txt

# Reference: https://twitter.com/James_inthe_box/status/1481993249615056899
# Reference: https://app.any.run/tasks/bd261b33-c8aa-462a-8024-7a6d68f3eef5/

/6b2313f5d21340a3.php

# Reference: https://www.virustotal.com/gui/file/248ce8f51907aa4a7ce3ae5f9c947a30a7844340bae4a3621d4e0234ba18dc22/detection

/5b95498f031ce7.php

# Reference: https://www.virustotal.com/gui/file/646de057f12a986bb75c1cfc9e7b8d241b3b24a54e50b002e283b33cebd91a87/detection

/e8c05bb5ecd725.php

# Reference: https://twitter.com/drb_ra/status/1482116740368814086

/security-details.a52152.js

# Reference: https://www.virustotal.com/gui/domain/s37click.info/relations

s37click.info

# Reference: https://twitter.com/malwrhunterteam/status/1483419651740618752

/cww/xxl2.php

# Reference: https://twitter.com/malwrhunterteam/status/1483715095083499520

/pngebanoe.hta

# Reference: https://threatfox.abuse.ch/ioc/298466/

/1b2f863184d500f8.php

# Reference: https://www.virustotal.com/gui/file/6f98f871db9f73d7f7c37e8b2c20413349b7fb78c9aae74e42eba51e824e2c8f/detection

yourjavascript.com

# Reference: https://twitter.com/500mk500/status/1486434273292865546
# Reference: https://app.any.run/tasks/e980d3f8-148d-46f2-a135-0f919113dcdc/
# Reference: https://app.any.run/tasks/b02d6537-afe7-4bbb-99d5-7bf2ba3104a3/
# Reference: https://mlwr.ee/analysis/2502241/summary

/script/suurl4.php

# Reference: https://twitter.com/KyleKrejci/status/1488556020863578117

/62da8f09d02b4de8.php

# Reference: https://twitter.com/MalwarePatrol/status/1490417274691465222

/xx0yhlm432lmvudpdo0949lp.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1491315122421530625

/cfd048dakjocvewyqfcelh9wro.php

# Reference: https://twitter.com/MalwarePatrol/status/1491640333435867137

/umbo3brbes95rptt6632zx89.php

# Reference: https://tria.ge/220204-rblhdaahbl

/d1c107a865581ff88ad673786ee059f2.php

# Reference: https://www.virustotal.com/gui/file/794bcfb84b20f5e74a85d54aa222cc580600a7a6f9ee90ad667989ee1f2f13a5/detection

/HLZQRCXKHTGSOQQOWOQHATHTGRIFHEEUFHIEJQBEERAIKHSOFHIJKHQTUPUYCCUIOKVB.hta
/ZEJKLQVAJGRIKXETJLQPKIHZEEWUXFGKWEQAJPCZZCXFPHENCRQSKWOGZKOLOOAWEVEE.hta

# Reference: https://github.com/executemalware/Malware-IOCs/commit/50f99cd6f12f7ea7234eb68984d783750d814091

/843cdfe7e4a349a1899b.php

# Reference: https://twitter.com/r3dbU7z/status/1493675446210281479

/Evil.class
/zzz_exploit.py

# Reference: https://www.virustotal.com/gui/file/285a61210326ff7f555c101bd70e19297a0eae42d1cb60a054c9b3827476920a/detection

/e4c23e6e3fcec2.php

# Reference: https://twitter.com/pr0xylife/status/1494027121672572934

/42b4d2772d7097b3d81b.php

# Reference: https://www.facebook.com/UACERT/posts/307433441415921 (Ukrainian)
# Reference: https://twitter.com/Dashowl/status/1497620618216452098
# Reference: https://www.virustotal.com/gui/file/09da4054f6a5cf6930f73c182cbc33208df771074f6a6c67ec503f4542195f83/detection

87yc.xyz
b04.us
f1r.us
fr7c.us
i0t.us
j0r.us
r0m.us
rwi2v.eu
se13.biz
t7s.us
v0k.us
/duju9w.php

# Reference: https://twitter.com/MalwarePatrol/status/1495490708853112833

/pdf2022-ikn.php

# Reference: https://twitter.com/TeamDreier/status/1498267807536099328

/a93e21e3b8ca68.php

# Reference: https://twitter.com/evilgash/status/1498185745181384714

/5n8oaw2so2.js

# Reference: https://twitter.com/TeamDreier/status/1498960798458298373

/sdfghj654hgfkc/htaccess.php

# Reference: https://www.virustotal.com/gui/file/fd65e992dfedf627104a5ca05e77dca129184b4e4a91b03079278f60649b29a9/detection

/BADmojo.ps1

# Reference: https://twitter.com/pr0xylife/status/1501538557302906881

/bc9c14b7aee3bf.php

# Reference: https://twitter.com/0xrb/status/1501811448481468418
# Reference: https://www.virustotal.com/gui/file/e420d90738208a061aaca7b310bedf7efb56e89451c19d5049649621283ec583/detection

/8e8f4129f88b3c.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1503310432429293570

/9c523a9e14cc09.php

# Reference: https://twitter.com/0xrb/status/1504363330651451395
# Reference: https://www.virustotal.com/gui/file/96c94753d9c4e21e9b27234517b36a2e3dd20492e2b112df8424de6e4f3971ce/detection

/dbd157ad09eba7.php

# Reference: https://twitter.com/James_inthe_box/status/1504460868460834818

/ad96de224fd42a40.php

# Reference: https://twitter.com/MalwarePatrol/status/1505637563452825602

/s37dr6df9ubml9nz87reecfl.php

# Reference: https://twitter.com/BushidoToken/status/1505639071443570699
# Reference: https://otx.alienvault.com/pulse/6237878e4937d1bad108047f/

/aaa.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1506286843154898954

/8t0wkvjov3adezb83hjb45em.php

# Reference: https://twitter.com/0xrb/status/1508384289574252544

/38e5788e36faeb.php

# Reference: https://www.virustotal.com/gui/file/09f6c1c60d6d471a0dcc78523e338df2826df8cd6f6528c396077e88481d06e1/detection

/index.e943403db0.js

# Reference: https://twitter.com/MalwarePatrol/status/1509986222109872137

/71lhsrgw1dqbsq8fnhr7fvw1.php

# Reference: https://twitter.com/MalwarePatrol/status/1509684228220461058

/iikh4r30228jdmtqa7t2r5yo.php

# Reference: https://twitter.com/MalwarePatrol/status/1510348605382705163

/c2tj7dtub657a34jr5vxaijw.php

# Reference: https://twitter.com/MalwarePatrol/status/1510710991180414985

/iyy8dyvj7mn3ejpk7gpypvu8.php

# Reference: https://twitter.com/MalwarePatrol/status/1510846886747549696

/f3ro9qexvh4t5mswaq7h6qpo.php

# Reference: https://twitter.com/MalwarePatrol/status/1510922385117130752

/stgbos0c4pdnb0jskes9lv9f.php

# Reference: https://www.virustotal.com/gui/file/921ab11978687f7b8120f0753f7d500d95512316834f71082a028b08c838109a/detection

/bypassassssssssssssy.txt
/bypassassssssssssssy.ps1
/bypassassssssssssssy.hta
/bypassassssssssssssy.php
/bypassassssssssssssy.class
/bypassassssssssssssy.java
/Serverasssy.txt
/Serverasssy.ps1
/Serverasssy.hta
/Serverasssy.php
/Serverasssy.class
/Serverasssy.java

# Reference: https://www.virustotal.com/gui/file/6e5bc57767ea314f50262e10884e592ac5e833165d85db41e2033baaa7c5682d/detection

/ASYYServer.txt
/ASYYServer.ps1
/ASYYServer.hta
/ASYYServer.php
/ASYYServer.class
/ASYYServer.java
/ASSYY%20Bypass.txt
/ASSYY%20Bypass.ps1
/ASSYY%20Bypass.hta
/ASSYY%20Bypass.php
/ASSYY%20Bypass.class
/ASSYY%20Bypass.java

# Reference: https://twitter.com/tosscoinwitcher/status/1512294579961171978

/owa/auth/x.js

# Reference: https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant
# Reference: https://otx.alienvault.com/pulse/61b75c2915050cf6e811fef9

/7dd66d9f8e1cf61ae198.php

# Reference: https://twitter.com/MalwarePatrol/status/1513610098475778056

/moybnndujrplohgq5qmo3282.php

# Reference: https://app.any.run/tasks/c1872210-cc81-434c-beae-21f74c8ea83a/

/179de82bffbf2e.php

# Reference: https://www.virustotal.com/gui/ip-address/101.35.199.101/relations

/d1mo.ps1

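# Reference: https://unit42.paloaltonetworks.com/javascript-based-phishing/
# Reference: https://otx.alienvault.com/pulse/613f5dc1c1c8aa2b896a009c
# Note: uber.space and selcdn.ru appear to be shared hosting/CDN parent domains and are listed here next to the specific hosts (appleid.uber.space, 555305.selcdn.ru); a hit on the parent alone may belong to an unrelated tenant, so confirm the full hostname before acting.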

coffeeshop.store
cooking4kor.ru
selcdn.ru
uber.space
555305.selcdn.ru
appleid.uber.space

# Reference: https://blog.virustotal.com/2022/04/virustotal-multisandbox-elf-digest.html

/boaform/admin/formLogin?username=

# Reference: https://www.virustotal.com/gui/file/378e01925608bcd74544a5b5536c20a0007eb255e145370df228bb004aa59de2/detection
# Reference: https://www.virustotal.com/gui/file/f964f108f661de1c15e3cedee074cf1617ce02f85eb7e8613077f9ed95c4b37d/detection
# Reference: https://www.virustotal.com/gui/file/e81baa5e7bf0fe2ebeb07983e71d05d09698e567d9bcaf17176e631156d01c60/detection
# Reference: https://www.virustotal.com/gui/file/95eb3d6f61d5082bee11ea47a7c90c0dcdc18af71985276ab56f648dcc549d87/detection
# Reference: https://www.virustotal.com/gui/file/8c2215d43e7cd77c90a424ca6c81c1b94acf01eaecbb048447e171ebef0c2dfd/detection
# Reference: https://www.virustotal.com/gui/file/8b437a76538722dc4535cbf3180005eb973caa6e9be13c6d3852fed1789960a0/detection
# Reference: https://www.virustotal.com/gui/file/80e498268b8be964d5a74ca226218b17cb7a28a8929e70e2d2c3aed768e6308c/detection

/3xp1r3Exp.ps1
/ABC123.ps1
/BcDAHlHQmO.ps1
/DFzM1n9Gai.ps1
/executer.ps1
/fPTcKQTX4K.ps1
/giraExp.ps1
/miOFUdAw6t.ps1
/mUOmAi4R5i.ps1
/rp9R4cgF97.ps1
/scrupExp.ps1
/sicariopExp.ps1
/stage1x32.ps1
/stage1x64.ps1
/WZypgeP1da.ps1

# Reference: https://twitter.com/AffableKraut/status/1517534880950857733

brigettera.com

# Reference: https://twitter.com/osipov_ar/status/1518654392777510916

/work_443.bin_m2.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1518894918999097345

/z8s7he941vjp0im3tm2ogovn.php

# Reference: https://twitter.com/MalwarePatrol/status/1518970419444961280

/449lz1bpy0zfswnmnywdzlv1.php

# Reference: https://twitter.com/MalwarePatrol/status/1519257308014030850

/vdbzw6fu3n9e0ytsj4xdtfwj.php

# Reference: https://twitter.com/AltShiftPrtScn/status/1519840040637157378

/xmr.ps1
/xms.sp1

# Reference: https://www.virustotal.com/gui/file/5382b04454079d0408abdcb25b1ff85bd4301f5b0c1b2459269bcbab86db8278/detection

dodgyblokes.club

# Reference: https://twitter.com/MalwarePatrol/status/1523681457130061824

/1gatqjm9ev8otbfo08zgtuqh.php

# Reference: https://www.virustotal.com/gui/file/ed374e0b094ff23907497ed79a603e0b20bdfc268ea5fc1fabbf559cf0fab235/detection

/c81f0953b36a6b.php

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-05-10_Mekotio_MTT_CL

/3t1x2oBj19sH33.php

# Reference: https://www.virustotal.com/gui/file/2123f1c10dac02ac6c2fe68531d4ac9f03b9dedf68bbf7988667c7938a1788f1/detection

/8eaf9c2923101a.php

# Reference: https://www.virustotal.com/gui/file/e5f471dcd4f5a47f0a53fc389e58c70b9ef81805c503ed6b100950d02ee7f777/detection

/572663248.php

# Reference: https://twitter.com/MalwarePatrol/status/1527879120893403137

/qw09ua40uo56e8gb2284pgiy.php

# Reference: https://www.virustotal.com/gui/file/fbf53255c0a5a3c5f0010df3256462b5f3bfd4def9127808d8265ae4c0b0cb09/detection

/testinghtaa.hta

# Reference: https://www.virustotal.com/gui/file/4c6a8a2acdc3bc3ab8fe29295981caf1a07ea69a60372df05a2bc74e383bb8dd/detection

/fuckusaterrorists.hta
/fuckusaterrorists.txt
/terror.hta

# Reference: https://twitter.com/ShadowChasing1/status/1528908083476713472

/djavascript.hta

# Reference: https://www.virustotal.com/gui/file/90de674bea63102925c6d7f948106deb582663b7cb19e0b17d50484da13c01de/detection

/B82K3Manl9UWoYN6.js

# Reference: https://www.virustotal.com/gui/file/881d2e40edf5bd4293ad3e4d92f33508122b3ad44bc1333e3d5fc186bb8fd53d/detection

/kXDzAmnYvJzy57mRDdLJiQhlKyi.html

# Reference: https://twitter.com/MalwarePatrol/status/1530566827507605505

/ymao78ixhazwjeulw2vypdeh.php

# Reference: https://twitter.com/malwrhunterteam/status/1531619205845590016

/Beznall_crypt.hta

# Reference: https://twitter.com/Computeus7/status/1531657197507297280

/9f3d37faadd0a5.php

# Reference: https://twitter.com/malwrhunterteam/status/1531957313032052736
# Reference: https://www.virustotal.com/gui/file/df4190f1b39f60c2e898d51cb43fec4f2ff50bd54b83b2ab22f4bf3567bcd558/detection

/Docum.hta

# Reference: https://twitter.com/midnight_comms/status/1532708285786116096

/d1office2.php

# Reference: https://twitter.com/malwrhunterteam/status/1535703306705805313

/wasiq.hta

# Reference: https://twitter.com/MalwarePatrol/status/1536289539366522880

/one-hot-0t0s.php

# Reference: https://twitter.com/malwrhunterteam/status/1537022403347460096
# Reference: https://www.virustotal.com/gui/file/a8ce2181ce6e56c147412c600a430fdb7baf68550b6f822b98a1759f52adb72f/detection

/runobject.hta

# Reference: https://twitter.com/ps66uk/status/1537370503974903809

/cl/.bot/s.php

# Reference: https://twitter.com/malwrhunterteam/status/1537412988558245888
# Reference: https://www.virustotal.com/gui/file/de495346ac81d29707c92181382989cbcc9ecab3feeb7c38eb6fe4364c89cde8/detection

/account.hta

# Reference: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

/cve2021-4034.py

# Reference: https://twitter.com/tosscoinwitcher/status/1537499839168032769

/c53b0420d91d96.php

# Reference: https://twitter.com/StopMalvertisin/status/1537403718236520448

/dllhost.hta

# Reference: https://twitter.com/malwrhunterteam/status/1538094207478517764

/a1790.hta
/a1799.hta

# Reference: https://www.virustotal.com/gui/file/0000f195ca3a1f2f67e34b1773deb311b2006a19e2153f7459e8cc97728ed569/behavior/VirusTotal%20Droidy

/Exploit/ExploitResultReport.aspx

# Reference: https://twitter.com/StopMalvertisin/status/1538766748249636869
# Reference: https://www.virustotal.com/gui/file/211a1f74eea68ebe7178d90f0df0446a87cdda865145c397b7a32e253086139e/detection

/forbest.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1539331504081453057
# Reference: https://www.virustotal.com/gui/file/d5fc8f42b8ec97ce6ae6007b994c855dd2b07e98697d0c2d2990d9b080d044c1/detection

/BAYC_Roadmap_Leaked.hta

# Reference: https://twitter.com/malwrhunterteam/status/1539621033908621314

/shell2.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1540614846600908800

/lum.hta

# Reference: https://gist.github.com/silence-is-best/7b71542e9713d9e8c2546090a1358789

/1cd1e844dad621.php

# Reference: https://www.virustotal.com/gui/file/0b1c3985cfe6fd26489cc745f60cf63e6bea52b410c099e3434befa2c6568b19/detection

/ada185df82b054.php

# Reference: https://twitter.com/malwrhunterteam/status/1544050660433399813
# Reference: https://www.virustotal.com/gui/file/452c3bd1e8cdf19bd89704c81540b995e887ba06e13a9cd12c67977feddfdfba/detection

/pipo.hta
/zbi.hta

# Reference: https://twitter.com/malwrhunterteam/status/1544693640563494912

/coba-with-obfy.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1544691386011815936

/111.ps1

# Reference: https://twitter.com/k3dg3/status/1544747167751065601
# Reference: https://tria.ge/220706-wl7wkshgg2/behavioral1

/5h.hta

# Reference: https://twitter.com/ecarlesi/status/1545957606195339264
# Reference: https://www.virustotal.com/gui/ip-address/65.108.235.212/relations

amandanys.lol
amartisha.cloud
amecontrols.info
armyangel220.cloud
armyangel220.lol
artandwork.info
aspace.info
autoribirokrasi.me
bdigital.cloud
bimbeldigital.club
chamberscapital.info
cloudiator.cloud
cnbmtech.cloud
coxwatersolutions.lol
credit24-money.cloud
crossviewcov.info
dataagent.biz
dataindulgence.cloud
downvote.us
ds-wizard.cloud
ednolbmi.cloud
epayroll.cloud
esb-platten.info
fewclicksaway.club
fidelitybank-fl.info
foundnewpatrons.cloud
frigofluides.info
georgiaexposto.cloud
goood-day.club
grobot.cloud
happiful.club
helix-dynamicscorporation.company
heritagesystems.us
hyperflow.cloud
i-office.cloud
idcredit.club
imaginable.us
instalink.cloud
instantpay.cloud
intellibusiness.biz
intelligenttraffic.cloud
jphenephom.lol
jprutch24.cloud
jprutch24.lol
justinemantello.cloud
kacegame.lol
keba70.lol
keshaontiktok.cloud
knowyourfinances.biz
legalboard.info
link123.info
linkleaders.cloud
liveal.us
lool.cloud
manstatement.biz
manultd.club
mascottech.us
mediastack.cloud
memberme.cloud
multistream.cloud
my-app-i.cloud
my-online.cloud
newedigital.cloud
oscn.cloud
pays-activate.club
pays-apology.club
pays-cinema.club
pays-cord.club
pays-day.club
pays-go.club
pays-liberty.club
pays-need.club
pays-objective.club
pays-produce.club
pays-reaction.club
pays-sentence.club
pays-shareholder.club
pays-shell.club
pays-understanding.club
pcprime.us
personaldevelopers.us
personprotection.biz
productco.us
pypl-service.hrpwr.hu
quantumbridge.cloud
remotevhost.cloud
restricted.contact
ruther.cloud
selection-elseneeded.club
serviceai.cloud
sh.amecontrols.info
sh.artandwork.info
sh.aspace.info
sh.chamberscapital.info
sh.crossviewcov.info
sh.dataagent.biz
sh.downvote.us
sh.esb-platten.info
sh.fidelitybank-fl.info
sh.frigofluides.info
sh.goood-day.club
sh.happiful.club
sh.heritagesystems.us
sh.idcredit.club
sh.imaginable.us
sh.intellibusiness.biz
sh.knowyourfinances.biz
sh.legalboard.info
sh.link123.info
sh.liveal.us
sh.manstatement.biz
sh.manultd.club
sh.mascottech.us
sh.memberme.cloud
sh.pays-liberty.club
sh.pays-need.club
sh.pays-produce.club
sh.pcprime.us
sh.personaldevelopers.us
sh.personprotection.biz
sh.productco.us
sh.simplewatch.biz
sh.sissyofhop.cloud
sh.successvip.biz
sh.transfert.club
sh.versionhistory.info
sh.wildcreators.club
sh.womanslife.info
simplewatch.biz
sissyofhop.cloud
smarttraffic.cloud
smartvirtual.cloud
smiteaddress.art
successvip.biz
sundayatumah.xyz
techn.cloud
theblogpress.us
transfert.club
twilightarmor.cloud
verificar.cloud
versionhistory.info
vipmail.cloud
wepair.cloud
wesecure.cloud
wildcreators.club
womanslife.info

# Reference: https://twitter.com/harugasumi/status/1546067750044729344

/ic6oXx7P3s/page1.php
/ic6oXx7P3s/

# Reference: https://unit42.paloaltonetworks.com/digium-phones-web-shell/
# Reference: https://otx.alienvault.com/pulse/62d55f865acf112119766930

campusteen.ru
caramelgirl.ru
cumixface.ru
cutiebooty.ru
gentlepus.ru
lopornix.ru
megabobox.ru
sledporn.ru
sweetassma.ru

# Reference: https://twitter.com/StopMalvertisin/status/1552176809382653952

/xix.js

# Reference: https://www.virustotal.com/gui/file/2c91462fb50fb7d0a394317401f9044db58e652435cd3beb05ae6e0a0184d63a/detection

/this.ps1

# Reference: https://twitter.com/rootprivilege/status/1559238666077081600

/a1b2.php

# Reference: https://twitter.com/malwrhunterteam/status/1559902576757424130
# Reference: https://www.virustotal.com/gui/file/6634cd044332d28d153519298fd0f68590d966d1c970a80d5a6462fd5a9734ec/detection

/disable-defender.ps1

# Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Agent%20Tesla/AgentTesla-%2017082022

/hfhfhgfghfghgf.txt

# Reference: https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html

/fortest/parsez.php

# Reference: https://twitter.com/StopMalvertisin/status/1563729037671149568
# Reference: https://www.virustotal.com/gui/file/ed3ef87baf72ac521db91bbb0dbd78bb47fc4eb092b7941e6802ab1118c6603d/detection

/T729D734B881E4336C393BDB056B167FD.php

# Reference: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/

autobuyapp.com
goscreenshotting.com
langhort.com
netflixparty1.com
netflixpartyplus.com
unscart.in
amz.langhort.com
d.langhort.com
data.langhort.com
s.langhort.com

# Reference: https://twitter.com/JCyberSec_/status/1567586121839697923

/QWETRT44444.php

# Reference: https://twitter.com/drb_ra/status/1567699547756920832 

/update_wapp2.aspx

# Reference: https://twitter.com/drb_ra/status/1568421255627550720

/wpaas/load.php

# Reference: https://www.virustotal.com/gui/file/5fbe698c1b9f5d270cb997b7a99ea16295c9a1704676023438130d0574860ea5/detection

javfoo.com

# Reference: https://www.virustotal.com/gui/file/d7b370cd27d4f6448c0ab9b9946d26ec636720e1c87408d13cce198b7776cda9/detection

cuddlethehyena.com
glenprejudice.com
javhaj.com
mc7clurd09pla4nrtat7ion.com

# Reference: https://www.virustotal.com/gui/ip-address/188.114.96.1/relations

javcoz.com
javyp.com
javgad.com
javnor.com
javzag.com
javapo.com
javfey.com
javzax.com
javkay.com
javwv.com
javcoq.com
javqis.com
javhyp.com
javwon.com
javoho.com
javmew.com
javpas.com
javsai.com
javwuz.com
javspa.com
javsuq.com
javuse.com
javtal.com
javjoy.com
javzin.com
javhoi.com
javmac.com
javole.com
javmq.com

# Reference: https://unit42.paloaltonetworks.com/originlogger/
# Reference: https://otx.alienvault.com/pulse/6321cdc9ae733812be9b9331

/7a5c36cee88e6b.php

# Reference: https://twitter.com/r3dbU7z/status/1572735985586143236

/loadpay.ps1
/rawpayload.ps1

# Reference: https://twitter.com/jstrosch/status/1572953204400209921

dev.api.cal.ukpbj.codelogic.id

# Reference: https://twitter.com/jaydinbas/status/1547530236878852096

/cijjus.php

# Reference: https://twitter.com/malwrhunterteam/status/1575442588982804480

/BWCL.hta

# Reference: https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
# Reference: https://otx.alienvault.com/pulse/633acb17ed56f34d3779a9a4

/jsJ13j.sct

# Reference: https://twitter.com/r3dbU7z/status/1576920251853582336

/attackstorm.py
/tlsattackfunc.py

# Reference: https://twitter.com/jstrosch/status/1578056013130989568

/adminer-137hi.php
/adminer-48edw.php
/adminer-enm5f.php
/adminer-mlwpc.php
/akndwegidy.php
/hbjglueocv.php
/krhdfjkomr.php
/kyvgmjykfo.php
/lozqtcornp.php
/lrynmamrhl.php
/mailer-gi3hx.php
/mailer-px16q.php
/mdqidzyuiv.php
/ndtesbiznh.php
/nxwcgaolxk.php
/plrczjhrse.php
/putqwnbkhu.php
/qlaobdzrbj.php
/swekjlzbed.php
/tbtmdckzuz.php
/tcujelbrbc.php
/ulfywujokb.php
/uwehfmweug.php
/veqhqwwhzr.php
/vztbipqlpk.php

# Reference: https://twitter.com/1ZRR4H/status/1578993357237649408

/pe64.ps1

# Reference: https://twitter.com/1ZRR4H/status/1579569830751252481

/fucked.php

# Reference: https://www.virustotal.com/gui/file/1064aaec1537695abeadeabe1ca73f4d5bee047564cc79e76f944fc77a397760/detection

/yesdrg.ps1

# Reference: https://www.virustotal.com/gui/file/00f452bcd981fcca980f2beeaef1d3e43b5ccc4c010ed0410eae5cd86a48c190/detection

/ltys/app.js
/ltys/dh.js
/ltys/dh1.js
/ltys/dl.js
/ltys/tj3.js
/ltys/xx1.js
/ltys/xx2.js

# Reference: https://www.virustotal.com/gui/file/3f6d866f09cfabb1aa2a0393d290533ed31705c87b85f77edc3fdd51b90f6e24/detection

/ms1.hta

# Reference: https://twitter.com/ViriBack/status/1581732406893346816

/hhbbmn.php

# Reference: https://twitter.com/InQuest/status/1582114710740008960
# Reference: https://www.virustotal.com/gui/file/0a656baa4ca55df0c78dcc20151a223089da31e836bb8cd586969e2281cf9fbf/detection
# Reference: https://www.virustotal.com/gui/file/ab82809dfa85921cbb290df23dbdfaf29d36433c45e351866f202ed261c3a484/detection
# Reference: https://www.virustotal.com/gui/file/47bbeeb8ce166f7285b8f10188e32f2affc0d5cbe0ec5bb848593a9750b3a560/detection

/get_cmd.php?hdd=

# Reference: https://twitter.com/0xToxin/status/1583157689898573824

/523ecb38582a9c.php

# Reference: https://twitter.com/unmaskparasites/status/1584592625327575040
# Reference: https://www.virustotal.com/gui/file/6738f60ad76ff0930858b829574f3eb03aa403bf80695ccf5fea2598d345793d/detection
# Reference: https://www.virustotal.com/gui/file/df318d78bb1c951f6134419cdd3d6e3a605e28b73235dbbc46bc871bf12c9e74/detection

http://37.1.209.213
/NZMcgH
/xD252Hx3
/xD252Hx3?host=

# Reference: https://twitter.com/JAMESWT_MHT/status/1584816141960372224

/root.hta

# Reference: https://www.virustotal.com/gui/file/1b82739880e1851d032b09de787033bd19135c8496124cd505b32afe4212b7b0/detection

/ms7.hta

# Reference: https://twitter.com/0xToxin/status/1587576617949446148

/0895.hta

# Reference: https://twitter.com/malwrhunterteam/status/1587542657332568067

/nonka.hta

# Reference: https://www.malware-traffic-analysis.net/2022/11/07/index.html

/tps1.ps1

# Reference: https://twitter.com/drb_ra/status/1590076101337849856

/js/chunk-vendors.413ca6b2.js
/chunk-vendors.413ca6b2.js

# Reference: https://asec.ahnlab.com/en/41450/

/cc.ps1

# Reference: https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html

/RVbCGlEjx6H.php

# Reference: https://www.virustotal.com/gui/file/23941746340e89fb699e4ecec106fbfd40186fc5b483bf72d82d5d5a2706863f/detection

/api/firegate.php

# Reference: https://twitter.com/malwrhunterteam/status/1591500789540847616

/tYDds36jjPb7.hta

# Reference: https://twitter.com/malwrhunterteam/status/1591553050753236993

/rublikat.hta

# Reference: https://twitter.com/malwrhunterteam/status/1592231757461741569

/Receipt_parking.hta

# Reference: https://twitter.com/malwrhunterteam/status/1592249538802511873

/AcrobatInstaller.hta

# Reference: https://twitter.com/malwrhunterteam/status/1593019577969303553

/PMQNwqez.hta

# Reference: https://twitter.com/malwrhunterteam/status/1593723747491614727
# Reference: https://twitter.com/midnight_comms/status/1596502593668538371
# Reference: https://www.virustotal.com/gui/file/e8d7a0436d04e4ce48769481da317755a217a0f9fd08f679a79b4b54f2d45490/detection

/save_sms.php?phone=
/save_sms0.php?phone=

# Reference: https://corelight.com/blog/detecting-5-current-apts

/bot/cmd.php?botid=
/bot/gate.php?botid=

# Reference: https://twitter.com/r3dbU7z/status/1596097530697117697

/Azucar.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1596269879824465922

/clineti2022.hta

# Reference: https://twitter.com/malwrhunterteam/status/1596217071742128128
# Reference: https://www.virustotal.com/gui/file/74712e4b42600980566b6dc10df3fb2f63a7daefc3e28abc591d222e3fe0ece0/detection

/gsis.ps1

# Reference: https://cert-agid.gov.it/wp-content/uploads/2022/12/trojan.json_.txt

/lib.hta
/lib32.hta
/lib64.hta

# Reference: https://twitter.com/h2jazi/status/1600536584398553107
# Reference: https://twitter.com/InQuest/status/1602420917195374593
# Reference: https://www.virustotal.com/gui/file/d1cdab058056e0e4cbf2a08851d493d9f46d1d36e65f7b284d2ecc3558e80660/detection

/dwopen.hta
/dwopen1.hta

# Reference: https://www.virustotal.com/gui/ip-address/18.222.107.105/relations
# Reference: https://www.virustotal.com/gui/file/474a83ab9e606773f64bce7d639dae8a56f262af53ef0e7ee0d5be2bc6695d88/detection

/RusherBypass.asp
/RusherBypass.aspx
/RusherBypass.bat
/RusherBypass.hta
/RusherBypass.js
/RusherBypass.php
/RusherBypass.ps1
/RusherBypass.vbs

# Reference: https://www.virustotal.com/gui/file/16fb8609cbf720e31b7850a02fc3a2951a44efcdaf1b5fb960160e7d15e7d009/detection

/config_20.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1604964169023115264
# Reference: https://www.virustotal.com/gui/file/b3cb1b5e3d828e25d9802cc536dd89e347bb70528285e1bf1e1acf123fb4659e/detection

/first1.hta

# Reference: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/

/get_grabber.asp
/get_grabber.aspx
/get_grabber.bat
/get_grabber.hta
/get_grabber.js
/get_grabber.php
/get_grabber.ps1
/get_grabber.vbs
/get_grabbers.asp
/get_grabbers.aspx
/get_grabbers.bat
/get_grabbers.hta
/get_grabbers.js
/get_grabbers.php
/get_grabbers.ps1
/get_grabbers.vbs

# Reference: https://www.virustotal.com/gui/file/c97105d284a7055d6896e5afeb2775c1b1c7fac869fc6aa875c7ea7f46d19800/detection

/lost.ps1

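# Reference: https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe
# Note: the "?payload=" entries below are generic endpoint names with no host attached; treat a match as a triage lead and confirm it against the destination host and the referenced report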

/api?payload=
/auth?payload=
/click?payload=
/cmd?payload=
/get?payload=
/load?payload=
/download?payload=
/set?payload=
/upload?payload=

# Reference: https://twitter.com/ViriBack/status/1610393842787704835
# Reference: https://twitter.com/albertzsigovits/status/1626473710671605760
# Reference: https://twitter.com/1ZRR4H/status/1626493369877770240
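# Reference: https://www.virustotal.com/gui/file/05067bb1ebbce3dd4b18f736e18672f77ff8863cce2efd68796618fc92903bdc/detection
# Note: "/inject", "/injection" and "/injector" can also appear in legitimate application URLs; a hit on these path-only entries needs host and request context before it is treated as malicious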

/api/inject
/api/injection
/inject
/injection
/injector

# Reference: https://twitter.com/malwrhunterteam/status/1611423202957213701
# Reference: https://twitter.com/r3dbU7z/status/1717062792589586859
# Reference: https://www.virustotal.com/gui/file/4c1b02898a8fc99afa72f1616ecdda6bda734a9487fdf0d9725eca3c422a4c23/detection

/bypass.asp
/bypass.aspx
/bypass.bat
/bypass.hta
/bypass.js
/bypass.php
/bypass.ps1
/bypass.vbs
/bypass2.asp
/bypass2.aspx
/bypass2.bat
/bypass2.hta
/bypass2.js
/bypass2.php
/bypass2.ps1
/bypass2.vbs

# Reference: https://twitter.com/Stalkphish_io/status/1612427080758710272

/agdbaoep.php
/ajfhgehm.php
/bas00158787.php

# Reference: https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven

elon2xmusk.com
saylor2xbtc.com

# Reference: https://twitter.com/Merlax_/status/1614742984943181824

/vrttyttytyyt.php

# Reference: https://twitter.com/faisalusuf/status/1614890162273542145

89743677348987793490832904.xyz

# Reference: https://twitter.com/unmaskparasites/status/1615076169816379392

hotdatemehard.com
lovelywildgirls.com
wildhottiegirls.com
/lilly/sshv9mmwr6c9yi
/profile.php?id=sshv9mmwr6c9yi
/sshv9mmwr6c9yi

# Reference: https://twitter.com/StopMalvertisin/status/1615176339946090496

/nvz0g1.ps1

# Reference: https://www.virustotal.com/gui/file/0034290e7bb88ac02b9161e2f5729c428bf9b8583e379a4edd82ecb046cf5db9/detection

/winmon.ps1

# Reference: https://twitter.com/1ZRR4H/status/1617696464230285313

/serverhta.asp
/serverhta.aspx
/serverhta.bat
/serverhta.hta
/serverhta.js
/serverhta.php
/serverhta.ps1
/serverhta.vbs

# Reference: https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild

/ALdr32.ps1
/ALdr64.ps1
/komar.ps1
/komar1.ps1
/komar2.ps1

# Reference: https://www.virustotal.com/gui/file/7766d6f7cb261c2678fa6fb08096ec1a5c7169480cb6f01b583d41f926289ded/detection

/bushiwo.ps1

# Reference: https://www.virustotal.com/gui/file/87099fe915a8795c491d0617ce20d7d9617747d8dc03a90e0082ca680b147157/detection

/bc.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1621128231394107392

/F230002030.hta

# Reference: https://twitter.com/malwrhunterteam/status/1624331588560470016

/dirmon32.hta

# Reference: https://twitter.com/InQuest/status/1626758679843205120

/lqc0er.hta

# Reference: https://twitter.com/wwp96/status/1627413766496464899

/h7f7952ebc537/h7f7952ebc537.php
/h7f7952ebc537/mycommand.php
/h7f7952ebc537/wso.php
/h7f7952ebc537/bid/login.php
/h7f7952ebc537/
/h7f7952ebc537.php

# Reference: https://twitter.com/wwp96/status/1627922823917486080
# Reference: https://app.any.run/tasks/ee706ee5-26a2-4cf9-b0dc-b18a9951ac94/

/2455818bc570ff.php

# Reference: https://twitter.com/malwrhunterteam/status/1628482090114203649

/legitprogramwink.hta

# Reference: https://www.virustotal.com/gui/file/8460715e815be59a13661d1174d6ff302c138b2b54ada3d4f72fcf78b2ae634d/detection

/uhg.hta

# Reference: https://twitter.com/jaydinbas/status/1629149185806069761

/snbtoolswires.hta

# Reference: https://twitter.com/wwp96/status/1629138150630080512

/289191b0208dd6.php

# Reference: https://twitter.com/wwp96/status/1633183691701899269
# Reference: https://app.any.run/tasks/b0d365ec-4c7a-43e2-a39c-0f11bd57c7b0/

/168061e7445d0c.php

# Reference: https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections/

/downloadinject
/downloadinject?access=

# Reference: https://www.wiz.io/blog/redirection-roulette
# Reference: https://otx.alienvault.com/pulse/64089e70cd7ce1921e580bef

51sdk.org
cdn-linkedin.info
helpscout.help
beacon-v2.helpscout.help
v2.helpscout.help
jsstat.51sdk.org
stat.51sdk.org
tpc.cdn-linkedin.info

# Reference: https://twitter.com/HaoZhixiang/status/1635937304970706948
# Reference: https://www.virustotal.com/gui/ip-address/43.154.91.41/relations
# Reference: https://www.virustotal.com/gui/file/4c9b6c5c65eff41d99911dffb8f65730e4bf954ff162e9840d3cac7fe1fc9340/detection

/getCarddataData.php
/api/getCarddataData.php

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-03-16%20IcedID%20(Bokbot)%20IOCs

/gatef1.php

# Reference: https://www.virustotal.com/gui/file/9dcea75ddd40d0319cb396b4fb95177a205f055768135b527dd6bdd01d0980ec/detection

/qsplyz?mac=

# Reference: https://twitter.com/malwrhunterteam/status/1639320109130063872
# Reference: https://www.virustotal.com/gui/file/783d6753583a5d4a01fdd93d242e29f76324625d3b1c701a3fac161aa325bfce/detection

/USCORP.hta

# Reference: https://twitter.com/suyog41/status/1643241392439808001
# Reference: https://www.virustotal.com/gui/file/ba2848dd130c26176303690fd5a07e945dfbd20c59f253dc56cc64611409518d/detection

/hack/getcompid.php

# Reference: https://medium.com/checkmarx-security/who-broke-npm-malicious-packages-flood-leading-to-denial-of-service-77ac707ddbf1

/0ab626f8f67208ad.php

# Reference: https://www.virustotal.com/gui/file/19446bdf86ecbc053df4e6c222d2bc1ac3b926638895ec1068c0557f2daa4837/detection

/cee424f0f512fc7e.php

# Reference: https://twitter.com/sicehice/status/1645494638285922322

/chmodPayload.session
/CVE-2020-9484.sh
/downloadPayload.session
/executePayload.session
/payload.sh

# Reference: https://twitter.com/malwrhunterteam/status/1646609191568658458
# Reference: https://www.virustotal.com/gui/file/6fdfb56033dd92edfde1461cab42042d38ce43b8f2cb75872e7435e62ed744ca/detection

/12b5f6433dfa13f2.php
/paladin.hta

# Reference: https://twitter.com/sicehice/status/1647771330492727296

/disable_defender.ps1

# Reference: https://www.virustotal.com/gui/file/0ae89ff0f8f57e30516f60a3a73d7bf3c0199b92031c933a8300f3f5663430f1/detection

/a21af7dae5690f15.php

# Reference: https://twitter.com/James_inthe_box/status/1648072479980797954
# Reference: https://app.any.run/tasks/40ff202b-33e9-4b9d-bf32-057dc39d06fa/

/dropper.php?code_request=
/load.php?code_request=
/loader.php?code_request=
/payload.php?code_request=

# Reference: https://twitter.com/Gi7w0rm/status/1649005498069401601
# Reference: https://tria.ge/230420-ml7q5sbc8z/behavioral2
# Reference: https://tria.ge/230420-mpceeabc9z/behavioral2
# Reference: https://www.virustotal.com/gui/file/b7d9f37e382bbb34858885e08b72ae41a73e484a9b30f8f0e16bd3f546daa018/detection

/loadaddr

# Reference: https://twitter.com/unmaskparasites/status/1649161956547497984
# Reference: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

/3e9c0ca6bbe9.php
/7299b0773c8d.php

# Reference: https://twitter.com/sicehice/status/1650703773839286272

/valueOwn2_old.hta
/valuOwn2.hta
/UzxxZ.hta

# Reference: https://twitter.com/sicehice/status/1650692593175470080

/inject.sql

# Reference: https://twitter.com/sicehice/status/1650682009923072001

/Shhhloader.cna
/Shhhloader.py

# Reference: https://twitter.com/sicehice/status/1650678836399316994

/tryme.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1650871512847593475

/st.ps1

# Reference: https://www.virustotal.com/gui/file/0a8616d62d28ed7d8ef580784dee2fc816f8d5200e339e69f925078b288a6d7b/detection

/prob.ps1

# Reference: https://www.virustotal.com/gui/file/2d9f0179595ba0a74803c5d3446a1d63c0769f2356632ee55ba2095b6fbfcd1b/detection

/name.hta

# Reference: https://twitter.com/g0njxa/status/1652034044299714563

/929bd6eec88931b3.php

# Reference: https://twitter.com/malwrhunterteam/status/1653055096295399425

/MsMpEng.hta

# Reference: https://twitter.com/500mk500/status/1653860821020049410
# Reference: https://www.virustotal.com/gui/file/d236df798c56b2a32ff744f16d93c6a0412b4caaf2ea35b171a3953b19609074/detection

/api/api.php?action=getcmd&id=
/api/api.php?action=getpe&id=

# Reference: https://twitter.com/pr0xylife/status/1656581454925529088

/droidddxxxPayload.vbs

# Reference: https://twitter.com/malwrhunterteam/status/1658197993273565187
# Reference: https://www.virustotal.com/gui/file/ff5d3736cb0f0d09bce42c5d6d6b6c4ac126a378028e4bd5c8ca8d47f3585530/detection

/xboyxVersionxx.txt

# Reference: https://gist.github.com/kirk-sayre-work/1a7ec92ab9018ffac71ee5826de9aba8

/f1.ps1
/f2.ps1
/file1.ps1
/file2.ps1
/file3.ps1
/file4.ps1
/file.ps1
/upl.ps1

# Reference: https://www.virustotal.com/gui/file/63ddb34c0196ad0597464fcc39667e2410bbfcd51ffb5d52e69081bb342531ca/detection

/drvsa.hta

# Reference: https://twitter.com/suyog41/status/1660893657623347200
# Reference: https://www.virustotal.com/gui/file/459d3d75db323b230afc26b1f5bf2ea40591eeb7bb3d4927f87f302b71108e24/detection
# Reference: https://www.virustotal.com/gui/file/42f3651063202a8fd42021a1ffc27bd1b9709779ec10654368ea34d8f047d08b/detection

/glooko-windows.php
/glooko-windows.php?host=

# Reference: https://twitter.com/g0njxa/status/1662432191249281025

/4107e896e74f964e.php

# Reference: https://twitter.com/James_inthe_box/status/1663586640101793793

/5de6a3ffd5d23c.php

# Reference: https://threatfox.abuse.ch/ioc/1211511/

/e59783f5c53b6e.php

# Reference: https://twitter.com/threatintel/status/1663920614887899152

/777.ps1
/bADtkM9pCNHe.hta
/tomtom.ps1

# Reference: https://twitter.com/doc_guard/status/1676690812942397440

/host21/74ef424.php
/74ef424.php

# Reference: https://twitter.com/faisalusuf/status/1677288652345573376

/www/xxx/46ff82b.php
/xxx/46ff82b.php
/46ff82b.php

# Reference: https://twitter.com/doc_guard/status/1679136232847159298

/kpb.hta

# Reference: https://twitter.com/doc_guard/status/1681281900424441857

/ileyarudy/ebe51b8.php
/ebe51b8.php

# Reference: https://twitter.com/Yeti_Sec/status/1681294210492669953

/3DESbypass.ps1
/AMSIbypassScanInterception32bits.ps1
/AMSIbypassScanInterception64bits.ps1
/AmsiWin32APIBypass.ps1
/AmsiWin32APIBypassALL.ps1
/AmsiWin32APIBypassALLApplkCLM.ps1
/CeaserXOrbypass.ps1
/Invoke-ReflectivePEInjection.ps1
/amsibypassjs.js
/bypassDES.ps1
/bypassRC2.ps1
/bypassxor.ps1
/loadmetANDinjecttoexpls.ps1

# Reference: https://twitter.com/K_N1kolenko/status/1670717372418736128

/okinaloi.hta

# Reference: https://threatfox.abuse.ch/ioc/1140177/

/def4f4924bdf6e.php

# Reference: https://threatfox.abuse.ch/ioc/1140405/

/8fcde15698ce9a.php

# Reference: https://www.virustotal.com/gui/file/2750db58bd94b97aa33fb563461c528c54eb3f08f3315b0648291842576e6857/detection

/idbk.hta

# Reference: https://twitter.com/sicehice/status/1676336562915667971

/cve-2019-19781.py
/cve-2022-22963.py

# Reference: https://twitter.com/sicehice/status/1658975084973903873

/cve-2018-7600_poc.py
/cve-2018-7600.py

# Reference: https://twitter.com/sicehice/status/1658227388117839874

/Invoke-AppPathBypass.ps1

# Reference: https://threatfox.abuse.ch/ioc/1143987/

/f4058d59f18c3d.php

# Reference: https://threatfox.abuse.ch/ioc/1143989/

/6def98ac6de238.php

# Reference: https://www.virustotal.com/gui/file/05f3c3043ce59ea4711d0a090e69382370be2a8ad4f2526260c57eafe305e1fc/detection

/IE_NET.hta

# Reference: https://twitter.com/1ZRR4H/status/1686659981389463552

/067ft5.hta

# Reference: https://twitter.com/malwrhunterteam/status/1686850055599239169

/akuy4l.hta

# Reference: https://www.virustotal.com/gui/file/cc652a2be3f935f1bf3c40f7033239e09357da22f98b6abcab17bbb34266a02a/detection

/XVXCSASD.hta

# Reference: https://twitter.com/doc_guard/status/1686640977430069248

/inj/IE_browser.vbs
/IE_browser.vbs

# Reference: https://twitter.com/StopMalvertisin/status/1688816016443547648

/msk.hta
/zaza.hta
/zero.hta

# Reference: https://twitter.com/ViriBack/status/1689625007532511233
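# Reference: https://tria.ge/230810-p92wxach32/behavioral1
# Note: short, generic path-and-parameter entry; correlate a hit with the destination host and the referenced sandbox run before acting on it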

/gate?id=

# Reference: https://twitter.com/sicehice/status/1689840704879509504

/dropper_client.py
/dropper_server.py

# Reference: https://twitter.com/sicehice/status/1689830829634023424

/CVE-2016-7255.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1689894749400911873
# Reference: https://www.virustotal.com/gui/file/dbebb179b1d007eb15349de7a9e0e13f1ab1831b5e4f74afbdbc59e6ce3f439f/detection

/status.jpg?bypassCache=

# Reference: https://twitter.com/sicehice/status/1689858299837980672

/pshobfs.ps1

# Reference: https://twitter.com/KesaGataMe0/status/1690913251478110208

/wctxNBCW2101.doa.php

# Reference: https://www.virustotal.com/gui/file/4b33a49ae0540f43c8357709841be70541d2cf162755e7649604b13740c5bad9/detection

/gate.php?hwid=
/keylogs.php?hwid=

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1692443866841121094

/durare.hta

# Reference: https://www.virustotal.com/gui/file/a70d2999b817814f006a7f3e0bda9a69e8be0d4835e9c03cc3d39aa3e0a510e7/detection

/final_pshnet_revhttps.ps1

# Reference: https://twitter.com/doc_guard/status/1693666858958717236

/863jehjf.js

# Reference: https://twitter.com/fr0s7_/status/1693551189260976157

/iscsicpl_bypassUAC

# Reference: https://www.virustotal.com/gui/file/a08c36812818618f44782c3677c8b8b8159a1beacbad66adbe232e694d91176e/detection

/batdrop.hta
/batdrop.ps1

# Reference: https://twitter.com/sicehice/status/1694549050584973690

/shell-x64.hta
/shell_x64.hta
/shell-x86.hta
/shell_x86.hta
/shell-x64.ps1
/shell_x64.ps1
/shell-x86.ps1
/shell_x86.ps1
/shell-x64.py
/shell_x64.py
/shell-x86.py
/shell_x86.py

# Reference: https://twitter.com/sicehice/status/1694546485864435835

/CVE-2021-3156-main.tar
/exploit_userspec.py
/exploit_cent7_userspec.py
/exploit_defaults_mailer.py

# Reference: https://www.virustotal.com/gui/file/d217cf59f8b8ed0916c04e38aaa3ad8c7b2667f61e080c17c52b26bb3ce2d370/detection

/referent.hta

# Reference: https://twitter.com/1ZRR4H/status/1697506554889511164

/CPJLFRfHPCoCEklIgFAjmFaCvhODfPaCcSdPEEfHnGbUMXMelq.php

# Reference: https://twitter.com/souiten/status/1697515866148270249
# Reference: https://www.virustotal.com/gui/file/821b43f3151e568ebf436a05928909968ace706049e09feeec448a3efe9af67c/detection

/rsc/st4rting.hta
/st4rting.hta

# Reference: https://twitter.com/ViriBack/status/1698693553168236869
# Reference: https://www.virustotal.com/gui/file/276cdb84c5db9d081f107c821a4b28e3b7749a0924a8445d0c021de6fbac72a4/detection

/command_bot.php
/connect_bot.php
/receive_bot.php
/command_bot.php?cmd=
/connect_bot.php?cmd=
/receive_bot.php?cmd=
/command_bot.php?hwid=
/connect_bot.php?hwid=
/receive_bot.php?hwid=

# Reference: https://twitter.com/r3dbU7z/status/1699701230300270825
# Reference: https://www.virustotal.com/gui/file/40c5ba301755ec898d9169a80b016d3cb70a5a0a07dd615d98318c45e01b3ce9/detection
# Reference: https://www.virustotal.com/gui/file/6c44a15dc88f1ba8501aa5d8a1924050a72a488bf5a77ff965651e0d16ec2450/detection

/inject.asp
/inject.aspx
/inject.bat
/inject.hta
/inject.ps1
/inject.py
/inject.vbs
/inject.wsf
/inject.xsl
/injection.asp
/injection.aspx
/injection.bat
/injection.hta
/injection.js
/injection.php
/injection.ps1
/injection.py
/injection.vbs
/injection.wsf
/injection.xsl

# Reference: https://twitter.com/petrovic082/status/1699766482517798930

/hhhhhhhhhhhhhhhh.hta

# Reference: https://twitter.com/drb_ra/status/1700478808501993895

/bombaimha.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1701124224281202767

/64feb584a86fd-49317.php

# Reference: https://twitter.com/malwrhunterteam/status/1700105820644462736
# Reference: https://www.virustotal.com/gui/file/e11f0b388f00b177ee036de39d352b503408d9b313307848f1cdd4d9b11c6733/detection

/employeehandbook.hta

# Reference: https://www.virustotal.com/gui/file/b9bebbc0c45cbc87124ba497cb7b7f15fbac6e39535869ae006a950ac04ea285/detection

/get-command.php?cmd=
/get-command.php?hwid=
/get-command.php?uid=

# Reference: https://twitter.com/ginkgo_g/status/1704080438036475950
# Reference: https://twitter.com/suyog41/status/1702583263385301229
# Reference: https://www.virustotal.com/gui/file/ed03aad460e5e31cee1b3a77ae4fe4ae60663cc5efe5e32b22631e7b9fd7c370/detection
# Reference: https://www.virustotal.com/gui/file/0a8fb2609d38e493d77ccb5a8550e84518275671dc8b3eadcad9d55ed8008aa7/detection

/ni2n.ps1
/ua18l.ps1
/wjcgd.ps1
/xc0ix.ps1

# Reference: https://www.virustotal.com/gui/file/171c707afb64b5ad621864968ce888af80401c2247b5b21a05f45985063d5b88/detection

/184d347f3c08fb.php

# Reference: https://twitter.com/drb_ra/status/1703450554175799367

/sigara.aspx

# Reference: https://threatfox.abuse.ch/ioc/1164467/

/060d00f2.php

# Reference: https://twitter.com/taku888infinity/status/1704090624872575183

/ToTP01020101Action.do.php

# Reference: https://www.virustotal.com/gui/file/d975dba50f62eabd79d58afaab3bd2b258f723b9944df5ba1050195ea7279f03/detection

/1e78c4e419aa01.php

# Reference: https://twitter.com/malwrhunterteam/status/1704483766461173984
# Reference: https://www.virustotal.com/gui/file/3af0a90d9a3cd77aa0353ec59bd8129fb799ee72daa6e61555c6228219385d43/detection
# Reference: https://www.virustotal.com/gui/file/64e733d51b0e03957003f0b5e424efd1068f331226880e0c212de2c29b2a38d6/detection
# Reference: https://www.virustotal.com/gui/file/1169c5ba2feae0192d2d8d45ce2fc3456bca1d6633d46b0f219bd62fddcca922/detection

/neverban_zBbnJe.vbs

# Reference: https://twitter.com/r3dbU7z/status/1704854108455551274

/hund.ps1
/ottonova-a1.ps1
/ottonova-a2.ps1
/ottonova-m1.ps1
/ottonova-m2.ps1
/ottonova-a1.shell
/ottonova-a2.shell
/ottonova-m1.shell
/ottonova-m2.shell

# Reference: https://threatfox.abuse.ch/ioc/1165829/

/b1b0a368.php

# Reference: https://www.virustotal.com/gui/file/367233777383f0ab4848784448b9594191c60d4fc4ca9605a6e8b1223c3a23f8/detection

/PWYPwxGyWukmHWTPppdpWPx.hta
/PWYPwxGyWukmHWTPppdpWPx.ps1

# Reference: https://www.virustotal.com/gui/file/843c4407865ab4d809f0e3b8a581bab50a330ad98c926d0f10540f451b6611d5/detection

/qmlbspjn.php
/wymzorxw.php

# Reference: https://twitter.com/malwrhunterteam/status/1706690313975136529

/bazila.hta
/soda.hta

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-09-27%20SocGholish_Lumma%20IOCs

/zwmrqqgqnaww.php

# Reference: https://blogs.blackberry.com/en/2023/09/silent-skimmer-online-payment-scraping-campaign-shifts-targets-from-apac-to-nala

/client111.ps1
/MsMsp.hta

# Reference: https://threatfox.abuse.ch/ioc/1182839/

/ba4d1581aebc19.php

# Reference: https://twitter.com/Merlax_/status/1710072519795896676

/4qo7vrpels1ncni3qv7yobfhvfi85.php
/5cltm1jkqccs.php
/caminho-ranger-32.php
/cff4oi2ucz7wrr62xdcj.php
/d9sywf.php
/df7tkq4d8s7q6t6i1tl9.php
/emfkrktnrrblkk66ywunir89e9gjykhecb.php
/giqw6dm3gefm6vyefnubumdyivb1cdmcw.php
/ocji6w6o3w4q2q1the33c.php
/ql154dcqyonogxnryzwx.php
/qrc9t4ou.php
/rhtcgk1qfeczrl8ou27e1jvyyntwyv.php
/t6h86tu79rpec5y8w4qeglp2yp.php
/y4koyklbzyupogj3q9f.php

# Reference: https://twitter.com/r3dbU7z/status/1710590656597352560

/BadUsb.ps1

# Reference: https://twitter.com/Gi7w0rm/status/1711030015016505609

/reverseshell.asp
/reverseshell.aspx
/reverseshell.bat
/reverseshell.hta
/reverseshell.js
/reverseshell.php
/reverseshell.ps1
/reverseshell.vbs

# Reference: https://threatfox.abuse.ch/ioc/1186091/

/bbc7e6ad6814b3.php

# Reference: https://threatfox.abuse.ch/ioc/1183943/

/cdn-js/minlen.php
/qzwewmrqqgqnaww.php

# Reference: https://twitter.com/r3dbU7z/status/1711882323367457217

/fVvEwlyGLj.wsf

# Reference: https://twitter.com/whichbuffer/status/1712200899869790319

/cisco-CVE-2016-6415.sh
/CVE-2020-8515.go

# Reference: https://twitter.com/naumovax/status/1712449056352444730
# Reference: https://www.virustotal.com/gui/file/ec175a771f670fe5c9f7a1756efa74a693254eaaa7a6c5d46fbd9dddbb34e34c/detection
# Reference: https://www.virustotal.com/gui/file/be46b47e582414db4fe41ca45f4ad180b46ebb101e682a87808b32f2762f7cde/detection
# Reference: https://www.virustotal.com/gui/file/ce5d3ec4169ff72ee9f164880f8c916ec93c8e409812b464744b91803eceec2c/detection

/Public/jquery/TM/jquery_tm.js
/Public/jquery/0/jquery.js
/Public/jquery/1/jquery.js
/Public/jquery/2/jquery.js
/Public/jquery/3/jquery.js
/Public/jquery/4/jquery.js
/Public/jquery/5/jquery.js
/Public/jquery/6/jquery.js
/Public/jquery/7/jquery.js
/Public/jquery/8/jquery.js
/Public/jquery/9/jquery.js

# Reference: https://twitter.com/Gi7w0rm/status/1713923723718238600

/pentest.hta
/pentest.ps1

# Reference: https://threatfox.abuse.ch/ioc/1189584/

/fa87adc3.php

# Reference: https://www.virustotal.com/gui/file/2827bbea71a2c90a1b3ef41239292c4803b78bd3bc18b7ef810d31bd9952d39c/detection

/nenenenenenne.asp
/nenenenenenne.aspx
/nenenenenenne.bat
/nenenenenenne.hta
/nenenenenenne.js
/nenenenenenne.php
/nenenenenenne.ps1
/nenenenenenne.vbs

# Reference: https://twitter.com/malwrhunterteam/status/1714333541201301894

/msfnt.hta
/msfnt.ps1

# Reference: https://cert-agid.gov.it/wp-content/uploads/2023/10/screenconnect_ultravnc_19-10-2023.json

/js/exploit.hta
/js/exploit.ps1
/exploit.hta
/exploit.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1715075131175751740

/lass.hta
/lass.ps1
/PuttyUac.hta
/PuttyUac.ps1

# Reference: https://twitter.com/1ZRR4H/status/1716290332885745949

/crypto.hta
/crypto.ps1

# Reference: https://twitter.com/karol_paciorek/status/1716395306202358156

/evil.ps1
/evil.py
/evil.vbs
/shell.bat

# Reference: https://twitter.com/malwrhunterteam/status/1716517330602033659
# Reference: https://www.virustotal.com/gui/file/a42303a1baa0b48a95f6eaf6cfba9cef523492d078692cb2a1ab4889337624a6/detection

/exploit/IntelCpHDCPSvc.hta
/exploit/IntelCpHDCPSvc.ps1
/IntelCpHDCPSvc.hta
/IntelCpHDCPSvc.ps1

# Reference: https://www.virustotal.com/gui/file/c81f61e669603b59e0b224cf0eb0f86a4d23b9cf050ca484ae87e22b64709a72/detection

/x/sample.hta
/sample.hta

# Reference: https://twitter.com/suyog41/status/1716709552543162496
# Reference: https://www.virustotal.com/gui/file/fa6aa00418f7c7e2c8c840f89acee25dac55e0623e7e5e6641880ffa3dd161ec/detection

/upload/bot.php?id=

# Reference: https://twitter.com/malwrhunterteam/status/1719104612714574309
# Reference: https://www.virustotal.com/gui/file/c2d3fc535e56c109478a742ec44c635c18845dc2e8fd27f13d1fa155588849f6/detection

/more_page.hta
/more_page.ps1

# Reference: https://twitter.com/doc_guard/status/1720030244516643274
# Reference: https://www.virustotal.com/gui/file/aee00173af3d3e8630696a72bd942522543734c26b37afeffbee6d2057285a9a/detection

/HTMLIEbrowserSShistory.vbs
/HTMLIEcentosBrowserHistory.vbs

# Reference: https://threatfox.abuse.ch/ioc/1198171/

/80c2d1651b23ae.php

# Reference: https://threatfox.abuse.ch/ioc/1232006/

/2c6d40d7cc1ad3.php

# Reference: https://twitter.com/Gi7w0rm/status/1721564409800142986

/open_WinCryptoWallet.ps1

# Reference: https://threatfox.abuse.ch/ioc/1199442/

/61b46e405d2c1c.php

# Reference: https://threatfox.abuse.ch/ioc/1199773/

/2dd77469.php

# Reference: https://twitter.com/Slvlombardo/status/1722207081699414430

/wp-includes/ww-new-rta01/dtrta.php
/wp-includes/ww-new-rta01/
/ww-new-rta01/dtrta.php
/ww-new-rta01/

# Reference: https://twitter.com/malwrhunterteam/status/1723017726120149327

/stager_persist_rat.hta
/stager_persist_rat.ps1

# Reference: https://threatfox.abuse.ch/ioc/1201607/

/06642940.php
/30055d25.php
/396833e4.php
/3bd148da.php
/6ea41d52.php
/720420a0.php
/8a5ea326.php
/917abd55.php
/945f1075.php
/b1e57687.php
/e78a6263.php

# Reference: https://twitter.com/suyog41/status/1725500179829436655
# Reference: https://twitter.com/suyog41/status/1765277622777307566
# Reference: https://www.virustotal.com/gui/ip-address/52.221.191.170/relations
# Reference: https://www.virustotal.com/gui/file/dd2b2215977ca4822769a16487e4c22b331ac1fb09791cbde6ee98ae72408137/detection

/jakart/bizposting.php
/jakart/0305.php
/jakart/redirect.php?m=
/singole/shake.php
/singole/welcome.php

# Reference: https://twitter.com/doc_guard/status/1725564939878756608
# Reference: https://www.virustotal.com/gui/file/33d3af4cae982d5f0456f3b13d5dcf90506c0262e2900d4ef32a4e01a59628bc/detection
# Reference: https://www.virustotal.com/gui/file/92343dd76241c60af94b8ccd1d841539dce75f61baf0c8f7eb655244e7c74f5d/detection
# Reference: https://www.virustotal.com/gui/file/96c62314d9fe9d18efb86551ac411d17de0e9ecda19654355da9b5e80ef91cf0/detection

/not/notoku.php
/not/notoku.php?urlcode=

# Reference: https://twitter.com/MaxRogers5/status/1727115516509126824

/F8PtZ87fE8dJWqe.hta
/QfjzVlfbQT0H.hta

# Reference: https://twitter.com/1ZRR4H/status/1727498375946289495

/bot1.py
/mahoa.py

# Reference: https://twitter.com/malwrhunterteam/status/1728175485853872427
# Reference: https://www.virustotal.com/gui/file/72829a5407ecd5607613f6351019302ba8c55317f4f3dff1f8280f7c3e7b4897/detection

/a1111647095336d8170db2cb1d9870f9.php

# Reference: https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/k/attack-signals-possible-return-of-genesis-market/iocs-attack-signals-possible-return-of-genesis-market.txt
# Reference: https://otx.alienvault.com/pulse/65609160cddfd2987cac2ef3

/obfs3ip2.bs64

# Reference: https://twitter.com/1ZRR4H/status/1729196411843985530

/passportscan.hta

# Reference: https://twitter.com/alex_lanstein/status/1732485636601319519
# Reference: https://www.virustotal.com/gui/file/88f64c6021b469a40d3d5bf6ab0f563313caafe5e5ba79854cc31f880636c152/detection

/atoletter2.hta
/atoletter3.hta
/atoletter5555.hta
/atoletter6.hta
/passportscan.hta
/scan_058883.hta

# Reference: https://twitter.com/malware_traffic/status/1732437588059832338

/jeyhivxb.php
/lovtqtyl.php

# Reference: https://www.virustotal.com/gui/file/0c3affef7b7928a44cf5050ed0d38724bf182993db63f786eb926007bd135323/detection

/a051212x/16/load.php

# Reference: https://twitter.com/banthisguy9349/status/1734301694719050200

/coldfusion_rce.py
/evilrmiservernew.class
/springboot-jdbc-deserialization-rce.py

# Reference: https://twitter.com/JustWantToQ1/status/1735870555373355048

/ak12sd3.ps1
/ak12sd3.hta
/ak12sd3.php
/ak12sd3.py

# Reference: https://twitter.com/1ZRR4H/status/1736870188480434417

/xccc.hta

# Reference: https://twitter.com/doc_guard/status/1737494486295486473
# Reference: https://app.docguard.io/4bfc29dff0955937190a085c6114d5019555558ed4a79b4fcb75a18ed28a3252/results/dashboard
# Reference: https://www.virustotal.com/gui/file/4bfc29dff0955937190a085c6114d5019555558ed4a79b4fcb75a18ed28a3252/detection

/Malware/l.php

# Reference: https://twitter.com/1ZRR4H/status/1737237724644655591
# Reference: https://www.virustotal.com/gui/file/57561423590dd2334269cd4cdf22ffc267f202ff0e954cb49b73a292b4492172/detection
# Reference: https://www.virustotal.com/gui/file/0081ec4836a7ecf5b428ba410dc9a86d679cb0d6ef8bb52dc7c8721efc3a4b3d/detection

/agent1.ps1
/agent3.ps1
/sd2.ps1
/sd4.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1738254214353064420
# Reference: https://www.virustotal.com/gui/file/bd871a2ccd6d7c4f89f9f5087e60cfdcc7ab35b670cfda7ddfd6dbbab8c8560c/detection

/algo.hta

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-12-22%20AsyncRAT%20IOCs

/eq2c1svfjphtr.php

# Reference: https://twitter.com/V3n0mStrike/status/1740461394250641595

/0312823187.php
/UD912K0.php

# Reference: https://twitter.com/noexceptcpp/status/1740347631816122829

/cve-2016-1531.sh
/exploit1337.py

# Reference: https://www.virustotal.com/gui/file/e1974c4099cd21cc0b538bdce94f78165930fbfe1f79e7f0fcca3cd276d39bda/detection

/68ce5b29.php

# Reference: https://twitter.com/Merlax_/status/1743380172768784598

/i2m9jn3wm2.php

# Reference: https://threatfox.abuse.ch/ioc/1228977/

/266ba446.php

# Reference: https://threatfox.abuse.ch/ioc/1230683/

/7493c28b.php

# Reference: https://www.virustotal.com/gui/file/29dcf858f36f68827696a9a3ea1b4a821180569ab297d2f73c740b15832302d3/detection

/vj0li6rpzmhtr.php

# Reference: https://www.virustotal.com/gui/file/ed73c5b9cfcc18b8a58f936dd2cf5009599512654ea159b4ccbc479c208063cb/detection

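# NOTE(review): the entry below is commented out with no reason given, while similar "%20" paths (e.g. /d%20fziog%20n.php) stay active - confirm this is intentional
# /b%20kzioe%20f.php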
/zg0p9xfcjshtr.php

# Reference: https://www.virustotal.com/gui/file/dcab1d8358b8402218c1015e4e14820c976f15a8d5a8fa16220383e8e39687da/detection

/6wfu21zpaihtr.php
/fk0wvgc9tlhtr.php

# Reference: https://www.virustotal.com/gui/file/4e4088a4d66846f55d25539314f58f553e915bb4cc5aa9d29bc3a5693ff5948f/detection

/3fz20plk5shtr.php
/d%20fziog%20n.php

# Reference: https://www.virustotal.com/gui/file/35ac43ff2e2483ea47f78012970092993ba855bda39563f54e8594e653cad3f9/detection
# Reference: https://www.virustotal.com/gui/file/1c6ecc97d422cd78a972b71ac22e18bec4b4d58511f9a0ad85ed2de9edcd1c35/detection

/h%20lziof%20k.php

# Reference: https://www.virustotal.com/gui/file/2d56047dc2f18420264cf2d9fa454559a346fba937753aab5865f11e1c82b3b3/detection

/$6i7owtj1sv4h0f8.php
/6i7owtj1sv4h0f8.php
/l%20eziof%20h.php
/no27hufp4ehtr.php

# Reference: https://twitter.com/sicehice/status/1745669226935767065

/cve-2021-4034-poc
/cve-2021-4034-poc.py
/exploit_nss_u16.py
/CVE-2021-3156/

# Reference: https://www.virustotal.com/gui/file/9605968addccaa2323334d501b99ab88cd0b879bc8a2b4c5dc1d27c4d27d5e53/detection

/ddsss.ps1

# Reference: https://threatfox.abuse.ch/browse/malware/win.dcrat/ (# 2024-01-24)

/26048ad8.php
/359d80f9.php
/46636ed2.php
/500ae1b3.php
/665cf811.php
/667f720d.php
/8a45dff2.php
/91c007b5.php
/937b6157.php
/9625229d.php
/9b366b94.php
/9bc7b45d.php
/9cf11b76.php
/ab3a3bb6.php
/adcac1e6.php
/b0f62e5c.php
/c2b6ff67.php
/cce379fc.php
/db059622.php
/e3e70db1.php
/e42a6515.php
/ee48257d.php
/f1aba1fe.php
/f50a15cc.php
/f8a8b9ed.php

# Reference: https://twitter.com/noexceptcpp/status/1751572303295504461
# Reference: https://twitter.com/noexceptcpp/status/1751589805647917376
# Reference: https://www.virustotal.com/gui/ip-address/38.148.199.252/relations

imbolexabc.top
resmakabc.top
br.resmakabc.top
ccc.imbolexabc.top

# Reference: https://twitter.com/DmitriyMelikov/status/1752270530126741920
# Reference: https://www.virustotal.com/gui/ip-address/142.93.233.186/relations
# Reference: https://tria.ge/240130-mfylaafdbj/behavioral2
# Reference: https://www.virustotal.com/gui/file/5509ec26758c3c0dcf2bf1b0d7d8600da08cdcfb73cd6b90d46f84ea61c71094/detection

/jMnmopzu
/track/load.js

# Reference: https://twitter.com/banthisguy9349/status/1752335418253566314

/http_bypass

# Reference: https://twitter.com/banthisguy9349/status/1752420692769865775

/CVE-2023-36664-Ghostscript-command-injection/
/CVE-2023-4634/
/exploit-CVE-2023-23752/
/woo.py

# Reference: https://www.virustotal.com/gui/file/d76af2991fb3bf24fbf34c55942dd304ee1aff30d27cbe9cbb2b96cd860e120c/detection

/strasb/
/strasb/scripts/
/strasb/scripts/myscript_1.js

# Reference: https://twitter.com/banthisguy9349/status/1754099584190538104

/api_flooder.bat
/api_flooder.hta
/api_flooder.php
/api_flooder.ps1
/api_stresser.bat
/api_stresser.hta
/api_stresser.php
/api_stresser.ps1
/kill_psw.bat
/kill_psw.hta
/kill_psw.php
/kill_psw.ps1
/rdp_flooder.bat
/rdp_flooder.hta
/rdp_flooder.php
/rdp_flooder.ps1

# Reference: https://twitter.com/banthisguy9349/status/1754134426391359554
# Reference: https://www.virustotal.com/gui/file/3650667be007a3733dc935f0978ae5964e6dac65728b31d44e6b4d92c5220042/detection

/1pdf.hta
/1pdf.ps1

# Reference: https://twitter.com/banthisguy9349/status/1754140240652939341

/clear_bots.php
/clear_bots_database_info.php
/clear_dead_bots.php
/clear_dirty_bots.php
/clear_offline_bots.php
/clear_online_bots.php
/get_bots_by_device.php
/get_bots_by_status.php
/get_bots_by_type.php
/get_bots_countries.php
/get_bots_database_info.php

# Reference: https://twitter.com/k3yp0d/status/1754380225792577647
# Reference: https://www.virustotal.com/gui/file/499528fb822e6cf086e98d9e27067f939ecbf0a3791f701a0a6f9a44ba8864ea/detection

/opituvannya.hta
/opituvannya.ps1

# Reference: https://iamdeadlyz.gitbook.io/malware-research/february-2024/outfoxing-a-malicious-pdf-an-attackers-attempt-to-deliver-a-stealc-infostealer

/officeupdate.hta
/officeupdate.ps1

# Reference: https://twitter.com/karol_paciorek/status/1754472675655774703

/asdf.hta
/asdf.ps1
/qwerty.hta
/qwertyj1.hta
/telly.hta
/telly.ps1

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1754830872031744020
# Reference: https://www.virustotal.com/gui/file/3761fb4c5b30d06501fe6688019ace6c899bdfc278049ddd91b96e0efe0d8830/detection
# Reference: https://www.virustotal.com/gui/file/b9c763ed1cd4cabc6faa0fece7738a941de1d65163d05480c9790217d931c7c8/detection

/60WuOcgFX.hta
/60WuOcgFX.ps1

# Reference: https://twitter.com/banthisguy9349/status/1756606597667709276

/redis-rogue-server.py

# Reference: https://twitter.com/karol_paciorek/status/1757353098035511512
# Reference: https://tria.ge/240213-mgymnsfe3z/behavioral1
# Reference: https://tria.ge/240213-mapfesfc71/behavioral1

/lins2.ps1
/raw_stageless_8000.hta
/s_8000.hta

# Reference: https://twitter.com/banthisguy9349/status/1755838447141401064

/BS10534901.php

# Reference: https://twitter.com/banthisguy9349/status/1757464973867917424
# Reference: https://pastebin.com/R6v4TUX1

/ransomeware/crypto.html
/ransomeware/ransomeware.html
/ransomeware/
/siilencedantibot!

# Reference: https://twitter.com/unmaskparasites/status/1765144260729618782
# Reference: https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html
# Reference: https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html

/cachingjs/turboturbo.js
/turboturbo.js

# Reference: https://twitter.com/banthisguy9349/status/1762883187699556388

/CVE-2023-4911-main/
/SpigotRCE-1.0-SNAPSHOT.jar

# Reference: https://twitter.com/unmaskparasites/status/1763325433427468602
# Reference: https://urlscan.io/search/#filename%3A%22static%2Fdefault%2Fjs%2Fdelighters.js%22

acasellavs.com
acenicesm.life
adminicesm.life
ainiloveet.life
akalovevs.live
aklikeet.xyz
alegoodar.xyz
aloeloveet.life
apkafreeov.com
aresellsk.live
artulikea.life
aslsalesov.live
avgoodsmk.xyz
avsfreeov.life
avsupermk.xyz
aylikeet.life
azfreemk.live
bakubestvs.live
ballfreeov.life
banclovesm.xyz
bealikesm.live
bearsellsk.xyz
beesellsov.life
bengoodsmk.xyz
bestandssm.xyz
bestbabasm.com
bestbibear.xyz
bestbidzmk.xyz
bestbobomk.life
bestcgsvs.life
bestdosesk.live
bestecarsk.live
besteffsm.live
bestenaar.life
bestepro.xyz
bestfotoar.life
bestfsbo.live
bestgefesk.live
bestgmesmk.life
bestgunet.xyz
bestinucmk.com
bestkod.life
bestlessvs.live
bestlet.xyz
bestletsm.xyz
bestmmmsm.com
bestmmosov.live
bestnavosk.live
bestofusk.life
bestonacar.life
bestongsm.live
bestoopset.live
bestoprov.life
bestpdfvs.life
bestpramov.live
bestrootet.live
bestshoar.live
bestsolu.live
bestsucksm.life
besttermsm.xyz
bestxcamet.xyz
bestxpovs.xyz
bestzalet.life
biofreear.live
bmsalemk.xyz
bmxlovesk.xyz
bostbest.life
botsuperar.com
btlovear.live
capbestar.live
capebest.xyz
cartsaleet.life
cassellssk.xyz
cdrsalesk.life
cenicesk.life
chipgoodmk.life
clovebsk.xyz
cmgoodov.live
cnglovesvs.com
crysalesar.xyz
cubestixmk.xyz
cufflovesm.live
dabestsk.live
dabfreesm.life
dassalessm.xyz
ddosbestmk.live
delikesar.life
demgoodsov.live
diebestear.life
digifreeov.life
dipsale.xyz
domelovesm.xyz
dotsfreeet.life
dovelikesm.com
drpfreesk.live
dtssalevs.life
dvdssalear.com
eatslovesk.com
ecloversvs.live
efreesm.live
eggsalea.live
elelovesk.xyz
ellunicear.xyz
emesalesmk.life
epikloveov.life
erosella.life
esalesar.life
esupermk.live
euwloveov.live
examfreevs.com
exloversvs.life
eyelikedsk.xyz
famfreesm.live
farsuperov.life
fartfreemk.com
fastbestsm.live
fastnicear.live
fgoodsm.life
fillsalear.life
filove.live
finsellet.life
flylovesk.xyz
fpsalesov.life
freeaccsk.life
freeacnevs.xyz
freebows.xyz
freeburnsk.life
freebzssk.com
freecareet.life
freeconsov.live
freecostvs.live
freecreet.life
freedleysm.live
freeduckvs.life
freefiatmk.xyz
freegosvs.live
freehearvs.life
freejumpsk.xyz
freekaaet.xyz
freelianvs.xyz
freenvvs.life
freepeakar.live
freepeasmk.xyz
freepiamk.xyz
freepof.xyz
freepreeet.xyz
freeref.xyz
freerpgset.live
freesmet.life
freesupov.live
freetlymk.xyz
freeucsm.xyz
freewebdsm.life
freezupet.xyz
frpfreeet.com
ftlsalesvs.xyz
fugoodvs.live
fundsalemk.live
gagebestar.live
gamelikeov.live
germlikear.live
gifbestsm.life
gisfreeet.live
glloverov.xyz
gogosale.live
gogosalevs.life
goodbasssm.xyz
goodbatset.live
goodbiaovs.xyz
goodbisvs.xyz
goodbyemk.xyz
goodcexet.life
gooddxmk.life
goodfangsm.life
goodfrogsk.life
goodgbsm.life
goodgifset.life
goodgifvs.life
goodglysk.xyz
goodgrad.live
goodgradar.xyz
goodhouret.xyz
goodhrissk.life
goodjacket.live
goodkeenmk.life
goodkret.live
goodmeowsk.life
goodmima.sa.com
goodminesk.xyz
goodmoocsk.life
goodopemk.live
goodplugsk.live
goodrealsk.live
goodromesm.xyz
goodruinsk.live
goodrusk.com
goodrwov.live
goodtopssm.life
goodtr.xyz
goodtrov.live
goodtsar.xyz
goodtypevs.life
goodvinnar.xyz
goodytvsm.xyz
goodzhaosm.live
goodzoneov.live
goolikevs.live
gorgoodsmk.xyz
gowsalesvs.live
halffreesk.live
haosaleset.xyz
hatfreesk.xyz
hatsalemk.live
hcbestsm.live
hghsaleet.live
hllovetvet.xyz
hoaxfreesm.live
hrloversmk.life
hugebestvs.live
hwlovemk.life
hyposaleov.com
hzgoodar.live
ibeelovevs.xyz
icafreevs.live
idnsalear.xyz
idnsaleset.life
ieatfreesk.live
ifreebsd.ru.com
ifwelovevs.xyz
ilikehksm.life
ilikethcar.xyz
iloveedov.xyz
ilovenisvs.live
ilovepaket.com
imagbest.xyz
imfreezeov.live
imylovesm.live
infogoodet.live
ingsellvs.life
inknicear.life
innolikesm.life
inslikesk.live
instlovemk.live
iqlovevs.live
irielovesk.live
jesellear.life
jlgoodmk.life
jlgsaleset.xyz
johnsaleov.life
jufreesk.xyz
knowbestet.life
kodaloveov.com
langbestvs.live
leiuloveov.life
lgbtbestmk.xyz
lgoodov.xyz
likeaevs.life
likebillsk.life
likeconsk.xyz
likehersar.live
likekhao.ru.com
likemoissm.com
likemoonvs.live
likeroommk.live
liketotomk.live
likeubsk.life
likewaveov.life
likewebov.life
ljcsalesar.live
logfreevs.live
looksalein.life
loopgoodar.live
loveardsk.life
loveasmeov.live
lovecagesm.xyz
lovecitear.live
lovedosmk.xyz
lovedytlet.xyz
loveerysm.xyz
lovegolfmk.live
lovehereov.xyz
lovehexsk.xyz
lovehowrp.xyz
loveishqov.life
loveism.life
lovekinka.xyz
lovekizoar.live
lovelygomk.live
lovemalamk.live
lovemaltmk.life
lovemesk.live
lovemon.life
lovemygpov.xyz
lovenjoyov.live
loveodorsk.live
loveovet.life
lovepakiar.life
lovepineov.life
loveplotsk.xyz
loveplymk.life
lovescacar.live
lovesignsm.live
lovesmsov.life
lovesovs.live
lovexaa.live
loveyardov.live
loveyardov.xyz
lsusalessk.xyz
lubenicevs.xyz
lumiloveet.life
lyloverset.live
madsalesm.live
malibestsk.xyz
mazalovesk.xyz
mbrsalessm.life
mechsellmk.live
melovesm.life
metalikeov.live
mfreea.life
milklovesm.xyz
minisella.xyz
mirasellsk.life
misellosk.com
miyabestvs.life
mlmlovevs.live
mmlovear.live
mmlovevret.xyz
mmmlovear.xyz
modabestet.xyz
modasalea.live
mogloveet.xyz
moodfreea.life
morfreeov.xyz
mtgoodsmk.xyz
mumlovesvs.live
mybestbyar.live
mybestemk.live
myloveinsm.life
nasalexet.life
ncsaleset.life
newbestsm.live
nfsalear.life
niceadv.live
nicediscsm.life
niceheshar.life
nicehhsk.life
nicelimeov.live
niceppsk.life
niceredov.life
niceregar.live
niceringvs.life
nicesoulet.live
nicestersm.live
niceswapet.xyz
nicetempvs.life
nicetisk.live
nicetixsm.xyz
nicetossmk.life
nicetreeov.live
nicetruevs.life
niceunitar.xyz
nicevoteet.live
njlovemk.live
njoylovevs.xyz
nloversar.life
novonicesk.life
nowsellssvj.life
nublovevs.live
offlikerar.live
ofgoodssk.live
ogmfreeet.live
oilsellmk.life
okglovesm.live
omgfreeet.live
oralikear.life
outgoodvs.live
paclovesk.life
padsalessm.xyz
paniceyesm.life
paxsaleset.live
pcssalear.xyz
pdxlovevs.live
pentlovear.life
pillfreesm.life
pixelovear.xyz
plrfreear.life
popfreemk.xyz
porsellamk.xyz
posbesta.live
posbestov.live
pplsalesmk.life
promlikesm.live
pumplikesk.life
qrlovesk.life
racesaleet.xyz
reusellcvs.life
rgoodsar.xyz
ridelikesk.xyz
rodsalessm.live
rosaleneov.life
rosalexsm.life
rqsales.live
russalesov.com
sakulovear.live
saleavtomk.life
salebabymk.xyz
salebootvs.live
saleemar.xyz
salefixssk.com
salehighar.life
salehomeov.life
salelesov.life
salembgcet.live
salemodaet.xyz
salemoonar.life
salenotear.xyz
salepondet.life
salerisksm.live
saleroivs.live
salersov.xyz
salerunsvs.life
salesarsm.xyz
salesbuysk.xyz
salesdxbov.life
saleseaov.xyz
saleseco.life
saleshowvs.live
salesmksk.live
salestelov.live
salesticar.xyz
salethatsm.life
salewireov.xyz
salewskiet.live
samgoodsmk.xyz
sbestylesk.live
scanfreear.live
scgoodsov.xyz
sellbanksm.xyz
sellbaosk.com
sellbuxvs.live
sellerbdsm.life
sellerrsk.com
sellfuelmk.xyz
sellhdov.xyz
selliliar.life
sellmamask.life
sellmostmk.xyz
sellmydov.live
sellpalmvs.live
sellrankov.life
sellsdet.life
sellsunavs.xyz
selluaeov.life
sellvavs.life
shangoodsm.live
shrifreevs.live
sloveyouar.xyz
slssalessm.life
smexsellsk.life
smsloverar.life
smssupervs.live
snssalesar.life
sockbestsm.live
sofabestmk.com
soofreemk.life
soogoodsk.life
spgoodssk.xyz
srvfreear.live
statloveov.live
stsellov.xyz
sublikeet.live
suitlikesk.life
superacmk.life
superanoov.life
superbelsm.life
superbie.life
superbloov.life
superbubar.live
superdeyvs.xyz
superera.xyz
superfasov.xyz
superfemk.life
superfret.live
superftpsm.life
supergccet.live
supergtrmk.live
superhaet.live
superhanov.life
superhitvs.live
superibosk.live
superizesm.xyz
superjbar.life
superliumk.live
supermgitos.live
superminar.xyz
supernnsk.life
superoxy.life
superpdxmk.live
superplrar.life
superpocar.live
superpremk.com
superrask.xyz
superrub.live
supersfmk.life
supersqlar.life
superssset.live
supertafet.life
superumar.live
superusdet.xyz
supervicet.live
sursupervs.life
taxsupermk.life
teknicenvs.com
thelikee.life
thgoodsov.live
tiefreemk.live
tiesalesm.live
tisuperet.xyz
tnlikevs.life
toklikersm.life
tolovevs.life
toolfreesm.life
tortnicesk.live
totefree.fun
toylove.xyz
trapfreesk.live
tribestrmk.com
trifreesm.xyz
tripnicesm.life
trybestsm.live
ttsellvs.xyz
tuanbestsm.live
tunlovesk.xyz
twcsalesmk.xyz
uarelove.live
ublegoodvs.life
uisfreeet.xyz
ulikeear.life
unilove.live
unlikeitmk.life
usalover.life
usalovermk.live
usebestov.live
userfreeov.xyz
varnicevs.life
veniceogar.xyz
venicerset.life
veroloveov.live
vibefreeov.xyz
viofreear.xyz
vipsellsmk.live
vivanicemk.live
vpsaleov.xyz
vrsellervs.life
vsaleet.life
wanglikear.live
wangoodssm.life
wcfreeov.life
weloveroet.life
weloveusvs.live
wirefreeet.life
wjsalesov.life
wlanfreeet.life
woofreeet.xyz
wrlovesk.life
wylovear.life
xiesaleov.live
xrplovemk.life
xsuperet.xyz
ybestbuyar.xyz
yourfreesm.xyz
yugeloveet.life
zhisalesm.life
zjgoodsk.life
zqbestvs.live

# Reference: https://twitter.com/1ZRR4H/status/1763433453876335093

/c_payload.c
/c_payload_x64.c
/java_payload.java
/java_payload_x64.java
/python_payload.py
/python_payload_x64.py

# Reference: https://twitter.com/noexceptcpp/status/1765438678967410998
# Reference: https://app.any.run/tasks/ccb87bc3-8d0c-4909-ad0b-ce48abc36378/

/svchost_80_1.ps1
/svchost_80_2.ps1

# Reference: https://www.virustotal.com/gui/domain/cachline.com/relations

cachline.com

# Reference: https://twitter.com/sdcyberresearch/status/1757023351510364666

/js/f336fcf927bc87fba9a43a5c5e8cbc74.js
/f336fcf927bc87fba9a43a5c5e8cbc74.js

# Reference: https://twitter.com/banthisguy9349/status/1769755483768803650

/mimi.ps1

# Reference: https://twitter.com/banthisguy9349/status/1769653638459220391

/cve-2014-4014.c
/h00lyshit.c
/poc_v0.c

# Reference: https://urlscan.io/search/#filename:%22unam_lib.js%22

/unam_lib.js

# Reference: https://twitter.com/banthisguy9349/status/1770831512788705496

/winPEAS.ps1

# Reference: https://twitter.com/threatcat_ch/status/1772714315402912077

/trinity-injector-script.js

# Reference: https://twitter.com/KesaGataMe0/status/1775700950692605994

/?guhqvjbk

# Reference: https://www.virustotal.com/gui/ip-address/194.116.214.225/relations
# Reference: https://www.virustotal.com/gui/file/98f6ecc60e016311511ce920220598b33eb9671e7c71254e76d638d0f2a45883/detection

/kuskus.hta
/kuskus.ps1

# Reference: https://twitter.com/noexceptcpp/status/1778024688066638287

/0Z0EQyFSl1.php
/C0MGGGwszj.php
/FLNvwznqBG.php
/GYf484uMAb.php
/Hbrugz8LLO.php
/JL3Li0Iqxh.php
/bHKluvxJrs.php
/cEkRoGfySO.php
/fZsExq7lgF.php
/glkf7qXdGs.php
/jq6hd.php
/kzU3Zt6X5j.php
/u3jy8V3B1B.php

# Reference: https://twitter.com/RacWatchin8872/status/1778393784809595092

/shell_reverse_tcp.bin
/shell_reverse_tcp.hta
/shell_reverse_tcp.ps1
/shell_reverse_tcp.py
/shell_reverse_tcp.sh

# Reference: https://twitter.com/doc_guard/status/1781325713951314119
# Reference: https://www.virustotal.com/gui/file/b8288968633bcfa46dc1cf1ab6c5b248e6be020184991e82ba8db56676b2e0cf/detection

/basterlord.hta

# Reference: https://twitter.com/malwrhunterteam/status/1782277290363174988

/Cqlqb.hta

# Reference: https://twitter.com/banthisguy9349/status/1782402749805527142

/exploitw.py

# Reference: https://twitter.com/banthisguy9349/status/1782401923133354148

/backgroud_attack.php

# Reference: https://twitter.com/doc_guard/status/1782401510350954620
# Reference: https://app.docguard.io/ed4149d5ac4b15e22b9f240e75638ea3c4da01a021d30ed2d062919159c6a7c9/results/dashboard

/nonendowmentaGen.ps1
/scragglingiJsW.ps1

# Reference: https://twitter.com/doc_guard/status/1784961099219018073
# Reference: https://app.docguard.io/9afa5a1e1448e7469fe0a625ff715e1bff8f7c407d45644445a35b6885d79271/463e66dc-bb30-4273-a94b-b42b6d6729f4/0/results/dashboard

/ifsdjshtx/zxxhttezsnt0pl.php
/zxxhttezsnt0pl.php

# Reference: https://twitter.com/Slvlombardo/status/1785232547623927932

/uutyrtrreer/tttggg.php
/tttggg.php

# Reference: https://twitter.com/JustWantToQ1/status/1787075115823337564

/Anonmy.cmd
/Anonmy.hta
/Anonmy.ps1

# Reference: https://twitter.com/Slvlombardo/status/1787524670956146891

/unZIPpeRn.php

# Reference: https://twitter.com/ShanHolo/status/1787551650493747688

/Shhhloader.py

# Reference: https://www.virustotal.com/gui/file/32c83602b4f08e77ad0d0461f7eb6f800dfae256ec02371d73325d1d551c76f3/detection

/api6231223321213.js

# Reference: https://x.com/banthisguy9349/status/1791853395352977877

/INDIExploit

# Reference: https://x.com/suyog41/status/1793935723961143625
# Reference: https://www.virustotal.com/gui/file/d2809e3e60e5d9671be8644750ad1b385aaa6b4ff01fef8fc594d81c69275a33/detection
# Reference: https://www.virustotal.com/gui/file/7b1b332c653d62effffffd27a8da5bf78c0a5e5c1fb04191e0943333671c46c3/detection

/doomsday.ps1

# Reference: https://x.com/lontze7/status/1796823844335890633

/20231027094801.php

# Reference: https://x.com/malwrhunterteam/status/1797633812945682533

/hfyr7wsb3wazm.html

# Reference: https://x.com/malwrhunterteam/status/1798270656410526004

/bdch8mwsja5azq.html

# Reference: https://x.com/Slvlombardo/status/1800749773135475052

/hhhmeuuw/rtalvl.php

# Reference: https://blog.sucuri.net/2024/06/socgholish-malware.html

/9659650c81ce1b984c58.js

# Reference: https://x.com/doc_guard/status/1804498032685170835
# Reference: https://www.virustotal.com/gui/file/07d66d5f867572bfbed2128def7e1aa43792de09f3d709c77241f0950295f579/detection

/cjuhwvko.php
/dwcetsuu.php
/orvx-avjyyr.php
/pfiigphc.php
/vlspgbsfjo.php

# Reference: https://x.com/malwareforme/status/1809257799387361422
# Reference: https://www.virustotal.com/gui/file/45d3063b41fc1d6c8387600e49b6da5c8ec9909ef3636d539ca2a10aec7f3c59/detection

/CertRead.hta

# Reference: https://www.virustotal.com/gui/file/8decdfe5e000475d09f077a3d5b06843f1138e307141e0d0433526ae7037731d/detection

/0day.asp
/0day.aspx
/0day.bat
/0day.hta
/0day.ps1
/0day.py
/0day.vbs
/0day.wsf
/0day.xsl

# Reference: https://x.com/malwrhunterteam/status/1810305014088282568
# Reference: https://www.virustotal.com/gui/file/23355e6bb3fb1b0e389e7ec95bacf5f205cfb4e1be6f427aabd9fcba0f603a59/detection
# Reference: https://www.virustotal.com/gui/file/47b12bc3756bf1c2339578eef98a12eb68f142f601ebee25eacca7d6ef6dc349/detection
# Reference: https://www.virustotal.com/gui/file/ffac703f236c11563dec94b9d9dcc0f1bb37a814f98400e62512a2df5e596ec6/detection
# Reference: https://www.virustotal.com/gui/file/fbc8bed8f5a9b1c73a165119d5f1735f5f06562b787f50f343b04e1bc8f0b2d4/detection
# Reference: https://www.virustotal.com/gui/file/e314b233b41a5688a4e43f876ccb10718351d3f396b4df623b4ebb0a093be7e0/detection
# Reference: https://www.virustotal.com/gui/file/d938cb8accbc51046158350155f1af9248fc8459ef2b92be752b93dae77504a6/detection

/hooks/och?id=
/hooks/xxx?id=

# Reference: https://www.virustotal.com/gui/file/0ca46fb10da403fd20317cbd55434388275c7e9abba697ca4c9916f241ff53f6/detection

/powershell_attack.asp
/powershell_attack.aspx
/powershell_attack.bat
/powershell_attack.hta
/powershell_attack.ps1
/powershell_attack.py
/powershell_attack.txt
/powershell_attack.vbs
/powershell_attack.wsf
/powershell_attack.xsl

# Reference: https://x.com/ShanHolo/status/1813149888001011754

/d3l.ps1

# Reference: https://x.com/karol_paciorek/status/1813856475670024690

/evil.dtd

# Reference: https://x.com/1ZRR4H/status/1814413341328322966

/20240416.hta

# Reference: https://x.com/banthisguy9349/status/1814925887906664718

/arc1b7jcFClaP
/arcUObduhEO
/arcUObduhRu
/systray.ps1

# Reference: https://x.com/RacWatchin8872/status/1815338996005777590

/UIDEIEEN.hta

# Reference: https://cert.gov.ua/article/6280129

/RemoteAssistanceSvc.hta

# Reference: https://www.virustotal.com/gui/ip-address/1.15.44.211/relations

/m3wtw0.xml

# Reference: https://x.com/500mk500/status/1819325319565758518

/xss.hta
/xss.js
/xss.xspf

# Reference: https://x.com/Huntio/status/1820797152085582112
# Reference: https://moonlock.com/loom-macos-stealer

/yvfiubhferwewf/process_l00m.php
/yvfiubhferwewf/

# Reference: https://x.com/9823f_/status/1820807344638279761
# Reference: https://urlscan.io/search/#filename%3A%22php_en-e372bb40.js%22

/php_en-e372bb40.js

# Reference: https://x.com/lontze7/status/1821042477022822834

/262f6e0.php
/2f20376.php
/5edec54.php

# Reference: https://x.com/JAMESWT_MHT/status/1821171522074984552

/97075184016hjaksjxjzwc
/jU8OTI-qnvhjeIB0-W7q7EvR4-dacb47a/index.html
/jU8OTI-qnvhjeIB0-W7q7EvR4-dacb47a/

# Reference: https://www.joesandbox.com/analysis/1393952#iocs
# Reference: https://tria.ge/240617-vg68tazhkm/behavioral2

/gAySB.php
/gAySB.php?cnv_id=

# Reference: https://x.com/malwrhunterteam/status/1828028438407479788
# Reference: https://www.virustotal.com/gui/file/0077647aa98f096591f70bbd3f1a0364b56c5e39f68ed85509b28a31b2d4f869/detection

/0day.asp
/0day.aspx
/0day.bat
/0day.hta
/0day.js
/0day.ps1
/0day.py
/0day.txt
/0day.vbs
/0day.wsf
/0day.xsl

# Reference: https://x.com/banthisguy9349/status/1828499255184552253

/Payload.kt
/ViewInjectionsad.kt

# Reference: https://www.virustotal.com/gui/file/faf05cc7a617e771f061ed131429ccacfe9039634cbd0259c455c3e8baa6a129/detection

gatetodisplaycontent.com
/3d336374d870f17c9375aee0e6779e7b/invoke.js

# Reference: https://x.com/0Dayhta/status/1828461255784378562

/cd_v2_x64.xsl
/cd_v2_x86.xsl
/cd_v4_x64.xsl
/cd_v4_x86.xsl

# Reference: https://www.virustotal.com/gui/file/828616945d46a2c161c17d88f0f8dd0b890107ec200551ad9b9836d71833fb6a/detection

/downloadfaxfile28071991.php

# Reference: https://x.com/StrikeReadyLabs/status/1830774821795274784

/Filex1.hta
/Filexxx.hta
/Filexxx2.hta
/KKKKKKK1.hta
/x1.hta
/xxx.hta
/xxx2.hta

# Reference: https://www.virustotal.com/gui/file/8d31ed88202e42a456cef92be1da6e91ee89f763b12e9cddca525453a8d86d6c/detection

/elonkat/jyujuytyt.php
/jyujuytyt.php

# Reference: https://x.com/kddx0178318/status/1834200990565773334
# Reference: https://www.virustotal.com/gui/file/48e74d11c58e4942e394f3f16ffe7446c73884b0a5df0fc89c7f2b94a43f4152/detection

/30f5d97a11d32e80.php

# Reference: https://x.com/RacWatchin8872/status/1836777407996448978

/reverse-shell.ps1

# Reference: https://x.com/banthisguy9349/status/1838597449910251943
# Reference: https://www.joesandbox.com/analysis/1477772/0/html

/internet_put222.php?id=
/k_get.php?bot=
/k_get_new.php?bot=
/k_put_new.php?id=
/o_get.php?uid=

# Reference: https://x.com/Gi7w0rm/status/1838827132174115212

/PhishMailer.py

# Reference: https://x.com/banthisguy9349/status/1839937406969020433

/ips_dk0.ps1
/ips_reverse_https_dk0.ps1

# Reference: https://x.com/banthisguy9349/status/1839929495718932634

/141174.php
/80gm76k.php
/adxkylg.php
/qgadvr0.php
/xbhde.php
/yrw2qif.php

# Reference: https://www.virustotal.com/gui/file/d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254/detection

/netbooknewthingsforupdnow.hta

# Reference: https://www.virustotal.com/gui/file/5f7ede06fa8da808f891e29fcfc533fcab3f7e9bc02ad68d0e5b24fe006fcbe5/detection

/IEnetbookupdation.hta

# Reference: https://x.com/banthisguy9349/status/1842246259765088421

/data/1x_stc.js
/1x_stc.js

# Reference: https://sansec.io/research/cosmicsting

/?exploited=

# Reference: https://x.com/banthisguy9349/status/1842944347417014304

/nmap-payloads
/payload.xml
/payload1.txt
/payload2.txt
/payload3.txt
/payload4.txt
/payload5.txt
/payload6.txt
/payload7.txt
/payload8.txt
/payload9.txt
/payload_arc.hta
/payload_arm.hta
/payload_arm4.hta
/payload_arm4l.hta
/payload_arm4t.hta
/payload_arm4tl.hta
/payload_arm4tll.hta
/payload_arm5.hta
/payload_arm5l.hta
/payload_arm5n.hta
/payload_arm6.hta
/payload_arm64.hta
/payload_arm6l.hta
/payload_arm7.hta
/payload_arm7l.hta
/payload_arm8.hta
/payload_armv4.hta
/payload_armv4l.hta
/payload_armv5l.hta
/payload_armv6.hta
/payload_armv61.hta
/payload_armv6l.hta
/payload_armv7l.hta
/payload_dbg.hta
/payload_exploit.hta
/payload_i4.hta
/payload_i486.hta
/payload_i586.hta
/payload_i6.hta
/payload_i686.hta
/payload_kill.hta
/payload_m68.hta
/payload_m68k.hta
/payload_mips.hta
/payload_mips64.hta
/payload_mipseb.hta
/payload_mipsel.hta
/payload_mpsl.hta
/payload_pcc.hta
/payload_powerpc.hta
/payload_powerpc-440fp.hta
/payload_powerppc.hta
/payload_ppc.hta
/payload_ppc2.hta
/payload_ppc440.hta
/payload_ppc440fp.hta
/payload_root.hta
/payload_root32.hta
/payload_sh.hta
/payload_sh4.hta
/payload_sparc.hta
/payload_spc.hta
/payload_ssh4.hta
/payload_x32.hta
/payload_x64.hta
/payload_x86.hta
/payload_x86_32.hta
/payload_x86_64.hta
/payload_arc.ps1
/payload_arm.ps1
/payload_arm4.ps1
/payload_arm4l.ps1
/payload_arm4t.ps1
/payload_arm4tl.ps1
/payload_arm4tll.ps1
/payload_arm5.ps1
/payload_arm5l.ps1
/payload_arm5n.ps1
/payload_arm6.ps1
/payload_arm64.ps1
/payload_arm6l.ps1
/payload_arm7.ps1
/payload_arm7l.ps1
/payload_arm8.ps1
/payload_armv4.ps1
/payload_armv4l.ps1
/payload_armv5l.ps1
/payload_armv6.ps1
/payload_armv61.ps1
/payload_armv6l.ps1
/payload_armv7l.ps1
/payload_dbg.ps1
/payload_exploit.ps1
/payload_i4.ps1
/payload_i486.ps1
/payload_i586.ps1
/payload_i6.ps1
/payload_i686.ps1
/payload_kill.ps1
/payload_m68.ps1
/payload_m68k.ps1
/payload_mips.ps1
/payload_mips64.ps1
/payload_mipseb.ps1
/payload_mipsel.ps1
/payload_mpsl.ps1
/payload_pcc.ps1
/payload_powerpc.ps1
/payload_powerpc-440fp.ps1
/payload_powerppc.ps1
/payload_ppc.ps1
/payload_ppc2.ps1
/payload_ppc440.ps1
/payload_ppc440fp.ps1
/payload_root.ps1
/payload_root32.ps1
/payload_sh.ps1
/payload_sh4.ps1
/payload_sparc.ps1
/payload_spc.ps1
/payload_ssh4.ps1
/payload_x32.ps1
/payload_x64.ps1
/payload_x86.ps1
/payload_x86_32.ps1
/payload_x86_64.ps1
/yaml-payload11.jar
/yaml-payload111.jar
/yaml-payload12.jar
/yaml-payload2.jar
/yaml-payload3.jar
/yaml-payload4.jar
/yaml-payload5.jar
/yaml-payload6.jar
/yaml-payload99.jar
/yaml-payload.jar

# Reference: https://x.com/kddx0178318/status/1843659566955016274

/!NB12538z/i40vy0n.php
/!NB12538z/
/i40vy0n.php

# Reference: https://x.com/banthisguy9349/status/1847175329120460936

/btc_eng.hta
/btc_pt.hta

# Reference: https://urlscan.io/search/#page.url%3A%2Fhttps%3F%3A%5C%2F%5C%2F%5B0-9%5C.%5D%2B%5C%2F%5Ba-z0-9%5D%7B16%7D%5C.php%2F

/gadsz15mt25ybi5i.php
/getnationranking.php
/index91484101498.php
/indexholddesktop.php
/linewindowstrack.php
/moduloatualizado.php
/portallockunlock.php
/processmeterpost.php
/processorbigload.php
/processorprivate.php
/providerphptrack.php
/pythonsecuretemp.php
/salepopupklaviyo.php
/vikashmitralogin.php
/vmmultiwordpress.php
/wfgfgf232323900x.php

# Reference: https://x.com/banthisguy9349/status/1850632987844759664
# Reference: https://www.virustotal.com/gui/file/dd9fa916c5f14c66b2e83243808072d2b084828167f9f2029366c91023c49532/detection
# Reference: https://www.virustotal.com/gui/file/5a9a05d8b295d6c1ac506532cdbf631ad538a8e33e0d4bc9bc486851ff00cb10/detection

/sigthief.py

# Reference: https://x.com/StrikeReadyLabs/status/1852338012488634491

/InvestmentAdvisersAct2.hta

# Reference: https://x.com/1ZRR4H/status/1854029075720851965

/inerr.ps1

# Reference: https://x.com/banthisguy9349/status/1854575385964368184

/BsO7Pc4leIEmwdV.ps1

# Reference: https://x.com/raghav127001/status/1854686323950629206

/Invoke-Mimi.ps1
/Invoke-Portscan.ps1
/Invoke-PowerShellTcpOneLine.ps1
/Invoke-SessionHUnter.ps1
/amsibypass.txt

# Reference: https://x.com/alexocheema/status/1856295635143524378

/stage1payload

# Reference: https://x.com/banthisguy9349/status/1856305175285154036

/ransom.ps1

# Reference: https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims

/cookienetbookinetcahce.hta

# Reference: https://x.com/cyberfeeddigest/status/1858258809778507868

/emotewipe.ps1
/emotewipe2.ps1

# Reference: https://x.com/malwrhunterteam/status/1862624900592119903
# Reference: https://www.virustotal.com/gui/file/e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819/detection

/wp-includes/barasinghaby.ps1
/wp-includes/neocolonialXAW.php
/wp-includes/phyllopodan7V7GD.php
/barasinghaby.ps1
/neocolonialXAW.php
/phyllopodan7V7GD.php

# Reference: https://x.com/banthisguy9349/status/1864282025579987072

/1krecrypted.cmd

# Reference: https://x.com/Gi7w0rm/status/1864308600841068864

/Network4726Man.cmd

# Reference: https://x.com/solostalking/status/1864532060896924136

/azured_decrypt_msol_v2.ps1
/php_reverse_shell.php

# Reference: https://x.com/banthisguy9349/status/1866121920808419751

/!HELP_SOS.hta

# Reference: https://isc.sans.edu/diary/Exploit+attempts+for+unpatched+Citrix+vulnerability/31446

/script_xen80-mix.php

# Reference: https://x.com/x86rax/status/1871278843404894464
# Reference: https://x.com/ViriBack/status/1871287287860146425

/euqhdsvm.php
/gkkglqfm.php
/lheqfjem.php
/ljlgmtqf.php

# Reference: https://x.com/ValidinLLC/status/1873676244392571286
# Reference: https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains/

/res444.php

# Reference: https://x.com/JAMESWT_MHT/status/1874365729832870023
# Reference: https://www.virustotal.com/gui/file/e35d7ef701e2a95c6a9f13e379aeb8aac96dd99573e02d87daee3dd120322bce/detection
# Reference: https://www.virustotal.com/gui/file/5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9/detection

/trwsfg.ps1
/vfrcxq.ps1

# Reference: https://x.com/banthisguy9349/status/1875599493967835437

/beans_shel.xml
/beans_shel1.xml
/beans_shel2.xml
/beans_shel3.xml
/beans_shel4.xml
/beans_shell.xml

# Reference: https://x.com/Slvlombardo/status/1879619287440413112

/rtaownnow/rrrtttmmmw.php
/rtaownnow/
/rrrtttmmmw.php

# Reference: https://x.com/malwrhunterteam/status/1887071048455139621

/PWS.vbs
/pws1.vbs
/startupppp.bat

# Reference: https://x.com/solostalking/status/1889733513173172414

/dajkod.ps1

# Reference: https://x.com/JAMESWT_MHT/status/1890017207633293440

/T5Y2B6V32C/index05485643214.php
/index05485643214.php

# Reference: https://threatfox.abuse.ch/ioc/1403883/

/api/get/inj
/api/get/inject
/api/get/injector

# Reference: https://x.com/Merlax_/status/1893073216400248974

/cjFuHeYmH01c.html
/dZAohJEYH01J.html
/gIbojmsyvH01b.html
/latigFcmH01M.html
/myKOJmrYoNIuIH01J.html
/sQNFyCTHftJH01X.html

# Reference: https://x.com/malwrhunterteam/status/1893968102259396881

/sfsdfikcdfti9/tsync.bat
/sfsdfikcdfti9/

# Reference: https://x.com/csideai/status/1892594410149318692
# Reference: https://cside.dev/blog/over-35-000-websites-targeted-in-full-page-hijack-linking-to-a-chinese-language-gambling-scam
# Reference: https://app.validin.com/detail?find=db4adf52b330ca1061ff0ef44ef9cdf9&type=hash&ref_id=3d0262671fd#tab=host_pairs (# 2025-02-24)

/m_c_b28cd5c86f08a2b35c766fc4390924de.js
/go/kaiyun1/ky.html
/js/24/12/7/ky1.js
/js/25/1/8/ky1.js
/js/25/2/y/ky3.js

# Reference: https://x.com/malwrhunterteam/status/1898285268647444952
# Reference: https://www.virustotal.com/gui/file/d2469fa3615ca83da082ccc41da9ff7a4913257af5f977e78e3f27154559c45f/detection
# Reference: https://www.virustotal.com/gui/file/c59fb533002f7a7db4c4cde96d7debc5c9d96fd55881d333a12f6b7ea39683e5/detection
# Reference: https://www.virustotal.com/gui/file/ab2d99b8086c52141025dc1430d06337e754e0fa9a9989e7f24b7cfd0be52561/detection
# Reference: https://www.virustotal.com/gui/file/a10dc6149fa3610bd4a78e0db784e918e428c37b8d10dcce21523cdb6bfb9810/detection
# Reference: https://www.virustotal.com/gui/file/a09721158214a0fc57471a78fe1606bf095a683d2c6c124f01be10e64e568297/detection
# Reference: https://www.virustotal.com/gui/file/6e7ba7c9f76bbdc9a4babf68bb41d2375b19c5f01f456b381b8974ad07311bd1/detection
# Reference: https://www.virustotal.com/gui/file/2c4d09e941105fff3bdbde7cf6f72be55a881a14bc5e0a3efcd3efeee92e17af/detection
# Reference: https://www.virustotal.com/gui/file/1339a8867e8f04e12cc7543c548a33ac7b94dcba591e2da8b9ae2df24687c99e/detection

/getdatapass7bakpro.php
/getdatapass7baktest.php
/getdatapass7baktest88.php
/getdatapass7ok.php
/getdatapassmain.php
/getdatapassqiang.php

# Reference: https://x.com/JAMESWT_MHT/status/1899020613701742638

/50MJLUM311KPUPO3/index.php

# Reference: https://x.com/CreateFileInt_/status/1899088994090000727

/api/rastreamento.php?cpf=
/liberacao/rastreamento.php?cpf=
/v2/rastreamento.php?cpf=
/rastreamento.php?cpf=

# Reference: https://x.com/salmanvsf/status/1901517210260062360
# Reference: https://www.virustotal.com/gui/file/d4e60f44103331275740326b4e6016a5f9f84ee2cfb0c2149f9b90530b21e6ef/detection

/Win1234.js

# Reference: https://x.com/karol_paciorek/status/1902455994741092501

/kuipz5q2vg46.js

# Reference: https://x.com/skocherhan/status/1903173695922655248

/devil.ps1
/GUYBIN.ps1
/KENNNTTT.ps1
/kenttt.ps1
/MULK.ps1
/STEPH.ps1
/xenn.ps1
/YG.ps1

# Reference: https://x.com/ShanHolo/status/1902659366051835914

/bestexperienceigotfromtheworldfromthegood.hta

# Reference: https://x.com/ShanHolo/status/1902639209153769953
# Reference: https://www.virustotal.com/gui/file/483b97a047188b7140cf3075506576df8b3300ffa13049405be934d5084fddda/detection

/givenmebestthingsentiretimetogivemebestof.hta

# Reference: https://www.virustotal.com/gui/file/43c102f2db55c353e0e24fdc0e6c935093de02162e7b564f0881453058a0fdcc/detection

/mirrorgate1
/mirrorgate2
/mirrorgate3

# Reference: https://x.com/suyog41/status/1907417166665933268
# Reference: https://www.virustotal.com/gui/file/7cfa19cb17fe67179b413d9e746bc17d6ca35d6ee92dc686d723523227865069/detection

/xjemqlqirwqru9pkrh3j4ztmf/payments.js
/xjemqlqirwqru9pkrh3j4ztmf/

# Reference: https://x.com/ex_raritas/status/1910301184323170533

/bagg.ps1
/fav.ps1
/newfileee.ps1
/sirrdee.ps1
/uchi.ps1
/bag.ps1
/believe.ps1
/kenttttttttttttttttt.ps1
/kim22.ps1
/kimm.ps1
/newmuk.ps1

# Reference: https://x.com/malwrhunterteam/status/1911179378769248632
# Reference: https://www.virustotal.com/gui/file/e16f93ed57e54696766d975e374c2c8a1c92376ec71149381dc087027fb31775/detection

/api/get_bot_commands.php
/api/register_bot.php
/get_bot_commands.php
/register_bot.php

# Reference: https://x.com/JAMESWT_WT/status/1911848010692108367

/netsapp.ps1

# Reference: https://x.com/malwrhunterteam/status/1913154621456998719
# Reference: https://www.virustotal.com/gui/file/6a82e620fdcc5e11e5aa776bd70c120dfb83a921d89edcfe40ed899d227e2ff1/detection

/windowsDefenderAnalyst.ps1
/windowsDefenderAnalyst.vbs
/windowsOutside.ps1

# Reference: https://x.com/skocherhan/status/1913384431437451757
# Reference: https://app.validin.com/detail?find=AKEY%20PRIVATE%20-%20Admin%20Login&type=raw (# 2025-04-19)
# Reference: https://www.virustotal.com/gui/file/0b9a9159e8411d495218794fe8c1448ee9738ba1a0ac683aedceea280da7e0fd/detection

/api/ban_hwid.php
/api/ban_hwid.php?hwid=

# Reference: https://x.com/James_inthe_box/status/1912864102504153100

/bagnew.ps1
/bagsnake.ps1
/big7.ps1
/blacksheep.ps1
/devnew.ps1
/k22.ps1
/sir.ps1

# Reference: https://urlhaus.abuse.ch/host/176.65.144.23/ (# 2025-04-29)

/ddddd.ps1
/k.ps1
/king.ps1
/kingg.ps1
/kinngg.ps1
/kk.ps1
/kkk.ps1
/kkkk.ps1
/marcus.ps1
/marcusss.ps1
/marr.ps1
/sirdeeeeee.ps1
/sirrrrrdeeeee.ps1

# Reference: https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/

/wallet_injection

# Reference: https://x.com/malwrhunterteam/status/1925495994885509270
# Reference: https://www.virustotal.com/gui/file/ef4da18aaf928751600c50d7128777ac36c793a71c34d6ac393200c0c4271556/detection
# Reference: https://www.virustotal.com/gui/file/6a9e794381463c3eb947e4dcf075854f0a842f2eecfbfd3ed5358c4a8b4d0810/detection
# Reference: https://www.virustotal.com/gui/file/5854c6560fe3bf47cad820d55fa798385439821c8c87b5b0df83995df320ab5b/detection

/brahmachariN6lXL.php
/unspectacularvM84Z.php

# Reference: https://www.virustotal.com/gui/file/f99f15c3129acabd5a5a60d96ed70c9405efc054ba0b9ad8e434026d80e16b85/detection

/payload/callback.hta
/payload/callback.ps1
/payload/payload.hta
/payload/payload.ps1
/payload/runner.hta
/payload/runner.ps1

# Reference: https://x.com/banthisguy9349/status/1934267500541190271

/amsibypass.ps1
/c2.ps1

# Reference: https://x.com/MalwareUtkonos/status/1939124294547656775
# Reference: https://gist.github.com/utkonos/16210fb50ff0f587bca74383b1ee2c03 (# JSFiretruck)

asetar.info
kopela.info
kumisecream.com
slivwelll.com
vovantrafline.com
service.sxcservice.com
apiklo.weebly.com
booidentity.weebly.com
cclasgig.weebly.com
dadxo.weebly.com
dikiep.weebly.com
fotumix.weebly.com
fundsloki.weebly.com
generatorraf.weebly.com
grosinfinity.weebly.com
gulufoundation.weebly.com
incomeer.weebly.com
klolove.weebly.com
liocaribbean.weebly.com
lomipatient.weebly.com
lopamoving.weebly.com
netbooth.weebly.com
oseads.weebly.com
privacymain.weebly.com
queenhor.weebly.com
racingfoz.weebly.com
snomonster.weebly.com
tooneon.weebly.com
torodd.weebly.com
warehouseple.weebly.com
wescommunications.weebly.com
zenlio.weebly.com

# Reference: https://urlscan.io/search/#filename:%223c7b.js%22

/3c7b.js

# Reference: https://x.com/skocherhan/status/1942053746344632411

/RazerPartners.hta
/RazerPartnersPromo.hta

# Reference: https://x.com/skocherhan/status/1942045447515668972

/loader.ps1
/ploader.ps1
/x11s.hta
/x11s1.hta
/xS2cxsWavs.hta

# Reference: https://app.validin.com/detail?find=powershell%20-nop%20-c%20%22iex(New-Object%20Net.WebClient).DownloadString(%27https%3A%2F%2Fraw.githubusercontent.com%2Fkaywoz%2Fbluestuff%2Fmain%2Fpowershell%2FPayload-nonsense.ps1%27)%22&type=raw&ref_id=5c1a9b34db7 (# 2025-07-19)

/Payload-nonsense.ps1

# Reference: https://x.com/galkofahi/status/1947202313950474245

/test-obf.ps1

# Reference: https://x.com/smica83/status/1948657982016729224

/windowsupdateservice.ps1
/windowsupdateservice.vbs

# Reference: https://x.com/BlinkzSec/status/1950561656867582300
# Reference: https://x.com/JAMESWT_WT/status/1950594741705355436
# Reference: https://urlhaus.abuse.ch/url/3593127/

/js/GYnHx.js
/js/yO5EW.js
/GYnHx.js
/yO5EW.js

# Reference: https://x.com/BlinkzSec/status/1954200067339882732
# Reference: https://urlhaus.abuse.ch/host/162.248.53.119/

/c2-callback
/enable-rdp.ps1
/port-check.ps1
/rev-shell.ps1

# Reference: https://x.com/BlinkzSec/status/1954963598205391364
# Reference: https://urlhaus.abuse.ch/host/files.catbox.moe/ (# 2025-08-11)

/17wzez.ps1
/1nl3hc.ps1
/1y70f1.ps1
/2cy9wa.ps1
/2y6fw1.ps1
/3gor9i.ps1
/3yb2zi.ps1
/45qt92.ps1
/4tzo43.ps1
/79wgg6.ps1
/8yh3e3.ps1
/9gat3x.ps1
/9rj9f3.ps1
/b06gt5.ps1
/b1uf2z.ps1
/cia7id.ps1
/d9bi50.ps1
/ei5hyq.ps1
/et18ob.ps1
/fz2xmo.ps1
/g49vy4.ps1
/g8wt4y.ps1
/gd3nrr.ps1
/izoft0.ps1
/kj00kw.ps1
/kl0sz4.ps1
/km5328.ps1
/kx005t.ps1
/l11se7.ps1
/l18oc0.ps1
/lrdj3s.ps1
/m5ixin.ps1
/ne9m5w.ps1
/ntm9ag.ps1
/q8ynky.ps1
/qivmzx.ps1
/qjv06a.ps1
/qqlgou.ps1
/qrz18p.ps1
/r8qjpc.ps1
/sobl4d.ps1
/tt6634.ps1
/ugok5m.ps1
/v0y9uq.ps1
/vj11kv.ps1
/vqhzwh.ps1
/x5swnw.ps1
/x75eie.ps1
/yfz4t5.ps1
/yoomcy.ps1
/yr53yk.ps1

# Reference: https://securityaffairs.com/181203/cyber-crime/encrypthub-abuses-brave-support-in-new-campaign-exploiting-msc-eviltwin-flaw.html

/payload/build.hta
/payload/build.ps1
/payload/shell.hta
/payload/shell.ps1

# Reference: https://app.validin.com/detail?find=wesrdx345.js&type=dom&ref_id=5ce92182d9c#tab=host_pairs (# 2025-08-22)

/wesrdx345.js

# Reference: https://x.com/Merlax_/status/1960048599678493033

/3g2bzgrevl.hta

# Reference: https://www.virustotal.com/gui/file/337d8eaca7f3fbb8694dbb907568888e44e53ef83e25ffa2dd3ea676cf8cf0d3/detection

/3e2w.js

# Reference: https://x.com/smica83/status/1961156187396681852
# Reference: https://tria.ge/250828-xwr4jsynx9/behavioral1

/DpwObgL52/DpwObgL52mde2/HRaHaIW943.js
/DpwObgL52/DpwObgL52mde2/
/DpwObgL52/
/DpwObgL52mde2/HRaHaIW943.js
/DpwObgL52mde2/
/HRaHaIW943.js

# Reference: https://x.com/Slvlombardo/status/1958426095075623270

/aemmfcylvxeo.html

# Reference: https://x.com/ShadowOpCode/status/1962877818162843854

/generate?payload=

# Reference: https://www.malware-traffic-analysis.net/2025/09/03/index.html

/4r2w.js

# Reference: https://x.com/malwrhunterteam/status/1964034069894754812
# Reference: https://www.virustotal.com/gui/file/84f34f24a7f7852ac1c5e99ec3de6e215138d7b8a39514963dc6596945b105d8/detection

/ololo.aspx

# Reference: https://www.virustotal.com/gui/file/c3f451354de6fe675f1c756733208fc6739ebb3603449b68a1c41419d952944b/detection

/verygreatwaygtogivebestnoticingoptional.hta

# Reference: https://x.com/GenThreatLabs/status/1976295017527308757

/mc55tP.ps1

# Reference: https://x.com/smica83/status/1978771256762606024

/stage0.ps1

# Reference: https://x.com/smica83/status/1978880380187938929
# Reference: https://www.virustotal.com/gui/file/84f6f3a7c219b94c9689601a4b179880b12d661f38456f38f3b4e197566855f2/detection
# Reference: https://www.virustotal.com/gui/file/b67fb83392e59d2c62ba606c44cfaa9141d98bd7fed7028539b5ea70cc24ed87/detection
# Reference: https://www.virustotal.com/gui/file/cc5366e31fdaaad3fda3936f9ba67fce2e9c38f34c0607bea1a3855189edd4c0/detection

/crajja/mask.ps1
/crajja/weeder.ps1
/k2a1a/mask.ps1
/k2a1a/weeder.ps1

# Reference: https://x.com/smica83/status/1978017659720532478
# Reference: https://www.virustotal.com/gui/file/42f2626005f1e359d33861b55b62681f52274e02283279fcc3e54be3ee52ffa3/detection

/dcfx8eu84759rt48dfgdf8734jhj535h458dfg87834jrh3458fdg834tret3tbfdg8344385fd.hta

# Reference: https://www.virustotal.com/gui/file/45861cfb823fb2a2d59f697e13623934c635fc8bceb9af5f282343fd224dfab2/detection

/sc9ddc73jjhfjsh8cxs0d9xc23hjhj5j6jhj8bh876hfdf90gd900vb90brt90t0yr09asd03sfd0f0sd.hta
/sc9ddc73jjhfjsh8cxs0d9xc23hjhj5j6jhj8bh876hfdf90gd900vb90brt90t0yr09asd03sfd0f0sd.txt

# Reference: https://x.com/JAMESWT_WT/status/1978708045355000118

/hip9k0.ps1
/iy1e0o.ps1

# Generic

/5c0ca79.php
/js/altmanluggage.js
/js/aureliaskincare.js
/js/bluerooster.js
/js/bvibe.js
/js/caremax.js
/js/craftalley.js
/js/curediva.js
/js/deluxecomfort.js
/js/deroosbv.js
/js/dragonkayak.js
/js/gopestfree.js
/js/hello1010.js
/js/herbsnpuja.js
/js/horusrc.js
/js/indiamags.js
/js/justbuttons.js
/js/kitchenstuff.js
/js/labohemecafe.js
/js/lavignery.js
/js/mitoq.js
/js/mototorque.js
/js/notinshops.js
/js/probanners.js
/js/ramybrook.js
/js/rss_pt.js
/js/siamflorist.js
/js/simplygems.js
/js/singerstore.js
/js/sparxxrx.js
/js/storageshedsoutlet.js
/js/themotley.js
/js/thesingularbathroom.js
/js/totaram.js
/js/tradeplumbing.js
/js/ussi.js
/js/vladofootwear.js
/js/wallerbmx.js
/o/g-analytic.js
/rat/rat.php
/myrrem.hta
/out-1334992907.hta
/out-1347051899.hta
/out-849945592.hta
/7328-dating-verification-card.php
/canadiane-compte.php
/captainsmok3r.php
/ccgate.php
/CodigoInject.asp
/CodigoInject.aspx
/CodigoInject.hta
/CodigoInject.php
/CodigoInject.ps1
/CodigoInject.py
/CodigoInject.pyc
/CodigoInject.txt
/DllQueVaiNoClient.txt
/DllQueVaiNoClient.php
/DllQueVaiNoClient.ps1
/DllQueVaiNoClient.hta
/DllQueVaiNoClient.asp
/DllQueVaiNoClient.aspx
/DllQueVaiNoClient.py
/DllQueVaiNoClient.pyc
/dating-verification-card.php
/encrypted_shellcode.txt
/evreigate.php
/exploit.py
/fcc-authenticazione.php
/g-analytic.js
/gate_tor.php
/gate.php
/gate01.php
/gate1.php
/gate16.php
/gate2.php
/gate.get
/gateg.php
/gatenest.php
/gating.php
/gatw.php
/gate.phpgate.php
/ggate.php
/gggate.php
/gAy5B.php
/Invoke-Phant0m.ps1
/jqwery.js
/online-dating-verification-card.php
/postgreexploit.py
/ravufgate.php
/screenshot_gate.php
/shell.hta
/shell2.php
/shellcode_test.txt
/tgate.php
/testgate.php
/verification-card.php
/1drvme/
/payload/openAttach/
/payload/openAttache/
/payload/openAttachment/
/payload/remote/
/modified_ploader.cpp
/ploader.cpp
