Concrete signature match: Trojan Spy - Monitors and reports user activity for 32-bit Windows platform, family Banker
Relevant strings associated with this threat: