dec_string_list.txt
C:\INTERNAL\__empty
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT
.cfg
objFile.Copy("%s")
Next
.cfg
.dll
rundll32.exe
.dll
.exe
ROOT\CIMV2
Win32_ComputerSystem
Win32_Bios
Win32_DiskDrive
Win32_PhysicalMemory
Win32_Product
Win32_PnPEntity
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
ntdll.dll
TWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SystemRoot
NTUSER.DAT
%S.%06d
ALLUSERSPROFILE
rundll32.exe
Updt
c:\\
vbs
open
cscript.exe
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next
WQL
ROOT\CIMV2
SELECT * FROM Win32_OperatingSystem
Caption
root\SecurityCenter2
SELECT * FROM AntiVirusProduct
displayName
ROOT\CIMV2
SELECT * FROM Win32_Processor
Name
select
from
WQL
TRUE
FALSE
type=
Winsta0
S:(ML;;NW;;;LW)
kernelbase.dll
SysWOW64
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
%s\system32\
c:\hiberfil.sysss
.dll
Packages
LocalLow
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.dll
SELF_TEST_1
runas
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProfileImagePath
c:\ProgramData
Microsoft
Microsoft
powershell.exe -encodedCommand
net view
cmd /c set
arp -a
ipconfig /all
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
nltest /domain_trusts /all_trusts
net share
route print
netstat -nao
net localgroup
qwinsta
whoami /all
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
schtasks.exe /Delete /F /TN %u
amstream.dll
c:\\
wmic process call create 'expand "%S" "%S"'
https
xagtnotif.exe;AppUIMonitor.exe
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Software\Microsoft
aabcdeefghiijklmnoopqrstuuvwxyyz
aabcdeefghiijklmnoopqrstuuvwxyyz
aabcdeefghiijklmnoopqrstuuvwxyyz
abcdefghijklmnopqrstuvwxyz
1234567890
\\.\pipe\
frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe
wpcap.dll
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
application/x-shockwave-flash
image/gif
image/jpeg
image/pjpeg
*/*
Content-Type: application/x-www-form-urlencoded
https
%u.%u.%u.%u.%u.%u.%04x
Self check
ERROR: GetModuleFileNameW() failed with error: %u
Self check ok!
Component_07
bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
/t5
Component_08
bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
%u;%u;%u;
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
0x8cd: %SystemRoot%\SysWOW64\wermgr.exe
0x8f9: %SystemRoot%\SysWOW64\AtBroker.exe
0x1034: %SystemRoot%\SysWOW64\msra.exe
0x214: %SystemRoot%\System32\wermgr.exe
0x670: %SystemRoot%\System32\AtBroker.exe
0x310: %SystemRoot%\System32\msra.exe
0x734: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
0xd9c: %ProgramFiles%\Internet Explorer\iexplore.exe
0x51f: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
0x7f9: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
0x1080: MsMpEng.exe
0xe9c: mcshield.exe
0x2ef: avp.exe;kavtray.exe
0x108c: egui.exe;ekrn.exe
0xdca: bdagent.exe;vsserv.exe;vsservppl.exe
0x152: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
0x6f5: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
0x128a: SophosUI.exe;SAVAdminService.exe;SavService.exe
0xd3c: fshoster32.exe
0x144: WRSA.exe
0x7a7: vkise.exe;isesrv.exe;cmdagent.exe
0xea9: ByteFence.exe
0x7c9: MBAMService.exe;mbamgui.exe
0x616: fmon.exe
0x131b: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
0x498: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
0x1b2: SonicWallClientProtectionService.exe
0x29a: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
0x9be: CSFalconService.exe;CSFalconContainer.exe
0x125c: RepUx.exe
0xe04: CrAmTray.exe
0x50a: csc_ui.exe
0xe36: xagtnotif.exe;AppUIMonitor.exe
0x400: .Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("%s")