# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/#/ip-address/85.17.26.65 (#URL section)

/boxMrenewal.php
/challengevdl.php
/dd.php
/girisi.php
/rerewp.php
/overviewshn.php
/signOnV2Screen.php
/Up-dating.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1045564495723188225

/1/gate.php
/1/screenshot_gate.php

# Reference: https://twitter.com/malwrhunterteam/status/1045622528541151232

/hows_yourfever.php
/introductio_n.php
/psycho.php
/review_me.php
/rootme.php

# Reference: https://www.virustotal.com/#/domain/manapowermta.us

/loomistech/gate.php

# Reference: https://twitter.com/nullcookies/status/1019569151503986689

/bc0de.php

# Reference: https://twitter.com/devnullek/status/1020015255144017920

/order588.php

# Reference: https://twitter.com/YouMayBeHacked/status/1040368782408069120

/Kostenaufstellung.169156596183882049609578.php

# Reference: https://twitter.com/James_inthe_box/status/1048277465397751808

/onlinegoogle.php

# Reference: https://twitter.com/YouMayBeHacked/status/1048341985319444481

/Abrechnung-76-31210998378353168993665795447.php

# Reference: https://twitter.com/DissectMalware/status/1048329071061606400

/90AS98DF.php

# Reference: https://www.hybrid-analysis.com/sample/f65ba1cc50b29dd05ddaa83242f4b7bd0429841bfc4befa9e203cb6621d2389b?environmentId=100

/loader_mn.php

# Reference: https://twitter.com/James_inthe_box/status/1053668299165229056

/loader_ma.php

# Reference: https://twitter.com/nullcookies/status/1054496925469343744

/anzhuo.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/IpNigh/status/1107567316148150274

/universalmail-notifications/updates.php

# Reference: https://twitter.com/Racco42/status/1102488453990830080

/masquare.php

# Reference: https://twitter.com/Racco42/status/1098218160111734789

nitdesenders.tianat.cat/tmp/signup.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1103983033307271168

/photo/123.php
/Sep2018/gsm.php

# Reference: https://twitter.com/benkow_/status/1085483319347867649

/public/hydra.php

# Reference: https://twitter.com/anyrun_app/status/1060858198599577601

/ghuae/huadh.php

# Reference: https://twitter.com/pollo290987/status/1108755025604591622

/loro_4.php

# Reference: https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

statconuter.com/c.php

# Reference: https://twitter.com/James_inthe_box/status/1109832439700971520
# Reference: https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e

/loadbase1.php

# Reference: https://twitter.com/malwrhunterteam/status/1111630255763189761

/D2017HL/u.php

# Reference: https://twitter.com/IpNigh/status/1111919996266049536

/ahzhnobu48jgm1rksb2zl3sc.php

# Reference: https://twitter.com/IpNigh/status/1111904352053198848

/challengevdl.php

# Reference: https://twitter.com/IpNigh/status/1111872373446377472

/overviewshn.php

# Reference: https://twitter.com/executemalware/status/1112337168138149888

/phpmailer/Pmxyz.php

# Reference: https://twitter.com/albertzsigovits/status/1113096573284728839

/asfdh4/auth.php

# Reference: https://twitter.com/IpNigh/status/1113287915612798976

/49rrf856hqofcuq6mkdntfdp.php

# Reference: https://otx.alienvault.com/pulse/5ca5e12bcf299875864044a6
# Reference: https://www.securityartwork.es/2019/04/02/militaryfinancingmaldoc/
# Reference: https://blog.trendmicro.co.jp/archives/19054

/7773/index.php
/9125/gate.php

# Reference: https://www.bromium.com/mapping-malware-distribution-network/
# Reference: https://otx.alienvault.com/pulse/5ca7142dd898276082584a58

/olala/get.php

# Reference: https://twitter.com/IpNigh/status/1114334454930190336

/hcu9e676hqzffjez47ec6ggd.php

# Reference: https://twitter.com/ViriBack/status/1114610878056402945

/class-walker-page-up.php

# Reference: http://marketplace.1c-bitrix.ru/blog/remove-virus-miner-from-the-site-to-1cbitrix/ (in Russian)
# Generic (host-independent) paths for detecting compromised Bitrix CMS installations

/bitrix/tools/check_files.php
/bitrix/gadgets/bitrix/weather/lang/ru/exec/include.php

# Reference: https://twitter.com/VK_Intel/status/1080919080616439808

/spr_updates.php

# Reference: https://twitter.com/packet_Wire/status/1118528816509591552

/rz7g271ct2iv65rmhwwq42bu.php

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1122804929452814337

/2abjk95b4kwbdpnfdn7uewhr.php

# Reference: https://twitter.com/pancak3lullz/status/1123233975252787200

/ya63omxqknnm4ar8vb8evwje.php

# Reference: https://twitter.com/GelosSnake/status/1123540164268183552

/mnbv/handler.php

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834

/rwrw66/1111z.php
/rwrw66/2222z.php

# Reference: https://twitter.com/JCyberSec_/status/1124290346668777505

/g4f9sokfo2ecegn2twq4u3t7.php

# Reference: https://app.any.run/tasks/3068b154-d6f2-4483-ae72-60fbd5f3467f

/cmd.php?hwid=

# Reference: https://twitter.com/JAMESWT_MHT/status/1126020627075403776

/pabury473675.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1126109441651245057

/v2i.php?need=

# Reference: https://twitter.com/malwrhunterteam/status/1126821015567384582

authconfig.imrris.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126830402834968576

authconfig.motonsoft.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126834434504822789

oneonlinetrue.com/cgi-bin/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126835745640067074

razire.com/root/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126837652571992065

ptlonghigroup.us/01001/pain.php
ptlonghigroup.us/01001/pain2.php
/01001/pain.php
/01001/pain2.php

# Reference: https://twitter.com/malwrhunterteam/status/1126844312053067776

/spemmg.php

# Reference: https://twitter.com/malwrhunterteam/status/1126848369190686721

oneonlinetrue.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126850750708109315

creacionesdelsac.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126855753791356928

poa-oreo.co.uk/racks/space/p.php

# Reference: https://twitter.com/malware_traffic/status/810966197881671680
# Reference: http://malware-traffic-analysis.net/2016/12/19/index.html

/drb31.php
/d8/ul.php

# Reference: https://twitter.com/malwrhunterteam/status/1127945201841049600

namecakes.com/epl/ajax.php

# Reference: https://twitter.com/WifiRumHam/status/1127971696126783488

westflies.com/api/api.php

# Reference: https://twitter.com/JayTHL/status/1128173436889653248

/send/ab-apr29-1.php
/send/ab-apr29-2.php
/send/cj-apr27-1.php
/send/cj-apr29-1.php
/send/cj-apr29-2.php
/send/cj-may4-1.php
/send/m24m24-1.php
/send/m24m24-2.php
/send/m24m24-3.php
/send/m24m24-4.php
/send/f13m13-1.php
/send/f13m13-2.php
/send/f13m13-3.php
/send/f13m13-4.php
/send/f13m13-5.php
/send/a10j10-1.php
/send/m10a10-1.php
/send/azu.php
/send/was.php

# Reference: https://twitter.com/JayTHL/status/1129865519417499651
# Reference: https://pastebin.com/raw/mU7abvT9

/attiinnddeexx.php

# Reference: https://twitter.com/JayTHL/status/1131329627954319361
# Reference: https://pastebin.com/raw/g8bhsb4G

/6i5aiewuz0xprm8htmrrhhz9.php

# Reference: https://twitter.com/IpNigh/status/1131425432543408129

/index91484101498.php

# Reference: https://twitter.com/VirITeXplorer/status/1131816142199250944

/pagiy75.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135453581144969216

/v21in603.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135815803880820742

/pagighg66.php

# Reference: https://twitter.com/IpNigh/status/1136167409751138304

/plwnkfd8gcn5x317by4goj7c.php

# Reference: https://twitter.com/IpNigh/status/1136480809861419010

/vq5sinmcamguedpoak8epeh3.php

# Reference: https://twitter.com/packet_Wire/status/1137019106559967232

/hhhhh.php

# Reference: https://twitter.com/IpNigh/status/1138206277992161281

/o365ms.php

# Reference: https://twitter.com/cyberanalyzer/status/1140571010518978560

/main.jspsid.php

# Reference: https://twitter.com/IpNigh/status/1141059894021361666

/chaseind.php

# Reference: https://twitter.com/IpNigh/status/1142886176975675395

/l9ymhf8w6w11sjeay07wrkng.php

# Reference: https://twitter.com/ffforward/status/1143100705303158784

/klla.php

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.php

# Reference: https://twitter.com/killamjr/status/1113876111543492608

/newauto2.php

# Reference: https://twitter.com/IpNigh/status/1143687948619124737

/index91484101498.php

# Reference: https://twitter.com/ViriBack/status/1145135557548367872

/index234index.php

# Reference: https://twitter.com/smica83/status/1146648528846041089

/7gvbp7pbrrdp2j8o5y4iqfva.php

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

/AffdrDrr.php
/lickmyass.php

# Reference: https://twitter.com/IpNigh/status/1147295303931977733

/ubwa0opty4jnoerxyj8dtjra.php

# Reference: https://twitter.com/ps66uk/status/1148183374818873344

/publickprivate.php
/74_8_839.php
/fontandcolor.php
