# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.alyac.co.kr/2347

/ChromSrch.egg
/GoogleRsv.egg
/HncCheck.egg
/IEService.egg

# Reference: https://app.any.run/tasks/26522454-b349-42db-9cbe-230b37a3c836/

/exploit.swf

# Reference: https://twitter.com/angel11VR/status/1115343202167533568
# Reference: https://pastebin.com/0bX17LaY

/out-761452637.hta

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403

/moonx.hta
/first.hta

# Reference: https://twitter.com/neonprimetime/status/1116740246790602753

/wormhta.hta

# Reference: https://twitter.com/InQuest/status/1116772541312401408

/ec470000/file.hta

# Reference: https://twitter.com/JAMESWT_MHT/status/1118088254224515072

/out-1618282703.hta

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://blog.alyac.co.kr/2299 (Korean)
# Reference: https://blog.alyac.co.kr/2243 (Korean)

/Ahfzo0.hta
/Ersrr0.hta
/first.hta
/fmaov0.hta
/fwvuj0.hta
/Htqgf0.hta
/Msgxo.hta
/Msgxo0.hta
/Mylqn0.hta
/Pkjjy.hta
/Qfnaq.hta
/Qfnaq0.hta
/Qzqrn0.hta
/second.hta
/szgfj0.hta
/Vkggy0.hta
/xtgnb0.hta
/Yluhi0.hta

# Reference: https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attacks.html

/we.hta

# Reference: https://twitter.com/pancak3lullz/status/1113084930475638784

/9Y4wOJot.hta

# Reference: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

/Vkggy0.hta
/Usoro.hta

# Reference: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

/Mzfmj.hta

# Reference: https://otx.alienvault.com/pulse/5cc85460920fb55c466d6e8d

/Second.hta
/temp.hta

# Reference: https://twitter.com/DissectMalware/status/1126384963497205762

/ihenketata2019.hta
/out-802561251.hta
/out-2069830595.hta
/out-427331541.hta
/out-270833413.hta
/out-746027731.hta
/out-890192022.hta
/out-1389213074.hta
/out-325515559.hta
/out-413662816.hta
/out-961903221.hta
/out-1719427273.hta
/out-167611131.hta
/out-642154941.hta
/out-1033585073.hta
/out-1181438660.hta
/out-43874915.hta
/out-288511419.hta
/out-1053850352.hta
/out-1841585389.hta
/task2.hta
/tk.hta

# Reference: https://twitter.com/James_inthe_box/status/1129452679250321408

/out-1081291084.hta

# Reference: https://twitter.com/HONKONE_K/status/1133205335877885952

/h.hta

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/
# Reference: https://otx.alienvault.com/pulse/5cf53cdb5089737750fab25d

/Black.hta

# Reference: https://twitter.com/James_inthe_box/status/1136631137571237888

/2VXzzTcNjTvas8r9.hta

# Reference: https://twitter.com/ViriBack/status/1136712921461997570

/sample.hta

# Reference: https://www.malware-traffic-analysis.net/2017/12/22/index.html

/beta.hta

# Reference: https://twitter.com/James_inthe_box/status/1139536021572317185

/out-1445440753.hta

# Reference: https://www.virustotal.com/gui/file/d5f18e907465fd5bd659df74e51377052337fc515f17f1e915551f3cc05823dc/community
# Reference: https://app.any.run/tasks/44ceb7c7-518e-4bb1-8a00-de2d887b32c3/

/iyk1.hta

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.hta

# Reference: https://twitter.com/dineshdina04/status/1008621004896198657
# Reference: https://app.any.run/tasks/a8c1f660-71ae-4ab1-a217-11256fd6a158/

/wm.hta

# Reference: https://twitter.com/ViriBack/status/970443789234929664

/bb.hta

# Reference: https://twitter.com/teamcymru/status/920135790600114176

/bqowsj.hta
/fsfsyt.hta
/kekcgt.hta
/nrjhyr.hta
/oonhci.hta
/otvpoi.hta
/phtjae.hta

# Reference: https://twitter.com/FewAtoms/status/1146804894785056768

/out-182876786.hta

# Reference: https://twitter.com/James_inthe_box/status/1146896227000209408

/BitMaster.hta

# Reference: https://twitter.com/Timele9527/status/1147750939576586244

/am_cy_167.hta
/comm.hta
/emp.hta

# Reference: https://twitter.com/YouMayBeHacked/status/1148625116101844992

/bi.hta

# Reference: https://twitter.com/James_inthe_box/status/1149026394472472576

/kkknng.hta

# Reference: https://twitter.com/James_inthe_box/status/1149412096418840576

/hit.hta

# Reference: https://twitter.com/KorbenD_Intel/status/1146463851526938625

/9000.hta

# Reference: https://twitter.com/RedDrip7/status/1118009381679878144
# Reference: https://www.virustotal.com/gui/file/b101035ae8b25263cf7101fbc63df71682cf0963d59b28e28da6e83b35003452/detection
# Reference: https://ti.360.net/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf (Chinese)

/zxcvb.hta

# Reference: https://twitter.com/_CPResearch_/status/1102943725750239237

/RawabiJob.hta

# Reference: https://twitter.com/killamjr/status/1150218238573404160

/SystemUpdater.hta

# Reference: https://www.freebuf.com/articles/network/196788.html (Chinese)

/file.hta
/fin.hta
/final.hta
/zoxr4yr5KV.hta

# Reference: https://twitter.com/James_inthe_box/status/1059087094612602881

/SamRefJobsVacancies.hta

# Reference: https://twitter.com/James_inthe_box/status/1151156619733921792

/8741161.hta

# Reference: https://twitter.com/alex_lanstein/status/988851524406099968

/LPOKGGTEFFGFJ.hta

# Reference: https://twitter.com/FewAtoms/status/1159473273870196736

/out-1379808530.hta

# Reference: https://twitter.com/reecdeep/status/1159833486817034241

/elnino.hta

# Reference: https://twitter.com/w3ndige/status/1168437823193669632

/2055970.hta

# Reference: https://twitter.com/Zerophage1337/status/1007645365133246464

/dwie.hta

# Reference: https://otx.alienvault.com/pulse/5d7a4780d9dfe5be7ab9296e

/Lfvbu0.hta
/Msgxo0.hta
/Qbjoo0.hta
/Rjboi0.hta
/Rnlnb0.hta
/Vamva0.hta

# Reference: https://twitter.com/rpsanch/status/1172548993177522176

/ManTechJobs.hta

# Reference: https://twitter.com/i/status/1172612874708996096

/Tickets.hta

# Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901

/Duxuu.hta
/Duxuu0.hta

# Reference: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/

/Player1566444384.hta

# Reference: https://twitter.com/h4ckak/status/1144173749056315392

/startup.hta

# Reference: https://twitter.com/FewAtoms/status/1180819300476755969

/MS.hta
/MSHTAPayload.hta
/out-1302410780.hta
/out-2091529197.hta
/out-792744321.hta
/out-932457051.hta
/ppro.hta

# Reference: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
# Reference: https://otx.alienvault.com/pulse/5d9c72d7e2efa3b5aa799b41

/Mau2.hta

# Reference: https://twitter.com/cyber__sloth/status/1181957000927727616

/out-1369462999.hta
/out-834610808.hta

# Reference: https://twitter.com/w3ndige/status/1168437823193669632

/2055970.hta

# Reference: https://twitter.com/tkanalyst/status/1184825216033099777

/SYUWSL1.hta

# Reference: https://mp.weixin.qq.com/s/ujeIeb_BWoLWu420imwAOQ
# Reference: https://otx.alienvault.com/pulse/5dad976536418494e8540014

/hta1.hta

# Reference: https://twitter.com/wwp96/status/1186622658751938560

/out-1029000015.hta

# Reference: https://twitter.com/tkanalyst/status/1196033182694379527

/flusupdxx64.hta

# Reference: https://twitter.com/FewAtoms/status/1198574338036969474

/azo.hta
/PO98989211.hta

# Reference: https://twitter.com/cyber__sloth/status/1200005508641558528

/out-1246717249.hta

# Reference: https://app.any.run/tasks/c382b09f-03f7-4680-86c5-28316c5cc5e3/

/microsoft.hta

# Reference: https://twitter.com/wwp96/status/1202267925559808000

/2206907.hta

# Reference: https://twitter.com/wwp96/status/1214926249535164422

/25067710.hta

# Reference: https://mp.weixin.qq.com/s/L3dVwbkfTABtE4ZYtv5r4w
# Reference: https://otx.alienvault.com/pulse/5e206d8b77de0b2690b9946c

/zaqxswcde.hta
/zaqxswcderfv.hta

# Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b

/brzol0.hta
/dbrcn0.hta
/tyjui3.hta
/zjirz.hta
/zjirz0.hta

# Reference: https://twitter.com/JayTHL/status/1227122437885698049

/youuth.hta

# Reference: https://twitter.com/FewAtoms/status/1231994766398717954

/out-337443407.hta
/out-510267147.hta

# Reference: https://twitter.com/casual_malware/status/1239760321021128706

/out-44955964.hta
/out-1376540361.hta
/out-1897288366.hta

# Reference: https://twitter.com/FewAtoms/status/1239938872341139456

/out-8815323.hta

# Reference: https://twitter.com/malwrhunterteam/status/1240996072425652224

/out-1429065212.hta
/out-1770163823.hta
/out-1890736898.hta
/out-531451995.hta

# Reference: https://twitter.com/Rmy_Reserve/status/1241301496571953152

/cfhkjkk.hta

# Reference: https://twitter.com/FewAtoms/status/1241813291460067329

/out-756898907.hta
/out-1019569980.hta
/out-1388663052.hta

# Reference: https://twitter.com/malwrhunterteam/status/1241318536280227844

/sol.hta

# Reference: https://twitter.com/malwrhunterteam/status/1242812814668038151

/out-1068156992.hta

# Reference: https://twitter.com/FewAtoms/status/1243579932590161930

/out-571924757.hta
/out-756898907.hta

# Reference: https://twitter.com/bit_dam/status/1256311982992633862

/new%201.hta

# Reference: https://pastebin.com/uwPeU4CL

/Cqsl.hta

# Reference: https://twitter.com/malwrhunterteam/status/1258844055682912259

/out-2010667608.hta

# Reference: https://blog.alyac.co.kr/3033 (Korean)
# Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6

/pre.hta
/suf.hta

# Reference: https://urlhaus.abuse.ch/downloads/text_recent/

/Hmoye0.hta

# Reference: https://twitter.com/KorbenD_Intel/status/1281290067382685696

/convert.hta

# Reference: https://twitter.com/wwp96/status/1328087453392130052

/windows.hta

# Reference: https://twitter.com/fr0s7_/status/1330828461196382215

/evil.hta

# Reference: https://twitter.com/jstrosch/status/1333935819380416512

/invoice.hta

# Reference: https://twitter.com/wwp96/status/1337520882034544641

/OpenToView.hta

# Reference: https://twitter.com/nao_sec/status/1339483904189685760

/r.hta

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

ads.voipnewswire.net/ad.js
drupalupdates.tk/check.js
cdn.allyouwant.online/main.js
ejyoklygase.tk
examhome.net
mp3menu.org
uustoughtonma.org

# Reference: https://twitter.com/bad_packets/status/1038967603048243200
# Reference: https://www.virustotal.com/#/file/d527ea936ab99a2e3a25cf8786c66c0e07fc509b9465d48dd26065f034795f19/relations

aster18cdn.nl/app.js
feesocrald.com/app.js
istlandoll.com/app.js
soodatmish.com/app.js
play.aster18cdn.nl/app.js
play.feesocrald.com/app.js
play.istlandoll.com/app.js
play.soodatmish.com/app.js

# Reference: https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/

/2131.js
/webmr.js
/webmr-2.js
/webmr-x7.js

# Reference: https://twitter.com/ViriBack/status/1035692468459720704

/r/6jHa5
/r/Lx4er

# Reference: https://www.virustotal.com/#/domain/coinhive.com
# Reference: https://twitter.com/bad_packets/status/1042627971368939521

/lib/captcha.min.js
/lib/ch2.min.js
/lib/coinhive.min.js
/lib/miner.min.js
/lib/worker-asmjs.min.js

# Reference: https://www.virustotal.com/#/url/e2887029795c19d1b0d7e97bcd6b29fd25988ea27e8f958ef9af6f9520f97b45/detection

coinimp.com/scripts/min.js

# Reference: https://twitter.com/malwrhunterteam/status/1044950859875012608

/perfekt/perfekt.js

# Reference: https://twitter.com/VK_Intel/status/1021453551975817217

wjcqsstycdujc.eu

# Reference: https://twitter.com/ps66uk/status/1036775592371384320
# Reference: https://twitter.com/ps66uk/status/1026391185953312768
# Reference: https://pastebin.com/izi6pDs8
# Reference: https://threats.kaspersky.com/en/threat/Trojan-Downloader.JS.SLoad/

4play4girls.com/.cabinet/29rf852359-package-updated
adetailimage.com/.customer/3G5QH49725-Your-receipt
alaxvong.com/.customer-area/pack-82AK376-updated
arenaofshrugs.com/.customer-area/package-3M516645-updated
asecretenergyofmiracles.com/.customer-area/pack-42X31841-updated
atlantaseedsmentoringforgirls.com/.customer/1OC358756-your-receipt
ayca.com/.customer/FW8149101-Your-receipt
bakerassistants.com/.safe/GD8JY47086-receipt
bekahwagner.com/.customer-area/package-1GHF7189-updated
beneaththeblackrainbow.com/.customer-area/pack-0VX2107-updated
beneaththeblackrainbow.com/.customer-area/pack-7WRS_214-updated
bettingmlb.com/.customer-area/package-919R-70321-updated
bleuhaven.com/.customer-area/package-79JK8_63195-updated
bollygupshup.com/.advicedetails/0235789168-details
bostonteleprompter.com/.advice-notification/86MZ71628-complete-details
browseright.com/.customer/TI1N01666-your-Receipt
bullcityapparel.com/.safetyarea/TNF4Z521816-order-receipt
buyinggoldhq.com/.customer-area/package-11U492-updated
buzznewscenter.com/.cabinet/2dgp641-package-updated
byxaru.com/.orderdetails/92EW-60267-confirmation
comocuidarme.com/omoc/darme
comunicazionecreativaconsapevole.com/.customer-area/pack-156Q3055-updated
cumbrecapital.com/.customer/6B1R003355-Your-receipt
cumbrecapital.com/.customer/A1K414064-your-Receipt
customers.breastandbodyguidemd.com/.productdetails/8P97438-status-updated
customers.delvecchiopastafresca.com/.personal/package-1XTY6521-updated
customers.golf-classifieds.com/.clientarea/delivery-status-updated
dasheriemagazine.com/.customer-area/pack-24CG4727-updated
db.agile-kanata.com/usernotice/35Z4760-status-update
db.avonbourne.com/usernotice/9RYK9707-status-update
db.bobwu.com/usernotice/71AX0842-notifications
db.boomer-angle.com/usernotice/8T3G41905-notifications
db.careerever.com/usernotice/93I5333-notifications
db.catalinaappraisalservice.com/usernotice/1RJ6972-notifications
db.catalinaappraisalservice.com/usernotice/69V1K3619-notifications
db.digitalwizards.com/usernotice/0CW618-notifications
db.disruptivedrama.com/.safe/66B_410-Receipt
db.falsefiddle.com/.safe/H3X837846-Receipt
db.flyingelephantstudios.com/usernotice/57K5X36453-notifications
db.glennwithrow.com/usernotice/69JY81993-notifications
db.hivetastic.com/usernotice/51X768973-notifications
db.honeycombbooks.net/usernotice/484J7970-notifications
db.icmeet.com/.safe/9L7235-Receipt
db.jclbioassay.com/.safe/S2JA10415-Receipt
db.nobuwrap.com/.safe/E9B3M049671-Receipt
db.nobuwrap.com/usernotice/6L6295-notifications
db.obimfresh.net/usernotice/8O551983-notifications
db.pakkaussuunnittelu.com/usernotice/47E67189-status-update
db.preciselysoftware.com/usernotice/79OE4365-notifications
db.replayrink.com/usernotice/68SEG85567-notifications
db.serendipidance.com/usernotice/9UKS3638-notifications
db.sextoysandmen.com/usernotice/91NRI363-notifications
db.stonyrundesign.com/.safe/CJ0YU149110-receipt
db.stonyrundesign.com/usernotice/81FI02058-notifications
db.strawberryshakemovie.com/usernotice/3485145-notifications
db.whiterivercountry.com/usernotice/1WNO3384-status-update
db.whiterivercountry.com/usernotice/64AW18330-notifications
db.woodenboatgallery.com/usernotice/6CPO02141-notifications
db.yellowstonebrewingcompany.com/usernotice/08CY772-notifications
db.yourfuturebeginshere.com/usernotice/33YHT45331-notifications
dflathmann.com/.customer-area/pack-652B619488-updated
districtframesph.com/.getyourticket/81365093-ticket
drjarad.com/.customer-area/package-5Z4015-updated
durolosangeles.com/.customer-area/package-15H85328-updated
dwiby.com/.customer/3I51694269-Your-Receipt
enataihomes.com/.advice-customers/order-complete-details
eventfish.com/.safetyadvicearea/01686431953-order-Receipt
farmersce.com/.safe/PYN9005J-476356-your-New-Receipt
fitnessdetail.com/.safe/1CUS794179-Receipt
flightcasefilms.com/.customer-area/package-0GZ77952-updated
flipsandals.com/.safetyadvice/36PU815683-Receipt
forsalekentucky.com/.safe/NIUFZ748379-Receipt
forsalemontana.com/.safe/SE-37885-Receipt
foundationtour.com/.customer-area/pack-77ER586-updated
foundationtour.com/.customer-area/package-01ZK1-8120-updated
freewaydeathsquad.com/.cabinet/5ihz6840-pack-updated
fromthedeskofashigeorgia.com/.advice-customers/order-complete-details
fruchile.com/.safe/QF8267H-99740-your-New-receipt
funtimefacepainting.com/.customer-area/pack-5OR7_4582-updated
gettingsecure.com/.safe/THK11097-receipt
goldmaggot.com/.safe/L65P912030-receipt
hercrush.com/.safe/EHR168605-Receipt
holtsberrydesign.com/.customer-area/package-19YY6241-updated
horseharmonyfarm.com/.safe/RDFN509606-Receipt
hoschtonhomesforless.com/.safetyarea/16O711723-order-Receipt
hotnewreads.com/.advicedetails/7XV777-details
howelladventures.com/.safetyadvice/87YA590-Receipt
identitygift.com/.safe/WPVWT808948-receipt
iphone6backgrounds.com/.advicedetails/71PL2590-details
jennanorwood.com/.advice/delivered-status-notification
jvive.com/.customer-area/pack-3BM8_29302-updated
kentuckyinjuryaccident.com/.safe/2GN1356-Your-new-Receipt
kevinecotter.com/.safetyadvice/29K054-receipt
kivacopper.com/.cabinet/14zc_9521-pack-updated
kosmopolitanfinearts.com/.customer-area/package-8WE6996-updated
krcooking.com/.customer-area/package-54GWB-04521-updated
ladyfounder.com/.customer-area/package-830ZO_3159-updated
laibachmusic.com/.safetyarea/UVRN559091-order-receipt
laucacau.com/.safetyadvicearea/0814656528-order-Receipt
lifebyaileen.com/.advice-notification/order-complete-details
longbayhideaway.com/.safetyadvice/JO6OV00947-receipt
lonnielepp.com/.safetyarea/2VC41131-order-receipt
lonnielepp.com/.safetyarea/ENS9Y49504-order-receipt
loulouinhollywood.com/.customer/1P4FC280342-your-receipt
lrsresources.com/.safetyadvice/2MVK655933-Receipt
luchtefeld.com/.safe/CE-737941-Receipt
maloneandcompanyswededfilmfest.com/.safetyarea/003702712-order-Receipt
margotgarnick.com/.customer-area/package-6OF_22197-updated
megachief.com/.safetyadvice/77RUZ57184-Receipt
mjsmallbusinessservices.com/.safetyarea/74C56_2495-order-receipt
motomako.com/.safetyarea/EYGL699416-order-receipt
moveinmandalay.com/.cabinet/11sf_9124-pack-updated
myblagh.com/.safetyadvice/66YS2836-Receipt
northernlightssurvey.com/.productdetails/receipt-details-updated
norway2thailand.com/.customer-area/pack-60HX346-updated
norway2thailand.com/.customer-area/package-9GP_90045-updated
odedadali.com/.advicedetails/026052352956-details
okiostyle.com/.safetyarea/0409669990-order-Receipt
onenationhealing.com/.advicedetails/28MM_665-details
pacificrimbonsai.com/.advice-notification/order-complete-details
paperlovestudios.com/.advicedetails/078391277951-details
passportstatusonline.com/.orderdetails/69X99475-confirmation
pdxinjuryattorney.com/.customer-area/pack-8XD_2636-updated
perimenopausetherapy.com/.cabinet/23hu_5379-pack-updated
philasoup.com/.safetyarea/IVEU187436-order-Receipt
placeklaw.com/.advice/10HF81744-order-receipt
popnuvo.com/.safetyadvice/49RBX589238-receipt
qtheboat.com/.advicedetails/088641320452-details
rescuingchildrenhealingadults.com/.customer-area/pack-474TT-33472-updated
retroframing.com/.customer-area/pack-4RLJ0016-updated
rickyville.com/.customer-area/pack-52JT3992-updated
riideinc.com/.advice/delivered-status-notification
robdonato.com/.advice/91-673620-ticket
rontonsoup.com/.customer-area/pack-00ME-9651-updated
runningvillage.com/.advicedetails/0CQ265196-details
rynegrund.com/.customer-area/package-51QJ728660-updated
saragoldstein.com/.customer-area/pack-772M_3561-updated
saragoldstein.com/.customer-area/package-7FEQ5204-updated
sbicarolinas.com/.safetyadvice/EG778094-Receipt
scottad.com/.customer/1NNZN394864-your-receipt
seoandgrow.com/.safe/CBR00207-receipt
sethpgoldstein.com/.customer-area/package-22AX-42309-updated
sketcheleven.com/.customer-area/pack-5Z04750-updated
sketcheleven.com/.customer-area/package-7OUF_395-updated
smallscalelng.com/.customer/8JY41782-your-new-Receipt
smartglassesdataplans.com/.safe/PJ2B028923-receipt
smokeshopsinc.com/.customer-area/package-06FB3259-updated
solofront.com/.customer-area/pack-25P92664-updated
startabusinessinpa.com/.customer-area/pack-0YQM250-updated
sunandprasad.com/.safetyadvice/3XTV756223-receipt
theartofbridal.com/.customer-area/pack-315J713173-updated
theartofbridal.com/.customer-area/package-1P5212-updated
thefinancialcontrollers.com/.dXNlcLNTF7pUywsgZm5A1KDNHnNlc3ND1pBVMcjXgwhF735D0idpb/3ZG2038-receipt
thehowandwhy.com/.safetyarea/ODSW3456060-order-Receipt
thejunglejournal.com/.customer-area/package-2HH382-updated
thekindlesales.com/.customer/NGJ3494423-your-receipt
themeterminal.com/.safetyadvicearea/088432722890-order-Receipt
thepathlightcenter.com/.customer-area/pack-93IGG_25443-updated
thepynebros.com/.advice/delivered-status-notification
thequietcreatives.com/.customer-area/package-4699700-updated
theseamill.com/.safe/PDQVC123710-receipt
timharwoodmusic.com/.safe/U6N2P16610-Receipt
tinynaps.com/.advicedetails/7F25947-details
top-costumes.com/.safe/P9SVQ222688-Receipt
twobulletsleft.com/.safetyarea/ZNMP57074-order-Receipt
uberdragon.com/.safetyadvice/6O46703705-receipt
urban-meditations.com/.advice/03BEN7818-order-Receipt
valbridgetucson.com/.cabinet/98cg814-pack-updated
valbridgetucson.com/.cabinet/9d5080138-pack-updated
veterantruckingjobs.com/.customer-area/pack-8UVL_62500-updated
videosforwhatsapp.com/.safetyadvice/2LY9480-receipt
wewalk4you.com/.customer-area/pack-864O_5167-updated
whataresquingies.com/.safetyadvicearea/0405470695-order-receipt
wildhowlz.com/.advicedetails/027380256-details
yokosukadoula.com/.advicedetails/0864668306-detail
zenartfree.com/.advicedetails/1Z2-510491-details

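# Reference: https://www.symantec.com/security-center/writeup/2018-092007-1208-99
# Reference: https://www.virustotal.com/#/ip-address/212.109.222.157
# NOTE(review): no indicator is listed under these two references - confirm whether an entry was dropped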

# Reference: https://twitter.com/unmaskparasites/status/1049723562746146816

/wp-load.js

# Reference: https://twitter.com/malware_traffic/status/1051999693780262912

/flashplayer_41.22_plugin.js

# Reference: https://twitter.com/securitydoggo/status/938750437913776128

/SexyHot19.js

# Reference: https://twitter.com/securitydoggo/status/919906367254728706

/chronopost-colis-suivi.js

# Reference: https://twitter.com/securitydoggo/status/856526428933943296

/Consulta FGTS.js

# Reference: https://twitter.com/bad_packets/status/1106430758179110912

blockchainanalyticscdn.com
5b0c4f7f0587346ad14b9e59704c1d9a.top
925e40815f619e622ef71abc6923167f.top

# Reference: https://www.group-ib.com/media/js-sniffer/

gmo.li

# Reference: https://twitter.com/VK_Intel/status/1104109897531224065

host.moresecurity.kz/host/info

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-06-12 Charming Kitten waterhole)

178.32.48.50:8443/node.js

# Reference: https://blog.attacker.net/a-new-wave-of-the-simpleoneline-malware

simpleoneline.online

# Reference: https://twitter.com/natmchugh/status/1118851237351497734

so.youneverfind.com/statistics.js

# Reference: https://twitter.com/bad_packets/status/976677742862200832

/5992203285ab3219.3.n.2.1.l60.js

# Reference: https://securelist.com/muddywaters-arsenal/90659/

dzoz.us/js/js.js

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
# Reference: https://otx.alienvault.com/pulse/5cc71ac7631c3a2f3c67ba7f

/assests/eng_edge_new.html

# Reference: https://twitter.com/gwillem/status/1127617495911804935
# Reference: https://twitter.com/CERTA_intNsec/status/1127849427572527104

assets.pcrl.co/js/jstracker.min.js

# Reference: https://twitter.com/gwillem/status/1127619061725241349

code.cloudcms.com/alpaca/1.5.17/bootstrap/alpaca.min.css

# Reference: https://twitter.com/gwillem/status/1127890329175244800

d20iczrsxk7wft.cloudfront.net/botwverified/badge.js

# Reference: https://twitter.com/_mmeltzer/status/1128311225228648449

cdn.ryviu.com/js/reviews.js
ww1-filecloud.com

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

/thecry.js

# Reference: https://www.fortinet.com/blog/threat-research/payment-card-details-stolen-magecart.html
# Reference: https://www.virustotal.com/gui/ip-address/178.33.231.184/relations

/ausliebezumduft.js
/bigmusicshop.js
/brain-payment.js
/darussalam.js
/dotsport.js
/hepler.js
/iloveskininc.js
/kimon.js
/klarna.js
/mycigara.js
/relightdepot.js
/sanasafinaz.js
/stutterheim.js
/turtlecase.js
/whinkel.js

# Reference: https://twitter.com/eComscan/status/1136181192796061697

/baypre.js
/cashionrods.js
/dans.js

# Reference: https://twitter.com/Racco42/status/1136621446053150720

/0001.js

# Reference: https://twitter.com/luc4m/status/1138430833533104128

/tkeezwbzpl.js

# Reference: https://twitter.com/Racco42/status/1139461501113311232

/urgente.js

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.js

# Reference: https://twitter.com/david_jursa/status/1148199946618732544

/add5.js

# Reference: https://twitter.com/JayTHL/status/1149055957256802307

click.clickanalytics208.com

# Reference: https://thehackernews.com/2019/07/magecart-amazon-s3-hacking.html
# Reference: https://www.zscaler.com/blogs/research/magecart-activity-and-campaign-enhancements

/js/decor.js

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

/zaqedcvfr.js
/zaqwsxcde.js

# Reference: https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/

/alfuncsync.js
/fingerprint_db.js
akibanoticias.com
tharbadir.com

# Reference: https://twitter.com/James_inthe_box/status/1150794193494630401

/sharing_buttons.js

# Reference: https://twitter.com/adrian__luca/status/1151393084380459009
# Reference: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180/

/k55qtf704vukk11a8r24riuuoc.js
/pe0gecpi4ins56vi9kfrnh7kbs.js

# Reference: https://blog.sucuri.net/2019/07/fake-google-domains-used-in-evasive-magento-skimmer.html
# Reference: https://otx.alienvault.com/pulse/5d3f2283df812ea7458e98f8

/3f5cf4657d5d9.js
/5d32125dab5ee.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

/e1cuqrhmik66gu7pr90qk9v3p8.js
/ftp22vfljscml2370rsritui9g.js
/tinyjs.min.js

# Reference: https://twitter.com/smica83/status/1156485272617570304

/factura.js

# Reference: https://twitter.com/ScumBots/status/1157875582765535232

http://156.236.102.78

# Reference: https://twitter.com/securitydoggo/status/1158370884899495936

/2019-National-Intelligence-Coordinating-Agency-Survey-Questionnaire.js

# Reference: https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/

boobahbabies.com
eventsbysteph.com
query.network
connect.clevelandskin.net
connect.clevelandskin.org
track.amishbrand.com
track.positiverefreshment.org
link.easycounter210.com
click.clickanalytics208.com
/s_code.js?cid=

# Reference: https://twitter.com/James_inthe_box/status/1159917575301582848

/JFd0mx.js
/rKPcLW.js

# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

/pass_sqzr.jsp

# Reference: https://twitter.com/JAMESWT_MHT/status/1164140106095177731
# Reference: https://app.any.run/tasks/0c5278c0-d505-4873-b612-9318dbbc2733/

/ajwngsj.js

# Reference: https://twitter.com/JAMESWT_MHT/status/1167096432236650497

/0f.js
/1f.js
/2f.js
/3f.js
/4f.js
/5f.js
/6f.js
/7f.js
/8f.js
/9f.js

# Reference: https://twitter.com/StopMalvertisin/status/1167121250847580162

/msg_frr_w3.js
/myjs28_frr_c1.js
/myjs28_frr_s37.js

# Reference: https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html

/r2.js

# Reference: https://twitter.com/killamjr/status/1171122456528150528

tut-64.com
yourservice.live
0wnpr0m0.com

# Reference: https://twitter.com/shotgunner101/status/1174324923499765760

/5d7c50e85111d.js

# Reference: https://www.ibm.com/downloads/cas/O3W1LZAZ

/advnads20.js
/test1ccf.js
/test1try.js
/test2try.js
/test3ccf.js
/test3try.js
/test4ccf.js
/test4try.js
/tongji.js

# Reference: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/

/01sall.js
/02sall.js
/03sall.js
/04sall.js
/05sall.js
/06sall.js
/07sall.js
/08sall.js
/09sall.js
/1566444384.js

# Reference: https://twitter.com/killamjr/status/1178030065486974976

allyouwant.online

# Reference: https://twitter.com/killamjr/status/1178019676653146112

/js/google.analytics.min.js

# Reference: https://www.virustotal.com/gui/ip-address/162.222.213.20/relations

/ikandej.js

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2010/2010-01-14-more-details-on-operation-aurora/more-details-on-operation-aurora.csv

/GDSRScripts.js

# Reference: https://twitter.com/0xFrost/status/1181153730382716928
# Reference: https://twitter.com/James_inthe_box/status/1316079441034919936
# Reference: https://twitter.com/James_inthe_box/status/1316091614113087488

hostcontent.live
hostingcloud.cloud
hostingcloud.racing
/ab20.js
/Iit5.js

# Reference: https://otx.alienvault.com/pulse/5d9cadcab8eefffbac23367a
# Reference: https://blog.sucuri.net/2017/05/fake-wordprssapi-stealing-cookies-and-hijacking-sessions.html
# Reference: https://www.scmagazineuk.com/cookie-monster-malware-steals-cookies-hijacks-wordpress-sessions/article/1474671

1.newor.net
2.api.viralheadlines.net
3.newor.net
a01.u-ad.info
abtrcking.com
adrenalinecdn.com
agrkings.com
airjss.com
andrewandjack.com
api.behavioralmailing.com
b.nwcdn.xyz
beatchucknorris.com
blozoo.net
bwinpoker24.com
c.radxcomm.com
caphyon-analytics.com
cdn.adpoints.media
cdn.avrti.xyz
cdn.echoenabled.com
cdn.inaudium.com
cdn.jquery.tools
cdn.muse-widgets.ru
cdn.owlcdn.com
cfs.u-ad.info
chat-client-js.firehoseapp.com
cleantds.in
code.jguery.org
con1.sometimesfree.biz
connect.f1call.com
d0.histats.12mlbe.com
da.adsvcs.com
daljarrock.hurlinesswhitchurch.com
dcts.pw
dezaula.com
dup.baidustatic.pw
e.e708.net
earsham.pontypriddcrick.com
flipdigital.ru
frompariswithhate.org
gamescale.vio.rocks
getsocialbuttons.xyz
hmailserver.in
hosted-oswa.org
i.omeljs.info
i.rfgdjs.info
i.selectionlinksjs.info
i3.putags.com
ijquery9.com
infinite-2.tcs3.co.uk
infinite-3.tcs3.co.uk
java.sometimesfree.biz
jquery.im
js.nster.net
js.sn00.net
js.trafficanalytics.online
js2.sn00.net
kanpianjs.top
keit.kristofer.ga
livestats.us
log.widgetstat.net
m.free-codes.org
m.xfanclub.ru
mediros.ru
narnia.tcs3.co.uk
nstracking.com
oasagm82wioi.org
onlinemarketplace.top
ournet-analytics.com
parts.kuru2jam.com
pipardot.com
rarstats.com
s.orange81safe.com
s1.omnitor.ru
sbdtds.com
script.affilizr.com
sdb.dancewithme.biz
seo101.net
spartan-ntv.com
src.dancewithme.biz
srv1.clk-analytics.com
st.segpress.io
st.stadsvc.com
stablemoney.ru
stat.botthumb.com
stat.rolledwil.biz
static.bh-cdn.com
tag.imaginaxs.com
takoashi.net
themes.affect.lt
trafficapi.nl
traffictrade.life
upgraderservices.cf
upskirt-jp.net
w5983.lb.wa-track.com
webstats.xcellenzy.com
widgets.wowzio.net
yourmsrp.com
yys1982.com
zirve100.com

# Reference: https://twitter.com/david_jursa/status/1181925512798773249
# Reference: https://app.any.run/tasks/14d9b5a2-d8d3-41f4-9557-f21aec01fa32/

/xGpmLMHiaqCy-agu1ud6fHqKiTo.js

# Reference: https://twitter.com/david_jursa/status/1183728660710338561

/p8anm0bn388i8bg6sqcv0smlto.js
/uqff1t6racoanqj092dg2q5bg8.js

# Reference: https://twitter.com/MBThreatIntel/status/1184531791102857216

/umbro.js

# Reference: https://twitter.com/tkanalyst/status/1184840339070148609

/5j76hga6tnpo7levlgmhrosuhs.js

# Reference: https://twitter.com/killamjr/status/1185376383180136448

/media/si.js

# Reference: https://twitter.com/GroupIB_GIB/status/1185230751769468928

/js/mirasvit/

# Reference: https://twitter.com/Placebo52510486/status/1141619924512792583

12js.org
12lib.org
16js.org
16lib.org
22js.org
lib0.org
wp11.org

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain:-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/

info-stat.ws

# Reference: https://cyberweek.ae/materials/D4%20TRACK%202%20-%20APT%20Attacks%20On%20Crypto%20Exchange%20Employees%20-%20Heungsoo%20Kang.pdf

analyticsfit.com

# Reference: https://twitter.com/EKFiddle/status/1187034052227784704

/lsdioss612ns.js

# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584
# Reference: https://www.virustotal.com/gui/domain/humsoolt.net/relations

humsoolt.net

# Reference: https://twitter.com/tkanalyst/status/1190975614766833664

/bootstrap.minfc4a.js
/ghost-sdk.minfc4a.js
/highlight.packfc4a.js
/jflickrfeed.minfc4a.js
/jquery.fitvidsfc4a.js
/mainfc4a.js

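# Reference: https://wordpress.org/support/topic/malware-infected-file-wordpress-core-wp-includes-wp-tmp-php/
# Reference: https://twitter.com/unmaskparasites/status/1181651764921155584
# NOTE(review): these look like ad-zone request patterns that pop-under ad networks also serve legitimately - TODO confirm; treat a hit as a lead on injected ad code and correlate with the requesting site before escalating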

/afu.php?zoneid=
/apu.php?zoneid=

# Reference: https://www.virustotal.com/gui/ip-address/104.151.24.95/relations
# Reference: https://www.virustotal.com/gui/ip-address/128.14.150.144/relations

/index_files/analytics.js
/index_files/matc.js

# Reference: https://twitter.com/xuy1202/status/1195701523797303296

adsnet.work

# Reference: https://twitter.com/killamjr/status/1198093080966115330

boot-uprenewedintenselyproduct.icu

# Reference: https://twitter.com/xuy1202/status/1199347607920734208

ask-us.pro
askus.mobi
cheofaabridri.gq
forumdownloadforall.mobi
mykeitonly.info

# Reference: https://twitter.com/xuy1202/status/1199595200949059584

/js/jquery/advListRotator.js

# Reference: https://twitter.com/nullcookies/status/1200576466150477824

/js/faker_secrets.js

# Reference: https://twitter.com/xuy1202/status/1201778263271436289

cdn.buycongestion.com
top.worldtraffic.com

# Reference: https://twitter.com/gwillem/status/1201647716352380929

sequracdn.net
live.sequracdn.net
/modrrnize.js

# Reference: https://twitter.com/JCyberSec_/status/1201850074822778880

/5c3a398f10058.js

# Reference: https://twitter.com/JCyberSec_/status/1201850062994903045

/jquery_noconflict.js

# Reference: https://www.getastra.com/blog/911/how-magecart-attackers-are-continuing-to-affect-e-commerce-platforms/

/js/everlast.js
/js/mage.js

# Reference: https://twitter.com/JCyberSec_/status/1202575691365191680
# Reference: https://www.virustotal.com/gui/domain/marketplace-magento.com/relations
# Reference: https://www.virustotal.com/gui/ip-address/181.214.86.150/relations
# Reference: https://www.virustotal.com/gui/domain/phplib.net/relations

/authoriz-getway.js
/authorizenet-getway.js
/BancesellaGetway.js
/bancasella-getway.js
/braintree-getway.js
/direct-getway.js
/gestpaypro-getway.js
/PaymentGetway.js

# Reference: https://twitter.com/gwillem/status/1202602117510451200

2chat.top

# Reference: https://twitter.com/JCyberSec_/status/1202903192192901120

/js/AuthorizenetMagento.js

# Reference: https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

/vmartgo.js

# Reference: https://twitter.com/xuy1202/status/1204778227517935616

/2RuLm5ldHdvcmsx.js
/9nRYFAGehAFJJ7u.js
/klei53Wl6dT2bSF6S.js

# Reference: https://twitter.com/ninoseki/status/1204971169658523649
# Reference: https://www.virustotal.com/gui/ip-address/1.171.162.250/relations

/user_info_uploader

# Reference: https://twitter.com/JCyberSec_/status/1206919450802438144
# Reference: https://twitter.com/JCyberSec_/status/1206919471597850624

/5c117b7b019cb.js
/5c12fffeea71e.js
/5c21f3dbf01e0.js
/5c3a398f10058.js
/5c13086d94587.js
/5d94c29e12536.js
/5d2c953326774.js

# Reference: https://twitter.com/killamjr/status/1207685407229526023

sgamno.com

# Reference: https://twitter.com/tkanalyst/status/1210663918953123841

/3pik20j30ri0f17q37u2s4mkms.js

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1213878934514864128

site-great.xyz

# Reference: https://twitter.com/JayTHL/status/1214207517590511616
# Reference: https://twitter.com/JayTHL/status/1214240539563966465

static.srcspot.com
/libs/carlos.js
/libs/darrel.js
/libs/galindo.js

# Reference: https://twitter.com/aglongo/status/1214575812646752259

/js/b76dadb06c3582b7f598111d60f2f944.js
/js/ee497bb12cf272d333449cd79582c289.js
/js/34dbc8a61ab0c8e3f7fc444d83b8a3d4.js

# Reference: https://twitter.com/ScumBots/status/1218627885579362304
# Reference: https://twitter.com/pmelson/status/1218655235205451777

149.248.1.128:443
149.248.1.128:80

# Reference: https://twitter.com/unmaskparasites/status/1219611201891708928

admarketresearch.xyz
adsformarket.com

# Reference: https://twitter.com/matr0cks/status/1220418827751763969

/jqueryprivatesecurity.js
/onloadsecurityvalidate.js

# Reference: https://twitter.com/unmaskparasites/status/1206662128213594117

whoisloookup.com

# Reference: https://twitter.com/pjcampbe11/status/1222556092242317315
# Reference: https://www.helpnetsecurity.com/2019/09/24/cve-2019-1367/
# Reference: https://otx.alienvault.com/pulse/5e32f827509fbbbeb2d3ee2a

202.122.128.28:80
largeurlcache.com

# Reference: https://twitter.com/david_jursa/status/1223740643912093696

/fc1i4iicca17n7p0h8mrsb0jfs.js
/lhglbfj4if5d1hisd2iuha1670.js

# Reference: https://twitter.com/FaLconIntel/status/1229004752312078336

/veugi45pre97c4koiurgjg0ar0.js

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

coolbrowsering.xyz
alfapromo.info
archivepoisk-zone.info
onlinemobsoft.ru
anyaaplanet.info
decentsite.xyz
archivepoisk.info
sympleplace.info
adsmeneger.club

# Reference: https://twitter.com/felixaime/status/1236196571928236037

scriptcdn.info

# Reference: https://twitter.com/unmaskparasites/status/1235190676838633477

collectfasttracks.com

# Reference: https://twitter.com/unmaskparasites/status/1241068775157510144
# Reference: https://publicwww.com/websites/%22scriptalicious.info%22/

scriptalicious.info

# Reference: https://twitter.com/blackorbird/status/1245597745403969544

/t0uch/tou64.js
/t0uch/tou86.js

# Reference: https://twitter.com/d09r_/status/1245306272175419392

/o93jak2nm1k2.js

# Reference: https://twitter.com/unmaskparasites/status/1250469460617637891
# Reference: https://www.virustotal.com/gui/domain/stivenfernando.com/relations

stivenfernando.com

# Reference: https://twitter.com/fahadsoror/status/1251638383245475840

underthebreach.com/breach-protection

# Reference: https://www.kitploit.com/2020/04/flux-keylogger-modern-javascript.html

/42963187845881.js

# Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/

coronamasksupply.com
coronavirusinrealtime.com
coronashirts.store

# Reference: https://sansec.io/labs/2018/08/30/magentocore.net_skimmer_most_aggressive_to_date/

/19303817.js

# Reference: https://twitter.com/unmaskparasites/status/1254766052296122368
# Reference: https://www.virustotal.com/gui/domain/trackstatisticsss.com/relations
# Reference: https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/

adsforbusines.com
stivenfernando.com
ps.stivenfernando.com
ws.stivenfernando.com
trackstatisticsss.com
stat.trackstatisticsss.com

# Reference: https://www.virustotal.com/gui/domain/crisgrey.com/relations

crisgrey.com

# Reference: https://www.virustotal.com/gui/domain/cdn-js.net/detection

cdn-js.net

# Reference: https://twitter.com/unmaskparasites/status/1260542044747059200

digestcolect.com
css.digestcolect.com
js.digestcolect.com

# Reference: https://twitter.com/CERT_Polska_en/status/1270623116931317760
# Reference: https://pastebin.com/raw/Ap38Fr7e
# Reference: https://pastebin.com/raw/YyYs8Her

/myjs28_frr_b7.js
/myjs28_frr_c1.js
/myjs28_frr_j2.js
/myjs28_frr_n01.js
/myjs28_frr_n02.js
/myjs28_frr_s17.js
/myjs28_frr_s20.js
/myjs28_frr_s21.js
/myjs28_frr_s22.js
/myjs28_frr_s23.js
/myjs28_frr_s29.js
/myjs28_frr_s30.js
/myjs28_frr_s31.js
/myjs28_frr_s33.js
/myjs28_frr_s35.js
/myjs28_frr_s36.js
/myjs28_frr_s37.js
/myjs28_frr_s38.js
/myjs28_frr_s39.js
/myjs28_frr_s4.js
/myjs28_frr_s45.js
/myjs28_frr_s47.js
/myjs28_frr_s48.js
/myjs28_frr_s49.js
/myjs28_frr_s50.js
/myjs28_frr_s51.js
/myjs28_frr_s52.js
/myjs28_frr_s55.js
/myjs28_frr_s7.js
/myjs28_frr_w1.js

# Reference: https://twitter.com/ScumBots/status/1271482475546660864

141.255.154.194:1666
fivemmods222.ddns.net

# Reference: https://twitter.com/xuy1202/status/1272842659183255553

hellokity.in

# Reference: https://twitter.com/ScumBots/status/1274497302628098048

91.153.0.57:1556

# Reference: https://twitter.com/felixaime/status/1278600095538262017 (# WPScriptInjection)
# Reference: https://twitter.com/felixaime/status/1278602674401955846
# Reference: https://twitter.com/unmaskparasites/status/1280581176747601920
# Reference: https://www.virustotal.com/gui/ip-address/185.244.172.39/relations
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.49/relations

letsmakeparty3.ga
lobbydesires.com
tlcweb.ml
wpctrl.ga
wpctrl.gq
wpctrl.ml

# Reference: https://twitter.com/unmaskparasites/status/1289272342837895171
# Reference: https://twitter.com/unmaskparasites/status/1303792031693778947
# Reference: https://twitter.com/unmaskparasites/status/1303792922140254215
# Reference: https://twitter.com/unmaskparasites/status/1293570769545580545
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.126/relations

declarebusinessgroup.ga
developerstatss.ga
donatelloflowfirstly.ga
lowerbeforwarden.ml
trendopportunityfollow.ga

# Reference: https://twitter.com/unmaskparasites/status/1329490824875282432
# Reference: https://www.virustotal.com/gui/ip-address/217.144.106.108/relations

lovegreenpencils.ga

# Reference: https://twitter.com/unmaskparasites/status/1291406328129298434
# Reference: https://blog.sucuri.net/2020/07/reverse-string-woocommerce-wordpress-credit-card-swiper.html

localhostnametable.com

# Reference: https://unit42.paloaltonetworks.com/script-based-malware/

assurancetemporaireenligne.com/c.js

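# Reference: https://twitter.com/yazilimci_adam/status/1297785340581883904 (Turkish)
# NOTE(review): the hostname below sits under turkcell.com.tr, a mobile operator's own zone - confirm it is still attacker-related before using this entry for blocking; false positives are likely otherwise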

176.235.38.79:8080
bilgilendirme.turkcell.com.tr

# Reference: https://www.virustotal.com/gui/domain/party-nwvqdtumtz.now.sh/relations

party-nwvqdtumtz.now.sh

# Reference: https://twitter.com/unmaskparasites/status/1308145960682426368

celolum.com

# Reference: https://twitter.com/david_jursa/status/1310659997324410880

vahjgkjhfkjdhkjdfhjdfj26a.s3-accelerate.amazonaws.com

# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/

googleads.store

# Reference: https://ideone.com/CYMY4

/eqq.all.js
/ggmainv3d0718.js

# Reference: https://twitter.com/EKFiddle/status/1326245935559692289
# Reference: https://www.virustotal.com/gui/ip-address/162.241.201.20/relations

/5fa7ae834efee.js

# Reference: https://twitter.com/david_jursa/status/1326648367049486337

/u5nrroma8jlrdredqooe4bl18o.js

# Reference: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

/include/static/template-letter.asp

# Reference: https://twitter.com/Circuitous__/status/1329218754979434496
# Reference: https://www.virustotal.com/gui/file/3b9af7c880f01b0a4773fbc06867276b3121f3ad588dbcf73eb1552e9c0bd108/detection

messaging-security.comano.us
secure-messaging.comano.us
comano.us

# Reference: https://www.virustotal.com/#/ip-address/85.17.26.65 (# URL section)

/boxMrenewal.php
/challengevdl.php
/dd.php
/girisi.php
/rerewp.php
/overviewshn.php
/signOnV2Screen.php
/Up-dating.php

# Reference: https://twitter.com/malwrhunterteam/status/1045622528541151232

/hows_yourfever.php
/introductio_n.php
/psycho.php
/review_me.php
/rootme.php

# Reference: https://www.virustotal.com/#/domain/manapowermta.us

/loomistech/gate.php

# Reference: https://twitter.com/nullcookies/status/1019569151503986689

/bc0de.php

# Reference: https://twitter.com/devnullek/status/1020015255144017920

/order588.php

# Reference: https://twitter.com/YouMayBeHacked/status/1040368782408069120

/Kostenaufstellung.169156596183882049609578.php

# Reference: https://twitter.com/James_inthe_box/status/1048277465397751808

/onlinegoogle.php

# Reference: https://twitter.com/YouMayBeHacked/status/1048341985319444481

/Abrechnung-76-31210998378353168993665795447.php

# Reference: https://twitter.com/DissectMalware/status/1048329071061606400

/90AS98DF.php

# Reference: https://www.hybrid-analysis.com/sample/f65ba1cc50b29dd05ddaa83242f4b7bd0429841bfc4befa9e203cb6621d2389b?environmentId=100

/loader_mn.php

# Reference: https://twitter.com/James_inthe_box/status/1053668299165229056

/loader_ma.php

# Reference: https://twitter.com/nullcookies/status/1054496925469343744

/anzhuo.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/IpNigh/status/1107567316148150274

/universalmail-notifications/updates.php

# Reference: https://twitter.com/Racco42/status/1102488453990830080

/masquare.php

# Reference: https://twitter.com/Racco42/status/1098218160111734789

nitdesenders.tianat.cat/tmp/signup.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1103983033307271168

/photo/123.php
/Sep2018/gsm.php

# Reference: https://twitter.com/benkow_/status/1085483319347867649

/public/hydra.php

# Reference: https://twitter.com/anyrun_app/status/1060858198599577601

/ghuae/huadh.php

# Reference: https://twitter.com/pollo290987/status/1108755025604591622

/loro_4.php

# Reference: https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

statconuter.com/c.php

# Reference: https://twitter.com/James_inthe_box/status/1109832439700971520
# Reference: https://app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e

/loadbase1.php

# Reference: https://twitter.com/malwrhunterteam/status/1111630255763189761

/D2017HL/u.php

# Reference: https://twitter.com/IpNigh/status/1111919996266049536

/ahzhnobu48jgm1rksb2zl3sc.php

# Reference: https://twitter.com/IpNigh/status/1111904352053198848

/challengevdl.php

# Reference: https://twitter.com/IpNigh/status/1111872373446377472

/overviewshn.php

# Reference: https://twitter.com/executemalware/status/1112337168138149888

/phpmailer/Pmxyz.php

# Reference: https://twitter.com/albertzsigovits/status/1113096573284728839

/asfdh4/auth.php

# Reference: https://twitter.com/IpNigh/status/1113287915612798976

/49rrf856hqofcuq6mkdntfdp.php

# Reference: https://otx.alienvault.com/pulse/5ca5e12bcf299875864044a6
# Reference: https://www.securityartwork.es/2019/04/02/militaryfinancingmaldoc/
# Reference: https://blog.trendmicro.co.jp/archives/19054

/7773/index.php
/9125/gate.php

# Reference: https://www.bromium.com/mapping-malware-distribution-network/
# Reference: https://otx.alienvault.com/pulse/5ca7142dd898276082584a58

/olala/get.php

# Reference: https://twitter.com/IpNigh/status/1114334454930190336

/hcu9e676hqzffjez47ec6ggd.php

# Reference: https://twitter.com/ViriBack/status/1114610878056402945

/class-walker-page-up.php

# Reference: https://twitter.com/VK_Intel/status/1080919080616439808

/spr_updates.php

# Reference: https://twitter.com/packet_Wire/status/1118528816509591552

/rz7g271ct2iv65rmhwwq42bu.php

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1122804929452814337

/2abjk95b4kwbdpnfdn7uewhr.php

# Reference: https://twitter.com/pancak3lullz/status/1123233975252787200

/ya63omxqknnm4ar8vb8evwje.php

# Reference: https://twitter.com/GelosSnake/status/1123540164268183552

/mnbv/handler.php

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834

/rwrw66/1111z.php
/rwrw66/2222z.php

# Reference: https://twitter.com/JCyberSec_/status/1124290346668777505

/g4f9sokfo2ecegn2twq4u3t7.php

# Reference: https://app.any.run/tasks/3068b154-d6f2-4483-ae72-60fbd5f3467f
# Reference: https://www.virustotal.com/gui/file/0cbf6190e0a381a0ec20a2b54156f06615453bb80ae2e1256242cb8af96b065d/detection
# Reference: https://www.virustotal.com/gui/file/cd5eeddb8eb8074b97583b653cbcf627da475debbb3070284fd6c6446f9eec97/detection

/cmd.php?hwid=
/cmd.php1?hwid=
/cmd.php?timeout=

# Reference: https://twitter.com/JAMESWT_MHT/status/1126020627075403776

/pabury473675.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1126109441651245057

/v2i.php?need=

# Reference: https://twitter.com/malwrhunterteam/status/1126821015567384582

authconfig.imrris.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126830402834968576

authconfig.motonsoft.com/validate.php

# Reference: https://twitter.com/malwrhunterteam/status/1126834434504822789

oneonlinetrue.com/cgi-bin/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126835745640067074

razire.com/root/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126837652571992065

ptlonghigroup.us/01001/pain.php
ptlonghigroup.us/01001/pain2.php
/01001/pain.php
/01001/pain2.php

# Reference: https://twitter.com/malwrhunterteam/status/1126844312053067776

/spemmg.php

# Reference: https://twitter.com/malwrhunterteam/status/1126848369190686721

oneonlinetrue.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126850750708109315

creacionesdelsac.com/Cacha/handler.php

# Reference: https://twitter.com/malwrhunterteam/status/1126855753791356928

poa-oreo.co.uk/racks/space/p.php

# Reference: https://twitter.com/malware_traffic/status/810966197881671680
# Reference: http://malware-traffic-analysis.net/2016/12/19/index.html

/drb31.php
/d8/ul.php

# Reference: https://twitter.com/malwrhunterteam/status/1127945201841049600

namecakes.com/epl/ajax.php

# Reference: https://twitter.com/WifiRumHam/status/1127971696126783488

westflies.com/api/api.php

# Reference: https://twitter.com/JayTHL/status/1128173436889653248

/send/ab-apr29-1.php
/send/ab-apr29-2.php
/send/cj-apr27-1.php
/send/cj-apr29-1.php
/send/cj-apr29-2.php
/send/cj-may4-1.php
/send/m24m24-1.php
/send/m24m24-2.php
/send/m24m24-3.php
/send/m24m24-4.php
/send/f13m13-1.php
/send/f13m13-2.php
/send/f13m13-3.php
/send/f13m13-4.php
/send/f13m13-5.php
/send/a10j10-1.php
/send/m10a10-1.php
/send/azu.php
/send/was.php

# Reference: https://twitter.com/JayTHL/status/1129865519417499651
# Reference: https://pastebin.com/raw/mU7abvT9

/attiinnddeexx.php

# Reference: https://twitter.com/JayTHL/status/1131329627954319361
# Reference: https://pastebin.com/raw/g8bhsb4G

/6i5aiewuz0xprm8htmrrhhz9.php

# Reference: https://twitter.com/IpNigh/status/1131425432543408129

/index91484101498.php

# Reference: https://twitter.com/VirITeXplorer/status/1131816142199250944

/pagiy75.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135453581144969216

/v21in603.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1135815803880820742

/pagighg66.php

# Reference: https://twitter.com/IpNigh/status/1136167409751138304

/plwnkfd8gcn5x317by4goj7c.php

# Reference: https://twitter.com/IpNigh/status/1136480809861419010

/vq5sinmcamguedpoak8epeh3.php

# Reference: https://twitter.com/packet_Wire/status/1137019106559967232

/hhhhh.php

# Reference: https://twitter.com/IpNigh/status/1138206277992161281

/o365ms.php

# Reference: https://twitter.com/cyberanalyzer/status/1140571010518978560

/main.jspsid.php

# Reference: https://twitter.com/IpNigh/status/1141059894021361666

/chaseind.php

# Reference: https://twitter.com/IpNigh/status/1142886176975675395

/l9ymhf8w6w11sjeay07wrkng.php

# Reference: https://twitter.com/ffforward/status/1143100705303158784

/klla.php

# Reference: https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/

/mhtexp.php

# Reference: https://twitter.com/killamjr/status/1113876111543492608

/newauto2.php

# Reference: https://twitter.com/IpNigh/status/1143687948619124737

/index91484101498.php

# Reference: https://twitter.com/smica83/status/1146648528846041089

/7gvbp7pbrrdp2j8o5y4iqfva.php

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

/AffdrDrr.php
/lickmyass.php

# Reference: https://twitter.com/IpNigh/status/1147295303931977733

/ubwa0opty4jnoerxyj8dtjra.php

# Reference: https://twitter.com/ps66uk/status/1148183374818873344

/publickprivate.php
/74_8_839.php
/fontandcolor.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1148562854808891392

/ddss0h9lipd6diuh5jan2w0t.php

# Reference: https://twitter.com/navSi16/status/1148192534654439426
# Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7

/js/left.php

# Reference: https://twitter.com/IpNigh/status/1148676390759391234

/31npodfikdtpkgq6difyox4s.php

# Reference: https://twitter.com/IpNigh/status/1149168247683633153

/3mm9etr00x4b2ml4b0fhdv7f.php

# Reference: https://twitter.com/MalwarePatrol/status/1149383199904210944

/a1ev2wehp69sw2tjkua8wc39.php

# Reference: https://twitter.com/MalwarePatrol/status/1149769820709314561

/c9mq35lqup5b25sljr2qomce.php

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

/fredcvbgt.php
/swqazxcde.php
/trfvbnhy.php
/uythuycr.php
/yhnbgtrfv.php

# Reference: https://twitter.com/IpNigh/status/1150572125603934208

/info_secure_account.php

# Reference: https://twitter.com/YouMayBeHacked/status/1151197704090988544

/dna_excel.php

# Reference: https://twitter.com/adrian__luca/status/1151393084380459009
# Reference: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180/

/8yZ7YDpM2Cu3lqbB7WFJV19PE9mb1f8c.php
/XKIOEEEEE.KDJDD.php

# Reference: https://twitter.com/YouMayBeHacked/status/1152234246083424256

/myriad-pro-installerr.php

# Reference: https://twitter.com/IpNigh/status/1152929163797512194

/h1nnbwfsediifgz2yv3w09xs.php

# Reference: https://twitter.com/IpNigh/status/1153149383589933056

/l7mg85smredbpehm3gnp2g1n.php

# Reference: https://twitter.com/MalwarePatrol/status/1153699284497440771

/bxo2fxmx9ub9kg1ghf3xc9va.php

# Reference: https://twitter.com/IpNigh/status/1154707735524630528

/ah1who7vrexwov9pe3g57va9.php

# Reference: https://twitter.com/MalwarePatrol/status/1154815918461128705

/tw0207s24zsj7ukq21d7l0iw.php

# Reference: https://twitter.com/dvk01uk/status/1155068156471382023

/c6e905de8a762015cd177be60cd6bd67.php

# Reference: https://twitter.com/IpNigh/status/1155282939623727104

/k7xscuhn9fkiwczwud5t2kqq.php

# Reference: https://www.virustotal.com/gui/ip-address/173.231.184.61/relations

/mars/remote.php

# Reference: https://twitter.com/IpNigh/status/1156083556747268096

/outer_pag.php

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

/1Hqmyt597XO0ZNj9tXit7HZOMroEJu8c.php
/chihuahua-posting.php
/XKIOEEEEE.KDJDD.php

# Reference: https://twitter.com/IpNigh/status/1156311805154725888

/info_secure_account.php

# Reference: https://twitter.com/IpNigh/status/1156600041274040320

/u6ke0yj0s6btjdh22yrr62tj.php

# Reference: https://twitter.com/MalwarePatrol/status/1156627854572081152

/c3jccysjfbj8u3u9atw9vkff.php

# Reference: https://twitter.com/MalwarePatrol/status/1157493998577225728

/13rqsblgaqu1z4h04w7ql2kh.php

# Reference: https://twitter.com/MalwarePatrol/status/1157594231407632384

/i9eyybpavhc50wb8lcc7yle9.php

# Reference: https://twitter.com/MalwarePatrol/status/1157669728544088064

/a9di3q2br7kzvl1gl5rjh9pr.php

# Reference: https://twitter.com/MalwarePatrol/status/1158243497587204096

/2i729w0bw448s72mzt9c1pc0.php

# Reference: https://twitter.com/PhishStats/status/1158280905892519936

/o365ms.php

# Reference: https://twitter.com/IpNigh/status/1159063350103420928

/mwnsmre6in7pv7abig7tzfyu.php

# Reference: https://twitter.com/MalwarePatrol/status/1159617579469742082

/835pnjmr1w4p5ypvgcymfkkx.php

# Reference: https://twitter.com/MalwarePatrol/status/1161731505065988102

/acabx352of60k6h87abrrjg6.php

# Reference: https://twitter.com/James_inthe_box/status/1162068269387276289
# Reference: https://app.any.run/tasks/6812075f-1785-494f-9624-eda8b19943c3/

/add_bot.php

# Reference: https://twitter.com/ANeilan/status/1162803350511017985

/setoransnsv.php

# Reference: https://twitter.com/smica83/status/1163222123923615745

/transaction_find.php

# Reference: https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/

/addbot?hwid=

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

tqbeu.redirectvoluum.com
tqbeu.voluumtrk.com

# Reference: https://twitter.com/IpNigh/status/1164328397314699265

/9cfryg81syzg9u27cxh19tax.php

# Reference: https://twitter.com/MalwarePatrol/status/1164917499281989632

/8k1bkkn094xdivviaab8hs19.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1165926508084563968

/107741af5648cf.php

# Reference: https://twitter.com/luc4m/status/1166558549742411777

/wnzwyq3o8jvv4fbjsc42sfvl.php

# Reference: https://twitter.com/malware_traffic/status/1166838031556517888
# Reference: https://app.any.run/tasks/2141fadd-0379-404f-b8e1-917035910c4b/

/loader/gate.php

# Reference: https://twitter.com/MalwarePatrol/status/1167816610805161984

/s5a03tkf4q9d9nb73da3nhsi.php

# Reference: https://twitter.com/killamjr/status/1168904634498502656

/43333.php

# Reference: https://twitter.com/IpNigh/status/1169988952096432129

/d8fo713p7xcqwe3gmej9ahtl.php

# Reference: https://twitter.com/tkanalyst/status/1170688633172443139

/c0nf1g.php
/c0nfig.php

# Reference: https://twitter.com/ViriBack/status/1170728460781871105

/configurationssss.php
/oficialmuieingaoaza.php

# Reference: https://twitter.com/MalwarePatrol/status/1172452149625643008

/j1x28e4tr691s8cen0eeu43d.php

# Reference: https://twitter.com/Cyberfishio/status/1173202856654057472

/rvqjseptt66izwsmtj5rwj6k.php

# Reference: https://twitter.com/MalwarePatrol/status/1174339575570980865

/b9aapumjlkzrcxw8sl4i2zor.php

# Reference: https://twitter.com/MalwarePatrol/status/1173826189577850880

/82gnq2z9u7lpl560f16htzzf.php

# Reference: https://github.com/eset/malware-ioc/tree/master/stantinko (# The Safe Surfing injected script)

safesurfing.me

# Reference: https://twitter.com/IpNigh/status/1173924979462823938

/101454858.php

# Reference: https://twitter.com/MalwarePatrol/status/1175502232978100231

/6b2vru1bujseuosd0gjvndag27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1176800786615087104

/bp5ayjj97kidyn89d9pw6jwq27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1177314170821382145

/3u0j30ly39gt9f4677hal1dj27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1178325835771711488

/kbhtz3rscf9vqr0l6gk40uxi27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/smica83/status/1177552932004401152

/ilqzck5hf6ypq465yzbhmvn7.php

# Reference: https://twitter.com/MalwarePatrol/status/1177676554517790721

/7u73zbven6ronnzmiqt7vf1q27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1178763720970919936

/2xc14iaupg8qto7r300jdtfy27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1177109960309858304
# Reference: https://app.any.run/tasks/947e97aa-fb67-4856-bcc7-297b4d14c9cd/

/stoc_post.php

# Reference: https://twitter.com/demonslay335/status/1000222227546148871

/pwd/write.php?info=

# Reference: https://twitter.com/bartblaze/status/980877270565957633

/wp-images/log.php?info=

# Reference: https://twitter.com/blackorbird/status/1178491520518770688

/patch/chkupdate.php

# Reference: https://www.fortinet.com/blog/threat-research/free-rugby-world-cup-streaming-foul-play.html
# Reference: https://otx.alienvault.com/pulse/5d93710f59fc94e047c15637

/tuname.php

# Reference: https://twitter.com/MalwarePatrol/status/1179262006068748290

/fgyt6678/login.php

# Reference: https://twitter.com/PhishFindR/status/1180032797156761600

/0147-wadho.php

# Reference: https://twitter.com/PhishFindR/status/1179987498128363520

/log1n.php
/ma53sk2.php
/sendrzlt.php

# Reference: https://twitter.com/MalwarePatrol/status/1180062277162156032

/k9ou2mlnk5rl6kbr0z68vz9x27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/PhishFindR/status/1180062995793285120

/bankpas_aanvragen.php

# Reference: https://twitter.com/420spiritz/status/1179903273995767808

/hijaiyh-panel.php

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-07-07-leakerlocker-mobile-ransomware-acts-without-encryption/leakerlocker-mobile-ransomware-acts-without-encryption.csv

/click.php?cnv_id=

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-10-24-badrabbit-ransomware-burrows-russia-ukraine/badrabbit-ransomware-burrows-russia-ukraine.csv

/flash_install.php

# Reference: https://twitter.com/PhishFindR/status/1180470680204259328

/wapG2app.php

# Reference: https://twitter.com/PhishFindR/status/1180455576616280066

/send_billing.php

# Reference: https://twitter.com/PhishFindR/status/1180395189652873217

/firstlog.php

# Reference: https://twitter.com/PhishFindR/status/1180289486074331138

/billing.php?ip=
/complete.php?ip=
/payment.php?ip=

# Reference: https://twitter.com/PhishFindR/status/1180274387527884805

/8rsiu3gu5vbwkznr6znv6kf3.php

# Reference: https://twitter.com/PhishFindR/status/1180334788575662081

/kox3k6ev4at2i4cyyn2tztcs.php
/ys26r01vhg6r8279hiqd5auc.php
/z7nnaf3qmjeh11pt174clb89.php

# Reference: https://twitter.com/IpNigh/status/1181466510172315648

/uim4vz14u9o4un7m819o3a7azt.php

# Reference: https://twitter.com/PhishFindR/status/1181572952598499334

/3wd1abbmevsxjvq8702v8vwy.php

# Reference: https://twitter.com/PhishFindR/status/1179745909783109632

/ondetverifier.php

# Reference: https://twitter.com/PhishFindR/status/1179715711465377793

/zweryfikowany.php

# Reference: https://twitter.com/PhishFindR/status/1180757572023934977

/capatcha.php

# Reference: https://twitter.com/IpNigh/status/1180896155108020224

/directe-demande-compte.php

# Reference: https://twitter.com/MalwarePatrol/status/1181224949215834114

/s2sdjgls74n39hucqyuddblu27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://www.virustotal.com/gui/ip-address/54.39.233.175/relations

/kksahc.php

# Reference: https://twitter.com/PhishFindR/status/1181557852407812096

/fullz.php

# Reference: https://twitter.com/JCyberSec_/status/1182281930823258114

/indexbabo.php

# Reference: https://twitter.com/JCyberSec_/status/1182284439679881216

/index50G.php

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

/sthadd.php

# Reference: https://twitter.com/cocaman/status/1182339090420830208

/Invoicely.php

# Reference: https://twitter.com/malware_traffic/status/1182456890095259652

/2hd3.php
/hyyfydd35.php

# Reference: https://twitter.com/MalwarePatrol/status/1182749989480685568

/2s2jgyug9537ov3guofwa2da27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1182885899702591488

/pev5x30ugjedndsjt86lqkb527524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/PhishFindR/status/1182826217206091777

/lastdesj.php

# Reference: https://twitter.com/PhishFindR/status/1182947001622843392

/OrgSurveyMonkeyincorrect.php

# Reference: https://twitter.com/PhishFindR/status/1183294298017673216

/redirectlog.php

# Reference: https://twitter.com/ecarlesi/status/1183416858948636672

/outherename.php

# Reference: https://twitter.com/MalwarePatrol/status/1183610672527171584

/hfgf5jrvfx6odl7xi6bbndz5.php

# Reference: https://twitter.com/yvesago/status/1181541621705383936

/jizz2.php

# Reference: https://twitter.com/PhishFindR/status/1183762397649080321

/ob_anmelden.php

# Reference: https://twitter.com/MalwarePatrol/status/1184199568021508096

/61tgu20b80ylafuzev5cfx9427524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/MalwarePatrol/status/1184410933378113536

/8mh8tkv75bx8vne8k3w33hex.php

# Reference: https://twitter.com/MalwarePatrol/status/1184561928443699200

/wx6xy08d1bdand1ekx3b5bc927524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/IpNigh/status/1185208281750487040

/EasyWeb%20Login1.php

# Reference: https://www.virustotal.com/gui/file/8890413aaf104d61f7736558350252d63e55e370449ebcec8812f5a1637ed12e/detection

/nsy6z9ybvhrts5nm6inzf2ld.php

# Reference: https://www.virustotal.com/gui/file/d10c51034be9e3e5338e378900ca5eabff72eb3b02ef34a3e37146a656b62821/detection

/box3Drenewal.php

# Reference: https://twitter.com/MalwarePatrol/status/1185784986303188992

/5u0ytv3c71064zvzsdonbhhi.php

# Reference: https://twitter.com/MalwarePatrol/status/1186380237090766848

/7ojr9y8dx5ywd6cnc33nc2ro.php

# Reference: https://twitter.com/PhishFindR/status/1186570877485420544

/iqov6j5ohz02kv3x1w5sbrvl.php
/okbppq6lqo7ld2y9a31343oi.php
/x2khxmw4n64wzm1g9rhi0j3f.php

# Reference: https://twitter.com/MalwarePatrol/status/1188608587297370112

/4ajm5od1mrxwz53ixra4iixa.php

# Reference: https://wordpress.org/support/topic/website-hacked-index-php-totally-changed/
# Reference: https://www.virustotal.com/gui/domain/bingstyle.com/relations

bingstyle.com
saleforyou.org

# Reference: https://twitter.com/pancak3lullz/status/1192132907277733889

/DbegcjODZNhoeY10.php

# Reference: https://twitter.com/MalwarePatrol/status/1193108234422358016

/b5t67uhgo6mofy2cy6plw5ao.php

# Reference: https://twitter.com/MalwarePatrol/status/1193259233325830144

/a8f393621f61442943b4f24c.php

# Reference: https://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html

/yolo/admin/settings.php

# Reference: https://twitter.com/James_inthe_box/status/1193965109552406528

/c7afb5603b20fe.php

# Reference: https://twitter.com/MalwarePatrol/status/1195358076574085121

/ftzxrdyd4bzn34urui0wjjf2.php

# Reference: https://twitter.com/chybeta/status/1196250816476139520

/wp-content/plugins/super-socialat/super_socialat.php

# Reference: https://twitter.com/PhishFindR/status/1197533121052323840

/rbcgi3m01.php

# Reference: https://twitter.com/James_inthe_box/status/1197577070500401152

/ftsp2fflm.php

# Reference: https://twitter.com/MalwarePatrol/status/1197607895656992769

/h7mcpj41d18meamdw8t6gwcb.php

# Reference: https://twitter.com/killamjr/status/1198093080966115330

/dickygg.php

# Reference: https://twitter.com/JayTHL/status/1199362012368789504

/slamduncker.php

# Reference: https://twitter.com/0xCARNAGE/status/1199700157127892992

/8fdbb8f102faff.php

# Reference: https://www.virustotal.com/gui/ip-address/54.202.202.94/relations

/9609e559db7a36.php

# Reference: https://www.virustotal.com/gui/ip-address/194.187.249.103/relations

/56rgwr3ymoyb5pmftfxp18b4.php
/7shgj1hwpp80tlf4s8yqcb4r.php
/jd7j9mmyypufdw808gtr8wfu.php

# Reference: https://app.any.run/tasks/b480973a-0b99-46ad-9a74-6fab20fc206e/

/YrgGyhkU6V8R0i3s.php

# Reference: https://twitter.com/stoicbird/status/422824507192008705

/c/feed.php
/c/form.php

# Reference: https://twitter.com/IpNigh/status/1204464565800583169

/home3e6e.php

# Reference: https://twitter.com/PhishFindR/status/1207015599890747397

/processar_1.php
/processar_1-1.php
/processar_2.php
/processar_2-2.php

# Reference: https://twitter.com/unmaskparasites/status/1207356669052801024

zctrack.com

# Reference: https://twitter.com/PhishFindR/status/1207755477565751296

/fcc-authenticazione.php

# Reference: https://twitter.com/MalwarePatrol/status/1208404034346004487

/t4t3bcw368wwno9zlciqr244.php

# Reference: https://twitter.com/MalwarePatrol/status/1208977815481307137

/1djx9hic7893s4ibzf3dtnjf.php

# Reference: https://twitter.com/nao_sec/status/1209090544711815169

/jppropellerads.php

# Reference: https://twitter.com/MalwarePatrol/status/1209853585141501952

/xbwzo420wz1r6frvy127b3zl.php

# Reference: https://twitter.com/MalwarePatrol/status/1210215974600945667

/sf2u6eovopsz6qqcv0unjld1.php

# Reference: https://twitter.com/Vishnyak0v/status/1210528486512824321

/f8h7ghd8gd8/index.php

# Reference: https://twitter.com/MalwarePatrol/status/1210789744143060992

/qtt30bxz0x2n86r2ivlcdqkt.php

# Reference: https://twitter.com/MalwarePatrol/status/1211076635736379393

/kz3zscegcucigqia01ifzale.php

# Reference: https://twitter.com/MalwarePatrol/status/1211439022557605888

/5iosdxlj7wlaqxi5fca2f3an.php

# Reference: https://twitter.com/MalwarePatrol/status/1212465790873673728

/vola4ob2hwwrak36r8ytzcf2.php

# Reference: https://twitter.com/JCyberSec_/status/1214130157356822528

/7xctzza3vnuc6kx62lseaqsn.php

# Reference: https://twitter.com/wwp96/status/1214939236195086337

/5d54ff24322827.php

# Reference: https://twitter.com/MalwarePatrol/status/1218263998963077121

/1ynjmpv989zfji1p3mmyi73q.php

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1215267911666950145
# Reference: https://app.any.run/tasks/3d00b564-5584-41bf-bbc9-177f53315c96/
# Reference: https://www.virustotal.com/gui/ip-address/18.219.52.4/relations

/PediuPraPostarPostou.php
/PostaEstaPorra.php
/VaiPostaProPai.php

# Reference: https://twitter.com/dubstard/status/1215705048824655873

/secure-bankofamerica-personal-information-update.php

# Reference: https://twitter.com/MalwarePatrol/status/1219351173024624640

/1yroihdrc99ceanyt77k0h82.php

# Reference: https://twitter.com/wwp96/status/1219614957416873984

/d380803e561db4.php

# Reference: https://twitter.com/dubstard/status/1219703659111636993

/tDxhinc.php

# Reference: https://twitter.com/IpNigh/status/1220249931946037249

/yo0io9tpd5y85cjgsivluoif.php

# Reference: https://www.virustotal.com/gui/domain/newbook-t.info/relations

/downloadcdneu98680113.php
/downloadcdnus46745341.php
/downloadcdnus46745343.php

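# Reference: https://twitter.com/IntezerLabs/status/1221789726702800897
# Note: generic file name; a match on the path alone is weak evidence, so corroborate with the destination host before escalating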

/ddos.php

# Reference: https://twitter.com/MalwarePatrol/status/1222099275607351296

/2gv5x6lg8sugbhjmtg7ezufe.php

# Reference: https://www.virustotal.com/gui/domain/web.riderit.com/relations
# Reference: https://app.any.run/tasks/193b764b-c408-4226-9a66-8400d1b1f4f9/

/0251e9e6dd2b6761318cf74b9c7cfbcc.php
/21a44295fbc5e240b8897759c8d4ecbd.php
/2eff7f856c921b9679658fc1076ad8df.php
/3192bf6e779334e01ff1f354b369e992.php
/3a6966fd4933d209199b9bf401c56325.php
/42f5aabbcbba40b021ac48b5d03424eb.php
/4a122e1be14c64455d732d6809397908.php
/4c76a53c02e96376537dd399c26d42e6.php
/4ebcbf3ba7ccb02dfb195c7d5ca7787d.php
/597684641290261a2d9b5e4f3c31448f.php
/5a2eec141864de49a45bb29ac52dbe6b.php
/5fa33fb8aff4f22b08f6371b434982ae.php
/7b86de71fe96e99fdb691ef6232bf67d.php
/824e747ac0a4b302b94c5c8811aecffc.php
/921f92a5d1a046bfb48a3c9ea2e85893.php
/93b9f5a0890ae2b6cfbfd44ab5f5698f.php
/9e9ec25815b236f8481bf58f872f9499.php
/a647cd724dccdc618bde9486f9048c1d.php
/a8d7ca744ce9804d9684ead43bcc3f12.php
/c516cd9f3d02c0a9657652b835170278.php
/c6e905de8a762015cd177be60cd6bd67.php
/c899b67fe5f3939e234fa5e427fda4eb.php
/dd45006971f6dc8fe2abe8ea9904a2fe.php
/dd7e6cce27c6cc2b70d705559c9a158b.php
/de33e172deb9cd1a01cc95a3198b5ff2.php
/dedfa9292432a75b835f7e73b6f3b84f.php
/e649d1894bdae5a5d60226290297fdf3.php
/e6f482cc5f9dd0a1d18cb925499c1e6b.php
/ea0645ba64ff256edb90e1c12a0a4cdb.php
/ef0390ca68e9e2a0e3851e0cf6b22353.php
/f7d2dd7b5bdd9919634388790cc9c4fa.php

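# Reference: https://twitter.com/unmaskparasites/status/1222242298404179970
# Note: generic file names that can also appear on unrelated sites; triage hits together with the destination host and surrounding traffic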

/backdoor.php
/inject.php

# Reference: https://twitter.com/smica83/status/1222440174489100288

/5h5qibac2xyhjtvuig3gaabo.php

# Reference: https://twitter.com/MalwarePatrol/status/1224424598650966018

/8gtd3b4wfigyiks4byoj5jyd.php

# Reference: https://twitter.com/MalwarePatrol/status/1226236539216257024

/6x39zirn3k4gr0njt1fotypx.php

# Reference: https://twitter.com/MalwarePatrol/status/1225285279050870784

/0cpc8mjcq211xolw8ma10v2j.php

# Reference: https://twitter.com/MalwarePatrol/status/1226885813667074049

/pn4nfl0niuptkem28h804gz5.php

# Reference: https://app.any.run/tasks/9683cba3-6fcd-4264-91f1-575da5329677/

/api/X.php

# Reference: https://twitter.com/ninoseki/status/1223376549287620610

/0cpc8mjcq211xolw8ma10v2j.php

# Reference: https://twitter.com/MalwarePatrol/status/1227535087438311424

/lg50lqqckgrorhfbk7z0nt07.php

# Reference: https://twitter.com/MalwarePatrol/status/1228410873984831489

/2qs8brx2ayrqu6954pwroacc.php

# Reference: https://twitter.com/MalwarePatrol/status/1228471256787439616

/5r9z334kjramxzfizndwlq98.php

# Reference: https://twitter.com/MalwarePatrol/status/1233484287393046533

/ioor2y6d10o6knz0pj1tweua.php

# Reference: https://twitter.com/IpNigh/status/1233182231964856320

/s7d5b2g45htrj028xo0y00gu.php

# Reference: https://twitter.com/MalwarePatrol/status/1231370355291414529

/67u7is2tdmnp9bj0pr4511f8.php

/ZuluDaka1.php
/ZuluDaka2.php
/ZuluDaka3.php
/ZuluDaka4.php
/ZuluDaka5.php
/ZuluDaka6.php
/ZuluDaka7.php
/ZuluDaka8.php

# Reference: https://twitter.com/IpNigh/status/1224406954564517889

/captura01Controller.php

# Reference: https://www.virustotal.com/gui/file/f92ffc14ebc9ea2be74f7a6f73fa2055e345a42428171cee6491e6903816dce3/detection

/0ec71210595a57.php
/5d54ff24322827.php
/a92079a4564cf9.php
/b3a443d2dcbd9f.php
/d380803e561db4.php

# Reference: https://twitter.com/JayTHL/status/1227122437885698049

/74633a062dfc6c.php

# Reference: https://www.virustotal.com/gui/domain/ipblasta.com/relations

/860cce76152de2.php

# Reference: https://twitter.com/wwp96/status/1227265060566917120

/095ac16cdd62d1.php

# Reference: https://www.virustotal.com/gui/ip-address/89.208.229.55/relations

/acbf8e37fb139b.php
/ca4341dad4fe26.php

# Reference: https://twitter.com/pancak3lullz/status/1230522568026673153

/85b4aa12e220f7.php

# Reference: https://twitter.com/wwp96/status/1232396705028616197

/7b96d23b4371b5.php

# Reference: https://twitter.com/tkanalyst/status/1229794466816389120

/usexosell.php
/usflexexosell.php

# Reference: https://blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html
# Reference: https://otx.alienvault.com/pulse/5e4d6c5790faacd62f7afed6

brilns.com
crilns.com
devata.icu
dolodos.top
frilns.com
kdsidsiadsakfsas.com
medsource.top
oajdasnndkdahm.com
pervas.top
piastas.gdn
piasuna.gdn
semasa.icu
tdreg.icu
tdreg.top
tretas.top
trilns.com
vosmas.icu
vtoras.top

# Reference: https://twitter.com/ANeilan/status/1232283590114840576
# Reference: https://twitter.com/JayTHL/status/1253459585731563522
# Reference: https://pastebin.com/8LL4Hg9e
# Reference: https://pastebin.com/trRiwBKQ
# Reference: https://paste.ee/r/v9aRR/0

bankss-71.cf
bankss-71.ga
bankss-71.gq
bankss-71.ml
bankss-71.tk
bantoom-71.ga
bantoom-71.gq
blessed-812.ga
blessed-812.gq
blessed-812.ml
blessed-812.tk
braums-74.cf
braums-74.ga
braums-74.gq
braums-74.ml
braums-74.tk
bucks-812.cf
bucks-812.ga
bucks-812.gq
bucks-812.ml
bucks-812.tk
cahult-71.cf
canjerry-812.gq
canjerry-812.ml
canjerry-812.tk
cost-812.ml
cost-812.tk
cynth-812.cf
cynth-812.gq
cynth-812.ml
cynth-812.tk
cynthia-812.cf
cynthia-812.ga
cynthia-812.gq
cynthia-812.ml
cynthia-812.tk
darklight-812.cf
darklight-812.ga
darklight-812.tk
empbomb-812.cf
empbomb-812.ga
empbomb-812.gq
empbomb-812.ml
empbomb-812.tk
enter-812.cf
enter-812.ga
enter-812.gq
enter-812.ml
enter-812.tk
fight-812.gq
fight-812.ml
grrrls-812.ga
grrrls-812.gq
grrrls-812.ml
grrrls-812.tk
haloest-71.tk
karthus-71.cf
karthus-71.ga
karthus-71.gq
karthus-71.ml
karthus-71.tk
knife-812.cf
knife-812.ga
knife-812.gq
lighter-812.ga
lighter-812.gq
lighter-812.ml
neekos-74.cf
neekos-74.ga
neekos-74.gq
neekos-74.ml
noirs-812.cf
noirs-812.ga
noirs-812.gq
noirs-812.tk
nukes-812.cf
nukes-812.ga
nukes-812.gq
nukes-812.ml
nukes-812.tk
outlak-71.cf
outlak-71.ga
outlak-71.gq
outlak-71.ml
pain-812.cf
pain-812.ga
pain-812.tk
ramen-812.ga
ramen-812.gq
ramen-812.tk
redmi-812.ga
redmi-812.gq
redmi-812.ml
redmi-812.tk
sense-812.cf
sense-812.ga
sense-812.gq
sense-812.ml
sense-812.tk
senses-812.ga
senses-812.gq
senses-812.ml
senses-812.tk
shift-812.cf
shift-812.gq
shift-812.ml
soliare-71.cf
soliare-71.ga
soliare-71.gq
soliare-71.ml
soliare-71.tk
soutma-71.cf
soutma-71.ga
soutma-71.gq
soutma-71.ml
soutma-71.tk
starsbucks-812.cf
starsbucks-812.ga
starsbucks-812.gq
starsbucks-812.ml
starsbucks-812.tk
suit-812.cf
suit-812.ga
suit-812.gq
suit-812.ml
tanta-71.cf
tanta-71.ml
tanta-71.tk
tratot-71.tk
trosl-71.cf
trosl-71.ga
trosl-71.gq
trosl-71.ml
trosl-71.tk
tunacan-812.ga
tunacan-812.ml
tunacan-812.tk

# Reference: https://www.virustotal.com/gui/domain/cureprm.com/relations
# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

/IlOysTgNjFrGtHtEAwVo/index.php
/IlOysTgNjFrGtHtEAwVo/indexx.php

# Reference: https://twitter.com/IpNigh/status/1233838562241589253

/akjajkajdjhdjh395984988487f87f87f87ddjdjdjhjhdjdj49858.php

# Reference: https://www.virustotal.com/gui/domain/suportedigital30hr.ddns.net/relations

/home3e6e.php

# Reference: https://twitter.com/Bitterman59/status/1233487861082677249

/rivkasej325jdew.php

# Reference: https://twitter.com/MalwarePatrol/status/1235220728787750912

/z2xtc6md0ucgi8pmwb86hezq.php

# Reference: https://twitter.com/James_inthe_box/status/1236318055203889158

/kraus6.php

# Reference: https://www.virustotal.com/gui/ip-address/37.72.171.98/relations

/package-delivery/snd_conti-data.php

# Reference: https://twitter.com/VK_Intel/status/983729623367270401

/vitamindisapproval.php

# Reference: https://twitter.com/James_inthe_box/status/1238606200154886144

/upload10.php

# Reference: https://twitter.com/nao_sec/status/1240261158113689601/photo/1

/8WFhndlp4soxNOGim5D2J0cYC9EBLtVyrU6R7ePuwjkMAqagKTv1.php

# Reference: https://www.virustotal.com/gui/domain/tokai-lm.jp/relations

/344sx.php
/98989776.php

# Reference: https://twitter.com/Rmy_Reserve/status/1241301496571953152

/eweerew.php

# Reference: https://twitter.com/MalwarePatrol/status/1241592719576829952

/9epq78sao4h2v1jpywaj2tai.php

# Reference: https://twitter.com/shiftybitshiftr/status/1242559823100559361

/53dd0276af1963ba832464402a418d85.php

# Reference: https://www.virustotal.com/gui/ip-address/216.170.114.99/relations

/b7eb90271b3f54.php

# Reference: https://twitter.com/DynamicAnalysis/status/1245437394473582593
# Reference: https://twitter.com/DynamicAnalysis/status/1247570159939747846
# Reference: https://twitter.com/DynamicAnalysis/status/1247916030183247872
# Reference: https://twitter.com/malware_traffic/status/1332410802641514496

/in2d2d.php
/wp-cran.php
/wp-crun.php
/wp-cryn.php
/wp-punch.php

# Reference: https://www.virustotal.com/gui/domain/webcindario0.dvrdns.org/relations

/tcvh0suizgqonzsegw2p71b1.php

# Reference: https://www.virustotal.com/gui/ip-address/184.168.221.42/relations

/g0t6q3hsierdb43h9rp0gpcf.php
/jog06tlwitnzupwsz7m429hdb8fefdb9c8e9aba0f526dc8176725f94.php

# Reference: https://www.virustotal.com/gui/url/d7a8b43a2ef3439fa640b10dce6da642996535efe01d2c71321748fd803e6e46/detection

/l91opka52wljumjc5spkbhnc.php

# Reference: https://twitter.com/James_inthe_box/status/1248669623848853504

/cachetfmbUXkGerOtP.php
/_cachetfmbUXkGerOtP.php

# Reference: https://www.virustotal.com/gui/ip-address/141.8.194.74/relations

/9ldfcvv539grtjr1krbwrbsf.php

# Reference: https://twitter.com/elgofo/status/1251051263757815808

/ys9kbpsz873wam1qijuofe9e.php

# Reference: https://twitter.com/elgofo/status/1251059765452693506

/twnexzoamsfmi9k3jyi60dg8.php

# Reference: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

/azGovaz.php

# Reference: https://twitter.com/IpNigh/status/1252124774177943555

/11644210b.php

# Reference: https://www.virustotal.com/gui/file/17425e66428e284c2da73f3a7173e4291fb0b2bc76fd6d618921a9f0eb543340/detection

/upload/get.php?UID=
/upload/get-functions.php?UID=
/upload/message.php?UID=

# Reference: https://twitter.com/MalwarePatrol/status/1254714230265319426

/uphdird3igc2q2jhsgm9cez0.php

# Reference: https://twitter.com/IpNigh/status/1255422445047119872

/6ogyock6bqt55br29xz41y4ozt.php

# Reference: https://twitter.com/IpNigh/status/1255370965510479872

/c9t4x6ypwut14ouvps6kszaf.php

# Reference: https://twitter.com/dewan202/status/1255582744110862345
# Reference: https://www.virustotal.com/gui/file/7edacdf35900e722b798dbc891159cf1ede9f6d671a86b0f01f9ef802202aa73/detection
# Reference: https://www.virustotal.com/gui/ip-address/185.77.129.152/relations
# Reference: https://www.virustotal.com/gui/ip-address/93.115.38.132/relations

/jRizyPxmRnO.php
/mskzrpufe.php

# Reference: https://twitter.com/MalwarePatrol/status/1255801447318532096

/0lnzqew8fz6gzds536vlirop27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://pastebin.com/raw/0BrjR63Q

/bxhhylagbbbw.php
/n2t00y42r6.php

# Reference: https://twitter.com/malwrhunterteam/status/1255903574023983108

/trackattachment.php

# Reference: https://twitter.com/malwarefr0gg0z/status/1255573957844983808

/ThreatProvider/bot.php

# Reference: https://twitter.com/JayTHL/status/1256103956717109249

/logiinnnnn.php

# Reference: https://twitter.com/MalwarePatrol/status/1256888609074024448

/cjp06ozeq4j00p66uek5qokp27524e5d5582cfb0ee5b91de81c038c5.php

# Reference: https://twitter.com/malwrhunterteam/status/1257660701428142080

/4ij6qw.php
/FC5pz8.php
/fnojg.php
/jikPcQ.php

# Reference: https://twitter.com/IpNigh/status/1257797957686112257

/rbcgi3m01.php

# Reference: https://twitter.com/MalwarePatrol/status/1258051238924517376

/c65f9sbx5g0nhf74mxfbtort.php

# Reference: https://twitter.com/James_inthe_box/status/1258763270690713600

/0x5xmta6bazciio7llfg0l9e.php

# Reference: https://www.virustotal.com/gui/ip-address/5.9.226.4/relations

/server/das/dastoor.php

# Reference: https://twitter.com/PhishFindR/status/1259381536396369920

/rbcgi3m01.php

# Reference: https://twitter.com/PhishFindR/status/1259381536396369920

/confirmnewboa/login.php

# Reference: https://app.any.run/tasks/17b516fd-2351-4330-8cee-90caac222963/

/xuraca.php

# Reference: https://www.virustotal.com/gui/domain/vanillabean.bounceme.net/relations

/chase.com/fullz/billing.php
/chase.com/fullz/home.php
/chase.com/fullz/homepage.php
/chase.com/fullz/index.php
/chase.com/fullz/index2.php
/chase.com/fullz/index3.php
/chase.com/fullz/login.php
/chase.com/fullz/main.php
/chase.com/fullz/thanks.php
/chase.com/fullz/verify.php

# Reference: https://twitter.com/MalwarePatrol/status/1259636683781308416

/ncceg0dxw8nx6tnf0kdf1r9e.php

# Reference: https://twitter.com/MalwarePatrol/status/1259999082849976320

/6dp6zted83lurftrrxh1b2m5.php

# Reference: https://www.virustotal.com/gui/ip-address/46.21.147.111/relations

/11dniosilnj5b6y6ktrrlfhr.php
/4h925v7vfpulgdhjobci09bk.php
/dda0nwei0akmgjrbhdg7henb.php
/fiyycp4s6ye310a8r6q2zdie.php
/mr7xuen7osh0gjkeuam56bgw.php
/p8g7uxk09yytz1on4g8brq7p.php
/upnqi0usn8ej565w8msy1ui3.php
/vkdw36ry81rtlyq5yq49p5d1.php
/zjcya375wuoz6m9jk7mfim6s.php

# Reference: https://twitter.com/MalwarePatrol/status/1261312724627161088

/ykhao930gaptbm11s0duni86.php

# Reference: https://twitter.com/MalwarePatrol/status/1264060822327832576

/2a79hohpsm1vxuo1d0xuqoer.php

# Reference: https://www.virustotal.com/gui/file/3d3351726f3b5cd848ad58cabcc33c9dcd1c601cc1664f197f10b8b1adf7038b/detection

/qwegweherjhntrj.php

# Reference: https://twitter.com/MalwarePatrol/status/1264211826616786947

/dtsf394vt015wph23m7vxw4m.php

# Reference: https://twitter.com/MalwarePatrol/status/1264287322192871436

/xwlb5u9cbldxslwlfcxsp58k.php

# Reference: https://twitter.com/em1rerdogan/status/1264692980633436166

/xx1.php?user=

# Reference: https://twitter.com/romonlyht/status/1265444577319645184

/5ecdb4896b9f0.php

# Reference: https://twitter.com/MalwarePatrol/status/1266099238364209152

/k5imi5k4pngob7t9gf9phgrk.php

# Reference: https://twitter.com/MalwarePatrol/status/1266673024880836608

/qtc2l6i1lih17a2gfsu9qlpz.php

# Reference: https://twitter.com/MalwarePatrol/status/1266824062136918021

/ygc9ksbfjfy78fzq462kvyti.php

# Reference: https://twitter.com/MalwarePatrol/status/1269723128076386307

/uyg4by5obdovgilq4w9labte.php

# Reference: https://twitter.com/MalwarePatrol/status/1270221471135252480

/x65qn21ms238tz3enpyx1uum.php

# Reference: https://twitter.com/romonlyht/status/1270205743967301632

/5edf094170e13.php

# Reference: https://twitter.com/romonlyht/status/1273407575858442240

/5eeaae813aa67.php

# Reference: https://twitter.com/James_inthe_box/status/1273983069435789316

/9646f89fe77fb3.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1270997007180730368
# Reference: https://app.any.run/tasks/4dede486-355d-4e84-874c-d9318532db23/

/3e454986f0a072.php

# Reference: https://twitter.com/MalwarePatrol/status/1272471337903087616

/jh1evx1mbeeq2scfw051bo5p.php

# Reference: https://twitter.com/OttoScav/status/1272937840301813763

/omuscreativos.php

# Reference: https://twitter.com/MalwarePatrol/status/1273347106015674368

/em7fic0xazghxn8pg88lf9p1.php

# Reference: https://twitter.com/reecdeep/status/1273576796735377408

/ppos8.php

# Reference: https://twitter.com/abuse_ch/status/1275526243404972034
# Reference: https://bazaar.abuse.ch/sample/921138bc2b28d01a51e6673c6e61ba3237592d08875180e0b3749d8e47fdfd6d/

/tds.php?omz=

# Reference: http://benkow.cc/export.php

/admin---------.php

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

/desjardinsin.php
/nerr34.php
/ondetverifier.php

# Reference: https://twitter.com/killamjr/status/1280564058739990528

/ecnxg8w7d5suuciz4w1jv057.php

# Reference: https://www.virusradar.com/en/Win32_TrojanClicker.Clidak.A/description
# Reference: https://www.virustotal.com/gui/file/980ef75a800eba45c7cb64b4c1bcc61a3b0cdf92854c24dbf1ea0f3fe4cad944/detection
# Reference: https://www.virustotal.com/gui/ip-address/65.254.51.42/relations

/~pete19c/r.php

# Reference: https://twitter.com/Bl4ng3l/status/1283853966795780097

/niM4t1A9c4q.php

# Reference: https://twitter.com/jcarndt/status/1283799735065862144

/KFm63QEU7ArF.php

# Reference: https://www.virustotal.com/gui/file/d72133df3fee1d91fcab0adb532459b6c0044e7f8b4ca542fa3f6ae470b42be1/detection

/5c2eab368ebd00202fc7b56bb4a46f1ee67acd8e.php

# Reference: https://www.virustotal.com/gui/file/dacce09fd5829213606cef3f45d5bc43d4522183e54422eb4a5c7a404c69a6c2/detection

/bdeefbc5c36a0b584fa7c5330e493a7d22b741af.php

# Reference: https://www.virustotal.com/gui/file/44f3eb01406921d5605933abce49e5fe04cfe6a73f3fcb7380dc99765043ea2a/detection

/1dc5e926948fd82a85e7c085e0bf0c6db31969f3.php

# Reference: https://www.virustotal.com/gui/file/4bf6ec0d9ab95d7d7d4e1e7453a83ed731c9188fbe6d007834025f00791cdcb9/detection

/64d631e36c839e2964fcdc671f84e96bc9dcd7ca.php

# Reference: https://www.virustotal.com/gui/file/9fabd7b98f8972850549231d2ac2762ec1cad3ef8fdf3cb994d14c9c3ad17ba5/detection

/156b2b990971b28b12393cd82884a7d3.php

# Reference: https://www.virustotal.com/gui/file/0130797c1baa9ac6709693d7e357cd37cf4bfb48fe9bfaede723674bec4cde85/detection

/84a7d5fcbbe9a0cdcf1357c70cf326bed852c7ee.php

# Reference: https://www.virustotal.com/gui/file/41dcb2cb400c656826db00e368c5ddc4d254d69d5d9ab0cd6a63fd68bba2fb5f/detection

/901212b6cc3a718fd6012ed1ff31c04663ffeb8b.php

# Reference: https://www.virustotal.com/gui/file/b9024622a0e5c982db8b533e6c3a736d65d5c02bf01b4ff15d3fd770f4632443/detection

/86872acabed89173a9b729bb81eca3ab802559ca.php

# Reference: https://twitter.com/ANeilan/status/1291891899872301058

/animauxpinterest.xyz.php
/christmascookie.club.php
/christmascookie.xyz.php
/crochetscarf.xyz.php
/fkcement.xyz.php
/fkveternikviskol.xyz.php
/francepinterest.xyz.php
/frauenfrisuren.xyz.php
/gwangsanfc.xyz.php
/happytiere.xyz.php
/hausschuhestricken.club.php
/hausschuhestricken.xyz.php
/lksnadwislangora.xyz.php
/pinlab.xyz.php
/pinterest-yonlendirme.php
/pinterestdessert.club.php
/pinterestdeutschland.com.php
/pinterestdressing.club.php
/pinterestfashion.club.php
/pinterestfrance.xyz.php
/pinteresthairstyle.club.php
/pinteresttoptrends.club.php
/pinteresttrendstyle.online.php
/pinterestworld.xyz.php
/pinterestworldstyle.club.php
/pinterestworldtrend.club.php
/pinzoom.xyz.php
/strickenmodellen.xyz.php
/strickenschal.xyz.php
/tejer.xyz.php
/womanclub.xyz.php
/womanstyle.xyz.php

# Reference: https://twitter.com/MalwarePatrol/status/1293927664651317248

/buhib3i0r6dss6ar46e115s8.php

# Reference: https://twitter.com/MalwarePatrol/status/1294863800932487171

/wdpi76b16t6sl74ihdvkhlmx.php

# Reference: https://twitter.com/MalwarePatrol/status/1297038049134739456

/pjxgz4xbrlkw03ke7s91s4kx.php

# Reference: https://twitter.com/MalwarePatrol/status/1298125211934621703

/sxwrgoja78tufkckzfa3crgb.php

# Reference: https://twitter.com/MalwarePatrol/status/1300526033804894210

/wwyu1has496nieeoza8rhs22.php

# Reference: https://twitter.com/MalwarePatrol/status/1300812922835230720

/47kh3qv7uwl2qqwjew5hpbge.php

# Reference: https://twitter.com/MalwarePatrol/status/1300888418449268741

/jhj2bp54nql29m5rsrwsh4rb.php

# Reference: https://twitter.com/MalwarePatrol/status/1301613194415427584

/6lmwtif3htomluuo6wt3lrp2.php

# Reference: https://twitter.com/MalwarePatrol/status/1301975584252334080

/7n9zahad80idagj19vqtpurq.php

# Reference: https://twitter.com/MalwarePatrol/status/1302337970284965889

/p8omduqtiw8wojo4kimlp7p8.php

# Reference: https://twitter.com/MalwarePatrol/status/1303787522485563392

/4fnsez9i81l6mb42m2aw25jp.php

# Reference: https://twitter.com/MalwarePatrol/status/1325666690638680064

/ovj2lwziaeel3l2k5xuyzvbr.php

# Reference: https://twitter.com/jstrosch/status/1301718677419700224

/djqnonxwrv.php
/ezkwdjrwog.php
/smhcbhcdrm.php
/tjzyawxylv.php

# Reference: https://www.virustotal.com/gui/file/51060b4e21864f229b5945b24d66cb29c727641c36639de395ebc4c83b0860a9/relations

/aoluouscutao.php
/bapedoalrag.php
/bowevuyfjx.php
/budpugovuje.php
/dimaetepunagaji.php
/dkopezitecea.php
/duiifyts.php
/duwuypy.php
/eleqikbagkyoxu.php
/fujolnodes.php
/govepuc.php
/iodevbokyqki.php
/jekizeleiso.php
/khvopo.php
/luboduj.php
/mjojylefayh.php
/mufydoutvotug.php
/nyzapftutes.php
/offatoisejub.php
/omuzxby.php
/otzyyduzhyvob.php
/owusuedutipomib.php
/oziiolohordor.php
/pittiryc.php
/puxuecmu.php
/udjovezna.php
/uearapus.php
/uejoreyuip.php
/uelytohufojuyr.php
/ufipeqib.php
/ugpug.php
/uouhubeequsybyb.php
/uruhu.php
/uvzipaoluuu.php
/vpobacuy.php
/vyivelbv.php
/wivpyouqemuv.php
/xojabgovykou.php
/yjozpegovyhaa.php
/yufesoryzvepice.php
/yxopkufu.php
/zetamblareu.php
/zomlevyzui.php
/zoofavegup.php

# Reference: https://twitter.com/illegalFawn/status/1309542440995614720
# Reference: https://twitter.com/illegalFawn/status/1310518625573507072
# Reference: https://twitter.com/illegalFawn/status/1310947357534687232
# Reference: https://twitter.com/illegalFawn/status/1310972332404617216
# Reference: https://twitter.com/illegalFawn/status/1310959162822725638

/awagrncglvr.php
/aywjtcan.php
/beycdawf.php
/btdzdz.php
/bupvudvhjuo.php
/ernbfpsawct.php
/hqjdjnxn.php
/ijuljytf.php
/jgizmh.php
/jkdxpgwv.php
/kqqtedo.php
/liyqfa.php
/ljwvjup.php
/lsrmrt.php
/mmvvbg.php
/msayqpkvkyq.php
/mwmkajlpgg.php
/nevnal.php
/pursue.php
/pxglcxop.php
/rlcwhmlykz.php
/sdhrhg.php
/vopisiyx.php
/yblhzstgysf.php
/yymclv.php
/zpsxxla.php
/zxlbw.php

# Reference: https://twitter.com/KorbenD_Intel/status/1314251628959076353

/orMkdppaG1PQ0WgF.php

# Reference: https://twitter.com/JCyberSec_/status/1314208821368115202

/ixdxctmg5umaskdjtbnapfly.php

# Reference: https://twitter.com/MalwarePatrol/status/1315383937389277184

/v0k7mrdjuncsoof64kayjzal.php

# Reference: https://twitter.com/MalwarePatrol/status/1315519829948891136

/fhx2mavv4mmh750l4gv8kf9a.php

# Reference: https://twitter.com/MalwarePatrol/status/1315670825744424960

/j8kp4r7yuzfs5dzmnzhn10z1.php

# Reference: https://twitter.com/MalwarePatrol/status/1315746322478247942

/a9q4uvjm9qy5gdoafj26snhi.php

# Reference: https://twitter.com/MalwarePatrol/status/1316320102728585217

/457uizv6aeh7f2grvhxo8651.php

# Reference: https://twitter.com/MalwarePatrol/status/1316682492259299328

/7gtsw9a6qg5dqxkeibh8u8vf.php

# Reference: https://cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/
# Reference: https://twitter.com/david_jursa/status/1318209187667714048

/mbl/2/ads.php
/mbl/2/change.php

# Reference: https://twitter.com/ffforward/status/1318868941821890569

/948493733774474746484738.php

# Reference: https://twitter.com/MalwarePatrol/status/1319657089267126274

/z08xniim0s5gnpxf2v0gu6hy.php

# Reference: https://twitter.com/MalwarePatrol/status/1322269303891263489

/u0mie8r79j3degt9tspqremw.php

# Reference: https://twitter.com/MalwarePatrol/status/1322556193076846592

/oprl3w53zz6gdprwsc4sl1ms.php

# Reference: https://twitter.com/MalwarePatrol/status/1323643357948715013

/6k555a3cpy5e2p4wlfy03b9a.php

# Reference: https://twitter.com/JCyberSec_/status/1325847530354184192

/7ihwqy7vhvly2nxe89hzgjo5.php

# Reference: https://www.virustotal.com/gui/file/cf1927ab098bdaace7eabc39ae410f39e47433a993ef602eb59dee5923bef042/detection

/uniq_traff.php

# Reference: https://ideone.com/CYMY4

/110786663424.php
/facebookinvisibledetector.php
/installht7.php

# Reference: https://twitter.com/malwaretracekr/status/1320367958485430275

/wowadto/job/wov-vellssz.php
/wov-vellssz.php

# Reference: https://twitter.com/jstrosch/status/1321681398139363333

/A7Ks0s6.php
/BAoLS9C.php
/Yv1pteWscript.php

# Reference: https://www.virustotal.com/gui/file/f1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b/detection
# Reference: https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/

/salem123.php
/salem123aas.php
/admin/config.php?password%5B0%5D=Inje3t0r3-Seraj

# Reference: https://twitter.com/abel1ma/status/1324477543001415680

/f.php#～

# Reference: https://www.virustotal.com/gui/file/33a7196538a17da13cc67b31162c14d0f3f473816b98f75f01709eda2b1464a7/detection

/power.php?getserver=

# Reference: https://app.any.run/tasks/97a9483e-5c62-46e2-9b78-fefd1dff32de/

/4b1cea4932c6b7.php

# Reference: https://gist.github.com/silence-is-best/bb68598afd9713235d9b11eeaf79ff52

/0cec3a12c251a5.php
/9c5fbf42bfe4ed.php
/e07ad886e055fb.php

# Reference: https://twitter.com/wwp96/status/1329243657556422658

/4q63b64z.php
/akidrfkemm.php
/amsettings.php
/bxujmzcluo.php
/demavohzgx.php
/dtxjocpkzg.php
/eihrqlvkmg.php
/koagnypcfr.php
/kwtnkxjalf.php
/mlsowmfrtk.php
/mwkttspbvj.php
/porjgiiksy.php
/ppjzoqvurh.php
/qtukgysibc.php
/teuqkrtldt.php
/tlpcugqfxj.php
/txqbiwppkd.php
/umsbhzotrc.php
/uyahdfhplr.php
/vhudmigwpw.php
/vjdzrelpvi.php
/wxmjntvjhi.php
/xhjoqlp8.php
/ydyauuhcji.php
/yleyzabdli.php
/ymnsyebskq.php

# Reference: https://twitter.com/ShadowChasing1/status/1329247256122322944

/getCommand?guid=

# Reference: https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/

/caflexactive.php
/post.php?file=download

# Reference: https://twitter.com/malwrhunterteam/status/1331888599231565825

/o365server.php

# Reference: https://twitter.com/linecon0/status/1268862151214710787

/112254.php

# Reference: https://twitter.com/neutrify/status/1332235055469649920

/blvcksn0vv.php
/xxx.php?user=

# Reference: https://www.virustotal.com/gui/file/b858e24eac464afd49d6bf782557f946b03e5e97431a1987b09b0203b5636c97/detection

/Conumer1PirloS2S.php

# Reference: https://twitter.com/malwrhunterteam/status/1309044455018725381
# Reference: https://twitter.com/MaelSecurity/status/1333312479129202688

/PayPal_Desktop.php

# Reference: https://twitter.com/malwrhunterteam/status/1333499691674329093

/avgaxrtjzt.php
/vnrlvvxwej.php

# Reference: https://www.virustotal.com/gui/domain/auroratd.cf/relations

/orMkdppaG1PQ0WgF.php

# Reference: https://www.virustotal.com/gui/file/a82a8fe9efbbaa4453be26645debe4a6e6077725171a982b90ed0a04bd6fb6ba/detection

/logsgate.php

# Reference: https://twitter.com/MalwarePatrol/status/1334228104995352578

/8suu7672mgcg1ws7n4222vpj.php

# Reference: https://twitter.com/ActorExpose/status/1338198557925519361

/ebtrj24mbq57ev5at3iupvjv.php

# Reference: https://twitter.com/MalwarePatrol/status/1367054402947866626

/143ipc5dm5nnvyu0737okk35ra.php

# Reference: https://twitter.com/neonprimetime/status/1335995482632581121

/merrybe/post.php

# Reference: https://twitter.com/ffforward/status/1335965749681250314

/75dfbfe5ddf77b.php

# Reference: https://twitter.com/MalwarePatrol/status/1336402429240373248

/5er0zed1j5xkqcmwupaqm6oy.php

# Reference: https://twitter.com/wwp96/status/1336830110050160640

/0f2005ac2d520c.php

# Reference: https://www.virustotal.com/gui/file/cd508affafb2152aa3511774518e1a4a150eb68f62d65208b0d477e83d0306a2/detection

/aaf0cc48f53372.php

# Reference: https://www.virustotal.com/gui/file/21c51bed18906fb1c167adb68146e2765d7a901f19f59029f3e58218b3ac1c37/detection

/e66d5b2b0b484d.php

# Reference: https://twitter.com/wwp96/status/1337109603151122432

/2520721a19a52c.php

# Reference: https://twitter.com/ffforward/status/1338190571249291264

/usd73h1szzz.php

# Reference: https://twitter.com/wwp96/status/1338510510736683009

/4a6f007e85f3e3.php

# Reference: https://twitter.com/wwp96/status/1339011510480351232

/04f1a6b86f59a0.php

# Reference: https://twitter.com/slayersecurity/status/1115635967875014656

/out-292242810.ps1
/out-1584466740.ps1

# Reference: https://twitter.com/slayersecurity/status/1115902366686031878

/spid.ps1

# Reference: https://twitter.com/x42x5a/status/1116272110912065536

/out-113489727.ps1
/out-734087850.ps1
/out-1137236610.ps1

# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf

/keylogger.ps1
/keylogger1.ps1

# Reference: https://twitter.com/malwrhunterteam/status/1118768633377955840

/bs.ps1
/indiapro.ps1

# Reference: https://krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt

/abc.ps1
/sc.ps1

# Reference: https://securelist.com/muddywaters-arsenal/90659/

/km.ps1

# Reference: https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/

/ICAS.ps1

# Reference: https://twitter.com/VK_Intel/status/1093001266974916608

/dnipu.ps1

# Reference: https://twitter.com/blackorbird/status/1125308108773871617

/ipconfig.ps1

# Reference: https://otx.alienvault.com/pulse/5cd154f0905e39830df5e5f5

/ms17-010.ps1

# Reference: https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

/msinp.ps1

# Reference: https://twitter.com/DissectMalware/status/1126384963497205762

/bros.ps1
/out-1215218964.ps1
/out-1717054512.ps1
/out-1552287668.ps1
/papa.ps1
/youngest.ps1

# Reference: https://twitter.com/sudosev/status/1126552059334070272

/Invoke-Mimikatz.ps1

# Reference: https://twitter.com/James_inthe_box/status/1131556358732443650

/out-821986920.ps1

# Reference: https://www.virustotal.com/gui/domain/checkerrors.ug/relations

/payload.ps1
/payload2.ps1

# Reference: https://twitter.com/HONKONE_K/status/1133205335877885952

/coki.ps1
/gc.ps1
/java1.ps1
/ky.ps1

# Reference: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

/msctx.ps1

# Reference: https://twitter.com/reecdeep/status/1136581953770205185

/5WD3emSKcJoLcaDjAUCFj7.ps1

# Reference: https://twitter.com/p5yb34m/status/1138143258498949122

/PayAdvice.ps1
/remit.ps1
/remittance.ps1

# Reference: https://twitter.com/HONKONE_K/status/1139364022296272896

/done1.ps1
/done2.ps1
/putty.ps1
/x10.ps1
/x11.ps1
/x12.ps1
/xvid1.ps1
/xvid2.ps1

# Reference: https://twitter.com/h4ckak/status/1144173749056315392

/shell.ps1

# Reference: https://twitter.com/FewAtoms/status/1144636921437655041

/GetPass.ps1
/payload.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1149574068435218432

/pps.ps1

# Reference: https://twitter.com/James_inthe_box/status/1150418960464039936

/ppx.ps1

# Reference: https://twitter.com/ViriBack/status/1150758731371749377

/qwerty.ps1
/qwertyj1.ps1

# Reference: https://twitter.com/James_inthe_box/status/1059087094612602881

/posh80.ps1
/posh443.ps1
/samref448.ps1

# Reference: https://twitter.com/James_inthe_box/status/1154398293524271104

/out-1624020870.ps1

# Reference: https://twitter.com/James_inthe_box/status/1148692646942015488
# Reference: https://twitter.com/DynamicAnalysis/status/1162208563982241793

/ACHPaymentAdvice.ps1
/AMEXACHCREDITREF080819.ps1
/AMEXPMTREF.ps1
/CHASEACHPMT.ps1
/PMTREFCHS191508.ps1
/PaymentAdvice.ps1
/PaymentCopy.ps1
/PaymentDetails0348.ps1
/PaymentRef.ps1
/Remittance.ps1
/RemittanceAdvice.ps1
/RemittanceDetails.ps1
/SupplierRemittanceDetails.ps1
/WFACHPMT.ps1


# Reference: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
# Reference: https://www.virustotal.com/gui/ip-address/67.229.97.229/relations

/d2.ps1

# Reference: https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html
# Reference: https://otx.alienvault.com/pulse/5d655ebc59a1b06f8c097c1f

/6HqJB0SPQqbFbHJD/init.ps1

# Reference: https://twitter.com/ItsReallyNick/status/1166889941844074496

/abc.ps1
/sc.ps1

# Reference: https://twitter.com/killamjr/status/1167453693194752000

/paymentinfo.ps1
/PaymentDts.ps1
/SecureTransDts.ps1

# Reference: https://twitter.com/FewAtoms/status/1171076098244919297

/out-1934240370.ps1

# Reference: https://twitter.com/killamjr/status/1171849775911772165

/remittance.ps1

# Reference: https://www.bleepingcomputer.com/news/security/new-tortoiseshell-group-hacks-11-it-providers-to-reach-their-customers/

/get-logon-history.ps1

# Reference: https://twitter.com/VirITeXplorer/status/1181128795337773057

/run.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1192451935225438209

/asdg.ps1

# Reference: https://twitter.com/0xFrost/status/1111247631223791617

/Standoff8900.ps1

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/23-10-19/analysis.md

/snphhuatvsbkw.ps1
/sopiiubuvsclwukz.ps1

# Reference: https://twitter.com/FewAtoms/status/1198574338036969474

/ShellCode.ps1

# Reference: https://app.any.run/tasks/717442d5-db0b-46b5-a0e9-5c3578471edd/

/meow.ps1

# Reference: https://twitter.com/cyber__sloth/status/1202274774342406144

/out-2028772214.ps1

# Reference: https://twitter.com/notajungman/status/1203034991858466817

/amexdata.ps1

# Reference: https://www.virustotal.com/gui/domain/worldwidetechsecurity.com/relations

/securetransmission.ps1

# Reference: https://twitter.com/DynamicAnalysis/status/1205555781095108608

/payment_advice.ps1

# Reference: https://twitter.com/malware_traffic/status/1216882597789360134

/hcxUr9dg.ps1

# Reference: https://twitter.com/Malwaredev/status/1219914293426212864

/cnotmij.ps1

# Reference: https://twitter.com/Racco42/status/1221707041615630336

/swift.ps1

# Reference: https://www.virustotal.com/gui/ip-address/104.168.248.36/relations

/out-1513314073.ps1

# Reference: https://twitter.com/DynamicAnalysis/status/1231999794035535875

/po.ps1

# Reference: https://pastebin.com/uveiJed9
# Reference: https://www.virustotal.com/gui/domain/gm-adv.com/relations

/dhl%20invoice.ps1
/dhlinvoice.ps1
/dhl_invoice.ps1
/order.ps1
/quotation.ps1
/remit.ps1
/sec.ps1

# Reference: https://twitter.com/c_APT_ure/status/1235231442906603520/photo/1
# Reference: https://www.virustotal.com/gui/domain/umeed.app/relations

/hk.ps1
/quote.ps1

# Reference: https://twitter.com/KorbenD_Intel/status/1238102354320166912

/Miao.ps1

# Reference: https://www.virustotal.com/gui/domain/crypterfile.com/relations

/crypt.ps1

# Reference: https://twitter.com/reecdeep/status/1272464515544776704

/Sheet.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1275338252531249152

/crimea.ps1

# Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704

/leess1982.ps1

# Reference: https://twitter.com/BlackonIntel/status/1276166654980956161

/keda.ps1
/pikachu.ps1
/pikachu616.ps1
/pikachu616_5556.ps1
/pikachu6165556.ps1
/pikachu_7777.ps1

# Reference: https://twitter.com/ANeilan/status/1292939552085233664

/Update-KB4524147.ps1

# Reference: https://www.virustotal.com/gui/file/724ce0d8ca978f9bb9004c2252fb51b44f96c87721d68582ec67268cbd8f13a5/detection

/jupyter.ps1

# Reference: https://www.virustotal.com/gui/file/d4d438925fb775a4a599abd3054b036a95f12b4dc9f29d4d1506a985b2c23934/detection

/B1P244.ps1

# Reference: https://twitter.com/InQuest/status/1326258921833684992

/e3c43e9531f8b75fe88abc724bb2cace.ps1

# Reference: https://twitter.com/wwp96/status/1328082526582214658

/in3.ps1
/in6.ps1
/info3.ps1
/info6.ps1
/ma3.ps1
/ma6.ps1
/mate3.ps1
/mate6.ps1
/ze3.ps1
/ze6.ps1
/zero3.ps1
/zero6.ps1

# Reference: https://www.virustotal.com/gui/domain/xmr.givemexyz.in/relations

/kkwx.ps1

# Reference: https://twitter.com/jorgemieres/status/1333417189005799424

/powershell.ps1

# Reference: https://twitter.com/wwp96/status/1331067128150102016

/file.ps1

# Reference: https://twitter.com/InQuest/status/1335991964525858817

/xpn.ps1

# Reference: https://twitter.com/JCyberSec_/status/1339868346540552194

/aaa/fullz/post.php
/aaa/office/post.php
/aaa/post.php
/fullz/post.php

# Reference: https://www.virustotal.com/gui/file/e30d400146e380b77b094a9ac761bf84620325f7759a3c3f06201197f4225cb9/detection

/0921a86ec36dc8.php

# Reference: https://www.virustotal.com/gui/file/8d1fd0a9544e74bfec387ed16ade3f9ec6b334476f0ef0e984420b4923c8f624/detection

/25692ea80cd968.php

# Reference: https://twitter.com/James_inthe_box/status/1349360887186874371

/eea5c8636b504d.php

# Reference: https://www.virustotal.com/gui/file/50c7c0dce8af82cf62d98e6d8ea3de29bc70969e6614f59c785f2d07c9c7b37b/detection

/zc1/wpasp3.asp

# Reference: https://twitter.com/MalwarePatrol/status/1341324864867749889

/69pkoqft8pem61075l0fbdu7.php

# Reference: https://twitter.com/MBThreatIntel/status/1341894084315607042

/uoppg.swf

# Reference: https://blog.sucuri.net/2020/05/wordpress-malware-collects-sensitive-woocommerce-data.html

/5ea331c1744115ea331c17441f.php
/5eba1a04b47c4.php
/5eba1a04b47c41.php

# Reference: https://twitter.com/r3dbU7z/status/1344547651564539904

/mine.ps1

# Reference: https://twitter.com/neonprimetime/status/1346176402148765705

/picture_library/goon.js

# Reference: https://twitter.com/malwrhunterteam/status/1346038126263865345
# Reference: https://www.virustotal.com/gui/file/9d09788543b16ee59c469199cb0ef78891d8c66981169f0a6720fda8d4eeff9a/detection

/rat/contact/uploader.php

# Reference: https://www.virustotal.com/gui/file/bef03e00e79bdced1eccb00458216f34c8e47274b08f044ac0186882ffadd0bc/detection

/mack/post.php?type=

# Reference: https://www.virustotal.com/gui/file/8bbd83f12f7804f61406c18fe7d6636a339bb165e641297d1f6cf9233adb5060/behavior/C2AE

/p2p_v4/psp.php

# Reference: https://twitter.com/unmaskparasites/status/1349202063100502016

premcloa.shop

# Reference: https://twitter.com/MalwarePatrol/status/1350022176049680386

/tliomxaltla03oxusghg2pn4.php

# Reference: https://twitter.com/MalwarePatrol/status/1350233568841183240

/orglsgr4a00bcchevqhnaryg.php

# Reference: https://twitter.com/MalwarePatrol/status/1366767513355321350

/zfbe56fluk0eim07iptk4pge.php

# Reference: https://twitter.com/r3dbU7z/status/1351651516806033415

/1.ps1
/AA.ps1
/BB.ps1
/Invoke-CustomKatz.ps1
/Invoke-Mimikatz.ps1
/powercat.ps1
/shell.hta
/shell.ps1
/shell.vba
/shell.vbs
/shellcode.hta
/shellcode.ps1
/shellcode.vba
/shellcode.vbs

# Reference: https://twitter.com/FewAtoms/status/1352324221964320768

/aX51N8ewqGs.php

# Reference: https://app.any.run/tasks/806f2c56-309b-4dac-877b-0af4b9080db0/

/1210776429.php

# Reference: https://app.any.run/tasks/a6789a42-f9eb-45be-a2e6-a0d939ba28fd/

/9d051d446f2aa6.php

# Reference: https://twitter.com/James_inthe_box/status/1313832984303157250
# Reference: https://app.any.run/tasks/5ddfb57a-bc6b-42bb-a042-f906e5a2cabb/
# Reference: https://www.virustotal.com/gui/file/bc7900c1440c578c0dc0de73889755bbbf9e43026d8beafe83dbdc5d76dd6a62/detection

/337aea9edeb1f9.php
/bc4514100d55a6.php

# Reference: https://twitter.com/ps66uk/status/1354382482230149122

/rh1swa.php

# Reference: https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff-obfuscation-telegram-communications.html
# Reference: https://otx.alienvault.com/pulse/6011bf6e6167f335ba6e7bbb/

/11644210b.php
/F004f19441/sms1.php

# Reference: https://twitter.com/malwrhunterteam/status/1355168209360605184

/donkeydick.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1357260178635243520
# Reference: https://app.any.run/tasks/a2fe9cdb-7af6-44e5-99ca-d924c96d2b72/

/9bc55352dda4bb.php

# Reference: https://twitter.com/r3dbU7z/status/1357647150008717312

/Bill_inv002198.js

# Reference: https://twitter.com/MalwarePatrol/status/1358070205633724418

/567jcn03tc9zp0iay52xijs9.php

# Reference: https://twitter.com/bad_packets/status/1358910664060723202

/xms.ps1

# Reference: https://twitter.com/r3dbU7z/status/1358998466735833088

/keylogger.py
/packetsniffer.py
/portscanner.py
/ransom.py
/spreader.py
/a11.py
/adl.py
/fJ5.py
/g9o.py
/hMQ.py
/hms.py
/i31.py
/j06.py
/jc0.py
/k4D.py
/rJz.py
/ufb.py
/y3m.py
/zpj.py

# Reference: https://www.virustotal.com/gui/file/4ad6418af82212c7719ed7a12a23597dfaf6f5606c3bd3bc4e513820aa13ea63/detection

/wp01/wp-includes/po.php
/wp02/wp-includes/po.php
/wp03/wp-includes/po.php
/wp04/wp-includes/po.php
/wp05/wp-includes/po.php
/wp06/wp-includes/po.php
/wp07/wp-includes/po.php
/wp08/wp-includes/po.php
/wp09/wp-includes/po.php

# Reference: https://twitter.com/JCyberSec_/status/1359115107213664259

/0453000.php
/009808989.php
/324455.php
/8897.php
/09908.js
/434.js

# Reference: https://twitter.com/JCyberSec_/status/1359439467447222272

/3063qmv20ngebpacbqy4q9vlro.php

# Reference: https://twitter.com/MalwarePatrol/status/1359731149719887873

/9p3qzns4rk57fvxw9xuwb4df.php

# Reference: https://twitter.com/MalwarePatrol/status/1359806647871434752

/t958p8ba8votwhkwdd8v9wa5.php

# Reference: https://twitter.com/MalwarePatrol/status/1360320028013428739

/7rzkoe5rrcfaniubcme1sxh6.php

# Reference: https://twitter.com/MalwarePatrol/status/1360380429371641860

/tpgcteic2wyk8j12lg0rg3tq.php

# Reference: https://twitter.com/MalwarePatrol/status/1360682417678397443

/4w49ylbq2uay3r9ho9d0m1jx.php

# Reference: https://twitter.com/unmaskparasites/status/1359639196911104001
# Reference: https://www.virustotal.com/gui/domain/51la.adcef.com/detection

51la.adcef.com

# Reference: https://twitter.com/JCyberSec_/status/1360159197002883073

/w_client_id_4d5aac59-3e25-4e7d-9331-78bf74b323ec_redirect_u.php

# Reference: https://twitter.com/unmaskparasites/status/1361814973983322114

statclick.net

# Reference: https://twitter.com/MBThreatIntel/status/1361815657440894976

namfortrust.xyz
win-admin.xyz
win-admin-center365.xyz

# Reference: https://twitter.com/h2jazi/status/1363683531067715584
# Reference: http://hackdig.com/02/hack-280699.htm
# Reference: https://app.any.run/tasks/b88e935c-b17a-4429-acdc-65156804ad1c/

/12345678.hta
/PdDOnR.hta
/testper.hta

# Reference: https://twitter.com/JCyberSec_/status/1364196643453734913

/woyptizlcq76mjcyjbb955pk.php

# Reference: https://twitter.com/MalwarePatrol/status/1364804580085743616

/si1bidg6p7xw30yfhl5lm5zg.php

# Reference: https://twitter.com/MalwarePatrol/status/1365166968635015172

/0xrvo9o1pq295qxp887b5ch0.php

# Reference: https://twitter.com/MalwarePatrol/status/1365317962580844546

/8532ykw0jtkewkdoitoyfgnr.php

# Reference: https://twitter.com/MalwarePatrol/status/1365891744173326336

/qgx8xrabmj1ijzk6qy5sen9n.php

# Reference: https://twitter.com/wwp96/status/1364811015112826883

/13233-878.js
/545665656.js

# Reference: https://twitter.com/malwrhunterteam/status/1365613904487976963

/fcm/mc/tapp.php

# Reference: https://twitter.com/wato_dn/status/1366259334955499524
# Reference: https://tria.ge/210301-7z5cpr6z82/behavioral1

/643307c3d81193.php

# Reference: https://www.virustotal.com/gui/file/528c696de7b59c6dd12beda7b650a25c5b0d3b55884bcf0b37380b639b5065d6/detection

/000000.php

# Reference: https://twitter.com/wwp96/status/1366485090340077572

/HGFGHGFH.php

# Reference: https://twitter.com/r3dbU7z/status/1366886386985545728

/flood.bat
/flood.hta
/flood.js
/flood.php
/flood.ps1
/flood.py
/flood.sh
/pyddos.py

# Reference: https://twitter.com/InQuest/status/1367241459225747464

/obfuscated.bat
/obfuscated.hta
/obfuscated.js
/obfuscated.php
/obfuscated.ps1
/obfuscated.py
/obfuscated.sh

# Reference: https://twitter.com/JCyberSec_/status/1367752994700296195

/file_soffice365/index.php

# Reference: https://twitter.com/MalwarePatrol/status/1368141566251053056

/6iaxro1pbufjlk6eshn7v7iira.php

# Reference: https://twitter.com/MalwarePatrol/status/1368503956532588545

/q4nts35hclwu08ydsp63kei7ra.php

# Reference: https://twitter.com/MalwarePatrol/status/1368866343668359169

/wd0ykjlrqq22j17unubmfg4wra.php

# Reference: https://twitter.com/MalwarePatrol/status/1369304228347469834

/wdvgzd6z53atzv80c044h5xr.php

# Reference: https://twitter.com/MalwarePatrol/status/1369666615541956609

/2guxysk0ia47bxh2jzqx931k.php
/Weusour123!/

# Reference: https://www.virustotal.com/gui/file/68529af30403ffc66192445c3d2cace2f72df0ccbaefa9b5a25935ce8b42d4ae/detection

/flex.php?hwid=

# Reference: https://www.virustotal.com/gui/file/13345f418c210dee561872a5e21dc53b9f5a752110aca661647ac444ac4fa2cf/detection

/bot.php?connect

# Reference: https://twitter.com/r3dbU7z/status/1368893677658124290

/fsag4.ps1
/Get-Content.ps1
/ready.ps1

# Reference: https://twitter.com/jstrosch/status/1369460970720989189

/dxlgwwfmze.html
/mnfvchznvz.html
/bxvsogzyre.php
/hzjuwplrcp.php
/mfvsgjyraa.php
/srzrbowcso.php
/yallews.php

# Reference: https://twitter.com/MalwarePatrol/status/1369953508238168065

/ffekwwfqyb06k804u1phgkcjra.php

# Reference: https://twitter.com/JCyberSec_/status/1372127327853903874

/stsx2hzd6mczfb1d0cy0jlg9.php

# Reference: https://twitter.com/r3dbU7z/status/1370839780678848514

/l.cmd
/lol.cmd
/lol_china.cmd
/lol.ps1
/lol2.ps1
/lol3.ps1
/w.cmd

# Reference: https://twitter.com/Dr_N0b0dyh/status/1367802254800084993

/7bdbdeb3137bf5.php

# Reference: https://twitter.com/peterkruse/status/1371753665355202564

/8900077.php
/9099x.php

# Reference: https://www.virustotal.com/gui/domain/ahmedadel.work/relations

ahmedadel.work

# Reference: https://www.virustotal.com/gui/file/6919611d3b398a6b8aad6ee43f8f0166dbbe866cd9f1d4a25eb5d7e1c5771eda/detection

/A2336411-46c8-4f83-96b6-294966496d652.js

# Reference: https://twitter.com/JCyberSec_/status/1372206087496212486

/81hcea474dhj7feqt9iyqz51.php
/xh3rllhzt8cqxhc0lcb7mbye.php

# Reference: https://twitter.com/MalwarePatrol/status/1372414725028511744

/2wkzljmkp4bbxqubflol9iuk.php

# Reference: https://twitter.com/MalwarePatrol/status/1372777117595824131

/jl8rikblhsw1sw0778yzk36o.php

# Reference: https://twitter.com/MalwarePatrol/status/1373290496559300613

/mk806y617xypn6d4z2j3x5t3.php

# Reference: https://twitter.com/MalwarePatrol/status/1373365992164839426

/ikd1234je4cfvh3tb9vf4yp1.php
/obv12000/cmn4/

# Reference: https://twitter.com/MalwarePatrol/status/1373501887346044933

/x32j8krv3d7zj6mgddry36l5.php

# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf

/Invoke-SocksProxy.psm1

# Reference: https://www.virustotal.com/gui/file/627a14984f64f3774b0dda21f2f2d8e2b412beb8c42897d0a0e3e4f65c3e73bd/detection

/fucku.php
/fuckyou.php

# Reference: https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/

/mini-reverse.ps1

# Reference: https://twitter.com/z0ul_/status/1375469461713600512

d27qdop2sa027t.cloudfront.net

# Reference: https://twitter.com/MalwarePatrol/status/1376400990728032256

/dwc8a33vh2eaqefp2nfbs511.php

# Reference: https://twitter.com/Circuitous__/status/1377767299709550593
# Reference: https://pastebin.com/9U57CHZn

/gfdbvgfgggh.php
/ijkbfumnbvc.php

# Reference: https://twitter.com/MalwarePatrol/status/1378439421599580165

/h7090pcjq8q2xzx3ci1aq4ad.php

# Reference: https://www.group-ib.com/blog/rats_nigeria

/ava.hta
/oyii.hta

# Reference: https://twitter.com/ps66uk/status/1379408490960130048
# Reference: https://app.any.run/tasks/6abf3b2c-9e92-4f76-81d5-06898cfb3f3e/

/e1bdf31053a154.php

# Reference: https://twitter.com/InQuest/status/1379458364887986176

/8P3V78L4u.php

# Reference: https://twitter.com/ps66uk/status/1379467933932519436

/33b44fe4fae0b0.php

# Reference: https://tria.ge/210407-akdmy3ldv6

/3dbea0f5d87dcc.php

# Reference: https://twitter.com/r3dbU7z/status/1381517028817825795
# Reference: https://www.virustotal.com/gui/url/026ec2ee22c5b8a04806a13701238e971565cd80d9ca10a0be85c80f4222fa9e/details

/payload3.ps1
/payload4.ps1
/payload5.ps1
/payload6.ps1
/payload7.ps1
/payload8.ps1
/payload9.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1381987802938769409

/3cuxoaskux3q0bywimjkyvez.php

# Reference: https://twitter.com/r3dbU7z/status/1382237585586724867

/theone.ps1
/theoneFUD2.ps1

# Reference: https://twitter.com/58_158_177_102/status/1382254845659291650
# Reference: https://tria.ge/210414-aqahkvar82/behavioral2

/887d2c240852a4.php

# Reference: https://www.virustotal.com/gui/ip-address/96.45.180.73/relations

/beacon.ps1

# Reference: https://twitter.com/wato_dn/status/1382553067170635779

/YKgOy11r.php

# Reference: https://twitter.com/MalwarePatrol/status/1383437363402067968

/gzddd0opl2e08ze4yv7av58m.php

# Reference: https://twitter.com/MalwarePatrol/status/1384373522181599234

/3gvjdn0xhl3qk3191douym8b.php

# Reference: https://twitter.com/MalwarePatrol/status/1386185463262846983

/i5whs7vo7eacn7is5xqqr8n5.php

# Reference: https://twitter.com/MalwarePatrol/status/1386547850545410050

/0s2jblrpnt7n31k24jz81u56.php

# Reference: https://twitter.com/MalwarePatrol/status/1387635013471117312

/v6pywfv5ldc5l39j8lpva5o0.php

# Reference: https://twitter.com/MalwarePatrol/status/1390171728584839175

/gc5dxi0jayumpytlwniae4g1.php

# Reference: https://twitter.com/reecdeep/status/1384844628478898181
# Reference: https://app.any.run/tasks/d5ae94e7-f656-455c-a039-9ebf7f8ac9e5/

/50b35103666b5c.php

# Reference: https://twitter.com/ShadowChasing1/status/1382869518830039041
# Reference: https://twitter.com/ShadowChasing1/status/1382869522965667840
# Reference: https://www.virustotal.com/gui/file/813c8b8b43be5a928a5cd841bea08d7d5453ab8a1196e3c81abd7a144027247b/detection
# Reference: https://www.virustotal.com/gui/file/a140a4e60c699dcf110678fca8cfd259660d21c428256898a65f9d3f196b8c13/detection

/Rumpwltop.php

# Reference: https://twitter.com/wwp96/status/1385599004294135815
# Reference: https://app.any.run/tasks/3612bf52-bf05-4b8a-bf1f-14314a89f50c/

/0Vw3HoA.php
/9v0PVEF.php
/BfwhQsS.php
/CR7sTdk.php
/EmbtJ0Q.php
/GErg6Juscript.php
/HXg53mR.php
/I6pAfnc.php
/Ju8BXdy.php
/N0yq3xz.php
/NbnGdvUscript.php
/azrcmnltdt.php
/byeSlhE.php
/cHCTjbL.php
/cankviuhag.php
/cycqodnata.php
/egodokcnyi.php
/ekdolrisek.php
/fO9RzJC.php
/faghrgwmpd.php
/fjwmmcyqux.php
/g3wC826.php
/gVfmOdN.php
/hSqWuOr.php
/haagjweayl.php
/iQ39jUH.php
/ixliwszrfm.php
/kexiusxkht.php
/l5rwiO0script.php
/legzkktzsb.php
/mxQsPYL.php
/o045Yn9.php
/oE6k32I.php
/qpjmMGoscript.php
/s9dOK5.php
/tvwtmbzxgz.php
/twiprlcpkv.php
/u6MnC9x.php
/v7S6F3rscript.php
/vtkblqpdhs.php
/vwltssqysa.php
/wIb0VuG.php
/xxtbmlngdy.php
/ydlST42.php
/zJarPL3script.php
/zbbupptyol.php

# Reference: https://twitter.com/unmaskparasites/status/1387205583665647618

monster.newaff.monster
s3.amazonaws.com/cgc-badge-v2/common.js
s3.amazonaws.com/cgc-badge-v2/load.min.js
sieglowfingoachap.ga
/cgc-badge-v2/common.js
/cgc-badge-v2/load.min.js
/cgc-badge-v2/

# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt

/Cm1WxCm/index.php
/Cx1WxC1cC/index.php
/ssllxxssll/bp/index.php

# Reference: https://twitter.com/xuy1202/status/1387414908199866369

/6034003x100.js

# Reference: https://twitter.com/ShadowChasing1/status/1387602989033017346

/HBankers_Latest.hta

# Reference: https://www.virustotal.com/gui/file/a8d4bfcf4a966ac593f31cf8fe82b8f133034066859acb8bb54fc19577b35d14/detection
# Reference: https://github.com/stamparm/maltrail/pull/16278/commits/59ae491e0c6aa664c82ac0c3be8129ee7756ba4f

/avBypass.php

# Reference: https://github.com/hardenedlinux/hardenedlinux-zeek-script/blob/master/scripts/frameworks/intel/OSINT/CYBERCRiME-03-03-19.txt

/bmfoaqdzhuclgqgreudq9.php
/dump_grabber.php
/hf3yh4687df.php
/staaaaaats.php

# Reference: https://www.virustotal.com/gui/file/a49f23aac652d63d1529338a12b3ba424d0b4eab637af8ffa7d9e557fb441a37/detection

/mfbjhth8g4sfmssfgeq/dkhd94kz.php
/dkhd94kz.php

# Reference: https://twitter.com/josh_larsen/status/1388892152680288262

xn--80ak6aa92e.com
g1thubassets.com

# Reference: https://twitter.com/James_inthe_box/status/1389238006398164997
# Reference: https://twitter.com/James_inthe_box/status/1390361000155639812

/0CdHOfB6.php
/0YLkHHgkr5e5GkS.php
/AQlZNLOYLB.php
/Cyry48Yoz8z6.php
/FF006npc0jeMf6.php
/GHT1XGSWJ.php
/KdKg0tl6lF5F3Fa.php
/KR4c0Bk3vlQpI.php
/OoIF23ZyfjmfI8.php
/Q8i4tw3Hw2oWo6V.php
/Rg8lDv4cJXWWaz.php
/S0kpWspb.php
/XKBRBS0vQa.php
/acDQfS5Xw7.php
/bhM6o0If.php
/goD5dPTcC.php
/i2zz9YbX54.php
/i5an1VBykIH.php
/mQ8HReIBcDnSG.php
/o5ATDDB7Ib8FbHT.php
/qtJJKheJ4uX1p.php
/r4brQXPL3tc6OZ.php
/rQn6mD3r.php
/t0vy3Ks7CM8QR.php
/uSryOO1m8EGzN.php
/x7eS3Bkgfiv7sN.php
/xOykYWEbDK4zqD.php
/xZ7MnwtJIAkN5hy.php
/zDz0PTXDToNLA.php

# Reference: https://twitter.com/MaelSecurity/status/1388976425504497669
# Reference: https://twitter.com/MaelSecurity/status/1388977826431438851
# Reference: https://www.virustotal.com/gui/ip-address/139.45.197.236/relations

1phads.com
abbronzongor.com
abdurantom.com
agavanilliteom.com
amarceusan.com
ammankeyan.com
atmetagrossan.com
becuboneor.com
bejolteonor.com
beludicolor.com
beonixom.com
betnoctowlor.com
betshucklean.com
billionstarads.com
blatwalm.com
buylnk.com
cobalten.com
constintptr.com
couptoug.net
dolohen.com
domankeyan.com
done.witchcraftcash.com
dooloust.net
ducmissy.com
dupelipperan.com
dutorterraom.com
eefoathy.com
eikegolehem.com
glixaing.com
go.deliverymodo.com
go.mobtrks.com
go.oclaserver.com
grimsaiy.com
hemtatch.net
hothoomu.net
ichimaip.net
inhonedgean.com
itroggenrolaa.com
jewhouca.net
jomtingi.net
kikoosso.net
louchees.net
luxlnk.com
mobpushup.com
my.rtmark.net
offalakazaman.com
ofgogoatan.com
omareeper.com
onclkds.com
onsolrockon.com
onstunkyr.com
opgolan.com
oufauthy.net
ousseghu.net
overgalladean.com
ozongees.com
pheghoug.net
phooreew.net
poosoahe.com
prestoris.com
ravaquinal.com
riluaneth.com
shunguts.com
storylnk.com
stremanp.com
survey2you.com
takelnk.com
tozoruaon.com
unelekidan.com
unrotomon.com
upshroomishtor.com
uselnk.com
vexacion.com
vigraghe.net
whihauve.net
whowhipi.net
wonderlandads.com
ww2.ceesty.com
ww2.clkmein.com
ww2.corneey.com
ww2.destyy.com
ww2.festyy.com
ww2.gestyy.com
ww2.sh.st
yttompthree.com

# Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676

/0b03976abf4fd3.php

# Reference: https://twitter.com/MalwarePatrol/status/1389522450145218561

/6widk071or85ab5fx3n9i0kdra.php

# Reference: https://unit42.paloaltonetworks.com/proactive-detector/

/ghose123354/next.php

# Reference: https://twitter.com/ESETresearch/status/1390263927859208193
# Reference: https://twitter.com/ESETresearch/status/1390263930833063938

/LOADER_AQUI.php

# Reference: https://twitter.com/James_inthe_box/status/1390672589102534668
# Reference: https://twitter.com/James_inthe_box/status/1390679565685563396

/qxEJ4XFyEF.php

# Reference: https://www.virustotal.com/gui/file/14e7fdec6624ba60bfee6bf686060db46ad0052075664935fe69be63fb3ab467/detection

/za3ma_za3ma.php

# Reference: https://www.virustotal.com/gui/file/1be388f74d98754a616ec3265cf9dc7cf94383759fc0ed88eeff1267ad4efa16/detection

/zxcvb.ps1

# Reference: https://twitter.com/JCyberSec_/status/1392113003512963074

/siteanalyze_6015663.js
/js/siteanalyze_6015663.js

# Reference: https://lukeleal.com/research/posts/lolzilla-php-js-skimmer/

/hu345bhuufd73fsdy8w4.php

# Reference: https://twitter.com/Circuitous__/status/1392136823963590659
# Reference: https://www.virustotal.com/gui/file/f075b72d185a2ed404361268d3c4e3ed6d8aef0ebbcf179c5b3384bd2c012791/detection
# Reference: https://www.virustotal.com/gui/file/95f36b06a9ef5bdf1301634ff67e49d51643e747c9be8ade616e26328c10ca02/detection

/1WiStiiT.php
/3RKTmgwCIosO1Q.php
/5QvWk6qm.php
/7q0Vreh38laGy9.php
/Agk5yxu6D3SEW.php
/EHEtRsJyIPR6o75.php
/HShRYdMy.php
/ITmEihJkT.php
/MGggfHzY0QH0Cp3.php
/OMqNCOuk.php
/SFMm6Qoe.php
/VsMQ4PexH.php
/Z1Oeq1XQhEC.php
/ZkIMh91mDLu9z7.php
/e1KqWCgL.php
/njNvuZ7MIDRL.php
/paEAehZhSWNmH.php
/vUYhCCeCNKQoEk.php

# Reference: https://twitter.com/MalwarePatrol/status/1392346056550199296

/OneDrive_adrut0x/encrypted.php

# Reference: https://twitter.com/MalwarePatrol/status/1394384488092901379

/1vhwk2eubzz6huxmknyw6jcm.php

# Reference: https://twitter.com/gorimpthon/status/1394600529469210624
# Reference: https://tria.ge/210518-hpxbx989hs

/70e30b90838689.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1394905859696873473

/d867u9ltcpuk9k1jsusztdvsro.php

# Reference: https://twitter.com/MalwarePatrol/status/1395033768801587202

/rhtzf7qb3rsr8xgyrue6ypno.php

# Reference: https://malware.love/malware_analysis/reverse_engineering/2021/05/19/unknown-python-stealer.html

/6846546874968946.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1399689971401900036

/d3808c7188cb55.php

# Reference: https://www.virustotal.com/gui/ip-address/8.141.54.214/relations

/AVpayload.ps1

# Reference: https://twitter.com/xuy1202/status/1396059012794224643

/EvilObject.class
/EvilObject.cmd
/EvilObject.hta
/EvilObject.ps1

# Reference: https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
# Reference: https://otx.alienvault.com/pulse/60b8a178a6e813e88be3181b

/ldr.ps1

# Reference: https://otx.alienvault.com/indicator/file/f49dc180e970ce41abe518e00e76012885d21ce201a3fdb30c4cc274b47c3bec
# Reference: https://www.virustotal.com/gui/file/79bbdb8009278ba629dae626b86f4447a81333ef9535e2a9341d5728571e4ae1/detection

/addInstallImpression.php?key=

# Reference: https://www.virustotal.com/gui/file/e61627d4179e36ec097c97cc14b83dbb8de8f5a206d72044fbee5ab8323a133f/detection

/dontrun.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1401405755174105088

/ndbsia13n1bps81zxf5qegzm.php

# Reference: https://twitter.com/MalwarePatrol/status/1401481253023633412

/sut4xvvkcxivtmuocw2ppvbj.php

# Reference: https://twitter.com/malwrhunterteam/status/1402528954263670784

/qwqdanchun.sct

# Reference: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
# Reference: https://otx.alienvault.com/pulse/60be1d277d109b2b37060c4c

/4fa00001c720b30002987d983e62d5e1.jpg
/4fa00001c720b30102987d980e62d5e4.php

# Reference: https://blogs.jpcert.or.jp/en/2021/06/php_malware.html
# Reference: https://otx.alienvault.com/pulse/60be0d9402505f73cefc4c6d

http://144.76.47.168
http://178.63.30.186
http://178.63.30.30
http://5.9.146.0
http://5.9.235.245
http://5.9.34.13

# Reference: https://twitter.com/MalwarePatrol/status/1403293192464879618

/e1kkuv16c0txdc1c00cxpo6j.php

# Reference: https://twitter.com/r3dbU7z/status/1403399105142009864

/AV-K.cmd
/AV-K.ps1

# Reference: https://twitter.com/MalwarePatrol/status/1403580083999281152

/OneDrive_adrut0x/encrypted.php

# Reference: https://www.virustotal.com/gui/file/4c6240772603eff2d1c58bb948a8eb5afa24619d5ea2c715e8d80839a432e8c6/detection

/300.ps1

# Reference: https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
# Reference: https://otx.alienvault.com/pulse/60cb37bf5fe8246bb2556969

/CVDWwr42525.php

# Reference: https://twitter.com/MalwarePatrol/status/1406116795052867584

/y5eukec7amu2npvdxbclwdsz.php

# Reference: https://twitter.com/malwrhunterteam/status/1405894315474313224

/ceshi.ps1

# Reference: https://twitter.com/JAMESWT_MHT/status/1406867629982294020

/qc2kwkwacmyu4hmxdqj51797.php

# Reference: https://twitter.com/MalwarePatrol/status/1408215627312082950

/cne82jyx15erri76gbffh16z.php

# Reference: https://www.virustotal.com/gui/file/f5380da161d45e09115bf0eb392b979db161ec710294352e5cf10d78469aa5a9/detection

/track/bot.php

# Reference: https://twitter.com/rootprivilege/status/1410430545373323264

/UVPd5nFADk90KioqvL82.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1410592639968104459

/indxkic2b4aqygzuoqfnibjtphewu23b8ebjkf5um6n0qn6pq97sfdtwjokt2cu3tm3gj8inpebw2gf46u64.php

# Reference: https://twitter.com/banxen/status/1375292245906087937
# Reference: https://www.zscaler.com/blogs/security-research/low-volume-multi-stage-attack-leveraging-azureedge-and-shopify-cdns

officechairatwork.com/wp-content/plugins/yith-woocommerce-order-tracking/assets/js/ywot.js
global.asazure.windows.net
atlant18.azureedge.net
compos17.azureedge.net
compos20.azureedge.net
doc-web1.azureedge.net
metrica2.azureedge.net
string.azureedge.net
theme.azureedge.net
web-google.azureedge.net

# Reference: https://twitter.com/KesaGataMe0/status/1410874602021023745

/smbcupdatebill.php

# Reference: https://twitter.com/1ZRR4H/status/1408252818272751621

/HR13I5MD0ASC5J.php

# Reference: https://www.virustotal.com/gui/domain/7naturalessences.com/relations

7naturalessences.com

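# Generic (path-only indicators listed without a per-entry reference)
# Note: short, common names in this group (e.g. /gate.php) can also occur on benign sites; corroborate a hit with other evidence before treating it as confirmed.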

/js/altmanluggage.js
/js/aureliaskincare.js
/js/bluerooster.js
/js/bvibe.js
/js/caremax.js
/js/craftalley.js
/js/curediva.js
/js/deluxecomfort.js
/js/deroosbv.js
/js/dragonkayak.js
/js/gopestfree.js
/js/hello1010.js
/js/herbsnpuja.js
/js/horusrc.js
/js/indiamags.js
/js/justbuttons.js
/js/kitchenstuff.js
/js/labohemecafe.js
/js/lavignery.js
/js/mitoq.js
/js/mototorque.js
/js/notinshops.js
/js/probanners.js
/js/ramybrook.js
/js/rss_pt.js
/js/siamflorist.js
/js/simplygems.js
/js/singerstore.js
/js/sparxxrx.js
/js/storageshedsoutlet.js
/js/themotley.js
/js/thesingularbathroom.js
/js/totaram.js
/js/tradeplumbing.js
/js/ussi.js
/js/vladofootwear.js
/js/wallerbmx.js
/myrrem.hta
/out-1334992907.hta
/out-1347051899.hta
/out-849945592.hta
/7328-dating-verification-card.php
/canadiane-compte.php
/ccgate.php
/dating-verification-card.php
/evreigate.php
/fcc-authenticazione.php
/gate.php
/gate01.php
/gate1.php
/gate16.php
/gate2.php
/gate.get
/gating.php
/gatw.php
/gate.phpgate.php
/online-dating-verification-card.php
/ravufgate.php
/screenshot_gate.php
/tgate.php
/testgate.php
/uadmin/adm.php
/verification-card.php
/1drvme/
