Keyword: URL
its installation routine: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main TabProcGrowth = "0" HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\URL SystemMgr = "Del
browser helper objects (BHOs). BHOs are commonly used by adware. With this, users may experience unwanted pop-up advertisements and URL redirections. This backdoor executes commands from a remote malicious
possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: fife hobo Other Details This Trojan
to the following non-malicious URL to download updates: update.gamma-international.de:6666 It may display the following interface: Constructor.Win32.Fisy.b (Kaspersky) Dropped by other malware,
}\AppData\Roaming on Windows Vista and 7.) NOTES: It connects to the URL to report status and to receive data. It is capable of brute forcing Windows logon users via a list of passwords from the
Server 2008, and Windows Server 2012.) NOTES: It connects to the following URL to download data related to GeoIP: https://www.{BLOCKED}d.com/en/locate-my-ip-address The downloaded data should not contain any
server safe_mode status web host URL web host server address remote user server address Stolen Information This backdoor sends the data it gathers to the following email addresses via SMTP: {BLOCKED
), Windows Server 2008, and Windows Server 2012.) NOTES: It appends pdf=FUQiFYcM to the URL to download the decoy PDF. JS/Nemucod.h (McAfee), Troj/JSDldr-BW (Sophos), Trojan-Downloader.JS.Agent.hhi
{Server}/r Other Details This Backdoor does the following: This backdoor checks for the connection to the following URL to choose which C2 server to send and receive information: http://{BLOCKED}.{BLOCKED
following: Connects to the following URL for coinmining activities: bit.p{BLOCKED}.com Format of the executed command -v {algorithm} -o {CnC} -u {username} -p {password} -t {number of CPU threads}
String2 any of the following filename of the files found on %User Temp% It attempts to connect to an unknown malicious site. However, URL is not specified. (Note: %User Temp% is the current user's Temp
Copy files and directories Move a directory or a file Create a new directory Change timestamps of a file or directory Download a file from a URL Execute a process and capture its output Connect to a SQL
\ Search Assistant DefaultSearchURL = "http://www.{BLOCKED}l.co.uk/index.php?page=search/web&search=" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes URL = "http://www.{BLOCKED
remote URL where a copy of the worm may be downloaded. It may also post similar content to Facebook wall. In order to accomplish its malicious routines, it downloads a configuration file from any of the
\ WorkgroupCrawler\Shares shared = "\New Folder.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes URL = "{random characters}" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
websites to download files: http://www.pta.gov.pk/index.php - non-malicious URL Note: The malware repeatedly connects to this URL to perform its DDoS attack. It saves the files it downloads using the
CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DLL lnk LNK url URL ttf TTF DECRYPT.txt It avoids encrypting files with the following strings in their file path: $RECYCLE.BIN rsa NTDETECT.COM ntldr
Microsoft Support site, it does look like a legitimate Microsoft site, only the URL is not. The PC Support site fronts a Virus Removal Malware Support page wherein visitors are guided through a step-by-step
designed to steal information from users. ZBOT variants typically access a URL from which they retrieve a configuration file containing the list of websites they will monitor and steal information from. Some reports