1768.py

bosny.com

borgelin.org

jquery.com

gmail.com

yandex.ru

outlook.com

dropmail.me

joeware.net

find.bat

1.msi

regsvr32.exe

1768.py

svchost.exe

uomcgbxygce.exe

c:\programdata\1.dll

c:\windows\system32\lsass.exe

c:\windows\system32\kernelbase.dll

c:\windows\system32\kernel32.dll

adfind.exe

ad_users.txt

ad_ous.txt

subnets.txt

servers.txt

dir.exe

min.js

%windir%\\sysnative\\dllhost.exe

info_1805.xls

attack.exe

runsuite.log

32.exe

32.dll

xx.cpp

72a589da586844d7f0818ce684948eea

acd3d4e8f63f52eaf57467a76ca2389d

c96b2b5b52ef0013b841d136ddab0f49

e984f812689ec7af136a151a19b2d56c

066c972d2129d0e167d371a0abfcf03b

d1aef4e37a548a43a95d44bd2f8c0afc

4a42b5e7e7fd43ddefc856f45bb95d97656ddca6

22cc2bc032ae327de9f975e9122b692e4474ac15

88591ad3806c0a1e451c744d4942e99e9a5d2ff7

e598b9700e13f2cb1c30c6d9230152ed5716a6d6e25db702576fefeb6638005e

5a5c601ede80d53e87e9ccb16b3b46f704e63ec7807e51f37929f65266158f4c

2b2e00ed89ce6898b9e58168488e72869f8e09f98fecb052143e15e98e5da9df

76bfb4a73dc0d3f382d3877a83ce62b50828f713744659bb21c30569d368caf8

b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682

103.41.204.169

103.56.149.105

104.248.225.227

116.124.128.206

134.122.119.23

159.69.237.188

178.62.112.199

188.225.32.231

194.9.172.107

195.77.239.39

202.134.4.210

202.29.239.162

207.148.81.119

217.182.143.207

37.44.244.177

45.71.195.104

51.68.141.164

54.37.228.122

54.38.242.185

62.171.178.147

68.183.91.111

78.46.73.125

85.214.67.203

87.106.97.83

93.104.209.107

T1059.006

T1055.001

T1059.001

T1550.002

T1087.002

T1204.002

T1055

T1055.003

T1082

T1135

T1003.001

T1566

http://praachichemfood.com/wp-content/mwmos/","..\hvxda.ocx

https://bosny.com/aspnet_client/rnmp0ofr/","..\hvxda.ocx

http://borgelin.org/belzebub/okwrwz1c/","..\hvxda.ocx

https://lopespublicidade.com/cgi-bin/e5r5og4ieaqnxqrzdh

http://seasidesolutions.com/cgi-bin/wloo6sezycj3ltlc

http://loa-hk.com/wp-content/ffbag

https://103.133.214.242:8080

https://103.41.204.169:8080

https://103.42.58.120:7080

https://103.56.149.105:8080

https://103.8.26.17:8080

https://104.248.225.227:8080

https://110.235.83.107:7080

https://116.124.128.206:8080

https://134.122.119.23

https://139.196.72.155:8080

https://175.126.176.79

https://178.62.112.199

https://185.148.168.220

https://188.225.32.231

https://190.90.233.66

https://194.9.172.107:8080

https://195.77.239.39

https://196.44.98.190

https://202.134.4.210

https://202.28.34.99

https://202.29.239.162

https://207.148.81.119

https://210.57.209.142

https://217.182.143.207

https://37.44.244.177

https://37.59.209.141

https://45.71.195.104:8080

https://51.68.141.164:8080

https://54.37.228.122

https://54.38.143.246:7080

https://59.148.253.194

https://66.42.57.149

https://68.183.91.111:8080

https://78.46.73.125

https://85.214.67.203

https://85.25.120.45

https://87.106.97.83

https://88.217.172.165

https://93.104.209.107

http://59.95.98.204:8080/jquery-3.3.1.min.js

import "pe"

rule UOmCgbXygCe_14335 {
	meta:
		description = "UOmCgbXygCe.exe"
		author = "The DFIR Report"
		reference = "https://thedfirreport.com"
		date = "2022-09-12"
		hash1 = "f4c085ef1ba7e78a17a9185e4d5e06163fe0e39b6b0dc3088b4c1ed11c0d726b"
	strings:
		$s1 = "runsuite.log" ascii fullword
		$s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s3 = "f73.exe" ascii fullword
		$s4 = "Processing test line %ld %s leaked %d" ascii fullword
		$s5 = "Internal error: xmlSchemaTypeFixup, complex type '%s': the <simpleContent><restriction> is missing a <simpleType> child, but was"
		$s6 = "The target namespace of the included/redefined schema '%s' has to be absent or the same as the including/redefining schema's tar"
		$s7 = "The target namespace of the included/redefined schema '%s' has to be absent, since the including/redefining schema has no target"
		$s8 = "A <simpleType> is expected among the children of <restriction>, if <simpleContent> is used and the base type '%s' is a complex t"
		$s9 = "there is at least one entity reference in the node-tree currently being validated. Processing of entities with this XML Schema p"
		$s10 = "## %s test suite for Schemas version %s" ascii fullword
		$s11 = "Internal error: %s, " ascii fullword
		$s12 = "If <simpleContent> and <restriction> is used, the base type must be a simple type or a complex type with mixed content and parti"
		$s13 = "For a string to be a valid default, the type definition must be a simple type or a complex type with simple content or mixed con"
		$s14 = "For a string to be a valid default, the type definition must be a simple type or a complex type with mixed content and a particl"
		$s15 = "Could not open the log file, running in verbose mode" ascii fullword
		$s16 = "not validating will not read content for PE entity %s" ascii fullword
		$s17 = "Skipping import of schema located at '%s' for the namespace '%s', since this namespace was already imported with the schema loca"
		$s18 = "(annotation?, (simpleContent | complexContent | ((group | all | choice | sequence)?, ((attribute | attributeGroup)*, anyAttribut"
		$s19 = "get namespace" ascii fullword
		$s20 = "instance %s fails to parse" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 7000KB and (pe.imphash() == "bcf185f1308ffd9e4249849d206d9d0c" and pe.exports("xmlEscapeFormatString") or 12 of them)
}

import "pe"

rule cobalt_strike_14435_dll_1 {
	meta:
		description = "1.dll"
		author = "The DFIR Report"
		reference = "https://thedfirreport.com"
		date = "2022-09-12"
		hash1 = "1b9c9e4ed6dab822b36e3716b1e8f046e92546554dff9bdbd18c822e18ab226b"
	strings:
		$s1 = "curity><requestedPrivileges><requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel></requeste"
		$s2 = "CDNS Project.dll" ascii fullword
		$s3 = "hemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware></windowsSettings></application></assembly>" ascii fullword
		$s4 = "Hostname to lookup:" wide fullword
		$s5 = "Hostnames:" wide fullword
		$s6 = "wOshV- D3\" [email protected] \\" ascii fullword
		$s7 = "T4jk{zrvG#@KRO* d'z" ascii fullword
		$s8 = "CDNS Project Version 1.0" wide fullword
		$s9 = "zK$%S.cPO>rtW" ascii fullword
		$s10 = "vOsh.HSDiXRI" ascii fullword
		$s11 = "l4p.oZewOsh7zP" ascii fullword
		$s12 = "5p2o.ewOsh7H" ascii fullword
		$s13 = "h7H.DiX" ascii fullword
		$s14 = "l4pWo.ewOsh[H%DiXRI" ascii fullword
		$s15 = "rEWS).lpp~o" ascii fullword
		$s16 = ",m}_lOG" ascii fullword
		$s17 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3"
		$s18 = "vileges></security></trustInfo><application xmlns=\"urn:schemas-microsoft-com:asm.v3\"><windowsSettings><dpiAware xmlns=\"http:/"
		$s19 = "tn9- 2" ascii fullword
		$s20 = "PDiXRI7" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 8000KB and (pe.imphash() == "d1aef4e37a548a43a95d44bd2f8c0afc" or 8 of them)
}

rule find_bat_14335 {
	meta:
		description = "Find.bat using AdFind"
		author = "The DFIR Report"
		reference = "https://thedfirreport.com"
		date = "2022-09-12"
		hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
	strings:
		$x1 = "find.exe" ascii wide nocase
		$s1 = "objectcategory" ascii wide nocase
		$s2 = "person" ascii wide nocase
		$s3 = "computer" ascii wide nocase
		$s4 = "organizationalUnit" ascii wide nocase
		$s5 = "trustdmp" ascii wide nocase
	condition:
		filesize < 1000 and 1 of ($x*) and 4 of ($s*)
}

rule p_bat_14335 {
	meta:
		description = "Finding bat files that is used for enumeration"
		author = "The DFIR Report"
		reference = "https://thedfirreport.com"
		date = "2022-09-12"
	strings:
		$a1 = "for /f %%i in" ascii wide nocase
		$a2 = "do ping %%i" ascii wide nocase
		$a3 = "-n 1 >>" ascii wide nocase
		$a4 = "res.txt" ascii wide nocase
	condition:
		filesize < 2000KB and all of ($a*)
}