SHARE
TWEET

Tick Group

a guest Jun 24th, 2019 265 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ANALYSIS-IN-DEPTH
  2. ‚ÄĘ Tick Group of Korean Companies
  3. 'USB Usage Attack Technique' in-depth analysis
  4. ASEC REPORT Vol.95 | Security Trend
  5. There is a group of threats that have been steadily attacking since 2008 to the second quarter of 2019. Aka 'Tick'
  6. The group, which is called the group, has been in full-fledged domestic activity since 2014. These are the defense industry
  7. Including defense and political organizations, security, IT and electronics industries.
  8. I have.
  9. In addition, the Tick (Tick) group grasps the security vulnerabilities of attack targets in advance,
  10. It is known to have. Especially, the attack of Tickusb
  11. , It can infect a secure USB flash drive (USB memory) that is in use by an enterprise and propagate the malicious code
  12. As a result, the domestic IT environment and infrastructure are already considerable.
  13. .
  14. In this report, we aim at major domestic corporations and corporations and use USB flash drive to get information
  15. Tick ‚Äč‚ÄčAttack Taking centering on actual attack cases of group AhnLab Security
  16. The correlation of the Tickusb malicious code analyzed by the Emergency-response Center (ASEC)
  17. Law and so on.
  18. 20
  19. Domestic companies
  20.  
  21. Tick ‚Äč‚ÄčGroup 'USB Usage
  22. Attack technique 'in-depth analysis
  23. Detailed analysis of malicious code
  24. Analysis-In-Depth
  25. ASEC REPORT Vol.95 | Security Trend 21
  26. 1. Tickusb Attack Trends
  27. 'Tickusb' is a tick attack group that uses USB flash drives to leak confidential information of domestic companies.
  28. Malicious code was created for the purpose of detecting malicious code from spring 2014 to November 2017. [Figure 2-1]
  29. Tickusb malicious code used by tick attack group. Some variations of Tickusb
  30. It exists as a dock file, but it is mostly composed of DLL file and EXE file.
  31. Figure 2-1 | Tickusb whole relationship diagram
  32. When a malicious DLL file is run, it creates a log file in a specific path and checks for a USB flash drive connection
  33. All. If your system has a USB flash drive connected, run a malicious EXE file and download additional files
  34. It is also said. Malicious EXE files perform slightly different functions depending on the variation,
  35. Collect information about the files in the drive. Some variants modulate the EXE file in the USB flash drive.
  36. After connecting the USB flash drive with the final modified EXE file to another system,
  37. When run, the computer is also infected with Tickusb.
  38. [Figure 2-2] is a timeline showing the change of Tickusb malicious code.
  39. ASEC REPORT Vol.95 | Security Trend 22
  40. Figure 2-2 | Tickusb Timeline
  41. The initial version is supposed to be made before 2014, and the 2014 version with the file name cryptbase.dll
  42. The brother appears. In September 2014, a variant was created that modifies an EXE file in a USB flash drive.
  43. All. In 2015, a variant of the DLL and EXE files will be created, and at the beginning of June 2015,
  44. I used a tool to patch malicious files on my system and load malicious DLLs. 2016
  45. From October to November 2017, change the filename of the malicious DLL to wincrypt.dll.
  46. [Table 2-1] summarizes major attacks using Tickusb in chronological order.
  47. When to Discover File Contents
  48. 2014.3? .Exe September 2012 production estimate. In 2018, Unit 42 released its analysis for the first time and other Tickusb
  49. Estimated to be an early version of Tickusb with significantly different variants and code.
  50. 2015.4 CRYPTBASE.dll December 2014 Production Estimate. DLL single type.
  51. System information and USB Flash Drive file information collection.
  52. 2015.6 BrStMonW.exe, BrWeb.dll, wsmt.exe
  53. Modify the BrStMonW.exe file associated with the Brother printer and load the BrWeb.dll file.
  54. Download the msupdata.exe file.
  55. My EXE file tampering with USB Flash Drive and ALYAC25.exe file patch.
  56. 2015.6 CRYPTBASE.dll, svcmgr.exe February 2015 Production Estimate. Check for a specific secure USB connection. My EXE file in USB Flash Drive
  57. Modulation and patches the ALYAC25.exe file.
  58. 2015.7? .Dll (Unidentified), ctfmon.exe Estimated production in September 2014. USB Flash Drive ALYAC25.exe with my EXE file tampering
  59. File patch.
  60. 2015.7 CRYPTBASE.dll, svcmgr.exe (uncertain) November 2014 production estimates.
  61. 2016.10 Wincrypt.dll, wsmt.exe (Uncertified) -
  62. 2017.01 Wincrypt.dll, wsmt.exe (Uncertified) -
  63. 2017.11 Wincrypt.dll DLL single type.
  64. Table 2-1 | Major attacks using Tickusb
  65. ASEC REPORT Vol.95 | Security Trend 23
  66. Tickusb's dropper was discovered in March 2014. The build date of the malicious code generated is 2012
  67. It is probable that it has been active since 2014, due to the fact that it is a monthly one. This variant is different
  68. The Tickusb variant is different from the code and is estimated to be an early version of Tickusb.
  69. In April 2015, a variant of Tickusb, Cryptbase.dll, was discovered. Unlike other Tickusb variants, DLL
  70. It is a file-only type. Windows has the same export function as the normal CRYPTBASE.dll file
  71. And the file path found is% ProgramFiles% \ common files \ java \ java update \ cryptbase.dll
  72. to be. It is assumed that the Java related program is loaded when it is executed.
  73. The attack that occurred on June 1, 2015 found a variant consisting of a DLL file and an EXE file. attacker
  74. Patches the Brother printer driver file BrSrMonW.exe and executes the corresponding file
  75. I have loaded BrWeb.dll, a malicious DLL file. EXE file contains EXE from USB flash drive
  76. The ability to find and modify files has been added. In addition, other than Tickusb malicious code
  77. Secure unlock win.exe which acts as a dropper and asp server which acts as downloader.
  78. A bisodown deformation and a ghostdown deformation were further found.
  79. In October 2016, a variant of Tickusb, wincrypt.dll (16572393021beea366679e80cc78610c)
  80. A variant with the same filename was discovered by November 2017.
  81. 2. Malicious code analysis
  82. Tickusb Malware related dropper, downloader, etc. have been found, but specific infection method still not confirmed
  83. It was not. However, with the disassembled installation files and USB flashes infected with Tickusb
  84. As a result of comparing and analyzing the file modulation codes in the drive, some of the droppers are EXE waves
  85. It was confirmed as work. In addition, an attacker can not run Tickusb malware automatically when booting Windows,
  86. ASEC REPORT Vol.95 | Security Trend 24
  87. Is executed only when it is executed. This is to prevent the user from finding malicious code
  88. It looks for purpose. Let's look at the droppers, downloaders, patchers, and loaders that an attacker used in Tickusb attacks.
  89. 2-1) Dropper
  90. Tickusb malware has been found to be associated with several droppers.
  91. One of them, Aya.exe (b76d2b33366c5ec96bc23a717c421f71) is a Go game file, and [Figure 2-3]
  92. When the game is launched, as in the initial version of Tickusb (6f665826f89969f689cba819
  93. d626a85b are generated. The Aya.exe file was collected in March 2014 in AAPL and the build of the dropped file
  94. Time seems to have worked before 2014.
  95. Figure 2-3 | Aya.exe execution screen
  96. The Secure Unlock win.exe file (bb8c83cfd133ab38f767d39605208a75)
  97. The dropper used in domestic attack in early June, the normal program is a modulated form and the program is executed
  98. , It creates wsktray.exe file (3c6e67fc006818363b7ddade90757a84) in the temporary folder. Also
  99. ASEC REPORT Vol.95 | Security Trend 25
  100. When creating a file, it adds a garbage value to the end of the file, which is more than 34 megabytes in length. At this time,
  101. A file is a variant of Bisodown that downloads another malware.
  102. Another dropper, Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2),
  103. pNDPS (V2.11) .exe (c865b83a2096642b0de3e2880e63ab0e), NEW_GOMPLAYERSETUP.
  104. exe (0a4bec5fc88406d126aa106a7c0aab87) uses the same Bisodown transform file (e470
  105. b7538dc075294532d8467b1516f8), of which SecretZone.exe and pNDPS (V2.11).
  106. The exe file is assumed to be infected by the Tickusb variant.
  107. 2-2) Downloader - Ghostdown
  108. Tickusb On a system infected with malware, a ghostdown that acts as anRespectively.
  109. Ghost Down is the first malicious code found in February 2013 that has been active until February 2018,
  110. Last Name Code (4868fd194f0448c1f43f37c33935547d, 62ee703bbfbd5d77ff4266f9038c3c6c) Also,
  111. Found.
  112. Figure 2-4 | Characteristic string of ghost-down variant malicious code (4868fd194f0448c1f43f37c33935547d)
  113. ASEC REPORT Vol.95 | Security Trend 26
  114. Figure 2-5 | Encrypted C & C string decryption result
  115. [Figure 2-4] shows the characteristic string of the ghost-down variant malicious code. API, connection address, etc.
  116. The main string is encrypted, and the initial version has the address and key string it connects to with the XOR 0xDF key
  117. It is encrypted.
  118. Figure 2-6 | iff.exe execution screen
  119. The initial variant of ghostdown is to use www.poi.cydisk.net, www.kot.gogoblog.net, etc. as a C & C server.
  120. All of these addresses were created with the service www.dnserver.com. Figure 2-5 shows the encrypted C & C
  121. This is the result of decoding the string. This allows the ghost-down variant found in the Tickusb infection system in 2016
  122. C & C address is www.memsbay.com:443, and you can see that you have used the cloud service.
  123. 2-3) Patcher - iff.exe
  124. Iff.exe (e84f29c45e4fbbce5d32edbfeec11e3a) acts as a patcher to modulate the EXE file
  125. Execute a specific EXE file or load a specific DLL file. The iff found in the Tickusb infection system.
  126. The exe file is assumed to be an additional file after the attacker has infiltrated the system.
  127. ASEC REPORT Vol.95 | Security Trend 27
  128. iff.exe is a file modification method, a file to be modulated, a file to be executed or a DLL file to be loaded as shown in [Figure 2-6].
  129. It is input as argument value.
  130. The -b option modifies the executable file by adding it to the end of the target EXE file, and the -l option causes the target EXE
  131. Modify the file to load a specific DLL file.
  132. As shown in [Figure 2-7], there is '.texe' which is infection identification string in EXE file modulated by iff.exe.
  133. Figure 2-7 | Patch Results by iff.exe 1
  134. You can also change the jump command to the entry point (entry point)
  135. Let the command execute first.
  136. Figure 2-8 | Patch Contents by iff.exe 2
  137. ASEC REPORT Vol.95 | Security Trend 28
  138. The code added with the -b option in [Figure 2-9] requires the necessary API (Application Programming Interface)
  139. After loading the file, load the contents of the executable file at the end of the modified file in the% temp% folder.
  140. Create it as a file and execute it. According to the text of the executable screen of the iff.exe file, download another malware
  141. It seems to be for the purpose of adding an adder to download.
  142. Figure 2-9 | Additional code by iff.exe -b
  143. Also, the executable file to be executed by MZ is added to the end of the modulated file as shown in [Figure 2-10]. therefore
  144. The total file length increases by the length of the file appended to the end of the file.
  145. Figure 2-10 | Code at the end of the modulated file
  146. The -l option overwrites the code that finds a blank area in the target EXE file and loads the specified DLL file. follow
  147. If there is not enough free space in the file, no file tampering will occur and even if file tampering occurs
  148. ASEC REPORT Vol.95 | Security Trend 29
  149. There is no change in the file length of the target EXE file.
  150. 2-4) Loader - BrStMonW.exe
  151. The attacker used the iff.exe file on June 1, 2015 to download Brother's printer program
  152. I have patched the BrStMonW.exe file (d536f5f929ddd2472a95f3356f7d835c). Through this patch,
  153. When I run the BrStMonW.exe file, which has more role, I have modified it to load the malicious BrWeb.dll file first.
  154. Also, modify the entry point (Entry Point) as shown in [Figure 2-11] and add the code address
  155. '0x004972EF' was executed first.
  156. Figure 2-11 | Entry points modified with JMP code
  157. Another characteristic is that since the arbitrary code is overwritten in the blank area of ‚Äč‚Äčthe BrStMonW.exe file,
  158. There is no change in file length even after modulation. The code for the modified BrStMonW.exe file is shown in [Figure 2-12]
  159. .
  160. ASEC REPORT Vol.95 | Security Trend 30
  161. Figure 2-12 | Modified BrStMonW.exe
  162. Figure 2-13 | Added specific DLL loading code
  163. The code added by iff.exe will load the specific DLL (BrWeb.dll) file into memory as shown in [Figure 2-13].
  164. And then execute it.
  165. Therefore, only when the printer is used, Tickusb malicious code is executed,
  166. it's difficult.
  167. Using a patcher, such as iff.exe, an attacker can break into the system and select a program
  168. You can run additional malicious code through the process of patching.
  169. ASEC REPORT Vol.95 | Security Trend 31
  170. 3. Tickusb strain analysis
  171. Tickusb is usually made up of DLL files and EXE files, some of which are DLL files or EXE files
  172. In the form of a single file. Tickusb DLL file to connect USB flash drive from system
  173. If it is connected, it executes malicious EXE file. The EXE file that is executed at this time,
  174. And modifies the executable file in the flash drive. The DLL file that configures Tickusb
  175. Let's examine the EXE file in detail.
  176. 3-1) Tickusb DLL Analysis
  177. The files used as Tickusb DLL files are BrWeb.dll, CRYPTEBASE.dll, and wincrypt.dll. double
  178. The CRYPTEBASE.dll file is the same as the Windows filename that provides password-related functionality. As well as
  179. It has the same Export function as CRYPTBASE.dll in Windows,
  180. You can load the CRYPTBASE.dll file when a program with Malignant CRYPTBASE.
  181. A program that loads a dll is assumed to use the cryptographic function.
  182. The Tickusb DLL file acts as a loader, and it contains the name of the log file to execute, the path of the EXE file to execute,
  183. Drive type, and so on. [Figure 2-14] is the main string of the Tickusb DLL file.
  184. Figure 2-14 | Key string for Tickusb DLL file
  185. ASEC REPORT Vol.95 | Security Trend 32
  186. The Tickusb DLL CRYPTBASE.dll (bcb56ee8b4f8c3f0dfa6740f80cc8502), which was discovered in April 2015,
  187. There is no additional EXE file in the form of DLL file alone. When the DLL is executed, the Credentials.dat file
  188. And creates a TAG file (C: \\ WINDOWS \\ system32 \\ CatRoot \\ {375EA1F-1CD3-22D3-7602-
  189. 00D04ED295CC} \\ TAG) and collect system information with netstat.exe. In addition,
  190. Verify that VPN_Cliend.exe and IPPEManager.exe are present on the server.
  191. The Tickusb DLL, BrWeb.dll (9b31a5d124621e244cede857300f8aa6), found in June 2015,
  192. (Brother) and disguised as a printer related file, C: \ Program Files (x86) \ browny02 \ brother
  193. And C: \ Program Files (x86) \ ControlCenter4. As shown in [Figure 2-15]
  194. It is loaded when the corresponding EXE file is executed by patching BrinterMon.exe, which is a linter related file, and the BrWeb.dll file
  195. Credentials.csv (% USERPROFILE% \ AppData \ Roaming \ Microsoft \ Credentials \
  196. Credentials.csv).
  197. Figure 2-15 | Tickusb relationship that occurred in June 2015
  198. ASEC REPORT Vol.95 | Security Trend 33
  199. It also creates a mutex called 'WinsMutexIII' and creates three threads. First thread
  200. (0x10004774) indicates that if a USB flash drive is connected to the system, the wsmt.exe file (C: \
  201. WINDOWS \ System32 \ migration \ WSMT \ wsmt.exe). Second thread (0x100045cd)
  202. Reads the basev1.xsd file (C: \ Windows \ schemas \ AvailableNetwork \ basev1.xsd)
  203. Find a specific process through Windows (FindWindow). Process lease you are looking for in basev1.xsd
  204. It is presumed that it contains. The third thread (0x100035f0) checks the system date,
  205. For Sundays and Thursdays, download the file from http://update.saranmall.com/script/main.html
  206. Create and run the MSUPDATA.EXE file.
  207. msupdata.exe is a file name often used as a downloader by the Ticking attack group, and since October 2016
  208. Changed the file name to wincrypt.dll file. Variants with this filename will be found by November 2017
  209. .
  210. 3-2) Tickusb EXE Analysis
  211. Tickusb EXE file collects file list in USB flash drive or modifies EXE file
  212. , And it was confirmed as a file such as cftmon.exe, svcmgr.exe, and wsmt.exe.
  213. Within that EXE file,Strings related to infections, logs associated with USB flash drives, etc.
  214. And the main string is shown in [Figure 2-16].
  215. Figure 2-16 | Key string of Tickusb EXE file
  216. ASEC REPORT Vol.95 | Security Trend 34
  217. The EXE variant found in June 2015 (29875836605c26f7c78fc91bb2cff95d) is in the USB flash drive
  218. The ability to collect file information and modulate EXE files has been added.
  219. When the EXE file is executed, the FlashHistory.dat file (C: \ Users \
  220. Default \ AppData \ Local \ Microsoft \ Windows \ History \ FlashHistory.dat).
  221. Figure 2-17 | File contents of FlashHistory.dat
  222. For some variants, find and modify the EXE file on a USB flash drive. Of the target EXE file to be modulated
  223. At the end, you can add a specific file (for example, C: \ Windows \ AppPatch \ Custom \ Custom64 \ apihex.dat)
  224. It is a way to execute.
  225. For some Tickusb found between 2012 and 2014, certain secure USB flash drives from domestic companies
  226. It is confirmed that the data is read from a specific area of ‚Äč‚Äčthe USB drive and executed.
  227. . Such attacks are estimated to be aimed at attacking networked enterprise systems.
  228. 4. EXE analysis modulated by Tickusb transformation
  229. As we have seen, some of the Tickusb variants have evolved to find and manipulate EXE files in USB flash drives.
  230. ASEC REPORT Vol.95 | Security Trend 35
  231. Perform sexual activity. Modified EXE files will have their entry points modified to execute specific code,
  232. Execute the executable file added at the end. The added executable file is not verified, but with a modified file
  233. The executable file is assumed to be an downloader.
  234. Figure 2-18 | Modulated EXE
  235. Portable SecretZone.exe (dbc10f9b99cc03e21c033ea97940a8c2) serving as a dropper
  236. pNDPS (V2.11) .exe (c865b83a2096642b0de3e2880e63ab0e) is the same downloader (e470b7538dc
  237. 075294532d8467b1516f8).
  238. The Tickusb variant that was discovered in June 2015 finds the EXE file on a USB flash drive and writes the apihex.dat file
  239. (C: \ Windows \ AppPatch \ Custom \ Custom64 \ apihex.dat) to the end of the EXE file.
  240. Modify the work.
  241. As a result of the analysis, it is confirmed that the code added to the modified EXE file is similar to the code of the file known as the dropper
  242. . Therefore, these files are assumed to be EXE files modulated from Tickusb variants, not droppers. [Drawing
  243. 2-19] is a comparison of the codes of the two files.
  244. ASEC REPORT Vol.95 | Security Trend 36
  245. Figure 2-19 | Comparing the Tickusb infected file code with the file known as the dropper
  246. Other infection identifiers are also similar. As shown in [Figure 2-20], the EXE file modulated by Tickusb transformation is characterized
  247. It contains '.texe' as an example.
  248. Figure 2-20 | Tickusb dropper containing '.texe' string
  249. Figure 2-21 | The initial Tickusb dropper that contains the string '.ext'
  250. A file that drops an early version of Tickusb found in March 2014 (b76d2b33366c5ec96bc23a717c42
  251. 1f71) contains '.ext' as an infection identifier as shown in [Figure 2-21]. This file also has a dropper
  252. It is presumed that the file is likely to be modified by a non Tickusb variant.
  253. ASEC REPORT Vol.95 | Security Trend 37
  254. 5. Analyze additional installation files
  255. In the Tickusb malware-infected system, the keylogger, ARP spoofer,
  256. Port Scanner, and Mimikatz were added. These chusens used in the Tickusb attack
  257. Let's look at the installation file.
  258. 5-1) Keylogger Type C
  259. Keyloggers have been found in some of the Tickusb infection systems. Found between April 2017 and February 2018
  260. The keyloggers mainly used file names such as apphelp.dll, linkinfo.dll, and netutils.dll.
  261. The key string used in the keylogger is shown in [Figure 2-22], and the key content entered by the user is debug.log
  262. In the file.
  263. Figure 2-22 | Keylogger key string
  264. 5-2) ARPspaper (ARPSpoofer) - hwp70.exe
  265. The attacker carried out the attack by disguising it as a file related to the program. Of a system infected with Tickusb
  266. The malicious EXE file hwp70.exe (026ae46934eca5862db4) from the Hangman Hangul folder (C: \ HNC \ Hwp70)
  267. dfc8c88c720a) was found.
  268. ASEC REPORT Vol.95 | Security Trend 38
  269. A hijack that causes ARP spoofing (ARPS spoofing)
  270. It is presumed to be one purpose, and the execution screen is as shown in [Figure 2-23].
  271. Figure 2-23 | Hijack (hijack) execution screen
  272. 5-3) Port Scanner ScanLine - l.dat
  273. The attacker will be able to scan files that have Packed Scanning Line (ScanLine), the port scanner of Foundstone in 2016
  274. (a353b591c7598a3ed808980e2b22b2a2) was used in the attack. In many systems,
  275. RAM has been used, and the file names used are msp.exe, ls.tmp, and sl-p.exe.
  276. [Figure 2-24] is the screen where the scan line is executed.
  277. Figure 2-24 | ScanLine execution screen
  278. ASEC REPORT Vol.95 | Security Trend 39
  279. 5-4) Mimikatz - mi.exe, mi2.exe
  280. The attacker could use the Mimikatz variant mimi 2.1 (3fe76cf644e045b8620d577c2
  281. 366630a) and mimi 2.1.1 (b108df0bd168684f27b6bddea737535e). File name
  282. Also, mi.exe, mi2.exe which is mainly used in tick attack group.
  283. [Figure 2-25] and [Figure 2-26] are execution screens of mimi 2.1 and mimi 2.1.1, respectively.
  284. Figure 2-25 | mimi 2.1 launch screen
  285. Figure 2-26 | mimi 2.1.1 launch screen
  286. ASEC REPORT Vol.95 | Security Trend 40
  287. 6. Conclusion
  288. Most major corporations and organizations use networked systems, so security updates
  289. It is easy to overlook, or neglect security regulations. Since 2008, for the past 10 years,
  290. The Tick attack group, which is constantly attacking companies,
  291. Spear Phishing, Watering hole attack as well as USB flash drive
  292. EXE files to infect malicious code by using various attack techniques, such as continuous attacks
  293. I have done.
  294. In particular, in order to prepare for attacks such as Tickusb,
  295. Do not use USB flash drive, hash before running executable in USB flash drive
  296. Etc. to check whether there is no malicious code infection during the file transfer process.
  297. You need to be careful.
  298. The V3 family detects the corresponding Tickusb-related malicious code with the following diagnosis.
  299. <V3 Family Diagnostics>
  300. - HackTool / Win32.Hijack
  301. - HackTool / Win32.Mimikatz
  302. - HackTool / Win32.Tickpatcher
  303. - Trojan / Win32.Agent
  304. - Trojan / Win32.Homamdown
  305. - Trojan / Win32.Loader
  306. - Trojan / Win32.Tickusb
  307. ASEC REPORT Vol.95 | Security Trend 41
  308. 7. Indicators of Compromise (IoC)
  309. Representative file name
  310. apphelp.dll
  311. BrWeb.dll
  312. CRYPTBASE.dll
  313. igfext.exe
  314. linkinfo.dll
  315. msupdata.exe
  316. svcmgr.exe
  317. wincrypt.dll
  318. wsmt.exe
  319. Hashes (md5)
  320. -Downloader: Bisodown
  321. 3c6e67fc006818363b7ddade90757a84
  322. e470b7538dc075294532d8467b1516f8
  323. -Downloader: Ghostdown
  324. 4868fd194f0448c1f43f37c33935547d
  325. 62ee703bbfbd5d77ff4266f9038c3c6c
  326. -Tickusb
  327. 15e72d83caaf1fe9e72e72b633ec5dfb
  328. 16572393021beea366679e80cc78610c
  329. ASEC REPORT Vol.95 | Security Trend 42
  330. 29875836605c26f7c78fc91bb2cff95d
  331. 46c9fb12187c08f9da3429c047a41fd8
  332. 4aadf927e5c2aa43b90d4b830c331a69
  333. 599c4110aed58aa75d2322b4232a6855
  334. 6f665826f89969f689cba819d626a85b
  335. 9b31a5d124621e244cede857300f8aa6
  336. ad33da0d9507e242eb344b313454cea9
  337. bcb56ee8b4f8c3f0dfa6740f80cc8502
  338. ca99ea5f1ece7430243d8322445d1a1c
  339. dfba5e8019be5e400d53afeba83d6d93
  340. -Keylogger
  341. 220bf51185cd7ccc0aa64229c434ce1a
  342. 27dbf927e85e00f14ee9be56711a5246
  343. 7f98ff2b6648bd4fe2fc1503fc56b46d
  344. b79ef5a004e26c3d491eca895c59fb86
  345. -Tools
  346. 026ae46934eca5862db4dfc8c88c720a
  347. 3fe76cf644e045b8620d577c2366630a
  348. a353b591c7598a3ed808980e2b22b2a2
  349. b108df0bd168684f27b6bddea737535e
  350. e84f29c45e4fbbce5d32edbfeec11e3a
  351. ASEC REPORT Vol.95 | Security Trend 43
  352. Domains, URLs and IP address
  353. 127.0.0.1/jscript/timepill.html
  354. pre.englandprevail.com/km/news/index.htm
  355. update.saranmall.com/script/main.html
  356. www.memsbay.com:443
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top