ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 179.60.149.3:9999.
Database Entry
This IOC expired
This IOC is old and expired on 2025-12-16 01:15:01 UTC. We therefore no longer export it into our datasets; this database entry is purely informational and has no further impact.
| IOC ID: | 1152537 |
|---|---|
| IOC: | 179.60.149.3:9999 |
| IOC Type : | ip:port |
| Threat Type : | botnet_cc |
| Malware: | DarkGate |
| Malware alias: | Meh, MehCrypter |
| Confidence Level : | Confidence level is high (100%) |
| ASN: | AS395839 HOSTKEY-USA |
| Country: | RU |
| First seen: | 2023-08-28 21:36:42 UTC |
| Last seen: | 2023-10-12 13:18:10 UTC |
| UUID: | faef6441-45ea-11ee-9416-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | DarkGate HOSTKEY-USA NI-SVSA-LACNIC Safe VPN S.A. |
| Reference: | https://tria.ge/230828-zp22aaah9s/behavioral1 |
AndreGironda
{"anti_analysis": false,
"anti_debug": false,
"anti_vm": false,
"c2_ping_interval": 5,
"c2_port": 2351,
"c2_servers": [
"http://179.60.149.3"
],
"check_disk": false,
"check_ram": false,
"check_xeon": false,
"crypter_au3": true,
"crypter_dll": false,
"crypter_rawstub": false,
"crypto_key": "XKIfdZvBeJiyXh",
"flag_14": 5,
"flag_18": true,
"flag_19": false,
"flag_21": "ipscanner",
"internal_mutex": "bfdaaE",
"min_disk": 100,
"min_ram": 4096,
"rootkit": true,
"startup_persistence": true,
"strings": [
"ms2A`",
"ms2A`",
"PQpQ7V",
"G\u0019JVD",
"1s2A`",
"@>PCD4",
"0G\u001cz,",
"0G\u001cz,",
"0G\u001cz,",
"^'V\u0000p",
"wn\tlu",
"qccW$",
"wlku0",
"qh\u001eqp",
"wmVq\u0005",
"\u0005v-3\u0005",
"Mozilla\\",
"firefox.exe",
"/c cd /d \"\u0000",
"\" && move firefox firefox\u0000",
"cmd.exe\u0000",
"firefox\u0000",
"/c del /q /f /s \u0000",
"firefox\\*",
"Google",
"chrome.exe\u0000",
"\" && move Google google",
"Opera Software",
"cookie",
"opera.exe",
"discord.exe",
"discord.exe",
"\"events\":[{\"type\":\"channel_opened\",\"properties\":{\"client_track_timestamp",
"{\"token\":\"\u0000",
"FileZilla\\\u0000",
"sitemanager.xml",
"recentservers.xml",
"virtualdesk",
"C:\\WINDOWS\\system32\\explorer.exe",
"virtualdesk",
"Start hVNC Process: ",
"Process Error ",
"Shell_TrayWnd\u0000",
"TaskBar\u0000",
"Progman\u0000",
"Desktop\u0000",
"Shell_TrayWnd\u0000",
"TaskBar\u0000",
"Progman\u0000",
"Desktop\u0000",
"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe",
"C:\\Program Files (x86)\\BraveSoftware\\Brave-Browser\\Application\\brave.exe",
"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"xhMenu",
"itemPos\u0000",
"ventana\u0000",
"Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u0000",
"Desktop\u0000",
"USERPROFILE",
"c:\\temp\\tmp",
"c:\\temp\u0000",
"C:\\temp\\",
".rar\u0000",
"C:\\Program Files\\WinRAR\\Rar.exe\u0000",
"C:\\Program Files (x86)\\WinRAR\\Rar.exe\u0000",
"Rar.exe\u0000",
"a -ep1 -r -y -v5m -m1 \"",
"rar.exe\u0000",
"C:\\temp\u0000",
"cmd.exe\u0000",
"No multiple files",
"C:\\*\u0000",
"C:\\Windows\u0000",
"C:\\Program Files\u0000",
"Chrome Legacy Window",
"vchromeHandle\u0000",
"vchromeRectH",
"vchromeRectW",
"vchromeinternalPosX\u0000",
"vchromeinternalPosY\u0000",
"vchromeHandleInterno",
"vchromeRectInternoH\u0000",
"vchromeRectInternoW\u0000",
"Google Chrome\u0000",
"Brave",
"Microsoft",
"hVNC phase 1",
"Cleaning virtualdesk hVNC processes",
"hVNC phase 2",
" not found\u0000",
"virtualdesk",
"hVNC phase 3",
"hVNC VirtualDesk Failed",
"hVNC phase 4",
"Google\\Chrome\\test",
"Google\\Chrome\\User Data",
"--user-data-dir=\"",
"BraveSoftware\\Brave-Browser\\test",
"BraveSoftware\\Brave-Browser\\User Data\u0000",
"Microsoft\\Edge\\test\u0000",
"Microsoft\\Edge\\User Data",
" --user-data-dir=\"",
"hVNC phase 5",
"https://mail.google.com/mail/u/0/#inbox",
"hVNC phase 6",
" --window-position=\u0000",
"Process Error ",
"hVNC phase 7",
"Error zEnumProcess",
"hVNC phase 8",
"oripid",
"autoit3.exe",
"AppData\\Local\\Temp",
":\\windows",
"\\appdata\\",
":\\program files",
"Corrupted data while updating",
"RAW STUB is not installed... executing on memory and killing myself...\u0000",
"Corrupted DLL data Update\u0000",
"Updating by DLL method... Bytes: ",
" Hash Data Update: \u0000",
"pidgin.exe\u0000",
"No startup configured, skip update\u0000",
"Restart Darkgate\u0000",
"update",
"Updating by AU3 method... Bytes: ",
" Hash Data Update: \u0000",
"update",
"Incorrect data bytes: \u0000",
"No startup configured, skip update\u0000",
"849\u0013$4",
"9999\u0000",
"Test_",
"/c ping 127.0.0.1 & del /q /f %s & exit",
"cmd.exe\u0000",
"process hacker",
"process explorer\u0000",
"taskmgr.exe",
"procexp\u0000",
"hwmonitor",
"processhacker.exe",
"process hacker",
"process explorer\u0000",
"administrador de tareas",
"taskmanager",
"task manager",
"ccleaner",
"system config\u0000",
"malwarebytes",
"C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\tmp\u0000",
"farbar recovery",
"avast",
"startup\u0000",
"rootkit\u0000",
"autoruns",
"editor de registro",
"editor del registro\u0000",
"registry editor",
"gerenciador de tarefas\u0000",
"zhpcleaner\u0000",
"task manager",
"junkware removal\u0000",
"administrador de tareas",
"hijackthis\u0000",
"tcpview\u0000",
"process monitor",
"wireshark",
"taskmanager",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"pidgin.exe\u0000",
"AutoIt3.exe",
"au3file\u0000",
".lnk\u0000",
"Autoit3.exe",
"AutoIt3EXEData nope\u0000",
"U_Persistence.MainPEPathData nope",
"/c shutdown -f -r -t 0\u0000",
"cmd.exe\u0000",
"pidgin.exe\u0000",
"@7$z$\"",
"Google\\Chrome\\User Data\\",
"Microsoft\\Edge\\User Data\\\u0000",
"BraveSoftware\\Brave-Browser\\User Data\\",
"Default\\",
"Default\\Network\\Cookies",
"%sProfile %d\\Network\\Cookies\u0000",
"%sProfile %d",
"Delete Credentials not worked because I do not have Admin Rights\u0000",
"c:\\temp\\cred.txt\u0000",
"/c cmdkey /list > ",
"cmd.exe\u0000",
" not exists",
"target=\u0000",
"Credentials detected, removing them!",
"/c cmdkey /delete:",
"All Credentials got Removed, Previous list of Credentials:\u0000",
"|\\/|\u0000",
"Mail PassView\u0000",
"MailPassView",
"WebBrowserPassView",
"SysListView32\u0000",
"cmd.exe ",
"GetPassswords Failed",
"SysListView32 MaxError\u0000",
"SysListView32 Handle not found",
"Mozilla\\Firefox\\Profiles",
"cookies.sqlite",
"ChromeCookiesView",
"ChromeCookiesView",
"Opera Software\\Opera GX Stable\\Network\\Cookies\u0000",
"Opera Software\\Opera Stable\\Cookies",
"ChromeCookiesView",
"ChromeCookiesView",
"ChromeCookiesView",
"lol.exe /stext \"\u0000",
"skype.txt\"\u0000",
"skype.txt",
"lol.exe /shtml \"\u0000",
"skype.txt\"\u0000",
"skype.txt",
"domains\u0000",
"notifications\u0000",
"monero",
"minerconfig",
"epoch",
"glpuerto",
"puerto",
"version\u0000",
"hwid\u0000",
"domains\u0000",
"notifications\u0000",
"monero",
"minerconfig",
"startup\u0000",
"rootkit\u0000",
"antivm",
"antiaenv",
"antiram\u0000",
"antidisk",
"install_dir",
"current_path",
"process_id\u0000",
"glpuerto",
"delayloader",
"delayglobal",
"screensize\u0000",
"keyspeed",
"internalmutex\u0000",
"systemstartuptime",
"DarkGate InternalCrypter DLL\u0000",
"DarkGate InternalCrypter AU3\u0000",
"crypter\u0000",
"domains\u0000",
"http://\u0000",
"notifications\u0000",
"monero",
"minerconfig",
"epoch",
"gldelay\u0000",
"version\u0000",
"puerto",
"vepoch",
"svAUm\n",
"paranoic",
"C:\\ProgramData",
"msgdata_",
"mainfolder\u0000",
"C:\\ProgramData\\",
"resourcesplit\u0000",
"logsfolder\u0000",
"addonsfolder",
"settings",
"resources",
"binder",
"minercpu2",
"supertemp",
"notepad.exe",
"DontShowUI\u0000",
"SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting",
"defrag.exe\u0000",
"ETCHASH\u0000",
"KASPA",
"NEXA\u0000",
"AUTOLYKOS2\u0000",
"C:\\temp\u0000",
" --threads=",
"C:\\temp\\xmr.txt",
"C:\\temp\\xmr",
"C:\\temp\\tr\u0000",
"C:\\temp\\testdec.txt\u0000",
":3340 ",
"* ys@",
"C:\\temp\\testgpudec.txt\u0000",
"C:\\temp\\etc.txt",
"C:\\temp\\etc",
"Stub: Corrupted miner MZ, will redownload miner soon | Retry \u0000",
"Stub: Corrupted miner FilesDelimiter is missing, will redownload miner soon | Retry ",
"Stub: ",
"C:\\darkgateminertest",
"Stub: darkminertest! TimeToIDLE:",
"Miner is waiting IDLE \u0000",
"Stub: Miner do not start because taskmanager is open!",
"Stub: Miner injected at Defrag.exe\u0000",
"Stub: Miner has been killed because not IDLE",
"CPU+GPU\u0000",
"Stub: Miner has been Downloaded -> Installing Miner \u0000",
":N\u001c1\r",
"Stub: Miner installed and enabled / Elapsed: ",
"C:\\temp\\id.txt",
"Stub: Critical error in miner 0\u0000",
"nominear",
"C:\\temp\\xmr",
"C:\\temp\\etc",
"C:\\temp\\tr\u0000",
"C:\\temp\\xmr.txt",
"C:\\temp\\etc.txt",
" x86\u0000",
"nominear",
"id=%s&data=%s&act=%d",
"<html",
"xeon\u0000",
"Microsoft Hyper-V Video",
"Standard VGA Graphics Adapter",
"Microsoft Basic Display Adapter\u0000",
"virtual\u0000",
"virtual\u0000",
"vmware",
"Microsoft Hyper-V Video",
"IsUserAnAdmin\u0000",
"GlobalMemoryStatusEx",
"SYSTEM",
" x86\u0000",
" x64\u0000",
" x64\u0000",
"ProductName",
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"CSDVersion\u0000",
"CurrentBuildNumber",
" Build \u0000",
"windows xp\u0000",
"windows\u0000",
"Windows 2000",
"Windows ???",
"ProcessorNameString\u0000",
"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\u0000",
"Unknown\u0000",
"ProductID",
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\",
"monitor.exe",
"smBootTime.exe",
"C:\\ProgramData\\Bitdefender",
"Bitdefender",
"C:\\ProgramData\\AVAST",
"Avast",
"C:\\ProgramData\\AVG",
"C:\\ProgramData\\Kaspersky Lab\u0000",
"Kaspersky",
"|egui",
"Nod32",
"C:\\Program Files (x86)\\Avira\u0000",
"Avira",
"|ns.exe\u0000",
"Norton",
"|nis.exe",
"nortonsecurity.exe",
"|smc.exe",
"Symantec",
"uiseagnt.exe",
"Trend Micro",
"mcshield.exe",
"McAfee",
"mcuicnt.exe",
"superantispyware.exe",
"SUPER AntiSpyware",
"vkise.exe",
"Comodo",
"|mbam.exe",
"MalwareBytes",
"|cis.exe",
"bytefence.exe\u0000",
"ByteFence",
"sdscan.exe\u0000",
"Search & Destroy\u0000",
"qhsafetray.exe",
"360 Total Security",
"totalav.exe",
"Total AV",
"C:\\Program Files (x86)\\IObit\u0000",
"IObit Malware Fighter",
"psuaservice.exe",
"Panda Security",
"C:\\Program Files\\Malwarebytes",
"C:\\ProgramData\\Emsisoft",
"Emsisoft",
"C:\\Program Files\\Quick Heal",
"Quick Heal\u0000",
"C:\\Program Files (x86)\\F-Secure\u0000",
"F-Secure",
"C:\\Program Files (x86)\\Sophos",
"Sophos",
"Unknown\u0000",
"mainhw",
"|0|0|",
"|0|0|",
"INVOKE BSOD ",
"IsWow64Process",
"NtSuspendProcess\u0000",
"NtResumeProcess",
"/c vssadmin delete shadows /for=c: /all /quiet\u0000",
"cmd.exe\u0000",
"C:\\Program Files\u0000",
".0xCrypt",
".log\u0000",
".exe\u0000",
"OPEN\u0000",
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\u0000",
"WINDIR",
"C:\\Windows\\",
"C:\\Users\\",
"\\AppData\\Local\\",
"LOCALAPPDATA",
"C:\\Users\\",
"\\AppData\\Roaming\\",
"APPDATA\u0000",
"C:\\temp\\",
"C:\\Users\\",
"\\AppData\\Local\\Temp\\",
"TEMP\u0000",
"C:\\temp\u0000",
"C:\\temp\\",
"NtAllocateVirtualMemory",
"NtWriteVirtualMemory",
"NtProtectVirtualMemory\u0000",
"NtFlushInstructionCache",
"cmd.exe\u0000",
"corrupted pe",
"c:\\temp\u0000",
"c:\\temp\\a",
"cmd.exe\u0000",
"NtQueueApcThread\u0000",
"NtTestAlert",
"mutex",
"notepad.exe",
"cmd.exe\u0000",
"NtGetContextThread",
"NtReadVirtualMemory\u0000",
"NtUnmapViewOfSection",
"NtSetContextThread",
"NtResumeThread",
"NtTerminateProcess",
"NtFreeVirtualMemory\u0000",
"WINDIR",
"C:\\Windows\\",
"C:\\windows\\SysWOW64\\notepad.exe\u0000",
"SysWOW64\\notepad.exe",
"system32\\notepad.exe",
"SysWOW64\\systeminfo.exe",
"C:\\Windows\\System32\\systeminfo.exe\u0000",
"System32\\systeminfo.exe",
"C:\\Windows\\SysWOW64\\systeminfo.exe\u0000",
"Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe",
"Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
"Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe",
"Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe",
"C:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe",
"#guid",
"#guid",
"notepad.exe ",
"masteroflog",
".log\u0000",
"masteroflog",
":::Clipboard:::",
"masteroflog",
"aeiouAEIOU\u0000",
"{KANJI}\u0000",
"{JUNJA}\u0000",
"{KANA}",
"{Insert}",
"{Esc}",
"{Tab}",
"{Del2}",
"{Del}",
"|ymW!",
"{start}\u0000",
"{end}",
"NtTerminateProcess",
"LoadLibraryA",
"programdata",
"MapViewOfFile\u0000",
"MessageBoxTimeoutA",
"OpenProcess",
"VirtualAlloc",
"GetLastInputInfo\u0000",
"SetCurrentDirectoryA",
"RegSetValueExA",
"GetExitCodeThread",
"WaitForSingleObject\u0000",
"ShellExecuteA\u0000",
"GetCurrentProcess",
"FindClose",
"CloseHandle",
"GetWindowTextA",
"GetWindowTextW",
"RegDeleteValueA",
"FindWindowExA\u0000",
"GetForegroundWindow\u0000",
"FindWindowA",
"MapVirtualKeyExA\u0000",
"GetKeyState",
"EnumDisplayDevicesA\u0000",
"GetUserDefaultLangID",
"GetKeyboardState\u0000",
"GetWindow",
"GetWindowThreadProcessId",
"SystemParametersInfoA",
"TerminateProcess\u0000",
"GetAsyncKeyState\u0000",
"FindFirstFileA",
"FileTimeToSystemTime",
"GetModuleFileNameA",
"WriteProcessMemory",
"SendMessageA",
"ReadProcessMemory",
"CreateDirectoryA\u0000",
"RegCloseKey",
"RegOpenKeyExA\u0000",
"CreateFileA",
"GetDriveTypeA\u0000",
"GetComputerNameA\u0000",
"SetThreadLocale",
"OPEN\u0000",
"OPEN\u0000",
"OPEN\u0000",
"GetFileAttributesW",
"GetFileAttributesA",
"CreateProcessA",
"RegQueryValueExA\u0000",
"VirtualAllocEx",
"GetFileSize",
"WriteFile",
"ReadFile",
"GetKeyNameTextA",
"GetCurrentDirectoryA",
"CreateRemoteThread",
"GetWindowTextLengthW",
"GetEnvironmentVariableA",
"GetLastError",
"FindNextFileA\u0000",
"FileTimeToLocalFileTime",
"FileTimeToDosDateTime",
"DeleteFileA",
"Binder: no data",
"cantidad",
"Binder: cantidad not number",
"data\u0000",
"action",
"parametros\u0000",
"nombres\u0000",
"Binder: SpActions not number\u0000",
"cmd.exe ",
"Remote Desktop Connection\u0000",
"#32770",
"hAnyDesk Handle not found 0x00",
"hRDP Handle found 0x00\u0000",
"Error zEnumProcess",
"hAnydesk_NameList",
"hAnydesk_HandleList\u0000",
"Connect\u0000",
"pidgin.exe\u0000",
"DarkGate not found to get executed on the new hAnyDesk Desktop, Did you enabled Startup option on builder?\u0000",
"c:\\temp\\PsExec.exe",
"c:\\temp\\PsExec.exe not found\u0000",
"Executed: \u0000",
"\\SafeMode -p \u0000",
" -i 2 ",
"c:\\temp\\anydesk.exe\u0000",
"c:\\temp\\anydesk.exe not exists",
"Starting Anydesk\u0000",
"Anydesk unable to start, desktop not ready? Waiting 5 seconds\u0000",
"Anydesk started, reading config\u0000",
"C:\\Users\\SafeMode\\AppData\\Roaming\\AnyDesk\\system.conf",
"anydesk.exe",
"C:\\Users\\SafeMode\\AppData\\Roaming\\AnyDesk\\system.conf Not exists, maybe desktop still not ready, waiting 45 seconds more...",
"For some reason AnyDesk app is not working, check inside SafeMode user for manual operations",
"Anydesk Config loaded - Injecting DarkGate hAnydesk Config\u0000",
"Anydesk.exe",
"Restarting AnyDesk",
"ad.anynet.id",
"ad.anynet.id = \"\" waiting 20 second",
"Invalid config hAnydeskGetInjectAbleConfig",
"Configuring hAnyDesk",
"Error, unable to read config file",
"hAnyDesk Config: ",
"hAnyDesk Password: darkgatepassword0",
"C:\\temp\\rdpwrap.ini\u0000",
"C:\\temp\\test.rdp\u0000",
"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"& { Set-ItemProperty -Path \"\"HKCU:\\Software\\Microsoft\\Terminal Server Client\"\" -Name \"\"AuthenticationLevelOverride\"\" -Value 0 }\"",
"cmd.exe\u0000",
"open\u0000",
"C:\\Program Files (x86)\\Google\\Update\\\u0000",
"hAnyDeskInstall Started, Downloading data...",
"Data Downloaded Resource Bytes: ",
"hAnyDeskInstall Corrupted data, Failure",
"Write rdpwrap config",
"C:\\temp\\rdpwrap.ini\u0000",
"Execute powershell",
"/c reg add \"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\" /v \"Terminal Services\" /t REG_SZ /d \"\" && exit",
"cmd.exe\u0000",
"C:\\Windows\\System32\\",
"/c -NoProfile -ExecutionPolicy Bypass -Command \"& { Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value \"127.0.0.2\" -Concatenate -Force }\"\u0000",
"/c -NoProfile -ExecutionPolicy Bypass -Command \"& { Set-ItemProperty -Path \"\"HKCU:\\Software\\Microsoft\\Terminal Server Client\"\" -Name \"\"AuthenticationLevelOverride\"\" -Value 0 }\"",
"/c reg add \"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /v \"DisableRemoteDesktopAntiAlias\" /t REG_DWORD /d 1 && exit",
"/c reg add \"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\" /v \"DisableSecuritySettings\" /t REG_DWORD /d 1 && exit",
"Injecting rdpwrap",
"Special Injection failure\u0000",
"extexport.exe\u0000",
"Execute cmdkey",
"\u0003ctY0",
"Configure local RDP\u0000",
"full address:s:127.0.0.2",
"username:s:SafeMode\u0000",
"authentication level:i:0",
"prompt for credentials:i:0",
"c:\\temp\\test.rdp\u0000",
"Execute test.rdp\u0000",
"hanydesk",
"hAnyDesk VirtualDesk Failed",
"AnyDesk\u0000",
"c:\\temp\\AnyDesk.exe\u0000",
"C:\\temp\\",
"c:\\temp\\test.rdp /v:127.0.0.2 /f /admin",
"C:\\Windows\\System32\\mstsc.exe",
"reg.exe\u0000",
"hAnyDesk failure\u0000",
"hAnyDeskConfirmLocalhRDP okay Starting hAnyDesk desktop, wait 30-60 seconds...",
"C:\\users\\safemode",
"For some reason it did not work, I will try 1 more time with a different config\u0000",
"hAnyDesk: Failure",
"C:\\debugk",
"extexport.exe\u0000",
"update.exe\u0000",
"zLAxuU0kQKf3sWE7ePRO",
"c:\\temp\\",
"Error data au3",
"Cannot find ",
"pidgin.exe\u0000",
"\\pidgin-%s-dbgs",
"cannot find libssp \u0000",
"c:\\debug",
"c:\\debug\\data.bin",
"Corrupted data check c:\\debug\\data.bin EP0_\u0000",
"Corrupted header data EP1\u0000",
"http://179.60.149.3|",
"Corrupted config\u0000",
"debug_config.txt\u0000",
"4.8.1",
"Elevation completed\u0000",
"DarkGate has recovered from a Critical error",
"Add monitor: \u0000",
"Restart Process: ",
" no |",
" is not a number\u0000",
"hAnyDesk Restarted",
"anydesk.exe",
"c:\\temp\\anydesk.exe\u0000",
"hAnyDesk Executed as Admin",
"Executing DarkGate inside the new desktop...",
"/c net user SafeMode /delete\u0000",
"DELETE_HVNC_PROFILE\u0000",
"Starting Miner Test\u0000",
"System Restore points deleted",
"Delete Restore Points not worked because I do not have Admin Rights\u0000",
"Monitor shutdown\u0000",
"Kill cookies",
"PC_SHUTDOWN",
"/c shutdown -f -s -t 0\u0000",
"cmd.exe\u0000",
"PC_RESTART\u0000",
"/c shutdown -f -r -t 0\u0000",
"/c del /q /f /s \u0000",
" && rmdir /s /q \"",
"\" && rmdir /s /q c:\\temp && del /q /f %temp%\\*.vbs",
"Miner Uninstalled",
"Miner Restarted",
"Reinstalling Miner",
"Miner Closed",
"brave.exe",
"msedge.exe\u0000",
"chrome.exe\u0000",
"firefox.exe",
"New Bot: DarkGate is inside hAnyDesk user without admin rights, executing elevation exploit\u0000",
"New Bot: DarkGate is inside hAnyDesk user with admin rights",
"SYSTEM",
"SafeMode",
"0=2351\r\n1=Yes\r\n2=Yes\r\n3=No\r\n5=No\r\n4=100\r\n6=No\r\n8=No\r\n7=4096\r\n9=No\r\n10=bfdaaE\r\n11=No\r\n12=No\r\n13=Yes\r\n14=5\r\n15=XKIfdZvBeJiyXh\r\n16=5\r\n17=No\r\n18=Yes\r\n19=No\r\n21=ipscanner\r\n",
"internal_config_config_config_config_config_config_config_config_config_config_config_config_config_config_config_config",
"update",
"\u0005|\u0017Qp",
"AUirY",
"%\u0017aXP",
"\u0014w\u0016\u001c\u0002H8p",
"VUDUE",
"R5\u001cP5"
]
}