for610-concordance.txt
ADD; "ADD" in cswordlist
Address Space Layout Randomization (ASLR); "address space layout randomization" in page or "ASLR" in cswordlist
Adobe Reader
AND; "AND" in cswordlist
ApateDNS
apihooks
automated sandboxes
base64dump.py
bbcrack.py
Beaconing
beautify; "beautify" in page or "beautification" in page
BelkaSoft Live RAM Capturer
BinText
BlockInput
box-js
Browser Helper Objects (BHOs); "browser helper objects" in page or "BHOs" in cswordlist
brutexor.py
brxor.py
CallNextHook
Call Stack
call table hooks
capstone engine
cdecl
CFF Explorer
cleardb
Clonezilla
CloseClipboard
CMP; "CMP" in cswordlist
command and control (C2); "command and control" in page or "C2" in cswordlist
conditional jump
console.group
console.log
CreateMutex
CreateProcess
CreateRemoteThread
CREATE_SUSPENDED
CreateToolhelp32Snapshot
CryptDecrypt
CryptEncrypt
CScript
curl
d8
data structure
Deep Freeze
dereferencing
Detect It Easy (DIE); "detect it easy" in page or "DIE" in cswordlist
Device Driver
dlllist
document.write
dropper
DS; "DS" in cswordlist
DumpIt
dwFlags
DynamicBase
EAX; "EAX" in cswordlist
EBP; "EBP" in cswordlist
EBX; "EBX" in cswordlist
ECX; "ECX" in cswordlist
EDI; "EDI" in cswordlist
EDX; "EDX" in cswordlist
EFLAGS; "EFLAGS" in cswordlist
EIP; "EIP" in cswordlist
EnumProcess
ES; "ES" in cswordlist
ESI; "ESI" in cswordlist
ESP; "ESP" in cswordlist
eval
Exeinfo
Exfiltration
exiftool
fakedns
FakeNet-NG
fastcall
Fast Library Identification and Recognition Technology (FLIRT); "fast library identification and recognition technology" in page or "FLIRT" in cswordlist
feh
Fiddler
FileInsight
FindSc
FireWire
FlateDecode
FLOSS
FOG; "FOG" in cswordlist
for loop; "for" in page and "loop" in page
Foxit Reader
Framework
FS; "FS" in cswordlist
general-purpose registers
GetAsyncKeyState
GetClipboardData
GetCursorPos
GetKeyState
GetModuleHandle
GetThreadContext
GetTickCount
GetWindowText
Global Descriptor Table (GDT); "global descriptor table" in page or "GDT" in cswordlist
grep
GS; "GS" in cswordlist
heap spraying
Hextostring
HKEY_CURRENT_USER (HKCU); "hkey_current_user" in page or "HKCU" in cswordlist
HKEY_LOCAL_MACHINE (HKLM); "hkey_local_machine" in page or "HKLM" in cswordlist
hooking
Hopper
HTML Applications (HTAs); "html applications" in page or "HTAs" in cswordlist
HttpOpenRequest
IDA; "IDA" in cswordlist
Import Address Table (IAT); "import address table" in page or "IAT" in cswordlist
Import/Export Table
impscan
IMUL; "IMUL" in cswordlist
Indicator of Compromise (IOC); "indicator of compromise" in page or "IOC" in cswordlist
INetSim
inline hooks
Internet Explorer
Internet Relay Chat (IRC); "internet relay chat" in page or "IRC" in cswordlist
Interrupt Descriptor Table (IDT); "interrupt descriptor table" in page or "IDT" in cswordlist
I/O Request Packet (IRP); "i/o request packet" in page or "IRP" in cswordlist
iptables
JGE; "JGE" in cswordlist
jmp2it
JMP; "JMP" in cswordlist
JNE; "JNE" in cswordlist
JNG; "JNG" in cswordlist
JNL; "JNL" in cswordlist
JNZ; "JNZ" in cswordlist
JonDonym
js-didier
Kahu
Kahu Security
kdbgscan
Keylogger
keystroke logger
KnTDD
layering
ldrmodules
LEAVE; "LEAVE" in cswordlist
libemu
LibreOffice
LoadLibrary
location.href
LOOPcc
looping
lower 16 bits
lpFile
lpOperation
lpParameters
lpStartAddress
macros
malfind
MASTIFF
memdump
memory forensics
Memory Map
MEM_WRITE
Microsoft APIs
Microsoft Developer Network (MSDN); "microsoft developer network" in page or "MSDN" in cswordlist
Microsoft Office
minidriver
MOV; "MOV" in cswordlist
mutant
mutex
Native APIs
NoMoreXOR.py
No OPeration (NOP); "no operation" in page or "NOP" in cswordlist
Notepad++
NtAllocateVirtualMemory
NTDLL.DLL
NtGetContextThread
NtUnmapViewOfSection
NT Virtual DOS Machine (NTVDM); "nt virtual dos machine" in page or "NTVDM" in cswordlist
Object Linking and Embedding (OLE); "object linking and embedding" in page or "OLE" in cswordlist
Office Open XML (OOXML); "office open xml" in page or "OOXML" in cswordlist
OLE2
olebrowse.py
olecfinfo
oledir.py
oledump.py
oleid.py
olemap.py
oletools
olevba.py
OllyDbg
OpenAction
OpenClipboard
OpenProcess
Open-Source INTelligence (OSINT); "open-source intelligence" in page or "OSINT" in cswordlist
Open Threat Exchange
OpenVPN
Origami PDF
Original Entry Point (OEP); "original entry point" in page or "OEP" in cswordlist
OR; "OR" in cswordlist
packerid
page tables
Parent Process ID (PPID); "parent process id" in page or "PPID" in cswordlist
patching
PCAP
pdfid.py
pdf-parser.py
PDF Stream Dumper
pdftk
PE Capture
peepdf.py
peframe
PE Header
pepack
percent Unicode
pescan
pestr
PeStudio
pe_unmapper
Pev toolkit
PhantomJS
Pinpoint
Portable Document Format (PDF); "portable document format" in page or "PDF" in cswordlist
portex
Position-Independent Code (PIC); "position-independent code" in page or "PIC" in cswordlist
PowerShell
PowerShell ISE
ProcDOT
Process32First
Process32Next
Process Environment Block (PEB); "process environment block" in page or "PEB" in cswordlist
Process Hacker
Process Hollowing
Process IDentifier (PID); "process identifier" in page or "PID" in cswordlist
Process ID (PID); "process id" in page or "PID" in cswordlist
Process Monitor
process replacement
ProtectionID
pstree
PXE boot
qpdf
queuing
Quttera
Radare
Radare2
RAX register
RDG Packer Detector
ReadFile
reg_export
RegOpenKeyEx
Regshot
regsvr32.exe
ResumeThread
RETN; "RETN" in cswordlist
RET; "RET" in cswordlist
Rich Text Format (RTF); "rich text format" in page or "RTF" in cswordlist
RIP pointer
RIP-relative addressing
RollBack Rx
rootkit
rtfdump.py
RtlDecompressBuffer
RunPE
sandboxes
Sandboxie
scdbg
SciTE
Scout
Scylla
ScyllaHide
Secure File Transfer Protocol (SFTP); "secure file transfer protocol" in page or "SFTP" in cswordlist
Secure Shell (SSH); "secure shell" in page or "SSH" in cswordlist
segment registers
setdllcharacteristics
SetThreadContext
SetWindowsHook
SetWindowsHookEx
Shellcode
shellcode2exe
shellcode2exe.py
ShellExecuteW
SHL; "SHL" in cswordlist
SHR; "SHR" in cswordlist
signsrch
SOCKS
SpiderMonkey
SS; "SS" in cswordlist
Stages of malware analysis
static analysis
static analyzer
stdcall
strace
Strace-for-NT
strcpy
strdeob.pl
strings2
Structured Exception Handling (SEH); "structured exception handling" in page or "SEH" in cswordlist
Structured Storage (SS); "structured storage" in page or "SS" in cswordlist
SUB; "SUB" in cswordlist
Summary of the analysis
svchost.exe
swf_mastah.py
switch statement
SysAnalyzer
system calls
System Monitor (Sysmon); "system monitor" in page or "Sysmon" in cswordlist
System Service Descriptor Table (SSDT); "system service descriptor table" in page or "SSDT" in cswordlist
TcpLogView
TEST; "TEST" in cswordlist
thiscall
Thread Information Block (TIB); "thread information block" in page or "TIB" in cswordlist
Thread Local Storage (TLS); "thread local storage" in page or "TLS" in cswordlist
ThreatAnalyzer
Thug
Tinba
TitanMist
TOR; "TOR" in cswordlist
TorSocks
trampoline
TrickBot
trid
unescape
Unicode
unXOR
unzip
UPX
urlQuery
user-mode
usewithtor
V8
vaddump
Viper
Virtual Address Descriptor (VAD); "virtual address descriptor" in page or "VAD" in cswordlist
VirtualAlloc
VirtualAllocEx
VirtualBox
Virtual Function Table (vftable); "virtual function table" in page or "vftable" in cswordlist
Virtualization
Virtual PC
VirtualProtect
VirusTotal
Visual Basic for Applications (VBA); "visual basic for applications" in page or "VBA" in cswordlist
VMDetection
VMware
Volatility
VPN
vURL
wget
while loop; "while" in page and "loop" in page
WinDbg
Windows Virtual PC
WinGraph32
WinPMEM
WinSCP
Wireshark
WMIC
WM_LBUTTONDOWN
WM_LBUTTONUP
WM_MOUSEMOVE
WPE Pro
WriteProcessMemory
WRITE; "WRITE" in cswordlist
WScriptShell.Run
x64dbg
XCHG; "XCHG" in cswordlist
XML
XML-based Office documents
XML Forms Architecture (XFA); "xml forms architecture" in page or "XFA" in cswordlist
xorBruteForcer.py
XORI
xor-kpa.py
XORSearch
xortool
xrefs window
xxd
zipdump.py
ZwGetContextThread
ZwProtectVirtualMemory
ZwUnmapViewOfSection
ZwWriteVirtualMemory