# Ransomware, Trojan and Miner together against “PIK-Group”

**marcoramilli.com/2019/02/28/ransomware-trojan-and-miner-together-against-pik-group**

By marcoramilli, February 28, 2019

When an unknown sender suggests that I click on a super weird URL, dropping a ZIP file straight in my box, by saying it’s the next targeted attack on a huge company, well, I kinda look forward to it! So I clicked on the link (see IOC section) and I downloaded a “pik.zip” file. The zip file unwrapped an interesting “Cyrillic-looking” JavaScript file named Группа Компаний ПИК подробности заказа, which according to Google Translate would be “PIK Group of Companies order details”. It looks like a file crafted for [PIK-Group](http://pik-group.com/), one of the most important real estate companies based in Russia, with more than 14k employees!

Analysing the script makes it clear that it won’t be a piece of cake. The script is heavily obfuscated with several techniques. As you might appreciate from Stage0 (following image) there are two main obfuscation streams: the first is implemented by introducing fake static forks such as “if” and “case” statements, and the second is implemented by dynamically building function blocks from nested strings, which are themselves dynamically built and split across multiple concatenation steps.

*Image: Javascript Stage0*

The script eventually drops and executes (Stage0 execution phase follows) a fake image file (msg.jpg), which is actually a UPX-packed Windows PE acting as the second stage. The second stage drops and executes three additional modules: a backdoor, a miner and finally a quite well-known ransomware. At this point it is hard to understand the attacker’s needs: why so many different actors in a single attack?

*Image: Stage0 Execution*

According to [pcrisk](https://www.pcrisk.com/removal-guides/13937-crypted000007-ransomware), the first downloaded module (327B0EF4.exe) looks like the well-known Troldesh ransomware. This particular ransomware renames files so that they comprise a line of characters and digits and adds the “.crypted000007” extension to each. For example, after encryption, the file “1.jpg” might have an appearance similar to this example: “hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007”. Furthermore, Crypted000007 creates ten ransom-demand messages (with identical content) called “README1.txt”, “README2.txt” … “README10.txt” and places them on the desktop. This virus also changes the desktop wallpaper. The following image shows the ransom note that I got during the infection phase.

*Image: Ransomware Note*

The second installed module (37ED0C97.exe) is a well-known piece of software as well. It’s a miner called nheqminer. Nheqminer is a great implementation of Equihash mining, mainly used on NiceHash but forked many times, and today it is used by several other projects as well. Nheqminer is a miner for Zcash that runs on common PCs. You might want to check out more [here](https://github.com/nicehash/nheqminer). By exploring memory snapshots taken during its execution, it is easy to figure out that the miner runs against the Zcash.Flypool server, mining for the following wallet address.

*Image: Attacker Wallet*

According to [zcashnetwork](https://zcashnetwork.info/address/t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep) the attacker’s wallet has received 4.89 ZCash from mining activity so far (last transaction on February 26th, 2019). This amount suggests that the attacker’s activity started (or restarted) a few days ago, or that the infected botnet is not so big at this time.

According to VirusTotal the third installed module (B56CE7B7.exe) is another well-known piece of software, called Trojan-Heur and (in)famous during 2017 for performing brute force attacks on WordPress-based websites.

A typical behaviour for Trojans like HEUR.Trojan.Win32.Generic is one or all of the following:

- Download and install other malware.
- Use your computer for click fraud.
- Record your keystrokes and the sites you visit.
- Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
- Give a remote malicious hacker access to your PC.
- Advertising banners are injected into the web pages that you are visiting.
- Random web page text is turned into hyperlinks.
- Browser popups appear which recommend fake updates or other software.

Indeed, its behaviour perfectly fits the malware family’s behaviour. Once installed on the victim PC it starts to brute force many websites, looking for weak credentials. Once it finds weak credentials it installs itself into the WordPress website, maintaining the original name: “pik.zip”. Thanks to this characteristic it would be possible to enumerate infected websites through combined searches on the Google search engine (please see dropping URLs).

*Image: BruteForce Module and installation path*

The following image shows the main actor connections and their relationships.

*Image: Main actors map*

The analysed implant is quite interesting since it raises many questions, for example:

- Why does the attacker pretend to build a targeted attack against PIK-Group (using crafted strings) with refurbished malware?
- Why does the implant install a “miner” and a “ransomware” as well?
- While the usage of software for harvesting money might be understandable, why did the attacker introduce a brute force Trojan bot?

From my personal point of view this is quite weird behaviour that goes pretty far from classical state-sponsored attacks. We are facing an actor who apparently wants money (ransomware and miner), but also wants credentials and wants to be able to control the victim’s box in the future. But, again, we are facing an actor who is using the victim to brute force random third-party websites as well. This activity is quite heavy and is easy for security administrators or IT guys to detect and block, which is clearly in opposition to mining (which wants to remain as stealthy as possible) and to the trojan as well (which wants to propagate itself silently). We might assume a malware-building factory that is overselling a small botnet. In any case I don’t think it is a state-sponsored attack against PIK-Group, but rather a nice way to maximise profits on a relatively small botnet.

**IOC:** The dissected IOCs are grouped as follows. The Command and Control IoCs refer to the Heur malware family; hashes refer to the evidence files found; dropping URLs refer to the first-infection URLs, in other words where the final victims could drop and execute Stage0. TrojanVictims (brute-forced websites) refer to the victims of the trojan Heur. Those victims are not the original victims (the ones who got infected by opening the original zip file) but the trojan Heur’s victims; in other words, they are the victims of the brute force attack that this module performs during its life.
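The Crypted000007 renaming scheme and the ten ransom notes described above are specific enough to triage a file listing for. The following Python is an added example, not code from the original post; the sample paths are constructed, and the 20-hex-character middle field and the filename-safe base64 alphabet are assumptions inferred from the single filename the post quotes.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Shape taken from the one filename quoted in the post:
#   <base64-looking name>.<20 hex characters>.crypted000007
# Field length and alphabet are assumptions inferred from that example.
RENAMED = re.compile(
    r"^(?P<name>[A-Za-z0-9+_\-]+={0,2})\.(?P<mid>[0-9A-F]{20})\.crypted000007$",
    re.IGNORECASE,
)
NOTE = re.compile(r"^README(\d{1,2})\.txt$", re.IGNORECASE)
FULL_NOTE_SET = set(range(1, 11))  # README1.txt .. README10.txt


def triage(paths):
    """Classify a Windows file listing against the Crypted000007 artefacts."""
    renamed, extension_only = [], []
    mids = set()
    notes = defaultdict(set)  # directory -> README numbers seen there

    for raw in paths:
        p = PureWindowsPath(raw)
        m = RENAMED.match(p.name)
        if m:
            renamed.append(raw)
            mids.add(m.group("mid").upper())
            continue
        if p.name.lower().endswith(".crypted000007"):
            # Right extension, wrong shape: worth a look, but weaker evidence.
            extension_only.append(raw)
            continue
        n = NOTE.match(p.name)
        if n and int(n.group(1)) in FULL_NOTE_SET:
            notes[str(p.parent)].add(int(n.group(1)))

    full = sorted(d for d, nums in notes.items() if nums == FULL_NOTE_SET)
    partial = sorted(d for d, nums in notes.items() if nums != FULL_NOTE_SET)

    if renamed and full:
        verdict = "strong"    # renamed files plus the complete note set
    elif renamed or extension_only or full:
        verdict = "partial"   # one indicator only: investigate further
    else:
        verdict = "none"      # a lone README1.txt is normal in many projects

    return {
        "verdict": verdict,
        "renamed": renamed,
        "extension_only": extension_only,
        "middle_fields": sorted(mids),
        "full_note_dirs": full,
        "partial_note_dirs": partial,
    }


# Constructed sample listing; only the first filename comes from the post.
DESKTOP = r"C:\Users\anna\Desktop"
SAMPLE_LISTING = [
    r"C:\Users\anna\Documents\hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007",
    r"C:\Users\anna\Pictures\Zm9vYmFyYmF6cXV4.135DB21A6CE65DAEFE26.crypted000007",
    r"C:\Users\anna\Documents\notes.crypted000007",
    r"C:\Users\anna\Documents\report.docx",
    r"C:\Users\anna\Downloads\README1.txt",
] + [DESKTOP + rf"\README{i}.txt" for i in range(1, 11)]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```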
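The post notes that the brute-force module is heavy and easy to detect; from the defender's side that shows up as one internal client sending login POSTs to many unrelated WordPress sites within a short window. This Python is an added example, not from the original post: the proxy-log format and sample lines are constructed, and because the post does not name the endpoint the module hits, the standard WordPress login paths `/wp-login.php` and `/xmlrpc.php` are assumed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: standard WordPress authentication entry points.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse(line):
    """Constructed log format: ISO-timestamp client-ip METHOD URL status."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts), client, method, urlsplit(url), int(status)


def find_bruteforcers(lines, window=timedelta(minutes=10), min_sites=5):
    """Return {client: peak number of distinct sites hit with login POSTs
    inside any sliding window} for clients reaching min_sites."""
    events = defaultdict(list)  # client -> [(timestamp, site)]
    for line in lines:
        try:
            ts, client, method, url, _status = parse(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        if method != "POST" or not url.hostname:
            continue
        if not url.path.lower().endswith(LOGIN_PATHS):
            continue
        site = url.hostname.lower()
        if site.startswith("www."):
            site = site[4:]  # count www.example and example as one site
        events[client].append((ts, site))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        in_window, per_site, peak = deque(), Counter(), 0
        for ts, site in evs:
            in_window.append((ts, site))
            per_site[site] += 1
            # Drop events that fell out of the window ending at ts.
            while ts - in_window[0][0] > window:
                _, old = in_window.popleft()
                per_site[old] -= 1
                if per_site[old] == 0:
                    del per_site[old]
            peak = max(peak, len(per_site))
        if peak >= min_sites:
            flagged[client] = peak
    return flagged


# Constructed sample proxy log.
SAMPLE = (
    # Workstation behaving like the module: six different sites in a minute.
    [f"2019-02-28T10:00:{i * 10:02d} 10.0.0.23 POST http://blog{i}.example/wp-login.php 200"
     for i in range(6)]
    # Site owner: many logins, but always to the same site.
    + [f"2019-02-28T10:05:{i:02d} 10.0.0.40 POST https://www.shop.example/wp-login.php 302"
       for i in range(8)]
    # Five different sites, but spread over several hours.
    + [f"2019-02-28T{9 + i:02d}:30:00 10.0.0.51 POST http://news{i}.example/xmlrpc.php 200"
       for i in range(5)]
    + ["malformed line"]
)

if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE))
```

The window and threshold are tuning knobs: widening the window catches slower spraying at the cost of flagging users who legitimately administer several sites.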
www[.]martinowithanolive[.]com www[.]marygospe[.]com www[.]massme[.]fr www[.]maudlinrealtygroup[.]com www[.]mcqueentargets[.]com www[.]medshingepatil[.]com www[.]meilleursfilmsdvd[.]com www[.]mentorshelponline[.]com www[.]meshurizmirkumrucusu[.]com www[.]meublessalon[.]net www[.]mindable[.]health www[.]minnhydro[.]com www[.]minssushi[.]com www[.]mithostel[.]com www[.]money-industry[.]com www[.]moverenow[.]com www[.]moviecliq[.]com www[.]moyburger[.]com www[.]mrandmrsthomas[.]fr www[.]mutlusonlu[.]xyz www[.]naturalcure[.]website www[.]naturaltoys[.]online www[.]naturelovingenergy[.]com www[.]new-york-city-limo-service[.]com www[.]nextgenerationfaithfulness[.]com www[.]offersforyourhouse[.]com www[.]oldschoolsurfshop[.]com www[.]parentresources[.]info www[.]pneumoniavaccinesresearch[.]com www[.]pompanogaragedoorrepair[.]com www[.]raceacrossamericachallenge[.]com www[.]ranchocucamongaplumbinginc[.]com www[.]restaurantefincadelaribera[.]com www[.]roshinteriors[.]com www[.]rtvelvendrell[.]com www[.]saglamkarotcu[.]com www[.]sauvaige[.]com www[.]shivamloanconsultancy[.]com www[.]suministrosyequiposltda[.]com www[.]superbfightmarketing[.]com www[.]tengxunyunyhw[.]com www[.]tetrasysgroup[.]com www[.]the-diamond-club[.]com www[.]thecatpumpkin[.]com www[.]thechamberick[.]com www[.]thefionastarr[.]com www[.]theleejackson[.]com www[.]topnewfashion[.]com www[.]traceotop[.]com www[.]trascendentalarquitectura[.]com www[.]veranime[.]online www[.]werecookingrestaurantsusa[.]com www[.]westchesterrestorations[.]com www[.]whitecottagehomeandliving[.]com www[.]yedeklemesunucusu[.]com www[.]zettlerintegratedsolutions[.]com wwwnutricionistalinacorpus[.]com xiaomistore[.]website yelletqazan[.]com yenisahracilingir[.]info yomecanico7[.]website yynew1000[.]000webhostapp[.]com ----- zettlerintegratedsolutions[.]com -----