# Appendix A: IoCs

4d98790aa67fb14f6bedef97f5f27ea8a60277dda9e2dcb8f1c0142d9619ef52 Obfuscated Javascript
cc085b1f803c1566d51372230a3c18d87fe025cad2ed78704dca7827de3f7c10 Packed LOLSnif
8d700ea74a33ffa2fd3e0b2c47a2add4254c376a6a2e430457fe08248ddf2797 LOLSnif
c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa LOLSnif
7307f15e8baebca4d001da7db5841d96556f7db17eb3c99ce0287a6535d896eb LOLSnif
f48e634d5ce543593b8f3b96452aa8308a49e545bf8349c3de69315f1ba6c400 LOLSnif
e3d89b564e57e6f1abba05830d93fa83004ceda1dbc32b3e5fb97f25426fbda2 LOLSnif
8ffe59d11b2adbf78054cc8272c79b942adb37393544bb927f5256fcc837473e LOLSnif
6buzj3jmnvrak4lh[.]onion CC domain
ad1.wensa[.]at CC domain
ap.ganikol[.]at CC domain
api10.dianer[.]at CC domain
api11.explik[.]at CC domain
api2.casus[.]at CC domain
api3.lamanak[.]at CC domain
api5.malorun[.]at CC domain
app.calag[.]at CC domain
been.dianer[.]at CC domain
chat.allage[.]at CC domain
chat.casus[.]at CC domain
deem.dianer[.]at CC domain
df1.kamalak[.]at CC domain
dianer[.]at CC domain
f1.pipen[.]at CC domain
g4xp7aanksu6qgci[.]onion CC domain
g8.farihon[.]at CC domain
io.laurela[.]at CC domain
kamalak[.]at CC domain
k28.ioipzet[.]at CC domain
l35sr5h5jl7xrh2q[.]onion CC domain
mobify[.]at CC domain
nort.calag[.]at CC domain
pipen[.]at CC domain
two.ahah100[.]at CC domain
vv.malorun[.]at CC domain
w8.wensa[.]at CC domain
ya.aftnoop[.]at CC domain

|Appendix A: IoCs|Col2|
|---|---|
|4d98790aa67fb14f6bedef97f5f27ea8a60277dda9e2dcb8f1c0142d9619ef52|Obfuscated Javascript|
|cc085b1f803c1566d51372230a3c18d87fe025cad2ed78704dca7827de3f7c10|Packed LOLSnif|
|8d700ea74a33ffa2fd3e0b2c47a2add4254c376a6a2e430457fe08248ddf2797|LOLSnif|
|c206f90bd8e3a34f7eb522e01dba93e5dd8282a7573bbf03e6a91434c9d4a7fa|LOLSnif|
|7307f15e8baebca4d001da7db5841d96556f7db17eb3c99ce0287a6535d896eb|LOLSnif|
|f48e634d5ce543593b8f3b96452aa8308a49e545bf8349c3de69315f1ba6c400|LOLSnif|
|e3d89b564e57e6f1abba05830d93fa83004ceda1dbc32b3e5fb97f25426fbda2|LOLSnif|
|8ffe59d11b2adbf78054cc8272c79b942adb37393544bb927f5256fcc837473e|LOLSnif|
|6buzj3jmnvrak4lh[.]onion|CC domain|
|ad1.wensa[.]at|CC domain|
|ap.ganikol[.]at|CC domain|
|api10.dianer[.]at|CC domain|
|api11.explik[.]at|CC domain|
|api2.casus[.]at|CC domain|
|api3.lamanak[.]at|CC domain|
|api5.malorun[.]at|CC domain|
|app.calag[.]at|CC domain|
|been.dianer[.]at|CC domain|
|chat.allage[.]at|CC domain|
|chat.casus[.]at|CC domain|
|deem.dianer[.]at|CC domain|
|df1.kamalak[.]at|CC domain|
|dianer[.]at|CC domain|
|f1.pipen[.]at|CC domain|
|g4xp7aanksu6qgci[.]onion|CC domain|
|g8.farihon[.]at|CC domain|
|io.laurela[.]at|CC domain|
|kamalak[.]at|CC domain|
|k28.ioipzet[.]at|CC domain|
|l35sr5h5jl7xrh2q[.]onion|CC domain|
|mobify[.]at|CC domain|
|nort.calag[.]at|CC domain|
|pipen[.]at|CC domain|
|two.ahah100[.]at|CC domain|
|vv.malorun[.]at|CC domain|
|w8.wensa[.]at|CC domain|
|ya.aftnoop[.]at|CC domain|


-----