GachiLoader: Defeating Node.js Malware with API Tracing

Research by: Sven Rath (@eversinc33), Jaromír Hořejší (@JaromirHorejsi)

Key Points

• The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers.
• One of the observed campaigns uses a new, heavily obfuscated loader malware written in Node.js, which we call GachiLoader.
• To make it easier to analyze obfuscated Node.js malware, Check Point Research developed an open-source Node.js tracer, which significantly reduces the effort needed to analyze this type of malware and extract configurations.
• One variant of GachiLoader deploys a second stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection. This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.

Introduction

In a previous publication, we examined the YouTube Ghost Network, a coordinated collection of compromised accounts that abuse the platform to promote malware. In our current research, we analyze one specific campaign of this network, which stood out as the deployed malware implements a previously undocumented PE injection method which abuses Vectored Exception Handling to load its malicious payload.

Campaign Overview

Similar to campaigns we previously documented, the infection chain begins with compromised accounts that host videos designed to lure viewers into downloading malware from an external file hosting platform. The theme of this campaign are game cheats and various cracked software:

The video’s descriptions then provide a password for the archive containing the malware, as well as instructions that usually include disabling Windows Defender.

We identified more than a hundred videos belonging to this campaign, which collected approximately 220.000 views. The videos were spread across 39 compromised accounts, with the first video uploaded on December 22, 2024. This means that this campaign has been running for more than 9 months. After we reported these videos to YouTube, most have been taken offline, although new videos will continue to appear on newly compromised accounts.

Since we started monitoring this specific campaign, it deployed the Rhadamanthys infostealer as a final payload, which is distributed through a custom loader which we call GachiLoader.

GachiLoader

GachiLoader is a heavily obfuscated Node.js JavaScript malware used to deploy additional payloads to an infected machine. Node.js is one of a long line of threat actors always adapt their arsenal using non-traditional programming languages and platforms adapted by threat actors in their quest to spread malware.

As obfuscated JavaScript requires a lot of time and effort to manually deobfuscate, we developed a tracer for Node.js scripts to dynamically analyze this type of malware, defeat common anti-analysis tricks and significantly reduce the manual analysis effort. This tool is not only useful for GachiLoader, but is useful for anyone analyzing heavily obfuscated Node.js malware. Therefore, we decided to share it with the research community here:

• https://github.com/CheckPointSW/Nodejs-Tracer

Some of the analyzed GachiLoader samples drop a second-stage loader, which we call Kidkadi. This loader is particularly interesting, as it implements a novel technique for PE injection, which tricks the Windows loader into loading a malicious PE from memory instead of a legitimate DLL. We analyzed this technique, which we call Vectored Overloading and reimplemented it in a Proof-of-Concept (PoC) shared below.

Technical Analysis

GachiLoader’s JavaScript module is bundled into a self-contained executable, using the nexe packer, with sizes roughly between 60 and 90 MB. nexe is an open-source project, that compiles a Node.js application into a single executable file, bundled with a Node.js runtime, so that the file can run on a host without Node.js installed. While the size of the executable is quite big, it isn’t suspicious as the victim expects to receive a software package. The tool nexe_unpacker can be used to extract the obfuscated JavaScript source code from the PE.

Anti-Analysis Features

To avoid analysis by a security researcher or an automated sandbox, the GachiLoader JavaScript module employs several anti-VM and anti-analysis checks:

• Checks if the total amount of RAM is at least 4GB
• Checks if at least 2 CPU cores are available
• Compares the username against a list of usernames, that can be associated with various sandboxes or analysis systems (see Appendix A for a list of all names).
• Checks the hostname against a similar list of hostnames (see Appendix B for a list of all hostnames).
• Probes the running programs and compares against a list of programs, such as analysis tools, sandbox indicators or common programs running on VMs (see Appendix C for a list of all process names).

The malware then proceeds to run several PowerShell commands to enumerate the system resources and capabilities over WMI .

• Check if at least one port connector object exists: (Get-WmiObject Win32_PortConnector).Count
• Get drive manufacturers and compare against a blacklist: Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model (See Appendix D for a list of all drive manufacturers).
• Resolve video controllers via Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name, and check the names against a blacklist associated with VM environments (See Appendix E for a list of all video controller names).

If any of these checks indicate a virtual machine, sandbox or analysis environment the malware enters a loop of sending HTTP GET requests to benign websites such as linkedin.com, grok.com, whatsapp.com or twitter.com :

Finally, to avoid running multiple times in a short period of time, a mutex file with a random-per-sample name and the .lock extension is created in the %TEMP% directory on running for the first time. If this file already exists or was modified within the last 5 minutes, the program terminates.

We were able to easily bypass all of these anti-analysis with Node.js Tracer: the tool hooks into the respective methods and spoofs the results to the caller, in this case the malware, allowing the script to run and expose its malicious actions:

Privilege Elevation via UAC Prompt

If the malware decides that the environment is not that a sandbox, it then checks if it is running in an elevated context by running net session , a command that is expected to fail if run by a non-administrative user. If the command fails, the malware tries to restart itself in an elevated context using the following PowerShell command:

powershell -WindowStyle Hidden -Command "Start-Process cmd.exe -Verb RunAs -WindowStyle Hidden -ArgumentList '/c \"<path_to_program_itself>\"'"

While this triggers a UAC prompt, that prompt is likely to be accepted by the victim, as they expect to run an installer for some sort of software, which usually requires administrative privileges.

Defense Evasion

To avoid detections of subsequent payloads, the malware attempts to kill Windows Defender’s SecHealthUI.exe process by running taskkill /F /IM SecHealthUI.exe and adds Defender exclusions via Add-MpPreference -ExclusionPath for the following paths:

• C:\Users\
• C:\ProgramData\
• C:\Windows\
• For all other existing drives, at the root (e.g. D:\ )

In addition, an exclusion for *.sys files is added via Add-MpPreference -ExclusionExtension '.sys', although we have not observed any *.sys files being dropped by the analyzed samples.

Payload Delivery and Execution

To retrieve the next stage’s payload, the malware comes in two variants.

• One variant gets the payload from a remote URL
• The other variant drops another loader, kidkadi.node, which loads the final payload using the Vectored Overloading method. This payload is embedded in the loader’s JavaScript source.

First Variant – Remote Payload

GachiLoader first obtains information about the host it is running on, such as antivirus products and the OS version, and sends them via a POST request to the /log endpoint of its C2 (Command and Control) addresses. The samples all have multiple C2 addresses embedded for redundancy and try out each one in succession, as we saw when tracing the calls through our tracer:

Next, a GET request to the /richfamily/<key> endpoint (where <key> is a value unique to each sample) with the X-Secret: gachifamily header gets the URL of the final payload to download, encoded in Base64. This final payload can only be retrieved if using the correct X-Secret header again – this time using a unique key embedded in the binary, e.g. X-Secret: 5FZQY1gYj0UKw4ZC99d1oNYR8LvTPtrfN357Eh5gmRvsMaPYgXtMxRXpMb2bTFOb2h2HqMnvUKT9CUpj9864gckmPUzf9uLIIU9. Otherwise, the web server returns a Forbidden error.

The final payload is then downloaded to the %TEMP% directory and saved with a random name, mimicking legitimate software such as KeePass.exe, GoogleDrive.exe , UnrealEngine.exe or others which contain the Rhadamanthys infostealer, packed and protected with VMProtect or Themida.

Second Variant – Kidkadi

The second variant we observed in the wild did not reach out to a C2 server to get the second payload, but instead had an embedded payload which is executed through another loader that is dropped to disk under %TEMP% as kidkadi.node:

.node files are native addons for Node.js, which are essentially just DLLs that can be called from Node.js code via dlopen. Therefore, they can be used by developers whenever the Node-API does not expose sufficient functionality.

The malware exposes a function for Node.js to call, where the name of the method differs across samples. In some cases, the name as well as the error messages in some samples are of Russian origin:

The loader passes the payload PE as a binary buffer to Kidkadi through this exposed function, which then runs this payload via reflective PE loading. We found that this loader uses a novel spin on Module Overloading, abusing Vectored Exception Handlers (VEHs) to trick the Windows operating system to run the final payload, when invoking LoadLibrary to load an arbitrary DLL. This technique, not yet documented, shows that the author has a decent understanding of Windows internals. We named this method Vectored Overloading.

PE Loading via Vectored Overloading

The malware first creates a new section with SEC_IMAGE from the legitimate wmp.dll, a DLL used by Windows Media Player. It then overwrites this section with the content of the payload (the PE to be loaded) and maps a view of that section into the process via NtMapViewOfSection. The PE’s sections are then copied into memory one by one and relocations as well as the correct protections are applied:

This results in a view of the malicious PE, mapped to the process, which is backed by the legitimate DLL wmp.dll. This section view is what the Windows loader (meaning ntdll!Ldr*) will be tricked into loading later on.

Since the Windows loader, called via LoadLibrary, does not load arbitrary PEs, but only those that have DLL characteristics, the Characteristics of the FileHeader are set to IMAGE_FILE_DLL , if the payload is not a DLL. Additionally, the entry point is zeroed out, likely to avoid the loader calling an entry point that is not that of a DLL. If the payload is a DLL, the header is not changed.

Afterwards, the malware registers a Vectored Exception Handler (VEH).

VEHs are user-mode callbacks that are invoked by the OS when an exception occurs. A common malware technique abusing VEHs is to register a hardware breakpoint on a specific instruction, which triggers an exception whenever this instruction is reached. This exception is then handled by the VEH, which can intercept the call and, for example, change the parameters. This essentially allows hooking functions without patching memory, such as when using classic trampoline hooks.

In this case, the hardware breakpoint (HWBP) is set on NtOpenSection :

The malware then loads amsi.dll via LoadLibrary , which kicks off the injection:

A call to LoadLibrary internally ends up in the Windows loader creating a section object of the target DLL to load, which is opened through a call to NtOpenSection . This triggers the hardware breakpoint, and subsequently the VEH, which were registered earlier. This is where the main injection logic is implemented.

To make the loader map the malicious PE instead of the actual amsi.dll section, the section object pointing to amsi.dll is swapped with the malicious payload section from earlier. The VEH simply places the section handle created earlier on the stack position that corresponds to the [out] PHANDLE SectionHandle argument of NtOpenSection. The VEH then advances the instruction pointer eip to the ret instruction and resumes execution. This skips the actual call to the kernel while still giving back a valid handle, essentially emulatingNtOpenSection:

Before stepping out of the VEH, the hardware breakpoint is re-set to NtMapViewOfSection.

NtMapViewOfSection is then used by the Windows loader to map the section into the process, which again triggers the hardware breakpoint. To make sure the malicious payload is mapped, the syscall is again emulated by advancing the instruction pointer and replacing the [out] arguments with the relevant values, such as the section base address or the section size. This is possible, because the section view was mapped by the malware earlier, when the malicious payload was written into the view of wmp.dll:

A final hardware breakpoint is then set on NtClose , where the malware simply verifies that the correct section handle is closed.

Back in the regular flow of the program, outside the VEH, the entry point will be invoked if the payload is a regular PE. If it is a DLL, the loader expects it to be another .node module and resolves the correct exports to invoke:

Completely unrelated to this campaign, we found a file with an original filename of HookPE.exe, which is a 64-bit PoC version of the technique with debug prints that uses the technique to load calc.exe into memory. Error strings in this binary indicate that the loader uses code from libpeconv for PE manipulation.

This injection technique has multiple advantages over “classic” RunPE-style reflective loading:

• Just like when using the Module Overloading technique, the injected DLL will show up as backed by a legitimate image (such as wmp.dll), since the section was originally created for this DLL. However, since the code in memory will differ from the code on disk, tools such as Moneta are able to detect it:

• Some loader work is offloaded to the Windows loader. This significantly reduces complexity for the malware author as they do not have to implement e.g. resolving imports or TLS callbacks, which in turn increases payload compatibility. For example, many publicly available PE loaders do not properly handle TLS callbacks.
• By emulating syscalls, the respective kernel side callbacks such as ETWti are not invoked, as the call to the kernel is skipped entirely. This may fool security solutions that rely only on these section ETWti events. Of course, the earlier calls before the injection (when mapping the image) still trigger those events, but not in the order usually expected.

We published a reimplementation of the 64bit variant of this injection method as a tool for security researchers to analyze the technique and test detections:

• https://github.com/CheckPointSW/VectoredOverloading

Dynamic Config Extraction at Scale

As deobfuscation of the JavaScript source is a tedious and partially manual process, we decided to run all available samples of GachiLoader through Node.js Tracer to bypass the anti-analysis checks and receive the final payloads. By hooking filesystem-related Node APIs, the downloaded files are saved for the analyst before they can be deleted by the malware trying to remove its traces.

The final payloads of both variants of GachiLoader were all packed and protected by Themida or VMProtect. Dumping the unprotected configuration from memory when running them in an automated sandbox then allowed us to extract the C2 servers of the final payloads.

All the analyzed samples that were part of this campaign dropped Rhadamanthys as the final malware. The extracted C2 servers can be found in the IoC section below.

Conclusion

Malware written for the Node.js platform has become increasingly common and is mostly found in obfuscated form, which is tedious to statically deobfuscate and analyze. By enabling analysts to trace and hook Node-API execution dynamically with our open source Node.js Tracer, the time that has to be spent on triage and analysis is significantly reduced, and common anti-analysis checks can easily be defeated.

The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique. This highlights the need for security researchers to stay up-to-date with malware techniques such as PE injections and to proactively look for new ways in which malware authors try to evade detections.

The threat actors behind the YouTube Ghost Network exploit the trust in the YouTube platform to trick victims into downloading malware. Users should be particularly cautious of offers for cracked software, cracks, trainers, or cheats, as these files are frequently laced with malware designed to steal data and/or compromise a device. While both the security community and YouTube actively work to identify and remove such content, these attacks remain persistent.

Protections

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, filetypes, and operating systems, and protect against the attacks and threats described in this report.

Indicators of Compromise

Description	Value
.zip Archives	062d342f59136c3bbc729e0c412d2c2589b6f9058912583eeb9b61d7916db00e 34e1cd959c0c586fcd495225803061e6e2a19e7818c47a46a47822ba6726500d 434fc84cc190bb0c8af86d3566d6517672fed9c171eb0df5c7541f0dce679c8b 606eca698d0d4a67b21428b0812a261daab36598fded60b189106b0b27992225 775b05b8cc8d03751828986727cd1929caf6868e1df9cd21e9366c48ce161c5e 872fde8128f3a0f074975b6ca0d83fa56a8289b2063351f298bbf0c9025948d3 99f4755fd9b25aadae4e154d661ccceecbbb3d4343dc6c81e04aa81516be81d0 a4e2c0ffb93103db23777c12b48a31816b83b0799c9bc71e92bb576e884d76d4 b48f3e7e6c67bfb3c73c85a33a377f9bb840e1b7b09871ab29a19cdb7965d5d1 c4266da90d6c655388ae8d64aebf5f9178adbbe486b2249e6bb7d18451f28a3b cc95609cc375263129b8f425800a9bb462055b11dbf0d8aef2b3312aa2e90daf f0de35ff0b889c7e93a89e918488a33aa21e4b6e7743ae87f1993ea77b237ecf
Variant 1 – GachiLoader	00bcfecad4b679f72c50cbdcd883caf55b6a1f641258a636317871c7b8940156 00db4aa911e95ecfafa6f10ebfeb9f0a8051ee63de51ea1d9515ece5be2a294b 01a3da42f74578c0b7c1146f30eceb2a2bc26c2d814a48fcf29ae527a1048aff 028711c1b435c773ba600a863f4d4a2d1218860de799a1275d15d4ea93f0cbef 02c0de5116d9b05d930e4858cd9768cc2ba70e91be62690439537fdf0f52de53 032a297bfbdc94226f0d88c77ab27148c54ebde6bfa2750fed09b1d8667ddcd6 03d55245ef2766943813c0d1eaa3859d3918ee6fed2705bb5eeb38f4f87a5643 079a180eeed0f4fc84c2412ba0398a79c5262efa1d9e8fd53290cd001b5abf9f 094240cd298de1121da36adb96b3cdd632f866837f27e3951b6a0a544e5437f6 0a6d41411ef3c65540a525dc5c3ab0964cd595aa73c3a477a8a96ec986277660 0bd44592e75854a1c763384bf9dcea6dfe1174f6f45df342ebd9dfaa3a27dc85 0c03845b9e2ff5ddac56f6e75b8e9dadf1a7bd1681d074e732478596b3173922 0f81656ce724b65c230c4d63259c3a0edff20cc664de964f16451417eda60005 14bfaf75b5c7ffac451f41352f8e94b6cc060efe7d645189795fa921f4e602bc 16b2f7d9d4ace9e3004bd47f97c252a7fea21662656ec6b906d30a6b21900fc4 18649874ab887ab613a3ccdd7cddc683e2b21f7cbe0762d2ce8201fc7e57540c 1d28c23b271eb2156bf2780cb0dd042573f38f4758ef61877a7347bbbc756c8b 1ebeca5dc62d759904c47597ebeb67865017a99892081c94d7647206b78a6cd2 1f35a5ee4ead5c286f3e0d3ddecaf8789f12da7b8b7422b0511af619353284b7 2038f38ccd42cd1df84abfb5915e3a6eb9c976b8d822768068343716f46a09f1 210d821109ec1dff3b92ad3cfdde59912581327f4017b754864ba1e263c3c366 2601d2c2b4515d3f1414d4543cfe2091490e2502457eab6c437a310f7e5e2a1a 266216b097561e57448b940c3087b82c4cea7581b67e5dcc52c8c4dfcbbf8333 278c5a0acd6603947e59e1961642279e29cc4b9be299c8edb7b719d6568eb8da 29fac0ce48b9114990a4dd942d6de1da55bf9c49938929123fb1f221be385eff 2a87f4d47ad95f4eb46c08a4d33fd4732c10a1408db1b758871dfe6b1059c6bb 2e5389a32a6c21fec476fdc6e80fcb577de31c43adb7c090c3a11f3b048787ed 2fee47e12ca72863ee132d63dcac3b39aeace1a4d71b0aa14a30b56ecabf29c9 30bcfa6bbb5e9d9bc64c65a27e1565a9ad21af3d5e1f202933a340cc400abdb9 3124fe59b26dc77c1e4b4d615112928ca1830c890c8c77e853ac6948069ba463 3151700d8f13cf55ad46148cd46ccb0b3409c0adf253433f16ef6612e9280eb2 31dac5bc21b0dabfac51cb99c821e62421c39949971a44898a1ec15efe33e8c4 32855dba1ec6b3c9ba422cf9203d8130e59dcb5235764b8f56b6d02970a5e5b5 33dce93dfdb43f47ef1d36e2dd16725ed365300c371dc45491b52afe13b6e412 3630538febdedf693ca9d996c3f1998d50c97052ab99e653d95b381ddb3546ef 38a7feb5ab611e6a487ce8b048732f7721484ceebb316fd34c9cc611dbc4e3cc 38ac7917ce895448203e6d14f121850ecc4ff89f530e792c794d771f881c7b07 3c16548ab32996a58298978b20db1d4133827298e166f93b7c943dc3ffc51782 3d8c1469de3bb01ef72992e07d1feea9380183983327576978851b8c78ea7fc9 3ed63941e7411e93f644a064094b5a6c7e2a9547840a5198dd7f6b4d45ef9eea 401e7b72f4b7ed4119b625ab34c2c7d37c0dabc08bbdf943fd291445e2fe753c 40f899294ea02f7a9823ada63c869ede18a8afc6238aedb62d2b30a2744cb846 4210e9e1df0bc41e497285483782609c0b4777ef6682fb40b0d25c8149c9f3d2 428f86204b69f31dfc3f3479d18d23b15cad63d72998a8418e8da22941c74956 43b1a11962f83db6bb59bb7467d5456e852d0421ca5eaeae3a249a34839e67b4 43d9130c8f077a5885842bda24bee19e4dd231c49f88629442e5b9f02ff5f33a 45fd42669157357f1e16c0b542eab5836061f5b2e2160a5104a4bde38cac85bf 47ab9b9deaa14202b94320df16f52c8d98adee49c9bff8909ab5deefcbdfe401 48a269d2c083868e2b5347012afb85bb3c233c9f042985bcab764f7788316660 4b71d8cb7ce8de8d557283df3543aa2aed89dd5446c7acf855c0ea2e5e7e89dd 4be48937c603c910c29de2af3b0d3e3bc05b809b19190e90ade2489a347d8b03 4ed90af2fb3fe13eb8ab69fe2fcd82a0775426da33da4ba043d7e7e2fd4a18f7 4f8c55cb3f99741f4fcccdbcff07c7d0b8ab7fa23dcbf8847d7a37a35f6d3f5e 4f95af5b4a1569eb54f6995e547584f429a49895d0d81c71d74970275b170a08 5173c6b57642dd89dba2f039a1ad630d6d73d3557248dd09ca2a51a329e6119e 53ac3b1601f2fa43121cfd43ac9b49f6751a8b84b4ffcc5a1241f71eb1e8d7b8 5538d6f24e1330c934cdfc95188aede5c9668154376e507c41fe1c752cdd7a5b 561436df09f87be34317eeb25a2b7bf5c67201fa501262f72a9a63b9977ae217 59c93f81063e8b77b20292d1d03598f74d997690aac41f5fb7a248ac8ad866c2 5c88a6efd0a713460dcf8b828575285be3a43d6481e245662bafb3472d344dd1 5d1bf72af319901f22d78625d60c877d7a8d6c54bbbcbcfc643376558e176211 5dbdd6d45021383a3c76b2e0c7258a7b0fcfd70904602eb2fb1afe3b33efc80e 60de97fff85ba6f0b114fe565f53ffc1ef43a19de95c31299884e034f05dc037 616b74a6b17b70bae357c43cf03fe1946abc36eea1d0e7d911ca29bd067f63ae 61e215ccf73cba014ecd72abd38ff78d5a23c2727577c5b3e2c8f52b90dc2a4a 62bab101900a92db76e2c368c4a83f7340f42c460b16d11dea94c8db002d5bc9 62bcb939df4a8b7bdc896cd229cf34f55d93555c14e5816ac2aa6285d1cf4112 6463e7f48f01f482fa846bc106de245c833ad7c3ea7fae4caa7ead54b2901cb9 64d6d018e3b7a1d718b96d9950b3579af2a784ab004ad575e13cb41b2c27aa25 66e684ab10b1daf2a46df1031c6ddc331ab80af4e21144a68997d4a1859e9fd7 6985717a754fe121e99c337cc33b0e9a25852fa33c580dc9caaffefaf0908233 69c0084b78bf963997033759fa45933b61de425aea7612a06289ec6c78492745 6a8dd64af57926514131efdc388c9883db2c23aebfd8b97c44e808d637f0fc23 6b80c4fa88fbb35af2b254c63586fd6e0455d0e917b842afc79b821ac87a2b9d 6c428016506c2ae076d049deeba60514cb8c0afa6fd00fc349722cdbc6e1b305 6d5af67f05c9db6763cd494f64c5f62faeb8f1b67ba26a7ab278e27d4c9b8f22 6f1b97838bc5702954ef5f536de86a8477e0008f25bcfba72b7fda4c1f37b9d2 6fcd071c6ab51e71407e8bf242fac8552a10aedff113c9efb92ccc53cc49fbed 7029d2c60ee04772d9dc4d8d34f5effd3e3be17769584bbf912954e926280131 71415238f740c7528f3314f94dc07ffd9b802a34c3997b09ad02da1bcd3c8137 717f05b96a344b1fdd159b4c45e3089a26d1f64e63cd4ac2ed3bf2db33074c3a 765041cdf97bf0b55734cd5619d7d4568a641ae3fc35540344a488184839674b 78908b01a8d959b80f7fa1f42c734c4c64a8cec58394f94cf362b8efd38c7b9c 78b6c96910d8f1e3889bad17f97cd26aed5f6c7a15432cc11c2224a8c9adf691 7a155a20c1e5df83b566fdad3bf59ca49ac6559e0561233a95c7cd70a5caa6dc 7db2025192f4f2497bdc356c1920dfc4740bb868de8a6b5786f01865dfa9e564 825bd0b103d647c296bd2b9eee251b04b7f5dc72f27898fcf0fc25ca24587125 8295cddaf1c23d554b90e4d1ee1ca064f68124df63003a046f58241c3513cd1e 8383a421e9a4f55af53cf1911680042659b28722cff8a30cd202bc728a8fea23 8443994a687269f2d7d19678e571ce1a1658df7da69c25b4bd902f87f849c98d 857f68127546f829861e796b11b80304e2c53e70e54191fec8087f64d7c8146d 86082a735440124bae953c0a68e5eff6a7fe6792f90ea1e71cc0c83a724bc273 87c1c62369657904418affebca3f706a4e968dd1a672729274ba287dfae43be4 88938ad37225074c923ac4baa0b4a171076c273cb064a4905c66a25ca3acfee0 8d473631c12231079a241d63ddc9e4b537d2531135e9aa4d795abf22f2aefd39 8db4cf8f666b7c4ec5051139570b5d3b88569c9e62de31249a70b6cdc716aecd 9211d6fb5db70a51ba5795e0a7126aa1efd0f4b78262031dfb72e98c319ce37e 95760397b9cc05d0180258afee22cd8e6bc997e13754a11cb737733d0beeb444 95f875c01b889f9ba811dae11822c6c83eb28d8260f16ca070c76e83f6f7e7cb 96d2c11dd5bb43da5945259494d7e26a68b5c48eaa32d5eb2d1dc61aa0dfb7fe 980d0d78b3e288f24bcb793d2e49a4e26138cfe4ef272171557658be751d277d 99a3a973caf956102c563773a9a58ff79c539c7c77480873dd0e09fa259b3594 99cc25edbc65ea201b957abbd6cfbd7b3b6f04759cbb47fc999d35508a654748 9a0ccafc516df1e931ba2028ea59f39b31e1cc812c3a2ab1765b9e91fb8cc507 9a28d80ce2c191d743554313edbb8eef09e6f72b34c4d701c0a84090d61264e9 9b60930efa096a98d9fb6392c74f8d3e5f2df6ba8a5b31a304b7fac3d847e7f1 9c562c28323e7681c1cb5a4b23e703c21cda8bc020946de691b6765fcb613a16 a9ec251b719b2ebb85e50f43eea4e2944e0a065daaf5c92420efc852b594d96f ad27bfdd9d51f81e6e743ed351c47812874565e89f6ace03ac39d6c85fefa949 af0891bff41d67815ed7a979fc2127295ea662079afa16d09d1a377684d678ba b1b72689afa038d413e36f5aca61b971b69e4e411976cbd01e3cbf5b2e83141e b67ac42c0ef7402dd53dc950e8162e9a213aa65d5a7901a5cc4aee0b93058b93 b6a3ad06c57b45142dd7ac2c77ea70980296b5d168517f5d7ec4100ec10d305a b8eaa5c0686fb49f6f3e4edd5716df48581001249d5e62563f2468db73526cce bd378786d84743beb0adc8d3dd14ff3d7996caaf6a1eb8783c665091ee9ae225 bd7df13098f3984a18c4a21282ba04ed802bb73c1f91c7eb5a35b89544c545cb bfd049ef7d1384a25c3edaf857b94539525b5f442dbe543fafa2356315780d8d c164232a5a3a2b49705257e62c5f8e004df68e3cf32d7702e4af879abd55008b c1a6587fb04a94943ab616cf0ce8b3d0c55e59ffbd4bc9b3a1add955391210ae c1fb323ed08adca20912906e8756e6f8a805cd1d08cf20226f37cb51f33117eb c4cd91a5ce722f3c510151513501e9aab54ad535b934132e6e6f6c9c76be2e9e c50c73ef1be87b84055ee73bda503ad20884fcf67b207fa918190f40f4353729 c5e9eaaa5dc6ec4780c319c26a4f552f7030438dcfb008ccfd52358512dc3f81 c605642e0edac4b63e9819648f79d54d5f47cac240480fad808cbfb61f31c88a c67bad311a48bb86a865b08ad2ef175a17e46063ef3c5de734fb3c4a5ea07578 ca0c525bf22b499b2f374d41f7e07a60ed9181645af485b0183c65eea68d364d ca1465224a206c9323a4a3215afa402ce7f592ddf17db5d477d2a5905e982d56 cd6c1ebc720ba509967f9e508657ad02d8fafee1d958af0174bfd0d192291d0a d2c3f54b03d50271dad1eba0abf1cad6529d67b74015e530f716bd18f943c6b5 d52894f027b8ce185efa3f584024b8a9a7f6694f6e294aba8ddac9789d00468f d56afbac1b7eebdb1aa03744cb45a260975de75a08e7f4d9a89ccb57656d9b65 d5e05fa6ddbaf68f6b08e188d444b664a08a69a6102df37c4c3c3cbc7ebfd326 d5e530f607260ee2ce19ef3f6ac277b202cd15fc947b0c02ba9060421f799bc3 d64d4ede406cc439617a2f17e31a3d9c1adb81d35cbb97de1a7e0145b03a08cd d666dcf48f569d6ba9defd87e149408373c0ac237a017624fd51aacfcfeb89d0 d66fb9cc2c40311df8af5aee664303f5226338cd0f2046cb2f8d8d42bda6f9b9 d737d53d2fb7a233b9732bfcd9c99ac8ef9846ad65af07cae490c8ffd9dc02ee d858fd5207e758e84b7ea1a84f27b0e782d0cf3a39db9fd72c3869bd136f9440 d9133df2668bac02ab8150fe9bc7b44a69936322b624fdf80a4f0de635970e81 df481a8014760def4bdd933639d01e8381fed910f5cf6d0e974560afc446451b dff27eb46d17a25416a9cbefb705d13ccaf8bbc03461f3112fd5132c6261a187 e111cbbc94fa932ad24e84cb308195ad7d05fa2d9bb2716a0f6f9c11a4c3f570 e17622f041536a253ab17dfc10011a65225356cb120970b4c4948df1c37ced23 e1d90617390211860b40839338c235df016cafeed7bdda9f39b17b86f48a9fe8 e37d2b812d6ce5653ee7c54157b6288469152dd64a4cb3cb25943bbc3b28e909 e6cdc47ab4a4496d42d84281d5d89c4fdad665cad0546e820aa29e9a18d454f2 e70516e7aa7c9dbfc459993516cde705685f1e44a75c29c55d9f71abe7733c78 eb3f6f8f99b86d4a68490e56a6f5a963523743685ecb6c8bd1d87389dbe0fde0 ed74747bb58f78df2c11f247cc173051cc0e058fad7def595d14b8ce03889a53 f09e67864cc19f5b831fde944c7ee917cbd3af9ff89ed4893d2fa441d12bf5d9 f25531eef40e268b251ce117375bbcaa1a586506d3fa56fa722b200713ee4c1b f37df47e517702f3becf6e3c85733dfea0031572bf199c1f56faad951b354573 f566a942a7c59f53efd9418f0c97850a749a806ee84e88056138c699d3b4d08a f624c81e47e350123490897fa04fe43886ae9cec9b128e8b9ef54fe9405b4612 f64a20a44a60dd899bf0cccb5de57897dd80819cd36c55878a56ed0d1c995352 f8a881216fce67e89b8a56774504b5ea86ebb763d87ff7426a9344d13790e7ea f94c8771545fd31371dcdfbe80260378709e686b44c2b440957cb923aa952b37 f9bc90f545b3eb8d5bd963d00debc6f3ff22403f94f91d063f18a7fb85be59eb fa1bd55fc9aecc625992448306e0dd456e4011bc07a926046ed6d3280aededae fbfa7f980b0d29f8c12933ef68daff306e2cbec3247db8242a5d97e6a96927d7 ff02edab9a670769ce074b2f6d6728909950785d2c8507e01d3333de98156c58 ff89d6917b775ef0bd38e4ee3a401bb310c4276eba79ff872b827920f72185b3 ffd7d43487fa1e15d8ea2a1e8737533cfcf7763cad6cb7504f270500a37f4261
GachiLoader’s C2 Servers	davpniktonevidit[.]cfd nupogodi[.]cfd 94[.]154[.]35[.]99 nexus-cloud-360[.]com globalmarket247online[.]com 176[.]46[.]152[.]18 213[.]209[.]150[.]104 [vault-360-nexus[.]com] iietrich[.]cfd mceenzie[.]sbs 62[.]60[.]226[.]233 66[.]63[.]187[.]72 digitalservice365cloud[.]com 178[.]16[.]52[.]231
Variant 2 – Kidkadi Dropper	01bdbb37d4b5d22ab98f1977f89c0eb69b35cdbf1d690c434a9d21dc1d0c56b0 02bdf8a8206b520db3d55fb7426ecef1ad10518f22eba26c848e548b75bc9999 04bb04bbea55fa1dabda974b2c2f4aceb44ddccb7b9c1715e0aa67318369a768 0577a28c0bcc1b033f44f458ab2d068fc301ef30d4175a3d2012d3601e9e13e1 0859936dff1e2af60940c5f0764e187c642ffea5344118eb702a7ac59f5a9281 08b5875f9867aa6c71cb8d96fb79de9f8975e0f7d1298388c95845aaa49e55de 0ef9623e3ba8bc2c5be6de9cccd4a9e17bf74d1f8f83455da40c35f72fb34922 110a17f1d65790337329d22d94ac10a9b6581202d5eab02897cb41ac543f1007 13f1ee54ec2f7ca835313b828c64d1b0ffd6288c59e3361013a17c765da7335c 178a24418d3057eb38b80e63786f9908a856618f1d19a9b667a55dff2717c9db 20179c8ceeede0056b0d3f545d0641160490642c90b23dce5603b8b47acb62d0 2101d91dc775638f1f392d0867aca9a15d9139f0c986ed7004df134c9c52fcfe 254abb6da9296f8c6f8e567186e3d59ddba2392fa4baf791492f7e76b4ff5af7 28a9a74d8eeae80de63a1938cadfa55a5a0f334e593e975cb32af8ec3cae79e6 2aea932e216145e38e5751f4daa9788974dd8e4ad4e90d7b42613d3df6341aee 2e519a26e3cb67b9e1186065c4245f89b8cdfb5b3346fc86b028213e0f08c286 2ed1c34780a3e9d2972f14d2828abf77a329075bd4c055458ef2f064237544b9 354a66191805500b4a45d7455fd02527ffe0b76ae9285eabf8f182ea7d893c19 38063272da02cf4fd383c634df988c07dcb2ce59cc3cdb036c4ff155fefc62e2 38da058e5fafbdd9c371f4d64e7cc0e317ad1e59291470ddf01c7681c0c03c43 3903bab79a2fa38e05df6f311d2dc9640c5916f8050bffab0d47ab8e58837210 396caae9215849b674eecb0f8d5b91985f81986069c09e50454cb8f607ad4231 39c72a4467ead5190ab2aff718c1d8fe66dd03760b3c2bb085466d56a6d10f3e 39cdf78fdfeeb8ce82f5a8b0abbbfb1a74fd0bf9568e11a9b5f5d47060c33dc7 3dbea0934dd2de6441ba27b762dc6424ce518f4882555fb96cd5225f9167339a 405072e611a49489d1074dafcd84791f60ab9daebf55be36b924718e9d847c48 416b81138d3c20578228c9610dca686eb7193e8d93cc4a2a18e6815efeacb810 425d78b7a5cbd87b36e4ca991171e90851d0dac29fe5934fe9b289ea88793298 46926ff7f778ea242603d233eabc0916a8a6945769fa0ea20c60cbac1f164150 4a509f3605cb039c6f426e110b23ce82f1ef67db06c32e4bc5ebfb3ae3ca1e31 4bdf84addb7e9bce6bb98086e6554f68fd529c49ae20b770d8db9ffc9debd3df 4bf54789913bfbca6bb87263137ff6a662e32eb9e9ff124441af6304cc2b401e 568e8082704d7fd2473862e93120412de1d043da5d106a12f9d1d5f1492eb173 56e4bb0f077b2081f0fcdaeaa90d8c6da48beedfb0a381ae054030e5a2988f05 574934eeab1d23c163c4e59cad869de2f5c3d46dbdd563b17fb4320b53e95770 5982d92d6a3bd210fd13a9986bda7f9fc6cb0321e523506acf9dc2e9ee6501de 59a17d129944bf8bc426d23746b285522d94b293eb2c2808d56a307022e5b92d 5a290d01a08f774f13f0991b7cf5c8c48b8cd2c0eb896ad069f02a474d8747f2 5bd83b8ecfb1efd13191a76cb0998cf6d645491b76b6fe4f1a516bfd756bed3b 5e4ae0bdc6081a22357e73aff3023a63623f3475610b23c35ff073b0b6890175 6253d1285a7579f482ba1983a2c4db2c01f9f11194dac76aca4424e3d6977a02 62db621c97bdaadffc1e900aac8d3af6e4e759b27018da635418c3921e1c8068 679ff95c8c383d55b60d80d1803f347e206bd358e3980ee8de1de105680ffb37 6bcb16d0ceae1b27bc7860477aa60a8c2a2588fb7625aa3a2dd78ee543658437 6dc57007880918de4ef89d98b70dfa0cb1ac4c7a9d1eeffc57408d3f18524980 6e087f40e4aac5fa780bfd1046c1d65e2b59c6abf391f9507718e61be61ddf42 6edb286fa173145e8bb9597d8f02ec3d86f9f680468ba48618bcc5d2240ad121 73cf316dc4359d80022e0ff7be22b9c86530e982a1d939e78a20090b9373b8a4 77c728333ebff9d313d87b763b9d8e4a9d580b76f734ea6e43d7cc7bc81da260 7a70e48a2721d5f5946ec2904dee105ba6c8561b205e5e8fce2aa5f6f3ef0549 7c53826ea6a9f4ba8d44ca455f1723af9d72b99e97d5053babcfd528fb344e24 80e8a40be533b4470275d567f7f9d21f6ba4e41e9b3272de77ff67ab9f8442b4 828c2b61686f9dd8ee888a89ad92793b586a273b57bfd0ad57be6ae2f72616b1 861c9536994ea3bb6c7aa5463001b79ab61fd945cf44956074d9034e384b3834 8b30ecb0376e7853c4b323e6b504c967d76f22aa880c587878aa4d5de9bd9808 8ee29bb1ea8f289d2233fd8053001a29b4fb7d5275120bbcb3e92f5cd5a77b47 8fb633896f714598c3b935cc45658f3fa14c99a006708c0a78e2f7d29b4c2b1f 90f4f2c7d5fd9ea10e05cd9bb28a7700fe3fd5cc97d5d59b7e0f043e74f4adbd 9dc8628aa94effdb2e982d10a6daa4b7897b75db9d452d806f839c9099c01fd4 9f074ac880d8ae454c84dc03fcbaf0a9c4a15b32a28a590708a38ec6542fc620 9f38d473a87c4c72760dd3e578c21f23b271c3c6a28d92e9ffa842073c4abc3b a0857210ed5a0e38a73a908158905f4271bf82d3f18e0f73494c1846043102f6 a21d016f92be196e4d101a9f20d928ededa930dca835e5bdaffa0ea96372530e a3bdc6f2f7930af9d4f3378c88fa9c84ee36c8a79b6689c0907fb4e065d7b572 a66220bea0f76e47ca218b99a2b91c7347cb3a291f2df03329009fde23c1a02a a745b6efbb006d7c9c33503c12f247a95d3d72b98e22f6aa883d7ef45359afdc aa71db5eb8ec06fbf676dacbb53bc3fdab62169b7287fe5d489713661ddf6360 af14df77f75b1440cd98dc39e4fd24e4d4da62904a699ca2e977c91db30ecc0d afdcb3443f1b46fe4bd0818654dcbf48a542afdebef4c0725618cd66b2dbddf9 b10e7bbe60e82ec581a3dea4d829838d9c9603f4581125d0200b620d366c75cb b281b6ffb8cf114b5836ead7cbc424179ac4070e2b15721a5a84af6be0b376d1 b8d46875182730276cf2a67de909ab4b8f3f298554f39928b418984d8cb515b0 bb359ebb2ddc1489a3489c0c37b974d05f9a37e23d4e74517d882fb5c7e493b0 bb88a06cff4e8d73eef046c6a8352dfff7f52903761ced27acd68c065391a464 bd2fb7d2bb7c15d634a986068d5cf811faa83aed72cb7e81df5e5082b22356d2 be68dd32a6b3375935fac1cebf132a2fc7fbfd4074cb8c53022d8eb4e7e17db1 bf5ce4b2911f2d6592abafaf5096936e61d23f98fd9a6b6bbcd763269fba729b c0b239f989ecd535b9e80570487a39ad67c1e77ba3133caba150da7bf553b724 c10d286de8111a7133831d57394164586584157da2b50d7f3bb85582d69c2b17 c26b86a7e9ff0fb61a2ac0e9eaf78ed34e97a0326df66c7d2311ee7a6033e590 c2b66d97a64d87ce48eb5fb972d23a6b834a677ae154f9f8d4300e9699922ca5 c7646b0f6de08759e19928e25f2ca65cd023a9b820101ae52eb2dc7c7f6f1a69 cbeb46542f05028aee563efb5afa3616612637b31928f98b3d880de2ca524fb0 ce5b2579a7893c29ad24ad7126cb83ab629e1d879f69348ad2eb5f9b884d4c44 d1b7ae2d2e12faa4244bd4e5625ffbb2e525586f888bf5b292386221672b5b6d d5038061e4d308341f6dfd7e807c84266442dbd0afe3b567082ebf6fdbd4c5d4 d51e67e9d81041500994880ecbad47f43a66fc4779a5f79c2c1f47517b8b14ec d79722670889cf3ce869ed23be59c12029e0df3e536162045b6a87f0b522672d d80cd0fe212dcfd4a0e683d36c48ba73a7e500a31dbf3f629a13c89565db7580 d8d138f4ebb7a5f12691e2c4edddcf906b66bd5640f8e09e1196a629a624a2ca d9e2773a56847f4d28e82b2e7215bc4db05807a08d49588f6d6b40be9a430d1b dbb8a2943af9559d4b3ec8e4c0879cfee3edd882e78b1cd1fb4546acdd7365ee dce1732d7e260843a9930dea78ff1dc6c469bd306817c827318b56d754f77a98 dd851d7d8b79900e151f91f82d9f1826db493b67f012829783001ab5ffe392e2 ddf5f0ac5484e8e3090b9ce51f53f57cba9550be0e5fcdc2b60787ffc31c15c5 de13a7f1f2cc3cfeeaed063b558134631add81f74e58595bfdf921ff78470a9c de40f512a3ead48f8c334bcd92198304df41d166ee0c0a90dc4a281464ee7980 ded2e57b60ba81fe9fc9a52ee0591db262527a0b6d166c6ca7165bfb99c4e835 e076d0d1bac228175f0ea23046f0bb7241b0a0457d245ae365ec3de8554a3499 e2627e6c31bb30f791ae80fbbf7d6b57a9ce6ae9e568cff6942ccf6f72195a5e e4d7ace20cd9704805d144c26bd8c54f6a1b3175b549b6c8279e2d0ee81da9d2 e58ed739c3e6f0f1b0aee262ce0cd99cff6fa04ec7bd665c7c9de7fdfd289c1e e7372984816703e5664bb1a0632bd7689d573e2868ceccd138c0a5a2977b2a23 e79d67e6c265ff53fb428123711db25b5fc3612ae650b55a2c6484bce3385bec e806c33313e0490293edeb998abcd9413744e307af5619662ae6a62f6224aee7 ec55eadc6aab2a8c519c016e4b238b39463345c87160b7e2005e6e38ef05ff21 eca5155749b0f83671e8c17094a4380c19a3b5096781bd7b88cd9f93a70fc574 ed0cbb7b137a10493319473610209016f2c1a8b9560876bc32999b472a32e18f ee363c5bdc5e786b0b47840d8fe69a5bd71f3684a9eec5d9e49b9ab68c64c793 ee752ce83f645fe4d3db0b1d8c41428d7b9adf37e72a9c21c153450862d30906 eed231bda3ad5a946a254d06865610e50b05eabaece8f09f84323d9fb23e2742 ef4d2a7ca4306626ff90e53ebad63e243a50dff63f34eb0eeaeb4acb2f39c42b f0269f2b26534acc3ef8bee5b243c54b14812769249a974b2e2b7eba9734a967 f1de30fa0eeedc1f1a7d97736cf751c88fb01456a182f97ede7294bc89bf69af f4f18af4acee36826b8e2162749250ffb96fc7f8f154d181dd1b8179cf4da68d f73e65f624f15d967951a6795c712daf31363ab1602485c164549b04989caaaf f9648d34727738abe86310378929ab7a8d5c8f2698c913bc84dee9be49e3b96a f98ce437118aeca437a43612858068f4ea6099bb93c63f1b4ffc4d4335e8eaed fbae3424943aec7aea7ce380c7a83c89ca9c6ff243bfac5186edba6e560f5b66 fd06caf741fd4e5fc9f00c575cc22c00f1a7fd55e826a16dbabc8b3436ed64c4
Rhadamanthys C2 Servers	176[.]46[.]152[.]18:8181/gDatFeDway/r26ggaap[.]dssde 178[.]16[.]53[.]193/mK2k20ajW7kairt1mg88vT1aT9vwU5AZN9AkYYs2QBNbnXV3ph/YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq[.]exe 180[.]178[.]189[.]34:8181/gDatFeDway/mh3af5md[.]wg4ja 180[.]178[.]189[.]34:8181/gDatFeDway/ujp8k5q9[.]kbtsk 185[.]141[.]216[.]120:1888/gateway/st2jdbg8[.]gsg45 3[.]126[.]43 78[.]16[.]53[.]193/mK2k20ajW7kairt1mg88vT1aT9vwU5AZN9AkYYs2QBNbnXV3ph/YEr2KP0jEBhSDdVcS9cWNhbKUgDxcEm9kqxLwFAdHgmKyw7FZq[.]exe 94[.]154[.]35[.]99:1888/gateway/el3tkioe[.]xcg4w 94[.]154[.]35[.]99:1888/gateway/mbw0n34s[.]gibis 94[.]154[.]35[.]99:1888/gateway/wwpac3ey[.]q23nf cxbnqdytjgrxutmzawczv[.]cg/gateway/0f4m3h8r[.]trz19 jfbcrmphnnikoktsmcpzirlplkwp[.]zl/gateway/8pv47lge[.]93qfg
Kidkadi.node	2ac4f1a2e22c99a823f18dba8ad5aafde0de98966d5534d5af61650d1f47997c f87b964e6a619cae6bb8852822d70bee93d708da98214e3b2381ff0774ee8e62 0e0a094e2d27a0e3583ff528296f784d29e139bed9ba41fdc6788169c83698b4 72eb1f7a418def9d64aaadc556f9350d2a8c444eb7ab56fc59324c5d5f4d76f9 33bba47346c03968977688bddbdd245210c06fb7686b4dfc78789c70e2a95219 f9ab9fc5f1e092ace1dcea7610f4643040a85a5385e3eab3c3666bfe09dc8d6b 90fa0da74389a302edd4cdb641f280bf95b9f73ed7145f0f9c1728c576cfc0df 1d405b03bc5913b6b43c06550ef0b9b02196b270625e4dc5fa0c37e8a424be25
HookPE.exe	ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e

Appendix A – Username Blocklist

mashinesssss	sandbox	honey
vmware	currentuser	nepenthes
andy	hal9th	johndoe
wdagutilityaccount	abby	peter wilson
hmarc	patex	john-pc
rdhj0cnfevzx	keecfmwgqj	frank
8nl0colnq5bq	lisa	john
pxmduopvyx	8vizsm	w0fjuovmcpa
lmvwjj9b	pqonjhvwxss	3u2v9m8
julia	heuerzl	harry johnson
j.seance	a.monaldo	tvmt
johanna	johnson	miller
malware	maltest	virus
test user	sand bog	bruno
anand	it-admin	walker

Appendix B – Hostname Blocklist

b30f0242-1c6a-4	desktop-vrsqlag	q9itrkphr
xc64zb	desktop-d019gdm	desktop-wi8clet
server1	lisa-pc	john-pc
desktop-b0t93d6	desktop-1pypk29	desktop-1y2433r
wileypc	wok	6c4e733f-c2d9-4
ralphs-pc	desktop-wg3myjs	desktop-7xc6gez
desktop-5oy9s0o	qarzhrdbj	orelee pc
archibaldpc	julia-pc	d1b_coursek
comname_5076	ralphs-pc	desktop-vkeons4
tdt-eff-2w11wss	work	q9iatrkphr

Appendix C – Process Blocklist

human.exe	cred-store.exe	device-sense.exe
private-cloud-proxy.exe	tib_monitor_monitor.exe	tmsmonitor.exe
vmtoolsd.exe	adpagent.exe	fakenet.exe
dumpcap.exe	httpdebugger.exe	wireshark.exe
fiddler.exe	vboxservice.exe	df5serv.exe
vboxtray.exe	ollydbg.exe	pestudio.exe
vmwareuser.exe	vgautservice.exe	vmacthlp.exe
x96dbgn.exe	vmsrvc.exe	x32dbgn.exe
vmusrvc.exe	prl_cc.exe	prl_tools.exe
xenservice.exe	qemu-ga.exe	joeboxcontrol.exe
ksdumperclient.exe	ksdumper.exe	joeboxserver.exe
vmwareservice.exe	vmwaretray.exe	todaydeathdo.exe
mitmdump.exe	idaw.exe	vxtkernelsvcntmgr.exe
windbg.exe	dumpit.exe	procmon.exe
rammap.exe	rammap64.exe	inetsim.exe
hvix64.exe	ida64.exe	x64dbg.exe
cutter.exe	r2.exe	binaryninja.exe
dbgview.exe	tcpdump.exe	netcat.exe
idaq64.exe	frida-server.exe	frida-inject.exe
frida.exe	pin.exe	drrun.exe
apimonitor.exe	volatility.exe	rekall

Appendix D – Drive Manufacturer Blocklist

vmware	xen	msft virtual
hyper-v	kvm	red hat
aws	azure	google
gcp	openstack	cinder
ovirt	citrix	virtuozzo
virtio

Appendix E – Video Controller Blocklist

virtualbox graphics adapter	vbox disp adapter	qemu virtual video
hyper-v video	parallels display adapter wddm	red hat qxl
xen vga	citrix display adapter