Google AdSense Leak

Now I see why they closed my account lol. I am a former Google employee and I am writing this to leak information to the public of what I witnessed and took part in while being an employee. My position was to deal with AdSense accounts, more specifically the accounts of publishers (not advertisers). I

Ransomware GandCrab v5.0.4

Our ruski hecker snk is still hunting for money.
Downloader : hxxp://
Here are some samples from snk bots, malwares also unpacked by Xylitol Trik Bot 2.5 sample. hxxp://
Password for the archive :

Ransomware)

Samples : hxxp://
Url’s : hxxp:// hxxp:// hxxp://gandcrabmfe6mnef.onion/68763f12385ff103

Miner)

Domains contacted : “”  “”
Sample : hxxps://

GandCrab v4 Ransomware CnC

The sample looks like Carberp with a ransomware option added.
Contacts domains :  “”  “”  “”  “”  “”  “”  “”  “”  “”  “”  “”
Contacts ips : “”  “”  “”  “”  “”  “”  “”  “”  “”  “”  “”  “”  “” “”  “”  “”  “”  “”  “”  “”
Sample here : hxxp://
The sample porn.jpg downloads these

Bot Hosted In Shinjiru MSC Sdn Bhd)

Sample here : hxxp://
Panel here : hxxp://
All directories listing here : hxxp://
Contacted hosts : hxxp:// hxxp:// hxxp:// hxxp:// hxxp://
Hosting info :

Loader + TeamViewer Rat)

Smoke Loader is used to infect with team viewer rat 4.34-2mb size of executable.
Domains :
Ip’s :
Samples : hxxp:// hxxp:// hxxp:// hxxp:// hxxp://
hxp:// : The whole archive (shells, emailer, samples), his gmail address too. This guy looks like big russki hecker.

Hosted In Portugal Lisbon Dotsi Unipessoal Lda.)

Resolved [ ] To [ ]
Malware activity :
Reads terminal service related keys (often RDP related)
Sets a global windows hook to intercept keystrokes
Creates a fake system process
Modifies auto-execute functionality by setting/creating a value in the registry
Writes data to a remote process
Reads the active computer name
Reads the

Stealer Hosted In Lithuania Vilnius Uab Interneto Vizija)

Steals bitcoins from these wallets :
AppData\Roaming\Bitcoin\wallet.dat
AppData\Roaming\Litecoin\wallet.dat
AppData\Roaming\PPCoin\wallet.dat
AppData\Roaming\Terracoin\wallet.dat
Uses email to transfer stolen wallets.
Some strings from the executable :
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0