whickey

SilasCutler_JARM_Scan_CobaltStrike_Beacon_Config.json

Dec 4th, 2020
  1. {
  2. "scanner": "IPV4 JARM Scan: Silas Cutler - Beacon Config Scan: Wade Hickey",
  3. "scan_date": "2020-11-25",
  4. "100.24.69.72": {
  5. "x86": {
  6. "BeaconType": "8 (HTTPS)",
  7. "Port": "443",
  8. "Polling": "30000",
  9. "Jitter": "50",
  10. "Maxdns": "255",
  11. "C2 Server": "one.vhy.me,/__utm.gif",
  12. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  13. "HTTP Method Path 2": "/___utm.gif",
  14. "Header1": "",
  15. "Header2": "",
  16. "PipeName": "",
  17. "DNS Idle": "\\x00\\x00\\x00\\x00",
  18. "DNS Sleep": "0",
  19. "Method1": "GET",
  20. "Method2": "POST",
  21. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  22. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  23. "Proxy_AccessType": "2 (Use IE settings)"
  24. }
  25. },
  26. "100.26.209.220": {
  27. "x86": {
  28. "BeaconType": "8 (HTTPS)",
  29. "Port": "443",
  30. "Polling": "60000",
  31. "Jitter": "0",
  32. "Maxdns": "255",
  33. "C2 Server": "cdn.az.gov,/__utm.gif,cdn.zendesk.com,/__utm.gif,cdn.atlassian.com,/__utm.gif,a1.awsstatic.com,/__utm.gif,f0.awsstatic.com,/__utm.gif",
  34. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) likeGecko",
  35. "HTTP Method Path 2": "/___utm.gif",
  36. "Header1": "",
  37. "Header2": "",
  38. "PipeName": "",
  39. "DNS Idle": "\\x00\\x00\\x00\\x00",
  40. "DNS Sleep": "0",
  41. "Method1": "GET",
  42. "Method2": "POST",
  43. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  44. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  45. "Proxy_AccessType": "2 (Use IE settings)"
  46. },
  47. "x64": {
  48. "BeaconType": "8 (HTTPS)",
  49. "Port": "443",
  50. "Polling": "60000",
  51. "Jitter": "0",
  52. "Maxdns": "255",
  53. "C2 Server": "cdn.az.gov,/__utm.gif,cdn.zendesk.com,/__utm.gif,cdn.atlassian.com,/__utm.gif,a1.awsstatic.com,/__utm.gif,f0.awsstatic.com,/__utm.gif",
  54. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) likeGecko",
  55. "HTTP Method Path 2": "/___utm.gif",
  56. "Header1": "",
  57. "Header2": "",
  58. "PipeName": "",
  59. "DNS Idle": "\\x00\\x00\\x00\\x00",
  60. "DNS Sleep": "0",
  61. "Method1": "GET",
  62. "Method2": "POST",
  63. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  64. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  65. "Proxy_AccessType": "2 (Use IE settings)"
  66. }
  67. },
  68. "103.106.65.251": {
  69. "x86": {
  70. "BeaconType": "8 (HTTPS)",
  71. "Port": "443",
  72. "Polling": "60000",
  73. "Jitter": "0",
  74. "C2 Server": "103.106.65.251,/IE9CompatViewList.xml",
  75. "HTTP Method Path 2": "/submit.php",
  76. "Method1": "GET",
  77. "Method2": "POST",
  78. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  79. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  80. "Proxy_AccessType": "2 (Use IE settings)"
  81. }
  82. },
  83. "103.126.6.149": {
  84. "x86": {
  85. "BeaconType": "8 (HTTPS)",
  86. "Port": "443",
  87. "Polling": "45000",
  88. "Jitter": "37",
  89. "Maxdns": "255",
  90. "C2 Server": "103.126.6.149,/jquery-3.3.1.min.js",
  91. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  92. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  93. "Header1": "",
  94. "Header2": "",
  95. "PipeName": "",
  96. "DNS Idle": "J}\\xC4q",
  97. "DNS Sleep": "0",
  98. "Method1": "GET",
  99. "Method2": "POST",
  100. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  101. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  102. "Proxy_AccessType": "2 (Use IE settings)"
  103. }
  104. },
  105. "103.254.75.240": {
  106. "x86": {
  107. "BeaconType": "8 (HTTPS)",
  108. "Port": "443",
  109. "Polling": "60000",
  110. "Jitter": "0",
  111. "Maxdns": "255",
  112. "C2 Server": "103.254.75.240,/load",
  113. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  114. "HTTP Method Path 2": "/submit.php",
  115. "Header1": "",
  116. "Header2": "",
  117. "PipeName": "",
  118. "DNS Idle": "\\x00\\x00\\x00\\x00",
  119. "DNS Sleep": "0",
  120. "Method1": "GET",
  121. "Method2": "POST",
  122. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  123. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  124. "Proxy_AccessType": "2 (Use IE settings)"
  125. },
  126. "x64": {
  127. "BeaconType": "8 (HTTPS)",
  128. "Port": "443",
  129. "Polling": "60000",
  130. "Jitter": "0",
  131. "Maxdns": "255",
  132. "C2 Server": "103.254.75.240,/__utm.gif",
  133. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  134. "HTTP Method Path 2": "/submit.php",
  135. "Header1": "",
  136. "Header2": "",
  137. "PipeName": "",
  138. "DNS Idle": "\\x00\\x00\\x00\\x00",
  139. "DNS Sleep": "0",
  140. "Method1": "GET",
  141. "Method2": "POST",
  142. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  143. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  144. "Proxy_AccessType": "2 (Use IE settings)"
  145. }
  146. },
  147. "103.39.18.161": {
  148. "x86": {
  149. "BeaconType": "8 (HTTPS)",
  150. "Port": "443",
  151. "Polling": "60000",
  152. "Jitter": "15",
  153. "Maxdns": "255",
  154. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  155. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  156. "HTTP Method Path 2": "/mail/u/0/",
  157. "Header1": "",
  158. "Header2": "",
  159. "PipeName": "",
  160. "DNS Idle": "\\x08\\x08\\x04\\x04",
  161. "DNS Sleep": "0",
  162. "Method1": "GET",
  163. "Method2": "POST",
  164. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  165. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  166. "Proxy_AccessType": "2 (Use IE settings)"
  167. }
  168. },
  169. "103.39.18.162": {
  170. "x86": {
  171. "BeaconType": "8 (HTTPS)",
  172. "Port": "443",
  173. "Polling": "60000",
  174. "Jitter": "15",
  175. "Maxdns": "255",
  176. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  177. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  178. "HTTP Method Path 2": "/mail/u/0/",
  179. "Header1": "",
  180. "Header2": "",
  181. "PipeName": "",
  182. "DNS Idle": "\\x08\\x08\\x04\\x04",
  183. "DNS Sleep": "0",
  184. "Method1": "GET",
  185. "Method2": "POST",
  186. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  187. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  188. "Proxy_AccessType": "2 (Use IE settings)"
  189. },
  190. "x64": {
  191. "BeaconType": "8 (HTTPS)",
  192. "Port": "443",
  193. "Polling": "60000",
  194. "Jitter": "15",
  195. "Maxdns": "255",
  196. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  197. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  198. "HTTP Method Path 2": "/mail/u/0/",
  199. "Header1": "",
  200. "Header2": "",
  201. "PipeName": "",
  202. "DNS Idle": "\\x08\\x08\\x04\\x04",
  203. "DNS Sleep": "0",
  204. "Method1": "GET",
  205. "Method2": "POST",
  206. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  207. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  208. "Proxy_AccessType": "2 (Use IE settings)"
  209. }
  210. },
  211. "103.39.18.163": {
  212. "x86": {
  213. "BeaconType": "8 (HTTPS)",
  214. "Port": "443",
  215. "Polling": "60000",
  216. "Jitter": "15",
  217. "Maxdns": "255",
  218. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  219. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  220. "HTTP Method Path 2": "/mail/u/0/",
  221. "Header1": "",
  222. "Header2": "",
  223. "PipeName": "",
  224. "DNS Idle": "\\x08\\x08\\x04\\x04",
  225. "DNS Sleep": "0",
  226. "Method1": "GET",
  227. "Method2": "POST",
  228. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  229. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  230. "Proxy_AccessType": "2 (Use IE settings)"
  231. }
  232. },
  233. "103.39.18.165": {
  234. "x86": {
  235. "BeaconType": "8 (HTTPS)",
  236. "Port": "443",
  237. "Polling": "60000",
  238. "Jitter": "15",
  239. "Maxdns": "255",
  240. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  241. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  242. "HTTP Method Path 2": "/mail/u/0/",
  243. "Header1": "",
  244. "Header2": "",
  245. "PipeName": "",
  246. "DNS Idle": "\\x08\\x08\\x04\\x04",
  247. "DNS Sleep": "0",
  248. "Method1": "GET",
  249. "Method2": "POST",
  250. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  251. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  252. "Proxy_AccessType": "2 (Use IE settings)"
  253. }
  254. },
  255. "103.39.18.168": {
  256. "x86": {
  257. "BeaconType": "8 (HTTPS)",
  258. "Port": "443",
  259. "Polling": "60000",
  260. "Jitter": "15",
  261. "Maxdns": "255",
  262. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  263. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  264. "HTTP Method Path 2": "/mail/u/0/",
  265. "Header1": "",
  266. "Header2": "",
  267. "PipeName": "",
  268. "DNS Idle": "\\x08\\x08\\x04\\x04",
  269. "DNS Sleep": "0",
  270. "Method1": "GET",
  271. "Method2": "POST",
  272. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  273. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  274. "Proxy_AccessType": "2 (Use IE settings)"
  275. },
  276. "x64": {
  277. "BeaconType": "8 (HTTPS)",
  278. "Port": "443",
  279. "Polling": "60000",
  280. "Jitter": "15",
  281. "Maxdns": "255",
  282. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  283. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  284. "HTTP Method Path 2": "/mail/u/0/",
  285. "Header1": "",
  286. "Header2": "",
  287. "PipeName": "",
  288. "DNS Idle": "\\x08\\x08\\x04\\x04",
  289. "DNS Sleep": "0",
  290. "Method1": "GET",
  291. "Method2": "POST",
  292. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  293. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  294. "Proxy_AccessType": "2 (Use IE settings)"
  295. }
  296. },
  297. "103.39.18.170": {
  298. "x64": {
  299. "BeaconType": "8 (HTTPS)",
  300. "Port": "443",
  301. "Polling": "60000",
  302. "Jitter": "15",
  303. "Maxdns": "255",
  304. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  305. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  306. "HTTP Method Path 2": "/mail/u/0/",
  307. "Header1": "",
  308. "Header2": "",
  309. "PipeName": "",
  310. "DNS Idle": "\\x08\\x08\\x04\\x04",
  311. "DNS Sleep": "0",
  312. "Method1": "GET",
  313. "Method2": "POST",
  314. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  315. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  316. "Proxy_AccessType": "2 (Use IE settings)"
  317. }
  318. },
  319. "103.39.18.171": {
  320. "x86": {
  321. "BeaconType": "8 (HTTPS)",
  322. "Port": "443",
  323. "Polling": "60000",
  324. "Jitter": "15",
  325. "Maxdns": "255",
  326. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  327. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  328. "HTTP Method Path 2": "/mail/u/0/",
  329. "Header1": "",
  330. "Header2": "",
  331. "PipeName": "",
  332. "DNS Idle": "\\x08\\x08\\x04\\x04",
  333. "DNS Sleep": "0",
  334. "Method1": "GET",
  335. "Method2": "POST",
  336. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  337. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  338. "Proxy_AccessType": "2 (Use IE settings)"
  339. },
  340. "x64": {
  341. "BeaconType": "8 (HTTPS)",
  342. "Port": "443",
  343. "Polling": "60000",
  344. "Jitter": "15",
  345. "Maxdns": "255",
  346. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  347. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  348. "HTTP Method Path 2": "/mail/u/0/",
  349. "Header1": "",
  350. "Header2": "",
  351. "PipeName": "",
  352. "DNS Idle": "\\x08\\x08\\x04\\x04",
  353. "DNS Sleep": "0",
  354. "Method1": "GET",
  355. "Method2": "POST",
  356. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  357. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  358. "Proxy_AccessType": "2 (Use IE settings)"
  359. }
  360. },
  361. "103.39.18.173": {
  362. "x86": {
  363. "BeaconType": "8 (HTTPS)",
  364. "Port": "443",
  365. "Polling": "60000",
  366. "Jitter": "15",
  367. "Maxdns": "255",
  368. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  369. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  370. "HTTP Method Path 2": "/mail/u/0/",
  371. "Header1": "",
  372. "Header2": "",
  373. "PipeName": "",
  374. "DNS Idle": "\\x08\\x08\\x04\\x04",
  375. "DNS Sleep": "0",
  376. "Method1": "GET",
  377. "Method2": "POST",
  378. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  379. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  380. "Proxy_AccessType": "2 (Use IE settings)"
  381. }
  382. },
  383. "103.39.18.176": {
  384. "x86": {
  385. "BeaconType": "8 (HTTPS)",
  386. "Port": "443",
  387. "Polling": "60000",
  388. "Jitter": "15",
  389. "Maxdns": "255",
  390. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  391. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  392. "HTTP Method Path 2": "/mail/u/0/",
  393. "Header1": "",
  394. "Header2": "",
  395. "PipeName": "",
  396. "DNS Idle": "\\x08\\x08\\x04\\x04",
  397. "DNS Sleep": "0",
  398. "Method1": "GET",
  399. "Method2": "POST",
  400. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  401. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  402. "Proxy_AccessType": "2 (Use IE settings)"
  403. },
  404. "x64": {
  405. "BeaconType": "8 (HTTPS)",
  406. "Port": "443",
  407. "Polling": "60000",
  408. "Jitter": "15",
  409. "Maxdns": "255",
  410. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  411. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  412. "HTTP Method Path 2": "/mail/u/0/",
  413. "Header1": "",
  414. "Header2": "",
  415. "PipeName": "",
  416. "DNS Idle": "\\x08\\x08\\x04\\x04",
  417. "DNS Sleep": "0",
  418. "Method1": "GET",
  419. "Method2": "POST",
  420. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  421. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  422. "Proxy_AccessType": "2 (Use IE settings)"
  423. }
  424. },
  425. "103.39.18.180": {
  426. "x86": {
  427. "BeaconType": "8 (HTTPS)",
  428. "Port": "443",
  429. "Polling": "60000",
  430. "Jitter": "15",
  431. "Maxdns": "255",
  432. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  433. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  434. "HTTP Method Path 2": "/mail/u/0/",
  435. "Header1": "",
  436. "Header2": "",
  437. "PipeName": "",
  438. "DNS Idle": "\\x08\\x08\\x04\\x04",
  439. "DNS Sleep": "0",
  440. "Method1": "GET",
  441. "Method2": "POST",
  442. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  443. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  444. "Proxy_AccessType": "2 (Use IE settings)"
  445. }
  446. },
  447. "103.39.18.181": {
  448. "x86": {
  449. "BeaconType": "8 (HTTPS)",
  450. "Port": "443",
  451. "Polling": "60000",
  452. "Jitter": "15",
  453. "Maxdns": "255",
  454. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  455. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  456. "HTTP Method Path 2": "/mail/u/0/",
  457. "Header1": "",
  458. "Header2": "",
  459. "PipeName": "",
  460. "DNS Idle": "\\x08\\x08\\x04\\x04",
  461. "DNS Sleep": "0",
  462. "Method1": "GET",
  463. "Method2": "POST",
  464. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  465. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  466. "Proxy_AccessType": "2 (Use IE settings)"
  467. }
  468. },
  469. "103.39.18.182": {
  470. "x86": {
  471. "BeaconType": "8 (HTTPS)",
  472. "Port": "443",
  473. "Polling": "60000",
  474. "Jitter": "15",
  475. "Maxdns": "255",
  476. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  477. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  478. "HTTP Method Path 2": "/mail/u/0/",
  479. "Header1": "",
  480. "Header2": "",
  481. "PipeName": "",
  482. "DNS Idle": "\\x08\\x08\\x04\\x04",
  483. "DNS Sleep": "0",
  484. "Method1": "GET",
  485. "Method2": "POST",
  486. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  487. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  488. "Proxy_AccessType": "2 (Use IE settings)"
  489. }
  490. },
  491. "103.39.18.183": {
  492. "x86": {
  493. "BeaconType": "8 (HTTPS)",
  494. "Port": "443",
  495. "Polling": "60000",
  496. "Jitter": "15",
  497. "Maxdns": "255",
  498. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  499. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  500. "HTTP Method Path 2": "/mail/u/0/",
  501. "Header1": "",
  502. "Header2": "",
  503. "PipeName": "",
  504. "DNS Idle": "\\x08\\x08\\x04\\x04",
  505. "DNS Sleep": "0",
  506. "Method1": "GET",
  507. "Method2": "POST",
  508. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  509. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  510. "Proxy_AccessType": "2 (Use IE settings)"
  511. }
  512. },
  513. "103.39.18.187": {
  514. "x86": {
  515. "BeaconType": "8 (HTTPS)",
  516. "Port": "443",
  517. "Polling": "60000",
  518. "Jitter": "15",
  519. "Maxdns": "255",
  520. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  521. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  522. "HTTP Method Path 2": "/mail/u/0/",
  523. "Header1": "",
  524. "Header2": "",
  525. "PipeName": "",
  526. "DNS Idle": "\\x08\\x08\\x04\\x04",
  527. "DNS Sleep": "0",
  528. "Method1": "GET",
  529. "Method2": "POST",
  530. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  531. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  532. "Proxy_AccessType": "2 (Use IE settings)"
  533. }
  534. },
  535. "103.39.18.189": {
  536. "x86": {
  537. "BeaconType": "8 (HTTPS)",
  538. "Port": "443",
  539. "Polling": "60000",
  540. "Jitter": "15",
  541. "Maxdns": "255",
  542. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  543. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  544. "HTTP Method Path 2": "/mail/u/0/",
  545. "Header1": "",
  546. "Header2": "",
  547. "PipeName": "",
  548. "DNS Idle": "\\x08\\x08\\x04\\x04",
  549. "DNS Sleep": "0",
  550. "Method1": "GET",
  551. "Method2": "POST",
  552. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  553. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  554. "Proxy_AccessType": "2 (Use IE settings)"
  555. }
  556. },
  557. "103.39.18.190": {
  558. "x86": {
  559. "BeaconType": "8 (HTTPS)",
  560. "Port": "443",
  561. "Polling": "60000",
  562. "Jitter": "15",
  563. "Maxdns": "255",
  564. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  565. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  566. "HTTP Method Path 2": "/mail/u/0/",
  567. "Header1": "",
  568. "Header2": "",
  569. "PipeName": "",
  570. "DNS Idle": "\\x08\\x08\\x04\\x04",
  571. "DNS Sleep": "0",
  572. "Method1": "GET",
  573. "Method2": "POST",
  574. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  575. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  576. "Proxy_AccessType": "2 (Use IE settings)"
  577. }
  578. },
  579. "103.70.137.129": {
  580. "x86": {
  581. "BeaconType": "8 (HTTPS)",
  582. "Port": "443",
  583. "Polling": "60000",
  584. "Jitter": "0",
  585. "C2 Server": "45.170.251.101,/ga.js",
  586. "HTTP Method Path 2": "/submit.php",
  587. "Method1": "GET",
  588. "Method2": "POST",
  589. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  590. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  591. "Proxy_AccessType": "2 (Use IE settings)"
  592. },
  593. "x64": {
  594. "BeaconType": "8 (HTTPS)",
  595. "Port": "443",
  596. "Polling": "60000",
  597. "Jitter": "0",
  598. "C2 Server": "45.170.251.101,/updates.rss",
  599. "HTTP Method Path 2": "/submit.php",
  600. "Method1": "GET",
  601. "Method2": "POST",
  602. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  603. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  604. "Proxy_AccessType": "2 (Use IE settings)"
  605. }
  606. },
  607. "104.131.125.114": {
  608. "x64": {
  609. "BeaconType": "8 (HTTPS)",
  610. "Port": "443",
  611. "Polling": "15000",
  612. "Jitter": "90",
  613. "Maxdns": "225",
  614. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records,amp.azure.net,/api2/json/cluster/tasks,global.asazure.windows.net,/wp-content/themes/am43-6/dist/records",
  615. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  616. "HTTP Method Path 2": "/ev/prd001001",
  617. "Header1": "",
  618. "Header2": "",
  619. "PipeName": "",
  620. "DNS Idle": "h\\xD8<\\x84",
  621. "DNS Sleep": "0",
  622. "Method1": "GET",
  623. "Method2": "POST",
  624. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  625. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  626. "Proxy_AccessType": "2 (Use IE settings)"
  627. }
  628. },
  629. "104.131.167.151": {
  630. "x86": {
  631. "BeaconType": "8 (HTTPS)",
  632. "Port": "443",
  633. "Polling": "15000",
  634. "Jitter": "90",
  635. "C2 Server": "ajax.microsoft.com,/v1/buckets/default/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw/records",
  636. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  637. "Method1": "GET",
  638. "Method2": "POST",
  639. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  640. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  641. "Proxy_AccessType": "2 (Use IE settings)"
  642. },
  643. "x64": {
  644. "BeaconType": "8 (HTTPS)",
  645. "Port": "443",
  646. "Polling": "15000",
  647. "Jitter": "90",
  648. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records",
  649. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  650. "Method1": "GET",
  651. "Method2": "POST",
  652. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  653. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  654. "Proxy_AccessType": "2 (Use IE settings)"
  655. }
  656. },
  657. "104.131.210.108": {
  658. "x86": {
  659. "BeaconType": "8 (HTTPS)",
  660. "Port": "443",
  661. "Polling": "60000",
  662. "Jitter": "0",
  663. "Maxdns": "255",
  664. "C2 Server": "mobilecdnprod.azureedge.net,/__utm.gif",
  665. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
  666. "HTTP Method Path 2": "/submit.php",
  667. "Header1": "",
  668. "Header2": "",
  669. "PipeName": "",
  670. "DNS Idle": "\\x00\\x00\\x00\\x00",
  671. "DNS Sleep": "0",
  672. "Method1": "GET",
  673. "Method2": "POST",
  674. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  675. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  676. "Proxy_AccessType": "2 (Use IE settings)"
  677. }
  678. },
  679. "104.131.76.110": {
  680. "x86": {
  681. "BeaconType": "8 (HTTPS)",
  682. "Port": "443",
  683. "Polling": "15000",
  684. "Jitter": "90",
  685. "Maxdns": "225",
  686. "C2 Server": "ajax.microsoft.com,/api2/json/cluster/tasks",
  687. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  688. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  689. "Header1": "",
  690. "Header2": "",
  691. "PipeName": "",
  692. "DNS Idle": "h\\xD8<\\x84",
  693. "DNS Sleep": "0",
  694. "Method1": "GET",
  695. "Method2": "POST",
  696. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  697. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  698. "Proxy_AccessType": "2 (Use IE settings)"
  699. }
  700. },
  701. "104.131.88.156": {
  702. "x86": {
  703. "BeaconType": "8 (HTTPS)",
  704. "Port": "443",
  705. "Polling": "15000",
  706. "Jitter": "90",
  707. "Maxdns": "225",
  708. "C2 Server": "wepay.com,/en-us/store/api/checkproductinwishlist",
  709. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  710. "HTTP Method Path 2": "/u/0/_/og/botguard/get",
  711. "Header1": "",
  712. "Header2": "",
  713. "PipeName": "",
  714. "DNS Idle": "h\\xD8<\\x84",
  715. "DNS Sleep": "0",
  716. "Method1": "GET",
  717. "Method2": "POST",
  718. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  719. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  720. "Proxy_AccessType": "2 (Use IE settings)"
  721. },
  722. "x64": {
  723. "BeaconType": "8 (HTTPS)",
  724. "Port": "443",
  725. "Polling": "15000",
  726. "Jitter": "90",
  727. "Maxdns": "225",
  728. "C2 Server": "wepay.com,/api2/json/access/ticket",
  729. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  730. "HTTP Method Path 2": "/v3/links/ping-beat/check",
  731. "Header1": "",
  732. "Header2": "",
  733. "PipeName": "",
  734. "DNS Idle": "h\\xD8<\\x84",
  735. "DNS Sleep": "0",
  736. "Method1": "GET",
  737. "Method2": "POST",
  738. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  739. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  740. "Proxy_AccessType": "2 (Use IE settings)"
  741. }
  742. },
  743. "104.149.168.199": {
  744. "x86": {
  745. "BeaconType": "8 (HTTPS)",
  746. "Port": "443",
  747. "Polling": "60000",
  748. "Jitter": "0",
  749. "Maxdns": "255",
  750. "C2 Server": "104.149.168.199,/g.pixel",
  751. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  752. "HTTP Method Path 2": "/submit.php",
  753. "Header1": "",
  754. "Header2": "",
  755. "PipeName": "",
  756. "DNS Idle": "\\x00\\x00\\x00\\x00",
  757. "DNS Sleep": "0",
  758. "Method1": "GET",
  759. "Method2": "POST",
  760. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  761. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  762. "Proxy_AccessType": "2 (Use IE settings)"
  763. },
  764. "x64": {
  765. "BeaconType": "8 (HTTPS)",
  766. "Port": "443",
  767. "Polling": "60000",
  768. "Jitter": "0",
  769. "Maxdns": "255",
  770. "C2 Server": "104.149.168.199,/g.pixel",
  771. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)",
  772. "HTTP Method Path 2": "/submit.php",
  773. "Header1": "",
  774. "Header2": "",
  775. "PipeName": "",
  776. "DNS Idle": "\\x00\\x00\\x00\\x00",
  777. "DNS Sleep": "0",
  778. "Method1": "GET",
  779. "Method2": "POST",
  780. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  781. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  782. "Proxy_AccessType": "2 (Use IE settings)"
  783. }
  784. },
  785. "104.168.140.127": {
  786. "x86": {
  787. "BeaconType": "8 (HTTPS)",
  788. "Port": "443",
  789. "Polling": "62412",
  790. "Jitter": "43",
  791. "Maxdns": "242",
  792. "C2 Server": "qw.run-upgrade.monster,/avatars.js,as.run-upgrade.monster,/fam_newspaper.js,zx.run-upgrade.monster,/avatars.js",
  793. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  794. "HTTP Method Path 2": "/templates",
  795. "Header1": "",
  796. "Header2": "",
  797. "PipeName": "",
  798. "DNS Idle": "@\\xD9\\xA5\\x04",
  799. "DNS Sleep": "0",
  800. "Method1": "GET",
  801. "Method2": "POST",
  802. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  803. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  804. "Proxy_AccessType": "2 (Use IE settings)"
  805. },
  806. "x64": {
  807. "BeaconType": "8 (HTTPS)",
  808. "Port": "443",
  809. "Polling": "62412",
  810. "Jitter": "43",
  811. "Maxdns": "242",
  812. "C2 Server": "qw.run-upgrade.monster,/fam_newspaper.js,as.run-upgrade.monster,/fam_newspaper.js,zx.run-upgrade.monster,/avatars.js",
  813. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  814. "HTTP Method Path 2": "/templates",
  815. "Header1": "",
  816. "Header2": "",
  817. "PipeName": "",
  818. "DNS Idle": "@\\xD9\\xA5\\x04",
  819. "DNS Sleep": "0",
  820. "Method1": "GET",
  821. "Method2": "POST",
  822. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  823. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  824. "Proxy_AccessType": "2 (Use IE settings)"
  825. }
  826. },
  827. "104.168.159.201": {
  828. "x86": {
  829. "BeaconType": "8 (HTTPS)",
  830. "Port": "443",
  831. "Polling": "55365",
  832. "Jitter": "43",
  833. "Maxdns": "255",
  834. "C2 Server": "104.168.159.201,/en",
  835. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  836. "HTTP Method Path 2": "/as",
  837. "Header1": "",
  838. "Header2": "",
  839. "PipeName": "",
  840. "DNS Idle": "z\\xC1]\\x0E",
  841. "DNS Sleep": "0",
  842. "Method1": "GET",
  843. "Method2": "POST",
  844. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  845. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  846. "Proxy_AccessType": "2 (Use IE settings)"
  847. }
  848. },
  849. "104.194.10.58": {
  850. "x86": {
  851. "BeaconType": "8 (HTTPS)",
  852. "Port": "443",
  853. "Polling": "30000",
  854. "Jitter": "20",
  855. "Maxdns": "255",
  856. "C2 Server": "peernew.com,/CWoNaJLBo/VTNeWw11212/",
  857. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  858. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  859. "Header1": "",
  860. "Header2": "",
  861. "PipeName": "",
  862. "DNS Idle": "\\x00\\x00\\x00\\x00",
  863. "DNS Sleep": "0",
  864. "Method1": "GET",
  865. "Method2": "POST",
  866. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  867. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  868. "Proxy_AccessType": "2 (Use IE settings)"
  869. }
  870. },
  871. "104.194.11.10": {
  872. "x86": {
  873. "BeaconType": "8 (HTTPS)",
  874. "Port": "443",
  875. "Polling": "5000",
  876. "Jitter": "10",
  877. "Maxdns": "235",
  878. "C2 Server": "simvp.com,/us/ky/louisville/312-s-fourth-st.html",
  879. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  880. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  881. "Header1": "",
  882. "Header2": "",
  883. "PipeName": "",
  884. "DNS Idle": "\\x08\\x08\\x08\\x08",
  885. "DNS Sleep": "0",
  886. "Method1": "GET",
  887. "Method2": "POST",
  888. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  889. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  890. "Proxy_AccessType": "2 (Use IE settings)"
  891. },
  892. "x64": {
  893. "BeaconType": "8 (HTTPS)",
  894. "Port": "443",
  895. "Polling": "5000",
  896. "Jitter": "10",
  897. "Maxdns": "235",
  898. "C2 Server": "simvp.com,/us/ky/louisville/312-s-fourth-st.html",
  899. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  900. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  901. "Header1": "",
  902. "Header2": "",
  903. "PipeName": "",
  904. "DNS Idle": "\\x08\\x08\\x08\\x08",
  905. "DNS Sleep": "0",
  906. "Method1": "GET",
  907. "Method2": "POST",
  908. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  909. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  910. "Proxy_AccessType": "2 (Use IE settings)"
  911. }
  912. },
  913. "104.194.8.114": {
  914. "x86": {
  915. "BeaconType": "8 (HTTPS)",
  916. "Port": "443",
  917. "Polling": "5000",
  918. "Jitter": "10",
  919. "Maxdns": "235",
  920. "C2 Server": "raills.com,/us/ky/louisville/312-s-fourth-st.html",
  921. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  922. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  923. "Header1": "",
  924. "Header2": "",
  925. "PipeName": "",
  926. "DNS Idle": "\\x08\\x08\\x08\\x08",
  927. "DNS Sleep": "0",
  928. "Method1": "GET",
  929. "Method2": "POST",
  930. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  931. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  932. "Proxy_AccessType": "2 (Use IE settings)"
  933. }
  934. },
  935. "104.194.8.36": {
  936. "x64": {
  937. "BeaconType": "8 (HTTPS)",
  938. "Port": "443",
  939. "Polling": "5000",
  940. "Jitter": "10",
  941. "Maxdns": "235",
  942. "C2 Server": "rollfx.com,/us/ky/louisville/312-s-fourth-st.html",
  943. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  944. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  945. "Header1": "",
  946. "Header2": "",
  947. "PipeName": "",
  948. "DNS Idle": "\\x08\\x08\\x08\\x08",
  949. "DNS Sleep": "0",
  950. "Method1": "GET",
  951. "Method2": "POST",
  952. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  953. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  954. "Proxy_AccessType": "2 (Use IE settings)"
  955. }
  956. },
  957. "104.236.172.121": {
  958. "x86": {
  959. "BeaconType": "8 (HTTPS)",
  960. "Port": "443",
  961. "Polling": "60000",
  962. "Jitter": "0",
  963. "Maxdns": "255",
  964. "C2 Server": "104.236.172.121,/ga.js,n00she.com,/match",
  965. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  966. "HTTP Method Path 2": "/submit.php",
  967. "Header1": "",
  968. "Header2": "",
  969. "PipeName": "",
  970. "DNS Idle": "\\x00\\x00\\x00\\x00",
  971. "DNS Sleep": "0",
  972. "Method1": "GET",
  973. "Method2": "POST",
  974. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  975. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  976. "Proxy_AccessType": "2 (Use IE settings)"
  977. },
  978. "x64": {
  979. "BeaconType": "8 (HTTPS)",
  980. "Port": "443",
  981. "Polling": "60000",
  982. "Jitter": "0",
  983. "Maxdns": "255",
  984. "C2 Server": "104.236.172.121,/en_US/all.js,n00she.com,/activity",
  985. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)",
  986. "HTTP Method Path 2": "/submit.php",
  987. "Header1": "",
  988. "Header2": "",
  989. "PipeName": "",
  990. "DNS Idle": "\\x00\\x00\\x00\\x00",
  991. "DNS Sleep": "0",
  992. "Method1": "GET",
  993. "Method2": "POST",
  994. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  995. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  996. "Proxy_AccessType": "2 (Use IE settings)"
  997. }
  998. },
  999. "104.238.133.94": {
  1000. "x86": {
  1001. "BeaconType": "8 (HTTPS)",
  1002. "Port": "443",
  1003. "Polling": "60000",
  1004. "Jitter": "0",
  1005. "Maxdns": "255",
  1006. "C2 Server": "104.238.133.94,/pixel.gif",
  1007. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)",
  1008. "HTTP Method Path 2": "/submit.php",
  1009. "Header1": "",
  1010. "Header2": "",
  1011. "PipeName": "",
  1012. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1013. "DNS Sleep": "0",
  1014. "Method1": "GET",
  1015. "Method2": "POST",
  1016. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1017. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1018. "Proxy_AccessType": "2 (Use IE settings)"
  1019. }
  1020. },
  1021. "104.238.205.115": {
  1022. "x86": {
  1023. "BeaconType": "8 (HTTPS)",
  1024. "Port": "443",
  1025. "Polling": "5000",
  1026. "Jitter": "10",
  1027. "Maxdns": "235",
  1028. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  1029. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1030. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1031. "Header1": "",
  1032. "Header2": "",
  1033. "PipeName": "",
  1034. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1035. "DNS Sleep": "0",
  1036. "Method1": "GET",
  1037. "Method2": "POST",
  1038. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1039. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1040. "Proxy_AccessType": "2 (Use IE settings)"
  1041. }
  1042. },
  1043. "104.238.205.44": {
  1044. "x86": {
  1045. "BeaconType": "8 (HTTPS)",
  1046. "Port": "443",
  1047. "Polling": "60000",
  1048. "Jitter": "0",
  1049. "Maxdns": "255",
  1050. "C2 Server": "syscx.com,/dot.gif",
  1051. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; ASU2JS)",
  1052. "HTTP Method Path 2": "/submit.php",
  1053. "Header1": "",
  1054. "Header2": "",
  1055. "PipeName": "",
  1056. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1057. "DNS Sleep": "0",
  1058. "Method1": "GET",
  1059. "Method2": "POST",
  1060. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1061. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1062. "Proxy_AccessType": "2 (Use IE settings)"
  1063. }
  1064. },
  1065. "104.238.205.63": {
  1066. "x86": {
  1067. "BeaconType": "8 (HTTPS)",
  1068. "Port": "443",
  1069. "Polling": "30000",
  1070. "Jitter": "20",
  1071. "Maxdns": "255",
  1072. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  1073. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  1074. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  1075. "Header1": "",
  1076. "Header2": "",
  1077. "PipeName": "",
  1078. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1079. "DNS Sleep": "0",
  1080. "Method1": "GET",
  1081. "Method2": "POST",
  1082. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1083. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1084. "Proxy_AccessType": "2 (Use IE settings)"
  1085. }
  1086. },
  1087. "104.243.33.7": {
  1088. "x64": {
  1089. "BeaconType": "8 (HTTPS)",
  1090. "Port": "443",
  1091. "Polling": "30000",
  1092. "Jitter": "20",
  1093. "Maxdns": "255",
  1094. "C2 Server": "goodroy.com,/CWoNaJLBo/VTNeWw11212/",
  1095. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  1096. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  1097. "Header1": "",
  1098. "Header2": "",
  1099. "PipeName": "",
  1100. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1101. "DNS Sleep": "0",
  1102. "Method1": "GET",
  1103. "Method2": "POST",
  1104. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1105. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1106. "Proxy_AccessType": "2 (Use IE settings)"
  1107. }
  1108. },
  1109. "104.243.40.126": {
  1110. "x86": {
  1111. "BeaconType": "8 (HTTPS)",
  1112. "Port": "443",
  1113. "Polling": "5000",
  1114. "Jitter": "10",
  1115. "Maxdns": "235",
  1116. "C2 Server": "likenic.com,/us/ky/louisville/312-s-fourth-st.html",
  1117. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1118. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1119. "Header1": "",
  1120. "Header2": "",
  1121. "PipeName": "",
  1122. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1123. "DNS Sleep": "0",
  1124. "Method1": "GET",
  1125. "Method2": "POST",
  1126. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1127. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1128. "Proxy_AccessType": "2 (Use IE settings)"
  1129. }
  1130. },
  1131. "104.243.41.123": {
  1132. "x64": {
  1133. "BeaconType": "8 (HTTPS)",
  1134. "Port": "443",
  1135. "Polling": "60000",
  1136. "Jitter": "0",
  1137. "Maxdns": "255",
  1138. "C2 Server": "cuphq.com,/cx",
  1139. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)",
  1140. "HTTP Method Path 2": "/submit.php",
  1141. "Header1": "",
  1142. "Header2": "",
  1143. "PipeName": "",
  1144. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1145. "DNS Sleep": "0",
  1146. "Method1": "GET",
  1147. "Method2": "POST",
  1148. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1149. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1150. "Proxy_AccessType": "2 (Use IE settings)"
  1151. }
  1152. },
  1153. "104.243.45.15": {
  1154. "x86": {
  1155. "BeaconType": "8 (HTTPS)",
  1156. "Port": "443",
  1157. "Polling": "5000",
  1158. "Jitter": "10",
  1159. "Maxdns": "235",
  1160. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  1161. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1162. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1163. "Header1": "",
  1164. "Header2": "",
  1165. "PipeName": "",
  1166. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1167. "DNS Sleep": "0",
  1168. "Method1": "GET",
  1169. "Method2": "POST",
  1170. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1171. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1172. "Proxy_AccessType": "2 (Use IE settings)"
  1173. },
  1174. "x64": {
  1175. "BeaconType": "8 (HTTPS)",
  1176. "Port": "443",
  1177. "Polling": "5000",
  1178. "Jitter": "10",
  1179. "Maxdns": "235",
  1180. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  1181. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1182. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1183. "Header1": "",
  1184. "Header2": "",
  1185. "PipeName": "",
  1186. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1187. "DNS Sleep": "0",
  1188. "Method1": "GET",
  1189. "Method2": "POST",
  1190. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1191. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1192. "Proxy_AccessType": "2 (Use IE settings)"
  1193. }
  1194. },
  1195. "104.243.45.45": {
  1196. "x86": {
  1197. "BeaconType": "8 (HTTPS)",
  1198. "Port": "443",
  1199. "Polling": "5000",
  1200. "Jitter": "10",
  1201. "Maxdns": "235",
  1202. "C2 Server": "mobpros.com,/us/ky/louisville/312-s-fourth-st.html",
  1203. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1204. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1205. "Header1": "",
  1206. "Header2": "",
  1207. "PipeName": "",
  1208. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1209. "DNS Sleep": "0",
  1210. "Method1": "GET",
  1211. "Method2": "POST",
  1212. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1213. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1214. "Proxy_AccessType": "2 (Use IE settings)"
  1215. }
  1216. },
  1217. "104.243.46.74": {
  1218. "x86": {
  1219. "BeaconType": "8 (HTTPS)",
  1220. "Port": "443",
  1221. "Polling": "60000",
  1222. "Jitter": "0",
  1223. "Maxdns": "255",
  1224. "C2 Server": "104.243.46.74,/IE9CompatViewList.xml",
  1225. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)",
  1226. "HTTP Method Path 2": "/submit.php",
  1227. "Header1": "",
  1228. "Header2": "",
  1229. "PipeName": "",
  1230. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1231. "DNS Sleep": "0",
  1232. "Method1": "GET",
  1233. "Method2": "POST",
  1234. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1235. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1236. "Proxy_AccessType": "2 (Use IE settings)"
  1237. }
  1238. },
  1239. "104.247.196.106": {
  1240. "x64": {
  1241. "BeaconType": "8 (HTTPS)",
  1242. "Port": "443",
  1243. "Polling": "60000",
  1244. "Jitter": "0",
  1245. "Maxdns": "255",
  1246. "C2 Server": "104.247.196.106,/match",
  1247. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  1248. "HTTP Method Path 2": "/submit.php",
  1249. "Header1": "",
  1250. "Header2": "",
  1251. "PipeName": "",
  1252. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1253. "DNS Sleep": "0",
  1254. "Method1": "GET",
  1255. "Method2": "POST",
  1256. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1257. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1258. "Proxy_AccessType": "2 (Use IE settings)"
  1259. }
  1260. },
  1261. "104.247.196.170": {
  1262. "x86": {
  1263. "BeaconType": "8 (HTTPS)",
  1264. "Port": "443",
  1265. "Polling": "5000",
  1266. "Jitter": "10",
  1267. "Maxdns": "235",
  1268. "C2 Server": "clubuz.com,/us/ky/louisville/312-s-fourth-st.html",
  1269. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1270. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1271. "Header1": "",
  1272. "Header2": "",
  1273. "PipeName": "",
  1274. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1275. "DNS Sleep": "0",
  1276. "Method1": "GET",
  1277. "Method2": "POST",
  1278. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1279. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1280. "Proxy_AccessType": "2 (Use IE settings)"
  1281. }
  1282. },
  1283. "104.248.224.90": {
  1284. "x86": {
  1285. "BeaconType": "8 (HTTPS)",
  1286. "Port": "443",
  1287. "Polling": "15000",
  1288. "Jitter": "90",
  1289. "Maxdns": "225",
  1290. "C2 Server": "www.nytimes.com,/v1/preferences,www.nytimes.com,/v1/preferences,www.nytimes.com,/idcta/translations,www.nytimes.com,/v2/preferences,www.nytimes.com,/idcta/translations",
  1291. "User Agent": "Microsoft BITS/7.8",
  1292. "HTTP Method Path 2": "/track",
  1293. "Header1": "",
  1294. "Header2": "",
  1295. "PipeName": "",
  1296. "DNS Idle": "h\\xD8<\\x84",
  1297. "DNS Sleep": "0",
  1298. "Method1": "GET",
  1299. "Method2": "POST",
  1300. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  1301. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  1302. "Proxy_AccessType": "2 (Use IE settings)"
  1303. }
  1304. },
  1305. "104.248.48.249": {
  1306. "x86": {
  1307. "BeaconType": "8 (HTTPS)",
  1308. "Port": "443",
  1309. "Polling": "15000",
  1310. "Jitter": "90",
  1311. "C2 Server": "104.248.48.249,/gp/cerberus/gv",
  1312. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  1313. "Method1": "GET",
  1314. "Method2": "POST",
  1315. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  1316. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  1317. "Proxy_AccessType": "2 (Use IE settings)"
  1318. }
  1319. },
  1320. "104.254.128.107": {
  1321. "x86": {
  1322. "BeaconType": "8 (HTTPS)",
  1323. "Port": "443",
  1324. "Polling": "60000",
  1325. "Jitter": "0",
  1326. "C2 Server": "45.170.251.101,/ga.js",
  1327. "HTTP Method Path 2": "/submit.php",
  1328. "Method1": "GET",
  1329. "Method2": "POST",
  1330. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1331. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1332. "Proxy_AccessType": "2 (Use IE settings)"
  1333. }
  1334. },
  1335. "106.52.233.118": {
  1336. "x64": {
  1337. "BeaconType": "8 (HTTPS)",
  1338. "Port": "443",
  1339. "Polling": "60000",
  1340. "Jitter": "0",
  1341. "Maxdns": "255",
  1342. "C2 Server": "106.52.233.118,/s",
  1343. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  1344. "HTTP Method Path 2": "/S",
  1345. "Header1": "",
  1346. "Header2": "",
  1347. "PipeName": "",
  1348. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1349. "DNS Sleep": "0",
  1350. "Method1": "GET",
  1351. "Method2": "POST",
  1352. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1353. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1354. "Proxy_AccessType": "2 (Use IE settings)"
  1355. }
  1356. },
  1357. "106.55.153.204": {
  1358. "x86": {
  1359. "BeaconType": "8 (HTTPS)",
  1360. "Port": "443",
  1361. "Polling": "60000",
  1362. "Jitter": "0",
  1363. "Maxdns": "255",
  1364. "C2 Server": "106.55.153.204,/en_US/all.js",
  1365. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  1366. "HTTP Method Path 2": "/submit.php",
  1367. "Header1": "",
  1368. "Header2": "",
  1369. "PipeName": "",
  1370. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1371. "DNS Sleep": "0",
  1372. "Method1": "GET",
  1373. "Method2": "POST",
  1374. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1375. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1376. "Proxy_AccessType": "2 (Use IE settings)"
  1377. }
  1378. },
  1379. "108.177.235.180": {
  1380. "x86": {
  1381. "BeaconType": "8 (HTTPS)",
  1382. "Port": "443",
  1383. "Polling": "60000",
  1384. "Jitter": "0",
  1385. "Maxdns": "255",
  1386. "C2 Server": "mail.safeyoke.com,/ptj,feedback.safeyoke.com,/cx",
  1387. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)",
  1388. "HTTP Method Path 2": "/submit.php",
  1389. "Header1": "",
  1390. "Header2": "",
  1391. "PipeName": "",
  1392. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1393. "DNS Sleep": "0",
  1394. "Method1": "GET",
  1395. "Method2": "POST",
  1396. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1397. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1398. "Proxy_AccessType": "2 (Use IE settings)"
  1399. }
  1400. },
  1401. "108.177.235.22": {
  1402. "x86": {
  1403. "BeaconType": "8 (HTTPS)",
  1404. "Port": "443",
  1405. "Polling": "60000",
  1406. "Jitter": "0",
  1407. "Maxdns": "255",
  1408. "C2 Server": "108.177.235.22,/fwlink",
  1409. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  1410. "HTTP Method Path 2": "/submit.php",
  1411. "Header1": "",
  1412. "Header2": "",
  1413. "PipeName": "",
  1414. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1415. "DNS Sleep": "0",
  1416. "Method1": "GET",
  1417. "Method2": "POST",
  1418. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1419. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1420. "Proxy_AccessType": "2 (Use IE settings)"
  1421. }
  1422. },
  1423. "108.62.118.187": {
  1424. "x86": {
  1425. "BeaconType": "8 (HTTPS)",
  1426. "Port": "443",
  1427. "Polling": "5000",
  1428. "Jitter": "10",
  1429. "Maxdns": "235",
  1430. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  1431. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1432. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1433. "Header1": "",
  1434. "Header2": "",
  1435. "PipeName": "",
  1436. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1437. "DNS Sleep": "0",
  1438. "Method1": "GET",
  1439. "Method2": "POST",
  1440. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1441. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1442. "Proxy_AccessType": "2 (Use IE settings)"
  1443. },
  1444. "x64": {
  1445. "BeaconType": "8 (HTTPS)",
  1446. "Port": "443",
  1447. "Polling": "5000",
  1448. "Jitter": "10",
  1449. "Maxdns": "235",
  1450. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  1451. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1452. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1453. "Header1": "",
  1454. "Header2": "",
  1455. "PipeName": "",
  1456. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1457. "DNS Sleep": "0",
  1458. "Method1": "GET",
  1459. "Method2": "POST",
  1460. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1461. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1462. "Proxy_AccessType": "2 (Use IE settings)"
  1463. }
  1464. },
  1465. "108.62.118.37": {
  1466. "x86": {
  1467. "BeaconType": "8 (HTTPS)",
  1468. "Port": "443",
  1469. "Polling": "60000",
  1470. "Jitter": "0",
  1471. "Maxdns": "255",
  1472. "C2 Server": "amajai-technologies.trade,/ga.js",
  1473. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)",
  1474. "HTTP Method Path 2": "/submit.php",
  1475. "Header1": "",
  1476. "Header2": "",
  1477. "PipeName": "",
  1478. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1479. "DNS Sleep": "0",
  1480. "Method1": "GET",
  1481. "Method2": "POST",
  1482. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1483. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1484. "Proxy_AccessType": "2 (Use IE settings)"
  1485. },
  1486. "x64": {
  1487. "BeaconType": "8 (HTTPS)",
  1488. "Port": "443",
  1489. "Polling": "60000",
  1490. "Jitter": "0",
  1491. "Maxdns": "255",
  1492. "C2 Server": "amajai-technologies.trade,/match",
  1493. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)",
  1494. "HTTP Method Path 2": "/submit.php",
  1495. "Header1": "",
  1496. "Header2": "",
  1497. "PipeName": "",
  1498. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1499. "DNS Sleep": "0",
  1500. "Method1": "GET",
  1501. "Method2": "POST",
  1502. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1503. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1504. "Proxy_AccessType": "2 (Use IE settings)"
  1505. }
  1506. },
  1507. "108.62.141.129": {
  1508. "x64": {
  1509. "BeaconType": "8 (HTTPS)",
  1510. "Port": "443",
  1511. "Polling": "5000",
  1512. "Jitter": "10",
  1513. "Maxdns": "235",
  1514. "C2 Server": "eyedm.com,/us/ky/louisville/312-s-fourth-st.html",
  1515. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1516. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1517. "Header1": "",
  1518. "Header2": "",
  1519. "PipeName": "",
  1520. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1521. "DNS Sleep": "0",
  1522. "Method1": "GET",
  1523. "Method2": "POST",
  1524. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1525. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1526. "Proxy_AccessType": "2 (Use IE settings)"
  1527. }
  1528. },
  1529. "108.62.141.158": {
  1530. "x86": {
  1531. "BeaconType": "8 (HTTPS)",
  1532. "Port": "443",
  1533. "Polling": "5000",
  1534. "Jitter": "10",
  1535. "Maxdns": "235",
  1536. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  1537. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1538. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1539. "Header1": "",
  1540. "Header2": "",
  1541. "PipeName": "",
  1542. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1543. "DNS Sleep": "0",
  1544. "Method1": "GET",
  1545. "Method2": "POST",
  1546. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1547. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1548. "Proxy_AccessType": "2 (Use IE settings)"
  1549. }
  1550. },
  1551. "108.62.141.170": {
  1552. "x64": {
  1553. "BeaconType": "8 (HTTPS)",
  1554. "Port": "443",
  1555. "Polling": "5000",
  1556. "Jitter": "10",
  1557. "Maxdns": "235",
  1558. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  1559. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1560. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1561. "Header1": "",
  1562. "Header2": "",
  1563. "PipeName": "",
  1564. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1565. "DNS Sleep": "0",
  1566. "Method1": "GET",
  1567. "Method2": "POST",
  1568. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1569. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1570. "Proxy_AccessType": "2 (Use IE settings)"
  1571. }
  1572. },
  1573. "108.62.141.62": {
  1574. "x86": {
  1575. "BeaconType": "8 (HTTPS)",
  1576. "Port": "443",
  1577. "Polling": "5000",
  1578. "Jitter": "10",
  1579. "Maxdns": "235",
  1580. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  1581. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1582. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1583. "Header1": "",
  1584. "Header2": "",
  1585. "PipeName": "",
  1586. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1587. "DNS Sleep": "0",
  1588. "Method1": "GET",
  1589. "Method2": "POST",
  1590. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1591. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1592. "Proxy_AccessType": "2 (Use IE settings)"
  1593. }
  1594. },
  1595. "108.62.141.72": {
  1596. "x86": {
  1597. "BeaconType": "8 (HTTPS)",
  1598. "Port": "443",
  1599. "Polling": "5000",
  1600. "Jitter": "10",
  1601. "Maxdns": "235",
  1602. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  1603. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  1604. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  1605. "Header1": "",
  1606. "Header2": "",
  1607. "PipeName": "",
  1608. "DNS Idle": "\\x08\\x08\\x08\\x08",
  1609. "DNS Sleep": "0",
  1610. "Method1": "GET",
  1611. "Method2": "POST",
  1612. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  1613. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  1614. "Proxy_AccessType": "2 (Use IE settings)"
  1615. }
  1616. },
  1617. "109.201.142.110": {
  1618. "x86": {
  1619. "BeaconType": "8 (HTTPS)",
  1620. "Port": "443",
  1621. "Polling": "60000",
  1622. "Jitter": "0",
  1623. "Maxdns": "255",
  1624. "C2 Server": "forteupdate.com,/match",
  1625. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
  1626. "HTTP Method Path 2": "/submit.php",
  1627. "Header1": "",
  1628. "Header2": "",
  1629. "PipeName": "",
  1630. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1631. "DNS Sleep": "0",
  1632. "Method1": "GET",
  1633. "Method2": "POST",
  1634. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1635. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1636. "Proxy_AccessType": "2 (Use IE settings)"
  1637. }
  1638. },
  1639. "109.230.199.56": {
  1640. "x64": {
  1641. "BeaconType": "8 (HTTPS)",
  1642. "Port": "443",
  1643. "Polling": "60000",
  1644. "Jitter": "0",
  1645. "Maxdns": "255",
  1646. "C2 Server": "109.230.199.56,/dpixel",
  1647. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  1648. "HTTP Method Path 2": "/submit.php",
  1649. "Header1": "",
  1650. "Header2": "",
  1651. "PipeName": "",
  1652. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1653. "DNS Sleep": "0",
  1654. "Method1": "GET",
  1655. "Method2": "POST",
  1656. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1657. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1658. "Proxy_AccessType": "2 (Use IE settings)"
  1659. }
  1660. },
  1661. "109.231.194.189": {
  1662. "x86": {
  1663. "BeaconType": "8 (HTTPS)",
  1664. "Port": "443",
  1665. "Polling": "880",
  1666. "Jitter": "0",
  1667. "Maxdns": "244",
  1668. "C2 Server": "109.231.194.189,/access/",
  1669. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0",
  1670. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  1671. "Header1": "",
  1672. "Header2": "",
  1673. "PipeName": "\\\\%s\\pipe\\msagent_%x",
  1674. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1675. "DNS Sleep": "0",
  1676. "Method1": "GET",
  1677. "Method2": "POST",
  1678. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1679. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1680. "Proxy_AccessType": "2 (Use IE settings)"
  1681. },
  1682. "x64": {
  1683. "BeaconType": "8 (HTTPS)",
  1684. "Port": "443",
  1685. "Polling": "880",
  1686. "Jitter": "0",
  1687. "Maxdns": "244",
  1688. "C2 Server": "109.231.194.189,/access/",
  1689. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:1.9) Gecko/20100101 Firefox/4.0",
  1690. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  1691. "Header1": "",
  1692. "Header2": "",
  1693. "PipeName": "\\\\%s\\pipe\\msagent_%x",
  1694. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1695. "DNS Sleep": "0",
  1696. "Method1": "GET",
  1697. "Method2": "POST",
  1698. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1699. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1700. "Proxy_AccessType": "2 (Use IE settings)"
  1701. }
  1702. },
  1703. "111.229.210.49": {
  1704. "x86": {
  1705. "BeaconType": "8 (HTTPS)",
  1706. "Port": "443",
  1707. "Polling": "60000",
  1708. "Jitter": "0",
  1709. "Maxdns": "255",
  1710. "C2 Server": "111.229.210.49,/push",
  1711. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  1712. "HTTP Method Path 2": "/submit.php",
  1713. "Header1": "",
  1714. "Header2": "",
  1715. "PipeName": "",
  1716. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1717. "DNS Sleep": "0",
  1718. "Method1": "GET",
  1719. "Method2": "POST",
  1720. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1721. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1722. "Proxy_AccessType": "2 (Use IE settings)"
  1723. }
  1724. },
  1725. "114.118.4.189": {
  1726. "x86": {
  1727. "BeaconType": "8 (HTTPS)",
  1728. "Port": "443",
  1729. "Polling": "5000",
  1730. "Jitter": "10",
  1731. "Maxdns": "235",
  1732. "C2 Server": "114.118.4.189,/updates",
  1733. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  1734. "HTTP Method Path 2": "/windows/mark.jsp",
  1735. "Header1": "",
  1736. "Header2": "",
  1737. "PipeName": "",
  1738. "DNS Idle": "\\x08\\x08\\x04\\x04",
  1739. "DNS Sleep": "0",
  1740. "Method1": "GET",
  1741. "Method2": "POST",
  1742. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1743. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1744. "Proxy_AccessType": "2 (Use IE settings)"
  1745. },
  1746. "x64": {
  1747. "BeaconType": "8 (HTTPS)",
  1748. "Port": "443",
  1749. "Polling": "5000",
  1750. "Jitter": "10",
  1751. "Maxdns": "235",
  1752. "C2 Server": "114.118.4.189,/updates",
  1753. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  1754. "HTTP Method Path 2": "/windows/fly.jsp",
  1755. "Header1": "",
  1756. "Header2": "",
  1757. "PipeName": "",
  1758. "DNS Idle": "\\x08\\x08\\x04\\x04",
  1759. "DNS Sleep": "0",
  1760. "Method1": "GET",
  1761. "Method2": "POST",
  1762. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1763. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1764. "Proxy_AccessType": "2 (Use IE settings)"
  1765. }
  1766. },
  1767. "117.50.106.161": {
  1768. "x86": {
  1769. "BeaconType": "8 (HTTPS)",
  1770. "Port": "443",
  1771. "Polling": "60000",
  1772. "Jitter": "0",
  1773. "Maxdns": "255",
  1774. "C2 Server": "117.50.106.161,/pixel",
  1775. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  1776. "HTTP Method Path 2": "/submit.php",
  1777. "Header1": "",
  1778. "Header2": "",
  1779. "PipeName": "",
  1780. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1781. "DNS Sleep": "0",
  1782. "Method1": "GET",
  1783. "Method2": "POST",
  1784. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1785. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1786. "Proxy_AccessType": "2 (Use IE settings)"
  1787. }
  1788. },
  1789. "117.51.149.186": {
  1790. "x64": {
  1791. "BeaconType": "8 (HTTPS)",
  1792. "Port": "443",
  1793. "Polling": "60000",
  1794. "Jitter": "0",
  1795. "Maxdns": "255",
  1796. "C2 Server": "117.51.149.186,/fwlink",
  1797. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MATMJS)",
  1798. "HTTP Method Path 2": "/submit.php",
  1799. "Header1": "",
  1800. "Header2": "",
  1801. "PipeName": "",
  1802. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1803. "DNS Sleep": "0",
  1804. "Method1": "GET",
  1805. "Method2": "POST",
  1806. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1807. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1808. "Proxy_AccessType": "2 (Use IE settings)"
  1809. }
  1810. },
  1811. "119.28.9.129": {
  1812. "x64": {
  1813. "BeaconType": "8 (HTTPS)",
  1814. "Port": "443",
  1815. "Polling": "60000",
  1816. "Jitter": "0",
  1817. "Maxdns": "255",
  1818. "C2 Server": "119.28.9.129,/pixel.gif",
  1819. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  1820. "HTTP Method Path 2": "/submit.php",
  1821. "Header1": "",
  1822. "Header2": "",
  1823. "PipeName": "",
  1824. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1825. "DNS Sleep": "0",
  1826. "Method1": "GET",
  1827. "Method2": "POST",
  1828. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1829. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1830. "Proxy_AccessType": "2 (Use IE settings)"
  1831. }
  1832. },
  1833. "121.196.148.36": {
  1834. "x86": {
  1835. "BeaconType": "8 (HTTPS)",
  1836. "Port": "443",
  1837. "Polling": "60534",
  1838. "Jitter": "41",
  1839. "Maxdns": "249",
  1840. "C2 Server": "121.196.148.36,/ur.js",
  1841. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  1842. "HTTP Method Path 2": "/favicon",
  1843. "Header1": "",
  1844. "Header2": "",
  1845. "PipeName": "",
  1846. "DNS Idle": "\\xD6\\x82\\xA4E",
  1847. "DNS Sleep": "0",
  1848. "Method1": "GET",
  1849. "Method2": "POST",
  1850. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  1851. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  1852. "Proxy_AccessType": "2 (Use IE settings)"
  1853. }
  1854. },
  1855. "123.56.133.239": {
  1856. "x86": {
  1857. "BeaconType": "8 (HTTPS)",
  1858. "Port": "443",
  1859. "Polling": "60000",
  1860. "Jitter": "0",
  1861. "Maxdns": "255",
  1862. "C2 Server": "123.56.133.239,/activity",
  1863. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  1864. "HTTP Method Path 2": "/submit.php",
  1865. "Header1": "",
  1866. "Header2": "",
  1867. "PipeName": "",
  1868. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1869. "DNS Sleep": "0",
  1870. "Method1": "GET",
  1871. "Method2": "POST",
  1872. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1873. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1874. "Proxy_AccessType": "2 (Use IE settings)"
  1875. },
  1876. "x64": {
  1877. "BeaconType": "8 (HTTPS)",
  1878. "Port": "443",
  1879. "Polling": "60000",
  1880. "Jitter": "0",
  1881. "Maxdns": "255",
  1882. "C2 Server": "123.56.133.239,/activity",
  1883. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  1884. "HTTP Method Path 2": "/submit.php",
  1885. "Header1": "",
  1886. "Header2": "",
  1887. "PipeName": "",
  1888. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1889. "DNS Sleep": "0",
  1890. "Method1": "GET",
  1891. "Method2": "POST",
  1892. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1893. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1894. "Proxy_AccessType": "2 (Use IE settings)"
  1895. }
  1896. },
  1897. "123.57.235.194": {
  1898. "x64": {
  1899. "BeaconType": "8 (HTTPS)",
  1900. "Port": "443",
  1901. "Polling": "1000",
  1902. "Jitter": "37",
  1903. "Maxdns": "255",
  1904. "C2 Server": "123.57.235.194,/jquery-3.3.1.min.js",
  1905. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",
  1906. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1907. "Header1": "",
  1908. "Header2": "",
  1909. "PipeName": "",
  1910. "DNS Idle": "J}\\xC4q",
  1911. "DNS Sleep": "0",
  1912. "Method1": "GET",
  1913. "Method2": "POST",
  1914. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  1915. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  1916. "Proxy_AccessType": "2 (Use IE settings)"
  1917. }
  1918. },
  1919. "123.57.90.172": {
  1920. "x64": {
  1921. "BeaconType": "8 (HTTPS)",
  1922. "Port": "443",
  1923. "Polling": "60000",
  1924. "Jitter": "0",
  1925. "Maxdns": "255",
  1926. "C2 Server": "123.57.90.172,/__utm.gif",
  1927. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  1928. "HTTP Method Path 2": "/submit.php",
  1929. "Header1": "",
  1930. "Header2": "",
  1931. "PipeName": "",
  1932. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1933. "DNS Sleep": "0",
  1934. "Method1": "GET",
  1935. "Method2": "POST",
  1936. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1937. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1938. "Proxy_AccessType": "2 (Use IE settings)"
  1939. }
  1940. },
  1941. "123.58.211.116": {
  1942. "x86": {
  1943. "BeaconType": "8 (HTTPS)",
  1944. "Port": "443",
  1945. "Polling": "60000",
  1946. "Jitter": "0",
  1947. "Maxdns": "255",
  1948. "C2 Server": "123.58.211.116,/dot.gif",
  1949. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)",
  1950. "HTTP Method Path 2": "/submit.php",
  1951. "Header1": "",
  1952. "Header2": "",
  1953. "PipeName": "",
  1954. "DNS Idle": "\\x00\\x00\\x00\\x00",
  1955. "DNS Sleep": "0",
  1956. "Method1": "GET",
  1957. "Method2": "POST",
  1958. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  1959. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  1960. "Proxy_AccessType": "2 (Use IE settings)"
  1961. }
  1962. },
  1963. "124.217.230.137": {
  1964. "x64": {
  1965. "BeaconType": "8 (HTTPS)",
  1966. "Port": "443",
  1967. "Polling": "41000",
  1968. "Jitter": "37",
  1969. "Maxdns": "255",
  1970. "C2 Server": "124.217.230.137,/jquery-3.3.1.min.js",
  1971. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)",
  1972. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1973. "Header1": "",
  1974. "Header2": "",
  1975. "PipeName": "",
  1976. "DNS Idle": "J}\\xC4q",
  1977. "DNS Sleep": "0",
  1978. "Method1": "GET",
  1979. "Method2": "POST",
  1980. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  1981. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  1982. "Proxy_AccessType": "2 (Use IE settings)"
  1983. }
  1984. },
  1985. "128.199.180.58": {
  1986. "x86": {
  1987. "BeaconType": "8 (HTTPS)",
  1988. "Port": "443",
  1989. "Polling": "45000",
  1990. "Jitter": "37",
  1991. "Maxdns": "255",
  1992. "C2 Server": "128.199.180.58,/jquery-3.3.1.min.js",
  1993. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36/8mqQhSuL-09",
  1994. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  1995. "Header1": "",
  1996. "Header2": "",
  1997. "PipeName": "",
  1998. "DNS Idle": "J}\\xC4q",
  1999. "DNS Sleep": "0",
  2000. "Method1": "GET",
  2001. "Method2": "POST",
  2002. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2003. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2004. "Proxy_AccessType": "2 (Use IE settings)"
  2005. },
  2006. "x64": {
  2007. "BeaconType": "8 (HTTPS)",
  2008. "Port": "443",
  2009. "Polling": "45000",
  2010. "Jitter": "37",
  2011. "Maxdns": "255",
  2012. "C2 Server": "128.199.180.58,/jquery-3.3.1.min.js",
  2013. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36/8mqQhSuL-09",
  2014. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2015. "Header1": "",
  2016. "Header2": "",
  2017. "PipeName": "",
  2018. "DNS Idle": "J}\\xC4q",
  2019. "DNS Sleep": "0",
  2020. "Method1": "GET",
  2021. "Method2": "POST",
  2022. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2023. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2024. "Proxy_AccessType": "2 (Use IE settings)"
  2025. }
  2026. },
  2027. "128.199.23.209": {
  2028. "x64": {
  2029. "BeaconType": "8 (HTTPS)",
  2030. "Port": "443",
  2031. "Polling": "60000",
  2032. "Jitter": "37",
  2033. "Maxdns": "255",
  2034. "C2 Server": "128.199.23.209,/jquery-3.3.1.min.js",
  2035. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2036. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2037. "Header1": "",
  2038. "Header2": "",
  2039. "PipeName": "",
  2040. "DNS Idle": "J}\\xC4q",
  2041. "DNS Sleep": "0",
  2042. "Method1": "GET",
  2043. "Method2": "POST",
  2044. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2045. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2046. "Proxy_AccessType": "2 (Use IE settings)"
  2047. }
  2048. },
  2049. "130.211.251.187": {
  2050. "x86": {
  2051. "BeaconType": "8 (HTTPS)",
  2052. "Port": "443",
  2053. "Polling": "60000",
  2054. "Jitter": "0",
  2055. "Maxdns": "255",
  2056. "C2 Server": "130.211.251.187,/ca",
  2057. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)",
  2058. "HTTP Method Path 2": "/submit.php",
  2059. "Header1": "",
  2060. "Header2": "",
  2061. "PipeName": "",
  2062. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2063. "DNS Sleep": "0",
  2064. "Method1": "GET",
  2065. "Method2": "POST",
  2066. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2067. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2068. "Proxy_AccessType": "2 (Use IE settings)"
  2069. }
  2070. },
  2071. "13.211.94.224": {
  2072. "x64": {
  2073. "BeaconType": "8 (HTTPS)",
  2074. "Port": "443",
  2075. "Polling": "60000",
  2076. "Jitter": "20",
  2077. "Maxdns": "235",
  2078. "C2 Server": "au.theguardianweb.com,/preload",
  2079. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2080. "HTTP Method Path 2": "/sa",
  2081. "Header1": "",
  2082. "Header2": "",
  2083. "PipeName": "",
  2084. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2085. "DNS Sleep": "0",
  2086. "Method1": "GET",
  2087. "Method2": "GET",
  2088. "Spawnto_x86": "C:\\Windows\\syswow64\\svchost.exe -k localservice -p -s fdPHost",
  2089. "Spawnto_x64": "C:\\Windows\\sysnative\\svchost.exe -k localservice -p -s fdPHost",
  2090. "Proxy_AccessType": "2 (Use IE settings)"
  2091. }
  2092. },
  2093. "134.122.21.15": {
  2094. "x86": {
  2095. "BeaconType": "8 (HTTPS)",
  2096. "Port": "443",
  2097. "Polling": "600",
  2098. "Jitter": "39",
  2099. "Maxdns": "248",
  2100. "C2 Server": "egress.ninja,/bn",
  2101. "User Agent": "",
  2102. "HTTP Method Path 2": "/br",
  2103. "Header1": "",
  2104. "Header2": "",
  2105. "PipeName": "",
  2106. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2107. "DNS Sleep": "0",
  2108. "Method1": "GET",
  2109. "Method2": "POST",
  2110. "Spawnto_x86": "%windir%\\system32\\regsvr32.exe",
  2111. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2112. "Proxy_Hostname": "http://185.46.212.88:9400",
  2113. "Proxy_AccessType": "0 (Unknown)"
  2114. },
  2115. "x64": {
  2116. "BeaconType": "8 (HTTPS)",
  2117. "Port": "443",
  2118. "Polling": "600",
  2119. "Jitter": "39",
  2120. "Maxdns": "248",
  2121. "C2 Server": "egress.ninja,/bn",
  2122. "User Agent": "",
  2123. "HTTP Method Path 2": "/br",
  2124. "Header1": "",
  2125. "Header2": "",
  2126. "PipeName": "",
  2127. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2128. "DNS Sleep": "0",
  2129. "Method1": "GET",
  2130. "Method2": "POST",
  2131. "Spawnto_x86": "%windir%\\system32\\regsvr32.exe",
  2132. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2133. "Proxy_Hostname": "http://185.46.212.88:9400",
  2134. "Proxy_AccessType": "0 (Unknown)"
  2135. }
  2136. },
  2137. "134.209.117.238": {
  2138. "x86": {
  2139. "BeaconType": "8 (HTTPS)",
  2140. "Port": "443",
  2141. "Polling": "50000",
  2142. "Jitter": "37",
  2143. "C2 Server": "jude.saintjameschurch.org,/Video",
  2144. "HTTP Method Path 2": "/search",
  2145. "Method1": "GET",
  2146. "Method2": "POST",
  2147. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2148. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2149. "Proxy_AccessType": "2 (Use IE settings)"
  2150. }
  2151. },
  2152. "134.209.165.165": {
  2153. "x86": {
  2154. "BeaconType": "8 (HTTPS)",
  2155. "Port": "443",
  2156. "Polling": "15000",
  2157. "Jitter": "90",
  2158. "Maxdns": "225",
  2159. "C2 Server": "ajax.microsoft.com,/wp-includes/js/script/indigo-migrate",
  2160. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2161. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  2162. "Header1": "",
  2163. "Header2": "",
  2164. "PipeName": "",
  2165. "DNS Idle": "h\\xD8<\\x84",
  2166. "DNS Sleep": "0",
  2167. "Method1": "GET",
  2168. "Method2": "POST",
  2169. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  2170. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  2171. "Proxy_AccessType": "2 (Use IE settings)"
  2172. }
  2173. },
  2174. "134.209.200.91": {
  2175. "x86": {
  2176. "BeaconType": "8 (HTTPS)",
  2177. "Port": "443",
  2178. "Polling": "30000",
  2179. "Jitter": "85",
  2180. "Maxdns": "255",
  2181. "C2 Server": "134.209.200.91,/jquery-3.3.1.min.js",
  2182. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36",
  2183. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2184. "Header1": "",
  2185. "Header2": "",
  2186. "PipeName": "",
  2187. "DNS Idle": "J}\\xC4q",
  2188. "DNS Sleep": "0",
  2189. "Method1": "GET",
  2190. "Method2": "POST",
  2191. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2192. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2193. "Proxy_AccessType": "2 (Use IE settings)"
  2194. }
  2195. },
  2196. "134.209.5.246": {
  2197. "x64": {
  2198. "BeaconType": "8 (HTTPS)",
  2199. "Port": "443",
  2200. "Polling": "60000",
  2201. "Jitter": "0",
  2202. "Maxdns": "255",
  2203. "C2 Server": "134.209.5.246,/j.ad",
  2204. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  2205. "HTTP Method Path 2": "/submit.php",
  2206. "Header1": "",
  2207. "Header2": "",
  2208. "PipeName": "",
  2209. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2210. "DNS Sleep": "0",
  2211. "Method1": "GET",
  2212. "Method2": "POST",
  2213. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2214. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2215. "Proxy_AccessType": "2 (Use IE settings)"
  2216. }
  2217. },
  2218. "134.209.86.120": {
  2219. "x64": {
  2220. "BeaconType": "8 (HTTPS)",
  2221. "Port": "443",
  2222. "Polling": "8000",
  2223. "Jitter": "30",
  2224. "Maxdns": "255",
  2225. "C2 Server": "www.stackpath.com,/api/v2/metrics/",
  2226. "User Agent": "Microsoft-CryptoAPI/6.1",
  2227. "HTTP Method Path 2": "/api/v2/analytics/",
  2228. "Header1": "",
  2229. "Header2": "",
  2230. "PipeName": "",
  2231. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  2232. "DNS Sleep": "0",
  2233. "Method1": "GET",
  2234. "Method2": "POST",
  2235. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2236. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2237. "Proxy_AccessType": "2 (Use IE settings)"
  2238. }
  2239. },
  2240. "13.64.101.24": {
  2241. "x86": {
  2242. "BeaconType": "8 (HTTPS)",
  2243. "Port": "443",
  2244. "Polling": "64489",
  2245. "Jitter": "39",
  2246. "Maxdns": "248",
  2247. "C2 Server": "http://daiwa-cm-us.azureedge.net/,/ro,13.64.101.24,/ro",
  2248. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  2249. "HTTP Method Path 2": "/mobile-ipad-home",
  2250. "Header1": "",
  2251. "Header2": "",
  2252. "PipeName": "",
  2253. "DNS Idle": "^\\x16\\xC1\\x88",
  2254. "DNS Sleep": "0",
  2255. "Method1": "GET",
  2256. "Method2": "POST",
  2257. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  2258. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2259. "Proxy_AccessType": "2 (Use IE settings)"
  2260. }
  2261. },
  2262. "138.124.180.52": {
  2263. "x86": {
  2264. "BeaconType": "8 (HTTPS)",
  2265. "Port": "443",
  2266. "Polling": "7000",
  2267. "Jitter": "0",
  2268. "Maxdns": "255",
  2269. "C2 Server": "gosleepaddict.com,/jquery-3.3.1.min.js",
  2270. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2271. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2272. "Header1": "",
  2273. "Header2": "",
  2274. "PipeName": "",
  2275. "DNS Idle": "J}\\xC4q",
  2276. "DNS Sleep": "0",
  2277. "Method1": "GET",
  2278. "Method2": "POST",
  2279. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2280. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2281. "Proxy_AccessType": "2 (Use IE settings)"
  2282. },
  2283. "x64": {
  2284. "BeaconType": "8 (HTTPS)",
  2285. "Port": "443",
  2286. "Polling": "7000",
  2287. "Jitter": "0",
  2288. "Maxdns": "255",
  2289. "C2 Server": "gosleepaddict.com,/jquery-3.3.1.min.js",
  2290. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2291. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2292. "Header1": "",
  2293. "Header2": "",
  2294. "PipeName": "",
  2295. "DNS Idle": "J}\\xC4q",
  2296. "DNS Sleep": "0",
  2297. "Method1": "GET",
  2298. "Method2": "POST",
  2299. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2300. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2301. "Proxy_AccessType": "2 (Use IE settings)"
  2302. }
  2303. },
  2304. "139.155.242.130": {
  2305. "x86": {
  2306. "BeaconType": "8 (HTTPS)",
  2307. "Port": "443",
  2308. "Polling": "60000",
  2309. "Jitter": "0",
  2310. "Maxdns": "255",
  2311. "C2 Server": "139.155.242.130,/load",
  2312. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)",
  2313. "HTTP Method Path 2": "/submit.php",
  2314. "Header1": "",
  2315. "Header2": "",
  2316. "PipeName": "",
  2317. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2318. "DNS Sleep": "0",
  2319. "Method1": "GET",
  2320. "Method2": "POST",
  2321. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2322. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2323. "Proxy_AccessType": "2 (Use IE settings)"
  2324. }
  2325. },
  2326. "139.162.197.65": {
  2327. "x86": {
  2328. "BeaconType": "8 (HTTPS)",
  2329. "Port": "443",
  2330. "Polling": "56943",
  2331. "Jitter": "39",
  2332. "C2 Server": "139.162.197.65,/styles",
  2333. "HTTP Method Path 2": "/RELEASE_NOTES",
  2334. "Method1": "GET",
  2335. "Method2": "POST",
  2336. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  2337. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  2338. "Proxy_AccessType": "2 (Use IE settings)"
  2339. }
  2340. },
  2341. "139.180.212.244": {
  2342. "x86": {
  2343. "BeaconType": "8 (HTTPS)",
  2344. "Port": "443",
  2345. "Polling": "60000",
  2346. "Jitter": "0",
  2347. "Maxdns": "255",
  2348. "C2 Server": "139.180.212.244,/pixel",
  2349. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)",
  2350. "HTTP Method Path 2": "/submit.php",
  2351. "Header1": "",
  2352. "Header2": "",
  2353. "PipeName": "",
  2354. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2355. "DNS Sleep": "0",
  2356. "Method1": "GET",
  2357. "Method2": "POST",
  2358. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2359. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2360. "Proxy_AccessType": "2 (Use IE settings)"
  2361. }
  2362. },
  2363. "139.186.146.78": {
  2364. "x86": {
  2365. "BeaconType": "8 (HTTPS)",
  2366. "Port": "443",
  2367. "Polling": "10000",
  2368. "Jitter": "0",
  2369. "Maxdns": "255",
  2370. "C2 Server": "139.186.146.78,/geo/collect/v1,hw.x0x.in,/geo/collect/v1",
  2371. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0;) like Gecko",
  2372. "HTTP Method Path 2": "/collect/v1",
  2373. "Header1": "",
  2374. "Header2": "",
  2375. "PipeName": "",
  2376. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2377. "DNS Sleep": "0",
  2378. "Method1": "GET",
  2379. "Method2": "POST",
  2380. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2381. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2382. "Proxy_AccessType": "2 (Use IE settings)"
  2383. }
  2384. },
  2385. "139.196.171.222": {
  2386. "x86": {
  2387. "BeaconType": "8 (HTTPS)",
  2388. "Port": "443",
  2389. "Polling": "5500",
  2390. "Jitter": "30",
  2391. "Maxdns": "240",
  2392. "C2 Server": "v.autohome.com.cn,/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d",
  2393. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177",
  2394. "HTTP Method Path 2": "/person/ithelp/bug/list",
  2395. "Header1": "",
  2396. "Header2": "",
  2397. "PipeName": "",
  2398. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2399. "DNS Sleep": "0",
  2400. "Method1": "GET",
  2401. "Method2": "POST",
  2402. "Spawnto_x86": "%windir%\\syswow64\\w32tm.exe",
  2403. "Spawnto_x64": "%windir%\\sysnative\\w32tm.exe",
  2404. "Proxy_Hostname": "http://10.37.84.125:8080",
  2405. "Proxy_Username": "paicdom\\lihongmei826",
  2406. "Proxy_Password": "Pa888888",
  2407. "Proxy_AccessType": "4 (Use proxy server)"
  2408. }
  2409. },
  2410. "139.196.224.35": {
  2411. "x86": {
  2412. "BeaconType": "8 (HTTPS)",
  2413. "Port": "443",
  2414. "Polling": "60000",
  2415. "Jitter": "0",
  2416. "Maxdns": "255",
  2417. "C2 Server": "58.215.145.112,/activity",
  2418. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  2419. "HTTP Method Path 2": "/submit.php",
  2420. "Header1": "",
  2421. "Header2": "",
  2422. "PipeName": "",
  2423. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2424. "DNS Sleep": "0",
  2425. "Method1": "GET",
  2426. "Method2": "POST",
  2427. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2428. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2429. "Proxy_AccessType": "2 (Use IE settings)"
  2430. }
  2431. },
  2432. "139.199.185.41": {
  2433. "x64": {
  2434. "BeaconType": "8 (HTTPS)",
  2435. "Port": "443",
  2436. "Polling": "5000",
  2437. "Jitter": "10",
  2438. "Maxdns": "235",
  2439. "C2 Server": "139.199.185.41,/updates",
  2440. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2441. "HTTP Method Path 2": "/windowsxp/updcheck.php",
  2442. "Header1": "",
  2443. "Header2": "",
  2444. "PipeName": "",
  2445. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2446. "DNS Sleep": "0",
  2447. "Method1": "GET",
  2448. "Method2": "POST",
  2449. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2450. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2451. "Proxy_AccessType": "2 (Use IE settings)"
  2452. }
  2453. },
  2454. "139.224.105.96": {
  2455. "x86": {
  2456. "BeaconType": "8 (HTTPS)",
  2457. "Port": "443",
  2458. "Polling": "62236",
  2459. "Jitter": "39",
  2460. "Maxdns": "252",
  2461. "C2 Server": "theones.me,/template.js",
  2462. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  2463. "HTTP Method Path 2": "/nv",
  2464. "Header1": "",
  2465. "Header2": "",
  2466. "PipeName": "",
  2467. "DNS Idle": "G\\xEB\\x88\\x8E",
  2468. "DNS Sleep": "0",
  2469. "Method1": "GET",
  2470. "Method2": "POST",
  2471. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  2472. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  2473. "Proxy_AccessType": "2 (Use IE settings)"
  2474. }
  2475. },
  2476. "139.59.230.84": {
  2477. "x86": {
  2478. "BeaconType": "8 (HTTPS)",
  2479. "Port": "443",
  2480. "Polling": "60000",
  2481. "Jitter": "0",
  2482. "Maxdns": "255",
  2483. "C2 Server": "139.59.230.84,/push",
  2484. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES)",
  2485. "HTTP Method Path 2": "/submit.php",
  2486. "Header1": "",
  2487. "Header2": "",
  2488. "PipeName": "",
  2489. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2490. "DNS Sleep": "0",
  2491. "Method1": "GET",
  2492. "Method2": "POST",
  2493. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2494. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2495. "Proxy_AccessType": "2 (Use IE settings)"
  2496. }
  2497. },
  2498. "139.59.73.112": {
  2499. "x86": {
  2500. "BeaconType": "8 (HTTPS)",
  2501. "Port": "443",
  2502. "Polling": "45000",
  2503. "Jitter": "37",
  2504. "Maxdns": "255",
  2505. "C2 Server": "139.59.73.112,/jquery-3.3.1.min.js",
  2506. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2507. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2508. "Header1": "",
  2509. "Header2": "",
  2510. "PipeName": "",
  2511. "DNS Idle": "J}\\xC4q",
  2512. "DNS Sleep": "0",
  2513. "Method1": "GET",
  2514. "Method2": "POST",
  2515. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2516. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2517. "Proxy_AccessType": "1 (Use direct connection)"
  2518. }
  2519. },
  2520. "139.60.161.215": {
  2521. "x86": {
  2522. "BeaconType": "8 (HTTPS)",
  2523. "Port": "443",
  2524. "Polling": "600000",
  2525. "Jitter": "28",
  2526. "Maxdns": "245",
  2527. "C2 Server": "139.60.161.215,/jquery-3.3.1.min.js",
  2528. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.3",
  2529. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2530. "Header1": "",
  2531. "Header2": "",
  2532. "PipeName": "",
  2533. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2534. "DNS Sleep": "0",
  2535. "Method1": "GET",
  2536. "Method2": "POST",
  2537. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2538. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2539. "Proxy_AccessType": "2 (Use IE settings)"
  2540. },
  2541. "x64": {
  2542. "BeaconType": "8 (HTTPS)",
  2543. "Port": "443",
  2544. "Polling": "600000",
  2545. "Jitter": "28",
  2546. "Maxdns": "245",
  2547. "C2 Server": "139.60.161.215,/jquery-3.3.1.min.js",
  2548. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.3",
  2549. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  2550. "Header1": "",
  2551. "Header2": "",
  2552. "PipeName": "",
  2553. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2554. "DNS Sleep": "0",
  2555. "Method1": "GET",
  2556. "Method2": "POST",
  2557. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  2558. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  2559. "Proxy_AccessType": "2 (Use IE settings)"
  2560. }
  2561. },
  2562. "139.60.162.19": {
  2563. "x86": {
  2564. "BeaconType": "8 (HTTPS)",
  2565. "Port": "443",
  2566. "Polling": "60000",
  2567. "Jitter": "0",
  2568. "Maxdns": "255",
  2569. "C2 Server": "139.60.162.19,/g.pixel",
  2570. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  2571. "HTTP Method Path 2": "/submit.php",
  2572. "Header1": "",
  2573. "Header2": "",
  2574. "PipeName": "",
  2575. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2576. "DNS Sleep": "0",
  2577. "Method1": "GET",
  2578. "Method2": "POST",
  2579. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2580. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2581. "Proxy_AccessType": "2 (Use IE settings)"
  2582. }
  2583. },
  2584. "139.9.244.218": {
  2585. "x86": {
  2586. "BeaconType": "8 (HTTPS)",
  2587. "Port": "443",
  2588. "Polling": "10000",
  2589. "Jitter": "0",
  2590. "Maxdns": "255",
  2591. "C2 Server": "img.alicdn.com,/contentsvc/microsofticon,at.alicdn.com,/contentsvc/microsofticon,ald.taobao.com,/contentsvc/microsofticon,www.aliyunbaike.com,/contentsvc/microsofticon",
  2592. "User Agent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.12527; Pro)",
  2593. "HTTP Method Path 2": "/NlEditor/CloudSuggest/V1",
  2594. "Header1": "",
  2595. "Header2": "",
  2596. "PipeName": "",
  2597. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2598. "DNS Sleep": "0",
  2599. "Method1": "GET",
  2600. "Method2": "POST",
  2601. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2602. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2603. "Proxy_AccessType": "2 (Use IE settings)"
  2604. }
  2605. },
  2606. "141.164.35.117": {
  2607. "x86": {
  2608. "BeaconType": "8 (HTTPS)",
  2609. "Port": "443",
  2610. "Polling": "5000",
  2611. "Jitter": "0",
  2612. "Maxdns": "255",
  2613. "C2 Server": "coivo2xo.livehost.live,/access/",
  2614. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2615. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  2616. "Header1": "",
  2617. "Header2": "",
  2618. "PipeName": "",
  2619. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2620. "DNS Sleep": "0",
  2621. "Method1": "GET",
  2622. "Method2": "POST",
  2623. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2624. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2625. "Proxy_AccessType": "2 (Use IE settings)"
  2626. },
  2627. "x64": {
  2628. "BeaconType": "8 (HTTPS)",
  2629. "Port": "443",
  2630. "Polling": "5000",
  2631. "Jitter": "0",
  2632. "Maxdns": "255",
  2633. "C2 Server": "coivo2xo.livehost.live,/access/",
  2634. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2635. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  2636. "Header1": "",
  2637. "Header2": "",
  2638. "PipeName": "",
  2639. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2640. "DNS Sleep": "0",
  2641. "Method1": "GET",
  2642. "Method2": "POST",
  2643. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2644. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2645. "Proxy_AccessType": "2 (Use IE settings)"
  2646. }
  2647. },
  2648. "142.202.205.57": {
  2649. "x86": {
  2650. "BeaconType": "8 (HTTPS)",
  2651. "Port": "443",
  2652. "Polling": "60000",
  2653. "Jitter": "0",
  2654. "Maxdns": "255",
  2655. "C2 Server": "142.202.205.57,/updates.rss",
  2656. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MALC)",
  2657. "HTTP Method Path 2": "/submit.php",
  2658. "Header1": "",
  2659. "Header2": "",
  2660. "PipeName": "",
  2661. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2662. "DNS Sleep": "0",
  2663. "Method1": "GET",
  2664. "Method2": "POST",
  2665. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2666. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2667. "Proxy_AccessType": "2 (Use IE settings)"
  2668. }
  2669. },
  2670. "142.202.205.88": {
  2671. "x86": {
  2672. "BeaconType": "8 (HTTPS)",
  2673. "Port": "443",
  2674. "Polling": "60000",
  2675. "Jitter": "0",
  2676. "Maxdns": "255",
  2677. "C2 Server": "142.202.205.88,/dot.gif",
  2678. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MAGWJS)",
  2679. "HTTP Method Path 2": "/submit.php",
  2680. "Header1": "",
  2681. "Header2": "",
  2682. "PipeName": "",
  2683. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2684. "DNS Sleep": "0",
  2685. "Method1": "GET",
  2686. "Method2": "POST",
  2687. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2688. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2689. "Proxy_AccessType": "2 (Use IE settings)"
  2690. },
  2691. "x64": {
  2692. "BeaconType": "8 (HTTPS)",
  2693. "Port": "443",
  2694. "Polling": "60000",
  2695. "Jitter": "0",
  2696. "Maxdns": "255",
  2697. "C2 Server": "142.202.205.88,/ptj",
  2698. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  2699. "HTTP Method Path 2": "/submit.php",
  2700. "Header1": "",
  2701. "Header2": "",
  2702. "PipeName": "",
  2703. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2704. "DNS Sleep": "0",
  2705. "Method1": "GET",
  2706. "Method2": "POST",
  2707. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2708. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2709. "Proxy_AccessType": "2 (Use IE settings)"
  2710. }
  2711. },
  2712. "142.54.188.26": {
  2713. "x64": {
  2714. "BeaconType": "8 (HTTPS)",
  2715. "Port": "443",
  2716. "Polling": "5000",
  2717. "Jitter": "0",
  2718. "Maxdns": "255",
  2719. "C2 Server": "agturnfa.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  2720. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  2721. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  2722. "Header1": "",
  2723. "Header2": "",
  2724. "PipeName": "",
  2725. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2726. "DNS Sleep": "0",
  2727. "Method1": "GET",
  2728. "Method2": "POST",
  2729. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  2730. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  2731. "Proxy_AccessType": "2 (Use IE settings)"
  2732. }
  2733. },
  2734. "142.93.152.156": {
  2735. "x86": {
  2736. "BeaconType": "8 (HTTPS)",
  2737. "Port": "443",
  2738. "Polling": "60000",
  2739. "Jitter": "70",
  2740. "C2 Server": "onrnicrosoft.com,/thisisnotevil.gif",
  2741. "HTTP Method Path 2": "/send",
  2742. "Method1": "GET",
  2743. "Method2": "POST",
  2744. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  2745. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  2746. "Proxy_AccessType": "2 (Use IE settings)"
  2747. },
  2748. "x64": {
  2749. "BeaconType": "8 (HTTPS)",
  2750. "Port": "443",
  2751. "Polling": "60000",
  2752. "Jitter": "70",
  2753. "C2 Server": "onrnicrosoft.com,/thisisnotevil.gif",
  2754. "HTTP Method Path 2": "/send",
  2755. "Method1": "GET",
  2756. "Method2": "POST",
  2757. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  2758. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  2759. "Proxy_AccessType": "2 (Use IE settings)"
  2760. }
  2761. },
  2762. "142.93.187.11": {
  2763. "x86": {
  2764. "BeaconType": "8 (HTTPS)",
  2765. "Port": "443",
  2766. "Polling": "12000",
  2767. "Jitter": "35",
  2768. "C2 Server": "142.93.187.11,/u/vercheck,training42.microsoft-essentials.com,/u/vercheck",
  2769. "HTTP Method Path 2": "/u/version_status",
  2770. "Method1": "GET",
  2771. "Method2": "POST",
  2772. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  2773. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  2774. "Proxy_AccessType": "2 (Use IE settings)"
  2775. }
  2776. },
  2777. "142.93.98.6": {
  2778. "x86": {
  2779. "BeaconType": "8 (HTTPS)",
  2780. "Port": "443",
  2781. "Polling": "60000",
  2782. "Jitter": "0",
  2783. "Maxdns": "255",
  2784. "C2 Server": "360live.digital,/pixel",
  2785. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)",
  2786. "HTTP Method Path 2": "/submit.php",
  2787. "Header1": "",
  2788. "Header2": "",
  2789. "PipeName": "",
  2790. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2791. "DNS Sleep": "0",
  2792. "Method1": "GET",
  2793. "Method2": "POST",
  2794. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2795. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2796. "Proxy_AccessType": "2 (Use IE settings)"
  2797. }
  2798. },
  2799. "144.202.112.14": {
  2800. "x64": {
  2801. "BeaconType": "8 (HTTPS)",
  2802. "Port": "443",
  2803. "Polling": "5000",
  2804. "Jitter": "0",
  2805. "Maxdns": "245",
  2806. "C2 Server": "z.ziper.xyz,/image/",
  2807. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) Chrome/85.0.4183.102 Safari/537.36",
  2808. "HTTP Method Path 2": "/history/",
  2809. "Header1": "",
  2810. "Header2": "",
  2811. "PipeName": "",
  2812. "DNS Idle": "\\x08\\x08\\x08\\x08",
  2813. "DNS Sleep": "0",
  2814. "Method1": "GET",
  2815. "Method2": "POST",
  2816. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2817. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2818. "Proxy_AccessType": "2 (Use IE settings)"
  2819. }
  2820. },
  2821. "144.217.207.21": {
  2822. "x64": {
  2823. "BeaconType": "8 (HTTPS)",
  2824. "Port": "443",
  2825. "Polling": "60000",
  2826. "Jitter": "0",
  2827. "Maxdns": "255",
  2828. "C2 Server": "52.188.209.63,/visit.js",
  2829. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)",
  2830. "HTTP Method Path 2": "/submit.php",
  2831. "Header1": "",
  2832. "Header2": "",
  2833. "PipeName": "",
  2834. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2835. "DNS Sleep": "0",
  2836. "Method1": "GET",
  2837. "Method2": "POST",
  2838. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2839. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2840. "Proxy_AccessType": "2 (Use IE settings)"
  2841. }
  2842. },
  2843. "145.249.107.130": {
  2844. "x86": {
  2845. "BeaconType": "8 (HTTPS)",
  2846. "Port": "443",
  2847. "Polling": "60000",
  2848. "Jitter": "0",
  2849. "Maxdns": "255",
  2850. "C2 Server": "145.249.107.130,/fwlink",
  2851. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)",
  2852. "HTTP Method Path 2": "/submit.php",
  2853. "Header1": "",
  2854. "Header2": "",
  2855. "PipeName": "",
  2856. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2857. "DNS Sleep": "0",
  2858. "Method1": "GET",
  2859. "Method2": "POST",
  2860. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2861. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2862. "Proxy_AccessType": "2 (Use IE settings)"
  2863. },
  2864. "x64": {
  2865. "BeaconType": "8 (HTTPS)",
  2866. "Port": "443",
  2867. "Polling": "60000",
  2868. "Jitter": "0",
  2869. "Maxdns": "255",
  2870. "C2 Server": "145.249.107.130,/pixel",
  2871. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)",
  2872. "HTTP Method Path 2": "/submit.php",
  2873. "Header1": "",
  2874. "Header2": "",
  2875. "PipeName": "",
  2876. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2877. "DNS Sleep": "0",
  2878. "Method1": "GET",
  2879. "Method2": "POST",
  2880. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2881. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2882. "Proxy_AccessType": "2 (Use IE settings)"
  2883. }
  2884. },
  2885. "146.56.208.33": {
  2886. "x86": {
  2887. "BeaconType": "8 (HTTPS)",
  2888. "Port": "443",
  2889. "Polling": "60000",
  2890. "Jitter": "0",
  2891. "Maxdns": "255",
  2892. "C2 Server": "146.56.208.33,/visit.js",
  2893. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  2894. "HTTP Method Path 2": "/submit.php",
  2895. "Header1": "",
  2896. "Header2": "",
  2897. "PipeName": "",
  2898. "DNS Idle": "\\x00\\x00\\x00\\x00",
  2899. "DNS Sleep": "0",
  2900. "Method1": "GET",
  2901. "Method2": "POST",
  2902. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2903. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2904. "Proxy_AccessType": "2 (Use IE settings)"
  2905. }
  2906. },
  2907. "146.6.15.12": {
  2908. "x64": {
  2909. "BeaconType": "8 (HTTPS)",
  2910. "Port": "443",
  2911. "Polling": "60000",
  2912. "Jitter": "0",
  2913. "C2 Server": "146.6.15.12,/g.pixel",
  2914. "HTTP Method Path 2": "/submit.php",
  2915. "Method1": "GET",
  2916. "Method2": "POST",
  2917. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2918. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2919. "Proxy_AccessType": "2 (Use IE settings)"
  2920. }
  2921. },
  2922. "149.129.53.162": {
  2923. "x86": {
  2924. "BeaconType": "8 (HTTPS)",
  2925. "Port": "443",
  2926. "Polling": "5000",
  2927. "Jitter": "10",
  2928. "Maxdns": "235",
  2929. "C2 Server": "sit.watchdog3.com,/updates",
  2930. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2931. "HTTP Method Path 2": "/aircanada/dark.php",
  2932. "Header1": "",
  2933. "Header2": "",
  2934. "PipeName": "",
  2935. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2936. "DNS Sleep": "0",
  2937. "Method1": "GET",
  2938. "Method2": "POST",
  2939. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2940. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2941. "Proxy_AccessType": "2 (Use IE settings)"
  2942. },
  2943. "x64": {
  2944. "BeaconType": "8 (HTTPS)",
  2945. "Port": "443",
  2946. "Polling": "5000",
  2947. "Jitter": "10",
  2948. "Maxdns": "235",
  2949. "C2 Server": "sit.watchdog3.com,/updates",
  2950. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  2951. "HTTP Method Path 2": "/aircanada/dark.php",
  2952. "Header1": "",
  2953. "Header2": "",
  2954. "PipeName": "",
  2955. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2956. "DNS Sleep": "0",
  2957. "Method1": "GET",
  2958. "Method2": "POST",
  2959. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2960. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2961. "Proxy_AccessType": "2 (Use IE settings)"
  2962. }
  2963. },
  2964. "149.28.20.245": {
  2965. "x86": {
  2966. "BeaconType": "8 (HTTPS)",
  2967. "Port": "443",
  2968. "Polling": "60000",
  2969. "Jitter": "20",
  2970. "Maxdns": "235",
  2971. "C2 Server": "149.28.20.245,/search/",
  2972. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  2973. "HTTP Method Path 2": "/Search/",
  2974. "Header1": "",
  2975. "Header2": "",
  2976. "PipeName": "",
  2977. "DNS Idle": "\\x08\\x08\\x04\\x04",
  2978. "DNS Sleep": "0",
  2979. "Method1": "GET",
  2980. "Method2": "GET",
  2981. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  2982. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  2983. "Proxy_AccessType": "1 (Use direct connection)"
  2984. }
  2985. },
  2986. "149.28.95.180": {
  2987. "x86": {
  2988. "BeaconType": "8 (HTTPS)",
  2989. "Port": "443",
  2990. "Polling": "60000",
  2991. "Jitter": "0",
  2992. "Maxdns": "255",
  2993. "C2 Server": "149.28.95.180,/en_US/all.js",
  2994. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
  2995. "HTTP Method Path 2": "/submit.php",
  2996. "Header1": "",
  2997. "Header2": "",
  2998. "PipeName": "",
  2999. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3000. "DNS Sleep": "0",
  3001. "Method1": "GET",
  3002. "Method2": "POST",
  3003. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3004. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3005. "Proxy_AccessType": "2 (Use IE settings)"
  3006. }
  3007. },
  3008. "149.6.167.60": {
  3009. "x86": {
  3010. "BeaconType": "8 (HTTPS)",
  3011. "Port": "443",
  3012. "Polling": "5000",
  3013. "Jitter": "37",
  3014. "C2 Server": "CLIENT.ELISEA-MUTUELLE.fr,/jquery-3.3.1.min.js",
  3015. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3016. "Method1": "GET",
  3017. "Method2": "POST",
  3018. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 223",
  3019. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 223",
  3020. "Proxy_AccessType": "2 (Use IE settings)"
  3021. },
  3022. "x64": {
  3023. "BeaconType": "8 (HTTPS)",
  3024. "Port": "443",
  3025. "Polling": "5000",
  3026. "Jitter": "37",
  3027. "C2 Server": "CLIENT.ELISEA-MUTUELLE.fr,/jquery-3.3.1.min.js",
  3028. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3029. "Method1": "GET",
  3030. "Method2": "POST",
  3031. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 223",
  3032. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 223",
  3033. "Proxy_AccessType": "2 (Use IE settings)"
  3034. }
  3035. },
  3036. "15.188.88.72": {
  3037. "x86": {
  3038. "BeaconType": "8 (HTTPS)",
  3039. "Port": "443",
  3040. "Polling": "600000",
  3041. "Jitter": "50",
  3042. "Maxdns": "235",
  3043. "C2 Server": "tmestoragetest.azureedge.net,/obj_",
  3044. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36",
  3045. "HTTP Method Path 2": "/upload",
  3046. "Header1": "",
  3047. "Header2": "",
  3048. "PipeName": "",
  3049. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3050. "DNS Sleep": "0",
  3051. "Method1": "GET",
  3052. "Method2": "POST",
  3053. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k LocalService",
  3054. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k LocalService",
  3055. "Proxy_AccessType": "2 (Use IE settings)"
  3056. }
  3057. },
  3058. "15.222.241.107": {
  3059. "x86": {
  3060. "BeaconType": "8 (HTTPS)",
  3061. "Port": "443",
  3062. "Polling": "45000",
  3063. "Jitter": "37",
  3064. "C2 Server": "jquery.soundcloudcdn.com,/jquery-3.3.1.min.js",
  3065. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3066. "Method1": "GET",
  3067. "Method2": "POST",
  3068. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3069. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3070. "Proxy_AccessType": "2 (Use IE settings)"
  3071. }
  3072. },
  3073. "153.92.127.203": {
  3074. "x86": {
  3075. "BeaconType": "8 (HTTPS)",
  3076. "Port": "443",
  3077. "Polling": "60000",
  3078. "Jitter": "0",
  3079. "Maxdns": "255",
  3080. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3081. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3082. "HTTP Method Path 2": "/pong",
  3083. "Header1": "",
  3084. "Header2": "",
  3085. "PipeName": "",
  3086. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3087. "DNS Sleep": "0",
  3088. "Method1": "GET",
  3089. "Method2": "POST",
  3090. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3091. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3092. "Proxy_AccessType": "2 (Use IE settings)"
  3093. }
  3094. },
  3095. "153.92.127.208": {
  3096. "x86": {
  3097. "BeaconType": "8 (HTTPS)",
  3098. "Port": "443",
  3099. "Polling": "60000",
  3100. "Jitter": "0",
  3101. "Maxdns": "255",
  3102. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3103. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3104. "HTTP Method Path 2": "/pong",
  3105. "Header1": "",
  3106. "Header2": "",
  3107. "PipeName": "",
  3108. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3109. "DNS Sleep": "0",
  3110. "Method1": "GET",
  3111. "Method2": "POST",
  3112. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3113. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3114. "Proxy_AccessType": "2 (Use IE settings)"
  3115. },
  3116. "x64": {
  3117. "BeaconType": "8 (HTTPS)",
  3118. "Port": "443",
  3119. "Polling": "60000",
  3120. "Jitter": "0",
  3121. "Maxdns": "255",
  3122. "C2 Server": "io.amscloud.xyz,/ping,d2dtgcu8n83vy7.cloudfront.net,/ping,d1iz6lkxr9mblm.cloudfront.net,/ping",
  3123. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3124. "HTTP Method Path 2": "/pong",
  3125. "Header1": "",
  3126. "Header2": "",
  3127. "PipeName": "",
  3128. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3129. "DNS Sleep": "0",
  3130. "Method1": "GET",
  3131. "Method2": "POST",
  3132. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3133. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3134. "Proxy_AccessType": "2 (Use IE settings)"
  3135. }
  3136. },
  3137. "154.86.46.35": {
  3138. "x64": {
  3139. "BeaconType": "8 (HTTPS)",
  3140. "Port": "443",
  3141. "Polling": "60000",
  3142. "Jitter": "0",
  3143. "Maxdns": "255",
  3144. "C2 Server": "154.86.46.35,/IE9CompatViewList.xml",
  3145. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
  3146. "HTTP Method Path 2": "/submit.php",
  3147. "Header1": "",
  3148. "Header2": "",
  3149. "PipeName": "",
  3150. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3151. "DNS Sleep": "0",
  3152. "Method1": "GET",
  3153. "Method2": "POST",
  3154. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3155. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3156. "Proxy_AccessType": "2 (Use IE settings)"
  3157. }
  3158. },
  3159. "155.138.230.65": {
  3160. "x86": {
  3161. "BeaconType": "8 (HTTPS)",
  3162. "Port": "443",
  3163. "Polling": "60000",
  3164. "Jitter": "20",
  3165. "Maxdns": "235",
  3166. "C2 Server": "155.138.230.65,/viewerng/meta",
  3167. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3168. "HTTP Method Path 2": "/viewersng/meta",
  3169. "Header1": "",
  3170. "Header2": "",
  3171. "PipeName": "",
  3172. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3173. "DNS Sleep": "0",
  3174. "Method1": "GET",
  3175. "Method2": "GET",
  3176. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3177. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3178. "Proxy_AccessType": "2 (Use IE settings)"
  3179. }
  3180. },
  3181. "155.138.245.98": {
  3182. "x64": {
  3183. "BeaconType": "8 (HTTPS)",
  3184. "Port": "443",
  3185. "Polling": "60000",
  3186. "Jitter": "0",
  3187. "C2 Server": "155.138.245.98,/pixel.gif",
  3188. "HTTP Method Path 2": "/submit.php",
  3189. "Method1": "GET",
  3190. "Method2": "POST",
  3191. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3192. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3193. "Proxy_AccessType": "2 (Use IE settings)"
  3194. }
  3195. },
  3196. "156.226.191.234": {
  3197. "x86": {
  3198. "BeaconType": "8 (HTTPS)",
  3199. "Port": "443",
  3200. "Polling": "60000",
  3201. "Jitter": "15",
  3202. "Maxdns": "255",
  3203. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3204. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3205. "HTTP Method Path 2": "/mail/u/0/",
  3206. "Header1": "",
  3207. "Header2": "",
  3208. "PipeName": "",
  3209. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3210. "DNS Sleep": "0",
  3211. "Method1": "GET",
  3212. "Method2": "POST",
  3213. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3214. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3215. "Proxy_AccessType": "2 (Use IE settings)"
  3216. },
  3217. "x64": {
  3218. "BeaconType": "8 (HTTPS)",
  3219. "Port": "443",
  3220. "Polling": "60000",
  3221. "Jitter": "15",
  3222. "Maxdns": "255",
  3223. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3224. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  3225. "HTTP Method Path 2": "/mail/u/0/",
  3226. "Header1": "",
  3227. "Header2": "",
  3228. "PipeName": "",
  3229. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3230. "DNS Sleep": "0",
  3231. "Method1": "GET",
  3232. "Method2": "POST",
  3233. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3234. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3235. "Proxy_AccessType": "2 (Use IE settings)"
  3236. }
  3237. },
  3238. "156.226.191.235": {
  3239. "x86": {
  3240. "BeaconType": "8 (HTTPS)",
  3241. "Port": "443",
  3242. "Polling": "60000",
  3243. "Jitter": "15",
  3244. "Maxdns": "255",
  3245. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3246. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3247. "HTTP Method Path 2": "/mail/u/0/",
  3248. "Header1": "",
  3249. "Header2": "",
  3250. "PipeName": "",
  3251. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3252. "DNS Sleep": "0",
  3253. "Method1": "GET",
  3254. "Method2": "POST",
  3255. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3256. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3257. "Proxy_AccessType": "2 (Use IE settings)"
  3258. }
  3259. },
  3260. "156.226.191.236": {
  3261. "x64": {
  3262. "BeaconType": "8 (HTTPS)",
  3263. "Port": "443",
  3264. "Polling": "60000",
  3265. "Jitter": "15",
  3266. "Maxdns": "255",
  3267. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3268. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  3269. "HTTP Method Path 2": "/mail/u/0/",
  3270. "Header1": "",
  3271. "Header2": "",
  3272. "PipeName": "",
  3273. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3274. "DNS Sleep": "0",
  3275. "Method1": "GET",
  3276. "Method2": "POST",
  3277. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3278. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3279. "Proxy_AccessType": "2 (Use IE settings)"
  3280. }
  3281. },
  3282. "156.226.191.237": {
  3283. "x86": {
  3284. "BeaconType": "8 (HTTPS)",
  3285. "Port": "443",
  3286. "Polling": "60000",
  3287. "Jitter": "15",
  3288. "Maxdns": "255",
  3289. "C2 Server": "156.226.191.234,/_/scs/mail-static/_/js/,djiqowenlsakdj.com,/_/scs/mail-static/_/js/",
  3290. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALCJS)",
  3291. "HTTP Method Path 2": "/mail/u/0/",
  3292. "Header1": "",
  3293. "Header2": "",
  3294. "PipeName": "",
  3295. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3296. "DNS Sleep": "0",
  3297. "Method1": "GET",
  3298. "Method2": "POST",
  3299. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  3300. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  3301. "Proxy_AccessType": "2 (Use IE settings)"
  3302. }
  3303. },
  3304. "157.230.184.142": {
  3305. "x86": {
  3306. "BeaconType": "8 (HTTPS)",
  3307. "Port": "443",
  3308. "Polling": "15",
  3309. "Jitter": "20",
  3310. "Maxdns": "235",
  3311. "C2 Server": "157.230.184.142,/5aq/XP/SY75Qyw.htm",
  3312. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )",
  3313. "HTTP Method Path 2": "/RCg/vp6rBcQ.htm",
  3314. "Header1": "",
  3315. "Header2": "",
  3316. "PipeName": "",
  3317. "DNS Idle": "\\x08\\x08\\x08\\x08",
  3318. "DNS Sleep": "0",
  3319. "Method1": "GET",
  3320. "Method2": "GET",
  3321. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3322. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3323. "Proxy_AccessType": "2 (Use IE settings)"
  3324. }
  3325. },
  3326. "157.230.239.44": {
  3327. "x86": {
  3328. "BeaconType": "8 (HTTPS)",
  3329. "Port": "443",
  3330. "Polling": "63931",
  3331. "Jitter": "41",
  3332. "C2 Server": "157.230.239.44,/faq",
  3333. "HTTP Method Path 2": "/lt",
  3334. "Method1": "GET",
  3335. "Method2": "POST",
  3336. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  3337. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  3338. "Proxy_AccessType": "2 (Use IE settings)"
  3339. }
  3340. },
  3341. "157.230.81.209": {
  3342. "x86": {
  3343. "BeaconType": "8 (HTTPS)",
  3344. "Port": "443",
  3345. "Polling": "15000",
  3346. "Jitter": "90",
  3347. "Maxdns": "225",
  3348. "C2 Server": "software-download.office.microsoft.com,/updates",
  3349. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3350. "HTTP Method Path 2": "/notification",
  3351. "Header1": "",
  3352. "Header2": "",
  3353. "PipeName": "",
  3354. "DNS Idle": "h\\xD8<\\x84",
  3355. "DNS Sleep": "0",
  3356. "Method1": "GET",
  3357. "Method2": "POST",
  3358. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3359. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3360. "Proxy_AccessType": "2 (Use IE settings)"
  3361. },
  3362. "x64": {
  3363. "BeaconType": "8 (HTTPS)",
  3364. "Port": "443",
  3365. "Polling": "15000",
  3366. "Jitter": "90",
  3367. "Maxdns": "225",
  3368. "C2 Server": "software-download.office.microsoft.com,/updates",
  3369. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3370. "HTTP Method Path 2": "/notification",
  3371. "Header1": "",
  3372. "Header2": "",
  3373. "PipeName": "",
  3374. "DNS Idle": "h\\xD8<\\x84",
  3375. "DNS Sleep": "0",
  3376. "Method1": "GET",
  3377. "Method2": "POST",
  3378. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3379. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3380. "Proxy_AccessType": "2 (Use IE settings)"
  3381. }
  3382. },
  3383. "159.65.115.160": {
  3384. "x86": {
  3385. "BeaconType": "8 (HTTPS)",
  3386. "Port": "443",
  3387. "Polling": "1500",
  3388. "Jitter": "0",
  3389. "Maxdns": "255",
  3390. "C2 Server": "159.65.115.160,/ocsp/a/",
  3391. "User Agent": "Microsoft-CryptoAPI/6.1",
  3392. "HTTP Method Path 2": "/ocsp/b/",
  3393. "Header1": "",
  3394. "Header2": "",
  3395. "PipeName": "",
  3396. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  3397. "DNS Sleep": "0",
  3398. "Method1": "GET",
  3399. "Method2": "POST",
  3400. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3401. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3402. "Proxy_AccessType": "2 (Use IE settings)"
  3403. },
  3404. "x64": {
  3405. "BeaconType": "8 (HTTPS)",
  3406. "Port": "443",
  3407. "Polling": "1500",
  3408. "Jitter": "0",
  3409. "Maxdns": "255",
  3410. "C2 Server": "159.65.115.160,/ocsp/a/",
  3411. "User Agent": "Microsoft-CryptoAPI/6.1",
  3412. "HTTP Method Path 2": "/ocsp/b/",
  3413. "Header1": "",
  3414. "Header2": "",
  3415. "PipeName": "",
  3416. "DNS Idle": "\\xAC\\xD9\\x10\\x8E",
  3417. "DNS Sleep": "0",
  3418. "Method1": "GET",
  3419. "Method2": "POST",
  3420. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3421. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3422. "Proxy_AccessType": "2 (Use IE settings)"
  3423. }
  3424. },
  3425. "159.65.96.79": {
  3426. "x64": {
  3427. "BeaconType": "8 (HTTPS)",
  3428. "Port": "443",
  3429. "Polling": "61924",
  3430. "Jitter": "43",
  3431. "C2 Server": "cleerhr.com,/html.js",
  3432. "HTTP Method Path 2": "/sq",
  3433. "Method1": "GET",
  3434. "Method2": "POST",
  3435. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  3436. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  3437. "Proxy_AccessType": "2 (Use IE settings)"
  3438. }
  3439. },
  3440. "159.89.109.225": {
  3441. "x64": {
  3442. "BeaconType": "8 (HTTPS)",
  3443. "Port": "443",
  3444. "Polling": "15000",
  3445. "Jitter": "23",
  3446. "Maxdns": "255",
  3447. "C2 Server": "159.89.109.225,/sxn/start,104.248.245.41,/sxn/start",
  3448. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  3449. "HTTP Method Path 2": "/dd/met7",
  3450. "Header1": "",
  3451. "Header2": "",
  3452. "PipeName": "",
  3453. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3454. "DNS Sleep": "0",
  3455. "Method1": "GET",
  3456. "Method2": "POST",
  3457. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3458. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3459. "Proxy_AccessType": "2 (Use IE settings)"
  3460. }
  3461. },
  3462. "159.89.131.233": {
  3463. "x86": {
  3464. "BeaconType": "8 (HTTPS)",
  3465. "Port": "443",
  3466. "Polling": "45102",
  3467. "Jitter": "29",
  3468. "C2 Server": "milbank.azurewebsites.net,/azure/api",
  3469. "HTTP Method Path 2": "/azure/us",
  3470. "Method1": "GET",
  3471. "Method2": "POST",
  3472. "Spawnto_x86": "%windir%\\syswow64\\typeperf.exe",
  3473. "Spawnto_x64": "%windir%\\sysnative\\typeperf.exe",
  3474. "Proxy_AccessType": "2 (Use IE settings)"
  3475. }
  3476. },
  3477. "159.89.13.234": {
  3478. "x86": {
  3479. "BeaconType": "8 (HTTPS)",
  3480. "Port": "443",
  3481. "Polling": "15000",
  3482. "Jitter": "90",
  3483. "Maxdns": "225",
  3484. "C2 Server": "yelp.com,/wp-includes/js/script/indigo-migrate",
  3485. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  3486. "HTTP Method Path 2": "/api2/json/check/ticket",
  3487. "Header1": "",
  3488. "Header2": "",
  3489. "PipeName": "",
  3490. "DNS Idle": "h\\xD8<\\x84",
  3491. "DNS Sleep": "0",
  3492. "Method1": "GET",
  3493. "Method2": "POST",
  3494. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3495. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3496. "Proxy_AccessType": "2 (Use IE settings)"
  3497. }
  3498. },
  3499. "161.35.218.255": {
  3500. "x86": {
  3501. "BeaconType": "8 (HTTPS)",
  3502. "Port": "443",
  3503. "Polling": "60000",
  3504. "Jitter": "0",
  3505. "C2 Server": "161.35.218.255,/g.pixel",
  3506. "HTTP Method Path 2": "/submit.php",
  3507. "Method1": "GET",
  3508. "Method2": "POST",
  3509. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3510. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3511. "Proxy_AccessType": "2 (Use IE settings)"
  3512. },
  3513. "x64": {
  3514. "BeaconType": "8 (HTTPS)",
  3515. "Port": "443",
  3516. "Polling": "60000",
  3517. "Jitter": "0",
  3518. "C2 Server": "161.35.218.255,/dot.gif",
  3519. "HTTP Method Path 2": "/submit.php",
  3520. "Method1": "GET",
  3521. "Method2": "POST",
  3522. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3523. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3524. "Proxy_AccessType": "2 (Use IE settings)"
  3525. }
  3526. },
  3527. "161.35.38.97": {
  3528. "x64": {
  3529. "BeaconType": "8 (HTTPS)",
  3530. "Port": "443",
  3531. "Polling": "90000",
  3532. "Jitter": "15",
  3533. "Maxdns": "212",
  3534. "C2 Server": "jscript-cdn.azureedge.net,/npm/fullpage.js@2.9.4/dist/jquery.fullpage.min.css",
  3535. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.3396.99 Safari/537.36",
  3536. "HTTP Method Path 2": "/sites/p/b93/googleanalytics/track",
  3537. "Header1": "",
  3538. "Header2": "",
  3539. "PipeName": "",
  3540. "DNS Idle": "h\\x10U\\x14",
  3541. "DNS Sleep": "0",
  3542. "Method1": "GET",
  3543. "Method2": "POST",
  3544. "Spawnto_x86": "%windir%\\syswow64\\gpresult.exe",
  3545. "Spawnto_x64": "%windir%\\sysnative\\gpresult.exe",
  3546. "Proxy_AccessType": "2 (Use IE settings)"
  3547. }
  3548. },
  3549. "161.35.51.98": {
  3550. "x86": {
  3551. "BeaconType": "8 (HTTPS)",
  3552. "Port": "443",
  3553. "Polling": "53",
  3554. "Jitter": "40",
  3555. "Maxdns": "255",
  3556. "C2 Server": "mscrl.microsoft.com,/feed/Video/c/dynamic/,ajax.microsoft.com,/feed/Video/c/dynamic/",
  3557. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
  3558. "HTTP Method Path 2": "/main/urgent/w/06/",
  3559. "Header1": "",
  3560. "Header2": "",
  3561. "PipeName": "",
  3562. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3563. "DNS Sleep": "0",
  3564. "Method1": "GET",
  3565. "Method2": "POST",
  3566. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  3567. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  3568. "Proxy_AccessType": "2 (Use IE settings)"
  3569. }
  3570. },
  3571. "161.35.6.3": {
  3572. "x64": {
  3573. "BeaconType": "8 (HTTPS)",
  3574. "Port": "443",
  3575. "Polling": "60000",
  3576. "Jitter": "0",
  3577. "C2 Server": "161.35.6.3,/updates.rss",
  3578. "HTTP Method Path 2": "/submit.php",
  3579. "Method1": "GET",
  3580. "Method2": "POST",
  3581. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3582. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3583. "Proxy_AccessType": "2 (Use IE settings)"
  3584. }
  3585. },
  3586. "161.35.76.1": {
  3587. "x64": {
  3588. "BeaconType": "8 (HTTPS)",
  3589. "Port": "443",
  3590. "Polling": "1000",
  3591. "Jitter": "37",
  3592. "Maxdns": "255",
  3593. "C2 Server": "161.35.76.1,/jquery-3.3.1.min.js",
  3594. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  3595. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3596. "Header1": "",
  3597. "Header2": "",
  3598. "PipeName": "",
  3599. "DNS Idle": "J}\\xC4q",
  3600. "DNS Sleep": "0",
  3601. "Method1": "GET",
  3602. "Method2": "POST",
  3603. "Spawnto_x86": "%windir%\\syswow64\\cmd.exe -k updatehelp",
  3604. "Spawnto_x64": "%windir%\\sysnative\\cmd.exe -k updatehelp",
  3605. "Proxy_AccessType": "2 (Use IE settings)"
  3606. }
  3607. },
  3608. "161.35.81.119": {
  3609. "x86": {
  3610. "BeaconType": "8 (HTTPS)",
  3611. "Port": "443",
  3612. "Polling": "15000",
  3613. "Jitter": "90",
  3614. "Maxdns": "225",
  3615. "C2 Server": "bbc.com,/en-us/p/onerf/MeSilentPassport",
  3616. "User Agent": "Microsoft BITS/7.8",
  3617. "HTTP Method Path 2": "/1.5/95648064/storage/tabs",
  3618. "Header1": "",
  3619. "Header2": "",
  3620. "PipeName": "",
  3621. "DNS Idle": "\\xBC\\xA6\\x0Ee",
  3622. "DNS Sleep": "0",
  3623. "Method1": "GET",
  3624. "Method2": "POST",
  3625. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3626. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3627. "Proxy_AccessType": "2 (Use IE settings)"
  3628. },
  3629. "x64": {
  3630. "BeaconType": "8 (HTTPS)",
  3631. "Port": "443",
  3632. "Polling": "15000",
  3633. "Jitter": "90",
  3634. "Maxdns": "225",
  3635. "C2 Server": "bbc.com,/en-us/p/book-2/8MCPZJJCC98C",
  3636. "User Agent": "Microsoft BITS/7.8",
  3637. "HTTP Method Path 2": "/v1/stats",
  3638. "Header1": "",
  3639. "Header2": "",
  3640. "PipeName": "",
  3641. "DNS Idle": "\\xBC\\xA6\\x0Ee",
  3642. "DNS Sleep": "0",
  3643. "Method1": "GET",
  3644. "Method2": "POST",
  3645. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3646. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3647. "Proxy_AccessType": "2 (Use IE settings)"
  3648. }
  3649. },
  3650. "161.35.99.14": {
  3651. "x86": {
  3652. "BeaconType": "8 (HTTPS)",
  3653. "Port": "443",
  3654. "Polling": "5000",
  3655. "Jitter": "37",
  3656. "C2 Server": "161.35.99.14,/jquery-3.3.1.min.js",
  3657. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3658. "Method1": "GET",
  3659. "Method2": "POST",
  3660. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3661. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3662. "Proxy_AccessType": "2 (Use IE settings)"
  3663. }
  3664. },
  3665. "162.241.127.180": {
  3666. "x86": {
  3667. "BeaconType": "8 (HTTPS)",
  3668. "Port": "443",
  3669. "Polling": "60000",
  3670. "Jitter": "0",
  3671. "Maxdns": "255",
  3672. "C2 Server": "162.241.127.180,/j.ad",
  3673. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)",
  3674. "HTTP Method Path 2": "/submit.php",
  3675. "Header1": "",
  3676. "Header2": "",
  3677. "PipeName": "",
  3678. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3679. "DNS Sleep": "0",
  3680. "Method1": "GET",
  3681. "Method2": "POST",
  3682. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3683. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3684. "Proxy_AccessType": "2 (Use IE settings)"
  3685. },
  3686. "x64": {
  3687. "BeaconType": "8 (HTTPS)",
  3688. "Port": "443",
  3689. "Polling": "60000",
  3690. "Jitter": "0",
  3691. "Maxdns": "255",
  3692. "C2 Server": "162.241.127.180,/activity",
  3693. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENCA)",
  3694. "HTTP Method Path 2": "/submit.php",
  3695. "Header1": "",
  3696. "Header2": "",
  3697. "PipeName": "",
  3698. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3699. "DNS Sleep": "0",
  3700. "Method1": "GET",
  3701. "Method2": "POST",
  3702. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3703. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3704. "Proxy_AccessType": "2 (Use IE settings)"
  3705. }
  3706. },
  3707. "162.241.65.121": {
  3708. "x86": {
  3709. "BeaconType": "8 (HTTPS)",
  3710. "Port": "443",
  3711. "Polling": "60000",
  3712. "Jitter": "0",
  3713. "Maxdns": "255",
  3714. "C2 Server": "162.241.65.121,/cx",
  3715. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)",
  3716. "HTTP Method Path 2": "/submit.php",
  3717. "Header1": "",
  3718. "Header2": "",
  3719. "PipeName": "",
  3720. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3721. "DNS Sleep": "0",
  3722. "Method1": "GET",
  3723. "Method2": "POST",
  3724. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3725. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3726. "Proxy_AccessType": "2 (Use IE settings)"
  3727. }
  3728. },
  3729. "162.248.210.234": {
  3730. "x64": {
  3731. "BeaconType": "8 (HTTPS)",
  3732. "Port": "443",
  3733. "Polling": "5000",
  3734. "Jitter": "10",
  3735. "Maxdns": "235",
  3736. "C2 Server": "wavetips.com,/us/ky/louisville/312-s-fourth-st.html",
  3737. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  3738. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  3739. "Header1": "",
  3740. "Header2": "",
  3741. "PipeName": "",
  3742. "DNS Idle": "\\x08\\x08\\x08\\x08",
  3743. "DNS Sleep": "0",
  3744. "Method1": "GET",
  3745. "Method2": "POST",
  3746. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  3747. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  3748. "Proxy_AccessType": "2 (Use IE settings)"
  3749. }
  3750. },
  3751. "162.254.204.222": {
  3752. "x86": {
  3753. "BeaconType": "8 (HTTPS)",
  3754. "Port": "443",
  3755. "Polling": "13500",
  3756. "Jitter": "27",
  3757. "Maxdns": "255",
  3758. "C2 Server": "mstronestia.me,/maps/overlaybfpr",
  3759. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
  3760. "HTTP Method Path 2": "/fd/ls/lsp.aspx",
  3761. "Header1": "",
  3762. "Header2": "",
  3763. "PipeName": "",
  3764. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3765. "DNS Sleep": "0",
  3766. "Method1": "GET",
  3767. "Method2": "POST",
  3768. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  3769. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  3770. "Proxy_AccessType": "2 (Use IE settings)"
  3771. }
  3772. },
  3773. "165.22.37.148": {
  3774. "x86": {
  3775. "BeaconType": "8 (HTTPS)",
  3776. "Port": "443",
  3777. "Polling": "12000",
  3778. "Jitter": "35",
  3779. "C2 Server": "update03.microsoft-essentials.com,/u/vercheck,165.22.37.148,/u/vercheck",
  3780. "HTTP Method Path 2": "/u/version_status",
  3781. "Method1": "GET",
  3782. "Method2": "POST",
  3783. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3784. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3785. "Proxy_AccessType": "2 (Use IE settings)"
  3786. }
  3787. },
  3788. "165.227.85.160": {
  3789. "x86": {
  3790. "BeaconType": "8 (HTTPS)",
  3791. "Port": "443",
  3792. "Polling": "60000",
  3793. "Jitter": "0",
  3794. "Maxdns": "255",
  3795. "C2 Server": "165.227.85.160,/__utm.gif",
  3796. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  3797. "HTTP Method Path 2": "/submit.php",
  3798. "Header1": "",
  3799. "Header2": "",
  3800. "PipeName": "",
  3801. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3802. "DNS Sleep": "0",
  3803. "Method1": "GET",
  3804. "Method2": "POST",
  3805. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3806. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3807. "Proxy_AccessType": "2 (Use IE settings)"
  3808. },
  3809. "x64": {
  3810. "BeaconType": "8 (HTTPS)",
  3811. "Port": "443",
  3812. "Polling": "60000",
  3813. "Jitter": "0",
  3814. "Maxdns": "255",
  3815. "C2 Server": "165.227.85.160,/match",
  3816. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  3817. "HTTP Method Path 2": "/submit.php",
  3818. "Header1": "",
  3819. "Header2": "",
  3820. "PipeName": "",
  3821. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3822. "DNS Sleep": "0",
  3823. "Method1": "GET",
  3824. "Method2": "POST",
  3825. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3826. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3827. "Proxy_AccessType": "2 (Use IE settings)"
  3828. }
  3829. },
  3830. "165.22.8.172": {
  3831. "x86": {
  3832. "BeaconType": "8 (HTTPS)",
  3833. "Port": "443",
  3834. "Polling": "48",
  3835. "Jitter": "79",
  3836. "C2 Server": "silicontechgroup.com,/content/latest/i/updateonScroll/",
  3837. "HTTP Method Path 2": "/all/hot/0t/1/",
  3838. "Method1": "GET",
  3839. "Method2": "POST",
  3840. "Spawnto_x86": "%windir%\\syswow64\\werfault.exe",
  3841. "Spawnto_x64": "%windir%\\sysnative\\werfault.exe",
  3842. "Proxy_AccessType": "2 (Use IE settings)"
  3843. }
  3844. },
  3845. "167.172.203.162": {
  3846. "x64": {
  3847. "BeaconType": "8 (HTTPS)",
  3848. "Port": "443",
  3849. "Polling": "15000",
  3850. "Jitter": "90",
  3851. "C2 Server": "ajax.microsoft.com,/v4/links/activity-stream",
  3852. "HTTP Method Path 2": "/api2/json/check/ticket",
  3853. "Method1": "GET",
  3854. "Method2": "POST",
  3855. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3856. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3857. "Proxy_AccessType": "2 (Use IE settings)"
  3858. }
  3859. },
  3860. "167.172.217.69": {
  3861. "x64": {
  3862. "BeaconType": "8 (HTTPS)",
  3863. "Port": "443",
  3864. "Polling": "45000",
  3865. "Jitter": "37",
  3866. "C2 Server": "xifin.co,/jquery-3.3.1.min.js",
  3867. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3868. "Method1": "GET",
  3869. "Method2": "POST",
  3870. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3871. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3872. "Proxy_AccessType": "2 (Use IE settings)"
  3873. }
  3874. },
  3875. "167.179.87.86": {
  3876. "x64": {
  3877. "BeaconType": "8 (HTTPS)",
  3878. "Port": "443",
  3879. "Polling": "60000",
  3880. "Jitter": "0",
  3881. "Maxdns": "255",
  3882. "C2 Server": "167.179.87.86,/g.pixel",
  3883. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; BOIE9;ENUS)",
  3884. "HTTP Method Path 2": "/submit.php",
  3885. "Header1": "",
  3886. "Header2": "",
  3887. "PipeName": "",
  3888. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3889. "DNS Sleep": "0",
  3890. "Method1": "GET",
  3891. "Method2": "POST",
  3892. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3893. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3894. "Proxy_AccessType": "2 (Use IE settings)"
  3895. }
  3896. },
  3897. "167.179.96.215": {
  3898. "x64": {
  3899. "BeaconType": "8 (HTTPS)",
  3900. "Port": "443",
  3901. "Polling": "9800",
  3902. "Jitter": "26",
  3903. "Maxdns": "235",
  3904. "C2 Server": "167.179.96.215,/cdn/heartbeat",
  3905. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
  3906. "HTTP Method Path 2": "/cdn/update",
  3907. "Header1": "",
  3908. "Header2": "",
  3909. "PipeName": "",
  3910. "DNS Idle": "\\x08\\x08\\x04\\x04",
  3911. "DNS Sleep": "0",
  3912. "Method1": "GET",
  3913. "Method2": "POST",
  3914. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  3915. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  3916. "Proxy_AccessType": "2 (Use IE settings)"
  3917. }
  3918. },
  3919. "167.71.145.204": {
  3920. "x86": {
  3921. "BeaconType": "8 (HTTPS)",
  3922. "Port": "443",
  3923. "Polling": "45000",
  3924. "Jitter": "37",
  3925. "C2 Server": "1shop4health.com,/jquery-3.3.1.min.js",
  3926. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3927. "Method1": "GET",
  3928. "Method2": "POST",
  3929. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3930. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3931. "Proxy_AccessType": "2 (Use IE settings)"
  3932. },
  3933. "x64": {
  3934. "BeaconType": "8 (HTTPS)",
  3935. "Port": "443",
  3936. "Polling": "45000",
  3937. "Jitter": "37",
  3938. "C2 Server": "1shop4health.com,/jquery-3.3.1.min.js",
  3939. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  3940. "Method1": "GET",
  3941. "Method2": "POST",
  3942. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  3943. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  3944. "Proxy_AccessType": "2 (Use IE settings)"
  3945. }
  3946. },
  3947. "167.71.244.25": {
  3948. "x86": {
  3949. "BeaconType": "8 (HTTPS)",
  3950. "Port": "443",
  3951. "Polling": "15000",
  3952. "Jitter": "90",
  3953. "C2 Server": "ajax.microsoft.com,/wp-content/themes/am43-6/dist/records",
  3954. "HTTP Method Path 2": "/ev/ext001001",
  3955. "Method1": "GET",
  3956. "Method2": "POST",
  3957. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3958. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3959. "Proxy_AccessType": "2 (Use IE settings)"
  3960. },
  3961. "x64": {
  3962. "BeaconType": "8 (HTTPS)",
  3963. "Port": "443",
  3964. "Polling": "15000",
  3965. "Jitter": "90",
  3966. "C2 Server": "ajax.microsoft.com,/api2/json/cluster/resources",
  3967. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  3968. "Method1": "GET",
  3969. "Method2": "POST",
  3970. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  3971. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  3972. "Proxy_AccessType": "2 (Use IE settings)"
  3973. }
  3974. },
  3975. "167.99.197.196": {
  3976. "x86": {
  3977. "BeaconType": "8 (HTTPS)",
  3978. "Port": "443",
  3979. "Polling": "60000",
  3980. "Jitter": "0",
  3981. "Maxdns": "255",
  3982. "C2 Server": "myredirector1.live,/c/msdownload/update/others/2020/10/29136388_,myredirector2.live,/c/msdownload/update/others/2020/10/29136388_",
  3983. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  3984. "HTTP Method Path 2": "/c/msdownload/update/others/2020/10/28986731_",
  3985. "Header1": "",
  3986. "Header2": "",
  3987. "PipeName": "",
  3988. "DNS Idle": "\\x00\\x00\\x00\\x00",
  3989. "DNS Sleep": "0",
  3990. "Method1": "GET",
  3991. "Method2": "POST",
  3992. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  3993. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  3994. "Proxy_AccessType": "2 (Use IE settings)"
  3995. }
  3996. },
  3997. "167.99.200.45": {
  3998. "x64": {
  3999. "BeaconType": "8 (HTTPS)",
  4000. "Port": "443",
  4001. "Polling": "30000",
  4002. "Jitter": "20",
  4003. "Maxdns": "235",
  4004. "C2 Server": "outlook-1.azureedge.net,/static/css/main.d22d3525.chunk.css",
  4005. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
  4006. "HTTP Method Path 2": "/owamail/calendar/service.svc",
  4007. "Header1": "",
  4008. "Header2": "",
  4009. "PipeName": "",
  4010. "DNS Idle": "\rZ\\xD5\\xCC",
  4011. "DNS Sleep": "0",
  4012. "Method1": "GET",
  4013. "Method2": "POST",
  4014. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  4015. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  4016. "Proxy_AccessType": "2 (Use IE settings)"
  4017. }
  4018. },
  4019. "168.119.0.88": {
  4020. "x86": {
  4021. "BeaconType": "8 (HTTPS)",
  4022. "Port": "443",
  4023. "Polling": "60000",
  4024. "Jitter": "0",
  4025. "Maxdns": "255",
  4026. "C2 Server": "168.119.0.88,/g.pixel",
  4027. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  4028. "HTTP Method Path 2": "/submit.php",
  4029. "Header1": "",
  4030. "Header2": "",
  4031. "PipeName": "",
  4032. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4033. "DNS Sleep": "0",
  4034. "Method1": "GET",
  4035. "Method2": "POST",
  4036. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4037. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4038. "Proxy_AccessType": "2 (Use IE settings)"
  4039. }
  4040. },
  4041. "168.62.7.130": {
  4042. "x64": {
  4043. "BeaconType": "8 (HTTPS)",
  4044. "Port": "443",
  4045. "Polling": "37500",
  4046. "Jitter": "33",
  4047. "Maxdns": "245",
  4048. "C2 Server": "red.therclegalgroup.com,/javascripts/jquery.foundation.navigation.js",
  4049. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; SLCC; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MS-RTC LM 8)",
  4050. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  4051. "Header1": "",
  4052. "Header2": "",
  4053. "PipeName": "",
  4054. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4055. "DNS Sleep": "0",
  4056. "Method1": "GET",
  4057. "Method2": "POST",
  4058. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  4059. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  4060. "Proxy_AccessType": "2 (Use IE settings)"
  4061. }
  4062. },
  4063. "172.241.27.214": {
  4064. "x86": {
  4065. "BeaconType": "8 (HTTPS)",
  4066. "Port": "443",
  4067. "Polling": "5000",
  4068. "Jitter": "10",
  4069. "Maxdns": "235",
  4070. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  4071. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4072. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4073. "Header1": "",
  4074. "Header2": "",
  4075. "PipeName": "",
  4076. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4077. "DNS Sleep": "0",
  4078. "Method1": "GET",
  4079. "Method2": "POST",
  4080. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4081. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4082. "Proxy_AccessType": "2 (Use IE settings)"
  4083. }
  4084. },
  4085. "172.241.27.230": {
  4086. "x86": {
  4087. "BeaconType": "8 (HTTPS)",
  4088. "Port": "443",
  4089. "Polling": "5000",
  4090. "Jitter": "10",
  4091. "Maxdns": "235",
  4092. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  4093. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4094. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4095. "Header1": "",
  4096. "Header2": "",
  4097. "PipeName": "",
  4098. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4099. "DNS Sleep": "0",
  4100. "Method1": "GET",
  4101. "Method2": "POST",
  4102. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4103. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4104. "Proxy_AccessType": "2 (Use IE settings)"
  4105. }
  4106. },
  4107. "172.241.27.46": {
  4108. "x86": {
  4109. "BeaconType": "8 (HTTPS)",
  4110. "Port": "443",
  4111. "Polling": "5000",
  4112. "Jitter": "10",
  4113. "Maxdns": "235",
  4114. "C2 Server": "oldplex.com,/us/ky/louisville/312-s-fourth-st.html",
  4115. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4116. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4117. "Header1": "",
  4118. "Header2": "",
  4119. "PipeName": "",
  4120. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4121. "DNS Sleep": "0",
  4122. "Method1": "GET",
  4123. "Method2": "POST",
  4124. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4125. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4126. "Proxy_AccessType": "2 (Use IE settings)"
  4127. },
  4128. "x64": {
  4129. "BeaconType": "8 (HTTPS)",
  4130. "Port": "443",
  4131. "Polling": "5000",
  4132. "Jitter": "10",
  4133. "Maxdns": "235",
  4134. "C2 Server": "oldplex.com,/us/ky/louisville/312-s-fourth-st.html",
  4135. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4136. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4137. "Header1": "",
  4138. "Header2": "",
  4139. "PipeName": "",
  4140. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4141. "DNS Sleep": "0",
  4142. "Method1": "GET",
  4143. "Method2": "POST",
  4144. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4145. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4146. "Proxy_AccessType": "2 (Use IE settings)"
  4147. }
  4148. },
  4149. "172.241.27.57": {
  4150. "x86": {
  4151. "BeaconType": "8 (HTTPS)",
  4152. "Port": "443",
  4153. "Polling": "5000",
  4154. "Jitter": "10",
  4155. "Maxdns": "235",
  4156. "C2 Server": "zipflag.com,/us/ky/louisville/312-s-fourth-st.html",
  4157. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4158. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4159. "Header1": "",
  4160. "Header2": "",
  4161. "PipeName": "",
  4162. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4163. "DNS Sleep": "0",
  4164. "Method1": "GET",
  4165. "Method2": "POST",
  4166. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4167. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4168. "Proxy_AccessType": "2 (Use IE settings)"
  4169. }
  4170. },
  4171. "172.241.29.153": {
  4172. "x86": {
  4173. "BeaconType": "8 (HTTPS)",
  4174. "Port": "443",
  4175. "Polling": "60000",
  4176. "Jitter": "0",
  4177. "Maxdns": "255",
  4178. "C2 Server": "172.241.29.153,/dpixel",
  4179. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Xbox)",
  4180. "HTTP Method Path 2": "/submit.php",
  4181. "Header1": "",
  4182. "Header2": "",
  4183. "PipeName": "",
  4184. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4185. "DNS Sleep": "0",
  4186. "Method1": "GET",
  4187. "Method2": "POST",
  4188. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4189. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4190. "Proxy_AccessType": "2 (Use IE settings)"
  4191. }
  4192. },
  4193. "172.241.29.155": {
  4194. "x64": {
  4195. "BeaconType": "8 (HTTPS)",
  4196. "Port": "443",
  4197. "Polling": "60000",
  4198. "Jitter": "0",
  4199. "Maxdns": "255",
  4200. "C2 Server": "amamai-tecnologies.space,/dot.gif",
  4201. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  4202. "HTTP Method Path 2": "/submit.php",
  4203. "Header1": "",
  4204. "Header2": "",
  4205. "PipeName": "",
  4206. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4207. "DNS Sleep": "0",
  4208. "Method1": "GET",
  4209. "Method2": "POST",
  4210. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4211. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4212. "Proxy_AccessType": "2 (Use IE settings)"
  4213. }
  4214. },
  4215. "172.241.29.156": {
  4216. "x64": {
  4217. "BeaconType": "8 (HTTPS)",
  4218. "Port": "443",
  4219. "Polling": "60000",
  4220. "Jitter": "0",
  4221. "Maxdns": "255",
  4222. "C2 Server": "amamai-tecnologies.digital,/IE9CompatViewList.xml",
  4223. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  4224. "HTTP Method Path 2": "/submit.php",
  4225. "Header1": "",
  4226. "Header2": "",
  4227. "PipeName": "",
  4228. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4229. "DNS Sleep": "0",
  4230. "Method1": "GET",
  4231. "Method2": "POST",
  4232. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4233. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4234. "Proxy_AccessType": "2 (Use IE settings)"
  4235. }
  4236. },
  4237. "172.82.148.202": {
  4238. "x86": {
  4239. "BeaconType": "8 (HTTPS)",
  4240. "Port": "443",
  4241. "Polling": "5000",
  4242. "Jitter": "10",
  4243. "Maxdns": "235",
  4244. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  4245. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4246. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4247. "Header1": "",
  4248. "Header2": "",
  4249. "PipeName": "",
  4250. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4251. "DNS Sleep": "0",
  4252. "Method1": "GET",
  4253. "Method2": "POST",
  4254. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4255. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4256. "Proxy_AccessType": "2 (Use IE settings)"
  4257. },
  4258. "x64": {
  4259. "BeaconType": "8 (HTTPS)",
  4260. "Port": "443",
  4261. "Polling": "5000",
  4262. "Jitter": "10",
  4263. "Maxdns": "235",
  4264. "C2 Server": "172.82.148.202,/us/ky/louisville/312-s-fourth-st.html,resnote.com,/us/ky/louisville/312-s-fourth-st.html",
  4265. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4266. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4267. "Header1": "",
  4268. "Header2": "",
  4269. "PipeName": "",
  4270. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4271. "DNS Sleep": "0",
  4272. "Method1": "GET",
  4273. "Method2": "POST",
  4274. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4275. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4276. "Proxy_AccessType": "2 (Use IE settings)"
  4277. }
  4278. },
  4279. "172.82.179.170": {
  4280. "x64": {
  4281. "BeaconType": "8 (HTTPS)",
  4282. "Port": "443",
  4283. "Polling": "5000",
  4284. "Jitter": "10",
  4285. "Maxdns": "235",
  4286. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  4287. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4288. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4289. "Header1": "",
  4290. "Header2": "",
  4291. "PipeName": "",
  4292. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4293. "DNS Sleep": "0",
  4294. "Method1": "GET",
  4295. "Method2": "POST",
  4296. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4297. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4298. "Proxy_AccessType": "2 (Use IE settings)"
  4299. }
  4300. },
  4301. "172.93.101.50": {
  4302. "x86": {
  4303. "BeaconType": "8 (HTTPS)",
  4304. "Port": "443",
  4305. "Polling": "5000",
  4306. "Jitter": "10",
  4307. "Maxdns": "235",
  4308. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  4309. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4310. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4311. "Header1": "",
  4312. "Header2": "",
  4313. "PipeName": "",
  4314. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4315. "DNS Sleep": "0",
  4316. "Method1": "GET",
  4317. "Method2": "POST",
  4318. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4319. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4320. "Proxy_AccessType": "2 (Use IE settings)"
  4321. },
  4322. "x64": {
  4323. "BeaconType": "8 (HTTPS)",
  4324. "Port": "443",
  4325. "Polling": "5000",
  4326. "Jitter": "10",
  4327. "Maxdns": "235",
  4328. "C2 Server": "orgsale.com,/us/ky/louisville/312-s-fourth-st.html",
  4329. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4330. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4331. "Header1": "",
  4332. "Header2": "",
  4333. "PipeName": "",
  4334. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4335. "DNS Sleep": "0",
  4336. "Method1": "GET",
  4337. "Method2": "POST",
  4338. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4339. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4340. "Proxy_AccessType": "2 (Use IE settings)"
  4341. }
  4342. },
  4343. "172.93.102.164": {
  4344. "x86": {
  4345. "BeaconType": "8 (HTTPS)",
  4346. "Port": "443",
  4347. "Polling": "5000",
  4348. "Jitter": "10",
  4349. "Maxdns": "235",
  4350. "C2 Server": "facesh.com,/us/ky/louisville/312-s-fourth-st.html",
  4351. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4352. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4353. "Header1": "",
  4354. "Header2": "",
  4355. "PipeName": "",
  4356. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4357. "DNS Sleep": "0",
  4358. "Method1": "GET",
  4359. "Method2": "POST",
  4360. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4361. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4362. "Proxy_AccessType": "2 (Use IE settings)"
  4363. }
  4364. },
  4365. "172.93.107.2": {
  4366. "x86": {
  4367. "BeaconType": "8 (HTTPS)",
  4368. "Port": "443",
  4369. "Polling": "30000",
  4370. "Jitter": "20",
  4371. "Maxdns": "255",
  4372. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  4373. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4374. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4375. "Header1": "",
  4376. "Header2": "",
  4377. "PipeName": "",
  4378. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4379. "DNS Sleep": "0",
  4380. "Method1": "GET",
  4381. "Method2": "POST",
  4382. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4383. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4384. "Proxy_AccessType": "2 (Use IE settings)"
  4385. },
  4386. "x64": {
  4387. "BeaconType": "8 (HTTPS)",
  4388. "Port": "443",
  4389. "Polling": "30000",
  4390. "Jitter": "20",
  4391. "Maxdns": "255",
  4392. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  4393. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4394. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4395. "Header1": "",
  4396. "Header2": "",
  4397. "PipeName": "",
  4398. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4399. "DNS Sleep": "0",
  4400. "Method1": "GET",
  4401. "Method2": "POST",
  4402. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4403. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4404. "Proxy_AccessType": "2 (Use IE settings)"
  4405. }
  4406. },
  4407. "172.93.97.66": {
  4408. "x86": {
  4409. "BeaconType": "8 (HTTPS)",
  4410. "Port": "443",
  4411. "Polling": "30000",
  4412. "Jitter": "20",
  4413. "Maxdns": "255",
  4414. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  4415. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4416. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4417. "Header1": "",
  4418. "Header2": "",
  4419. "PipeName": "",
  4420. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4421. "DNS Sleep": "0",
  4422. "Method1": "GET",
  4423. "Method2": "POST",
  4424. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4425. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4426. "Proxy_AccessType": "2 (Use IE settings)"
  4427. },
  4428. "x64": {
  4429. "BeaconType": "8 (HTTPS)",
  4430. "Port": "443",
  4431. "Polling": "30000",
  4432. "Jitter": "20",
  4433. "Maxdns": "255",
  4434. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  4435. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4436. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4437. "Header1": "",
  4438. "Header2": "",
  4439. "PipeName": "",
  4440. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4441. "DNS Sleep": "0",
  4442. "Method1": "GET",
  4443. "Method2": "POST",
  4444. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4445. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4446. "Proxy_AccessType": "2 (Use IE settings)"
  4447. }
  4448. },
  4449. "172.96.160.218": {
  4450. "x64": {
  4451. "BeaconType": "8 (HTTPS)",
  4452. "Port": "443",
  4453. "Polling": "5000",
  4454. "Jitter": "10",
  4455. "Maxdns": "235",
  4456. "C2 Server": "lenview.com,/us/ky/louisville/312-s-fourth-st.html",
  4457. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4458. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4459. "Header1": "",
  4460. "Header2": "",
  4461. "PipeName": "",
  4462. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4463. "DNS Sleep": "0",
  4464. "Method1": "GET",
  4465. "Method2": "POST",
  4466. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4467. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4468. "Proxy_AccessType": "2 (Use IE settings)"
  4469. }
  4470. },
  4471. "172.98.192.91": {
  4472. "x86": {
  4473. "BeaconType": "8 (HTTPS)",
  4474. "Port": "443",
  4475. "Polling": "5000",
  4476. "Jitter": "0",
  4477. "Maxdns": "255",
  4478. "C2 Server": "172.98.192.91,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  4479. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  4480. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  4481. "Header1": "",
  4482. "Header2": "",
  4483. "PipeName": "",
  4484. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4485. "DNS Sleep": "0",
  4486. "Method1": "GET",
  4487. "Method2": "POST",
  4488. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4489. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4490. "Proxy_AccessType": "2 (Use IE settings)"
  4491. }
  4492. },
  4493. "172.98.192.94": {
  4494. "x86": {
  4495. "BeaconType": "8 (HTTPS)",
  4496. "Port": "443",
  4497. "Polling": "60000",
  4498. "Jitter": "0",
  4499. "Maxdns": "255",
  4500. "C2 Server": "172.98.192.94,/g.pixel",
  4501. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  4502. "HTTP Method Path 2": "/submit.php",
  4503. "Header1": "",
  4504. "Header2": "",
  4505. "PipeName": "",
  4506. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4507. "DNS Sleep": "0",
  4508. "Method1": "GET",
  4509. "Method2": "POST",
  4510. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4511. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4512. "Proxy_AccessType": "2 (Use IE settings)"
  4513. }
  4514. },
  4515. "173.234.155.146": {
  4516. "x86": {
  4517. "BeaconType": "8 (HTTPS)",
  4518. "Port": "443",
  4519. "Polling": "5000",
  4520. "Jitter": "10",
  4521. "Maxdns": "235",
  4522. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  4523. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4524. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4525. "Header1": "",
  4526. "Header2": "",
  4527. "PipeName": "",
  4528. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4529. "DNS Sleep": "0",
  4530. "Method1": "GET",
  4531. "Method2": "POST",
  4532. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4533. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4534. "Proxy_AccessType": "2 (Use IE settings)"
  4535. }
  4536. },
  4537. "173.234.155.173": {
  4538. "x86": {
  4539. "BeaconType": "8 (HTTPS)",
  4540. "Port": "443",
  4541. "Polling": "5000",
  4542. "Jitter": "10",
  4543. "Maxdns": "235",
  4544. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  4545. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4546. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4547. "Header1": "",
  4548. "Header2": "",
  4549. "PipeName": "",
  4550. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4551. "DNS Sleep": "0",
  4552. "Method1": "GET",
  4553. "Method2": "POST",
  4554. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4555. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4556. "Proxy_AccessType": "2 (Use IE settings)"
  4557. }
  4558. },
  4559. "173.234.155.184": {
  4560. "x86": {
  4561. "BeaconType": "8 (HTTPS)",
  4562. "Port": "443",
  4563. "Polling": "30000",
  4564. "Jitter": "20",
  4565. "Maxdns": "255",
  4566. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  4567. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4568. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4569. "Header1": "",
  4570. "Header2": "",
  4571. "PipeName": "",
  4572. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4573. "DNS Sleep": "0",
  4574. "Method1": "GET",
  4575. "Method2": "POST",
  4576. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4577. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4578. "Proxy_AccessType": "2 (Use IE settings)"
  4579. },
  4580. "x64": {
  4581. "BeaconType": "8 (HTTPS)",
  4582. "Port": "443",
  4583. "Polling": "30000",
  4584. "Jitter": "20",
  4585. "Maxdns": "255",
  4586. "C2 Server": "dealeva.com,/CWoNaJLBo/VTNeWw11212/",
  4587. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  4588. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  4589. "Header1": "",
  4590. "Header2": "",
  4591. "PipeName": "",
  4592. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4593. "DNS Sleep": "0",
  4594. "Method1": "GET",
  4595. "Method2": "POST",
  4596. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4597. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4598. "Proxy_AccessType": "2 (Use IE settings)"
  4599. }
  4600. },
  4601. "173.234.155.54": {
  4602. "x86": {
  4603. "BeaconType": "8 (HTTPS)",
  4604. "Port": "443",
  4605. "Polling": "60000",
  4606. "Jitter": "0",
  4607. "Maxdns": "255",
  4608. "C2 Server": "img.intactlinks.com,/fwlink,print.intactlinks.com,/cx",
  4609. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)",
  4610. "HTTP Method Path 2": "/submit.php",
  4611. "Header1": "",
  4612. "Header2": "",
  4613. "PipeName": "",
  4614. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4615. "DNS Sleep": "0",
  4616. "Method1": "GET",
  4617. "Method2": "POST",
  4618. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4619. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4620. "Proxy_AccessType": "2 (Use IE settings)"
  4621. },
  4622. "x64": {
  4623. "BeaconType": "8 (HTTPS)",
  4624. "Port": "443",
  4625. "Polling": "60000",
  4626. "Jitter": "0",
  4627. "Maxdns": "255",
  4628. "C2 Server": "img.intactlinks.com,/j.ad,print.intactlinks.com,/activity",
  4629. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  4630. "HTTP Method Path 2": "/submit.php",
  4631. "Header1": "",
  4632. "Header2": "",
  4633. "PipeName": "",
  4634. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4635. "DNS Sleep": "0",
  4636. "Method1": "GET",
  4637. "Method2": "POST",
  4638. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4639. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4640. "Proxy_AccessType": "2 (Use IE settings)"
  4641. }
  4642. },
  4643. "173.234.155.55": {
  4644. "x86": {
  4645. "BeaconType": "8 (HTTPS)",
  4646. "Port": "443",
  4647. "Polling": "5000",
  4648. "Jitter": "37",
  4649. "Maxdns": "255",
  4650. "C2 Server": "cwsedge.net,/jquery-3.3.1.min.js",
  4651. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  4652. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  4653. "Header1": "",
  4654. "Header2": "",
  4655. "PipeName": "",
  4656. "DNS Idle": "J}\\xC4q",
  4657. "DNS Sleep": "0",
  4658. "Method1": "GET",
  4659. "Method2": "POST",
  4660. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  4661. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  4662. "Proxy_AccessType": "2 (Use IE settings)"
  4663. }
  4664. },
  4665. "173.234.155.75": {
  4666. "x64": {
  4667. "BeaconType": "8 (HTTPS)",
  4668. "Port": "443",
  4669. "Polling": "5000",
  4670. "Jitter": "10",
  4671. "Maxdns": "235",
  4672. "C2 Server": "likenic.com,/us/ky/louisville/312-s-fourth-st.html",
  4673. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4674. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4675. "Header1": "",
  4676. "Header2": "",
  4677. "PipeName": "",
  4678. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4679. "DNS Sleep": "0",
  4680. "Method1": "GET",
  4681. "Method2": "POST",
  4682. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4683. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4684. "Proxy_AccessType": "2 (Use IE settings)"
  4685. }
  4686. },
  4687. "173.234.155.85": {
  4688. "x86": {
  4689. "BeaconType": "8 (HTTPS)",
  4690. "Port": "443",
  4691. "Polling": "5000",
  4692. "Jitter": "10",
  4693. "Maxdns": "235",
  4694. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  4695. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4696. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4697. "Header1": "",
  4698. "Header2": "",
  4699. "PipeName": "",
  4700. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4701. "DNS Sleep": "0",
  4702. "Method1": "GET",
  4703. "Method2": "POST",
  4704. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4705. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4706. "Proxy_AccessType": "2 (Use IE settings)"
  4707. },
  4708. "x64": {
  4709. "BeaconType": "8 (HTTPS)",
  4710. "Port": "443",
  4711. "Polling": "5000",
  4712. "Jitter": "10",
  4713. "Maxdns": "235",
  4714. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  4715. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  4716. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  4717. "Header1": "",
  4718. "Header2": "",
  4719. "PipeName": "",
  4720. "DNS Idle": "\\x08\\x08\\x08\\x08",
  4721. "DNS Sleep": "0",
  4722. "Method1": "GET",
  4723. "Method2": "POST",
  4724. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  4725. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  4726. "Proxy_AccessType": "2 (Use IE settings)"
  4727. }
  4728. },
  4729. "173.234.25.74": {
  4730. "x86": {
  4731. "BeaconType": "8 (HTTPS)",
  4732. "Port": "443",
  4733. "Polling": "60000",
  4734. "Jitter": "0",
  4735. "C2 Server": "45.170.251.101,/ga.js",
  4736. "HTTP Method Path 2": "/submit.php",
  4737. "Method1": "GET",
  4738. "Method2": "POST",
  4739. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4740. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4741. "Proxy_AccessType": "2 (Use IE settings)"
  4742. }
  4743. },
  4744. "173.234.25.75": {
  4745. "x64": {
  4746. "BeaconType": "8 (HTTPS)",
  4747. "Port": "443",
  4748. "Polling": "60000",
  4749. "Jitter": "0",
  4750. "C2 Server": "45.170.251.101,/updates.rss",
  4751. "HTTP Method Path 2": "/submit.php",
  4752. "Method1": "GET",
  4753. "Method2": "POST",
  4754. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4755. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4756. "Proxy_AccessType": "2 (Use IE settings)"
  4757. }
  4758. },
  4759. "173.234.25.76": {
  4760. "x86": {
  4761. "BeaconType": "8 (HTTPS)",
  4762. "Port": "443",
  4763. "Polling": "60000",
  4764. "Jitter": "0",
  4765. "C2 Server": "45.170.251.101,/ga.js",
  4766. "HTTP Method Path 2": "/submit.php",
  4767. "Method1": "GET",
  4768. "Method2": "POST",
  4769. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4770. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4771. "Proxy_AccessType": "2 (Use IE settings)"
  4772. }
  4773. },
  4774. "173.234.25.77": {
  4775. "x86": {
  4776. "BeaconType": "8 (HTTPS)",
  4777. "Port": "443",
  4778. "Polling": "60000",
  4779. "Jitter": "0",
  4780. "C2 Server": "45.170.251.101,/ga.js",
  4781. "HTTP Method Path 2": "/submit.php",
  4782. "Method1": "GET",
  4783. "Method2": "POST",
  4784. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4785. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4786. "Proxy_AccessType": "2 (Use IE settings)"
  4787. }
  4788. },
  4789. "173.234.25.78": {
  4790. "x86": {
  4791. "BeaconType": "8 (HTTPS)",
  4792. "Port": "443",
  4793. "Polling": "60000",
  4794. "Jitter": "0",
  4795. "C2 Server": "45.170.251.101,/ga.js",
  4796. "HTTP Method Path 2": "/submit.php",
  4797. "Method1": "GET",
  4798. "Method2": "POST",
  4799. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4800. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4801. "Proxy_AccessType": "2 (Use IE settings)"
  4802. },
  4803. "x64": {
  4804. "BeaconType": "8 (HTTPS)",
  4805. "Port": "443",
  4806. "Polling": "60000",
  4807. "Jitter": "0",
  4808. "C2 Server": "45.170.251.101,/updates.rss",
  4809. "HTTP Method Path 2": "/submit.php",
  4810. "Method1": "GET",
  4811. "Method2": "POST",
  4812. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4813. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4814. "Proxy_AccessType": "2 (Use IE settings)"
  4815. }
  4816. },
  4817. "176.105.254.220": {
  4818. "x64": {
  4819. "BeaconType": "8 (HTTPS)",
  4820. "Port": "443",
  4821. "Polling": "38310",
  4822. "Jitter": "35",
  4823. "Maxdns": "245",
  4824. "C2 Server": "chromeupdates.best,/admin",
  4825. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.227.0 Safari/536.3",
  4826. "HTTP Method Path 2": "/Login",
  4827. "Header1": "",
  4828. "Header2": "",
  4829. "PipeName": "",
  4830. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4831. "DNS Sleep": "0",
  4832. "Method1": "GET",
  4833. "Method2": "GET",
  4834. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  4835. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  4836. "Proxy_AccessType": "2 (Use IE settings)"
  4837. }
  4838. },
  4839. "176.121.14.229": {
  4840. "x86": {
  4841. "BeaconType": "8 (HTTPS)",
  4842. "Port": "443",
  4843. "Polling": "60000",
  4844. "Jitter": "0",
  4845. "Maxdns": "255",
  4846. "C2 Server": "176.121.14.229,/match",
  4847. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  4848. "HTTP Method Path 2": "/submit.php",
  4849. "Header1": "",
  4850. "Header2": "",
  4851. "PipeName": "",
  4852. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4853. "DNS Sleep": "0",
  4854. "Method1": "GET",
  4855. "Method2": "POST",
  4856. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4857. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4858. "Proxy_AccessType": "2 (Use IE settings)"
  4859. }
  4860. },
  4861. "176.121.14.249": {
  4862. "x64": {
  4863. "BeaconType": "8 (HTTPS)",
  4864. "Port": "443",
  4865. "Polling": "60000",
  4866. "Jitter": "0",
  4867. "Maxdns": "255",
  4868. "C2 Server": "176.121.14.249,/j.ad",
  4869. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  4870. "HTTP Method Path 2": "/submit.php",
  4871. "Header1": "",
  4872. "Header2": "",
  4873. "PipeName": "",
  4874. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4875. "DNS Sleep": "0",
  4876. "Method1": "GET",
  4877. "Method2": "POST",
  4878. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4879. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4880. "Proxy_AccessType": "2 (Use IE settings)"
  4881. }
  4882. },
  4883. "176.121.14.251": {
  4884. "x86": {
  4885. "BeaconType": "8 (HTTPS)",
  4886. "Port": "443",
  4887. "Polling": "60000",
  4888. "Jitter": "0",
  4889. "Maxdns": "255",
  4890. "C2 Server": "176.121.14.251,/updates.rss",
  4891. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)",
  4892. "HTTP Method Path 2": "/submit.php",
  4893. "Header1": "",
  4894. "Header2": "",
  4895. "PipeName": "",
  4896. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4897. "DNS Sleep": "0",
  4898. "Method1": "GET",
  4899. "Method2": "POST",
  4900. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4901. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4902. "Proxy_AccessType": "2 (Use IE settings)"
  4903. }
  4904. },
  4905. "176.123.8.228": {
  4906. "x86": {
  4907. "BeaconType": "8 (HTTPS)",
  4908. "Port": "443",
  4909. "Polling": "60000",
  4910. "Jitter": "0",
  4911. "Maxdns": "255",
  4912. "C2 Server": "176.123.8.228,/__utm.gif",
  4913. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  4914. "HTTP Method Path 2": "/___utm.gif",
  4915. "Header1": "",
  4916. "Header2": "",
  4917. "PipeName": "",
  4918. "DNS Idle": "\\x00\\x00\\x00\\x00",
  4919. "DNS Sleep": "0",
  4920. "Method1": "GET",
  4921. "Method2": "POST",
  4922. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  4923. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  4924. "Proxy_AccessType": "2 (Use IE settings)"
  4925. }
  4926. },
  4927. "178.128.105.13": {
  4928. "x86": {
  4929. "BeaconType": "8 (HTTPS)",
  4930. "Port": "443",
  4931. "Polling": "15000",
  4932. "Jitter": "90",
  4933. "Maxdns": "225",
  4934. "C2 Server": "ajax.microsoft.com,/gp/aj/private/reviewsGallery/get-image-gallery-assets,mscrl.microsoft.com,/wp-includes/js/script/indigo-migrate",
  4935. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  4936. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  4937. "Header1": "",
  4938. "Header2": "",
  4939. "PipeName": "",
  4940. "DNS Idle": "h\\xD8<\\x84",
  4941. "DNS Sleep": "0",
  4942. "Method1": "GET",
  4943. "Method2": "POST",
  4944. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  4945. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  4946. "Proxy_AccessType": "2 (Use IE settings)"
  4947. }
  4948. },
  4949. "178.128.187.10": {
  4950. "x64": {
  4951. "BeaconType": "8 (HTTPS)",
  4952. "Port": "443",
  4953. "Polling": "15000",
  4954. "Jitter": "90",
  4955. "C2 Server": "securetraining.org,/wp-includes/js/script/indigo-migrate",
  4956. "HTTP Method Path 2": "/v4/links/check-activity/check",
  4957. "Method1": "GET",
  4958. "Method2": "POST",
  4959. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  4960. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  4961. "Proxy_AccessType": "2 (Use IE settings)"
  4962. }
  4963. },
  4964. "178.238.228.90": {
  4965. "x86": {
  4966. "BeaconType": "8 (HTTPS)",
  4967. "Port": "443",
  4968. "Polling": "57236",
  4969. "Jitter": "37",
  4970. "Maxdns": "249",
  4971. "C2 Server": "178.238.228.90,/Content",
  4972. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  4973. "HTTP Method Path 2": "/adminhtml",
  4974. "Header1": "",
  4975. "Header2": "",
  4976. "PipeName": "",
  4977. "DNS Idle": "\\xDC\\\\x92\\x8B",
  4978. "DNS Sleep": "0",
  4979. "Method1": "GET",
  4980. "Method2": "POST",
  4981. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  4982. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  4983. "Proxy_AccessType": "2 (Use IE settings)"
  4984. }
  4985. },
  4986. "178.79.134.144": {
  4987. "x86": {
  4988. "BeaconType": "8 (HTTPS)",
  4989. "Port": "443",
  4990. "Polling": "5000",
  4991. "Jitter": "0",
  4992. "Maxdns": "255",
  4993. "C2 Server": "tcpsessionsconnect.com,/idle/1376547834/1",
  4994. "User Agent": "Shockwave Flash",
  4995. "HTTP Method Path 2": "/send/1376547834/",
  4996. "Header1": "",
  4997. "Header2": "",
  4998. "PipeName": "",
  4999. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5000. "DNS Sleep": "0",
  5001. "Method1": "GET",
  5002. "Method2": "POST",
  5003. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5004. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5005. "Proxy_AccessType": "1 (Use direct connection)"
  5006. }
  5007. },
  5008. "18.144.133.24": {
  5009. "x64": {
  5010. "BeaconType": "8 (HTTPS)",
  5011. "Port": "443",
  5012. "Polling": "62658",
  5013. "Jitter": "39",
  5014. "C2 Server": "18.144.133.24,/search",
  5015. "HTTP Method Path 2": "/fo",
  5016. "Method1": "GET",
  5017. "Method2": "POST",
  5018. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  5019. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  5020. "Proxy_AccessType": "2 (Use IE settings)"
  5021. }
  5022. },
  5023. "18.156.114.88": {
  5024. "x86": {
  5025. "BeaconType": "8 (HTTPS)",
  5026. "Port": "443",
  5027. "Polling": "60000",
  5028. "Jitter": "20",
  5029. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  5030. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  5031. "Method1": "GET",
  5032. "Method2": "GET",
  5033. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5034. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5035. "Proxy_AccessType": "2 (Use IE settings)"
  5036. }
  5037. },
  5038. "18.163.120.26": {
  5039. "x64": {
  5040. "BeaconType": "8 (HTTPS)",
  5041. "Port": "443",
  5042. "Polling": "60000",
  5043. "Jitter": "0",
  5044. "Maxdns": "255",
  5045. "C2 Server": "18.163.120.26,/__utm.gif",
  5046. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)",
  5047. "HTTP Method Path 2": "/submit.php",
  5048. "Header1": "",
  5049. "Header2": "",
  5050. "PipeName": "",
  5051. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5052. "DNS Sleep": "0",
  5053. "Method1": "GET",
  5054. "Method2": "POST",
  5055. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5056. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5057. "Proxy_AccessType": "2 (Use IE settings)"
  5058. }
  5059. },
  5060. "18.163.195.231": {
  5061. "x86": {
  5062. "BeaconType": "8 (HTTPS)",
  5063. "Port": "443",
  5064. "Polling": "60000",
  5065. "Jitter": "20",
  5066. "Maxdns": "235",
  5067. "C2 Server": "18.166.71.96,/c/msdownload/update/others/2016/12/29136388_",
  5068. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  5069. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  5070. "Header1": "",
  5071. "Header2": "",
  5072. "PipeName": "",
  5073. "DNS Idle": "\\x08\\x08\\x04\\x04",
  5074. "DNS Sleep": "0",
  5075. "Method1": "GET",
  5076. "Method2": "GET",
  5077. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5078. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5079. "Proxy_AccessType": "2 (Use IE settings)"
  5080. },
  5081. "x64": {
  5082. "BeaconType": "8 (HTTPS)",
  5083. "Port": "443",
  5084. "Polling": "60000",
  5085. "Jitter": "20",
  5086. "Maxdns": "235",
  5087. "C2 Server": "18.166.71.96,/c/msdownload/update/others/2016/12/29136388_",
  5088. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  5089. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  5090. "Header1": "",
  5091. "Header2": "",
  5092. "PipeName": "",
  5093. "DNS Idle": "\\x08\\x08\\x04\\x04",
  5094. "DNS Sleep": "0",
  5095. "Method1": "GET",
  5096. "Method2": "GET",
  5097. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5098. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5099. "Proxy_AccessType": "2 (Use IE settings)"
  5100. }
  5101. },
  5102. "18.189.12.168": {
  5103. "x64": {
  5104. "BeaconType": "8 (HTTPS)",
  5105. "Port": "443",
  5106. "Polling": "60000",
  5107. "Jitter": "47",
  5108. "Maxdns": "255",
  5109. "C2 Server": "jquery.alrowadclinic.com,/jquery-3.3.1.min.js",
  5110. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5111. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5112. "Header1": "",
  5113. "Header2": "",
  5114. "PipeName": "",
  5115. "DNS Idle": "J}\\xC4q",
  5116. "DNS Sleep": "0",
  5117. "Method1": "GET",
  5118. "Method2": "POST",
  5119. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5120. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5121. "Proxy_AccessType": "2 (Use IE settings)"
  5122. }
  5123. },
  5124. "18.191.170.242": {
  5125. "x86": {
  5126. "BeaconType": "8 (HTTPS)",
  5127. "Port": "443",
  5128. "Polling": "5000",
  5129. "Jitter": "37",
  5130. "C2 Server": "18.191.170.242,/jquery-3.3.1.min.js",
  5131. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5132. "Method1": "GET",
  5133. "Method2": "POST",
  5134. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  5135. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  5136. "Proxy_AccessType": "2 (Use IE settings)"
  5137. }
  5138. },
  5139. "18.191.221.167": {
  5140. "x86": {
  5141. "BeaconType": "8 (HTTPS)",
  5142. "Port": "443",
  5143. "Polling": "45000",
  5144. "Jitter": "37",
  5145. "Maxdns": "255",
  5146. "C2 Server": "18.191.221.167,/jquery-3.3.1.min.js",
  5147. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5148. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5149. "Header1": "",
  5150. "Header2": "",
  5151. "PipeName": "",
  5152. "DNS Idle": "J}\\xC4q",
  5153. "DNS Sleep": "0",
  5154. "Method1": "GET",
  5155. "Method2": "POST",
  5156. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5157. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5158. "Proxy_AccessType": "2 (Use IE settings)"
  5159. }
  5160. },
  5161. "18.191.221.28": {
  5162. "x86": {
  5163. "BeaconType": "8 (HTTPS)",
  5164. "Port": "443",
  5165. "Polling": "6700",
  5166. "Jitter": "13",
  5167. "Maxdns": "247",
  5168. "C2 Server": "cmpinsurance.com,/s/ref=nb_sb_noss_1/122-66617254-9010232/field-keywords=problem",
  5169. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
  5170. "HTTP Method Path 2": "/N1547/adj/amzn.us.sr.aps",
  5171. "Header1": "",
  5172. "Header2": "",
  5173. "PipeName": "",
  5174. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5175. "DNS Sleep": "0",
  5176. "Method1": "GET",
  5177. "Method2": "POST",
  5178. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5179. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5180. "Proxy_AccessType": "2 (Use IE settings)"
  5181. }
  5182. },
  5183. "18.206.136.219": {
  5184. "x64": {
  5185. "BeaconType": "8 (HTTPS)",
  5186. "Port": "443",
  5187. "Polling": "62177",
  5188. "Jitter": "43",
  5189. "Maxdns": "254",
  5190. "C2 Server": "utils.couch2kubernetes.com,/mobile-home",
  5191. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  5192. "HTTP Method Path 2": "/posting",
  5193. "Header1": "",
  5194. "Header2": "",
  5195. "PipeName": "",
  5196. "DNS Idle": ":Sg?",
  5197. "DNS Sleep": "0",
  5198. "Method1": "GET",
  5199. "Method2": "POST",
  5200. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  5201. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  5202. "Proxy_AccessType": "2 (Use IE settings)"
  5203. }
  5204. },
  5205. "18.212.159.80": {
  5206. "x64": {
  5207. "BeaconType": "8 (HTTPS)",
  5208. "Port": "443",
  5209. "Polling": "10000",
  5210. "Jitter": "10",
  5211. "C2 Server": "d2mq9y2bddy4j9.cloudfront.net,/ec2/",
  5212. "HTTP Method Path 2": "/console/home/ec2",
  5213. "Method1": "GET",
  5214. "Method2": "POST",
  5215. "Spawnto_x86": "%windir%\\syswow64\\wermgr.exe",
  5216. "Spawnto_x64": "%windir%\\sysnative\\wermgr.exe",
  5217. "Proxy_AccessType": "2 (Use IE settings)"
  5218. }
  5219. },
  5220. "18.223.155.112": {
  5221. "x86": {
  5222. "BeaconType": "8 (HTTPS)",
  5223. "Port": "443",
  5224. "Polling": "60000",
  5225. "Jitter": "0",
  5226. "Maxdns": "255",
  5227. "C2 Server": "18.223.155.112,/match",
  5228. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5229. "HTTP Method Path 2": "/submit.php",
  5230. "Header1": "",
  5231. "Header2": "",
  5232. "PipeName": "",
  5233. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5234. "DNS Sleep": "0",
  5235. "Method1": "GET",
  5236. "Method2": "POST",
  5237. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5238. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5239. "Proxy_AccessType": "2 (Use IE settings)"
  5240. }
  5241. },
  5242. "182.254.180.180": {
  5243. "x64": {
  5244. "BeaconType": "8 (HTTPS)",
  5245. "Port": "443",
  5246. "Polling": "60000",
  5247. "Jitter": "0",
  5248. "Maxdns": "255",
  5249. "C2 Server": "182.254.180.180,/en_US/all.js",
  5250. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)",
  5251. "HTTP Method Path 2": "/submit.php",
  5252. "Header1": "",
  5253. "Header2": "",
  5254. "PipeName": "",
  5255. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5256. "DNS Sleep": "0",
  5257. "Method1": "GET",
  5258. "Method2": "POST",
  5259. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5260. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5261. "Proxy_AccessType": "2 (Use IE settings)"
  5262. }
  5263. },
  5264. "182.92.120.156": {
  5265. "x86": {
  5266. "BeaconType": "8 (HTTPS)",
  5267. "Port": "443",
  5268. "Polling": "60000",
  5269. "Jitter": "0",
  5270. "Maxdns": "255",
  5271. "C2 Server": "182.92.120.156,/visit.js",
  5272. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  5273. "HTTP Method Path 2": "/submit.php",
  5274. "Header1": "",
  5275. "Header2": "",
  5276. "PipeName": "",
  5277. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5278. "DNS Sleep": "0",
  5279. "Method1": "GET",
  5280. "Method2": "POST",
  5281. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5282. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5283. "Proxy_AccessType": "2 (Use IE settings)"
  5284. }
  5285. },
  5286. "185.14.30.217": {
  5287. "x86": {
  5288. "BeaconType": "8 (HTTPS)",
  5289. "Port": "443",
  5290. "Polling": "5000",
  5291. "Jitter": "0",
  5292. "C2 Server": "185.14.30.217,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  5293. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  5294. "Method1": "GET",
  5295. "Method2": "POST",
  5296. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5297. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5298. "Proxy_AccessType": "2 (Use IE settings)"
  5299. },
  5300. "x64": {
  5301. "BeaconType": "8 (HTTPS)",
  5302. "Port": "443",
  5303. "Polling": "5000",
  5304. "Jitter": "0",
  5305. "C2 Server": "185.14.30.217,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  5306. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  5307. "Method1": "GET",
  5308. "Method2": "POST",
  5309. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5310. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5311. "Proxy_AccessType": "2 (Use IE settings)"
  5312. }
  5313. },
  5314. "185.150.117.142": {
  5315. "x86": {
  5316. "BeaconType": "8 (HTTPS)",
  5317. "Port": "443",
  5318. "Polling": "60000",
  5319. "Jitter": "0",
  5320. "Maxdns": "255",
  5321. "C2 Server": "185.150.117.142,/activity",
  5322. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)",
  5323. "HTTP Method Path 2": "/submit.php",
  5324. "Header1": "",
  5325. "Header2": "",
  5326. "PipeName": "",
  5327. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5328. "DNS Sleep": "0",
  5329. "Method1": "GET",
  5330. "Method2": "POST",
  5331. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5332. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5333. "Proxy_AccessType": "2 (Use IE settings)"
  5334. }
  5335. },
  5336. "185.150.119.148": {
  5337. "x86": {
  5338. "BeaconType": "8 (HTTPS)",
  5339. "Port": "443",
  5340. "Polling": "60000",
  5341. "Jitter": "15",
  5342. "C2 Server": "185.150.119.148,/_/scs/mail-static/_/js/",
  5343. "HTTP Method Path 2": "/mail/u/0/",
  5344. "Method1": "GET",
  5345. "Method2": "POST",
  5346. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5347. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5348. "Proxy_AccessType": "2 (Use IE settings)"
  5349. }
  5350. },
  5351. "185.150.190.113": {
  5352. "x86": {
  5353. "BeaconType": "8 (HTTPS)",
  5354. "Port": "443",
  5355. "Polling": "5000",
  5356. "Jitter": "10",
  5357. "Maxdns": "235",
  5358. "C2 Server": "topevi.com,/us/ky/louisville/312-s-fourth-st.html",
  5359. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5360. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5361. "Header1": "",
  5362. "Header2": "",
  5363. "PipeName": "",
  5364. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5365. "DNS Sleep": "0",
  5366. "Method1": "GET",
  5367. "Method2": "POST",
  5368. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5369. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5370. "Proxy_AccessType": "2 (Use IE settings)"
  5371. }
  5372. },
  5373. "185.150.190.204": {
  5374. "x86": {
  5375. "BeaconType": "8 (HTTPS)",
  5376. "Port": "443",
  5377. "Polling": "5000",
  5378. "Jitter": "10",
  5379. "Maxdns": "235",
  5380. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  5381. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5382. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5383. "Header1": "",
  5384. "Header2": "",
  5385. "PipeName": "",
  5386. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5387. "DNS Sleep": "0",
  5388. "Method1": "GET",
  5389. "Method2": "POST",
  5390. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5391. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5392. "Proxy_AccessType": "2 (Use IE settings)"
  5393. },
  5394. "x64": {
  5395. "BeaconType": "8 (HTTPS)",
  5396. "Port": "443",
  5397. "Polling": "5000",
  5398. "Jitter": "10",
  5399. "Maxdns": "235",
  5400. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  5401. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5402. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5403. "Header1": "",
  5404. "Header2": "",
  5405. "PipeName": "",
  5406. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5407. "DNS Sleep": "0",
  5408. "Method1": "GET",
  5409. "Method2": "POST",
  5410. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5411. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5412. "Proxy_AccessType": "2 (Use IE settings)"
  5413. }
  5414. },
  5415. "185.153.196.130": {
  5416. "x86": {
  5417. "BeaconType": "8 (HTTPS)",
  5418. "Port": "443",
  5419. "Polling": "60000",
  5420. "Jitter": "0",
  5421. "Maxdns": "255",
  5422. "C2 Server": "185.153.196.130,/match",
  5423. "User Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent",
  5424. "HTTP Method Path 2": "/submit.php",
  5425. "Header1": "",
  5426. "Header2": "",
  5427. "PipeName": "",
  5428. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5429. "DNS Sleep": "0",
  5430. "Method1": "GET",
  5431. "Method2": "POST",
  5432. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5433. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5434. "Proxy_AccessType": "2 (Use IE settings)"
  5435. }
  5436. },
  5437. "185.158.249.123": {
  5438. "x64": {
  5439. "BeaconType": "8 (HTTPS)",
  5440. "Port": "443",
  5441. "Polling": "60000",
  5442. "Jitter": "0",
  5443. "Maxdns": "255",
  5444. "C2 Server": "185.158.249.123,/cm",
  5445. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  5446. "HTTP Method Path 2": "/submit.php",
  5447. "Header1": "",
  5448. "Header2": "",
  5449. "PipeName": "",
  5450. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5451. "DNS Sleep": "0",
  5452. "Method1": "GET",
  5453. "Method2": "POST",
  5454. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5455. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5456. "Proxy_AccessType": "2 (Use IE settings)"
  5457. }
  5458. },
  5459. "185.162.235.111": {
  5460. "x64": {
  5461. "BeaconType": "8 (HTTPS)",
  5462. "Port": "443",
  5463. "Polling": "60000",
  5464. "Jitter": "0",
  5465. "Maxdns": "255",
  5466. "C2 Server": "185.162.235.111,/visit.js",
  5467. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; LBBROWSER)",
  5468. "HTTP Method Path 2": "/submit.php",
  5469. "Header1": "",
  5470. "Header2": "",
  5471. "PipeName": "",
  5472. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5473. "DNS Sleep": "0",
  5474. "Method1": "GET",
  5475. "Method2": "POST",
  5476. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5477. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5478. "Proxy_AccessType": "2 (Use IE settings)"
  5479. }
  5480. },
  5481. "185.162.235.35": {
  5482. "x86": {
  5483. "BeaconType": "8 (HTTPS)",
  5484. "Port": "443",
  5485. "Polling": "60000",
  5486. "Jitter": "0",
  5487. "Maxdns": "255",
  5488. "C2 Server": "185.162.235.35,/dot.gif",
  5489. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)",
  5490. "HTTP Method Path 2": "/submit.php",
  5491. "Header1": "",
  5492. "Header2": "",
  5493. "PipeName": "",
  5494. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5495. "DNS Sleep": "0",
  5496. "Method1": "GET",
  5497. "Method2": "POST",
  5498. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5499. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5500. "Proxy_AccessType": "2 (Use IE settings)"
  5501. }
  5502. },
  5503. "185.162.235.61": {
  5504. "x86": {
  5505. "BeaconType": "8 (HTTPS)",
  5506. "Port": "443",
  5507. "Polling": "60000",
  5508. "Jitter": "0",
  5509. "Maxdns": "255",
  5510. "C2 Server": "185.162.235.61,/fwlink",
  5511. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch; ASU2JS)",
  5512. "HTTP Method Path 2": "/submit.php",
  5513. "Header1": "",
  5514. "Header2": "",
  5515. "PipeName": "",
  5516. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5517. "DNS Sleep": "0",
  5518. "Method1": "GET",
  5519. "Method2": "POST",
  5520. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5521. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5522. "Proxy_AccessType": "2 (Use IE settings)"
  5523. },
  5524. "x64": {
  5525. "BeaconType": "8 (HTTPS)",
  5526. "Port": "443",
  5527. "Polling": "60000",
  5528. "Jitter": "0",
  5529. "Maxdns": "255",
  5530. "C2 Server": "185.162.235.61,/cx",
  5531. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5532. "HTTP Method Path 2": "/submit.php",
  5533. "Header1": "",
  5534. "Header2": "",
  5535. "PipeName": "",
  5536. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5537. "DNS Sleep": "0",
  5538. "Method1": "GET",
  5539. "Method2": "POST",
  5540. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5541. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5542. "Proxy_AccessType": "2 (Use IE settings)"
  5543. }
  5544. },
  5545. "185.189.151.92": {
  5546. "x86": {
  5547. "BeaconType": "8 (HTTPS)",
  5548. "Port": "443",
  5549. "Polling": "60000",
  5550. "Jitter": "0",
  5551. "Maxdns": "255",
  5552. "C2 Server": "185.189.151.92,/activity",
  5553. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)",
  5554. "HTTP Method Path 2": "/submit.php",
  5555. "Header1": "",
  5556. "Header2": "",
  5557. "PipeName": "",
  5558. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5559. "DNS Sleep": "0",
  5560. "Method1": "GET",
  5561. "Method2": "POST",
  5562. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5563. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5564. "Proxy_AccessType": "2 (Use IE settings)"
  5565. },
  5566. "x64": {
  5567. "BeaconType": "8 (HTTPS)",
  5568. "Port": "443",
  5569. "Polling": "60000",
  5570. "Jitter": "0",
  5571. "Maxdns": "255",
  5572. "C2 Server": "185.189.151.92,/dot.gif",
  5573. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  5574. "HTTP Method Path 2": "/submit.php",
  5575. "Header1": "",
  5576. "Header2": "",
  5577. "PipeName": "",
  5578. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5579. "DNS Sleep": "0",
  5580. "Method1": "GET",
  5581. "Method2": "POST",
  5582. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5583. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5584. "Proxy_AccessType": "2 (Use IE settings)"
  5585. }
  5586. },
  5587. "185.191.32.168": {
  5588. "x86": {
  5589. "BeaconType": "8 (HTTPS)",
  5590. "Port": "443",
  5591. "Polling": "45000",
  5592. "Jitter": "37",
  5593. "Maxdns": "255",
  5594. "C2 Server": "185.191.32.168,/jquery-3.3.1.min.js",
  5595. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5596. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5597. "Header1": "",
  5598. "Header2": "",
  5599. "PipeName": "",
  5600. "DNS Idle": "J}\\xC4q",
  5601. "DNS Sleep": "0",
  5602. "Method1": "GET",
  5603. "Method2": "POST",
  5604. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5605. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5606. "Proxy_AccessType": "2 (Use IE settings)"
  5607. }
  5608. },
  5609. "185.191.32.180": {
  5610. "x64": {
  5611. "BeaconType": "8 (HTTPS)",
  5612. "Port": "443",
  5613. "Polling": "60000",
  5614. "Jitter": "0",
  5615. "Maxdns": "255",
  5616. "C2 Server": "185.191.32.180,/en_US/all.js",
  5617. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  5618. "HTTP Method Path 2": "/submit.php",
  5619. "Header1": "",
  5620. "Header2": "",
  5621. "PipeName": "",
  5622. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5623. "DNS Sleep": "0",
  5624. "Method1": "GET",
  5625. "Method2": "POST",
  5626. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5627. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5628. "Proxy_AccessType": "2 (Use IE settings)"
  5629. }
  5630. },
  5631. "185.201.47.155": {
  5632. "x86": {
  5633. "BeaconType": "8 (HTTPS)",
  5634. "Port": "443",
  5635. "Polling": "60000",
  5636. "Jitter": "0",
  5637. "Maxdns": "255",
  5638. "C2 Server": "thie7keiz2eu2eeshoog.greenyellow.xyz,/ga.js,Oophofeip9aiph4zoo6e.greenyellow.site,/dpixel,eeTaicaiT4eeceingoz9.greenyellow.fun,/visit.js",
  5639. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  5640. "HTTP Method Path 2": "/submit.php",
  5641. "Header1": "",
  5642. "Header2": "",
  5643. "PipeName": "",
  5644. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5645. "DNS Sleep": "0",
  5646. "Method1": "GET",
  5647. "Method2": "POST",
  5648. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5649. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5650. "Proxy_AccessType": "2 (Use IE settings)"
  5651. },
  5652. "x64": {
  5653. "BeaconType": "8 (HTTPS)",
  5654. "Port": "443",
  5655. "Polling": "60000",
  5656. "Jitter": "0",
  5657. "Maxdns": "255",
  5658. "C2 Server": "thie7keiz2eu2eeshoog.greenyellow.xyz,/cm,Oophofeip9aiph4zoo6e.greenyellow.site,/cx,eeTaicaiT4eeceingoz9.greenyellow.fun,/dot.gif",
  5659. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)",
  5660. "HTTP Method Path 2": "/submit.php",
  5661. "Header1": "",
  5662. "Header2": "",
  5663. "PipeName": "",
  5664. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5665. "DNS Sleep": "0",
  5666. "Method1": "GET",
  5667. "Method2": "POST",
  5668. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5669. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5670. "Proxy_AccessType": "2 (Use IE settings)"
  5671. }
  5672. },
  5673. "185.225.19.140": {
  5674. "x86": {
  5675. "BeaconType": "8 (HTTPS)",
  5676. "Port": "443",
  5677. "Polling": "60000",
  5678. "Jitter": "20",
  5679. "Maxdns": "255",
  5680. "C2 Server": "185.225.19.140,/c/msdownload/update/others/2020/10/29136388_",
  5681. "User Agent": "Windows-Update-Agent/10.0.10022.16384 Client-Protocol/1.40",
  5682. "HTTP Method Path 2": "/c/msdownload/update/others/2020/10/28986731_",
  5683. "Header1": "",
  5684. "Header2": "",
  5685. "PipeName": "",
  5686. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5687. "DNS Sleep": "0",
  5688. "Method1": "GET",
  5689. "Method2": "POST",
  5690. "Spawnto_x86": "%windir%\\syswow64\\wusa.exe",
  5691. "Spawnto_x64": "%windir%\\sysnative\\wusa.exe",
  5692. "Proxy_AccessType": "2 (Use IE settings)"
  5693. }
  5694. },
  5695. "185.227.82.66": {
  5696. "x86": {
  5697. "BeaconType": "8 (HTTPS)",
  5698. "Port": "443",
  5699. "Polling": "60000",
  5700. "Jitter": "0",
  5701. "Maxdns": "255",
  5702. "C2 Server": "185.227.82.66,/push",
  5703. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)",
  5704. "HTTP Method Path 2": "/submit.php",
  5705. "Header1": "",
  5706. "Header2": "",
  5707. "PipeName": "",
  5708. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5709. "DNS Sleep": "0",
  5710. "Method1": "GET",
  5711. "Method2": "POST",
  5712. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5713. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5714. "Proxy_AccessType": "2 (Use IE settings)"
  5715. }
  5716. },
  5717. "185.232.52.137": {
  5718. "x86": {
  5719. "BeaconType": "8 (HTTPS)",
  5720. "Port": "443",
  5721. "Polling": "60000",
  5722. "Jitter": "0",
  5723. "Maxdns": "255",
  5724. "C2 Server": "185.232.52.137,/g.pixel",
  5725. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  5726. "HTTP Method Path 2": "/submit.php",
  5727. "Header1": "",
  5728. "Header2": "",
  5729. "PipeName": "",
  5730. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5731. "DNS Sleep": "0",
  5732. "Method1": "GET",
  5733. "Method2": "POST",
  5734. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5735. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5736. "Proxy_AccessType": "2 (Use IE settings)"
  5737. },
  5738. "x64": {
  5739. "BeaconType": "8 (HTTPS)",
  5740. "Port": "443",
  5741. "Polling": "60000",
  5742. "Jitter": "0",
  5743. "Maxdns": "255",
  5744. "C2 Server": "185.232.52.137,/pixel",
  5745. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER",
  5746. "HTTP Method Path 2": "/submit.php",
  5747. "Header1": "",
  5748. "Header2": "",
  5749. "PipeName": "",
  5750. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5751. "DNS Sleep": "0",
  5752. "Method1": "GET",
  5753. "Method2": "POST",
  5754. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5755. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5756. "Proxy_AccessType": "2 (Use IE settings)"
  5757. }
  5758. },
  5759. "185.232.52.143": {
  5760. "x64": {
  5761. "BeaconType": "8 (HTTPS)",
  5762. "Port": "443",
  5763. "Polling": "60000",
  5764. "Jitter": "0",
  5765. "Maxdns": "255",
  5766. "C2 Server": "185.232.52.143,/ptj",
  5767. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  5768. "HTTP Method Path 2": "/submit.php",
  5769. "Header1": "",
  5770. "Header2": "",
  5771. "PipeName": "",
  5772. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5773. "DNS Sleep": "0",
  5774. "Method1": "GET",
  5775. "Method2": "POST",
  5776. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5777. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5778. "Proxy_AccessType": "2 (Use IE settings)"
  5779. }
  5780. },
  5781. "185.238.169.166": {
  5782. "x86": {
  5783. "BeaconType": "8 (HTTPS)",
  5784. "Port": "443",
  5785. "Polling": "5000",
  5786. "Jitter": "10",
  5787. "Maxdns": "235",
  5788. "C2 Server": "rinnosaur.com,/us/ky/louisville/312-s-fourth-st.html",
  5789. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  5790. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  5791. "Header1": "",
  5792. "Header2": "",
  5793. "PipeName": "",
  5794. "DNS Idle": "\\x08\\x08\\x08\\x08",
  5795. "DNS Sleep": "0",
  5796. "Method1": "GET",
  5797. "Method2": "POST",
  5798. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  5799. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  5800. "Proxy_AccessType": "2 (Use IE settings)"
  5801. }
  5802. },
  5803. "185.244.149.152": {
  5804. "x64": {
  5805. "BeaconType": "8 (HTTPS)",
  5806. "Port": "443",
  5807. "Polling": "60000",
  5808. "Jitter": "0",
  5809. "Maxdns": "255",
  5810. "C2 Server": "yambanetsdev.net,/g.pixel",
  5811. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  5812. "HTTP Method Path 2": "/submit.php",
  5813. "Header1": "",
  5814. "Header2": "",
  5815. "PipeName": "",
  5816. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5817. "DNS Sleep": "0",
  5818. "Method1": "GET",
  5819. "Method2": "POST",
  5820. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5821. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5822. "Proxy_AccessType": "2 (Use IE settings)"
  5823. }
  5824. },
  5825. "185.244.39.110": {
  5826. "x86": {
  5827. "BeaconType": "8 (HTTPS)",
  5828. "Port": "443",
  5829. "Polling": "45000",
  5830. "Jitter": "37",
  5831. "Maxdns": "255",
  5832. "C2 Server": "185.244.39.110,/jquery-3.3.1.min.js",
  5833. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5834. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5835. "Header1": "",
  5836. "Header2": "",
  5837. "PipeName": "",
  5838. "DNS Idle": "J}\\xC4q",
  5839. "DNS Sleep": "0",
  5840. "Method1": "GET",
  5841. "Method2": "POST",
  5842. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5843. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5844. "Proxy_AccessType": "2 (Use IE settings)"
  5845. },
  5846. "x64": {
  5847. "BeaconType": "8 (HTTPS)",
  5848. "Port": "443",
  5849. "Polling": "45000",
  5850. "Jitter": "37",
  5851. "Maxdns": "255",
  5852. "C2 Server": "185.244.39.110,/jquery-3.3.1.min.js",
  5853. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5854. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5855. "Header1": "",
  5856. "Header2": "",
  5857. "PipeName": "",
  5858. "DNS Idle": "J}\\xC4q",
  5859. "DNS Sleep": "0",
  5860. "Method1": "GET",
  5861. "Method2": "POST",
  5862. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5863. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5864. "Proxy_AccessType": "2 (Use IE settings)"
  5865. }
  5866. },
  5867. "185.62.189.116": {
  5868. "x64": {
  5869. "BeaconType": "8 (HTTPS)",
  5870. "Port": "443",
  5871. "Polling": "10000",
  5872. "Jitter": "37",
  5873. "Maxdns": "255",
  5874. "C2 Server": "ojbg.sigiwendksgna.com,/jquery-3.3.1.min.js",
  5875. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5876. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5877. "Header1": "",
  5878. "Header2": "",
  5879. "PipeName": "",
  5880. "DNS Idle": "J}\\xC4q",
  5881. "DNS Sleep": "0",
  5882. "Method1": "GET",
  5883. "Method2": "POST",
  5884. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5885. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5886. "Proxy_AccessType": "2 (Use IE settings)"
  5887. }
  5888. },
  5889. "185.82.126.47": {
  5890. "x86": {
  5891. "BeaconType": "8 (HTTPS)",
  5892. "Port": "443",
  5893. "Polling": "60000",
  5894. "Jitter": "0",
  5895. "Maxdns": "255",
  5896. "C2 Server": "185.82.126.47,/pixel",
  5897. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)",
  5898. "HTTP Method Path 2": "/submit.php",
  5899. "Header1": "",
  5900. "Header2": "",
  5901. "PipeName": "",
  5902. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5903. "DNS Sleep": "0",
  5904. "Method1": "GET",
  5905. "Method2": "POST",
  5906. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5907. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5908. "Proxy_AccessType": "2 (Use IE settings)"
  5909. }
  5910. },
  5911. "188.119.112.174": {
  5912. "x86": {
  5913. "BeaconType": "8 (HTTPS)",
  5914. "Port": "8081",
  5915. "Polling": "30000",
  5916. "Jitter": "20",
  5917. "Maxdns": "255",
  5918. "C2 Server": "girls4dating.asia,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
  5919. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  5920. "HTTP Method Path 2": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
  5921. "Header1": "",
  5922. "Header2": "",
  5923. "PipeName": "",
  5924. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5925. "DNS Sleep": "0",
  5926. "Method1": "GET",
  5927. "Method2": "POST",
  5928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5930. "Proxy_AccessType": "2 (Use IE settings)"
  5931. },
  5932. "x64": {
  5933. "BeaconType": "8 (HTTPS)",
  5934. "Port": "8081",
  5935. "Polling": "30000",
  5936. "Jitter": "20",
  5937. "Maxdns": "255",
  5938. "C2 Server": "girls4dating.asia,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
  5939. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  5940. "HTTP Method Path 2": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
  5941. "Header1": "",
  5942. "Header2": "",
  5943. "PipeName": "",
  5944. "DNS Idle": "\\x00\\x00\\x00\\x00",
  5945. "DNS Sleep": "0",
  5946. "Method1": "GET",
  5947. "Method2": "POST",
  5948. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  5949. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  5950. "Proxy_AccessType": "2 (Use IE settings)"
  5951. }
  5952. },
  5953. "188.119.113.18": {
  5954. "x86": {
  5955. "BeaconType": "0 (HTTP)",
  5956. "Port": "443",
  5957. "Polling": "7000",
  5958. "Jitter": "0",
  5959. "Maxdns": "255",
  5960. "C2 Server": "hopetmone.com,/jquery-3.3.1.min.js",
  5961. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5962. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5963. "Header1": "",
  5964. "Header2": "",
  5965. "PipeName": "",
  5966. "DNS Idle": "J}\\xC4q",
  5967. "DNS Sleep": "0",
  5968. "Method1": "GET",
  5969. "Method2": "POST",
  5970. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5971. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5972. "Proxy_AccessType": "2 (Use IE settings)"
  5973. },
  5974. "x64": {
  5975. "BeaconType": "0 (HTTP)",
  5976. "Port": "443",
  5977. "Polling": "7000",
  5978. "Jitter": "0",
  5979. "Maxdns": "255",
  5980. "C2 Server": "hopetmone.com,/jquery-3.3.1.min.js",
  5981. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  5982. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  5983. "Header1": "",
  5984. "Header2": "",
  5985. "PipeName": "",
  5986. "DNS Idle": "J}\\xC4q",
  5987. "DNS Sleep": "0",
  5988. "Method1": "GET",
  5989. "Method2": "POST",
  5990. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  5991. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  5992. "Proxy_AccessType": "2 (Use IE settings)"
  5993. }
  5994. },
  5995. "192.111.144.210": {
  5996. "x64": {
  5997. "BeaconType": "8 (HTTPS)",
  5998. "Port": "443",
  5999. "Polling": "5000",
  6000. "Jitter": "10",
  6001. "Maxdns": "235",
  6002. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  6003. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6004. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6005. "Header1": "",
  6006. "Header2": "",
  6007. "PipeName": "",
  6008. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6009. "DNS Sleep": "0",
  6010. "Method1": "GET",
  6011. "Method2": "POST",
  6012. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6013. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6014. "Proxy_AccessType": "2 (Use IE settings)"
  6015. }
  6016. },
  6017. "192.119.110.81": {
  6018. "x64": {
  6019. "BeaconType": "8 (HTTPS)",
  6020. "Port": "443",
  6021. "Polling": "60000",
  6022. "Jitter": "0",
  6023. "Maxdns": "255",
  6024. "C2 Server": "192.119.111.117,/IE9CompatViewList.xml",
  6025. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  6026. "HTTP Method Path 2": "/submit.php",
  6027. "Header1": "",
  6028. "Header2": "",
  6029. "PipeName": "",
  6030. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6031. "DNS Sleep": "0",
  6032. "Method1": "GET",
  6033. "Method2": "POST",
  6034. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6035. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6036. "Proxy_AccessType": "2 (Use IE settings)"
  6037. }
  6038. },
  6039. "192.119.111.117": {
  6040. "x86": {
  6041. "BeaconType": "8 (HTTPS)",
  6042. "Port": "443",
  6043. "Polling": "60000",
  6044. "Jitter": "0",
  6045. "Maxdns": "255",
  6046. "C2 Server": "192.119.111.117,/cm",
  6047. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  6048. "HTTP Method Path 2": "/submit.php",
  6049. "Header1": "",
  6050. "Header2": "",
  6051. "PipeName": "",
  6052. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6053. "DNS Sleep": "0",
  6054. "Method1": "GET",
  6055. "Method2": "POST",
  6056. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6057. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6058. "Proxy_AccessType": "2 (Use IE settings)"
  6059. },
  6060. "x64": {
  6061. "BeaconType": "8 (HTTPS)",
  6062. "Port": "443",
  6063. "Polling": "60000",
  6064. "Jitter": "0",
  6065. "Maxdns": "255",
  6066. "C2 Server": "192.119.111.117,/IE9CompatViewList.xml",
  6067. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)",
  6068. "HTTP Method Path 2": "/submit.php",
  6069. "Header1": "",
  6070. "Header2": "",
  6071. "PipeName": "",
  6072. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6073. "DNS Sleep": "0",
  6074. "Method1": "GET",
  6075. "Method2": "POST",
  6076. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6077. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6078. "Proxy_AccessType": "2 (Use IE settings)"
  6079. }
  6080. },
  6081. "192.119.111.155": {
  6082. "x86": {
  6083. "BeaconType": "8 (HTTPS)",
  6084. "Port": "443",
  6085. "Polling": "60000",
  6086. "Jitter": "0",
  6087. "Maxdns": "255",
  6088. "C2 Server": "192.119.111.117,/cm",
  6089. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  6090. "HTTP Method Path 2": "/submit.php",
  6091. "Header1": "",
  6092. "Header2": "",
  6093. "PipeName": "",
  6094. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6095. "DNS Sleep": "0",
  6096. "Method1": "GET",
  6097. "Method2": "POST",
  6098. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6099. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6100. "Proxy_AccessType": "2 (Use IE settings)"
  6101. }
  6102. },
  6103. "192.119.92.16": {
  6104. "x86": {
  6105. "BeaconType": "8 (HTTPS)",
  6106. "Port": "443",
  6107. "Polling": "59558",
  6108. "Jitter": "41",
  6109. "Maxdns": "241",
  6110. "C2 Server": "qw.client-update.xyz,/kj.html,as.client-update.xyz,/kj.html,zx.client-update.xyz,/kj.html",
  6111. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  6112. "HTTP Method Path 2": "/temp",
  6113. "Header1": "",
  6114. "Header2": "",
  6115. "PipeName": "",
  6116. "DNS Idle": "\\xA7\\x99\\x1D\\x01",
  6117. "DNS Sleep": "0",
  6118. "Method1": "GET",
  6119. "Method2": "POST",
  6120. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6121. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6122. "Proxy_AccessType": "2 (Use IE settings)"
  6123. }
  6124. },
  6125. "192.184.35.222": {
  6126. "x86": {
  6127. "BeaconType": "8 (HTTPS)",
  6128. "Port": "443",
  6129. "Polling": "5000",
  6130. "Jitter": "10",
  6131. "Maxdns": "235",
  6132. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  6133. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6134. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6135. "Header1": "",
  6136. "Header2": "",
  6137. "PipeName": "",
  6138. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6139. "DNS Sleep": "0",
  6140. "Method1": "GET",
  6141. "Method2": "POST",
  6142. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6143. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6144. "Proxy_AccessType": "2 (Use IE settings)"
  6145. },
  6146. "x64": {
  6147. "BeaconType": "8 (HTTPS)",
  6148. "Port": "443",
  6149. "Polling": "5000",
  6150. "Jitter": "10",
  6151. "Maxdns": "235",
  6152. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  6153. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6154. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6155. "Header1": "",
  6156. "Header2": "",
  6157. "PipeName": "",
  6158. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6159. "DNS Sleep": "0",
  6160. "Method1": "GET",
  6161. "Method2": "POST",
  6162. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6163. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6164. "Proxy_AccessType": "2 (Use IE settings)"
  6165. }
  6166. },
  6167. "192.236.232.228": {
  6168. "x64": {
  6169. "BeaconType": "8 (HTTPS)",
  6170. "Port": "443",
  6171. "Polling": "60000",
  6172. "Jitter": "0",
  6173. "Maxdns": "255",
  6174. "C2 Server": "192.236.232.228,/en_US/all.js",
  6175. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
  6176. "HTTP Method Path 2": "/submit.php",
  6177. "Header1": "",
  6178. "Header2": "",
  6179. "PipeName": "",
  6180. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6181. "DNS Sleep": "0",
  6182. "Method1": "GET",
  6183. "Method2": "POST",
  6184. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6185. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6186. "Proxy_AccessType": "2 (Use IE settings)"
  6187. }
  6188. },
  6189. "192.236.248.169": {
  6190. "x86": {
  6191. "BeaconType": "8 (HTTPS)",
  6192. "Port": "443",
  6193. "Polling": "60000",
  6194. "Jitter": "0",
  6195. "Maxdns": "255",
  6196. "C2 Server": "amapai-technologies.email,/ptj",
  6197. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  6198. "HTTP Method Path 2": "/submit.php",
  6199. "Header1": "",
  6200. "Header2": "",
  6201. "PipeName": "",
  6202. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6203. "DNS Sleep": "0",
  6204. "Method1": "GET",
  6205. "Method2": "POST",
  6206. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6207. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6208. "Proxy_AccessType": "2 (Use IE settings)"
  6209. }
  6210. },
  6211. "192.3.81.214": {
  6212. "x64": {
  6213. "BeaconType": "8 (HTTPS)",
  6214. "Port": "443",
  6215. "Polling": "5000",
  6216. "Jitter": "10",
  6217. "Maxdns": "235",
  6218. "C2 Server": "139.199.185.41,/updates",
  6219. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  6220. "HTTP Method Path 2": "/aircanada/dark.php",
  6221. "Header1": "",
  6222. "Header2": "",
  6223. "PipeName": "",
  6224. "DNS Idle": "\\x08\\x08\\x04\\x04",
  6225. "DNS Sleep": "0",
  6226. "Method1": "GET",
  6227. "Method2": "POST",
  6228. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6229. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6230. "Proxy_AccessType": "2 (Use IE settings)"
  6231. }
  6232. },
  6233. "193.168.147.249": {
  6234. "x86": {
  6235. "BeaconType": "8 (HTTPS)",
  6236. "Port": "443",
  6237. "Polling": "5000",
  6238. "Jitter": "0",
  6239. "Maxdns": "255",
  6240. "C2 Server": "mesteratosr.me,/api",
  6241. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0",
  6242. "HTTP Method Path 2": "/lowpacket/mt.php",
  6243. "Header1": "",
  6244. "Header2": "",
  6245. "PipeName": "",
  6246. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6247. "DNS Sleep": "0",
  6248. "Method1": "GET",
  6249. "Method2": "POST",
  6250. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6251. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6252. "Proxy_AccessType": "2 (Use IE settings)"
  6253. }
  6254. },
  6255. "193.27.14.247": {
  6256. "x64": {
  6257. "BeaconType": "8 (HTTPS)",
  6258. "Port": "443",
  6259. "Polling": "60000",
  6260. "Jitter": "37",
  6261. "Maxdns": "255",
  6262. "C2 Server": "ap.availablenationwide.com,/jquery-ajaxSuccess.js",
  6263. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6264. "HTTP Method Path 2": "/jquery-before.js",
  6265. "Header1": "",
  6266. "Header2": "",
  6267. "PipeName": "",
  6268. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6269. "DNS Sleep": "0",
  6270. "Method1": "GET",
  6271. "Method2": "POST",
  6272. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6273. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6274. "Proxy_AccessType": "2 (Use IE settings)"
  6275. }
  6276. },
  6277. "193.34.166.124": {
  6278. "x86": {
  6279. "BeaconType": "8 (HTTPS)",
  6280. "Port": "443",
  6281. "Polling": "60000",
  6282. "Jitter": "0",
  6283. "Maxdns": "255",
  6284. "C2 Server": "ntservicespack.com,/load",
  6285. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)",
  6286. "HTTP Method Path 2": "/submit.php",
  6287. "Header1": "",
  6288. "Header2": "",
  6289. "PipeName": "",
  6290. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6291. "DNS Sleep": "0",
  6292. "Method1": "GET",
  6293. "Method2": "POST",
  6294. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6295. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6296. "Proxy_AccessType": "2 (Use IE settings)"
  6297. },
  6298. "x64": {
  6299. "BeaconType": "8 (HTTPS)",
  6300. "Port": "443",
  6301. "Polling": "60000",
  6302. "Jitter": "0",
  6303. "Maxdns": "255",
  6304. "C2 Server": "ntservicespack.com,/ptj",
  6305. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  6306. "HTTP Method Path 2": "/submit.php",
  6307. "Header1": "",
  6308. "Header2": "",
  6309. "PipeName": "",
  6310. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6311. "DNS Sleep": "0",
  6312. "Method1": "GET",
  6313. "Method2": "POST",
  6314. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6315. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6316. "Proxy_AccessType": "2 (Use IE settings)"
  6317. }
  6318. },
  6319. "193.34.166.207": {
  6320. "x86": {
  6321. "BeaconType": "8 (HTTPS)",
  6322. "Port": "443",
  6323. "Polling": "60000",
  6324. "Jitter": "0",
  6325. "Maxdns": "255",
  6326. "C2 Server": "timesyncad.com,/IE9CompatViewList.xml",
  6327. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  6328. "HTTP Method Path 2": "/submit.php",
  6329. "Header1": "",
  6330. "Header2": "",
  6331. "PipeName": "",
  6332. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6333. "DNS Sleep": "0",
  6334. "Method1": "GET",
  6335. "Method2": "POST",
  6336. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6337. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6338. "Proxy_AccessType": "2 (Use IE settings)"
  6339. }
  6340. },
  6341. "193.34.166.73": {
  6342. "x86": {
  6343. "BeaconType": "8 (HTTPS)",
  6344. "Port": "443",
  6345. "Polling": "60000",
  6346. "Jitter": "0",
  6347. "Maxdns": "255",
  6348. "C2 Server": "servupdates.com,/ca",
  6349. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; MANM)",
  6350. "HTTP Method Path 2": "/submit.php",
  6351. "Header1": "",
  6352. "Header2": "",
  6353. "PipeName": "",
  6354. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6355. "DNS Sleep": "0",
  6356. "Method1": "GET",
  6357. "Method2": "POST",
  6358. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6359. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6360. "Proxy_AccessType": "2 (Use IE settings)"
  6361. },
  6362. "x64": {
  6363. "BeaconType": "8 (HTTPS)",
  6364. "Port": "443",
  6365. "Polling": "60000",
  6366. "Jitter": "0",
  6367. "Maxdns": "255",
  6368. "C2 Server": "servupdates.com,/cx",
  6369. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  6370. "HTTP Method Path 2": "/submit.php",
  6371. "Header1": "",
  6372. "Header2": "",
  6373. "PipeName": "",
  6374. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6375. "DNS Sleep": "0",
  6376. "Method1": "GET",
  6377. "Method2": "POST",
  6378. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6379. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6380. "Proxy_AccessType": "2 (Use IE settings)"
  6381. }
  6382. },
  6383. "193.34.166.89": {
  6384. "x64": {
  6385. "BeaconType": "8 (HTTPS)",
  6386. "Port": "443",
  6387. "Polling": "60000",
  6388. "Jitter": "0",
  6389. "Maxdns": "255",
  6390. "C2 Server": "193.34.166.89,/fwlink",
  6391. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch; MALCJS)",
  6392. "HTTP Method Path 2": "/submit.php",
  6393. "Header1": "",
  6394. "Header2": "",
  6395. "PipeName": "",
  6396. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6397. "DNS Sleep": "0",
  6398. "Method1": "GET",
  6399. "Method2": "POST",
  6400. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6401. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6402. "Proxy_AccessType": "2 (Use IE settings)"
  6403. }
  6404. },
  6405. "193.34.167.200": {
  6406. "x86": {
  6407. "BeaconType": "8 (HTTPS)",
  6408. "Port": "443",
  6409. "Polling": "60000",
  6410. "Jitter": "0",
  6411. "Maxdns": "255",
  6412. "C2 Server": "inteldrivers.com,/cm",
  6413. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  6414. "HTTP Method Path 2": "/submit.php",
  6415. "Header1": "",
  6416. "Header2": "",
  6417. "PipeName": "",
  6418. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6419. "DNS Sleep": "0",
  6420. "Method1": "GET",
  6421. "Method2": "POST",
  6422. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6423. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6424. "Proxy_AccessType": "2 (Use IE settings)"
  6425. }
  6426. },
  6427. "193.34.167.60": {
  6428. "x86": {
  6429. "BeaconType": "8 (HTTPS)",
  6430. "Port": "443",
  6431. "Polling": "60000",
  6432. "Jitter": "0",
  6433. "C2 Server": "server3.msadwindows.com,/cm",
  6434. "HTTP Method Path 2": "/submit.php",
  6435. "Method1": "GET",
  6436. "Method2": "POST",
  6437. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6438. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6439. "Proxy_AccessType": "2 (Use IE settings)"
  6440. }
  6441. },
  6442. "194.5.249.55": {
  6443. "x86": {
  6444. "BeaconType": "8 (HTTPS)",
  6445. "Port": "443",
  6446. "Polling": "60000",
  6447. "Jitter": "0",
  6448. "Maxdns": "255",
  6449. "C2 Server": "194.5.249.55,/cx",
  6450. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
  6451. "HTTP Method Path 2": "/submit.php",
  6452. "Header1": "",
  6453. "Header2": "",
  6454. "PipeName": "",
  6455. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6456. "DNS Sleep": "0",
  6457. "Method1": "GET",
  6458. "Method2": "POST",
  6459. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6460. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6461. "Proxy_AccessType": "2 (Use IE settings)"
  6462. }
  6463. },
  6464. "195.123.217.7": {
  6465. "x86": {
  6466. "BeaconType": "8 (HTTPS)",
  6467. "Port": "443",
  6468. "Polling": "5000",
  6469. "Jitter": "0",
  6470. "Maxdns": "255",
  6471. "C2 Server": "195.123.217.7,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,yten.xyz,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  6472. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6473. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  6474. "Header1": "",
  6475. "Header2": "",
  6476. "PipeName": "",
  6477. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6478. "DNS Sleep": "0",
  6479. "Method1": "GET",
  6480. "Method2": "POST",
  6481. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6482. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6483. "Proxy_AccessType": "2 (Use IE settings)"
  6484. },
  6485. "x64": {
  6486. "BeaconType": "8 (HTTPS)",
  6487. "Port": "443",
  6488. "Polling": "5000",
  6489. "Jitter": "0",
  6490. "Maxdns": "255",
  6491. "C2 Server": "195.123.217.7,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,yten.xyz,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  6492. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6493. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  6494. "Header1": "",
  6495. "Header2": "",
  6496. "PipeName": "",
  6497. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6498. "DNS Sleep": "0",
  6499. "Method1": "GET",
  6500. "Method2": "POST",
  6501. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6502. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6503. "Proxy_AccessType": "2 (Use IE settings)"
  6504. }
  6505. },
  6506. "195.123.222.43": {
  6507. "x86": {
  6508. "BeaconType": "8 (HTTPS)",
  6509. "Port": "443",
  6510. "Polling": "7000",
  6511. "Jitter": "0",
  6512. "Maxdns": "255",
  6513. "C2 Server": "duskeducate.com,/jquery-3.3.1.min.js",
  6514. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6515. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6516. "Header1": "",
  6517. "Header2": "",
  6518. "PipeName": "",
  6519. "DNS Idle": "J}\\xC4q",
  6520. "DNS Sleep": "0",
  6521. "Method1": "GET",
  6522. "Method2": "POST",
  6523. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  6524. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  6525. "Proxy_AccessType": "2 (Use IE settings)"
  6526. },
  6527. "x64": {
  6528. "BeaconType": "8 (HTTPS)",
  6529. "Port": "443",
  6530. "Polling": "7000",
  6531. "Jitter": "0",
  6532. "Maxdns": "255",
  6533. "C2 Server": "duskeducate.com,/jquery-3.3.1.min.js",
  6534. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  6535. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6536. "Header1": "",
  6537. "Header2": "",
  6538. "PipeName": "",
  6539. "DNS Idle": "J}\\xC4q",
  6540. "DNS Sleep": "0",
  6541. "Method1": "GET",
  6542. "Method2": "POST",
  6543. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  6544. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  6545. "Proxy_AccessType": "2 (Use IE settings)"
  6546. }
  6547. },
  6548. "195.30.132.195": {
  6549. "x86": {
  6550. "BeaconType": "8 (HTTPS)",
  6551. "Port": "443",
  6552. "Polling": "5000",
  6553. "Jitter": "15",
  6554. "Maxdns": "255",
  6555. "C2 Server": "d1hp3kzjl3pr7y.cloudfront.net,/_/scs/mail-static/_/css/,d3mdcyc7die6tc.cloudfront.net,/_/scs/mail-static/_/css/",
  6556. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  6557. "HTTP Method Path 2": "/mail/u/2/",
  6558. "Header1": "",
  6559. "Header2": "",
  6560. "PipeName": "",
  6561. "DNS Idle": "\\x01\\x01\\x01\\x01",
  6562. "DNS Sleep": "0",
  6563. "Method1": "GET",
  6564. "Method2": "POST",
  6565. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6566. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6567. "Proxy_AccessType": "2 (Use IE settings)"
  6568. },
  6569. "x64": {
  6570. "BeaconType": "8 (HTTPS)",
  6571. "Port": "443",
  6572. "Polling": "5000",
  6573. "Jitter": "15",
  6574. "Maxdns": "255",
  6575. "C2 Server": "d1hp3kzjl3pr7y.cloudfront.net,/_/scs/mail-static/_/css/,d3mdcyc7die6tc.cloudfront.net,/_/scs/mail-static/_/css/",
  6576. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)",
  6577. "HTTP Method Path 2": "/mail/u/2/",
  6578. "Header1": "",
  6579. "Header2": "",
  6580. "PipeName": "",
  6581. "DNS Idle": "\\x01\\x01\\x01\\x01",
  6582. "DNS Sleep": "0",
  6583. "Method1": "GET",
  6584. "Method2": "POST",
  6585. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6586. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6587. "Proxy_AccessType": "2 (Use IE settings)"
  6588. }
  6589. },
  6590. "198.211.107.136": {
  6591. "x64": {
  6592. "BeaconType": "8 (HTTPS)",
  6593. "Port": "443",
  6594. "Polling": "58758",
  6595. "Jitter": "39",
  6596. "Maxdns": "254",
  6597. "C2 Server": "ajax.microsoft.com,/zh.css",
  6598. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  6599. "HTTP Method Path 2": "/an",
  6600. "Header1": "",
  6601. "Header2": "",
  6602. "PipeName": "",
  6603. "DNS Idle": "L4\\x8D}",
  6604. "DNS Sleep": "0",
  6605. "Method1": "GET",
  6606. "Method2": "POST",
  6607. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6608. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6609. "Proxy_AccessType": "2 (Use IE settings)"
  6610. }
  6611. },
  6612. "198.27.79.75": {
  6613. "x64": {
  6614. "BeaconType": "8 (HTTPS)",
  6615. "Port": "443",
  6616. "Polling": "56196",
  6617. "Jitter": "43",
  6618. "Maxdns": "241",
  6619. "C2 Server": "185.189.151.107,/na",
  6620. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  6621. "HTTP Method Path 2": "/extension",
  6622. "Header1": "",
  6623. "Header2": "",
  6624. "PipeName": "",
  6625. "DNS Idle": "q\\xF5\\x128",
  6626. "DNS Sleep": "0",
  6627. "Method1": "GET",
  6628. "Method2": "POST",
  6629. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  6630. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  6631. "Proxy_AccessType": "2 (Use IE settings)"
  6632. }
  6633. },
  6634. "198.44.14.47": {
  6635. "x86": {
  6636. "BeaconType": "8 (HTTPS)",
  6637. "Port": "443",
  6638. "Polling": "63118",
  6639. "Jitter": "39",
  6640. "Maxdns": "240",
  6641. "C2 Server": "qw.update-chromeservices.com,/groupcp,as.update-chromeservices.com,/groupcp,zx.update-chromeservices.com,/hr",
  6642. "User Agent": "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)",
  6643. "HTTP Method Path 2": "/groupcp",
  6644. "Header1": "",
  6645. "Header2": "",
  6646. "PipeName": "",
  6647. "DNS Idle": "\\xD4\\xCC\\xC7&",
  6648. "DNS Sleep": "0",
  6649. "Method1": "GET",
  6650. "Method2": "POST",
  6651. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  6652. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  6653. "Proxy_AccessType": "2 (Use IE settings)"
  6654. }
  6655. },
  6656. "198.44.97.180": {
  6657. "x86": {
  6658. "BeaconType": "8 (HTTPS)",
  6659. "Port": "443",
  6660. "Polling": "60000",
  6661. "Jitter": "0",
  6662. "Maxdns": "255",
  6663. "C2 Server": "198.44.97.180,/push",
  6664. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)",
  6665. "HTTP Method Path 2": "/submit.php",
  6666. "Header1": "",
  6667. "Header2": "",
  6668. "PipeName": "",
  6669. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6670. "DNS Sleep": "0",
  6671. "Method1": "GET",
  6672. "Method2": "POST",
  6673. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6674. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6675. "Proxy_AccessType": "2 (Use IE settings)"
  6676. }
  6677. },
  6678. "198.44.97.181": {
  6679. "x86": {
  6680. "BeaconType": "8 (HTTPS)",
  6681. "Port": "443",
  6682. "Polling": "60000",
  6683. "Jitter": "0",
  6684. "Maxdns": "255",
  6685. "C2 Server": "198.44.97.180,/push",
  6686. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)",
  6687. "HTTP Method Path 2": "/submit.php",
  6688. "Header1": "",
  6689. "Header2": "",
  6690. "PipeName": "",
  6691. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6692. "DNS Sleep": "0",
  6693. "Method1": "GET",
  6694. "Method2": "POST",
  6695. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6696. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6697. "Proxy_AccessType": "2 (Use IE settings)"
  6698. }
  6699. },
  6700. "199.127.60.227": {
  6701. "x86": {
  6702. "BeaconType": "8 (HTTPS)",
  6703. "Port": "443",
  6704. "Polling": "5000",
  6705. "Jitter": "10",
  6706. "Maxdns": "235",
  6707. "C2 Server": "bitsse.com,/us/ky/louisville/312-s-fourth-st.html,uncole.com,/us/ky/louisville/312-s-fourth-st.html",
  6708. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6709. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6710. "Header1": "",
  6711. "Header2": "",
  6712. "PipeName": "",
  6713. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6714. "DNS Sleep": "0",
  6715. "Method1": "GET",
  6716. "Method2": "POST",
  6717. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6718. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6719. "Proxy_AccessType": "2 (Use IE settings)"
  6720. }
  6721. },
  6722. "199.127.60.67": {
  6723. "x86": {
  6724. "BeaconType": "8 (HTTPS)",
  6725. "Port": "443",
  6726. "Polling": "5000",
  6727. "Jitter": "10",
  6728. "Maxdns": "235",
  6729. "C2 Server": "zipflag.com,/us/ky/louisville/312-s-fourth-st.html",
  6730. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6731. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6732. "Header1": "",
  6733. "Header2": "",
  6734. "PipeName": "",
  6735. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6736. "DNS Sleep": "0",
  6737. "Method1": "GET",
  6738. "Method2": "POST",
  6739. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6740. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6741. "Proxy_AccessType": "2 (Use IE settings)"
  6742. }
  6743. },
  6744. "199.127.61.214": {
  6745. "x86": {
  6746. "BeaconType": "8 (HTTPS)",
  6747. "Port": "443",
  6748. "Polling": "5000",
  6749. "Jitter": "10",
  6750. "Maxdns": "235",
  6751. "C2 Server": "volof.com,/us/ky/louisville/312-s-fourth-st.html",
  6752. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6753. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6754. "Header1": "",
  6755. "Header2": "",
  6756. "PipeName": "",
  6757. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6758. "DNS Sleep": "0",
  6759. "Method1": "GET",
  6760. "Method2": "POST",
  6761. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6762. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6763. "Proxy_AccessType": "2 (Use IE settings)"
  6764. }
  6765. },
  6766. "199.127.61.74": {
  6767. "x86": {
  6768. "BeaconType": "8 (HTTPS)",
  6769. "Port": "443",
  6770. "Polling": "5000",
  6771. "Jitter": "10",
  6772. "Maxdns": "235",
  6773. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  6774. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6775. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6776. "Header1": "",
  6777. "Header2": "",
  6778. "PipeName": "",
  6779. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6780. "DNS Sleep": "0",
  6781. "Method1": "GET",
  6782. "Method2": "POST",
  6783. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6784. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6785. "Proxy_AccessType": "2 (Use IE settings)"
  6786. },
  6787. "x64": {
  6788. "BeaconType": "8 (HTTPS)",
  6789. "Port": "443",
  6790. "Polling": "5000",
  6791. "Jitter": "10",
  6792. "Maxdns": "235",
  6793. "C2 Server": "lenfree.com,/us/ky/louisville/312-s-fourth-st.html,199.127.61.74,/us/ky/louisville/312-s-fourth-st.html",
  6794. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6795. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6796. "Header1": "",
  6797. "Header2": "",
  6798. "PipeName": "",
  6799. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6800. "DNS Sleep": "0",
  6801. "Method1": "GET",
  6802. "Method2": "POST",
  6803. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6804. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6805. "Proxy_AccessType": "2 (Use IE settings)"
  6806. }
  6807. },
  6808. "199.127.63.73": {
  6809. "x86": {
  6810. "BeaconType": "8 (HTTPS)",
  6811. "Port": "443",
  6812. "Polling": "5000",
  6813. "Jitter": "10",
  6814. "Maxdns": "235",
  6815. "C2 Server": "eyedm.com,/us/ky/louisville/312-s-fourth-st.html",
  6816. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6817. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6818. "Header1": "",
  6819. "Header2": "",
  6820. "PipeName": "",
  6821. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6822. "DNS Sleep": "0",
  6823. "Method1": "GET",
  6824. "Method2": "POST",
  6825. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6826. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6827. "Proxy_AccessType": "2 (Use IE settings)"
  6828. }
  6829. },
  6830. "199.195.251.56": {
  6831. "x86": {
  6832. "BeaconType": "8 (HTTPS)",
  6833. "Port": "443",
  6834. "Polling": "5000",
  6835. "Jitter": "10",
  6836. "Maxdns": "235",
  6837. "C2 Server": "micsoftin.us,/updates",
  6838. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  6839. "HTTP Method Path 2": "/aircanada/dark.php",
  6840. "Header1": "",
  6841. "Header2": "",
  6842. "PipeName": "",
  6843. "DNS Idle": "\\x08\\x08\\x04\\x04",
  6844. "DNS Sleep": "0",
  6845. "Method1": "GET",
  6846. "Method2": "POST",
  6847. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6848. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6849. "Proxy_AccessType": "2 (Use IE settings)"
  6850. }
  6851. },
  6852. "199.195.254.79": {
  6853. "x64": {
  6854. "BeaconType": "8 (HTTPS)",
  6855. "Port": "443",
  6856. "Polling": "10000",
  6857. "Jitter": "20",
  6858. "Maxdns": "235",
  6859. "C2 Server": "www.google-dev.tk,/jquery-3.3.1.min.js",
  6860. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )",
  6861. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  6862. "Header1": "",
  6863. "Header2": "",
  6864. "PipeName": "",
  6865. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6866. "DNS Sleep": "0",
  6867. "Method1": "GET",
  6868. "Method2": "POST",
  6869. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6870. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6871. "Proxy_AccessType": "2 (Use IE settings)"
  6872. }
  6873. },
  6874. "202.182.101.162": {
  6875. "x64": {
  6876. "BeaconType": "8 (HTTPS)",
  6877. "Port": "443",
  6878. "Polling": "60000",
  6879. "Jitter": "0",
  6880. "Maxdns": "255",
  6881. "C2 Server": "202.182.101.162,/ca",
  6882. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)",
  6883. "HTTP Method Path 2": "/submit.php",
  6884. "Header1": "",
  6885. "Header2": "",
  6886. "PipeName": "",
  6887. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6888. "DNS Sleep": "0",
  6889. "Method1": "GET",
  6890. "Method2": "POST",
  6891. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6892. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6893. "Proxy_AccessType": "2 (Use IE settings)"
  6894. }
  6895. },
  6896. "202.182.96.238": {
  6897. "x64": {
  6898. "BeaconType": "8 (HTTPS)",
  6899. "Port": "443",
  6900. "Polling": "5000",
  6901. "Jitter": "0",
  6902. "Maxdns": "255",
  6903. "C2 Server": "coivotek.livehost.live,/access/",
  6904. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  6905. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  6906. "Header1": "",
  6907. "Header2": "",
  6908. "PipeName": "",
  6909. "DNS Idle": "\\x00\\x00\\x00\\x00",
  6910. "DNS Sleep": "0",
  6911. "Method1": "GET",
  6912. "Method2": "POST",
  6913. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6914. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6915. "Proxy_AccessType": "2 (Use IE settings)"
  6916. }
  6917. },
  6918. "20.36.203.162": {
  6919. "x64": {
  6920. "BeaconType": "8 (HTTPS)",
  6921. "Port": "443",
  6922. "Polling": "60000",
  6923. "Jitter": "0",
  6924. "C2 Server": "20.36.203.162,/load",
  6925. "HTTP Method Path 2": "/submit.php",
  6926. "Method1": "GET",
  6927. "Method2": "POST",
  6928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  6929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  6930. "Proxy_AccessType": "2 (Use IE settings)"
  6931. }
  6932. },
  6933. "204.16.247.235": {
  6934. "x86": {
  6935. "BeaconType": "8 (HTTPS)",
  6936. "Port": "443",
  6937. "Polling": "5000",
  6938. "Jitter": "10",
  6939. "Maxdns": "235",
  6940. "C2 Server": "avetool.com,/us/ky/louisville/312-s-fourth-st.html",
  6941. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6942. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6943. "Header1": "",
  6944. "Header2": "",
  6945. "PipeName": "",
  6946. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6947. "DNS Sleep": "0",
  6948. "Method1": "GET",
  6949. "Method2": "POST",
  6950. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6951. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6952. "Proxy_AccessType": "2 (Use IE settings)"
  6953. },
  6954. "x64": {
  6955. "BeaconType": "8 (HTTPS)",
  6956. "Port": "443",
  6957. "Polling": "5000",
  6958. "Jitter": "10",
  6959. "Maxdns": "235",
  6960. "C2 Server": "avetool.com,/us/ky/louisville/312-s-fourth-st.html",
  6961. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6962. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6963. "Header1": "",
  6964. "Header2": "",
  6965. "PipeName": "",
  6966. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6967. "DNS Sleep": "0",
  6968. "Method1": "GET",
  6969. "Method2": "POST",
  6970. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6971. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6972. "Proxy_AccessType": "2 (Use IE settings)"
  6973. }
  6974. },
  6975. "204.16.247.30": {
  6976. "x86": {
  6977. "BeaconType": "8 (HTTPS)",
  6978. "Port": "443",
  6979. "Polling": "5000",
  6980. "Jitter": "10",
  6981. "Maxdns": "235",
  6982. "C2 Server": "ballom.com,/us/ky/louisville/312-s-fourth-st.html",
  6983. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  6984. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  6985. "Header1": "",
  6986. "Header2": "",
  6987. "PipeName": "",
  6988. "DNS Idle": "\\x08\\x08\\x08\\x08",
  6989. "DNS Sleep": "0",
  6990. "Method1": "GET",
  6991. "Method2": "POST",
  6992. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  6993. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  6994. "Proxy_AccessType": "2 (Use IE settings)"
  6995. }
  6996. },
  6997. "204.16.247.48": {
  6998. "x86": {
  6999. "BeaconType": "8 (HTTPS)",
  7000. "Port": "443",
  7001. "Polling": "30000",
  7002. "Jitter": "20",
  7003. "Maxdns": "255",
  7004. "C2 Server": "goodroy.com,/CWoNaJLBo/VTNeWw11212/",
  7005. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7006. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7007. "Header1": "",
  7008. "Header2": "",
  7009. "PipeName": "",
  7010. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7011. "DNS Sleep": "0",
  7012. "Method1": "GET",
  7013. "Method2": "POST",
  7014. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7015. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7016. "Proxy_AccessType": "2 (Use IE settings)"
  7017. }
  7018. },
  7019. "204.16.247.65": {
  7020. "x86": {
  7021. "BeaconType": "8 (HTTPS)",
  7022. "Port": "443",
  7023. "Polling": "30000",
  7024. "Jitter": "20",
  7025. "Maxdns": "255",
  7026. "C2 Server": "peernew.com,/CWoNaJLBo/VTNeWw11212/",
  7027. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7028. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7029. "Header1": "",
  7030. "Header2": "",
  7031. "PipeName": "",
  7032. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7033. "DNS Sleep": "0",
  7034. "Method1": "GET",
  7035. "Method2": "POST",
  7036. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7037. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7038. "Proxy_AccessType": "2 (Use IE settings)"
  7039. }
  7040. },
  7041. "204.16.247.89": {
  7042. "x86": {
  7043. "BeaconType": "8 (HTTPS)",
  7044. "Port": "443",
  7045. "Polling": "60000",
  7046. "Jitter": "0",
  7047. "Maxdns": "255",
  7048. "C2 Server": "204.16.247.89,/g.pixel",
  7049. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  7050. "HTTP Method Path 2": "/submit.php",
  7051. "Header1": "",
  7052. "Header2": "",
  7053. "PipeName": "",
  7054. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7055. "DNS Sleep": "0",
  7056. "Method1": "GET",
  7057. "Method2": "POST",
  7058. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7059. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7060. "Proxy_AccessType": "2 (Use IE settings)"
  7061. },
  7062. "x64": {
  7063. "BeaconType": "8 (HTTPS)",
  7064. "Port": "443",
  7065. "Polling": "60000",
  7066. "Jitter": "0",
  7067. "Maxdns": "255",
  7068. "C2 Server": "204.16.247.89,/ptj",
  7069. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  7070. "HTTP Method Path 2": "/submit.php",
  7071. "Header1": "",
  7072. "Header2": "",
  7073. "PipeName": "",
  7074. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7075. "DNS Sleep": "0",
  7076. "Method1": "GET",
  7077. "Method2": "POST",
  7078. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7079. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7080. "Proxy_AccessType": "2 (Use IE settings)"
  7081. }
  7082. },
  7083. "206.189.223.152": {
  7084. "x86": {
  7085. "BeaconType": "8 (HTTPS)",
  7086. "Port": "443",
  7087. "Polling": "60000",
  7088. "Jitter": "0",
  7089. "C2 Server": "206.189.223.152,/push",
  7090. "HTTP Method Path 2": "/submit.php",
  7091. "Method1": "GET",
  7092. "Method2": "POST",
  7093. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7094. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7095. "Proxy_AccessType": "2 (Use IE settings)"
  7096. }
  7097. },
  7098. "206.189.37.245": {
  7099. "x64": {
  7100. "BeaconType": "8 (HTTPS)",
  7101. "Port": "443",
  7102. "Polling": "15000",
  7103. "Jitter": "90",
  7104. "Maxdns": "225",
  7105. "C2 Server": "do.skype.com,/api2/json/access/ticket,mscrl.microsoft.com,/en-us/p/onerf/MeSilentPassport",
  7106. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  7107. "HTTP Method Path 2": "/gql",
  7108. "Header1": "",
  7109. "Header2": "",
  7110. "PipeName": "",
  7111. "DNS Idle": "h\\xD8<\\x84",
  7112. "DNS Sleep": "0",
  7113. "Method1": "GET",
  7114. "Method2": "POST",
  7115. "Spawnto_x86": "%windir%\\System32\\werfault.exe",
  7116. "Spawnto_x64": "%windir%\\System32\\werfault.exe",
  7117. "Proxy_AccessType": "2 (Use IE settings)"
  7118. }
  7119. },
  7120. "206.221.176.205": {
  7121. "x64": {
  7122. "BeaconType": "8 (HTTPS)",
  7123. "Port": "443",
  7124. "Polling": "5000",
  7125. "Jitter": "10",
  7126. "Maxdns": "235",
  7127. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7128. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7129. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7130. "Header1": "",
  7131. "Header2": "",
  7132. "PipeName": "",
  7133. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7134. "DNS Sleep": "0",
  7135. "Method1": "GET",
  7136. "Method2": "POST",
  7137. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7138. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7139. "Proxy_AccessType": "2 (Use IE settings)"
  7140. }
  7141. },
  7142. "206.221.179.202": {
  7143. "x86": {
  7144. "BeaconType": "8 (HTTPS)",
  7145. "Port": "443",
  7146. "Polling": "5000",
  7147. "Jitter": "10",
  7148. "Maxdns": "235",
  7149. "C2 Server": "geotry.com,/us/ky/louisville/312-s-fourth-st.html",
  7150. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7151. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7152. "Header1": "",
  7153. "Header2": "",
  7154. "PipeName": "",
  7155. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7156. "DNS Sleep": "0",
  7157. "Method1": "GET",
  7158. "Method2": "POST",
  7159. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7160. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7161. "Proxy_AccessType": "2 (Use IE settings)"
  7162. },
  7163. "x64": {
  7164. "BeaconType": "8 (HTTPS)",
  7165. "Port": "443",
  7166. "Polling": "5000",
  7167. "Jitter": "10",
  7168. "Maxdns": "235",
  7169. "C2 Server": "geotry.com,/us/ky/louisville/312-s-fourth-st.html",
  7170. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7171. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7172. "Header1": "",
  7173. "Header2": "",
  7174. "PipeName": "",
  7175. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7176. "DNS Sleep": "0",
  7177. "Method1": "GET",
  7178. "Method2": "POST",
  7179. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7180. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7181. "Proxy_AccessType": "2 (Use IE settings)"
  7182. }
  7183. },
  7184. "206.54.190.220": {
  7185. "x86": {
  7186. "BeaconType": "8 (HTTPS)",
  7187. "Port": "443",
  7188. "Polling": "60000",
  7189. "Jitter": "0",
  7190. "C2 Server": "45.170.251.101,/ga.js",
  7191. "HTTP Method Path 2": "/submit.php",
  7192. "Method1": "GET",
  7193. "Method2": "POST",
  7194. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7195. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7196. "Proxy_AccessType": "2 (Use IE settings)"
  7197. }
  7198. },
  7199. "207.148.70.82": {
  7200. "x64": {
  7201. "BeaconType": "8 (HTTPS)",
  7202. "Port": "443",
  7203. "Polling": "60000",
  7204. "Jitter": "0",
  7205. "Maxdns": "255",
  7206. "C2 Server": "207.148.70.82,/pixel",
  7207. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
  7208. "HTTP Method Path 2": "/submit.php",
  7209. "Header1": "",
  7210. "Header2": "",
  7211. "PipeName": "",
  7212. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7213. "DNS Sleep": "0",
  7214. "Method1": "GET",
  7215. "Method2": "POST",
  7216. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7217. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7218. "Proxy_AccessType": "2 (Use IE settings)"
  7219. }
  7220. },
  7221. "207.219.199.120": {
  7222. "x86": {
  7223. "BeaconType": "8 (HTTPS)",
  7224. "Port": "443",
  7225. "Polling": "5000",
  7226. "Jitter": "0",
  7227. "Maxdns": "255",
  7228. "C2 Server": "s3app.eastus.cloudapp.azure.com,/iconpage.gif,azurecloudapi.eastus.cloudapp.azure.com,/iconpage.gif",
  7229. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  7230. "HTTP Method Path 2": "/iconimage.gif",
  7231. "Header1": "",
  7232. "Header2": "",
  7233. "PipeName": "",
  7234. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7235. "DNS Sleep": "0",
  7236. "Method1": "GET",
  7237. "Method2": "GET",
  7238. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7239. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7240. "Proxy_AccessType": "2 (Use IE settings)"
  7241. },
  7242. "x64": {
  7243. "BeaconType": "8 (HTTPS)",
  7244. "Port": "443",
  7245. "Polling": "5000",
  7246. "Jitter": "0",
  7247. "Maxdns": "255",
  7248. "C2 Server": "s3app.eastus.cloudapp.azure.com,/iconpage.gif,azurecloudapi.eastus.cloudapp.azure.com,/iconpage.gif",
  7249. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)",
  7250. "HTTP Method Path 2": "/iconimage.gif",
  7251. "Header1": "",
  7252. "Header2": "",
  7253. "PipeName": "",
  7254. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7255. "DNS Sleep": "0",
  7256. "Method1": "GET",
  7257. "Method2": "GET",
  7258. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7259. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7260. "Proxy_AccessType": "2 (Use IE settings)"
  7261. }
  7262. },
  7263. "209.222.101.153": {
  7264. "x86": {
  7265. "BeaconType": "8 (HTTPS)",
  7266. "Port": "443",
  7267. "Polling": "5000",
  7268. "Jitter": "10",
  7269. "Maxdns": "235",
  7270. "C2 Server": "mixdir.com,/us/ky/louisville/312-s-fourth-st.html",
  7271. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7272. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7273. "Header1": "",
  7274. "Header2": "",
  7275. "PipeName": "",
  7276. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7277. "DNS Sleep": "0",
  7278. "Method1": "GET",
  7279. "Method2": "POST",
  7280. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7281. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7282. "Proxy_AccessType": "2 (Use IE settings)"
  7283. }
  7284. },
  7285. "209.222.97.8": {
  7286. "x86": {
  7287. "BeaconType": "8 (HTTPS)",
  7288. "Port": "443",
  7289. "Polling": "5000",
  7290. "Jitter": "10",
  7291. "Maxdns": "235",
  7292. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  7293. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7294. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7295. "Header1": "",
  7296. "Header2": "",
  7297. "PipeName": "",
  7298. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7299. "DNS Sleep": "0",
  7300. "Method1": "GET",
  7301. "Method2": "POST",
  7302. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7303. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7304. "Proxy_AccessType": "2 (Use IE settings)"
  7305. },
  7306. "x64": {
  7307. "BeaconType": "8 (HTTPS)",
  7308. "Port": "443",
  7309. "Polling": "5000",
  7310. "Jitter": "10",
  7311. "Maxdns": "235",
  7312. "C2 Server": "landcook.com,/us/ky/louisville/312-s-fourth-st.html",
  7313. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7314. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7315. "Header1": "",
  7316. "Header2": "",
  7317. "PipeName": "",
  7318. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7319. "DNS Sleep": "0",
  7320. "Method1": "GET",
  7321. "Method2": "POST",
  7322. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7323. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7324. "Proxy_AccessType": "2 (Use IE settings)"
  7325. }
  7326. },
  7327. "209.222.98.45": {
  7328. "x86": {
  7329. "BeaconType": "8 (HTTPS)",
  7330. "Port": "443",
  7331. "Polling": "5000",
  7332. "Jitter": "10",
  7333. "Maxdns": "235",
  7334. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  7335. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7336. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7337. "Header1": "",
  7338. "Header2": "",
  7339. "PipeName": "",
  7340. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7341. "DNS Sleep": "0",
  7342. "Method1": "GET",
  7343. "Method2": "POST",
  7344. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7345. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7346. "Proxy_AccessType": "2 (Use IE settings)"
  7347. },
  7348. "x64": {
  7349. "BeaconType": "8 (HTTPS)",
  7350. "Port": "443",
  7351. "Polling": "5000",
  7352. "Jitter": "10",
  7353. "Maxdns": "235",
  7354. "C2 Server": "exrap.com,/us/ky/louisville/312-s-fourth-st.html",
  7355. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7356. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7357. "Header1": "",
  7358. "Header2": "",
  7359. "PipeName": "",
  7360. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7361. "DNS Sleep": "0",
  7362. "Method1": "GET",
  7363. "Method2": "POST",
  7364. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7365. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7366. "Proxy_AccessType": "2 (Use IE settings)"
  7367. }
  7368. },
  7369. "209.222.98.96": {
  7370. "x86": {
  7371. "BeaconType": "8 (HTTPS)",
  7372. "Port": "443",
  7373. "Polling": "5000",
  7374. "Jitter": "10",
  7375. "Maxdns": "235",
  7376. "C2 Server": "wolfnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7377. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7378. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7379. "Header1": "",
  7380. "Header2": "",
  7381. "PipeName": "",
  7382. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7383. "DNS Sleep": "0",
  7384. "Method1": "GET",
  7385. "Method2": "POST",
  7386. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7387. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7388. "Proxy_AccessType": "2 (Use IE settings)"
  7389. },
  7390. "x64": {
  7391. "BeaconType": "8 (HTTPS)",
  7392. "Port": "443",
  7393. "Polling": "5000",
  7394. "Jitter": "10",
  7395. "Maxdns": "235",
  7396. "C2 Server": "wolfnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7397. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7398. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7399. "Header1": "",
  7400. "Header2": "",
  7401. "PipeName": "",
  7402. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7403. "DNS Sleep": "0",
  7404. "Method1": "GET",
  7405. "Method2": "POST",
  7406. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7407. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7408. "Proxy_AccessType": "2 (Use IE settings)"
  7409. }
  7410. },
  7411. "209.249.134.14": {
  7412. "x86": {
  7413. "BeaconType": "8 (HTTPS)",
  7414. "Port": "443",
  7415. "Polling": "30000",
  7416. "Jitter": "20",
  7417. "Maxdns": "255",
  7418. "C2 Server": "downloads.daytonaneurosurgery.com,/login",
  7419. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
  7420. "HTTP Method Path 2": "/api/chat.postMessage",
  7421. "Header1": "",
  7422. "Header2": "",
  7423. "PipeName": "",
  7424. "DNS Idle": "J}\\xC4q",
  7425. "DNS Sleep": "0",
  7426. "Method1": "GET",
  7427. "Method2": "POST",
  7428. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  7429. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  7430. "Proxy_AccessType": "2 (Use IE settings)"
  7431. }
  7432. },
  7433. "217.12.208.251": {
  7434. "x86": {
  7435. "BeaconType": "8 (HTTPS)",
  7436. "Port": "443",
  7437. "Polling": "45000",
  7438. "Jitter": "37",
  7439. "Maxdns": "255",
  7440. "C2 Server": "217.12.208.251,/jquery-3.3.1.min.js",
  7441. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  7442. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  7443. "Header1": "",
  7444. "Header2": "",
  7445. "PipeName": "",
  7446. "DNS Idle": "J}\\xC4q",
  7447. "DNS Sleep": "0",
  7448. "Method1": "GET",
  7449. "Method2": "POST",
  7450. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  7451. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  7452. "Proxy_AccessType": "2 (Use IE settings)"
  7453. }
  7454. },
  7455. "217.8.117.13": {
  7456. "x64": {
  7457. "BeaconType": "8 (HTTPS)",
  7458. "Port": "443",
  7459. "Polling": "60000",
  7460. "Jitter": "0",
  7461. "Maxdns": "255",
  7462. "C2 Server": "217.8.117.13,/fwlink",
  7463. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)",
  7464. "HTTP Method Path 2": "/submit.php",
  7465. "Header1": "",
  7466. "Header2": "",
  7467. "PipeName": "",
  7468. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7469. "DNS Sleep": "0",
  7470. "Method1": "GET",
  7471. "Method2": "POST",
  7472. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7473. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7474. "Proxy_AccessType": "2 (Use IE settings)"
  7475. }
  7476. },
  7477. "23.106.160.111": {
  7478. "x64": {
  7479. "BeaconType": "8 (HTTPS)",
  7480. "Port": "443",
  7481. "Polling": "5000",
  7482. "Jitter": "10",
  7483. "Maxdns": "235",
  7484. "C2 Server": "mixres.com,/us/ky/louisville/312-s-fourth-st.html",
  7485. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7486. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7487. "Header1": "",
  7488. "Header2": "",
  7489. "PipeName": "",
  7490. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7491. "DNS Sleep": "0",
  7492. "Method1": "GET",
  7493. "Method2": "POST",
  7494. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7495. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7496. "Proxy_AccessType": "2 (Use IE settings)"
  7497. }
  7498. },
  7499. "23.106.160.129": {
  7500. "x64": {
  7501. "BeaconType": "8 (HTTPS)",
  7502. "Port": "443",
  7503. "Polling": "5000",
  7504. "Jitter": "10",
  7505. "Maxdns": "235",
  7506. "C2 Server": "regbest.com,/us/ky/louisville/312-s-fourth-st.html",
  7507. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7508. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7509. "Header1": "",
  7510. "Header2": "",
  7511. "PipeName": "",
  7512. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7513. "DNS Sleep": "0",
  7514. "Method1": "GET",
  7515. "Method2": "POST",
  7516. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7517. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7518. "Proxy_AccessType": "2 (Use IE settings)"
  7519. }
  7520. },
  7521. "23.106.160.191": {
  7522. "x86": {
  7523. "BeaconType": "8 (HTTPS)",
  7524. "Port": "443",
  7525. "Polling": "60000",
  7526. "Jitter": "0",
  7527. "Maxdns": "255",
  7528. "C2 Server": "23.106.160.191,/activity",
  7529. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)",
  7530. "HTTP Method Path 2": "/submit.php",
  7531. "Header1": "",
  7532. "Header2": "",
  7533. "PipeName": "",
  7534. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7535. "DNS Sleep": "0",
  7536. "Method1": "GET",
  7537. "Method2": "POST",
  7538. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7539. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7540. "Proxy_AccessType": "2 (Use IE settings)"
  7541. }
  7542. },
  7543. "23.106.160.195": {
  7544. "x86": {
  7545. "BeaconType": "8 (HTTPS)",
  7546. "Port": "443",
  7547. "Polling": "5000",
  7548. "Jitter": "10",
  7549. "Maxdns": "235",
  7550. "C2 Server": "topevi.com,/us/ky/louisville/312-s-fourth-st.html",
  7551. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7552. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7553. "Header1": "",
  7554. "Header2": "",
  7555. "PipeName": "",
  7556. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7557. "DNS Sleep": "0",
  7558. "Method1": "GET",
  7559. "Method2": "POST",
  7560. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7561. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7562. "Proxy_AccessType": "2 (Use IE settings)"
  7563. }
  7564. },
  7565. "23.106.160.198": {
  7566. "x86": {
  7567. "BeaconType": "8 (HTTPS)",
  7568. "Port": "443",
  7569. "Polling": "5000",
  7570. "Jitter": "10",
  7571. "Maxdns": "235",
  7572. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7573. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7574. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7575. "Header1": "",
  7576. "Header2": "",
  7577. "PipeName": "",
  7578. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7579. "DNS Sleep": "0",
  7580. "Method1": "GET",
  7581. "Method2": "POST",
  7582. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7583. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7584. "Proxy_AccessType": "2 (Use IE settings)"
  7585. }
  7586. },
  7587. "23.106.160.2": {
  7588. "x64": {
  7589. "BeaconType": "8 (HTTPS)",
  7590. "Port": "443",
  7591. "Polling": "5000",
  7592. "Jitter": "10",
  7593. "Maxdns": "235",
  7594. "C2 Server": "bitsse.com,/us/ky/louisville/312-s-fourth-st.html,uncole.com,/us/ky/louisville/312-s-fourth-st.html",
  7595. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7596. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7597. "Header1": "",
  7598. "Header2": "",
  7599. "PipeName": "",
  7600. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7601. "DNS Sleep": "0",
  7602. "Method1": "GET",
  7603. "Method2": "POST",
  7604. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7605. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7606. "Proxy_AccessType": "2 (Use IE settings)"
  7607. }
  7608. },
  7609. "23.106.160.216": {
  7610. "x86": {
  7611. "BeaconType": "8 (HTTPS)",
  7612. "Port": "443",
  7613. "Polling": "5000",
  7614. "Jitter": "10",
  7615. "Maxdns": "235",
  7616. "C2 Server": "volof.com,/us/ky/louisville/312-s-fourth-st.html",
  7617. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7618. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7619. "Header1": "",
  7620. "Header2": "",
  7621. "PipeName": "",
  7622. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7623. "DNS Sleep": "0",
  7624. "Method1": "GET",
  7625. "Method2": "POST",
  7626. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7627. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7628. "Proxy_AccessType": "2 (Use IE settings)"
  7629. }
  7630. },
  7631. "23.106.160.229": {
  7632. "x86": {
  7633. "BeaconType": "8 (HTTPS)",
  7634. "Port": "443",
  7635. "Polling": "60000",
  7636. "Jitter": "0",
  7637. "Maxdns": "255",
  7638. "C2 Server": "23.106.160.229,/cx",
  7639. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)",
  7640. "HTTP Method Path 2": "/submit.php",
  7641. "Header1": "",
  7642. "Header2": "",
  7643. "PipeName": "",
  7644. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7645. "DNS Sleep": "0",
  7646. "Method1": "GET",
  7647. "Method2": "POST",
  7648. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7649. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7650. "Proxy_AccessType": "2 (Use IE settings)"
  7651. },
  7652. "x64": {
  7653. "BeaconType": "8 (HTTPS)",
  7654. "Port": "443",
  7655. "Polling": "60000",
  7656. "Jitter": "0",
  7657. "Maxdns": "255",
  7658. "C2 Server": "23.106.160.229,/push",
  7659. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  7660. "HTTP Method Path 2": "/submit.php",
  7661. "Header1": "",
  7662. "Header2": "",
  7663. "PipeName": "",
  7664. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7665. "DNS Sleep": "0",
  7666. "Method1": "GET",
  7667. "Method2": "POST",
  7668. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7669. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7670. "Proxy_AccessType": "2 (Use IE settings)"
  7671. }
  7672. },
  7673. "23.106.160.61": {
  7674. "x86": {
  7675. "BeaconType": "8 (HTTPS)",
  7676. "Port": "443",
  7677. "Polling": "5000",
  7678. "Jitter": "10",
  7679. "Maxdns": "235",
  7680. "C2 Server": "wikibros.com,/us/ky/louisville/312-s-fourth-st.html",
  7681. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7682. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7683. "Header1": "",
  7684. "Header2": "",
  7685. "PipeName": "",
  7686. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7687. "DNS Sleep": "0",
  7688. "Method1": "GET",
  7689. "Method2": "POST",
  7690. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7691. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7692. "Proxy_AccessType": "2 (Use IE settings)"
  7693. }
  7694. },
  7695. "23.106.160.86": {
  7696. "x86": {
  7697. "BeaconType": "8 (HTTPS)",
  7698. "Port": "443",
  7699. "Polling": "5000",
  7700. "Jitter": "10",
  7701. "Maxdns": "235",
  7702. "C2 Server": "raills.com,/us/ky/louisville/312-s-fourth-st.html",
  7703. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7704. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7705. "Header1": "",
  7706. "Header2": "",
  7707. "PipeName": "",
  7708. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7709. "DNS Sleep": "0",
  7710. "Method1": "GET",
  7711. "Method2": "POST",
  7712. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7713. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7714. "Proxy_AccessType": "2 (Use IE settings)"
  7715. }
  7716. },
  7717. "23.106.215.199": {
  7718. "x64": {
  7719. "BeaconType": "8 (HTTPS)",
  7720. "Port": "443",
  7721. "Polling": "30000",
  7722. "Jitter": "20",
  7723. "Maxdns": "255",
  7724. "C2 Server": "stephq.com,/CWoNaJLBo/VTNeWw11212/",
  7725. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  7726. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  7727. "Header1": "",
  7728. "Header2": "",
  7729. "PipeName": "",
  7730. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7731. "DNS Sleep": "0",
  7732. "Method1": "GET",
  7733. "Method2": "POST",
  7734. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7735. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7736. "Proxy_AccessType": "2 (Use IE settings)"
  7737. }
  7738. },
  7739. "23.106.215.32": {
  7740. "x64": {
  7741. "BeaconType": "8 (HTTPS)",
  7742. "Port": "443",
  7743. "Polling": "5000",
  7744. "Jitter": "37",
  7745. "Maxdns": "255",
  7746. "C2 Server": "contedge.net,/jquery-3.3.1.min.js",
  7747. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  7748. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  7749. "Header1": "",
  7750. "Header2": "",
  7751. "PipeName": "",
  7752. "DNS Idle": "J}\\xC4q",
  7753. "DNS Sleep": "0",
  7754. "Method1": "GET",
  7755. "Method2": "POST",
  7756. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  7757. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  7758. "Proxy_AccessType": "2 (Use IE settings)"
  7759. }
  7760. },
  7761. "23.106.215.40": {
  7762. "x86": {
  7763. "BeaconType": "8 (HTTPS)",
  7764. "Port": "443",
  7765. "Polling": "60000",
  7766. "Jitter": "0",
  7767. "Maxdns": "255",
  7768. "C2 Server": "cuphq.com,/ga.js",
  7769. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MATBJS)",
  7770. "HTTP Method Path 2": "/submit.php",
  7771. "Header1": "",
  7772. "Header2": "",
  7773. "PipeName": "",
  7774. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7775. "DNS Sleep": "0",
  7776. "Method1": "GET",
  7777. "Method2": "POST",
  7778. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7779. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7780. "Proxy_AccessType": "2 (Use IE settings)"
  7781. }
  7782. },
  7783. "23.106.223.151": {
  7784. "x86": {
  7785. "BeaconType": "8 (HTTPS)",
  7786. "Port": "443",
  7787. "Polling": "5000",
  7788. "Jitter": "10",
  7789. "Maxdns": "235",
  7790. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  7791. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7792. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7793. "Header1": "",
  7794. "Header2": "",
  7795. "PipeName": "",
  7796. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7797. "DNS Sleep": "0",
  7798. "Method1": "GET",
  7799. "Method2": "POST",
  7800. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7801. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7802. "Proxy_AccessType": "2 (Use IE settings)"
  7803. },
  7804. "x64": {
  7805. "BeaconType": "8 (HTTPS)",
  7806. "Port": "443",
  7807. "Polling": "5000",
  7808. "Jitter": "10",
  7809. "Maxdns": "235",
  7810. "C2 Server": "foxreps.com,/us/ky/louisville/312-s-fourth-st.html,novause.com,/us/ky/louisville/312-s-fourth-st.html",
  7811. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7812. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7813. "Header1": "",
  7814. "Header2": "",
  7815. "PipeName": "",
  7816. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7817. "DNS Sleep": "0",
  7818. "Method1": "GET",
  7819. "Method2": "POST",
  7820. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7821. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7822. "Proxy_AccessType": "2 (Use IE settings)"
  7823. }
  7824. },
  7825. "23.106.223.172": {
  7826. "x86": {
  7827. "BeaconType": "8 (HTTPS)",
  7828. "Port": "443",
  7829. "Polling": "5000",
  7830. "Jitter": "10",
  7831. "Maxdns": "235",
  7832. "C2 Server": "resfox.com,/us/ky/louisville/312-s-fourth-st.html,zeroflip.com,/us/ky/louisville/312-s-fourth-st.html",
  7833. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7834. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7835. "Header1": "",
  7836. "Header2": "",
  7837. "PipeName": "",
  7838. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7839. "DNS Sleep": "0",
  7840. "Method1": "GET",
  7841. "Method2": "POST",
  7842. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7843. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7844. "Proxy_AccessType": "2 (Use IE settings)"
  7845. }
  7846. },
  7847. "23.106.223.27": {
  7848. "x86": {
  7849. "BeaconType": "8 (HTTPS)",
  7850. "Port": "443",
  7851. "Polling": "5000",
  7852. "Jitter": "10",
  7853. "Maxdns": "235",
  7854. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7855. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7856. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7857. "Header1": "",
  7858. "Header2": "",
  7859. "PipeName": "",
  7860. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7861. "DNS Sleep": "0",
  7862. "Method1": "GET",
  7863. "Method2": "POST",
  7864. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7865. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7866. "Proxy_AccessType": "2 (Use IE settings)"
  7867. },
  7868. "x64": {
  7869. "BeaconType": "8 (HTTPS)",
  7870. "Port": "443",
  7871. "Polling": "5000",
  7872. "Jitter": "10",
  7873. "Maxdns": "235",
  7874. "C2 Server": "arcnew.com,/us/ky/louisville/312-s-fourth-st.html",
  7875. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7876. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7877. "Header1": "",
  7878. "Header2": "",
  7879. "PipeName": "",
  7880. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7881. "DNS Sleep": "0",
  7882. "Method1": "GET",
  7883. "Method2": "POST",
  7884. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7885. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7886. "Proxy_AccessType": "2 (Use IE settings)"
  7887. }
  7888. },
  7889. "23.19.227.165": {
  7890. "x86": {
  7891. "BeaconType": "8 (HTTPS)",
  7892. "Port": "443",
  7893. "Polling": "5000",
  7894. "Jitter": "10",
  7895. "Maxdns": "235",
  7896. "C2 Server": "facesh.com,/us/ky/louisville/312-s-fourth-st.html",
  7897. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7898. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7899. "Header1": "",
  7900. "Header2": "",
  7901. "PipeName": "",
  7902. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7903. "DNS Sleep": "0",
  7904. "Method1": "GET",
  7905. "Method2": "POST",
  7906. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7907. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7908. "Proxy_AccessType": "2 (Use IE settings)"
  7909. }
  7910. },
  7911. "23.19.227.204": {
  7912. "x86": {
  7913. "BeaconType": "8 (HTTPS)",
  7914. "Port": "443",
  7915. "Polling": "60000",
  7916. "Jitter": "0",
  7917. "Maxdns": "255",
  7918. "C2 Server": "pics.lockboxlink.com,/IE9CompatViewList.xml,black.lockboxlink.com,/g.pixel",
  7919. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  7920. "HTTP Method Path 2": "/submit.php",
  7921. "Header1": "",
  7922. "Header2": "",
  7923. "PipeName": "",
  7924. "DNS Idle": "\\x00\\x00\\x00\\x00",
  7925. "DNS Sleep": "0",
  7926. "Method1": "GET",
  7927. "Method2": "POST",
  7928. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7929. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7930. "Proxy_AccessType": "2 (Use IE settings)"
  7931. }
  7932. },
  7933. "23.227.194.185": {
  7934. "x86": {
  7935. "BeaconType": "8 (HTTPS)",
  7936. "Port": "443",
  7937. "Polling": "60000",
  7938. "Jitter": "0",
  7939. "C2 Server": "23.227.194.185,/pixel.gif",
  7940. "HTTP Method Path 2": "/submit.php",
  7941. "Method1": "GET",
  7942. "Method2": "POST",
  7943. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  7944. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  7945. "Proxy_AccessType": "2 (Use IE settings)"
  7946. }
  7947. },
  7948. "23.81.246.24": {
  7949. "x86": {
  7950. "BeaconType": "8 (HTTPS)",
  7951. "Port": "443",
  7952. "Polling": "5000",
  7953. "Jitter": "10",
  7954. "Maxdns": "235",
  7955. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7956. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7957. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7958. "Header1": "",
  7959. "Header2": "",
  7960. "PipeName": "",
  7961. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7962. "DNS Sleep": "0",
  7963. "Method1": "GET",
  7964. "Method2": "POST",
  7965. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7966. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7967. "Proxy_AccessType": "2 (Use IE settings)"
  7968. },
  7969. "x64": {
  7970. "BeaconType": "8 (HTTPS)",
  7971. "Port": "443",
  7972. "Polling": "5000",
  7973. "Jitter": "10",
  7974. "Maxdns": "235",
  7975. "C2 Server": "repshd.com,/us/ky/louisville/312-s-fourth-st.html,pinglis.com,/us/ky/louisville/312-s-fourth-st.html,stargut.com,/us/ky/louisville/312-s-fourth-st.html",
  7976. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  7977. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  7978. "Header1": "",
  7979. "Header2": "",
  7980. "PipeName": "",
  7981. "DNS Idle": "\\x08\\x08\\x08\\x08",
  7982. "DNS Sleep": "0",
  7983. "Method1": "GET",
  7984. "Method2": "POST",
  7985. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  7986. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  7987. "Proxy_AccessType": "2 (Use IE settings)"
  7988. }
  7989. },
  7990. "23.81.246.46": {
  7991. "x86": {
  7992. "BeaconType": "8 (HTTPS)",
  7993. "Port": "443",
  7994. "Polling": "5000",
  7995. "Jitter": "0",
  7996. "Maxdns": "255",
  7997. "C2 Server": "contmetric.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  7998. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  7999. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  8000. "Header1": "",
  8001. "Header2": "",
  8002. "PipeName": "",
  8003. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8004. "DNS Sleep": "0",
  8005. "Method1": "GET",
  8006. "Method2": "POST",
  8007. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8008. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8009. "Proxy_AccessType": "2 (Use IE settings)"
  8010. }
  8011. },
  8012. "23.81.246.74": {
  8013. "x86": {
  8014. "BeaconType": "8 (HTTPS)",
  8015. "Port": "443",
  8016. "Polling": "30000",
  8017. "Jitter": "20",
  8018. "Maxdns": "255",
  8019. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  8020. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  8021. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  8022. "Header1": "",
  8023. "Header2": "",
  8024. "PipeName": "",
  8025. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8026. "DNS Sleep": "0",
  8027. "Method1": "GET",
  8028. "Method2": "POST",
  8029. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8030. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8031. "Proxy_AccessType": "2 (Use IE settings)"
  8032. },
  8033. "x64": {
  8034. "BeaconType": "8 (HTTPS)",
  8035. "Port": "443",
  8036. "Polling": "30000",
  8037. "Jitter": "20",
  8038. "Maxdns": "255",
  8039. "C2 Server": "keyisa.com,/CWoNaJLBo/VTNeWw11212/",
  8040. "User Agent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)",
  8041. "HTTP Method Path 2": "/CWoNaJLBo/VTNeWw11213/",
  8042. "Header1": "",
  8043. "Header2": "",
  8044. "PipeName": "",
  8045. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8046. "DNS Sleep": "0",
  8047. "Method1": "GET",
  8048. "Method2": "POST",
  8049. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8050. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8051. "Proxy_AccessType": "2 (Use IE settings)"
  8052. }
  8053. },
  8054. "23.81.246.89": {
  8055. "x86": {
  8056. "BeaconType": "8 (HTTPS)",
  8057. "Port": "443",
  8058. "Polling": "60000",
  8059. "Jitter": "0",
  8060. "Maxdns": "255",
  8061. "C2 Server": "amapai-technologies.space,/g.pixel",
  8062. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)",
  8063. "HTTP Method Path 2": "/submit.php",
  8064. "Header1": "",
  8065. "Header2": "",
  8066. "PipeName": "",
  8067. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8068. "DNS Sleep": "0",
  8069. "Method1": "GET",
  8070. "Method2": "POST",
  8071. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8072. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8073. "Proxy_AccessType": "2 (Use IE settings)"
  8074. },
  8075. "x64": {
  8076. "BeaconType": "8 (HTTPS)",
  8077. "Port": "443",
  8078. "Polling": "60000",
  8079. "Jitter": "0",
  8080. "Maxdns": "255",
  8081. "C2 Server": "amapai-technologies.space,/__utm.gif",
  8082. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)",
  8083. "HTTP Method Path 2": "/submit.php",
  8084. "Header1": "",
  8085. "Header2": "",
  8086. "PipeName": "",
  8087. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8088. "DNS Sleep": "0",
  8089. "Method1": "GET",
  8090. "Method2": "POST",
  8091. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8092. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8093. "Proxy_AccessType": "2 (Use IE settings)"
  8094. }
  8095. },
  8096. "23.83.133.240": {
  8097. "x86": {
  8098. "BeaconType": "8 (HTTPS)",
  8099. "Port": "443",
  8100. "Polling": "60000",
  8101. "Jitter": "0",
  8102. "Maxdns": "255",
  8103. "C2 Server": "amapai-technologies.site,/ptj",
  8104. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  8105. "HTTP Method Path 2": "/submit.php",
  8106. "Header1": "",
  8107. "Header2": "",
  8108. "PipeName": "",
  8109. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8110. "DNS Sleep": "0",
  8111. "Method1": "GET",
  8112. "Method2": "POST",
  8113. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8114. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8115. "Proxy_AccessType": "2 (Use IE settings)"
  8116. }
  8117. },
  8118. "23.83.134.16": {
  8119. "x86": {
  8120. "BeaconType": "8 (HTTPS)",
  8121. "Port": "443",
  8122. "Polling": "60000",
  8123. "Jitter": "0",
  8124. "Maxdns": "255",
  8125. "C2 Server": "black.lockboxlink.com,/ga.js,pics.lockboxlink.com,/match",
  8126. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  8127. "HTTP Method Path 2": "/submit.php",
  8128. "Header1": "",
  8129. "Header2": "",
  8130. "PipeName": "",
  8131. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8132. "DNS Sleep": "0",
  8133. "Method1": "GET",
  8134. "Method2": "POST",
  8135. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8136. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8137. "Proxy_AccessType": "2 (Use IE settings)"
  8138. },
  8139. "x64": {
  8140. "BeaconType": "8 (HTTPS)",
  8141. "Port": "443",
  8142. "Polling": "60000",
  8143. "Jitter": "0",
  8144. "Maxdns": "255",
  8145. "C2 Server": "black.lockboxlink.com,/ptj,pics.lockboxlink.com,/pixel",
  8146. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  8147. "HTTP Method Path 2": "/submit.php",
  8148. "Header1": "",
  8149. "Header2": "",
  8150. "PipeName": "",
  8151. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8152. "DNS Sleep": "0",
  8153. "Method1": "GET",
  8154. "Method2": "POST",
  8155. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8156. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8157. "Proxy_AccessType": "2 (Use IE settings)"
  8158. }
  8159. },
  8160. "27.102.70.189": {
  8161. "x64": {
  8162. "BeaconType": "8 (HTTPS)",
  8163. "Port": "443",
  8164. "Polling": "10000",
  8165. "Jitter": "0",
  8166. "Maxdns": "255",
  8167. "C2 Server": "img.alicdn.com,/geo/collect/v1,at.alicdn.com,/geo/collect/v1,ald.taobao.com,/geo/collect/v1,www.aliyunbaike.com,/geo/collect/v1",
  8168. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0;) like Gecko",
  8169. "HTTP Method Path 2": "/collect/v1",
  8170. "Header1": "",
  8171. "Header2": "",
  8172. "PipeName": "",
  8173. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8174. "DNS Sleep": "0",
  8175. "Method1": "GET",
  8176. "Method2": "POST",
  8177. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8178. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8179. "Proxy_AccessType": "2 (Use IE settings)"
  8180. }
  8181. },
  8182. "31.14.40.143": {
  8183. "x86": {
  8184. "BeaconType": "8 (HTTPS)",
  8185. "Port": "443",
  8186. "Polling": "60000",
  8187. "Jitter": "0",
  8188. "Maxdns": "255",
  8189. "C2 Server": "31.14.40.143,/g.pixel",
  8190. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
  8191. "HTTP Method Path 2": "/submit.php",
  8192. "Header1": "",
  8193. "Header2": "",
  8194. "PipeName": "",
  8195. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8196. "DNS Sleep": "0",
  8197. "Method1": "GET",
  8198. "Method2": "POST",
  8199. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8200. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8201. "Proxy_AccessType": "2 (Use IE settings)"
  8202. },
  8203. "x64": {
  8204. "BeaconType": "8 (HTTPS)",
  8205. "Port": "443",
  8206. "Polling": "60000",
  8207. "Jitter": "0",
  8208. "Maxdns": "255",
  8209. "C2 Server": "31.14.40.143,/push",
  8210. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  8211. "HTTP Method Path 2": "/submit.php",
  8212. "Header1": "",
  8213. "Header2": "",
  8214. "PipeName": "",
  8215. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8216. "DNS Sleep": "0",
  8217. "Method1": "GET",
  8218. "Method2": "POST",
  8219. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8220. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8221. "Proxy_AccessType": "2 (Use IE settings)"
  8222. }
  8223. },
  8224. "31.187.64.199": {
  8225. "x86": {
  8226. "BeaconType": "8 (HTTPS)",
  8227. "Port": "443",
  8228. "Polling": "10010",
  8229. "Jitter": "1",
  8230. "Maxdns": "255",
  8231. "C2 Server": "d30qpb9e10re4o.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,dzep7n1lqmr18.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,d2qbce1fkipgyc.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,nix1.xyz,/gen_204eiT6EX_r4F3fqwHI9boDg",
  8232. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 15.0;) Gecko/20100101 Firefox/637.0",
  8233. "HTTP Method Path 2": "/_/VisualFrontendUi/data/batchexecute",
  8234. "Header1": "",
  8235. "Header2": "",
  8236. "PipeName": "",
  8237. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8238. "DNS Sleep": "0",
  8239. "Method1": "POST",
  8240. "Method2": "POST",
  8241. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8242. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8243. "Proxy_AccessType": "2 (Use IE settings)"
  8244. }
  8245. },
  8246. "31.187.64.231": {
  8247. "x64": {
  8248. "BeaconType": "8 (HTTPS)",
  8249. "Port": "443",
  8250. "Polling": "10010",
  8251. "Jitter": "1",
  8252. "Maxdns": "255",
  8253. "C2 Server": "d30qpb9e10re4o.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,dzep7n1lqmr18.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,d2qbce1fkipgyc.cloudfront.net,/gen_204eiT6EX_r4F3fqwHI9boDg,nix1.xyz,/gen_204eiT6EX_r4F3fqwHI9boDg",
  8254. "User Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 15.0;) Gecko/20100101 Firefox/637.0",
  8255. "HTTP Method Path 2": "/_/VisualFrontendUi/data/batchexecute",
  8256. "Header1": "",
  8257. "Header2": "",
  8258. "PipeName": "",
  8259. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8260. "DNS Sleep": "0",
  8261. "Method1": "POST",
  8262. "Method2": "POST",
  8263. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8264. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8265. "Proxy_AccessType": "2 (Use IE settings)"
  8266. }
  8267. },
  8268. "3.122.109.210": {
  8269. "x86": {
  8270. "BeaconType": "8 (HTTPS)",
  8271. "Port": "443",
  8272. "Polling": "37500",
  8273. "Jitter": "33",
  8274. "Maxdns": "245",
  8275. "C2 Server": "3.122.109.210,/audio/",
  8276. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  8277. "HTTP Method Path 2": "/melody/",
  8278. "Header1": "",
  8279. "Header2": "",
  8280. "PipeName": "",
  8281. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8282. "DNS Sleep": "0",
  8283. "Method1": "GET",
  8284. "Method2": "POST",
  8285. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8286. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8287. "Proxy_AccessType": "2 (Use IE settings)"
  8288. }
  8289. },
  8290. "3.122.252.220": {
  8291. "x64": {
  8292. "BeaconType": "8 (HTTPS)",
  8293. "Port": "443",
  8294. "Polling": "45000",
  8295. "Jitter": "37",
  8296. "Maxdns": "255",
  8297. "C2 Server": "cdn1.srv-spotlfy.com,/js/jquery-3.3.1.min.js",
  8298. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8299. "HTTP Method Path 2": "/js/jquery-3.3.2.min.js",
  8300. "Header1": "",
  8301. "Header2": "",
  8302. "PipeName": "",
  8303. "DNS Idle": "J}\\xC4q",
  8304. "DNS Sleep": "0",
  8305. "Method1": "GET",
  8306. "Method2": "POST",
  8307. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8308. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8309. "Proxy_AccessType": "2 (Use IE settings)"
  8310. }
  8311. },
  8312. "3.124.3.252": {
  8313. "x86": {
  8314. "BeaconType": "8 (HTTPS)",
  8315. "Port": "443",
  8316. "Polling": "60000",
  8317. "Jitter": "20",
  8318. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  8319. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  8320. "Method1": "GET",
  8321. "Method2": "GET",
  8322. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8323. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8324. "Proxy_AccessType": "2 (Use IE settings)"
  8325. }
  8326. },
  8327. "3.125.158.190": {
  8328. "x64": {
  8329. "BeaconType": "8 (HTTPS)",
  8330. "Port": "443",
  8331. "Polling": "37500",
  8332. "Jitter": "33",
  8333. "Maxdns": "245",
  8334. "C2 Server": "hydra1337.com,/audio/",
  8335. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  8336. "HTTP Method Path 2": "/melody/",
  8337. "Header1": "",
  8338. "Header2": "",
  8339. "PipeName": "",
  8340. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8341. "DNS Sleep": "0",
  8342. "Method1": "GET",
  8343. "Method2": "POST",
  8344. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8345. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8346. "Proxy_AccessType": "2 (Use IE settings)"
  8347. }
  8348. },
  8349. "3.126.209.180": {
  8350. "x86": {
  8351. "BeaconType": "8 (HTTPS)",
  8352. "Port": "443",
  8353. "Polling": "60000",
  8354. "Jitter": "15",
  8355. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8356. "HTTP Method Path 2": "/mail/u/0/",
  8357. "Method1": "GET",
  8358. "Method2": "POST",
  8359. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8360. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8361. "Proxy_AccessType": "2 (Use IE settings)"
  8362. }
  8363. },
  8364. "3.127.139.203": {
  8365. "x64": {
  8366. "BeaconType": "8 (HTTPS)",
  8367. "Port": "443",
  8368. "Polling": "60000",
  8369. "Jitter": "20",
  8370. "C2 Server": "3.127.139.203,/c/msdownload/update/others/2020/11/KB152288_",
  8371. "HTTP Method Path 2": "/c/msdownload/update/others/2020/11/KB13434_",
  8372. "Method1": "GET",
  8373. "Method2": "GET",
  8374. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8375. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8376. "Proxy_AccessType": "2 (Use IE settings)"
  8377. }
  8378. },
  8379. "3.127.150.208": {
  8380. "x86": {
  8381. "BeaconType": "8 (HTTPS)",
  8382. "Port": "443",
  8383. "Polling": "60000",
  8384. "Jitter": "15",
  8385. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8386. "HTTP Method Path 2": "/mail/u/0/",
  8387. "Method1": "GET",
  8388. "Method2": "POST",
  8389. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8390. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8391. "Proxy_AccessType": "2 (Use IE settings)"
  8392. },
  8393. "x64": {
  8394. "BeaconType": "8 (HTTPS)",
  8395. "Port": "443",
  8396. "Polling": "60000",
  8397. "Jitter": "15",
  8398. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  8399. "HTTP Method Path 2": "/mail/u/0/",
  8400. "Method1": "GET",
  8401. "Method2": "POST",
  8402. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8403. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8404. "Proxy_AccessType": "2 (Use IE settings)"
  8405. }
  8406. },
  8407. "3.128.244.129": {
  8408. "x86": {
  8409. "BeaconType": "8 (HTTPS)",
  8410. "Port": "443",
  8411. "Polling": "30000",
  8412. "Jitter": "30",
  8413. "Maxdns": "99",
  8414. "C2 Server": "analytics.itshealthpro.com,/logo",
  8415. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  8416. "HTTP Method Path 2": "/r_config",
  8417. "Header1": "",
  8418. "Header2": "",
  8419. "PipeName": "",
  8420. "DNS Idle": "(pH\\xCD",
  8421. "DNS Sleep": "0",
  8422. "Method1": "GET",
  8423. "Method2": "POST",
  8424. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8425. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8426. "Proxy_AccessType": "2 (Use IE settings)"
  8427. }
  8428. },
  8429. "3.133.100.221": {
  8430. "x64": {
  8431. "BeaconType": "8 (HTTPS)",
  8432. "Port": "443",
  8433. "Polling": "60000",
  8434. "Jitter": "0",
  8435. "C2 Server": "3.133.100.221,/cx",
  8436. "HTTP Method Path 2": "/submit.php",
  8437. "Method1": "GET",
  8438. "Method2": "POST",
  8439. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8440. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8441. "Proxy_AccessType": "2 (Use IE settings)"
  8442. }
  8443. },
  8444. "3.133.160.202": {
  8445. "x86": {
  8446. "BeaconType": "8 (HTTPS)",
  8447. "Port": "443",
  8448. "Polling": "60000",
  8449. "Jitter": "0",
  8450. "C2 Server": "scripts.completelyinnocuousdomain.com,/updates.rss",
  8451. "HTTP Method Path 2": "/submit.php",
  8452. "Method1": "GET",
  8453. "Method2": "POST",
  8454. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8455. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8456. "Proxy_AccessType": "2 (Use IE settings)"
  8457. }
  8458. },
  8459. "3.135.189.104": {
  8460. "x86": {
  8461. "BeaconType": "8 (HTTPS)",
  8462. "Port": "443",
  8463. "Polling": "810",
  8464. "Jitter": "0",
  8465. "Maxdns": "242",
  8466. "C2 Server": "raymondjames.hostedconnectedrisk.com:,/access/",
  8467. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
  8468. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  8469. "Header1": "",
  8470. "Header2": "",
  8471. "PipeName": "",
  8472. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8473. "DNS Sleep": "0",
  8474. "Method1": "GET",
  8475. "Method2": "POST",
  8476. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8477. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8478. "Proxy_AccessType": "2 (Use IE settings)"
  8479. },
  8480. "x64": {
  8481. "BeaconType": "8 (HTTPS)",
  8482. "Port": "443",
  8483. "Polling": "810",
  8484. "Jitter": "0",
  8485. "Maxdns": "242",
  8486. "C2 Server": "raymondjames.hostedconnectedrisk.com:,/access/",
  8487. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
  8488. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  8489. "Header1": "",
  8490. "Header2": "",
  8491. "PipeName": "",
  8492. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8493. "DNS Sleep": "0",
  8494. "Method1": "GET",
  8495. "Method2": "POST",
  8496. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8497. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8498. "Proxy_AccessType": "2 (Use IE settings)"
  8499. }
  8500. },
  8501. "3.135.47.125": {
  8502. "x86": {
  8503. "BeaconType": "8 (HTTPS)",
  8504. "Port": "443",
  8505. "Polling": "5000",
  8506. "Jitter": "47",
  8507. "Maxdns": "255",
  8508. "C2 Server": "DailyHealthGuide.org,/jquery-3.3.1.min.js",
  8509. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8510. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8511. "Header1": "",
  8512. "Header2": "",
  8513. "PipeName": "",
  8514. "DNS Idle": "J}\\xC4q",
  8515. "DNS Sleep": "0",
  8516. "Method1": "GET",
  8517. "Method2": "POST",
  8518. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8519. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8520. "Proxy_AccessType": "2 (Use IE settings)"
  8521. }
  8522. },
  8523. "3.136.109.67": {
  8524. "x64": {
  8525. "BeaconType": "8 (HTTPS)",
  8526. "Port": "443",
  8527. "Polling": "30000",
  8528. "Jitter": "20",
  8529. "Maxdns": "235",
  8530. "C2 Server": "pentair-slack.com,/messages/C0527B0NM,3.136.109.67,/messages/C0527B0NM",
  8531. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  8532. "HTTP Method Path 2": "/api/api.test",
  8533. "Header1": "",
  8534. "Header2": "",
  8535. "PipeName": "",
  8536. "DNS Idle": "\\x08\\x08\\x08\\x08",
  8537. "DNS Sleep": "0",
  8538. "Method1": "GET",
  8539. "Method2": "POST",
  8540. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  8541. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  8542. "Proxy_AccessType": "2 (Use IE settings)"
  8543. }
  8544. },
  8545. "3.136.160.122": {
  8546. "x64": {
  8547. "BeaconType": "8 (HTTPS)",
  8548. "Port": "443",
  8549. "Polling": "60000",
  8550. "Jitter": "37",
  8551. "Maxdns": "255",
  8552. "C2 Server": "telemetry.wessonlabpartners.com,/jquery-3.3.1.min.js,admitting.healthfitconnection.com,/jquery-3.3.1.min.js,skilled_nursing.healthmanagementtoday.com,/jquery-3.3.1.min.js",
  8553. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  8554. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8555. "Header1": "",
  8556. "Header2": "",
  8557. "PipeName": "",
  8558. "DNS Idle": "\\x03\\x88\\xA0z",
  8559. "DNS Sleep": "0",
  8560. "Method1": "GET",
  8561. "Method2": "POST",
  8562. "Spawnto_x86": "%windir%\\syswow64\\spoolsv.exe",
  8563. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  8564. "Proxy_AccessType": "2 (Use IE settings)"
  8565. }
  8566. },
  8567. "3.137.139.119": {
  8568. "x64": {
  8569. "BeaconType": "8 (HTTPS)",
  8570. "Port": "443",
  8571. "Polling": "60000",
  8572. "Jitter": "0",
  8573. "Maxdns": "255",
  8574. "C2 Server": "service.office247.tech,/match",
  8575. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)",
  8576. "HTTP Method Path 2": "/submit.php",
  8577. "Header1": "",
  8578. "Header2": "",
  8579. "PipeName": "",
  8580. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8581. "DNS Sleep": "0",
  8582. "Method1": "GET",
  8583. "Method2": "POST",
  8584. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8585. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8586. "Proxy_AccessType": "2 (Use IE settings)"
  8587. }
  8588. },
  8589. "3.137.206.229": {
  8590. "x64": {
  8591. "BeaconType": "8 (HTTPS)",
  8592. "Port": "443",
  8593. "Polling": "60000",
  8594. "Jitter": "0",
  8595. "C2 Server": "3.133.100.221,/cx",
  8596. "HTTP Method Path 2": "/submit.php",
  8597. "Method1": "GET",
  8598. "Method2": "POST",
  8599. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8600. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8601. "Proxy_AccessType": "2 (Use IE settings)"
  8602. }
  8603. },
  8604. "3.137.217.140": {
  8605. "x64": {
  8606. "BeaconType": "8 (HTTPS)",
  8607. "Port": "443",
  8608. "Polling": "60000",
  8609. "Jitter": "0",
  8610. "Maxdns": "255",
  8611. "C2 Server": "3.137.217.140,/cm",
  8612. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; NP07; NP07)",
  8613. "HTTP Method Path 2": "/submit.php",
  8614. "Header1": "",
  8615. "Header2": "",
  8616. "PipeName": "",
  8617. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8618. "DNS Sleep": "0",
  8619. "Method1": "GET",
  8620. "Method2": "POST",
  8621. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8622. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8623. "Proxy_AccessType": "2 (Use IE settings)"
  8624. }
  8625. },
  8626. "3.139.231.113": {
  8627. "x86": {
  8628. "BeaconType": "8 (HTTPS)",
  8629. "Port": "443",
  8630. "Polling": "57081",
  8631. "Jitter": "37",
  8632. "C2 Server": "3.139.231.113,/ky",
  8633. "HTTP Method Path 2": "/lv",
  8634. "Method1": "GET",
  8635. "Method2": "POST",
  8636. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  8637. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  8638. "Proxy_AccessType": "2 (Use IE settings)"
  8639. },
  8640. "x64": {
  8641. "BeaconType": "8 (HTTPS)",
  8642. "Port": "443",
  8643. "Polling": "57081",
  8644. "Jitter": "37",
  8645. "C2 Server": "3.139.231.113,/ky",
  8646. "HTTP Method Path 2": "/lv",
  8647. "Method1": "GET",
  8648. "Method2": "POST",
  8649. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  8650. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  8651. "Proxy_AccessType": "2 (Use IE settings)"
  8652. }
  8653. },
  8654. "31.44.184.100": {
  8655. "x86": {
  8656. "BeaconType": "8 (HTTPS)",
  8657. "Port": "443",
  8658. "Polling": "60000",
  8659. "Jitter": "0",
  8660. "C2 Server": "31.44.184.100,/dpixel",
  8661. "HTTP Method Path 2": "/submit.php",
  8662. "Method1": "GET",
  8663. "Method2": "POST",
  8664. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8665. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8666. "Proxy_AccessType": "2 (Use IE settings)"
  8667. }
  8668. },
  8669. "31.44.184.174": {
  8670. "x86": {
  8671. "BeaconType": "8 (HTTPS)",
  8672. "Port": "443",
  8673. "Polling": "60000",
  8674. "Jitter": "0",
  8675. "C2 Server": "31.44.184.174,/ptj",
  8676. "HTTP Method Path 2": "/submit.php",
  8677. "Method1": "GET",
  8678. "Method2": "POST",
  8679. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8680. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8681. "Proxy_AccessType": "2 (Use IE settings)"
  8682. },
  8683. "x64": {
  8684. "BeaconType": "8 (HTTPS)",
  8685. "Port": "443",
  8686. "Polling": "60000",
  8687. "Jitter": "0",
  8688. "C2 Server": "31.44.184.174,/dot.gif",
  8689. "HTTP Method Path 2": "/submit.php",
  8690. "Method1": "GET",
  8691. "Method2": "POST",
  8692. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8693. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8694. "Proxy_AccessType": "2 (Use IE settings)"
  8695. }
  8696. },
  8697. "31.44.184.181": {
  8698. "x86": {
  8699. "BeaconType": "8 (HTTPS)",
  8700. "Port": "443",
  8701. "Polling": "60000",
  8702. "Jitter": "0",
  8703. "C2 Server": "31.44.184.181,/ptj",
  8704. "HTTP Method Path 2": "/submit.php",
  8705. "Method1": "GET",
  8706. "Method2": "POST",
  8707. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8708. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8709. "Proxy_AccessType": "2 (Use IE settings)"
  8710. }
  8711. },
  8712. "31.44.184.56": {
  8713. "x86": {
  8714. "BeaconType": "8 (HTTPS)",
  8715. "Port": "443",
  8716. "Polling": "60000",
  8717. "Jitter": "0",
  8718. "C2 Server": "31.44.184.56,/pixel.gif",
  8719. "HTTP Method Path 2": "/submit.php",
  8720. "Method1": "GET",
  8721. "Method2": "POST",
  8722. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8723. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8724. "Proxy_AccessType": "2 (Use IE settings)"
  8725. }
  8726. },
  8727. "3.16.136.106": {
  8728. "x86": {
  8729. "BeaconType": "8 (HTTPS)",
  8730. "Port": "443",
  8731. "Polling": "60000",
  8732. "Jitter": "37",
  8733. "Maxdns": "255",
  8734. "C2 Server": "ajax.microsoft.com,/jquery-3.3.1.min.js",
  8735. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36",
  8736. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  8737. "Header1": "",
  8738. "Header2": "",
  8739. "PipeName": "",
  8740. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8741. "DNS Sleep": "0",
  8742. "Method1": "GET",
  8743. "Method2": "POST",
  8744. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  8745. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  8746. "Proxy_AccessType": "2 (Use IE settings)"
  8747. }
  8748. },
  8749. "3.16.1.87": {
  8750. "x86": {
  8751. "BeaconType": "8 (HTTPS)",
  8752. "Port": "443",
  8753. "Polling": "60000",
  8754. "Jitter": "0",
  8755. "Maxdns": "255",
  8756. "C2 Server": "3.16.1.87,/dot.gif",
  8757. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)",
  8758. "HTTP Method Path 2": "/submit.php",
  8759. "Header1": "",
  8760. "Header2": "",
  8761. "PipeName": "",
  8762. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8763. "DNS Sleep": "0",
  8764. "Method1": "GET",
  8765. "Method2": "POST",
  8766. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8767. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8768. "Proxy_AccessType": "2 (Use IE settings)"
  8769. },
  8770. "x64": {
  8771. "BeaconType": "8 (HTTPS)",
  8772. "Port": "443",
  8773. "Polling": "60000",
  8774. "Jitter": "0",
  8775. "Maxdns": "255",
  8776. "C2 Server": "3.16.1.87,/load",
  8777. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  8778. "HTTP Method Path 2": "/submit.php",
  8779. "Header1": "",
  8780. "Header2": "",
  8781. "PipeName": "",
  8782. "DNS Idle": "\\x00\\x00\\x00\\x00",
  8783. "DNS Sleep": "0",
  8784. "Method1": "GET",
  8785. "Method2": "POST",
  8786. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8787. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8788. "Proxy_AccessType": "2 (Use IE settings)"
  8789. }
  8790. },
  8791. "3.17.176.47": {
  8792. "x64": {
  8793. "BeaconType": "8 (HTTPS)",
  8794. "Port": "443",
  8795. "Polling": "60000",
  8796. "Jitter": "0",
  8797. "C2 Server": "scripts.arshmedicalfoundation.com,/dot.gif",
  8798. "HTTP Method Path 2": "/submit.php",
  8799. "Method1": "GET",
  8800. "Method2": "POST",
  8801. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8802. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8803. "Proxy_AccessType": "2 (Use IE settings)"
  8804. }
  8805. },
  8806. "3.19.26.213": {
  8807. "x86": {
  8808. "BeaconType": "8 (HTTPS)",
  8809. "Port": "443",
  8810. "Polling": "5000",
  8811. "Jitter": "0",
  8812. "C2 Server": "ec2-3-19-26-213.us-east-2.compute.amazonaws.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  8813. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  8814. "Method1": "GET",
  8815. "Method2": "POST",
  8816. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8817. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8818. "Proxy_AccessType": "2 (Use IE settings)"
  8819. }
  8820. },
  8821. "3.22.101.152": {
  8822. "x86": {
  8823. "BeaconType": "8 (HTTPS)",
  8824. "Port": "443",
  8825. "Polling": "30000",
  8826. "Jitter": "20",
  8827. "C2 Server": "d6qg530ok85uj.cloudfront.net,/safebrowsing/fp/X5dYOhqFrKn95vdkmSCHODPEuY9",
  8828. "HTTP Method Path 2": "/safebrowsing/fp/Xtsuqd9wDd34nVxGbIiRlzzODKYweAye7kEob",
  8829. "Method1": "GET",
  8830. "Method2": "POST",
  8831. "Spawnto_x86": "%windir%\\syswow64\\mcbuilder.exe",
  8832. "Spawnto_x64": "%windir%\\sysnative\\mcbuilder.exe",
  8833. "Proxy_AccessType": "2 (Use IE settings)"
  8834. },
  8835. "x64": {
  8836. "BeaconType": "8 (HTTPS)",
  8837. "Port": "443",
  8838. "Polling": "30000",
  8839. "Jitter": "20",
  8840. "C2 Server": "d6qg530ok85uj.cloudfront.net,/safebrowsing/fp/X5dYOhqFrKn95vdkmSCHODPEuY9",
  8841. "HTTP Method Path 2": "/safebrowsing/fp/Xtsuqd9wDd34nVxGbIiRlzzODKYweAye7kEob",
  8842. "Method1": "GET",
  8843. "Method2": "POST",
  8844. "Spawnto_x86": "%windir%\\syswow64\\mcbuilder.exe",
  8845. "Spawnto_x64": "%windir%\\sysnative\\mcbuilder.exe",
  8846. "Proxy_AccessType": "2 (Use IE settings)"
  8847. }
  8848. },
  8849. "3.231.164.70": {
  8850. "x64": {
  8851. "BeaconType": "8 (HTTPS)",
  8852. "Port": "443",
  8853. "Polling": "57970",
  8854. "Jitter": "43",
  8855. "Maxdns": "254",
  8856. "C2 Server": "k8s.containerkubernetes.com,/bm",
  8857. "User Agent": "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)",
  8858. "HTTP Method Path 2": "/br",
  8859. "Header1": "",
  8860. "Header2": "",
  8861. "PipeName": "",
  8862. "DNS Idle": "\\xB7\\x08(1",
  8863. "DNS Sleep": "0",
  8864. "Method1": "GET",
  8865. "Method2": "POST",
  8866. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  8867. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  8868. "Proxy_AccessType": "2 (Use IE settings)"
  8869. }
  8870. },
  8871. "3.234.215.191": {
  8872. "x64": {
  8873. "BeaconType": "8 (HTTPS)",
  8874. "Port": "443",
  8875. "Polling": "30000",
  8876. "Jitter": "10",
  8877. "C2 Server": "secure.kaysHealthAndBeautySense.com,/recipe.html",
  8878. "HTTP Method Path 2": "/italian",
  8879. "Method1": "GET",
  8880. "Method2": "POST",
  8881. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8882. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8883. "Proxy_AccessType": "2 (Use IE settings)"
  8884. }
  8885. },
  8886. "3.23.61.79": {
  8887. "x86": {
  8888. "BeaconType": "8 (HTTPS)",
  8889. "Port": "443",
  8890. "Polling": "41000",
  8891. "Jitter": "35",
  8892. "C2 Server": "3.23.61.79,/c/msdownload/update/others/2019/12/mVKMlUG03GFQfOJ2FZUYNYaNl",
  8893. "HTTP Method Path 2": "/msdownload/update/others/2019/12/lmT9iLxVAILu9XhSluVMNWXi9lAma",
  8894. "Method1": "GET",
  8895. "Method2": "POST",
  8896. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8897. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8898. "Proxy_AccessType": "2 (Use IE settings)"
  8899. },
  8900. "x64": {
  8901. "BeaconType": "8 (HTTPS)",
  8902. "Port": "443",
  8903. "Polling": "41000",
  8904. "Jitter": "35",
  8905. "C2 Server": "3.23.61.79,/c/msdownload/update/others/2019/12/mVKMlUG03GFQfOJ2FZUYNYaNl",
  8906. "HTTP Method Path 2": "/msdownload/update/others/2019/12/lmT9iLxVAILu9XhSluVMNWXi9lAma",
  8907. "Method1": "GET",
  8908. "Method2": "POST",
  8909. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  8910. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  8911. "Proxy_AccessType": "2 (Use IE settings)"
  8912. }
  8913. },
  8914. "3.236.230.152": {
  8915. "x86": {
  8916. "BeaconType": "8 (HTTPS)",
  8917. "Port": "443",
  8918. "Polling": "2700",
  8919. "Jitter": "11",
  8920. "Maxdns": "244",
  8921. "C2 Server": "www.pepsicoamerica.com,/preload",
  8922. "User Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB6 (.NET CLR 3.5.30729)",
  8923. "HTTP Method Path 2": "/sa",
  8924. "Header1": "",
  8925. "Header2": "",
  8926. "PipeName": "",
  8927. "DNS Idle": "\\x08\\x08\\x04\\x04",
  8928. "DNS Sleep": "0",
  8929. "Method1": "GET",
  8930. "Method2": "GET",
  8931. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8932. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8933. "Proxy_AccessType": "1 (Use direct connection)"
  8934. },
  8935. "x64": {
  8936. "BeaconType": "8 (HTTPS)",
  8937. "Port": "443",
  8938. "Polling": "2700",
  8939. "Jitter": "11",
  8940. "Maxdns": "244",
  8941. "C2 Server": "www.pepsicoamerica.com,/preload",
  8942. "User Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB6 (.NET CLR 3.5.30729)",
  8943. "HTTP Method Path 2": "/sa",
  8944. "Header1": "",
  8945. "Header2": "",
  8946. "PipeName": "",
  8947. "DNS Idle": "\\x08\\x08\\x04\\x04",
  8948. "DNS Sleep": "0",
  8949. "Method1": "GET",
  8950. "Method2": "GET",
  8951. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  8952. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  8953. "Proxy_AccessType": "1 (Use direct connection)"
  8954. }
  8955. },
  8956. "3.237.38.249": {
  8957. "x86": {
  8958. "BeaconType": "8 (HTTPS)",
  8959. "Port": "443",
  8960. "Polling": "45000",
  8961. "Jitter": "20",
  8962. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/page.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/process.jsp",
  8963. "HTTP Method Path 2": "/search.jsp",
  8964. "Method1": "GET",
  8965. "Method2": "POST",
  8966. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  8967. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  8968. "Proxy_AccessType": "2 (Use IE settings)"
  8969. },
  8970. "x64": {
  8971. "BeaconType": "8 (HTTPS)",
  8972. "Port": "443",
  8973. "Polling": "45000",
  8974. "Jitter": "20",
  8975. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/process.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/user.jsp",
  8976. "HTTP Method Path 2": "/parse.jsp",
  8977. "Method1": "GET",
  8978. "Method2": "POST",
  8979. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  8980. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  8981. "Proxy_AccessType": "2 (Use IE settings)"
  8982. }
  8983. },
  8984. "3.250.193.216": {
  8985. "x86": {
  8986. "BeaconType": "8 (HTTPS)",
  8987. "Port": "443",
  8988. "Polling": "400",
  8989. "Jitter": "12",
  8990. "C2 Server": "ehrclient-canary.teams.microsoft.com,/s/ref=nb_sb_noss_1/698-71218292-1534620/field-keywords=point",
  8991. "HTTP Method Path 2": "/N5819/adj/amzn.us.sr.aps",
  8992. "Method1": "GET",
  8993. "Method2": "POST",
  8994. "Spawnto_x86": "%windir%\\syswow64\\net.exe",
  8995. "Spawnto_x64": "%windir%\\sysnative\\net.exe",
  8996. "Proxy_AccessType": "2 (Use IE settings)"
  8997. },
  8998. "x64": {
  8999. "BeaconType": "8 (HTTPS)",
  9000. "Port": "443",
  9001. "Polling": "400",
  9002. "Jitter": "12",
  9003. "C2 Server": "ehrclient-canary.teams.microsoft.com,/s/ref=nb_sb_noss_1/698-71218292-1534620/field-keywords=point",
  9004. "HTTP Method Path 2": "/N5819/adj/amzn.us.sr.aps",
  9005. "Method1": "GET",
  9006. "Method2": "POST",
  9007. "Spawnto_x86": "%windir%\\syswow64\\net.exe",
  9008. "Spawnto_x64": "%windir%\\sysnative\\net.exe",
  9009. "Proxy_AccessType": "2 (Use IE settings)"
  9010. }
  9011. },
  9012. "3.25.232.105": {
  9013. "x86": {
  9014. "BeaconType": "8 (HTTPS)",
  9015. "Port": "443",
  9016. "Polling": "5000",
  9017. "Jitter": "0",
  9018. "C2 Server": "blog.widetechworld.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  9019. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  9020. "Method1": "GET",
  9021. "Method2": "POST",
  9022. "Spawnto_x86": "C:\\Windows\\syswow64\\svchost.exe -k localservice -p -s fdPHost",
  9023. "Spawnto_x64": "C:\\Windows\\sysnative\\svchost.exe -k localservice -p -s fdPHost",
  9024. "Proxy_AccessType": "2 (Use IE settings)"
  9025. }
  9026. },
  9027. "34.121.230.223": {
  9028. "x64": {
  9029. "BeaconType": "8 (HTTPS)",
  9030. "Port": "443",
  9031. "Polling": "60000",
  9032. "Jitter": "0",
  9033. "Maxdns": "255",
  9034. "C2 Server": "about.inno-finance.com,/cx",
  9035. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)",
  9036. "HTTP Method Path 2": "/submit.php",
  9037. "Header1": "",
  9038. "Header2": "",
  9039. "PipeName": "",
  9040. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9041. "DNS Sleep": "0",
  9042. "Method1": "GET",
  9043. "Method2": "POST",
  9044. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9045. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9046. "Proxy_AccessType": "2 (Use IE settings)"
  9047. }
  9048. },
  9049. "34.200.243.234": {
  9050. "x86": {
  9051. "BeaconType": "8 (HTTPS)",
  9052. "Port": "443",
  9053. "Polling": "60000",
  9054. "Jitter": "20",
  9055. "C2 Server": "api.bcbshealth.care,/complete/search",
  9056. "HTTP Method Path 2": "/Complete_Search",
  9057. "Method1": "GET",
  9058. "Method2": "POST",
  9059. "Spawnto_x86": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
  9060. "Spawnto_x64": "C:\\Program Files\\internet explorer\\iexplore.exe",
  9061. "Proxy_AccessType": "2 (Use IE settings)"
  9062. }
  9063. },
  9064. "34.201.140.145": {
  9065. "x64": {
  9066. "BeaconType": "8 (HTTPS)",
  9067. "Port": "443",
  9068. "Polling": "60000",
  9069. "Jitter": "15",
  9070. "Maxdns": "255",
  9071. "C2 Server": "34.201.140.145,/_/scs/mail-static/_/js/",
  9072. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
  9073. "HTTP Method Path 2": "/mail/u/0/",
  9074. "Header1": "",
  9075. "Header2": "",
  9076. "PipeName": "",
  9077. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9078. "DNS Sleep": "0",
  9079. "Method1": "GET",
  9080. "Method2": "POST",
  9081. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9082. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9083. "Proxy_AccessType": "2 (Use IE settings)"
  9084. }
  9085. },
  9086. "34.203.235.59": {
  9087. "x86": {
  9088. "BeaconType": "8 (HTTPS)",
  9089. "Port": "443",
  9090. "Polling": "20000",
  9091. "Jitter": "20",
  9092. "C2 Server": "sitehealthcheck.org,/oscp/",
  9093. "HTTP Method Path 2": "/oscp/a/",
  9094. "Method1": "GET",
  9095. "Method2": "POST",
  9096. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9097. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9098. "Proxy_AccessType": "2 (Use IE settings)"
  9099. },
  9100. "x64": {
  9101. "BeaconType": "8 (HTTPS)",
  9102. "Port": "443",
  9103. "Polling": "20000",
  9104. "Jitter": "20",
  9105. "C2 Server": "sitehealthcheck.org,/oscp/",
  9106. "HTTP Method Path 2": "/oscp/a/",
  9107. "Method1": "GET",
  9108. "Method2": "POST",
  9109. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9110. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9111. "Proxy_AccessType": "2 (Use IE settings)"
  9112. }
  9113. },
  9114. "34.211.110.219": {
  9115. "x86": {
  9116. "BeaconType": "8 (HTTPS)",
  9117. "Port": "443",
  9118. "Polling": "60000",
  9119. "Jitter": "0",
  9120. "Maxdns": "255",
  9121. "C2 Server": "nelnetbanks.com,/fwlink",
  9122. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)",
  9123. "HTTP Method Path 2": "/submit.php",
  9124. "Header1": "",
  9125. "Header2": "",
  9126. "PipeName": "",
  9127. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9128. "DNS Sleep": "0",
  9129. "Method1": "GET",
  9130. "Method2": "POST",
  9131. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9132. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9133. "Proxy_AccessType": "2 (Use IE settings)"
  9134. }
  9135. },
  9136. "34.212.57.1": {
  9137. "x86": {
  9138. "BeaconType": "8 (HTTPS)",
  9139. "Port": "443",
  9140. "Polling": "60000",
  9141. "Jitter": "0",
  9142. "C2 Server": "ec2-34-212-57-1.us-west-2.compute.amazonaws.com,/ptj",
  9143. "HTTP Method Path 2": "/submit.php",
  9144. "Method1": "GET",
  9145. "Method2": "POST",
  9146. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9147. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9148. "Proxy_AccessType": "2 (Use IE settings)"
  9149. }
  9150. },
  9151. "34.217.5.107": {
  9152. "x86": {
  9153. "BeaconType": "8 (HTTPS)",
  9154. "Port": "443",
  9155. "Polling": "30000",
  9156. "Jitter": "50",
  9157. "Maxdns": "255",
  9158. "C2 Server": "secure.carestreamhealthcare.com,/__utm.gif",
  9159. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9160. "HTTP Method Path 2": "/___utm.gif",
  9161. "Header1": "",
  9162. "Header2": "",
  9163. "PipeName": "",
  9164. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9165. "DNS Sleep": "0",
  9166. "Method1": "GET",
  9167. "Method2": "POST",
  9168. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  9169. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  9170. "Proxy_AccessType": "2 (Use IE settings)"
  9171. }
  9172. },
  9173. "34.222.203.112": {
  9174. "x86": {
  9175. "BeaconType": "8 (HTTPS)",
  9176. "Port": "443",
  9177. "Polling": "5400",
  9178. "Jitter": "12",
  9179. "C2 Server": "creditnetfinance.com,/rs-apps/assets/images/portfolio",
  9180. "HTTP Method Path 2": "/next-api/graphql",
  9181. "Method1": "GET",
  9182. "Method2": "POST",
  9183. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9184. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9185. "Proxy_AccessType": "2 (Use IE settings)"
  9186. },
  9187. "x64": {
  9188. "BeaconType": "8 (HTTPS)",
  9189. "Port": "443",
  9190. "Polling": "5400",
  9191. "Jitter": "12",
  9192. "C2 Server": "creditnetfinance.com,/rs-apps/assets/images/portfolio",
  9193. "HTTP Method Path 2": "/next-api/graphql",
  9194. "Method1": "GET",
  9195. "Method2": "POST",
  9196. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9197. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9198. "Proxy_AccessType": "2 (Use IE settings)"
  9199. }
  9200. },
  9201. "34.238.192.43": {
  9202. "x86": {
  9203. "BeaconType": "8 (HTTPS)",
  9204. "Port": "443",
  9205. "Polling": "32051",
  9206. "Jitter": "57",
  9207. "Maxdns": "255",
  9208. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9209. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9210. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9211. "Header1": "",
  9212. "Header2": "",
  9213. "PipeName": "",
  9214. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9215. "DNS Sleep": "0",
  9216. "Method1": "GET",
  9217. "Method2": "POST",
  9218. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9219. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9220. "Proxy_AccessType": "2 (Use IE settings)"
  9221. },
  9222. "x64": {
  9223. "BeaconType": "8 (HTTPS)",
  9224. "Port": "443",
  9225. "Polling": "32051",
  9226. "Jitter": "57",
  9227. "Maxdns": "255",
  9228. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9229. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9230. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9231. "Header1": "",
  9232. "Header2": "",
  9233. "PipeName": "",
  9234. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9235. "DNS Sleep": "0",
  9236. "Method1": "GET",
  9237. "Method2": "POST",
  9238. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9239. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9240. "Proxy_AccessType": "2 (Use IE settings)"
  9241. }
  9242. },
  9243. "34.80.40.66": {
  9244. "x86": {
  9245. "BeaconType": "8 (HTTPS)",
  9246. "Port": "443",
  9247. "Polling": "25000",
  9248. "Jitter": "5",
  9249. "Maxdns": "255",
  9250. "C2 Server": "www.huijingwifi.com,/link",
  9251. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3835.79",
  9252. "HTTP Method Path 2": "/images/",
  9253. "Header1": "",
  9254. "Header2": "",
  9255. "PipeName": "",
  9256. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9257. "DNS Sleep": "0",
  9258. "Method1": "GET",
  9259. "Method2": "POST",
  9260. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9261. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9262. "Proxy_AccessType": "2 (Use IE settings)"
  9263. }
  9264. },
  9265. "35.158.118.182": {
  9266. "x86": {
  9267. "BeaconType": "8 (HTTPS)",
  9268. "Port": "443",
  9269. "Polling": "60000",
  9270. "Jitter": "15",
  9271. "C2 Server": "cob.maranshipssupplies.com,/_/scs/mail-static/_/js/",
  9272. "HTTP Method Path 2": "/mail/u/0/",
  9273. "Method1": "GET",
  9274. "Method2": "POST",
  9275. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9276. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9277. "Proxy_AccessType": "2 (Use IE settings)"
  9278. }
  9279. },
  9280. "35.158.226.16": {
  9281. "x86": {
  9282. "BeaconType": "8 (HTTPS)",
  9283. "Port": "443",
  9284. "Polling": "5000",
  9285. "Jitter": "10",
  9286. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  9287. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  9288. "Method1": "GET",
  9289. "Method2": "POST",
  9290. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  9291. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9292. "Proxy_AccessType": "2 (Use IE settings)"
  9293. },
  9294. "x64": {
  9295. "BeaconType": "8 (HTTPS)",
  9296. "Port": "443",
  9297. "Polling": "5000",
  9298. "Jitter": "10",
  9299. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  9300. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  9301. "Method1": "GET",
  9302. "Method2": "POST",
  9303. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  9304. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9305. "Proxy_AccessType": "2 (Use IE settings)"
  9306. }
  9307. },
  9308. "35.176.207.20": {
  9309. "x86": {
  9310. "BeaconType": "8 (HTTPS)",
  9311. "Port": "443",
  9312. "Polling": "60000",
  9313. "Jitter": "20",
  9314. "Maxdns": "235",
  9315. "C2 Server": "35.176.207.20,/c/msdownload/update/others/2016/12/29136388_",
  9316. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  9317. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  9318. "Header1": "",
  9319. "Header2": "",
  9320. "PipeName": "",
  9321. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9322. "DNS Sleep": "0",
  9323. "Method1": "GET",
  9324. "Method2": "GET",
  9325. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  9326. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  9327. "Proxy_AccessType": "2 (Use IE settings)"
  9328. },
  9329. "x64": {
  9330. "BeaconType": "8 (HTTPS)",
  9331. "Port": "443",
  9332. "Polling": "60000",
  9333. "Jitter": "20",
  9334. "Maxdns": "235",
  9335. "C2 Server": "35.176.207.20,/c/msdownload/update/others/2016/12/29136388_",
  9336. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  9337. "HTTP Method Path 2": "/c/msdownload/update/others/2016/12/3215234_",
  9338. "Header1": "",
  9339. "Header2": "",
  9340. "PipeName": "",
  9341. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9342. "DNS Sleep": "0",
  9343. "Method1": "GET",
  9344. "Method2": "GET",
  9345. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  9346. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  9347. "Proxy_AccessType": "2 (Use IE settings)"
  9348. }
  9349. },
  9350. "35.192.90.50": {
  9351. "x86": {
  9352. "BeaconType": "8 (HTTPS)",
  9353. "Port": "443",
  9354. "Polling": "55647",
  9355. "Jitter": "39",
  9356. "Maxdns": "254",
  9357. "C2 Server": "recovery.healthfitconnection.com,/ticket",
  9358. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  9359. "HTTP Method Path 2": "/wwwboard",
  9360. "Header1": "",
  9361. "Header2": "",
  9362. "PipeName": "",
  9363. "DNS Idle": "D@\\xE68",
  9364. "DNS Sleep": "0",
  9365. "Method1": "GET",
  9366. "Method2": "POST",
  9367. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9368. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9369. "Proxy_AccessType": "2 (Use IE settings)"
  9370. }
  9371. },
  9372. "35.193.193.149": {
  9373. "x86": {
  9374. "BeaconType": "8 (HTTPS)",
  9375. "Port": "443",
  9376. "Polling": "60000",
  9377. "Jitter": "0",
  9378. "Maxdns": "255",
  9379. "C2 Server": "35.193.193.149,/dot.gif",
  9380. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)",
  9381. "HTTP Method Path 2": "/submit.php",
  9382. "Header1": "",
  9383. "Header2": "",
  9384. "PipeName": "",
  9385. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9386. "DNS Sleep": "0",
  9387. "Method1": "GET",
  9388. "Method2": "POST",
  9389. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9390. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9391. "Proxy_AccessType": "2 (Use IE settings)"
  9392. }
  9393. },
  9394. "35.221.158.178": {
  9395. "x86": {
  9396. "BeaconType": "8 (HTTPS)",
  9397. "Port": "443",
  9398. "Polling": "60000",
  9399. "Jitter": "0",
  9400. "Maxdns": "255",
  9401. "C2 Server": "35.221.158.178,/ptj",
  9402. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7)",
  9403. "HTTP Method Path 2": "/submit.php",
  9404. "Header1": "",
  9405. "Header2": "",
  9406. "PipeName": "",
  9407. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9408. "DNS Sleep": "0",
  9409. "Method1": "GET",
  9410. "Method2": "POST",
  9411. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9412. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9413. "Proxy_AccessType": "2 (Use IE settings)"
  9414. }
  9415. },
  9416. "35.241.143.134": {
  9417. "x64": {
  9418. "BeaconType": "8 (HTTPS)",
  9419. "Port": "443",
  9420. "Polling": "60000",
  9421. "Jitter": "20",
  9422. "Maxdns": "235",
  9423. "C2 Server": "control.commanderinthe.cloud,/search/",
  9424. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  9425. "HTTP Method Path 2": "/Search/",
  9426. "Header1": "",
  9427. "Header2": "",
  9428. "PipeName": "",
  9429. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9430. "DNS Sleep": "0",
  9431. "Method1": "GET",
  9432. "Method2": "GET",
  9433. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9434. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9435. "Proxy_AccessType": "2 (Use IE settings)"
  9436. }
  9437. },
  9438. "37.252.120.101": {
  9439. "x64": {
  9440. "BeaconType": "8 (HTTPS)",
  9441. "Port": "443",
  9442. "Polling": "10000",
  9443. "Jitter": "15",
  9444. "Maxdns": "255",
  9445. "C2 Server": "37.252.120.101,/resolve/alter/",
  9446. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)",
  9447. "HTTP Method Path 2": "/client/real/",
  9448. "Header1": "",
  9449. "Header2": "",
  9450. "PipeName": "",
  9451. "DNS Idle": "\\x08\\x08\\x04\\x04",
  9452. "DNS Sleep": "0",
  9453. "Method1": "GET",
  9454. "Method2": "POST",
  9455. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9456. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9457. "Proxy_AccessType": "2 (Use IE settings)"
  9458. }
  9459. },
  9460. "38.100.141.131": {
  9461. "x86": {
  9462. "BeaconType": "8 (HTTPS)",
  9463. "Port": "443",
  9464. "Polling": "15000",
  9465. "Jitter": "90",
  9466. "Maxdns": "225",
  9467. "C2 Server": "ecnads1.msn.com,/api2/json/access/ticket",
  9468. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9469. "HTTP Method Path 2": "/gp/aw/ybh/handlers",
  9470. "Header1": "",
  9471. "Header2": "",
  9472. "PipeName": "",
  9473. "DNS Idle": "h\\xD8<\\x84",
  9474. "DNS Sleep": "0",
  9475. "Method1": "GET",
  9476. "Method2": "POST",
  9477. "Spawnto_x86": "%windir%\\syswow64\\SearchProtocolHost.exe",
  9478. "Spawnto_x64": "%windir%\\sysnative\\SearchProtocolHost.exe",
  9479. "Proxy_AccessType": "2 (Use IE settings)"
  9480. }
  9481. },
  9482. "3.85.60.172": {
  9483. "x86": {
  9484. "BeaconType": "8 (HTTPS)",
  9485. "Port": "443",
  9486. "Polling": "32051",
  9487. "Jitter": "57",
  9488. "Maxdns": "255",
  9489. "C2 Server": "banking.capitalviewfinance.com,/jquery-1.12.1.min.js",
  9490. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9491. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9492. "Header1": "",
  9493. "Header2": "",
  9494. "PipeName": "",
  9495. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9496. "DNS Sleep": "0",
  9497. "Method1": "GET",
  9498. "Method2": "POST",
  9499. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9500. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9501. "Proxy_AccessType": "2 (Use IE settings)"
  9502. }
  9503. },
  9504. "3.86.2.34": {
  9505. "x86": {
  9506. "BeaconType": "8 (HTTPS)",
  9507. "Port": "443",
  9508. "Polling": "5400",
  9509. "Jitter": "12",
  9510. "Maxdns": "255",
  9511. "C2 Server": "roofstock-cdn5.azureedge.net,/rs-apps/assets/images/portfolio",
  9512. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9513. "HTTP Method Path 2": "/next-api/graphql",
  9514. "Header1": "",
  9515. "Header2": "",
  9516. "PipeName": "",
  9517. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9518. "DNS Sleep": "0",
  9519. "Method1": "GET",
  9520. "Method2": "POST",
  9521. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9522. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9523. "Proxy_AccessType": "2 (Use IE settings)"
  9524. },
  9525. "x64": {
  9526. "BeaconType": "8 (HTTPS)",
  9527. "Port": "443",
  9528. "Polling": "5400",
  9529. "Jitter": "12",
  9530. "Maxdns": "255",
  9531. "C2 Server": "roofstock-cdn5.azureedge.net,/rs-apps/assets/images/portfolio",
  9532. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9533. "HTTP Method Path 2": "/next-api/graphql",
  9534. "Header1": "",
  9535. "Header2": "",
  9536. "PipeName": "",
  9537. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9538. "DNS Sleep": "0",
  9539. "Method1": "GET",
  9540. "Method2": "POST",
  9541. "Spawnto_x86": "%windir%\\syswow64\\upnpcont.exe",
  9542. "Spawnto_x64": "%windir%\\sysnative\\upnpcont.exe",
  9543. "Proxy_AccessType": "2 (Use IE settings)"
  9544. }
  9545. },
  9546. "39.108.229.236": {
  9547. "x86": {
  9548. "BeaconType": "8 (HTTPS)",
  9549. "Port": "443",
  9550. "Polling": "60000",
  9551. "Jitter": "0",
  9552. "Maxdns": "255",
  9553. "C2 Server": "39.108.229.236,/match",
  9554. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)",
  9555. "HTTP Method Path 2": "/submit.php",
  9556. "Header1": "",
  9557. "Header2": "",
  9558. "PipeName": "",
  9559. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9560. "DNS Sleep": "0",
  9561. "Method1": "GET",
  9562. "Method2": "POST",
  9563. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9564. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9565. "Proxy_AccessType": "2 (Use IE settings)"
  9566. }
  9567. },
  9568. "3.95.159.27": {
  9569. "x86": {
  9570. "BeaconType": "8 (HTTPS)",
  9571. "Port": "443",
  9572. "Polling": "32051",
  9573. "Jitter": "57",
  9574. "Maxdns": "255",
  9575. "C2 Server": "sharkfishinguk.com,/jquery-1.12.1.min.js",
  9576. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36 Edg/80.0.361.62",
  9577. "HTTP Method Path 2": "/jquery-1.12.2.min.js",
  9578. "Header1": "",
  9579. "Header2": "",
  9580. "PipeName": "",
  9581. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9582. "DNS Sleep": "0",
  9583. "Method1": "GET",
  9584. "Method2": "POST",
  9585. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  9586. "Spawnto_x64": "%windir%\\sysnative\\spoolsv.exe",
  9587. "Proxy_AccessType": "2 (Use IE settings)"
  9588. }
  9589. },
  9590. "39.98.84.58": {
  9591. "x86": {
  9592. "BeaconType": "8 (HTTPS)",
  9593. "Port": "443",
  9594. "Polling": "5000",
  9595. "Jitter": "0",
  9596. "Maxdns": "255",
  9597. "C2 Server": "www.microport.com.cn,/zC",
  9598. "User Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9599. "HTTP Method Path 2": "/dE",
  9600. "Header1": "",
  9601. "Header2": "",
  9602. "PipeName": "",
  9603. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9604. "DNS Sleep": "0",
  9605. "Method1": "GET",
  9606. "Method2": "POST",
  9607. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9608. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9609. "Proxy_AccessType": "2 (Use IE settings)"
  9610. }
  9611. },
  9612. "39.99.60.123": {
  9613. "x64": {
  9614. "BeaconType": "8 (HTTPS)",
  9615. "Port": "443",
  9616. "Polling": "60000",
  9617. "Jitter": "0",
  9618. "Maxdns": "255",
  9619. "C2 Server": "39.99.60.123,/cx",
  9620. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MDDCJS)",
  9621. "HTTP Method Path 2": "/submit.php",
  9622. "Header1": "",
  9623. "Header2": "",
  9624. "PipeName": "",
  9625. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9626. "DNS Sleep": "0",
  9627. "Method1": "GET",
  9628. "Method2": "POST",
  9629. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9630. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9631. "Proxy_AccessType": "2 (Use IE settings)"
  9632. }
  9633. },
  9634. "40.113.217.182": {
  9635. "x86": {
  9636. "BeaconType": "8 (HTTPS)",
  9637. "Port": "443",
  9638. "Polling": "60000",
  9639. "Jitter": "0",
  9640. "C2 Server": "40.113.217.182,/__utm.gif",
  9641. "HTTP Method Path 2": "/___utm.gif",
  9642. "Method1": "GET",
  9643. "Method2": "POST",
  9644. "Spawnto_x86": "%windir%\\syswow64\\explorer.exe",
  9645. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  9646. "Proxy_AccessType": "2 (Use IE settings)"
  9647. },
  9648. "x64": {
  9649. "BeaconType": "8 (HTTPS)",
  9650. "Port": "443",
  9651. "Polling": "60000",
  9652. "Jitter": "0",
  9653. "C2 Server": "40.113.217.182,/__utm.gif",
  9654. "HTTP Method Path 2": "/___utm.gif",
  9655. "Method1": "GET",
  9656. "Method2": "POST",
  9657. "Spawnto_x86": "%windir%\\syswow64\\explorer.exe",
  9658. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  9659. "Proxy_AccessType": "2 (Use IE settings)"
  9660. }
  9661. },
  9662. "40.117.40.46": {
  9663. "x64": {
  9664. "BeaconType": "8 (HTTPS)",
  9665. "Port": "443",
  9666. "Polling": "5000",
  9667. "Jitter": "0",
  9668. "Maxdns": "255",
  9669. "C2 Server": "wmjdvuif.limyonly.me,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  9670. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  9671. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  9672. "Header1": "",
  9673. "Header2": "",
  9674. "PipeName": "",
  9675. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9676. "DNS Sleep": "0",
  9677. "Method1": "GET",
  9678. "Method2": "POST",
  9679. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  9680. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  9681. "Proxy_AccessType": "2 (Use IE settings)"
  9682. }
  9683. },
  9684. "40.122.106.213": {
  9685. "x64": {
  9686. "BeaconType": "8 (HTTPS)",
  9687. "Port": "443",
  9688. "Polling": "37000",
  9689. "Jitter": "25",
  9690. "C2 Server": "api.aperture.network,/functionalStatus",
  9691. "HTTP Method Path 2": "/rest/2/meetings",
  9692. "Method1": "GET",
  9693. "Method2": "POST",
  9694. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  9695. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  9696. "Proxy_AccessType": "2 (Use IE settings)"
  9697. }
  9698. },
  9699. "43.240.15.68": {
  9700. "x86": {
  9701. "BeaconType": "8 (HTTPS)",
  9702. "Port": "443",
  9703. "Polling": "60000",
  9704. "Jitter": "0",
  9705. "Maxdns": "255",
  9706. "C2 Server": "5.180.99.65,/dot.gif",
  9707. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)",
  9708. "HTTP Method Path 2": "/submit.php",
  9709. "Header1": "",
  9710. "Header2": "",
  9711. "PipeName": "",
  9712. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9713. "DNS Sleep": "0",
  9714. "Method1": "GET",
  9715. "Method2": "POST",
  9716. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9717. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9718. "Proxy_AccessType": "2 (Use IE settings)"
  9719. }
  9720. },
  9721. "43.243.171.226": {
  9722. "x86": {
  9723. "BeaconType": "8 (HTTPS)",
  9724. "Port": "443",
  9725. "Polling": "5000",
  9726. "Jitter": "30",
  9727. "Maxdns": "255",
  9728. "C2 Server": "43.243.171.226,/cache/global/img/aladdinIcon-1.0.gif",
  9729. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36",
  9730. "HTTP Method Path 2": "/link",
  9731. "Header1": "",
  9732. "Header2": "",
  9733. "PipeName": "",
  9734. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9735. "DNS Sleep": "0",
  9736. "Method1": "GET",
  9737. "Method2": "GET",
  9738. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9739. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9740. "Proxy_AccessType": "2 (Use IE settings)"
  9741. },
  9742. "x64": {
  9743. "BeaconType": "8 (HTTPS)",
  9744. "Port": "443",
  9745. "Polling": "5000",
  9746. "Jitter": "30",
  9747. "Maxdns": "255",
  9748. "C2 Server": "43.243.171.226,/cache/global/img/aladdinIcon-1.0.gif",
  9749. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36",
  9750. "HTTP Method Path 2": "/link",
  9751. "Header1": "",
  9752. "Header2": "",
  9753. "PipeName": "",
  9754. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9755. "DNS Sleep": "0",
  9756. "Method1": "GET",
  9757. "Method2": "GET",
  9758. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9759. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9760. "Proxy_AccessType": "2 (Use IE settings)"
  9761. }
  9762. },
  9763. "44.231.58.231": {
  9764. "x86": {
  9765. "BeaconType": "8 (HTTPS)",
  9766. "Port": "443",
  9767. "Polling": "60000",
  9768. "Jitter": "0",
  9769. "Maxdns": "225",
  9770. "C2 Server": "dist.nuget.org,/cgi-bin/certstore/,ajax.aspnetcdn.com,/cgi-bin/certstore/",
  9771. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36",
  9772. "HTTP Method Path 2": "/pem/office.microsoft.com/",
  9773. "Header1": "",
  9774. "Header2": "",
  9775. "PipeName": "",
  9776. "DNS Idle": "(pH\\xCD",
  9777. "DNS Sleep": "0",
  9778. "Method1": "GET",
  9779. "Method2": "POST",
  9780. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9781. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9782. "Proxy_AccessType": "2 (Use IE settings)"
  9783. },
  9784. "x64": {
  9785. "BeaconType": "8 (HTTPS)",
  9786. "Port": "443",
  9787. "Polling": "60000",
  9788. "Jitter": "0",
  9789. "Maxdns": "225",
  9790. "C2 Server": "dist.nuget.org,/cgi-bin/certstore/,ajax.aspnetcdn.com,/cgi-bin/certstore/",
  9791. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36",
  9792. "HTTP Method Path 2": "/pem/office.microsoft.com/",
  9793. "Header1": "",
  9794. "Header2": "",
  9795. "PipeName": "",
  9796. "DNS Idle": "(pH\\xCD",
  9797. "DNS Sleep": "0",
  9798. "Method1": "GET",
  9799. "Method2": "POST",
  9800. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9801. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9802. "Proxy_AccessType": "2 (Use IE settings)"
  9803. }
  9804. },
  9805. "44.234.72.246": {
  9806. "x64": {
  9807. "BeaconType": "8 (HTTPS)",
  9808. "Port": "443",
  9809. "Polling": "60000",
  9810. "Jitter": "0",
  9811. "Maxdns": "255",
  9812. "C2 Server": "44.234.72.246,/cx",
  9813. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)",
  9814. "HTTP Method Path 2": "/submit.php",
  9815. "Header1": "",
  9816. "Header2": "",
  9817. "PipeName": "",
  9818. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9819. "DNS Sleep": "0",
  9820. "Method1": "GET",
  9821. "Method2": "POST",
  9822. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9823. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9824. "Proxy_AccessType": "2 (Use IE settings)"
  9825. }
  9826. },
  9827. "45.128.156.102": {
  9828. "x86": {
  9829. "BeaconType": "8 (HTTPS)",
  9830. "Port": "443",
  9831. "Polling": "5000",
  9832. "Jitter": "10",
  9833. "Maxdns": "235",
  9834. "C2 Server": "mixdir.com,/us/ky/louisville/312-s-fourth-st.html",
  9835. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  9836. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  9837. "Header1": "",
  9838. "Header2": "",
  9839. "PipeName": "",
  9840. "DNS Idle": "\\x08\\x08\\x08\\x08",
  9841. "DNS Sleep": "0",
  9842. "Method1": "GET",
  9843. "Method2": "POST",
  9844. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  9845. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  9846. "Proxy_AccessType": "2 (Use IE settings)"
  9847. }
  9848. },
  9849. "45.138.172.80": {
  9850. "x64": {
  9851. "BeaconType": "8 (HTTPS)",
  9852. "Port": "443",
  9853. "Polling": "57000",
  9854. "Jitter": "41",
  9855. "C2 Server": "meadowstonto.com,/fo.html",
  9856. "HTTP Method Path 2": "/default",
  9857. "Method1": "GET",
  9858. "Method2": "POST",
  9859. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9860. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9861. "Proxy_AccessType": "2 (Use IE settings)"
  9862. }
  9863. },
  9864. "45.14.149.202": {
  9865. "x86": {
  9866. "BeaconType": "8 (HTTPS)",
  9867. "Port": "443",
  9868. "Polling": "60000",
  9869. "Jitter": "0",
  9870. "Maxdns": "255",
  9871. "C2 Server": "45.14.149.202,/activity",
  9872. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)",
  9873. "HTTP Method Path 2": "/submit.php",
  9874. "Header1": "",
  9875. "Header2": "",
  9876. "PipeName": "",
  9877. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9878. "DNS Sleep": "0",
  9879. "Method1": "GET",
  9880. "Method2": "POST",
  9881. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9882. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9883. "Proxy_AccessType": "2 (Use IE settings)"
  9884. },
  9885. "x64": {
  9886. "BeaconType": "8 (HTTPS)",
  9887. "Port": "443",
  9888. "Polling": "60000",
  9889. "Jitter": "0",
  9890. "Maxdns": "255",
  9891. "C2 Server": "45.14.149.202,/pixel.gif",
  9892. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
  9893. "HTTP Method Path 2": "/submit.php",
  9894. "Header1": "",
  9895. "Header2": "",
  9896. "PipeName": "",
  9897. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9898. "DNS Sleep": "0",
  9899. "Method1": "GET",
  9900. "Method2": "POST",
  9901. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9902. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9903. "Proxy_AccessType": "2 (Use IE settings)"
  9904. }
  9905. },
  9906. "45.141.84.32": {
  9907. "x86": {
  9908. "BeaconType": "8 (HTTPS)",
  9909. "Port": "443",
  9910. "Polling": "60000",
  9911. "Jitter": "0",
  9912. "Maxdns": "255",
  9913. "C2 Server": "45.141.84.32,/IE9CompatViewList.xml",
  9914. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)",
  9915. "HTTP Method Path 2": "/submit.php",
  9916. "Header1": "",
  9917. "Header2": "",
  9918. "PipeName": "",
  9919. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9920. "DNS Sleep": "0",
  9921. "Method1": "GET",
  9922. "Method2": "POST",
  9923. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9924. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9925. "Proxy_AccessType": "2 (Use IE settings)"
  9926. }
  9927. },
  9928. "45.146.165.140": {
  9929. "x86": {
  9930. "BeaconType": "8 (HTTPS)",
  9931. "Port": "443",
  9932. "Polling": "60000",
  9933. "Jitter": "0",
  9934. "Maxdns": "255",
  9935. "C2 Server": "45.146.165.140,/IE9CompatViewList.xml",
  9936. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  9937. "HTTP Method Path 2": "/submit.php",
  9938. "Header1": "",
  9939. "Header2": "",
  9940. "PipeName": "",
  9941. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9942. "DNS Sleep": "0",
  9943. "Method1": "GET",
  9944. "Method2": "POST",
  9945. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9946. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9947. "Proxy_AccessType": "2 (Use IE settings)"
  9948. }
  9949. },
  9950. "45.147.229.44": {
  9951. "x86": {
  9952. "BeaconType": "8 (HTTPS)",
  9953. "Port": "443",
  9954. "Polling": "60283",
  9955. "Jitter": "39",
  9956. "Maxdns": "249",
  9957. "C2 Server": "mn.backup-helper.com,/template.css,nm.backup-helper.com,/fam_calendar.css,ws.backup-helper.com,/fam_calendar.css",
  9958. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
  9959. "HTTP Method Path 2": "/gv",
  9960. "Header1": "",
  9961. "Header2": "",
  9962. "PipeName": "",
  9963. "DNS Idle": "\\x1E\\xBEI\\x86",
  9964. "DNS Sleep": "0",
  9965. "Method1": "GET",
  9966. "Method2": "POST",
  9967. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  9968. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  9969. "Proxy_AccessType": "2 (Use IE settings)"
  9970. }
  9971. },
  9972. "45.147.230.0": {
  9973. "x86": {
  9974. "BeaconType": "8 (HTTPS)",
  9975. "Port": "443",
  9976. "Polling": "60000",
  9977. "Jitter": "0",
  9978. "Maxdns": "255",
  9979. "C2 Server": "amajai-technologies.online,/push",
  9980. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  9981. "HTTP Method Path 2": "/submit.php",
  9982. "Header1": "",
  9983. "Header2": "",
  9984. "PipeName": "",
  9985. "DNS Idle": "\\x00\\x00\\x00\\x00",
  9986. "DNS Sleep": "0",
  9987. "Method1": "GET",
  9988. "Method2": "POST",
  9989. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  9990. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  9991. "Proxy_AccessType": "2 (Use IE settings)"
  9992. },
  9993. "x64": {
  9994. "BeaconType": "8 (HTTPS)",
  9995. "Port": "443",
  9996. "Polling": "60000",
  9997. "Jitter": "0",
  9998. "Maxdns": "255",
  9999. "C2 Server": "amajai-technologies.online,/en_US/all.js",
  10000. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; Avant Browser)",
  10001. "HTTP Method Path 2": "/submit.php",
  10002. "Header1": "",
  10003. "Header2": "",
  10004. "PipeName": "",
  10005. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10006. "DNS Sleep": "0",
  10007. "Method1": "GET",
  10008. "Method2": "POST",
  10009. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10010. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10011. "Proxy_AccessType": "2 (Use IE settings)"
  10012. }
  10013. },
  10014. "45.153.243.215": {
  10015. "x86": {
  10016. "BeaconType": "8 (HTTPS)",
  10017. "Port": "443",
  10018. "Polling": "60000",
  10019. "Jitter": "0",
  10020. "Maxdns": "255",
  10021. "C2 Server": "amajai-technologies.support,/g.pixel",
  10022. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
  10023. "HTTP Method Path 2": "/submit.php",
  10024. "Header1": "",
  10025. "Header2": "",
  10026. "PipeName": "",
  10027. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10028. "DNS Sleep": "0",
  10029. "Method1": "GET",
  10030. "Method2": "POST",
  10031. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10032. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10033. "Proxy_AccessType": "2 (Use IE settings)"
  10034. }
  10035. },
  10036. "45.170.251.101": {
  10037. "x86": {
  10038. "BeaconType": "8 (HTTPS)",
  10039. "Port": "443",
  10040. "Polling": "60000",
  10041. "Jitter": "0",
  10042. "C2 Server": "45.170.251.101,/ga.js",
  10043. "HTTP Method Path 2": "/submit.php",
  10044. "Method1": "GET",
  10045. "Method2": "POST",
  10046. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10047. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10048. "Proxy_AccessType": "2 (Use IE settings)"
  10049. },
  10050. "x64": {
  10051. "BeaconType": "8 (HTTPS)",
  10052. "Port": "443",
  10053. "Polling": "60000",
  10054. "Jitter": "0",
  10055. "C2 Server": "45.170.251.101,/updates.rss",
  10056. "HTTP Method Path 2": "/submit.php",
  10057. "Method1": "GET",
  10058. "Method2": "POST",
  10059. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10060. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10061. "Proxy_AccessType": "2 (Use IE settings)"
  10062. }
  10063. },
  10064. "45.199.110.164": {
  10065. "x86": {
  10066. "BeaconType": "8 (HTTPS)",
  10067. "Port": "443",
  10068. "Polling": "60000",
  10069. "Jitter": "0",
  10070. "Maxdns": "255",
  10071. "C2 Server": "wyx.3utilities.com,/IE9CompatViewList.xml",
  10072. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER",
  10073. "HTTP Method Path 2": "/submit.php",
  10074. "Header1": "",
  10075. "Header2": "",
  10076. "PipeName": "",
  10077. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10078. "DNS Sleep": "0",
  10079. "Method1": "GET",
  10080. "Method2": "POST",
  10081. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10082. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10083. "Proxy_AccessType": "2 (Use IE settings)"
  10084. }
  10085. },
  10086. "45.207.49.205": {
  10087. "x86": {
  10088. "BeaconType": "8 (HTTPS)",
  10089. "Port": "443",
  10090. "Polling": "5000",
  10091. "Jitter": "10",
  10092. "Maxdns": "235",
  10093. "C2 Server": "45.207.49.205,/updates",
  10094. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  10095. "HTTP Method Path 2": "/windebug/updcheck.php",
  10096. "Header1": "",
  10097. "Header2": "",
  10098. "PipeName": "",
  10099. "DNS Idle": "\\x08\\x08\\x04\\x04",
  10100. "DNS Sleep": "0",
  10101. "Method1": "GET",
  10102. "Method2": "POST",
  10103. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10104. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10105. "Proxy_AccessType": "2 (Use IE settings)"
  10106. },
  10107. "x64": {
  10108. "BeaconType": "8 (HTTPS)",
  10109. "Port": "443",
  10110. "Polling": "5000",
  10111. "Jitter": "10",
  10112. "Maxdns": "235",
  10113. "C2 Server": "45.207.49.205,/updates",
  10114. "User Agent": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
  10115. "HTTP Method Path 2": "/aero2/fly.php",
  10116. "Header1": "",
  10117. "Header2": "",
  10118. "PipeName": "",
  10119. "DNS Idle": "\\x08\\x08\\x04\\x04",
  10120. "DNS Sleep": "0",
  10121. "Method1": "GET",
  10122. "Method2": "POST",
  10123. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10124. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10125. "Proxy_AccessType": "2 (Use IE settings)"
  10126. }
  10127. },
  10128. "45.32.52.188": {
  10129. "x86": {
  10130. "BeaconType": "8 (HTTPS)",
  10131. "Port": "443",
  10132. "Polling": "10000",
  10133. "Jitter": "41",
  10134. "Maxdns": "67",
  10135. "C2 Server": "45.32.52.188,/settings",
  10136. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36",
  10137. "HTTP Method Path 2": "/collect/v1",
  10138. "Header1": "",
  10139. "Header2": "",
  10140. "PipeName": "",
  10141. "DNS Idle": "\\xDF\\x05\\x05\\x05",
  10142. "DNS Sleep": "0",
  10143. "Method1": "POST",
  10144. "Method2": "POST",
  10145. "Spawnto_x86": "%windir%\\syswow64\\msiexec.exe",
  10146. "Spawnto_x64": "%windir%\\sysnative\\msiexec.exe",
  10147. "Proxy_AccessType": "2 (Use IE settings)"
  10148. },
  10149. "x64": {
  10150. "BeaconType": "8 (HTTPS)",
  10151. "Port": "443",
  10152. "Polling": "10000",
  10153. "Jitter": "41",
  10154. "Maxdns": "67",
  10155. "C2 Server": "45.32.52.188,/settings",
  10156. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36",
  10157. "HTTP Method Path 2": "/collect/v1",
  10158. "Header1": "",
  10159. "Header2": "",
  10160. "PipeName": "",
  10161. "DNS Idle": "\\xDF\\x05\\x05\\x05",
  10162. "DNS Sleep": "0",
  10163. "Method1": "POST",
  10164. "Method2": "POST",
  10165. "Spawnto_x86": "%windir%\\syswow64\\msiexec.exe",
  10166. "Spawnto_x64": "%windir%\\sysnative\\msiexec.exe",
  10167. "Proxy_AccessType": "2 (Use IE settings)"
  10168. }
  10169. },
  10170. "45.33.27.73": {
  10171. "x64": {
  10172. "BeaconType": "8 (HTTPS)",
  10173. "Port": "443",
  10174. "Polling": "60000",
  10175. "Jitter": "0",
  10176. "Maxdns": "255",
  10177. "C2 Server": "45.33.27.73,/dpixel",
  10178. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  10179. "HTTP Method Path 2": "/submit.php",
  10180. "Header1": "",
  10181. "Header2": "",
  10182. "PipeName": "",
  10183. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10184. "DNS Sleep": "0",
  10185. "Method1": "GET",
  10186. "Method2": "POST",
  10187. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10188. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10189. "Proxy_AccessType": "2 (Use IE settings)"
  10190. }
  10191. },
  10192. "45.58.116.242": {
  10193. "x86": {
  10194. "BeaconType": "8 (HTTPS)",
  10195. "Port": "443",
  10196. "Polling": "5000",
  10197. "Jitter": "10",
  10198. "Maxdns": "235",
  10199. "C2 Server": "withfix.com,/us/ky/louisville/312-s-fourth-st.html",
  10200. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  10201. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  10202. "Header1": "",
  10203. "Header2": "",
  10204. "PipeName": "",
  10205. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10206. "DNS Sleep": "0",
  10207. "Method1": "GET",
  10208. "Method2": "POST",
  10209. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10210. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10211. "Proxy_AccessType": "2 (Use IE settings)"
  10212. }
  10213. },
  10214. "45.64.186.249": {
  10215. "x64": {
  10216. "BeaconType": "8 (HTTPS)",
  10217. "Port": "443",
  10218. "Polling": "60000",
  10219. "Jitter": "0",
  10220. "Maxdns": "255",
  10221. "C2 Server": "45.64.186.249,/static/v3/logo2.gif",
  10222. "User Agent": "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08",
  10223. "HTTP Method Path 2": "/static/v3/logo1.gif",
  10224. "Header1": "",
  10225. "Header2": "",
  10226. "PipeName": "",
  10227. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10228. "DNS Sleep": "0",
  10229. "Method1": "GET",
  10230. "Method2": "POST",
  10231. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10232. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10233. "Proxy_AccessType": "2 (Use IE settings)"
  10234. }
  10235. },
  10236. "45.67.229.168": {
  10237. "x64": {
  10238. "BeaconType": "8 (HTTPS)",
  10239. "Port": "443",
  10240. "Polling": "53000",
  10241. "Jitter": "34",
  10242. "Maxdns": "255",
  10243. "C2 Server": "45.67.229.168,/jquery-3.3.1.min.js",
  10244. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
  10245. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10246. "Header1": "",
  10247. "Header2": "",
  10248. "PipeName": "",
  10249. "DNS Idle": "J}\\xC4q",
  10250. "DNS Sleep": "0",
  10251. "Method1": "GET",
  10252. "Method2": "POST",
  10253. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  10254. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  10255. "Proxy_AccessType": "2 (Use IE settings)"
  10256. }
  10257. },
  10258. "45.76.48.40": {
  10259. "x86": {
  10260. "BeaconType": "8 (HTTPS)",
  10261. "Port": "443",
  10262. "Polling": "60000",
  10263. "Jitter": "0",
  10264. "Maxdns": "255",
  10265. "C2 Server": "45.76.48.40,/ptj",
  10266. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  10267. "HTTP Method Path 2": "/submit.php",
  10268. "Header1": "",
  10269. "Header2": "",
  10270. "PipeName": "",
  10271. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10272. "DNS Sleep": "0",
  10273. "Method1": "GET",
  10274. "Method2": "POST",
  10275. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10276. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10277. "Proxy_AccessType": "2 (Use IE settings)"
  10278. }
  10279. },
  10280. "46.161.27.220": {
  10281. "x86": {
  10282. "BeaconType": "8 (HTTPS)",
  10283. "Port": "443",
  10284. "Polling": "60000",
  10285. "Jitter": "0",
  10286. "Maxdns": "255",
  10287. "C2 Server": "46.161.27.220,/ptj",
  10288. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  10289. "HTTP Method Path 2": "/submit.php",
  10290. "Header1": "",
  10291. "Header2": "",
  10292. "PipeName": "",
  10293. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10294. "DNS Sleep": "0",
  10295. "Method1": "GET",
  10296. "Method2": "POST",
  10297. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10298. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10299. "Proxy_AccessType": "2 (Use IE settings)"
  10300. }
  10301. },
  10302. "46.166.128.234": {
  10303. "x64": {
  10304. "BeaconType": "8 (HTTPS)",
  10305. "Port": "443",
  10306. "Polling": "60000",
  10307. "Jitter": "0",
  10308. "Maxdns": "255",
  10309. "C2 Server": "46.166.128.234,/cx",
  10310. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  10311. "HTTP Method Path 2": "/submit.php",
  10312. "Header1": "",
  10313. "Header2": "",
  10314. "PipeName": "",
  10315. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10316. "DNS Sleep": "0",
  10317. "Method1": "GET",
  10318. "Method2": "POST",
  10319. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10320. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10321. "Proxy_AccessType": "2 (Use IE settings)"
  10322. }
  10323. },
  10324. "46.166.129.176": {
  10325. "x86": {
  10326. "BeaconType": "8 (HTTPS)",
  10327. "Port": "443",
  10328. "Polling": "60000",
  10329. "Jitter": "0",
  10330. "Maxdns": "255",
  10331. "C2 Server": "46.166.129.169,/load",
  10332. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  10333. "HTTP Method Path 2": "/submit.php",
  10334. "Header1": "",
  10335. "Header2": "",
  10336. "PipeName": "",
  10337. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10338. "DNS Sleep": "0",
  10339. "Method1": "GET",
  10340. "Method2": "POST",
  10341. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10342. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10343. "Proxy_AccessType": "2 (Use IE settings)"
  10344. }
  10345. },
  10346. "46.166.162.165": {
  10347. "x86": {
  10348. "BeaconType": "8 (HTTPS)",
  10349. "Port": "443",
  10350. "Polling": "60000",
  10351. "Jitter": "0",
  10352. "Maxdns": "255",
  10353. "C2 Server": "46.166.162.165,/pixel.gif",
  10354. "User Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent",
  10355. "HTTP Method Path 2": "/submit.php",
  10356. "Header1": "",
  10357. "Header2": "",
  10358. "PipeName": "",
  10359. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10360. "DNS Sleep": "0",
  10361. "Method1": "GET",
  10362. "Method2": "POST",
  10363. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10364. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10365. "Proxy_AccessType": "2 (Use IE settings)"
  10366. },
  10367. "x64": {
  10368. "BeaconType": "8 (HTTPS)",
  10369. "Port": "443",
  10370. "Polling": "60000",
  10371. "Jitter": "0",
  10372. "Maxdns": "255",
  10373. "C2 Server": "46.166.162.165,/j.ad",
  10374. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Avant Browser)",
  10375. "HTTP Method Path 2": "/submit.php",
  10376. "Header1": "",
  10377. "Header2": "",
  10378. "PipeName": "",
  10379. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10380. "DNS Sleep": "0",
  10381. "Method1": "GET",
  10382. "Method2": "POST",
  10383. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10384. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10385. "Proxy_AccessType": "2 (Use IE settings)"
  10386. }
  10387. },
  10388. "46.166.162.97": {
  10389. "x64": {
  10390. "BeaconType": "8 (HTTPS)",
  10391. "Port": "443",
  10392. "Polling": "60000",
  10393. "Jitter": "0",
  10394. "Maxdns": "255",
  10395. "C2 Server": "46.166.162.97,/cx",
  10396. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  10397. "HTTP Method Path 2": "/submit.php",
  10398. "Header1": "",
  10399. "Header2": "",
  10400. "PipeName": "",
  10401. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10402. "DNS Sleep": "0",
  10403. "Method1": "GET",
  10404. "Method2": "POST",
  10405. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10406. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10407. "Proxy_AccessType": "2 (Use IE settings)"
  10408. }
  10409. },
  10410. "46.30.189.89": {
  10411. "x86": {
  10412. "BeaconType": "8 (HTTPS)",
  10413. "Port": "443",
  10414. "Polling": "5000",
  10415. "Jitter": "0",
  10416. "Maxdns": "255",
  10417. "C2 Server": "top.jimwilkens.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  10418. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  10419. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  10420. "Header1": "",
  10421. "Header2": "",
  10422. "PipeName": "",
  10423. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10424. "DNS Sleep": "0",
  10425. "Method1": "GET",
  10426. "Method2": "POST",
  10427. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10428. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10429. "Proxy_AccessType": "2 (Use IE settings)"
  10430. }
  10431. },
  10432. "46.8.180.147": {
  10433. "x86": {
  10434. "BeaconType": "8 (HTTPS)",
  10435. "Port": "443",
  10436. "Polling": "60000",
  10437. "Jitter": "0",
  10438. "Maxdns": "255",
  10439. "C2 Server": "46.8.180.147,/visit.js",
  10440. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  10441. "HTTP Method Path 2": "/submit.php",
  10442. "Header1": "",
  10443. "Header2": "",
  10444. "PipeName": "",
  10445. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10446. "DNS Sleep": "0",
  10447. "Method1": "GET",
  10448. "Method2": "POST",
  10449. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10450. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10451. "Proxy_AccessType": "2 (Use IE settings)"
  10452. },
  10453. "x64": {
  10454. "BeaconType": "8 (HTTPS)",
  10455. "Port": "443",
  10456. "Polling": "60000",
  10457. "Jitter": "0",
  10458. "Maxdns": "255",
  10459. "C2 Server": "46.8.180.147,/cm",
  10460. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  10461. "HTTP Method Path 2": "/submit.php",
  10462. "Header1": "",
  10463. "Header2": "",
  10464. "PipeName": "",
  10465. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10466. "DNS Sleep": "0",
  10467. "Method1": "GET",
  10468. "Method2": "POST",
  10469. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10470. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10471. "Proxy_AccessType": "2 (Use IE settings)"
  10472. }
  10473. },
  10474. "47.101.214.85": {
  10475. "x64": {
  10476. "BeaconType": "8 (HTTPS)",
  10477. "Port": "443",
  10478. "Polling": "60000",
  10479. "Jitter": "0",
  10480. "Maxdns": "255",
  10481. "C2 Server": "47.101.214.85,/dpixel",
  10482. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  10483. "HTTP Method Path 2": "/submit.php",
  10484. "Header1": "",
  10485. "Header2": "",
  10486. "PipeName": "",
  10487. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10488. "DNS Sleep": "0",
  10489. "Method1": "GET",
  10490. "Method2": "POST",
  10491. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10492. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10493. "Proxy_AccessType": "2 (Use IE settings)"
  10494. }
  10495. },
  10496. "47.104.11.169": {
  10497. "x86": {
  10498. "BeaconType": "8 (HTTPS)",
  10499. "Port": "443",
  10500. "Polling": "60000",
  10501. "Jitter": "0",
  10502. "Maxdns": "255",
  10503. "C2 Server": "47.104.11.169,/pixel",
  10504. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)",
  10505. "HTTP Method Path 2": "/submit.php",
  10506. "Header1": "",
  10507. "Header2": "",
  10508. "PipeName": "",
  10509. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10510. "DNS Sleep": "0",
  10511. "Method1": "GET",
  10512. "Method2": "POST",
  10513. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10514. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10515. "Proxy_AccessType": "2 (Use IE settings)"
  10516. },
  10517. "x64": {
  10518. "BeaconType": "8 (HTTPS)",
  10519. "Port": "443",
  10520. "Polling": "60000",
  10521. "Jitter": "0",
  10522. "Maxdns": "255",
  10523. "C2 Server": "47.104.11.169,/cx",
  10524. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENIN)",
  10525. "HTTP Method Path 2": "/submit.php",
  10526. "Header1": "",
  10527. "Header2": "",
  10528. "PipeName": "",
  10529. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10530. "DNS Sleep": "0",
  10531. "Method1": "GET",
  10532. "Method2": "POST",
  10533. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10534. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10535. "Proxy_AccessType": "2 (Use IE settings)"
  10536. }
  10537. },
  10538. "47.104.156.242": {
  10539. "x86": {
  10540. "BeaconType": "8 (HTTPS)",
  10541. "Port": "443",
  10542. "Polling": "60000",
  10543. "Jitter": "50",
  10544. "Maxdns": "244",
  10545. "C2 Server": "47.104.156.242,/v1/act",
  10546. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4068.4 Safari/537.36",
  10547. "HTTP Method Path 2": "/v2/api",
  10548. "Header1": "",
  10549. "Header2": "",
  10550. "PipeName": "",
  10551. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10552. "DNS Sleep": "0",
  10553. "Method1": "GET",
  10554. "Method2": "POST",
  10555. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  10556. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  10557. "Proxy_AccessType": "2 (Use IE settings)"
  10558. },
  10559. "x64": {
  10560. "BeaconType": "8 (HTTPS)",
  10561. "Port": "443",
  10562. "Polling": "60000",
  10563. "Jitter": "50",
  10564. "Maxdns": "244",
  10565. "C2 Server": "47.104.156.242,/v1/act",
  10566. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4068.4 Safari/537.36",
  10567. "HTTP Method Path 2": "/v2/do",
  10568. "Header1": "",
  10569. "Header2": "",
  10570. "PipeName": "",
  10571. "DNS Idle": "\\x08\\x08\\x08\\x08",
  10572. "DNS Sleep": "0",
  10573. "Method1": "GET",
  10574. "Method2": "POST",
  10575. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  10576. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  10577. "Proxy_AccessType": "2 (Use IE settings)"
  10578. }
  10579. },
  10580. "47.111.134.70": {
  10581. "x86": {
  10582. "BeaconType": "8 (HTTPS)",
  10583. "Port": "443",
  10584. "Polling": "59768",
  10585. "Jitter": "41",
  10586. "Maxdns": "253",
  10587. "C2 Server": "47.111.134.70,/mt",
  10588. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  10589. "HTTP Method Path 2": "/language",
  10590. "Header1": "",
  10591. "Header2": "",
  10592. "PipeName": "",
  10593. "DNS Idle": "d \\x8E\\x86",
  10594. "DNS Sleep": "0",
  10595. "Method1": "GET",
  10596. "Method2": "POST",
  10597. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  10598. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  10599. "Proxy_AccessType": "2 (Use IE settings)"
  10600. },
  10601. "x64": {
  10602. "BeaconType": "8 (HTTPS)",
  10603. "Port": "443",
  10604. "Polling": "59768",
  10605. "Jitter": "41",
  10606. "Maxdns": "253",
  10607. "C2 Server": "47.111.134.70,/eo",
  10608. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  10609. "HTTP Method Path 2": "/ny",
  10610. "Header1": "",
  10611. "Header2": "",
  10612. "PipeName": "",
  10613. "DNS Idle": "d \\x8E\\x86",
  10614. "DNS Sleep": "0",
  10615. "Method1": "GET",
  10616. "Method2": "POST",
  10617. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  10618. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  10619. "Proxy_AccessType": "2 (Use IE settings)"
  10620. }
  10621. },
  10622. "47.114.35.225": {
  10623. "x86": {
  10624. "BeaconType": "8 (HTTPS)",
  10625. "Port": "443",
  10626. "Polling": "8658",
  10627. "Jitter": "37",
  10628. "Maxdns": "243",
  10629. "C2 Server": "47.114.35.225,/gv",
  10630. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  10631. "HTTP Method Path 2": "/an",
  10632. "Header1": "",
  10633. "Header2": "",
  10634. "PipeName": "",
  10635. "DNS Idle": "\\xC1\\x19\\xB3p",
  10636. "DNS Sleep": "0",
  10637. "Method1": "GET",
  10638. "Method2": "POST",
  10639. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  10640. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  10641. "Proxy_AccessType": "2 (Use IE settings)"
  10642. }
  10643. },
  10644. "47.242.140.1": {
  10645. "x64": {
  10646. "BeaconType": "8 (HTTPS)",
  10647. "Port": "443",
  10648. "Polling": "37500",
  10649. "Jitter": "33",
  10650. "Maxdns": "245",
  10651. "C2 Server": "36.102.212.68,/modcp,221.236.11.67,/mobile-home,58.218.215.93,/mobile-home,118.123.241.208,/modcp,222.222.88.77,/mobile-home,121.9.212.217,/mt,175.6.235.200,/modcp,118.123.241.208,/mt,121.9.212.217,/modcp,125.37.206.224,/modcp,58.218.215.129,/mobile-home",
  10652. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  10653. "HTTP Method Path 2": "/Admin",
  10654. "Header1": "",
  10655. "Header2": "",
  10656. "PipeName": "",
  10657. "DNS Idle": "rrrr",
  10658. "DNS Sleep": "0",
  10659. "Method1": "GET",
  10660. "Method2": "GET",
  10661. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  10662. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  10663. "Proxy_AccessType": "2 (Use IE settings)"
  10664. }
  10665. },
  10666. "47.56.144.122": {
  10667. "x86": {
  10668. "BeaconType": "8 (HTTPS)",
  10669. "Port": "443",
  10670. "Polling": "60000",
  10671. "Jitter": "0",
  10672. "Maxdns": "255",
  10673. "C2 Server": "47.56.144.122,/visit.js",
  10674. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP08; MAAU; NP08)",
  10675. "HTTP Method Path 2": "/submit.php",
  10676. "Header1": "",
  10677. "Header2": "",
  10678. "PipeName": "",
  10679. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10680. "DNS Sleep": "0",
  10681. "Method1": "GET",
  10682. "Method2": "POST",
  10683. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10684. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10685. "Proxy_AccessType": "2 (Use IE settings)"
  10686. },
  10687. "x64": {
  10688. "BeaconType": "8 (HTTPS)",
  10689. "Port": "443",
  10690. "Polling": "60000",
  10691. "Jitter": "0",
  10692. "Maxdns": "255",
  10693. "C2 Server": "47.56.144.122,/updates.rss",
  10694. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)",
  10695. "HTTP Method Path 2": "/submit.php",
  10696. "Header1": "",
  10697. "Header2": "",
  10698. "PipeName": "",
  10699. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10700. "DNS Sleep": "0",
  10701. "Method1": "GET",
  10702. "Method2": "POST",
  10703. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10704. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10705. "Proxy_AccessType": "2 (Use IE settings)"
  10706. }
  10707. },
  10708. "47.95.37.84": {
  10709. "x86": {
  10710. "BeaconType": "8 (HTTPS)",
  10711. "Port": "443",
  10712. "Polling": "5000",
  10713. "Jitter": "50",
  10714. "Maxdns": "255",
  10715. "C2 Server": "47.95.37.84,/jquery-3.3.1.min.js",
  10716. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) WebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
  10717. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10718. "Header1": "",
  10719. "Header2": "",
  10720. "PipeName": "",
  10721. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10722. "DNS Sleep": "0",
  10723. "Method1": "GET",
  10724. "Method2": "POST",
  10725. "Spawnto_x86": "%windir%\\syswow64\\notepad.exe",
  10726. "Spawnto_x64": "%windir%\\sysnative\\notepad.exe",
  10727. "Proxy_AccessType": "2 (Use IE settings)"
  10728. }
  10729. },
  10730. "47.97.65.242": {
  10731. "x86": {
  10732. "BeaconType": "8 (HTTPS)",
  10733. "Port": "443",
  10734. "Polling": "60000",
  10735. "Jitter": "0",
  10736. "Maxdns": "255",
  10737. "C2 Server": "47.97.65.242,/ptj",
  10738. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  10739. "HTTP Method Path 2": "/submit.php",
  10740. "Header1": "",
  10741. "Header2": "",
  10742. "PipeName": "",
  10743. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10744. "DNS Sleep": "0",
  10745. "Method1": "GET",
  10746. "Method2": "POST",
  10747. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10748. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10749. "Proxy_AccessType": "2 (Use IE settings)"
  10750. },
  10751. "x64": {
  10752. "BeaconType": "8 (HTTPS)",
  10753. "Port": "443",
  10754. "Polling": "60000",
  10755. "Jitter": "0",
  10756. "Maxdns": "255",
  10757. "C2 Server": "47.97.65.242,/ca",
  10758. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  10759. "HTTP Method Path 2": "/submit.php",
  10760. "Header1": "",
  10761. "Header2": "",
  10762. "PipeName": "",
  10763. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10764. "DNS Sleep": "0",
  10765. "Method1": "GET",
  10766. "Method2": "POST",
  10767. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10768. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10769. "Proxy_AccessType": "2 (Use IE settings)"
  10770. }
  10771. },
  10772. "50.116.12.237": {
  10773. "x86": {
  10774. "BeaconType": "8 (HTTPS)",
  10775. "Port": "443",
  10776. "Polling": "80000",
  10777. "Jitter": "32",
  10778. "Maxdns": "252",
  10779. "C2 Server": "fonts.stata.buzz,/common/template/tabLib.php,cache.stata.buzz,/searchbox/res.php,static.stata.buzz,/worldindex/wp-includes/new.php",
  10780. "User Agent": "Mozilla/5.0 (Windows; U; MSIE 8.1; Windows NT 5.2) Firefox/68.0",
  10781. "HTTP Method Path 2": "/modules/recaptcha.php",
  10782. "Header1": "",
  10783. "Header2": "",
  10784. "PipeName": "",
  10785. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10786. "DNS Sleep": "0",
  10787. "Method1": "GET",
  10788. "Method2": "POST",
  10789. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  10790. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  10791. "Proxy_AccessType": "2 (Use IE settings)"
  10792. }
  10793. },
  10794. "51.178.83.41": {
  10795. "x86": {
  10796. "BeaconType": "8 (HTTPS)",
  10797. "Port": "443",
  10798. "Polling": "5000",
  10799. "Jitter": "0",
  10800. "Maxdns": "255",
  10801. "C2 Server": "top.jimwilkens.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  10802. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  10803. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  10804. "Header1": "",
  10805. "Header2": "",
  10806. "PipeName": "",
  10807. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10808. "DNS Sleep": "0",
  10809. "Method1": "GET",
  10810. "Method2": "POST",
  10811. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10812. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10813. "Proxy_AccessType": "2 (Use IE settings)"
  10814. },
  10815. "x64": {
  10816. "BeaconType": "8 (HTTPS)",
  10817. "Port": "443",
  10818. "Polling": "5000",
  10819. "Jitter": "0",
  10820. "Maxdns": "255",
  10821. "C2 Server": "top.jimwilkens.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  10822. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  10823. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  10824. "Header1": "",
  10825. "Header2": "",
  10826. "PipeName": "",
  10827. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10828. "DNS Sleep": "0",
  10829. "Method1": "GET",
  10830. "Method2": "POST",
  10831. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  10832. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  10833. "Proxy_AccessType": "2 (Use IE settings)"
  10834. }
  10835. },
  10836. "51.195.35.0": {
  10837. "x86": {
  10838. "BeaconType": "8 (HTTPS)",
  10839. "Port": "443",
  10840. "Polling": "60000",
  10841. "Jitter": "0",
  10842. "Maxdns": "255",
  10843. "C2 Server": "51.195.35.0,/ca",
  10844. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)",
  10845. "HTTP Method Path 2": "/submit.php",
  10846. "Header1": "",
  10847. "Header2": "",
  10848. "PipeName": "",
  10849. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10850. "DNS Sleep": "0",
  10851. "Method1": "GET",
  10852. "Method2": "POST",
  10853. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10854. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10855. "Proxy_AccessType": "2 (Use IE settings)"
  10856. }
  10857. },
  10858. "51.210.138.71": {
  10859. "x86": {
  10860. "BeaconType": "8 (HTTPS)",
  10861. "Port": "443",
  10862. "Polling": "60000",
  10863. "Jitter": "0",
  10864. "Maxdns": "255",
  10865. "C2 Server": "51.210.138.71,/__utm.gif",
  10866. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
  10867. "HTTP Method Path 2": "/___utm.gif",
  10868. "Header1": "",
  10869. "Header2": "",
  10870. "PipeName": "",
  10871. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10872. "DNS Sleep": "0",
  10873. "Method1": "GET",
  10874. "Method2": "POST",
  10875. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10876. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10877. "Proxy_AccessType": "2 (Use IE settings)"
  10878. },
  10879. "x64": {
  10880. "BeaconType": "8 (HTTPS)",
  10881. "Port": "443",
  10882. "Polling": "60000",
  10883. "Jitter": "0",
  10884. "Maxdns": "255",
  10885. "C2 Server": "51.210.138.71,/__utm.gif",
  10886. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)",
  10887. "HTTP Method Path 2": "/___utm.gif",
  10888. "Header1": "",
  10889. "Header2": "",
  10890. "PipeName": "",
  10891. "DNS Idle": "\\x00\\x00\\x00\\x00",
  10892. "DNS Sleep": "0",
  10893. "Method1": "GET",
  10894. "Method2": "POST",
  10895. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10896. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10897. "Proxy_AccessType": "2 (Use IE settings)"
  10898. }
  10899. },
  10900. "51.210.41.37": {
  10901. "x86": {
  10902. "BeaconType": "8 (HTTPS)",
  10903. "Port": "443",
  10904. "Polling": "5000",
  10905. "Jitter": "37",
  10906. "C2 Server": "www.phpbasic.net,/scs/mail-static/js/",
  10907. "HTTP Method Path 2": "/mail/u/_/1/",
  10908. "Method1": "GET",
  10909. "Method2": "POST",
  10910. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  10911. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  10912. "Proxy_AccessType": "2 (Use IE settings)"
  10913. }
  10914. },
  10915. "5.149.254.28": {
  10916. "x86": {
  10917. "BeaconType": "8 (HTTPS)",
  10918. "Port": "443",
  10919. "Polling": "60000",
  10920. "Jitter": "0",
  10921. "C2 Server": "5.149.254.28,/__utm.gif",
  10922. "HTTP Method Path 2": "/submit.php",
  10923. "Method1": "GET",
  10924. "Method2": "POST",
  10925. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10926. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10927. "Proxy_AccessType": "2 (Use IE settings)"
  10928. }
  10929. },
  10930. "51.75.255.58": {
  10931. "x64": {
  10932. "BeaconType": "8 (HTTPS)",
  10933. "Port": "443",
  10934. "Polling": "5000",
  10935. "Jitter": "37",
  10936. "C2 Server": "51.75.255.58,/scs/mail-static/js/",
  10937. "HTTP Method Path 2": "/mail/u/_/1/",
  10938. "Method1": "GET",
  10939. "Method2": "POST",
  10940. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  10941. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  10942. "Proxy_AccessType": "2 (Use IE settings)"
  10943. }
  10944. },
  10945. "51.81.140.156": {
  10946. "x86": {
  10947. "BeaconType": "8 (HTTPS)",
  10948. "Port": "443",
  10949. "Polling": "60733",
  10950. "Jitter": "43",
  10951. "Maxdns": "249",
  10952. "C2 Server": "51.81.140.156,/rn.js",
  10953. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
  10954. "HTTP Method Path 2": "/mobile-home",
  10955. "Header1": "",
  10956. "Header2": "",
  10957. "PipeName": "",
  10958. "DNS Idle": "\\x86\\x9F:\\xF9",
  10959. "DNS Sleep": "0",
  10960. "Method1": "GET",
  10961. "Method2": "POST",
  10962. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  10963. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  10964. "Proxy_AccessType": "2 (Use IE settings)"
  10965. }
  10966. },
  10967. "5.181.156.49": {
  10968. "x86": {
  10969. "BeaconType": "8 (HTTPS)",
  10970. "Port": "443",
  10971. "Polling": "60000",
  10972. "Jitter": "37",
  10973. "Maxdns": "255",
  10974. "C2 Server": "5.181.156.49,/jquery-3.3.1.min.js",
  10975. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  10976. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10977. "Header1": "",
  10978. "Header2": "",
  10979. "PipeName": "",
  10980. "DNS Idle": "J}\\xC4q",
  10981. "DNS Sleep": "0",
  10982. "Method1": "GET",
  10983. "Method2": "POST",
  10984. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  10985. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  10986. "Proxy_AccessType": "2 (Use IE settings)"
  10987. },
  10988. "x64": {
  10989. "BeaconType": "8 (HTTPS)",
  10990. "Port": "443",
  10991. "Polling": "60000",
  10992. "Jitter": "37",
  10993. "Maxdns": "255",
  10994. "C2 Server": "5.181.156.49,/jquery-3.3.1.min.js",
  10995. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  10996. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  10997. "Header1": "",
  10998. "Header2": "",
  10999. "PipeName": "",
  11000. "DNS Idle": "J}\\xC4q",
  11001. "DNS Sleep": "0",
  11002. "Method1": "GET",
  11003. "Method2": "POST",
  11004. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11005. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11006. "Proxy_AccessType": "2 (Use IE settings)"
  11007. }
  11008. },
  11009. "51.83.180.153": {
  11010. "x86": {
  11011. "BeaconType": "8 (HTTPS)",
  11012. "Port": "443",
  11013. "Polling": "60000",
  11014. "Jitter": "0",
  11015. "Maxdns": "255",
  11016. "C2 Server": "updatesourcehealth.com,/dot.gif",
  11017. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  11018. "HTTP Method Path 2": "/submit.php",
  11019. "Header1": "",
  11020. "Header2": "",
  11021. "PipeName": "",
  11022. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11023. "DNS Sleep": "0",
  11024. "Method1": "GET",
  11025. "Method2": "POST",
  11026. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11027. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11028. "Proxy_AccessType": "2 (Use IE settings)"
  11029. },
  11030. "x64": {
  11031. "BeaconType": "8 (HTTPS)",
  11032. "Port": "443",
  11033. "Polling": "60000",
  11034. "Jitter": "0",
  11035. "Maxdns": "255",
  11036. "C2 Server": "updatesourcehealth.com,/g.pixel",
  11037. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  11038. "HTTP Method Path 2": "/submit.php",
  11039. "Header1": "",
  11040. "Header2": "",
  11041. "PipeName": "",
  11042. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11043. "DNS Sleep": "0",
  11044. "Method1": "GET",
  11045. "Method2": "POST",
  11046. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11047. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11048. "Proxy_AccessType": "2 (Use IE settings)"
  11049. }
  11050. },
  11051. "5.189.184.60": {
  11052. "x64": {
  11053. "BeaconType": "8 (HTTPS)",
  11054. "Port": "443",
  11055. "Polling": "57697",
  11056. "Jitter": "39",
  11057. "Maxdns": "244",
  11058. "C2 Server": "5.189.184.60,/fam_newspaper.css",
  11059. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  11060. "HTTP Method Path 2": "/default",
  11061. "Header1": "",
  11062. "Header2": "",
  11063. "PipeName": "",
  11064. "DNS Idle": "(\\x91zb",
  11065. "DNS Sleep": "0",
  11066. "Method1": "GET",
  11067. "Method2": "POST",
  11068. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  11069. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  11070. "Proxy_AccessType": "2 (Use IE settings)"
  11071. }
  11072. },
  11073. "51.91.123.189": {
  11074. "x86": {
  11075. "BeaconType": "8 (HTTPS)",
  11076. "Port": "443",
  11077. "Polling": "5000",
  11078. "Jitter": "37",
  11079. "C2 Server": "CLIENT.ELISEA-MUTUELLE.fr,/jquery-3.3.1.min.js",
  11080. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11081. "Method1": "GET",
  11082. "Method2": "POST",
  11083. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 223",
  11084. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 223",
  11085. "Proxy_AccessType": "2 (Use IE settings)"
  11086. }
  11087. },
  11088. "5.196.114.192": {
  11089. "x86": {
  11090. "BeaconType": "8 (HTTPS)",
  11091. "Port": "443",
  11092. "Polling": "60000",
  11093. "Jitter": "0",
  11094. "Maxdns": "255",
  11095. "C2 Server": "amazoning.sytes.net,/dpixel",
  11096. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; ASU2JS)",
  11097. "HTTP Method Path 2": "/submit.php",
  11098. "Header1": "",
  11099. "Header2": "",
  11100. "PipeName": "",
  11101. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11102. "DNS Sleep": "0",
  11103. "Method1": "GET",
  11104. "Method2": "POST",
  11105. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11106. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11107. "Proxy_AccessType": "2 (Use IE settings)"
  11108. }
  11109. },
  11110. "52.11.45.65": {
  11111. "x64": {
  11112. "BeaconType": "8 (HTTPS)",
  11113. "Port": "443",
  11114. "Polling": "5000",
  11115. "Jitter": "0",
  11116. "Maxdns": "255",
  11117. "C2 Server": "52.11.45.65,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,rest.ehealthdiary.org ,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  11118. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11119. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  11120. "Header1": "",
  11121. "Header2": "",
  11122. "PipeName": "",
  11123. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11124. "DNS Sleep": "0",
  11125. "Method1": "GET",
  11126. "Method2": "POST",
  11127. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11128. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11129. "Proxy_AccessType": "2 (Use IE settings)"
  11130. }
  11131. },
  11132. "52.255.183.94": {
  11133. "x86": {
  11134. "BeaconType": "8 (HTTPS)",
  11135. "Port": "443",
  11136. "Polling": "37500",
  11137. "Jitter": "33",
  11138. "Maxdns": "245",
  11139. "C2 Server": "red.therclegalgroup.com,/javascripts/jquery.foundation.navigation.js",
  11140. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; SLCC; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MS-RTC LM 8)",
  11141. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11142. "Header1": "",
  11143. "Header2": "",
  11144. "PipeName": "",
  11145. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11146. "DNS Sleep": "0",
  11147. "Method1": "GET",
  11148. "Method2": "POST",
  11149. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  11150. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  11151. "Proxy_AccessType": "2 (Use IE settings)"
  11152. }
  11153. },
  11154. "52.28.253.50": {
  11155. "x86": {
  11156. "BeaconType": "8 (HTTPS)",
  11157. "Port": "443",
  11158. "Polling": "5000",
  11159. "Jitter": "10",
  11160. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  11161. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  11162. "Method1": "GET",
  11163. "Method2": "POST",
  11164. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  11165. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11166. "Proxy_AccessType": "2 (Use IE settings)"
  11167. },
  11168. "x64": {
  11169. "BeaconType": "8 (HTTPS)",
  11170. "Port": "443",
  11171. "Polling": "5000",
  11172. "Jitter": "10",
  11173. "C2 Server": "rijkzijn.nl,/vlk/grants,uwprivatebank.nl,/vlk/grants,systest.nl,/vlk/grants",
  11174. "HTTP Method Path 2": "/vlk/xmlrpc/v2",
  11175. "Method1": "GET",
  11176. "Method2": "POST",
  11177. "Spawnto_x86": "%windir%\\syswow64\\mavinject.exe",
  11178. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11179. "Proxy_AccessType": "2 (Use IE settings)"
  11180. }
  11181. },
  11182. "52.89.33.58": {
  11183. "x86": {
  11184. "BeaconType": "8 (HTTPS)",
  11185. "Port": "443",
  11186. "Polling": "60000",
  11187. "Jitter": "0",
  11188. "C2 Server": "secure.mllnm.com,/visit.js",
  11189. "HTTP Method Path 2": "/submit.php",
  11190. "Method1": "GET",
  11191. "Method2": "POST",
  11192. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11193. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11194. "Proxy_AccessType": "2 (Use IE settings)"
  11195. }
  11196. },
  11197. "52.90.168.168": {
  11198. "x86": {
  11199. "BeaconType": "8 (HTTPS)",
  11200. "Port": "443",
  11201. "Polling": "5000",
  11202. "Jitter": "0",
  11203. "Maxdns": "255",
  11204. "C2 Server": "m24.yourintrinsichealth.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  11205. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11206. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  11207. "Header1": "",
  11208. "Header2": "",
  11209. "PipeName": "",
  11210. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11211. "DNS Sleep": "0",
  11212. "Method1": "GET",
  11213. "Method2": "POST",
  11214. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11215. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11216. "Proxy_AccessType": "2 (Use IE settings)"
  11217. }
  11218. },
  11219. "54.144.48.52": {
  11220. "x86": {
  11221. "BeaconType": "8 (HTTPS)",
  11222. "Port": "443",
  11223. "Polling": "5000",
  11224. "Jitter": "0",
  11225. "Maxdns": "255",
  11226. "C2 Server": "m24.yourintrinsichealth.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  11227. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11228. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  11229. "Header1": "",
  11230. "Header2": "",
  11231. "PipeName": "",
  11232. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11233. "DNS Sleep": "0",
  11234. "Method1": "GET",
  11235. "Method2": "POST",
  11236. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11237. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11238. "Proxy_AccessType": "2 (Use IE settings)"
  11239. },
  11240. "x64": {
  11241. "BeaconType": "8 (HTTPS)",
  11242. "Port": "443",
  11243. "Polling": "5000",
  11244. "Jitter": "0",
  11245. "Maxdns": "255",
  11246. "C2 Server": "m24.yourintrinsichealth.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  11247. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11248. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  11249. "Header1": "",
  11250. "Header2": "",
  11251. "PipeName": "",
  11252. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11253. "DNS Sleep": "0",
  11254. "Method1": "GET",
  11255. "Method2": "POST",
  11256. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11257. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11258. "Proxy_AccessType": "2 (Use IE settings)"
  11259. }
  11260. },
  11261. "54.174.1.56": {
  11262. "x86": {
  11263. "BeaconType": "8 (HTTPS)",
  11264. "Port": "443",
  11265. "Polling": "6000000",
  11266. "Jitter": "37",
  11267. "Maxdns": "255",
  11268. "C2 Server": "917373240,/jquery-3.3.1.min.js,74736b2d677265656e656e657267792e636f6d,/jquery-3.3.1.min.js",
  11269. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11270. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11271. "Header1": "",
  11272. "Header2": "",
  11273. "PipeName": "",
  11274. "DNS Idle": "J}\\xC4q",
  11275. "DNS Sleep": "0",
  11276. "Method1": "GET",
  11277. "Method2": "POST",
  11278. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11279. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11280. "Proxy_Hostname": "socks=185.75.85.79:4145",
  11281. "Proxy_AccessType": "0 (Unknown)"
  11282. }
  11283. },
  11284. "54.197.151.253": {
  11285. "x86": {
  11286. "BeaconType": "8 (HTTPS)",
  11287. "Port": "443",
  11288. "Polling": "48000",
  11289. "Jitter": "65",
  11290. "Maxdns": "235",
  11291. "C2 Server": "54.197.151.253,/homes/for_sale/atlanta/",
  11292. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
  11293. "HTTP Method Path 2": "/homes/for_sale/Atlanta/",
  11294. "Header1": "",
  11295. "Header2": "",
  11296. "PipeName": "",
  11297. "DNS Idle": "\\x01\\x01\\x01\\x01",
  11298. "DNS Sleep": "0",
  11299. "Method1": "GET",
  11300. "Method2": "GET",
  11301. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11302. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11303. "Proxy_AccessType": "2 (Use IE settings)"
  11304. }
  11305. },
  11306. "54.211.22.67": {
  11307. "x86": {
  11308. "BeaconType": "8 (HTTPS)",
  11309. "Port": "443",
  11310. "Polling": "45000",
  11311. "Jitter": "20",
  11312. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/page.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/process.jsp",
  11313. "HTTP Method Path 2": "/search.jsp",
  11314. "Method1": "GET",
  11315. "Method2": "POST",
  11316. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  11317. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  11318. "Proxy_AccessType": "2 (Use IE settings)"
  11319. },
  11320. "x64": {
  11321. "BeaconType": "8 (HTTPS)",
  11322. "Port": "443",
  11323. "Polling": "45000",
  11324. "Jitter": "20",
  11325. "C2 Server": "www.amzn-solutions.com,/page.jsp,help.amzn-solutions.com,/process.jsp,forum.dmcseddebtservices.com,/index.jsp,www.dmcseddebtservices.com,/user.jsp",
  11326. "HTTP Method Path 2": "/parse.jsp",
  11327. "Method1": "GET",
  11328. "Method2": "POST",
  11329. "Spawnto_x86": "%windir%\\syswow64\\wecutil.exe",
  11330. "Spawnto_x64": "%windir%\\sysnative\\wecutil.exe",
  11331. "Proxy_AccessType": "2 (Use IE settings)"
  11332. }
  11333. },
  11334. "54.214.197.200": {
  11335. "x86": {
  11336. "BeaconType": "8 (HTTPS)",
  11337. "Port": "443",
  11338. "Polling": "60000",
  11339. "Jitter": "0",
  11340. "Maxdns": "255",
  11341. "C2 Server": "pnwcontent-delivery.com,/updates.rss",
  11342. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
  11343. "HTTP Method Path 2": "/submit.php",
  11344. "Header1": "",
  11345. "Header2": "",
  11346. "PipeName": "",
  11347. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11348. "DNS Sleep": "0",
  11349. "Method1": "GET",
  11350. "Method2": "POST",
  11351. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11352. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11353. "Proxy_AccessType": "2 (Use IE settings)"
  11354. },
  11355. "x64": {
  11356. "BeaconType": "8 (HTTPS)",
  11357. "Port": "443",
  11358. "Polling": "60000",
  11359. "Jitter": "0",
  11360. "Maxdns": "255",
  11361. "C2 Server": "pnwcontent-delivery.com,/pixel",
  11362. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  11363. "HTTP Method Path 2": "/submit.php",
  11364. "Header1": "",
  11365. "Header2": "",
  11366. "PipeName": "",
  11367. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11368. "DNS Sleep": "0",
  11369. "Method1": "GET",
  11370. "Method2": "POST",
  11371. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11372. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11373. "Proxy_AccessType": "2 (Use IE settings)"
  11374. }
  11375. },
  11376. "54.242.70.107": {
  11377. "x86": {
  11378. "BeaconType": "8 (HTTPS)",
  11379. "Port": "443",
  11380. "Polling": "60000",
  11381. "Jitter": "0",
  11382. "Maxdns": "255",
  11383. "C2 Server": "54.242.70.107,/dpixel",
  11384. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
  11385. "HTTP Method Path 2": "/submit.php",
  11386. "Header1": "",
  11387. "Header2": "",
  11388. "PipeName": "",
  11389. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11390. "DNS Sleep": "0",
  11391. "Method1": "GET",
  11392. "Method2": "POST",
  11393. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11394. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11395. "Proxy_AccessType": "2 (Use IE settings)"
  11396. }
  11397. },
  11398. "54.93.130.9": {
  11399. "x86": {
  11400. "BeaconType": "8 (HTTPS)",
  11401. "Port": "443",
  11402. "Polling": "37500",
  11403. "Jitter": "33",
  11404. "Maxdns": "245",
  11405. "C2 Server": "zliveaudio.com,/audio/",
  11406. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
  11407. "HTTP Method Path 2": "/melody/",
  11408. "Header1": "",
  11409. "Header2": "",
  11410. "PipeName": "",
  11411. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11412. "DNS Sleep": "0",
  11413. "Method1": "GET",
  11414. "Method2": "POST",
  11415. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  11416. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11417. "Proxy_AccessType": "2 (Use IE settings)"
  11418. }
  11419. },
  11420. "60.205.220.98": {
  11421. "x86": {
  11422. "BeaconType": "8 (HTTPS)",
  11423. "Port": "443",
  11424. "Polling": "60000",
  11425. "Jitter": "20",
  11426. "Maxdns": "235",
  11427. "C2 Server": "58.218.215.124,/search/,122.193.130.85,/search/,125.37.206.221,/search/,120.221.181.171,/search/",
  11428. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11429. "HTTP Method Path 2": "/Search/",
  11430. "Header1": "",
  11431. "Header2": "",
  11432. "PipeName": "",
  11433. "DNS Idle": "\\x08\\x08\\x04\\x04",
  11434. "DNS Sleep": "0",
  11435. "Method1": "GET",
  11436. "Method2": "GET",
  11437. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11438. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11439. "Proxy_AccessType": "2 (Use IE settings)"
  11440. },
  11441. "x64": {
  11442. "BeaconType": "8 (HTTPS)",
  11443. "Port": "443",
  11444. "Polling": "60000",
  11445. "Jitter": "20",
  11446. "Maxdns": "235",
  11447. "C2 Server": "58.218.215.124,/search/,122.193.130.85,/search/,125.37.206.221,/search/,120.221.181.171,/search/",
  11448. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11449. "HTTP Method Path 2": "/Search/",
  11450. "Header1": "",
  11451. "Header2": "",
  11452. "PipeName": "",
  11453. "DNS Idle": "\\x08\\x08\\x04\\x04",
  11454. "DNS Sleep": "0",
  11455. "Method1": "GET",
  11456. "Method2": "GET",
  11457. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11458. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11459. "Proxy_AccessType": "2 (Use IE settings)"
  11460. }
  11461. },
  11462. "63.34.20.87": {
  11463. "x86": {
  11464. "BeaconType": "8 (HTTPS)",
  11465. "Port": "443",
  11466. "Polling": "9700",
  11467. "Jitter": "12",
  11468. "Maxdns": "243",
  11469. "C2 Server": "cehclient-canary.teams.microsoft.com,/s/ref=nb_sb_noss_1/404-17182125-2303392/field-keywords=group",
  11470. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
  11471. "HTTP Method Path 2": "/N2263/adj/amzn.us.sr.aps",
  11472. "Header1": "",
  11473. "Header2": "",
  11474. "PipeName": "",
  11475. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11476. "DNS Sleep": "0",
  11477. "Method1": "GET",
  11478. "Method2": "POST",
  11479. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11480. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11481. "Proxy_AccessType": "2 (Use IE settings)"
  11482. }
  11483. },
  11484. "64.187.238.138": {
  11485. "x86": {
  11486. "BeaconType": "8 (HTTPS)",
  11487. "Port": "443",
  11488. "Polling": "5000",
  11489. "Jitter": "10",
  11490. "Maxdns": "235",
  11491. "C2 Server": "ramush.com,/us/ky/louisville/312-s-fourth-st.html,leepick.com,/us/ky/louisville/312-s-fourth-st.html",
  11492. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11493. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11494. "Header1": "",
  11495. "Header2": "",
  11496. "PipeName": "",
  11497. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11498. "DNS Sleep": "0",
  11499. "Method1": "GET",
  11500. "Method2": "POST",
  11501. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11502. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11503. "Proxy_AccessType": "2 (Use IE settings)"
  11504. }
  11505. },
  11506. "64.187.239.138": {
  11507. "x86": {
  11508. "BeaconType": "8 (HTTPS)",
  11509. "Port": "443",
  11510. "Polling": "5000",
  11511. "Jitter": "10",
  11512. "Maxdns": "235",
  11513. "C2 Server": "ballom.com,/us/ky/louisville/312-s-fourth-st.html",
  11514. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11515. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11516. "Header1": "",
  11517. "Header2": "",
  11518. "PipeName": "",
  11519. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11520. "DNS Sleep": "0",
  11521. "Method1": "GET",
  11522. "Method2": "POST",
  11523. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11524. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11525. "Proxy_AccessType": "2 (Use IE settings)"
  11526. }
  11527. },
  11528. "64.225.114.162": {
  11529. "x64": {
  11530. "BeaconType": "8 (HTTPS)",
  11531. "Port": "443",
  11532. "Polling": "30000",
  11533. "Jitter": "50",
  11534. "Maxdns": "255",
  11535. "C2 Server": "secure.viper-cdn.com,/__utm.gif",
  11536. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11537. "HTTP Method Path 2": "/___utm.gif",
  11538. "Header1": "",
  11539. "Header2": "",
  11540. "PipeName": "",
  11541. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11542. "DNS Sleep": "0",
  11543. "Method1": "GET",
  11544. "Method2": "POST",
  11545. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  11546. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  11547. "Proxy_AccessType": "2 (Use IE settings)"
  11548. }
  11549. },
  11550. "64.227.24.12": {
  11551. "x86": {
  11552. "BeaconType": "8 (HTTPS)",
  11553. "Port": "443",
  11554. "Polling": "3000",
  11555. "Jitter": "0",
  11556. "C2 Server": "64.227.24.12,/wp08/wp-includes/dtcla.php",
  11557. "HTTP Method Path 2": "/includes/phpmailer/class.pop3.php",
  11558. "Method1": "GET",
  11559. "Method2": "POST",
  11560. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11561. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11562. "Proxy_AccessType": "2 (Use IE settings)"
  11563. },
  11564. "x64": {
  11565. "BeaconType": "8 (HTTPS)",
  11566. "Port": "443",
  11567. "Polling": "3000",
  11568. "Jitter": "0",
  11569. "C2 Server": "64.227.24.12,/wp06/wp-includes/po.php",
  11570. "HTTP Method Path 2": "/includes/phpmailer/class.pop3.php",
  11571. "Method1": "GET",
  11572. "Method2": "POST",
  11573. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11574. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11575. "Proxy_AccessType": "2 (Use IE settings)"
  11576. }
  11577. },
  11578. "64.227.45.20": {
  11579. "x64": {
  11580. "BeaconType": "8 (HTTPS)",
  11581. "Port": "443",
  11582. "Polling": "8000",
  11583. "Jitter": "30",
  11584. "Maxdns": "255",
  11585. "C2 Server": "cob.wolt.services,/watch/",
  11586. "User Agent": "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11587. "HTTP Method Path 2": "/youtubei/v1/logevent",
  11588. "Header1": "",
  11589. "Header2": "",
  11590. "PipeName": "",
  11591. "DNS Idle": "\\xD8:\\xCE\\x0E",
  11592. "DNS Sleep": "0",
  11593. "Method1": "GET",
  11594. "Method2": "POST",
  11595. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k netsvcs",
  11596. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k netsvcs",
  11597. "Proxy_AccessType": "2 (Use IE settings)"
  11598. }
  11599. },
  11600. "64.64.243.42": {
  11601. "x86": {
  11602. "BeaconType": "0 (HTTP)",
  11603. "Port": "443",
  11604. "Polling": "8658",
  11605. "Jitter": "39",
  11606. "Maxdns": "248",
  11607. "C2 Server": "64.64.243.42,/fam_calendar",
  11608. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  11609. "HTTP Method Path 2": "/html",
  11610. "Header1": "",
  11611. "Header2": "",
  11612. "PipeName": "",
  11613. "DNS Idle": "Zo\\x8DO",
  11614. "DNS Sleep": "0",
  11615. "Method1": "GET",
  11616. "Method2": "POST",
  11617. "Spawnto_x86": "%Systemroot%\\System32\\WUDFHost.exe",
  11618. "Spawnto_x64": "%Systemroot%\\System32\\WUDFHost.exe",
  11619. "Proxy_AccessType": "2 (Use IE settings)"
  11620. },
  11621. "x64": {
  11622. "BeaconType": "0 (HTTP)",
  11623. "Port": "443",
  11624. "Polling": "8658",
  11625. "Jitter": "39",
  11626. "Maxdns": "248",
  11627. "C2 Server": "64.64.243.42,/mobile-home",
  11628. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  11629. "HTTP Method Path 2": "/html",
  11630. "Header1": "",
  11631. "Header2": "",
  11632. "PipeName": "",
  11633. "DNS Idle": "Zo\\x8DO",
  11634. "DNS Sleep": "0",
  11635. "Method1": "GET",
  11636. "Method2": "POST",
  11637. "Spawnto_x86": "%Systemroot%\\System32\\WUDFHost.exe",
  11638. "Spawnto_x64": "%Systemroot%\\System32\\WUDFHost.exe",
  11639. "Proxy_AccessType": "2 (Use IE settings)"
  11640. }
  11641. },
  11642. "64.73.162.13": {
  11643. "x86": {
  11644. "BeaconType": "8 (HTTPS)",
  11645. "Port": "443",
  11646. "Polling": "45000",
  11647. "Jitter": "37",
  11648. "C2 Server": "64.73.162.13,/jquery-3.3.1.min.js",
  11649. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11650. "Method1": "GET",
  11651. "Method2": "POST",
  11652. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k LocalServiceNoNetwork",
  11653. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k LocalServiceNoNetwork",
  11654. "Proxy_AccessType": "2 (Use IE settings)"
  11655. },
  11656. "x64": {
  11657. "BeaconType": "8 (HTTPS)",
  11658. "Port": "443",
  11659. "Polling": "45000",
  11660. "Jitter": "37",
  11661. "C2 Server": "64.73.162.13,/jquery-3.3.1.min.js",
  11662. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11663. "Method1": "GET",
  11664. "Method2": "POST",
  11665. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k LocalServiceNoNetwork",
  11666. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k LocalServiceNoNetwork",
  11667. "Proxy_AccessType": "2 (Use IE settings)"
  11668. }
  11669. },
  11670. "65.207.115.215": {
  11671. "x86": {
  11672. "BeaconType": "8 (HTTPS)",
  11673. "Port": "443",
  11674. "Polling": "60000",
  11675. "Jitter": "20",
  11676. "C2 Server": "213.236.64.41,/preload",
  11677. "HTTP Method Path 2": "/sa",
  11678. "Method1": "GET",
  11679. "Method2": "GET",
  11680. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11681. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11682. "Proxy_AccessType": "2 (Use IE settings)"
  11683. },
  11684. "x64": {
  11685. "BeaconType": "8 (HTTPS)",
  11686. "Port": "443",
  11687. "Polling": "60000",
  11688. "Jitter": "20",
  11689. "C2 Server": "213.236.64.41,/preload",
  11690. "HTTP Method Path 2": "/sa",
  11691. "Method1": "GET",
  11692. "Method2": "GET",
  11693. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11694. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11695. "Proxy_AccessType": "2 (Use IE settings)"
  11696. }
  11697. },
  11698. "66.42.40.220": {
  11699. "x86": {
  11700. "BeaconType": "8 (HTTPS)",
  11701. "Port": "443",
  11702. "Polling": "61779",
  11703. "Jitter": "37",
  11704. "Maxdns": "241",
  11705. "C2 Server": "66.42.40.220,/toget",
  11706. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
  11707. "HTTP Method Path 2": "/topost",
  11708. "Header1": "",
  11709. "Header2": "",
  11710. "PipeName": "",
  11711. "DNS Idle": "r\\xDE\\x82.",
  11712. "DNS Sleep": "0",
  11713. "Method1": "GET",
  11714. "Method2": "POST",
  11715. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  11716. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  11717. "Proxy_AccessType": "2 (Use IE settings)"
  11718. },
  11719. "x64": {
  11720. "BeaconType": "8 (HTTPS)",
  11721. "Port": "443",
  11722. "Polling": "61779",
  11723. "Jitter": "37",
  11724. "Maxdns": "241",
  11725. "C2 Server": "66.42.40.220,/toget",
  11726. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
  11727. "HTTP Method Path 2": "/topost",
  11728. "Header1": "",
  11729. "Header2": "",
  11730. "PipeName": "",
  11731. "DNS Idle": "r\\xDE\\x82.",
  11732. "DNS Sleep": "0",
  11733. "Method1": "GET",
  11734. "Method2": "POST",
  11735. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  11736. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  11737. "Proxy_AccessType": "2 (Use IE settings)"
  11738. }
  11739. },
  11740. "66.42.59.57": {
  11741. "x64": {
  11742. "BeaconType": "8 (HTTPS)",
  11743. "Port": "443",
  11744. "Polling": "5000",
  11745. "Jitter": "15",
  11746. "Maxdns": "255",
  11747. "C2 Server": "help.office-books.com,/wp-admin/admin-ajax.php",
  11748. "User Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
  11749. "HTTP Method Path 2": "/wp-admin/api.php",
  11750. "Header1": "",
  11751. "Header2": "",
  11752. "PipeName": "",
  11753. "DNS Idle": "\\x08\\x08\\x04\\x04",
  11754. "DNS Sleep": "0",
  11755. "Method1": "GET",
  11756. "Method2": "GET",
  11757. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11758. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11759. "Proxy_AccessType": "2 (Use IE settings)"
  11760. }
  11761. },
  11762. "68.183.85.105": {
  11763. "x86": {
  11764. "BeaconType": "8 (HTTPS)",
  11765. "Port": "443",
  11766. "Polling": "15000",
  11767. "Jitter": "90",
  11768. "Maxdns": "225",
  11769. "C2 Server": "iecvlist.microsoft.com,/en-us/p/onerf/MeSilentPassport,cdnppe.vsassets.io,/gp/aj/private/reviewsGallery/get-application-resources,cdnads.msads.net,/api2/json/cluster/tasks,global.asazure.windows.net,/v3/links/ping-centre",
  11770. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  11771. "HTTP Method Path 2": "/gql",
  11772. "Header1": "",
  11773. "Header2": "",
  11774. "PipeName": "",
  11775. "DNS Idle": "h\\xD8<\\x84",
  11776. "DNS Sleep": "0",
  11777. "Method1": "GET",
  11778. "Method2": "POST",
  11779. "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe",
  11780. "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe",
  11781. "Proxy_AccessType": "2 (Use IE settings)"
  11782. }
  11783. },
  11784. "74.118.138.108": {
  11785. "x64": {
  11786. "BeaconType": "8 (HTTPS)",
  11787. "Port": "443",
  11788. "Polling": "5000",
  11789. "Jitter": "10",
  11790. "Maxdns": "235",
  11791. "C2 Server": "wolfnew.com,/us/ky/louisville/312-s-fourth-st.html",
  11792. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11793. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11794. "Header1": "",
  11795. "Header2": "",
  11796. "PipeName": "",
  11797. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11798. "DNS Sleep": "0",
  11799. "Method1": "GET",
  11800. "Method2": "POST",
  11801. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11802. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11803. "Proxy_AccessType": "2 (Use IE settings)"
  11804. }
  11805. },
  11806. "74.118.138.144": {
  11807. "x64": {
  11808. "BeaconType": "8 (HTTPS)",
  11809. "Port": "443",
  11810. "Polling": "5000",
  11811. "Jitter": "10",
  11812. "Maxdns": "235",
  11813. "C2 Server": "geotry.com,/us/ky/louisville/312-s-fourth-st.html",
  11814. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11815. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11816. "Header1": "",
  11817. "Header2": "",
  11818. "PipeName": "",
  11819. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11820. "DNS Sleep": "0",
  11821. "Method1": "GET",
  11822. "Method2": "POST",
  11823. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11824. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11825. "Proxy_AccessType": "2 (Use IE settings)"
  11826. }
  11827. },
  11828. "74.118.138.25": {
  11829. "x86": {
  11830. "BeaconType": "8 (HTTPS)",
  11831. "Port": "443",
  11832. "Polling": "5000",
  11833. "Jitter": "10",
  11834. "Maxdns": "235",
  11835. "C2 Server": "domways.com,/us/ky/louisville/312-s-fourth-st.html",
  11836. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11837. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11838. "Header1": "",
  11839. "Header2": "",
  11840. "PipeName": "",
  11841. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11842. "DNS Sleep": "0",
  11843. "Method1": "GET",
  11844. "Method2": "POST",
  11845. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11846. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11847. "Proxy_AccessType": "2 (Use IE settings)"
  11848. },
  11849. "x64": {
  11850. "BeaconType": "8 (HTTPS)",
  11851. "Port": "443",
  11852. "Polling": "5000",
  11853. "Jitter": "10",
  11854. "Maxdns": "235",
  11855. "C2 Server": "domways.com,/us/ky/louisville/312-s-fourth-st.html",
  11856. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11857. "HTTP Method Path 2": "/OrderEntryService.asmx/AddOrderLine",
  11858. "Header1": "",
  11859. "Header2": "",
  11860. "PipeName": "",
  11861. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11862. "DNS Sleep": "0",
  11863. "Method1": "GET",
  11864. "Method2": "POST",
  11865. "Spawnto_x86": "%windir%\\syswow64\\mstsc.exe",
  11866. "Spawnto_x64": "%windir%\\sysnative\\mstsc.exe",
  11867. "Proxy_AccessType": "2 (Use IE settings)"
  11868. }
  11869. },
  11870. "74.121.151.174": {
  11871. "x86": {
  11872. "BeaconType": "8 (HTTPS)",
  11873. "Port": "443",
  11874. "Polling": "6",
  11875. "Jitter": "37",
  11876. "Maxdns": "255",
  11877. "C2 Server": "74.121.151.174,/jquery-3.3.1.min.js",
  11878. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11879. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11880. "Header1": "",
  11881. "Header2": "",
  11882. "PipeName": "",
  11883. "DNS Idle": "J}\\xC4q",
  11884. "DNS Sleep": "0",
  11885. "Method1": "GET",
  11886. "Method2": "POST",
  11887. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  11888. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  11889. "Proxy_AccessType": "2 (Use IE settings)"
  11890. },
  11891. "x64": {
  11892. "BeaconType": "8 (HTTPS)",
  11893. "Port": "443",
  11894. "Polling": "6",
  11895. "Jitter": "37",
  11896. "Maxdns": "255",
  11897. "C2 Server": "74.121.151.174,/jquery-3.3.1.min.js",
  11898. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  11899. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  11900. "Header1": "",
  11901. "Header2": "",
  11902. "PipeName": "",
  11903. "DNS Idle": "J}\\xC4q",
  11904. "DNS Sleep": "0",
  11905. "Method1": "GET",
  11906. "Method2": "POST",
  11907. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  11908. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  11909. "Proxy_AccessType": "2 (Use IE settings)"
  11910. }
  11911. },
  11912. "77.123.155.74": {
  11913. "x86": {
  11914. "BeaconType": "8 (HTTPS)",
  11915. "Port": "443",
  11916. "Polling": "30000",
  11917. "Jitter": "20",
  11918. "Maxdns": "235",
  11919. "C2 Server": "77.123.155.74,/owa/",
  11920. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11921. "HTTP Method Path 2": "/OWA/",
  11922. "Header1": "",
  11923. "Header2": "",
  11924. "PipeName": "",
  11925. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11926. "DNS Sleep": "0",
  11927. "Method1": "GET",
  11928. "Method2": "GET",
  11929. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  11930. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11931. "Proxy_AccessType": "2 (Use IE settings)"
  11932. },
  11933. "x64": {
  11934. "BeaconType": "8 (HTTPS)",
  11935. "Port": "443",
  11936. "Polling": "30000",
  11937. "Jitter": "20",
  11938. "Maxdns": "235",
  11939. "C2 Server": "77.123.155.74,/owa/",
  11940. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
  11941. "HTTP Method Path 2": "/OWA/",
  11942. "Header1": "",
  11943. "Header2": "",
  11944. "PipeName": "",
  11945. "DNS Idle": "\\x08\\x08\\x08\\x08",
  11946. "DNS Sleep": "0",
  11947. "Method1": "GET",
  11948. "Method2": "GET",
  11949. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  11950. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11951. "Proxy_AccessType": "2 (Use IE settings)"
  11952. }
  11953. },
  11954. "78.108.180.43": {
  11955. "x64": {
  11956. "BeaconType": "8 (HTTPS)",
  11957. "Port": "443",
  11958. "Polling": "38310",
  11959. "Jitter": "35",
  11960. "Maxdns": "245",
  11961. "C2 Server": "chromeupdates.best,/admin",
  11962. "User Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.227.0 Safari/536.3",
  11963. "HTTP Method Path 2": "/Login",
  11964. "Header1": "",
  11965. "Header2": "",
  11966. "PipeName": "",
  11967. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11968. "DNS Sleep": "0",
  11969. "Method1": "GET",
  11970. "Method2": "GET",
  11971. "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe",
  11972. "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe",
  11973. "Proxy_AccessType": "2 (Use IE settings)"
  11974. }
  11975. },
  11976. "78.128.113.14": {
  11977. "x64": {
  11978. "BeaconType": "8 (HTTPS)",
  11979. "Port": "443",
  11980. "Polling": "60000",
  11981. "Jitter": "0",
  11982. "Maxdns": "255",
  11983. "C2 Server": "78.128.113.14,/j.ad",
  11984. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)",
  11985. "HTTP Method Path 2": "/submit.php",
  11986. "Header1": "",
  11987. "Header2": "",
  11988. "PipeName": "",
  11989. "DNS Idle": "\\x00\\x00\\x00\\x00",
  11990. "DNS Sleep": "0",
  11991. "Method1": "GET",
  11992. "Method2": "POST",
  11993. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  11994. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  11995. "Proxy_AccessType": "2 (Use IE settings)"
  11996. }
  11997. },
  11998. "78.129.165.207": {
  11999. "x86": {
  12000. "BeaconType": "8 (HTTPS)",
  12001. "Port": "443",
  12002. "Polling": "55007",
  12003. "Jitter": "37",
  12004. "C2 Server": "s91-update.mala7at.com,/lu",
  12005. "HTTP Method Path 2": "/dhl",
  12006. "Method1": "GET",
  12007. "Method2": "POST",
  12008. "Spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",
  12009. "Spawnto_x64": "%windir%\\sysnative\\regsvr32.exe",
  12010. "Proxy_AccessType": "2 (Use IE settings)"
  12011. }
  12012. },
  12013. "79.141.160.16": {
  12014. "x86": {
  12015. "BeaconType": "8 (HTTPS)",
  12016. "Port": "443",
  12017. "Polling": "55000",
  12018. "Jitter": "20",
  12019. "Maxdns": "61",
  12020. "C2 Server": "zerocdn.net,/static/fetch.umd.min.js",
  12021. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36",
  12022. "HTTP Method Path 2": "/submit/analytics/fetch.js",
  12023. "Header1": "",
  12024. "Header2": "",
  12025. "PipeName": "",
  12026. "DNS Idle": "J}\\x15\\x8A",
  12027. "DNS Sleep": "0",
  12028. "Method1": "GET",
  12029. "Method2": "POST",
  12030. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12031. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12032. "Proxy_AccessType": "2 (Use IE settings)"
  12033. }
  12034. },
  12035. "79.141.160.21": {
  12036. "x86": {
  12037. "BeaconType": "8 (HTTPS)",
  12038. "Port": "443",
  12039. "Polling": "55000",
  12040. "Jitter": "20",
  12041. "Maxdns": "61",
  12042. "C2 Server": "zerocdn.net,/static/fetch.umd.min.js",
  12043. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36",
  12044. "HTTP Method Path 2": "/submit/analytics/fetch.js",
  12045. "Header1": "",
  12046. "Header2": "",
  12047. "PipeName": "",
  12048. "DNS Idle": "J}\\x15\\x8A",
  12049. "DNS Sleep": "0",
  12050. "Method1": "GET",
  12051. "Method2": "POST",
  12052. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12053. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12054. "Proxy_AccessType": "2 (Use IE settings)"
  12055. }
  12056. },
  12057. "79.141.164.206": {
  12058. "x86": {
  12059. "BeaconType": "8 (HTTPS)",
  12060. "Port": "443",
  12061. "Polling": "60000",
  12062. "Jitter": "0",
  12063. "Maxdns": "255",
  12064. "C2 Server": "79.141.164.206,/IE9CompatViewList.xml",
  12065. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 733; .NET CLR 2.0.50727)",
  12066. "HTTP Method Path 2": "/submit.php",
  12067. "Header1": "",
  12068. "Header2": "",
  12069. "PipeName": "",
  12070. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12071. "DNS Sleep": "0",
  12072. "Method1": "GET",
  12073. "Method2": "POST",
  12074. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12075. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12076. "Proxy_AccessType": "2 (Use IE settings)"
  12077. }
  12078. },
  12079. "80.209.241.7": {
  12080. "x86": {
  12081. "BeaconType": "8 (HTTPS)",
  12082. "Port": "443",
  12083. "Polling": "30000",
  12084. "Jitter": "0",
  12085. "Maxdns": "255",
  12086. "C2 Server": "94.140.114.160,/include/template/isx.php",
  12087. "User Agent": "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08",
  12088. "HTTP Method Path 2": "/blog/wp-includes/pomo/src.php",
  12089. "Header1": "",
  12090. "Header2": "",
  12091. "PipeName": "",
  12092. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12093. "DNS Sleep": "0",
  12094. "Method1": "GET",
  12095. "Method2": "POST",
  12096. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12097. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12098. "Proxy_AccessType": "2 (Use IE settings)"
  12099. }
  12100. },
  12101. "80.82.77.164": {
  12102. "x86": {
  12103. "BeaconType": "8 (HTTPS)",
  12104. "Port": "443",
  12105. "Polling": "60000",
  12106. "Jitter": "0",
  12107. "Maxdns": "255",
  12108. "C2 Server": "80.82.77.164,/load",
  12109. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)",
  12110. "HTTP Method Path 2": "/submit.php",
  12111. "Header1": "",
  12112. "Header2": "",
  12113. "PipeName": "",
  12114. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12115. "DNS Sleep": "0",
  12116. "Method1": "GET",
  12117. "Method2": "POST",
  12118. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12119. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12120. "Proxy_AccessType": "2 (Use IE settings)"
  12121. },
  12122. "x64": {
  12123. "BeaconType": "8 (HTTPS)",
  12124. "Port": "443",
  12125. "Polling": "60000",
  12126. "Jitter": "0",
  12127. "Maxdns": "255",
  12128. "C2 Server": "80.82.77.164,/fwlink",
  12129. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
  12130. "HTTP Method Path 2": "/submit.php",
  12131. "Header1": "",
  12132. "Header2": "",
  12133. "PipeName": "",
  12134. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12135. "DNS Sleep": "0",
  12136. "Method1": "GET",
  12137. "Method2": "POST",
  12138. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12139. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12140. "Proxy_AccessType": "2 (Use IE settings)"
  12141. }
  12142. },
  12143. "81.17.16.106": {
  12144. "x64": {
  12145. "BeaconType": "8 (HTTPS)",
  12146. "Port": "443",
  12147. "Polling": "60000",
  12148. "Jitter": "0",
  12149. "Maxdns": "255",
  12150. "C2 Server": "81.17.16.106,/IE9CompatViewList.xml",
  12151. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  12152. "HTTP Method Path 2": "/submit.php",
  12153. "Header1": "",
  12154. "Header2": "",
  12155. "PipeName": "",
  12156. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12157. "DNS Sleep": "0",
  12158. "Method1": "GET",
  12159. "Method2": "POST",
  12160. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12161. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12162. "Proxy_AccessType": "2 (Use IE settings)"
  12163. }
  12164. },
  12165. "8.129.133.18": {
  12166. "x64": {
  12167. "BeaconType": "8 (HTTPS)",
  12168. "Port": "443",
  12169. "Polling": "8658",
  12170. "Jitter": "37",
  12171. "Maxdns": "243",
  12172. "C2 Server": "8.129.133.18,/lu.js",
  12173. "User Agent": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202",
  12174. "HTTP Method Path 2": "/html",
  12175. "Header1": "",
  12176. "Header2": "",
  12177. "PipeName": "",
  12178. "DNS Idle": "\\xC1\\x19\\xB3p",
  12179. "DNS Sleep": "0",
  12180. "Method1": "GET",
  12181. "Method2": "POST",
  12182. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  12183. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  12184. "Proxy_AccessType": "2 (Use IE settings)"
  12185. }
  12186. },
  12187. "8.131.60.36": {
  12188. "x86": {
  12189. "BeaconType": "8 (HTTPS)",
  12190. "Port": "443",
  12191. "Polling": "1500",
  12192. "Jitter": "0",
  12193. "Maxdns": "235",
  12194. "C2 Server": "8.131.60.36,/live-txy/check",
  12195. "User Agent": "Shockwave Flash",
  12196. "HTTP Method Path 2": "/live-txy/",
  12197. "Header1": "",
  12198. "Header2": "",
  12199. "PipeName": "",
  12200. "DNS Idle": "\\x08\\x08\\x04\\x04",
  12201. "DNS Sleep": "0",
  12202. "Method1": "GET",
  12203. "Method2": "POST",
  12204. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12205. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12206. "Proxy_AccessType": "2 (Use IE settings)"
  12207. }
  12208. },
  12209. "81.70.155.208": {
  12210. "x64": {
  12211. "BeaconType": "8 (HTTPS)",
  12212. "Port": "443",
  12213. "Polling": "60000",
  12214. "Jitter": "0",
  12215. "Maxdns": "255",
  12216. "C2 Server": "81.70.155.208,/ga.js",
  12217. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MASAJS)",
  12218. "HTTP Method Path 2": "/submit.php",
  12219. "Header1": "",
  12220. "Header2": "",
  12221. "PipeName": "",
  12222. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12223. "DNS Sleep": "0",
  12224. "Method1": "GET",
  12225. "Method2": "POST",
  12226. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12227. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12228. "Proxy_AccessType": "2 (Use IE settings)"
  12229. }
  12230. },
  12231. "81.70.213.71": {
  12232. "x86": {
  12233. "BeaconType": "8 (HTTPS)",
  12234. "Port": "443",
  12235. "Polling": "10000",
  12236. "Jitter": "0",
  12237. "Maxdns": "235",
  12238. "C2 Server": "81.70.213.71,/wp-content/themes/calliope/wp_data.php",
  12239. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36",
  12240. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  12241. "Header1": "",
  12242. "Header2": "",
  12243. "PipeName": "",
  12244. "DNS Idle": "\\x08\\x08\\x04\\x04",
  12245. "DNS Sleep": "0",
  12246. "Method1": "GET",
  12247. "Method2": "POST",
  12248. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12249. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12250. "Proxy_AccessType": "2 (Use IE settings)"
  12251. }
  12252. },
  12253. "8.210.253.122": {
  12254. "x86": {
  12255. "BeaconType": "8 (HTTPS)",
  12256. "Port": "443",
  12257. "Polling": "60000",
  12258. "Jitter": "0",
  12259. "Maxdns": "255",
  12260. "C2 Server": "8.210.253.122,/IE9CompatViewList.xml",
  12261. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)",
  12262. "HTTP Method Path 2": "/submit.php",
  12263. "Header1": "",
  12264. "Header2": "",
  12265. "PipeName": "",
  12266. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12267. "DNS Sleep": "0",
  12268. "Method1": "GET",
  12269. "Method2": "POST",
  12270. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12271. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12272. "Proxy_AccessType": "2 (Use IE settings)"
  12273. }
  12274. },
  12275. "87.120.254.113": {
  12276. "x86": {
  12277. "BeaconType": "8 (HTTPS)",
  12278. "Port": "443",
  12279. "Polling": "5000",
  12280. "Jitter": "0",
  12281. "Maxdns": "255",
  12282. "C2 Server": "h22.club,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12283. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12284. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12285. "Header1": "",
  12286. "Header2": "",
  12287. "PipeName": "",
  12288. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12289. "DNS Sleep": "0",
  12290. "Method1": "GET",
  12291. "Method2": "POST",
  12292. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12293. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12294. "Proxy_AccessType": "2 (Use IE settings)"
  12295. },
  12296. "x64": {
  12297. "BeaconType": "8 (HTTPS)",
  12298. "Port": "443",
  12299. "Polling": "5000",
  12300. "Jitter": "0",
  12301. "Maxdns": "255",
  12302. "C2 Server": "h22.club,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12303. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12304. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12305. "Header1": "",
  12306. "Header2": "",
  12307. "PipeName": "",
  12308. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12309. "DNS Sleep": "0",
  12310. "Method1": "GET",
  12311. "Method2": "POST",
  12312. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12313. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12314. "Proxy_AccessType": "2 (Use IE settings)"
  12315. }
  12316. },
  12317. "87.120.8.249": {
  12318. "x86": {
  12319. "BeaconType": "8 (HTTPS)",
  12320. "Port": "443",
  12321. "Polling": "45000",
  12322. "Jitter": "37",
  12323. "Maxdns": "255",
  12324. "C2 Server": "87.120.8.249,/jquery-3.3.1.min.js",
  12325. "User Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36",
  12326. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  12327. "Header1": "",
  12328. "Header2": "",
  12329. "PipeName": "",
  12330. "DNS Idle": "J}\\xC4q",
  12331. "DNS Sleep": "0",
  12332. "Method1": "GET",
  12333. "Method2": "POST",
  12334. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12335. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12336. "Proxy_AccessType": "2 (Use IE settings)"
  12337. }
  12338. },
  12339. "87.248.0.216": {
  12340. "x86": {
  12341. "BeaconType": "8 (HTTPS)",
  12342. "Port": "443",
  12343. "Polling": "5000",
  12344. "Jitter": "0",
  12345. "Maxdns": "255",
  12346. "C2 Server": "ebs.awsedge.net,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12347. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12348. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12349. "Header1": "",
  12350. "Header2": "",
  12351. "PipeName": "",
  12352. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12353. "DNS Sleep": "0",
  12354. "Method1": "GET",
  12355. "Method2": "POST",
  12356. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12357. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12358. "Proxy_AccessType": "2 (Use IE settings)"
  12359. }
  12360. },
  12361. "87.251.70.12": {
  12362. "x86": {
  12363. "BeaconType": "8 (HTTPS)",
  12364. "Port": "443",
  12365. "Polling": "60000",
  12366. "Jitter": "0",
  12367. "Maxdns": "255",
  12368. "C2 Server": "supercombinating.com,/visit.js",
  12369. "User Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  12370. "HTTP Method Path 2": "/submit.php",
  12371. "Header1": "",
  12372. "Header2": "",
  12373. "PipeName": "",
  12374. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12375. "DNS Sleep": "0",
  12376. "Method1": "GET",
  12377. "Method2": "POST",
  12378. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12379. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12380. "Proxy_AccessType": "2 (Use IE settings)"
  12381. }
  12382. },
  12383. "88.119.171.55": {
  12384. "x86": {
  12385. "BeaconType": "8 (HTTPS)",
  12386. "Port": "443",
  12387. "Polling": "55867",
  12388. "Jitter": "43",
  12389. "Maxdns": "253",
  12390. "C2 Server": "88.119.171.55,/lv.html",
  12391. "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",
  12392. "HTTP Method Path 2": "/dz",
  12393. "Header1": "",
  12394. "Header2": "",
  12395. "PipeName": "",
  12396. "DNS Idle": "\\xB1\\x985\\xD4",
  12397. "DNS Sleep": "0",
  12398. "Method1": "GET",
  12399. "Method2": "POST",
  12400. "Spawnto_x86": "%windir%\\syswow64\\runonce.exe",
  12401. "Spawnto_x64": "%windir%\\sysnative\\runonce.exe",
  12402. "Proxy_AccessType": "2 (Use IE settings)"
  12403. }
  12404. },
  12405. "88.119.174.135": {
  12406. "x86": {
  12407. "BeaconType": "8 (HTTPS)",
  12408. "Port": "443",
  12409. "Polling": "64699",
  12410. "Jitter": "37",
  12411. "Maxdns": "250",
  12412. "C2 Server": "yh.htpdomrtx.com,/be,yg.htpdomrtx.com,/be,yf.htpdomrtx.com,/be",
  12413. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  12414. "HTTP Method Path 2": "/search",
  12415. "Header1": "",
  12416. "Header2": "",
  12417. "PipeName": "",
  12418. "DNS Idle": "U\\xF9C>",
  12419. "DNS Sleep": "0",
  12420. "Method1": "GET",
  12421. "Method2": "POST",
  12422. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  12423. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  12424. "Proxy_AccessType": "2 (Use IE settings)"
  12425. },
  12426. "x64": {
  12427. "BeaconType": "8 (HTTPS)",
  12428. "Port": "443",
  12429. "Polling": "64699",
  12430. "Jitter": "37",
  12431. "Maxdns": "250",
  12432. "C2 Server": "yh.htpdomrtx.com,/be,yg.htpdomrtx.com,/be,yf.htpdomrtx.com,/be",
  12433. "User Agent": "Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  12434. "HTTP Method Path 2": "/search",
  12435. "Header1": "",
  12436. "Header2": "",
  12437. "PipeName": "",
  12438. "DNS Idle": "U\\xF9C>",
  12439. "DNS Sleep": "0",
  12440. "Method1": "GET",
  12441. "Method2": "POST",
  12442. "Spawnto_x86": "%windir%\\syswow64\\WUAUCLT.exe",
  12443. "Spawnto_x64": "%windir%\\sysnative\\WUAUCLT.exe",
  12444. "Proxy_AccessType": "2 (Use IE settings)"
  12445. }
  12446. },
  12447. "88.119.175.104": {
  12448. "x86": {
  12449. "BeaconType": "8 (HTTPS)",
  12450. "Port": "443",
  12451. "Polling": "5000",
  12452. "Jitter": "0",
  12453. "Maxdns": "255",
  12454. "C2 Server": "dlubfrhtekkjxdhy.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12455. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12456. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12457. "Header1": "",
  12458. "Header2": "",
  12459. "PipeName": "",
  12460. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12461. "DNS Sleep": "0",
  12462. "Method1": "GET",
  12463. "Method2": "POST",
  12464. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12465. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12466. "Proxy_AccessType": "2 (Use IE settings)"
  12467. }
  12468. },
  12469. "88.119.175.132": {
  12470. "x86": {
  12471. "BeaconType": "8 (HTTPS)",
  12472. "Port": "443",
  12473. "Polling": "57568",
  12474. "Jitter": "43",
  12475. "Maxdns": "255",
  12476. "C2 Server": "hf.livehealths.com,/default,fh.livehealths.com,/default,ff.livehealths.com,/default",
  12477. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  12478. "HTTP Method Path 2": "/profile",
  12479. "Header1": "",
  12480. "Header2": "",
  12481. "PipeName": "",
  12482. "DNS Idle": "\\xDF\"M2",
  12483. "DNS Sleep": "0",
  12484. "Method1": "GET",
  12485. "Method2": "POST",
  12486. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  12487. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  12488. "Proxy_AccessType": "2 (Use IE settings)"
  12489. },
  12490. "x64": {
  12491. "BeaconType": "8 (HTTPS)",
  12492. "Port": "443",
  12493. "Polling": "57568",
  12494. "Jitter": "43",
  12495. "Maxdns": "255",
  12496. "C2 Server": "hf.livehealths.com,/default,fh.livehealths.com,/r-arrow,ff.livehealths.com,/styles",
  12497. "User Agent": "Mozilla/5.0 (Linux; Android 6.0; HTC One X10 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0",
  12498. "HTTP Method Path 2": "/ml",
  12499. "Header1": "",
  12500. "Header2": "",
  12501. "PipeName": "",
  12502. "DNS Idle": "\\xDF\"M2",
  12503. "DNS Sleep": "0",
  12504. "Method1": "GET",
  12505. "Method2": "POST",
  12506. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  12507. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  12508. "Proxy_AccessType": "2 (Use IE settings)"
  12509. }
  12510. },
  12511. "88.119.175.250": {
  12512. "x86": {
  12513. "BeaconType": "8 (HTTPS)",
  12514. "Port": "443",
  12515. "Polling": "59183",
  12516. "Jitter": "43",
  12517. "Maxdns": "240",
  12518. "C2 Server": "domnasemg.com,/da.css",
  12519. "User Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0",
  12520. "HTTP Method Path 2": "/ms",
  12521. "Header1": "",
  12522. "Header2": "",
  12523. "PipeName": "",
  12524. "DNS Idle": "\\xCC\\xB0V\\xA0",
  12525. "DNS Sleep": "0",
  12526. "Method1": "GET",
  12527. "Method2": "POST",
  12528. "Spawnto_x86": "%windir%\\syswow64\\svchost.exe",
  12529. "Spawnto_x64": "%windir%\\sysnative\\svchost.exe",
  12530. "Proxy_AccessType": "2 (Use IE settings)"
  12531. }
  12532. },
  12533. "88.119.175.54": {
  12534. "x86": {
  12535. "BeaconType": "8 (HTTPS)",
  12536. "Port": "443",
  12537. "Polling": "5000",
  12538. "Jitter": "0",
  12539. "Maxdns": "255",
  12540. "C2 Server": "hjdytrgfoljgdyoxfa.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12541. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12542. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12543. "Header1": "",
  12544. "Header2": "",
  12545. "PipeName": "",
  12546. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12547. "DNS Sleep": "0",
  12548. "Method1": "GET",
  12549. "Method2": "POST",
  12550. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12551. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12552. "Proxy_AccessType": "2 (Use IE settings)"
  12553. },
  12554. "x64": {
  12555. "BeaconType": "8 (HTTPS)",
  12556. "Port": "443",
  12557. "Polling": "5000",
  12558. "Jitter": "0",
  12559. "Maxdns": "255",
  12560. "C2 Server": "hjdytrgfoljgdyoxfa.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12561. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12562. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12563. "Header1": "",
  12564. "Header2": "",
  12565. "PipeName": "",
  12566. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12567. "DNS Sleep": "0",
  12568. "Method1": "GET",
  12569. "Method2": "POST",
  12570. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12571. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12572. "Proxy_AccessType": "2 (Use IE settings)"
  12573. }
  12574. },
  12575. "88.151.99.149": {
  12576. "x86": {
  12577. "BeaconType": "8 (HTTPS)",
  12578. "Port": "443",
  12579. "Polling": "30000",
  12580. "Jitter": "23",
  12581. "Maxdns": "255",
  12582. "C2 Server": "emcor-services.com,/jquery-3.3.1.min.js",
  12583. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  12584. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  12585. "Header1": "",
  12586. "Header2": "",
  12587. "PipeName": "",
  12588. "DNS Idle": "J}\\xC4q",
  12589. "DNS Sleep": "0",
  12590. "Method1": "GET",
  12591. "Method2": "POST",
  12592. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12593. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12594. "Proxy_AccessType": "2 (Use IE settings)"
  12595. },
  12596. "x64": {
  12597. "BeaconType": "8 (HTTPS)",
  12598. "Port": "443",
  12599. "Polling": "30000",
  12600. "Jitter": "23",
  12601. "Maxdns": "255",
  12602. "C2 Server": "emcor-services.com,/jquery-3.3.1.min.js",
  12603. "User Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  12604. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  12605. "Header1": "",
  12606. "Header2": "",
  12607. "PipeName": "",
  12608. "DNS Idle": "J}\\xC4q",
  12609. "DNS Sleep": "0",
  12610. "Method1": "GET",
  12611. "Method2": "POST",
  12612. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12613. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12614. "Proxy_AccessType": "2 (Use IE settings)"
  12615. }
  12616. },
  12617. "88.218.92.19": {
  12618. "x86": {
  12619. "BeaconType": "8 (HTTPS)",
  12620. "Port": "443",
  12621. "Polling": "5000",
  12622. "Jitter": "0",
  12623. "C2 Server": "88.218.92.19,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12624. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12625. "Method1": "GET",
  12626. "Method2": "POST",
  12627. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12628. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12629. "Proxy_AccessType": "2 (Use IE settings)"
  12630. }
  12631. },
  12632. "88.85.122.220": {
  12633. "x86": {
  12634. "BeaconType": "8 (HTTPS)",
  12635. "Port": "443",
  12636. "Polling": "60000",
  12637. "Jitter": "0",
  12638. "Maxdns": "255",
  12639. "C2 Server": "datacatapult.sytes.net,/ga.js",
  12640. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)",
  12641. "HTTP Method Path 2": "/submit.php",
  12642. "Header1": "",
  12643. "Header2": "",
  12644. "Injection Process": "rundll32.exe",
  12645. "PipeName": "\\\\%s\\pipe\\msagent_%x",
  12646. "Year": "0",
  12647. "Month": "0",
  12648. "Day": "0",
  12649. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12650. "DNS Sleep": "0"
  12651. }
  12652. },
  12653. "89.38.226.218": {
  12654. "x64": {
  12655. "BeaconType": "8 (HTTPS)",
  12656. "Port": "443",
  12657. "Polling": "5000",
  12658. "Jitter": "37",
  12659. "C2 Server": "www.phpbasic.net,/scs/mail-static/js/",
  12660. "HTTP Method Path 2": "/mail/u/_/1/",
  12661. "Method1": "GET",
  12662. "Method2": "POST",
  12663. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  12664. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  12665. "Proxy_AccessType": "2 (Use IE settings)"
  12666. }
  12667. },
  12668. "91.229.77.41": {
  12669. "x86": {
  12670. "BeaconType": "8 (HTTPS)",
  12671. "Port": "443",
  12672. "Polling": "60000",
  12673. "Jitter": "0",
  12674. "Maxdns": "255",
  12675. "C2 Server": "bdiaccs.global.ssl.fastly.net,/ptj",
  12676. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
  12677. "HTTP Method Path 2": "/submit.php",
  12678. "Header1": "",
  12679. "Header2": "",
  12680. "PipeName": "",
  12681. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12682. "DNS Sleep": "0",
  12683. "Method1": "GET",
  12684. "Method2": "POST",
  12685. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12686. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12687. "Proxy_AccessType": "2 (Use IE settings)"
  12688. },
  12689. "x64": {
  12690. "BeaconType": "8 (HTTPS)",
  12691. "Port": "443",
  12692. "Polling": "60000",
  12693. "Jitter": "0",
  12694. "Maxdns": "255",
  12695. "C2 Server": "bdiaccs.global.ssl.fastly.net,/IE9CompatViewList.xml",
  12696. "User Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  12697. "HTTP Method Path 2": "/submit.php",
  12698. "Header1": "",
  12699. "Header2": "",
  12700. "PipeName": "",
  12701. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12702. "DNS Sleep": "0",
  12703. "Method1": "GET",
  12704. "Method2": "POST",
  12705. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12706. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12707. "Proxy_AccessType": "2 (Use IE settings)"
  12708. }
  12709. },
  12710. "92.42.14.133": {
  12711. "x86": {
  12712. "BeaconType": "8 (HTTPS)",
  12713. "Port": "443",
  12714. "Polling": "60000",
  12715. "Jitter": "0",
  12716. "Maxdns": "255",
  12717. "C2 Server": "92.42.14.133,/activity",
  12718. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)",
  12719. "HTTP Method Path 2": "/submit.php",
  12720. "Header1": "",
  12721. "Header2": "",
  12722. "PipeName": "",
  12723. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12724. "DNS Sleep": "0",
  12725. "Method1": "GET",
  12726. "Method2": "POST",
  12727. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12728. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12729. "Proxy_AccessType": "2 (Use IE settings)"
  12730. },
  12731. "x64": {
  12732. "BeaconType": "8 (HTTPS)",
  12733. "Port": "443",
  12734. "Polling": "60000",
  12735. "Jitter": "0",
  12736. "Maxdns": "255",
  12737. "C2 Server": "92.42.14.133,/IE9CompatViewList.xml",
  12738. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)",
  12739. "HTTP Method Path 2": "/submit.php",
  12740. "Header1": "",
  12741. "Header2": "",
  12742. "PipeName": "",
  12743. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12744. "DNS Sleep": "0",
  12745. "Method1": "GET",
  12746. "Method2": "POST",
  12747. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12748. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12749. "Proxy_AccessType": "2 (Use IE settings)"
  12750. }
  12751. },
  12752. "94.140.115.165": {
  12753. "x64": {
  12754. "BeaconType": "8 (HTTPS)",
  12755. "Port": "443",
  12756. "Polling": "60000",
  12757. "Jitter": "15",
  12758. "Maxdns": "255",
  12759. "C2 Server": "94.140.115.165,/_/scs/mail-static/_/js/",
  12760. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)",
  12761. "HTTP Method Path 2": "/mail/u/0/",
  12762. "Header1": "",
  12763. "Header2": "",
  12764. "PipeName": "",
  12765. "DNS Idle": "\\x08\\x08\\x04\\x04",
  12766. "DNS Sleep": "0",
  12767. "Method1": "GET",
  12768. "Method2": "POST",
  12769. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12770. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12771. "Proxy_AccessType": "2 (Use IE settings)"
  12772. }
  12773. },
  12774. "95.179.190.111": {
  12775. "x86": {
  12776. "BeaconType": "8 (HTTPS)",
  12777. "Port": "443",
  12778. "Polling": "5000",
  12779. "Jitter": "0",
  12780. "Maxdns": "255",
  12781. "C2 Server": "securityreserch86.net,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12782. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12783. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12784. "Header1": "",
  12785. "Header2": "",
  12786. "PipeName": "",
  12787. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12788. "DNS Sleep": "0",
  12789. "Method1": "GET",
  12790. "Method2": "POST",
  12791. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12792. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12793. "Proxy_AccessType": "2 (Use IE settings)"
  12794. }
  12795. },
  12796. "95.179.247.174": {
  12797. "x86": {
  12798. "BeaconType": "8 (HTTPS)",
  12799. "Port": "443",
  12800. "Polling": "5000",
  12801. "Jitter": "0",
  12802. "Maxdns": "255",
  12803. "C2 Server": "testginwebsite.tk,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  12804. "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  12805. "HTTP Method Path 2": "/N4215/adj/amzn.us.sr.aps",
  12806. "Header1": "",
  12807. "Header2": "",
  12808. "PipeName": "",
  12809. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12810. "DNS Sleep": "0",
  12811. "Method1": "GET",
  12812. "Method2": "POST",
  12813. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12814. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12815. "Proxy_AccessType": "2 (Use IE settings)"
  12816. }
  12817. },
  12818. "95.217.197.124": {
  12819. "x86": {
  12820. "BeaconType": "8 (HTTPS)",
  12821. "Port": "443",
  12822. "Polling": "60000",
  12823. "Jitter": "0",
  12824. "Maxdns": "255",
  12825. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/pixel.gif",
  12826. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  12827. "HTTP Method Path 2": "/submit.php",
  12828. "Header1": "",
  12829. "Header2": "",
  12830. "PipeName": "",
  12831. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12832. "DNS Sleep": "0",
  12833. "Method1": "GET",
  12834. "Method2": "POST",
  12835. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12836. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12837. "Proxy_AccessType": "2 (Use IE settings)"
  12838. },
  12839. "x64": {
  12840. "BeaconType": "8 (HTTPS)",
  12841. "Port": "443",
  12842. "Polling": "60000",
  12843. "Jitter": "0",
  12844. "Maxdns": "255",
  12845. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/push",
  12846. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  12847. "HTTP Method Path 2": "/submit.php",
  12848. "Header1": "",
  12849. "Header2": "",
  12850. "PipeName": "",
  12851. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12852. "DNS Sleep": "0",
  12853. "Method1": "GET",
  12854. "Method2": "POST",
  12855. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12856. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12857. "Proxy_AccessType": "2 (Use IE settings)"
  12858. }
  12859. },
  12860. "95.217.197.66": {
  12861. "x64": {
  12862. "BeaconType": "8 (HTTPS)",
  12863. "Port": "443",
  12864. "Polling": "60000",
  12865. "Jitter": "0",
  12866. "Maxdns": "255",
  12867. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/push",
  12868. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  12869. "HTTP Method Path 2": "/submit.php",
  12870. "Header1": "",
  12871. "Header2": "",
  12872. "PipeName": "",
  12873. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12874. "DNS Sleep": "0",
  12875. "Method1": "GET",
  12876. "Method2": "POST",
  12877. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12878. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12879. "Proxy_AccessType": "2 (Use IE settings)"
  12880. }
  12881. },
  12882. "95.217.197.67": {
  12883. "x86": {
  12884. "BeaconType": "8 (HTTPS)",
  12885. "Port": "443",
  12886. "Polling": "60000",
  12887. "Jitter": "0",
  12888. "Maxdns": "255",
  12889. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/pixel.gif",
  12890. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  12891. "HTTP Method Path 2": "/submit.php",
  12892. "Header1": "",
  12893. "Header2": "",
  12894. "PipeName": "",
  12895. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12896. "DNS Sleep": "0",
  12897. "Method1": "GET",
  12898. "Method2": "POST",
  12899. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12900. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12901. "Proxy_AccessType": "2 (Use IE settings)"
  12902. },
  12903. "x64": {
  12904. "BeaconType": "8 (HTTPS)",
  12905. "Port": "443",
  12906. "Polling": "60000",
  12907. "Jitter": "0",
  12908. "Maxdns": "255",
  12909. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/push",
  12910. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  12911. "HTTP Method Path 2": "/submit.php",
  12912. "Header1": "",
  12913. "Header2": "",
  12914. "PipeName": "",
  12915. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12916. "DNS Sleep": "0",
  12917. "Method1": "GET",
  12918. "Method2": "POST",
  12919. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12920. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12921. "Proxy_AccessType": "2 (Use IE settings)"
  12922. }
  12923. },
  12924. "95.217.197.78": {
  12925. "x86": {
  12926. "BeaconType": "8 (HTTPS)",
  12927. "Port": "443",
  12928. "Polling": "60000",
  12929. "Jitter": "0",
  12930. "Maxdns": "255",
  12931. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/pixel.gif",
  12932. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  12933. "HTTP Method Path 2": "/submit.php",
  12934. "Header1": "",
  12935. "Header2": "",
  12936. "PipeName": "",
  12937. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12938. "DNS Sleep": "0",
  12939. "Method1": "GET",
  12940. "Method2": "POST",
  12941. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12942. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12943. "Proxy_AccessType": "2 (Use IE settings)"
  12944. },
  12945. "x64": {
  12946. "BeaconType": "8 (HTTPS)",
  12947. "Port": "443",
  12948. "Polling": "60000",
  12949. "Jitter": "0",
  12950. "Maxdns": "255",
  12951. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/push",
  12952. "User Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)",
  12953. "HTTP Method Path 2": "/submit.php",
  12954. "Header1": "",
  12955. "Header2": "",
  12956. "PipeName": "",
  12957. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12958. "DNS Sleep": "0",
  12959. "Method1": "GET",
  12960. "Method2": "POST",
  12961. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12962. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12963. "Proxy_AccessType": "2 (Use IE settings)"
  12964. }
  12965. },
  12966. "95.217.197.85": {
  12967. "x86": {
  12968. "BeaconType": "8 (HTTPS)",
  12969. "Port": "443",
  12970. "Polling": "60000",
  12971. "Jitter": "0",
  12972. "Maxdns": "255",
  12973. "C2 Server": "oomdatacollect.global.ssl.fastly.net,/pixel.gif",
  12974. "User Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  12975. "HTTP Method Path 2": "/submit.php",
  12976. "Header1": "",
  12977. "Header2": "",
  12978. "PipeName": "",
  12979. "DNS Idle": "\\x00\\x00\\x00\\x00",
  12980. "DNS Sleep": "0",
  12981. "Method1": "GET",
  12982. "Method2": "POST",
  12983. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  12984. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  12985. "Proxy_AccessType": "2 (Use IE settings)"
  12986. }
  12987. },
  12988. "98.142.141.43": {
  12989. "x86": {
  12990. "BeaconType": "8 (HTTPS)",
  12991. "Port": "443",
  12992. "Polling": "45000",
  12993. "Jitter": "37",
  12994. "Maxdns": "255",
  12995. "C2 Server": "www.nameshow.site,/jquery-3.3.1.min.js",
  12996. "User Agent": "Mozilla/5.1 (Windows NT 6.4; Trident/7.1; rv:12.0) like Gecko",
  12997. "HTTP Method Path 2": "/jquery-3.3.2.min.js",
  12998. "Header1": "",
  12999. "Header2": "",
  13000. "PipeName": "",
  13001. "DNS Idle": "J}\\xC4r",
  13002. "DNS Sleep": "0",
  13003. "Method1": "GET",
  13004. "Method2": "POST",
  13005. "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
  13006. "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
  13007. "Proxy_AccessType": "2 (Use IE settings)"
  13008. }
  13009. },
  13010. "98.142.143.100": {
  13011. "x86": {
  13012. "BeaconType": "8 (HTTPS)",
  13013. "Port": "443",
  13014. "Polling": "980",
  13015. "Jitter": "0",
  13016. "Maxdns": "243",
  13017. "C2 Server": "d3kgm44zuz83i3.cloudfront.net,/access/",
  13018. "User Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
  13019. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  13020. "Header1": "",
  13021. "Header2": "",
  13022. "PipeName": "",
  13023. "DNS Idle": "\\x00\\x00\\x00\\x00",
  13024. "DNS Sleep": "0",
  13025. "Method1": "GET",
  13026. "Method2": "POST",
  13027. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  13028. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  13029. "Proxy_AccessType": "2 (Use IE settings)"
  13030. },
  13031. "x64": {
  13032. "BeaconType": "8 (HTTPS)",
  13033. "Port": "443",
  13034. "Polling": "980",
  13035. "Jitter": "0",
  13036. "Maxdns": "243",
  13037. "C2 Server": "d3kgm44zuz83i3.cloudfront.net,/access/",
  13038. "User Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
  13039. "HTTP Method Path 2": "/radio/xmlrpc/v35",
  13040. "Header1": "",
  13041. "Header2": "",
  13042. "PipeName": "",
  13043. "DNS Idle": "\\x00\\x00\\x00\\x00",
  13044. "DNS Sleep": "0",
  13045. "Method1": "GET",
  13046. "Method2": "POST",
  13047. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  13048. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  13049. "Proxy_AccessType": "2 (Use IE settings)"
  13050. }
  13051. },
  13052. "99.79.101.225": {
  13053. "x86": {
  13054. "BeaconType": "8 (HTTPS)",
  13055. "Port": "443",
  13056. "Polling": "60000",
  13057. "Jitter": "20",
  13058. "Maxdns": "235",
  13059. "C2 Server": "ajax.microsoft.com,/c/msdownload/update/1930155_",
  13060. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  13061. "HTTP Method Path 2": "/c/msdownload/update/1534335_",
  13062. "Header1": "",
  13063. "Header2": "",
  13064. "PipeName": "",
  13065. "DNS Idle": "\\x08\\x08\\x04\\x04",
  13066. "DNS Sleep": "0",
  13067. "Method1": "POST",
  13068. "Method2": "POST",
  13069. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  13070. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  13071. "Proxy_AccessType": "2 (Use IE settings)"
  13072. },
  13073. "x64": {
  13074. "BeaconType": "8 (HTTPS)",
  13075. "Port": "443",
  13076. "Polling": "60000",
  13077. "Jitter": "20",
  13078. "Maxdns": "235",
  13079. "C2 Server": "ajax.microsoft.com,/c/msdownload/update/1930155_",
  13080. "User Agent": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40",
  13081. "HTTP Method Path 2": "/c/msdownload/update/1534335_",
  13082. "Header1": "",
  13083. "Header2": "",
  13084. "PipeName": "",
  13085. "DNS Idle": "\\x08\\x08\\x04\\x04",
  13086. "DNS Sleep": "0",
  13087. "Method1": "POST",
  13088. "Method2": "POST",
  13089. "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  13090. "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  13091. "Proxy_AccessType": "2 (Use IE settings)"
  13092. }
  13093. }
  13094. }