@morimolymoly
Created December 16, 2022 12:20
beacon-dump 9d2507cf867f22e1d967fcbc0f429a3dd5334ecb8561febff6813c4476c59534
SETTING_PROTOCOL = 8
SETTING_PORT = 443
SETTING_SLEEPTIME = 730
SETTING_MAXGET = 1048620
SETTING_JITTER = 0
SETTING_PUBKEY = 'd2c4ba9c2c526d3ec6772cb3d4edae802433c144128cef33109edcc1d234943c'
SETTING_DOMAINS = 'dqfkmwvib0lbb.cloudfront.net,/access/'
SETTING_DOMAIN_STRATEGY = 0
SETTING_DOMAIN_STRATEGY_SECONDS = 4294967295
SETTING_DOMAIN_STRATEGY_FAIL_X = 4294967295
SETTING_DOMAIN_STRATEGY_FAIL_SECONDS = 4294967295
SETTING_SPAWNTO = '69278f559aeaf2fe2141f82acfa710c6'
SETTING_SPAWNTO_X86 = '%windir%\\syswow64\\mstsc.exe'
SETTING_SPAWNTO_X64 = '%windir%\\sysnative\\mstsc.exe'
SETTING_CRYPTO_SCHEME = 0
SETTING_C2_VERB_GET = 'GET'
SETTING_C2_VERB_POST = 'POST'
SETTING_C2_CHUNK_POST = 0
SETTING_WATERMARK = 546921291
SETTING_WATERMARKHASH = b'6/DUHV0yCRrJbiVTrYyJKw=='
SETTING_CLEANUP = 0
SETTING_CFG_CAUTION = 0
SETTING_MAX_RETRY_STRATEGY_ATTEMPTS = 0
SETTING_MAX_RETRY_STRATEGY_INCREASE = 0
SETTING_MAX_RETRY_STRATEGY_DURATION = 0
SETTING_USERAGENT = 'Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko'
SETTING_SUBMITURI = '/radio/xmlrpc/v35'
SETTING_C2_RECOVER = [('print', True), ('prepend', 16), ('prepend', 16), ('prepend', 12)]
SETTING_C2_REQUEST = [('_HEADER', b'Accept: */*'), ('_HEADER', b'GetContentFeatures.DLNA.ORG: 1'), ('_HOSTHEADER', b'Host: dqfkmwvib0lbb.cloudfront.net'), ('_HEADER', b'Cookie: __utma=103813185.5771781954.4194342480.4565361437.4426752015.6;'), ('_PARAMETER', b'version=4'), ('_PARAMETER', b'lid=1835188750'), ('BUILD', 'metadata'), ('NETBIOS', True), ('PARAMETER', b'token')]
SETTING_C2_POSTREQ = [('_HEADER', b'Accept: */*'), ('_HEADER', b'Content-Type: text/xml'), ('_HEADER', b'X-Requested-With: XMLHttpRequest'), ('_HOSTHEADER', b'Host: dqfkmwvib0lbb.cloudfront.net'), ('BUILD', 'id'), ('PARAMETER', b'rid'), ('_PARAMETER', b'lid=2624593113'), ('_PARAMETER', b'method=getSearchRecommendations'), ('BUILD', 'output'), ('BASE64', True), ('PRINT', True)]
SETTING_HOST_HEADER = ''
SETTING_HTTP_NO_COOKIES = 1
SETTING_PROXY_BEHAVIOR = 2
SETTING_TCP_FRAME_HEADER = b''
SETTING_SMB_FRAME_HEADER = b''
SETTING_EXIT_FUNK = 0
SETTING_KILLDATE = 0
SETTING_GARGLE_NOOK = 0
SETTING_PROCINJ_PERMS_I = 64
SETTING_PROCINJ_PERMS = 64
SETTING_PROCINJ_MINALLOC = 0
SETTING_PROCINJ_TRANSFORM_X86 = [('append', b''), ('prepend', b'')]
SETTING_PROCINJ_TRANSFORM_X64 = [('append', b''), ('prepend', b'')]
SETTING_PROCINJ_STUB = '41e6db3cfcfa84be7cac6e42f21a22a8'
SETTING_PROCINJ_EXECUTE = ['CreateThread', 'SetThreadContext', 'CreateRemoteThread', 'RtlCreateUserThread']
SETTING_PROCINJ_ALLOCATOR = 0
SETTING_PROCINJ_ALLOWED = 1
SETTING_KILLDATE_YEAR = 0
SETTING_MASKED_WATERMARK = '225fc035fcfa84a62f993b30aa7c61df73be934ac9acc18b3fd53b37877d1f95'