101.126.11.79 — x64 — port 443
hash ae1d61acc382517d4428c054fa05e6a7abf35f7b331f7732e492e2d6303cd642
first 2025-12-17 16:10:15 CET / last 2025-12-17 16:10:15 CET
| Path | Value |
|---|---|
| version | Cobalt Strike 4.8 (Feb 28, 2023) |
| watermark | 987654321 |
| trial | False |
| protocol | https |
| settings.SETTING_PROTOCOL | 8 |
| settings.SETTING_PORT | 443 |
| settings.SETTING_SLEEPTIME | 50000 |
| settings.SETTING_MAXGET | 1398521 |
| settings.SETTING_JITTER | 30 |
| settings.SETTING_PUBKEY | d38ae367efa30b262bfbff96e52f677ed9e625f09ea3fc77c5dffd5aa8085663 |
| settings.SETTING_DOMAINS | 101.126.11.79,/gtag/js |
| settings.SETTING_DOMAIN_STRATEGY | 0 |
| settings.SETTING_DOMAIN_STRATEGY_SECONDS | 4294967295 |
| settings.SETTING_DOMAIN_STRATEGY_FAIL_X | 4294967295 |
| settings.SETTING_DOMAIN_STRATEGY_FAIL_SECONDS | 4294967295 |
| settings.SETTING_SPAWNTO | 00000000000000000000000000000000 |
| settings.SETTING_SPAWNTO_X86 | %windir%\syswow64\svchost.exe |
| settings.SETTING_SPAWNTO_X64 | %windir%\sysnative\svchost.exe |
| settings.SETTING_CRYPTO_SCHEME | 0 |
| settings.SETTING_C2_VERB_GET | GET |
| settings.SETTING_C2_VERB_POST | POST |
| settings.SETTING_C2_CHUNK_POST | 0 |
| settings.SETTING_WATERMARK | 987654321 |
| settings.SETTING_WATERMARKHASH | NtZOV6JzDr9QkEnX6bobPg== |
| settings.SETTING_CLEANUP | 1 |
| settings.SETTING_CFG_CAUTION | 0 |
| settings.SETTING_MAX_RETRY_STRATEGY_ATTEMPTS | 0 |
| settings.SETTING_MAX_RETRY_STRATEGY_INCREASE | 0 |
| settings.SETTING_MAX_RETRY_STRATEGY_DURATION | 0 |
| settings.SETTING_USERAGENT | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 |
| settings.SETTING_SUBMITURI | /firebase/log |
| settings.SETTING_C2_RECOVER[0][0] | |
| settings.SETTING_C2_RECOVER[0][1] | True |
| settings.SETTING_C2_RECOVER[1][0] | append |
| settings.SETTING_C2_RECOVER[1][1] | 5 |
| settings.SETTING_C2_RECOVER[2][0] | append |
| settings.SETTING_C2_RECOVER[2][1] | 6 |
| settings.SETTING_C2_RECOVER[3][0] | append |
| settings.SETTING_C2_RECOVER[3][1] | 58 |
| settings.SETTING_C2_RECOVER[4][0] | append |
| settings.SETTING_C2_RECOVER[4][1] | 70 |
| settings.SETTING_C2_RECOVER[5][0] | append |
| settings.SETTING_C2_RECOVER[5][1] | 4 |
| settings.SETTING_C2_RECOVER[6][0] | prepend |
| settings.SETTING_C2_RECOVER[6][1] | 62 |
| settings.SETTING_C2_RECOVER[7][0] | prepend |
| settings.SETTING_C2_RECOVER[7][1] | 80 |
| settings.SETTING_C2_RECOVER[8][0] | prepend |
| settings.SETTING_C2_RECOVER[8][1] | 26 |
| settings.SETTING_C2_RECOVER[9][0] | prepend |
| settings.SETTING_C2_RECOVER[9][1] | 51 |
| settings.SETTING_C2_RECOVER[10][0] | prepend |
| settings.SETTING_C2_RECOVER[10][1] | 57 |
| settings.SETTING_C2_RECOVER[11][0] | base64url |
| settings.SETTING_C2_RECOVER[11][1] | True |
| settings.SETTING_C2_REQUEST[0][0] | _HEADER |
| settings.SETTING_C2_REQUEST[0][1] | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 |
| settings.SETTING_C2_REQUEST[1][0] | _HEADER |
| settings.SETTING_C2_REQUEST[1][1] | Accept: */* |
| settings.SETTING_C2_REQUEST[2][0] | _HEADER |
| settings.SETTING_C2_REQUEST[2][1] | Accept-Language: en-US,en;q=0.9 |
| settings.SETTING_C2_REQUEST[3][0] | _HEADER |
| settings.SETTING_C2_REQUEST[3][1] | Accept-Encoding: gzip, deflate, br |
| settings.SETTING_C2_REQUEST[4][0] | _HEADER |
| settings.SETTING_C2_REQUEST[4][1] | Connection: keep-alive |
| settings.SETTING_C2_REQUEST[5][0] | _HEADER |
| settings.SETTING_C2_REQUEST[5][1] | Origin: https://www.google.com |
| settings.SETTING_C2_REQUEST[6][0] | _HEADER |
| settings.SETTING_C2_REQUEST[6][1] | Referer: https://www.google.com/ |
| settings.SETTING_C2_REQUEST[7][0] | _HEADER |
| settings.SETTING_C2_REQUEST[7][1] | Sec-Fetch-Dest: script |
| settings.SETTING_C2_REQUEST[8][0] | _HEADER |
| settings.SETTING_C2_REQUEST[8][1] | Sec-Fetch-Mode: no-cors |
| settings.SETTING_C2_REQUEST[9][0] | _HEADER |
| settings.SETTING_C2_REQUEST[9][1] | Sec-Fetch-Site: cross-site |
| settings.SETTING_C2_REQUEST[10][0] | BUILD |
| settings.SETTING_C2_REQUEST[10][1] | metadata |
| settings.SETTING_C2_REQUEST[11][0] | BASE64URL |
| settings.SETTING_C2_REQUEST[11][1] | True |
| settings.SETTING_C2_REQUEST[12][0] | APPEND |
| settings.SETTING_C2_REQUEST[12][1] | &_ga=GA1.1.1234567890.1234567890 |
| settings.SETTING_C2_REQUEST[13][0] | APPEND |
| settings.SETTING_C2_REQUEST[13][1] | &_gid=GA1.1.987654 |
{
"protocol": "https",
"settings": {
"SETTING_C2_CHUNK_POST": 0,
"SETTING_C2_RECOVER": [
[
"print",
true
],
[
"append",
5
],
[
"append",
6
],
[
"append",
58
],
[
"append",
70
],
[
"append",
4
],
[
"prepend",
62
],
[
"prepend",
80
],
[
"prepend",
26
],
[
"prepend",
51
],
[
"prepend",
57
],
[
"base64url",
true
]
],
"SETTING_C2_REQUEST": [
[
"_HEADER",
"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
],
[
"_HEADER",
"Accept: */*"
],
[
"_HEADER",
"Accept-Language: en-US,en;q=0.9"
],
[
"_HEADER",
"Accept-Encoding: gzip, deflate, br"
],
[
"_HEADER",
"Connection: keep-alive"
],
[
"_HEADER",
"Origin: https://www.google.com"
],
[
"_HEADER",
"Referer: https://www.google.com/"
],
[
"_HEADER",
"Sec-Fetch-Dest: script"
],
[
"_HEADER",
"Sec-Fetch-Mode: no-cors"
],
[
"_HEADER",
"Sec-Fetch-Site: cross-site"
],
[
"BUILD",
"metadata"
],
[
"BASE64URL",
true
],
[
"APPEND",
"&_ga=GA1.1.1234567890.1234567890"
],
[
"APPEND",
"&_gid=GA1.1.987654"
]
],
"SETTING_C2_VERB_GET": "GET",
"SETTING_C2_VERB_POST": "POST",
"SETTING_CFG_CAUTION": 0,
"SETTING_CLEANUP": 1,
"SETTING_CRYPTO_SCHEME": 0,
"SETTING_DOMAINS": "101.126.11.79,/gtag/js",
"SETTING_DOMAIN_STRATEGY": 0,
"SETTING_DOMAIN_STRATEGY_FAIL_SECONDS": 4294967295,
"SETTING_DOMAIN_STRATEGY_FAIL_X": 4294967295,
"SETTING_DOMAIN_STRATEGY_SECONDS": 4294967295,
"SETTING_JITTER": 30,
"SETTING_MAXGET": 1398521,
"SETTING_MAX_RETRY_STRATEGY_ATTEMPTS": 0,
"SETTING_MAX_RETRY_STRATEGY_DURATION": 0,
"SETTING_MAX_RETRY_STRATEGY_INCREASE": 0,
"SETTING_PORT": 443,
"SETTING_PROTOCOL": 8,
"SETTING_PUBKEY": "d38ae367efa30b262bfbff96e52f677ed9e625f09ea3fc77c5dffd5aa8085663",
"SETTING_SLEEPTIME": 50000,
"SETTING_SPAWNTO": "00000000000000000000000000000000",
"SETTING_SPAWNTO_X64": "%windir%\\sysnative\\svchost.exe",
"SETTING_SPAWNTO_X86": "%windir%\\syswow64\\svchost.exe",
"SETTING_SUBMITURI": "/firebase/log",
"SETTING_USERAGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"SETTING_WATERMARK": 987654321,
"SETTING_WATERMARKHASH": "NtZOV6JzDr9QkEnX6bobPg=="
},
"trial": false,
"version": "Cobalt Strike 4.8 (Feb 28, 2023)",
"watermark": 987654321
}