20210311_Exchange_Vuln_IOC.txt

### IPv4 Address

103.77.192.219
104.140.114.110
104.248.49.97
104.250.191.110
108.61.246.56
125.70.170.26
149.28.14.163
157.230.221.198
161.35.1.207
161.35.1.225
161.35.45.41
165.232.154.116
167.99.168.251
167.99.239.29
182.18.152.105
185.250.151.72
188.166.162.201
192.81.208.169
203.160.69.66
211.56.98.146
45.77.252.175
5.2.69.13
5.254.43.18
80.92.205.81
86.105.18.116
89.34.111.11
91.192.103.43
165.227.196.109
149.28.139.229
176.58.124.134
130.255.189.21

### Hashes (WebShell)

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944
2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a
893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2
0fd9bffa49c76ee12e51e3b8ae0609ac

### Shellcode (Cobalt Strike)

79eb217578bed4c250803bd573b10151

### File Names (WebShells)

error.aspx
Logout.aspx
OutlookJP.aspx
MultiUp.aspx
Shell.aspx
RedirSuiteServerProxy.aspx
OutlookRU.aspx
Online.aspx
Discover.aspx
OutlookEN.aspx
HttpProxy.aspx
iisstart.aspx
help.aspx
Server.aspx
Supp0rt.aspx
xx.aspx
xclkmcfldfi948398430fdjkfdkj.aspx
iispage.aspx
s.aspx
a.aspx
shell2.aspx
shell90.aspx
default1.aspx
default.aspx
one.aspx
one1.aspx
log.aspx
logg.aspx
bob.aspx
OutlookZH.aspx
w7tAhF9i1pJnRo.aspx
authhead.aspx
fatal-erro.aspx
errorPage.aspx
errorPages.aspx
aspnet_client.aspx
aspnet_iisstart.aspx
aspnet_pages.aspx
aspnet_www.aspx

### File Names (JavaScripts)

x.js
y.js