CAB

  1. Hi Marcos,

     Please see attached for requested logs: efsw_logs.zip
  2. I seem to be having the same issue as Marco2526 in this topic from last year: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/

     I have a server that has a mysterious PowerShell process that reopens on a continuous basis. It seems to be generating malicious files that ESET File Security is thankfully cleaning. The PowerShell script generates files infected with Coinminer.cz and other trojans.

     I believe the script is using WMI for persistence, as described by JamesR in the previous topic. I've run the WMILister_20.vbs script JamesR suggested in the previous topic. The results of the script are attached to this post. However, when I run the recommended PowerShell commands, they seem to have no effect in removing the issue.

     Do I need to modify the PowerShell scripts for this specific variant of WMI persistence? Please advise.

     Thanks,

     DumpedScrpts.txt