

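#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Host-based IOC scan for the "awstore" malware described in this write-up.

.DESCRIPTION
    Runs 12 read-only checks (install directory, scheduled-task persistence,
    process names, Claude settings.json, ScriptBlockLogging policy, TUN
    adapter, route hijack, SOCKS5 connection, wintun.dll, environment
    variables, PSReadLine history, RealTime-priority processes) and prints one
    verdict line per check. A positive check sets $infected and appends a
    line to $findings, which are listed in the summary for triage.

    The script never calls `exit`, so it is safe to paste into an interactive
    console (an `exit` would close the session). Nothing on the host is
    modified. All indicator values (paths, task names, process names, the
    proxy IP) are the ones given in the write-up.

    NOTE: save this file as UTF-8 with BOM; Windows PowerShell 5.1 otherwise
    reads it as ANSI and mangles the non-ASCII characters in the output.

.OUTPUTS
    Console text only. Results are left in $infected (bool) and
    $findings (string[]) for the caller.
#>
Write-Host "`n=== AWSTORE MALWARE IOC SCAN ===" -ForegroundColor Cyan
$infected = $false
$findings = @()

#######################################
# Prints a check label and its verdict.
# A hit is printed in red, a clean result in green. Unless -Advisory is given,
# a hit also sets $infected and records the line in $findings. The $script:
# scope is used so this behaves the same whether the file is executed or the
# text is pasted into a console (where script scope == global scope).
#   -Label     text printed before the verdict, e.g. "[1/12] ..."
#   -Hit       $true when the indicator was found
#   -HitText   verdict printed on a hit (default " INFECTED!")
#   -CleanText verdict printed when not hit (default " Clean")
#   -Advisory  report only; do not count this check as an infection
#######################################
function Write-CheckResult {
    param(
        [Parameter(Mandatory)][string]$Label,
        [bool]$Hit = $false,
        [string]$HitText = ' INFECTED!',
        [string]$CleanText = ' Clean',
        [switch]$Advisory
    )
    Write-Host $Label -NoNewline
    if ($Hit) {
        Write-Host $HitText -ForegroundColor Red
        if (-not $Advisory) {
            $script:infected = $true
            $script:findings += "$Label$HitText"
        }
    } else {
        Write-Host $CleanText -ForegroundColor Green
    }
}

# 1. Install directory
$sngDir = "$env:LOCALAPPDATA\Microsoft\SngCache"
Write-CheckResult -Label '[1/12] SngCache install dir...' `
    -Hit ([bool](Test-Path $sngDir)) -HitText " INFECTED! ($sngDir)"

# 2. Scheduled Tasks (persistence)
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Maintenance\' -EA SilentlyContinue |
    Where-Object { $_.TaskName -in @('StartupOptimizer', 'CodeAssist') }
Write-CheckResult -Label '[2/12] Scheduled Tasks...' `
    -Hit ([bool]$tasks) -HitText " INFECTED: $($tasks.TaskName -join ', ')"

# 3. Malicious processes
# 'proxy' is a generic name, so the PID and executable path are printed to let
# the analyst rule out an unrelated binary that happens to share the name.
# Path is unavailable for some protected/system processes.
$procs = Get-Process -Name claude-code, awproxy, proxy, tun2socks -EA SilentlyContinue
$procDesc = foreach ($p in $procs) {
    $where = if ($p.Path) { $p.Path } else { 'path unavailable' }
    '{0} [PID {1}, {2}]' -f $p.ProcessName, $p.Id, $where
}
Write-CheckResult -Label '[3/12] Malware processes...' `
    -Hit ([bool]$procs) -HitText " RUNNING: $($procDesc -join ', ')"

# 4. Claude settings.json (tampered config)
$cfg = "$env:USERPROFILE\.claude\settings.json"
$cfgHit = (Test-Path $cfg) -and (Select-String -Path $cfg -Pattern 'awstore' -Quiet)
Write-CheckResult -Label '[4/12] Claude settings.json...' `
    -Hit ([bool]$cfgHit) -HitText ' COMPROMISED (awstore in config)'

# 5. ScriptBlock Logging (the malware disables it)
# Only an explicit 0 is flagged; an absent policy key is left as "OK" because
# it is the default state and says nothing about tampering.
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -EA SilentlyContinue
$sblDisabled = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 0)
Write-CheckResult -Label '[5/12] ScriptBlock Logging...' `
    -Hit $sblDisabled -HitText ' DISABLED by malware!' -CleanText ' OK'

# 6. TUN adapter (tun2socks proxy)
# NOTE(review): a WinTun adapter is also created by legitimate VPN clients;
# treat a hit here as corroborating evidence, confirm with checks 7-9.
$tun = Get-NetAdapter | Where-Object { $_.Name -eq 'tun0' -or $_.InterfaceDescription -like '*WinTun*' }
Write-CheckResult -Label '[6/12] TUN adapter (tun0)...' `
    -Hit ([bool]$tun) -HitText " FOUND (proxy active!): $($tun.Name -join ', ')"

# 7. Route hijack (0.0.0.0/1 + 128.0.0.0/1)
# Both halves of the address space are queried; the original check looked at
# 0.0.0.0/1 only, so a partial or half-removed hijack was missed.
$hijackPrefixes = @('0.0.0.0/1', '128.0.0.0/1')
$rh = Get-NetRoute -DestinationPrefix $hijackPrefixes -EA SilentlyContinue
$rhList = ($rh.DestinationPrefix | Select-Object -Unique) -join ', '
Write-CheckResult -Label '[7/12] Route hijack...' `
    -Hit ([bool]$rh) -HitText " HIJACKED: $rhList"

# 8. Active connection to the SOCKS5 proxy
# The owning PIDs are printed so the connection can be tied to a process.
$sx = Get-NetTCPConnection -EA SilentlyContinue | Where-Object { $_.RemoteAddress -eq '2.27.43.246' }
$sxPids = ($sx.OwningProcess | Select-Object -Unique) -join ', '
Write-CheckResult -Label '[8/12] SOCKS5 connection 2.27.43.246...' `
    -Hit ([bool]$sx) -HitText " ACTIVE CONNECTION! (PID $sxPids)"

# 9. wintun.dll in System32
# NOTE(review): same caveat as check 6 - the driver DLL may also be present
# because of a legitimate VPN install.
Write-CheckResult -Label '[9/12] wintun.dll in System32...' `
    -Hit ([bool](Test-Path "$env:SystemRoot\System32\wintun.dll")) -HitText ' FOUND (installed by malware)'

# 10. Environment variables (User and Machine scope) mentioning awstore
$envHits = foreach ($scope in @('User', 'Machine')) {
    [Environment]::GetEnvironmentVariables($scope).GetEnumerator() |
        Where-Object { $_.Value -match 'awstore' } |
        ForEach-Object { "$scope`: $($_.Key)=$($_.Value)" }
}
Write-CheckResult -Label '[10/12] Environment variables...' `
    -Hit ([bool]$envHits) -HitText " $($envHits -join "`n ")"

# 11. PSReadLine history (the malware deletes it)
# Advisory only: a missing file is suspicious but not proof on its own.
# If PSReadLine is not loaded in this session (ISE, non-interactive host)
# Get-PSReadLineOption returns nothing; fall back to the module's documented
# default location on Windows instead of reporting a false "MISSING".
$hPath = (Get-PSReadLineOption -EA SilentlyContinue).HistorySavePath
if (-not $hPath) {
    $hPath = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
}
$hExists = [bool](Test-Path $hPath)
$hSize = if ($hExists) { (Get-Item $hPath).Length } else { 0 }
Write-CheckResult -Label '[11/12] PSReadLine history...' `
    -Hit (-not $hExists) -HitText ' MISSING (may have been wiped!)' `
    -CleanText " Exists ($hSize bytes)" -Advisory

# 12. RealTime priority processes (the malware sets RealTime)
# PriorityClass throws on processes we cannot open; those are skipped.
$rt = Get-Process -EA SilentlyContinue | Where-Object {
    try { $_.PriorityClass -eq 'RealTime' } catch { $false }
}
$rtDesc = foreach ($p in $rt) { '{0} [PID {1}]' -f $p.ProcessName, $p.Id }
Write-CheckResult -Label '[12/12] RealTime priority processes...' `
    -Hit ([bool]$rt) -HitText " FOUND: $($rtDesc -join ', ')"

# Summary: repeat every positive check so the analyst has the list in one place.
Write-Host ""
if ($infected) {
    Write-Host "  !!! INFECTION DETECTED — proceed to Cleanup !!!" -ForegroundColor Red
    Write-Host "  Findings:" -ForegroundColor Red
    foreach ($f in $findings) { Write-Host "   - $f" -ForegroundColor Red }
} else {
    Write-Host "  System appears CLEAN." -ForegroundColor Green
}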