# PowerShell running in the background and using up a high amount of memory
29 messages · Page 1 of 1 (latest)
I might have found the task in the task scheduler.
In all active running tasks.
So after running for like 30min at 3gb memory it dialed down now.
Looks potentially malicious what does the task do?
Google says it translates to "Not available". Can't tell which column that is, requires more info
On my tasks, I have some values named unavoidable and disabled
@warped vapor as a test, see if this works right
powershell -nop
You could check your profile, looking for anything strange
code $PROFILE
code $PROFILE.CurrentUserAllHosts
If you have SysInternals, there's process explorer
and even procmon if you need to catch it in action
The time I had pwsh jump up to 4 GB in a few seconds was when I used `ConvertTo-Json` without limit on `Get-Process`
Used autorun and found the task, and also the ps1 file running it
That's the ps1 file and it's contents
The folder itself was created on 20.12.2022
I think it might be safe to say to disable this task and delete the ps1 file
Looks like bad news
definitely
appears to be using the registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\dotnet
What would you recommend
I deleted the ps1 file and disabled the task under all active tasks on task scheduler.
If it's malware, and honestly I don't see any legitimate reason for that script and in that location then it can have done a bunch of stuff to stay resident on the system
It's building a script block, getting something from the registry and executes code
it's definitely obfuscated on purpose, whatever it does.
Trigger for the task was the login of a user.
Deleted now the task completely.
And also did a complete reboot, to see whether another task pops up or if the PowerShell gets executed on its own again.
In the registry, do you see anything at `HKEY_LOCAL_MACHINE\SOFTWARE\dotnet`?
the first part checks this address
gp ('HKLM:\SOFTWARE\dotnetFLHyledR6')
property name might be 0b13tRNFAUL, can't tell with the font
Yeah found it
DotnetFLHyledR6
In the registry, going to delete it
Do not delete dotnet, it is fireworks for Windows
Not dotnet, I deleted DotnetFLHyledR6, the newly created one from the malicious PowerShell script
you need to work out when that was created and if it is on other machines in your org too and sharpish