as others have said its a virus, its probably a infostealer, it might have some sort of persistance mechanism so put your pc offline and use another one to change all of your passwords (email & banks ones first) and log out everywhere to invalidate tokens, if youve saved cards freeze them, then wipe your pc that got infected and fresh install https://www.youtube.com/watch?v=HUR4QOHEurY
this post was submitted on 02 Apr 2025
7 points (76.9% liked)
techsupport
2719 readers
21 users here now
The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.
If something works or if you find a solution to your problem let us know it will be greatly apreciated.
Rules: instance rules + stay on topic
Partnered communities:
founded 2 years ago
MODERATORS
Hackers have been figuring out a variety of nifty ways to trigger powershell commands for nefarious purposes. For whatever it's worth, I'm glad you spotted it. As the other commenter suggested, I'd recommend a full data backup and ~~reinstall Windows~~ install Linux. And change your passwords and shit.
Also, this video from ThioJoe is very relevant and revealing as to how sneaky these sort of attacks can be...
U got a virus. Anything from a crypto miner to a password/credit card stealer.
Turn off the effected computer pull put the drive plug it into a separate computer as a secondary drive. Pull the data u need off the drive and make a backup. Then wipe the old system full reset(update BIOS if ur really paranoid). Then copy over ur backed up data. Do not copy any executable file from the infected drive.
Go change ALL ur passwords that u ever saved on that computer. And watch ur bank statements like a hawk.
Don't do this - plugging in an infected drive can infect the secondary computer; you may wish to plug it into a linux or other hardened system to get the data however. The post by @silverdiamond is a better response.
I highly doubt some random malware has the capacity to reprogramme the firmware to do some rubber ducky type shit.
What is that supposed to do?
I'm not too sure. I think -w runs powershell silently?! I'm hoping someone can figure out the rest.
well thats the neat part, the url it presumably downloads and executes the first payload from has died so no unless you catch it when its live you can't easily replicate what happended on your computer anywhere else i have no clue what the powershell is doing but hiding malware in a weird file or pretending its a different file type and then executing that file isn't uncommon
This example is likely an HTA polyglot. An actual MP4 is merged with a binary, basically. The MP4 will play as normal, but the powershell is responsible for execution of the malware.
I'm on
Version 21H2
Installed on 06-12-2024
OS build 19044.5608
Experience Windows Feature Experience Pack 1000.19061.1000.0
if that's relevant