I got this malicious application that was blocked last night with some command lines:
Feature:Advanced Threat Defense
Application path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line parameters: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy
Restricted -Command
$isBroken = 0
# Define the root registry path
$ShellRegRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell' $bagMRURoot = $ShellRegRoot + '\BagMRU'
$bagRoot = $ShellRegRoot + '\Bags'
# Define the target GUID tail for MSGraphHome
$HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'
$properties = Get-ItemProperty -Path $bagMRURoot
foreach ($property in $properties.PSObject.Properties) {
if ($property.TypeNameOfValue -eq 'System.Byte[]') {
$hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''
if ($hexString -eq $HomeFolderGuid) {
$subkey = $property.Name
$nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\' + $subkey) -Name 'NodeSlot' $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\' + $nodeSlot + '\Shell\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }
break
}
}
}
Write-Host 'Final result:',$isBroken
Detection ID: SuspiciousBehavior.C8A623D804BE6628
I already started to search what this is, but could not find anything. I can see that other people got something about stealing coins, but this is clearly different.
After the detection I ran the AdwCleaner and as I am writing this, I am running Malwarebyte with the option to search for Rootkits.
I usually have problems with Firefox browser, so last night I deleted all cookies, but not temporal files.
I am using win11.
