I received a call from a user who was having issues with their PC running slowly. After checking the processes, I noticed PowerShell was using a huge amount of RAM. Curious, I inspected the command and found it was executing a script called `AzureRemove-PrinterPort.ps1` from the user's AppData folder. We don't use Azure at all, and I couldn't find any information on this script online. After running a virus scan which came back clean, I suspect some legitimate application might be leaving these scripts behind. Has anyone else encountered this before?
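Added triage example, not code from the original post. It covers what the post describes doing by hand (checking the PowerShell process and its command line, finding the script in AppData) and the two follow-ups a responder wants next: a hash and signature for every script under any user's AppData with a rough obfuscation score, and the Run keys, scheduled tasks and WMI subscriptions that could be launching it. It assumes Windows PowerShell 5.1 or later in an elevated session, is read-only, and never runs the suspect file. The indicator regexes are a constructed triage heuristic, not a detection standard.

```powershell
# Added example, not the original poster's code. Read-only triage run from an
# elevated session on the affected host (assumption: Windows PowerShell 5.1+).

# --- 1. Every PowerShell process: parent, memory, full command line ---------
$psProcs = Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'"
$procReport = foreach ($p in $psProcs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $parentName = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
    [pscustomobject]@{
        PID          = $p.ProcessId
        Parent       = $parentName            # explorer.exe vs. a task or a document handler tells a lot
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Started      = $p.CreationDate
        CommandLine  = $p.CommandLine         # full arguments, including -File / -EncodedCommand
    }
}
$procReport | Format-List

# --- 2. Scripts under every profile's AppData: hash, signature, indicators ---
# Constructed heuristic: patterns that deployment scripts rarely need together.
# A hit is a reason to read the file, not a verdict.
$indicators = @(
    'Invoke-Expression', '\biex\b', '-EncodedCommand', '-e(nc)?\s+[A-Za-z0-9+/=]{30,}',
    'FromBase64String', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-WebRequest', '\biwr\b', 'Start-BitsTransfer', '\[char\]\s*\d+', '-join',
    'Add-Type', 'VirtualAlloc', '-w(indowStyle)?\s+hidden', '-ep\s+bypass',
    '&\s*\$\w+', '(^|;|\s)\.\s+\$\w+'   # "& $var" / ". $var": running whatever a variable holds
)
$regex = [regex]::new(($indicators -join '|'), 'IgnoreCase')
$appDataRoots = Get-ChildItem 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData' } | Where-Object { Test-Path $_ }

$fileReport = Get-ChildItem -Path $appDataRoots -Recurse -Force -File `
        -Include *.ps1, *.psm1, *.vbs, *.js, *.bat, *.cmd -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { $text = '' }
        $hits = $regex.Matches($text) | ForEach-Object { $_.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Path       = $_.FullName
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
            Modified   = $_.LastWriteTime
            Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            Indicators = ($hits -join ', ')
        }
    }
$fileReport | Sort-Object { $_.Indicators.Length } -Descending |
    Format-Table Path, SizeKB, Modified, Signature, Indicators -AutoSize

# --- 3. What launches it? Run keys, scheduled tasks, WMI event consumers ----
# HKCU here is the account running the triage; check the affected user's hive too.
$launchRegex = [regex]::new('AppData|\.ps1\b|\.vbs\b|\.js\b', 'IgnoreCase')
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$persistence = @()
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }            # provider metadata, not a value
        if ($launchRegex.IsMatch([string]$prop.Value)) {
            $persistence += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($launchRegex.IsMatch($cmd)) {
            $persistence += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.Author; Command = $cmd }
        }
    }
}
foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    if ($launchRegex.IsMatch([string]$c.CommandLineTemplate)) {
        $persistence += [pscustomobject]@{ Source = 'WMI consumer'; Name = $c.Name; Command = $c.CommandLineTemplate }
    }
}
$persistence | Format-Table -AutoSize
```

Copy the suspect script to evidence storage together with its SHA256 before anyone cleans the machine, and check that hash against your endpoint vendor rather than trusting a clean on-demand scan alone. The launch source matters more than the script itself: a scheduled task or Run value created within minutes of the file's Modified time is the thread to pull.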
5 Answers
Just a heads up about formatting; if you’re copying code, try pasting it with indentation to make it look better! It helps everyone read it easily.
That script seems really suspicious. It's executing whatever's in `'$ixwbfsckol'`, and I don't think a legitimate program would leave scripts like this behind. It might be safer to wipe the machine and start fresh—make sure to reset passwords, check emails, and MFA settings since you could have larger issues on your hands here. Is this machine part of a corporate environment?
These appdata folders are tricky to manage because legitimate programs often run there, including Microsoft processes. It's not uncommon for malicious scripts to hide in those locations since they usually fly under the radar. Have you considered stricter policies on running files from user directories?
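One way to try the stricter policy the comment above suggests, as an added example rather than the commenter's own configuration: an AppLocker Script rule collection in audit mode that keeps the default allows (Program Files, Windows, local administrators) and adds a deny for anything under any user's AppData. The rule names, the temp file path and the `$suspect` placeholder are assumptions; the policy XML shape, cmdlets and event IDs are AppLocker's own. It needs an elevated session, an edition where AppLocker is supported, and the Application Identity service (AppIDSvc) running.

```powershell
# Added example, not from the original thread. Audit-mode AppLocker policy:
# default allow rules plus a deny for scripts under %OSDRIVE%\Users\*\AppData\*.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny scripts under user AppData" Description="Audit first, then set EnforcementMode=Enabled" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'script-appdata-audit.xml'   # assumed location
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what decision would this policy give for the file you actually found?
# Placeholder path; substitute the real one from your triage.
$suspect = 'C:\Users\<user>\AppData\<subfolder>\AzureRemove-PrinterPort.ps1'
if (Test-Path -LiteralPath $suspect) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $suspect -User Everyone
}

# Merge into the local policy and confirm the Script collection landed.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Local -Xml | Select-String 'RuleCollection Type="Script"'

# Audit-mode events: 8006 = would have been blocked, 8007 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8006, 8007 } |
    Select-Object TimeCreated, Id, Message
```

Leave it in audit mode long enough to see which legitimate installers and agents drop scripts into AppData before flipping `EnforcementMode` to `Enabled`; a deny wins over any allow, and an empty Script collection in enforce mode blocks everything, which is why the default allows are included. Script rules only see files the host loads from disk, so `-EncodedCommand` or `Invoke-Expression` of text pulled into a variable never produces a block event; pair the policy with PowerShell script block logging so that in-memory stage is still recorded.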
This looks like a malicious script for sure. You should definitely follow your incident response plan and inform your cybersecurity insurance provider. Also, don't forget to decrypt the payload from the log file mentioned!
Definitely something to investigate! What's inside that log file? The contents could give us more clues.
Ugh, how did I not think to check that? On it!
Check the main post for the updated info; it looks really concerning.