No src? Instant red flag. After checking I found that:
DON'T USE THE COMPILED VERSION. IF YOU REALLY NEED A TOOL THAT DOES THIS, USE THE OPEN SOURCE VERSION THEY MADE ON THEIR PROFILE.
-
it checks for a debug env, so a VM, and aborts if it has found one. (I think it does because it allocates memory with a read/write watch.)
-
Didn't check for debugger checks yet, but I suppose it prevents usage because I couldn't use one easily.
-
fake/invalid/revoked signature.
-
the WORST obfuscation I've EVER seen
-
logs pc info
(I saw these keys being checked with tria.ge)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
C:\Users\user\Desktop\EnableUAC.exe VolumeInformation
C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
C:\ VolumeInformation
-
lists running processes, and I assume it sends all of the gathered info to a webhook, Telegram bot, Discord user ID, or API endpoint
-
contains an overlay at offset 0x0000e000 with a size of 1384 bytes, which I do not understand, but I'm not finished reversing yet.
-
creates files inside "C:\Users\username123\Documents\20250825"
-
all packed and horrid obfuscation
-
read from the memory of process handle 0x00000464
-
and runs PowerShell
api: System.Management.Automation.PowerShell::Create
api: System.Management.Automation.PowerShell::AddScript
(and more)
-
detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution
-
detects loading of essential DLLs used by PowerShell by non-PowerShell process. detects behavior similar to meterpreter's "load powershell" extension.
traffic:
TCP 23.46.228.36:443 (res.public.onecdn.static.microsoft)
TCP 23.196.145.221:80
TCP 20.69.140.28:443
Memory Pattern Domains
github.com
schemas.xmlsoap.org
Memory Pattern Urls
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com
https://github.com/pxradiso
Files written
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_4hqxbp15.g22.ps1
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_zzparsdi.m4l.psm1
C:\Users\user\AppData\Roaming
C:\Users\user\Documents\20250825
C:\Users\user\Documents\20250825\PowerShell_transcript.813848.yY7VyYDb.20250825074500.txt
\Device\ConDrv
\Device\ConDrv\Connect
Files deleted
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_4hqxbp15.g22.ps1
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_zzparsdi.m4l.psm1
Files dropped
__PSScriptPolicyTest_fvd3u3fb.021.psm1
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\Crashpad
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\Crashpad\attachments
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\Crashpad\metadata
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\Crashpad\reports
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\uninstall.cmd
C:\Program Files (x86)\Google\GoogleUpdater\141.0.7340.0\updater.exe
C:\Program Files\Google2824_325311936
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_4hqxbp15.g22.ps1
C:\Users\user\AppData\Local\Temp__PSScriptPolicyTest_zzparsdi.m4l.psm1
C:\Users\user\Documents\20250825\PowerShell_transcript.813848.yY7VyYDb.20250825074500.txt
\Device\ConDrv
reg keys set
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
Processes created
"C:\Users<USER>\Desktop\EnableUAC.exe"
%SAMPLEPATH%\EnableUAC.exe
C:\Program Files\Google844_531656701\bin\updater.exe
C:\Windows\System32\UI0Detect.exe
"C:\Users\user\Desktop\EnableUAC.exe"
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Processes injected
C:\Program Files\Google844_531656701\bin\updater.exe
Processes terminated
%CONHOST% "-667144396-338371868290486001-575459348-176023821621077951121006611801264715659
%SAMPLEPATH%
%windir%\System32\svchost.exe -k WerSvcGroup
%windir%\system32\WerFault.exe -u -p 2516 -s 524
wmiadap.exe /F /T /R
C:\Program Files\Google844_531656701\bin\updater.exe
C:\Windows\System32\UI0Detect.exe
EnableUAC.exe
my pleasure.