08160acf08fccecde7b34090db18b321
Hash
- MD5: 08160acf08fccecde7b34090db18b321
- SHA1: df226a702fee389e2186daa405069a3975a44ae7
- SHA256: 23420100260cc80055fbf02f4464212278c0e71a4387537771f3fb50f2f891e5
- First Seen: 2026-05-14
- Last Seen: 2026-05-14
-
2
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "23420100260cc80055fbf02f4464212278c0e71a4387537771f3fb50f2f891e5",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/23420100260cc80055fbf02f4464212278c0e71a4387537771f3fb50f2f891e5"
},
"attributes": {
"names": [
"ke2i3tp.crqn",
"zgsix.exe",
"1.bin",
"kE2I3TP.crqn"
],
"type_tag": "pedll",
"tlsh": "T1CE86128169C9D7BCC0C94B38354150A974E2A9DD88FCDB49AAC7CC337BA1E5D046E7A3",
"trid": [
{
"file_type": "Win64 Executable (generic)",
"probability": 33.1
},
{
"file_type": "Win16 NE executable (generic)",
"probability": 25.6
},
{
"file_type": "Windows Icons Library (generic)",
"probability": 10.4
},
{
"file_type": "OS/2 Executable (generic)",
"probability": 10.3
},
{
"file_type": "Generic Win/DOS Executable",
"probability": 10.1
}
],
"md5": "08160acf08fccecde7b34090db18b321",
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"TROJAN",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 80
},
"C2AE": {
"category": "undetected",
"malware_classification": [
"UNKNOWN_VERDICT"
],
"sandbox_name": "C2AE"
}
},
"popular_threat_classification": {
"popular_threat_name": [
{
"value": "bobik",
"count": 9
},
{
"value": "vmprotect",
"count": 9
},
{
"value": "dqaf",
"count": 2
}
],
"popular_threat_category": [
{
"value": "trojan",
"count": 23
},
{
"value": "pua",
"count": 3
},
{
"value": "spyware",
"count": 1
}
],
"suggested_threat_label": "trojan.bobik/vmprotect"
},
"last_analysis_date": 1779895067,
"sha256": "23420100260cc80055fbf02f4464212278c0e71a4387537771f3fb50f2f891e5",
"ssdeep": "196608:o79KQkgfgW7klAH90GBuvuzns+qf1XMZ/Zoz:o79Vkgonzwum7cEZ",
"detectiteasy": {
"filetype": "PE64",
"values": [
{
"info": "DS",
"version": "new 14 jmp 22",
"type": "Protector",
"name": "VMProtect"
}
]
},
"times_submitted": 1,
"authentihash": "da034f74340c4ba2fd903ccd7ee64c6be9dc49a7152953dc50838c0d082d731a",
"last_submission_date": 1765772436,
"total_votes": {
"harmless": 0,
"malicious": 1
},
"type_tags": [
"executable",
"windows",
"win32",
"pe",
"pedll"
],
"vhash": "1860a6050d0505060d177098z63nz1ez1",
"type_extension": "dll",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260527",
"category": "malicious",
"result": "W32.Malware.7E215609"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Win32.Bobik.l!c"
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Gen:Variant.Packed.VMProtect.1"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260527",
"category": "malicious",
"result": "BehavesLike.Win64.Rootkit.rc"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260527",
"category": "malicious",
"result": "Backdoor.Agent.status"
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "malicious",
"result": "Unsafe"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5608",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan.VMProtect.Win32.138547"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "malicious",
"result": "Suspicious.Win32.Save.a"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59634",
"engine_update": "20260527",
"category": "malicious",
"result": "Riskware ( 005cdde61 )"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260527",
"category": "malicious",
"result": "Gen:Variant.Packed.VMProtect.1"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59634",
"engine_update": "20260527",
"category": "malicious",
"result": "Riskware ( 005cdde61 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "malicious",
"result": "win/malicious_confidence_100% (W)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8019ebe:8019ebe:4ac772e:4ac772e",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1216",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Gen.MBT"
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260527",
"category": "malicious",
"result": "malicious (high confidence)"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Win64/Kimsuky.CF trojan"
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "malicious",
"result": "Malicious"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "malicious",
"result": "TROJ_FRS.VSNTAD26"
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260527",
"category": "malicious",
"result": "generic.ml"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan-Spy.Win32.Bobik.dqaf"
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "malicious",
"result": "Packed:Win32/VMProtect.50316450"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260527",
"category": "malicious",
"result": "Spyware.Bobik!8.108FF (CLOUD)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Mal/Generic-S"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.TR/W64.Agent"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260527",
"category": "malicious",
"result": "BackDoor.Siggen2.5677"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260527",
"category": "malicious",
"result": "Gen:Variant.Packed.VMProtect.1"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260527",
"category": "malicious",
"result": "TROJ_FRS.VSNTAD26"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260527",
"category": "malicious",
"result": "ti!23420100260C"
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260527",
"category": "malicious",
"result": "dll.trojan.bobik"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260527",
"category": "malicious",
"result": "Gen:Variant.Packed.VMProtect.1 (B)"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "malicious",
"result": "Static AI - Suspicious PE"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779890474",
"engine_update": "20260527",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260527",
"category": "malicious",
"result": "TR/W64.Agent"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260527",
"category": "malicious",
"result": "W64/ABTrojan.RIKA-6613"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan[Spy]/Win32.Bobik"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260527",
"category": "malicious",
"result": "Win32.Trojan-Spy.Bobik.dqaf"
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan:Win32/Casdet!rfn"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Heur!.02212022"
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38681",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Packed.VMProtect.1"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Win.C.Bobik.8531968.A"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107068",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44694AVA:64.31315",
"engine_update": "20260527",
"category": "malicious",
"result": "Gen:Variant.Packed.VMProtect.1"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260527",
"category": "malicious",
"result": "Malicious (score: 100)"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260527",
"category": "malicious",
"result": "Backdoor/Win.Mudsdoor.R744597"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260527",
"category": "malicious",
"result": "TrojanSpy.Bobik"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-27.02",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260527",
"category": "malicious",
"result": "MALICIOUS"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260527",
"category": "malicious",
"result": "Malware.AI.4250203055"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "malicious",
"result": "Win32.Trojan-Spy.Bobik.Ftgl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260527",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260527",
"category": "malicious",
"result": "Artemis!08160ACF08FC"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Win32.VMProtect"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260527",
"category": "malicious",
"result": "Trojan.Malware.338148470.susgen"
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Riskware/FRS"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Win64:MalwareX-gen [Misc]"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260527",
"category": "malicious",
"result": "Win64:MalwareX-gen [Misc]"
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[spy]:Win/Wacatac.B9nj"
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260527-02",
"engine_update": "20260527",
"category": "type-unsupported",
"result": null
}
},
"magika": "PEBIN",
"last_modification_date": 1779902289,
"first_submission_date": 1765772436,
"magic": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
"first_seen_itw_date": 1765814607,
"filecondis": {
"raw_md5": "5a41c9ca662227b88a7b7f6f6a7606e0",
"dhash": "0000001e0d0f0a04"
},
"last_analysis_stats": {
"malicious": 53,
"suspicious": 0,
"undetected": 18,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 4
},
"sha1": "df226a702fee389e2186daa405069a3975a44ae7",
"creation_date": 1765528447,
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 2,
"low": 4
},
"meaningful_name": "ke2i3tp.crqn",
"unique_sources": 1,
"type_description": "Win32 DLL",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 2,
"low": 4
}
},
"reputation": -52,
"pe_info": {
"timestamp": 1765528447,
"imphash": "4b60e239e1f821496f625e84618c6f3c",
"machine_type": 34404,
"entry_point": 10088760,
"resource_details": [
{
"lang": "ENGLISH US",
"chi2": 1428.08,
"filetype": "XML",
"entropy": 4.885799884796143,
"sha256": "d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04",
"type": "RT_MANIFEST"
}
],
"resource_langs": {
"ENGLISH US": 1
},
"resource_types": {
"RT_MANIFEST": 1
},
"sections": [
{
"name": ".text",
"chi2": -1.0,
"virtual_address": 4096,
"flags": "rx",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 612772,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": ".rdata",
"chi2": -1.0,
"virtual_address": 618496,
"flags": "r",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 144758,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": ".data",
"chi2": -1.0,
"virtual_address": 765952,
"flags": "rw",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 18276,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": ".pdata",
"chi2": -1.0,
"virtual_address": 786432,
"flags": "r",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 18588,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": "_RDATA",
"chi2": -1.0,
"virtual_address": 806912,
"flags": "r",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 348,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": "9bku4mfk",
"chi2": -1.0,
"virtual_address": 811008,
"flags": "rx",
"raw_size": 0,
"entropy": 0.0,
"virtual_size": 4375716,
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"name": "9bku4mfk",
"chi2": 360253.25,
"virtual_address": 5189632,
"flags": "rw",
"raw_size": 2048,
"entropy": 1.79,
"virtual_size": 1776,
"md5": "736ccd8c4329af38e728cbcbe7201681"
},
{
"name": "9bku4mfk",
"chi2": 7290027.0,
"virtual_address": 5193728,
"flags": "rx",
"raw_size": 8527872,
"entropy": 7.74,
"virtual_size": 8527628,
"md5": "89478a5bd6b564311e76f11bf027b10f"
},
{
"name": ".reloc",
"chi2": 63280.0,
"virtual_address": 13721600,
"flags": "r",
"raw_size": 512,
"entropy": 2.61,
"virtual_size": 296,
"md5": "c602d157e76947e992e5908df3adf0b0"
},
{
"name": ".rsrc",
"chi2": 61549.0,
"virtual_address": 13725696,
"flags": "r",
"raw_size": 512,
"entropy": 2.53,
"virtual_size": 233,
"md5": "1da857dcbcd398aeebd6c7665882bce4"
}
],
"exports": [
"load"
],
"import_list": [
{
"library_name": "KERNEL32.dll",
"imported_functions": [
"CloseHandle",
"CompareStringEx",
"CompareStringW",
"CreateEventW",
"CreateFileW",
"CreateProcessW",
"CreateThread",
"DecodePointer",
"DeleteCriticalSection",
"EncodePointer",
"EnterCriticalSection",
"EnumSystemLocalesW",
"ExitProcess",
"ExitThread",
"FindClose",
"FindFirstFileExW",
"FindNextFileW",
"FlsAlloc",
"FlsFree",
"FlsGetValue",
"FlsSetValue",
"FlushFileBuffers",
"FreeEnvironmentStringsW",
"FreeLibrary",
"GetACP",
"GetCommandLineA",
"GetCommandLineW",
"GetConsoleMode",
"GetConsoleOutputCP",
"GetCPInfo",
"GetCurrentProcess",
"GetCurrentProcessId",
"GetCurrentThreadId",
"GetDateFormatW",
"GetEnvironmentStringsW",
"GetFileSizeEx",
"GetFileType",
"GetLastError",
"GetLocaleInfoEx",
"GetLocaleInfoW",
"GetModuleFileNameW",
"GetModuleHandleA",
"GetModuleHandleExW",
"GetModuleHandleW",
"GetOEMCP",
"GetProcAddress",
"GetProcessHeap",
"GetStartupInfoW",
"GetStdHandle",
"GetStringTypeW",
"GetSystemInfo",
"GetSystemTimeAsFileTime",
"GetTimeFormatW",
"GetTimeZoneInformation",
"GetUserDefaultLCID",
"HeapAlloc",
"HeapFree",
"HeapReAlloc",
"HeapSize",
"InitializeCriticalSection",
"InitializeCriticalSectionAndSpinCount",
"InitializeCriticalSectionEx",
"InitializeSListHead",
"InterlockedFlushSList",
"IsBadReadPtr",
"IsDebuggerPresent",
"IsProcessorFeaturePresent",
"IsValidCodePage",
"IsValidLocale",
"LCMapStringEx",
"LCMapStringW",
"LeaveCriticalSection",
"LoadLibraryA",
"LoadLibraryExW",
"MultiByteToWideChar",
"QueryPerformanceCounter",
"RaiseException",
"RtlCaptureContext",
"RtlLookupFunctionEntry",
"RtlPcToFileHeader",
"RtlUnwindEx",
"RtlVirtualUnwind",
"SetEnvironmentVariableW",
"SetFilePointerEx",
"SetLastError",
"SetStdHandle",
"SetUnhandledExceptionFilter",
"Sleep",
"TerminateProcess",
"TlsAlloc",
"TlsFree",
"TlsGetValue",
"TlsSetValue",
"UnhandledExceptionFilter",
"VirtualFree",
"VirtualQuery",
"WaitForSingleObject",
"WideCharToMultiByte",
"WriteConsoleW",
"WriteFile"
]
},
{
"library_name": "USER32.dll",
"imported_functions": [
"wsprintfW"
]
},
{
"library_name": "ADVAPI32.dll",
"imported_functions": [
"ChangeServiceConfig2W",
"CloseServiceHandle",
"ControlService",
"CreateServiceW",
"DeleteService",
"OpenSCManagerW",
"OpenServiceW",
"StartServiceW",
"SystemFunction036"
]
}
]
},
"size": 8531968,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Abused Debug Privilege by Arbitrary Parent Processes",
"rule_description": "Detection of unusual child processes by different system processes",
"rule_author": "Semanur Guneysu @semanurtg, oscd.community",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\services.exe",
"CommandLine": "cmd.exe /c \"rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\services.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious SYSTEM User Process Creation",
"rule_description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)",
"rule_author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Windows\\TEMP\\2At7570.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Windows\\TEMP\\2At7570.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Windows\\system32\\config\\systemprofile\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "4725cdcf2dfdd90c3aa0d331fae77d6ac8021c254701744a01444af04e9a0e69",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Rundll32 Internet Connection",
"rule_description": "Detects a rundll32 that communicates with public IP addresses",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "49.247.9.92",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49704",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49706",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"DestinationIp": "49.247.9.92"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49707",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"DestinationIp": "49.247.9.92"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49708",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"DestinationIp": "49.247.9.92"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "49.247.9.92",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"SourcePort": "49709",
"Initiated": "true"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potentially Suspicious CMD Shell Output Redirect",
"rule_description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7549.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\Bruno\\Desktop\\attachment.dll\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At756A.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\Bruno\\Desktop\\attachment.dll\",#1",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7643.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct ",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Windows\\system32\\config\\systemprofile\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct ",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Network Command",
"rule_description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
"rule_author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7549.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\Bruno\\Desktop\\attachment.dll\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At756A.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7549.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Windows\\TEMP\\2At7570.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "System",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At756A.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "a4f71b3d-2ba9-44cf-ac0f-5ff90e587567",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "eca25845-4158-4cf0-b5ed-c50b3a2c1029",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "1d3739b2-491c-41e5-9f41-d432e2be6aca",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "1054df01-e270-4944-a683-4d386a4bbe07",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Local Accounts Discovery",
"rule_description": "Local accounts, System Owner/User discovery using operating systems utilities",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe C:\\Users\\Bruno\\Desktop\\attachment.dll,load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7549.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\Bruno\\Desktop\\attachment.dll\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At756A.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7549.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At756A.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "rundll32.exe \"C:\\Users\\Bruno\\Desktop\\attachment.dll\",#1",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At7643.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"tags": [
"pedll",
"long-sleeps",
"64bits",
"calls-wmi",
"detect-debug-environment"
]
}
}
}
Related Reports
2026-05-14
Kaspersky