52f1ff082e981cbdfd1f045c6021c63f
Hash
- MD5: 52f1ff082e981cbdfd1f045c6021c63f
- SHA1: be85ab350916ab4d95048ebc50e748d75d959b6b
- SHA256: 59eb093c10f11f612b8dadab258285aa2020219a0b86d65a5c890c214434809e
- First Seen: 2026-05-14
- Last Seen: 2026-05-14
Additional Information
VirusTotal
{
"data": {
"id": "59eb093c10f11f612b8dadab258285aa2020219a0b86d65a5c890c214434809e",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/59eb093c10f11f612b8dadab258285aa2020219a0b86d65a5c890c214434809e"
},
"attributes": {
"meaningful_name": "2026\ub144 \uc0c1\ubc18\uae30 \uad6d\ub0b4\ub300\ud559\uc6d0 \uc11d\uc0ac\uc57c\uac04\uacfc\uc815 \uc704\ud0c1\uad50\uc721\uc0dd \uc120\ubc1c\uad00\ub828 \uc11c\ub958.hwpx.jse",
"total_votes": {
"harmless": 0,
"malicious": 1
},
"trid": [
{
"file_type": "file seems to be plain text/ASCII",
"probability": 0.0
}
],
"unique_sources": 2,
"filecondis": {
"raw_md5": "72fe9cf609351a9e7194e645a852bced",
"dhash": "c68000028a868382"
},
"sha1": "be85ab350916ab4d95048ebc50e748d75d959b6b",
"type_description": "Text",
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 10,
"low": 4
},
"crowdsourced_yara_results": [
{
"ruleset_id": "0122bae1e9",
"ruleset_version": "0122bae1e9|589bbefc22847193cac455858fa15e627d671918",
"ruleset_name": "Base64_Encoded_URL",
"rule_name": "Base64_Encoded_URL",
"match_date": 1779790188,
"description": "This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation.",
"author": "InQuest Labs",
"source": "https://github.com/InQuest/yara-rules-vt"
},
{
"ruleset_id": "00074b7629",
"ruleset_version": "00074b7629|1d926845269a3ac8de0431da133950390b5cced3",
"ruleset_name": "gen_susp_obfuscation",
"rule_name": "SUSP_Double_Base64_Encoded_Executable",
"match_date": 1779790188,
"description": "Detects an executable that has been encoded with base64 twice",
"author": "Florian Roth (Nextron Systems)",
"source": "https://github.com/Neo23x0/signature-base"
}
],
"last_analysis_stats": {
"malicious": 20,
"suspicious": 0,
"undetected": 40,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 1,
"type-unsupported": 14
},
"ssdeep": "49152:fAuW+sJS1VL0N830DKNrwH7Y0AuW+sJS1VL0N830DKN3RWtSZt56ex3V1HyX3FXW:6",
"last_submission_date": 1770392300,
"first_seen_itw_date": 1765644581,
"tlsh": "T1E017E1119BC8AF59AF8C590AC07E261E73F22B49C493B1CDA7937C077AEFD0C4A16459",
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 10,
"value": "trojan"
},
{
"count": 1,
"value": "dropper"
}
],
"suggested_threat_label": "trojan.sagent/jsransom",
"popular_threat_name": [
{
"count": 5,
"value": "sagent"
},
{
"count": 2,
"value": "jsransom"
},
{
"count": 1,
"value": "abtrojan"
}
]
},
"type_tags": [
"text"
],
"last_modification_date": 1779818673,
"magic": "ASCII text, with very long lines (65536u), with no line terminators",
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"TROJAN",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 88
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"first_submission_date": 1765699906,
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 10,
"low": 4
}
},
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Text.SAgent.4!c"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260526",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59615",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59617",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1214",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260526",
"category": "malicious",
"result": "JS/Kimsuky.I trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_JSRANSOM.O4"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR:Trojan.Script.SAgent.gen"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "malicious",
"result": "Script.Trojan.Sagent.Zwhl"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.TR/Malware"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260526",
"category": "malicious",
"result": "JS.Muldrop.1299"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5608",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_JSRANSOM.O4"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260526",
"category": "malicious",
"result": "ti!59EB093C10F1"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260526",
"category": "malicious",
"result": "txt.trojan.sagent"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Script.KAgent"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260526",
"category": "malicious",
"result": "ABTrojan.BSHB-2"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260526",
"category": "malicious",
"result": "TR/Malware"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260524",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38677",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260526",
"category": "malicious",
"result": "JS.S.Agent.19481809"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107039",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44681AVA:64.31308",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779782449",
"engine_update": "20260526",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260526",
"category": "malicious",
"result": "Dropper/JSE.Agent"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-26.02",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "b8a15cc:b8a15cc:e0fccfc:e0fccfc",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Multi/SAgent.gyf"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": null,
"engine_update": "20260525",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260526-00",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.261",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
}
},
"tags": [
"long-sleeps",
"detect-debug-environment",
"macro-powershell",
"calls-wmi",
"persistence",
"text"
],
"sha256": "59eb093c10f11f612b8dadab258285aa2020219a0b86d65a5c890c214434809e",
"size": 19481809,
"magika": "TXT",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File Decoded From Base64/Hex Via Certutil.EXE",
"rule_description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "CertUtil.exe",
"Hashes": "SHA1=C2319F1E8ADB193FC1B3466F32E4F134B97DF9E3,MD5=2D3C8A1DEA8BA4677B4199EAE9DE148B,SHA256=6AF299712FE257BF7A51CBA7E86206E43452040D82CF28180AD9F9EF13488692,IMPHASH=323A326D7B550351B75EC637A5575902",
"Description": "CertUtil.exe",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"FileVersion": "10.0.22621.1992 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\certutil.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Shell/Scripting Processes Spawning Suspicious Programs",
"rule_description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.",
"rule_author": "Florian Roth (Nextron Systems), Tim Shelton",
"match_context": [
{
"values": {
"Hashes": "SHA1=C2319F1E8ADB193FC1B3466F32E4F134B97DF9E3,MD5=2D3C8A1DEA8BA4677B4199EAE9DE148B,SHA256=6AF299712FE257BF7A51CBA7E86206E43452040D82CF28180AD9F9EF13488692,IMPHASH=323A326D7B550351B75EC637A5575902",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "CertUtil.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "CertUtil.exe",
"FileVersion": "10.0.22621.1992 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\certutil.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Cscript/Wscript Potentially Suspicious Child Process",
"rule_description": "Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\nMalware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\script.js\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden Start-Process rundll32.exe -argumentlist 'C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load' -NoNewWindow",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "4725cdcf2dfdd90c3aa0d331fae77d6ac8021c254701744a01444af04e9a0e69",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Rundll32 Internet Connection",
"rule_description": "Detects a rundll32 that communicates with public IP addresses",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"SourcePort": "49721",
"DestinationIp": "49.247.9.92"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49722",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"DestinationIp": "49.247.9.92"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "49.247.9.92",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49723",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "49.247.9.92",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"SourcePort": "49724",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "49.247.9.92",
"Protocol": "tcp",
"SourceIp": "192.168.122.100",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "49725",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"Initiated": "true"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Rundll32 Spawned Via Explorer.EXE",
"rule_description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.",
"rule_author": "CD_ROM_",
"match_context": [
{
"values": {
"Hashes": "SHA1=CBFD746699A0C0D37597F91F3F4ED2CE6213025C,MD5=57A6B4BDF247C1A6CA08AC09A8F9B742,SHA256=98D37EFF504A7ADB864131EA4A042AAF4D79C4356960A8AB2FA656CC59AEC014,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "RUNDLL32.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows host process (Rundll32)",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "683818f24875a562c0b792edd4183d333b6b0b284ca8a88cc47fb2c9ae5b1473",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Unsigned DLL Loaded by Windows Utility",
"rule_description": "Detects windows utilities loading an unsigned or untrusted DLL.\nAdversaries often abuse those programs to proxy execution of malicious code.\n",
"rule_author": "Swachchhanda Shrawan Poudel",
"match_context": [
{
"values": {
"Hashes": "SHA1=DF226A702FEE389E2186DAA405069A3975A44AE7,MD5=08160ACF08FCCECDE7B34090DB18B321,SHA256=23420100260CC80055FBF02F4464212278C0E71A4387537771F3FB50F2F891E5,IMPHASH=4B60E239E1F821496F625E84618C6F3C",
"SignatureStatus": "Unavailable",
"Signed": "false",
"ImageLoaded": "C:\\ProgramData\\kE2I3TP.crqn",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"EventID": "7"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Details": "DWORD (0x00000001)",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
}
},
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"Details": "DWORD (0x00000001)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
}
},
{
"values": {
"EventID": "13",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
}
},
{
"values": {
"Details": "DWORD (0x00000000)",
"EventType": "SetValue",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
}
},
{
"values": {
"EventID": "13",
"Details": "QWORD (0x00000000-0x0042bc2a)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows Script\\Settings\\Telemetry\\wscript.exe\\JScriptSetScriptStateStarted"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"EventID": "13",
"Details": "rundll32.exe \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"Image": "C:\\Windows\\system32\\rundll32.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything 1.9a-8531968"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potentially Suspicious CMD Shell Output Redirect",
"rule_description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5906.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5941.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5D22.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At596F.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5DEF.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Suspicious PowerShell Keywords",
"rule_description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"rule_author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"match_context": [
{
"values": {
"ScriptBlockText": "Start-Process rundll32.exe -argumentlist 'C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load' -NoNewWindow",
"MessageTotal": "1",
"ScriptBlockId": "03e41173-cdea-4893-ad79-b5706f514656",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocation From Script Engines",
"rule_description": "Detects suspicious powershell invocations from interpreters or unusual programs",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\script.js\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\script.js\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden Start-Process rundll32.exe -argumentlist 'C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load' -NoNewWindow",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Rundll32 Execution With Uncommon DLL Extension",
"rule_description": "Detects the execution of rundll32 with a command line that doesn't contain a common extension",
"rule_author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "RUNDLL32.EXE",
"Hashes": "SHA1=CBFD746699A0C0D37597F91F3F4ED2CE6213025C,MD5=57A6B4BDF247C1A6CA08AC09A8F9B742,SHA256=98D37EFF504A7ADB864131EA4A042AAF4D79C4356960A8AB2FA656CC59AEC014,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C",
"Description": "Windows host process (Rundll32)",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden Start-Process rundll32.exe -argumentlist 'C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load' -NoNewWindow",
"CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "RUNDLL32.EXE",
"Hashes": "SHA1=CBFD746699A0C0D37597F91F3F4ED2CE6213025C,MD5=57A6B4BDF247C1A6CA08AC09A8F9B742,SHA256=98D37EFF504A7ADB864131EA4A042AAF4D79C4356960A8AB2FA656CC59AEC014,IMPHASH=5C68DE198B5D2DD5C1129782AD19676C",
"Description": "Windows host process (Rundll32)",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\script.js\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\iIdypWi.zgyY C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\script.js\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden Start-Process rundll32.exe -argumentlist 'C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load' -NoNewWindow",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct ",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Network Command",
"rule_description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
"rule_author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5906.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5906.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5941.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5941.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5D22.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "bf668539-e7be-4965-bbe8-ded7cb5188fd",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "6c138493-b0e9-4fd0-a874-f9276dbe75ba",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "fc19de5a-03d6-43b4-8c20-f7c0739217e3",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "99b7ecb5-2fc1-46f9-ba4c-98146394b93a",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "f9e6228e-ca87-4cde-8aa7-f9b8009ee856",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Local Accounts Discovery",
"rule_description": "Local account and system owner/user discovery using operating-system utilities",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5906.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5906.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\ProgramData\\kE2I3TP.crqn\",load",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5941.tmp\"",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\System32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%USERPROFILE%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5941.tmp\"",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" ( powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"C:\\Users\\Bruno\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo )\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\..\\ProgramData\\kE2I3TP.crqn load ",
"CommandLine": "cmd.exe /c chcp 949|(powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & dir C:\\ & dir C:\\programdata & dir C:\\Users & tasklist & dir \"C:\\program files\" & dir \"%%USERPROFILE%%\\Desktop\" & ipconfig /all & route print & net user & netstat -nao & systeminfo) & reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run > \"C:\\Users\\Bruno\\AppData\\Local\\Temp\\2At5D22.tmp\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\rundll32.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"type_extension": "txt",
"type_tag": "text",
"times_submitted": 2,
"md5": "52f1ff082e981cbdfd1f045c6021c63f",
"reputation": -52,
"last_analysis_date": 1779790116,
"names": [
"2026\ub144 \uc0c1\ubc18\uae30 \uad6d\ub0b4\ub300\ud559\uc6d0 \uc11d\uc0ac\uc57c\uac04\uacfc\uc815 \uc704\ud0c1\uad50\uc721\uc0dd \uc120\ubc1c\uad00\ub828 \uc11c\ub958.hwpx.jse",
"ptt6mc2w.exe"
]
}
}
}
Related Reports
2026-05-14
Kaspersky