849ddfdba810b251522690d51475a359
Hash
- MD5: 849ddfdba810b251522690d51475a359
- SHA1: b520406cbe32f034f3ef62a1b45314484c18c1b6
- SHA256: 7aa4fba7f1270af6afc326c172ccac39be2101deaabeafa1b0b2cf92ad31f5db
- First Seen: 2026-05-13
- Last Seen: 2026-05-13
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "7aa4fba7f1270af6afc326c172ccac39be2101deaabeafa1b0b2cf92ad31f5db",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/7aa4fba7f1270af6afc326c172ccac39be2101deaabeafa1b0b2cf92ad31f5db"
},
"attributes": {
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 3,
"low": 1
},
"tags": [
"long-sleeps",
"powershell",
"detect-debug-environment",
"url-pattern"
],
"sandbox_verdicts": {
"C2AE": {
"category": "undetected",
"malware_classification": [
"UNKNOWN_VERDICT"
],
"sandbox_name": "C2AE"
}
},
"type_extension": "ps1",
"sha1": "b520406cbe32f034f3ef62a1b45314484c18c1b6",
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 17
}
],
"popular_threat_name": [
{
"value": "powershell",
"count": 6
},
{
"value": "loader",
"count": 4
},
{
"value": "abtrojan",
"count": 1
}
],
"suggested_threat_label": "trojan.powershell/loader"
},
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Script.PowerShell.m!c"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260605",
"category": "malicious",
"result": "powershell.trojan.loader"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.PowerShell.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260604",
"category": "malicious",
"result": "Trojan.GenericKD.80128878"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.55.59724",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.55.59722",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1221",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260605",
"category": "malicious",
"result": "PowerShell/Agent.EEV trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260605",
"category": "malicious",
"result": "UDS:Backdoor.PowerShell.Agent"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.80128878"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260605",
"category": "malicious",
"result": "PS.S.Loader.3199"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.80128878"
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Agent/PS!8.1331B (TOPIS:E0:ZSkx2zyeTvS)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5615",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260605",
"category": "malicious",
"result": "ti!7AA4FBA7F127"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.80128878 (B)"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44797AVA:64.31365",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.80128878"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260605",
"category": "malicious",
"result": "ABTrojan.ZCML-"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260604",
"category": "malicious",
"result": "Win32.Troj.Undef.a"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38704",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Generic.D4C6AB6E"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107315",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780642860",
"engine_update": "20260605",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan/PowerShell.Loader.SC311839"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-05.02",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "malicious",
"result": "Script.Trojan.Loader.Iajl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "2751a2f:2751a2f:52f3dc9:52f3dc9",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Agent.EAN"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "timeout",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "timeout",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260605",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260604-02",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260603",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.785",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
}
},
"type_description": "Powershell",
"vhash": "baecf43733b14a6ee73cd57028e9c222",
"sigma_analysis_summary": {
"Joe Security Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
},
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 0,
"medium": 3,
"low": 1
}
},
"magika": "POWERSHELL",
"last_analysis_stats": {
"malicious": 21,
"suspicious": 0,
"undetected": 37,
"harmless": 0,
"timeout": 2,
"confirmed-timeout": 0,
"failure": 1,
"type-unsupported": 14
},
"first_seen_itw_date": 1779309847,
"reputation": 0,
"names": [
"qdke.ini",
"5gzkrqp.exe",
"eudksre.ps1",
"Eudksre.ps1"
],
"filecondis": {
"dhash": "fcb89caabc941080",
"raw_md5": "df72c791ae8053a79ffd7affba95f383"
},
"ssdeep": "96:jdCm+5zQCxo4h2nXVs+r8XrchzBHD4ApO:BQiiUF0XrMNDRpO",
"first_submission_date": 1773807260,
"meaningful_name": "qdke.ini",
"tlsh": "T1AF6113209754DB2857B2E0549E729849E9769133029B7C3ABD8C0123EF3D07643B6F98",
"size": 3199,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918",
"rule_source": "Joe Security Rule Set (GitHub)",
"rule_title": "Dot net compiler compiles file from suspicious location",
"rule_description": "Dot net compiler compiles file from suspicious location",
"rule_author": "Joe Security",
"match_context": [
{
"values": {
"Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "csc.exe",
"Product": "Microsoft\\xae .NET Framework",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy bypass -File \"C:\\Users\\Bruno\\Desktop\\script.ps1\"",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\bc3efbd2\\bc3efbd2.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "0b65bb3c-92e7-471f-8f97-ebca48f89801",
"Path": "C:\\Users\\azure\\Downloads\\qdke.ini.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\Desktop\\sample.ps1",
"ScriptBlockId": "88e89d25-33d6-457e-bb38-691072a44a30",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "08c9b2bd-7ca2-4935-bd1b-b0db0e777ace",
"Path": "C:\\Users\\Bruno\\Desktop\\script.ps1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Suspicious PowerShell Keywords",
"rule_description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"rule_author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "0b65bb3c-92e7-471f-8f97-ebca48f89801",
"Path": "C:\\Users\\azure\\Downloads\\qdke.ini.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "88e89d25-33d6-457e-bb38-691072a44a30",
"Path": "C:\\Users\\Bruno\\Desktop\\sample.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\Desktop\\script.ps1",
"ScriptBlockId": "08c9b2bd-7ca2-4935-bd1b-b0db0e777ace",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic .NET Compilation Via Csc.EXE",
"rule_description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
"rule_author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "csc.exe",
"Product": "Microsoft\\xae .NET Framework",
"Description": "Visual C# Command Line Compiler",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy bypass -File \"C:\\Users\\Bruno\\Desktop\\script.ps1\"",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\bc3efbd2\\bc3efbd2.cmdline\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic CSharp Compile Artefact",
"rule_description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\bc3efbd2\\bc3efbd2.cmdline",
"EventID": "11"
}
}
]
}
],
"times_submitted": 2,
"total_votes": {
"harmless": 0,
"malicious": 0
},
"last_modification_date": 1780655688,
"magic": "C++ source, ASCII text, with very long lines (564u), with CRLF line terminators",
"md5": "849ddfdba810b251522690d51475a359",
"last_analysis_date": 1780648218,
"unique_sources": 2,
"sha256": "7aa4fba7f1270af6afc326c172ccac39be2101deaabeafa1b0b2cf92ad31f5db",
"powershell_info": {
"dotnet_calls": [
"System.Activator",
"System.Reflection.Assembly"
],
"cmdlets": [
"add-type",
"invoke-webrequest"
]
},
"type_tag": "powershell",
"last_submission_date": 1778707421,
"type_tags": [
"source",
"powershell",
"ps",
"ps1"
]
}
}
}