8e15c4d4f71bdd9dbc48cd2cabc87806
Hash
- MD5: 8e15c4d4f71bdd9dbc48cd2cabc87806
- SHA1: 13e2753bbebf5180b6fba4b234d9a08c953c0e01
- SHA256: 38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e
- First Seen: 2026-05-14
- Last Seen: 2026-05-14
- 1 Related Reports
- 0 Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e"
},
"attributes": {
"first_seen_itw_date": 1778763758,
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 10
},
{
"value": "downloader",
"count": 2
},
{
"value": "dropper",
"count": 1
}
],
"popular_threat_name": [
{
"value": "kimsuky",
"count": 5
},
{
"value": "horse",
"count": 1
},
{
"value": "kagent",
"count": 1
}
],
"suggested_threat_label": "trojan.kimsuky/horse"
},
"filecondis": {
"dhash": "e6eab02086c6c3c0",
"raw_md5": "542dbc1e5202652c6dbc022f0bd9ba97"
},
"times_submitted": 1,
"names": [
"38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse"
],
"reputation": 0,
"md5": "8e15c4d4f71bdd9dbc48cd2cabc87806",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"crowdsourced_yara_results": [
{
"ruleset_id": "00074b7629",
"ruleset_version": "00074b7629|1d926845269a3ac8de0431da133950390b5cced3",
"ruleset_name": "gen_susp_obfuscation",
"rule_name": "SUSP_Double_Base64_Encoded_Executable",
"match_date": 1780318627,
"description": "Detects an executable that has been encoded with base64 twice",
"author": "Florian Roth (Nextron Systems)",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "0122bae1e9",
"ruleset_version": "0122bae1e9|589bbefc22847193cac455858fa15e627d671918",
"ruleset_name": "Base64_Encoded_URL",
"rule_name": "Base64_Encoded_URL",
"match_date": 1780318627,
"description": "This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation.",
"author": "InQuest Labs",
"source": "https://github.com/InQuest/yara-rules-vt"
}
],
"magic": "ASCII text, with very long lines (65536u), with no line terminators",
"magika": "TXT",
"type_tags": [
"text"
],
"meaningful_name": "38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse",
"sigma_analysis_stats": {
"critical": 1,
"high": 4,
"medium": 10,
"low": 6
},
"sha1": "13e2753bbebf5180b6fba4b234d9a08c953c0e01",
"type_tag": "text",
"last_modification_date": 1780325824,
"size": 58599609,
"last_analysis_stats": {
"malicious": 18,
"suspicious": 0,
"undetected": 43,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 14
},
"sigma_analysis_results": [
{
"rule_level": "critical",
"rule_id": "59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78",
"rule_source": "Joe Security Rule Set (GitHub)",
"rule_title": "Powershell launch regsvr32",
"rule_description": "Powershell launch regsvr32",
"rule_author": "Joe Security",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"EventID": "1",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden regsvr32.exe /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "New RUN Key Pointing to Suspicious Folder",
"rule_description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",
"rule_author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventType": "SetValue",
"Details": "regsvr32.exe /s /n /i:3edc5tgb \"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\"",
"Image": "C:\\Windows\\system32\\reg.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cheongseongService"
}
}
]
},
{
"rule_level": "high",
"rule_id": "2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File Decoded From Base64/Hex Via Certutil.EXE",
"rule_description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution",
"rule_author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community",
"match_context": [
{
"values": {
"Hashes": "MD5=2EE61062AF648FF954408D422CA408F4,SHA256=1C010BFBF42A6A32EC9BFF5A3A559B51C983D77CE47D30074AA170417FA4CF1D,IMPHASH=92EAFDFBCF8B4ECD46E832973B0649D6",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "CertUtil.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "CertUtil.exe",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\certutil.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=C2319F1E8ADB193FC1B3466F32E4F134B97DF9E3,MD5=2D3C8A1DEA8BA4677B4199EAE9DE148B,SHA256=6AF299712FE257BF7A51CBA7E86206E43452040D82CF28180AD9F9EF13488692,IMPHASH=323A326D7B550351B75EC637A5575902",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "CertUtil.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "CertUtil.exe",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.22621.1992 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\certutil.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potentially Suspicious Child Process Of Regsvr32",
"rule_description": "Detects potentially suspicious child processes of \"regsvr32.exe\".",
"rule_author": "elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "reg.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Registry Console Tool",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "reg add hkcu\\software\\microsoft\\windows\\currentversion\\run -d \"regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"\" -t REG_SZ -v \"cheongseongService\" -f",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Shell/Scripting Processes Spawning Suspicious Programs",
"rule_description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.",
"rule_author": "Florian Roth (Nextron Systems), Tim Shelton",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "CertUtil.exe",
"Hashes": "MD5=2EE61062AF648FF954408D422CA408F4,SHA256=1C010BFBF42A6A32EC9BFF5A3A559B51C983D77CE47D30074AA170417FA4CF1D,IMPHASH=92EAFDFBCF8B4ECD46E832973B0649D6",
"Description": "CertUtil.exe",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\certutil.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=C2319F1E8ADB193FC1B3466F32E4F134B97DF9E3,MD5=2D3C8A1DEA8BA4677B4199EAE9DE148B,SHA256=6AF299712FE257BF7A51CBA7E86206E43452040D82CF28180AD9F9EF13488692,IMPHASH=323A326D7B550351B75EC637A5575902",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "CertUtil.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "CertUtil.exe",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\certutil.exe\" -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.22621.1992 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\certutil.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "DNS Query Request By Regsvr32.EXE",
"rule_description": "Detects DNS queries initiated by \"Regsvr32.exe\"",
"rule_author": "Dmitriy Lifanov, oscd.community",
"match_context": [
{
"values": {
"QueryResults": "::ffff:209.159.155.109;",
"QueryStatus": "0",
"QueryName": "opedromos1.r-e.kr",
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"EventID": "22"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Unusual Parent Process For Cmd.EXE",
"rule_description": "Detects suspicious parent process for cmd.exe",
"rule_author": "Tim Rauch, Elastic (idea)",
"match_context": [
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Roaming\\temp\\784.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"",
"CommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%%programfiles%%\" & dir \"%%programfiles%% (x86)\" & dir \"%%programdata%%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%%appdata%%\\Microsoft\\Windows\\Recent\" & dir \"%%userprofile%%\\desktop\" /s & dir \"%%userprofile%%\\downloads\" /s & dir \"%%userprofile%%\\documents\" /s",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "3c839a03f4fc9d7988e0debb79087dea4e4584fa05c3ee8cd7aad8c037b505cf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Scripting/CommandLine Process Spawned Regsvr32",
"rule_description": "Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. spawning a \"regsvr32\" instance.",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "MD5=878E47C8656E53AE8A8A21E927C6F7E0,SHA256=31AEE70F9705F6578C6B41849EA3B5A948A446F494F24BEFCF5B169A1C2A71D2,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden regsvr32.exe /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "49c4c4517c1ca707a5dfadad1b8db8afe6380c4546c944335aee3a1fadcc5542",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Regsvr32 Execution From Potential Suspicious Location",
"rule_description": "Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "MD5=B0C2FA35D14A9FAD919E99D9D75E1B9E,SHA256=022CB167A29A32DAE848BE91AEF721C74F1975AF151807DAFCC5ED832DB246B7,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"Details": "DWORD (0x00000001)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
}
},
{
"values": {
"Details": "DWORD (0x00000000)",
"EventType": "SetValue",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "Binary Data",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache\\LangID"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventID": "13",
"Details": "regsvr32.exe /s /n /i:3edc5tgb \"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\"",
"Image": "C:\\Windows\\system32\\reg.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cheongseongService"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE",
"rule_description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry",
"rule_author": "Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "reg.exe",
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"Description": "Registry Console Tool",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "reg add hkcu\\software\\microsoft\\windows\\currentversion\\run -d \"regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"\" -t REG_SZ -v \"cheongseongService\" -f",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Direct Autorun Keys Modification",
"rule_description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "reg.exe",
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"Description": "Registry Console Tool",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "reg add hkcu\\software\\microsoft\\windows\\currentversion\\run -d \"regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"\" -t REG_SZ -v \"cheongseongService\" -f",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocation From Script Engines",
"rule_description": "Detects suspicious powershell invocations from interpreters or unusual programs",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Bruno\\Desktop\\2dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\wscript.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\2dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Regsvr32 DLL Execution With Uncommon Extension",
"rule_description": "Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=878E47C8656E53AE8A8A21E927C6F7E0,SHA256=31AEE70F9705F6578C6B41849EA3B5A948A446F494F24BEFCF5B169A1C2A71D2,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden regsvr32.exe /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "MD5=B0C2FA35D14A9FAD919E99D9D75E1B9E,SHA256=022CB167A29A32DAE848BE91AEF721C74F1975AF151807DAFCC5ED832DB246B7,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\regsvr32.exe\" /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "REGSVR32.EXE",
"Hashes": "MD5=B0C2FA35D14A9FAD919E99D9D75E1B9E,SHA256=022CB167A29A32DAE848BE91AEF721C74F1975AF151807DAFCC5ED832DB246B7,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F",
"Description": "Microsoft(C) Register Server",
"EventID": "1",
"ParentCommandLine": " /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"CommandLine": "regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\regsvr32.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\wscript.exe\" \"C:\\Users\\Bruno\\Desktop\\2dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\wscript.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"EventID": "1",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden regsvr32.exe /s /n /i:3edc5tgb C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%programfiles%\" & dir \"%programfiles% (x86)\" & dir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%appdata%\\Microsoft\\Windows\\Recent\" & dir \"%userprofile%\\desktop\" /s & dir \"%userprofile%\\downloads\" /s & dir \"%userprofile%\\documents\" /s",
"CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct ",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Bruno\\Desktop\\2dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e.jse\"",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\vefIUW3km.s0L41 C:\\Windows\\..\\ProgramData\\blSsr3Hei.wxt1z",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wscript.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Network Command",
"rule_description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
"rule_author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
"match_context": [
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"",
"CommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%%programfiles%%\" & dir \"%%programfiles%% (x86)\" & dir \"%%programdata%%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%%appdata%%\\Microsoft\\Windows\\Recent\" & dir \"%%userprofile%%\\desktop\" /s & dir \"%%userprofile%%\\downloads\" /s & dir \"%%userprofile%%\\documents\" /s",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "ipconfig.exe",
"Hashes": "MD5=62F170FB07FDBB79CEB7147101406EB8,SHA256=53E000F5AA9B3A00934319DB8080BB99CB323BF48FC628A64F75D7847C265606,IMPHASH=1002D523645A81BC52877D82D9E88417",
"Description": "IP Configuration Utility",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%programfiles%\" & dir \"%programfiles% (x86)\" & dir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%appdata%\\Microsoft\\Windows\\Recent\" & dir \"%userprofile%\\desktop\" /s & dir \"%userprofile%\\downloads\" /s & dir \"%userprofile%\\documents\" /s",
"CommandLine": "ipconfig /all ",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\ipconfig.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "arp.exe",
"Hashes": "MD5=2AF1B2C042B83437A4BE82B19749FA98,SHA256=7B79171410482F410B7572C58EDB7FD39326F7150C7C6882249B1CF9D7C970F0,IMPHASH=48A4D83E58F21E6758C9F94526FBB940",
"Description": "TCP/IP Arp Command",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%programfiles%\" & dir \"%programfiles% (x86)\" & dir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%appdata%\\Microsoft\\Windows\\Recent\" & dir \"%userprofile%\\desktop\" /s & dir \"%userprofile%\\downloads\" /s & dir \"%userprofile%\\documents\" /s",
"CommandLine": "arp -a ",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\ARP.EXE",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File And SubFolder Enumeration Via Dir Command",
"rule_description": "Detects usage of the \"dir\" command, part of Windows CMD, with the \"/S\" command line flag in order to enumerate files in a specified directory and all of its subdirectories.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "regsvr32.exe /s /n /i:3edc5tgb \\\"C:\\Users\\Bruno\\AppData\\Roaming\\cheongseongServ\\Hadawcheong\\cheongseongService\\Server\\CheongSeongServ.db\\\"",
"CommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%%programfiles%%\" & dir \"%%programfiles%% (x86)\" & dir \"%%programdata%%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%%appdata%%\\Microsoft\\Windows\\Recent\" & dir \"%%userprofile%%\\desktop\" /s & dir \"%%userprofile%%\\downloads\" /s & dir \"%%userprofile%%\\documents\" /s",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"MessageTotal": "1",
"ScriptBlockId": "97d13a8c-13eb-4809-ac88-b37821784e53",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Local Accounts Discovery",
"rule_description": "Local accounts, System Owner/User discovery using operating systems utilities",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "net.exe",
"Hashes": "MD5=0BD94A338EEA5A4E1F2830AE326E6D19,SHA256=9F376759BCBCD705F726460FC4A7E2B07F310F52BAA73CAAAAA124FDDBDF993E,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07",
"Description": "Net Command",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%programfiles%\" & dir \"%programfiles% (x86)\" & dir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%appdata%\\Microsoft\\Windows\\Recent\" & dir \"%userprofile%\\desktop\" /s & dir \"%userprofile%\\downloads\" /s & dir \"%userprofile%\\documents\" /s",
"CommandLine": "net user ",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\net.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=480868AEBA9C04CA04D641D5ED29937B,SHA256=766C791EDFA6EEEBA0F99D6481BFE23BF59E6ACB81A930B71F3AA33EFBAFE544,IMPHASH=B72F14292FAC033099AD1A08D6867486",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "quser.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Query User Utility",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "query user ",
"CommandLine": "\"C:\\Windows\\system32\\quser.exe\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\query.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\quser.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Execution of Systeminfo",
"rule_description": "Detects usage of the \"systeminfo\" command to retrieve information",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "sysinfo.exe",
"Hashes": "MD5=EE309A9C61511E907D87B10EF226FDCD,SHA256=6F87CAA51BDEA802045BB281FC2686A3C76364C26A3FFE6C2CCAC4AF5F9DB37B,IMPHASH=C7C3DF13F22D7A13802E6509367A5830",
"Description": "Displays system information",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c systeminfo & powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct & ipconfig /all & arp -a & net user & query user & dir \"%programfiles%\" & dir \"%programfiles% (x86)\" & dir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" /s dir \"%appdata%\\Microsoft\\Windows\\Recent\" & dir \"%userprofile%\\desktop\" /s & dir \"%userprofile%\\downloads\" /s & dir \"%userprofile%\\documents\" /s",
"CommandLine": "systeminfo ",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\systeminfo.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"sha256": "38537c172dec2b985bd7e81d8a8aae7d760896cc2baf7ab25fff7ba9c4c36d3e",
"last_submission_date": 1769602812,
"tags": [
"text",
"long-sleeps"
],
"unique_sources": 1,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan.Text.Kimsuky.a!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.55.59677",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.55.59678",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1218",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260531",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260601",
"category": "malicious",
"result": "JS/Kimsuky.I trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260601",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260601",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan-Downloader.JS.Kimsuky.a"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260530",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan.TR/Malware"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5611",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260601",
"category": "malicious",
"result": "ti!38537C172DEC"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260601",
"category": "malicious",
"result": "txt.trojan.kimsuky"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan.Script.KAgent"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260601",
"category": "malicious",
"result": "JS/Agent.EGU"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260601",
"category": "malicious",
"result": "TR/Malware"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38693",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260601",
"category": "malicious",
"result": "Trojan.Win.S.Script.58599609"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107206",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44752AVA:64.31343",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780311674",
"engine_update": "20260601",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260601",
"category": "malicious",
"result": "Dropper/JS.Agent"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-01.02",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "1925a7e:1925a7e:354c4d2:354c4d2",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260601",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[downloader]:Javascript/Kimsuky.a"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260601-00",
"engine_update": "20260601",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260601",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.783",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260601",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260601",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260601",
"category": "type-unsupported",
"result": null
}
},
"first_submission_date": 1769602812,
"sigma_analysis_summary": {
"Joe Security Rule Set (GitHub)": {
"critical": 1,
"high": 0,
"medium": 0,
"low": 0
},
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 4,
"medium": 10,
"low": 6
}
},
"tlsh": "T197D7F1218AC42FA9DFAC591DD0BE161EA7F14B8B942675CDEB337D07AFEB9040107189",
"type_description": "Text",
"type_extension": "txt",
"last_analysis_date": 1780318550,
"ssdeep": "49152:wutc7uWGl5bweAB9yXNP+MFhSbl4vRfIvrespuHPQJLLsG98K1xhkJp189pSljwf:w"
}
}
}
Related Reports
2026-05-14
Kaspersky