8edc77fb36bf80bb52d158cf9043cecd
Hash
- MD5: 8edc77fb36bf80bb52d158cf9043cecd
- SHA1: 4bd7ca1a8a0f04f3354b7bd80e16b105f0e85b7a
- SHA256: 08f8a56c22282f5827674c65e75b15ab13da34d828eb7f9c089f15bb58de3296
- First Seen: 2026-05-21
- Last Seen: 2026-05-21
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "08f8a56c22282f5827674c65e75b15ab13da34d828eb7f9c089f15bb58de3296",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/08f8a56c22282f5827674c65e75b15ab13da34d828eb7f9c089f15bb58de3296"
},
"attributes": {
"last_modification_date": 1777073610,
"size": 283580,
"vhash": "3879e1ce01b4f2d2696106b3a3e40e2c",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "New RUN Key Pointing to Suspicious Folder",
"rule_description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",
"rule_author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventID": "13",
"Details": "C:\\Users\\Public\\Downloads\\Name_File.hta",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Path"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "WmiPrvSE Spawned A Process",
"rule_description": "Detects WmiPrvSE spawning a process",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell",
"rule_description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.",
"rule_author": "Markus Neis @Karneades",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventID": "13",
"EventType": "SetValue",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Details": "C:\\Users\\Public\\Downloads\\Name_File.hta",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Path"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \"IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "2.0.0.1",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260424",
"category": "malicious",
"result": "javascript.trojan.generic"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260423",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.231",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5588",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.48.59306",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.48.59306",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1194",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260424",
"category": "malicious",
"result": "Scr.Malcode!gen"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260424",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260424",
"category": "malicious",
"result": "HEUR:Trojan.Script.Generic"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.4.1.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260424",
"category": "malicious",
"result": "VBS.Starter.519"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan:Script/Formbook.VZC!1"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053 (B)"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8e4a097:8e4a097:a9d2355:a9d2355",
"engine_update": "20260424",
"category": "malicious",
"result": "HEUR:Trojan/JS.Obfuscator.c"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44308AVA:64.31110",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.39849053"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260423",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.244.174",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38593",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan.Generic.D2600C5D"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260423",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.24-114820483",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26030.3008",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260424",
"category": "malicious",
"result": "JS/Agent.DXZ!Eldorado"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260424",
"category": "malicious",
"result": "Trojan/HTA.RemcosRAT!MTB"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-04-23.02",
"engine_update": "20260423",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260424",
"category": "malicious",
"result": "JS/Rescoms.B!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260424",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Multi/Generic.Gen"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": null,
"engine_update": "20260424",
"category": "timeout",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260424-00",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.257",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.772",
"engine_update": "20260422",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.11.0",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260423",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260424",
"category": "type-unsupported",
"result": null
}
},
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 4,
"low": 1
},
"type_extension": "js",
"names": [
"youaremybestfeelingsforme.hta",
"youaremybestfeelingsforme[1].hta"
],
"sha256": "08f8a56c22282f5827674c65e75b15ab13da34d828eb7f9c089f15bb58de3296",
"last_submission_date": 1776861539,
"ssdeep": "3072:NKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKW:e",
"javascript_info": {
"tags": [
"malformed"
]
},
"magic": "CSV text",
"first_submission_date": 1776837785,
"crowdsourced_ids_stats": {
"high": 4,
"medium": 0,
"low": 2,
"info": 0
},
"popular_threat_classification": {
"suggested_threat_label": "trojan.",
"popular_threat_category": [
{
"value": "trojan",
"count": 13
}
]
},
"type_description": "JavaScript",
"filecondis": {
"dhash": "ded8a8e0a884c02a",
"raw_md5": "906c977ee906b73fb3b35e3932013337"
},
"magika": "JAVASCRIPT",
"tags": [
"javascript"
],
"last_analysis_stats": {
"malicious": 18,
"suspicious": 0,
"undetected": 42,
"harmless": 0,
"timeout": 1,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 14
},
"reputation": -12,
"times_submitted": 2,
"crowdsourced_ids_results": [
{
"rule_category": "Exploit Kit Activity Detected",
"alert_severity": "high",
"rule_msg": "ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound",
"rule_id": "1:2020423",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound\"; flow:established,to_client; file.data; content:\"lRXdjVGeFxGblh2U\"; classtype:exploit-kit; sid:2020423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2015_02_16, deployment Perimeter, malware_family ReverseLoader, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_23;)",
"alert_context": [
{
"src_ip": "66.179.248.120",
"src_port": 80,
"hostname": "66.179.248.120",
"url": "http://66.179.248.120/img/optimized_MSI.png"
}
]
},
{
"rule_category": "Exploit Kit Activity Detected",
"alert_severity": "high",
"rule_msg": "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1",
"rule_id": "1:2020424",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1\"; flow:established,from_server; file_data; content:\"Z0V3YlhXRsxWZoN\"; classtype:exploit-kit; sid:2020424; rev:2; metadata:created_at 2015_02_16, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)",
"alert_context": [
{
"src_ip": "172.245.209.228",
"src_port": 80,
"hostname": "172.245.209.228",
"url": "http://172.245.209.228/10/img_212426.png"
}
]
},
{
"rule_category": "Exploit Kit Activity Detected",
"alert_severity": "high",
"rule_msg": "ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2",
"rule_id": "1:2020425",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2\"; flow:established,to_client; file.data; content:\"Gd1NWZ4VEbsVGaT\"; classtype:exploit-kit; sid:2020425; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2015_02_16, deployment Perimeter, malware_family ReverseLoader, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_24;)",
"alert_context": [
{
"src_ip": "172.245.209.228",
"src_port": 80,
"hostname": "172.245.209.228",
"url": "http://172.245.209.228/10/img_212426.png"
}
]
},
{
"rule_category": "Malware Command and Control Activity Detected",
"alert_severity": "high",
"rule_msg": "ET JA3 Hash - Remcos 3.x/4.x TLS Connection",
"rule_id": "1:2036594",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET JA3 Hash - Remcos 3.x/4.x TLS Connection\"; flow:established,to_server; ja3.hash; content:\"a85be79f7b569f1df5e6087b69deb493\"; classtype:command-and-control; sid:2036594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, malware_family Remcos, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_19;)",
"alert_context": [
{
"dest_ip": "107.175.88.78",
"dest_port": 14646,
"ja3": [
"a85be79f7b569f1df5e6087b69deb493"
],
"ja3s": [
"eb1d94daa7e0344597e756a1fb6e7054"
]
}
]
},
{
"rule_category": "Misc activity",
"alert_severity": "low",
"rule_msg": "ET INFO DYNAMIC_DNS Query to *.duckdns. Domain",
"rule_id": "1:2022918",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert dns $HOME_NET any -> any any (msg:\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\"; dns.query; content:\".duckdns.\"; nocase; classtype:misc-activity; sid:2022918; rev:4; metadata:created_at 2016_06_27, confidence Medium, signature_severity Informational, updated_at 2022_11_30, reviewed_at 2024_04_16;)",
"alert_context": [
{
"dest_ip": "8.8.4.4",
"dest_port": 53
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain",
"rule_id": "1:2042936",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert dns $HOME_NET any -> any any (msg:\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\"; dns.query; content:\".duckdns.org\"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2042936; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_15, deployment Perimeter, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_03_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)",
"rule_references": [
"https://changeip.com"
],
"alert_context": [
{
"dest_ip": "8.8.8.8",
"dest_port": 53
}
]
}
],
"tlsh": "T1DC54798CCBF89B49ECB8B890CB9364BB554E045542267DAA532C3E101D6E8FE3F5857C",
"sha1": "4bd7ca1a8a0f04f3354b7bd80e16b105f0e85b7a",
"md5": "8edc77fb36bf80bb52d158cf9043cecd",
"sandbox_verdicts": {
"CAPE Sandbox": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "CAPE Sandbox",
"malware_names": [
"Remcos"
]
},
"Zenbox": {
"category": "harmless",
"malware_classification": [
"CLEAN"
],
"sandbox_name": "Zenbox",
"confidence": 99
}
},
"last_analysis_date": 1777063835,
"meaningful_name": "youaremybestfeelingsforme.hta",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 4,
"low": 1
}
},
"type_tag": "javascript",
"total_votes": {
"harmless": 0,
"malicious": 2
},
"type_tags": [
"source",
"javascript",
"js"
],
"unique_sources": 2
}
}
}