Malware Created by North Korea's APT Kimsuky - system_first.ps1 (2024.11.27)

2024-12-06 Sakai Malware Created by North Korea's APT Kimsuky - system_first.ps1 (2024.11.27)

https://wezard4u.tistory.com/429349


Kimsuky is linked to a PowerShell script named system_first.ps1 that, according to the excerpt, is launched from an earlier pay.bat infection chain. The script requests Dropbox API access using embedded OAuth refresh-token parameters, collects the host's first local IP address and the current time, writes a small marker file under AppData, and uploads that file to a Dropbox path under /githut/santa2_persist/. The source provides hashes for the script, including SHA-256 ed55bb081d0e4dfeefd7af35dbb0a0481be192d3d0759631c951f7d6d5737749, and notes vendor detections such as PowerShell/Kimsuky.AR and PS.S.Infostealer.1532. For defenders, the behaviour is evidence of cloud-service abuse for staging, host fingerprinting, and PowerShell-based staging associated with the described Kimsuky chain.
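The summary above lists two kinds of evidence a defender can act on: a file hash and a set of behaviours (Dropbox OAuth refresh-token use, a fixed staging path, a marker file in AppData, local IP and time collection). The following triage script, an added example that is not part of the page or of the original blog post, checks a PowerShell script against both. It assumes the Dropbox API host name (dropboxapi.com) and typical PowerShell cmdlet names (Get-NetIPAddress, Get-Date, $env:APPDATA) as the way such collection is usually written; the page only names the behaviours, not the exact calls. The two sample inputs are constructed for the test and are not the actor's script. Only the full SHA-256 from the page is usable for exact matching; the other two hashes on the page are truncated or MD5-length.

```python
import hashlib
import re

# SHA-256 of system_first.ps1 as given on the page.
KNOWN_SHA256 = {
    "ed55bb081d0e4dfeefd7af35dbb0a0481be192d3d0759631c951f7d6d5737749",
}

# Behavioural indicators derived from the page's description.
# Host names and cmdlet names are assumptions; the staging path is quoted from the page.
INDICATORS = {
    "dropbox_oauth_refresh": re.compile(r"refresh_token", re.I),
    "dropbox_api_host": re.compile(r"dropboxapi\.com", re.I),
    "santa2_persist_path": re.compile(r"/githut/santa2_persist/", re.I),
    "appdata_marker_write": re.compile(r"\$env:APPDATA", re.I),
    "local_ip_collection": re.compile(r"Get-NetIPAddress|\bIPAddress\b", re.I),
    "timestamp_collection": re.compile(r"Get-Date", re.I),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw file bytes, for matching against the IoC list."""
    return hashlib.sha256(data).hexdigest()


def classify(digest: str, hits: list) -> str:
    """Turn a hash match plus indicator hits into a triage verdict."""
    if digest in KNOWN_SHA256:
        return "known_sample"
    # The staging path is specific to the reported chain.
    if "santa2_persist_path" in hits:
        return "matches_reported_chain"
    dropbox = "dropbox_oauth_refresh" in hits or "dropbox_api_host" in hits
    fingerprint = "local_ip_collection" in hits or "timestamp_collection" in hits
    if dropbox and "appdata_marker_write" in hits and fingerprint:
        return "dropbox_staging_behaviour"
    if dropbox:
        return "review"
    return "no_indicators"


def scan_script(data: bytes) -> dict:
    """Hash the script, collect indicator hits, and return a verdict."""
    text = data.decode("utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    digest = sha256_hex(data)
    return {"sha256": digest, "hits": hits, "verdict": classify(digest, hits)}


# Constructed test input containing the indicator strings; not the actor's script.
SAMPLE_SUSPICIOUS = b"""# constructed test input
$body = @{ grant_type = 'refresh_token' }
$u = 'https://api.dropboxapi.com/oauth2/token'
$ip = (Get-NetIPAddress -AddressFamily IPv4)[0].IPAddress
$stamp = Get-Date -Format s
$marker = Join-Path $env:APPDATA 'sys.txt'
$dest = '/githut/santa2_persist/' + $ip
"""

# Constructed benign script: uses Get-Date but nothing cloud-related.
SAMPLE_BENIGN = b"""Get-Date
Write-Host 'hello'
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        result = scan_script(sample)
        print(label, result["verdict"], result["hits"])
```

The verdict tiers deliberately separate "this file is the reported sample" (hash match) from "this file behaves like the reported chain" (the staging path) and from generic Dropbox-staging behaviour, so that a new variant with a changed hash still surfaces for review.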

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   60cdedb45513069a5d6731052996668…    2024-12-06   2024-12-06
HASH   e598db51ddee48b7c351b68aebf76ebf    2024-12-06   2024-12-06
HASH   ed55bb081d0e4dfeefd7af35dbb0a04…    2024-12-06   2024-12-06

The first and third hash values are truncated as listed; the full SHA-256 of the third appears in the summary above.
