Managed XDR

c-users-user-appdata-l...tion-investigation.lnk — malware analysis report

File info

Filename
c-users-user-appdata-local-temp-jtoe2nor.duz-property-corruption-investigation.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=4, Archive, ctime=Tue Jun 3 15:47:44 2025, mtime=Tue Nov 4 15:41:48 2025, atime=Tue Jun 3 15:47:44 2025, length=289792, window=hidenormalshowminimized
File size
2 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
591a61dfa4941dd1df502e001764caace07efbb2
SHA256
a8f1e6669f5658386f856ec4e1437c34aa9c4d83668b1348bf097a5a7861e696
MD5
644e4c9e4d78abca41876a960be46f02

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1202 lolbin_conhost: conhost.exe spawning unexpected processes via --headless argument

Other

yara_rules: Static rules
creates_suspended_process: Creates suspended process
writes_data: Writes big amount of data to disk
Managed XDR