Managed XDR

c-users-user-appdata-l...-2hxk45vz.nv4-raul.lnk — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-users-user-appdata-local-temp-2hxk45vz.nv4-raul.lnk
Тип файла
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=10, Archive, ctime=Sun May 26 07:01:55 2024, mtime=Mon Mar 31 11:13:50 2025, atime=Sun May 26 07:01:55 2024, length=289792, window=hidenormalshowminimized
Размер файла
874.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
9b806db855135ad920204cdb48c60c35bcde09cb
SHA256
f54dc4b91383d84e0a51fee2e232916da8899a7b7b39f91a782af8ef17f15d02
MD5
f26de9d478c96df37e6f1d4c77d15dde

Сигнатуры

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1218.008 odbcconf: Uses Odbcconf.exe to execute code
T1070.004 self_removal_command: Executes command to delete itself

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Other

yara_rules: Static rules
static_pe_anomaly: The PE file structure contains anomalies
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
pe_overlay: PE file contains overlay
dotnet_mixed_assembly: Dotnet program is mixed assembly