Malware Analysis Report

2024-11-16 12:15

Sample ID 230419-wkp95sed2x
Target V1Fast.bin.exe
SHA256 c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c21de9109580e03f0fc0a71c10bfe2923927eb0dfe748bea47d550f1fe7f1715

Threat Level: Known bad

The file V1Fast.bin.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies registry class

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-19 17:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-19 17:59

Reported

2023-04-19 18:01

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\V1Fast.bin.exe C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V1Fast.bin = "C:\\Users\\Admin\\AppData\\Local\\V1Fast.bin.exe" C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\V1Fast.bin = "C:\\Users\\Admin\\AppData\\Local\\V1Fast.bin.exe" C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2647223082-2067913677-935928954-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTIFN44A\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2STIOPZK\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FPRRZWTM\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D3FFX6WH\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KDJSR44L\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.dll C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.ELM C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.DLL C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185834.WMF C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195812.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00454_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01080_.WMF.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MAIL.ICO.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.id[28667182-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1484 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1484 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1168 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1168 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1168 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1168 wrote to memory of 428 N/A C:\Windows\System32\Wbem\WMIC.exe C:\Windows\system32\netsh.exe
PID 1168 wrote to memory of 428 N/A C:\Windows\System32\Wbem\WMIC.exe C:\Windows\system32\netsh.exe
PID 1168 wrote to memory of 428 N/A C:\Windows\System32\Wbem\WMIC.exe C:\Windows\system32\netsh.exe
PID 1484 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1484 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1484 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1484 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1484 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1484 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1484 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1692 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1692 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 1256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1608 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1608 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[28667182-3327].[[email protected]].Devos

MD5 63425398605eab2749069e68225fa064
SHA1 0e64abf86dac4fc0149bfce38e1a6f53427d48c5
SHA256 4eae7e9439cc2b14e94f992427bc786c4db8ef62ca90908d45688707c2ab67c4
SHA512 840c4023abca71c7144b948837235cf58cbd23134c756b4776616cafdc1fc96a05a6656798d55eb9b30395903952d4f80d507dfed7d6a1f31cfe64ab9f9da09a

C:\info.hta

MD5 59f3187369ca7b62843f643da33ae548
SHA1 6cddc6ef3a7b45b7fde6dedada75bce4c7007cef
SHA256 d2cf7eacfc0847d673bc34ac567436db80c49bc14872ca4f7d41a7327e117fa3
SHA512 17d2e12774b6d0b13bd7932f78ebfa25671c768232f087af8f197c2c125195c6f0cc556963764fd16038e6f8f0b5531ae97afa14ad0cb8ca8f9134ce48c89a7d

C:\info.hta

MD5 59f3187369ca7b62843f643da33ae548
SHA1 6cddc6ef3a7b45b7fde6dedada75bce4c7007cef
SHA256 d2cf7eacfc0847d673bc34ac567436db80c49bc14872ca4f7d41a7327e117fa3
SHA512 17d2e12774b6d0b13bd7932f78ebfa25671c768232f087af8f197c2c125195c6f0cc556963764fd16038e6f8f0b5531ae97afa14ad0cb8ca8f9134ce48c89a7d

C:\users\public\desktop\info.hta

MD5 59f3187369ca7b62843f643da33ae548
SHA1 6cddc6ef3a7b45b7fde6dedada75bce4c7007cef
SHA256 d2cf7eacfc0847d673bc34ac567436db80c49bc14872ca4f7d41a7327e117fa3
SHA512 17d2e12774b6d0b13bd7932f78ebfa25671c768232f087af8f197c2c125195c6f0cc556963764fd16038e6f8f0b5531ae97afa14ad0cb8ca8f9134ce48c89a7d

C:\Users\Admin\Desktop\info.hta

MD5 59f3187369ca7b62843f643da33ae548
SHA1 6cddc6ef3a7b45b7fde6dedada75bce4c7007cef
SHA256 d2cf7eacfc0847d673bc34ac567436db80c49bc14872ca4f7d41a7327e117fa3
SHA512 17d2e12774b6d0b13bd7932f78ebfa25671c768232f087af8f197c2c125195c6f0cc556963764fd16038e6f8f0b5531ae97afa14ad0cb8ca8f9134ce48c89a7d

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-19 17:59

Reported

2023-04-19 18:01

Platform

win10v2004-20230220-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\V1Fast.bin.exe C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V1Fast.bin = "C:\\Users\\Admin\\AppData\\Local\\V1Fast.bin.exe" C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V1Fast.bin = "C:\\Users\\Admin\\AppData\\Local\\V1Fast.bin.exe" C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\packages.config C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment-2x.png.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinOnboardingCommands.xml C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OSFUI.DLL.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.173.45\msedgeupdateres_da.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.css C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-convert-l1-1-0.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Error_Box.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_is.dll.id[C3D90E0E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 4828 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4828 wrote to memory of 4888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3644 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3644 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4828 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4828 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3644 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3644 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4828 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4828 wrote to memory of 3796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4828 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4828 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4828 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4828 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1480 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\SysWOW64\mshta.exe
PID 1480 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe C:\Windows\system32\cmd.exe
PID 792 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 792 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 792 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 792 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 792 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 792 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 792 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 792 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 792 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 792 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe

"C:\Users\Admin\AppData\Local\Temp\V1Fast.bin.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 192.229.221.95:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 20.189.173.11:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C3D90E0E-3327].[[email protected]].Devos

MD5 04a83410254c8043a9449485b446e99a
SHA1 7d88a29115a48b09ebcf149712ba489e464f5e4f
SHA256 2beac4524d54fc50181118b255fdcef902c729df7d2aec75221973262e6f2ae6
SHA512 5737b4748f0ed8636450dd9292588e6822cb35bb6b669be9325448caab23379a4c43b12f7247a6486208ac619b4e418c26e80e2c81a96b8446de3139f77bb9e1

C:\info.hta

MD5 ac121023febf0e35bcb6c19cc8c35d4a
SHA1 e036f0293e0fa081293b26c61e901d5d70b9e699
SHA256 72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc
SHA512 64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

C:\Users\Admin\Desktop\info.hta

MD5 ac121023febf0e35bcb6c19cc8c35d4a
SHA1 e036f0293e0fa081293b26c61e901d5d70b9e699
SHA256 72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc
SHA512 64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

C:\users\public\desktop\info.hta

MD5 ac121023febf0e35bcb6c19cc8c35d4a
SHA1 e036f0293e0fa081293b26c61e901d5d70b9e699
SHA256 72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc
SHA512 64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf

C:\info.hta

MD5 ac121023febf0e35bcb6c19cc8c35d4a
SHA1 e036f0293e0fa081293b26c61e901d5d70b9e699
SHA256 72d732c2574effc7a1fd2cb60072c48abd652a0b24127af85b6fdd66ae46ddbc
SHA512 64a51fce86284584d8d5620be559fdcc16b6a6593fcc5d7ca4b235e2c23b5bd3d444c34757fca0b1247c2ef72f4f67daf7e9fc7c27d6fc68f33c7235f4d4a8cf