Malware Analysis Report

2024-11-16 12:15

Sample ID 230603-2rb9raac58
Target fastli_Nopwd.zip
SHA256 9ea438471b7623fd3e27f1a8029f40e4c15363e92bcfdb5cbea2366d4dc72afc
Tags phobos evasion persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

9ea438471b7623fd3e27f1a8029f40e4c15363e92bcfdb5cbea2366d4dc72afc

Threat Level: Known bad

The file fastli_Nopwd.zip was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (313) files with added filename extension

Renames multiple (478) files with added filename extension

Deletes backup catalog

Modifies extensions of user files

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-03 22:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-03 22:48

Reported

2023-06-03 22:51

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fastli.exe C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fastli = "C:\\Users\\Admin\\AppData\\Local\\fastli.exe" C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\fastli = "C:\\Users\\Admin\\AppData\\Local\\fastli.exe" C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCT3UJZ1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4EJGXEBJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\A6DSJQQJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPTKCP3O\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CNVACXT5\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E9J3Z65S\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BZB8KC7X\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\fr-FR\wordpad.exe.mui C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\TRANSMRR.DLL.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.XML C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21503_.GIF.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLPROXY.DLL C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\PST8PDT C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12 C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jre7\bin\javafx-font.dll.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\install.log C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME29.CSS C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\application.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.id[279F3F44-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 648 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 648 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 564 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 648 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 648 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 648 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 648 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 648 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 648 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 648 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2012 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2012 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2912 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2912 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2912 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2912 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2912 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2912 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2912 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2912 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2912 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[279F3F44-3340].[[email protected]].Elbie

MD5 0fa61693abe9bf222da84d07646bb608
SHA1 fb2e0f1b48ef18b97dbef3420b98e50e8d015e32
SHA256 cbd4d3db33bc7fc2eb19fe03cea532484c0ca692d3fcb49345e7ec222c148f73
SHA512 dd7a5018e2d79c0aa4ba5c97f80bec84b1b19b2774cfb005462179c24ea84286e32ef6c6b92f9a4310f55ff7e77afb9fb52d367e2d2ac6a96b5cf332677c764c

C:\info.hta

MD5 b15d43eb30effb923dfb62f65f4ed57e
SHA1 2319d9e7d1f354a0174a217ad148a0b4991931dc
SHA256 42591a64e31799643201473bad7e7fe61b9f87aaeb8eff60f54ffd875f9276a5
SHA512 97170d3203fe322bff4760c51d82b5bf1c03ef2f3a06794e8025ef8de145ef832a0bfea1bb786222c74045c300ecde7b3cd4e63e2563533308911625d9da6667

C:\users\public\desktop\info.hta

MD5 b15d43eb30effb923dfb62f65f4ed57e
SHA1 2319d9e7d1f354a0174a217ad148a0b4991931dc
SHA256 42591a64e31799643201473bad7e7fe61b9f87aaeb8eff60f54ffd875f9276a5
SHA512 97170d3203fe322bff4760c51d82b5bf1c03ef2f3a06794e8025ef8de145ef832a0bfea1bb786222c74045c300ecde7b3cd4e63e2563533308911625d9da6667

C:\info.hta

MD5 b15d43eb30effb923dfb62f65f4ed57e
SHA1 2319d9e7d1f354a0174a217ad148a0b4991931dc
SHA256 42591a64e31799643201473bad7e7fe61b9f87aaeb8eff60f54ffd875f9276a5
SHA512 97170d3203fe322bff4760c51d82b5bf1c03ef2f3a06794e8025ef8de145ef832a0bfea1bb786222c74045c300ecde7b3cd4e63e2563533308911625d9da6667

C:\Users\Admin\Desktop\info.hta

MD5 b15d43eb30effb923dfb62f65f4ed57e
SHA1 2319d9e7d1f354a0174a217ad148a0b4991931dc
SHA256 42591a64e31799643201473bad7e7fe61b9f87aaeb8eff60f54ffd875f9276a5
SHA512 97170d3203fe322bff4760c51d82b5bf1c03ef2f3a06794e8025ef8de145ef832a0bfea1bb786222c74045c300ecde7b3cd4e63e2563533308911625d9da6667

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-03 22:48

Reported

2023-06-03 22:52

Platform

win10v2004-20230220-en

Max time kernel

210s

Max time network

213s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (478) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\LimitMerge.tiff C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushConvert.tiff C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fastli.exe C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fastli = "C:\\Users\\Admin\\AppData\\Local\\fastli.exe" C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fastli = "C:\\Users\\Admin\\AppData\\Local\\fastli.exe" C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforsignature_18.svg C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\VALoading.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderWhite.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\SaveExit.html C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\SpeedSelectionSlider.xbf C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\vreg\osmmui.msi.16.en-us.vreg.dat.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Undo.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Google\Chrome\Application\master_preferences.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_contrast-white.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-200.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nl.pak C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-40.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.id[C24F29F8-3340].[[email protected]].Elbie C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3368 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 396 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 396 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3368 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3368 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 396 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 396 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 396 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 396 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 396 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 396 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 396 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 396 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2196 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe C:\Windows\system32\cmd.exe
PID 220 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 220 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 220 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 220 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 220 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 220 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 220 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 220 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 220 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 220 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe

"C:\Users\Admin\AppData\Local\Temp\fastli\fastli.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 39.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 20.189.173.5:443 tcp
NL 88.221.25.155:80 tcp
US 8.8.8.8:53 assets.msn.com udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
GB 95.101.143.242:443 assets.msn.com tcp
US 8.8.8.8:53 242.143.101.95.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 178.79.208.1:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C24F29F8-3340].[[email protected]].Elbie

MD5 003e5f3abbbdf907478a99eff95bd02e
SHA1 779c022b6c128c89aa69c350e83892acb0b82530
SHA256 507fcb17c66cc7ada6e347952f101092093d0e24bdad3fefae0b82e4ca20e174
SHA512 423418550ff5ff33904332b626197e7af8b4c36bca9dc82839db226c2123a3fbe7929e9313c6c137e212c48e27e3cb1b27d2a9cc9d31bf18e84b31ff67239c55

C:\info.hta

MD5 21d1a60884ec3f8bb86c7287db63fd92
SHA1 33da8dc7b7bb8a898b6256d5fcc0334001133d5b
SHA256 fabf1b30158aeb3badfe6bf03b3404c87bd78ec46f560b897c25774df4c2080d
SHA512 578c429e1403cc917bfb3c3fbbb957162182ccb53921477044627a0aa58aee6bcd51b37c6b06759ff573093a46f43b18f51ab1df89d53f497b2816ca698c65cf

C:\Users\Admin\Desktop\info.hta

MD5 21d1a60884ec3f8bb86c7287db63fd92
SHA1 33da8dc7b7bb8a898b6256d5fcc0334001133d5b
SHA256 fabf1b30158aeb3badfe6bf03b3404c87bd78ec46f560b897c25774df4c2080d
SHA512 578c429e1403cc917bfb3c3fbbb957162182ccb53921477044627a0aa58aee6bcd51b37c6b06759ff573093a46f43b18f51ab1df89d53f497b2816ca698c65cf

C:\users\public\desktop\info.hta

MD5 21d1a60884ec3f8bb86c7287db63fd92
SHA1 33da8dc7b7bb8a898b6256d5fcc0334001133d5b
SHA256 fabf1b30158aeb3badfe6bf03b3404c87bd78ec46f560b897c25774df4c2080d
SHA512 578c429e1403cc917bfb3c3fbbb957162182ccb53921477044627a0aa58aee6bcd51b37c6b06759ff573093a46f43b18f51ab1df89d53f497b2816ca698c65cf