Malware Analysis Report

2024-09-11 01:09

Sample ID: 240308-hlwxeshg96
Target: fast.exe
SHA256: 3d47651f5e95c7e3a815a2d5f24eb3144824cb58d2ee6ba8b96d96973d1a6cba
Tags: phobos evasion persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3d47651f5e95c7e3a815a2d5f24eb3144824cb58d2ee6ba8b96d96973d1a6cba

Threat Level: Known bad

The file fast.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (494) files with added filename extension

Deletes shadow copies

Renames multiple (312) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-08 06:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-08 06:50
Reported: 2024-03-08 06:53
Platform: win7-20240215-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B7BFF3BE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops desktop.ini file(s)


Drops file in Program Files directory


Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2024 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2024 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2636 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2636 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2636 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2024 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2024 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2024 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2636 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2636 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2636 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2636 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2636 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2636 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2636 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2108 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 768 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 768 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 768 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 768 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 768 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 768 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 768 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 768 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[B7BFF3BE-2815].[[email protected]].faust

MD5 e2c7bec01808587bef494d3f11731cfc
SHA1 4998fde83c1803c05aa3e21f618a0d6d061a2b88
SHA256 fb735b01bf37b51a073141a9a86dc09c9030fcac6348ba8db6df4c2c0878b197
SHA512 c3b4e45c68d19689f38f720b559b1fb0772111c5b075583329abf666ab9a60bf3b72a82d228fe5656cee69b19457504d0f2d85c6927bb227f1d2a379b512302d

C:\info.hta

MD5 8f9585d138c55b3ba74174cb5a833d44
SHA1 e549b163c9825eb251a42b322018b8c7beb7dcc6
SHA256 2383ec8dee599ebc94b309881de2f59dd5d3ce69e35006af5d8e8a8d6bd05ee0
SHA512 28e17c3b1be83e3d9df3b717cae2e0f3fe8228ea61da20cecfa3c6b763854b90f8e5ae093f61d558b80f69afde87442face55c25dc0f438ff48d3b50e0011f22

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 06:50

Reported

2024-03-08 06:53

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (494) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.TypeConverter.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare71x71Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\AppStore_icon.svg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\selector.js.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses.svg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nl.pak.DATA C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Drawing.Common.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\ShowOut.nfo.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscordaccore.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1 C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\stdole.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\MemMDL2.1.85.ttf C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_rename_18.svg.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\javaw.exe.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weather_trends.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\ui-strings.js.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Incoming_Video_Available.m4a C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\deploy.dll.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\ui-strings.js.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.id[C06FDB58-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-64.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3656 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 5024 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5024 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4728 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4728 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5024 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5024 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4728 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4728 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4728 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4728 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4728 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3656 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3656 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4452 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4452 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4452 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4452 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4452 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4452 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4452 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4452 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4452 wrote to memory of 3184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C06FDB58-2815].[[email protected]].faust

MD5 d5b3327c42686c42b1d522b990592d32
SHA1 d95186e2cdbbfdb4c862954f82ede523b80a2923
SHA256 ad7b2ae16d26a037ac73483bcc69215ae642b7faa8cac4a47078ee378ccc054d
SHA512 c3ecccf7c19639a14adf6f0fa760ffd843c1eece3a6b0fca128283c2b26bde01c931533215988d1ded30d1099a0799bd6a67afcba929624816100b1d44d57ed3

C:\info.hta

MD5 b10bf0edbcc00999a99bb78b6d185fe9
SHA1 38bf19cb4480c3fb408955688814fce270da30b4
SHA256 d8f1a83d926069d3cc0babf4e990b007178c826e8964d09497de0a549007e829
SHA512 750eafac39e2653b3f496435db9fe69aaef744bcba49951ce298a8eec3d25da325ab7ef5dc9b8bdeed2a5bdeba148b3798c8fb3191137592d4c665487cb9869d