Malware Analysis Report

2024-09-11 00:58

Sample ID: 240704-tjp7ms1djb

Target: c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6

SHA256: c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6

Tags: neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6

Threat Level: Known bad

The file c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6 was found to be: Known bad.

Malicious Activity Summary

Tags: neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Detect Neshta payload

Neshta family

Phobos

Neshta

Renames multiple (520) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (313) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Checks computer location settings

Drops startup file

Modifies system executable filetype association

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-04 16:05

Signatures

Detect Neshta payload


Neshta family

neshta

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-04 16:05

Reported: 2024-07-04 16:08

Platform: win7-20240508-en

Max time kernel: 150s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1D5U9W0O\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USLGY7LX\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9PLWLLW7\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\03PVXV8P\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2Y8NTX1F\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\Accessible.tlb C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107496.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\IntroducingPowerPoint2010.potx.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\zipfs.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgzm.exe.mui.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWSS.DLL.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\psmachine.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_iw.dll.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18241_.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_id.dll.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif.id[AF31204E-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2576 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2184 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2184 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2184 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2576 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2576 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2576 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2184 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2184 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2184 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2184 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2184 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2188 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2188 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 684 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 684 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 684 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 684 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 684 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 684 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 684 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 684 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 684 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
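The command lines above are the usual Phobos pre-encryption sequence: fast.exe starts two cmd.exe children, one disables the firewall through both the legacy netsh firewall context and the advfirewall context, the other deletes shadow copies twice (vssadmin and WMI), turns off Windows recovery with bcdedit and wipes the backup catalog with wbadmin, and afterwards mshta.exe is used to display the dropped info.hta ransom note from every volume. One caveat when reading the WriteProcessMemory table: PID 2992 is recorded both as WMIC.exe spawned by cmd.exe 2184 and as mshta.exe spawned by fast.exe 2188, so PIDs were reused during the run and a parent/child tree must not be keyed on PID alone. The following is an added example, not part of the sandbox report, that turns the observed command lines into a small process-creation rule set mapped to the ATT&CK techniques this behaviour corresponds to (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta); the commands are copied from the Processes list above, while the rule names and helper functions are this example's own.

```python
"""Rule-based classification of the child-process command lines in the report.

Added example, not part of the sandbox report.  The OBSERVED_COMMANDS list is
copied from the report's Processes section; the rule names, regexes and
helper functions are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Command lines exactly as they appear in the report's Processes section.
OBSERVED_COMMANDS = [
    "netsh advfirewall set currentprofile state off",
    "vssadmin delete shadows /all /quiet",
    "netsh firewall set opmode mode=disable",
    "wmic shadowcopy delete",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    '"C:\\Windows\\SysWOW64\\mshta.exe" "C:\\Users\\Admin\\Desktop\\info.hta"',
    '"C:\\Windows\\SysWOW64\\mshta.exe" "F:\\info.hta"',
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK technique ID
    pattern: "re.Pattern"   # matched against the full command line


RULES: List[Rule] = [
    Rule("vssadmin_delete_shadows", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("wmic_shadowcopy_delete", "T1490",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("bcdedit_disable_recovery", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|"
                    r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("wbadmin_delete_catalog", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    # Both the legacy "netsh firewall" context and "netsh advfirewall".
    Rule("netsh_firewall_off", "T1562.004",
         re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|"
                    r"firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
    # mshta.exe launched with a local .hta file (the ransom note display).
    Rule("mshta_local_hta", "T1218.005",
         re.compile(r"\bmshta(\.exe)?\"?\s+\"?[a-z]:\\.*\.hta\"?\s*$", re.I)),
]

# The four recovery-inhibition rules that, together, make up the Phobos
# pre-encryption cluster.  A lone vssadmin call is common admin noise;
# all four inside one short window from the same parent is not.
RECOVERY_INHIBITION: Set[str] = {
    "vssadmin_delete_shadows", "wmic_shadowcopy_delete",
    "bcdedit_disable_recovery", "wbadmin_delete_catalog",
}


def match_rules(cmdline: str) -> List[Rule]:
    """All rules whose pattern matches one command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def classify(commands) -> Dict[str, Set[str]]:
    """Map ATT&CK technique ID -> set of rule names that fired."""
    hits: Dict[str, Set[str]] = {}
    for cmd in commands:
        for rule in match_rules(cmd):
            hits.setdefault(rule.technique, set()).add(rule.name)
    return hits


def phobos_recovery_cluster(commands) -> bool:
    """True only when the complete recovery-inhibition cluster is present."""
    fired = classify(commands).get("T1490", set())
    return RECOVERY_INHIBITION <= fired


if __name__ == "__main__":
    for technique, rules in sorted(classify(OBSERVED_COMMANDS).items()):
        print(technique, sorted(rules))
    print("full Phobos recovery cluster:", phobos_recovery_cluster(OBSERVED_COMMANDS))
```

In production the same patterns apply to Sysmon Event ID 1 or Windows Security 4688 command lines; alerting on the complete cluster per parent process, rather than on any single command, is what keeps the rule quiet on hosts where administrators legitimately run vssadmin.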

Network

N/A

Files

C:\info.hta

MD5 cb8de320ff2289e44fcb496c7f95d27c
SHA1 0b101bdfb7cdd435ca2272aa763fced54684b521
SHA256 3715a4f3ac4f0d5badcaab02bf9dd7a12949c2e6538d78d6b02c5528b609ca0c
SHA512 48d3af830da5ecac22aeda7c882f7075ff859e6aef94dd743a9d75361b8f96e1c008c6e7a390e69407c855cd4eb3ce0dbdb84cbce7cd9ddc58584ccd209bc3ad

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:05

Reported

2024-07-04 16:08

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (520) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
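The renamed files in this run follow the Phobos naming scheme: the original name is kept, then .id[<victim id>] with an 8-hex-character identifier and a 4-digit suffix, then the operator contact in brackets, then the campaign extension (here Devos). The "File opened for modification" rows are the originals being encrypted in place and the "File created" rows are the renamed results, which is why both appear for the same directories. The contact field is rendered on this page as the literal text [email protected], so it cannot be recovered from the report. The parser below is an added example, not part of the sandbox report; it pulls the victim ID, contact and extension out of file paths taken from the report's own indicator tables and treats the bracketed contact as an opaque string rather than guessing at it.

```python
"""Parse the Phobos file-naming pattern <name>.id[<victim id>].[<contact>].<ext>.

Added example, not part of the sandbox report.  OBSERVED_PATHS is copied from
the report's "Drops startup file" and "Drops file in Program Files directory"
tables; the regex, helper functions and summary format are this example's own.
"""
import re
from collections import Counter
from typing import Optional

# Indicators copied from the report.  The last path was only opened for
# modification (encrypted in place) and has not been renamed.
OBSERVED_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[13D19145-3327].[[email protected]].Devos",
    r"C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.id[13D19145-3327].[[email protected]].Devos",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.id[13D19145-3327].[[email protected]].Devos",
    r"C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll",
]

PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)"                          # original name, may contain dots
    r"\.id\[(?P<victim_id>[0-9A-F]{8}-\d{4})\]"   # 8 hex chars, dash, 4 digits
    r"\.\[(?P<contact>.+)\]"                      # contact, greedy: brackets inside are allowed
    r"\.(?P<extension>[^.\]]+)$",                 # appended extension
    re.IGNORECASE,
)


def parse_phobos_name(path: str) -> Optional[dict]:
    """Return the name components for a Phobos-renamed file, else None."""
    name = path.rsplit("\\", 1)[-1]
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None


def summarize(paths):
    """Count victim IDs and extensions, and list the original names of renamed files.

    One victim ID across every volume is the expected Phobos behaviour; more
    than one in a single host's indicators would mean more than one run.
    """
    ids, exts, originals = Counter(), Counter(), []
    for p in paths:
        parsed = parse_phobos_name(p)
        if parsed is None:
            continue
        ids[parsed["victim_id"].upper()] += 1
        exts[parsed["extension"]] += 1
        originals.append(parsed["original"])
    return ids, exts, originals


if __name__ == "__main__":
    ids, exts, originals = summarize(OBSERVED_PATHS)
    print("victim ids:", dict(ids))
    print("extensions:", dict(exts))
    print("renamed originals:", originals)
```

Run over a full file listing from an affected host, the same function gives the encrypted-file inventory and confirms that every renamed file carries the same victim ID, the value that the ransom note and any decryptor keying are tied to.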

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\OneNoteAppContracts.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations_retina.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListSettings.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Resources.ResourceManager.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\hxcommintl.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\msedgeupdateres_eu.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\ui-strings.js.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ui-strings.js.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\ui-strings.js.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\FacebookLoginButton.xbf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\deploy.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.id[13D19145-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
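The encrypted files above follow one naming scheme: the original name, then .id[<8-hex victim id>-<4 hex>], then the contact address in square brackets, then the extension (.Devos here). During incident response the first question is usually "how many files, for which victim id, and what were they called before". The following Python is an added example written for this report, not part of the sandbox output; it parses that scheme and inventories a list of paths. The contact address shown in the report was obfuscated by extraction, so the constructed sample paths use a placeholder address (an assumption), and the function names are this example's own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme observed in this report:
#   <original name>.id[<8 hex victim id>-<4 hex>].[<contact address>].<extension>
# The contact address was obfuscated during extraction of this page, so the
# constructed samples below use a placeholder address (an assumption).
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<suffix>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(path):
    """Return a dict describing a Phobos-style encrypted filename, or None.

    Only the final path component is inspected, so directories with
    non-ASCII names (as in this report) are handled like any other.
    """
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME.match(p.name)
    if not m:
        return None
    info = m.groupdict()
    info["original_path"] = str(p.with_name(info["original"]))
    return info


def inventory(paths):
    """Summarise a list of paths: how many carry the encrypted-name suffix,
    grouped by (victim id, extension), plus the recovered original paths."""
    parsed = [x for x in map(parse_encrypted_name, paths) if x]
    return {
        "encrypted": len(parsed),
        "untouched": len(paths) - len(parsed),
        "by_victim": dict(Counter((x["victim_id"], x["ext"]) for x in parsed)),
        "originals": [x["original_path"] for x in parsed],
    }


# Constructed sample modelled on the file events above; the contact address
# is a placeholder, not the one used by this sample.
SAMPLE_PATHS = [
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.id[13D19145-3327].[contact@example.invalid].Devos",
    r"C:\Program Files\Java\jre-1.8\bin\deploy.dll.id[13D19145-3327].[contact@example.invalid].Devos",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll",
    r"C:\Users\Admin\Desktop\info.hta",
]

if __name__ == "__main__":
    summary = inventory(SAMPLE_PATHS)
    print(f"{summary['encrypted']} encrypted, {summary['untouched']} untouched")
    for key, n in summary["by_victim"].items():
        print(f"victim id {key[0]}, extension .{key[1]}: {n} files")
    for original in summary["originals"]:
        print("restore target:", original)
```

Grouping by (victim id, extension) matters when more than one affiliate or more than one run has touched a share: different ids mean different keys, so the files cannot be handled as one batch. The recovered original paths are what a restore-from-backup job needs; the encrypted copies themselves are not decryptable from the name.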

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1628 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1612 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1612 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1628 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1628 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1612 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1612 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1612 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1612 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1612 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1612 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1612 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1612 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3940 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3940 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1628 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1628 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1628 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1628 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1628 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1628 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 184.28.176.98:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 98.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[13D19145-3327].[[email protected]].Devos

MD5 ba62a1f7914f08dd6bc4e3f7782958dd
SHA1 b2d55cba4112730578065415a9b7e976f78d1200
SHA256 b120cedd8363afaf17e1d13e9a0fb70e0b1cf428b29f538f5d02792a8e37d0aa
SHA512 378cb6a27f8f1a6cbf49dba0cec2a1fad2375a67d9e12059a32c0dddf48aff8206caf72d0b50d5b463a9095112dc437a2d8ac35b4983ec2ea0db74b437dd193a

C:\info.hta

MD5 196b936d7468080574dbcd35607af3eb
SHA1 0ac29975aba29fe5d6a31ccf53d8ed5f7c15609f
SHA256 14b4a93675ddea9938b58645421c75e8d41913fc4593363a7dad0b8a0d82d2bd
SHA512 5208446847620d12cba83020fba8a14c6bc39a2f03dc25e65b61a2a5ff7c7459818cda18aafc1659d962bfb2068756a473c4bc817ed014d4725f246b44b97a0b

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 16:05

Reported

2024-07-04 16:08

Platform

win7-20240220-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 f2e5cfb8f498639baf77b6a55fb9325e
SHA1 dad7f1b0d38a1142c50c629555289daf678cc5a6
SHA256 51fadba4debb9030662f2593ede938f175656208aaa30c9b214fa580114613e0
SHA512 80689f12aeefaf5452515a4ad3525ce6e85fb4fa4e0f3c0f2e41f8ca37235a4188711871e3b5fd4e67b95b53d99ed447b8603edd35f9c74b12f0ae0f63eb634c

memory/1732-70-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 16:05

Reported

2024-07-04 16:08

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
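The "Drops file in Program Files directory" tables above (here and in the earlier analysis) are the file-infector half of this sample: every listed .exe is opened for modification by the dropped svchost.exe. Neshta is documented as a prepending infector, so an infected host executable consists of the virus body followed by the original program. The script below is an added example, not part of the sandbox report or any vendor tool; it implements the generic triage check for that layout: parse the first PE image, find where its last raw section ends, and report a hit only if a complete second MZ/PE image starts exactly there. Function names and the minimal PE images it builds for demonstration are constructed here and are not real binaries.

```python
"""Look for a second PE image appended after the first image's last raw section.

Added example, not from the sandbox report or any vendor tool. Neshta is a
prepending file infector: an infected executable starts with the virus body and
the original host follows it, so for the Program Files binaries the report lists
the triage question is "does a valid MZ/PE header begin exactly where the first
image's raw sections end?". The PE images built here are constructed test data.
"""
import struct


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def pe_raw_end(data, base=0):
    """Offset just past the last raw section of the PE starting at `base`,
    or None when there is no parsable MZ/PE header there."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    pe = base + _u32(data, base + 0x3C)          # e_lfanew is relative to the image
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect = _u16(data, pe + 6)                    # NumberOfSections
    opt_size = _u16(data, pe + 20)                # SizeOfOptionalHeader
    first_sect = pe + 24 + opt_size
    end = first_sect + nsect * 40                 # at least the headers themselves
    for i in range(nsect):
        s = first_sect + i * 40
        if s + 40 > len(data):
            return None
        raw_size = _u32(data, s + 16)             # SizeOfRawData
        raw_ptr = _u32(data, s + 20)              # PointerToRawData
        end = max(end, base + raw_ptr + raw_size)
    return end


def find_embedded_pe(data):
    """Offset of a complete second PE image in the overlay, else None.

    Plain overlays (installer payloads, Authenticode padding) do not start
    with a parsable MZ/PE pair, so they are not reported."""
    end = pe_raw_end(data)
    if end is None or end >= len(data):
        return None
    inner_end = pe_raw_end(data, end)
    return end if inner_end is not None and inner_end <= len(data) else None


def carve_host(data):
    """Return the appended original executable for comparison, or None."""
    off = find_embedded_pe(data)
    return None if off is None else data[off:]


def build_min_pe(marker, section_size=0x200):
    """Constructed one-section PE32 image (test data only, not a real binary)."""
    e_lfanew = 0x40
    opt = bytes(0xE0)                             # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    headers_len = e_lfanew + 4 + len(coff) + len(opt) + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF       # FileAlignment 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", section_size, 0x1000, section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    img = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return img + marker.ljust(section_size, b"\0")


if __name__ == "__main__":
    host, virus = build_min_pe(b"HOST"), build_min_pe(b"VIRUS")
    infected = virus + host
    print("clean host:", find_embedded_pe(host))            # None
    print("infected:", hex(find_embedded_pe(infected)))      # 0x400
    print("carved == host:", carve_host(infected) == host)   # True
```

Treat a hit as a triage lead, not a verdict: self-extracting archives and some installers legitimately carry a PE in their overlay. Confirm by hashing the carved host against a known-good copy of the same binary (or against the hashes the report's Files section gives for the modified files), and reinstall rather than carve when a clean copy is available.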

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
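The exefile handler rewrite shown in the "Modifies registry class" tables of both behavioral analyses and in the "Modifies system executable filetype association" signature is what keeps the infection alive: with the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command set to C:\Windows\svchost.com "%1" %*, every .exe the user launches is routed through the dropped svchost.com first. The script below is an added example, not part of the sandbox report. It parses rows in the report's own "Set value" format, undoes the sandbox's escaping of the value, and flags any handler other than the Windows default "%1" %*; on a Windows host it also reads the live key from both HKLM and HKCU, because a per-user Classes entry overrides the machine one. The first sample row copies the report's indicator; the second is a constructed benign control. All function names are this example's own.

```python
"""Flag hijacks of the .exe file-type handler (Classes\\exefile\\shell\\open\\command)
in sandbox registry rows and, on Windows, in the live registry.

Added example, not part of the sandbox report. The first sample row copies the
report's indicator; the second is a constructed benign control.
"""
import re
import sys

# Value Windows ships for exefile\shell\open\command: run the file, pass its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

SAMPLE_ROWS = [
    # copied from the report (path as shown there)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
    # constructed control: a benign write of the default value
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A',
]

_ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+) (\S+)$')


def parse_set_value_row(row):
    """Parse one 'Set value (type) key = "value" process target' row, or return None."""
    m = _ROW_RE.match(row)
    if not m:
        return None
    vtype, key, raw_value, process, target = m.groups()
    # The sandbox escapes backslashes and quotes inside the value; undo that.
    value = re.sub(r"\\(.)", r"\1", raw_value)
    return {"type": vtype, "key": key, "value": value, "process": process, "target": target}


def is_exefile_command_key(key):
    """True for the (machine or user) Classes\\exefile\\shell\\open\\command key."""
    return key.lower().rstrip("\\").endswith(r"classes\exefile\shell\open\command")


def classify_exefile_command(command):
    """Verdict for a resolved handler value: which program now fronts every .exe launch."""
    cmd = command.strip()
    if cmd == CLEAN_EXEFILE_COMMAND:
        return {"hijacked": False, "handler": None}
    # Everything before "%1" is the program that every .exe launch is routed through.
    handler = cmd.split('"%1"', 1)[0].strip().strip('"')
    return {"hijacked": True, "handler": handler or cmd}


def scan_rows(rows):
    """Return one finding per exefile handler write, in row order."""
    findings = []
    for row in rows:
        rec = parse_set_value_row(row)
        if rec is None or not is_exefile_command_key(rec["key"]):
            continue
        verdict = classify_exefile_command(rec["value"])
        findings.append({**verdict, "value": rec["value"], "process": rec["process"]})
    return findings


def live_exefile_commands():
    """Windows only: read the live default value from HKLM and HKCU.

    HKCU\\Software\\Classes overrides HKLM in the merged HKCR view, so a clean
    machine key does not prove the current user's .exe launches are clean.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    subkey = r"SOFTWARE\Classes\exefile\shell\open\command"
    out = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, subkey) as k:
                out[name] = classify_exefile_command(winreg.QueryValueEx(k, "")[0])
        except OSError:
            continue  # key absent in this hive
    return out


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(("HIJACKED" if f["hijacked"] else "clean"), f["process"], "->", f["value"])
    for hive, verdict in live_exefile_commands().items():
        print(hive, verdict)
```

Restoring the default value alone is not a clean-up: C:\Windows\svchost.com and every infected executable in Program Files remain, and any of them re-establishes the handler when run. Fix the value last, after the dropped file is removed and the modified binaries are replaced.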

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
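The Network table above records only reverse (PTR) lookups sent to 8.8.8.8, with no process attribution. Before any of these addresses is used as an indicator, the in-addr.arpa names have to be turned back into addresses and clustered, and the analyst has to ask whether the sample or the sandbox OS issued the query: reverse lookups of addresses the host was already talking to are routine background traffic in a detonation environment. The script below is an added example, not part of the sandbox report; the rows are copied from the table above, the decoding and grouping are this example's own.

```python
"""Reverse the PTR queries in the report's Network table back to IP addresses.

Added example, not part of the sandbox report. The rows are copied from the
behavioral4 Network table; the decoding and grouping are added here.
"""
import ipaddress
import re

NETWORK_ROWS = [
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp",
    "US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
    "US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp",
    "US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp",
]

_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> IPv4Address('20.49.150.241'); None if not a PTR name."""
    m = _PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(m.groups())))
    except ValueError:            # an octet above 255
        return None


def parse_network_rows(rows):
    """Parse 'Country Destination Domain Proto' rows; malformed rows are skipped."""
    records = []
    for row in rows:
        parts = row.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        resolver, sep, port = dest.rpartition(":")
        if not sep:               # destination without a port
            resolver, port = dest, None
        records.append({"country": country, "resolver": resolver,
                        "port": int(port) if port else None,
                        "query": domain, "proto": proto, "ip": ptr_to_ip(domain)})
    return records


def group_by_prefix(records, prefixlen=16):
    """Count decoded addresses per /prefixlen so address clusters stand out."""
    counts = {}
    for r in records:
        if r["ip"] is None:
            continue
        net = str(ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_network_rows(NETWORK_ROWS)
    for r in recs:
        print(r["query"], "->", r["ip"], "via", r["resolver"])
    print(group_by_prefix(recs, 8))
```

The decoded addresses only become a sample indicator once the same address appears in a connection attributed to the sample's process (the Processes section lists just svchost.exe here, and no TCP/UDP flows to these addresses are recorded), so on this evidence they belong in the "environment noise" column, not in a blocklist.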

Files

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 2701f5f07f9c3bd97f752b93e11224a6
SHA1 19e11632c430f6db218be7d54719e7d16005703f
SHA256 15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99
SHA512 121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

memory/4196-88-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4196-89-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4196-91-0x0000000000400000-0x000000000041B000-memory.dmp