Malware Analysis Report

2024-09-11 00:57

Sample ID 240705-b7snkasapc
Target c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6.zip
SHA256 c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
Tags
neshta persistence spyware stealer phobos defense_evasion evasion execution impact privilege_escalation ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6

Threat Level: Known bad

The file c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6.zip was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer phobos defense_evasion evasion execution impact privilege_escalation ransomware

Neshta

Phobos

Detect Neshta payload

Neshta family

Renames multiple (514) files with added filename extension

Renames multiple (319) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Modifies system executable filetype association

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-05 01:47

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-05 01:47

Reported

2024-07-05 06:25

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 2701f5f07f9c3bd97f752b93e11224a6
SHA1 19e11632c430f6db218be7d54719e7d16005703f
SHA256 15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99
SHA512 121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

memory/1616-85-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1616-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1616-87-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1616-89-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 01:47

Reported

2024-07-05 06:24

Platform

win7-20240704-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (319) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3CPCT0UC\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84790KOV\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF1SL0MP\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\penkor.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18225_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Niue C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6 C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR25F.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099182.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107482.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\IRIS.INF.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS4BOXES.POC.id[A57A2536-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2784 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2784 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2784 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2716 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2716 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2784 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2784 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2784 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2784 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2784 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2784 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2596 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2596 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2028 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2028 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2028 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2028 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2028 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2028 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2028 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2028 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2028 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2028 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 f1b8bfce95d9055491115a8d92f34e15
SHA1 239c1adff21e9d49c463defad878996645154ef6
SHA256 65b4a05ce8bb89e13515ece8485058aa7d3a3d37bd34034c93c464591a718301
SHA512 a9811f3ba2ed0166a909356152ead141caa380a5aa9d508f879b73ecd916c1517a8f1afd48263dea3e4564c95070f83a03275918e97ab86b646ac4cfdfe86ea5

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 01:47

Reported

2024-07-05 06:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (514) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons2x.png.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\MSFT_PackageManagement.strings.psd1.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\virgo-new-folder.svg C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pencht.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\manifest.json.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_bow.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_th.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\pt-br.txt.id[CCA719D7-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2948 wrote to memory of 4648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 876 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 876 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2948 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2948 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2948 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2948 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2948 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2948 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2948 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2948 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3256 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3256 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 304 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 304 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 304 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 304 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 304 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 304 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 304 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 304 wrote to memory of 4384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 304 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 304 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[CCA719D7-3327].[[email protected]].Devos

MD5 08fed47bd3f58ac6145834a8d7a557d6
SHA1 9ea8770efa80fb5b92983564621088fabf652a53
SHA256 32dd2b5b163d130acfa54971eeb2a1e0b28c6a7554eb03bec2a6bbea86286f93
SHA512 a09858b9dd4c14f0abca69450328e0f2ee54025516e7c689fc5533aa67f33cebd0689cccbc615b236ec5bce622b20210ec37ec5b9ddf48943925727bbacefd72

C:\info.hta

MD5 af3c16d7114bab76c9b5fa9acef2987c
SHA1 26531033fea6836d399949dab34cfd4e0ed0caf0
SHA256 25be458e956c6566b81fda605473347a2a6af1d526ef258c8128141201e1c7a4
SHA512 046c04779d7e6e51cd2f2c1ba2bd0d9ddea32203204168e6f91942af7a54ad4a553a0dc369e8dedf9ee6b2e4943fb7617b205649a823accdc41c6b5a8220ac57

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-05 01:47

Reported

2024-07-05 06:24

Platform

win7-20240704-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 f2e5cfb8f498639baf77b6a55fb9325e
SHA1 dad7f1b0d38a1142c50c629555289daf678cc5a6
SHA256 51fadba4debb9030662f2593ede938f175656208aaa30c9b214fa580114613e0
SHA512 80689f12aeefaf5452515a4ad3525ce6e85fb4fa4e0f3c0f2e41f8ca37235a4188711871e3b5fd4e67b95b53d99ed447b8603edd35f9c74b12f0ae0f63eb634c

memory/2060-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2060-71-0x0000000000400000-0x000000000041B000-memory.dmp