Malware Analysis Report

2024-09-11 01:01

Sample ID 240705-xxrjeatdmn
Target c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6.zip
SHA256 c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
Tags
neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6

Threat Level: Known bad

The file c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6.zip was found to be: Known bad.

Malicious Activity Summary

neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Neshta family

Detect Neshta payload

Neshta

Renames multiple (313) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (514) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Modifies system executable filetype association

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Interacts with shadow copies

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-05 19:14

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A (1 hit; static rule match, so no indicator, process or target applies)

Neshta family

neshta

Neshta is a file-infecting virus that prepends itself to .exe files. A Neshta detection on a ransomware sample therefore means the executable itself carries a Neshta infection; it is not by itself evidence of a second, deliberately bundled payload.

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 hits; static rule match, file names not recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 19:14

Reported

2024-07-05 19:16

Platform

win7-20240704-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A (4 identical rows; the bcdedit.exe arguments were not recorded)

Renames multiple (313) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A (2 identical rows; the wbadmin.exe arguments were not recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A (2 identical rows; the netsh.exe arguments were not recorded)

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U42VY3XA\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SX809FAK\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management\jmxremote.password.template C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\security\javafx.policy.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_underline.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMCCore.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.DLL C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right_over.gif.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.SYX.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SUMER_01.MID C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_on.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
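The Startup-folder table, the Run-key table and the Program Files table above all share one layout ("<description> <indicator> <process> <target>") and one naming pattern for encrypted files: the original name followed by .id[<8 hex victim id>-<4 digits>].[<contact>].<extension>. The following is an added example, not code from the report or from the sandbox that produced it: a Python triage helper that parses rows in this layout, pulls the victim ID, the four-digit field, the contact and the extension out of every "File created" row that matches the Phobos pattern, counts encrypted files per top-level directory, and separates out the two persistence mechanisms (the Startup-folder copy of fast.exe and the HKCU/HKLM Run values). The sample rows are copied verbatim from the tables above; the contact address appears in the report in redacted form ([email protected]) and is kept exactly as shown. All function and class names (parse_row, path_root, triage, Triage) are mine.

```python
"""Triage Phobos-style sandbox rows: encryption markers and persistence (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Phobos filename: <original>.id[<8 hex victim id>-<4 digit field>].[<contact>].<ext>
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<sub_id>\d{4})\]"
    r"\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# One report row. The process column is a space-free drive path and the target
# column is N/A in every row of this report, which makes the split unambiguous
# even though the indicator may contain spaces ("Program Files (x86)").
EVENT_ROW = re.compile(
    r"^(?P<desc>File created|File opened for modification|Set value \(str\))\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\\S+)\s+N/A$"
)
# Run-key indicator as printed by the sandbox: <key>\<name> = "<target with \\ escapes>"
RUN_VALUE = re.compile(
    r'^(?P<hive>\\REGISTRY\\(?:USER|MACHINE))\\.*\\CurrentVersion\\Run\\'
    r'(?P<name>[^=]+?)\s*=\s*"(?P<target>.*)"$'
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Triage:
    victim_ids: Counter = field(default_factory=Counter)
    sub_ids: Counter = field(default_factory=Counter)
    extensions: Counter = field(default_factory=Counter)
    contacts: Counter = field(default_factory=Counter)
    encrypted_roots: Counter = field(default_factory=Counter)  # files encrypted per root dir
    persistence: list = field(default_factory=list)            # ("startup_copy", ...) / ("run_key", ...)
    processes: Counter = field(default_factory=Counter)        # which process produced the rows


def parse_row(line: str) -> Optional[dict]:
    """Split one report row into desc / indicator / process, or None if it is not a row."""
    m = EVENT_ROW.match(line.strip())
    return m.groupdict() if m else None


def path_root(path: str) -> str:
    """C:\\Users\\Admin\\... -> C:\\Users\\Admin; C:\\Program Files\\... -> C:\\Program Files."""
    if path.startswith("\\??\\"):          # NT object-manager prefix seen on some rows
        path = path[4:]
    parts = path.split("\\")
    depth = 3 if len(parts) > 2 and parts[1].lower() == "users" else 2
    return "\\".join(parts[:depth])


def triage(lines) -> Triage:
    t = Triage()
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        t.processes[row["process"]] += 1
        ind = row["indicator"]
        enc = PHOBOS_NAME.match(ind)
        if row["desc"] == "File created" and enc:
            t.victim_ids[enc["victim"]] += 1
            t.sub_ids[enc["sub_id"]] += 1
            t.extensions[enc["ext"]] += 1
            t.contacts[enc["contact"]] += 1
            t.encrypted_roots[path_root(enc["orig"])] += 1
        elif row["desc"] == "File created" and STARTUP_DIR in ind.lower():
            t.persistence.append(("startup_copy", ind))
        elif row["desc"] == "Set value (str)":
            rv = RUN_VALUE.match(ind)
            if rv:
                target = rv["target"].replace("\\\\", "\\")  # undo the sandbox's escaping
                t.persistence.append(("run_key", rv["hive"], rv["name"], target))
    return t


# Sample input: rows copied verbatim from the report tables above (contact is redacted there).
SAMPLE_EVENTS = [
    r"File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A',
    r"File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r"File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.id[06EC36A5-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A",
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("victim ids:", dict(result.victim_ids), "extensions:", dict(result.extensions))
    print("encrypted per root:", dict(result.encrypted_roots))
    for entry in result.persistence:
        print("persistence:", entry)
```

On a full report export the victim ID and extension counters collapse to one value each; two victim IDs or two extensions in one run is the signal to look for a second sample or an infected dropper. The "File opened for modification" rows are counted only towards the process column, because on this report they are the in-place writes that precede the rename and carry no naming information of their own.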

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
(Each row occurs twice, once per netsh.exe invocation. netsh.exe reads this key at startup to locate its helper DLLs, and no write to the key is recorded, so these rows reflect normal netsh start-up during the firewall change rather than helper DLL persistence by the sample.)

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A (2 identical rows; the vssadmin.exe arguments were not recorded)
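The four signatures above (bcdedit, wbadmin, netsh, vssadmin) are recorded here without their command lines, so a detection that keys only on argument strings would see nothing in this report. The following is an added example, not code from the report or from the sandbox: a small Python scorer over a detonation's process list that credits the destructive argument forms when they are present and falls back to image-name co-occurrence when arguments are missing, and that only raises a verdict once two distinct techniques are seen, so a lone "vssadmin list shadows" does not fire. The argument patterns and the benign and with-arguments sample lists are constructed from commonly documented forms, not taken from this report; the REPORT_PROCESSES list reproduces the image paths and row counts of the tables above. All names (INHIBIT_RULES, Verdict, score_processes, basename) are mine.

```python
"""Score a process list for backup/recovery inhibition (added example, not report code)."""
import re
from dataclasses import dataclass, field

# (image basename, regex over the argument string, technique label).
# Argument patterns are the commonly documented destructive forms (constructed).
INHIBIT_RULES = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I), "shadow copy deletion"),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I), "shadow copy deletion"),
    ("wbadmin.exe", re.compile(r"delete\s+catalog", re.I), "backup catalog deletion"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no|ignoreallfailures", re.I), "boot recovery disabled"),
    ("netsh.exe", re.compile(r"advfirewall|firewall\s+set", re.I), "firewall modification"),
]
IMAGE_ONLY_WEIGHT = 1    # image seen but arguments unknown (this report's situation)
ARGS_MATCH_WEIGHT = 3    # arguments confirm the destructive form
VERDICT_MIN_LABELS = 2   # distinct techniques required before calling it inhibition


@dataclass
class Verdict:
    score: int = 0
    labels: set = field(default_factory=set)
    evidence: list = field(default_factory=list)   # (image, args, label, weight)

    @property
    def inhibition_likely(self) -> bool:
        return len(self.labels) >= VERDICT_MIN_LABELS


def basename(image: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_processes(events) -> Verdict:
    """events: iterable of (image_path, argument_string_or_None)."""
    v = Verdict()
    for image, args in events:
        name = basename(image)
        for rule_image, pattern, label in INHIBIT_RULES:
            if name != rule_image:
                continue
            if args is None:
                weight = IMAGE_ONLY_WEIGHT          # unknown arguments: count the image only
            elif pattern.search(args):
                weight = ARGS_MATCH_WEIGHT          # known destructive form
            else:
                weight = 0                          # e.g. "vssadmin list shadows": benign use
            if weight:
                v.score += weight
                v.labels.add(label)
                v.evidence.append((name, args, label, weight))
    return v


# Image paths and row counts as recorded in the report above; arguments were not captured.
REPORT_PROCESSES = (
    [(r"C:\Windows\system32\bcdedit.exe", None)] * 4
    + [(r"C:\Windows\system32\wbadmin.exe", None)] * 2
    + [(r"C:\Windows\system32\netsh.exe", None)] * 2
    + [(r"C:\Windows\system32\vssadmin.exe", None)] * 2
)
# Constructed benign administrator session, for contrast.
BENIGN_PROCESSES = [
    (r"C:\Windows\system32\vssadmin.exe", "list shadows"),
    (r"C:\Windows\system32\netsh.exe", "interface show interface"),
]
# Constructed: the documented destructive argument forms, with arguments present.
ARMED_PROCESSES = [
    (r"C:\Windows\system32\vssadmin.exe", "delete shadows /all /quiet"),
    (r"C:\Windows\system32\bcdedit.exe", "/set {default} recoveryenabled no"),
    (r"C:\Windows\system32\wbadmin.exe", "delete catalog -quiet"),
]

if __name__ == "__main__":
    for title, events in (("report", REPORT_PROCESSES), ("benign", BENIGN_PROCESSES), ("armed", ARMED_PROCESSES)):
        v = score_processes(events)
        print(f"{title}: score={v.score} labels={sorted(v.labels)} inhibition={v.inhibition_likely}")
```

With the report's process list the scorer reaches four distinct labels on image names alone, which is the point: when a sandbox or EDR drops the arguments, the co-occurrence of these four binaries in one detonation is still enough to raise the verdict, while the same binaries used one at a time with benign arguments score nothing.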

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A (4 identical rows; the process is mshta.exe, not fast.exe, and the mshta.exe command line is not recorded in this analysis)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A (64 identical rows; the sandbox recorded no description, indicator or target for the enumeration)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
(The 20 WMIC.exe rows appear twice in the report in the same order, i.e. two WMIC.exe invocations. The sandbox did not resolve the last three privileges to names; LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Taken together the WMIC list is the full set of privileges in an elevated administrator token, enabled in ascending LUID order, which is what WMIC does at start-up; the notable rows are the sample's own SeDebugPrivilege and the SeBackup/SeRestore adjustments in vssvc.exe, the Volume Shadow Copy service that the shadow-copy requests above are serviced by.)
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2856 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2856 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2856 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2856 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2856 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2856 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2884 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2884 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2884 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2884 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2348 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1528 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1528 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1528 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1528 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1528 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 421dde48d725478af6cd1d58f001ddae
SHA1 e45b59d8df2f876cb22556d703e198002332a18d
SHA256 1e1f14240e53306ad8f9d8e9e0964d842e953b909515c840c76e02cb2feff50b
SHA512 6acdda69d9da3d744739da6e3dd260a1dc0880076ee1aca8e50b487a361fe9946eb8da9de2c723262102be817787f8b05f06a1d4f05952b39ca0cf030c2169b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 19:14

Reported

2024-07-05 19:16

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (514) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\tzdb.dat C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlMiddleCircleHover.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info2x.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\msvcp140_app.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\beep C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\EmbeddedBrowserWebView.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sunglasses.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-CN.pak.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\LICENSE.DATA.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_is.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_cancel_18.svg.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ja.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\osfintlimm.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-64.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ko_135x40.svg.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.id[D4215A17-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
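The renamed files above all follow one layout, original name plus `.id[<victim id>].[<contact>].<extension>`, which is what an analyst pulls out of a file listing to identify the Phobos variant and the victim id. The parser below is an added example for this report, not sandbox or malware code; the contact address in this report is obfuscated by the page extraction, so the constructed listing uses the placeholder attacker@example.invalid, and the second victim id is invented.

```python
"""Parse Phobos-style encrypted file names and summarise them for triage.

Added example for this report; it is not sandbox or malware code. The
name layout is taken from the table above:
    <original name>.id[<victim id>].[<contact>].<extension>
The contact address in this report is obfuscated by the page extraction,
so the constructed input below uses the placeholder attacker@example.invalid.
"""
import ntpath
import re
from collections import Counter

# In this report the victim id is 8 hex digits, a dash and 4 decimal digits
# (D4215A17-3327) and the trailing extension is the variant marker (Devos).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)


def parse_phobos_name(path):
    """Return the fields of a Phobos-renamed file, or None if the name does not match.

    Only the final path component is matched (ntpath splits on backslashes
    on any OS), so dotted directory names such as Application\\110.0.5481.104
    cannot confuse the non-greedy <original> group.
    """
    directory, name = ntpath.split(path)
    m = PHOBOS_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["original_path"] = ntpath.join(directory, fields.pop("original"))
    return fields


def summarize(paths):
    """Aggregate a file listing into the indicators an analyst would report."""
    result = {
        "encrypted": 0,
        "victim_ids": Counter(),   # distinct per infected host in practice
        "contacts": Counter(),
        "extensions": Counter(),
        "originals": [],           # names to expect back after decryption
        "unmatched": [],
    }
    for path in paths:
        parsed = parse_phobos_name(path)
        if parsed is None:
            result["unmatched"].append(path)
            continue
        result["encrypted"] += 1
        result["victim_ids"][parsed["victim_id"]] += 1
        result["contacts"][parsed["contact"]] += 1
        result["extensions"][parsed["extension"]] += 1
        result["originals"].append(parsed["original_path"])
    return result


# Constructed listing: three names from the table above (placeholder contact),
# one invented name from a second host carrying the same 4-digit suffix, and
# two files this run touched but did not rename.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[D4215A17-3327].[attacker@example.invalid].Devos",
    r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-CN.pak.id[D4215A17-3327].[attacker@example.invalid].Devos",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.id[D4215A17-3327].[attacker@example.invalid].Devos",
    r"C:\Users\Admin\Documents\budget.xlsx.id[0A1B2C3D-3327].[attacker@example.invalid].Devos",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll",
    r"C:\info.hta",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print(f"{s['encrypted']} encrypted, {len(s['unmatched'])} untouched")
    for key in ("victim_ids", "contacts", "extensions"):
        print(key, dict(s[key]))
    for original in s["originals"]:
        print("  restore target:", original)
```

Run it over a directory walk of an affected share and the victim id, contact and extension counters are the fields to quote in the incident record; the unmatched list shows which files were opened but never renamed (the "File opened for modification" rows above).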

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Note: every row below is a read (open, query, enumerate) of HKLM\SOFTWARE\Microsoft\NetSh by netsh.exe itself, which is how netsh locates its helper DLLs each time it starts. The sample launched netsh.exe to turn the firewall off (see the process list), and the report records no value written under this key, so there is no evidence here that the sample registered a helper DLL for persistence.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Note: these reads are made by vds.exe, the Windows Virtual Disk Service (started through vdsldr.exe -Embedding, listed in the process tree next to wbengine.exe), not by the sample. The "QEMU DVD-ROM" product string identifies the hypervisor of the analysis VM.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
(64 identical entries; the sandbox records no indicator for this signature)

Suspicious use of AdjustPrivilegeToken

Note: fast.exe itself enables only SeDebugPrivilege. The long runs under WMIC.exe, vssvc.exe and wbengine.exe are those Windows binaries enabling their own privileges after being started by the wmic shadowcopy delete, vssadmin delete shadows and wbadmin delete catalog commands (WMIC.exe enables every privilege available to its token on start); they do not show the sample escalating. Entries 33 to 36 are privilege LUIDs the sandbox did not map to names; in winnt.h they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Note: each row is a parent writing into a child it has just created (the sandbox logs the write that accompanies process creation, hence the repeated rows), so the table doubles as the process tree for this run:
fast.exe (2920)
  cmd.exe (4440): netsh.exe (2100), netsh.exe (3792), the two firewall commands
  cmd.exe (3996): vssadmin.exe (2916), WMIC.exe (1120), bcdedit.exe (2400, 3032), wbadmin.exe (1508)
  mshta.exe (4428, 5004, 3080, 4204): one per info.hta location
  cmd.exe (4448): vssadmin.exe (644), WMIC.exe (4772), bcdedit.exe (376, 1824), wbadmin.exe (1916), a second pass of the same recovery-deletion commands
Description Indicator Process Target
PID 2920 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4440 wrote to memory of 2100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3996 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3996 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4440 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4440 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3996 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3996 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3996 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3996 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3996 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3996 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3996 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3996 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2920 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2920 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4448 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4448 wrote to memory of 644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4448 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4448 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4448 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4448 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4448 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4448 wrote to memory of 1824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4448 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4448 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
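The command lines above are the recovery-inhibition chain (shadow copy deletion, boot recovery disabled, backup catalog deleted, firewall off, ransom note via mshta) that detection engineers key on. The script below is an added example for this report, not Triage or Phobos code: it runs rules over constructed process-creation events in the shape of Sysmon Event ID 1 fields (pid, parent pid, image, command line), attributes each hit to the root of its process tree, and only raises the ransomware verdict when more than one distinct T1490 command comes from the same tree. Command lines and PIDs are copied from this report (the pairing of PIDs to the two netsh and two bcdedit commands is assumed from ordering); the benign administrator lines are invented. ATT&CK ids used: T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta.

```python
"""Flag the recovery-inhibition command chain recorded in the process list above.

Added example for this report (not Triage or Phobos code). Events are
constructed in the shape of Sysmon Event ID 1 fields; command lines and
PIDs come from this report, the benign lines are invented.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RootReport:
    """Findings attributed to one root process (the ancestor with no logged parent)."""
    root_image: str
    hits: list = field(default_factory=list)  # (pid, technique, rule name)

    @property
    def techniques(self):
        return {tech for _, tech, _ in self.hits}

    @property
    def recovery_inhibition(self):
        # Two distinct T1490 commands from one tree is the threshold: a lone
        # "vssadmin delete shadows" also appears in legitimate backup scripts.
        return len({name for _, tech, name in self.hits if tech == "T1490"}) >= 2


# Case-insensitive, tolerant of full paths and of ".exe" being present or not.
RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004", "netsh advfirewall state off",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("T1562.004", "netsh legacy firewall opmode disable",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I)),
    ("T1218.005", "mshta running an .hta file",
     re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]


def analyze(events):
    """Return {root pid: RootReport} for every process tree with at least one hit."""
    by_pid = {e.pid: e for e in events}

    def root_of(e):
        seen = set()
        while e.ppid in by_pid and e.pid not in seen:  # seen guards PID reuse loops
            seen.add(e.pid)
            e = by_pid[e.ppid]
        return e

    reports = {}
    for e in events:
        for tech, name, rx in RULES:
            if rx.search(e.cmdline):
                root = root_of(e)
                reports.setdefault(root.pid, RootReport(root.image)).hits.append((e.pid, tech, name))
    return reports


FAST = r"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [
    Event(2920, 1, FAST, f'"{FAST}"'),
    Event(4440, 2920, CMD, f'"{CMD}"'),
    Event(2100, 4440, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    Event(3792, 4440, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    Event(3996, 2920, CMD, f'"{CMD}"'),
    Event(2916, 3996, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(1120, 3996, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Event(2400, 3996, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Event(3032, 3996, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Event(1508, 3996, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    Event(4428, 2920, r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'),
    # Invented benign administrator activity: must not fire.
    Event(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1001, 1000, CMD, f'"{CMD}"'),
    Event(1002, 1001, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
    Event(1003, 1001, r"C:\Windows\system32\netsh.exe", "netsh advfirewall show currentprofile"),
    Event(1004, 1001, r"C:\Windows\system32\bcdedit.exe", "bcdedit /enum"),
]

if __name__ == "__main__":
    for root_pid, report in analyze(SAMPLE_EVENTS).items():
        verdict = "RANSOMWARE RECOVERY INHIBITION" if report.recovery_inhibition else "review"
        print(f"{report.root_image} ({root_pid}): {verdict}, {sorted(report.techniques)}")
        for pid, tech, name in report.hits:
            print(f"  pid {pid}: {tech} {name}")
```

Attribution to the tree root is what separates this run from an administrator typing one of these commands: the verdict is tied to fast.exe (2920) even though every command was executed by cmd.exe children, and the invented explorer.exe tree produces no report at all.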

Network

Note: the only traffic is a lookup of and TLS connection to g.bing.com plus reverse-DNS (in-addr.arpa) queries, all via 8.8.8.8, and none of it is attributed to a sample process. This is Windows background activity, consistent with Phobos encrypting offline without a command-and-control server.
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

Note: the first entry is one of the renamed (encrypted) files; C:\info.hta is the ransom note that the mshta.exe commands above open from each location it was written to.

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[D4215A17-3327].[[email protected]].Devos

MD5 115531859f4c06a7fd53a29ad59b1ec1
SHA1 3a5e03c3aa9125b2be47a5561b382a39b4db455f
SHA256 098be12f3085fc89c5e28c24d92a53cc6499bcade7cfe9541995e5b73ad3add9
SHA512 5319560b6de47fa857e233e2255b0497efa3fa46c2d9cc14c4219d2a679985895a978e3648a6cd8c7b67eae3810ac0b023df8451087d3ae716dec69d96e2f8e5

C:\info.hta

MD5 62651da930f481482f1e5307defe1d6d
SHA1 6409f41f1dfda098bc100518c19773b2899a53ff
SHA256 4582058b1fc016c27c8a6d42056bcf44951c92c612beed8f466c6f94cd8b9127
SHA512 2ee4ca2afed8d6908f773fa320c03b5ce58d3073dd55c54245faa06337aa8a9b35777482e292043484168c9d7dee22b8596803bd8f138b8b37c79ee6f705b901

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-05 19:14

Reported

2024-07-05 19:16

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"
(新建文件夹 is Chinese for "New Folder". This is the Neshta component of the archive, named after the Windows service host but running from a temp directory.)

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Note: this rewrites the HKLM exefile open handler so that every .exe launch goes through C:\Windows\svchost.com (the copy of Neshta dropped under "Drops file in Windows directory" below), which then runs the requested program. The same write is listed again under "Modifies registry class".
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Note: the sandbox label is generic; every target below is an existing .exe opened for writing through its 8.3 short path, which is Neshta infecting host executables (it prepends its own body to them) rather than dropping new files. Office, Google Update, Adobe, VC redistributable and Windows Media Player executables are all candidates.
Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 f2e5cfb8f498639baf77b6a55fb9325e
SHA1 dad7f1b0d38a1142c50c629555289daf678cc5a6
SHA256 51fadba4debb9030662f2593ede938f175656208aaa30c9b214fa580114613e0
SHA512 80689f12aeefaf5452515a4ad3525ce6e85fb4fa4e0f3c0f2e41f8ca37235a4188711871e3b5fd4e67b95b53d99ed447b8603edd35f9c74b12f0ae0f63eb634c

memory/2408-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2408-71-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-05 19:14

Reported

2024-07-05 19:16

Platform

win10v2004-20240508-en

Max time kernel

42s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
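
The registry row above is the security-relevant finding in both the behavioral3 and behavioral4 runs: the default exefile open command is "%1" %* (run the requested program with its arguments), and the sample replaces it with C:\Windows\svchost.com "%1" %*, so every .exe a user launches first runs the dropped svchost.com, which receives the real program path as its argument. The following is an added example, not code from the report or from the sandbox vendor. It parses indicator rows in the whitespace-separated "Description Indicator Process Target" form the report uses (the sample rows are copied from the tables above), decodes the printed registry value, decides whether the exefile association has an interposed executable in front of %1, and cross-checks that the interposer is the same file the run dropped under C:\Windows. Function and field names are the author's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator rows copied from the report tables above. The registry value is
# printed the way the sandbox prints it: outer quotes, doubled backslashes,
# inner quotes escaped with a backslash.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
    r'File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
    r'File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
    r'File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
    r'File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A',
]

# Row shapes: the registry value may contain spaces, the paths on this page do not.
REG_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\S*) = (?P<value>.+?) (?P<process>\S+) (?P<target>\S+)$'
)
FILE_ROW = re.compile(r'^File opened for modification (?P<path>\S+) (?P<process>\S+) (?P<target>\S+)$')

DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # clean Windows default for exefile\shell\open\command


def decode_reg_string(printed: str) -> str:
    """Undo the report's quoting: strip the outer quotes, then unescape \\ and \"."""
    if len(printed) >= 2 and printed[0] == printed[-1] == '"':
        printed = printed[1:-1]
    return re.sub(r'\\(.)', r'\1', printed)


def split_command(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace outside double quotes, dropping the quotes."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify_exefile_command(value: str) -> tuple[bool, str | None]:
    """Return (hijacked, interposer).

    In the clean default the first token is %1, i.e. the program the user asked
    for. Any other first token is a program that runs instead and is handed the
    real target as an argument, which is exactly the shape of the row above."""
    tokens = split_command(value)
    if not tokens or tokens[0] == '%1':
        return False, None
    return True, tokens[0]


@dataclass
class NeshtaFindings:
    hijacked: bool = False
    interposer: str | None = None
    registry_key: str | None = None
    interposer_dropped: bool = False
    dropped_in_windows: list[str] = field(default_factory=list)
    modified_executables: list[str] = field(default_factory=list)


def analyze_rows(rows: list[str]) -> NeshtaFindings:
    """Correlate the exefile hijack with the files the same run wrote."""
    f = NeshtaFindings()
    for row in rows:
        m = REG_ROW.match(row)
        if m and m.group('key').lower().rstrip('\\').endswith(r'\classes\exefile\shell\open\command'):
            # \REGISTRY\MACHINE\ is the kernel name for HKLM.
            f.registry_key = m.group('key').replace('\\REGISTRY\\MACHINE\\', 'HKLM\\').rstrip('\\')
            f.hijacked, f.interposer = classify_exefile_command(decode_reg_string(m.group('value')))
            continue
        m = FILE_ROW.match(row)
        if m:
            path = m.group('path')
            if path.lower().startswith('c:\\windows\\'):
                f.dropped_in_windows.append(path)
            elif path.lower().endswith('.exe'):
                f.modified_executables.append(path)
    if f.interposer:
        f.interposer_dropped = f.interposer.lower() in {p.lower() for p in f.dropped_in_windows}
    return f


if __name__ == "__main__":
    r = analyze_rows(SAMPLE_ROWS)
    print(f"exefile hijacked: {r.hijacked} via {r.interposer} ({r.registry_key})")
    print(f"interposer dropped by the same run: {r.interposer_dropped}")
    print(f"executables opened for modification: {len(r.modified_executables)}")
```

The same classification applies to a live host: read the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command and feed it to classify_exefile_command; anything other than "%1" %* deserves a look, and a first token under C:\Windows with a .com extension is the pattern this report shows. Restoring the value and deleting svchost.com removes the launch hook but does not undo what was done to the executables listed as opened for modification; treat those as infection candidates and replace them from known-good media rather than trusting them after the registry fix.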

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 2701f5f07f9c3bd97f752b93e11224a6
SHA1 19e11632c430f6db218be7d54719e7d16005703f
SHA256 15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99
SHA512 121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

memory/3760-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3760-87-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3760-89-0x0000000000400000-0x000000000041B000-memory.dmp