Malware Analysis Report

2024-09-11 01:00

Sample ID: 240706-cd9wessejr
Target: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
SHA256: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
Tags: neshta persistence spyware stealer phobos defense_evasion evasion execution impact privilege_escalation ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174

Threat Level: Known bad

The file bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174 was found to be: Known bad.

Malicious Activity Summary


Phobos

Detect Neshta payload

Neshta

Neshta family

Renames multiple (316) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (643) files with added filename extension

Deletes backup catalog

Modifies Windows Firewall

Checks computer location settings

Reads user/profile data of web browsers

Modifies system executable filetype association

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Interacts with shadow copies

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-06 01:58

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

Tags: neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-06 01:58
Reported: 2024-07-06 02:02
Platform: win7-20240705-en
Max time kernel: 16s
Max time network: 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

Tags: persistence spyware neshta

Modifies system executable filetype association

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 f2e5cfb8f498639baf77b6a55fb9325e
SHA1 dad7f1b0d38a1142c50c629555289daf678cc5a6
SHA256 51fadba4debb9030662f2593ede938f175656208aaa30c9b214fa580114613e0
SHA512 80689f12aeefaf5452515a4ad3525ce6e85fb4fa4e0f3c0f2e41f8ca37235a4188711871e3b5fd4e67b95b53d99ed447b8603edd35f9c74b12f0ae0f63eb634c

memory/2488-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2488-71-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-06 01:58
Reported: 2024-07-06 02:02
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

Tags: persistence spyware neshta

Modifies system executable filetype association

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 2701f5f07f9c3bd97f752b93e11224a6
SHA1 19e11632c430f6db218be7d54719e7d16005703f
SHA256 15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99
SHA512 121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

memory/3872-85-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3872-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3872-87-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3872-89-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-06 01:58
Reported: 2024-07-06 02:02
Platform: win7-20240705-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

Tags: ransomware phobos

Deletes shadow copies

Tags: ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

Tags: ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (316) files with added filename extension

Tags: ransomware

Deletes backup catalog

Tags: ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

Tags: evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72EHROQQ\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4QLC8FPK\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7JXML4U5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AWH2H80Y\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CNQY6MQU\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6089GTH\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00114_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.LEX C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\calendars.properties C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\BillingStatement.xltx.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_up.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewDblClick.js.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\[email protected][2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\chkrzm.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Black Tie.thmx.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\RedoImport.ram.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXC.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.id[2B90FA51-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
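The encrypted files listed above follow the Phobos naming convention: the original name is kept and `.id[<victim id>-<suffix>].[<contact address>].<extension>` is appended, here `.id[2B90FA51-3327].[...].Devos`. The Python below is an added example, not part of the sandbox report, that parses that suffix back into its parts and recovers the pre-encryption path, which is what a responder needs to scope which files were hit and whether a log set mixes more than one victim ID. The sample paths are taken from the table above, but the contact address inside the real filenames does not survive on this page, so the samples carry a placeholder (attacker@example.com); the hex widths in the pattern are assumed from the `2B90FA51-3327` identifier in this report.

```python
"""Parse Phobos-style appended extensions:
    <original name>.id[<8 hex>-<4 hex>].[<contact e-mail>].<ext>
Added example, not part of the sandbox report.  The e-mail in the real
filenames is not visible on the page, so SAMPLE_PATHS use a placeholder."""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Hex widths are an assumption taken from the 2B90FA51-3327 id in this report.
PHOBOS_RX = re.compile(
    r"^(?P<orig>.+?)\.id\[(?P<vid>[0-9A-Fa-f]{8})-(?P<tag>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\\/]+)\]\.(?P<ext>[^.\\/]+)$"
)


class PhobosName(NamedTuple):
    original: str   # filename as it was before encryption
    victim_id: str  # 8-hex identifier written into every encrypted name
    tag: str        # 4-hex suffix after the victim id
    email: str      # contact address embedded in the name
    ext: str        # appended extension ("Devos" in this report)


def parse_phobos_name(path: str) -> Optional[PhobosName]:
    """Return the components of an encrypted filename, or None when `path`
    does not carry the appended extension.  Only the basename is matched so
    dotted directory names (jdk1.7.0_80) cannot confuse the pattern."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PHOBOS_RX.match(base)
    if not m:
        return None
    return PhobosName(m["orig"], m["vid"], m["tag"], m["email"], m["ext"])


def original_path(path: str) -> str:
    """Strip the appended extension, giving the pre-encryption path;
    paths that were not renamed are returned unchanged."""
    parsed = parse_phobos_name(path)
    if parsed is None:
        return path
    parts = path.replace("/", "\\").rsplit("\\", 1)
    return parsed.original if len(parts) == 1 else parts[0] + "\\" + parsed.original


def summarize(paths):
    """Count renamed vs untouched files, collect the victim ids and contact
    addresses seen, and tally which original extensions were encrypted.
    A single victim id across a host's file list is the expected pattern;
    several ids usually mean logs from different hosts were merged."""
    parsed = [p for p in map(parse_phobos_name, paths) if p is not None]
    orig_ext = Counter(
        p.original.rsplit(".", 1)[1].lower() if "." in p.original else "<none>"
        for p in parsed
    )
    return {
        "encrypted": len(parsed),
        "untouched": len(paths) - len(parsed),
        "victim_ids": {p.victim_id for p in parsed},
        "emails": {p.email for p in parsed},
        "original_extensions": orig_ext,
    }


# Constructed from the report's file table; the e-mail is a placeholder.
SAMPLE_PATHS = [
    r"C:\Program Files\RedoImport.ram.id[2B90FA51-3327].[attacker@example.com].Devos",
    r"C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.id[2B90FA51-3327].[attacker@example.com].Devos",
    r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE.id[2B90FA51-3327].[attacker@example.com].Devos",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.id[2B90FA51-3327].[attacker@example.com].Devos",
    r"C:\Program Files\VideoLAN\VLC\README.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(parse_phobos_name(p) or f"not renamed: {p}")
    print(summarize(SAMPLE_PATHS))
```

Feeding the full "Files" table of a sandbox run (or a directory walk of an infected host) through `summarize` gives the encrypted/untouched split and the original extensions hit, and `original_path` produces the list of paths to restore from backup once shadow copies are gone.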

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Note: the rows below record netsh.exe reading its own helper registration key (HKLM\SOFTWARE\Microsoft\NetSh), which every netsh invocation does at start-up to load its helper DLLs; the report shows no write to that key, so this signature is a side effect of the two firewall-disabling netsh commands listed under Processes, not evidence that a helper DLL was installed for persistence.
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Note: the key creations below are performed by mshta.exe itself while it initialises the HTML host to render the info.hta ransom note listed under Processes; the sample's own action is launching mshta.exe, not changing browser settings.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2732 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2732 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2732 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2732 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2732 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2732 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2732 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2732 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2732 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2732 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2272 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 2272 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2272 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2976 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2976 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2976 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2976 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2976 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2976 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2976 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2976 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2976 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\info.hta

MD5 2ad1c05b76136f28b8adcfd2fa6cc7de
SHA1 c0938b7d9e507f2767cbba67054974a683225682
SHA256 49927a2ba7a5d25d1dd62d4c3fc52913dc7add1cdff0611091e239675eb02db4
SHA512 e69ef3a651bd718b47225c8bf5eda2fc50d4585a6922fb7e988c03d7c059049ef69d80c20aeaf0a9e4ffe08e49e69c798fad0a6516e554bc99100e131c8ebc4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:03

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (643) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-661257284-3186977026-4220467887-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-661257284-3186977026-4220467887-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\editpdf.svg C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.Preview.winmd C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionController.xbf C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashWideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_2_Loud.m4a C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadline.psm1 C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\segoeui_semibold.woff C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msadce.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Trust Protection Lists\Mu\Other C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\xjc.exe.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\e_sqlite3.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.id[2BD3A257-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.87\Trust Protection Lists\Sigma\Analytics C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 3216 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 1336 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3548 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3548 wrote to memory of 3704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1336 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1336 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1336 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1336 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3216 wrote to memory of 6052 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3216 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3216 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3216 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 3216 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4196 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4196 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4196 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4196 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=4468 /prefetch:8

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[2BD3A257-3327].[[email protected]].Devos

MD5 9f8e6b8edb138462bf22adce4f06dc16
SHA1 7e1c4144e4e6891249161019fb285af12934a83a
SHA256 a0fc83e7f90ecdc810d6908ee0bf1f6212332dcdb18c57e31c54404f3f02aaaa
SHA512 4b7cf07b22fa9d38a7cdc2747ac1f73cabb66daa50b5355d73e8a96166500116923ea0a03ae15107cfea588c887ad6412a8ac9379ed702ce2d6210bb716dffb2

C:\info.hta

MD5 e443b98efe6417a0cb2118ad3437226a
SHA1 c78c68e0d2b7ec56831e322866a62b7902d797bc
SHA256 f841950cb7e3e16d991696775196a97592bcc3b8d856cf45fcbd6683fc75d3f2
SHA512 231afade996582af64d2c7b1d0ae8898cecde4eaa61d218938df600097ce1e9b98ab64267cdf57cfcfd0374618db02b4723e6c7c91434e605cbc24f86fc510ee