Malware Analysis Report

2024-09-11 00:56

Sample ID 240707-vbnjhsvgrp
Target Fast.exe
SHA256 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
Tags phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f

Threat Level: Known bad

The file Fast.exe was found to be: Known bad.

Malicious Activity Summary

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (235) files with added filename extension

Deletes shadow copies

Renames multiple (245) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-07-07 16:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-07 16:49

Reported 2024-07-07 17:01

Platform win7-20240705-en

Max time kernel 97s

Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (245) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Fast.exe | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Swift_Current.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR1B.GIF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\fr-FR\wmpnscfg.exe.mui | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Aspect.eftx | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL.IDX_DLL.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCOLKI.DLL.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXT | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Teal.css | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198234.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02371_.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEINTL.DLL.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hu.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\OpenUpdate.ADT.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099176.WMF.id[340E0446-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18198_.WMF | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
(64 identical rows; the sandbox logged the same process-enumeration event 64 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2292 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\Fast.exe | C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2980 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2980 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2884 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2884 wrote to memory of 1752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2980 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2980 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2980 wrote to memory of 2972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2980 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2980 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2980 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2980 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Fast.exe

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

C:\Users\Admin\AppData\Local\Temp\Fast.exe

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[340E0446-3483].[[email protected]].8base

MD5 4e6a3d1a10d894bf394bf71ebd8f9d5e
SHA1 f4eb95f1565e14210531ddc087fd19de893d56ef
SHA256 a2a46f03ca77548b6257fe4c81029dbc4ad09477b5e299f64dd30ba44f1e2b5f
SHA512 59a04a3a67a22e225b8c7f4d99803ef3172b7374588adfb52eeffddd1dfacf1a677cfe240c81f69fbad17fc183840d7d575dd497d4c4a42bfaa95141c7b9ef1d

C:\info.hta

MD5 32ba90b2bcea58e674b434d108abb638
SHA1 d4976f72b5d601bff95818dd9d05eacf4caacaa5
SHA256 ad26790201e8bba346a5ab50e9fb7e1f8eabb8600ef57f66d32e3f62a6757054
SHA512 93c9b1d8070aaa85d74228acb852f621a1346f8a70d8a1519c269775d91eca74b69e4f81370927354c63085dbd1cdf56e66a4abc6b5a947437ba8f97df6244c7

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-07 16:49

Reported 2024-07-07 17:01

Platform win10v2004-20240704-en

Max time kernel 49s

Max time network 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (235) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Fast.exe | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2494989678-839960665-2515455429-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2494989678-839960665-2515455429-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\prism_common.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.id[EE907AA5-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.id[EE907AA5-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\manifest.json | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.dll | C:\Users\Admin\AppData\Local\Temp\Fast.exe | N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.id[EE907AA5-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe C:\Windows\system32\cmd.exe
PID 4000 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\Fast.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2864 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4340 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4340 wrote to memory of 3448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4340 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4340 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2864 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2864 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2864 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 3452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2864 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2864 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Fast.exe

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

C:\Users\Admin\AppData\Local\Temp\Fast.exe

"C:\Users\Admin\AppData\Local\Temp\Fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[EE907AA5-3483].[[email protected]].8base

MD5 6ca433371afd64502fdd2b15745583b3
SHA1 144faab037e0bd1be854312179a75ecc34cdac2f
SHA256 d2c318c4cc3e28f9f864d67c734f155a03603ee62c3ddd12e76244d1934a3f15
SHA512 acfdd8e67a9e1d81fbe660d01b6b8b8e4e9d0c6efc0d4932dd3df47a33b29de50c4f1f71aba3b8e7e076713f28fed9248617e1fd16319ef630af3d63d9e0f89d

C:\info.hta

MD5 8d97690f28f9cbaa66407e403b65a66a
SHA1 ce666d55e834b5df503b5cb4a30027fdf2a1ba3d
SHA256 dc9c2a948079c0d1591aa2c6f4a04f9852d9e42a95a38b058115ed75dbb7b556
SHA512 083fdf60ef1dd8dd635f4e8d392680ed7e3cc0a0c4b69355000d3dcb8786dd230b5ab7ff0074b098fadcd343a22c371e5976cd17629466cfe6490fe695ac5168