Source: sent in by a forum member; found during server incident response.

Sandbox result: https://app.any.run/tasks/c7513203-9969-4abd-85ef-241df9fcc57f/

Filename: AntiRecuvaAndDB.exe

MD5: 7BE5F0B5B0583E504D781E4E2AF4350D

SHA256: 9EEE735D0356A4D8263B9E2408E8028D6266151F5B07AC3432FB66ABB43CF3FA

Process behavior:

(process tree screenshot, not preserved in this page)

Commands executed:

wmic shadowcopy delete

bcdedit /set {default} bootstatuspolicy ignoreallfailures

vssadmin delete shadows /all /quiet

wbadmin  delete catalog -quiet

netsh  advfirewall set currentprofile state off

netsh  firewall set opmode mode=disable

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\vdsldr.exe -Embedding
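The first six command lines above are the usual pre-encryption steps of ransomware: destroy Volume Shadow Copies and the backup catalog, stop Windows from entering recovery on boot failure, and turn off the host firewall. A defender can catch this chain at the process-creation log long before encryption starts. The following detector is an added example written for this note, not code from the original post or from any.run; it matches Sysmon Event ID 1 style process-creation records (host, parent image, image, command line; the records below are constructed) against signatures for exactly these commands, and raises an alert when one parent process chains two or more distinct recovery-inhibition techniques. The `recoveryenabled no` bcdedit pattern is a commonly paired companion that the sample did not run and is included as a generalisation; the `ProcessEvent` fields, the grouping by parent process and the two-technique threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Signatures for the recovery-inhibition commands seen in the sandbox run.
# Each entry: (technique tag, regex applied to the whitespace-normalised, lower-cased command line).
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
    ("boot_recovery_tampering", re.compile(r"\bbcdedit(?:\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures\b")),
    # Not run by this sample; a common companion in the same family of commands (assumption of this example).
    ("boot_recovery_tampering", re.compile(r"\bbcdedit(?:\.exe)?\s+.*recoveryenabled\s+no\b")),
    ("firewall_disable", re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("firewall_disable", re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b")),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field set is an assumption, modelled on Sysmon Event ID 1)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def normalise(cmdline: str) -> str:
    """Collapse runs of whitespace (sandbox captures often contain doubled spaces) and lower-case."""
    return " ".join(cmdline.split()).lower()


def classify_command(cmdline: str) -> List[str]:
    """Return the distinct technique tags whose signature matches this command line."""
    norm = normalise(cmdline)
    tags: List[str] = []
    for tag, pattern in SIGNATURES:
        if pattern.search(norm) and tag not in tags:
            tags.append(tag)
    return tags


def scan_events(events: List[ProcessEvent], min_distinct_tags: int = 2) -> List[dict]:
    """Group matches by (host, parent process) and alert when a parent chains several techniques.

    A single 'vssadmin delete shadows' can be legitimate admin work; the same parent also
    tampering with boot recovery or the firewall is the ransomware pattern shown above.
    """
    grouped: Dict[Tuple[str, str], Set[str]] = {}
    for ev in events:
        tags = classify_command(ev.command_line)
        if tags:
            grouped.setdefault((ev.host, ev.parent_image), set()).update(tags)
    findings = []
    for (host, parent), tags in grouped.items():
        findings.append({
            "host": host,
            "parent_image": parent,
            "tags": sorted(tags),
            "alert": len(tags) >= min_distinct_tags,
        })
    return findings


# Constructed sample records: the sample's command chain on one host, benign and low-confidence noise elsewhere.
SAMPLE_EVENTS = [
    ProcessEvent("srv01", r"C:\Temp\AntiRecuvaAndDB.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin delete shadows /all /quiet"),
    ProcessEvent("srv01", r"C:\Temp\AntiRecuvaAndDB.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete"),
    ProcessEvent("srv01", r"C:\Temp\AntiRecuvaAndDB.exe", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent("srv01", r"C:\Temp\AntiRecuvaAndDB.exe", r"C:\Windows\System32\netsh.exe",
                 "netsh advfirewall set currentprofile state off"),
    ProcessEvent("srv01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),                       # benign: no deletion
    ProcessEvent("srv02", r"C:\Program Files\backup-agent.exe", r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin  delete catalog -quiet"),              # single technique: logged, not alerted
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The normalisation step matters in practice: the `wbadmin  delete catalog -quiet` line in the sandbox output carries a doubled space, and a signature written against the raw string would miss it. Tuning the threshold per environment (backup agents legitimately run `wbadmin delete catalog`, so a single technique is recorded but not alerted) keeps the rule usable on real servers.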