Source: submitted by a community member; found during server incident response
Sandbox result: https://app.any.run/tasks/c7513203-9969-4abd-85ef-241df9fcc57f/
Filename:AntiRecuvaAndDB.exe
md5:7BE5F0B5B0583E504D781E4E2AF4350D
sha256:9EEE735D0356A4D8263B9E2408E8028D6266151F5B07AC3432FB66ABB43CF3FA
Process behavior:
Executed commands:
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\vdsldr.exe -Embedding
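As an added defender-side example (not part of the original note, and not the sample's own code): Python detection logic that takes process-creation records of the shape a SIEM keeps after parsing Windows Security 4688 or Sysmon Event ID 1, tags each command line with the defensive-impact category it hits (shadow copy deletion, backup catalog deletion, boot recovery tampering, firewall disable), and correlates distinct categories per parent process within a short window. The command sequence listed above then raises one alert, while a lone backup-maintenance command or a read-only netsh query does not. The sample records, rule names, window and threshold are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events, reduced to the fields the
# detection needs. These are illustrative records, not logs from the incident;
# the attacker-side command lines are the ones listed in the note above.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:01", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "wmic shadowcopy delete"},
    {"time": "2024-01-01T10:00:02", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"time": "2024-01-01T10:00:03", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"time": "2024-01-01T10:00:04", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"time": "2024-01-01T10:00:05", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "netsh advfirewall set currentprofile state off"},
    {"time": "2024-01-01T10:00:06", "host": "srv01", "parent": "AntiRecuvaAndDB.exe",
     "cmd": "netsh firewall set opmode mode=disable"},
    # Benign administrative activity that must not alert on its own.
    {"time": "2024-01-01T11:30:00", "host": "srv01", "parent": "backup-agent.exe",
     "cmd": "vssadmin list shadows"},
    {"time": "2024-01-01T11:31:00", "host": "srv02", "parent": "cmd.exe",
     "cmd": "netsh advfirewall show currentprofile"},
    # A single shadow-copy deletion by an admin: matches one rule but stays
    # below the correlation threshold of two distinct categories.
    {"time": "2024-01-01T12:00:00", "host": "srv02", "parent": "cmd.exe",
     "cmd": "vssadmin delete shadows /for=C: /oldest"},
]

# Each rule maps a command-line pattern to the defensive-impact category it
# belongs to. Several patterns may share a category (two ways to delete
# shadow copies, two ways to disable the firewall).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("boot_recovery_tampering",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I)),
    ("firewall_disable",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("firewall_disable",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\bopmode\b.*\bmode\s*=\s*disable\b", re.I)),
]


def classify(cmd):
    """Return the sorted, de-duplicated categories whose patterns match this command line."""
    return sorted({name for name, pattern in RULES if pattern.search(cmd)})


def correlate(events, window_seconds=300, min_categories=2):
    """Group matching events by (host, parent process) and raise one alert per
    group when at least `min_categories` distinct categories fall inside a
    `window_seconds` window. The alert carries every hit in that window."""
    by_group = defaultdict(list)
    for ev in events:
        for cat in classify(ev["cmd"]):
            by_group[(ev["host"], ev["parent"])].append(
                (datetime.fromisoformat(ev["time"]), cat, ev["cmd"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, parent), hits in by_group.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = {c for _, c, _ in in_window}
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host,
                    "parent": parent,
                    "categories": sorted(cats),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "commands": [c for _, _, c in in_window],
                })
                break  # one alert per parent process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['parent']}: {', '.join(alert['categories'])}")
        for cmd in alert["commands"]:
            print("    " + cmd)
```

The correlation keys on the parent process rather than on any single command because each of these commands has a legitimate administrative use; it is the combination of recovery destruction and firewall disabling from one parent in a few seconds that separates this behaviour from maintenance. The svchost.exe -k swprv and vdsldr.exe entries in the process list are the Volume Shadow Copy service host and the Virtual Disk Service loader, which are expected to start when shadow copies are enumerated or deleted, so they are useful supporting context rather than alert conditions on their own.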