SmartHawk

14.6

0-day

59 个模型检测该样本为恶意！

重新分析

下载样本

dd5d4cf9422b6e4514d49a3ec542cffb682be8a24079010cda689afbb44ac0f4

1ee5456c1226affd7b72bcdf3db443b7.exe

分析耗时

130s

最近分析

文件大小

48.5KB

静态报毒动态报毒 100% A + TROJ AI SCORE=100 AIDETECT BSCOPE CLOUD CONFIDENCE CQSH CVE-2017-0213 DELSHAD EDON ELDORADO FILECODER GDSDA HIGH CONFIDENCE HJCZNZ HUPIGON HXMBPKUA KCLOUD KVMH008 LOTHLOCK MALICIOUS PE MALWARE1 MALWARE@#1ED9719QZGXQH RAGNAR RAGNARLOCKER RANSOMHEUR RANSOMWARE RANSOMX SAVE SCORE STATIC AI SUSGEN UNSAFE ZRGLI 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Ransomware-GWY!1EE5456C1226	20210330	6.0.6.653
Alibaba	Ransom:Win32/Ragnar.a5bd5cd1	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RansomX-gen [Ransom]	20210330	21.1.5827.0
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20210331	2017.9.26.565
Tencent	Win32.Trojan.Filecoder.Edon	20210331	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (7 个事件)

Time & API	Arguments	Status	Return
1619269229.764372 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619269264.592372 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619299679.004645 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619299681.863645 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619299681.957645 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619299682.285645 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619299682.301645 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619299681.582645 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619299678.238395 WriteConsoleW	buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp. console_handle: 0x0000000000000007	success	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.keys

Creates executable files on the filesystem (1 个事件)

file	C:\Python27\Lib\idlelib\idle.bat

Creates a suspicious process (1 个事件)

cmdline

wmic.exe shadowcopy delete

Executes one or more WMI queries (1 个事件)

wmi	SELECT * FROM Win32_ShadowCopy

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619299678.207395 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 个事件)

Time & API	Arguments	Status
1619269259.873372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269259.889372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269259.905372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269259.920372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269259.936372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269259.967372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269259.983372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.014372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.030372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.045372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.061372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.076372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.076372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.092372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.123372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.139372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.155372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.186372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.201372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.248372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.280372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.295372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.311372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.342372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.373372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.389372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.420372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.436372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.451372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.467372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.498372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.530372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.545372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.576372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.608372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.639372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.655372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.686372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.686372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.717372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.748372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.764372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.780372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.811372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.826372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.842372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.889372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.905372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed
1619269260.920372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000e4 process_identifier: 2224	failed
1619269260.951372 Process32NextW	process_name: 1ee5456c1226affd7b72bcdf3db443b7.exe snapshot_handle: 0x000000dc process_identifier: 2224	failed

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

wmic.exe shadowcopy delete

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to stop active services (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269229.842372 ControlService	service_handle: 0x008056e0 service_name: DfsC control_code: 1	success	1	0

Enumerates services, possibly for anti-virtualization (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269229.826372 EnumServicesStatusA	service_handle: 0x00805a00 service_type: 59 service_status: 3	failed	0	0

Creates known Hupigon files, registry keys and/or mutexes (1 个事件)

file	D:\Boot\BOOTSTAT.DAT

Writes a potential ransom message to disk (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269264.592372 NtWriteFile	file_handle: 0x0000010c filepath: C:\Users\Public\Documents\RGNR_7BA2AAAD.txt buffer: *************************************************************************************************************** HELLO GST_AutoLeather ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! *************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. WARNING ! We had downloaded more than 1TB of your private information including billing info, clients private data, contracts, agreements and a lot of other sensitive information. Also we get everything from such files as "topsecret.doc" where was an access to your's SQL databases, Sharepoints, Barracuda Backups, Admin credentials and other services. You can check some proofs here: https://prnt.sc/s1xrct https://prnt.sc/s1xrpe https://prnt.sc/s1xs5s https://prnt.sc/s1xt9j Whole data gathered from your SECRET files and directories could be published for everyone's view and your partners, clients and investors would be notified about leak. However if we make a deal everything would be kept in secret and all your data will be restored. You can take a look on some examples of what we have, right now it's a private hidden page. Use Tor Browser to open the link: http://p6o7m73ujalhgkiv.onion/in-project-temporarypage-18-04/ to view the page's content use password: leather9912gst013 ============================================================================================================== ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://stppd5as5x4hxs45.onion/client/?1cdCAFdD70D2Eb1E078BCDED49fAb75d6315592715f319aFcb3c6106eFda88a2 c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/in-project-temporarypage-18-04/ ( password: leather9912gst013 ) d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn). offset: 0	success	0	0

Removes the Shadow Copy to avoid recovery of the system (2 个事件)

cmdline	vssadmin delete shadows /all /quiet
cmdline	wmic.exe shadowcopy delete

Uses suspicious command line tools or Windows utilities (1 个事件)

cmdline

vssadmin delete shadows /all /quiet

Detects VirtualBox through the presence of a file (3 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.110:443

Drops 982 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 982 个事件)

file	C:\Python27\Lib\site-packages\pip\_vendor\html5lib\_trie\datrie.pyc
file	c:\python27\lib\encodings\iso8859_1.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pil\jpegpresets.pyc.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\macholib\dyld.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\progress\spinner.pyc.ragnar_7ba2aaad
file	c:\program files (x86)\windows sidebar\settings.ini.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\requests\help.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pil\blpimageplugin.pyc.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pil\iptcimageplugin.py.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_memfunctions.py.ragnar_7ba2aaad
file	c:\python27\lib\distutils\dep_util.pyc.ragnar_7ba2aaad
file	c:\python27\lib\bsddb\dbshelve.py.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_refcounts.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_internal\models\candidate.py.ragnar_7ba2aaad
file	c:\python27\include\code.h.ragnar_7ba2aaad
file	c:\python27\lib\distutils\tests\test_config_cmd.py.ragnar_7ba2aaad
file	c:\python27\lib\encodings\euc_kr.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\pep517\colorlog.py.ragnar_7ba2aaad
file	c:\python27\include\py_curses.h.ragnar_7ba2aaad
file	c:\python27\lib\email\encoders.pyc.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_callbacks.py.ragnar_7ba2aaad
file	c:\python27\lib\idlelib\confighelpsourceedit.py.ragnar_7ba2aaad
file	c:\python27\lib\lib2to3\pgen2\literals.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_internal\operations\check.py.ragnar_7ba2aaad
file	c:\python27\lib\idlelib\debugger.py.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_prototypes.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pil\pdfimageplugin.py.ragnar_7ba2aaad
file	c:\python27\lib\encodings\cp1258.py.ragnar_7ba2aaad
file	c:\python27\lib\compiler\consts.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\html5lib\treebuilders\base.pyc.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_internal\utils\ui.pyc.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\msgpack\fallback.pyc.ragnar_7ba2aaad
file	c:\python27\lib\distutils\tests\test_unixccompiler.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\cachecontrol\compat.pyc.ragnar_7ba2aaad
file	c:\python27\lib\distutils\tests\test_config.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_internal\utils\temp_dir.py.ragnar_7ba2aaad
file	c:\python27\lib\distutils\tests\test_versionpredicate.py.ragnar_7ba2aaad
file	c:\python27\lib\lib2to3\tests\test_main.py.ragnar_7ba2aaad
file	c:\python27\lib\encodings\mbcs.pyc.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\requests\cookies.pyc.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_buffers.py.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_funcptr.py.ragnar_7ba2aaad
file	c:\python27\lib\idlelib\confighandler.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pil\mpoimageplugin.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_internal\models\selection_prefs.py.ragnar_7ba2aaad
file	c:\python27\lib\encodings\cp869.py.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_loading.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\colorama\ansitowin32.pyc.ragnar_7ba2aaad
file	c:\python27\lib\ctypes\test\test_errno.py.ragnar_7ba2aaad
file	c:\python27\lib\site-packages\pip\_vendor\html5lib\filters\whitespace.pyc.ragnar_7ba2aaad

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.Ransom.Ragnar.D9471B0A
McAfee	Ransomware-GWY!1EE5456C1226
Malwarebytes	Ransom.Ragnar
Zillya	Trojan.Filecoder.Win32.13900
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005623661 )
Alibaba	Ransom:Win32/Ragnar.a5bd5cd1
K7GW	Trojan ( 005623661 )
Cybereason	malicious.c1226a
Arcabit	Generic.Ransom.Ragnar.D9471B0A
Cyren	W32/Filecoder.AA.gen!Eldorado
Symantec	W97M.Downloader
ESET-NOD32	a variant of Win32/Filecoder.RagnarLocker.A
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Exploit.CVE_2017_0213-6306933-0
Kaspersky	UDS:Trojan-Ransom.Win32.Agent.gen
BitDefender	Generic.Ransom.Ragnar.D9471B0A
NANO-Antivirus	Trojan.Win32.Encoder.hjcznz
Avast	Win32:RansomX-gen [Ransom]
Rising	Ransom.Ragnar!1.C24D (CLOUD)
Ad-Aware	Generic.Ransom.Ragnar.D9471B0A
Sophos	ML/PE-A + Troj/Lothlock-A
Comodo	Malware@#1ed9719qzgxqh
DrWeb	Trojan.Encoder.31566
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win32.RAGNAR.SMA
McAfee-GW-Edition	BehavesLike.Win32.Generic.ph
FireEye	Generic.mg.1ee5456c1226affd
Emsisoft	Generic.Ransom.Ragnar.D9471B0A (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Agent.cqsh
Webroot	W32.Ransom.Ragnar
Avira	TR/AD.RansomHeur.zrgli
eGambit	Unsafe.AI_Score_54%
MAX	malware (ai score=100)
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Ransom.Win32.Ransom.oa
Microsoft	Ransom:Win32/CVE
AegisLab	Trojan.Win32.Agent.j!c
GData	Win32.Trojan-Ransom.Ragnar.A
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Ransom.C4006138
ALYac	Trojan.Ransom.RagnarLocker
TACHYON	Ransom/W32.RagnarLocker.49664
VBA32	BScope.Trojan.DelShad
Cylance	Unsafe
TrendMicro-HouseCall	Ransom.Win32.RAGNAR.SMA

Performs 1659 file moves indicative of a ransomware file encryption process (50 out of 1659 个事件)

Time & API	Arguments	Status	Return
1619269265.108372 MoveFileWithProgressW	oldfilepath: D:\Boot\BOOTSTAT.DAT newfilepath: D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD newfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT	success	1
1619269265.186372 MoveFileWithProgressW	oldfilepath: D:\PZASN newfilepath: D:\PZASN.ragnar_7BA2AAAD newfilepath_r: \\?\D:\PZASN.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\D:\PZASN	success	1
1619269271.045372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui newfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui	success	1
1619269271.139372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui newfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui	success	1
1619269271.233372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui newfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui	success	1
1619269271.311372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui newfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui	success	1
1619269271.389372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui newfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui	success	1
1619269271.451372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui newfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui	success	1
1619269271.561372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui	success	1
1619269271.561372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui	success	1
1619269271.670372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui	success	1
1619269271.670372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui	success	1
1619269271.764372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui	success	1
1619269271.764372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui	success	1
1619269271.858372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui newfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui	success	1
1619269272.014372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui newfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui	success	1
1619269272.170372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui newfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui	success	1
1619269272.358372 MoveFileWithProgressW	oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	success	1
1619269272.436372 MoveFileWithProgressW	oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	success	1
1619269272.733372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log	success	1
1619269273.076372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat	success	1
1619269273.233372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico	success	1
1619269273.248372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf	success	1
1619269273.311372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url	success	1
1619269273.342372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf	success	1
1619269273.342372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf	success	1
1619269273.451372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	success	1
1619269273.514372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	success	1
1619269276.983372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Windows Sidebar\settings.ini newfilepath: C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini	success	1
1619269277.780372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	success	1
1619269277.780372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	success	1
1619269277.811372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	success	1
1619269277.811372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	success	1
1619269277.936372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	success	1
1619269277.998372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	success	1
1619269280.280372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini newfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_elementtree.pyd newfilepath: C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_testcapi.pyd newfilepath: C:\Python27\DLLs\_testcapi.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_testcapi.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_testcapi.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\unicodedata.pyd newfilepath: C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_tkinter.pyd newfilepath: C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\winsound.pyd newfilepath: C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico newfilepath: C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\py.ico	success	1
1619269280.451372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_bsddb.pyd newfilepath: C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd	success	1
1619269280.467372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico newfilepath: C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico	success	1

Appends a new file extension or content to 1659 files indicative of a ransomware file encryption process (50 out of 1659 个事件)

Time & API	Arguments	Status	Return
1619269265.108372 MoveFileWithProgressW	oldfilepath: D:\Boot\BOOTSTAT.DAT newfilepath: D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD newfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT	success	1
1619269265.186372 MoveFileWithProgressW	oldfilepath: D:\PZASN newfilepath: D:\PZASN.ragnar_7BA2AAAD newfilepath_r: \\?\D:\PZASN.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\D:\PZASN	success	1
1619269271.045372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui newfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui	success	1
1619269271.139372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui newfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui	success	1
1619269271.233372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui newfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui	success	1
1619269271.311372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui newfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui	success	1
1619269271.389372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui newfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui	success	1
1619269271.451372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui newfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui	success	1
1619269271.561372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui	success	1
1619269271.561372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui	success	1
1619269271.670372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui	success	1
1619269271.670372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui	success	1
1619269271.764372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui	success	1
1619269271.764372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui	success	1
1619269271.858372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui newfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui	success	1
1619269272.014372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui newfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui	success	1
1619269272.170372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui newfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui	success	1
1619269272.358372 MoveFileWithProgressW	oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	success	1
1619269272.436372 MoveFileWithProgressW	oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	success	1
1619269272.733372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log	success	1
1619269273.076372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat	success	1
1619269273.233372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico	success	1
1619269273.248372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf	success	1
1619269273.311372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat	success	1
1619269273.326372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url	success	1
1619269273.342372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf	success	1
1619269273.342372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf	success	1
1619269273.451372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	success	1
1619269273.514372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	success	1
1619269276.983372 MoveFileWithProgressW	oldfilepath: C:\Program Files\Windows Sidebar\settings.ini newfilepath: C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini	success	1
1619269277.780372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	success	1
1619269277.780372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	success	1
1619269277.811372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets	success	1
1619269277.811372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets	success	1
1619269277.936372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	success	1
1619269277.998372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	success	1
1619269280.280372 MoveFileWithProgressW	oldfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini newfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_elementtree.pyd newfilepath: C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_testcapi.pyd newfilepath: C:\Python27\DLLs\_testcapi.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_testcapi.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_testcapi.pyd	success	1
1619269280.420372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\unicodedata.pyd newfilepath: C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_tkinter.pyd newfilepath: C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\winsound.pyd newfilepath: C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd	success	1
1619269280.436372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico newfilepath: C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\py.ico	success	1
1619269280.451372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\_bsddb.pyd newfilepath: C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd	success	1
1619269280.467372 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico newfilepath: C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD flags: 3 oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico	success	1

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-18 23:07:09

Imports

Library KERNEL32.dll:

• 0x409068 SetFilePointerEx

• 0x40906c FindClose

• 0x409070 CloseHandle

• 0x409074 GetNativeSystemInfo

• 0x409078 GetTickCount

• 0x40907c MapViewOfFile

• 0x409080 UnmapViewOfFile

• 0x409084 lstrcmpiW

• 0x409088 lstrcpyA

• 0x40908c lstrcpyW

• 0x409090 lstrcatW

• 0x409094 lstrlenA

• 0x409098 lstrlenW

• 0x40909c CreateEventW

• 0x4090a0 CreateFileMappingW

• 0x4090a4 LoadLibraryW

• 0x4090a8 CreateProcessW

• 0x4090ac GetStartupInfoW

• 0x4090b0 GetCommandLineW

• 0x4090b4 GetDriveTypeW

• 0x4090b8 GetSystemDirectoryW

• 0x4090bc GetWindowsDirectoryW

• 0x4090c0 ReadFile

• 0x4090c4 CreateFileW

• 0x4090c8 SetFileAttributesW

• 0x4090cc GetFileAttributesW

• 0x4090d0 FindFirstFileW

• 0x4090d4 FindNextFileW

• 0x4090d8 CopyFileW

• 0x4090dc MoveFileExW

• 0x4090e0 GetVolumeInformationA

• 0x4090e4 GetVolumeInformationW

• 0x4090e8 GetComputerNameW

• 0x4090ec FindFirstVolumeA

• 0x4090f0 FindNextVolumeA

• 0x4090f4 FindVolumeClose

• 0x4090f8 SetVolumeMountPointA

• 0x4090fc GetVolumePathNamesForVolumeNameA

• 0x409100 WTSGetActiveConsoleSessionId

• 0x409104 MultiByteToWideChar

• 0x409108 WideCharToMultiByte

• 0x40910c GetLocaleInfoW

• 0x409110 CreateToolhelp32Snapshot

• 0x409114 Process32FirstW

• 0x409118 Process32NextW

• 0x40911c DeviceIoControl

• 0x409120 WriteFile

• 0x409124 GetFileSize

• 0x409128 GetFileSizeEx

• 0x40912c UnlockFile

• 0x409130 LockFile

• 0x409134 GetLogicalDrives

• 0x409138 Sleep

• 0x40913c WaitForMultipleObjects

• 0x409140 WaitForSingleObject

• 0x409144 GetLastError

• 0x409148 CreateThread

• 0x40914c TerminateProcess

• 0x409150 ExitProcess

• 0x409154 GetCurrentProcess

• 0x409158 OpenProcess

• 0x40915c GetProcessHeap

• 0x409160 HeapFree

• 0x409164 HeapAlloc

• 0x409168 VirtualFree

• 0x40916c VirtualAlloc

• 0x409170 LocalFree

• 0x409174 LocalAlloc

• 0x409178 GetFullPathNameW

• 0x40917c GetProcAddress

Library USER32.dll:

• 0x4091a0 wsprintfA

• 0x4091a4 wsprintfW

Library ADVAPI32.dll:

• 0x409000 CryptGenRandom

• 0x409004 CryptReleaseContext

• 0x409008 QueryServiceStatusEx

• 0x40900c OpenServiceA

• 0x409010 OpenSCManagerA

• 0x409014 EnumServicesStatusA

• 0x409018 EnumDependentServicesA

• 0x40901c ControlService

• 0x409020 CloseServiceHandle

• 0x409024 CryptEncrypt

• 0x409028 CryptDestroyKey

• 0x40902c CryptAcquireContextW

• 0x409030 RegQueryValueExW

• 0x409034 RegOpenKeyExW

• 0x409038 RegCloseKey

• 0x40903c DuplicateTokenEx

• 0x409040 CreateProcessAsUserW

• 0x409044 GetUserNameW

• 0x409048 SetTokenInformation

• 0x40904c OpenProcessToken

Library SHELL32.dll:

• 0x409184 SHGetSpecialFolderPathW

• 0x409188 CommandLineToArgvW

Library SHLWAPI.dll:

• 0x409190 StrStrIA

• 0x409194 PathFindExtensionW

• 0x409198 StrToIntA

Library CRYPT32.dll:

• 0x409054 CryptDecodeObjectEx

• 0x409058 CryptStringToBinaryW

• 0x40905c CryptBinaryToStringA

• 0x409060 CryptImportPublicKeyInfo

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	49235	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.