15.2
0-day

68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3

6d122b4bfab5e75f3ae903805cbbc641.exe

Analysis duration

129s

Last analysis

File size

116.0KB
Static detection  Dynamic detection  100% AGEN AI SCORE=100 CLASSIC CONFIDENCE DEAPAX FILECODER GDSDA GENCIRC HIGH CONFIDENCE HIQYCX HUPIGON KCLOUD KLOPRANSOM LOTHLOCK MALICIOUS PE MALWARE@#Q02NP0BMN1EH NONE R + TROJ RAGNAR RAGNARLOCKER RANSOMX SCORE SIGGEN9 SMTH STATIC AI TDGWENWPWFG UNSAFE ZENPAK ZQTR
Eagle Eye engine
Not detected  No Eagle Eye engine results available
Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
McAfee Ransom-ragnar 20210116 6.0.6.653
Alibaba Ransom:Win32/KlopRansom.None 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:RansomX-gen [Ransom] 20210116 21.1.5827.0
Tencent Malware.Win32.Gencirc.113c60a1 20210116 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20210116 2017.9.26.565
Static indicators
Queries for the computername (7 events)
Time & API Arguments Status Return Repeated
1619596031.857017
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619596066.794017
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619625085.655875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619625087.952875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619625088.030875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619625088.437875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619625088.483875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619625087.733875
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619625084.780375
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x0000000000000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1619596031.763017
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00330000
success 0 0
1619596031.763017
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Python27\Lib\idlelib\idle.bat
Creates a suspicious process (1 event)
cmdline wmic.exe shadowcopy delete
Executes one or more WMI queries (1 event)
wmi SELECT * FROM Win32_ShadowCopy
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619625084.749375
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (50 events)
Time & API Arguments Status Return Repeated
1619596062.107017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.138017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.154017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.185017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.201017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.216017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.247017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.279017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.310017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.341017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.372017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.388017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.404017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.435017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.451017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.466017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.482017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.513017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.529017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.560017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.591017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.607017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.622017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.654017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.685017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.716017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.747017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.779017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.794017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.826017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.857017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.888017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.919017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.951017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596062.982017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596062.997017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.013017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.044017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.060017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.076017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.091017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.122017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.154017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.169017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.201017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.232017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.247017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.279017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
1619596063.310017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f8
process_identifier: 1912
failed 0 0
1619596063.341017
Process32NextW
process_name: 6d122b4bfab5e75f3ae903805cbbc641.exe
snapshot_handle: 0x000000f0
process_identifier: 1912
failed 0 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline wmic.exe shadowcopy delete
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 23.45.12.34
Attempts to stop active services (1 event)
Time & API Arguments Status Return Repeated
1619596032.091017
ControlService
service_handle: 0x005b6348
service_name: DfsC
control_code: 1
success 1 0
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619596031.982017
EnumServicesStatusA
service_handle: 0x005b6668
service_type: 59
service_status: 3
failed 0 0
Creates known Hupigon files, registry keys and/or mutexes (1 event)
file D:\Boot\BOOTSTAT.DAT
Writes a potential ransom message to disk (1 event)
Time & API Arguments Status Return Repeated
1619596066.810017
NtWriteFile
file_handle: 0x00000120
filepath: C:\Users\Public\Documents\RGNR_7BA2AAAD.txt
buffer: ***************************************************************************************************************** HELLO EDP.com ! If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** !!!!! WARNING !!!!! DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it also may damage files. DO NOT Shutdown or reset your system ------------------------------------- There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key ! For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA. HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE. ATTENTION ! We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties. Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://p6o7m73ujalhgkiv.onion/?p=171 We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links. So if you want to avoid such a harm for your reputation, better pay the amount that we asking for. ============================================================================================================== ! 
HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! a) Download and install TOR browser from this site : https://torproject.org b) For contact us via LIVE CHAT open our website : http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E c) For visit our NEWS PORTAL with your data, open this website : http://p6o7m73ujalhgkiv.onion/?page_id=171 d) If Tor is restricted in your area, use VPN When you open LIVE CHAT website follow rules : Follow the instructions on the website. At the top you will find CHAT tab. Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
offset: 0
success 0 0
Removes the Shadow Copy to avoid recovery of the system (2 events)
cmdline vssadmin delete shadows /all /quiet
cmdline wmic.exe shadowcopy delete
Uses suspicious command line tools or Windows utilities (1 event)
cmdline vssadmin delete shadows /all /quiet
Detects VirtualBox through the presence of a file (3 events)
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 216.58.200.238:443
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Ransom.Ragnar.3
FireEye Generic.mg.6d122b4bfab5e75f
McAfee Ransom-ragnar
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056475b1 )
Alibaba Ransom:Win32/KlopRansom.None
K7GW Trojan ( 0056475b1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Ransom.Ragnar.3
Cyren W32/Trojan.ZQTR-3907
Symantec Trojan Horse
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Trojan.RagnarLocker-7997800-0
Kaspersky HEUR:Trojan.Win32.Deapax.gen
BitDefender Gen:Variant.Ransom.Ragnar.3
NANO-Antivirus Trojan.Win32.Filecoder.hiqycx
Paloalto generic.ml
AegisLab Trojan.Win32.Zenpak.4!c
Tencent Malware.Win32.Gencirc.113c60a1
Ad-Aware Gen:Variant.Ransom.Ragnar.3
Sophos Mal/Generic-R + Troj/Lothlock-A
Comodo Malware@#q02np0bmn1eh
F-Secure Heuristic.HEUR/AGEN.1107231
DrWeb Trojan.Siggen9.38391
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.Win32.RAGNARLOCKER.SMTH
McAfee-GW-Edition Ransom-ragnar
Emsisoft Gen:Variant.Ransom.Ragnar.3 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Zenpak.bms
Webroot W32.Ransom.Ragnar
Avira HEUR/AGEN.1107231
Antiy-AVL Trojan[Ransom]/Win32.RagnarLocker
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Ransom.Win32.Heur.oa!s1
Microsoft Ransom:Win32/RagnarLocker!MSR
ViRobot Trojan.Win32.S.RagnarLocker.118784.A
ZoneAlarm HEUR:Trojan.Win32.Deapax.gen
GData Gen:Variant.Ransom.Ragnar.3
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Ransom.C4120640
BitDefenderTheta AI:Packer.682770761E
ALYac Trojan.Ransom.Filecoder
MAX malware (ai score=100)
VBA32 Trojan.Zenpak
Malwarebytes Ransom.Ragnar
ESET-NOD32 Win32/Filecoder.RagnarLocker.A
Performs 1571 file moves indicative of a ransomware file encryption process (50 out of 1571 events)
Time & API Arguments Status Return Repeated
1619596067.982017
MoveFileWithProgressW
oldfilepath: D:\Boot\BOOTSTAT.DAT
newfilepath: D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD
newfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT
success 1 0
1619596068.029017
MoveFileWithProgressW
oldfilepath: D:\PZASN
newfilepath: D:\PZASN.ragnar_7BA2AAAD
newfilepath_r: \\?\D:\PZASN.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\D:\PZASN
success 1 0
1619596074.279017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui
success 1 0
1619596074.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui
newfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui
success 1 0
1619596074.482017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui
success 1 0
1619596074.935017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui
success 1 0
1619596075.122017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui
success 1 0
1619596075.263017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui
newfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui
success 1 0
1619596075.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui
success 1 0
1619596075.451017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui
success 1 0
1619596075.591017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui
success 1 0
1619596075.638017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui
success 1 0
1619596075.763017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui
success 1 0
1619596075.872017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui
success 1 0
1619596075.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui
success 1 0
1619596076.076017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui
success 1 0
1619596076.201017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui
newfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui
success 1 0
1619596076.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
success 1 0
1619596076.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
success 1 0
1619596076.560017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log
success 1 0
1619596076.560017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url
success 1 0
1619596076.576017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
success 1 0
1619596076.591017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico
success 1 0
1619596076.622017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat
success 1 0
1619596076.669017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
success 1 0
1619596076.732017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
success 1 0
1619596076.888017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
success 1 0
1619596076.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
success 1 0
1619596081.888017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Windows Sidebar\settings.ini
newfilepath: C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini
success 1 0
1619596082.779017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
success 1 0
1619596082.779017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml
newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml
success 1 0
1619596082.857017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
success 1 0
1619596082.857017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
success 1 0
1619596082.935017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
success 1 0
1619596082.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
success 1 0
1619596085.654017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini
newfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini
success 1 0
1619596085.716017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\pyc.ico
newfilepath: C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico
success 1 0
1619596085.732017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_elementtree.pyd
newfilepath: C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd
success 1 0
1619596085.747017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\unicodedata.pyd
newfilepath: C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_tkinter.pyd
newfilepath: C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\py.ico
newfilepath: C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\py.ico
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_msi.pyd
newfilepath: C:\Python27\DLLs\_msi.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_msi.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_msi.pyd
success 1 0
1619596085.794017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\winsound.pyd
newfilepath: C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd
success 1 0
1619596085.794017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd
newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd
success 1 0
1619596085.810017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_bsddb.pyd
newfilepath: C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd
success 1 0
1619596085.826017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd
newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd
success 1 0
Appends a new file extension or content to 1571 files indicative of a ransomware file encryption process (50 out of 1571 events)
Time & API Arguments Status Return Repeated
1619596067.982017
MoveFileWithProgressW
oldfilepath: D:\Boot\BOOTSTAT.DAT
newfilepath: D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD
newfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\D:\Boot\BOOTSTAT.DAT
success 1 0
1619596068.029017
MoveFileWithProgressW
oldfilepath: D:\PZASN
newfilepath: D:\PZASN.ragnar_7BA2AAAD
newfilepath_r: \\?\D:\PZASN.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\D:\PZASN
success 1 0
1619596074.279017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Chess\zh-CN\Chess.exe.mui
success 1 0
1619596074.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui
newfilepath: C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\FreeCell\zh-CN\FreeCell.exe.mui
success 1 0
1619596074.482017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Hearts\zh-CN\Hearts.exe.mui
success 1 0
1619596074.935017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Mahjong\zh-CN\Mahjong.exe.mui
success 1 0
1619596075.122017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Minesweeper\zh-CN\Minesweeper.exe.mui
success 1 0
1619596075.263017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui
newfilepath: C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\More Games\zh-CN\MoreGames.dll.mui
success 1 0
1619596075.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgRes.dll.mui
success 1 0
1619596075.451017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Backgammon\zh-CN\bckgzm.exe.mui
success 1 0
1619596075.591017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\ChkrRes.dll.mui
success 1 0
1619596075.638017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Checkers\zh-CN\chkrzm.exe.mui
success 1 0
1619596075.763017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\ShvlRes.dll.mui
success 1 0
1619596075.872017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Multiplayer\Spades\zh-CN\shvlzm.exe.mui
success 1 0
1619596075.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Purble Place\zh-CN\PurblePlace.exe.mui
success 1 0
1619596076.076017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui
newfilepath: C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\Solitaire\zh-CN\Solitaire.exe.mui
success 1 0
1619596076.201017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui
newfilepath: C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Microsoft Games\SpiderSolitaire\zh-CN\SpiderSolitaire.exe.mui
success 1 0
1619596076.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
success 1 0
1619596076.357017
MoveFileWithProgressW
oldfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
newfilepath: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
success 1 0
1619596076.560017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\install_drivers.log
success 1 0
1619596076.560017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\Oracle VM VirtualBox Guest Additions.url
success 1 0
1619596076.576017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.cat
success 1 0
1619596076.591017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\iexplore.ico
success 1 0
1619596076.622017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat
success 1 0
1619596076.669017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.inf
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.inf
success 1 0
1619596076.716017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf
success 1 0
1619596076.732017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
newfilepath: C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
success 1 0
1619596076.888017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
success 1 0
1619596076.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
newfilepath: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
success 1 0
1619596081.888017
MoveFileWithProgressW
oldfilepath: C:\Program Files\Windows Sidebar\settings.ini
newfilepath: C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files\Windows Sidebar\settings.ini
success 1 0
1619596082.779017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml
success 1 0
1619596082.779017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml
newfilepath: C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml
success 1 0
1619596082.857017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
success 1 0
1619596082.857017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
newfilepath: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
success 1 0
1619596082.935017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml
success 1 0
1619596082.997017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
newfilepath: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml
success 1 0
1619596085.654017
MoveFileWithProgressW
oldfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini
newfilepath: C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Program Files (x86)\Windows Sidebar\settings.ini
success 1 0
1619596085.716017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\pyc.ico
newfilepath: C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico
success 1 0
1619596085.732017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_elementtree.pyd
newfilepath: C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_elementtree.pyd
success 1 0
1619596085.747017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\unicodedata.pyd
newfilepath: C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\unicodedata.pyd
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_tkinter.pyd
newfilepath: C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_tkinter.pyd
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\py.ico
newfilepath: C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\py.ico.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\py.ico
success 1 0
1619596085.779017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_msi.pyd
newfilepath: C:\Python27\DLLs\_msi.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_msi.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_msi.pyd
success 1 0
1619596085.794017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\winsound.pyd
newfilepath: C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\winsound.pyd
success 1 0
1619596085.794017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_ctypes_test.pyd
newfilepath: C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_ctypes_test.pyd
success 1 0
1619596085.810017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_bsddb.pyd
newfilepath: C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_bsddb.pyd
success 1 0
1619596085.826017
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\_multiprocessing.pyd
newfilepath: C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD
newfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd.ragnar_7BA2AAAD
flags: 3
oldfilepath_r: \\?\C:\Python27\DLLs\_multiprocessing.pyd
success 1 0
Drops 1047 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 1046 events)
Visual analysis
Binary image
No binary image available: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots available: no screenshots were captured while the sample ran

PE Compile Time

2017-03-09 05:16:45

Imports

Library KERNEL32.dll:
0x40e000 GetModuleHandleW
0x40e004 VirtualAllocEx
0x40e008 GetACP
0x40e010 GetOEMCP
0x40e014 GetTickCount
0x40e018 CreateEventA
0x40e01c GetProcAddress
0x40e020 GetCommandLineA
0x40e024 LoadLibraryW
0x40e028 GetLastError
0x40e03c GetCurrentProcess
0x40e040 GetProcessHeap
0x40e048 lstrlenA
0x40e04c GetVersionExA
0x40e050 GetVersionExW
0x40e054 GetModuleHandleA
0x40e058 CompareStringW
0x40e05c CompareStringA
0x40e060 LCMapStringW
0x40e064 GetStartupInfoW
0x40e068 GetVersion
0x40e06c ExitProcess
0x40e070 TerminateProcess
0x40e078 GetModuleFileNameW
0x40e080 MultiByteToWideChar
0x40e08c GetCommandLineW
0x40e090 SetHandleCount
0x40e094 GetStdHandle
0x40e098 GetFileType
0x40e09c GetStartupInfoA
0x40e0a0 GetCurrentThreadId
0x40e0a4 TlsSetValue
0x40e0a8 TlsAlloc
0x40e0ac TlsFree
0x40e0b0 SetLastError
0x40e0b4 TlsGetValue
0x40e0b8 GetCurrentThread
0x40e0bc HeapDestroy
0x40e0c0 HeapCreate
0x40e0c4 VirtualFree
0x40e0c8 HeapFree
0x40e0cc RtlUnwind
0x40e0d0 WriteFile
0x40e0d4 GetModuleFileNameA
0x40e0d8 SetFilePointer
0x40e0e0 WideCharToMultiByte
0x40e0e8 FatalAppExitA
0x40e0ec HeapAlloc
0x40e0f0 VirtualAlloc
0x40e0f4 HeapReAlloc
0x40e0f8 IsBadWritePtr
0x40e0fc LoadLibraryA
0x40e100 SetStdHandle
0x40e104 Sleep
0x40e108 FlushFileBuffers
0x40e10c GetCPInfo
0x40e110 IsValidLocale
0x40e114 IsValidCodePage
0x40e118 GetLocaleInfoA
0x40e11c EnumSystemLocalesA
0x40e120 GetUserDefaultLCID
0x40e124 CloseHandle
0x40e128 GetStringTypeA
0x40e12c GetStringTypeW
0x40e134 GetLocaleInfoW
0x40e138 LCMapStringA
Library USER32.dll:
0x40e144 LoadCursorFromFileA
0x40e148 CharUpperW

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination      Destination Port
192.168.56.101  49235        114.114.114.114  53
192.168.56.101  50534        114.114.114.114  53
192.168.56.101  53657        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  51808        224.0.0.252      5355
192.168.56.101  55368        224.0.0.252      5355
192.168.56.101  56804        224.0.0.252      5355
192.168.56.101  57874        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  50535        239.255.255.250  3702
192.168.56.101  50537        239.255.255.250  3702
192.168.56.101  56807        239.255.255.250  1900
192.168.56.101  58707        239.255.255.250  3702
192.168.56.101  62192        239.255.255.250  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.