18.2
0-day

7fa53b8b3fa31fca876b75b93bb00832be74e6193b92c1ba2a3e3db074f1da3c

80e7613d95914ffdc9a3b3246c5214bd.exe

Analysis duration: 100s

Last analysis:

File size: 464.0KB
Flagged (static) Flagged (dynamic) 100% AI SCORE=100 AIDETECTVM ATTRIBUTE BSCOPE CONFIDENCE DQ0@AATGOAKI FALYIZ FILECODER FILECRYPTER FXTI397GROL GENCIRC GENERICKD GENERICRXBG GENOME GNEJ HIGHCONFIDENCE ICUKK MALICIOUS MALWARE2 MILICRY NVRSO@0 S15245543 SAGE SAGECPMF SAGECRYPT SCORE SUSPICIOUS PE TSGENERIC UNSAFE ZEXAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Anti-virus engines
Engine Result Scan date Engine version
McAfee GenericRXBG-ZF!80E7613D9591 20200823 6.0.6.653
Alibaba Ransom:Win32/SageCrypt.11dcef05 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20200823 18.4.3895.0
Tencent Malware.Win32.Gencirc.10b2ea82 20200823 1.0.0.1
Kingsoft 20200823 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1619685972.312625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619709985.073125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619709985.9805
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619709994.2145
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619710010.730875
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619710010.730875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619709993.0735
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619709994.042125
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1619710008.464875
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619710010.870875
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system, which can be used to detect virtual machines with a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619685969.734625
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name BIN
resource name None
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1619685970.406625
__exception__
stacktrace:
80e7613d95914ffdc9a3b3246c5214bd+0xc174 @ 0x40c174
80e7613d95914ffdc9a3b3246c5214bd+0x16040 @ 0x416040
80e7613d95914ffdc9a3b3246c5214bd+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x73f09977
success 0 0
1619709984.370499
__exception__
stacktrace:
80e7613d95914ffdc9a3b3246c5214bd+0xc174 @ 0x40c174
80e7613d95914ffdc9a3b3246c5214bd+0x16040 @ 0x416040
80e7613d95914ffdc9a3b3246c5214bd+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x73f09977
success 0 0
1619709985.3395
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 2146895237
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x73f09977
success 0 0
1619709993.40225
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 3380191637
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x73f09977
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 253 events)
Time & API Arguments Status Return Repeated
1619685970.422625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 1138688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02bf0000
success 0 0
1619685970.422625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ca0000
success 0 0
1619685970.969625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685970.984625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.000625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.015625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.031625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.047625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.062625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.078625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.094625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.125625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.140625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.156625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.172625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.187625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.203625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.219625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.234625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.234625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.250625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.265625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.281625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.297625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.312625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.328625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.344625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.359625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.359625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.375625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.390625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.406625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.422625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.437625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.453625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.453625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.469625
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c30000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00402000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00403000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00404000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00405000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00406000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00407000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00408000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00409000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040a000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040b000
success 0 0
1619685971.484625
NtProtectVirtualMemory
process_identifier: 2900
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040c000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619685972.312625
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1619685981.750625
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1619710007.3395
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619685981.750625
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619685970.453625
GetAdaptersAddresses
flags: 1158
family: 0
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619710008.277875
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619710006.8555
EnumServicesStatusW
service_handle: 0x009b6fe0
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\tmpsij43m\analyzer.py
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 1389 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
file C:\Python27\Lib\test\test_multifile.py
file C:\Python27\Lib\site-packages\pip\_vendor\webencodings\mklabels.py
file C:\Python27\Lib\encodings\iso8859_13.py
file C:\Python27\Lib\test\test_userstring.py
file C:\Python27\Lib\site-packages\pip\_vendor\lockfile\__init__.py
file C:\Python27\Lib\test\test_multibytecodec.py
file C:\Python27\Lib\wsgiref\util.py
file C:\Python27\Lib\test\test_timeit.py
file C:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\__init__.py
file C:\Python27\Lib\site-packages\pip\_vendor\packaging\__init__.py
file C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
file C:\Python27\Lib\test\test_fileinput.py
file C:\Python27\Lib\test\test_heapq.py
file C:\Python27\include\dtoa.h
file C:\Python27\Lib\encodings\mac_arabic.py
file C:\Python27\Lib\test\test_zipfile64.py
file C:\Python27\Lib\test\test_md5.py
file C:\Python27\Lib\encodings\iso2022_jp_2.py
file C:\Python27\Lib\site-packages\pip\_vendor\requests\models.py
file C:\Python27\Lib\json\tests\test_float.py
file C:\Python27\Lib\wave.py
file C:\Python27\Lib\encodings\iso8859_15.py
file C:\Python27\Lib\test\test_richcmp.py
file C:\Python27\Lib\encodings\cp1253.py
file C:\Python27\Lib\test\ssl_key.pem
file C:\Python27\Lib\smtplib.py
file C:\Python27\Lib\encodings\mbcs.py
file C:\Python27\Lib\HTMLParser.py
file C:\Python27\Lib\test\test_importhooks.py
file C:\Python27\Lib\test\test_traceback.py
file C:\Python27\include\intrcheck.h
file C:\tmpsij43m\modules\packages\pdf.py
file C:\Python27\Lib\site-packages\pip\_vendor\pep517\check.py
file C:\Python27\Lib\test\test_contextlib.py
file C:\Python27\include\symtable.h
file C:\Python27\Lib\test\test_operator.py
file C:\Python27\Lib\encodings\cp1257.py
file C:\Python27\Lib\test\crashers\infinite_loop_re.py
file C:\Python27\Lib\site-packages\setuptools\version.py
file C:\Python27\Lib\test\sample_doctest.py
file C:\Python27\Lib\site-packages\pip\_vendor\html5lib\filters\alphabeticalattributes.py
file C:\Python27\Lib\test\test_poll.py
file C:\Python27\include\warnings.h
file C:\Python27\Lib\xml\sax\expatreader.py
file C:\Python27\Lib\test\test_urllib2_localnet.py
file C:\Python27\Lib\test\make_ssl_certs.py
file C:\Python27\Lib\test\test_longexp.py
file C:\Python27\Lib\test\test_spwd.py
Removes the Shadow Copy to avoid recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command line tools or Windows utilities (2 events)
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
cmdline vssadmin.exe delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (1 event)
dll C:\Windows\system32\VBoxMRXNP.dll
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
Bkav W32.AIDetectVM.malware2
Cynet Malicious (score: 100)
FireEye Generic.mg.80e7613d95914ffd
CAT-QuickHeal Trojan.SagecPMF.S15245543
McAfee GenericRXBG-ZF!80E7613D9591
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 004f76a01 )
Alibaba Ransom:Win32/SageCrypt.11dcef05
K7GW Trojan ( 004f76a01 )
Cybereason malicious.d95914
Arcabit Trojan.Generic.D298A25A
TrendMicro Mal_MiliCry-1h
BitDefenderTheta Gen:NN.ZexaF.34186.Dq0@aatgOAki
Cyren W32/Trojan.GNEJ-7115
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Ransom.Win32.SageCrypt.dcv
BitDefender Trojan.GenericKD.43557466
NANO-Antivirus Trojan.Win32.SageCrypt.falyiz
ViRobot Trojan.Win32.Z.Sagecrypt.475136.N
MicroWorld-eScan Trojan.GenericKD.43557466
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.10b2ea82
Ad-Aware Trojan.GenericKD.43557466
Comodo TrojWare.Win32.Genome.nvrso@0
F-Secure Trojan.TR/AD.Sage.icukk
DrWeb Trojan.Encoder.10781
Zillya Trojan.SageCrypt.Win32.177
Invincea heuristic
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Jiangmin Trojan.SageCrypt.hj
Avira TR/AD.Sage.icukk
Antiy-AVL Trojan/Win32.TSGeneric
Microsoft Ransom:Win32/Milicry!rfn
AegisLab Trojan.Win32.SageCrypt.j!c
AhnLab-V3 Win-Trojan/Sagecrypt.Gen
ZoneAlarm Trojan-Ransom.Win32.SageCrypt.dcv
GData Trojan.GenericKD.43557466
TACHYON Ransom/W32.SageCrypt.475136
ESET-NOD32 Win32/Filecoder.NHQ
VBA32 BScope.Trojan-Ransom.SageCrypt
ALYac Trojan.Ransom.Sage
MAX malware (ai score=100)
Malwarebytes Ransom.Sage
TrendMicro-HouseCall Mal_MiliCry-1h
Rising Ransom.Milicry!8.A2F2 (TFE:5:Fxti397groL)
Performs 1389 file moves indicative of a ransomware file encryption process (50 out of 1389 events)
Time & API Arguments Status Return Repeated
1619685981.750625
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\80e7613d95914ffdc9a3b3246c5214bd.exe
success 1 0
1619685981.781625
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
success 1 0
1619710021.3085
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\pycacert.pem
newfilepath: C:\Python27\Lib\test\pycacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem...
success 1 0
1619710021.3395
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nokia.pem
newfilepath: C:\Python27\Lib\test\nokia.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem...
success 1 0
1619710021.3555
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullcert.pem
newfilepath: C:\Python27\Lib\test\nullcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem...
success 1 0
1619710021.3555
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullbytecert.pem
newfilepath: C:\Python27\Lib\test\nullbytecert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem...
success 1 0
1619710021.3705
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem
newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...
success 1 0
1619710021.3865
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem
newfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem...
success 1 0
1619710021.4025
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.pem
newfilepath: C:\Python27\Lib\test\ssl_key.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem...
success 1 0
1619710021.4335
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\talos-2019-0758.pem
newfilepath: C:\Python27\Lib\test\talos-2019-0758.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem...
success 1 0
1619710021.4335
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badkey.pem
newfilepath: C:\Python27\Lib\test\badkey.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem...
success 1 0
1619710021.4645
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
newfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem...
success 1 0
1619710021.4645
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert4.pem
newfilepath: C:\Python27\Lib\test\keycert4.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem...
success 1 0
1619710021.4955
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert3.pem
newfilepath: C:\Python27\Lib\test\keycert3.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem...
success 1 0
1619710021.5115
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\allsans.pem
newfilepath: C:\Python27\Lib\test\allsans.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem...
success 1 0
1619710021.5115
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_cert.pem
newfilepath: C:\Python27\Lib\test\ssl_cert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem...
success 1 0
1619710021.5275
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badcert.pem
newfilepath: C:\Python27\Lib\test\badcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem...
success 1 0
1619710021.5425
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ffdh3072.pem
newfilepath: C:\Python27\Lib\test\ffdh3072.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem...
success 1 0
1619710021.5425
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert2.pem
newfilepath: C:\Python27\Lib\test\keycert2.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem...
success 1 0
1619710021.5585
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.pem
newfilepath: C:\Python27\Lib\test\keycert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem...
success 1 0
1619710021.5585
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.passwd.pem
newfilepath: C:\Python27\Lib\test\keycert.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem...
success 1 0
1619710021.5735
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\185test.db
newfilepath: C:\Python27\Lib\test\185test.db.sage
newfilepath_r: \\?\C:\Python27\Lib\test\185test.db.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\185test.db...
success 1 0
1619710021.5735
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif
newfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
newfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif...
success 1 0
1619710021.6205
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\py.ico
newfilepath: C:\Python27\DLLs\py.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\py.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\py.ico...
success 1 0
1619710021.6365
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico
newfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico.sage
newfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico...
success 1 0
1619710021.6675
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff
newfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff.sage
newfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff...
success 1 0
1619710021.6675
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\pyc.ico
newfilepath: C:\Python27\DLLs\pyc.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico...
success 1 0
1619710021.7305
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm...
success 1 0
1619710021.7455
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm...
success 1 0
1619710021.7615
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm...
success 1 0
1619710021.7775
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...
success 1 0
1619710021.7775
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...
success 1 0
1619710021.7775
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...
success 1 0
1619710021.7925
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...
success 1 0
1619710021.7925
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...
success 1 0
1619710021.7925
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...
success 1 0
1619710021.7925
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...
success 1 0
1619710021.8085
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...
success 1 0
1619710021.8085
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...
success 1 0
1619710021.8235
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...
success 1 0
1619710021.8235
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...
success 1 0
1619710021.8235
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...
success 1 0
1619710021.8235
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...
success 1 0
1619710021.8235
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...
success 1 0
1619710021.8395
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...
success 1 0
1619710021.8395
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...
success 1 0
1619710021.8395
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...
success 1 0
1619710021.8395
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...
success 1 0
1619710021.8555
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...
success 1 0
1619710021.8555
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...
success 1 0
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran

PE Compile Time

2017-04-14 17:32:27

Imports

Library KERNEL32.dll:
0x4380a8 GetConsoleOutputCP
0x4380ac WriteConsoleA
0x4380b0 SetStdHandle
0x4380b4 SetFilePointer
0x4380b8 GetStringTypeW
0x4380bc GetStringTypeA
0x4380c0 LCMapStringW
0x4380c4 LCMapStringA
0x4380c8 GetConsoleMode
0x4380cc GetConsoleCP
0x4380d0 FlushFileBuffers
0x4380d4 SetHandleCount
0x4380ec GetCPInfo
0x4380f0 GetOEMCP
0x4380f4 GetACP
0x4380f8 VirtualAlloc
0x4380fc VirtualFree
0x438100 HeapCreate
0x438104 HeapFree
0x438108 HeapReAlloc
0x43810c GlobalFree
0x438110 OutputDebugStringW
0x438114 GetFileType
0x438118 WriteConsoleW
0x43811c OutputDebugStringA
0x438120 WriteFile
0x438124 GetStdHandle
0x438128 DebugBreak
0x43812c TlsFree
0x438130 TlsSetValue
0x438134 TlsAlloc
0x438138 TlsGetValue
0x43813c FatalAppExitA
0x438140 GetStartupInfoA
0x438144 GetVersionExA
0x438148 GetCommandLineA
0x43814c RtlUnwind
0x438150 Sleep
0x438154 GetConsoleWindow
0x438158 lstrcpyA
0x43815c LoadLibraryW
0x438160 lstrcatA
0x438164 GetProcAddress
0x438168 FindNextFileA
0x43816c FindClose
0x438170 lstrcpynA
0x438174 lstrlenA
0x438178 GetModuleFileNameA
0x43817c LoadLibraryA
0x438180 GetCurrentThreadId
0x438184 GetCurrentProcessId
0x43818c DeleteFileA
0x438190 MultiByteToWideChar
0x438194 SetLastError
0x438198 SetLocaleInfoW
0x4381a0 GetThreadLocale
0x4381a4 IsValidLocale
0x4381a8 GetLocaleInfoW
0x4381ac WideCharToMultiByte
0x4381b0 GetLocaleInfoA
0x4381b4 GetTickCount
0x4381bc GlobalAlloc
0x4381c0 IsBadReadPtr
0x4381c4 HeapValidate
0x4381c8 GetModuleFileNameW
0x4381cc FindFirstFileA
0x4381d0 GetLastError
0x4381d4 GetModuleHandleA
0x4381dc Thread32First
0x4381e0 IsDebuggerPresent
0x4381e8 TerminateProcess
0x4381ec RaiseException
0x438208 GetProcessHeap
0x43820c ExitProcess
0x438210 HeapAlloc
0x438214 Thread32Next
0x438218 CloseHandle
0x43821c CreateFileA
0x438220 ReadFile
0x438224 HeapDestroy
0x438228 GetCurrentProcess
Library USER32.dll:
0x438270 GetWindowRect
0x438274 ShowWindow
0x438278 ScreenToClient
0x43827c EnableWindow
0x438280 SetRect
0x438284 GetWindowLongA
0x438288 PostQuitMessage
0x43828c SendMessageA
0x438290 GetDialogBaseUnits
0x438294 GetSysColor
0x438298 UpdateWindow
0x43829c GetScrollInfo
0x4382a0 EnableScrollBar
0x4382a4 CreateWindowExA
0x4382a8 GetDC
0x4382ac IsWindowEnabled
0x4382b4 GetDlgItem
0x4382b8 GetDlgItemTextA
0x4382bc EnumPropsA
0x4382c0 SetWindowPos
0x4382c4 DefWindowProcA
0x4382c8 GetSystemMetrics
0x4382cc GetMessagePos
0x4382d0 DestroyMenu
0x4382d4 AppendMenuA
0x4382d8 CreatePopupMenu
0x4382dc SetCursorPos
0x4382e0 GetCursorPos
0x4382e4 FindWindowA
0x4382e8 FindWindowExA
0x4382ec LoadAcceleratorsA
0x4382f0 EndDialog
0x4382f4 SetFocus
0x4382f8 GetSystemMenu
0x4382fc EnableMenuItem
0x438300 DrawMenuBar
0x438304 GetMenu
0x438308 ModifyMenuA
0x43830c LoadBitmapA
0x438310 ReleaseDC
0x438314 KillTimer
0x438318 TrackPopupMenuEx
0x43831c MessageBoxA
0x438320 BeginPaint
0x438324 GetClientRect
0x438328 GetFocus
0x43832c GetIconInfo
0x438334 SetWindowLongA
0x438338 SetDlgItemInt
0x43833c SendDlgItemMessageA
0x438340 GetDlgItemInt
0x438344 GetForegroundWindow
Library GDI32.dll:
0x438038 LineTo
0x43803c CreatePolygonRgn
0x438040 FillRgn
0x438044 CreatePen
0x438048 CreateDCW
0x43804c GetDeviceCaps
0x438050 CreateDIBSection
0x438054 DeleteDC
0x438058 SaveDC
0x43805c RestoreDC
0x438060 SetDCPenColor
0x438064 GetObjectA
0x438068 CreateRectRgn
0x43806c CombineRgn
0x438070 GetStockObject
0x438074 SetBkColor
0x438078 CreateBitmap
0x43807c Escape
0x438080 CreateSolidBrush
0x438084 GetEnhMetaFileA
0x43808c CreateCompatibleDC
0x438094 SelectObject
0x438098 BitBlt
0x43809c DeleteObject
0x4380a0 MoveToEx
Library WINSPOOL.DRV:
0x43834c OpenPrinterA
0x438350 ClosePrinter
0x438354 EnumJobsA
Library ADVAPI32.dll:
0x438004 OpenProcessToken
Library SHELL32.dll:
0x438244 ShellExecuteA
0x438248 SHGetFileInfoW
0x43824c SHGetFolderPathA
Library ole32.dll:
0x438390 RevokeDragDrop
Library OLEAUT32.dll:
Library WS2_32.dll:
0x43835c gethostbyaddr
0x438360 htons
0x438364 connect
0x438368 inet_addr
Library AVIFIL32.dll:
0x438014 AVIFileInit
Library iphlpapi.dll:
0x438384 GetNetworkParams
0x438388 GetAdaptersInfo
Library SHLWAPI.dll:
0x438254 PathAppendA
0x438258 PathRemoveFileSpecA
0x43825c StrCmpNIA
Library COMCTL32.dll:
0x43801c
0x438020 ImageList_DragEnter
0x438024 ImageList_BeginDrag
Library RPCRT4.dll:
0x438238 RpcMgmtInqStats
Library gdiplus.dll:
0x438378 GdiplusShutdown
0x43837c GdiplusStartup
Library Secur32.dll:
Library dbghelp.dll:
0x438370 MiniDumpWriteDump
Library ESENT.dll:
0x438030 JetUpdate

Hosts

No hosts contacted.

TCP

Source          Source Port   Destination     Destination Port
192.168.56.101  49187         192.168.56.1    139
192.168.56.101  49188         192.168.56.1    139
192.168.56.101  49190         192.168.56.1    139

UDP

Source          Source Port   Destination                       Destination Port
192.168.56.1    137           192.168.56.101                    137
192.168.56.1    138           192.168.56.101                    138
192.168.56.101  51808         114.114.114.114                   53
192.168.56.101  51963         114.114.114.114                   53
192.168.56.101  55368         114.114.114.114                   53
192.168.56.101  60123         114.114.114.114                   53
192.168.56.101  60384         114.114.114.114                   53
192.168.56.101  137           192.168.56.255                    137
192.168.56.101  138           192.168.56.255                    138
192.168.56.101  123           20.189.79.72 (time.windows.com)   123
192.168.56.101  49713         224.0.0.252                       5355
192.168.56.101  51378         224.0.0.252                       5355
192.168.56.101  53237         224.0.0.252                       5355
192.168.56.101  53380         224.0.0.252                       5355
192.168.56.101  54178         224.0.0.252                       5355
192.168.56.101  56804         224.0.0.252                       5355
192.168.56.101  57236         224.0.0.252                       5355
192.168.56.101  58367         224.0.0.252                       5355
192.168.56.101  61680         224.0.0.252                       5355
192.168.56.101  62191         224.0.0.252                       5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.