SmartHawk

15.6

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

929dea381136f491a6b9e291182835ab8d9b190614fed258d744cac0939aada4

9b163a5ca8bdb527de702718ce487383.exe

分析耗时

134s

最近分析

文件大小

406.5KB

静态报毒动态报毒 100% 7XF2KWCRTVQ AGEN AI SCORE=100 AIDETECTVM ALI2000010 ARTEMIS ATTRIBUTE CONFIDENCE DELF GENCIRC GENERICKD GPRG HIGH CONFIDENCE HIGHCONFIDENCE HOAX HPOYXT KCLOUD KRYPTIK MALWARE1 MALWARE@#1T917CTRNPYYW MILICRY QVM10 R346410 SAGE SAGECRYPT SCORE STATIC AI SUSPICIOUS PE XRCY YMACCO ZEXAF ZOW@AQ5KSDFI ZWOQ+QIQFLQ 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!9B163A5CA8BD	20201211	6.0.6.653
Alibaba	Ransom:Win32/generic.ali2000010	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
Tencent	Malware.Win32.Gencirc.10bbe17d	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (6 个事件)

Time & API	Arguments	Status	Return
1619784413.78175 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619784414.166492 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619784421.078727 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619784421.266727 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619784428.238214 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619784428.238214 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619784421.125727 IsDebuggerPresent		failed	0	0

Command line console output was observed (3 个事件)

Time & API	Arguments	Status	Return
1619784414.776492 WriteConsoleW	buffer: 成功: 成功创建计划任务 "N0mFUQoa"。 console_handle: 0x00000007	success	1
1619784427.363214 WriteConsoleW	buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp. console_handle: 0x00000007	success	1
1619784428.238214 WriteConsoleW	buffer: 错误: 意外故障: 没有注册类 console_handle: 0x00000007	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619784398.43775 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 个事件)

section	.text1
section	.data1
section	.trace
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (2 个事件)

resource name	RCDATA
resource name	SVT

Allocates read-write-execute memory (usually to unpack itself) (50 out of 393 个事件)

Time & API	Arguments	Status
1619784403.90675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02b30000	success
1619784403.90675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02bc0000	success
1619784408.34375 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.39075 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.51575 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.59375 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.62475 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.65675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.68775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.70275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.73475 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.74975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.84375 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.85975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.93775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.95275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784408.96875 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.01575 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.06275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.18775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.23475 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.37475 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.43775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.46875 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.49975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.54675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.56275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.60975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.67175 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.67175 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.70275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.74975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784409.89075 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.01575 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.18775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.21875 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.24975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.29675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.31275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.42175 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.42175 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.46875 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.67175 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.68775 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.70275 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784410.85975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784411.01575 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784411.04675 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784411.09375 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success
1619784411.10975 NtAllocateVirtualMemory	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x03910000	success

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe

Creates a suspicious process (4 个事件)

cmdline	bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline	schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline	bcdedit.exe /set {default} recoveryenabled no

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe

A process created a hidden window (3 个事件)

Time & API	Arguments	Status	Return
1619784413.78175 ShellExecuteExW	parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F filepath: schtasks filepath_r: schtasks show_type: 0	success	1
1619784416.01575 ShellExecuteExW	parameters: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs show_type: 0	success	1
1619784426.032727 ShellExecuteExW	parameters: delete shadows /all /quiet filepath: vssadmin.exe filepath_r: vssadmin.exe show_type: 0	success	1

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619784416.01575 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.911366360055763

section

{'size_of_data': '0x00001600', 'virtual_address': '0x00049000', 'entropy': 7.911366360055763, 'name': '.text', 'virtual_size': '0x000015a0'}

description

A section with a high entropy has been found

entropy

7.48984395487257

section

{'size_of_data': '0x0001bc00', 'virtual_address': '0x0004f000', 'entropy': 7.48984395487257, 'name': '.rsrc', 'virtual_size': '0x0001baf0'}

description

A section with a high entropy has been found

entropy

0.2872996300863132

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619784427.332214 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline	schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Enumerates services, possibly for anti-virtualization (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619784425.875727 EnumServicesStatusW	service_handle: 0x005743a8 service_type: 48 service_status: 3	success	1	0

Installs itself for autorun at Windows startup (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline	schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F

Runs bcdedit commands specific to ransomware (2 个事件)

cmdline	bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline	bcdedit.exe /set {default} recoveryenabled no

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 167 个事件)

file	C:\Python27\include\boolobject.h
file	C:\Python27\Lib\test\nokia.pem
file	C:\Python27\include\rangeobject.h
file	C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem
file	C:\Python27\include\pyport.h
file	C:\Python27\include\patchlevel.h
file	C:\Python27\include\graminit.h
file	C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm
file	C:\Python27\include\grammar.h
file	C:\Python27\Lib\test\185test.db
file	C:\Python27\include\pythonrun.h
file	C:\Python27\include\pymem.h
file	C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
file	C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
file	C:\Python27\include\funcobject.h
file	C:\Python27\Lib\test\lock_tests.py
file	C:\Python27\include\dtoa.h
file	C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm
file	C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
file	C:\Python27\include\object.h
file	C:\Python27\include\intobject.h
file	C:\Python27\Lib\test\mp_fork_bomb.py
file	C:\Python27\Lib\test\keycert2.pem
file	C:\Python27\Lib\test\keycert4.pem
file	C:\Python27\include\pystate.h
file	C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm
file	C:\Python27\include\pydebug.h
file	C:\Python27\Lib\test\sortperf.py
file	C:\Python27\Lib\test\script_helper.py
file	C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm
file	C:\Python27\tcl\tix8.4.3\bitmaps\plusarm.xpm
file	C:\Python27\include\fileobject.h
file	C:\Python27\include\osdefs.h
file	C:\Python27\include\moduleobject.h
file	C:\Python27\include\traceback.h
file	C:\Python27\include\opcode.h
file	C:\Python27\Lib\test\sample_doctest.py
file	C:\Python27\include\stringobject.h
file	C:\Python27\include\pyerrors.h
file	C:\Python27\include\ucnhash.h
file	C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm
file	C:\Python27\include\intrcheck.h
file	C:\Python27\include\metagrammar.h
file	C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm
file	C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm
file	C:\Python27\include\symtable.h
file	C:\Python27\Lib\test\reperf.py
file	C:\Python27\include\longobject.h
file	C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm
file	C:\Python27\Lib\test\re_tests.py

Removes the Shadow Copy to avoid recovery of the system (1 个事件)

cmdline

vssadmin.exe delete shadows /all /quiet

Uses suspicious command line tools or Windows utilities (2 个事件)

cmdline	"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
cmdline	vssadmin.exe delete shadows /all /quiet

The process wscript.exe wrote an executable file to disk (1 个事件)

file	C:\Windows\SysWOW64\wscript.exe

Detects VirtualBox through the presence of a device (2 个事件)

file	\??\VBoxGuest
file	\??\VBoxMiniRdrDN

Detects VirtualBox through the presence of a file (1 个事件)

dll	C:\Windows\system32\VBoxMRXNP.dll

Performs 168 file moves indicative of a ransomware file encryption process (50 out of 168 个事件)

Time & API	Arguments	Status	Return
1619784416.01575 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe	success	1
1619784416.04675 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs	success	1
1619784427.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...	success	1
1619784427.938727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nokia.pem newfilepath: C:\Python27\Lib\test\nokia.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem...	success	1
1619784427.969727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\pycacert.pem newfilepath: C:\Python27\Lib\test\pycacert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem...	success	1
1619784428.032727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nullbytecert.pem newfilepath: C:\Python27\Lib\test\nullbytecert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem...	success	1
1619784428.078727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nullcert.pem newfilepath: C:\Python27\Lib\test\nullcert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem...	success	1
1619784428.110727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem newfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem...	success	1
1619784428.125727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_key.pem newfilepath: C:\Python27\Lib\test\ssl_key.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem...	success	1
1619784428.235727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\badkey.pem newfilepath: C:\Python27\Lib\test\badkey.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem...	success	1
1619784428.282727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\talos-2019-0758.pem newfilepath: C:\Python27\Lib\test\talos-2019-0758.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem...	success	1
1619784428.297727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem newfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem...	success	1
1619784428.313727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert4.pem newfilepath: C:\Python27\Lib\test\keycert4.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem...	success	1
1619784428.344727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_cert.pem newfilepath: C:\Python27\Lib\test\ssl_cert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem...	success	1
1619784428.360727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert3.pem newfilepath: C:\Python27\Lib\test\keycert3.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem...	success	1
1619784428.422727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\allsans.pem newfilepath: C:\Python27\Lib\test\allsans.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem...	success	1
1619784428.422727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\badcert.pem newfilepath: C:\Python27\Lib\test\badcert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem...	success	1
1619784428.469727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ffdh3072.pem newfilepath: C:\Python27\Lib\test\ffdh3072.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem...	success	1
1619784428.469727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert2.pem newfilepath: C:\Python27\Lib\test\keycert2.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem...	success	1
1619784428.500727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert.passwd.pem newfilepath: C:\Python27\Lib\test\keycert.passwd.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem...	success	1
1619784428.516727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\185test.db newfilepath: C:\Python27\Lib\test\185test.db.sage newfilepath_r: \\?\C:\Python27\Lib\test\185test.db.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\185test.db...	success	1
1619784428.532727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert.pem newfilepath: C:\Python27\Lib\test\keycert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem...	success	1
1619784428.532727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif newfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage newfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif...	success	1
1619784428.563727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico newfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico.sage newfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico newfilepath: C:\Python27\DLLs\py.ico.sage newfilepath_r: \\?\C:\Python27\DLLs\py.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\DLLs\py.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico newfilepath: C:\Python27\DLLs\pyc.ico.sage newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff newfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff.sage newfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff...	success	1
1619784428.625727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm...	success	1
1619784428.625727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm...	success	1
1619784428.657727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...	success	1
1619784428.657727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm...	success	1
1619784428.688727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...	success	1
1619784428.703727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...	success	1
1619784428.703727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...	success	1
1619784428.719727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...	success	1
1619784428.735727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...	success	1
1619784428.735727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...	success	1
1619784428.750727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...	success	1
1619784428.750727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...	success	1
1619784428.782727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...	success	1
1619784428.782727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...	success	1
1619784428.797727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...	success	1
1619784428.813727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...	success	1
1619784428.813727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...	success	1
1619784428.828727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...	success	1
1619784428.828727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...	success	1
1619784428.875727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...	success	1
1619784428.875727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...	success	1
1619784428.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...	success	1
1619784428.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...	success	1

Appends a new file extension or content to 168 files indicative of a ransomware file encryption process (50 out of 168 个事件)

Time & API	Arguments	Status	Return
1619784416.01575 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b163a5ca8bdb527de702718ce487383.exe	success	1
1619784416.04675 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs	success	1
1619784427.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...	success	1
1619784427.938727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nokia.pem newfilepath: C:\Python27\Lib\test\nokia.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem...	success	1
1619784427.969727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\pycacert.pem newfilepath: C:\Python27\Lib\test\pycacert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem...	success	1
1619784428.032727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nullbytecert.pem newfilepath: C:\Python27\Lib\test\nullbytecert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem...	success	1
1619784428.078727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\nullcert.pem newfilepath: C:\Python27\Lib\test\nullcert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem...	success	1
1619784428.110727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem newfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem...	success	1
1619784428.125727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_key.pem newfilepath: C:\Python27\Lib\test\ssl_key.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem...	success	1
1619784428.235727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\badkey.pem newfilepath: C:\Python27\Lib\test\badkey.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem...	success	1
1619784428.282727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\talos-2019-0758.pem newfilepath: C:\Python27\Lib\test\talos-2019-0758.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem...	success	1
1619784428.297727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem newfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem...	success	1
1619784428.313727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert4.pem newfilepath: C:\Python27\Lib\test\keycert4.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem...	success	1
1619784428.344727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ssl_cert.pem newfilepath: C:\Python27\Lib\test\ssl_cert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem...	success	1
1619784428.360727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert3.pem newfilepath: C:\Python27\Lib\test\keycert3.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem...	success	1
1619784428.422727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\allsans.pem newfilepath: C:\Python27\Lib\test\allsans.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem...	success	1
1619784428.422727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\badcert.pem newfilepath: C:\Python27\Lib\test\badcert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem...	success	1
1619784428.469727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\ffdh3072.pem newfilepath: C:\Python27\Lib\test\ffdh3072.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem...	success	1
1619784428.469727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert2.pem newfilepath: C:\Python27\Lib\test\keycert2.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem...	success	1
1619784428.500727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert.passwd.pem newfilepath: C:\Python27\Lib\test\keycert.passwd.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem...	success	1
1619784428.516727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\185test.db newfilepath: C:\Python27\Lib\test\185test.db.sage newfilepath_r: \\?\C:\Python27\Lib\test\185test.db.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\185test.db...	success	1
1619784428.532727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\keycert.pem newfilepath: C:\Python27\Lib\test\keycert.pem.sage newfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem...	success	1
1619784428.532727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif newfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage newfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif...	success	1
1619784428.563727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico newfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico.sage newfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\py.ico newfilepath: C:\Python27\DLLs\py.ico.sage newfilepath_r: \\?\C:\Python27\DLLs\py.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\DLLs\py.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\DLLs\pyc.ico newfilepath: C:\Python27\DLLs\pyc.ico.sage newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.sage flags: 1 oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico...	success	1
1619784428.578727 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff newfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff.sage newfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff.sage flags: 1 oldfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff...	success	1
1619784428.625727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm...	success	1
1619784428.625727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm...	success	1
1619784428.657727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...	success	1
1619784428.657727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm...	success	1
1619784428.688727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...	success	1
1619784428.703727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...	success	1
1619784428.703727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...	success	1
1619784428.719727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...	success	1
1619784428.735727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...	success	1
1619784428.735727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...	success	1
1619784428.750727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...	success	1
1619784428.750727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...	success	1
1619784428.782727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...	success	1
1619784428.782727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...	success	1
1619784428.797727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...	success	1
1619784428.813727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...	success	1
1619784428.813727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...	success	1
1619784428.828727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...	success	1
1619784428.828727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...	success	1
1619784428.875727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...	success	1
1619784428.875727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...	success	1
1619784428.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...	success	1
1619784428.907727 MoveFileWithProgressW	oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage flags: 1 oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...	success	1

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43557469
FireEye	Generic.mg.9b163a5ca8bdb527
McAfee	Artemis!9B163A5CA8BD
Malwarebytes	Ransom.Sage
Zillya	Trojan.SageCrypt.Win32.204
K7AntiVirus	Trojan ( 0050b2d01 )
Alibaba	Ransom:Win32/generic.ali2000010
K7GW	Trojan ( 0050b2d01 )
Cybereason	malicious.ca8bdb
Arcabit	Trojan.Generic.D298A25D
BitDefenderTheta	Gen:NN.ZexaF.34670.zOW@aq5KsDfi
Cyren	W32/Trojan.XRCY-8532
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Ransom.Win32.SageCrypt.vho
BitDefender	Trojan.GenericKD.43557469
NANO-Antivirus	Trojan.Win32.SageCrypt.hpoyxt
Rising	Stealer.Delf!8.415 (TFE:1:7xF2kwcrTVQ)
Ad-Aware	Trojan.GenericKD.43557469
Sophos	Mal/Generic-S
Comodo	Malware@#1t917ctrnpyyw
F-Secure	Heuristic.HEUR/AGEN.1115437
DrWeb	Trojan.Encoder.27265
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Mal_MiliCry-2t
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
Emsisoft	Trojan.GenericKD.43557469 (B)
Ikarus	Trojan.Win32.Crypt
Jiangmin	Trojan.SageCrypt.gg
Avira	HEUR/AGEN.1115437
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Ransom]/Win32.SageCrypt
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/Ymacco.AA72
AegisLab	Trojan.Win32.Malicious.4!c
ZoneAlarm	HEUR:Trojan-Ransom.Win32.SageCrypt.vho
GData	Trojan.GenericKD.43557469
AhnLab-V3	Trojan/Win32.Kryptik.R346410
Acronis	suspicious
VBA32	Hoax.SageCrypt
ALYac	Trojan.Ransom.Sage
TACHYON	Ransom/W32.SageCrypt.416256
ESET-NOD32	a variant of Win32/Kryptik.GPRG
TrendMicro-HouseCall	Mal_MiliCry-2t
Tencent	Malware.Win32.Gencirc.10bbe17d

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2016-07-26 19:52:35

Imports

Library KERNEL32.dll:

• 0x4300a8 OutputDebugStringW

• 0x4300ac LoadLibraryExW

• 0x4300b0 HeapReAlloc

• 0x4300b4 FreeEnvironmentStringsW

• 0x4300b8 QueryPerformanceCounter

• 0x4300bc GetModuleFileNameA

• 0x4300c0 HeapSize

• 0x4300c4 SetFilePointerEx

• 0x4300c8 FlushFileBuffers

• 0x4300cc GetConsoleMode

• 0x4300d0 GetConsoleCP

• 0x4300d4 GetModuleFileNameW

• 0x4300d8 AreFileApisANSI

• 0x4300dc GetModuleHandleExW

• 0x4300e0 ExitProcess

• 0x4300e4 GetFileType

• 0x4300e8 GetOEMCP

• 0x4300ec GetACP

• 0x4300f0 IsValidCodePage

• 0x4300f4 IsDebuggerPresent

• 0x4300f8 EnumSystemLocalesW

• 0x4300fc GetUserDefaultLCID

• 0x430100 IsValidLocale

• 0x430104 GetLocaleInfoW

• 0x430108 LCMapStringW

• 0x43010c GlobalLock

• 0x430110 GetStartupInfoW

• 0x430114 TlsFree

• 0x430118 TlsSetValue

• 0x43011c TlsGetValue

• 0x430120 TlsAlloc

• 0x430124 TerminateProcess

• 0x430128 SetStdHandle

• 0x43012c WriteConsoleW

• 0x430130 GetFileSize

• 0x430134 ReadConsoleW

• 0x430138 CreateFileW

• 0x43013c SetEndOfFile

• 0x430140 InitializeCriticalSection

• 0x430144 LoadLibraryExA

• 0x430148 GetModuleHandleExA

• 0x43014c GetCurrentProcessId

• 0x430150 GetFileInformationByHandle

• 0x430154 GetFileAttributesA

• 0x430158 GetSystemTimeAsFileTime

• 0x43015c GetLastError

• 0x430160 OpenProcess

• 0x430164 InitializeCriticalSectionAndSpinCount

• 0x430168 SetLastError

• 0x43016c SetUnhandledExceptionFilter

• 0x430170 UnhandledExceptionFilter

• 0x430174 IsProcessorFeaturePresent

• 0x430178 GetCPInfo

• 0x43017c ReadFile

• 0x430180 GlobalUnlock

• 0x430184 CloseHandle

• 0x430188 GetModuleHandleA

• 0x43018c GetProcAddress

• 0x430190 CreateEventA

• 0x430194 WaitForSingleObject

• 0x430198 ResetEvent

• 0x43019c GetEnvironmentStringsW

• 0x4301a0 lstrlenA

• 0x4301a4 GetCurrentThreadId

• 0x4301a8 lstrcatA

• 0x4301ac GetModuleHandleW

• 0x4301b0 GetCommandLineA

• 0x4301b4 RaiseException

• 0x4301b8 RtlUnwind

• 0x4301bc FormatMessageA

• 0x4301c0 GetThreadLocale

• 0x4301c4 GetStringTypeW

• 0x4301c8 MultiByteToWideChar

• 0x4301cc WideCharToMultiByte

• 0x4301d0 DeleteCriticalSection

• 0x4301d4 GetEnvironmentVariableA

• 0x4301d8 LeaveCriticalSection

• 0x4301dc EnterCriticalSection

• 0x4301e0 DecodePointer

• 0x4301e4 EncodePointer

• 0x4301e8 HeapAlloc

• 0x4301ec LoadLibraryA

• 0x4301f0 LoadLibraryW

• 0x4301f4 GlobalAlloc

• 0x4301f8 lstrcpyA

• 0x4301fc GetProcessHeap

• 0x430200 HeapFree

• 0x430204 CreateFileA

• 0x430208 GetCurrentProcess

• 0x43020c Sleep

• 0x430210 WriteFile

• 0x430214 GetStdHandle

Library USER32.dll:

• 0x43026c IsWindow

• 0x430270 GetWindowThreadProcessId

• 0x430274 AttachThreadInput

• 0x430278 GetDlgCtrlID

• 0x43027c EnableMenuItem

• 0x430280 GetMenu

• 0x430284 SendMessageA

• 0x430288 LoadBitmapA

• 0x43028c EnumWindowStationsW

• 0x430290 MsgWaitForMultipleObjects

• 0x430294 DefWindowProcA

• 0x430298 ReleaseDC

• 0x43029c GetWindow

• 0x4302a0 RegisterClassExA

• 0x4302a4 LoadIconA

• 0x4302a8 LoadCursorA

• 0x4302ac RedrawWindow

• 0x4302b0 SendDlgItemMessageW

• 0x4302b4 SetScrollRange

• 0x4302b8 SendMessageW

• 0x4302bc GetPropW

• 0x4302c0 CopyRect

• 0x4302c4 DestroyCaret

• 0x4302c8 HideCaret

• 0x4302cc EnableWindow

• 0x4302d0 DestroyMenu

• 0x4302d4 TrackPopupMenu

• 0x4302d8 CheckMenuRadioItem

• 0x4302dc GetSubMenu

• 0x4302e0 GetDlgItem

• 0x4302e4 GetDC

• 0x4302e8 GetWindowRect

• 0x4302ec LoadMenuA

• 0x4302f0 GetCursorPos

• 0x4302f4 GetClassLongA

• 0x4302f8 ShowCaret

• 0x4302fc SendMessageTimeoutA

• 0x430300 GetParent

• 0x430304 IsWindowVisible

• 0x430308 GetWindowTextA

• 0x43030c CallWindowProcA

• 0x430310 SetCaretPos

• 0x430314 MapWindowPoints

• 0x430318 SetDlgItemTextA

• 0x43031c EndDialog

• 0x430320 FindWindowA

• 0x430324 SendInput

• 0x430328 CreateCaret

• 0x43032c GetWindowLongA

Library GDI32.dll:

• 0x430058 GetObjectA

• 0x43005c SetBrushOrgEx

• 0x430060 GetTextExtentExPointA

• 0x430064 ExtTextOutA

• 0x430068 GetCurrentObject

• 0x43006c GetPaletteEntries

• 0x430070 AddFontMemResourceEx

• 0x430074 RemoveFontMemResourceEx

• 0x430078 CreateRectRgn

• 0x43007c SetAbortProc

• 0x430080 GetStockObject

• 0x430084 GetDeviceCaps

• 0x430088 SetTextColor

• 0x43008c SetBkColor

• 0x430090 GetBitmapBits

Library WINSPOOL.DRV:

• 0x430380 EnumPrintersA

• 0x430384 OpenPrinterA

• 0x430388 FindFirstPrinterChangeNotification

• 0x43038c GetPrinterA

• 0x430390 FindClosePrinterChangeNotification

• 0x430394 ClosePrinter

• 0x430398 EnumJobsA

Library ADVAPI32.dll:

• 0x430000 GetSecurityDescriptorDacl

• 0x430004 GetTokenInformation

• 0x430008 OpenProcessToken

• 0x43000c SetSecurityDescriptorDacl

• 0x430010 InitializeSecurityDescriptor

• 0x430014 GetNamedSecurityInfoA

• 0x430018 AccessCheck

• 0x43001c LookupAccountNameW

• 0x430020 GetFileSecurityA

• 0x430024 LookupAccountSidA

• 0x430028 GetAclInformation

• 0x43002c ImpersonateSelf

Library SHELL32.dll:

• 0x430258 SHQueryRecycleBinA

• 0x43025c SHEmptyRecycleBinA

Library ole32.dll:

• 0x4303c4 GetRunningObjectTable

• 0x4303c8 CreateItemMoniker

• 0x4303cc CreateStreamOnHGlobal

• 0x4303d0 CoCreateInstance

Library OLEAUT32.dll:

• 0x430224 OleLoadPicture

• 0x430228 OleSavePictureFile

Library WININET.dll:

• 0x43034c InternetOpenA

• 0x430350 InternetCanonicalizeUrlA

• 0x430354 InternetSetStatusCallback

• 0x430358 FtpSetCurrentDirectoryA

• 0x43035c InternetConnectA

Library WS2_32.dll:

• 0x4303a0 closesocket

• 0x4303a4 send

• 0x4303a8 WSAGetLastError

Library NETAPI32.dll:

• 0x43021c NetAuditClear

Library PSAPI.DLL:

• 0x430238 GetDeviceDriverFileNameA

• 0x43023c GetDeviceDriverBaseNameA

• 0x430240 EnumDeviceDrivers

• 0x430244 InitializeProcessForWsWatch

• 0x430248 EnumProcesses

Library WINMM.dll:

• 0x430364 timeGetTime

• 0x430368 waveOutWrite

• 0x43036c waveOutClose

• 0x430370 timeBeginPeriod

• 0x430374 waveOutPrepareHeader

• 0x430378 waveOutOpen

Library CRYPT32.dll:

• 0x430048 CertOpenSystemStoreA

• 0x43004c CertFreeCertificateContext

• 0x430050 CertFindCertificateInStore

Library IPHLPAPI.DLL:

• 0x4300a0 GetBestInterface

Library COMCTL32.dll:

• 0x430040

Library gdiplus.dll:

• 0x4303b0 GdipFree

• 0x4303b4 GdipDisposeImage

• 0x4303b8 GdipCloneImage

• 0x4303bc GdipAlloc

Library Secur32.dll:

• 0x430264 AcquireCredentialsHandleA

Library IMM32.dll:

• 0x430098 ImmEscapeA

Library WINHTTP.dll:

• 0x430344 WinHttpSendRequest

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49187	192.168.56.1	139
192.168.56.101	49189	192.168.56.1	139
192.168.56.101	49191	192.168.56.1	139

UDP

Source	Source Port	Destination	Destination Port
192.168.56.1	137	192.168.56.101	137
192.168.56.1	138	192.168.56.101	138
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	63497	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.