14.6
0-day

d14863ede83e63102ae3484d2c51cd2cac622e89b89c09097902fa91f3edcd7a

9b629eda783a030bfc54cba61af229a4.exe

Analysis duration: 132s

Last analysis

File size: 406.0KB
Static detection / dynamic detection: 100%
Detection tags: 8Z7SAJ ACKJ AGEN AI SCORE=100 AIDETECTVM ARTEMIS ATTRIBUTE CONFIDENCE DESHACOP DSFLBYGLZKN FILEREPMALWARE GENCIRC GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HPPAXI KCLOUD KRYPT KRYPTIK MALWARE1 MALWARE@#3FXJ1ZBUXVZM7 MILICRY MMRS RSVN SAGE SAGECRYPT SAGELOCKER SCORE STATIC AI SUSPICIOUS PE TASKER UNSAFE YMACCO ZEXAF ZGW@AWRGGZGI
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
Alibaba Trojan:Win32/Tasker.b273b238 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Avast Win32:Evo-gen [Susp] 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Tasker.an.(kcloud) 20201211 2017.9.26.565
McAfee Artemis!9B629EDA783A 20201211 6.0.6.653
Tencent Malware.Win32.Gencirc.114ad076 20201211 1.0.0.1
Static indicators
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1619799339.795125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619799340.277899
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619799351.742867
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619799351.851867
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619799357.399117
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619799357.399117
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (5 events)
Time & API Arguments Status Return Repeated
1619799324.342125
IsDebuggerPresent
failed 0 0
1619799338.671703
IsDebuggerPresent
failed 0 0
1619799340.273867
IsDebuggerPresent
failed 0 0
1619799351.789867
IsDebuggerPresent
failed 0 0
1619799352.151672
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619799340.918899
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1619799356.524117
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619799357.415117
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)
section .text1
section .data1
section .trace
section _RDATA
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name RCDATA
resource name SVT
One or more processes crashed (50 out of 22852 events)
Time & API Arguments Status Return Repeated
1619799333.873125
__exception__
stacktrace:
9b629eda783a030bfc54cba61af229a4+0x3a67 @ 0x403a67

registers.esp: 1631328
registers.edi: 0
registers.eax: 0
registers.ebp: 1632216
registers.edx: 0
registers.ebx: 1632224
registers.esi: 3
registers.ecx: 0
exception.instruction_r: 89 02 c7 45 fc ff ff ff ff 8b 43 08 88 85 8b fc
exception.symbol: 9b629eda783a030bfc54cba61af229a4+0xbf40
exception.instruction: mov dword ptr [edx], eax
exception.module: 9b629eda783a030bfc54cba61af229a4.exe
exception.exception_code: 0xc0000005
exception.offset: 48960
exception.address: 0x40bf40
success 0 0
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 437 events)
Time & API Arguments Status Return Repeated
1619799324.936125
NtAllocateVirtualMemory
process_identifier: 520
region_size: 794624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02930000
success 0 0
1619799324.936125
NtAllocateVirtualMemory
process_identifier: 520
region_size: 155648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02970000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (16 events)
Time & API Arguments Status Return Repeated
1619799333.014125
GetDiskFreeSpaceW
root_path: V:\
sectors_per_cluster: 5339664
number_of_free_clusters: 1631904
total_number_of_clusters: 5339664
bytes_per_sector: 0
failed 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619799339.795125
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1619799342.607125
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1619799356.117867
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619799342.607125
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.467748759361578 section {'size_of_data': '0x00019a00', 'virtual_address': '0x00052000', 'entropy': 7.467748759361578, 'name': '.rsrc', 'virtual_size': '0x000199dc'} description A section with a high entropy has been found
entropy 0.25308641975308643 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619799356.524117
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619799355.742867
EnumServicesStatusW
service_handle: 0x040a3e48
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 403 events)
Removes the Shadow Copy to avoid recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command line tools or Windows utilities (2 events)
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
cmdline vssadmin.exe delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (1 event)
dll C:\Windows\system32\VBoxMRXNP.dll
Performs 404 file moves indicative of a ransomware file encryption process (50 out of 404 events)
Time & API Arguments Status Return Repeated
1619799342.607125
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
success 1 0
1619799342.623125
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
success 1 0
1619799357.992867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem
newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...
success 1 0
1619799358.664867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...
success 1 0
1619799358.664867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...
success 1 0
1619799358.695867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...
success 1 0
1619799358.711867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...
success 1 0
1619799358.711867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...
success 1 0
1619799358.742867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...
success 1 0
1619799358.742867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...
success 1 0
1619799358.758867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...
success 1 0
1619799358.773867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...
success 1 0
1619799358.789867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...
success 1 0
1619799358.789867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...
success 1 0
1619799358.836867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...
success 1 0
1619799358.836867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...
success 1 0
1619799358.867867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...
success 1 0
1619799358.883867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...
success 1 0
1619799358.883867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...
success 1 0
1619799358.914867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...
success 1 0
1619799358.914867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...
success 1 0
1619799358.930867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...
success 1 0
1619799358.945867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...
success 1 0
Appends a new file extension or content to 404 files indicative of a ransomware file encryption process (50 out of 404 events)
Time & API Arguments Status Return Repeated
1619799342.607125
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9b629eda783a030bfc54cba61af229a4.exe
success 1 0
1619799342.623125
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
success 1 0
1619799357.992867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem
newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...
success 1 0
1619799358.023867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\pycacert.pem
newfilepath: C:\Python27\Lib\test\pycacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem...
success 1 0
1619799358.055867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nokia.pem
newfilepath: C:\Python27\Lib\test\nokia.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem...
success 1 0
1619799358.086867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullcert.pem
newfilepath: C:\Python27\Lib\test\nullcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem...
success 1 0
1619799358.101867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem
newfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem...
success 1 0
1619799358.117867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.pem
newfilepath: C:\Python27\Lib\test\ssl_key.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem...
success 1 0
1619799358.148867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badkey.pem
newfilepath: C:\Python27\Lib\test\badkey.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem...
success 1 0
1619799358.164867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullbytecert.pem
newfilepath: C:\Python27\Lib\test\nullbytecert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem...
success 1 0
1619799358.195867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\talos-2019-0758.pem
newfilepath: C:\Python27\Lib\test\talos-2019-0758.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem...
success 1 0
1619799358.211867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert4.pem
newfilepath: C:\Python27\Lib\test\keycert4.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem...
success 1 0
1619799358.258867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert3.pem
newfilepath: C:\Python27\Lib\test\keycert3.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem...
success 1 0
1619799358.258867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
newfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem...
success 1 0
1619799358.320867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_cert.pem
newfilepath: C:\Python27\Lib\test\ssl_cert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem...
success 1 0
1619799358.351867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\allsans.pem
newfilepath: C:\Python27\Lib\test\allsans.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem...
success 1 0
1619799358.398867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badcert.pem
newfilepath: C:\Python27\Lib\test\badcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem...
success 1 0
1619799358.414867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ffdh3072.pem
newfilepath: C:\Python27\Lib\test\ffdh3072.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem...
success 1 0
1619799358.414867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert2.pem
newfilepath: C:\Python27\Lib\test\keycert2.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem...
success 1 0
1619799358.430867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.passwd.pem
newfilepath: C:\Python27\Lib\test\keycert.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem...
success 1 0
1619799358.445867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.pem
newfilepath: C:\Python27\Lib\test\keycert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem...
success 1 0
1619799358.461867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\185test.db
newfilepath: C:\Python27\Lib\test\185test.db.sage
newfilepath_r: \\?\C:\Python27\Lib\test\185test.db.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\185test.db...
success 1 0
1619799358.492867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif
newfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
newfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif...
success 1 0
1619799358.492867
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\py.ico
newfilepath: C:\Python27\DLLs\py.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\py.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\py.ico...
success 1 0
1619799358.523867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico
newfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico.sage
newfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico...
success 1 0
1619799358.539867
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\pyc.ico
newfilepath: C:\Python27\DLLs\pyc.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico...
success 1 0
1619799358.570867
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff
newfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff.sage
newfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff...
success 1 0
1619799358.570867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm...
success 1 0
1619799358.617867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm...
success 1 0
1619799358.617867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm...
success 1 0
1619799358.664867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...
success 1 0
1619799358.664867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...
success 1 0
1619799358.695867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...
success 1 0
1619799358.711867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...
success 1 0
1619799358.711867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...
success 1 0
1619799358.742867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...
success 1 0
1619799358.742867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...
success 1 0
1619799358.758867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...
success 1 0
1619799358.773867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...
success 1 0
1619799358.789867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...
success 1 0
1619799358.789867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...
success 1 0
1619799358.836867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...
success 1 0
1619799358.836867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...
success 1 0
1619799358.867867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...
success 1 0
1619799358.883867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...
success 1 0
1619799358.883867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...
success 1 0
1619799358.914867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...
success 1 0
1619799358.914867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...
success 1 0
1619799358.930867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...
success 1 0
1619799358.945867
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...
success 1 0
Visual Analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2017-02-22 00:05:53

Imports

Library KERNEL32.dll:
0x429084 ReadConsoleW
0x429088 SetEndOfFile
0x42908c CreateFileW
0x429090 LCMapStringW
0x429094 HeapReAlloc
0x429098 WriteConsoleW
0x42909c SetFilePointerEx
0x4290a0 FlushFileBuffers
0x4290a4 OutputDebugStringW
0x4290a8 HeapSize
0x4290bc GetModuleFileNameA
0x4290c0 VirtualQuery
0x4290c4 GetStringTypeW
0x4290c8 GetCurrentThreadId
0x4290cc GetCPInfo
0x4290d0 GetOEMCP
0x4290d4 GetACP
0x4290d8 IsValidCodePage
0x4290dc LoadLibraryExW
0x4290e0 GetModuleHandleW
0x4290e4 GetStartupInfoW
0x4290e8 HeapCreate
0x4290ec TlsSetValue
0x4290f0 LoadLibraryExA
0x4290f4 TlsAlloc
0x4290f8 TerminateProcess
0x4290fc GetCurrentProcess
0x429104 SetLastError
0x429114 GetConsoleMode
0x429118 GetConsoleCP
0x42911c SetStdHandle
0x429120 DeleteFileW
0x429124 GetModuleHandleExA
0x429128 GetFileTime
0x429134 GlobalAlloc
0x429138 GlobalLock
0x42913c GlobalUnlock
0x429140 FindFirstFileA
0x429144 FindNextFileA
0x429148 CreateFileA
0x42914c GetFileType
0x429150 GetFileSize
0x429154 Sleep
0x429158 GetVersionExA
0x42915c GetCurrentProcessId
0x429160 WideCharToMultiByte
0x429164 ReadFile
0x429168 CloseHandle
0x42916c GetProcessHeap
0x429170 GetModuleFileNameW
0x429174 HeapAlloc
0x429180 lstrlenA
0x429184 WriteFile
0x429188 GetStdHandle
0x429190 IsDebuggerPresent
0x429194 GetCommandLineA
0x4291a0 RaiseException
0x4291a4 RtlUnwind
0x4291a8 MultiByteToWideChar
0x4291ac AreFileApisANSI
0x4291b0 GetProcAddress
0x4291b4 GetModuleHandleExW
0x4291b8 ExitProcess
0x4291bc DecodePointer
0x4291c0 EncodePointer
0x4291c8 HeapFree
0x4291cc FormatMessageA
0x4291d0 GetThreadLocale
0x4291d4 LoadLibraryA
0x4291d8 GetDiskFreeSpaceW
0x4291dc GlobalFree
0x4291e0 GlobalSize
0x4291e4 GetCommState
0x4291e8 GetLastError
0x4291ec TlsGetValue
0x4291f0 lstrcpyA
0x4291f4 TlsFree
Library USER32.dll:
0x429250 SendMessageA
0x429254 OffsetRect
0x429258 BeginDeferWindowPos
0x42925c DeferWindowPos
0x429260 CheckMenuRadioItem
0x429264 GetMenu
0x429268 IsDlgButtonChecked
0x42926c EndDeferWindowPos
0x429270 GetCursorPos
0x429274 CreatePopupMenu
0x429278 DefWindowProcA
0x42927c EndDialog
0x429280 GetWindowTextA
0x429284 SetWindowTextA
0x429288 UpdateWindow
0x42928c ScrollWindowEx
0x429290 SetScrollInfo
0x429294 ReleaseDC
0x429298 GetDC
0x42929c PostQuitMessage
0x4292a0 DestroyWindow
0x4292a4 MoveWindow
0x4292ac SetFocus
0x4292b0 GetClassNameA
0x4292b4 DefMDIChildProcA
0x4292b8 EnumDisplayDevicesA
0x4292bc LoadImageA
0x4292c0 InvalidateRect
0x4292c4 SetScrollPos
0x4292c8 SetTimer
0x4292cc CreateWindowExA
0x4292d0 SetScrollRange
0x4292d4 TrackPopupMenuEx
0x4292d8 GetClientRect
0x4292dc GetScrollPos
0x4292e0 EndPaint
0x4292e4 GetDialogBaseUnits
0x4292e8 GetWindowLongA
0x4292ec OpenClipboard
0x4292f0 EmptyClipboard
0x4292f4 SetClipboardData
0x4292f8 CloseClipboard
0x4292fc LoadCursorA
0x429300 CopyIcon
0x429304 GetCursorInfo
0x429308 SetSystemCursor
0x42930c IsWindow
0x429310 GetDesktopWindow
0x429314 GetParent
0x429318 GetWindow
0x42931c wsprintfA
0x429320 GetClipboardData
0x429324 BeginPaint
0x429328 SetRect
0x42932c GetDlgItem
Library GDI32.dll:
0x429018 CreateDCA
0x42901c CreateDIBSection
0x429020 SetBkColor
0x429024 DeleteObject
0x429028 BitBlt
0x42902c CreateCompatibleDC
0x429030 CreateSolidBrush
0x429034 SetBkMode
0x429038 ChoosePixelFormat
0x42903c SetPixelFormat
0x429040 SetTextColor
0x429044 GetCurrentObject
0x429048 GetDeviceCaps
0x42904c DeleteDC
0x429050 TextOutA
0x429054 GetStockObject
0x429058 SelectObject
0x42905c GetObjectA
Library WINSPOOL.DRV:
0x429360 EnumPrintersA
Library COMDLG32.dll:
0x429008 GetOpenFileNameA
Library ADVAPI32.dll:
Library SHELL32.dll:
0x429240 SHParseDisplayName
0x429244 SHGetFolderPathA
0x429248 SHBindToParent
Library ole32.dll:
0x4293b8 CoGetCallContext
Library OLEAUT32.dll:
0x429214 VariantInit
0x429218 VariantCopy
0x42921c LoadTypeLibEx
Library WS2_32.dll:
0x429368 getnameinfo
0x42936c ioctlsocket
0x429370 sendto
0x429374 closesocket
0x429378 WSAAsyncSelect
0x42937c WSAStringToAddressW
0x429380 setsockopt
0x429384 htons
0x429388 socket
0x42938c recvfrom
0x429390 bind
Library NETAPI32.dll:
0x429200 NetWkstaGetInfo
Library WINMM.dll:
0x429348 midiOutShortMsg
0x42934c waveOutOpen
0x429350 midiOutOpen
0x429354 midiOutGetDevCapsA
0x429358 midiOutGetNumDevs
Library CRYPT32.dll:
Library IPHLPAPI.DLL:
0x429070 GetExtendedTcpTable
0x429074 IcmpCreateFile
0x429078 IcmpCloseHandle
Library pdh.dll:
0x4293c0 PdhCollectQueryData
Library gdiplus.dll:
0x429398 GdiplusStartup
0x42939c GdipAlloc
0x4293a0 GdipCloneImage
0x4293a4 GdipFree
0x4293a8 GdipDisposeImage
Library OPENGL32.dll:
0x429224 wglCreateContext
0x429228 glMatrixMode
0x42922c glLoadIdentity
0x429230 glClearColor
0x429234 glViewport
0x429238 glShadeModel
Library GLU32.dll:
0x429064 gluPerspective
Library WINHTTP.dll:
0x42933c WinHttpCloseHandle
0x429340 WinHttpConnect
Library USP10.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49187 192.168.56.1 139
192.168.56.101 49188 192.168.56.1 139
192.168.56.101 49190 192.168.56.1 139

UDP

Source Source Port Destination Destination Port
192.168.56.1 137 192.168.56.101 137
192.168.56.1 138 192.168.56.101 138
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.