13.4
0-day

SHA256: 6e9c9b72d1bdb993184c7aa05d961e706a57b3becf151ca4f883a80a07fdd955
File name: be13334c44f2e0331a6d1d6460ff9359.exe
Analysis duration: 130s
File size: 1.1MB
Static detection / Dynamic detection tags: 0NA103IC20 100% AGEN AI SCORE=100 ANCI CCMW CLOUD CONFIDENCE COSSTA ENCPK EVW@AMNOD@EG GENERICKDZ HGIASQWA HGMS HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#18D95L8WNLET2 MULDROP13 PGCP PHOBOS PINKSBOT R + MAL RANSOMWARE RAZY SAVE SCORE STATIC AI SUFF SUSGEN UNSAFE WACATAC ZEXAF
鹰眼引擎 (Eagle Eye engine)
Not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | W32/PinkSbot-HD!BE13334C44F2 | 20210404 | 6.0.6.653
Alibaba | Trojan:Win32/Cossta.41e0f057 | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | Win32:Trojan-gen | 20210404 | 21.1.5827.0
Tencent | Win32.Trojan.Cossta.Pgcp | 20210404 | 1.0.0.1
Kingsoft | (no detection) | 20210404 | 2017.9.26.565
CrowdStrike | win/malicious_confidence_100% (W) | 20210203 | 1.0
Note: the named detections (PinkSbot, Cossta, Trojan-gen) are generic family labels. The tag cloud above includes PHOBOS and RANSOMWARE, which is consistent with the ".id[<id>-<tag>].[<e-mail>].eking" renaming seen throughout the behaviour sections below.
Static indicators
Queries for the computer name (2 events)
Time | API | Arguments | Status | Return | Repeated
1620994244.626501 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620994255.016501 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks if process is being debugged by a debugger (1 event)
Time | API | Arguments | Status | Return | Repeated
1620994244.766501 | IsDebuggerPresent | (none) | failed | 0 | 0
Note: the hook marks any zero return as "failed"; for IsDebuggerPresent a return of 0 simply means no debugger was reported, so the check ran and passed from the sample's point of view.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\libGLESv2.dll
Note: files from this same Chrome directory appear in the "drops unknown file mime types" list below, so this access fits the filesystem walk that precedes encryption rather than a targeted browser lookup.
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1620994239.047501 | GlobalMemoryStatusEx | (none) | success | 1 | 0
Behavioural verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time | API | Arguments | Status | Return | Repeated
1620994236.376501 | NtAllocateVirtualMemory | process_identifier: 196, process_handle: 0xffffffff, base_address: 0x00740000, region_size: 1069056, allocation_type: 4096 (MEM_COMMIT), protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0 | success | 0 | 0
1620994236.391501 | NtProtectVirtualMemory | process_identifier: 196, process_handle: 0xffffffff, base_address: 0x00400000, length: 1069056, protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0 | success | 0 | 0
1620994244.782501 | NtProtectVirtualMemory | process_identifier: 196, process_handle: 0xffffffff, base_address: 0x03930000, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1 | success | 0 | 0
Note: process_handle 0xffffffff is the current-process pseudo-handle, so all three calls act on the sample itself. The second call makes 1069056 bytes at 0x00400000 writable and executable, the same length as the fresh commit at 0x00740000; 0x00400000 is the default image base of a 32-bit executable, so the sample is very likely rewriting its own mapped image in place, which is what the "unpack" wording refers to. The 4096-byte region at 0x03930000 is a single page made RWX eight seconds later.
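The three calls above read as a classic unpacking sequence: a fresh RWX commit, then the same length made RWX at the image base, then a single RWX page. The Python below is an added example (not code from this report, and not the sandbox's own signature logic) that reproduces that reasoning over API records shaped like the rows above. The image base of 0x00400000 is an assumption, since the report does not state it; the record layout and the constructed call list (values copied from the three rows) are mine.

```python
# Added example: heuristic over Cuckoo-style API records for "RWX memory, probably unpacking".
PAGE_EXECUTE_READWRITE = 0x40   # the protection value 64 in the report
MEM_COMMIT = 0x1000             # the allocation_type value 4096 in the report

# Assumption: the sample's image base. Not stated in the report; 0x00400000 is the
# default base of a 32-bit PE and matches the second NtProtectVirtualMemory call.
DEFAULT_IMAGE_BASE = 0x00400000


def rwx_findings(calls, image_base=DEFAULT_IMAGE_BASE):
    """Return one finding per call that makes memory RWX.

    calls: list of {"api": str, "args": dict} using the argument names from the report.
    A NtProtectVirtualMemory on the image base whose length equals an earlier fresh RWX
    commit is the strongest indicator: the mapped executable is being rewritten with
    data that was first staged in the fresh buffer.
    """
    fresh_sizes = set()
    findings = []
    for call in calls:
        api, args = call["api"], call["args"]
        if args.get("protection") != PAGE_EXECUTE_READWRITE:
            continue
        if api == "NtAllocateVirtualMemory" and args.get("allocation_type", 0) & MEM_COMMIT:
            fresh_sizes.add(args["region_size"])
            findings.append({"api": api, "base": args["base_address"],
                             "size": args["region_size"], "kind": "fresh_rwx_commit"})
        elif api == "NtProtectVirtualMemory":
            kind = "image_made_rwx" if args["base_address"] == image_base else "rwx_reprotect"
            findings.append({"api": api, "base": args["base_address"], "size": args["length"],
                             "kind": kind,
                             "size_matches_fresh_commit": args["length"] in fresh_sizes})
    return findings


def likely_unpacking(calls, image_base=DEFAULT_IMAGE_BASE):
    """True when the image itself was made RWX with a length matching a fresh RWX commit."""
    return any(f["kind"] == "image_made_rwx" and f["size_matches_fresh_commit"]
               for f in rwx_findings(calls, image_base))


# Constructed input: the three events of this section, values copied from the report.
REPORT_CALLS = [
    {"api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 196, "region_size": 1069056, "protection": 0x40,
              "allocation_type": 0x1000, "base_address": 0x00740000}},
    {"api": "NtProtectVirtualMemory",
     "args": {"process_identifier": 196, "length": 1069056, "protection": 0x40,
              "base_address": 0x00400000}},
    {"api": "NtProtectVirtualMemory",
     "args": {"process_identifier": 196, "length": 4096, "protection": 0x40,
              "base_address": 0x03930000}},
]

if __name__ == "__main__":
    for f in rwx_findings(REPORT_CALLS):
        print(f"{f['api']:<24} base=0x{f['base']:08x} size={f['size']:>8} {f['kind']}")
    print("likely unpacking:", likely_unpacking(REPORT_CALLS))
```

Run stand-alone it prints the three findings and "likely unpacking: True". The size match is the part worth keeping in a real signature: plenty of legitimate JIT-style code commits RWX pages, but very little of it re-protects its own image at exactly the size of a buffer it just allocated.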
A process attempted to delay the analysis task (1 event)
description be13334c44f2e0331a6d1d6460ff9359.exe tried to sleep 173 seconds, actually delayed analysis time by 173 seconds
Steals private information from local Internet browsers (9 events)
Note: every entry here is a Chrome profile database or its journal (previews_opt_out.db, Databases.db, heavy_ad_intervention_opt_out.db), and three already carry the ransom suffix. The signature is firing on the encryption walk through the profile directory, not on credential or cookie theft.
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db.id[38C63B41-2987].[wiruxa@airmail.cc].eking
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.id[38C63B41-2987].[wiruxa@airmail.cc].eking
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db.id[38C63B41-2987].[wiruxa@airmail.cc].eking
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal
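The renamed files above all follow one fixed scheme: the original name, then ".id[<8 hex chars>-<4 digits>]", the operator's contact address in brackets, and the new extension. The Python below is an added example, not code from the report or from the sample, that pulls those fields out of any path list taken from a report like this one and counts marked versus untouched files. The field names (victim_id, tag, contact) are my labels, the report does not name the parts, and the nine input paths are constructed from the list above.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme visible in this report:
#   <original name>.id[<8 hex chars>-<4 digits>].[<contact e-mail>].<extension>
#   e.g. previews_opt_out.db.id[38C63B41-2987].[wiruxa@airmail.cc].eking
# Group names are my own labels (assumption); the report does not name the fields.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<tag>\d{4})\]"
    r"\.\[(?P<contact>[^\]]+@[^\]]+)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(path):
    """Decompose a ransomware-renamed path; return None for names without the marker."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME.match(p.name)
    if not m:
        return None
    fields = m.groupdict()
    fields["directory"] = str(p.parent)
    return fields


def summarize(paths):
    """Count marked vs. unmarked paths and group markers by (victim_id, contact, extension).

    More than one marker in a single report would mean either two samples or a sample
    that changes its id per volume, both of which are worth a second look.
    """
    hits = [f for f in (parse_encrypted_name(p) for p in paths) if f]
    markers = Counter((f["victim_id"], f["contact"], f["extension"]) for f in hits)
    return {"encrypted": len(hits), "untouched": len(paths) - len(hits),
            "markers": dict(markers)}


# Constructed input: the nine Chrome profile paths listed in this section of the report.
CHROME_DIR = r"C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default"
SUFFIX = ".id[38C63B41-2987].[wiruxa@airmail.cc].eking"
REPORT_PATHS = [
    CHROME_DIR + r"\previews_opt_out.db" + SUFFIX,
    CHROME_DIR + r"\databases\Databases.db" + SUFFIX,
    CHROME_DIR + r"\databases\Databases.db-journal",
    CHROME_DIR + r"\databases\Databases.db",
    CHROME_DIR + r"\previews_opt_out.db-journal",
    CHROME_DIR + r"\heavy_ad_intervention_opt_out.db",
    CHROME_DIR + r"\previews_opt_out.db",
    CHROME_DIR + r"\heavy_ad_intervention_opt_out.db" + SUFFIX,
    CHROME_DIR + r"\heavy_ad_intervention_opt_out.db-journal",
]

if __name__ == "__main__":
    for path in REPORT_PATHS:
        f = parse_encrypted_name(path)
        print(("MARKED  " if f else "plain   ") + PureWindowsPath(path).name)
    print(summarize(REPORT_PATHS))
```

The regex anchors on the ".id[" marker rather than on the final extension, so it still matches if an affiliate changes the extension; only the bracketed id and contact block are fixed by the scheme. Feeding it the whole "drops unknown file mime types" list from a report gives the victim id and contact address without opening a ransom note.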
Creates a shortcut to an executable file (50 out of 80 events)
Note: these are pre-existing Start Menu and Microsoft Games shortcuts, and several of the same .lnk files (Performance Monitor.lnk, Sidebar.lnk, SpiderSolitaireMCE.lnk) appear in the deletion list further down. The sample is rewriting existing shortcuts as part of encryption, not dropping new ones.
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\More Games from Microsoft.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Hearts.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk
file C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Chess.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Solitaire.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Purble Place.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python (command line).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Minesweeper.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Uninstall Python.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk
Creates a suspicious process (2 events)
cmdline C:\Windows\System32\cmd.exe
cmdline wmic shadowcopy delete
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time | API | Arguments | Status | Return | Repeated
1620994244.579501 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | success | 1 | 0
1620994250.298124 | LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | success | 1 | 0
Note: LookupPrivilegeValueW only resolves the LUID; enabling the privilege is a separate AdjustTokenPrivileges call that this report does not show. SeDebugPrivilege allows opening other processes regardless of their ACLs, and SeBackupPrivilege allows reading files regardless of theirs, which is useful to a process that intends to encrypt everything it can reach.
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 98 events)
Time | API | Arguments | Status | Return | Repeated
1620994245.141501 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x000001d0, process_identifier: 1108 | failed | 0 | 0
1620994245.766501 | Process32NextW | process_name: conhost.exe, snapshot_handle: 0x000001d4, process_identifier: 708 | failed | 0 | 0
1620994246.501501 | Process32NextW | process_name: is32bit.exe, snapshot_handle: 0x00000290, process_identifier: 1688 | failed | 0 | 0
1620994247.079501 | Process32NextW | process_name: is32bit.exe, snapshot_handle: 0x000002a0, process_identifier: 1688 | failed | 0 | 0
1620994247.829501 | Process32NextW | process_name: is32bit.exe, snapshot_handle: 0x00000290, process_identifier: 2860 | failed | 0 | 0
1620994248.391501 | Process32NextW | process_name: is32bit.exe, snapshot_handle: 0x0000029c, process_identifier: 2860 | failed | 0 | 0
1620994248.969501 | Process32NextW | process_name: inject-x64.exe, snapshot_handle: 0x00000250, process_identifier: 1176 | failed | 0 | 0
1620994249.563501 | Process32NextW | process_name: inject-x64.exe, snapshot_handle: 0x00000290, process_identifier: 1176 | failed | 0 | 0
1620994250.469501 | Process32NextW | process_name: netsh.exe, snapshot_handle: 0x00000290, process_identifier: 2424 | failed | 0 | 0
1620994251.641501 | Process32NextW | process_name: netsh.exe, snapshot_handle: 0x00000238, process_identifier: 2424 | failed | 0 | 0
1620994252.438501 | Process32NextW | process_name: netsh.exe, snapshot_handle: 0x00000290, process_identifier: 2424 | failed | 0 | 0
1620994253.079501 | Process32NextW | process_name: netsh.exe, snapshot_handle: 0x00000254, process_identifier: 2424 | failed | 0 | 0
1620994253.610501 | Process32NextW | process_name: netsh.exe, snapshot_handle: 0x000001a4, process_identifier: 2424 | failed | 0 | 0
1620994254.204501 | Process32NextW | process_name: VSSVC.exe, snapshot_handle: 0x000002a8, process_identifier: 2128 | failed | 0 | 0
1620994254.985501 | Process32NextW | process_name: VSSVC.exe, snapshot_handle: 0x000002a8, process_identifier: 2128 | failed | 0 | 0
1620994255.860501 | Process32NextW | process_name: VSSVC.exe, snapshot_handle: 0x000001e0, process_identifier: 2128 | failed | 0 | 0
1620994256.438501 | Process32NextW | process_name: VSSVC.exe, snapshot_handle: 0x0000028c, process_identifier: 2128 | failed | 0 | 0
1620994257.501501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x00000304, process_identifier: 2948 | failed | 0 | 0
1620994258.157501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000001a4, process_identifier: 2948 | failed | 0 | 0
1620994258.938501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002b8, process_identifier: 2948 | failed | 0 | 0
1620994259.532501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994260.188501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994260.907501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000001a4, process_identifier: 2948 | failed | 0 | 0
1620994261.626501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x00000310, process_identifier: 2948 | failed | 0 | 0
1620994262.157501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x0000028c, process_identifier: 2948 | failed | 0 | 0
1620994262.797501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000001a4, process_identifier: 2948 | failed | 0 | 0
1620994263.641501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x0000028c, process_identifier: 2948 | failed | 0 | 0
1620994264.532501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x0000030c, process_identifier: 2948 | failed | 0 | 0
1620994265.344501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994266.188501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x0000028c, process_identifier: 2948 | failed | 0 | 0
1620994266.844501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x00000290, process_identifier: 2948 | failed | 0 | 0
1620994267.563501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994268.219501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994269.157501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x000002cc, process_identifier: 2948 | failed | 0 | 0
1620994270.032501 | Process32NextW | process_name: svchost.exe, snapshot_handle: 0x0000030c, process_identifier: 2948 | failed | 0 | 0
1620994270.766501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000002b4, process_identifier: 3176 | failed | 0 | 0
1620994271.579501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x0000029c, process_identifier: 3176 | failed | 0 | 0
1620994272.188501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000001a4, process_identifier: 3176 | failed | 0 | 0
1620994273.297501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000002bc, process_identifier: 3176 | failed | 0 | 0
1620994274.047501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000001e0, process_identifier: 3176 | failed | 0 | 0
1620994275.016501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000001e0, process_identifier: 3176 | failed | 0 | 0
1620994275.735501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000002bc, process_identifier: 3176 | failed | 0 | 0
1620994276.688501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000002cc, process_identifier: 3176 | failed | 0 | 0
1620994277.501501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x0000028c, process_identifier: 3176 | failed | 0 | 0
1620994278.235501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x00000314, process_identifier: 3176 | failed | 0 | 0
1620994278.891501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x00000330, process_identifier: 3176 | failed | 0 | 0
1620994279.719501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x0000029c, process_identifier: 3176 | failed | 0 | 0
1620994280.516501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x000001a4, process_identifier: 3176 | failed | 0 | 0
1620994281.516501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x00000228, process_identifier: 3176 | failed | 0 | 0
1620994282.172501 | Process32NextW | process_name: dllhost.exe, snapshot_handle: 0x0000021c, process_identifier: 3176 | failed | 0 | 0
Note: Process32NextW returns FALSE (ERROR_NO_MORE_FILES) once a snapshot is exhausted, so each "failed" row marks the end of one complete walk of the process list, and the process_name column is the PROCESSENTRY32 buffer at that moment, i.e. the last process the walk reached, not a name the sample was looking for. A fresh snapshot roughly every second for the whole run is a process-enumeration loop, not a search for a browser. is32bit.exe and inject-x64.exe are the sandbox's own helper binaries, not part of the sample; netsh.exe and VSSVC.exe appearing mid-run line up with the firewall and shadow-copy commands listed below.
Uses Windows utilities for basic Windows functionality (2 events)
cmdline netsh advfirewall set currentprofile state off
cmdline wmic shadowcopy delete
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Note: 172.217.0.0/16 is Google address space and the guest has Chrome installed; the report does not attribute this connection to a process, so treat it as possible background browser or update traffic rather than confirmed sample traffic until a process attribution is available.
Installs itself for autorun at Windows startup (3 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be13334c44f2e0331a6d1d6460ff9359 reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\be13334c44f2e0331a6d1d6460ff9359.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\be13334c44f2e0331a6d1d6460ff9359 reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\be13334c44f2e0331a6d1d6460ff9359.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[38C63B41-2987].[wiruxa@airmail.cc].eking
Note: both the machine-wide and the per-user Run key are pointed at a file carrying the sample's own name under the user's AppData\Local directory, with the value name equal to that file's stem. The third entry is the Startup folder's desktop.ini already renamed with the ransom suffix: it shows the encryption walk reached the Startup folder, not a third persistence mechanism.
Operates on local firewall's policies and settings (1 event)
cmdline netsh advfirewall set currentprofile state off
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\Python27\agent.pyw
Note: the deletion list below contains dozens of other files under C:\Python27, so this access fits the filesystem walk that precedes encryption at least as well as a deliberate check for the sandbox agent.
Drops 108 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 108 events)
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ro.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ml.pak
file C:\ProgramData\Microsoft\Windows\DRM\blackbox.bin
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fa.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\th.pak
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.cat
file C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-CN.pak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db
file C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\5d91c0b736f4f8dbdd317cf8a037fced_f86f21bc-e5d8-4e58-9fce-2ae2b7f127ee
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\v8_context_snapshot.bin
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-TW.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lv.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\am.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db
file C:\Users\Oskar\AppData\Local\IconCache.db
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.dir
file C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWddm.cat
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nb.pak
file C:\Program Files\Google\Chrome\Application\SetupMetrics\20210411204935.pma
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.cat
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bg.pak
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak
file C:\Program Files\Google\Chrome\Application\SetupMetrics\20210411204910.pma
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\el.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nl.pak
Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 607 events)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
file C:\Python27\Lib\collections.pyc
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ta.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ro.dll
file C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\Python27\Lib\bsddb\test\test_thread.py
file C:\Python27\include\pythonrun.h
file C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file C:\Python27\Lib\bisect.pyc
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak
file C:\Python27\include\dtoa.h
file C:\Program Files (x86)\Google\Update\1.3.36.72\psmachine.dll
file C:\Python27\Lib\antigravity.py
file C:\Python27\Lib\chunk.py
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_lv.dll
file C:\Python27\include\bufferobject.h
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ar.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_cs.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_sr.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_hi.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_kn.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\psuser_64.dll
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
file C:\Python27\Lib\codeop.py
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs
file C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk
file C:\Python27\Lib\Bastion.py
file C:\Python27\include\tupleobject.h
file C:\Python27\Lib\commands.py
file C:\Python27\include\sliceobject.h
file C:\Python27\Lib\bsddb\dbshelve.py
file C:\Python27\include\pyerrors.h
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_el.dll
file C:\Users\Oskar\AppData\Local\IconCache.db
file C:\Python27\include\intrcheck.h
file C:\Python27\Lib\ast.py
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\Python27\Lib\bsddb\dbutils.py
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db
file C:\Python27\include\symtable.h
file C:\Program Files\Google\Chrome\Application\master_preferences
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_da.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
Removes the Shadow Copy to avoid recovery of the system (2 events)
cmdline vssadmin delete shadows /all /quiet
cmdline wmic shadowcopy delete
Uses suspicious command line tools or Windows utilities (1 event)
cmdline vssadmin delete shadows /all /quiet
Note: both commands require administrative rights. The profile path C:\Users\Administrator.Oskar-PC used throughout this report shows the sample ran under an administrator account here, so the shadow copies were actually removable; on a standard-user account both commands fail and local recovery from Previous Versions remains possible.
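Together with "netsh advfirewall set currentprofile state off" and the two Run-key writes in the autorun section, these command lines are the sample's recovery-inhibition and persistence steps, and they are the part of this report that converts most directly into detection logic. The Python below is an added example, not code from the report or the sandbox; the rule names, the event dictionary layout and the constructed event list (copied from the command lines and registry keys on this page) are assumptions of mine.

```python
import re

# Added example: detection rules built from the command lines and Run-key writes in this
# report. Rule names and the event layout are my own (assumption), not the sandbox's.
CMDLINE_RULES = {
    # vssadmin delete shadows /all /quiet
    "shadow_copies_deleted_vssadmin": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    # wmic shadowcopy delete
    "shadow_copies_deleted_wmic": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # netsh advfirewall set <profile> state off
    "firewall_profile_disabled_netsh": re.compile(
        r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b", re.I),
}

# HKLM or HKCU ...\CurrentVersion\Run\<value name>, in long or short hive spelling.
RUN_KEY = re.compile(
    r"^HK(?:EY_)?(?:LM|LOCAL_MACHINE|CU|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\(?P<value_name>[^\\]+)$", re.I)


def match_cmdline(cmdline):
    """Names of every rule the command line triggers (empty list for benign lines)."""
    return sorted(name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline))


def run_key_reasons(reg_key, reg_value):
    """Why a Run-key write looks like self-installation; None if the key is not a Run value.

    Two traits taken from this report: the target lives under AppData\\Local, and the
    value name equals the target's file stem (here the MD5-style name of the dropped copy).
    """
    m = RUN_KEY.match(reg_key)
    if not m:
        return None
    target = reg_value.strip('"')
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if re.search(r"\\AppData\\Local\\", target, re.I):
        reasons.append("target_in_local_appdata")
    if stem.lower() == m.group("value_name").lower():
        reasons.append("value_name_is_target_stem")
    return reasons


def triage(events):
    """events: dicts of kind 'cmdline' or 'regkey'; returns (kind, evidence, rules) tuples."""
    findings = []
    for ev in events:
        if ev["kind"] == "cmdline":
            hits = match_cmdline(ev["cmdline"])
            if hits:
                findings.append(("cmdline", ev["cmdline"], hits))
        elif ev["kind"] == "regkey":
            reasons = run_key_reasons(ev["key"], ev["value"])
            if reasons:
                findings.append(("regkey", ev["key"], reasons))
    return findings


# Constructed input: the command lines and registry writes listed in this report.
DROPPED_COPY = r"C:\Users\Administrator.Oskar-PC\AppData\Local\be13334c44f2e0331a6d1d6460ff9359.exe"
REPORT_EVENTS = [
    {"kind": "cmdline", "cmdline": r"C:\Windows\System32\cmd.exe"},
    {"kind": "cmdline", "cmdline": "wmic shadowcopy delete"},
    {"kind": "cmdline", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"kind": "cmdline", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"kind": "regkey", "value": DROPPED_COPY,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be13334c44f2e0331a6d1d6460ff9359"},
    {"kind": "regkey", "value": DROPPED_COPY,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\be13334c44f2e0331a6d1d6460ff9359"},
]

if __name__ == "__main__":
    for kind, evidence, rules in triage(REPORT_EVENTS):
        print(f"[{kind}] {', '.join(rules)}: {evidence}")
```

The patterns deliberately tolerate a full path, an ".exe" suffix, mixed case and extra spacing, since Windows process-creation telemetry records the line as typed and the same intent is often written "VSSADMIN.EXE Delete Shadows /All /Quiet". The bare "cmd.exe" launch produces no finding on its own; it only becomes interesting through the child command lines, which is why the rules key on those.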
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (10 events)
Note: three of the entries below already carry the ransom suffix, and VBoxMRXNP.dll is recorded as a loaded DLL. That DLL is the VirtualBox shared-folder network provider, which the Windows network-provider layer can load into any process that enumerates network resources, and it talks to the VBoxMiniRdrDN device; so even the device opens above may originate in that provider rather than in the sample's own code. Confirming a genuine VirtualBox check would need call stacks, which this report does not include.
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDisp.dll
dll C:\Windows\system32\VBoxMRXNP.dll
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.sys
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.inf.id[38C63B41-2987].[wiruxa@airmail.cc].eking
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
file C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
Performs 169 file moves indicative of a ransomware file encryption process (50 out of 169 events)
Time | API | Arguments | Status | Return | Repeated
1620994245.204501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin | failed | 0 | 0
1620994245.204501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994245.376501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi | failed | 0 | 0
1620994245.376501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994245.985501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat | failed | 0 | 0
1620994245.985501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994245.985501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat | failed | 0 | 0
1620994245.985501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.001501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat | failed | 0 | 0
1620994246.001501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.001501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat | failed | 0 | 0
1620994246.001501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.032501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll | failed | 0 | 0
1620994246.047501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.704501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll | failed | 0 | 0
1620994246.704501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.735501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll | failed | 0 | 0
1620994246.735501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll, flags: 2, oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking | failed | 0 | 0
1620994246.751501 | MoveFileWithProgressW | oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll, newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking, newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking (remaining fields of this row are cut off in the report)
Note: the rows come in pairs at the same timestamp: the file is renamed to carry the ransom suffix and immediately renamed back, each with flags 2 (MOVEFILE_COPY_ALLOWED) and each logged as failed (return 0). Other sections of this report list files that do carry the suffix, so renames elsewhere succeeded; the pairing with an immediate revert on these Program Files targets is the pattern to keep in mind when writing file-rename detections, since a rule that only counts forward renames to the ransom extension will also count the reverts.
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
failed 0 0
1620994246.751501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.344501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\DVDMaker.exe
newfilepath: C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe
failed 0 0
1620994248.344501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\DVDMaker.exe
newfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdBase.dll
newfilepath: C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\OmdBase.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdProject.dll
newfilepath: C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\OmdProject.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Pipeline.dll
newfilepath: C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Pipeline.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\PipeTran.dll
newfilepath: C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\PipeTran.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.829501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
failed 0 0
1620994250.829501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
failed 0 0
1620994250.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.891501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
failed 0 0
1620994250.891501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
Appends a new file extension or content to 169 files indicative of a ransomware file encryption process (50 out of 169 events)
Time & API Arguments Status Return Repeated
1620994245.204501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin
failed 0 0
1620994245.204501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\chslm.wdic2.bin.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994245.376501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi
failed 0 0
1620994245.376501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994245.985501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat
failed 0 0
1620994245.985501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994245.985501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
failed 0 0
1620994245.985501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.001501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat
failed 0 0
1620994246.001501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.001501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat
failed 0 0
1620994246.001501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.032501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
failed 0 0
1620994246.047501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.704501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
failed 0 0
1620994246.704501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.735501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
failed 0 0
1620994246.735501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994246.751501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
failed 0 0
1620994246.751501
MoveFileWithProgressW
oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
newfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\Common Files\Microsoft Shared\ink\mshwchsr.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.344501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\DVDMaker.exe
newfilepath: C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe
failed 0 0
1620994248.344501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\DVDMaker.exe
newfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\DVDMaker.exe.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdBase.dll
newfilepath: C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\OmdBase.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdBase.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdProject.dll
newfilepath: C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\OmdProject.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\OmdProject.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Pipeline.dll
newfilepath: C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Pipeline.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Pipeline.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\PipeTran.dll
newfilepath: C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll
failed 0 0
1620994248.391501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\PipeTran.dll
newfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\PipeTran.dll.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.829501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
failed 0 0
1620994250.829501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
failed 0 0
1620994250.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.860501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
failed 0 0
1620994250.876501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
1620994250.891501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
failed 0 0
1620994250.891501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
newfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
flags: 2
oldfilepath_r: \\?\C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
failed 0 0
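The rename calls above follow the Phobos-family naming scheme (Microsoft labels this sample Ransom:Win32/Phobos in the detections below): each target is renamed to `<name>.id[38C63B41-2987].[wiruxa@airmail.cc].eking`, every such call shown here is logged as failed with return value 0, and each is followed by an attempt to rename the file back. The Python below is an added example, not part of this report or its sandbox: it parses events in the report's block format, decodes the `flags` value, extracts the victim ID, contact address and extension, and works out per file whether the marker rename stuck. Its sample log embeds two events copied from this report plus one constructed successful rename under a user-profile path that was not observed in this run.

```python
import re
from dataclasses import dataclass, field

# Phobos-family victim-file name: <original>.id[<8 hex>-<4 digits>].[<contact>].<extension>
PHOBOS_SUFFIX = re.compile(r"^(?P<orig>.+?)\.id\[(?P<vid>[0-9A-Fa-f]{8}-\d{4})\]"
                           r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$")
# dwFlags bits of MoveFileWithProgressW (winbase.h); the report's "flags: 2" is COPY_ALLOWED.
MOVEFILE_FLAGS = {0x1: "MOVEFILE_REPLACE_EXISTING", 0x2: "MOVEFILE_COPY_ALLOWED",
                  0x4: "MOVEFILE_DELAY_UNTIL_REBOOT", 0x8: "MOVEFILE_WRITE_THROUGH"}
TIMESTAMP = re.compile(r"^\d{10}\.\d+$")
STATUS = re.compile(r"^(success|failed)\s+(-?\d+)\s+(\d+)$")  # status, return value, repeated

# Constructed sample log: the first two events are copied from this report; the third is a
# made-up successful rename under a user profile, included only to exercise the success path.
SAMPLE_LOG = r"""
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
failed 0 0
1620994249.844501
MoveFileWithProgressW
oldfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.id[38C63B41-2987].[wiruxa@airmail.cc].eking
newfilepath: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv
flags: 2
failed 0 0
1620994251.000501
MoveFileWithProgressW
oldfilepath: C:\Users\OSKAR\Documents\notes.txt
newfilepath: C:\Users\OSKAR\Documents\notes.txt.id[38C63B41-2987].[wiruxa@airmail.cc].eking
flags: 2
success 1 0
"""

@dataclass
class ApiEvent:
    ts: float
    api: str = ""
    args: dict = field(default_factory=dict)
    status: str = ""  # "success" or "failed"; the report's "failed 0 0" = failed, returned 0

def parse_events(text):
    """Parse per-call blocks: timestamp, API name, 'key: value' args, then 'status ret repeated'."""
    events, cur = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if TIMESTAMP.match(line):
            cur = ApiEvent(ts=float(line))
            events.append(cur)
        elif cur is None:
            continue  # text before the first timestamp
        elif not cur.api:
            cur.api = line
        elif (m := STATUS.match(line)):
            cur.status = m.group(1)
        elif ": " in line:
            key, value = line.split(": ", 1)
            cur.args[key] = value
    return events

def decode_flags(value):
    return [name for bit, name in MOVEFILE_FLAGS.items() if value & bit]

def classify_rename(ev):
    """'mark' = renamed to a Phobos-style name, 'revert' = renamed back, else None."""
    old, new = ev.args.get("oldfilepath", ""), ev.args.get("newfilepath", "")
    m = PHOBOS_SUFFIX.match(new)
    if m and m.group("orig") == old:
        return "mark", m
    m = PHOBOS_SUFFIX.match(old)
    if m and m.group("orig") == new:
        return "revert", m
    return None, None

def summarize(events):
    """Collect indicators and decide per file whether the marker rename stuck: 'encrypted' only if
    the mark succeeded and was not reverted; a failed mark (as throughout this report) = untouched."""
    out = {"victim_ids": set(), "contacts": set(), "extensions": set(),
           "flags": set(), "encrypted": [], "untouched": []}
    marked = {}  # original path -> marker currently in place?
    for ev in events:
        if ev.api != "MoveFileWithProgressW":
            continue
        kind, m = classify_rename(ev)
        if kind is None:
            continue
        out["victim_ids"].add(m.group("vid"))
        out["contacts"].add(m.group("contact"))
        out["extensions"].add(m.group("ext"))
        out["flags"].update(decode_flags(int(ev.args.get("flags", "0"))))
        path = m.group("orig")
        if kind == "mark":
            marked[path] = ev.status == "success"
        elif ev.status == "success":  # a successful revert clears the marker
            marked[path] = False
    for path, is_marked in marked.items():
        out["encrypted" if is_marked else "untouched"].append(path)
    return out
```

Run `summarize(parse_events(text))` over the full event list; the `untouched` versus `encrypted` split tells triage which files actually need restoring. The `_r` argument lines (the `\\?\`-prefixed resolved paths) are parsed like any other `key: value` argument and are simply not consulted by the classifier.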
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 of 54 detections shown)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.840267
FireEye Generic.mg.be13334c44f2e033
McAfee W32/PinkSbot-HD!BE13334C44F2
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056e3901 )
Alibaba Trojan:Win32/Cossta.41e0f057
K7GW Trojan ( 0056e3901 )
Cybereason malicious.c44f2e
Cyren W32/Trojan.SUFF-1742
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/Kryptik.HGMS
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky Trojan.Win32.Cossta.anci
BitDefender Gen:Variant.Razy.840267
NANO-Antivirus Virus.Win32.Gen.ccmw
Paloalto generic.ml
AegisLab Trojan.Win32.Cossta.4!c
Tencent Win32.Trojan.Cossta.Pgcp
Ad-Aware Gen:Variant.Razy.840267
Sophos Mal/Generic-R + Mal/EncPk-APW
Comodo Malware@#18d95l8wnlet2
DrWeb Trojan.MulDrop13.64400
Zillya Trojan.Kryptik.Win32.2537744
TrendMicro TROJ_FRS.0NA103IC20
McAfee-GW-Edition BehavesLike.Win32.Dropper.tz
Emsisoft Gen:Variant.Razy.840267 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Cossta.ahj
Avira HEUR/AGEN.1138446
Antiy-AVL Trojan/Win32.Cossta
Gridinsoft Ransom.Win32.Wacatac.oa
Microsoft Ransom:Win32/Phobos
GData Gen:Variant.Razy.840267
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Ransomware.C4197397
BitDefenderTheta Gen:NN.ZexaF.34670.evW@amNOD@eG
ALYac Trojan.Ransom.Phobos
MAX malware (ai score=100)
VBA32 Trojan.Cossta
Malwarebytes Ransom.Phobos
TrendMicro-HouseCall TROJ_FRS.0NA103IC20
Rising Ransom.Agent!8.6B7 (CLOUD)
Ikarus Trojan.SuspectCRC
MaxSecure Trojan.Malware.106601437.susgen
Fortinet W32/GenericKDZ.6978!tr
Webroot W32.Trojan.Gen
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample.
Run screenshots
No screenshots: no screenshots were captured while the sample was running.

PE Compile Time

2020-08-17 03:44:28

Imports

Library kernel32.dll:
0x50215c GetProcAddress
0x502160 GetVersion
0x502164 LoadLibraryA
0x502168 VirtualAlloc
0x50216c VirtualFree
0x502170 VirtualProtect
0x502174 GetModuleHandleA
0x502178 GetTickCount
0x50217c GetBinaryTypeA
0x502180 SetFileAttributesA
0x502188 SetCommBreak
0x50218c lstrcpynA
0x502190 IsDebuggerPresent
0x50219c GetProfileSectionW
0x5021a0 OpenSemaphoreA
0x5021a4 GlobalFindAtomW
0x5021a8 MultiByteToWideChar
0x5021ac GetBinaryTypeW
0x5021b4 GetConsoleFontSize
0x5021b8 VDMConsoleOperation
0x5021bc EnumCalendarInfoA
0x5021c0 MapViewOfFile
Library user32.dll:
0x502360 GetAsyncKeyState
0x502364 ScrollDC
0x502370 ShowCaret
0x502374 NotifyWinEvent
0x502378 WCSToMBEx
0x50237c SetScrollPos
0x502380 RegisterTasklist
0x502384 MessageBoxA
0x50238c DrawCaption
0x502390 SetMenuDefaultItem
0x502394 WaitForInputIdle
0x502398 SetWindowsHookExA
0x50239c GetDC
0x5023a0 SetThreadDesktop
0x5023a8 RealGetWindowClassA
0x5023ac SetWindowLongA
0x5023b0 DispatchMessageW
0x5023b4 CharLowerA
0x5023b8 CreateWindowExW
0x5023c0 CopyImage
0x5023c4 IMPQueryIMEA
0x5023c8 MapWindowPoints
0x5023cc SetProgmanWindow
0x5023d0 SetWindowsHookExW
0x5023d4 IsIconic
Library comctl32.dll:
0x502090 ImageList_Duplicate
0x502094 PropertySheetA
0x502098 DefSubclassProc
0x5020a0 DSA_GetItemPtr
0x5020a4 ImageList_AddMasked
0x5020ac PropertySheetW
0x5020b0 CreateStatusWindow
0x5020b4 DPA_DeletePtr
0x5020b8 ImageList_Read
0x5020bc DrawStatusText
0x5020c0 ImageList_DragEnter
0x5020c8 CreateUpDownControl
0x5020cc DPA_GetPtr
0x5020d0 MenuHelp
0x5020d8 DSA_DeleteAllItems
0x5020dc DPA_Create
0x5020e0 AddMRUStringW
0x5020e4 InitializeFlatSB
0x5020e8 CreateStatusWindowA
0x5020ec ImageList_SetFlags
Library oleaut32.dll:
0x5021cc VarUI1FromI1
0x5021d0 VarUI2FromStr
0x5021d4 VarUI4FromDate
0x5021d8 VarR4FromUI4
0x5021dc VarCmp
0x5021e0 VarDecFromUI2
0x5021e4 VarCyMul
0x5021e8 VarI1FromUI4
0x5021ec VarUI4FromI1
0x5021f0 LHashValOfNameSys
0x5021f4 VarUI2FromCy
0x5021f8 UnRegisterTypeLib
0x5021fc VarI2FromBool
0x502200 SysFreeString
0x502204 VarCyCmpR8
0x502208 VarI4FromDec
0x50220c SafeArrayPtrOfIndex
0x502210 VarDateFromCy
0x502214 VarI4FromR4
0x502218 GetAltMonthNames
0x50221c VarI4FromUI1
0x502220 VarI4FromI8
0x502224 VarUI4FromR4
0x502228 VarUI4FromDec
0x50222c VarUI8FromR4
0x502230 VarR8Round
0x502234 VarCyFix
0x502238 DllGetClassObject
0x50223c VarDateFromDisp
0x502240 VarUI1FromI4
0x502244 VarDecInt
0x502248 VarBoolFromI4
0x50224c VarR8Pow
0x502250 SafeArrayGetLBound
Library winspool.drv:
0x502450 GetPrinterDataExW
0x502454 EnumFormsW
0x502458 DocumentEvent
0x50245c DeletePrinterKeyA
0x502464 PerfCollect
0x50246c PrinterMessageBoxA
0x502470 DeviceCapabilities
0x502474 PrinterMessageBoxW
0x502478 GetPrinterDataW
0x502480 AddPrinterDriverW
0x50248c StartDocDlgA
0x502490 AddPortA
0x502498 EnumJobsW
0x50249c StartDocDlgW
0x5024a0 EnumPrinterKeyA
0x5024a4 AddPortW
0x5024a8 AddPortExA
0x5024ac EnumPrinterDataA
0x5024b0 PrinterProperties
0x5024b4 EnumJobsA
0x5024bc DevQueryPrintEx
0x5024c0 GetPrinterDriverW
Library advapi32.dll:
0x502000 SetSecurityInfoExA
0x50200c EqualSid
0x50201c RegSaveKeyA
0x502020 RegConnectRegistryW
0x502024 SystemFunction015
0x502030 ElfOpenEventLogW
0x50203c RegConnectRegistryA
0x502048 LogonUserExA
0x50204c GetTrusteeNameA
0x502054 CryptDuplicateKey
0x502058 BackupEventLogW
0x50205c UpdateTraceW
0x502060 RegUnLoadKeyA
0x502064 IsTextUnicode
0x502068 A_SHAUpdate
0x50206c IsWellKnownSid
0x502080 InstallApplication
0x502084 RegReplaceKeyW
0x502088 LookupAccountNameW
Library imagehlp.dll:
0x5020fc StackWalk
0x502100 SymGetLinePrev
0x502104 ImageUnload
0x50210c CheckSumMappedFile
0x502110 ImageRvaToVa
0x50211c UpdateDebugInfoFile
0x502120 ReBaseImage
0x502128 ReBaseImage64
0x50212c SymEnumSymbols
0x502130 SymGetModuleInfo
0x502134 SymLoadModule64
0x502138 SymGetSymFromName
0x502140 SymFindFileInPath
0x50214c SymLoadModule
0x502154 ImageAddCertificate
Library winmm.dll:
0x5023dc midiOutOpen
0x5023e0 mmioClose
0x5023e4 sndPlaySoundW
0x5023e8 midiInGetID
0x5023ec waveOutWrite
0x5023f0 mmTaskBlock
0x5023f4 joyGetNumDevs
0x5023f8 mmioFlush
0x502400 timeGetSystemTime
0x502404 midiInOpen
0x50240c waveInGetPosition
0x502410 waveOutGetDevCapsA
0x502414 mmioSetInfo
0x502418 mmioSetBuffer
0x50241c mixerMessage
0x502420 waveOutGetID
0x50242c midiInMessage
0x502430 mixerGetLineInfoA
0x502434 mciSendStringA
0x502438 waveInAddBuffer
0x50243c mmioSendMessage
0x502440 joyGetPosEx
0x502444 mciExecute
Library shell32.dll:
0x502258 DragQueryFileAorW
0x502260 OpenRegStream
0x502264 ILCreateFromPathA
0x502268 SHGetNewLinkInfo
0x50226c SHGetDesktopFolder
0x502270 OpenAs_RunDLLW
0x502274 StrStrA
0x50227c Control_RunDLLW
0x502280 SHAlloc
0x502284 ShellExecuteW
0x502288 SHGetSetSettings
0x50228c PathIsExe
0x502298 SHGetFileInfo
0x50229c SHBindToParent
0x5022a0 DriveType
0x5022ac SHDefExtractIconW
0x5022b4 IsLFNDriveA
0x5022bc StrChrA
0x5022c4 ShellAboutA

Hosts

No hosts contacted.

TCP

Source | Source port | Destination | Destination port
192.168.56.101 | 49187 | 192.168.56.1 | 139
192.168.56.101 | 49206 | 192.168.56.1 | 139
192.168.56.101 | 49226 | 192.168.56.1 | 139

UDP

Source | Source port | Destination | Destination port
192.168.56.1 | 137 | 192.168.56.101 | 137
192.168.56.1 | 138 | 192.168.56.101 | 138
192.168.56.101 | 50534 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 58367 | 114.114.114.114 | 53
192.168.56.101 | 65004 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 49235 | 224.0.0.252 | 5355
192.168.56.101 | 53657 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 57756 | 224.0.0.252 | 5355
192.168.56.101 | 57874 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 62191 | 224.0.0.252 | 5355
192.168.56.101 | 1900 | 239.255.255.250 | 1900
192.168.56.101 | 56540 | 239.255.255.250 | 3702
192.168.56.101 | 56807 | 239.255.255.250 | 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.