Score: 6.4 (high risk)

SHA256: b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
File name: d5edd6b32296d1cee4829fb1499c8759.exe
Analysis time: 82s
Last analysis:
File size: 62.0KB

Tags: flagged by static scan; flagged by dynamic analysis; 100%; 8I3DM2OYG8F; AI SCORE=100; CONFIDENCE; DELSHAD; DOWNLOADER33; FILECODER; FILECRYPTER; GDSDA; GENERICRXKC; HAKBIT; HIGH CONFIDENCE; IDRQDH; MALICIOUS; PE; OMBQ; PVCXZ; QVM03; QYDYBZPDOO4; R + MAL; R327981; RANSOMWARE; RANSOMX; RAZY; SCORE; STATIC AI; THANOS; TSCOPE; UNSAFE

Eagle Eye engine: not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | GenericRXKC-TR!D5EDD6B32296 | 20201229 | 6.0.6.653
Alibaba | Ransom:MSIL/Hakbit.c838dec7 | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | Win32:RansomX-gen [Ransom] | 20201229 | 21.1.5827.0
Kingsoft | (no detection) | 20201229 | 2017.9.26.565
Tencent | (no detection) | 20201229 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Queries the computer name (3 events)
Time | API | Arguments | Status | Return | Repeated
1619917436.187395 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619917439.250897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619917440.95352 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks whether the process is being debugged (2 events)
Time | API | Arguments | Status | Return | Repeated
1619910418.234286 | IsDebuggerPresent | | failed | 0 | 0
1619910418.234286 | IsDebuggerPresent | | failed | 0 | 0
Note: IsDebuggerPresent returns zero when no debugger is attached; the sandbox labels a zero return "failed", so these rows mean the check ran and found nothing, not that the call errored.
Checks the amount of system memory, which can be used to detect virtual machines with little memory (1 event)
Time | API | Arguments | Status | Return | Repeated
1619910418.281286 | GlobalMemoryStatusEx | | success | 1 | 0
Behavioural verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 148 events shown)
Common to every event below: process_identifier 2368, process_handle 0xffffffffffffffff (the current process), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. heap_dep_bypass is 1 on every MEM_COMMIT and 0 on every MEM_RESERVE and NtProtectVirtualMemory call.
Time | API | region_size / length | allocation_type | base_address
1619910417.312286 | NtAllocateVirtualMemory | 2555904 | 8192 (MEM_RESERVE) | 0x0000000000820000
1619910417.328286 | NtAllocateVirtualMemory | 8192 | 4096 (MEM_COMMIT) | 0x0000000000a10000
1619910417.797286 | NtAllocateVirtualMemory | 2162688 | 8192 (MEM_RESERVE) | 0x00000000021f0000
1619910417.797286 | NtAllocateVirtualMemory | 8192 | 4096 (MEM_COMMIT) | 0x0000000002380000
1619910417.922286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1981000
1619910417.922286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1981000
1619910417.953286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef2000000
1619910418.234286 | NtAllocateVirtualMemory | 655360 | 8192 (MEM_RESERVE) | 0x0000000002120000
1619910418.234286 | NtAllocateVirtualMemory | 8192 | 4096 (MEM_COMMIT) | 0x0000000002140000
1619910418.234286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.234286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.234286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.234286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.250286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1983000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1981000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.266286 | NtProtectVirtualMemory | 4096 | - | 0x000007fef1982000
1619910418.672286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00032000
1619910418.719286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00022000
1619910418.812286 | NtAllocateVirtualMemory | 655360 | 1056768 (MEM_RESERVE|MEM_TOP_DOWN) | 0x000007fffff00000
1619910418.812286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007fffff00000
1619910418.812286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007fffff00000
1619910418.812286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007fffff10000
1619910418.812286 | NtAllocateVirtualMemory | 65536 | 1056768 (MEM_RESERVE|MEM_TOP_DOWN) | 0x000007ffffef0000
1619910418.812286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ffffef0000
1619910418.812286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff0002a000
1619910418.875286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00033000
1619910418.875286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff000dc000
1619910418.875286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00106000
1619910418.875286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff000e0000
1619910419.172286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00034000
1619910419.203286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff0002b000
1619910419.219286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff0003c000
1619910420.094286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00035000
1619910420.219286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00036000
1619910420.266286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff0002c000
1619910420.281286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff0004b000
1619910420.969286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00150000
1619910420.969286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00151000
1619910421.156286 | NtAllocateVirtualMemory | 4096 | 4096 (MEM_COMMIT) | 0x000007ff00037000
Note: the Alibaba label identifies the sample as MSIL (.NET). The CLR's JIT and loader heaps reserve executable regions and commit them a page at a time, so a long run of 4096-byte PAGE_EXECUTE_READWRITE commits is expected for managed code and is weaker evidence of a packer here than it would be for a native binary. The service-stopping and shadow-copy activity further down is the stronger evidence.
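With 148 events of this kind, reading them one record at a time is not practical. The following Python is an added example (not part of the sandbox report, and not code from the sample): it parses API-trace records from a plain text layout (a timestamp line, an API-name line, key: value lines, then a "status return repeated" line; that layout is an assumption for this example, not necessarily the sandbox's own export format) and checks whether each RWX commit falls inside an RWX region reserved earlier in the trace, which is the reserve-then-commit shape an unpacker produces. The embedded trace is a constructed excerpt whose values are copied from the rows above.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed excerpt of an API trace in the assumed record layout described above.
SAMPLE_TRACE = """\
1619910417.312286
NtAllocateVirtualMemory
region_size: 2555904
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000000820000
success 0 0
1619910417.328286
NtAllocateVirtualMemory
region_size: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000000a10000
success 0 0
1619910417.797286
NtAllocateVirtualMemory
region_size: 2162688
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00000000021f0000
success 0 0
1619910417.797286
NtAllocateVirtualMemory
region_size: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000002380000
success 0 0
1619910417.922286
NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1981000
success 0 0
1619910417.922286
NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1981000
success 0 0
1619910418.672286
NtAllocateVirtualMemory
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00032000
success 0 0
"""

TS_RE = re.compile(r"^\d{10}\.\d+$")
STATUS_RE = re.compile(r"^(success|failed) (-?\d+) (\d+)$")

def parse_events(text: str) -> list[dict]:
    """Turn the record layout above into one dict per API call."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):                 # a timestamp starts a new record
            cur = {"time": float(line), "api": None}
            events.append(cur)
        elif cur is None:
            continue                          # text before the first record
        elif cur["api"] is None:
            cur["api"] = line                 # second line is the API name
        elif (m := STATUS_RE.match(line)):
            cur["status"], cur["return"], cur["repeated"] = m[1], int(m[2]), int(m[3])
        else:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return events

def summarize_rwx(events: list[dict]) -> dict:
    """Count RWX reserves/commits and test each commit against earlier RWX reservations."""
    reserved: list[tuple[int, int]] = []   # (start, end) of successful RWX MEM_RESERVE regions
    out = {"rwx_reserve": 0, "rwx_commit": 0, "commit_in_rwx_reserve": 0,
           "commit_orphan": 0, "protect_rwx_pages": Counter()}
    for e in events:
        if "PAGE_EXECUTE_READWRITE" not in e.get("protection", "") or e.get("status") != "success":
            continue
        base = int(e["base_address"], 16)
        if e["api"] == "NtAllocateVirtualMemory":
            size, kind = int(e["region_size"]), e["allocation_type"]
            if "MEM_RESERVE" in kind:
                reserved.append((base, base + size))
                out["rwx_reserve"] += 1
            if "MEM_COMMIT" in kind:
                out["rwx_commit"] += 1
                hit = any(lo <= base < hi for lo, hi in reserved)
                out["commit_in_rwx_reserve" if hit else "commit_orphan"] += 1
        elif e["api"] == "NtProtectVirtualMemory":
            out["protect_rwx_pages"][base] += 1   # pages flipped to RWX more than once deserve a look
    return out

if __name__ == "__main__":
    print(summarize_rwx(parse_events(SAMPLE_TRACE)))
```

An "orphan" commit (no visible parent reservation) usually means the reserve happened in one of the events not shown, so on a truncated 50-of-148 listing the orphan count is a prompt to pull the full trace rather than a finding in itself.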
Executes one or more WMI queries (3 events). The three process names queried here are the same three that taskkill.exe is later launched against, so the queries act as a presence check before the kill.
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopservice.exe")
A process created a hidden window (32 events)
Common to every event below: API CreateProcessInternalW, current_directory C:\Users\Administrator.Oskar-PC\AppData\Local\Temp, filepath and filepath_r empty, creation_flags 134217728 (CREATE_NO_WINDOW), inherit_handles 1, stack_pivoted 0, repeated 0. The 26 successful launches have track 1 and return 1. The six "del.exe" launches have track 0, return 0 and status failed, with PID, TID and both handles 0: no process was created. del is an internal command of cmd.exe and there is no del.exe on Windows, so these calls record the intent to wipe backup files but did not delete anything.
Time | PID | TID | thread_handle | process_handle | command_line | Status
1619910426.719286 | 1436 | 368 | 0x0000000000000254 | 0x0000000000000260 | "net.exe" stop avpsus /y | success
1619910428.672286 | 1564 | 2436 | 0x0000000000000258 | 0x0000000000000274 | "net.exe" stop McAfeeDLPAgentService /y | success
1619910430.406286 | 3040 | 520 | 0x0000000000000284 | 0x0000000000000290 | "net.exe" stop mfewc /y | success
1619910432.047286 | 2852 | 1752 | 0x00000000000002d8 | 0x00000000000002e4 | "net.exe" stop BMR Boot Service /y | success
1619910433.953286 | 2032 | 1816 | 0x0000000000000394 | 0x00000000000003a0 | "net.exe" stop NetBackup BMR MTFTP Service /y | success
1619910436.016286 | 1880 | 2252 | 0x0000000000000280 | 0x00000000000002e0 | "sc.exe" config SQLTELEMETRY start= disabled | success
1619910437.422286 | 1752 | 2960 | 0x0000000000000280 | 0x000000000000028c | "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled | success
1619910438.250286 | 2796 | 1160 | 0x0000000000000284 | 0x0000000000000280 | "sc.exe" config SQLWriter start= disabled | success
1619910438.953286 | 3100 | 3104 | 0x000000000000025c | 0x0000000000000284 | "sc.exe" config SstpSvc start= disabled | success
1619910439.953286 | 3184 | 3188 | 0x00000000000003b0 | 0x00000000000003a8 | "taskkill.exe" /IM mspub.exe /F | success
1619910443.078286 | 3340 | 3344 | 0x0000000000000418 | 0x0000000000000424 | "taskkill.exe" /IM mydesktopqos.exe /F | success
1619910444.797286 | 3452 | 3456 | 0x0000000000000418 | 0x0000000000000428 | "taskkill.exe" /IM mydesktopservice.exe /F | success
1619910447.234286 | 3552 | 3556 | 0x00000000000002e8 | 0x0000000000000304 | "vssadmin.exe" Delete Shadows /all /quiet | success
1619910452.187286 | 3884 | 3888 | 0x000000000000028c | 0x0000000000000254 | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB | success
1619910454.969286 | 4024 | 4028 | 0x000000000000028c | 0x0000000000000424 | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded | success
1619910456.719286 | 2604 | 2504 | 0x000000000000028c | 0x0000000000000428 | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB | success
1619910458.094286 | 3212 | 3224 | 0x000000000000028c | 0x000000000000042c | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded | success
1619910459.812286 | 3380 | 2412 | 0x000000000000028c | 0x0000000000000278 | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB | success
1619910461.781286 | 3472 | 3480 | 0x000000000000028c | 0x0000000000000420 | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded | success
1619910464.156286 | 3664 | 176 | 0x0000000000000428 | 0x000000000000042c | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB | success
1619910465.844286 | 3556 | 3596 | 0x0000000000000304 | 0x00000000000002e8 | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded | success
1619910467.562286 | 3888 | 3920 | 0x0000000000000304 | 0x0000000000000428 | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB | success
1619910469.250286 | 3168 | 3152 | 0x0000000000000304 | 0x000000000000039c | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded | success
1619910471.078286 | 1124 | 3248 | 0x0000000000000304 | 0x00000000000003a8 | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB | success
1619910472.781286 | 3392 | 3376 | 0x0000000000000304 | 0x0000000000000284 | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded | success
1619910474.453286 | 3848 | 3260 | 0x0000000000000304 | 0x00000000000001cc | "vssadmin.exe" Delete Shadows /all /quiet | success
1619910476.109286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk | failed
1619910476.156286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk | failed
1619910476.172286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk | failed
1619910476.187286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk | failed
1619910476.203286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk | failed
1619910476.219286 | 0 | 0 | 0x0000000000000000 | 0x0000000000000000 | "del.exe" /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk | failed
Note: the "resize shadowstorage" pairs are a second way of removing shadow copies. Shrinking the maximum shadow storage to 401MB forces VSS to discard the copies that no longer fit, and resizing back to unbounded afterwards leaves the volume looking untouched. Monitoring only for "Delete Shadows" misses this.
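The command lines above are exactly what a process-creation detection should key on. The following Python is an added example, not part of the sandbox report and not the sample's code: a small rule set run over a constructed trace of "pid, status, command line" lines (the command lines are the ones recorded above plus one benign line; the tab-separated layout is an assumption for this example, not the sandbox's export format). The T1489/T1490 labels are MITRE ATT&CK technique IDs I attached to the rules and the weights are arbitrary triage scores; the verdict logic treats "inhibits recovery and stops services or processes" as the ransomware shape, and it still counts a command the sandbox marked failed, since the attempt is itself an indicator.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample trace: pid, sandbox status and command line, tab-separated.
SAMPLE_TRACE = """\
1436\tsuccess\t"net.exe" stop avpsus /y
2852\tsuccess\t"net.exe" stop BMR Boot Service /y
1880\tsuccess\t"sc.exe" config SQLTELEMETRY start= disabled
3184\tsuccess\t"taskkill.exe" /IM mspub.exe /F
3552\tsuccess\t"vssadmin.exe" Delete Shadows /all /quiet
3884\tsuccess\t"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
4024\tsuccess\t"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
0\tfailed\t"del.exe" /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\Backup*.*
2000\tsuccess\t"notepad.exe" C:\\Users\\user\\readme.txt
"""

@dataclass
class Finding:
    pid: int
    image: str
    technique: str
    weight: int
    attempted_only: bool      # True when the sandbox marked the CreateProcess call failed
    command_line: str

# (image regex, argument regex, label, weight). Labels carry ATT&CK IDs chosen for
# this example; weights are arbitrary triage scores.
RULES = [
    (r"^vssadmin$", r"\bdelete\s+shadows\b",                   "T1490 delete shadow copies",     10),
    (r"^vssadmin$", r"\bresize\s+shadowstorage\b.*\bmaxsize=",  "T1490 resize shadow storage",     8),
    (r"^del$",      r"(^|\s)/s\b.*\.(bak|bac|vhd|bkf|wbcat)\b", "T1490 delete backup files",       7),
    (r"^net1?$",    r"^\s*stop\b",                              "T1489 stop service",              5),
    (r"^sc$",       r"\bconfig\b.*\bstart=\s*disabled\b",       "T1489 disable service at boot",   5),
    (r"^taskkill$", r"/im\b.*(^|\s)/f\b",                        "T1489 force-kill process",        3),
]

IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)

def split_command_line(cmd: str) -> tuple[str, str]:
    """Return (image basename, lower-cased and without .exe; argument string)."""
    m = IMAGE_RE.match(cmd)
    if not m:
        return "", ""
    image = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    return (image[:-4] if image.endswith(".exe") else image), m.group(3)

def scan(trace: str) -> list[Finding]:
    """Match every process-creation line against RULES; the first matching rule wins."""
    findings: list[Finding] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        pid, status, cmd = line.split("\t", 2)
        image, args = split_command_line(cmd)
        for image_re, args_re, label, weight in RULES:
            if re.match(image_re, image) and re.search(args_re, args, re.I):
                findings.append(Finding(int(pid), image, label, weight, status != "success", cmd))
                break
    return findings

def verdict(findings: list[Finding]) -> dict:
    """Aggregate the findings: recovery inhibition plus service/process stopping is the ransomware shape."""
    techniques = sorted({f.technique.split()[0] for f in findings})
    return {
        "score": sum(f.weight for f in findings),
        "techniques": techniques,
        "ransomware_like": "T1489" in techniques and "T1490" in techniques,
    }

if __name__ == "__main__":
    found = scan(SAMPLE_TRACE)
    for f in found:
        flag = " (attempted only)" if f.attempted_only else ""
        print(f"{f.pid:>5}  {f.technique:<30}{flag}  {f.command_line}")
    print(verdict(found))
```

The image regexes accept net1 as well as net because net.exe hands "net stop" off to net1.exe, and the argument regexes are case-insensitive because the sample mixes "Delete Shadows" with lower-case switches. In a real pipeline the same rules would be applied to Sysmon event 1 or Windows 4688 command lines rather than a sandbox trace.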
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time | API | Arguments | Status | Return | Repeated
1619910434.406286 | GetAdaptersAddresses | flags: 15, family: 0 | failed | 111 | 0
Note: return 111 is ERROR_BUFFER_OVERFLOW, the normal result of the first, buffer-sizing call to GetAdaptersAddresses, so "failed" here does not mean the check was abandoned. flags 15 is GAA_FLAG_SKIP_UNICAST|SKIP_ANYCAST|SKIP_MULTICAST|SKIP_DNS_SERVER and family 0 is AF_UNSPEC: the caller wants adapter metadata (names, MAC addresses) rather than IP addresses, which fits a virtual-NIC check.
Checks for the Locally Unique Identifier of a suspicious privilege on the system (18 events)
All events: API LookupPrivilegeValueW, system_name empty, status success, return 1, repeated 0.
Time | privilege_name
1619910422.203286 | SeDebugPrivilege
1619917436.172395 | SeDebugPrivilege
1619917439.234897 | SeDebugPrivilege
1619917440.95352 | SeDebugPrivilege
1619917443.32827 | SeBackupPrivilege
1619917448.297395 | SeBackupPrivilege
1619917880.434126 | SeBackupPrivilege
1619917882.200126 | SeBackupPrivilege
1619917883.575126 | SeBackupPrivilege
1619917885.309249 | SeBackupPrivilege
1619917887.309626 | SeBackupPrivilege
1619917889.590001 | SeBackupPrivilege
1619917891.325751 | SeBackupPrivilege
1619917893.059876 | SeBackupPrivilege
1619917894.762001 | SeBackupPrivilege
1619917896.559499 | SeBackupPrivilege
1619917898.278626 | SeBackupPrivilege
1619917900.012501 | SeBackupPrivilege
Note: LookupPrivilegeValueW only resolves the privilege name to a LUID; the privilege is not enabled unless AdjustTokenPrivileges is called afterwards, which this report does not list. SeBackupPrivilege is the one a file encryptor wants, since with FILE_FLAG_BACKUP_SEMANTICS it allows reading files regardless of their ACLs.
Uses Windows utilities for basic Windows functionality (12 events)
cmdline "taskkill.exe" /IM mydesktopservice.exe /F
cmdline "net.exe" stop NetBackup BMR MTFTP Service /y
cmdline "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
cmdline "net.exe" stop BMR Boot Service /y
cmdline "net.exe" stop McAfeeDLPAgentService /y
cmdline "taskkill.exe" /IM mydesktopqos.exe /F
cmdline "net.exe" stop mfewc /y
cmdline "taskkill.exe" /IM mspub.exe /F
cmdline "sc.exe" config SstpSvc start= disabled
cmdline "sc.exe" config SQLTELEMETRY start= disabled
cmdline "sc.exe" config SQLWriter start= disabled
cmdline "net.exe" stop avpsus /y
Network Communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Uses suspicious command line tools or Windows utilities (13 events)
cmdline "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
cmdline "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
cmdline "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
cmdline "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
cmdline "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
cmdline "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
cmdline "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
cmdline "vssadmin.exe" Delete Shadows /all /quiet
cmdline "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
cmdline "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
cmdline "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
cmdline "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
cmdline "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
Uses Sysinternals tools in order to add additional command line functionality (1 event)
cmdline "taskkill.exe" /IM mydesktopservice.exe /F
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.629400
McAfee GenericRXKC-TR!D5EDD6B32296
Cylance Unsafe
K7AntiVirus Trojan ( 0055ef9f1 )
Alibaba Ransom:MSIL/Hakbit.c838dec7
K7GW Trojan ( 0055ef9f1 )
Cybereason malicious.32296d
Arcabit Trojan.Razy.D99A98
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:RansomX-gen [Ransom]
ClamAV Win.Ransomware.Razy-9205761-0
Kaspersky HEUR:Trojan-Ransom.Win32.Generic
BitDefender Gen:Variant.Razy.629400
NANO-Antivirus Trojan.Win32.DelShad.idrqdh
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Rising Trojan.Filecoder!8.68 (TFE:C:8I3Dm2Oyg8F)
Ad-Aware Gen:Variant.Razy.629400
Sophos Mal/Generic-R + Mal/Hakbit-A
F-Secure Trojan.TR/Ransom.pvcxz
DrWeb Trojan.DownLoader33.27839
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.MSIL.HAKBIT.D
McAfee-GW-Edition BehavesLike.Win32.Generic.kh
FireEye Generic.mg.d5edd6b32296d1ce
Emsisoft Gen:Variant.Razy.629400 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.MSIL.ombq
Webroot W32.Ransom.Gen
Avira TR/Ransom.pvcxz
Gridinsoft Ransom.Win32.Injector.cc
Microsoft Ransom:MSIL/Hakbit.SK!MTB
ViRobot Trojan.Win32.S.Ransom.63488.B
ZoneAlarm HEUR:Trojan.MSIL.DelShad.gen
GData Gen:Variant.Razy.629400
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RansomCrypt.R327981
BitDefenderTheta AI:Packer.9514F7A91F
ALYac Trojan.Ransom.Hakbit
MAX malware (ai score=100)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.Injector
ESET-NOD32 a variant of MSIL/Filecoder.Thanos.A
TrendMicro-HouseCall Ransom.MSIL.HAKBIT.D
Yandex Trojan.Filecoder!qyDyBZpdoo4
Ikarus Trojan-Ransom.FileCrypter
eGambit Unsafe.AI_Score_100%
Fortinet MSIL/Filecoder.VL!tr
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2020-03-04 14:39:00

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Host Destination Port
192.168.56.101 49205 185.199.109.133 raw.githubusercontent.com 443
192.168.56.101 49212 185.199.109.133 raw.githubusercontent.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 59704 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.