SmartHawk

12.4

0-day

11 个模型检测该样本为恶意！

重新分析

下载样本

996fc1a9fa4f31ab9ecb0b6d18c8352463142a4990875d5af5e5e93a11cc87a4

e19fa9399c0d86ec58588e0a1b3704a2.exe

分析耗时

47s

最近分析

文件大小

20.0MB

静态报毒动态报毒 BROWSEFOX BUNDLEINSTALLER GENERIC@ML HIGH CONFIDENCE MOKUVSBS6DY1 QSADEUILG QVM41 R346996 RDML SOFT32 WEBCOMPANION WEBCOMPANION7806 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20200901	6.0.6.653
Alibaba	20190527	0.3.0.5
Avast	20200901	18.4.3895.0
Tencent	20200901	1.0.0.1
Baidu	20190318	1.0.0.2
Kingsoft	20200901	2013.8.14.323
CrowdStrike	20190702	1.0

Queries for the computername (31 个事件)

Time & API	Arguments	Status	Return
1620810314.257875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810314.772875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810314.928875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810314.975875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.163875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.257875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.288875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.319875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.413875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.553875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.600875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.647875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.663875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.710875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.741875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.772875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.788875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810315.819875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810317.319875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810318.694875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810319.944875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810318.351 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810319.961 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810324.929 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810325.008 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810325.039 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810325.039 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810325.179 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810326.429 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810327.679 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620810327.742 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (9 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810308.27275 IsDebuggerPresent		failed	0	0
1620810315.914 IsDebuggerPresent		failed	0	0
1620810315.914 IsDebuggerPresent		failed	0	0
1620810326.242 IsDebuggerPresent		failed	0	0
1620810326.367 IsDebuggerPresent		failed	0	0
1620810326.461 IsDebuggerPresent		failed	0	0
1620810326.914 IsDebuggerPresent		failed	0	0
1620810327.054 IsDebuggerPresent		failed	0	0
1620810327.242 IsDebuggerPresent		failed	0	0

Uses Windows APIs to generate a cryptographic key (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810318.726 CryptExportKey	crypto_handle: 0x00884f18 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1	0

This executable is signed

Tries to locate where the browsers are installed (4 个事件)

file	C:\Program Files\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\InstallDate
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810313.991875 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sxdata

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 个事件)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
suspicious_features	GET method with no useragent header	suspicious_request	GET https://h2oapi.adaware.com/v1/bundleinfo/82365e6f68722feb8ef6615ec0bb835653cebfe2

Performs some HTTP requests (3 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
request	GET https://h2oapi.adaware.com/v1/bundleinfo/82365e6f68722feb8ef6615ec0bb835653cebfe2

Sends data using the HTTP POST Method (2 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart

Allocates read-write-execute memory (usually to unpack itself) (50 out of 259 个事件)

Time & API	Arguments	Status
1620810315.523 NtAllocateVirtualMemory	process_identifier: 428 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00470000	success
1620810315.523 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004d0000	success
1620810315.742 NtAllocateVirtualMemory	process_identifier: 428 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x01f00000	success
1620810315.742 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01ff0000	success
1620810315.804 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1620810315.914 NtAllocateVirtualMemory	process_identifier: 428 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00510000	success
1620810315.914 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d0000	success
1620810315.914 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002ea000	success
1620810315.914 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1620810315.914 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002e2000	success
1620810316.211 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f2000	success
1620810316.32 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00315000	success
1620810316.336 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0031b000	success
1620810316.336 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00317000	success
1620810316.523 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f3000	success
1620810316.57 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002fc000	success
1620810316.695 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f4000	success
1620810316.726 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02180000	success
1620810316.726 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f5000	success
1620810316.726 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f6000	success
1620810316.742 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f7000	success
1620810316.758 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f8000	success
1620810316.758 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002f9000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04600000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04601000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04602000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002fd000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04603000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04604000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04605000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04606000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04607000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04608000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002fe000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04609000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460a000	success
1620810316.789 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460b000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460c000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460d000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460e000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002ff000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0460f000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04740000	success
1620810316.804 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04741000	success
1620810316.82 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04742000	success
1620810316.851 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04743000	success
1620810317.07 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04744000	success
1620810317.117 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04745000	success
1620810317.133 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04ce0000	success
1620810317.133 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04746000	success

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810328.538875 GetDiskFreeSpaceExW	root_path: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3 free_bytes_available: 19430318080 total_number_of_free_bytes: 19430318080 total_number_of_bytes: 34252779520	success	1	0

Creates executable files on the filesystem (23 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\H2OSciter.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\HtmlAgilityPack.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\OfferServiceBLL.dll

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.exe

Drops an executable to the user AppData folder (23 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\HtmlAgilityPack.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\OfferServiceBLL.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\H2OSciter.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll

Executes one or more WMI queries (6 个事件)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 个事件)

Time & API	Arguments	Status	Return
1620810314.022875 Process32FirstW	process_name: [System Process] snapshot_handle: 0x000000d8 process_identifier: 0	success	1
1620810314.022875 Process32NextW	process_name: System snapshot_handle: 0x000000d8 process_identifier: 4	success	1
1620810314.022875 Process32NextW	process_name: smss.exe snapshot_handle: 0x000000d8 process_identifier: 276	success	1
1620810314.022875 Process32NextW	process_name: csrss.exe snapshot_handle: 0x000000d8 process_identifier: 372	success	1
1620810314.022875 Process32NextW	process_name: csrss.exe snapshot_handle: 0x000000d8 process_identifier: 424	success	1
1620810314.022875 Process32NextW	process_name: wininit.exe snapshot_handle: 0x000000d8 process_identifier: 432	success	1
1620810314.022875 Process32NextW	process_name: services.exe snapshot_handle: 0x000000d8 process_identifier: 476	success	1
1620810314.022875 Process32NextW	process_name: winlogon.exe snapshot_handle: 0x000000d8 process_identifier: 508	success	1
1620810314.022875 Process32NextW	process_name: lsass.exe snapshot_handle: 0x000000d8 process_identifier: 536	success	1
1620810314.022875 Process32NextW	process_name: lsm.exe snapshot_handle: 0x000000d8 process_identifier: 544	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 656	success	1
1620810314.022875 Process32NextW	process_name: VBoxService.exe snapshot_handle: 0x000000d8 process_identifier: 720	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 788	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 868	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 924	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 956	success	1
1620810314.022875 Process32NextW	process_name: audiodg.exe snapshot_handle: 0x000000d8 process_identifier: 112	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 540	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 1080	success	1
1620810314.022875 Process32NextW	process_name: spoolsv.exe snapshot_handle: 0x000000d8 process_identifier: 1260	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 1288	success	1
1620810314.022875 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000000d8 process_identifier: 1336	success	1
1620810314.022875 Process32NextW	process_name: dwm.exe snapshot_handle: 0x000000d8 process_identifier: 1384	success	1
1620810314.022875 Process32NextW	process_name: explorer.exe snapshot_handle: 0x000000d8 process_identifier: 1424	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 1592	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 1980	success	1
1620810314.022875 Process32NextW	process_name: taskeng.exe snapshot_handle: 0x000000d8 process_identifier: 1240	success	1
1620810314.022875 Process32NextW	process_name: VBoxTray.exe snapshot_handle: 0x000000d8 process_identifier: 2072	success	1
1620810314.022875 Process32NextW	process_name: SearchIndexer.exe snapshot_handle: 0x000000d8 process_identifier: 2380	success	1
1620810314.022875 Process32NextW	process_name: wmpnetwk.exe snapshot_handle: 0x000000d8 process_identifier: 2460	success	1
1620810314.022875 Process32NextW	process_name: WmiPrvSE.exe snapshot_handle: 0x000000d8 process_identifier: 2672	success	1
1620810314.022875 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x000000d8 process_identifier: 2744	success	1
1620810314.022875 Process32NextW	process_name: SearchFilterHost.exe snapshot_handle: 0x000000d8 process_identifier: 2784	success	1
1620810314.022875 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000d8 process_identifier: 2884	success	1
1620810314.022875 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x000000d8 process_identifier: 2940	success	1
1620810314.022875 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000000d8 process_identifier: 2132	success	1
1620810314.022875 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x000000d8 process_identifier: 1068	success	1
1620810314.022875 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000000d8 process_identifier: 2988	success	1
1620810314.022875 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000000d8 process_identifier: 2368	success	1
1620810314.022875 Process32NextW	process_name: e19fa9399c0d86ec58588e0a1b3704a2.exe snapshot_handle: 0x000000d8 process_identifier: 3044	success	1
1620810314.022875 Process32NextW	process_name: installer.exe snapshot_handle: 0x000000d8 process_identifier: 2120	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810321.492 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810318.039 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Expresses interest in specific running processes (1 个事件)

process

installer.exe

Queries for potentially installed applications (13 个事件)

Time & API	Arguments	Status
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000007a8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1620810324.976 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1620810324.992 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success

Executes one or more WMI queries which can be used to identify virtual machines (3 个事件)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by registry key (2 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Browser\Update
registry	HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Browser\Update

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620810325.82 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\GenericSetup.exe

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 个事件)

Elastic	malicious (high confidence)
DrWeb	Adware.Downware.19662
Malwarebytes	PUP.Optional.BundleInstaller
Invincea	heuristic
FireEye	Generic.mg.e19fa9399c0d86ec
Webroot	W32.Adware.Soft32
AhnLab-V3	PUP/Win32.BrowseFox.R346996
ESET-NOD32	a variant of Win32/WebCompanion.B potentially unwanted
Rising	Trojan.Generic@ML.94 (RDML:MokUVSbS6dy1/QSadeuilg)
Fortinet	Riskware/WebCompanion7806
Qihoo-360	HEUR/QVM41.1.A2BF.Malware.Gen

Performs 89 file moves indicative of a ransomware file encryption process (50 out of 89 个事件)

Time & API	Arguments	Status	Return
1620810311.319875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll	success	1
1620810311.350875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\de	success	1
1620810311.366875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll	success	1
1620810311.397875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\en	success	1
1620810311.397875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll	success	1
1620810311.428875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\es	success	1
1620810311.444875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll	success	1
1620810311.491875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\fr	success	1
1620810311.507875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll	success	1
1620810311.538875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\it	success	1
1620810311.538875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll	success	1
1620810311.569875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\pt	success	1
1620810311.585875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810311.616875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810311.647875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images	success	1
1620810311.663875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810311.678875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810311.710875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810311.741875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810311.772875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810311.803875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis	success	1
1620810311.803875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810311.819875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810311.835875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\InstallingPage.html	success	1
1620810311.866875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\LaunchCarrierPage.html	success	1
1620810311.882875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\OfferPage.html	success	1
1620810311.944875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\ScanningPage.html	success	1
1620810311.975875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\style.css	success	1
1620810312.022875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810312.053875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810312.069875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810312.085875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810312.100875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810312.116875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\WelcomePage.html	success	1
1620810312.147875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources	success	1
1620810312.147875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810312.163875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810312.178875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images	success	1
1620810312.178875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810312.210875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810312.225875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810312.225875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810312.241875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810312.257875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis	success	1
1620810312.257875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll	success	1
1620810312.288875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\ru	success	1
1620810312.303875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\2021.05.12_11.45.11.351000_installer_pid=2120.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\2021.05.12_11.45.11.351000_installer_pid=2120.txt	success	1
1620810312.335875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\app.ico	success	1
1620810312.350875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\BundleConfig.json	success	1
1620810312.382875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE	success	1

Appends a new file extension or content to 89 files indicative of a ransomware file encryption process (50 out of 89 个事件)

Time & API	Arguments	Status	Return
1620810311.319875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\de\DevLib.resources.dll	success	1
1620810311.350875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\de	success	1
1620810311.366875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\en\DevLib.resources.dll	success	1
1620810311.397875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\en	success	1
1620810311.397875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\es\DevLib.resources.dll	success	1
1620810311.428875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\es	success	1
1620810311.444875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\fr\DevLib.resources.dll	success	1
1620810311.491875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\fr	success	1
1620810311.507875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\it\DevLib.resources.dll	success	1
1620810311.538875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\it	success	1
1620810311.538875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\pt\DevLib.resources.dll	success	1
1620810311.569875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\pt	success	1
1620810311.585875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810311.616875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810311.647875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images	success	1
1620810311.663875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810311.678875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810311.710875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810311.741875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810311.772875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810311.803875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis	success	1
1620810311.803875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810311.819875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810311.835875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\InstallingPage.html	success	1
1620810311.866875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\LaunchCarrierPage.html	success	1
1620810311.882875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\OfferPage.html	success	1
1620810311.944875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\ScanningPage.html	success	1
1620810311.975875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\style.css	success	1
1620810312.022875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810312.053875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810312.069875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810312.085875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810312.100875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810312.116875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\WelcomePage.html	success	1
1620810312.147875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources	success	1
1620810312.147875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\loader.gif	success	1
1620810312.163875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images\warning48x48.png	success	1
1620810312.178875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\images	success	1
1620810312.178875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Config.tis	success	1
1620810312.210875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\EventHandler.tis	success	1
1620810312.225875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\Log.tis	success	1
1620810312.225875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\TranslateOfferTemplate.tis	success	1
1620810312.241875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis\ViewStateLoader.tis	success	1
1620810312.257875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Resources\tis	success	1
1620810312.257875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\ru\DevLib.resources.dll	success	1
1620810312.288875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\ru	success	1
1620810312.303875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\2021.05.12_11.45.11.351000_installer_pid=2120.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\2021.05.12_11.45.11.351000_installer_pid=2120.txt	success	1
1620810312.335875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\app.ico	success	1
1620810312.350875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\BundleConfig.json	success	1
1620810312.382875 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4EBF0AF3\Carrier.EXE	success	1

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2011-04-19 02:54:06

Imports

Library OLEAUT32.dll:

• 0x41b198 VariantClear

• 0x41b19c SysAllocString

Library USER32.dll:

• 0x41b1ac SendMessageA

• 0x41b1b0 SetTimer

• 0x41b1b4 DialogBoxParamW

• 0x41b1b8 DialogBoxParamA

• 0x41b1bc SetWindowLongA

• 0x41b1c0 GetWindowLongA

• 0x41b1c4 SetWindowTextW

• 0x41b1c8 LoadIconA

• 0x41b1cc LoadStringW

• 0x41b1d0 LoadStringA

• 0x41b1d4 CharUpperW

• 0x41b1d8 CharUpperA

• 0x41b1dc DestroyWindow

• 0x41b1e0 EndDialog

• 0x41b1e4 PostMessageA

• 0x41b1e8 ShowWindow

• 0x41b1ec MessageBoxW

• 0x41b1f0 GetDlgItem

• 0x41b1f4 KillTimer

• 0x41b1f8 SetWindowTextA

Library SHELL32.dll:

• 0x41b1a4 ShellExecuteExA

Library KERNEL32.dll:

• 0x41b000 GetCurrentDirectoryA

• 0x41b004 GetStringTypeW

• 0x41b008 GetStringTypeA

• 0x41b00c LCMapStringW

• 0x41b010 LCMapStringA

• 0x41b014 InterlockedIncrement

• 0x41b018 InterlockedDecrement

• 0x41b01c GetProcAddress

• 0x41b020 GetOEMCP

• 0x41b024 GetACP

• 0x41b028 GetCPInfo

• 0x41b02c IsBadCodePtr

• 0x41b030 IsBadReadPtr

• 0x41b034 GetFileType

• 0x41b038 SetHandleCount

• 0x41b03c GetEnvironmentStringsW

• 0x41b040 GetEnvironmentStrings

• 0x41b044 FreeEnvironmentStringsW

• 0x41b048 FreeEnvironmentStringsA

• 0x41b04c UnhandledExceptionFilter

• 0x41b050 HeapSize

• 0x41b054 GetCurrentProcess

• 0x41b058 TerminateProcess

• 0x41b05c IsBadWritePtr

• 0x41b060 HeapCreate

• 0x41b064 HeapDestroy

• 0x41b068 GetEnvironmentVariableA

• 0x41b06c SetUnhandledExceptionFilter

• 0x41b070 TlsAlloc

• 0x41b074 ExitProcess

• 0x41b078 GetVersion

• 0x41b07c GetCommandLineA

• 0x41b080 GetStartupInfoA

• 0x41b084 GetModuleHandleA

• 0x41b088 WaitForSingleObject

• 0x41b08c CloseHandle

• 0x41b090 CreateProcessA

• 0x41b094 GetCommandLineW

• 0x41b098 GetVersionExA

• 0x41b09c LeaveCriticalSection

• 0x41b0a0 EnterCriticalSection

• 0x41b0a4 DeleteCriticalSection

• 0x41b0a8 MultiByteToWideChar

• 0x41b0ac WideCharToMultiByte

• 0x41b0b0 GetLastError

• 0x41b0b4 LoadLibraryA

• 0x41b0b8 GetModuleFileNameW

• 0x41b0bc GetModuleFileNameA

• 0x41b0c0 LocalFree

• 0x41b0c4 FormatMessageW

• 0x41b0c8 FormatMessageA

• 0x41b0cc SetFileTime

• 0x41b0d0 CreateFileW

• 0x41b0d4 SetLastError

• 0x41b0d8 SetFileAttributesW

• 0x41b0dc SetFileAttributesA

• 0x41b0e0 RemoveDirectoryW

• 0x41b0e4 RemoveDirectoryA

• 0x41b0e8 CreateDirectoryW

• 0x41b0ec CreateDirectoryA

• 0x41b0f0 DeleteFileW

• 0x41b0f4 DeleteFileA

• 0x41b0f8 GetFullPathNameW

• 0x41b0fc GetFullPathNameA

• 0x41b100 SetCurrentDirectoryW

• 0x41b104 SetCurrentDirectoryA

• 0x41b108 GetCurrentDirectoryW

• 0x41b10c GetTempPathW

• 0x41b110 GetTempPathA

• 0x41b114 GetCurrentProcessId

• 0x41b118 GetTickCount

• 0x41b11c GetCurrentThreadId

• 0x41b120 FindClose

• 0x41b124 FindFirstFileW

• 0x41b128 FindFirstFileA

• 0x41b12c FindNextFileW

• 0x41b130 FindNextFileA

• 0x41b134 CreateFileA

• 0x41b138 GetFileSize

• 0x41b13c SetFilePointer

• 0x41b140 ReadFile

• 0x41b144 WriteFile

• 0x41b148 SetEndOfFile

• 0x41b14c GetStdHandle

• 0x41b150 WaitForMultipleObjects

• 0x41b154 Sleep

• 0x41b158 VirtualAlloc

• 0x41b15c VirtualFree

• 0x41b160 CreateEventA

• 0x41b164 SetEvent

• 0x41b168 ResetEvent

• 0x41b16c InitializeCriticalSection

• 0x41b170 RtlUnwind

• 0x41b174 RaiseException

• 0x41b178 HeapAlloc

• 0x41b17c HeapFree

• 0x41b180 HeapReAlloc

• 0x41b184 CreateThread

• 0x41b188 TlsSetValue

• 0x41b18c TlsGetValue

• 0x41b190 ExitThread

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
h2oapi.adaware.com	A 104.16.236.79 A 104.16.235.79	104.16.236.79
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com
flow.lavasoft.com	A 104.18.88.101 A 104.18.87.101	104.18.87.101

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49224	104.16.236.79 h2oapi.adaware.com	443
192.168.56.101	49222	104.18.87.101 flow.lavasoft.com	80
192.168.56.101	49223	104.18.87.101 flow.lavasoft.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart	POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 152 {"Data":{"BundleId":"SFT002","MachineId":"a2288c9b-45c8-1668-b277-802b13ff8a29","InstallId":"4543ee90-13a8-4e22-b414-a6a2ee2a0861","InProcess":"true"}}
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 266 {"Data":{"BundleId":"SFT002","MachineId":"a2288c9b-45c8-1668-b277-802b13ff8a29","InstallId":"4543ee90-13a8-4e22-b414-a6a2ee2a0861","OsVersion":"Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full"}}

URI

Data

http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart

POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1
Host: flow.lavasoft.com
Accept: application/json
Content-Type: application/json
charsets: utf-8
Content-Length: 152

{"Data":{"BundleId":"SFT002","MachineId":"a2288c9b-45c8-1668-b277-802b13ff8a29","InstallId":"4543ee90-13a8-4e22-b414-a6a2ee2a0861","InProcess":"true"}}

http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart

POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1
Host: flow.lavasoft.com
Accept: application/json
Content-Type: application/json
charsets: utf-8
Content-Length: 266

{"Data":{"BundleId":"SFT002","MachineId":"a2288c9b-45c8-1668-b277-802b13ff8a29","InstallId":"4543ee90-13a8-4e22-b414-a6a2ee2a0861","OsVersion":"Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full"}}

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.