18.2
0-day

146fb5b594f6b9da202cd0d303548afb1f364ca93c27c44e2f442b1fe26ff77f

e6e5eb5ea72343702b51a8ea5ba8e14f.exe

Analysis duration: 105s
Latest analysis
File size: 406.5KB
Static: flagged malicious  Dynamic: flagged malicious  100% 7XF2KWCRTVQ AGEN AI SCORE=88 AIDETECTVM ALI2000010 ARTEMIS ATTRIBUTE CONFIDENCE DELF FILEREPMALWARE GENERICKD GPRG HIGH CONFIDENCE HIGHCONFIDENCE HOAX HPPACL KCLOUD KRYPTIK MALWARE1 MALWARE@#25TBM5RLMGXYA MILICRY R346410 SAGE SAGECRYPT SCORE STATIC AI SUSPICIOUS PE YMACCO ZEXAF ZOW@ACZK6SKI ZWOQ+QIQFLQ
Eagle Eye engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Time Version
Alibaba Ransom:Win32/generic.ali2000010 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Evo-gen [Susp] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Artemis!E6E5EB5EA723 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (6 events)
Time & API Arguments Status Return Repeated
1619968390.695875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619968390.855656
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619968392.925968
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619968402.800968
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619968425.532914
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619968425.532914
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1619968399.863968
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619968402.824656
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1619968425.032914
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619968425.547914
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619968386.867875
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)
section .text1
section .data1
section .trace
section _RDATA
The file contains an unknown PE resource name possibly indicative of a packer (2 events)
resource name RCDATA
resource name SVT
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 393 events)
Time & API Arguments Status Return Repeated
1619968387.585875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02b50000
success 0 0
1619968387.585875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 270336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02bf0000
success 0 0
1619968388.804875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.820875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.820875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.835875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.851875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.867875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.882875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.898875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.914875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.914875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.929875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.945875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.960875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.976875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968388.992875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.007875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.023875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.023875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.039875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.070875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.085875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.101875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.117875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.132875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.132875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.148875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.164875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.179875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.195875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.210875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.226875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.242875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.257875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.257875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.273875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.289875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.304875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.320875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.335875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.351875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.351875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.367875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.382875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.398875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.414875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.429875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.445875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
1619968389.460875
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03910000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e6e5eb5ea72343702b51a8ea5ba8e14f.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619968390.679875
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1619968391.570875
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1619968424.597968
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619968391.632875
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e6e5eb5ea72343702b51a8ea5ba8e14f.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e6e5eb5ea72343702b51a8ea5ba8e14f.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.911366360055763 section {'size_of_data': '0x00001600', 'virtual_address': '0x00049000', 'entropy': 7.911366360055763, 'name': '.text', 'virtual_size': '0x000015a0'} description A section with a high entropy has been found
entropy 7.48984395487257 section {'size_of_data': '0x0001bc00', 'virtual_address': '0x0004f000', 'entropy': 7.48984395487257, 'name': '.rsrc', 'virtual_size': '0x0001baf0'} description A section with a high entropy has been found
entropy 0.2872996300863132 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619968424.953914
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with a host for which no DNS query was performed (3 events)
host 172.217.24.14
host 203.208.40.34
host 203.208.41.33
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619968424.300968
EnumServicesStatusW
service_handle: 0x009af1f0
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\tmpsij43m\analyzer.py
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system, indicative of ransomware, wiper malware or system destruction (50 out of 1533 events)
file C:\Python27\Lib\test\test_multifile.py
file C:\Python27\Lib\site-packages\pip\_vendor\webencodings\mklabels.py
file C:\Python27\Lib\encodings\iso8859_13.py
file C:\Python27\Lib\test\test_userstring.py
file C:\Python27\Lib\site-packages\pip\_vendor\lockfile\__init__.py
file C:\Python27\Lib\test\test_multibytecodec.py
file C:\Python27\Lib\wsgiref\util.py
file C:\Python27\Lib\test\test_timeit.py
file C:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\__init__.py
file C:\Python27\Lib\site-packages\pip\_vendor\packaging\__init__.py
file C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
file C:\Python27\Lib\test\test_fileinput.py
file C:\Python27\Lib\test\test_heapq.py
file C:\Python27\include\dtoa.h
file C:\Python27\Lib\encodings\mac_arabic.py
file C:\Python27\Lib\test\test_zipfile64.py
file C:\Python27\Lib\test\test_md5.py
file C:\Python27\Lib\encodings\iso2022_jp_2.py
file C:\Python27\Lib\site-packages\pip\_vendor\requests\models.py
file C:\Python27\Lib\json\tests\test_float.py
file C:\Python27\Lib\wave.py
file C:\Python27\Lib\encodings\iso8859_15.py
file C:\Python27\Lib\test\test_richcmp.py
file C:\Python27\Lib\encodings\cp1253.py
file C:\Python27\Lib\test\ssl_key.pem
file C:\Python27\Lib\smtplib.py
file C:\Python27\Lib\ctypes\macholib\dyld.py
file C:\Python27\Lib\encodings\mbcs.py
file C:\Python27\Lib\HTMLParser.py
file C:\Python27\Lib\test\test_importhooks.py
file C:\Python27\Lib\test\test_traceback.py
file C:\Python27\Lib\bsddb\dbshelve.py
file C:\Python27\include\intrcheck.h
file C:\tmpsij43m\modules\packages\pdf.py
file C:\Python27\Lib\site-packages\pip\_vendor\pep517\check.py
file C:\Python27\Lib\bsddb\dbutils.py
file C:\Python27\Lib\test\test_contextlib.py
file C:\Python27\include\symtable.h
file C:\Python27\Lib\test\test_operator.py
file C:\Python27\Lib\encodings\cp1257.py
file C:\Python27\Lib\test\crashers\infinite_loop_re.py
file C:\Python27\Lib\site-packages\setuptools\version.py
file C:\Python27\Lib\test\sample_doctest.py
file C:\Python27\Lib\site-packages\pip\_vendor\html5lib\filters\alphabeticalattributes.py
file C:\Python27\Lib\test\test_poll.py
file C:\Python27\include\warnings.h
file C:\Python27\Lib\xml\sax\expatreader.py
file C:\Python27\Lib\test\test_urllib2_localnet.py
file C:\Python27\Lib\test\make_ssl_certs.py
file C:\Python27\Lib\test\test_longexp.py
Removes the Shadow Copy to avoid recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command line tools or Windows utilities (2 events)
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
cmdline vssadmin.exe delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (1 event)
dll C:\Windows\system32\VBoxMRXNP.dll
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34249808
FireEye Generic.mg.e6e5eb5ea7234370
ALYac Trojan.Ransom.Sage
Malwarebytes Ransom.Sage
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0050b2d01 )
Alibaba Ransom:Win32/generic.ali2000010
K7GW Trojan ( 0050b2d01 )
Cybereason malicious.ea7234
Arcabit Trojan.Generic.D20A9C50
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Evo-gen [Susp]
Kaspersky HEUR:Trojan-Ransom.Win32.SageCrypt.vho
BitDefender Trojan.GenericKD.34249808
NANO-Antivirus Trojan.Win32.SageCrypt.hppacl
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.34249808
Emsisoft Trojan.GenericKD.34249808 (B)
Comodo Malware@#25tbm5rlmgxya
F-Secure Heuristic.HEUR/AGEN.1115437
DrWeb Trojan.Encoder.27265
Zillya Trojan.SageCrypt.Win32.204
TrendMicro Mal_MiliCry-2t
McAfee-GW-Edition BehavesLike.Win32.Generic.gh
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Crypt
Jiangmin Trojan.SageCrypt.gg
Avira HEUR/AGEN.1115437
MAX malware (ai score=88)
Antiy-AVL Trojan[Ransom]/Win32.SageCrypt
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:Win32/Ymacco.AA14
ZoneAlarm HEUR:Trojan-Ransom.Win32.SageCrypt.vho
GData Trojan.GenericKD.34249808
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R346410
Acronis suspicious
McAfee Artemis!E6E5EB5EA723
TACHYON Ransom/W32.SageCrypt.416256
VBA32 Hoax.SageCrypt
ESET-NOD32 a variant of Win32/Kryptik.GPRG
TrendMicro-HouseCall Mal_MiliCry-2t
Rising Stealer.Delf!8.415 (TFE:1:7xF2kwcrTVQ)
Yandex Trojan.Kryptik!Zwoq+qiQflQ
SentinelOne Static AI - Suspicious PE
Performs 1533 file moves indicative of a ransomware file encryption process (50 out of 1533 events)
Time & API Arguments Status Return Repeated
1619968391.632875
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e6e5eb5ea72343702b51a8ea5ba8e14f.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e6e5eb5ea72343702b51a8ea5ba8e14f.exe
success 1 0
1619968397.632875
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
success 1 0
1619968427.988968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\pycacert.pem
newfilepath: C:\Python27\Lib\test\pycacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\pycacert.pem...
success 1 0
1619968428.019968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem
newfilepath: C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem...
success 1 0
1619968428.035968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nokia.pem
newfilepath: C:\Python27\Lib\test\nokia.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nokia.pem...
success 1 0
1619968428.066968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullcert.pem
newfilepath: C:\Python27\Lib\test\nullcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullcert.pem...
success 1 0
1619968428.081968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\nullbytecert.pem
newfilepath: C:\Python27\Lib\test\nullbytecert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\nullbytecert.pem...
success 1 0
1619968428.097968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem
newfilepath: C:\Python27\Lib\test\ssl_key.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.passwd.pem...
success 1 0
1619968428.113968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_key.pem
newfilepath: C:\Python27\Lib\test\ssl_key.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_key.pem...
success 1 0
1619968428.160968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badkey.pem
newfilepath: C:\Python27\Lib\test\badkey.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badkey.pem...
success 1 0
1619968428.160968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\talos-2019-0758.pem
newfilepath: C:\Python27\Lib\test\talos-2019-0758.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\talos-2019-0758.pem...
success 1 0
1619968428.191968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
newfilepath: C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\selfsigned_pythontestdotnet.pem...
success 1 0
1619968428.191968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert4.pem
newfilepath: C:\Python27\Lib\test\keycert4.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert4.pem...
success 1 0
1619968428.222968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert3.pem
newfilepath: C:\Python27\Lib\test\keycert3.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert3.pem...
success 1 0
1619968428.222968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ssl_cert.pem
newfilepath: C:\Python27\Lib\test\ssl_cert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ssl_cert.pem...
success 1 0
1619968428.253968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\allsans.pem
newfilepath: C:\Python27\Lib\test\allsans.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\allsans.pem...
success 1 0
1619968428.300968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\badcert.pem
newfilepath: C:\Python27\Lib\test\badcert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\badcert.pem...
success 1 0
1619968428.300968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\ffdh3072.pem
newfilepath: C:\Python27\Lib\test\ffdh3072.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\ffdh3072.pem...
success 1 0
1619968428.300968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert2.pem
newfilepath: C:\Python27\Lib\test\keycert2.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert2.pem...
success 1 0
1619968428.316968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.passwd.pem
newfilepath: C:\Python27\Lib\test\keycert.passwd.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.passwd.pem...
success 1 0
1619968428.316968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\keycert.pem
newfilepath: C:\Python27\Lib\test\keycert.pem.sage
newfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\keycert.pem...
success 1 0
1619968428.316968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\185test.db
newfilepath: C:\Python27\Lib\test\185test.db.sage
newfilepath_r: \\?\C:\Python27\Lib\test\185test.db.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\185test.db...
success 1 0
1619968428.331968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif
newfilepath: C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
newfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\Sine-1000Hz-300ms.aif...
success 1 0
1619968428.347968
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\py.ico
newfilepath: C:\Python27\DLLs\py.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\py.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\py.ico...
success 1 0
1619968428.347968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico
newfilepath: C:\Python27\Lib\idlelib\Icons\idle.ico.sage
newfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\idlelib\Icons\idle.ico...
success 1 0
1619968428.363968
MoveFileWithProgressW
oldfilepath: C:\Python27\DLLs\pyc.ico
newfilepath: C:\Python27\DLLs\pyc.ico.sage
newfilepath_r: \\?\C:\Python27\DLLs\pyc.ico.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\DLLs\pyc.ico...
success 1 0
1619968428.363968
MoveFileWithProgressW
oldfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff
newfilepath: C:\Python27\Lib\test\imghdrdata\python.tiff.sage
newfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\Lib\test\imghdrdata\python.tiff...
success 1 0
1619968428.394968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\code.xpm...
success 1 0
1619968428.425968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\combobox.xpm...
success 1 0
1619968428.441968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\drivea.xpm...
success 1 0
1619968428.441968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\filebox.xpm...
success 1 0
1619968428.456968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\exit.xpm...
success 1 0
1619968428.456968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\optmenu.xpm...
success 1 0
1619968428.472968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\select.xpm...
success 1 0
1619968428.472968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\harddisk.xpm...
success 1 0
1619968428.472968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\network.xpm...
success 1 0
1619968428.472968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\netw.xpm...
success 1 0
1619968428.472968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minus.xpm...
success 1 0
1619968428.488968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.xpm...
success 1 0
1619968428.488968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.xpm...
success 1 0
1619968428.488968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\file.xpm...
success 1 0
1619968428.488968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm...
success 1 0
1619968428.503968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\info.xpm...
success 1 0
1619968428.503968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\folder.xpm...
success 1 0
1619968428.503968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\demos\bitmaps\about.xpm...
success 1 0
1619968428.503968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm...
success 1 0
1619968428.503968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\warning.xpm...
success 1 0
1619968428.519968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\plus.xpm...
success 1 0
1619968428.519968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm...
success 1 0
1619968428.519968
MoveFileWithProgressW
oldfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm
newfilepath: C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
newfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm.sage
flags: 1
oldfilepath_r: \\?\C:\Python27\tcl\tix8.4.3\bitmaps\srcfile.xpm...
success 1 0
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2016-07-26 19:52:35

Imports

Library KERNEL32.dll:
0x4300a8 OutputDebugStringW
0x4300ac LoadLibraryExW
0x4300b0 HeapReAlloc
0x4300bc GetModuleFileNameA
0x4300c0 HeapSize
0x4300c4 SetFilePointerEx
0x4300c8 FlushFileBuffers
0x4300cc GetConsoleMode
0x4300d0 GetConsoleCP
0x4300d4 GetModuleFileNameW
0x4300d8 AreFileApisANSI
0x4300dc GetModuleHandleExW
0x4300e0 ExitProcess
0x4300e4 GetFileType
0x4300e8 GetOEMCP
0x4300ec GetACP
0x4300f0 IsValidCodePage
0x4300f4 IsDebuggerPresent
0x4300f8 EnumSystemLocalesW
0x4300fc GetUserDefaultLCID
0x430100 IsValidLocale
0x430104 GetLocaleInfoW
0x430108 LCMapStringW
0x43010c GlobalLock
0x430110 GetStartupInfoW
0x430114 TlsFree
0x430118 TlsSetValue
0x43011c TlsGetValue
0x430120 TlsAlloc
0x430124 TerminateProcess
0x430128 SetStdHandle
0x43012c WriteConsoleW
0x430130 GetFileSize
0x430134 ReadConsoleW
0x430138 CreateFileW
0x43013c SetEndOfFile
0x430144 LoadLibraryExA
0x430148 GetModuleHandleExA
0x43014c GetCurrentProcessId
0x430154 GetFileAttributesA
0x43015c GetLastError
0x430160 OpenProcess
0x430168 SetLastError
0x430178 GetCPInfo
0x43017c ReadFile
0x430180 GlobalUnlock
0x430184 CloseHandle
0x430188 GetModuleHandleA
0x43018c GetProcAddress
0x430190 CreateEventA
0x430194 WaitForSingleObject
0x430198 ResetEvent
0x4301a0 lstrlenA
0x4301a4 GetCurrentThreadId
0x4301a8 lstrcatA
0x4301ac GetModuleHandleW
0x4301b0 GetCommandLineA
0x4301b4 RaiseException
0x4301b8 RtlUnwind
0x4301bc FormatMessageA
0x4301c0 GetThreadLocale
0x4301c4 GetStringTypeW
0x4301c8 MultiByteToWideChar
0x4301cc WideCharToMultiByte
0x4301e0 DecodePointer
0x4301e4 EncodePointer
0x4301e8 HeapAlloc
0x4301ec LoadLibraryA
0x4301f0 LoadLibraryW
0x4301f4 GlobalAlloc
0x4301f8 lstrcpyA
0x4301fc GetProcessHeap
0x430200 HeapFree
0x430204 CreateFileA
0x430208 GetCurrentProcess
0x43020c Sleep
0x430210 WriteFile
0x430214 GetStdHandle
Library USER32.dll:
0x43026c IsWindow
0x430274 AttachThreadInput
0x430278 GetDlgCtrlID
0x43027c EnableMenuItem
0x430280 GetMenu
0x430284 SendMessageA
0x430288 LoadBitmapA
0x43028c EnumWindowStationsW
0x430294 DefWindowProcA
0x430298 ReleaseDC
0x43029c GetWindow
0x4302a0 RegisterClassExA
0x4302a4 LoadIconA
0x4302a8 LoadCursorA
0x4302ac RedrawWindow
0x4302b0 SendDlgItemMessageW
0x4302b4 SetScrollRange
0x4302b8 SendMessageW
0x4302bc GetPropW
0x4302c0 CopyRect
0x4302c4 DestroyCaret
0x4302c8 HideCaret
0x4302cc EnableWindow
0x4302d0 DestroyMenu
0x4302d4 TrackPopupMenu
0x4302d8 CheckMenuRadioItem
0x4302dc GetSubMenu
0x4302e0 GetDlgItem
0x4302e4 GetDC
0x4302e8 GetWindowRect
0x4302ec LoadMenuA
0x4302f0 GetCursorPos
0x4302f4 GetClassLongA
0x4302f8 ShowCaret
0x4302fc SendMessageTimeoutA
0x430300 GetParent
0x430304 IsWindowVisible
0x430308 GetWindowTextA
0x43030c CallWindowProcA
0x430310 SetCaretPos
0x430314 MapWindowPoints
0x430318 SetDlgItemTextA
0x43031c EndDialog
0x430320 FindWindowA
0x430324 SendInput
0x430328 CreateCaret
0x43032c GetWindowLongA
Library GDI32.dll:
0x430058 GetObjectA
0x43005c SetBrushOrgEx
0x430064 ExtTextOutA
0x430068 GetCurrentObject
0x43006c GetPaletteEntries
0x430078 CreateRectRgn
0x43007c SetAbortProc
0x430080 GetStockObject
0x430084 GetDeviceCaps
0x430088 SetTextColor
0x43008c SetBkColor
0x430090 GetBitmapBits
Library WINSPOOL.DRV:
0x430380 EnumPrintersA
0x430384 OpenPrinterA
0x43038c GetPrinterA
0x430394 ClosePrinter
0x430398 EnumJobsA
Library ADVAPI32.dll:
0x430004 GetTokenInformation
0x430008 OpenProcessToken
0x430018 AccessCheck
0x43001c LookupAccountNameW
0x430020 GetFileSecurityA
0x430024 LookupAccountSidA
0x430028 GetAclInformation
0x43002c ImpersonateSelf
Library SHELL32.dll:
0x430258 SHQueryRecycleBinA
0x43025c SHEmptyRecycleBinA
Library ole32.dll:
0x4303c8 CreateItemMoniker
0x4303d0 CoCreateInstance
Library OLEAUT32.dll:
0x430224 OleLoadPicture
0x430228 OleSavePictureFile
Library WININET.dll:
0x43034c InternetOpenA
0x43035c InternetConnectA
Library WS2_32.dll:
0x4303a0 closesocket
0x4303a4 send
0x4303a8 WSAGetLastError
Library NETAPI32.dll:
0x43021c NetAuditClear
Library PSAPI.DLL:
0x430240 EnumDeviceDrivers
0x430248 EnumProcesses
Library WINMM.dll:
0x430364 timeGetTime
0x430368 waveOutWrite
0x43036c waveOutClose
0x430370 timeBeginPeriod
0x430378 waveOutOpen
Library CRYPT32.dll:
Library IPHLPAPI.DLL:
0x4300a0 GetBestInterface
Library COMCTL32.dll:
0x430040
Library gdiplus.dll:
0x4303b0 GdipFree
0x4303b4 GdipDisposeImage
0x4303b8 GdipCloneImage
0x4303bc GdipAlloc
Library Secur32.dll:
Library IMM32.dll:
0x430098 ImmEscapeA
Library WINHTTP.dll:
0x430344 WinHttpSendRequest

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49186 192.168.56.1 139
192.168.56.101 49187 192.168.56.1 139
192.168.56.101 49191 192.168.56.1 139

UDP

Source Source Port Destination Destination Port
192.168.56.1 137 192.168.56.101 137
192.168.56.1 138 192.168.56.101 138
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.