9.6
Critical (极危)

08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641

5ff20e2b723edb2d0fb27df4fc2c4468.exe

Analysis duration

129s

Last analysis

File size

65.8KB
Static scan: malicious  Dynamic scan: malicious  Tags: 100% AI SCORE=100 AMBVH BSCOPE CONFIDENCE DANGEROUSSIG EQX@AGLIFZN FILECODER GENCIRC GENERICKD HBZB HFIUJG HIGH CONFIDENCE JSWORM KCLOUD KTSE MALCERT MALWARE@#2H9OCVY03ESHK MJXBBXKS1ZO NEFICRYPT NEFILIM NEFILRAN NEMTY NEPHILIM R + TROJ RANSOMWARE SCORE TRUC UNSAFE ZEXACO ZUDOCHKA
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine detection result yet
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Baidu 20190318 1.0.0.2
Avast Win32:DangerousSig [Trj] 20210426 21.1.5827.0
Alibaba Ransom:Win32/JSWorm.c0e52b22 20190527 0.3.0.5
Kingsoft Win32.Troj.Zudochka.e.(kcloud) 20210426 2017.9.26.565
McAfee Ransomware-GWS!5FF20E2B723E 20210426 6.0.6.653
Tencent Malware.Win32.Gencirc.10b9c10f 20210426 1.0.0.1
Static indicators
This executable is signed
This executable has a PDB path (1 event)
pdb_path C:\Users\Administrator\Desktop\New folder\Release\NEFILIM.pdb
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:1136634822&cup2hreq=963325ca3cef56d0b2d6823747875326a1a8d0de953ceb05d5c5837c3b631b46
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:1136634822&cup2hreq=963325ca3cef56d0b2d6823747875326a1a8d0de953ceb05d5c5837c3b631b46
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1136634822&cup2hreq=963325ca3cef56d0b2d6823747875326a1a8d0de953ceb05d5c5837c3b631b46
Creates executable files on the filesystem (2 events)
file C:\Python27\Lib\test\empty.vbs
file C:\Python27\Lib\idlelib\idle.bat
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\Python27\agent.pyw
Writes a potential ransom message to disk (1 event)
Time & API Arguments Status Return Repeated
1619513305.360879
NtWriteFile
file_handle: 0x00000084
filepath: C:\NEFILIM-DECRYPT.txt
buffer: All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. jamesgonzaleswork1972@protonmail.com pretty_hardjob2881@mail.com dprworkjessiaeye1955@tutanota.com
offset: 0
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.110:443
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33540160
CAT-QuickHeal Trojan.Multi
ALYac Trojan.Ransom.Nefilim
Malwarebytes Ransom.Nefilim
VIPRE Trojan.Win32.Generic!BT
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.33540160
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Cyren W32/Jsworm.HBZB-3393
Symantec Ransom.Nemty
ESET-NOD32 Win32/Filecoder.Nemty.D
Avast Win32:DangerousSig [Trj]
ClamAV Win.Ransomware.Nephilim-9238434-0
Alibaba Ransom:Win32/JSWorm.c0e52b22
NANO-Antivirus Trojan.Win32.JSWorm.hfiujg
ViRobot Trojan.Win32.Nemty.197088
AegisLab Trojan.Win32.JSWorm.truC
Rising Ransom.NEFILIM!1.C3E7 (KTSE)
Ad-Aware Trojan.GenericKD.33540160
TACHYON Ransom/W32.Nefilim.67376
Emsisoft MalCert.A (A)
Comodo Malware@#2h9ocvy03eshk
DrWeb Trojan.Encoder.31246
Zillya Trojan.JSWorm.Win32.1
TrendMicro Ransom.Win32.NEFILIM.A
McAfee-GW-Edition Ransomware-GWS!5FF20E2B723E
FireEye Trojan.GenericKD.33540160
Sophos Mal/Generic-R + Troj/Nefilran-A
GData Win32.Trojan-Ransom.Nefilim.A
Jiangmin Trojan.Zudochka.fc
MaxSecure Ransomware.Trojan.Ransom.W32.JSWorm.d_189641
Avira TR/Zudochka.ambvh
Kingsoft Win32.Troj.Zudochka.e.(kcloud)
Gridinsoft Ransom.Win32.Filecoder.cc
Arcabit Trojan.Generic.D1FFC840
ZoneAlarm Trojan-Ransom.Win32.JSWorm.d
Microsoft Ransom:MSIL/NefiCrypt.PI!MSR
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Ransom.C4041707
McAfee Ransomware-GWS!5FF20E2B723E
MAX malware (ai score=100)
VBA32 BScope.Trojan.Encoder
Cylance Unsafe
Panda Trj/WLT.F
Zoner Trojan.Win32.90038
TrendMicro-HouseCall Ransom.Win32.NEFILIM.A
Tencent Malware.Win32.Gencirc.10b9c10f
Yandex Trojan.Filecoder!mJXbbxks1zo
Performs 2657 file moves indicative of a ransomware file encryption process (50 of 2657 events shown)
Appends a new file extension or content to 2657 files indicative of a ransomware file encryption process (50 of 2657 events shown)
Drops 1681 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 1677 events)
file c:\python27\lib\email\message.pyc.nefilim
file c:\python27\lib\markupbase.pyc.nefilim
file c:\python27\lib\site-packages\pip\_vendor\html5lib\__init__.py.nefilim
file c:\python27\include\pgenheaders.h.nefilim
file C:\Python27\Lib\test\decimaltestdata\ddCopy.decTest
file c:\python27\lib\sqlite3\test\hooks.py.nefilim
file C:\Python27\Lib\test\formatfloat_testcases.txt
file c:\python27\lib\site-packages\pip\_vendor\html5lib\filters\lint.py.nefilim
file c:\python27\lib\site-packages\pil\imageshow.pyc.nefilim
file c:\python27\lib\encodings\cp1251.py.nefilim
file c:\python27\lib\test\exception_hierarchy.txt.nefilim
file c:\python27\lib\email\__init__.py.nefilim
file c:\python27\lib\distutils\dist.pyc.nefilim
file c:\python27\lib\distutils\tests\test_sysconfig.py.nefilim
file c:\python27\lib\site-packages\pil\features.pyc.nefilim
file c:\python27\lib\lib2to3\fixes\fix_methodattrs.py.nefilim
file c:\python27\lib\site-packages\pip\_vendor\html5lib\filters\sanitizer.pyc.nefilim
file c:\python27\lib\lib2to3\fixes\fix_numliterals.py.nefilim
file c:\python27\lib\distutils\tests\test_spawn.py.nefilim
file c:\python27\lib\multiprocessing\__init__.py.nefilim
file c:\python27\lib\site-packages\pip\_vendor\html5lib\_trie\__init__.pyc.nefilim
file c:\python27\lib\idlelib\macosxsupport.py.nefilim
file c:\python27\lib\site-packages\pil\mcidasimageplugin.pyc.nefilim
file c:\python27\lib\lib2to3\tests\data\crlf.py.nefilim
file c:\python27\lib\site-packages\pip\_internal\utils\hashes.py.nefilim
file c:\python27\lib\site-packages\pip\_vendor\urllib3\util\wait.pyc.nefilim
file c:\python27\lib\site-packages\pil\fpximageplugin.pyc.nefilim
file c:\python27\lib\fnmatch.py.nefilim
file C:\Python27\Lib\test\Sine-1000Hz-300ms.aif
file c:\python27\lib\idlelib\autocompletewindow.py.nefilim
file c:\python27\lib\getpass.pyc.nefilim
file c:\python27\lib\test\test_codecencodings_jp.py.nefilim
file c:\python27\lib\test\ssl_key.passwd.pem.nefilim
file c:\python27\lib\test\test_dummy_threading.py.nefilim
file c:\python27\lib\site-packages\pip\_vendor\chardet\escsm.py.nefilim
file c:\python27\lib\site-packages\pip\_vendor\chardet\escprober.py.nefilim
file C:\Python27\Lib\test\decimaltestdata\testall.decTest
file c:\python27\lib\encodings\iso8859_6.py.nefilim
file C:\Python27\Lib\test\capath\0e4015b9.0
file c:\python27\lib\site-packages\pkg_resources\_vendor\packaging\__about__.py.nefilim
file C:\Python27\Lib\site-packages\setuptools\command\__init__.pyc
file c:\python27\lib\mailcap.py.nefilim
file c:\python27\lib\distutils\command\upload.py.nefilim
file c:\python27\lib\test\decimaltestdata\dqadd.dectest.nefilim
file c:\python27\lib\encodings\utf_32_be.py.nefilim
file c:\python27\lib\encodings\cp500.py.nefilim
file c:\python27\lib\ctypes\test\test_numbers.py.nefilim
file c:\python27\lib\test\decimaltestdata\dqremainder.dectest.nefilim
file c:\python27\lib\site-packages\pip\_internal\commands\freeze.pyc.nefilim
file c:\python27\lib\test\test_cookielib.py.nefilim
Visual Analysis
Binary Image
No binary image: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots: no screenshots were generated while this sample was running


PE Compile Time

2020-03-11 07:06:11

Imports

Library KERNEL32.dll:
0x40a028 GetTickCount
0x40a02c GetProcessHeap
0x40a030 WriteFile
0x40a034 Sleep
0x40a038 ReadFile
0x40a03c CreateFileW
0x40a040 GetFileSizeEx
0x40a044 GetStdHandle
0x40a048 GetLastError
0x40a04c SetLastError
0x40a050 GetProcAddress
0x40a054 MoveFileW
0x40a058 GetLogicalDrives
0x40a05c LoadLibraryA
0x40a060 lstrcmpiW
0x40a064 FindNextFileW
0x40a068 CloseHandle
0x40a06c CreateThread
0x40a070 ExitProcess
0x40a074 GetModuleFileNameW
0x40a078 WideCharToMultiByte
0x40a07c ExitThread
0x40a080 MultiByteToWideChar
0x40a084 CreateMutexA
0x40a088 WaitForSingleObject
0x40a08c HeapFree
0x40a090 SetFilePointerEx
0x40a094 GetCurrentProcess
0x40a098 HeapAlloc
0x40a09c GetDriveTypeW
0x40a0a0 lstrlenA
0x40a0a4 FindFirstFileW
0x40a0a8 FindClose
0x40a0b0 GetStringTypeW
0x40a0b4 LCMapStringW
0x40a0b8 IsValidCodePage
0x40a0c0 EncodePointer
0x40a0c4 DecodePointer
0x40a0c8 GetCommandLineA
0x40a0cc HeapSetInformation
0x40a0d0 RaiseException
0x40a0d4 TerminateProcess
0x40a0e0 IsDebuggerPresent
0x40a0e8 HeapSize
0x40a0ec GetModuleHandleW
0x40a0f0 GetModuleFileNameA
0x40a0fc SetHandleCount
0x40a104 GetFileType
0x40a108 GetStartupInfoW
0x40a110 TlsAlloc
0x40a114 TlsGetValue
0x40a118 TlsSetValue
0x40a11c TlsFree
0x40a124 GetCurrentThreadId
0x40a12c HeapCreate
0x40a134 GetCurrentProcessId
0x40a140 RtlUnwind
0x40a144 HeapReAlloc
0x40a148 LoadLibraryW
0x40a14c GetCPInfo
0x40a150 GetACP
0x40a154 GetOEMCP
Library ADVAPI32.dll:
0x40a000 CryptDecrypt
0x40a004 CryptCreateHash
0x40a008 CryptDeriveKey
0x40a00c CryptDestroyKey
0x40a010 CryptEncrypt
0x40a014 CryptImportKey
0x40a01c CryptReleaseContext
0x40a020 CryptHashData
Library SHELL32.dll:
0x40a15c ShellExecuteW
Library SHLWAPI.dll:
0x40a164 PathFindExtensionW
0x40a168 PathIsDirectoryW

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 50259 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 50263 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 50071 203.208.40.66 update.googleapis.com 443
192.168.56.101 50251 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=7dc3d0c2b74816a6&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619502023&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6910
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.