Summary | ZeroBOX

Practical3.ex_

Antivirus
Category Machine Started Completed
FILE s1_win7_x6401 April 8, 2021, 12:17 p.m. April 8, 2021, 12:19 p.m.
Size 171.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 8819d7f8069d35e71902025d801b44dd
SHA256 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
CRC32 C35E72EA
ssdeep 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw
PDB Path C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Yara
  • Antivirus - Contains references to security software
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • escalate_priv - Escalate privileges
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • IsPE64 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

The call above is recorded 44 times in the trace with the identical argument and result; the 43 further verbatim copies are omitted here. The count matches the 44 image names on the taskkill list further down.
Time & API Arguments Status Return Repeated

WriteConsoleW

All 50 calls below were recorded with console_handle: 0x000000000000000b and status 1, return 1, repeated 0, so only the buffer argument is listed. The first 44 buffers are taskkill's reply for each image on the kill list (none of the targeted processes was running in the sandbox); the three message pairs at the end are net.exe's reply when the named service does not exist on the host (NET HELPMSG 2185, "The service name is invalid").

buffer: ERROR: The process "zoolz.exe" not found.
buffer: ERROR: The process "agntsvc.exe" not found.
buffer: ERROR: The process "dbeng50.exe" not found.
buffer: ERROR: The process "dbsnmp.exe" not found.
buffer: ERROR: The process "encsvc.exe" not found.
buffer: ERROR: The process "excel.exe" not found.
buffer: ERROR: The process "firefoxconfig.exe" not found.
buffer: ERROR: The process "infopath.exe" not found.
buffer: ERROR: The process "isqlplussvc.exe" not found.
buffer: ERROR: The process "msaccess.exe" not found.
buffer: ERROR: The process "msftesql.exe" not found.
buffer: ERROR: The process "mspub.exe" not found.
buffer: ERROR: The process "mydesktopqos.exe" not found.
buffer: ERROR: The process "mydesktopservice.exe" not found.
buffer: ERROR: The process "mysqld.exe" not found.
buffer: ERROR: The process "mysqld-nt.exe" not found.
buffer: ERROR: The process "mysqld-opt.exe" not found.
buffer: ERROR: The process "ocautoupds.exe" not found.
buffer: ERROR: The process "ocomm.exe" not found.
buffer: ERROR: The process "ocssd.exe" not found.
buffer: ERROR: The process "onenote.exe" not found.
buffer: ERROR: The process "oracle.exe" not found.
buffer: ERROR: The process "outlook.exe" not found.
buffer: ERROR: The process "powerpnt.exe" not found.
buffer: ERROR: The process "sqbcoreservice.exe" not found.
buffer: ERROR: The process "sqlagent.exe" not found.
buffer: ERROR: The process "sqlbrowser.exe" not found.
buffer: ERROR: The process "sqlservr.exe" not found.
buffer: ERROR: The process "sqlwriter.exe" not found.
buffer: ERROR: The process "steam.exe" not found.
buffer: ERROR: The process "synctime.exe" not found.
buffer: ERROR: The process "tbirdconfig.exe" not found.
buffer: ERROR: The process "thebat.exe" not found.
buffer: ERROR: The process "thebat64.exe" not found.
buffer: ERROR: The process "thunderbird.exe" not found.
buffer: ERROR: The process "visio.exe" not found.
buffer: ERROR: The process "winword.exe" not found.
buffer: ERROR: The process "wordpad.exe" not found.
buffer: ERROR: The process "xfssvccon.exe" not found.
buffer: ERROR: The process "tmlisten.exe" not found.
buffer: ERROR: The process "PccNTMon.exe" not found.
buffer: ERROR: The process "CNTAoSMgr.exe" not found.
buffer: ERROR: The process "Ntrtscan.exe" not found.
buffer: ERROR: The process "mbamtray.exe" not found.
buffer: The service name is invalid.
buffer: More help is available by typing NET HELPMSG 2185.
buffer: The service name is invalid.
buffer: More help is available by typing NET HELPMSG 2185.
buffer: The service name is invalid.
buffer: More help is available by typing NET HELPMSG 2185.
pdb_path C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlbrowser.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tbirdconfig.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-nt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocssd.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mbamtray.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocomm.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ntrtscan.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlwriter.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wordpad.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msaccess.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "synctime.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CNTAoSMgr.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefoxconfig.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msftesql.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-opt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "outlook.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbsnmp.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbeng50.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "xfssvccon.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "infopath.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "excel.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "oracle.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlservr.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "powerpnt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "onenote.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "isqlplussvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "steam.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "visio.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlagent.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agntsvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqbcoreservice.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tmlisten.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "zoolz.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopservice.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "encsvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PccNTMon.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocautoupds.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thunderbird.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat64.exe")
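The WMI rows above are the sample's per-name Win32_Process lookups, and the same 44 image names recur as taskkill targets and in taskkill's "not found" console output on this page. As an added example (the editor's code, not part of the ZeroBOX report or of the sample), the Python below parses the WQL filter to recover the Caption being looked up, parses taskkill's "not found" messages, and correlates the two to report which targets were actually running when the kill list was applied, plus a rough breakdown of what the list targets. The sample input is constructed from the names on this page; the category mapping is the editor's own labelling of those names and is an assumption, not something the report states.

```python
import re
from collections import Counter

# WQL filter as the sandbox printed it for every lookup:
#   ... FROM Win32_Process WHERE ( Caption = "name.exe")
WQL_CAPTION = re.compile(
    r'FROM\s+Win32_Process\s+WHERE\s*\(\s*Caption\s*=\s*"([^"]+)"\s*\)',
    re.IGNORECASE)

# taskkill's console message, as captured through WriteConsoleW in the report:
#   ERROR: The process "name.exe" not found.
NOT_FOUND = re.compile(r'ERROR: The process "([^"]+)" not found\.', re.IGNORECASE)

# The 44 image names on this page, in the order the taskkill calls were issued.
TARGETS = [
    'zoolz.exe', 'agntsvc.exe', 'dbeng50.exe', 'dbsnmp.exe', 'encsvc.exe', 'excel.exe',
    'firefoxconfig.exe', 'infopath.exe', 'isqlplussvc.exe', 'msaccess.exe', 'msftesql.exe',
    'mspub.exe', 'mydesktopqos.exe', 'mydesktopservice.exe', 'mysqld.exe', 'mysqld-nt.exe',
    'mysqld-opt.exe', 'ocautoupds.exe', 'ocomm.exe', 'ocssd.exe', 'onenote.exe', 'oracle.exe',
    'outlook.exe', 'powerpnt.exe', 'sqbcoreservice.exe', 'sqlagent.exe', 'sqlbrowser.exe',
    'sqlservr.exe', 'sqlwriter.exe', 'steam.exe', 'synctime.exe', 'tbirdconfig.exe',
    'thebat.exe', 'thebat64.exe', 'thunderbird.exe', 'visio.exe', 'winword.exe', 'wordpad.exe',
    'xfssvccon.exe', 'tmlisten.exe', 'PccNTMon.exe', 'CNTAoSMgr.exe', 'Ntrtscan.exe',
    'mbamtray.exe',
]

# Constructed sample input: the report's WQL line and taskkill message rebuilt for
# every target, so the parsers see exactly the shape the sandbox recorded.
WQL_TEMPLATE = ('wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, '
                'WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId '
                'FROM Win32_Process WHERE ( Caption = "%s")')
SAMPLE_WMI_LINES = [WQL_TEMPLATE % name for name in TARGETS]
SAMPLE_CONSOLE_LINES = ['ERROR: The process "%s" not found.' % name for name in TARGETS]

# Assumed grouping of the names (editor's labelling, not stated by the report);
# anything not listed is reported as "other".
_GROUPS = {
    'office': ['excel', 'infopath', 'msaccess', 'mspub', 'onenote', 'outlook',
               'powerpnt', 'visio', 'winword', 'wordpad'],
    'mail': ['firefoxconfig', 'tbirdconfig', 'thebat', 'thebat64', 'thunderbird'],
    'database': ['agntsvc', 'dbeng50', 'dbsnmp', 'isqlplussvc', 'msftesql', 'mysqld',
                 'mysqld-nt', 'mysqld-opt', 'ocssd', 'oracle', 'sqlagent', 'sqlbrowser',
                 'sqlservr', 'sqlwriter'],
    'security': ['tmlisten', 'pccntmon', 'cntaosmgr', 'ntrtscan', 'mbamtray'],
    'backup': ['zoolz', 'sqbcoreservice'],
}
CATEGORY = {n + '.exe': cat for cat, names in _GROUPS.items() for n in names}


def wql_captions(lines):
    """Caption values looked up, in order; lines that are not a Win32_Process
    Caption filter (other WQL, unrelated report rows) are skipped."""
    found = []
    for line in lines:
        m = WQL_CAPTION.search(line)
        if m:
            found.append(m.group(1))
    return found


def not_found_images(lines):
    """Image names taskkill reported as not running."""
    return [m.group(1) for m in map(NOT_FOUND.search, lines) if m]


def kill_list_report(wmi_lines, console_lines):
    """Correlate the lookups with taskkill's output: a queried name that never
    produced a 'not found' message was present when the kill ran."""
    queried = wql_captions(wmi_lines)
    missing = {n.lower() for n in not_found_images(console_lines)}
    return {
        'queried': len(queried),
        'unique': len({n.lower() for n in queried}),
        'present_at_runtime': [n for n in queried if n.lower() not in missing],
        'by_category': dict(Counter(CATEGORY.get(n.lower(), 'other') for n in queried)),
    }


if __name__ == '__main__':
    report = kill_list_report(SAMPLE_WMI_LINES, SAMPLE_CONSOLE_LINES)
    print(report['queried'], 'lookups,', report['unique'], 'distinct names')
    print('running when killed:', report['present_at_runtime'] or 'none')
    for cat, n in sorted(report['by_category'].items()):
        print('  %-9s %2d' % (cat, n))
```

On this report every queried name comes back "not found", so the WMI lookup did not gate the taskkill call: the list was applied blindly, which is also why the presence of the targets on a victim host, not their absence in the sandbox, is what decides how much damage the kill step does.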
Time & API Arguments Status Return Repeated

ShellExecuteExW

All 50 calls below were recorded with show_type: 0 and status 1, return 1, repeated 0, and filepath_r equals filepath in each; only the parameters argument differs. The first 44 calls run taskkill (filepath: taskkill), the last 6 run net (filepath: net). Both are passed as bare names rather than full paths, so the executable actually launched depends on the caller's search path; the cmdline rows further down show the same commands in both the bare and the resolved C:\Windows\System32 form.

taskkill parameters: /IM zoolz.exe /F
taskkill parameters: /IM agntsvc.exe /F
taskkill parameters: /IM dbeng50.exe /F
taskkill parameters: /IM dbsnmp.exe /F
taskkill parameters: /IM encsvc.exe /F
taskkill parameters: /IM excel.exe /F
taskkill parameters: /IM firefoxconfig.exe /F
taskkill parameters: /IM infopath.exe /F
taskkill parameters: /IM isqlplussvc.exe /F
taskkill parameters: /IM msaccess.exe /F
taskkill parameters: /IM msftesql.exe /F
taskkill parameters: /IM mspub.exe /F
taskkill parameters: /IM mydesktopqos.exe /F
taskkill parameters: /IM mydesktopservice.exe /F
taskkill parameters: /IM mysqld.exe /F
taskkill parameters: /IM mysqld-nt.exe /F
taskkill parameters: /IM mysqld-opt.exe /F
taskkill parameters: /IM ocautoupds.exe /F
taskkill parameters: /IM ocomm.exe /F
taskkill parameters: /IM ocssd.exe /F
taskkill parameters: /IM onenote.exe /F
taskkill parameters: /IM oracle.exe /F
taskkill parameters: /IM outlook.exe /F
taskkill parameters: /IM powerpnt.exe /F
taskkill parameters: /IM sqbcoreservice.exe /F
taskkill parameters: /IM sqlagent.exe /F
taskkill parameters: /IM sqlbrowser.exe /F
taskkill parameters: /IM sqlservr.exe /F
taskkill parameters: /IM sqlwriter.exe /F
taskkill parameters: /IM steam.exe /F
taskkill parameters: /IM synctime.exe /F
taskkill parameters: /IM tbirdconfig.exe /F
taskkill parameters: /IM thebat.exe /F
taskkill parameters: /IM thebat64.exe /F
taskkill parameters: /IM thunderbird.exe /F
taskkill parameters: /IM visio.exe /F
taskkill parameters: /IM winword.exe /F
taskkill parameters: /IM wordpad.exe /F
taskkill parameters: /IM xfssvccon.exe /F
taskkill parameters: /IM tmlisten.exe /F
taskkill parameters: /IM PccNTMon.exe /F
taskkill parameters: /IM CNTAoSMgr.exe /F
taskkill parameters: /IM Ntrtscan.exe /F
taskkill parameters: /IM mbamtray.exe /F
net parameters: stop "Acronis VSS Provider" /y
net parameters: stop "Enterprise Client Service" /y
net parameters: stop "Sophos Agent" /y
net parameters: stop "Sophos AutoUpdate Service" /y
net parameters: stop "Sophos Clean Service" /y
net parameters: stop "Sophos Device Control Service" /y
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

The call above is recorded 44 times in the trace, each with an empty system_name, SeDebugPrivilege and the same result; the 43 further verbatim copies are omitted here. The count matches the 44 image names on the taskkill list.
cmdline "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
cmdline "C:\Windows\System32\net.exe" stop IISAdmin /y
cmdline taskkill /IM ocomm.exe /F
cmdline taskkill /IM sqlwriter.exe /F
cmdline "C:\Windows\System32\net.exe" stop MSExchangeIS /y
cmdline "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
cmdline taskkill /IM thunderbird.exe /F
cmdline taskkill /IM powerpnt.exe /F
cmdline net stop MsDtsServer100 /y
cmdline net stop BackupExecAgentBrowser /y
cmdline net stop "SQLsafe Filter Service" /y
cmdline taskkill /IM steam.exe /F
cmdline net stop MSExchangeMTA /y
cmdline net stop "Veeam Backup Catalog Data Service" /y
cmdline net stop EPSecurityService /y
cmdline taskkill /IM outlook.exe /F
cmdline net stop "Sophos File Scanner Service" /y
cmdline "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
cmdline taskkill /IM mydesktopservice.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
cmdline net stop FA_Scheduler /y
cmdline net stop "Sophos Agent" /y
cmdline net stop McAfeeFrameworkMcAfeeFramework /y
cmdline "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
cmdline "C:\Windows\System32\net.exe" stop bedbg /y
cmdline taskkill /IM msftesql.exe /F
cmdline "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
cmdline "C:\Windows\System32\net.exe" stop DCAgent /y
cmdline net stop Antivirus /y
cmdline net stop MsDtsServer /y
cmdline "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
cmdline taskkill /IM thebat.exe /F
cmdline net stop MSExchangeIS /y
cmdline net stop AcrSch2Svc /y
cmdline net stop BackupExecJobEngine /y
cmdline "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
cmdline "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
cmdline taskkill /IM mysqld-nt.exe /F
cmdline "C:\Windows\System32\net.exe" stop McTaskManager /y
cmdline "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
cmdline net stop mfevtp /y
cmdline net stop bedbg /y
cmdline "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
cmdline net stop macmnsvc /y
cmdline net stop mfemms /y
cmdline net stop BackupExecDeviceMediaService /y
cmdline taskkill /IM tmlisten.exe /F
cmdline net stop mozyprobackup /y
cmdline taskkill /IM mydesktopservice.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
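The cmdline rows above show the two shapes a process-creation log will carry for the same action: a bare image name (taskkill /IM ... /F, net stop ... /y) and the resolved full path ("C:\Windows\System32\net.exe" stop ... /y), with some service names quoted. As an added example (the editor's code, not from the report or the sample), the Python below normalises both shapes, extracts the force-killed image or the stopped service, and raises one alert per parent process that issues a burst of them inside a sliding window. The thresholds, the window, the parent-PID field and the event records are the editor's assumptions; the parent 1234 command lines are copied from the rows above, and parent 777 is a constructed administrator session added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Split a Windows command line into the bare image name (quotes and directory
# stripped, ".exe" dropped, so "C:\Windows\System32\net.exe" and net compare
# equal) and the remaining argument string.
CMDLINE = re.compile(
    r'^\s*"?(?:[A-Za-z]:[^"\s]*[\\/])?(?P<exe>[^"\\/\s]+?)(?:\.exe)?"?\s+(?P<args>.*)$',
    re.IGNORECASE)
TASKKILL_IMAGE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)
NET_STOP_SERVICE = re.compile(r'^stop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def classify(cmdline):
    """('kill', image) for 'taskkill /IM <image> /F', ('stop', service) for
    'net stop <service> /y' (quoted names allowed), otherwise None."""
    m = CMDLINE.match(cmdline)
    if not m:
        return None
    exe, args = m.group('exe').lower(), m.group('args').strip()
    flags = {tok.lower() for tok in args.split()}
    if exe == 'taskkill' and '/f' in flags:
        im = TASKKILL_IMAGE.search(args)
        return ('kill', im.group(1).lower()) if im else None
    if exe in ('net', 'net1') and '/y' in flags:
        sv = NET_STOP_SERVICE.match(args)
        if sv:
            return ('stop', (sv.group(1) or sv.group(2)).lower())
    return None


def detect(events, window=timedelta(seconds=60), min_kills=5, min_stops=3):
    """One alert per parent PID whose children, inside a sliding window, force-kill
    at least min_kills distinct images or stop at least min_stops distinct
    services. Thresholds are assumptions to tune against local admin activity;
    the alert reports the richest window that crossed a threshold."""
    by_parent = defaultdict(list)
    for ev in events:
        kind = classify(ev['cmdline'])
        if kind:
            by_parent[ev['ppid']].append((ev['ts'], kind))
    alerts = []
    for ppid, items in by_parent.items():
        items.sort(key=lambda it: it[0])
        best = None
        for i, (ts, _) in enumerate(items):
            recent = [k for t, k in items[:i + 1] if ts - t <= window]
            kills = {name for kind, name in recent if kind == 'kill'}
            stops = {name for kind, name in recent if kind == 'stop'}
            if len(kills) >= min_kills or len(stops) >= min_stops:
                if best is None or len(kills) + len(stops) > len(best[1]) + len(best[2]):
                    best = (ts, kills, stops)
        if best:
            alerts.append({'ppid': ppid, 'at': best[0],
                           'killed': sorted(best[1]), 'stopped': sorted(best[2])})
    return alerts


# Constructed process-creation records (timestamp, parent PID, command line):
# parent 1234 carries command lines copied from the report, parent 777 is a
# made-up administrator session that must not alert.
T0 = datetime(2021, 4, 8, 12, 18, 0)


def _ev(seconds, ppid, cmdline):
    return {'ts': T0 + timedelta(seconds=seconds), 'ppid': ppid, 'cmdline': cmdline}


SAMPLE_EVENTS = [
    _ev(0, 1234, 'taskkill /IM ocomm.exe /F'),
    _ev(1, 1234, 'taskkill /IM sqlwriter.exe /F'),
    _ev(1, 1234, '"C:\\Windows\\System32\\taskkill.exe" /IM ocssd.exe /F'),
    _ev(2, 1234, 'taskkill /IM thunderbird.exe /F'),
    _ev(2, 1234, 'taskkill /IM powerpnt.exe /F'),
    _ev(3, 1234, 'taskkill /IM steam.exe /F'),
    _ev(4, 1234, 'net stop "Sophos Agent" /y'),
    _ev(4, 1234, '"C:\\Windows\\System32\\net.exe" stop MSExchangeIS /y'),
    _ev(5, 1234, 'net stop BackupExecJobEngine /y'),
    _ev(5, 1234, '"C:\\Windows\\System32\\net.exe" stop "Veeam Backup Catalog Data Service" /y'),
    _ev(0, 777, 'taskkill /IM notepad.exe /F'),
    _ev(30, 777, 'net stop Spooler /y'),
    _ev(90, 777, 'net start Spooler'),
]

if __name__ == '__main__':
    for a in detect(SAMPLE_EVENTS):
        print('ALERT ppid=%d at %s: %d images force-killed, %d services stopped'
              % (a['ppid'], a['at'].time(), len(a['killed']), len(a['stopped'])))
```

The rule keys on the command line rather than on service state changes for a reason visible in this report: the "The service name is invalid" / NET HELPMSG 2185 console output shows that several named services did not exist on the sandbox host, so no service-stop event was ever generated, yet the attempt itself is the indicator.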
Elastic malicious (high confidence)
ClamAV Win.Ransomware.Ryuk-6688842-0
CAT-QuickHeal Trojan.Generic
Qihoo-360 Win64/Ransom.Generic.H8oAChsA
McAfee Ransom-Ryuk!8819D7F8069D
Cylance Unsafe
Zillya Trojan.Generic.Win32.644133
Sangfor Win.Ransomware.Ryuk-6688842-0
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Ransom:Win32/Genasom.ali1000102
K7GW Trojan ( 00553fc91 )
K7AntiVirus Trojan ( 00553fc91 )
Arcabit Trojan.Ransom.Ryuk.19
Cyren W64/Ransom.Ryuk.A.gen!Eldorado
Symantec Ransom.Hermes!gen2
ESET-NOD32 a variant of Win64/Filecoder.T
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Ransom.Ryuk.19
MicroWorld-eScan Gen:Variant.Ransom.Ryuk.19
Avast Win64:RansomX-gen [Ransom]
Rising Ransom.Jabaxsta!1.B3AA (CLASSIC)
Ad-Aware Gen:Variant.Ransom.Ryuk.19
Emsisoft Gen:Variant.Ransom.Ryuk.19 (B)
DrWeb Trojan.Inject4.9283
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.Win64.RYUK.SM
McAfee-GW-Edition BehavesLike.Win64.RansomRyuk.ch
FireEye Generic.mg.8819d7f8069d35e7
Sophos ML/PE-A + Troj/Ransom-FAF
Ikarus Trojan-Ransom.Ryuk
Jiangmin Trojan.Generic.cpxqa
Avira HEUR/AGEN.1110011
Gridinsoft Ransom.Win64.AI.sa
Microsoft Ransom:Win64/Jabaxsta.B
AegisLab Trojan.Win32.Generic.4!c
GData Win64.Trojan-Ransom.Ryuk.A
AhnLab-V3 Trojan/Win64.Ryukran.R234901
ALYac Trojan.Ransom.Ryuk
MAX malware (ai score=86)
Malwarebytes Malware.AI.218522461
TrendMicro-HouseCall Ransom.Win64.RYUK.SM
Tencent Win32.Trojan.Generic.Dyzx
SentinelOne Static AI - Malicious PE
Fortinet W64/Ryuk.223E!tr.ransom
AVG Win64:RansomX-gen [Ransom]
Cybereason malicious.8069d3
MaxSecure Trojan.Malware.300983.susgen