Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 8, 2021, 12:17 p.m.	April 8, 2021, 12:19 p.m.

Size	171.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8819d7f8069d35e71902025d801b44dd`
SHA256	`98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab`
CRC32	`C35E72EA`
ssdeep	`3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw`
PDB Path	C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Yara	Antivirus - Contains references to security software inject_thread - Code injection with CreateRemoteThread in a remote process escalate_priv - Escalade priviledges win_token - Affect system token win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE64 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

Practical3.ex_ "C:\Users\test22\AppData\Local\Temp\Practical3.ex_"
2216
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  1304
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  1048
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  1568
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  1436
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  1016
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  2240
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2408
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  1340
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  2880
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  1116
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2384
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  492
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2976
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  1768
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  1468
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  204
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  804
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2300
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  808
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  240
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  2888
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  1772
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2776
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2252
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2540
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  844
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  2624
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  2572
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  604
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  2552
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  1408
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2812
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2416
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2412
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2276
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2212
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2632
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2744
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  112
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  3092
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  3176
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  3260
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  3340
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  3452
- net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  3536
  - net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3600
- net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  3648
  - net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3712
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  3756
  - net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y
    3820
- net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  3864
  - net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3932
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  3976
  - net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    4040
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  3088
  - net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    2480
- net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  3144
  - net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    3300
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  3428
  - net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3412
- net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  3480
  - net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3568
- net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  3540
  - net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    3744
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  1996
  - net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3852
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  3880
  - net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3928
- net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  4060
  - net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    2600
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  1936
  - net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    2796
- net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  1308
  - net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    2512
- net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  2616
  - net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    1552
- net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  3400
  - net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    2528
- net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  3616
  - net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    3688
- net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y
  3728
  - net1.exe C:\Windows\system32\net1 stop AcronisAgent /y
    2828
- net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  288
  - net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y
    4044
- net.exe "C:\Windows\System32\net.exe" stop Antivirus /y
  1124
  - net1.exe C:\Windows\system32\net1 stop Antivirus /y
    1928
- net.exe "C:\Windows\System32\net.exe" stop ARSM /y
  1692
  - net1.exe C:\Windows\system32\net1 stop ARSM /y
    3240
- net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  3380
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3360
- net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  3528
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3548
- net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  3660
  - net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3696
- net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  3996
  - net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y
    784
- net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  3132
  - net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y
    1740
- net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  3244
  - net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y
    3276
- net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  2756
  - net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    2844
- net.exe "C:\Windows\System32\net.exe" stop bedbg /y
  3948
  - net1.exe C:\Windows\system32\net1 stop bedbg /y
    2012
- net.exe "C:\Windows\System32\net.exe" stop DCAgent /y
  4088
  - net1.exe C:\Windows\system32\net1 stop DCAgent /y
    3032
- net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y
  3232
  - net1.exe C:\Windows\system32\net1 stop EPSecurityService /y
    3220
- net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y
  3640
  - net1.exe C:\Windows\system32\net1 stop EPUpdateService /y
    2652
- net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  4020
  - net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y
    3328
- net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y
  2800
  - net1.exe C:\Windows\system32\net1 stop EsgShKernel /y
    4004
- net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  2712
  - net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y
    3716
- net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y
  3732
  - net1.exe C:\Windows\system32\net1 stop IISAdmin /y
    1232
- net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  3912
  - net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y
    3768
- net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y
  3516
  - net1.exe C:\Windows\system32\net1 stop macmnsvc /y
    2208
- net.exe "C:\Windows\System32\net.exe" stop masvc /y
  4080
  - net1.exe C:\Windows\system32\net1 stop masvc /y
    1488
- net.exe "C:\Windows\System32\net.exe" stop MBAMService /y
  3424
  - net1.exe C:\Windows\system32\net1 stop MBAMService /y
    4104
- net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  4148
  - net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y
    4212
- net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  4256
  - net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y
    4320
- net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  4364
  - net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y
    4428
- net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  4472
  - net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    4536
- net.exe "C:\Windows\System32\net.exe" stop McShield /y
  4580
  - net1.exe C:\Windows\system32\net1 stop McShield /y
    4644
- net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y
  4688
  - net1.exe C:\Windows\system32\net1 stop McTaskManager /y
    4752
- net.exe "C:\Windows\System32\net.exe" stop mfemms /y
  4820
  - net1.exe C:\Windows\system32\net1 stop mfemms /y
    4884
- net.exe "C:\Windows\System32\net.exe" stop mfevtp /y
  4928
  - net1.exe C:\Windows\system32\net1 stop mfevtp /y
    4992
- net.exe "C:\Windows\System32\net.exe" stop MMS /y
  5036
  - net1.exe C:\Windows\system32\net1 stop MMS /y
    5100
- net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y
  556
  - net1.exe C:\Windows\system32\net1 stop mozyprobackup /y
    4228
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y
  1432
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer /y
    4316
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  4312
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y
    4504
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  4476
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y
    4676
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y
  4764
  - net1.exe C:\Windows\system32\net1 stop MSExchangeES /y
    4836
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  4912
  - net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y
    5008
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  4988
  - net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y
    5096
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeMTA /y
  5088
  - net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y
    4204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (44 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 8, 2021, 12:11 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 158 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "zoolz.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "agntsvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "dbeng50.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "dbsnmp.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "encsvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "excel.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "firefoxconfig.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "infopath.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "isqlplussvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:10 p.m.	buffer: ERROR: The process "msaccess.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "msftesql.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mspub.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mydesktopqos.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mydesktopservice.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mysqld.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mysqld-nt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mysqld-opt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "ocautoupds.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "ocomm.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "ocssd.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "onenote.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "oracle.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "outlook.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "powerpnt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "sqbcoreservice.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "sqlagent.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "sqlbrowser.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "sqlservr.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "sqlwriter.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "steam.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "synctime.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "tbirdconfig.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "thebat.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "thebat64.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "thunderbird.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "visio.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "winword.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "wordpad.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "xfssvccon.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "tmlisten.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "PccNTMon.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "CNTAoSMgr.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "Ntrtscan.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: ERROR: The process "mbamtray.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW April 8, 2021, 12:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 8, 2021, 12:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Executes one or more WMI queries (44 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlbrowser.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tbirdconfig.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-nt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocssd.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mbamtray.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocomm.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ntrtscan.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlwriter.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wordpad.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msaccess.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "synctime.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CNTAoSMgr.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefoxconfig.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msftesql.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-opt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "outlook.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbsnmp.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbeng50.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "xfssvccon.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "infopath.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "excel.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "oracle.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlservr.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "powerpnt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "onenote.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "isqlplussvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "steam.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "visio.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlagent.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agntsvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqbcoreservice.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tmlisten.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "zoolz.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopservice.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "encsvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PccNTMon.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocautoupds.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thunderbird.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat64.exe")

A process created a hidden window (50 out of 102 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM zoolz.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM agntsvc.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM dbeng50.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM dbsnmp.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM encsvc.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM excel.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM firefoxconfig.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM infopath.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM isqlplussvc.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM msaccess.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM msftesql.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mspub.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mydesktopqos.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mydesktopservice.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld-nt.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld-opt.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocautoupds.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocomm.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocssd.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM onenote.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM oracle.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM outlook.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM powerpnt.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqbcoreservice.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlagent.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlbrowser.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlservr.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlwriter.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM steam.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM synctime.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM tbirdconfig.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thebat.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thebat64.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thunderbird.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM visio.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM winword.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM wordpad.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM xfssvccon.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM tmlisten.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM PccNTMon.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM CNTAoSMgr.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM Ntrtscan.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mbamtray.exe /F filepath: taskkill	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Acronis VSS Provider" /y filepath: net	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Enterprise Client Service" /y filepath: net	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Agent" /y filepath: net	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos AutoUpdate Service" /y filepath: net	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Clean Service" /y filepath: net	1	1
ShellExecuteExW April 8, 2021, 12:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Device Control Service" /y filepath: net	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (44 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 8, 2021, 12:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (50 out of 205 events)

cmdline	"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
cmdline	"C:\Windows\System32\net.exe" stop IISAdmin /y
cmdline	taskkill /IM ocomm.exe /F
cmdline	taskkill /IM sqlwriter.exe /F
cmdline	"C:\Windows\System32\net.exe" stop MSExchangeIS /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
cmdline	taskkill /IM thunderbird.exe /F
cmdline	taskkill /IM powerpnt.exe /F
cmdline	net stop MsDtsServer100 /y
cmdline	net stop BackupExecAgentBrowser /y
cmdline	net stop "SQLsafe Filter Service" /y
cmdline	taskkill /IM steam.exe /F
cmdline	net stop MSExchangeMTA /y
cmdline	net stop "Veeam Backup Catalog Data Service" /y
cmdline	net stop EPSecurityService /y
cmdline	taskkill /IM outlook.exe /F
cmdline	net stop "Sophos File Scanner Service" /y
cmdline	"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
cmdline	taskkill /IM mydesktopservice.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
cmdline	net stop FA_Scheduler /y
cmdline	net stop "Sophos Agent" /y
cmdline	net stop McAfeeFrameworkMcAfeeFramework /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
cmdline	"C:\Windows\System32\net.exe" stop bedbg /y
cmdline	taskkill /IM msftesql.exe /F
cmdline	"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
cmdline	"C:\Windows\System32\net.exe" stop DCAgent /y
cmdline	net stop Antivirus /y
cmdline	net stop MsDtsServer /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
cmdline	taskkill /IM thebat.exe /F
cmdline	net stop MSExchangeIS /y
cmdline	net stop AcrSch2Svc /y
cmdline	net stop BackupExecJobEngine /y
cmdline	"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
cmdline	"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
cmdline	taskkill /IM mysqld-nt.exe /F
cmdline	"C:\Windows\System32\net.exe" stop McTaskManager /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
cmdline	net stop mfevtp /y
cmdline	net stop bedbg /y
cmdline	"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
cmdline	net stop macmnsvc /y
cmdline	net stop mfemms /y
cmdline	net stop BackupExecDeviceMediaService /y
cmdline	taskkill /IM tmlisten.exe /F
cmdline	net stop mozyprobackup /y

Deletes executed files from disk (1 event)

file

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	taskkill /IM mydesktopservice.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
ClamAV	Win.Ransomware.Ryuk-6688842-0
CAT-QuickHeal	Trojan.Generic
Qihoo-360	Win64/Ransom.Generic.H8oAChsA
McAfee	Ransom-Ryuk!8819D7F8069D
Cylance	Unsafe
Zillya	Trojan.Generic.Win32.644133
Sangfor	Win.Ransomware.Ryuk-6688842-0
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Ransom:Win32/Genasom.ali1000102
K7GW	Trojan ( 00553fc91 )
K7AntiVirus	Trojan ( 00553fc91 )
Arcabit	Trojan.Ransom.Ryuk.19
Cyren	W64/Ransom.Ryuk.A.gen!Eldorado
Symantec	Ransom.Hermes!gen2
ESET-NOD32	a variant of Win64/Filecoder.T
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Ransom.Ryuk.19
MicroWorld-eScan	Gen:Variant.Ransom.Ryuk.19
Avast	Win64:RansomX-gen [Ransom]
Rising	Ransom.Jabaxsta!1.B3AA (CLASSIC)
Ad-Aware	Gen:Variant.Ransom.Ryuk.19
Emsisoft	Gen:Variant.Ransom.Ryuk.19 (B)
DrWeb	Trojan.Inject4.9283
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win64.RYUK.SM
McAfee-GW-Edition	BehavesLike.Win64.RansomRyuk.ch
FireEye	Generic.mg.8819d7f8069d35e7
Sophos	ML/PE-A + Troj/Ransom-FAF
Ikarus	Trojan-Ransom.Ryuk
Jiangmin	Trojan.Generic.cpxqa
Avira	HEUR/AGEN.1110011
Gridinsoft	Ransom.Win64.AI.sa
Microsoft	Ransom:Win64/Jabaxsta.B
AegisLab	Trojan.Win32.Generic.4!c
GData	Win64.Trojan-Ransom.Ryuk.A
AhnLab-V3	Trojan/Win64.Ryukran.R234901
ALYac	Trojan.Ransom.Ryuk
MAX	malware (ai score=86)
Malwarebytes	Malware.AI.218522461
TrendMicro-HouseCall	Ransom.Win64.RYUK.SM
Tencent	Win32.Trojan.Generic.Dyzx
SentinelOne	Static AI - Malicious PE
Fortinet	W64/Ryuk.223E!tr.ransom
AVG	Win64:RansomX-gen [Ransom]
Cybereason	malicious.8069d3
MaxSecure	Trojan.Malware.300983.susgen

Practical3.ex_

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All