Summary | ZeroBOX

Practical3.exe

Antivirus
Category FILE
Machine s1_win7_x6402
Started March 21, 2021, 4:20 p.m.
Completed March 21, 2021, 4:22 p.m.
Size 171.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 8819d7f8069d35e71902025d801b44dd
SHA256 98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab
CRC32 C35E72EA
ssdeep 3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw
PDB Path C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Antivirus - Contains references to security software
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • escalate_priv - Escalade priviledges
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • IsPE64 - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check

IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
59.18.44.14 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49863 -> 216.58.200.3:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49992 -> 216.58.200.3:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:50033 -> 216.58.200.3:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 59.18.44.14:80 -> 192.168.56.102:49874 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 59.18.44.14:80 -> 192.168.56.102:49874 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 59.18.44.14:80 -> 192.168.56.102:49874 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.102:49863 -> 216.58.200.3:443  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com  Fingerprint: 3a:64:d0:6c:61:07:6b:6b:27:d2:ca:a4:29:2c:fe:46:60:2e:51:1c
TLS 1.2 192.168.56.102:49992 -> 216.58.200.3:443  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com  Fingerprint: 3a:64:d0:6c:61:07:6b:6b:27:d2:ca:a4:29:2c:fe:46:60:2e:51:1c
TLS 1.2 192.168.56.102:50033 -> 216.58.200.3:443  Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1  Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com  Fingerprint: 3a:64:d0:6c:61:07:6b:6b:27:d2:ca:a4:29:2c:fe:46:60:2e:51:1c

Time & API Arguments Status Return Repeated

GetComputerNameW (44 calls, identical arguments)  computer_name: TEST22-PC  1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "zoolz.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "agntsvc.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "dbeng50.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "dbsnmp.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "encsvc.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "excel.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "firefoxconfig.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "infopath.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "isqlplussvc.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "msaccess.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "msftesql.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mspub.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mydesktopqos.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mydesktopservice.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mysqld.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mysqld-nt.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mysqld-opt.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "ocautoupds.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "ocomm.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "ocssd.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "onenote.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "oracle.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "outlook.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "powerpnt.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "sqbcoreservice.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "sqlagent.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "sqlbrowser.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "sqlservr.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "sqlwriter.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "steam.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "synctime.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "tbirdconfig.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "thebat.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "thebat64.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x0000000000000007  buffer: SUCCESS: The process "thunderbird.exe" with PID 3960 has been terminated.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "visio.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "winword.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "wordpad.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "xfssvccon.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "tmlisten.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "PccNTMon.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "CNTAoSMgr.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "Ntrtscan.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: ERROR: The process "mbamtray.exe" not found.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: The service name is invalid.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: More help is available by typing NET HELPMSG 2185.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: The service name is invalid.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: More help is available by typing NET HELPMSG 2185.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: The service name is invalid.  1 1 0
WriteConsoleW  console_handle: 0x000000000000000b  buffer: More help is available by typing NET HELPMSG 2185.  1 1 0
pdb_path C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx  1 1 0
section .gfids
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3997491519&cup2hreq=46abe5d62d869d2508101903ff1ca53db88bdb8803d25d712e89899c3eeb344a
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request HEAD http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1616310975&mv=m&mvi=3&pl=18&shardbypass=yes
request GET http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1616310975&mv=m&mvi=3&pl=18&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:3997491519&cup2hreq=46abe5d62d869d2508101903ff1ca53db88bdb8803d25d712e89899c3eeb344a
request POST https://update.googleapis.com/service/update2
request POST https://update.googleapis.com/service/update2?cup2key=10:3997491519&cup2hreq=46abe5d62d869d2508101903ff1ca53db88bdb8803d25d712e89899c3eeb344a
request POST https://update.googleapis.com/service/update2
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tbirdconfig.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlbrowser.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-nt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocssd.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mbamtray.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocomm.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tmlisten.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ntrtscan.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlwriter.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wordpad.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msaccess.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "synctime.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CNTAoSMgr.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefoxconfig.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msftesql.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-opt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbsnmp.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbeng50.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "xfssvccon.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "infopath.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "excel.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "outlook.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqbcoreservice.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "powerpnt.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "onenote.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "isqlplussvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "steam.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "visio.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlagent.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agntsvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlservr.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "oracle.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "zoolz.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopservice.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "encsvc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PccNTMon.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocautoupds.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thunderbird.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat64.exe")
Time & API Arguments Status Return Repeated

ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM zoolz.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM agntsvc.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM dbeng50.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM dbsnmp.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM encsvc.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM excel.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM firefoxconfig.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM infopath.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM isqlplussvc.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM msaccess.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM msftesql.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mspub.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mydesktopqos.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mydesktopservice.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mysqld.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mysqld-nt.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mysqld-opt.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM ocautoupds.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM ocomm.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM ocssd.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM onenote.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM oracle.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM outlook.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM powerpnt.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM sqbcoreservice.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM sqlagent.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM sqlbrowser.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM sqlservr.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM sqlwriter.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM steam.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM synctime.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM tbirdconfig.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM thebat.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM thebat64.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM thunderbird.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM visio.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM winword.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM wordpad.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM xfssvccon.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM tmlisten.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM PccNTMon.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM CNTAoSMgr.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM Ntrtscan.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: taskkill  parameters: /IM mbamtray.exe /F  filepath: taskkill  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Acronis VSS Provider" /y  filepath: net  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Enterprise Client Service" /y  filepath: net  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Sophos Agent" /y  filepath: net  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Sophos AutoUpdate Service" /y  filepath: net  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Sophos Clean Service" /y  filepath: net  1 1 0
ShellExecuteExW  show_type: 0  filepath_r: net  parameters: stop "Sophos Device Control Service" /y  filepath: net  1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW (44 calls, identical arguments)  system_name:  privilege_name: SeDebugPrivilege  1 1 0
Yara rule descriptions
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • create_service - Create a windows service
  • network_udp_sock - Communications over UDP network
  • network_tcp_listen - Listen for incoming communication
  • network_p2p_win - Communications over P2P network
  • network_http - Communications over HTTP
  • network_dropper - File downloader/dropper
  • network_ftp - Communications over FTP
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • network_dga - Communication using dga
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • cred_local - Steal credential
  • sniff_audio - Record Audio
  • migrate_apc - APC queue tasks migration
  • spreading_file - Malware can spread east-west file
  • spreading_share - Malware can spread east-west using share drive
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerCheck__RemoteAPI - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
Time & API | Arguments | Status / Return / Repeated

NtTerminateProcess | status_code: 0x00000001; process_identifier: 3960; process_handle: 0x0000000000000174 | 0 0

NtTerminateProcess | status_code: 0x00000001; process_identifier: 3960; process_handle: 0x0000000000000174 | 1 0 0
cmdline net stop "SQLsafe Filter Service" /y
cmdline taskkill /IM ocomm.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
cmdline taskkill /IM thunderbird.exe /F
cmdline taskkill /IM powerpnt.exe /F
cmdline taskkill /IM steam.exe /F
cmdline net stop BackupExecAgentBrowser /y
cmdline net stop "Veeam Backup Catalog Data Service" /y
cmdline net stop EPSecurityService /y
cmdline taskkill /IM outlook.exe /F
cmdline "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
cmdline net stop "Sophos File Scanner Service" /y
cmdline "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
cmdline taskkill /IM mydesktopservice.exe /F
cmdline net stop FA_Scheduler /y
cmdline net stop "Sophos Agent" /y
cmdline "C:\Windows\System32\net.exe" stop bedbg /y
cmdline taskkill /IM msftesql.exe /F
cmdline "C:\Windows\System32\net.exe" stop EPUpdateService /y
cmdline "C:\Windows\System32\net.exe" stop DCAgent /y
cmdline net stop Antivirus /y
cmdline "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
cmdline taskkill /IM thebat.exe /F
cmdline net stop AcrSch2Svc /y
cmdline net stop BackupExecJobEngine /y
cmdline "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
cmdline "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
cmdline taskkill /IM mysqld-nt.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
cmdline net stop bedbg /y
cmdline "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
cmdline net stop macmnsvc /y
cmdline net stop BackupExecDeviceMediaService /y
cmdline taskkill /IM tmlisten.exe /F
cmdline C:\Windows\system32\net1 stop "Sophos Message Router" /y
cmdline "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
cmdline net stop "Acronis VSS Provider" /y
cmdline "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
cmdline taskkill /IM infopath.exe /F
cmdline taskkill /IM synctime.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
cmdline "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
cmdline "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
cmdline net stop ARSM /y
cmdline taskkill /IM excel.exe /F
cmdline net stop IISAdmin /y
cmdline net stop "Sophos MCS Client" /y
host 172.217.25.14
file
url https://check.torproject.org/api/ip
cmdline taskkill /IM mydesktopservice.exe /F
cmdline "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
Elastic malicious (high confidence)
ClamAV Win.Ransomware.Ryuk-6688842-0
ALYac Gen:Variant.Ransom.Ryuk.19
Malwarebytes Malware.AI.218522461
Zillya Trojan.Generic.Win32.644133
Sangfor Win.Ransomware.Ryuk-6688842-0
K7AntiVirus Trojan ( 00553fc91 )
K7GW Trojan ( 00553fc91 )
Cybereason malicious.8069d3
Arcabit Trojan.Ransom.Ryuk.19
Cyren W64/Ransom.Ryuk.A.gen!Eldorado
ESET-NOD32 a variant of Win64/Filecoder.T
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Ransom.Ryuk.19
MicroWorld-eScan Gen:Variant.Ransom.Ryuk.19
Avast Win64:RansomX-gen [Ransom]
Rising Ransom.Jabaxsta!1.B3AA (CLASSIC)
Ad-Aware Gen:Variant.Ransom.Ryuk.19
Sophos ML/PE-A + Troj/Ransom-FAF
F-Secure Heuristic.HEUR/AGEN.1110011
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.Win64.RYUK.SM
McAfee-GW-Edition Ransom-Ryuk!8819D7F8069D
FireEye Generic.mg.8819d7f8069d35e7
Emsisoft Gen:Variant.Ransom.Ryuk.19 (B)
Ikarus Trojan-Ransom.Ryuk
Jiangmin Trojan.Generic.cpxqa
Avira HEUR/AGEN.1110011
Microsoft Ransom:Win64/Jabaxsta.B
GData Win64.Trojan-Ransom.Ryuk.A
AhnLab-V3 Trojan/Win64.Ryukran.R234901
McAfee Ransom-Ryuk!8819D7F8069D
MAX malware (ai score=86)
Cylance Unsafe
TrendMicro-HouseCall Ransom.Win64.RYUK.SM
SentinelOne Static AI - Malicious PE
Fortinet W64/Ryuk.223E!tr.ransom
AVG Win64:RansomX-gen [Ransom]
CrowdStrike win/malicious_confidence_60% (D)
MaxSecure Trojan.Malware.121218.susgen