Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 30, 2021, 5:10 p.m.	March 30, 2021, 5:12 p.m.

Size	171.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8819d7f8069d35e71902025d801b44dd`
SHA256	`98ece6bcafa296326654db862140520afc19cfa0b4a76a5950deedb2618097ab`
CRC32	`C35E72EA`
ssdeep	`3072:b+hfiA0PJ/lmL4a17VnAy5jtZXDkIVT49RQwo:i4AK/lmkaFVz7QQw`
PDB Path	C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Antivirus - Contains references to security software inject_thread - Code injection with CreateRemoteThread in a remote process escalate_priv - Escalade priviledges win_token - Affect system token win_files_operation - Affect private profile IsPE64 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

Practical3.exe "C:\Users\test22\AppData\Local\Temp\Practical3.exe"
1868
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM zoolz.exe /F
  2800
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM agntsvc.exe /F
  668
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbeng50.exe /F
  888
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM dbsnmp.exe /F
  1240
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM encsvc.exe /F
  2212
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM excel.exe /F
  1348
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM firefoxconfig.exe /F
  2744
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM infopath.exe /F
  1120
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM isqlplussvc.exe /F
  1108
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msaccess.exe /F
  1596
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
  2720
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mspub.exe /F
  1892
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopqos.exe /F
  2064
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F
  108
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld.exe /F
  2648
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-nt.exe /F
  1884
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
  3020
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
  2252
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocomm.exe /F
  2412
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
  2888
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM onenote.exe /F
  1828
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM oracle.exe /F
  2092
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM outlook.exe /F
  2120
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM powerpnt.exe /F
  2388
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqbcoreservice.exe /F
  2852
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlagent.exe /F
  2772
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlbrowser.exe /F
  1116
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlservr.exe /F
  1744
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM sqlwriter.exe /F
  2408
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM steam.exe /F
  1760
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM synctime.exe /F
  2080
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tbirdconfig.exe /F
  2128
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
  2540
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thebat64.exe /F
  2776
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM thunderbird.exe /F
  2608
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM visio.exe /F
  2340
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM winword.exe /F
  2192
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM wordpad.exe /F
  2432
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
  916
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM tmlisten.exe /F
  2696
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM PccNTMon.exe /F
  2988
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM CNTAoSMgr.exe /F
  3092
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
  3200
- taskkill.exe "C:\Windows\System32\taskkill.exe" /IM mbamtray.exe /F
  3284
- net.exe "C:\Windows\System32\net.exe" stop "Acronis VSS Provider" /y
  3368
  - net1.exe C:\Windows\system32\net1 stop "Acronis VSS Provider" /y
    3432
- net.exe "C:\Windows\System32\net.exe" stop "Enterprise Client Service" /y
  3476
  - net1.exe C:\Windows\system32\net1 stop "Enterprise Client Service" /y
    3540
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Agent" /y
  3592
  - net1.exe C:\Windows\system32\net1 stop "Sophos Agent" /y
    3656
- net.exe "C:\Windows\System32\net.exe" stop "Sophos AutoUpdate Service" /y
  3700
  - net1.exe C:\Windows\system32\net1 stop "Sophos AutoUpdate Service" /y
    3764
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Clean Service" /y
  3844
  - net1.exe C:\Windows\system32\net1 stop "Sophos Clean Service" /y
    3908
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
  3960
  - net1.exe C:\Windows\system32\net1 stop "Sophos Device Control Service" /y
    4024
- net.exe "C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
  4068
  - net1.exe C:\Windows\system32\net1 stop "Sophos File Scanner Service" /y
    652
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Health Service" /y
  3180
  - net1.exe C:\Windows\system32\net1 stop "Sophos Health Service" /y
    3228
- net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Agent" /y
  3244
  - net1.exe C:\Windows\system32\net1 stop "Sophos MCS Agent" /y
    3352
- net.exe "C:\Windows\System32\net.exe" stop "Sophos MCS Client" /y
  3444
  - net1.exe C:\Windows\system32\net1 stop "Sophos MCS Client" /y
    2616
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Message Router" /y
  3560
  - net1.exe C:\Windows\system32\net1 stop "Sophos Message Router" /y
    3604
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Safestore Service" /y
  3720
  - net1.exe C:\Windows\system32\net1 stop "Sophos Safestore Service" /y
    3760
- net.exe "C:\Windows\System32\net.exe" stop "Sophos System Protection Service" /y
  2592
  - net1.exe C:\Windows\system32\net1 stop "Sophos System Protection Service" /y
    3864
- net.exe "C:\Windows\System32\net.exe" stop "Sophos Web Control Service" /y
  3912
  - net1.exe C:\Windows\system32\net1 stop "Sophos Web Control Service" /y
    1344
- net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Backup Service" /y
  3976
  - net1.exe C:\Windows\system32\net1 stop "SQLsafe Backup Service" /y
    3964
- net.exe "C:\Windows\System32\net.exe" stop "SQLsafe Filter Service" /y
  3088
  - net1.exe C:\Windows\system32\net1 stop "SQLsafe Filter Service" /y
    3080
- net.exe "C:\Windows\System32\net.exe" stop "Symantec System Recovery" /y
  3272
  - net1.exe C:\Windows\system32\net1 stop "Symantec System Recovery" /y
    3360
- net.exe "C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
  3344
  - net1.exe C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service" /y
    2828
- net.exe "C:\Windows\System32\net.exe" stop AcronisAgent /y
  2600
  - net1.exe C:\Windows\system32\net1 stop AcronisAgent /y
    3552
- net.exe "C:\Windows\System32\net.exe" stop AcrSch2Svc /y
  3776
  - net1.exe C:\Windows\system32\net1 stop AcrSch2Svc /y
    3716
- net.exe "C:\Windows\System32\net.exe" stop Antivirus /y
  3804
  - net1.exe C:\Windows\system32\net1 stop Antivirus /y
    2036
- net.exe "C:\Windows\System32\net.exe" stop ARSM /y
  2700
  - net1.exe C:\Windows\system32\net1 stop ARSM /y
    604
- net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentAccelerator /y
  3104
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3184
- net.exe "C:\Windows\System32\net.exe" stop BackupExecAgentBrowser /y
  3400
  - net1.exe C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3460
- net.exe "C:\Windows\System32\net.exe" stop BackupExecDeviceMediaService /y
  2536
  - net1.exe C:\Windows\system32\net1 stop BackupExecDeviceMediaService /y
    3740
- net.exe "C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
  3812
  - net1.exe C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3920
- net.exe "C:\Windows\System32\net.exe" stop BackupExecManagementService /y
  2512
  - net1.exe C:\Windows\system32\net1 stop BackupExecManagementService /y
    3084
- net.exe "C:\Windows\System32\net.exe" stop BackupExecRPCService /y
  2752
  - net1.exe C:\Windows\system32\net1 stop BackupExecRPCService /y
    2756
- net.exe "C:\Windows\System32\net.exe" stop BackupExecVSSProvider /y
  1520
  - net1.exe C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    2920
- net.exe "C:\Windows\System32\net.exe" stop bedbg /y
  3728
  - net1.exe C:\Windows\system32\net1 stop bedbg /y
    3624
- net.exe "C:\Windows\System32\net.exe" stop DCAgent /y
  3928
  - net1.exe C:\Windows\system32\net1 stop DCAgent /y
    1208
- net.exe "C:\Windows\System32\net.exe" stop EPSecurityService /y
  2088
  - net1.exe C:\Windows\system32\net1 stop EPSecurityService /y
    3504
- net.exe "C:\Windows\System32\net.exe" stop EPUpdateService /y
  3076
  - net1.exe C:\Windows\system32\net1 stop EPUpdateService /y
    3784
- net.exe "C:\Windows\System32\net.exe" stop EraserSvc11710 /y
  1064
  - net1.exe C:\Windows\system32\net1 stop EraserSvc11710 /y
    3904
- net.exe "C:\Windows\System32\net.exe" stop EsgShKernel /y
  1272
  - net1.exe C:\Windows\system32\net1 stop EsgShKernel /y
    3520
- net.exe "C:\Windows\System32\net.exe" stop FA_Scheduler /y
  3528
  - net1.exe C:\Windows\system32\net1 stop FA_Scheduler /y
    196
- net.exe "C:\Windows\System32\net.exe" stop IISAdmin /y
  3536
  - net1.exe C:\Windows\system32\net1 stop IISAdmin /y
    3820
- net.exe "C:\Windows\System32\net.exe" stop IMAP4Svc /y
  996
  - net1.exe C:\Windows\system32\net1 stop IMAP4Svc /y
    2604
- net.exe "C:\Windows\System32\net.exe" stop macmnsvc /y
  4052
  - net1.exe C:\Windows\system32\net1 stop macmnsvc /y
    232
- net.exe "C:\Windows\System32\net.exe" stop masvc /y
  3480
  - net1.exe C:\Windows\system32\net1 stop masvc /y
    3188
- net.exe "C:\Windows\System32\net.exe" stop MBAMService /y
  1720
  - net1.exe C:\Windows\system32\net1 stop MBAMService /y
    4056
- net.exe "C:\Windows\System32\net.exe" stop MBEndpointAgent /y
  4136
  - net1.exe C:\Windows\system32\net1 stop MBEndpointAgent /y
    4200
- net.exe "C:\Windows\System32\net.exe" stop McAfeeEngineService /y
  4244
  - net1.exe C:\Windows\system32\net1 stop McAfeeEngineService /y
    4308
- net.exe "C:\Windows\System32\net.exe" stop McAfeeFramework /y
  4352
  - net1.exe C:\Windows\system32\net1 stop McAfeeFramework /y
    4416
- net.exe "C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
  4460
  - net1.exe C:\Windows\system32\net1 stop McAfeeFrameworkMcAfeeFramework /y
    4524
- net.exe "C:\Windows\System32\net.exe" stop McShield /y
  4592
  - net1.exe C:\Windows\system32\net1 stop McShield /y
    4656
- net.exe "C:\Windows\System32\net.exe" stop McTaskManager /y
  4700
  - net1.exe C:\Windows\system32\net1 stop McTaskManager /y
    4764
- net.exe "C:\Windows\System32\net.exe" stop mfemms /y
  4808
  - net1.exe C:\Windows\system32\net1 stop mfemms /y
    4872
- net.exe "C:\Windows\System32\net.exe" stop mfevtp /y
  4916
  - net1.exe C:\Windows\system32\net1 stop mfevtp /y
    4980
- net.exe "C:\Windows\System32\net.exe" stop MMS /y
  5028
  - net1.exe C:\Windows\system32\net1 stop MMS /y
    5092
- net.exe "C:\Windows\System32\net.exe" stop mozyprobackup /y
  4124
  - net1.exe C:\Windows\system32\net1 stop mozyprobackup /y
    4216
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer /y
  4172
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer /y
    4292
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer100 /y
  4420
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer100 /y
    4552
- net.exe "C:\Windows\System32\net.exe" stop MsDtsServer110 /y
  4572
  - net1.exe C:\Windows\system32\net1 stop MsDtsServer110 /y
    4696
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeES /y
  4732
  - net1.exe C:\Windows\system32\net1 stop MSExchangeES /y
    4828
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeIS /y
  4904
  - net1.exe C:\Windows\system32\net1 stop MSExchangeIS /y
    4996
- net.exe "C:\Windows\System32\net.exe" stop MSExchangeMGMT /y
  4976
  - net1.exe C:\Windows\system32\net1 stop MSExchangeMGMT /y
    5064

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (44 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 30, 2021, 5:11 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 156 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "zoolz.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "agntsvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "dbeng50.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "dbsnmp.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "encsvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "excel.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "firefoxconfig.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "infopath.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "isqlplussvc.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "msaccess.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "msftesql.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mspub.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mydesktopqos.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mydesktopservice.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mysqld.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mysqld-nt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "mysqld-opt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:10 p.m.	buffer: ERROR: The process "ocautoupds.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "ocomm.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "ocssd.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "onenote.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "oracle.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "outlook.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "powerpnt.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "sqbcoreservice.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "sqlagent.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "sqlbrowser.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "sqlservr.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "sqlwriter.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "steam.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "synctime.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "tbirdconfig.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "thebat.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "thebat64.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "thunderbird.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "visio.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "winword.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "wordpad.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "xfssvccon.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "tmlisten.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "PccNTMon.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "CNTAoSMgr.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "Ntrtscan.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: ERROR: The process "mbamtray.exe" not found. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 30, 2021, 5:11 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 30, 2021, 5:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Executes one or more WMI queries (44 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tbirdconfig.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocssd.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-nt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mbamtray.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocomm.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Ntrtscan.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlwriter.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "encsvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wordpad.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "synctime.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CNTAoSMgr.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefoxconfig.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msftesql.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld-opt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "outlook.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbsnmp.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dbeng50.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "xfssvccon.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "infopath.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "excel.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tmlisten.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqbcoreservice.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "powerpnt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msaccess.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "onenote.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "isqlplussvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "steam.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "visio.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlagent.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agntsvc.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlservr.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "oracle.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "zoolz.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mysqld.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopservice.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlbrowser.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PccNTMon.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ocautoupds.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thunderbird.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "thebat64.exe")

A process created a hidden window (50 out of 101 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM zoolz.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM agntsvc.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM dbeng50.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM dbsnmp.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM encsvc.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM excel.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM firefoxconfig.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM infopath.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM isqlplussvc.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM msaccess.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM msftesql.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mspub.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mydesktopqos.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mydesktopservice.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld-nt.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mysqld-opt.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocautoupds.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocomm.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM ocssd.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM onenote.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM oracle.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM outlook.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM powerpnt.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqbcoreservice.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlagent.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlbrowser.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlservr.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:10 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM sqlwriter.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM steam.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM synctime.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM tbirdconfig.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thebat.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thebat64.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM thunderbird.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM visio.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM winword.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM wordpad.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM xfssvccon.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM tmlisten.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM PccNTMon.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM CNTAoSMgr.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM Ntrtscan.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: taskkill parameters: /IM mbamtray.exe /F filepath: taskkill	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Acronis VSS Provider" /y filepath: net	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Enterprise Client Service" /y filepath: net	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Agent" /y filepath: net	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos AutoUpdate Service" /y filepath: net	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Clean Service" /y filepath: net	1	1
ShellExecuteExW March 30, 2021, 5:11 p.m.	show_type: 0 filepath_r: net parameters: stop "Sophos Device Control Service" /y filepath: net	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (44 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 30, 2021, 5:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (50 out of 203 events)

cmdline	"C:\Windows\System32\net.exe" stop McAfeeFrameworkMcAfeeFramework /y
cmdline	taskkill /IM ocomm.exe /F
cmdline	taskkill /IM sqlwriter.exe /F
cmdline	"C:\Windows\System32\net.exe" stop MSExchangeIS /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM ocssd.exe /F
cmdline	taskkill /IM thunderbird.exe /F
cmdline	taskkill /IM powerpnt.exe /F
cmdline	net stop MsDtsServer100 /y
cmdline	net stop BackupExecAgentBrowser /y
cmdline	net stop "SQLsafe Filter Service" /y
cmdline	taskkill /IM steam.exe /F
cmdline	net stop "Veeam Backup Catalog Data Service" /y
cmdline	net stop EPSecurityService /y
cmdline	taskkill /IM outlook.exe /F
cmdline	net stop "Sophos File Scanner Service" /y
cmdline	"C:\Windows\System32\net.exe" stop "Sophos File Scanner Service" /y
cmdline	taskkill /IM mydesktopservice.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM thebat.exe /F
cmdline	net stop FA_Scheduler /y
cmdline	net stop "Sophos Agent" /y
cmdline	net stop McAfeeFrameworkMcAfeeFramework /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM Ntrtscan.exe /F
cmdline	"C:\Windows\System32\net.exe" stop bedbg /y
cmdline	taskkill /IM msftesql.exe /F
cmdline	"C:\Windows\System32\net.exe" stop BackupExecJobEngine /y
cmdline	"C:\Windows\System32\net.exe" stop DCAgent /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM ocautoupds.exe /F
cmdline	net stop MsDtsServer /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM msftesql.exe /F
cmdline	taskkill /IM thebat.exe /F
cmdline	net stop MSExchangeIS /y
cmdline	net stop AcrSch2Svc /y
cmdline	net stop BackupExecJobEngine /y
cmdline	"C:\Windows\System32\net.exe" stop MBEndpointAgent /y
cmdline	"C:\Windows\System32\net.exe" stop "Veeam Backup Catalog Data Service" /y
cmdline	taskkill /IM mysqld-nt.exe /F
cmdline	"C:\Windows\System32\net.exe" stop McTaskManager /y
cmdline	"C:\Windows\System32\taskkill.exe" /IM xfssvccon.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM mysqld-opt.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM visio.exe /F
cmdline	taskkill /IM sqbcoreservice.exe /F
cmdline	net stop bedbg /y
cmdline	"C:\Windows\System32\net.exe" stop "Sophos Device Control Service" /y
cmdline	net stop macmnsvc /y
cmdline	net stop mfemms /y
cmdline	net stop BackupExecDeviceMediaService /y
cmdline	taskkill /IM tmlisten.exe /F
cmdline	net stop mozyprobackup /y
cmdline	"C:\Windows\System32\net.exe" stop mfevtp /y
cmdline	net stop IMAP4Svc /y

Deletes executed files from disk (1 event)

file

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	taskkill /IM mydesktopservice.exe /F
cmdline	"C:\Windows\System32\taskkill.exe" /IM mydesktopservice.exe /F

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ransom.Ryuk.19
Qihoo-360	Win64/Ransom.Generic.H8oAChsA
ALYac	Gen:Variant.Ransom.Ryuk.19
Malwarebytes	Malware.AI.218522461
Zillya	Trojan.Generic.Win32.644133
Sangfor	Win.Ransomware.Ryuk-6688842-0
CrowdStrike	win/malicious_confidence_90% (W)
Alibaba	Ransom:Win32/Genasom.ali1000102
K7GW	Trojan ( 00553fc91 )
K7AntiVirus	Trojan ( 00553fc91 )
Cyren	W64/Ransom.Ryuk.A.gen!Eldorado
ESET-NOD32	a variant of Win64/Filecoder.T
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Ransomware.Ryuk-6688842-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Ransom.Ryuk.19
Avast	Win64:RansomX-gen [Ransom]
Rising	Ransom.Jabaxsta!1.B3AA (CLOUD)
Ad-Aware	Gen:Variant.Ransom.Ryuk.19
Emsisoft	Gen:Variant.Ransom.Ryuk.19 (B)
DrWeb	Trojan.Inject4.9283
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win64.RYUK.SM
McAfee-GW-Edition	Ransom-Ryuk!8819D7F8069D
FireEye	Generic.mg.8819d7f8069d35e7
Sophos	ML/PE-A + Troj/Ransom-FAF
SentinelOne	Static AI - Malicious PE
GData	Win64.Trojan-Ransom.Ryuk.A
Jiangmin	Trojan.Generic.cpxqa
Avira	HEUR/AGEN.1110011
MAX	malware (ai score=86)
Gridinsoft	Ransom.Win64.AI.sa
Arcabit	Trojan.Ransom.Ryuk.19
AegisLab	Trojan.Win32.Generic.4!c
Microsoft	Ransom:Win64/Jabaxsta.B
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win64.Ryukran.R234901
McAfee	Ransom-Ryuk!8819D7F8069D
Cylance	Unsafe
TrendMicro-HouseCall	Ransom.Win64.RYUK.SM
Yandex	Trojan.GenAsa!IN2Q8puX4gM
Ikarus	Trojan-Ransom.Ryuk
Fortinet	W64/Ryuk.223E!tr.ransom
AVG	Win64:RansomX-gen [Ransom]
Cybereason	malicious.8069d3
MaxSecure	Trojan.Malware.121218.susgen

Practical3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All