Malwarebytes
This Integration is part of the ThreatDown Pack.#
Overview#
Scan and remediate threats on endpoints managed by ThreatDown | Nebula. This integration was integrated and tested with ThreatDown | Nebula.
ThreatDown (powered by Malwarebytes) Playbook#
- Malwarebytes - Scan & Remediate Endpoint
- Malwarebytes - Isolate Endpoint
Use Cases#
- Trigger ThreatDown Scans and Remediation as part of Cortex XSOAR Playbook.
- Trigger ThreatDown EDR Advanced Capabilities as part of a Cortex XSOAR Playbook.
- Create Cortex XSOAR incidents based on threats detected by ThreatDown.
Configure ThreatDown (powered by Malwarebytes) on Cortex XSOAR#
This integration collects your e-mail address and company name for ThreatDown usage analytics if you provide them in the instance configuration.
- Navigate to Settings > Integrations > Servers & Services.
- Search for ThreatDown.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Account ID
- Client ID
- Client Secret
- Fetch incidents
- Incident type
- Fetch Event List
- RTP Detections Threat Category
- Suspicious Activity Severity
- Trust any certificate (not secure)
- Use system proxy settings
- Company Name
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data#
The fetch-incidents function is called by Cortex XSOAR on its fetch interval (every minute by default) to import new incidents; it runs only when the Fetch incidents parameter is enabled on the instance.
The integration fetches the following ThreatDown objects as Cortex XSOAR incidents:
- Real-time protection (RTP) detections
- Suspicious Activity detections
Filtering is done on the integration instance: the RTP Detections Threat Category and Suspicious Activity Severity parameters limit which detections are fetched.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- malwarebytes-scan-and-remediate
- malwarebytes-scan-and-report
- malwarebytes-isolate-endpoint
- malwarebytes-isolate-process
- malwarebytes-isolate-desktop
- malwarebytes-isolate-network
- malwarebytes-deisolate-endpoint
- malwarebytes-list-endpoints
- malwarebytes-list-endpoint-info
- malwarebytes-get-scan-detections
- malwarebytes-get-job-status
- malwarebytes-open-sa-incident
- malwarebytes-remediate-sa-incident
- malwarebytes-close-sa-incident
- malwarebytes-get-sa-activities
1. malwarebytes-scan-and-remediate#
Initiate Scan and Remediate action on an endpoint based on IP or Hostname.
Base Command#
malwarebytes-scan-and-remediate
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-scan-and-remediate hostname=DESKTOP-LI4MQ7B
Context Example#
Human Readable Output#
Scan and Remediate action has been successfully started on the Endpoint: DESKTOP-LI4MQ7B with the job_id: 964776a3-9cd8-45a2-9c56-59f692f42cc6. Use job_id in malwarebytes-get-job-status command to check status and malwarebytes-get-scan-detections command to view results
2. malwarebytes-scan-and-report#
Initiate Scan and report action on an endpoint based on IP or Hostname.
Base Command#
malwarebytes-scan-and-report
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-scan-and-report hostname=TA-AZ-CLT1
Context Example#
Human Readable Output#
Scan and Report action has been successfully started on the Endpoint: TA-AZ-CLT1 with the job_id: 88c6de27-d7d2-45da-a0b9-239a774afe50. Use job_id in malwarebytes-get-job-status command to check status and malwarebytes-get-scan-detections command to view results
3. malwarebytes-isolate-endpoint#
Initiate an isolation action on an endpoint identified by hostname or IP. This action applies process, network and desktop isolation together.
Base Command#
malwarebytes-isolate-endpoint
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-isolate-endpoint hostname=DESKTOP-LI4MQ7B
Context Example#
Human Readable Output#
Isolation action has been successfully started on the Endpoint: DESKTOP-LI4MQ7B with the job_id: c133caaf-2c1c-4c54-86b5-b45354608e4d. Use job_id in malwarebytes-get-job-status command to view results
4. malwarebytes-isolate-process#
Initiate Process Isolation action on an endpoint based on IP or Hostname.
Base Command#
malwarebytes-isolate-process
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-isolate-process hostname=DESKTOP-LI4MQ7B
Context Example#
Human Readable Output#
Process Isolation action has been successfully started on the Endpoint: DESKTOP-LI4MQ7B with the job_id: 72708102-465f-4a3e-8be5-de93cdae6cad. Use job_id in malwarebytes-get-job-status command to view results
5. malwarebytes-isolate-desktop#
Initiate Desktop Isolation action on an endpoint based on IP or Hostname.
Base Command#
malwarebytes-isolate-desktop
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-isolate-desktop hostname=TA-AZ-CLT1
Context Example#
Human Readable Output#
Desktop Isolation action has been successfully started on the Endpoint: TA-AZ-CLT1 with the job_id: 6b0d17b7-bb5b-4314-a841-f25ae93c6a8e. Use job_id in malwarebytes-get-job-status command to view results
6. malwarebytes-isolate-network#
Initiate Network Isolation action on an endpoint based on IP or Hostname.
Base Command#
malwarebytes-isolate-network
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-isolate-network hostname=TA-AZ-CLT1
Context Example#
Human Readable Output#
Network Isolation action has been successfully started on the Endpoint: TA-AZ-CLT1 with the job_id: cc92a1f4-7253-415d-a743-64f0ea7afb65. Use job_id in malwarebytes-get-job-status command to view results
7. malwarebytes-deisolate-endpoint#
Initiate a deisolation action on an endpoint identified by hostname or IP. This action lifts process, network and desktop isolation together.
Base Command#
malwarebytes-deisolate-endpoint
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Machine_ID | string | Endpoint ID of the host |
| Malwarebytes.Scan.Job_ID | string | Job ID of the scanned host |
Command Example#
!malwarebytes-deisolate-endpoint hostname=TA-AZ-CLT1
Context Example#
Human Readable Output#
Deisolation action has been successfully started on the Endpoint: TA-AZ-CLT1 with the job_id: 8dab60e1-e6d8-47c3-b321-0a74de329d20. Use job_id in malwarebytes-get-job-status command to view results
8. malwarebytes-list-endpoints#
List all/online/offline endpoints available in the Malwarebytes Cloud.
Base Command#
malwarebytes-list-endpoints
Input#
| Argument Name | Description | Required |
|---|---|---|
| endpoints | Enter value 'all' to get all endpoints and value 'online' or 'offline' to get online/offline endpoints. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Endpoint.total_count | int | total count of all/online/offline endpoints. |
Command Example#
!malwarebytes-list-endpoints endpoints=all
Context Example#
Human Readable Output#
Found all 5 Endpoints from Malwarebytes Cloud#
| created_at | id | last_seen_at | name | online | os_architecture | os_platform | os_release_name |
|---|---|---|---|---|---|---|---|
| 2020-02-05T10:12:55.187467Z | 017febb6-ae68-4c15-9918-d911c72d062a | 2020-04-16T14:05:41.668409Z | TA-AZ-CLT1 | false | AMD64 | WINDOWS | Microsoft Windows 10 Pro |
| 2020-03-31T08:42:14.319976Z | 1d711cdc-6c6c-4457-927f-2528ecc857a0 | 2020-04-15T08:50:42.737922Z | EC2AMAZ-KK7M02P | false | AMD64 | WINDOWS | Microsoft Windows Server 2019 Datacenter |
| 2020-02-05T09:50:02.194556Z | 211d8c3e-142c-4849-b1f0-1680b4bd239c | 2020-04-22T09:07:41.206037Z | DESKTOP-LI4MQ7B | true | AMD64 | WINDOWS | Microsoft Windows 10 Enterprise |
| 2019-11-25T19:47:15.833008Z | b5740188-00a2-434b-a180-5b0fa85cb10b | 2020-04-21T18:17:43.064707Z | DESKTOP-91UJNA1 | false | AMD64 | WINDOWS | Microsoft Windows 10 Pro |
| 2019-10-18T09:26:26.993555Z | 5074ade3-5716-44d8-83c7-5985379c0399 | 2020-04-22T09:32:25.813131Z | DESKTOP-664HFM6 | true | AMD64 | WINDOWS | Microsoft Windows 10 Pro |
9. malwarebytes-list-endpoint-info#
Lists more granular information about an endpoint.
Base Command#
malwarebytes-list-endpoint-info
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of an endpoint in Malwarebytes Cloud. | Optional |
| ip | IP of an endpoint in Malwarebytes Cloud. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Endpoint.Assets | string | Asset information of the endpoint. |
| Malwarebytes.Endpoint.Hostname | string | The hostname that is mapped to this endpoint. |
| Malwarebytes.Endpoint.IPAddress | string | The IP address of the endpoint. |
| Malwarebytes.Endpoint.Domain | string | The domain of the endpoint. |
| Malwarebytes.Endpoint.MACAddress | string | The MAC address of the endpoint. |
| Malwarebytes.Endpoint.OS | string | Endpoint OS. |
| Malwarebytes.Endpoint.OSVersion | string | OS version. |
| Malwarebytes.Endpoint.Model | string | The model of the machine or device. |
| Malwarebytes.Endpoint.Memory | int | Memory on this endpoint. |
| Endpoint.Hostname | string | The hostname that is mapped to this endpoint. |
| Endpoint.IPAddress | string | The IP address of the endpoint. |
| Endpoint.Domain | string | The domain of the endpoint. |
| Endpoint.MACAddress | string | The MAC address of the endpoint. |
| Endpoint.OS | string | Endpoint OS. |
| Endpoint.OSVersion | string | OS version. |
| Endpoint.Model | string | The model of the machine or device. |
| Endpoint.Memory | int | Memory on this endpoint. |
Command Example#
!malwarebytes-list-endpoint-info hostname=TA-AZ-CLT1
Context Example#
Human Readable Output#
Endpoint Information for the Hostname: TA-AZ-CLT1#
| Field | Value |
|---|---|
| computer_info | manufacturer: Microsoft Corporation model: Virtual Machine |
| culture | en-US |
| dhcp_scope_name | (empty in this output) |
| domain_name | (empty in this output) |
| drives | {'freespace_available': 124591616000, 'volume_label': 'Windows', 'drive_format': 'NTFS', 'freespace_total': 124591616000, 'name': 'C:\', 'total_size': 135838822400}, {'freespace_available': 7477661696, 'volume_label': 'Temporary Storage', 'drive_format': 'NTFS', 'freespace_total': 7477661696, 'name': 'D:\', 'total_size': 8588816384} |
| fully_qualified_host_name | TA-AZ-CLT1 |
| host_name | TA-AZ-CLT1 |
| memory | total_virtual: 5368094720 free_virtual: 2920792064 total_physical: 4294967296 free_physical: 1683750912 |
| nics | {'mac_address': '000D3A0AFEC2', 'description': 'Microsoft Hyper-V Network Adapter', 'ips': ['10.0.0.11']} |
| object_guid | (empty in this output) |
| object_sid | (empty in this output) |
| os_info | os_platform: Windows os_architecture: Amd64 os_version: 10.0.17763 os_release_name: Microsoft Windows 10 Pro os_type: Workstation |
| plugin_version | 1.2.0.330 |
| software_installed | {'vendor': 'Google LLC', 'product': 'Google Chrome', 'installed_date': '2020-02-05T00:00:00Z', 'version': '80.0.3987.87'}, {'vendor': 'Malwarebytes', 'product': 'Malwarebytes Endpoint Agent', 'installed_date': '2020-02-05T00:00:00Z', 'version': '1.2.0.0'} |
| startups | {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'name': 'Shell', 'value': 'explorer.exe'}, {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'name': 'System', 'value': ''}, {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'name': 'Taskman', 'value': ''}, {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'name': 'Userinit', 'value': 'C:\windows\system32\userinit.exe,'}, {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'name': 'SecurityHealth', 'value': 'C:\windows\system32\SecurityHealthSystray.exe'}, {'key': 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad', 'name': 'WebCheck', 'value': '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'}, {'key': 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa', 'name': 'Authentication Packages'}, {'key': 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa', 'name': 'Notification Packages'}, {'key': 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa', 'name': 'Security Packages'}, {'key': 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders', 'name': 'SecurityProviders', 'value': 'credssp.dll'} |
| time_zone | Etc/GMT |
| updates_installed | (empty in this output) |
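The startups field in this output lists autostart locations that malware routinely abuses for persistence (Winlogon Shell and Userinit, LSA package lists, SecurityProviders, the Run key). The following Python is an added example, not part of the integration: it compares the reported startup entries with a baseline of Windows defaults and flags anything extra. The baseline values (msv1_0 for Authentication Packages, scecli for Notification Packages, credssp.dll for SecurityProviders, and so on) are assumptions for a standalone Windows 10 workstation and must be adjusted for domain controllers or hosts with third-party SSPs or credential providers; the rogue Userinit entry is constructed so the check has something to flag. Entries the agent reports without a value (the three LSA keys above) are surfaced as informational findings rather than silently passed.

```python
"""Added example (not part of the ThreatDown integration): check the startups
list returned by malwarebytes-list-endpoint-info against a baseline of Windows
autostart defaults and flag persistence candidates."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SECPROV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"

# The startups entries exactly as reported for TA-AZ-CLT1 on this page.
PAGE_STARTUPS = [
    {"key": WINLOGON, "name": "Shell", "value": "explorer.exe"},
    {"key": WINLOGON, "name": "System", "value": ""},
    {"key": WINLOGON, "name": "Taskman", "value": ""},
    {"key": WINLOGON, "name": "Userinit", "value": r"C:\windows\system32\userinit.exe,"},
    {"key": RUN, "name": "SecurityHealth", "value": r"C:\windows\system32\SecurityHealthSystray.exe"},
    {"key": SSODL, "name": "WebCheck", "value": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"},
    {"key": LSA, "name": "Authentication Packages"},
    {"key": LSA, "name": "Notification Packages"},
    {"key": LSA, "name": "Security Packages"},
    {"key": SECPROV, "name": "SecurityProviders", "value": "credssp.dll"},
]

# Constructed rogue entry: appending a second binary to Userinit is a classic
# persistence technique, so this is what the check must catch.
ROGUE_USERINIT = {"key": WINLOGON, "name": "Userinit",
                  "value": r"C:\windows\system32\userinit.exe,C:\Users\Public\svc.exe"}

# Assumed defaults for a standalone Windows 10 workstation; tokens are compared
# lower-cased. Adjust for domain controllers or third-party SSPs/credential providers.
BASELINE = {
    (WINLOGON, "shell"): {"explorer.exe"},
    (WINLOGON, "userinit"): {r"c:\windows\system32\userinit.exe"},
    (WINLOGON, "system"): set(),
    (WINLOGON, "taskman"): set(),
    (SSODL, "webcheck"): {"{e6fb5e20-de35-11cf-9c87-00aa005127ed}"},
    (LSA, "authentication packages"): {"msv1_0"},
    (LSA, "notification packages"): {"scecli", "rassfm"},
    (LSA, "security packages"): {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"},
    (SECPROV, "securityproviders"): {"credssp.dll"},
}
# Run-key values expected on this build (assumption; extend per image).
RUN_ALLOWLIST = {r"c:\windows\system32\securityhealthsystray.exe"}


def split_values(raw, key):
    """Winlogon/Run values are comma separated; LSA multi-strings may arrive joined
    by commas or whitespace. Return lower-cased, non-empty tokens."""
    sep = r"[,\s]+" if key == LSA else r","
    return {t.strip().lower() for t in re.split(sep, raw) if t.strip()}


def check_startups(entries, baseline=BASELINE, run_allowlist=RUN_ALLOWLIST):
    """Return findings for autostart entries that deviate from the baseline."""
    findings = []
    for e in entries:
        key, name = e["key"], e["name"]
        if "value" not in e:
            # The agent reported the key but not its data; it must be checked on the host.
            findings.append({"severity": "info", "key": key, "name": name,
                             "detail": "value not reported; verify on host"})
            continue
        values = split_values(e["value"], key)
        ident = (key, name.lower())
        if ident in baseline:
            extra = sorted(values - baseline[ident])
            if extra:
                findings.append({"severity": "high", "key": key, "name": name, "detail": extra})
        elif key == RUN:
            extra = sorted(values - run_allowlist)
            if extra:
                findings.append({"severity": "medium", "key": key, "name": name, "detail": extra})
        else:
            # Autostart location with no baseline at all: surface it for review.
            findings.append({"severity": "medium", "key": key, "name": name, "detail": sorted(values)})
    return findings


if __name__ == "__main__":
    for f in check_startups(PAGE_STARTUPS + [ROGUE_USERINIT]):
        print(f["severity"], f["name"], f["detail"])
```

Run against the page's own entries the check produces only the three informational findings for the LSA keys; with the constructed Userinit entry added it raises one high-severity finding naming the extra binary.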
10. malwarebytes-get-scan-detections#
Lists detections from an endpoint for the scans initiated from Cortex XSOAR.
Base Command#
malwarebytes-get-scan-detections
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job ID returned by malwarebytes-scan-and-remediate or malwarebytes-scan-and-report. Job IDs from isolation and deisolation actions are not accepted here; check those with malwarebytes-get-job-status. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Job_ID | string | Job_Id of the initiated Scan/Isolation/Deisolation actions. |
| Malwarebytes.Scan.Status | string | Scan Status for the host |
| Malwarebytes.Scan.Detections | string | Scan detections for the host |
Command Example#
!malwarebytes-get-scan-detections job_id=931f63ca-e14f-43ad-85d2-3eb8236f1bdd
Context Example#
Human Readable Output#
Scan Detections Report for the Job_Id: 931f63ca-e14f-43ad-85d2-3eb8236f1bdd#
| category | machine_id | machine_name | path | reported_at | status | threat_name | type |
|---|---|---|---|---|---|---|---|
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCOKDBVT\MHTQR4AW1913.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCOKDBVT\EKATI3479.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCOKDBVT\5WRQN2VY9117.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\AMDSCQBK\EKATI3234.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\RKSUGKK2\EKATI1111.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\RKSUGKK2\5IPWAWNR7377.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\REAQNH4P\UWAEL22C6434.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\REAQNH4P\GJL0GTPS2496.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\REAQNH4P\EKATI5786.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\REAQNH4P\AAWK4JEC6577.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\R5QH05OL\EKATI5120.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\QJTCQTO5\EKATI3976.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\QGZQD505\EKATI6903.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\QDI3PGI1\EKATI8011.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\PHVALVXM\EKATI5172.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\PCHQV24F\EKATI8221.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\PCHQV24F\0LI1UX235485.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\OX4R0SZA\EKATI6865.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\K2LXHNO1\EKATI6770.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\K1UQJ5KL\EKATI1034.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\JI4PZP0K\EKATI5574.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ICOWWYNX\EKATI7940.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\HUOBVYD0\EKATI8486.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\H0LKYXKH\EKATI6183.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ZWIZHTVD\EKATI6050.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ZAAN0543\EKATI4385.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\YWDLSBOE\EKATI7806.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\XXQBCKEL\Y2YWHFY47970.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\XXQBCKEL\HVAVEBY58253.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\XXQBCKEL\EKATI6877.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\XDFR4BMU\EKATI1611.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\X5IN24J2\EKATI2562.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\X3DL34QB\EKATI4718.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\WAWZXFJU\EKATI3613.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\VAIVLV51\EKATI2378.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FW3M1KTG\NKWWQ5337273.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FW3M1KTG\KQDYZ5DZ2805.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FW3M1KTG\EKATI8812.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FNKI23QO\EKATI9379.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FMULGDCG\EKATI5361.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\EZ3VSVR0\EKATI3626.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\DYEBLIJJ\EKATI2757.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\DVM05IV0\EKATI4168.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\DKI4HFKX\EKATI2083.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\TXS354JE\EKATI7864.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\TFDVXDEW\EKATI3594.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\TCERNEHR\EKATI3060.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\SSODDPVL\EKATI3273.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\SK4GT55H\NSMDWPVW1226.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\SK4GT55H\EKATI6166.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\SJRCS2D5\EKATI3838.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\S0RPYHDI\EKATI1244.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MDX3HHPZ\EKATI7764.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MA2EZOX5\HURT2A3R4366.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MA2EZOX5\GVXQMXK04108.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MA2EZOX5\EKATI5862.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\LTMZR34O\EKATI8397.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\5KE1T1MN\EKATI3121.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\40ASYTIK\EKATI2489.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\2VR0DR23\EKATI9180.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\22PMRE41\EKATI2935.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\1U0KTXL4\EKATI4859.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\0TNNQOPO\EKATI4374.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.FileLocker | file |
| arw | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\0TNNQOPO\CHLGY5ZD1037.EXE | 2020-03-03T13:28:57.393772Z | found | Ransom.Ekati | file |
| Malware | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\BIN3333.RAR | 2020-03-03T13:28:57.393772Z | found | Generic.Malware/Suspicious | file |
| Malware | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCTV.EXE | 2020-03-03T13:28:57.393772Z | found | DDoSTool.Nitol | file |
| PUP | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MICROSOFT OFFICE 2007 SERVICE PACK 2.EXE | 2020-03-03T13:28:57.393772Z | found | PUP.Optional.Solimba | file |
| Malware | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\FCK_RSC.DUMP | 2020-03-03T13:28:57.393772Z | found | Trojan.ServStart | file |
| Malware | 5074ade3-5716-44d8-83c7-5985379c0399 | DESKTOP-664HFM6 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\2211.RAR | 2020-03-03T13:28:57.393772Z | found | Generic.Malware/Suspicious | file |
11. malwarebytes-get-job-status#
Returns the status of a scan, isolation or deisolation job that was initiated from Cortex XSOAR.
Base Command#
malwarebytes-get-job-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | Job_Id of the initiated Scan/Isolation/Deisolation actions. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Scan.Job_ID | string | Job_Id of the initiated Scan/Isolation/Deisolation actions. |
| Malwarebytes.Scan.Status | string | Scan Status for the host |
Command Example#
!malwarebytes-get-job-status job_id=831afff7-7511-40be-a1ce-eace622e1e3e
Context Example#
Human Readable Output#
Scan Status for the job_id 831afff7-7511-40be-a1ce-eace622e1e3e is EXPIRED
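The scan commands return a Job_ID immediately; a playbook has to poll malwarebytes-get-job-status until the job reaches a terminal state before malwarebytes-get-scan-detections has anything to report. The following Python is an added example, not part of the integration or the Nebula API: it wraps that polling loop with a timeout and summarises the detections table the way an enrichment step would. The FakeNebulaClient class is a constructed stand-in for the three commands, the job statuses QUEUED, RUNNING and DONE and the set of terminal statuses are assumptions (the page only shows EXPIRED), and the detection rows are a subset of the output shown for job 931f63ca-e14f-43ad-85d2-3eb8236f1bdd above.

```python
"""Added example (not part of the ThreatDown integration): start a scan, poll
the job until it reaches a terminal status, then summarise the detections.

FakeNebulaClient is a constructed stand-in for malwarebytes-scan-and-report,
malwarebytes-get-job-status and malwarebytes-get-scan-detections; the job
statuses it emits and the terminal-status set passed in are assumptions."""
import time
from collections import Counter

MACHINE_ID = "5074ade3-5716-44d8-83c7-5985379c0399"  # DESKTOP-664HFM6 on this page

# Four rows taken from the malwarebytes-get-scan-detections table on this page.
SAMPLE_DETECTIONS = [
    {"category": "arw", "machine_id": MACHINE_ID, "machine_name": "DESKTOP-664HFM6",
     "path": r"C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCOKDBVT\MHTQR4AW1913.EXE",
     "reported_at": "2020-03-03T13:28:57.393772Z", "status": "found",
     "threat_name": "Ransom.Ekati", "type": "file"},
    {"category": "arw", "machine_id": MACHINE_ID, "machine_name": "DESKTOP-664HFM6",
     "path": r"C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCOKDBVT\EKATI3479.EXE",
     "reported_at": "2020-03-03T13:28:57.393772Z", "status": "found",
     "threat_name": "Ransom.FileLocker", "type": "file"},
    {"category": "Malware", "machine_id": MACHINE_ID, "machine_name": "DESKTOP-664HFM6",
     "path": r"C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CCTV.EXE",
     "reported_at": "2020-03-03T13:28:57.393772Z", "status": "found",
     "threat_name": "DDoSTool.Nitol", "type": "file"},
    {"category": "PUP", "machine_id": MACHINE_ID, "machine_name": "DESKTOP-664HFM6",
     "path": r"C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\MICROSOFT OFFICE 2007 SERVICE PACK 2.EXE",
     "reported_at": "2020-03-03T13:28:57.393772Z", "status": "found",
     "threat_name": "PUP.Optional.Solimba", "type": "file"},
]


class FakeNebulaClient:
    """Constructed stand-in for the integration commands (not the real API)."""

    def __init__(self, statuses):
        self._statuses = list(statuses)  # statuses returned on successive polls
        self.calls = 0

    def scan_and_report(self, hostname):
        # The real command returns Machine_ID and Job_ID; this job id is made up.
        return {"Machine_ID": MACHINE_ID, "Job_ID": "00000000-0000-4000-8000-000000000001"}

    def get_job_status(self, job_id):
        self.calls += 1
        return self._statuses[min(self.calls, len(self._statuses)) - 1]

    def get_scan_detections(self, job_id):
        return list(SAMPLE_DETECTIONS)


def wait_for_job(get_status, job_id, done, timeout_s=600, interval_s=15, sleep=time.sleep):
    """Poll get_status(job_id) until the status is in `done` or the time budget is
    spent. This is the loop a playbook runs around malwarebytes-get-job-status;
    without a timeout an EXPIRED or stuck job would block the playbook forever."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = get_status(job_id)
        if status in done:
            return status
        if time.monotonic() >= deadline:
            raise TimeoutError(f"job {job_id} still {status} after {timeout_s}s")
        sleep(interval_s)


def summarise_detections(detections):
    """Aggregate detection rows by category, threat name and status; anything
    outside the PUP category is treated as malware that needs analyst escalation."""
    return {
        "total": len(detections),
        "hosts": sorted({d["machine_name"] for d in detections}),
        "by_category": dict(Counter(d["category"] for d in detections)),
        "by_threat": dict(Counter(d["threat_name"] for d in detections)),
        "by_status": dict(Counter(d["status"] for d in detections)),
        "needs_escalation": any(d["category"] != "PUP" for d in detections),
    }


def run_scan_workflow(client, hostname, done, timeout_s=600, interval_s=15, sleep=time.sleep):
    """scan -> wait for the job -> fetch and summarise detections."""
    job = client.scan_and_report(hostname)
    status = wait_for_job(client.get_job_status, job["Job_ID"], done, timeout_s, interval_s, sleep)
    detections = client.get_scan_detections(job["Job_ID"])
    return {"job_id": job["Job_ID"], "status": status, "summary": summarise_detections(detections)}


if __name__ == "__main__":
    client = FakeNebulaClient(statuses=["QUEUED", "RUNNING", "DONE"])
    print(run_scan_workflow(client, "DESKTOP-664HFM6", done={"DONE"}, sleep=lambda s: None))
```

The sleep function is injected so the loop can be exercised without waiting; in a real playbook the equivalent is the polling interval of the GenericPolling loop or a scheduled task.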
12. malwarebytes-open-sa-incident#
Open Suspicious Activity for investigation in Malwarebytes Cloud. Use malwarebytes-get-sa-activities command to get machine and detection ID.
Base Command#
malwarebytes-open-sa-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| machine_id | Machine ID of an endpoint where Suspicious Activity is found. | Required |
| detection_id | Detection ID of the Suspicious Activity. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.SA.Machine_ID | string | Machine ID of the Suspicious host |
Command Example#
!malwarebytes-open-sa-incident machine_id=5074ade3-5716-44d8-83c7-5985379c0399 detection_id=69306685
Context Example#
Human Readable Output#
Open SA Incident action is initiated Successfully for the detection id: 69306685
13. malwarebytes-remediate-sa-incident#
Remediate Suspicious Activity from Malwarebytes Cloud. Use malwarebytes-get-sa-activities command to get machine and detection ID.
Base Command#
malwarebytes-remediate-sa-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| machine_id | Machine ID of an endpoint in Malwarebytes Cloud where Suspicious Activity is found. | Required |
| detection_id | Detection ID of the Suspicious Activity | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.SA.Machine_ID | string | Machine ID of the Suspicious host |
Command Example#
!malwarebytes-remediate-sa-incident machine_id=5074ade3-5716-44d8-83c7-5985379c0399 detection_id=69306697
Context Example#
Human Readable Output#
Remediate SA Incident action is initiated Successfully for the detection id: 69306697
14. malwarebytes-close-sa-incident#
Close Suspicious Activity Incident in Malwarebytes Cloud. Use malwarebytes-get-sa-activities command to get machine and detection ID.
Base Command#
malwarebytes-close-sa-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| machine_id | Machine ID of an endpoint in Malwarebytes Cloud where Suspicious Activity is found. | Required |
| detection_id | Detection ID of the Suspicious Activity. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.SA.Machine_ID | string | Machine ID of the Suspicious host |
Command Example#
!malwarebytes-close-sa-incident machine_id=5074ade3-5716-44d8-83c7-5985379c0399 detection_id=69306685
Context Example#
Human Readable Output#
Close SA Incident action is initiated Successfully for the detection id: 69306685
15. malwarebytes-get-sa-activities#
Lists all suspicious activities for a given hostname, or lists all hostnames on which a given file path was flagged as a suspicious activity.
Base Command#
malwarebytes-get-sa-activities
Input#
| Argument Name | Description | Required |
|---|---|---|
| hostname | Hostname of the endpoint. | Optional |
| path | Path of the file to be searched in suspicious activities. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Malwarebytes.Endpoint.Suspicious_Activities | string | Suspicious Activities for the host |
Command Example#
!malwarebytes-get-sa-activities hostname=DESKTOP-664HFM6
Context Example#
Human Readable Output#
Suspicious Activites found for the host: DESKTOP-664HFM6#
| account_id | detected_by_count | detection_id_list | level | machine_id | path | pc_hostname | status | timestamp |
|---|---|---|---|---|---|---|---|---|
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 69306685 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\51I24R0R\4S4USN157912.EXE | DESKTOP-664HFM6 | closed | 2020-04-22T00:22:03.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 69306697 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\51I24R0R\EKATI3419.EXE | DESKTOP-664HFM6 | processing | 2020-04-22T00:22:03.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69298563 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ZRPQZLD0\EKATI4166.EXE | DESKTOP-664HFM6 | detected | 2020-04-22T00:03:17.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 3 | 69297395 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ULHYC0ZK\EKATI7387.EXE | DESKTOP-664HFM6 | detected | 2020-04-22T00:00:18.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69293149 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\SXM2TCFT\EKATI7194.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T23:51:31.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 3 | 69224002 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\Y20DB3LK\EKATI3988.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T21:26:21.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69216054 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\1VG2J1ZZ\EKATI9823.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T21:14:39.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 69216153 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CJGQRXFS\WR1LKLFO5074.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T21:13:28.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 69216169 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\CJGQRXFS\EKATI7396.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T21:13:27.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69205108 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\WGKUJRGM\EKATI7827.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:53:33.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 69199010 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\NURKWB4B\MIYO4ZBX5817.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:41:41.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 69199008 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\NURKWB4B\EKATI1485.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:41:40.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69196909 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\Z2QEP4IQ\EKATI1206.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:41:15.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 69183153 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\R0TZHA1D\QTVKKU0O3864.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:18:19.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 69183344 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\R0TZHA1D\EKATI3336.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:18:18.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 69182161 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\Y5B35RXH\EKATI4787.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:16:25.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 69182258 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\QI2K3DLV\EKATI8446.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T20:16:06.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 68915780 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\LERQ0DSN\PFNLX1ZC2666.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T13:35:33.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 68915910 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\LERQ0DSN\EKATI1279.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T13:35:28.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 68917631 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\KGSXOYUY\1DM4MJK56911.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T13:35:21.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 3 | 68917642 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\KGSXOYUY\EKATI5694.EXE | DESKTOP-664HFM6 | detected | 2020-04-21T13:35:21.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 67932985 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\TLX3EVTX\EKATI4102.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:46:20.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 9 | 67932021 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\LYFB0FPR\EKATI8717.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:38.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 8 | 67932009 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\X0BDZ1FX\EKATI5156.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:35.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 3 | 67932084 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\ZAX2TN0U\EKATI3331.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:32.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 10 | 67932008 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\V1YOTCGH\EKATI1530.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:08.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 67932145 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\IJJZUABZ\E55QEANT8731.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:02.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 2 | 67932186 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\IJJZUABZ\EKATI7353.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:45:02.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 9 | 67931295 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\IMPDUHIQ\EKATI3476.EXE | DESKTOP-664HFM6 | closed | 2020-04-20T08:43:34.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 9 | 67931302 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\4KQQJWG5\EKATI4354.EXE | DESKTOP-664HFM6 | processing | 2020-04-20T08:43:31.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 1 | 67931496 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\AVQCVSEN\CSF2FQEI8635.EXE | DESKTOP-664HFM6 | processing | 2020-04-20T08:43:24.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 3 | 67931509 | 2 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\AVQCVSEN\EKATI2270.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:43:24.000Z |
| 2020bd17-a809-4102-b744-94fe8ad1c591 | 11 | 67931294 | 3 | 5074ade3-5716-44d8-83c7-5985379c0399 | C:\USERS\ROHIN SAMBATH KUMAR\DESKTOP\RGCNKCKH\EKATI1130.EXE | DESKTOP-664HFM6 | detected | 2020-04-20T08:43:16.000Z |
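The typical playbook step chains commands 15 and 13: pull the suspicious-activity rows for a host, keep only the ones that still need action, and feed each machine/detection pair to malwarebytes-remediate-sa-incident. The helper below is an added example, not part of the integration's own code; it assumes rows shaped like the output table above (machine_id, detection_id_list, level, status, path), treats rows already "closed" or "processing" as not actionable, and tolerates detection_id_list arriving either as a single value or as a list (the second machine ID and its detection IDs are constructed placeholders).

```python
from typing import Dict, List, Union

# Constructed sample: the first four rows mirror entries from the output table
# above; the fifth is a hypothetical row whose detection_id_list holds several IDs.
SAMPLE_ACTIVITIES = [
    {"machine_id": "5074ade3-5716-44d8-83c7-5985379c0399", "detection_id_list": "69306685",
     "level": 2, "status": "closed", "path": r"C:\USERS\...\4S4USN157912.EXE"},
    {"machine_id": "5074ade3-5716-44d8-83c7-5985379c0399", "detection_id_list": "69306697",
     "level": 2, "status": "processing", "path": r"C:\USERS\...\EKATI3419.EXE"},
    {"machine_id": "5074ade3-5716-44d8-83c7-5985379c0399", "detection_id_list": "69298563",
     "level": 3, "status": "detected", "path": r"C:\USERS\...\EKATI4166.EXE"},
    {"machine_id": "5074ade3-5716-44d8-83c7-5985379c0399", "detection_id_list": "69297395",
     "level": 2, "status": "detected", "path": r"C:\USERS\...\EKATI7387.EXE"},
    # constructed placeholder machine ID and detection IDs
    {"machine_id": "00000000-0000-0000-0000-000000000001", "detection_id_list": ["70000001", "70000002"],
     "level": 3, "status": "detected", "path": r"C:\USERS\...\PLACEHOLDER.EXE"},
]


def _detection_ids(value: Union[str, int, List]) -> List[str]:
    """Normalise detection_id_list to a list of strings (scalar, CSV string or list)."""
    if isinstance(value, list):
        return [str(v) for v in value]
    return [part.strip() for part in str(value).split(",") if part.strip()]


def select_for_remediation(activities: List[dict], min_level: int = 2,
                           actionable_status=("detected",)) -> Dict[str, List[str]]:
    """Return {machine_id: sorted unique detection IDs} for rows that still need action.

    Rows whose status is closed/processing are skipped so an already-submitted
    remediation is not re-triggered; rows below min_level are left for review.
    """
    selected: Dict[str, set] = {}
    for row in activities:
        if row.get("status") not in actionable_status:
            continue
        if int(row.get("level", 0)) < min_level:
            continue
        selected.setdefault(row["machine_id"], set()).update(_detection_ids(row["detection_id_list"]))
    return {machine: sorted(ids) for machine, ids in selected.items()}


def remediate_commands(selection: Dict[str, List[str]]) -> List[str]:
    """Render one malwarebytes-remediate-sa-incident call per machine/detection pair."""
    return [f"!malwarebytes-remediate-sa-incident machine_id={machine} detection_id={det}"
            for machine, ids in selection.items() for det in ids]
```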