3d535198ebf1e519e4f58c9aaca1b1e00c9b375c6f79cd3cca5f0b70f0a3dcd5

Analysis

max time kernel
97s
max time network
92s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-01-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Optimizer-14.8.exe
Size

2.1MB
MD5

8d7df991938615da66351c6ff74b9d3d
SHA1

c578d96f7a34816ba3b2cf2ace512e9d0da9e437
SHA256

3d535198ebf1e519e4f58c9aaca1b1e00c9b375c6f79cd3cca5f0b70f0a3dcd5
SHA512

93d5c39aef54bd2da111e62d3ead58a55b6dabed5e713412ab9b3a9ff4ca3979e9899cc8cb79921ae14d8f2e0547786b1977e3a0c4ee5336891f432b03261da1
SSDEEP

24576:KvC0vZ1r+ewP85NWrnwED8XJV9WwhBA/ZTvQD0XY0AJBSjRlXP36RMG:Krr+ewP85NhED8Xv9WwhEAJBSjh

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Optimizer-14.8.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Registers COM server for autorun 1 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{6BB93B4E-44D8-40E2-BD97-42DBCF18A40F}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LOCALSERVER32	OneDriveSetup.exe

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe	Optimizer-14.8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-14.8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe	Optimizer-14.8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-14.8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe	Optimizer-14.8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-14.8.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4588	icacls.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Public\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	OneDriveSetup.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	OneDriveSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1336	sc.exe
2628	sc.exe
4164	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4132	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3304	taskkill.exe

Modifies Control Panel 12 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\MenuShowDelay = "0"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Mouse\MouseHoverTime = "0"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Accessibility\StickyKeys\Flags = "506"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\UnsupportedHardwareNotificationCache\SV2 = "0"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\AutoEndTasks = "1"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\UnsupportedHardwareNotificationCache	Optimizer-14.8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\HungAppTimeout = "1000"	Optimizer-14.8.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	Optimizer-14.8.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "122"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	Optimizer-14.8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy\TailoredExperiencesWithDiagnosticDataEnabled = "0"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "506"	Optimizer-14.8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "58"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-14.8.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\ShowedToastAtLevel = "1"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	Optimizer-14.8.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	Optimizer-14.8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20	Optimizer-14.8.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	Optimizer-14.8.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\AppID\{EEABD3A3-784D-4334-AAFC-BB13234F17CF}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\PROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\SYNCENGINEFILEINFOPROVIDER.SYNCENGINEFILEINFOPROVIDER\CURVER	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\WIN32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To	Optimizer-14.8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{C1439245-96B4-47FC-B391-679386C5D40F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\SHELL\IMPORT\DROPTARGET	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\odopen\shell\open	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}"	Optimizer-14.8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\PROGRAMMABLE	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\WOW6432NODE\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDriveSetup.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1776	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2292	PING.EXE
3492	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3824	Optimizer-14.8.exe
3824	Optimizer-14.8.exe
4316	OneDriveSetup.exe
4316	OneDriveSetup.exe
4316	OneDriveSetup.exe
4316	OneDriveSetup.exe
4316	OneDriveSetup.exe
4316	OneDriveSetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3824	Optimizer-14.8.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	Optimizer-14.8.exe
Token: SeBackupPrivilege	4488	vssvc.exe
Token: SeRestorePrivilege	4488	vssvc.exe
Token: SeAuditPrivilege	4488	vssvc.exe
Token: SeShutdownPrivilege	4248	powercfg.exe
Token: SeCreatePagefilePrivilege	4248	powercfg.exe
Token: SeShutdownPrivilege	4248	powercfg.exe
Token: SeCreatePagefilePrivilege	4248	powercfg.exe
Token: SeShutdownPrivilege	5096	powercfg.exe
Token: SeCreatePagefilePrivilege	5096	powercfg.exe
Token: SeShutdownPrivilege	5096	powercfg.exe
Token: SeCreatePagefilePrivilege	5096	powercfg.exe
Token: SeTakeOwnershipPrivilege	3824	Optimizer-14.8.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2424	OneDriveSetup.exe
Token: SeTakeOwnershipPrivilege	3824	Optimizer-14.8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3756	3824	Optimizer-14.8.exe	69
PID 3824 wrote to memory of 3756	3824	Optimizer-14.8.exe	69
PID 3756 wrote to memory of 2628	3756	cmd.exe	71
PID 3756 wrote to memory of 2628	3756	cmd.exe	71
PID 3824 wrote to memory of 4132	3824	Optimizer-14.8.exe	73
PID 3824 wrote to memory of 4132	3824	Optimizer-14.8.exe	73
PID 3824 wrote to memory of 3440	3824	Optimizer-14.8.exe	77
PID 3824 wrote to memory of 3440	3824	Optimizer-14.8.exe	77
PID 3440 wrote to memory of 4248	3440	cmd.exe	79
PID 3440 wrote to memory of 4248	3440	cmd.exe	79
PID 3824 wrote to memory of 4168	3824	Optimizer-14.8.exe	80
PID 3824 wrote to memory of 4168	3824	Optimizer-14.8.exe	80
PID 4168 wrote to memory of 5096	4168	cmd.exe	82
PID 4168 wrote to memory of 5096	4168	cmd.exe	82
PID 3824 wrote to memory of 5072	3824	Optimizer-14.8.exe	83
PID 3824 wrote to memory of 5072	3824	Optimizer-14.8.exe	83
PID 5072 wrote to memory of 4844	5072	cmd.exe	85
PID 5072 wrote to memory of 4844	5072	cmd.exe	85
PID 3824 wrote to memory of 4180	3824	Optimizer-14.8.exe	86
PID 3824 wrote to memory of 4180	3824	Optimizer-14.8.exe	86
PID 4180 wrote to memory of 4588	4180	cmd.exe	88
PID 4180 wrote to memory of 4588	4180	cmd.exe	88
PID 3824 wrote to memory of 4656	3824	Optimizer-14.8.exe	89
PID 3824 wrote to memory of 4656	3824	Optimizer-14.8.exe	89
PID 4656 wrote to memory of 4924	4656	cmd.exe	91
PID 4656 wrote to memory of 4924	4656	cmd.exe	91
PID 4656 wrote to memory of 4932	4656	cmd.exe	92
PID 4656 wrote to memory of 4932	4656	cmd.exe	92
PID 4656 wrote to memory of 3112	4656	cmd.exe	93
PID 4656 wrote to memory of 3112	4656	cmd.exe	93
PID 4656 wrote to memory of 4904	4656	cmd.exe	94
PID 4656 wrote to memory of 4904	4656	cmd.exe	94
PID 4656 wrote to memory of 3744	4656	cmd.exe	95
PID 4656 wrote to memory of 3744	4656	cmd.exe	95
PID 4656 wrote to memory of 2844	4656	cmd.exe	96
PID 4656 wrote to memory of 2844	4656	cmd.exe	96
PID 4656 wrote to memory of 2940	4656	cmd.exe	97
PID 4656 wrote to memory of 2940	4656	cmd.exe	97
PID 4656 wrote to memory of 4840	4656	cmd.exe	98
PID 4656 wrote to memory of 4840	4656	cmd.exe	98
PID 4656 wrote to memory of 4748	4656	cmd.exe	99
PID 4656 wrote to memory of 4748	4656	cmd.exe	99
PID 4656 wrote to memory of 4760	4656	cmd.exe	100
PID 4656 wrote to memory of 4760	4656	cmd.exe	100
PID 4656 wrote to memory of 4732	4656	cmd.exe	101
PID 4656 wrote to memory of 4732	4656	cmd.exe	101
PID 4656 wrote to memory of 4712	4656	cmd.exe	102
PID 4656 wrote to memory of 4712	4656	cmd.exe	102
PID 4656 wrote to memory of 4704	4656	cmd.exe	103
PID 4656 wrote to memory of 4704	4656	cmd.exe	103
PID 4656 wrote to memory of 652	4656	cmd.exe	104
PID 4656 wrote to memory of 652	4656	cmd.exe	104
PID 4656 wrote to memory of 420	4656	cmd.exe	105
PID 4656 wrote to memory of 420	4656	cmd.exe	105
PID 4656 wrote to memory of 428	4656	cmd.exe	106
PID 4656 wrote to memory of 428	4656	cmd.exe	106
PID 4656 wrote to memory of 372	4656	cmd.exe	107
PID 4656 wrote to memory of 372	4656	cmd.exe	107
PID 4656 wrote to memory of 1188	4656	cmd.exe	108
PID 4656 wrote to memory of 1188	4656	cmd.exe	108
PID 4656 wrote to memory of 1088	4656	cmd.exe	109
PID 4656 wrote to memory of 1088	4656	cmd.exe	109
PID 4656 wrote to memory of 1488	4656	cmd.exe	110
PID 4656 wrote to memory of 1488	4656	cmd.exe	110

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn = "1"	Optimizer-14.8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "0"	Optimizer-14.8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	Optimizer-14.8.exe

C:\Users\Admin\AppData\Local\Temp\Optimizer-14.8.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-14.8.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Sets file execution options in registry
- Modifies Control Panel
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\sc.exe
    sc config "RemoteRegistry" start= disabled
    3⤵
    - Launches sc.exe
    PID:2628
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin" delete shadows /for=c: /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -h off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\powercfg.exe
    powercfg -h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -h off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\powercfg.exe
    powercfg -h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Modifies file permissions
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4924
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:4932
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:3112
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:4904
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:3744
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:2844
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:2940
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:4840
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:4748
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:4760
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:4732
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:4712
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:4704
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:652
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:420
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:428
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:372
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:1188
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:1088
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:1488
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:1080
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:1052
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:1236
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:1892
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:2160
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:1344
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:4780
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:3284
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:312
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:212
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:1688
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:2308
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:2768
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:2196
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:1288
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:848
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:908
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:2420
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:2736
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:2888
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:2740
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:4008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:2688
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:3816
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:3920
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:4276
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:5052
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:3424
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:3364
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:4996
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:2948
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    3⤵
    PID:2312
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    3⤵
    PID:1484
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:3792
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:2008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:4260
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:2032
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    3⤵
    PID:4084
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    3⤵
    PID:1112
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:4136
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:4500
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    3⤵
    PID:3948
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
    3⤵
    PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:1936
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:4496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:4624
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:4764
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net.exe stop NvTelemetryContainer
  2⤵
  PID:3964
- - C:\Windows\system32\net.exe
    net.exe stop NvTelemetryContainer
    3⤵
    PID:4212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NvTelemetryContainer
      4⤵
      PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc.exe config NvTelemetryContainer start= disabled
  2⤵
  PID:5076
- - C:\Windows\system32\sc.exe
    sc.exe config NvTelemetryContainer start= disabled
    3⤵
    - Launches sc.exe
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc.exe stop NvTelemetryContainer
  2⤵
  PID:5092
- - C:\Windows\system32\sc.exe
    sc.exe stop NvTelemetryContainer
    3⤵
    - Launches sc.exe
    PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
  2⤵
  PID:4716
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
    3⤵
    PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
  2⤵
  PID:3568
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""
  2⤵
  PID:3760
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:3712
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:4908
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:4652
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:4620
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"
    3⤵
    PID:4836
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable
    3⤵
    PID:4820
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:4840
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4944
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4800
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4708
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4808
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:492
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:584
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:428
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:1692
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:1128
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:1512
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:1392
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:708
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4976
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"
  2⤵
  - Runs .reg file with regedit
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\OneDrive_Uninstaller.cmd""
  2⤵
  PID:792
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OneDrive.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2292
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /silent /childprocess /cusid:S-1-5-21-1099808672-3828198950-1535142148-1000
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess
      4⤵
      Registers COM server for autorun
      Drops desktop.ini file(s)
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4316
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
        5⤵
        Registers COM server for autorun
        Modifies registry class
        
        PID:4840
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:3492
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:4456
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:3368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" /V {7AD84985-87B4-4a16-BE58-8B72A5B390F7} /T REG_SZ /D "Play to Menu" /F
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" /V {7AD84985-87B4-4a16-BE58-8B72A5B390F7} /T REG_SZ /D "Play to Menu" /F
    3⤵
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableXboxTasks.bat""
  2⤵
  PID:4508
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\XblGameSave\XblGameSaveTask"
    3⤵
    PID:1604
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\XblGameSave\XblGameSaveTask" /disable
    3⤵
    PID:4168
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\XblGameSave\XblGameSaveTaskLogon"
    3⤵
    PID:1336
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\XblGameSave\XblGameSaveTaskLogon" /disable
    3⤵
    PID:5092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C SCHTASKS /Delete /TN "OneDrive Standalone Update Task" /F
  2⤵
  PID:1240
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN "OneDrive Standalone Update Task" /F
    3⤵
    PID:4140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C SCHTASKS /Delete /TN "OneDrive Standalone Update Task v2" /F
  2⤵
  PID:4116
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN "OneDrive Standalone Update Task v2" /F
    3⤵
    PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\setup\refcount.ini

Filesize
25B

MD5
d31492098ef22e390927472aee0e15e1

SHA1
8d2000d22ffb43db081edd4bb6ad1a4dcec7895f

SHA256
1ab56b140cac14bdaa4c3c86ee43eee5c051bfd97e58f14603f917715ee9dd6a

SHA512
3fc56a622dddcb5fee42ff8a7d0f6d53e1de497b944f4aa7791c482f2f6ec51f674e4b82a40db23768e0926f1f3341349c8156b0a24a15d85e5487383d2ba886

Download Submit
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat

Filesize
2KB

MD5
fed75b5cb9d9f4ec5ee22b8fd304ccf7

SHA1
1b4bdac9ac71fdee3bae90e52fcec60c88d7fa9d

SHA256
d884c0d04ba09b113d9439d2f8c0b7ed322111ae2e3ed802f6a95278ff8e0ac2

SHA512
36bed8311050f8c79e766678c59bb65177630279af8b4d2302aaf6146157887e1fb744785ac7f3290519778a592fb4d90fb7b7b9420e7346efdfec1085bf34e9

Download Submit
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg

Filesize
649B

MD5
2446deb7e8dfd6336a44e1d53df9cf33

SHA1
b293c203ce60d883e541f84331fbffbe439e455a

SHA256
61b217ef0ff73b6f35d8ff86096f2db483785cb7532687ebdf0d4cd029ebab2a

SHA512
d4b522d0c8b1b691b7f5b1968689c690eb886ad767e5fc42b98be1a9afb24f302e16f1243fdc368da147717bb195bfd3761b7049beb03873c9bf7ccc4a3562f6

Download Submit
C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

Filesize
5KB

MD5
cb03c3144aaff8fb1c3497c403c2b60f

SHA1
ba4380abb20eaaeb638cdb142452def731817212

SHA256
abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3

SHA512
d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660

Download Submit
C:\ProgramData\Optimizer\Required\DisableXboxTasks.bat

Filesize
274B

MD5
39618d49de20114a6e4412507c4ad156

SHA1
324ce0b434e8d80da59606e7bc9e59b0fb2a1419

SHA256
aff075485c4139ec19fa8c3ea1f9afdcd4c3b6894bb93a56474273e027a7162f

SHA512
71c442edda586bdc83581cda6a509cf6f264961257521a86b0007a60495d56ebcb263b56ad2a14e6d79f8dc132c246a4ecf1595ac036895fc4001a1f47c2e9fe

Download Submit
C:\ProgramData\Optimizer\Required\OneDrive_Uninstaller.cmd

Filesize
924B

MD5
522f706e19f359a973c17722c61478ed

SHA1
d81b490509baee86e7d435a311552aadea35a36e

SHA256
43f50e6ad08310c365f143301685950330b15ad58ad4b45efcba37d876cb1021

SHA512
fb8e6bc09f471efda516bba5c7d7072471db1ca35f1eea7851c3eb765ae9ed8eea7b8a0e8eab3624e5f2ece16117c4ed799df6a0b9e9ecea7a3d7822aa945903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~1.LOG

Filesize
90KB

MD5
b36bec84abcfff2887ac6044f175d210

SHA1
26ce14f721274d996853ee4846df4be4ec521948

SHA256
669f3625a4fc2b2de2d9022dde911e69dfa1450bb12c3f1ae182a134f844ea55

SHA512
88f419281107a5272a368d5be0418995df6e4c47eb31b708f1a7af409b86ead39b595616a4b4959321f8e7160ebfacbbf7b217288d5cf5e4c92ae6f3828a4b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~2.LOG

Filesize
92KB

MD5
7a9bd05e9ce87b5716026c3258be4954

SHA1
8c60bf30ab3c000c9bd7f03c769e2832e6639892

SHA256
5195e19443b6d83d761de883970546894db14966508c89cf94f1a1c3f4d7de49

SHA512
a67d8edd233cc3a178c8823fc2e566a1ed86567ba72974d46ac8d11188d066a2c35c42ef50e78bd416150ecabf66efd6752b1ef30090df6d8663b3299a98db49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~3.LOG

Filesize
107KB

MD5
a8ef6616bbd601d69b82e3ea2473dd8d

SHA1
04c1d3f7774c5b2cb0223037a2effeb3f9fd8079

SHA256
cd265ba1a52a6f467b811795f6ba0d0b4c185529f6a1f34a583100aee388fa56

SHA512
71dc5e5a4e4adc5f14665fbfff6f4783890074e98c6af610882431bc747f634b6cb535547ca29cb5c6f925b8264ca0ae8605db9941fcccb4c5bd0ff3cacd892f

Download Submit
memory/2424-220-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-200-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-256-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-255-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-254-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-253-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-197-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-252-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-251-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-250-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-249-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-248-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-247-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-246-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-245-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-244-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-243-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-242-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-241-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-240-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-198-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-239-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-238-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-237-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-205-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-210-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-217-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-223-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-225-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-226-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-228-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-230-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-232-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-233-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-235-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-199-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-234-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-231-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-229-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-227-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-224-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-222-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-221-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-219-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-218-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-216-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-194-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-195-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-196-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-215-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-214-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-236-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-202-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-201-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-203-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-204-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-206-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-207-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-208-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-209-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-211-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-212-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/2424-213-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3500-257-0x00000000778F0000-0x0000000077A7E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-116-0x0000020DCF8A0000-0x0000020DCFAB6000-memory.dmp

Filesize
2.1MB

Download
memory/3824-120-0x0000020DEA5D0000-0x0000020DEA5EE000-memory.dmp

Filesize
120KB

Download
memory/3824-122-0x0000020DEDDD0000-0x0000020DEDDDA000-memory.dmp

Filesize
40KB

Download
memory/3824-511-0x0000020DF0E64000-0x0000020DF0E67000-memory.dmp

Filesize
12KB

Download
memory/3824-191-0x0000020DE9F99000-0x0000020DE9F9F000-memory.dmp

Filesize
24KB

Download
memory/3824-117-0x0000020DE9E40000-0x0000020DE9EF2000-memory.dmp

Filesize
712KB

Download
memory/3824-118-0x0000020DEA620000-0x0000020DEA696000-memory.dmp

Filesize
472KB

Download
memory/3824-119-0x0000020DE9EF0000-0x0000020DE9F12000-memory.dmp

Filesize
136KB

Download
memory/3824-123-0x0000020DEDE50000-0x0000020DEDE62000-memory.dmp

Filesize
72KB

Download
memory/3824-193-0x0000020DE9F99000-0x0000020DE9F9F000-memory.dmp

Filesize
24KB

Download
memory/3824-121-0x0000020DEDDB0000-0x0000020DEDDC4000-memory.dmp

Filesize
80KB

Download
memory/3824-506-0x0000020DF0E60000-0x0000020DF0E64000-memory.dmp

Filesize
16KB

Download
memory/3824-476-0x0000020DF0E64000-0x0000020DF0E67000-memory.dmp

Filesize
12KB

Download
memory/3824-475-0x0000020DF0E60000-0x0000020DF0E64000-memory.dmp

Filesize
16KB

Download