8d78838a8c4bda57e8de3d9de4dc4d0e4e51c3e7c0af62fe8490df3e6bd22f59

Analysis

max time kernel
102s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2023 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Optimizer-10.9.exe
Size

1.6MB
MD5

f5a5123443d544e9e580793fbdc16099
SHA1

62e75d5714d031900db894f34b97528162d68195
SHA256

8d78838a8c4bda57e8de3d9de4dc4d0e4e51c3e7c0af62fe8490df3e6bd22f59
SHA512

049faf08e5f48438e4dabeb031f8541d10b3a56f6422ad58e7c03156bb412eef61772264d5ed3d984fc7ff7b3699f3b8cf08ea37a2e6c913e74a2a5b694431c9
SSDEEP

24576:x9yoBcCUpGQzP7vXUrUmG/aeggD7PIEjR4xq7iiXTK7D3So9AIB+jg:vyoBQzTvXUImG/aeL70XWIB+j

Score

10^/10

discovery evasion exploit trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Optimizer-10.9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Optimizer-10.9.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Optimizer-10.9.exe

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
4436	icacls.exe
5084	takeown.exe
4984	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Optimizer-10.9.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4436	icacls.exe
5084	takeown.exe
4984	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
400	sc.exe
852	sc.exe
2680	sc.exe
4412	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 7 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000"	Optimizer-10.9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	Optimizer-10.9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Mouse\MouseHoverTime = "8"	Optimizer-10.9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	Optimizer-10.9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\AutoEndTasks = "1"	Optimizer-10.9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\HungAppTimeout = "1000"	Optimizer-10.9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\MenuShowDelay = "8"	Optimizer-10.9.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	Optimizer-10.9.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-10.9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\ShowedToastAtLevel = "1"	Optimizer-10.9.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy\TailoredExperiencesWithDiagnosticDataEnabled = "0"	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Optimizer-10.9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Optimizer-10.9.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}"	Optimizer-10.9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To	Optimizer-10.9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}"	Optimizer-10.9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To	Optimizer-10.9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
884	Optimizer-10.9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
884	Optimizer-10.9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	Optimizer-10.9.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
884	Optimizer-10.9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4980	884	Optimizer-10.9.exe	96
PID 884 wrote to memory of 4980	884	Optimizer-10.9.exe	96
PID 4980 wrote to memory of 400	4980	cmd.exe	98
PID 4980 wrote to memory of 400	4980	cmd.exe	98
PID 884 wrote to memory of 376	884	Optimizer-10.9.exe	99
PID 884 wrote to memory of 376	884	Optimizer-10.9.exe	99
PID 376 wrote to memory of 852	376	cmd.exe	101
PID 376 wrote to memory of 852	376	cmd.exe	101
PID 884 wrote to memory of 1904	884	Optimizer-10.9.exe	102
PID 884 wrote to memory of 1904	884	Optimizer-10.9.exe	102
PID 1904 wrote to memory of 2680	1904	cmd.exe	104
PID 1904 wrote to memory of 2680	1904	cmd.exe	104
PID 884 wrote to memory of 4596	884	Optimizer-10.9.exe	105
PID 884 wrote to memory of 4596	884	Optimizer-10.9.exe	105
PID 4596 wrote to memory of 1492	4596	cmd.exe	107
PID 4596 wrote to memory of 1492	4596	cmd.exe	107
PID 884 wrote to memory of 3200	884	Optimizer-10.9.exe	108
PID 884 wrote to memory of 3200	884	Optimizer-10.9.exe	108
PID 3200 wrote to memory of 2868	3200	cmd.exe	110
PID 3200 wrote to memory of 2868	3200	cmd.exe	110
PID 884 wrote to memory of 4464	884	Optimizer-10.9.exe	115
PID 884 wrote to memory of 4464	884	Optimizer-10.9.exe	115
PID 4464 wrote to memory of 3196	4464	cmd.exe	117
PID 4464 wrote to memory of 3196	4464	cmd.exe	117
PID 884 wrote to memory of 384	884	Optimizer-10.9.exe	118
PID 884 wrote to memory of 384	884	Optimizer-10.9.exe	118
PID 384 wrote to memory of 1420	384	cmd.exe	120
PID 384 wrote to memory of 1420	384	cmd.exe	120
PID 884 wrote to memory of 2996	884	Optimizer-10.9.exe	121
PID 884 wrote to memory of 2996	884	Optimizer-10.9.exe	121
PID 2996 wrote to memory of 4436	2996	cmd.exe	123
PID 2996 wrote to memory of 4436	2996	cmd.exe	123
PID 884 wrote to memory of 436	884	Optimizer-10.9.exe	124
PID 884 wrote to memory of 436	884	Optimizer-10.9.exe	124
PID 436 wrote to memory of 5084	436	cmd.exe	126
PID 436 wrote to memory of 5084	436	cmd.exe	126
PID 884 wrote to memory of 4948	884	Optimizer-10.9.exe	127
PID 884 wrote to memory of 4948	884	Optimizer-10.9.exe	127
PID 4948 wrote to memory of 4984	4948	cmd.exe	129
PID 4948 wrote to memory of 4984	4948	cmd.exe	129
PID 884 wrote to memory of 4900	884	Optimizer-10.9.exe	130
PID 884 wrote to memory of 4900	884	Optimizer-10.9.exe	130
PID 4900 wrote to memory of 4784	4900	cmd.exe	132
PID 4900 wrote to memory of 4784	4900	cmd.exe	132
PID 4900 wrote to memory of 2044	4900	cmd.exe	133
PID 4900 wrote to memory of 2044	4900	cmd.exe	133
PID 4900 wrote to memory of 1344	4900	cmd.exe	134
PID 4900 wrote to memory of 1344	4900	cmd.exe	134
PID 4900 wrote to memory of 1476	4900	cmd.exe	135
PID 4900 wrote to memory of 1476	4900	cmd.exe	135
PID 4900 wrote to memory of 4132	4900	cmd.exe	136
PID 4900 wrote to memory of 4132	4900	cmd.exe	136
PID 4900 wrote to memory of 2012	4900	cmd.exe	137
PID 4900 wrote to memory of 2012	4900	cmd.exe	137
PID 4900 wrote to memory of 4920	4900	cmd.exe	138
PID 4900 wrote to memory of 4920	4900	cmd.exe	138
PID 4900 wrote to memory of 624	4900	cmd.exe	139
PID 4900 wrote to memory of 624	4900	cmd.exe	139
PID 4900 wrote to memory of 2632	4900	cmd.exe	140
PID 4900 wrote to memory of 2632	4900	cmd.exe	140
PID 4900 wrote to memory of 2256	4900	cmd.exe	141
PID 4900 wrote to memory of 2256	4900	cmd.exe	141
PID 4900 wrote to memory of 2656	4900	cmd.exe	142
PID 4900 wrote to memory of 2656	4900	cmd.exe	142

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1"	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1"	Optimizer-10.9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	Optimizer-10.9.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Optimizer-10.9.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-10.9.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Modifies Control Panel
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\sc.exe
    sc config "RemoteRegistry" start= disabled
    3⤵
    - Launches sc.exe
    PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\sc.exe
    sc config "RemoteRegistry" start= disabled
    3⤵
    - Launches sc.exe
    PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\sc.exe
    sc config "RemoteRegistry" start= disabled
    3⤵
    - Launches sc.exe
    PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C regsvr32 /u /s "C:\Program Files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /u /s "C:\Program Files"
    3⤵
    PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Gpupdate /Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\system32\gpupdate.exe
    Gpupdate /Force
    3⤵
    PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C regsvr32 /u /s "C:\Program Files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /u /s "C:\Program Files"
    3⤵
    PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Gpupdate /Force
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\system32\gpupdate.exe
    Gpupdate /Force
    3⤵
    PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C takeown /F C:\Windows\System32\CompatTelRunner.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\CompatTelRunner.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls "C:\Windows\System32\CompatTelRunner.exe" /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\CompatTelRunner.exe" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4784
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:2044
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:1344
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:1476
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:4132
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:2012
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:4920
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:624
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:2632
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:2256
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:2656
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:3616
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:1252
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:2736
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:2268
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:460
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:1364
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:1880
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:5044
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:4804
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:3892
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:5088
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4240
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4644
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:1564
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:4668
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:1624
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:4636
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:828
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:4272
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:1700
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:3736
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:4292
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:3928
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:320
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:2692
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:3868
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:856
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:4596
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:232
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:1492
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:668
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:5008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:4816
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:4160
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:4888
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:3292
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:4852
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:3032
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "DPS" start=disabled
  2⤵
  PID:4208
- - C:\Windows\system32\sc.exe
    sc config "DPS" start=disabled
    3⤵
    - Launches sc.exe
    PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:1724
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

Filesize
4KB

MD5
940520879ae026716bbfc9caef7d13f6

SHA1
c4f38ffefee022ab420fd9dd2ab0f792afb61aa0

SHA256
8ff092023e40a9ffe10432d4ea154a530b04fb2e47b63a0dda3bb666cd1601f7

SHA512
ef8946498d58a74dd67dfd8a68c19b9f0bde066fec8d13d2d58d6a0c9a3e83723841169980287f5f5a3f9282f9fccf454daac048601699ad07839a75314e5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwdpcyy5.mjg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/884-158-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-172-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-157-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-133-0x000002C8ACB40000-0x000002C8ACCEA000-memory.dmp

Filesize
1.7MB

Download
memory/884-159-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-160-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-161-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-162-0x000002C8C94C0000-0x000002C8C94DE000-memory.dmp

Filesize
120KB

Download
memory/884-154-0x000002C8C8800000-0x000002C8C8822000-memory.dmp

Filesize
136KB

Download
memory/884-156-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-173-0x000002C8CC1A0000-0x000002C8CC1B6000-memory.dmp

Filesize
88KB

Download
memory/884-174-0x000002C8C95D0000-0x000002C8C95DA000-memory.dmp

Filesize
40KB

Download
memory/884-175-0x000002C8CC230000-0x000002C8CC256000-memory.dmp

Filesize
152KB

Download
memory/884-176-0x000002C8CC200000-0x000002C8CC212000-memory.dmp

Filesize
72KB

Download
memory/884-179-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-180-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-181-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download
memory/884-134-0x000002C8C8780000-0x000002C8C87F6000-memory.dmp

Filesize
472KB

Download
memory/884-184-0x000002C8AD030000-0x000002C8AD040000-memory.dmp

Filesize
64KB

Download