Analysis
-
max time kernel
79s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2024, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
Optimizer-16.4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Optimizer-16.4.exe
Resource
win10v2004-20240221-en
General
-
Target
Optimizer-16.4.exe
-
Size
2.3MB
-
MD5
9352623ba2fee1206079ce3d81bf0132
-
SHA1
9c398c2d975d82ba1e46f3bcc0e6298a2b713b8d
-
SHA256
f4775567ca9941b4fb3224d97b0741ae669eedfcb0d8b3c71106b21bdb1aee28
-
SHA512
a38cef70819524a3ba8d7583b763da3fac71a9b67e832165f14f60568f7a2a07f67418bb7f7a544b32aa3d76a4fa9a6b142a3998cf362a116171ed4fae05187e
-
SSDEEP
24576:QqsJmQYTZZ4GKTnbv7DO9JvvEC8ZJC3Bjk38WuBcAbwoA/BkjSHXP36RMG:QMH4VTnbv7uEC8Zw3CSA/Bkj0
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" Optimizer-16.4.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe" Optimizer-16.4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe Optimizer-16.4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe" Optimizer-16.4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe Optimizer-16.4.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation Optimizer-16.4.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3132 icacls.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 16 raw.githubusercontent.com 17 raw.githubusercontent.com -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 976 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies Control Panel 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Mouse\MouseHoverTime = "0" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\AutoEndTasks = "1" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\MenuShowDelay = "0" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\HungAppTimeout = "1000" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" Optimizer-16.4.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter Optimizer-16.4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" Optimizer-16.4.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "122" Optimizer-16.4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "506" Optimizer-16.4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "58" Optimizer-16.4.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To Optimizer-16.4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" Optimizer-16.4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To Optimizer-16.4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}" Optimizer-16.4.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2668 Optimizer-16.4.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2668 Optimizer-16.4.exe Token: SeShutdownPrivilege 976 shutdown.exe Token: SeRemoteShutdownPrivilege 976 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4720 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 4372 2668 Optimizer-16.4.exe 90 PID 2668 wrote to memory of 4372 2668 Optimizer-16.4.exe 90 PID 4372 wrote to memory of 976 4372 cmd.exe 92 PID 4372 wrote to memory of 976 4372 cmd.exe 92 PID 2668 wrote to memory of 1564 2668 Optimizer-16.4.exe 94 PID 2668 wrote to memory of 1564 2668 Optimizer-16.4.exe 94 PID 1564 wrote to memory of 3132 1564 cmd.exe 96 PID 1564 wrote to memory of 3132 1564 cmd.exe 96 PID 2668 wrote to memory of 4956 2668 Optimizer-16.4.exe 97 PID 2668 wrote to memory of 4956 2668 Optimizer-16.4.exe 97 PID 4956 wrote to memory of 4272 4956 cmd.exe 99 PID 4956 wrote to memory of 4272 4956 cmd.exe 99 PID 4956 wrote to memory of 2296 4956 cmd.exe 100 PID 4956 wrote to memory of 2296 4956 cmd.exe 100 PID 4956 wrote to memory of 2248 4956 cmd.exe 101 PID 4956 wrote to memory of 2248 4956 cmd.exe 101 PID 4956 wrote to memory of 3956 4956 cmd.exe 102 PID 4956 wrote to memory of 3956 4956 cmd.exe 102 PID 4956 wrote to memory of 1860 4956 cmd.exe 103 PID 4956 wrote to memory of 1860 4956 cmd.exe 103 PID 4956 wrote to memory of 1472 4956 cmd.exe 104 PID 4956 wrote to memory of 1472 4956 cmd.exe 104 PID 4956 wrote to memory of 1616 4956 cmd.exe 105 PID 4956 wrote to memory of 1616 4956 cmd.exe 105 PID 4956 wrote to memory of 3388 4956 cmd.exe 106 PID 4956 wrote to memory of 3388 4956 cmd.exe 106 PID 4956 wrote to memory of 3484 4956 cmd.exe 107 PID 4956 wrote to memory of 3484 4956 cmd.exe 107 PID 4956 wrote to memory of 3584 4956 cmd.exe 108 PID 4956 wrote to memory of 3584 4956 cmd.exe 108 PID 4956 wrote to memory of 2288 4956 cmd.exe 109 PID 4956 wrote to memory of 2288 4956 cmd.exe 109 PID 4956 wrote to memory of 5068 4956 cmd.exe 110 PID 4956 wrote to memory of 5068 4956 cmd.exe 110 PID 4956 wrote to memory of 4760 4956 cmd.exe 111 PID 4956 wrote to memory of 4760 4956 cmd.exe 111 PID 4956 wrote to memory of 1656 4956 cmd.exe 112 PID 4956 wrote to memory of 1656 4956 cmd.exe 112 PID 4956 wrote to memory of 4444 4956 cmd.exe 113 PID 4956 wrote to memory of 4444 4956 cmd.exe 113 PID 4956 wrote to memory of 3892 4956 cmd.exe 114 PID 4956 wrote to memory of 3892 4956 cmd.exe 114 PID 4956 wrote to memory of 4948 4956 cmd.exe 115 PID 4956 wrote to memory of 4948 4956 cmd.exe 115 PID 4956 wrote to memory of 3736 4956 cmd.exe 116 PID 4956 wrote to memory of 3736 4956 cmd.exe 116 PID 4956 wrote to memory of 1588 4956 cmd.exe 117 PID 4956 wrote to memory of 1588 4956 cmd.exe 117 PID 4956 wrote to memory of 2044 4956 cmd.exe 118 PID 4956 wrote to memory of 2044 4956 cmd.exe 118 PID 4956 wrote to memory of 2020 4956 cmd.exe 119 PID 4956 wrote to memory of 2020 4956 cmd.exe 119 PID 4956 wrote to memory of 2176 4956 cmd.exe 120 PID 4956 wrote to memory of 2176 4956 cmd.exe 120 PID 4956 wrote to memory of 644 4956 cmd.exe 121 PID 4956 wrote to memory of 644 4956 cmd.exe 121 PID 4956 wrote to memory of 3948 4956 cmd.exe 122 PID 4956 wrote to memory of 3948 4956 cmd.exe 122 PID 4956 wrote to memory of 3384 4956 cmd.exe 123 PID 4956 wrote to memory of 3384 4956 cmd.exe 123 PID 4956 wrote to memory of 220 4956 cmd.exe 124 PID 4956 wrote to memory of 220 4956 cmd.exe 124 PID 4956 wrote to memory of 2164 4956 cmd.exe 125 PID 4956 wrote to memory of 2164 4956 cmd.exe 125 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments Optimizer-16.4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1" Optimizer-16.4.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Sets file execution options in registry
- Checks computer location settings
- Modifies Control Panel
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled2⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\system32\sc.exesc config "RemoteRegistry" start= disabled3⤵
- Launches sc.exe
PID:976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F2⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\system32\icacls.exeicacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F3⤵
- Modifies file permissions
PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"3⤵PID:4272
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable3⤵PID:2296
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"3⤵PID:2248
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable3⤵PID:3956
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"3⤵PID:1860
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable3⤵PID:1472
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"3⤵PID:1616
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable3⤵PID:3388
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"3⤵PID:3484
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable3⤵PID:3584
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"3⤵PID:2288
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable3⤵PID:5068
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"3⤵PID:4760
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable3⤵PID:1656
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"3⤵PID:4444
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"3⤵PID:3892
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"3⤵PID:4948
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable3⤵PID:3736
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"3⤵PID:1588
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable3⤵PID:2044
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"3⤵PID:2020
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable3⤵PID:2176
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"3⤵PID:644
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable3⤵PID:3948
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"3⤵PID:3384
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable3⤵PID:220
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"3⤵PID:2164
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable3⤵PID:3300
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"3⤵PID:1096
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable3⤵PID:3904
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"3⤵PID:2364
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable3⤵PID:1844
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"3⤵PID:3380
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable3⤵PID:3352
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"3⤵PID:1200
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable3⤵PID:1040
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"3⤵PID:2912
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable3⤵PID:2612
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"3⤵PID:2696
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable3⤵PID:4640
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"3⤵PID:864
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable3⤵PID:3212
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"3⤵PID:3272
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable3⤵PID:4788
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"3⤵PID:2716
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable3⤵PID:772
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"3⤵PID:4944
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable3⤵PID:4860
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable3⤵PID:4940
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable3⤵PID:2980
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable3⤵PID:3096
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"3⤵PID:408
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable3⤵PID:1716
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"3⤵PID:1720
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable3⤵PID:1124
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"3⤵PID:3120
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable3⤵PID:4452
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"3⤵PID:452
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable3⤵PID:4616
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Device Information\Device"3⤵PID:4736
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable3⤵PID:4708
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Device Information\Device User"3⤵PID:2264
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable3⤵PID:1152
-
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4720
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56b67d4971607b5050f86886ce9eeac6e
SHA111e812da278994cef6c50171c7494379dd34057a
SHA2561cf9b8c1ab1a3f3b0535e9176b3434793364ad4cd5a40175e390184f1fe5f60c
SHA5126b63200bb2773792c652496a6a1899ad6b58450a467b62294aef699cd2b3e75aa780012e6eb6bfafb62ab3aeeca2dc2084557718b52037852cf91a5ff388bb4c
-
Filesize
5KB
MD5cb03c3144aaff8fb1c3497c403c2b60f
SHA1ba4380abb20eaaeb638cdb142452def731817212
SHA256abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3
SHA512d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82