Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 19:46
Static task: static1
Behavioral task: behavioral1 (Sample: Optimizer-16.7.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Optimizer-16.7.exe, Resource: win10v2004-20241007-en)
General
Target: Optimizer-16.7.exe
Size: 2.5MB
MD5: 7f57207f221db2b08e27d64bc9121b28
SHA1: 3bfc4b12a533ee1ce62e5d348027d4ac90ab49db
SHA256: 03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8
SHA512: 7cc44ff1c3210db2478f4e37fef23669f0425b1b1672fc5f53956890daccb84b32fa25c8da9f7ce0cd1deb9e697e46cdae0762a0af818f98b93544b8e39f8a25
SSDEEP: 24576:zv5MZtiOMKNOJMv9EC8oJ8VxHuDBjk38WuBcAbwoA/BkjSHXP36RMG:zxMZtiOMK9EC8oa6CSA/Bkj0
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Optimizer-16.7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Optimizer-16.7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Optimizer-16.7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Optimizer-16.7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Optimizer-16.7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Optimizer-16.7.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | Optimizer-16.7.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe\Debugger = "%windir%\\System32\\taskkill.exe" | Optimizer-16.7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe | Optimizer-16.7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe" | Optimizer-16.7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe | Optimizer-16.7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe" | Optimizer-16.7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe | Optimizer-16.7.exe
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
2432 | icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
8 | raw.githubusercontent.com
Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
784 | cmd.exe
3008 | powercfg.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1296 | sc.exe
2044 | sc.exe
2228 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
Modifies Control Panel 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\AutoEndTasks = "1" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\MenuShowDelay = "0" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\MouseHoverTime = "0" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\HungAppTimeout = "1000" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" | Optimizer-16.7.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter | Optimizer-16.7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | Optimizer-16.7.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "506" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "122" | Optimizer-16.7.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "58" | Optimizer-16.7.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To | Optimizer-16.7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" | Optimizer-16.7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To | Optimizer-16.7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}" | Optimizer-16.7.exe
Runs .reg file with regedit 1 IoCs
pid | Process
1684 | regedit.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2736 | Optimizer-16.7.exe
Token: SeShutdownPrivilege | 3008 | powercfg.exe
Token: SeShutdownPrivilege | 3008 | powercfg.exe
Token: SeShutdownPrivilege | 3008 | powercfg.exe
Token: SeShutdownPrivilege | 3008 | powercfg.exe
Token: SeShutdownPrivilege | 3008 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3008 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 2736 | Optimizer-16.7.exe
Token: SeShutdownPrivilege | 1532 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1532 | shutdown.exe
Token: 33 | 2740 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2740 | AUDIODG.EXE
Token: 33 | 2740 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2740 | AUDIODG.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2736 wrote to memory of 948 | 2736 | Optimizer-16.7.exe | 32
PID 2736 wrote to memory of 948 | 2736 | Optimizer-16.7.exe | 32
PID 2736 wrote to memory of 948 | 2736 | Optimizer-16.7.exe | 32
PID 948 wrote to memory of 1296 | 948 | cmd.exe | 34
PID 948 wrote to memory of 1296 | 948 | cmd.exe | 34
PID 948 wrote to memory of 1296 | 948 | cmd.exe | 34
PID 2736 wrote to memory of 784 | 2736 | Optimizer-16.7.exe | 36
PID 2736 wrote to memory of 784 | 2736 | Optimizer-16.7.exe | 36
PID 2736 wrote to memory of 784 | 2736 | Optimizer-16.7.exe | 36
PID 784 wrote to memory of 3008 | 784 | cmd.exe | 38
PID 784 wrote to memory of 3008 | 784 | cmd.exe | 38
PID 784 wrote to memory of 3008 | 784 | cmd.exe | 38
PID 2736 wrote to memory of 1604 | 2736 | Optimizer-16.7.exe | 39
PID 2736 wrote to memory of 1604 | 2736 | Optimizer-16.7.exe | 39
PID 2736 wrote to memory of 1604 | 2736 | Optimizer-16.7.exe | 39
PID 1604 wrote to memory of 2332 | 1604 | cmd.exe | 41
PID 1604 wrote to memory of 2332 | 1604 | cmd.exe | 41
PID 1604 wrote to memory of 2332 | 1604 | cmd.exe | 41
PID 2736 wrote to memory of 2464 | 2736 | Optimizer-16.7.exe | 42
PID 2736 wrote to memory of 2464 | 2736 | Optimizer-16.7.exe | 42
PID 2736 wrote to memory of 2464 | 2736 | Optimizer-16.7.exe | 42
PID 2464 wrote to memory of 2432 | 2464 | cmd.exe | 44
PID 2464 wrote to memory of 2432 | 2464 | cmd.exe | 44
PID 2464 wrote to memory of 2432 | 2464 | cmd.exe | 44
PID 2736 wrote to memory of 2188 | 2736 | Optimizer-16.7.exe | 45
PID 2736 wrote to memory of 2188 | 2736 | Optimizer-16.7.exe | 45
PID 2736 wrote to memory of 2188 | 2736 | Optimizer-16.7.exe | 45
PID 2188 wrote to memory of 1684 | 2188 | cmd.exe | 47
PID 2188 wrote to memory of 1684 | 2188 | cmd.exe | 47
PID 2188 wrote to memory of 1684 | 2188 | cmd.exe | 47
PID 2188 wrote to memory of 1624 | 2188 | cmd.exe | 48
PID 2188 wrote to memory of 1624 | 2188 | cmd.exe | 48
PID 2188 wrote to memory of 1624 | 2188 | cmd.exe | 48
PID 2188 wrote to memory of 3024 | 2188 | cmd.exe | 49
PID 2188 wrote to memory of 3024 | 2188 | cmd.exe | 49
PID 2188 wrote to memory of 3024 | 2188 | cmd.exe | 49
PID 2188 wrote to memory of 3016 | 2188 | cmd.exe | 50
PID 2188 wrote to memory of 3016 | 2188 | cmd.exe | 50
PID 2188 wrote to memory of 3016 | 2188 | cmd.exe | 50
PID 2188 wrote to memory of 1536 | 2188 | cmd.exe | 51
PID 2188 wrote to memory of 1536 | 2188 | cmd.exe | 51
PID 2188 wrote to memory of 1536 | 2188 | cmd.exe | 51
PID 2188 wrote to memory of 1648 | 2188 | cmd.exe | 52
PID 2188 wrote to memory of 1648 | 2188 | cmd.exe | 52
PID 2188 wrote to memory of 1648 | 2188 | cmd.exe | 52
PID 2188 wrote to memory of 2684 | 2188 | cmd.exe | 53
PID 2188 wrote to memory of 2684 | 2188 | cmd.exe | 53
PID 2188 wrote to memory of 2684 | 2188 | cmd.exe | 53
PID 2188 wrote to memory of 2840 | 2188 | cmd.exe | 54
PID 2188 wrote to memory of 2840 | 2188 | cmd.exe | 54
PID 2188 wrote to memory of 2840 | 2188 | cmd.exe | 54
PID 2188 wrote to memory of 2656 | 2188 | cmd.exe | 55
PID 2188 wrote to memory of 2656 | 2188 | cmd.exe | 55
PID 2188 wrote to memory of 2656 | 2188 | cmd.exe | 55
PID 2188 wrote to memory of 2780 | 2188 | cmd.exe | 56
PID 2188 wrote to memory of 2780 | 2188 | cmd.exe | 56
PID 2188 wrote to memory of 2780 | 2188 | cmd.exe | 56
PID 2188 wrote to memory of 2964 | 2188 | cmd.exe | 57
PID 2188 wrote to memory of 2964 | 2188 | cmd.exe | 57
PID 2188 wrote to memory of 2964 | 2188 | cmd.exe | 57
PID 2188 wrote to memory of 2692 | 2188 | cmd.exe | 58
PID 2188 wrote to memory of 2692 | 2188 | cmd.exe | 58
PID 2188 wrote to memory of 2692 | 2188 | cmd.exe | 58
PID 2188 wrote to memory of 2564 | 2188 | cmd.exe | 59
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1" | Optimizer-16.7.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry: [nesting level] PID | image path | command line; the signatures that process triggered are listed beneath it.

[1] PID 2736 | C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe | "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Modifies visibility of file extensions in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Modifies Control Panel
    - Modifies Internet Explorer Phishing Filter
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] PID 948 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
      - Suspicious use of WriteProcessMemory
    [3] PID 1296 | C:\Windows\system32\sc.exe | sc config "RemoteRegistry" start= disabled
        - Launches sc.exe
  [2] PID 784 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C powercfg -h off
      - Power Settings
      - Suspicious use of WriteProcessMemory
    [3] PID 3008 | C:\Windows\system32\powercfg.exe | powercfg -h off
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
  [2] PID 1604 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1
      - Suspicious use of WriteProcessMemory
    [3] PID 2332 | C:\Windows\system32\fsutil.exe | fsutil behavior set disablelastaccess 1
  [2] PID 2464 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
      - Suspicious use of WriteProcessMemory
    [3] PID 2432 | C:\Windows\system32\icacls.exe | icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
        - Modifies file permissions
  [2] PID 2188 | C:\Windows\system32\cmd.exe | cmd /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
      - Suspicious use of WriteProcessMemory
    [3] PID 1684 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    [3] PID 1624 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    [3] PID 3024 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    [3] PID 3016 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    [3] PID 1536 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    [3] PID 1648 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    [3] PID 2684 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    [3] PID 2840 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    [3] PID 2656 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    [3] PID 2780 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    [3] PID 2964 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    [3] PID 2692 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    [3] PID 2564 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    [3] PID 2556 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    [3] PID 2796 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    [3] PID 2696 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    [3] PID 2584 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    [3] PID 2772 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    [3] PID 2528 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    [3] PID 2544 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    [3] PID 2572 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    [3] PID 2604 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    [3] PID 2016 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    [3] PID 1016 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    [3] PID 604 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    [3] PID 2588 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    [3] PID 1928 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    [3] PID 2252 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    [3] PID 2704 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    [3] PID 880 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    [3] PID 572 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    [3] PID 1432 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    [3] PID 584 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    [3] PID 1796 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    [3] PID 2084 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    [3] PID 2104 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    [3] PID 2568 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    [3] PID 2628 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    [3] PID 2148 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    [3] PID 2304 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    [3] PID 1600 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    [3] PID 2888 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    [3] PID 2900 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    [3] PID 1852 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    [3] PID 1696 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    [3] PID 1728 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    [3] PID 2600 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    [3] PID 2876 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    [3] PID 2912 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    [3] PID 2812 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    [3] PID 2748 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    [3] PID 2820 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    [3] PID 2880 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    [3] PID 2904 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    [3] PID 2916 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    [3] PID 3036 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    [3] PID 3044 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    [3] PID 2936 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    [3] PID 2308 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    [3] PID 1980 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    [3] PID 1976 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    [3] PID 1760 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    [3] PID 1452 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
  [2] PID 2392 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    [3] PID 840 | C:\Windows\system32\schtasks.exe | schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  [2] PID 1176 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    [3] PID 1544 | C:\Windows\system32\schtasks.exe | schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  [2] PID 1228 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    [3] PID 2400 | C:\Windows\system32\schtasks.exe | schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  [2] PID 676 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net.exe stop NvTelemetryContainer
    [3] PID 2200 | C:\Windows\system32\net.exe | net.exe stop NvTelemetryContainer
      [4] PID 2356 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop NvTelemetryContainer
  [2] PID 2216 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc.exe config NvTelemetryContainer start= disabled
    [3] PID 2044 | C:\Windows\system32\sc.exe | sc.exe config NvTelemetryContainer start= disabled
        - Launches sc.exe
  [2] PID 852 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc.exe stop NvTelemetryContainer
    [3] PID 2228 | C:\Windows\system32\sc.exe | sc.exe stop NvTelemetryContainer
        - Launches sc.exe
  [2] PID 1748 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
    [3] PID 2288 | C:\Windows\system32\schtasks.exe | schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
  [2] PID 2952 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
    [3] PID 1280 | C:\Windows\system32\schtasks.exe | schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
  [2] PID 1808 | C:\Windows\system32\cmd.exe | cmd /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""
    [3] PID 1668 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    [3] PID 1880 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    [3] PID 1092 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    [3] PID 1108 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    [3] PID 2348 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"
    [3] PID 1056 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable
    [3] PID 2056 | C:\Windows\system32\schtasks.exe | schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    [3] PID 108 | C:\Windows\system32\schtasks.exe | schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    [3] PID 940 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 1712 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 2492 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    [3] PID 784 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    [3] PID 2320 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 272 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 2440 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 1604 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    [3] PID 1956 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    [3] PID 2328 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    [3] PID 2432 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    [3] PID 1240 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    [3] PID 2036 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    [3] PID 1004 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    [3] PID 2336 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    [3] PID 2008 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    [3] PID 908 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    [3] PID 2636 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
  [2] PID 1684 | C:\Windows\regedit.exe | "C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"
      - Runs .reg file with regedit
  [2] PID 1532 | C:\Windows\System32\shutdown.exe | "C:\Windows\System32\shutdown.exe" /r /t 0
      - Suspicious use of AdjustPrivilegeToken
[1] PID 1196 | C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
[1] PID 2848 | C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x0
[1] PID 2740 | C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x474
    - Suspicious use of AdjustPrivilegeToken
[1] PID 596 | C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process 3
  - Windows Service 3
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
- Power Settings 1
Privilege Escalation
- Create or Modify System Process 3
  - Windows Service 3
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
Downloads
- Filesize 2KB
  MD5 badaa6ac02c7da6752314b8487cb81f9
  SHA1 bdbfec2d40a7ef3a95df4ed4c295b2a498125efc
  SHA256 d947a75908d8cfa06dc8bd580a80037f20329896646839015ea49bc47e0c9b06
  SHA512 0d4adc49fc792526fc882d318598d3ddd86a00a9267a855a017ffb5c9853dc89a07cf904672860b4accecd1f5a4d55822cdf418d885aec51116ca9ef915ac867
- Filesize 665B
  MD5 56055e8bd9ac8f09abdcde0027d22f6e
  SHA1 321b08fdab5128328b11e404c2379268774a691f
  SHA256 cb8572ae3492d48d14875a8d6f70ea5101a777c028eee2f5b82c45f0bd3e926e
  SHA512 7e3954ec4edbacfe0b4bebbd2caa4d426f82119914997d87aceb809962fbbd01c556f99e60fefbb7886bd089dff9709ddd37c259a1b59b3fbbff2fa87fc96398
- Filesize 1KB
  MD5 269130fa4075bdbab778bbccdc7ceef6
  SHA1 ff961ccb075e666cace57ed4f2f06bf7d2c557e8
  SHA256 a6d67b08c0481e0fe201a6ae660aa7099e4de514a12fafe5eae67ae52f698b01
  SHA512 4a2b47e1a1eb05e0ffc4e5c3a437ae599596d3cb4c0764f2614091b353bdee0e15dd05a2d82648ed70ae7430b887bcbc15fec05c96f40b94b062cf11a4cee480
- Filesize 1KB
  MD5 12645abb1bfa4aaaa6cd497d724b23a6
  SHA1 9e90626292863dfdc58511122afd0759a9393002
  SHA256 c7797ad242377b4a2ef2eb3c01e417e845df5840929bf797aab8952d6c2683c8
  SHA512 c4e5a2af5164048c7e272ee336d0cd19985bef6a62e784bab5176144e4579b84d8226b30611fb8df50534f775a0a5508533e6147e55dc91785141aee563254e4
- Filesize 1KB
  MD5 03626d47c0fe05cdd3e97cb73e30ce07
  SHA1 a2f62aedc5eb562ba9fac71415574ee10663ad3f
  SHA256 c0798b61a3e647f67a50a30d5f4ecf0ec013f6155a9eaeef458bab81d2482ee1
  SHA512 0e6c68c399f96411a1e6c28a4a251ce0fd236c886b353c592e94539817f50da052571d4825ed9f9acd5da7ad26266633d53edfd875493fe84108b54988c30601
- Filesize 1KB
  MD5 475ecefa2567bf298f0916a7c6a56995
  SHA1 22b00217f5febc1e7342173f711e3ee3dfbb7079
  SHA256 8313e1cb06699835332921a2baf5c1ad7a1f1371c30d60a43db86e6bf05fb553
  SHA512 be1352f71bfe2b9053b13494e2213c32cd4a28633d4527c0be105acc5981d1f23662962a2fc130c535bd111421b2feb7950d198e4b083ddc2038823a509495dd
- Filesize 102B
  MD5 a4c6cbdf479234773a1194ee13cd5334
  SHA1 2f735f7bde2d52f2dfc73b2b13b34848bef5fbb3
  SHA256 425026be8f4413e2c3b22bde846aa094cbe517d2cc5ce4c7a89d1ed029916a77
  SHA512 fc07bbcbe6f5e195f69ace4a9371054dadb2d327428e08b1420c8d61224b52e9682bcde17693f36b880d870f02a5ea22913f16cc362bce85cc39d4cb47bd66f6
- Filesize 297B
  MD5 c789a164b02340a363722de0f79b0bb3
  SHA1 3b6d4f69f467d817f5ae5818bf399c0cceb6421e
  SHA256 0b36c095deb27470d32abb973098eb2836f83f4e21b72d925abda161db709c2d
  SHA512 ac6a8ebae1a1478e4b31ccdd0bcaeb63922b712ed52230115377a20d2568df3541a3f2f43c62a6f95f5defb27adf240791d6dd9f225edb2ccc3084dd76d36ccb
- Filesize 2KB
  MD5 fed75b5cb9d9f4ec5ee22b8fd304ccf7
  SHA1 1b4bdac9ac71fdee3bae90e52fcec60c88d7fa9d
  SHA256 d884c0d04ba09b113d9439d2f8c0b7ed322111ae2e3ed802f6a95278ff8e0ac2
  SHA512 36bed8311050f8c79e766678c59bb65177630279af8b4d2302aaf6146157887e1fb744785ac7f3290519778a592fb4d90fb7b7b9420e7346efdfec1085bf34e9
- Filesize 648B
  MD5 7f7b192506491e4105e2ae1cf5ea9067
  SHA1 5dafd2516bd4a4b3d230624f8ea590f640e2c381
  SHA256 41cf9db9e395349b94ec7a1ee99db68062f27bf95c3b364aa6b035dc39ff1dc0
  SHA512 5fcfbec12316f24bdbadb3d4a018945de9afb849fcfc026e601728b1dce107eaf1b8ce56d5e646461006a45bb305f16e3160d760649f7716b70a3e2fd195763f
- Filesize 5KB
  MD5 cb03c3144aaff8fb1c3497c403c2b60f
  SHA1 ba4380abb20eaaeb638cdb142452def731817212
  SHA256 abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3
  SHA512 d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660
- Filesize 70KB
  MD5 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1 1723be06719828dda65ad804298d0431f6aff976
  SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize 181KB
  MD5 4ea6026cf93ec6338144661bf1202cd1
  SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b