Analysis
-
max time kernel
63s -
max time network
72s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
21-12-2024 15:14
General
-
Target
https://github.com/hellzerg/optimizer/releases
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 1 IoCs
-
Runs .reg file with regedit 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/hellzerg/optimizer/releases1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbea0e46f8,0x7ffbea0e4708,0x7ffbea0e47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x140,0x254,0x7ff7a9e05460,0x7ff7a9e05470,0x7ff7a9e054803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6460 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6996 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,377808479974180669,742706354354609890,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Optimizer-16.7.exe"C:\Users\Admin\Downloads\Optimizer-16.7.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled3⤵
-
C:\Windows\system32\sc.exesc config "RemoteRegistry" start= disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"3⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\EnableOfficeTelemetryTasks.bat""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /enable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /enable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /enable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /enable4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\EnableOfficeTelemetryTasks.reg"3⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""3⤵
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"4⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"3⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5dfa5e07ad0441b69b619c7088bf2acb7
SHA134ee739f6d541b005f977ae6987c5bc9dc7b6935
SHA256d4b95e76a84159c9cddf091dadaddb8d703d5e91326570a730e7d7de5a4c410e
SHA5122ee1667bf35e7616f5dfb2aa0c659d81be0cccf0b19e6224a71ebf0d9cb218b0e0dedc97f40d919eafcb1efc779a490bec6fbe9cbdf43ba785b1ec43b4424c29
-
Filesize
313B
MD5e036d9dfc34c5d33eda6301e4fb3f242
SHA1981986e90869734ccad41dd0ec625cb0605ee035
SHA256ba63f34403e64a5f5110811fc1b32c6c4cf27daeb567ef4a52f43cf3905d02b8
SHA51267133b708bf848c57db3aae2cf2947ee1cee4aaad6e942a930b747fb07a9c45d8130b50dc0097afa0a5d1f3e3bf99a14fb50cf131a8144bda0deee3a10f1379d
-
Filesize
2KB
MD5fed75b5cb9d9f4ec5ee22b8fd304ccf7
SHA11b4bdac9ac71fdee3bae90e52fcec60c88d7fa9d
SHA256d884c0d04ba09b113d9439d2f8c0b7ed322111ae2e3ed802f6a95278ff8e0ac2
SHA51236bed8311050f8c79e766678c59bb65177630279af8b4d2302aaf6146157887e1fb744785ac7f3290519778a592fb4d90fb7b7b9420e7346efdfec1085bf34e9
-
Filesize
648B
MD57f7b192506491e4105e2ae1cf5ea9067
SHA15dafd2516bd4a4b3d230624f8ea590f640e2c381
SHA25641cf9db9e395349b94ec7a1ee99db68062f27bf95c3b364aa6b035dc39ff1dc0
SHA5125fcfbec12316f24bdbadb3d4a018945de9afb849fcfc026e601728b1dce107eaf1b8ce56d5e646461006a45bb305f16e3160d760649f7716b70a3e2fd195763f
-
Filesize
2KB
MD58e83aac7a144bb7460a3d7235442b802
SHA1c06944f89a4922574e8be07a0b0770cf1c9dba58
SHA256275f9e1a0701f097c4cb9505d42e1ef3d5dd0ae9aba2cbb399f7ebb23e3e8773
SHA51261906d0791fee3341e995e3043067855750428fbcc3edcefcda78a08a03ffe1f149bd5930d24009132405b66d187ad7bd805f645e304af956a37651c4568492d
-
Filesize
466B
MD5496768ea845782927c2a9e0dd172d241
SHA14bd07eab1936fd36206846a5b0d4cfb03f7db154
SHA2566a8f76c97fd957afec1f416363df1e56843c8a56e0f2c470aae66d9be8cd2a1a
SHA5125d6019c96db49b94ca0e5790c18ce626610790e763ccd0f475cd0c25837cb44b0ebb7e7ede76186f07e9b111bdafb56d11354fbc0a716c78e4a8a5cc8d60b80e
-
Filesize
152B
MD5b9fc751d5fa08ca574eba851a781b900
SHA1963c71087bd9360fa4aa1f12e84128cd26597af4
SHA256360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb
SHA512ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757
-
Filesize
152B
MD5d9a93ee5221bd6f61ae818935430ccac
SHA1f35db7fca9a0204cefc2aef07558802de13f9424
SHA256a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968
SHA512b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44
-
Filesize
48B
MD5c73a6c5ee09ad09097f82049eceba578
SHA1a4cbe21827fa378b1018f46204f4c075caa3c3e2
SHA2566cad11774854049a0d82d913ffcc770e5749151ca02dcd36fc40a91c3681bdfd
SHA5120b6e5eceee05b032d20576110e9b4462a595f8cd7430fc0e731be9e280e5754bc5b1abfbd75fd491063dac6bb8f7c5a17478107397de864a0b85dedaddc36863
-
Filesize
1KB
MD53b3181435168a9a19fa6e60f39f4dc9f
SHA1d89041b4d4a2af4c4b4440f633b8a0d49792387b
SHA256be8ced73bf0127346745e949a12afcaf733b388413b1674f79155b9dd73c2652
SHA5123d63d59c9fb9360db5fcb4e9ad2e65dfb4bc98a2961c371ad6cbb9ef3873873fe62380ab1fdec6700a62c163d75a6538c08747375fdeeefd6552031c31d13f24
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
5KB
MD537f84cab8d7d110c7202437becb2a290
SHA183942ef781fd99e7f95d7f0838ec5b3a8d8840a2
SHA25686628e09e9e02d8e092a053414fc7b4c081b9aa3de8baa03746fb936acb58a63
SHA5129928c908804fc71000cbe4b0ca45eb413506a4021fe6ddc02abfeeb0693471af82b5643752baaf4888f2f192477aaf15dfa21f7d58949eb576f2f2a7bab0dfa9
-
Filesize
5KB
MD5886357f8a73582ffe513944612ed8143
SHA123fe2005c827d24cda0a677307b73e443572d375
SHA256b8effacde4e2e6bcaf9ae26072c73840235965836be67f410a0382c4cc38a82b
SHA512974dc6781f448affd7c00d12850df6356a47b8ff5a0e44180b2c1a0701dd8db2c6c9856b3264994362daac1a6479ade6bb8ef30ac9a2fd861f055062d6ab274a
-
Filesize
5KB
MD577c20390add1833728ac637d6ae8b92d
SHA1bb8714072e0769fa7c2d7810d108fe93fcb4eeb0
SHA25627d00572a390d6ef12d8ffcef0bbeb23276dc78f9f970cf1edb400b686d1a66b
SHA512624ce1d8de1e5a39d422094d547aa092b33861f2f209346538b22fc39b7c54ef8e54add8cd02ddda73d5cfcf55ef21e43cb9b072166a110e16397d0622363545
-
Filesize
5KB
MD55a3161f03c31f94838441bb1fb8b1d0c
SHA177284068f2cf92d51c46c6bb3b1292b1d3e97f80
SHA2565ba9a50a261a7cecf1e9ff9b7bd48d0d4e39732c1a114e5c3ac987c4e527ab18
SHA512984fdeda883ca54791e257b8147fa0fe3537d070bb5e027a720bbe5652cd2569a4f8ec702317f5f1a4684f82421ca0687be76c6946bb511691082325c6d2828b
-
Filesize
24KB
MD5f9055ea0f42cb1609ff65d5be99750dc
SHA16f3a884d348e9f58271ddb0cdf4ee0e29becadd4
SHA2561cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348
SHA512b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4
-
Filesize
24KB
MD5d3412a01d4c3df1df43f94ecd14a889a
SHA12900a987c87791c4b64d80e9ce8c8bd26b679c2f
SHA256dd1511db0f7bf3dc835c2588c1fdd1976b6977ad7babe06380c21c63540919be
SHA5127d216a9db336322310d7a6191ebac7d80fd4fa084413d0474f42b6eff3feb1baf3e1fb24172ea8abcb67d577f4e3aea2bc68fdb112205fc7592a311a18952f7e
-
Filesize
874B
MD5943fe5b547f90593a63bfe3c92ba587a
SHA1be22bab5920c662758a44b19030471b8247b9733
SHA2563de05ea0b0cdcc1a97c2502970f66e33e9a4b3ccb9c0a277c18ce34bb616aa4b
SHA512b2b87660bb5f085525b2e91ff5e3952671ea732bfbc6b80ad55dd29b6d3e1f86ba76bab29fc7a64a6e640480520cba9c265db61deb267dbafc141866673b1ea5
-
Filesize
874B
MD563df9deaa12f9a9808dfcad9163cf9a7
SHA18e2d33f169ebc34ecb90e1f6328c4fdb516a821e
SHA25644930a6eb52f63b3c777acc2869f97898d6d6aa2b94166e3d9530056b12ebe92
SHA512ab0574cc6766106a9f915733187813356a572624e24bfa407a8cd18f1fd2eca4304cc976ad14a70e9076ea7543d4e4fe5effe15b41fc7b4507c4016761239da8
-
Filesize
874B
MD516194fce18e05ddf98d5a3cf27340d3f
SHA1fd1592df42252fa10961a3ef830aff3cc399635b
SHA25654b9475348bf04c6a7a1b5c03d56722d8c3286d0709bdf29cfad6368791d5883
SHA51204c7893824070e9985b1ca28e557acc7c064df2c0e65f157dbf7673086aee45a010a98b2c93fedd20f0b0cce4204cc4db7fc2ae88b3b87eb08dae943107d8603
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD50977f54acc2e07fa365bee4ebb3690f4
SHA1d80a774b457880edfad9e97368063618038cce69
SHA2563c321379bd7719bd190a515f3cef2076cc41d67fdf36f49962cebf4222dda3d5
SHA5127b16038785dbabf67a0bd0f8d519625de88d552262dc360e1395f8565a1de2f416181e93e9495334bd12016734ddfb7f6c80df0307615f2987d7cf8cb4398ef6
-
Filesize
8KB
MD5751f24bf0883a1df0ddc2699905aff20
SHA16bbe1d740e0e4af0c12fcc7941fa3025afe0d79d
SHA2569567f5b3603b7ec62b9dd21433d1ddbf2bcf41bbb3f443c52be7007ea51711aa
SHA5129186b87b965357404e8154a070de570d735ec8a9bdfae5b191f8abde8b1b29b1fe11f806e2b32700823d36ef60ade4ba8b56145aa9eb8c4625f4c6d9be7b3c67
-
Filesize
10KB
MD522ac9080c7a813500997d86c4816d52e
SHA1a20b846a0111f84e09592495c67dfccda2ecb088
SHA256ff80f7c86b2c4cda3e00d4c80c59a7c80408b57a85975c928194a15f06dc6392
SHA512c6ba750b756c8fc1534e5abd165645c6c8faa3a6fcf0f746f2cdb5482faf23597bf0b3f609555bf3ba10e994dca0760c9f0de89c4ece7a380715fb16af35e4d6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD55c5e3741ef9d907b4a93ec832680380d
SHA147a24ad6ea26c07b8862801d3d74c19be046801c
SHA2569d585d4172c709e8bd6f76c51769a73aa4372dcc2744616506c50397e6a3b6fc
SHA512137872a0a367720782b387148cc7e6485ba48cbee0c72378455c7eaf2dc3c290c8ef2631b99e10b2e964a6e25fc3ef02de015e2f3f2e740b4f6d8e8595fa1bb4
-
Filesize
3KB
MD5bcd40ab014d48139dd0633274556ccc9
SHA1ca6f21bbd3a0f858b0df8d5708589eca8c6a470f
SHA256f1dc2a6dafb3418a785af363c20139a2e5285ee75959cc49511317153ea010f3
SHA5123fe3d81e5804aa723ae3433ed347ee50a708be495f7c0680293d18187c8c8e0b22502ffc54c0c107f4a22702a4f1848e17fed0be7dbd198b80387338c9b01dde
-
Filesize
2.5MB
MD57f57207f221db2b08e27d64bc9121b28
SHA13bfc4b12a533ee1ce62e5d348027d4ac90ab49db
SHA25603a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8
SHA5127cc44ff1c3210db2478f4e37fef23669f0425b1b1672fc5f53956890daccb84b32fa25c8da9f7ce0cd1deb9e697e46cdae0762a0af818f98b93544b8e39f8a25
-
Filesize
88KB
-
Filesize
304KB
-
Filesize
2.5MB
-
Filesize
72KB
-
Filesize
712KB
-
Filesize
152KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
120KB