2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Cheat.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Cheat.exe

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 29 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exe

pid	process
4780	HDAudio.exe
4936	HDAudio.exe
4504	HDAudio.exe
4416	HDAudio.exe
684	HDAudio.exe
1696	HDAudio.exe
3396	HDAudio.exe
3176	HDAudio.exe
2764	HDAudio.exe
2856	HDAudio.exe
4824	HDAudio.exe
2372	HDAudio.exe
3556	HDAudio.exe
716	HDAudio.exe
4948	HDAudio.exe
5036	HDAudio.exe
4056	HDAudio.exe
2232	HDAudio.exe
756	HDAudio.exe
4176	HDAudio.exe
1064	HDAudio.exe
4828	HDAudio.exe
2420	HDAudio.exe
4080	HDAudio.exe
2424	HDAudio.exe
1908	HDAudio.exe
1584	HDAudio.exe
1808	HDAudio.exe
4660	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3824	schtasks.exe
2760	schtasks.exe
4968	schtasks.exe
4624	schtasks.exe
1464	schtasks.exe
5028	schtasks.exe
872	schtasks.exe
1892	schtasks.exe
628	schtasks.exe
4928	schtasks.exe
4676	schtasks.exe
4404	schtasks.exe
3008	schtasks.exe
1704	schtasks.exe
4632	schtasks.exe
3328	schtasks.exe
736	schtasks.exe
2132	schtasks.exe
1524	schtasks.exe
4140	schtasks.exe
2252	schtasks.exe
4680	schtasks.exe
2036	schtasks.exe
3324	schtasks.exe
4696	schtasks.exe
4500	schtasks.exe
1936	schtasks.exe
2444	schtasks.exe
1952	schtasks.exe
184	schtasks.exe
3616	schtasks.exe
1228	schtasks.exe
3404	schtasks.exe
1052	schtasks.exe
4448	schtasks.exe
1100	schtasks.exe
2532	schtasks.exe
1876	schtasks.exe
2240	schtasks.exe
1496	schtasks.exe
1652	schtasks.exe
4388	schtasks.exe
3956	schtasks.exe
1080	schtasks.exe
3176	schtasks.exe
4940	schtasks.exe
2908	schtasks.exe
3900	schtasks.exe
468	schtasks.exe
3468	schtasks.exe
4612	schtasks.exe
3836	schtasks.exe
3208	schtasks.exe
3708	schtasks.exe
4204	schtasks.exe
940	schtasks.exe
2716	schtasks.exe
2396	schtasks.exe
4408	schtasks.exe
4516	schtasks.exe
2576	schtasks.exe
3444	schtasks.exe
904	schtasks.exe
3356	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HDAudio.exe

pid process

4780 HDAudio.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HDAudio.exe

description	pid	process
Token: SeDebugPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe
Token: SeIncBasePriorityPrivilege	4780	HDAudio.exe
Token: 33	4780	HDAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Cheat.exeHDAudio.exe

description	pid	process	target process
PID 2272 wrote to memory of 4780	2272	Cheat.exe	HDAudio.exe
PID 2272 wrote to memory of 4780	2272	Cheat.exe	HDAudio.exe
PID 2272 wrote to memory of 4780	2272	Cheat.exe	HDAudio.exe
PID 4780 wrote to memory of 3164	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3164	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3164	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2532	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2532	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2532	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1152	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1152	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1152	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 628	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 628	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 628	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1824	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1824	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1824	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 184	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 184	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 184	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4548	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4548	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4548	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4968	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4968	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4968	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3280	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3280	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3280	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4204	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4204	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4204	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3248	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3248	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3248	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4940	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4940	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4940	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 460	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 460	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 460	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3324	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3324	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 3324	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 632	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 632	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 632	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2716	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2716	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 2716	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 740	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 740	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 740	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1952	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1952	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 1952	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4036	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4036	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4036	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4652	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4652	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 4652	4780	HDAudio.exe	schtasks.exe
PID 4780 wrote to memory of 5060	4780	HDAudio.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\HDAudio.exe
"C:\Windows\HDAudio.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2532

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:628

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1824

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:184

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3280

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3248

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4940

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3324

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2716

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:4652

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3900

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1228

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3892

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3824

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:736

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4200

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2612

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1680

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2764

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3532

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1100

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4588

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4612

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3836

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1696

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1212

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4408

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4632

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3896

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:2512

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
PID:912

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3708

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:716

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HDAudio.exe.log
Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Windows\HDAudio.exe
Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
memory/2272-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2272-2-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2272-12-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4780-13-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4780-14-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4780-18-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads