Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/03/2025, 06:17
General
-
Target
192f0f1221e376146e725a4d23ee69a0.exe
-
Size
1.9MB
-
MD5
192f0f1221e376146e725a4d23ee69a0
-
SHA1
9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
-
SHA256
019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
-
SHA512
daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54
-
SSDEEP
24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 27 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 27 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e82330-10e4-4d69-9ac7-ae20e57401a6.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad17da4-5d28-4cd3-a423-197244fd6b37.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4bf8ee-f19c-4b34-b84f-556cf4df2999.vbs"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e482dfe-79c2-45b2-844d-0acd5076dd8a.vbs"9⤵
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071b134e-531d-47df-b1b7-f33365a13a85.vbs"11⤵
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3cfbd5-f0bf-4992-ad0e-9d99381e32ea.vbs"13⤵
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa2486c-af8f-4add-bc44-5514dd129b38.vbs"15⤵
-
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35759043-3256-4dbb-a295-53a22ceb79d6.vbs"17⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95a67844-932d-4545-8d20-5741a0100290.vbs"17⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e97fc3e9-eb6c-4165-a7b0-564e1470c976.vbs"15⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773797a4-d74c-4eff-bdd0-ddc240bd6cca.vbs"13⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc235d5d-142a-4fc2-a493-2f9f613403bc.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e8eb5e-cd31-40f9-81bc-38767d6b7880.vbs"9⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f95aca8-b736-4c7b-86e9-e0f13a37da05.vbs"7⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84943063-e335-42af-b71f-b023053a5e6b.vbs"5⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000a36eb-8f05-429d-855f-89b30d664d3d.vbs"3⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD54082314399ef9432f746d09ddeba93bd
SHA14365fa6112e0e6b5fb3b7c6ab1c08b79c8fa721b
SHA256ef58eeb4cf44148e62370990d952b04a8749f27bf1338a6cae4e91ea99049040
SHA512d4c378d7500dd5bea61766f89cc699113cffdf69ad7541889c76be267e04da42eb7e9ba411b8be385ea2d1d74fa3c3468bfbe91f95b94751494810752cbb574d
-
Filesize
1.9MB
MD5192f0f1221e376146e725a4d23ee69a0
SHA19500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54
-
Filesize
1.9MB
MD5c525e1d9ff51e646742e7c6403469529
SHA128e5050a7657af750630854b5aced9c905ab7a2c
SHA256ba26c630cffe91736feb9c17258770bc9416828b8a3fd3feb30f2016aba1d6e1
SHA5129d62218b92b454620f654d305cddc86c04c978c60eb512735b56556928e1cacc270c7cea0065a09eee4a3e72a437f66c1c14d3f29788a38369d966803f80e5db
-
Filesize
1.9MB
MD51d34a4062408c41685f98d3552a8ac2d
SHA13fcc24ee7da60f71b563cf360a395178274d83fe
SHA256fde44434ca762a577c4f2840b3029eed88e91c41ec6ef2ae28473a6606035402
SHA51250b75e117397301f3acc1ae2f362cec75d061c45789011c57e0b3e2a8bbd4ce673f5bc081df3d64d589dbfb7ab95a297dd1a04804f39adc2c8b579f3e56018fa
-
Filesize
511B
MD5b76eb07a43724a1abd0f255b4a18ae54
SHA1d432e154aaed126f85cbb0f9a6fb9e86ea6690b8
SHA2560dc17a8271ff4e59c2b9f03b0c92727cbf40428628b7779e3a9c2018dee2bd38
SHA512a77412116a45e3498d0db7f008f7220777844b155fff6ebd946c07f155a553013c7b58e510cfbf9b2d4a17d565c94108e722ccbb5b47df09bdb91c6b3880629d
-
Filesize
735B
MD50d0d3de3358243b3f86178f207867bd4
SHA1fad78c801830da5f828fecee992279f1186a0a60
SHA25663dc8e286131d64c43bb997a1f6285eaca66946cf31a213ea6166cfd1b53337a
SHA512343c795fd3260ae434f80ac894c32139d25ab043967a0f6369a2481e1ec72f3647d28151ea762e6a0950eb6630fa8c9b592bebf3bcada62adb1ffd0925d85193
-
Filesize
735B
MD51c1fb7e7eaff7a849c91a681e172598f
SHA19c8645b6bf491c9da40f4072758fedcc674317f7
SHA256815bee69e3790c16eee1f79cd0aebfd1935d1d80248664dd0b0d45672719675c
SHA512a4d37cbafef139cad93add21af4ebe0444b976de41ee498c4ed384627f4d1ce0c8bbe5548318a38ba016edf2456f8b1431d2e1df4507dff5cd0fc1b717dd1569
-
Filesize
735B
MD54d27bcab7652be26e04e6c20efba3b06
SHA1befd13c8a1e6bef14cba0c5132d55a2061324700
SHA256ff0a44b592cfa886108b18a0bd313baa2af59a65909bb855d864fab6edefe7db
SHA512ad39822d324cc645db71b92af81c770dd86e56f2b8d900f058fcf68e0cd86ba9a07369d48b2e6876865f9a9f6a7ce70d8831e533400fd994b6fe798f0544f374
-
Filesize
735B
MD5c2a150fb928ca9efc370146e13a49ff0
SHA1cb3b5b1a2c1641466827837f0543c98a52b51146
SHA256e279e09607455b6fe7e5210b368a2cbb94f485ca341c4622facd4e86701ccb08
SHA51205f954315dc988ec32e4559a5585ccb7c9559d897b5fef47ae294c40dfec61b88fb07a48789a2289f751fc0d051ff948dff64ff17a47cbe4ef3d02f35eafa8da
-
Filesize
735B
MD5b6cc3157632624ad3ec1b198aea0db7d
SHA144ca5d291f8ad3e5367bc97deb3ed05b30101deb
SHA256714e73935e73cc28c6ee37614b3c35c64d534b97336a88849e88f12a29e1af09
SHA512a80f9c7664e9e11dabfd07a10bda576f9dbb6c4aa6bd2e405517d8c0fb8efbf105cf8622aefe42b9238f9df11189e1e1c9d6fc9016cf4617b79088389aa192ab
-
Filesize
735B
MD5ad6208c1c901a1458291f59bc3a660d7
SHA177fcbabbc38d067960f2b8dac95c6c521b34ceb3
SHA2566fc1848997af117e009920bf33929ef8f2ea0e614c83f1f283d3ab2c0b6db012
SHA51208b955647310ce25b8d14f839df80244d21c3eb35c147596dd2bf6cf71691ff0c564eafe2ac47ab72edb118193fb6b404709c6c5b07f502c9c7ce55d0547b58a
-
Filesize
735B
MD56e9b538a9e02c38aa2477eb65f3b2720
SHA1a0620edf4f3a4be162ffde2d998d690450119e52
SHA25649b595e6a4633b09c8d6fcfa079807333f98ab4ed1a8c08fa3f6f73b28facd23
SHA512102dbe7038494a4979bbc51c1a32eb35363315c69280e521e2b3805e832929f8b2ab47cdecf0ef6c6dd8babbc05070c7a57075e9f8bb46f9068b0d2fefe7680d
-
Filesize
735B
MD50b0749de7c4301b78b8350e9251fa22e
SHA1476e3228368a092a257adac380741417d2bb0d94
SHA256afbb0ac0be3b7ae469ef2b2478b3357dd689aec71f913e4f3fe1ba76a2eb67fc
SHA512be02fb5cc0623819cfe1e73363a6539071407c89e9a1a33542a1109a77e7cae665e0322d188b10fd9074dbdcdf2dff97b525736db8b6961a7c413a23a7908e49
-
Filesize
7KB
MD5bb00fa18531eb39ea0f379e3ac0b5713
SHA135806a59a3cfb75a8efa321b7d077e5702b08e44
SHA25654b5b1d9a6fd1db968e4792e52059e8a3cb682e99a0a467d0e0b3cd4dd507ec3
SHA512654fdbc7d0d6aed33a075fe422362f198d43735da004245bdf80591545dbea9d830bb092014c14cf8b7d84151a17e8bd92c15de216747611b431e41d84d713ef
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
2.9MB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
344KB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
1.9MB