Analysis
- max time kernel: 172s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 22:39
Static task: static1

Behavioral task: behavioral1
- Sample: 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- Resource: win10v2004-20220414-en
General
- Target: 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- Size: 1.9MB
- MD5: 1e46759bafac1ed3e1e193e921ae7ff4
- SHA1: 87f5e0193fbce5a9b172783bb09084c4408f5dfb
- SHA256: 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788
- SHA512: cbaa5b31591e480e4b6521c103002c4cd23deebdb238e5369410f35ef6c9fecb94bdbc1069e0d5e1a41e3a7cbbda62a344bfb819788e290f94a47e71d1055c8c
Malware Config

Extracted
- Family: hawkeye_reborn
- Version: 9.0.1.6
- Credentials:
  - Protocol: smtp
  - Host: fortepakistan.com
  - Port: 587
  - Username: [email protected]
  - Password: k*x9cOZWttEV
- Mutex: 624be3da-26b4-41f8-813a-f54aacfa6665
- fields:
  - _AntiDebugger: false
  - _AntiVirusKiller: false
  - _BotKiller: false
  - _ClipboardLogger: true
  - _Delivery: 0
  - _DisableCommandPrompt: false
  - _DisableRegEdit: false
  - _DisableTaskManager: false
  - _Disablers: false
  - _EmailPassword: k*x9cOZWttEV
  - _EmailPort: 587
  - _EmailSSL: false
  - _EmailServer: fortepakistan.com
  - _EmailUsername: [email protected]
  - _ExecutionDelay: 10
  - _FTPPort: 0
  - _FTPSFTP: false
  - _FakeMessageIcon: 0
  - _FakeMessageShow: false
  - _FileBinder: false
  - _HideFile: false
  - _HistoryCleaner: false
  - _Install: false
  - _InstallLocation: 0
  - _InstallStartup: false
  - _InstallStartupPersistance: false
  - _KeyStrokeLogger: true
  - _LogInterval: 10
  - _MeltFile: false
  - _Mutex: 624be3da-26b4-41f8-813a-f54aacfa6665
  - _PasswordStealer: true
  - _ProcessElevation: false
  - _ProcessProtection: false
  - _ScreenshotLogger: false
  - _SystemInfo: false
  - _Version: 9.0.1.6
  - _WebCamLogger: false
  - _WebsiteBlocker: false
  - _WebsiteVisitor: false
  - _WebsiteVisitorVisible: false
  - _ZoneID: false
- name: HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes (resource | yara_rule):
- behavioral1/memory/1932-57-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- behavioral1/memory/1932-64-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- behavioral1/memory/1932-63-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
- behavioral1/memory/1932-62-0x000000000048B2FE-mapping.dmp | m00nd3v_logger
- behavioral1/memory/968-89-0x0000000000090000-0x0000000000120000-memory.dmp | m00nd3v_logger
- behavioral1/memory/968-94-0x000000000011B2FE-mapping.dmp | m00nd3v_logger
- behavioral1/memory/968-96-0x0000000000090000-0x0000000000120000-memory.dmp | m00nd3v_logger
- behavioral1/memory/968-95-0x0000000000090000-0x0000000000120000-memory.dmp | m00nd3v_logger
- behavioral1/memory/1224-127-0x000000000011B2FE-mapping.dmp | m00nd3v_logger
- behavioral1/memory/1320-173-0x000000000048B2FE-mapping.dmp | m00nd3v_logger
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes (resource | yara_rule):
- behavioral1/memory/988-158-0x000000000041211A-mapping.dmp | MailPassView
- behavioral1/memory/988-162-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
- behavioral1/memory/828-188-0x000000000041211A-mapping.dmp | MailPassView
- behavioral1/memory/828-192-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 10 IoCs
Password recovery tool for various web browsers
Processes (resource | yara_rule):
- behavioral1/memory/1496-78-0x000000000044472E-mapping.dmp | WebBrowserPassView
- behavioral1/memory/1496-81-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1496-77-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1496-86-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1608-114-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1608-111-0x000000000044472E-mapping.dmp | WebBrowserPassView
- behavioral1/memory/1608-115-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1452-143-0x000000000044472E-mapping.dmp | WebBrowserPassView
- behavioral1/memory/1452-147-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
- behavioral1/memory/1296-203-0x000000000044472E-mapping.dmp | WebBrowserPassView
Nirsoft 14 IoCs
Processes (resource | yara_rule):
- behavioral1/memory/1496-78-0x000000000044472E-mapping.dmp | Nirsoft
- behavioral1/memory/1496-81-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/1496-77-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/1496-86-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/1608-114-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/1608-111-0x000000000044472E-mapping.dmp | Nirsoft
- behavioral1/memory/1608-115-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/1452-143-0x000000000044472E-mapping.dmp | Nirsoft
- behavioral1/memory/1452-147-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
- behavioral1/memory/988-158-0x000000000041211A-mapping.dmp | Nirsoft
- behavioral1/memory/988-162-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
- behavioral1/memory/828-188-0x000000000041211A-mapping.dmp | Nirsoft
- behavioral1/memory/828-192-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
- behavioral1/memory/1296-203-0x000000000044472E-mapping.dmp | Nirsoft
Executes dropped EXE 3 IoCs
Processes (pid | process):
- 756 | winlogons.exe
- 1420 | winlogons.exe
- 1508 | winlogons.exe
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe | autoit_exe
- C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe | autoit_exe
- C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe | autoit_exe
- C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe | autoit_exe
Suspicious use of SetThreadContext 10 IoCs
Processes (description | pid | process | target process):
- PID 1704 set thread context of 1932 | 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe | RegAsm.exe
- PID 1932 set thread context of 1496 | 1932 | RegAsm.exe | vbc.exe
- PID 756 set thread context of 968 | 756 | winlogons.exe | RegAsm.exe
- PID 968 set thread context of 1608 | 968 | RegAsm.exe | vbc.exe
- PID 1420 set thread context of 1224 | 1420 | winlogons.exe | RegAsm.exe
- PID 1224 set thread context of 1452 | 1224 | RegAsm.exe | vbc.exe
- PID 1932 set thread context of 988 | 1932 | RegAsm.exe | vbc.exe
- PID 1508 set thread context of 1320 | 1508 | winlogons.exe | RegAsm.exe
- PID 968 set thread context of 828 | 968 | RegAsm.exe | vbc.exe
- PID 1320 set thread context of 1296 | 1320 | RegAsm.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 2044 | schtasks.exe
- 300 | schtasks.exe
- 1236 | schtasks.exe
- 1208 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes (pid | process):
- 1496 | vbc.exe
- 1496 | vbc.exe
- 1496 | vbc.exe
- 1496 | vbc.exe
- 1496 | vbc.exe
- 1608 | vbc.exe
- 1608 | vbc.exe
- 1608 | vbc.exe
- 1608 | vbc.exe
- 1608 | vbc.exe
- 1608 | vbc.exe
- 1452 | vbc.exe
- 1452 | vbc.exe
- 1452 | vbc.exe
- 1452 | vbc.exe
- 1452 | vbc.exe
- 1452 | vbc.exe
Suspicious use of FindShellTrayWindow 12 IoCs
Processes (pid | process):
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 756 | winlogons.exe
- 756 | winlogons.exe
- 756 | winlogons.exe
- 1420 | winlogons.exe
- 1420 | winlogons.exe
- 1420 | winlogons.exe
- 1508 | winlogons.exe
- 1508 | winlogons.exe
- 1508 | winlogons.exe
Suspicious use of SendNotifyMessage 12 IoCs
Processes (pid | process):
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 1704 | 0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
- 756 | winlogons.exe
- 756 | winlogons.exe
- 756 | winlogons.exe
- 1420 | winlogons.exe
- 1420 | winlogons.exe
- 1420 | winlogons.exe
- 1508 | winlogons.exe
- 1508 | winlogons.exe
- 1508 | winlogons.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0df58978a28b178dee837a2e64cee7424f3d6498cc9bf54cb993537fa44e0788.exe"
  PID: 1704
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 1932
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFE1E.tmp"
      PID: 1496
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpA279.tmp"
      PID: 988
      - Accesses Microsoft Outlook accounts

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F
    PID: 2044
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2E8751FF-BF44-442F-843C-7779215B28CE} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  PID: 928
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    PID: 756
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 968
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp31CB.tmp"
        PID: 1608
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD7CB.tmp"
        PID: 828
        - Accesses Microsoft Outlook accounts

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F
      PID: 300
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    PID: 1420
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1224
      - Suspicious use of SetThreadContext

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp926.tmp"
        PID: 1452
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F
      PID: 1236
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe
    PID: 1508
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1320
      - Suspicious use of SetThreadContext

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpF22C.tmp"
        PID: 1296

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn winlogons /tr "C:\Users\Admin\AppData\Roaming\winlogons\winlogons.exe" /sc minute /mo 1 /F
      PID: 1208
      - Creates scheduled task(s)
Downloads

- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 1.9MB
  MD5: c9d9b94208ecd8a119c06bed4fe2c674
  SHA1: 9e80799e0b6fb41d3e3ea41c44a1cd2725198ba3
  SHA256: e66d5a880d06e064b83b4a816394bf2f569cf12eb718e037beced6ff0e48afda
  SHA512: 27e1a864ca2818cfd88cd8eae88ead2e90903ce976874188b139d8fda1c2bb7c74bc80189f85aeecc0553535d9533fd6e26f76863ed1fa9f808daae7911a2b78