hawkeye | 8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516

Analysis

max time kernel
153s
max time network
142s
platform
windows10_x64
resource
win10
submitted
25/10/2020, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
Size

1.5MB
MD5

6283d7dedf246ce837a43b9843356cd4
SHA1

f81c108eced16ff1f6b9b34037f14b248242ce34
SHA256

8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516
SHA512

831f45b904b10454c5499c6b9888a9ea91ed632a1df15e9535661bcdd45c0365254dfae044cf6d1c2dc9d5fc39a533c139114b95e6b3d7abd712304968491d6c

Score

10^/10

persistence keylogger trojan stealer spyware hawkeye rat luminosity

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
173.237.185.61
Port:
587
Username:
[email protected]
Password:
7213575ace

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Luminosity 27 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
		3840	schtasks.exe
		1588	schtasks.exe
		2744	schtasks.exe
		3580	schtasks.exe
		3924	schtasks.exe
		3660	schtasks.exe
		1964	schtasks.exe
		2548	schtasks.exe
		3120	schtasks.exe
		1648	schtasks.exe
		2736	schtasks.exe
		1824	schtasks.exe
		1216	schtasks.exe
		2140	schtasks.exe
		2444	schtasks.exe
		488	schtasks.exe
		1908	schtasks.exe
		1956	schtasks.exe
		2064	schtasks.exe
		3420	schtasks.exe
		1744	schtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters		Binded Pred.exe
		4024	schtasks.exe
		2552	schtasks.exe
		2544	schtasks.exe
		3304	schtasks.exe
		3760	schtasks.exe

Executes dropped EXE 1 IoCs

pid	Process
1748	Binded Pred.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	whatismyipaddress.com
15	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 4092	1748	Binded Pred.exe	79
PID 3860 set thread context of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1748 set thread context of 3300	1748	Binded Pred.exe	80

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3300	vbc.exe
3300	vbc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
Token: SeDebugPrivilege	1748	Binded Pred.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1748	Binded Pred.exe
3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Suspicious use of WriteProcessMemory 110 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 1748	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 3860 wrote to memory of 1748	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 3860 wrote to memory of 1748	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 1748 wrote to memory of 4092	1748	Binded Pred.exe	79
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 3860 wrote to memory of 3540	3860	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 1748 wrote to memory of 3300	1748	Binded Pred.exe	80
PID 3540 wrote to memory of 2548	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	81
PID 3540 wrote to memory of 2548	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	81
PID 3540 wrote to memory of 2548	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	81
PID 3540 wrote to memory of 3840	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	83
PID 3540 wrote to memory of 3840	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	83
PID 3540 wrote to memory of 3840	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	83
PID 3540 wrote to memory of 4024	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	85
PID 3540 wrote to memory of 4024	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	85
PID 3540 wrote to memory of 4024	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	85
PID 3540 wrote to memory of 1588	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	87
PID 3540 wrote to memory of 1588	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	87
PID 3540 wrote to memory of 1588	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	87
PID 3540 wrote to memory of 1648	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	89
PID 3540 wrote to memory of 1648	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	89
PID 3540 wrote to memory of 1648	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	89
PID 3540 wrote to memory of 2744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	91
PID 3540 wrote to memory of 2744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	91
PID 3540 wrote to memory of 2744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	91
PID 3540 wrote to memory of 3780	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	93
PID 3540 wrote to memory of 3780	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	93
PID 3540 wrote to memory of 3780	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	93
PID 3540 wrote to memory of 1216	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	94
PID 3540 wrote to memory of 1216	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	94
PID 3540 wrote to memory of 1216	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	94
PID 3540 wrote to memory of 488	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	97
PID 3540 wrote to memory of 488	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	97
PID 3540 wrote to memory of 488	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	97
PID 3540 wrote to memory of 3580	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	99
PID 3540 wrote to memory of 3580	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	99
PID 3540 wrote to memory of 3580	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	99
PID 3540 wrote to memory of 2064	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	101
PID 3540 wrote to memory of 2064	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	101
PID 3540 wrote to memory of 2064	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	101
PID 3540 wrote to memory of 3420	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	103
PID 3540 wrote to memory of 3420	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	103
PID 3540 wrote to memory of 3420	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	103
PID 3540 wrote to memory of 1744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	105
PID 3540 wrote to memory of 1744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	105
PID 3540 wrote to memory of 1744	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	105
PID 3540 wrote to memory of 3120	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	107
PID 3540 wrote to memory of 3120	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	107
PID 3540 wrote to memory of 3120	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	107
PID 3540 wrote to memory of 2552	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	109
PID 3540 wrote to memory of 2552	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	109
PID 3540 wrote to memory of 2552	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	109
PID 3540 wrote to memory of 2544	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	111
PID 3540 wrote to memory of 2544	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	111
PID 3540 wrote to memory of 2544	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	111
PID 3540 wrote to memory of 1908	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	113
PID 3540 wrote to memory of 1908	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	113
PID 3540 wrote to memory of 1908	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	113
PID 3540 wrote to memory of 2140	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	115
PID 3540 wrote to memory of 2140	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	115
PID 3540 wrote to memory of 2140	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	115
PID 3540 wrote to memory of 3924	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	117
PID 3540 wrote to memory of 3924	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	117
PID 3540 wrote to memory of 3924	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	117
PID 3540 wrote to memory of 2444	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	119
PID 3540 wrote to memory of 2444	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	119
PID 3540 wrote to memory of 2444	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	119
PID 3540 wrote to memory of 1956	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	121
PID 3540 wrote to memory of 1956	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	121
PID 3540 wrote to memory of 1956	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	121
PID 3540 wrote to memory of 3660	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	123
PID 3540 wrote to memory of 3660	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	123
PID 3540 wrote to memory of 3660	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	123
PID 3540 wrote to memory of 2736	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	125
PID 3540 wrote to memory of 2736	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	125
PID 3540 wrote to memory of 2736	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	125
PID 3540 wrote to memory of 3304	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	127
PID 3540 wrote to memory of 3304	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	127
PID 3540 wrote to memory of 3304	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	127
PID 3540 wrote to memory of 1824	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	129
PID 3540 wrote to memory of 1824	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	129
PID 3540 wrote to memory of 1824	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	129
PID 3540 wrote to memory of 1964	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	131
PID 3540 wrote to memory of 1964	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	131
PID 3540 wrote to memory of 1964	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	131
PID 3540 wrote to memory of 3760	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	133
PID 3540 wrote to memory of 3760	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	133
PID 3540 wrote to memory of 3760	3540	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	133

C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
"C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\Documents\Binded Pred.exe
  "C:\Users\Admin\Documents\Binded Pred.exe"
  2⤵
  - Luminosity
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    PID:4092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3300
- C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
  "C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:4024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2744
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:3780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:3304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3300-10-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3300-8-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3540-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4092-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4092-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download