luminosity | ae192099d8abfa67a49b100223a764cb4e227132e54f10c8ef2bc7bac185c49d

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
Size

1004KB
MD5

17f83bc21dfe5a240ffe81217f0d892f
SHA1

9f15af376dae479aa706555e5509322b018a99ba
SHA256

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd
SHA512

7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979
SSDEEP

24576:xE/NU3dLfFe1gAS0LE2ZKc9PSEH0uZuLfSA5yN4spZjpVcNTkJXo:EihxASPsaEH9ZuL3udKTW

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exeschtasks.exe

description	ioc	process
File created	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
3268	schtasks.exe

Executes dropped EXE 4 IoCs

Processes:

cli.execli.execli.execli.exe

pid process

1324 cli.exe
4248 cli.exe
4112 cli.exe
412 cli.exe

pid	process
1324	cli.exe
4248	cli.exe
4112	cli.exe
412	cli.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\move up = "cmd /c \"start \"move up\" \"C:\\Program Files (x86)\\folder\\cli.exe\""	REG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execli.execli.exe

description	pid	process	target process
PID 3596 set thread context of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1324 set thread context of 4248	1324	cli.exe	cli.exe
PID 4112 set thread context of 412	4112	cli.exe	cli.exe

Drops file in Program Files directory 2 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
File created	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3268 schtasks.exe

pid	process
3268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execli.exe

pid	process
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
1324	cli.exe
1324	cli.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description pid process

Token: SeDebugPrivilege 440 cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

pid process

440 cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description	pid	process
Token: SeDebugPrivilege	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execli.execli.exe

description	pid	process	target process
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 3596 wrote to memory of 440	3596	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 440 wrote to memory of 3268	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 440 wrote to memory of 3268	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 440 wrote to memory of 3268	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 440 wrote to memory of 1324	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 1324	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 1324	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 1324	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 1324	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 1324 wrote to memory of 4248	1324	cli.exe	cli.exe
PID 440 wrote to memory of 4248	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4248	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4248	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 2032	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 440 wrote to memory of 2032	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 440 wrote to memory of 2032	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 440 wrote to memory of 4112	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4112	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4112	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4112	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 440 wrote to memory of 4112	440	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe
PID 4112 wrote to memory of 412	4112	cli.exe	cli.exe

C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
"C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe"
  2⤵
  - Luminosity
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "move up" /tr "'C:\Program Files (x86)\folder\cli.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:3268
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "move up" /d "cmd /c """start """move up""" """C:\Program Files (x86)\folder\cli.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2032

C:\Program Files (x86)\folder\cli.exe
"C:\Program Files (x86)\folder\cli.exe" /startup
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files (x86)\folder\cli.exe
  "C:\Program Files (x86)\folder\cli.exe"
  2⤵
  - Executes dropped EXE
  PID:4248

C:\Program Files (x86)\folder\cli.exe
"C:\Program Files (x86)\folder\cli.exe" /startup
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Program Files (x86)\folder\cli.exe
  "C:\Program Files (x86)\folder\cli.exe"
  2⤵
  - Executes dropped EXE
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cli.exe.log

Filesize
499B

MD5
17f7e5c69c4f1dc984a9810dde3b6982

SHA1
601b5cf990955dabd1693049c2ed13b9ee2d2bd9

SHA256
88f6579fa5ec5ee4040bc0cc74ff0f95966ccfb0181342f51362c42cc10cee12

SHA512
a48162a368d358fe99876d95f0389f07bcbe0f689b741db722d284dbb43dfdeccb0589cc64cb0bad379333bcdbb88c0d3fba7d419572216a219907e2cf501df1

Download Submit
memory/412-66-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/412-65-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/412-64-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/440-4-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/440-17-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/440-18-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/440-14-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/440-12-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/440-11-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/440-6-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1324-36-0x00000000050F0000-0x0000000005107000-memory.dmp

Filesize
92KB

Download
memory/1324-24-0x00000000050F0000-0x0000000005107000-memory.dmp

Filesize
92KB

Download
memory/1324-25-0x00000000050F0000-0x0000000005107000-memory.dmp

Filesize
92KB

Download
memory/1324-26-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1324-27-0x00000000050F0000-0x0000000005107000-memory.dmp

Filesize
92KB

Download
memory/1324-29-0x00000000774E2000-0x00000000774E3000-memory.dmp

Filesize
4KB

Download
memory/1324-23-0x00000000050F0000-0x0000000005107000-memory.dmp

Filesize
92KB

Download
memory/1324-21-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1324-37-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1324-22-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/3596-0-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/3596-2-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/3596-3-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/3596-10-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/3596-1-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4112-46-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4112-54-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/4112-63-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4112-47-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/4112-48-0x0000000005EE0000-0x0000000005EF7000-memory.dmp

Filesize
92KB

Download
memory/4112-49-0x0000000005EE0000-0x0000000005EF7000-memory.dmp

Filesize
92KB

Download
memory/4112-50-0x0000000005EE0000-0x0000000005EF7000-memory.dmp

Filesize
92KB

Download
memory/4112-51-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/4112-52-0x0000000005EE0000-0x0000000005EF7000-memory.dmp

Filesize
92KB

Download
memory/4112-45-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4112-55-0x00000000774E2000-0x00000000774E3000-memory.dmp

Filesize
4KB

Download
memory/4112-56-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/4112-62-0x0000000005EE0000-0x0000000005EF7000-memory.dmp

Filesize
92KB

Download
memory/4248-42-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4248-43-0x0000000005DE0000-0x0000000005DF7000-memory.dmp

Filesize
92KB

Download
memory/4248-41-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/4248-40-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/4248-39-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download