luminosity | 22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53474c750c9187e0490082d8e1c11a6d.exe
Size

418KB
MD5

53474c750c9187e0490082d8e1c11a6d
SHA1

a53490817cd28f7f9d3689c1dff73308e39ea8c0
SHA256

22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786
SHA512

77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92
SSDEEP

12288:qINL5QskZOSBJRVhQKUN3iduyA3fpIyTCP/tkhDzOkZ:n5mZOoJPCF3iduy669ViDykZ

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exesvchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\sWPDSRWP.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\adSbiblK.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\HYAKIUkX.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\291042\\svchost.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\usPkULYQ.exe"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	53474c750c9187e0490082d8e1c11a6d.exe

Executes dropped EXE 5 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

456 svchost.exe
4420 svchost.exe
1300 svchost.exe
3424 svchost.exe
4564 svchost.exe

pid	process
456	svchost.exe
4420	svchost.exe
1300	svchost.exe
3424	svchost.exe
4564	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Adobe Startup Utility = "\"C:\\ProgramData\\291042\\svchost.exe\""	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe53474c750c9187e0490082d8e1c11a6d.exesvchost.exesvchost.exe

description	pid	process	target process
PID 208 set thread context of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 set thread context of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 456 set thread context of 3424	456	svchost.exe	svchost.exe
PID 3424 set thread context of 4564	3424	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe53474c750c9187e0490082d8e1c11a6d.exe

pid	process
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
2240	53474c750c9187e0490082d8e1c11a6d.exe
2240	53474c750c9187e0490082d8e1c11a6d.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe
4564	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.exe

pid process

2240 53474c750c9187e0490082d8e1c11a6d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 4564 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4564 svchost.exe

pid	process
2240	53474c750c9187e0490082d8e1c11a6d.exe

description	pid	process
Token: SeDebugPrivilege	4564	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d.execsc.exe53474c750c9187e0490082d8e1c11a6d.execmd.execsc.exeWaaSMedicAgent.exe53474c750c9187e0490082d8e1c11a6d.exesvchost.execsc.exe

description	pid	process	target process
PID 208 wrote to memory of 1204	208	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 208 wrote to memory of 1204	208	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 208 wrote to memory of 1204	208	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 1204 wrote to memory of 4236	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 4236	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 4236	1204	csc.exe	cvtres.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 3792	208	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 208 wrote to memory of 4940	208	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 208 wrote to memory of 4940	208	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 208 wrote to memory of 4940	208	53474c750c9187e0490082d8e1c11a6d.exe	cmd.exe
PID 3792 wrote to memory of 4988	3792	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 3792 wrote to memory of 4988	3792	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 3792 wrote to memory of 4988	3792	53474c750c9187e0490082d8e1c11a6d.exe	csc.exe
PID 4940 wrote to memory of 5052	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 5052	4940	cmd.exe	reg.exe
PID 4940 wrote to memory of 5052	4940	cmd.exe	reg.exe
PID 4988 wrote to memory of 676	4988	csc.exe	cvtres.exe
PID 4988 wrote to memory of 676	4988	csc.exe	cvtres.exe
PID 4988 wrote to memory of 676	4988	csc.exe	cvtres.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 2240	3792	53474c750c9187e0490082d8e1c11a6d.exe	53474c750c9187e0490082d8e1c11a6d.exe
PID 3792 wrote to memory of 1668	3792	53474c750c9187e0490082d8e1c11a6d.exe	WaaSMedicAgent.exe
PID 3792 wrote to memory of 1668	3792	53474c750c9187e0490082d8e1c11a6d.exe	WaaSMedicAgent.exe
PID 3792 wrote to memory of 1668	3792	53474c750c9187e0490082d8e1c11a6d.exe	WaaSMedicAgent.exe
PID 1668 wrote to memory of 4308	1668	WaaSMedicAgent.exe	reg.exe
PID 1668 wrote to memory of 4308	1668	WaaSMedicAgent.exe	reg.exe
PID 1668 wrote to memory of 4308	1668	WaaSMedicAgent.exe	reg.exe
PID 2240 wrote to memory of 456	2240	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 2240 wrote to memory of 456	2240	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 2240 wrote to memory of 456	2240	53474c750c9187e0490082d8e1c11a6d.exe	svchost.exe
PID 456 wrote to memory of 3864	456	svchost.exe	csc.exe
PID 456 wrote to memory of 3864	456	svchost.exe	csc.exe
PID 456 wrote to memory of 3864	456	svchost.exe	csc.exe
PID 3864 wrote to memory of 4972	3864	csc.exe	cvtres.exe
PID 3864 wrote to memory of 4972	3864	csc.exe	cvtres.exe
PID 3864 wrote to memory of 4972	3864	csc.exe	cvtres.exe
PID 456 wrote to memory of 4420	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 4420	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 4420	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 1300	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 1300	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 1300	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 3424	456	svchost.exe	svchost.exe
PID 456 wrote to memory of 4836	456	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzmjzz-o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E87.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E86.tmp"
    3⤵
    PID:4236
- C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
  "C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hujweysa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8108.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8107.tmp"
      4⤵
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe
    "C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\ProgramData\291042\svchost.exe
      "C:\ProgramData\291042\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azzn0i8i.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FDD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8FDC.tmp"
        6⤵
        
        PID:4972
    - - C:\ProgramData\291042\svchost.exe
        
        "C:\ProgramData\291042\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3424
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iphofgrw.cmdline"
        6⤵
        
        PID:1068
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9192.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9191.tmp"
        7⤵
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HYAKIUkX.exe"
        6⤵
        
        PID:1512
      - C:\ProgramData\291042\svchost.exe
        
        "C:\ProgramData\291042\svchost.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\adSbiblK.exe"
        5⤵
        
        PID:4836
    - - C:\ProgramData\291042\svchost.exe
        
        "C:\ProgramData\291042\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1300
    - - C:\ProgramData\291042\svchost.exe
        
        "C:\ProgramData\291042\svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\sWPDSRWP.exe"
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\sWPDSRWP.exe"
      4⤵
      Modifies WinLogon for persistence
      PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\usPkULYQ.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\usPkULYQ.exe"
    3⤵
    - Modifies WinLogon for persistence
    PID:5052

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\adSbiblK.exe"
1⤵
- Modifies WinLogon for persistence
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HYAKIUkX.exe"
1⤵
- Modifies WinLogon for persistence
PID:4700

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe fb8261b5044935c4a561874b4657a925 BvnN8KeB3kG8aBY7bVt9Gw.0.1.0.0.0
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\291042\svchost.exe

Filesize
411KB

MD5
7584faf6db6eb2511cde281dbb102537

SHA1
73549ecdcd649f735681a26ec6cf8274623360fb

SHA256
063f6cf2f30ff936e831804233cff55a042cff9d58c18e7141085648a653e3eb

SHA512
c6e8463bf269e4fe4a0546ca904835d52632f8a34da04b247eece93395743afd8e23623b6a759aae911d3850482d2d42517d2acbf8de5ea41011e7652c502d83

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
204KB

MD5
e80ab182d5b38ad5ff3c3a5ebd654dd7

SHA1
ec16fe7856191e515a6499d4bc3652a206374666

SHA256
e2253fb299e03d8bd01af8692df95bfed9fd3b5f231d519094301037ee350e72

SHA512
d5de6e21bad69692aefac718c85e8f7f1ae0222fafd0f1dfdda21e3f1e32f285928599b76367fbe3c65bd4be70dffecd1cc88b2a1f5009f43ad261228c68f660

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
162KB

MD5
8b6085db45c2f9432f28f774ad745150

SHA1
91a574ad84e67d2acb4a8b1ca181ff2c2f55e499

SHA256
696f1ae2912aca92ff4ed32eabcdc76ecde46f1265902fd761e19768fd8e7dd1

SHA512
c72cf8a5e72cda3d48d4c623074c0a706b9db4122f8eaa5e3bd792124422b326cb255b78aa1b1dbee9c77d01ff57ac5bdefd65b2af19dc73b0558ca457d3241d

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
130KB

MD5
ef30cfab2ea088cf43173baa0bbe92f1

SHA1
8eab543a7f88904c85e7db6c5d3f89903a650abc

SHA256
6477b82f463136f5ec388c098d008423b68855940ad2786eb0de699b5e609f12

SHA512
9a93a3347ea811656c37ab3064579f09adad9c1d2119c8295a820d8e25d3b500894dda6ab4662a50a17fe8a46b15bf3bbf2b25d9735e4051a3fbbc2a11560bc8

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
245KB

MD5
1b6235c5f739b1316962434f0da98e17

SHA1
d25515877478df97ee7f84e0f433eb20602d2564

SHA256
7247e7b20908f309b040fe807aeaf3b45eadf2a888fe8057ab0edb3580793f51

SHA512
46e7e034cd540269adb70ec68b6d915194035cd3a3604b0a4be6fb0a0d715e1025addb4f5708fbab786a8f1dacd6c7db5a62d61d5b96f6a56fc4d2f88b932a14

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
342KB

MD5
e24a06a70d8ead17a4d3308dae6aec38

SHA1
742e7d5fba76d4758ba5f3c66493b313295c14d6

SHA256
dcf9c186a4471f7048ff15eb8769a49c2741738b51aa708783a91003a798d04b

SHA512
4ee5ffa4c03c7ea7fc7a01d1512281cdce770c402ddb6bce1553b821dc4fb5de1517cd67b5c216ac49baffc9a7bbf49d7a64babffa5c000aa2fd3869324ea854

Download Submit
C:\ProgramData\291042\svchost.exe

Filesize
418KB

MD5
53474c750c9187e0490082d8e1c11a6d

SHA1
a53490817cd28f7f9d3689c1dff73308e39ea8c0

SHA256
22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

SHA512
77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\53474c750c9187e0490082d8e1c11a6d.exe.log

Filesize
223B

MD5
3538636a23f297388f47a85ede8731d3

SHA1
6378c568b16e046fa7a6860475afd435d277e373

SHA256
48dbe85fb952e2ab68e0f4eedc476d55d9e677b9fe33740e5f9280d80c5515f7

SHA512
6a33d6e28f56dd71569119ff8526096e1d2b48d85ec7f2a030d44d5083582a47797388c3a1a1ca8123506b153c39adea6b6bf4df2aa7b4efebb6cc83f2247028

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E87.tmp

Filesize
1KB

MD5
b2af5c698bee91df1565617aae5479bf

SHA1
c280266661019d9c87a88780355296bdd9a12bf5

SHA256
7d7bf740c5e053f375bd4403df94df4edf9ebfc6aa397e4dcb02f169bf78dc13

SHA512
8a8c9d75a2ae039aa6700b1c6fd0a9f9284a4d39a23b96d80dee597fc30640518ef082a0aea9659b0ac3fdb688b43e35a6019d3823f6ca56abcb20f5692873ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8108.tmp

Filesize
1KB

MD5
a24b94ace2ee1cb61ecc0c35725e0823

SHA1
119e54c3883a97873d74d5b11598c02e6d74f3a4

SHA256
0a5b2386319afaaae41bbbeb9e023c7bc0459eacb44d2a86eb05195d412e89e2

SHA512
9c9e9a19945740da5ee3f93b862fdfc6e0e2c2be2f7f005005180b89b8b0b0fe107a7433f61175a12e2f32bb801e9fba5deeb066e6590cd5692d485a5c0c61b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FDD.tmp

Filesize
1KB

MD5
2af3b5cd859673d04e7598e2fb5b66e3

SHA1
4f4792dd88b614dfdb809c298f5f25325cbf6630

SHA256
4e8799974a556f30046598c4bb2925a02137d91f9499f5c364c4080af309179a

SHA512
4a3a37c16ad97ca6d17f25b1887f18bcc0e84b0b009a16ffbb6859f5a841893e6923d94dc9d8b703e045d07542b55ba371aabc65a8c82afdf82f9a0d06257d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9192.tmp

Filesize
1KB

MD5
997ebef304e20c77e456415bcff05b66

SHA1
b8e686881a12cbf354a9075fe85beda5c606e73d

SHA256
555fd7ee3771cd82ed304a6d9b161a16ff89361aeb5d9a54200a7c2a1e264f32

SHA512
c91721bd021301545e84816755c06dbde655de6a70d81d9aced8a9f3ffc536537f96466a7f37ccdeb2357b46d43cf575f2cae8e05b42dbc308af96d44ec0334f

Download Submit
C:\Users\Admin\AppData\Local\Temp\azzn0i8i.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hujweysa.dll

Filesize
337KB

MD5
0cf8166473cabaa6398f273f61f73a14

SHA1
18cc1704006658d6f7f84c347d01d54db32c0d0a

SHA256
17e3dcebce605bf582d68b375c9f56494c56ca9eeb4adb853b9592f6632ae082

SHA512
c41378c0ffbb1cfd9c2e0b37327865447c84b661cf7e7c49c63f6fcd39b50b5f3a99885232eb5c1b0cbb90dc2cb73261e357bc66d15dd5938141f4f694e866d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iphofgrw.dll

Filesize
259KB

MD5
654ab8e6dff6def5848bae8469000a2a

SHA1
00f75222fd6327fbaff7732c3b9bf44c1075cc26

SHA256
c228cda1197c34831d87e15a35dad98351d75eecf23d2d51259b8466da3b5222

SHA512
86950199369a70665bda1199b28a5522b163897381c825fe59384a2523ad4d7d6602cfd2739ff6e291a29f7b235344a1d4abb7f1696370ee5faf2f71afb33248

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzmjzz-o.dll

Filesize
828KB

MD5
8b9b7d1068d130644caf3f573528e1eb

SHA1
e8b947b296b94b12a3f521e4a2a841ef5b4d0415

SHA256
808ff580ca79f961131e0aa8c36afcad7dd00121ccda6afc05b166f88e8936c4

SHA512
9cc840dcacd4ad4feaf8beef0460555cc8af7e399752c5f5a84b3a364b69cf7e1eed93b78fa7f7fb78b3fec7eee9cf79a4f8c3487cd4eb0a62d1c2052b91b580

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7E86.tmp

Filesize
652B

MD5
1c72163664ec31f808a0a2f7d65a362c

SHA1
4f782a94f8ccf77b6f62de6d4c91c372425a33d6

SHA256
cf53227510addcc8856f30086e6ef87252d979971f0bbac49d07773aa7195ad8

SHA512
6cad5f959604721abf480344742897ddde5c2e91230aa3435cd03c83abf71af27766e3a01dbac2b9f954119df558d9db8210496acb639561c6952f823c6c8151

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8107.tmp

Filesize
652B

MD5
82f1344782555f15fc5b6448fb3e8795

SHA1
c37814796f2c395e302b73f76ad9667c88b5f26c

SHA256
9c62b867e6f160f06a19d2b966a09b63d3fd453a992c6edea5ce52d0170974e4

SHA512
f4b984e70639603df073e8ff1c8dc4286a7eaadbd9be234801e66c0151a220e1cf411cbbe688016c10eaeaa277bb91e00a04ca55d7a66b45a9def26dfdf2769b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8FDC.tmp

Filesize
652B

MD5
f8c4b32f24642dfaa204e4c9d056345b

SHA1
41ac13be77faba5f34c622015ec0ed5000d495be

SHA256
118e09d962ddf99a08dc6ea10ddf4fcb844e2f56f09741c2dabcf90c65e3c5c9

SHA512
faa75776a28f8281bead2234a9cfeb645d919d3e22eb8a1d0181ac66edd25d32e8c688a650f9cdacc314fcb50a5c02feec57294004b398edbbe8cc83a3767390

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9191.tmp

Filesize
652B

MD5
d0bc257edb81c6f554257bb530967f05

SHA1
de85b0142e196cc10d8490220cafe657e6fac14c

SHA256
cdd5e11ba9afb958ee0539b4971ca6e4a5e8cc0bf2f1105bf3476e180fbbf2b1

SHA512
693816d25480374e193e60be3136f807d2e35d1b4063b8e6057868212be5514c4ad518ec92d8f51a277f285d66ef71e139a063996d68509e109f0b9935964303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azzn0i8i.cmdline

Filesize
196B

MD5
cea5fd45da0c905bca405151e0b6c895

SHA1
76335ac4b1ea910d0e032a9948a1b8a96efb473b

SHA256
8ae8401515b382faaab097e19a307fb7200553cda8e19247c325477916f88391

SHA512
0b9407c98235721b6a908faee28a86a21597d0a7cad4de21978fd5e95b961d0868d2a4955670e130f73184434213d1f06ebfeed9ff46fb3b0f83fc84023bc5e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hujweysa.cmdline

Filesize
196B

MD5
06ed9c785dbbb67e8adf56153a2dcb31

SHA1
042c74f92d4f7a6e77b5f59e5f4a676ad06d0f5f

SHA256
e1f66d2423660c2b1e604cd5df40d7ce708e498c53b6320a293ab64bedf6b00a

SHA512
9b0ad27d6358575c7362f29980418b7e94e331e0c2f3d496d128ad82e5581b212e9ab9526f0cd4e90d504cb5a18cf8147f408a5ccbe889cf65727ae39338a01b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iphofgrw.cmdline

Filesize
196B

MD5
aa2ce39f7d32dc50b28ea378bc2b48c0

SHA1
567162cd8d0f4fc92dee33b34d19a78941fea515

SHA256
4e356e70379804be5231e1c974e1c12a28584497748d6a705c3bfa03297b21bb

SHA512
c41270351785736d559473674cc7366bfcee0970b3f3e9ffc2823f01d3e83e131ad4cc74ce3c9160c32a193abea1cf5901f640038e398d06cd13f99a88a269b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp7C44.tmp.txt

Filesize
407KB

MD5
3fc0338c5b131613c2d4a8555d9d7775

SHA1
c67542ffa9a87ffd8df40025ccc62c2a15dde83a

SHA256
74af134a8b7df9e7bb5198a3e3a3e957eb49bf2b565e402929c913573cf8300e

SHA512
ef2e8cc5710fb45eefc9a5241d506dac8ceee25ec886efbb262958d64ceaf86e219a6185f20dd13a68fa8c9f3c6c0860fabcea4eb2cfd310a6cac9a051367a56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.txt

Filesize
271KB

MD5
e7311b28ef77fe20a83d1ea042945293

SHA1
3b8edf149437d35e4ba4241ddd85a7140827fcee

SHA256
bfd1b696ef37f194027c9cf109e251fc5ff73de3a09d09ff77aabb4ae77ae534

SHA512
d2711d9dd9b4a61c0db6b238477833ad5a8f56698436fb281fdc8af28d7d66d25de96379ed7a633c32854315891ea0c7a870e635b915c26b2c936cb56c442cc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp8F20.tmp.txt

Filesize
318KB

MD5
56cc0a35dbee572c19af762ead42ec92

SHA1
682919b9fb6fe3c528f19ae5231208069c1bce53

SHA256
61a77d0bb2cafdceba6e9402d9aea1b152deb032e2076027ce8ce2f3ee3168e0

SHA512
e2094e57e4804b9a8bb42a647607c855d5dc67a5ac4ac4c563b76054e6ae915c5160e8d825be135ebbc5549d89edadab3382da84af3cf96bca227dc933f48a5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp90B7.tmp.txt

Filesize
233KB

MD5
0e4adc5c5fdf04c93fb207369b21a90d

SHA1
d80d2209947ad13d34d3e86d8ad4b880f96307b3

SHA256
82fb6d7f458443e58dfc3d1bf482d2ac1ae87f7fd1e94ea893c7371d8b5983d8

SHA512
37374afbaf74bf5e852d8696177752dd75c818263c879fb53dea54e4d1dffc7ec3385e0171985cd9cab10e6867d36224123085d65f6a849e55aff2e606a12e4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yzmjzz-o.cmdline

Filesize
196B

MD5
5d941d67b621d75eb5aa5fbf16c4b15c

SHA1
2bb8530a51a64a7a3c8fc10360ce7132e2050772

SHA256
7c671912a8e63629be75241930a2707948a30c2be87edcf0b9e86ce4536529bf

SHA512
1b78e9d44e59e59af84a2bb18118e9366972d301bf1b37eaecf0b912367123c3babed64e93619604f3934d3d6d58c2361c1cfda4d4b9884b6d8203cb1ee39128

Download Submit
memory/208-0-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/208-35-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/208-2-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/208-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/456-70-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/456-75-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/456-102-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1068-108-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1204-13-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2240-135-0x00000000071B0000-0x00000000071C7000-memory.dmp

Filesize
92KB

Download
memory/2240-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-54-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2240-136-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2240-127-0x00000000071B0000-0x00000000071C7000-memory.dmp

Filesize
92KB

Download
memory/2240-58-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/2240-53-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2240-128-0x00000000071B0000-0x00000000071C7000-memory.dmp

Filesize
92KB

Download
memory/2240-129-0x00000000071B0000-0x00000000071C7000-memory.dmp

Filesize
92KB

Download
memory/2240-131-0x00000000071B0000-0x00000000071C7000-memory.dmp

Filesize
92KB

Download
memory/2240-132-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/2240-130-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/2240-126-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-103-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-122-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-97-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3792-34-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3792-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3792-29-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/3792-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3792-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3792-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3792-57-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3864-80-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/4564-123-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-121-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-134-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4988-38-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download