Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

  • Size

    44KB

  • MD5

    9d78ab0da1948de3977123755ef0fe7c

  • SHA1

    b000aa9b5df426225a02f208b78416cc2f8dab86

  • SHA256

    7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df

  • SHA512

    9576fdbeb8ad20a8ebcfc3121247f4e70a7e9240bea4122f471b813ea321566e45bc4db86fe5bed11ce17bbe14dc68cb82f29fe9df0cee78f0f6f90b5c756bf1

  • SSDEEP

    768:BMbuPxqzgDwNIH/335cJX2om4VQRIEvmg5+FOKo5O:B1xv/H/335C2ozVQRItgMF4O

Score
10/10
amadeypersistencetrojan

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Downloads MZ/PE file
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
    "C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:2832
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:2840
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          2⤵
            PID:2824
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
              PID:2756
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              2⤵
                PID:1988
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                2⤵
                  PID:2828
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  2⤵
                    PID:2704
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    2⤵
                      PID:2184
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                      2⤵
                        PID:2568
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        2⤵
                          PID:2720
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                          2⤵
                            PID:2564
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                            2⤵
                              PID:2024
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                              2⤵
                                PID:2680
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                2⤵
                                  PID:2708
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                  2⤵
                                    PID:2084
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                    2⤵
                                      PID:2596
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                      2⤵
                                        PID:1500
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                        2⤵
                                          PID:3040
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                          2⤵
                                            PID:2388
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                            2⤵
                                              PID:2112
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                              2⤵
                                                PID:1136
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                2⤵
                                                  PID:2804
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                  2⤵
                                                    PID:532
                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                    2⤵
                                                      PID:332
                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                      2⤵
                                                        PID:476
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                        2⤵
                                                          PID:612
                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                          2⤵
                                                            PID:568
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                            2⤵
                                                              PID:640
                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                              2⤵
                                                                PID:920
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                2⤵
                                                                  PID:576
                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                  2⤵
                                                                    PID:3012
                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                    2⤵
                                                                      PID:3056
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                      2⤵
                                                                        PID:2092
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                        2⤵
                                                                          PID:2152
                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                          2⤵
                                                                            PID:2240
                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                            2⤵
                                                                              PID:2128
                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                              2⤵
                                                                                PID:2264
                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                2⤵
                                                                                  PID:2212
                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                  2⤵
                                                                                    PID:2384
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                    2⤵
                                                                                      PID:2428
                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                      2⤵
                                                                                        PID:1904
                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                        2⤵
                                                                                          PID:2228
                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                          2⤵
                                                                                            PID:1836
                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                            2⤵
                                                                                              PID:2896
                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                              2⤵
                                                                                                PID:2528
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                2⤵
                                                                                                  PID:2872
                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                  2⤵
                                                                                                    PID:2880
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                    2⤵
                                                                                                      PID:1248
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                      2⤵
                                                                                                        PID:1276
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                        2⤵
                                                                                                          PID:2612
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                          2⤵
                                                                                                            PID:2784
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                            2⤵
                                                                                                              PID:2604
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                              2⤵
                                                                                                                PID:2808
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                2⤵
                                                                                                                  PID:2876
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                  2⤵
                                                                                                                    PID:2864
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                    2⤵
                                                                                                                      PID:2908
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                      2⤵
                                                                                                                        PID:2868
                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                        2⤵
                                                                                                                          PID:2376
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                          2⤵
                                                                                                                            PID:2448
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                            2⤵
                                                                                                                              PID:1844
                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                              2⤵
                                                                                                                                PID:1032
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                2⤵
                                                                                                                                  PID:2860
                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                  2⤵
                                                                                                                                    PID:1140
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:2848
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                      2⤵
                                                                                                                                        PID:1916
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                        2⤵
                                                                                                                                          PID:348
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                          2⤵
                                                                                                                                            PID:3032
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                            2⤵
                                                                                                                                              PID:2916
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                              2⤵
                                                                                                                                                PID:3016
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                2⤵
                                                                                                                                                  PID:3004
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2904
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2368
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2292
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1772
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1788
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1428
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2108
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:1660
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:1796
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1792
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:2116
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:2960
                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:2728
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2320
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:2332
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:2964
                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:2460
                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:1036
                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:2956
                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:2224
                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:2188
                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:1292
                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:2512
                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:2140
                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:2156
                                                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2164
                                                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:2208
                                                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:844
                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:1176
                                                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:2200
                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:2444

                                                                                                                                                                                                            Network

                                                                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                            Replay Monitor

                                                                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                                                                            Downloads

                                                                                                                                                                                                            • memory/2440-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4KB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-1-0x0000000000330000-0x0000000000342000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              72KB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-3-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              4KB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-4-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-5-0x0000000000650000-0x00000000006D4000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              528KB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-6-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-7-0x000000001ACE0000-0x000000001AD50000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              448KB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-8-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                              Download

                                                                                                                                                                                                            • memory/2440-9-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                              9.9MB

                                                                                                                                                                                                              Download