limerat | b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486

Analysis

max time kernel
91s
max time network
170s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
Size

3.8MB
MD5

6d3d9ba1c944e0c0ae366f559a61e497
SHA1

61ba8c88597523562dc86354ebee6476c0d33c6a
SHA256

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486
SHA512

3381a6e5891a4d7af3ea07a561c317975fc4060933d9b0821bf4a20f70b529c35cafe27d1d87f6b98e77d62abb9ea9927372df3fcaffa0944a38b7f163e0820d

Score

10^/10

limerat remcos sality warzonerat host backdoor evasion infostealer rat trojan upx

Malware Config

Extracted

Family

warzonerat

grounderwarone.rapiddns.ru:5500

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

seasons444.ddns.net:8128

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
window
keylog_path
%AppData%
mouse_option
false
mutex
Office_vgqkluqlnw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Extracted

Family

limerat

Wallets

1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD

Attributes

aes_key
MAXS20
antivm
false
c2_url
https://pastebin.com/raw/vnPLhhBH
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2172-75-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

Amadeus Pro.exeService.exe

pid process

1492 Amadeus Pro.exe
1200 Service.exe

pid	process
1492	Amadeus Pro.exe
1200	Service.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2208-80-0x00000000020C0000-0x000000000314E000-memory.dmp	upx
behavioral1/memory/2208-83-0x00000000020C0000-0x000000000314E000-memory.dmp	upx
behavioral1/memory/2208-94-0x00000000020C0000-0x000000000314E000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppxSip.url	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssignedAccessShellProxy.url	Amadeus Pro.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIHClient.url	Service.exe

Loads dropped DLL 8 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

pid	process
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

Enumerates connected drives 3 TTPs 19 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

description	pid	process	target process
PID 1548 set thread context of 2172	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1492 set thread context of 2208	1492	Amadeus Pro.exe	svchost.exe
PID 1200 set thread context of 2380	1200	Service.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

pid	process
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

pid	process
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2380	MSBuild.exe
Token: SeDebugPrivilege	2380	MSBuild.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

pid	process
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1492	Amadeus Pro.exe
1492	Amadeus Pro.exe
1492	Amadeus Pro.exe
1200	Service.exe
1200	Service.exe
1200	Service.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

pid	process
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1492	Amadeus Pro.exe
1492	Amadeus Pro.exe
1492	Amadeus Pro.exe
1200	Service.exe
1200	Service.exe
1200	Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2208 svchost.exe

pid	process
2208	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
"C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1522427694-1401884223-82412884-149055851113841890588631033311119808744-1501019636"
1⤵
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
memory/1200-91-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1200-76-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/1200-84-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1200-96-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1200-67-0x0000000000000000-mapping.dmp

Download
memory/1492-98-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1492-77-0x0000000000340000-0x000000000036B000-memory.dmp

Filesize
172KB

Download
memory/1492-81-0x0000000000B70000-0x0000000000B9A000-memory.dmp

Filesize
168KB

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1492-86-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1548-74-0x0000000002A80000-0x0000000002A9A000-memory.dmp

Filesize
104KB

Download
memory/1548-71-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/1548-97-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1548-85-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1548-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/2172-75-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2172-72-0x000000000040586A-mapping.dmp

Download
memory/2172-87-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/2208-78-0x000000000040FD88-mapping.dmp

Download
memory/2208-80-0x00000000020C0000-0x000000000314E000-memory.dmp

Filesize
16.6MB

Download
memory/2208-82-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-88-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/2208-99-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/2208-93-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-94-0x00000000020C0000-0x000000000314E000-memory.dmp

Filesize
16.6MB

Download
memory/2208-83-0x00000000020C0000-0x000000000314E000-memory.dmp

Filesize
16.6MB

Download
memory/2380-92-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2380-90-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2380-89-0x0000000000408D6E-mapping.dmp

Download
memory/2380-100-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2756-101-0x0000000000000000-mapping.dmp

Download
memory/2756-102-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2756-103-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 1548 wrote to memory of 1492	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 1548 wrote to memory of 1492	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 1548 wrote to memory of 1492	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 1548 wrote to memory of 1492	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 1548 wrote to memory of 1200	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 1548 wrote to memory of 1200	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 1548 wrote to memory of 1200	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 1548 wrote to memory of 1200	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 1548 wrote to memory of 2032	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2032	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2032	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2032	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2036	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2036	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2036	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2036	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1700	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1700	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1700	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1700	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2004	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2004	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2004	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 2004	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1992	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1992	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1992	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1992	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1016	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1772	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1772	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1772	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1772	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 572	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 572	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 572	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 572	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1124	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1124	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1124	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1124	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1876	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1876	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1876	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1876	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1676	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1676	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1676	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1676	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1996	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1996	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1996	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1996	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1776	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1776	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1776	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 1548 wrote to memory of 1776	1548	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe