Analysis Overview
SHA256
b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486
Threat Level: Known bad
The file b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies firewall policy service
Remcos
WarzoneRat, AveMaria
LimeRAT
Sality
UAC bypass
Warzone RAT Payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops startup file
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
AutoIT Executable
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 06:21
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 06:21
Reported
2022-06-25 07:02
Platform
win7-20220414-en
Max time kernel
91s
Max time network
170s
Command Line
Signatures
LimeRAT
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Remcos
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
WarzoneRat, AveMaria
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Warzone RAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppxSip.url | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssignedAccessShellProxy.url | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIHClient.url | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1548 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe |
| PID 1492 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1200 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
"C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe"
C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1522427694-1401884223-82412884-149055851113841890588631033311119808744-1501019636"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | seasons444.ddns.net | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| CA | 54.39.245.150:6669 | | tcp |
| CA | 54.39.245.150:6669 | | tcp |
| CA | 54.39.245.150:6669 | | tcp |
Files
memory/1548-54-0x0000000075701000-0x0000000075703000-memory.dmp
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
memory/1492-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
memory/1200-67-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
memory/1548-71-0x0000000000590000-0x00000000005AA000-memory.dmp
memory/2172-72-0x000000000040586A-mapping.dmp
memory/1548-74-0x0000000002A80000-0x0000000002A9A000-memory.dmp
memory/2172-75-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1200-76-0x0000000000120000-0x0000000000128000-memory.dmp
memory/1492-77-0x0000000000340000-0x000000000036B000-memory.dmp
memory/2208-78-0x000000000040FD88-mapping.dmp
memory/2208-80-0x00000000020C0000-0x000000000314E000-memory.dmp
memory/2208-82-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1492-81-0x0000000000B70000-0x0000000000B9A000-memory.dmp
memory/2208-83-0x00000000020C0000-0x000000000314E000-memory.dmp
memory/1200-84-0x0000000000130000-0x0000000000132000-memory.dmp
memory/1492-86-0x0000000000370000-0x0000000000378000-memory.dmp
memory/1548-85-0x00000000005B0000-0x00000000005B2000-memory.dmp
memory/2208-88-0x0000000000140000-0x0000000000142000-memory.dmp
memory/2172-87-0x00000000008F0000-0x00000000008F2000-memory.dmp
memory/2380-89-0x0000000000408D6E-mapping.dmp
memory/2380-90-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1200-91-0x00000000002C0000-0x00000000002C8000-memory.dmp
memory/2380-92-0x00000000004A0000-0x00000000004A2000-memory.dmp
memory/2208-93-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2208-94-0x00000000020C0000-0x000000000314E000-memory.dmp
memory/1492-98-0x0000000000370000-0x0000000000378000-memory.dmp
memory/2208-99-0x0000000000140000-0x0000000000142000-memory.dmp
memory/1548-97-0x00000000005B0000-0x00000000005B2000-memory.dmp
memory/1200-96-0x0000000000130000-0x0000000000132000-memory.dmp
memory/2380-100-0x00000000004A0000-0x00000000004A2000-memory.dmp
memory/2756-101-0x0000000000000000-mapping.dmp
memory/2756-102-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2756-103-0x00000000000B0000-0x00000000000B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 06:21
Reported
2022-06-25 07:02
Platform
win10v2004-20220414-en
Max time kernel
164s
Max time network
168s
Command Line
Signatures
LimeRAT
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Remcos
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
WarzoneRat, AveMaria
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
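The three tables above (firewall policy, EnableLUA, Security Center) are all written by the same C:\Windows\SysWOW64\svchost.exe, which the SetThreadContext entries further down show is a hollowed host rather than a service started by services.exe. The following detection logic is an added example and is not part of the sandbox report: it evaluates registry value-set events in Sysmon Event ID 13 shape against exactly the keys and values listed above, folding the ControlSet001 and WOW6432Node spellings away so one rule covers both the sandbox's kernel-path form and the Win32 form a SIEM receives. The EVENTS list is constructed to mirror the indicator tables and is not real telemetry.

```python
"""Detect the firewall / UAC / Security Center tampering recorded in this report.
Added example, not part of the sandbox report. EVENTS below is constructed to
mirror the report's indicator tables (Sysmon Event ID 13 shape), not real telemetry."""
import re

# Canonical key paths after normalize_key(): ControlSet00N -> CurrentControlSet,
# WOW6432Node folded away, everything upper-cased.
FW = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE"
LUA = "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM"
SC = "HKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER"

# (canonical key, value name, DWORD value that signals tampering) -> description
RULES = {
    (FW, "ENABLEFIREWALL", 0): "Windows Firewall disabled for the standard profile",
    (FW, "DONOTALLOWEXCEPTIONS", 0): "firewall exception list re-enabled",
    (FW, "DISABLENOTIFICATIONS", 1): "firewall block notifications silenced",
    (LUA, "ENABLELUA", 0): "UAC disabled (effective after next logon/reboot)",
    (SC, "FIREWALLOVERRIDE", 1): "Security Center firewall monitoring overridden",
    (SC, "ANTIVIRUSOVERRIDE", 1): "Security Center antivirus monitoring overridden",
    (SC, "UPDATESDISABLENOTIFY", 1): "Windows Update warnings silenced",
    (SC, "UACDISABLENOTIFY", 1): "UAC warnings silenced",
    (SC, "ANTIVIRUSDISABLENOTIFY", 1): "antivirus warnings silenced",
    (SC, "FIREWALLDISABLENOTIFY", 1): "firewall warnings silenced",
}


def normalize_key(key: str) -> str:
    """Map the kernel path form the sandbox prints (\\REGISTRY\\MACHINE\\...) and the
    Win32 form Sysmon logs (HKLM\\...) onto one upper-case canonical string."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    key = re.sub(r"^HKLM\\SYSTEM\\CONTROLSET\d{3}\\",
                 lambda _: "HKLM\\SYSTEM\\CURRENTCONTROLSET\\", key, flags=re.IGNORECASE)
    key = re.sub(r"^HKLM\\SOFTWARE\\WOW6432NODE\\",
                 lambda _: "HKLM\\SOFTWARE\\", key, flags=re.IGNORECASE)
    return key.upper()


def parse_dword(details: str):
    """Sysmon writes DWORDs as 'DWORD (0x00000001)'; the sandbox table writes '"1"'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group(0)) if m else None


def suspicious_writer(image: str, cmdline: str) -> bool:
    """services.exe always starts a genuine svchost.exe with '-k <group>'. An svchost.exe
    running from a bare command line (as C:\\Windows\\SysWOW64\\svchost.exe does in this
    report) is the shape left behind when a dropper hollows it to host its payload."""
    if image.rsplit("\\", 1)[-1].lower() != "svchost.exe":
        return False
    return "-k" not in cmdline.lower().split()


def scan(events):
    """Return (image, value name, description) for every write matching RULES."""
    findings = []
    for ev in events:
        key, _, name = ev["target"].rpartition("\\")
        rule = (normalize_key(key), name.upper(), parse_dword(ev["details"]))
        if rule in RULES:
            findings.append((ev["image"], name, RULES[rule]))
    return findings


# Constructed events mirroring the report's indicators (not real telemetry).
HOLLOW = "C:\\Windows\\SysWOW64\\svchost.exe"
EVENTS = [
    {"image": HOLLOW, "details": '"0"',
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"image": HOLLOW, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions"},
    {"image": HOLLOW, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications"},
    {"image": HOLLOW, "details": '"0"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"image": HOLLOW, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride"},
    {"image": HOLLOW, "details": '"1"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    # Benign control: a real service host resetting the override to 0 must not fire.
    {"image": "C:\\Windows\\System32\\svchost.exe", "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride"},
]

if __name__ == "__main__":
    for image, name, why in scan(EVENTS):
        print(f"{image}: {name} -> {why}")
    print("writer looks hollowed:", suspicious_writer(HOLLOW, '"C:\\Windows\\SysWOW64\\svchost.exe"'))
```

Two points worth keeping in mind when reading the hits: the Security Center writes landed under WOW6432Node because the writer is a 32-bit process, so the 64-bit Security Center service does not see them; the EnableLUA write did not, because Policies is a shared (non-redirected) key, so that one is the change that actually takes effect at the next logon.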
Warzone RAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppxSip.url | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssignedAccessShellProxy.url | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIHClient.url | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
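Each of the three executables in the chain writes a .url shortcut into the user's Startup folder, named after a genuine Windows binary (AppxSip, AssignedAccessShellProxy, SIHClient). The report does not show the shortcuts' contents. The check below is an added example, not part of the report: it parses .url files (INI format with an [InternetShortcut] section) and flags ones whose URL is a file:// reference to an executable in a user-writable directory or whose name impersonates a Windows binary. The three shortcut bodies are constructed for the example and assume each one points at the dropped executable that wrote it; the WINDOWS_BINARIES list is a deliberately short stand-in for a real inventory.

```python
"""Triage .url shortcuts dropped into the Startup folder. Added example, not part of
the sandbox report; SAMPLES are constructed (the report does not show the contents
of the shortcuts it lists) and assume each points at the executable that wrote it."""
import configparser
import ntpath
from urllib.parse import unquote, urlparse

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Assumption: a short list of genuine Windows binary names the shortcuts imitate.
WINDOWS_BINARIES = {"appxsip", "assignedaccessshellproxy", "sihclient"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
LAUNCHABLE = (".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1")


def parse_url_file(text: str) -> dict:
    """A .url file is an INI file; only '=' is a delimiter so URLs with ':' survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep 'URL', 'IconFile' etc. as written
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def local_target(url: str):
    """Return the Windows path a file:// (or bare drive-letter) URL refers to, else None."""
    u = urlparse(url)
    if len(u.scheme) == 1:            # 'C:\...' parses as scheme 'c'
        return url.replace("/", "\\")
    if u.scheme.lower() != "file":
        return None
    path = unquote(u.path)
    if u.netloc.endswith(":"):        # file://C:/x  -> netloc 'C:'
        path = u.netloc + path
    elif path.startswith("/") and len(path) > 2 and path[2] == ":":
        path = path[1:]               # file:///C:/x -> '/C:/x'
    return path.replace("/", "\\")


def assess(shortcut_path: str, text: str) -> dict:
    fields = parse_url_file(text)
    url = fields.get("URL", "")
    target = local_target(url)
    stem = ntpath.splitext(ntpath.basename(shortcut_path))[0].lower()
    reasons = []
    if target:
        low = target.lower()
        if low.endswith(LAUNCHABLE):
            reasons.append("launches a local executable/script")
        if any(part in low for part in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
    if stem in WINDOWS_BINARIES:
        reasons.append("shortcut name impersonates a Windows binary")
    return {"shortcut": shortcut_path, "url": url, "target": target,
            "reasons": reasons, "suspicious": bool(reasons)}


def triage_startup(samples: dict) -> list:
    """samples: {shortcut path: file text}. Returns one assessment per shortcut."""
    return [assess(path, text) for path, text in samples.items()]


# Constructed shortcut bodies (the report lists only the file names).
SAMPLES = {
    ntpath.join(STARTUP, "SIHClient.url"):
        "[InternetShortcut]\nURL=file:///C:/Users/Admin/AppData/Local/Temp/Service.exe\nIconIndex=0\n",
    ntpath.join(STARTUP, "AssignedAccessShellProxy.url"):
        "[InternetShortcut]\nURL=file:///C:/Users/Admin/AppData/Local/Temp/Amadeus%20Pro.exe\n",
    ntpath.join(STARTUP, "AppxSip.url"):
        "[InternetShortcut]\nURL=file:///C:/Users/Admin/AppData/Local/Temp/"
        "b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe\n",
    # Benign control: an ordinary web bookmark in Startup should not fire.
    ntpath.join(STARTUP, "Docs.url"): "[InternetShortcut]\nURL=https://docs.example.invalid/\n",
}

if __name__ == "__main__":
    for r in triage_startup(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{flag:10} {ntpath.basename(r["shortcut"])} -> {r["target"] or r["url"]} {r["reasons"]}')
```

On a live host the same check runs over every .url in both the per-user Startup folder above and the all-users one under ProgramData; a .url pointing at a local executable is unusual enough that the file-target test alone is a reasonable hunting query.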
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4516 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe |
| PID 3456 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1804 set thread context of 3120 | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | C:\Windows\SysWOW64\svchost.exe |
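The three rows above are the final step of process hollowing at three points in the chain: the sample re-launches itself and overwrites the child (the unpacking stage), Service.exe hollows MSBuild.exe, and Amadeus Pro.exe hollows a SysWOW64 svchost.exe (the process that then writes the registry changes and autorun.inf listed elsewhere). The script below is an added example, not part of the report: it turns these rows into injection edges, classifies each, and joins them to the memory dump names under Files so the analyst knows which dump contains each unpacked payload. ROWS and DUMPS are transcribed from this page's behavioral2 tables; the 0x400000 preferred-base rule is a heuristic.

```python
"""Reconstruct the process-hollowing chain from the 'set thread context' rows and map
it onto the sandbox's memory dumps. Added example, not part of the report; ROWS and
DUMPS are transcribed from this page's behavioral2 tables."""
import re
from collections import defaultdict

SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
# Dump names have the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
ROWS = [  # (description, injecting process image, target process image)
    ("PID 4516 set thread context of 2700", SAMPLE, SAMPLE),
    ("PID 3456 set thread context of 1896",
     r"C:\Users\Admin\AppData\Local\Temp\Service.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ("PID 1804 set thread context of 3120",
     r"C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
]
DUMPS = [
    "memory/2700-137-0x0000000000000000-mapping.dmp",
    "memory/2700-139-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/1804-144-0x0000000003050000-0x000000000307B000-memory.dmp",
    "memory/1896-148-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/1896-155-0x0000000006670000-0x0000000006C14000-memory.dmp",
    "memory/3120-152-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/3120-153-0x0000000002F50000-0x0000000003FDE000-memory.dmp",
    "memory/3120-157-0x0000000000400000-0x000000000042A000-memory.dmp",  # same region dumped again
]


def parse_edges(rows):
    """Turn each signature row into an injection edge (source PID -> target PID)."""
    edges = []
    for desc, src_img, dst_img in rows:
        m = SET_CTX.search(desc)
        if m:
            edges.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                          "src": src_img, "dst": dst_img})
    return edges


def classify(edge):
    """SetThreadContext on a freshly created process is the last step of hollowing:
    into a copy of itself = crypter unpacking stage; into a Microsoft binary under
    C:\\Windows = decoy host for the real payload."""
    src, dst = edge["src"].lower(), edge["dst"].lower()
    if src == dst:
        return "self-hollowing (unpacking stage)"
    if dst.startswith("c:\\windows\\"):
        return "hollowing of a trusted Windows binary"
    return "cross-process injection"


def payload_dumps(edges, dump_names):
    """Regions the sandbox dumped from each hollowed target PID, deduplicated."""
    targets = {e["dst_pid"] for e in edges}
    regions = defaultdict(list)
    for name in dump_names:
        m = DUMP.search(name)
        if not m:
            continue  # '-mapping.dmp' entries carry no region
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if pid in targets and (start, end) not in regions[pid]:
            regions[pid].append((start, end))
    return dict(regions)


def likely_payload_image(regions):
    """Heuristic: a hollowed 32-bit PE is mapped at its preferred base, almost always
    0x400000, so the dump of that region is the unpacked payload worth carving."""
    for start, end in regions:
        if start == 0x400000:
            return (start, end)
    return None


def chain_report(rows, dump_names):
    """One record per injection edge with its class and the dump holding the payload."""
    edges = parse_edges(rows)
    dumps = payload_dumps(edges, dump_names)
    out = []
    for e in edges:
        img = likely_payload_image(dumps.get(e["dst_pid"], []))
        out.append({**e, "kind": classify(e), "payload_region": img,
                    "payload_size": (img[1] - img[0]) if img else None})
    return out


if __name__ == "__main__":
    for r in chain_report(ROWS, DUMPS):
        print(f'{r["src_pid"]} -> {r["dst_pid"]}: {r["kind"]}; payload region '
              f'{r["payload_region"]} ({r["payload_size"]} bytes)')
```

For this report the 0x400000 regions of PIDs 1896 and 3120 are the ones to carve and re-hash; the larger high-address regions in the svchost.exe target (0x2F50000 onward) are consistent with a second-stage buffer unpacked at run time and are worth a separate string and YARA pass.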
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
"C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe"
C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 20.44.10.122:443 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | seasons444.ddns.net | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| NL | 8.248.7.254:80 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| NL | 8.248.7.254:80 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| CA | 54.39.245.150:6669 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
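The network table mixes three things an analyst needs to separate: repeated DNS lookups of dynamic-DNS names (the hollowed hosts resolving C2 every few seconds), the pastebin.com fetch the "Legitimate hosting services abused" signature refers to, and the only bare TCP endpoint on a non-web port, 54.39.245.150:6669, which is the direct C2 connection. The script below is an added example, not part of the report: it parses rows in the table's format, deduplicates and classifies them, and emits Suricata rules for the confirmed indicators. SAMPLE is transcribed from the table above (the parser also tolerates rows in which an empty Domain cell has been dropped and the protocol sits in its place, a form that appears in extracted copies of these tables); the DDNS_SUFFIXES list and the port classification are assumptions made for this example.

```python
"""Triage of a sandbox network table: DNS lookups vs direct connections, dynamic-DNS
C2 names, the paste-site fetch, the bare non-web TCP endpoint, and Suricata rules for
the confirmed indicators. Added example, not part of the report; SAMPLE is transcribed
from the report's table and the suffix/port lists are assumptions for this example."""
from collections import Counter

# Assumption: suffixes treated as dynamic-DNS style hostnames for this example.
DDNS_SUFFIXES = ("ddns.net", "rapiddns.ru")
# The report's own signature names pastebin.com as abused legitimate hosting.
PASTE_SITES = ("pastebin.com",)
WEB_PORTS = (80, 443)

SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| US | 8.8.8.8:53 | seasons444.ddns.net | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| CA | 54.39.245.150:6669 | | tcp |
| CA | 54.39.245.150:6669 | tcp |
| US | 8.8.8.8:53 | grounderwarone.rapiddns.ru | udp |
| NL | 8.248.7.254:80 | | tcp |
"""


def is_ddns(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_rows(text: str) -> list:
    """Parse Country/Destination/Domain/Proto rows; tolerate a dropped Domain cell."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        rest = cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp")), "")
        ip, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def triage(rows: list) -> list:
    """Return (kind, indicator, count) triples, one per distinct lookup or endpoint."""
    lookups, endpoints = Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            lookups[r["domain"]] += 1
        else:
            endpoints[(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    findings = []
    for domain, n in lookups.items():
        if is_ddns(domain):
            findings.append(("dynamic-dns-c2-lookup", domain, n))
        elif domain in PASTE_SITES:
            findings.append(("paste-site-lookup", domain, n))
        else:
            findings.append(("dns-lookup", domain, n))
    for (ip, port, proto, domain), n in endpoints.items():
        if domain in PASTE_SITES:
            findings.append(("paste-site-fetch", f"{domain} {ip}:{port}", n))
        elif not domain and port not in WEB_PORTS:
            findings.append(("direct-c2-candidate", f"{ip}:{port}/{proto}", n))
        elif not domain:
            # Unnamed traffic on a web port is usually OS background noise in a
            # sandbox, but it needs attribution before it is discarded.
            findings.append(("unattributed-web", f"{ip}:{port}/{proto}", n))
        else:
            findings.append(("named-endpoint", f"{domain} {ip}:{port}", n))
    return findings


def suricata_rules(findings: list, sid_base: int = 1000001) -> list:
    """One rule per confirmed C2 indicator; SIDs start in the local range."""
    rules, sid = [], sid_base
    for kind, ioc, _ in findings:
        if kind == "direct-c2-candidate":
            ip, rest = ioc.split(":")
            port, proto = rest.split("/")
            rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} (msg:"C2 endpoint '
                         f'{ip}:{port} from sandbox report"; flow:to_server; sid:{sid}; rev:1;)')
            sid += 1
        elif kind == "dynamic-dns-c2-lookup":
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"C2 domain {ioc} from '
                         f'sandbox report"; dns.query; content:"{ioc}"; nocase; sid:{sid}; rev:1;)')
            sid += 1
    return rules


if __name__ == "__main__":
    found = triage(parse_rows(SAMPLE))
    for kind, ioc, n in found:
        print(f"{kind:24} {ioc:45} x{n}")
    print("\n".join(suricata_rules(found)))
```

The paste-site fetch is deliberately not turned into a rule: blocking pastebin.com by name would fire on legitimate use, and the useful indicator there is the specific paste path, which a sandbox network table does not show.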
Files
memory/1804-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
| MD5 | 8b4457fb66a7bfc6473a7b186e1a2dca |
| SHA1 | 6b372c817d41d37c5c866cdd49590f4e7256b194 |
| SHA256 | 5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c |
| SHA512 | 098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663 |
memory/3456-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
C:\Users\Admin\AppData\Local\Temp\Service.exe
| MD5 | 8c23d701fb7cacfcf9fc11a6dcb959b3 |
| SHA1 | b02c49d558e9c1a5a6ecf03736220d5c96cb7d27 |
| SHA256 | 25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48 |
| SHA512 | 4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6 |
memory/4516-136-0x0000000003F40000-0x0000000003F5A000-memory.dmp
memory/2700-137-0x0000000000000000-mapping.dmp
memory/4516-138-0x0000000003F60000-0x0000000003F7A000-memory.dmp
memory/2700-139-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4540-140-0x0000000000000000-mapping.dmp
memory/4540-141-0x0000000001230000-0x0000000001231000-memory.dmp
memory/2700-142-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3456-143-0x0000000001640000-0x0000000001648000-memory.dmp
memory/1804-144-0x0000000003050000-0x000000000307B000-memory.dmp
memory/1896-145-0x0000000000000000-mapping.dmp
memory/3120-146-0x0000000000000000-mapping.dmp
memory/3120-147-0x0000000002F50000-0x0000000003FDE000-memory.dmp
memory/1896-148-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1896-149-0x0000000005880000-0x000000000591C000-memory.dmp
memory/1804-151-0x0000000002F90000-0x0000000002FBA000-memory.dmp
memory/3456-150-0x0000000001650000-0x0000000001658000-memory.dmp
memory/3120-152-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3120-153-0x0000000002F50000-0x0000000003FDE000-memory.dmp
memory/1896-154-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/1896-155-0x0000000006670000-0x0000000006C14000-memory.dmp
memory/1896-156-0x0000000006DC0000-0x0000000006E52000-memory.dmp
memory/3120-157-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3120-158-0x0000000002F50000-0x0000000003FDE000-memory.dmp