Analysis

max time kernel: 151s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 03:43

Static task: static1
Behavioral task: behavioral1
  Sample: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  Resource: win10v2004-20220901-en

General

Target: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
Size: 535KB
MD5: 6acd1647078d560a5ec3d53f85b5c709
SHA1: 5d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA256: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA512: 08dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
SSDEEP: 12288:vSo6xg5kN530xuooqMVwsgTo6xg5kN530xuooqT:b6u5030x+gE6u5030xD
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 6 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, KHATRA.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"  [KHATRA.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"  [KHATRA.exe]

Disables RegEdit via registry modification (3 IoCs)
Processes: KHATRA.exe, KHATRA.exe, 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [KHATRA.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [KHATRA.exe]
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]

Executes dropped EXE (5 IoCs)
Processes: KHATRA.exe, KHATRA.exe, Xplorer.exe, gHost.exe, KHATRA.exe
  PID 900   KHATRA.exe
  PID 948   KHATRA.exe
  PID 552   Xplorer.exe
  PID 1364  gHost.exe
  PID 844   KHATRA.exe

Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes: netsh.exe, netsh.exe, netsh.exe
  PID 896   netsh.exe
  PID 1844  netsh.exe
  PID 1312  netsh.exe

Loads dropped DLL (8 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, gHost.exe
  PID 1564  0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe  (2 entries)
  PID 900   KHATRA.exe  (4 entries)
  PID 1364  gHost.exe  (2 entries)

Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
Processes: OUTLOOK.EXE
  Key opened   \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  [OUTLOOK.EXE]
  Key created  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  [OUTLOOK.EXE]
  Key queried  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  [OUTLOOK.EXE]
  Key created  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  [OUTLOOK.EXE]
  Key queried  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  [OUTLOOK.EXE]

Adds Run key to start application (2 TTPs, 11 IoCs)
Processes: KHATRA.exe, 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe"  [KHATRA.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"  [KHATRA.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"  [KHATRA.exe]

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gHost.exe
  File opened (read-only) by gHost.exe, one entry per drive letter, in the order recorded:
  \??\k:  \??\o:  \??\p:  \??\u:  \??\v:  \??\y:  \??\b:  \??\i:  \??\l:  \??\m:  \??\n:  \??\s:
  \??\x:  \??\e:  \??\f:  \??\j:  \??\r:  \??\z:  \??\a:  \??\h:  \??\t:  \??\w:  \??\g:  \??\q:

Modifies WinLogon (2 TTPs, 3 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, KHATRA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"  [KHATRA.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"  [KHATRA.exe]

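The four registry signatures above (Policies\Explorer\Run, CurrentVersion\Run, Winlogon\Taskman and DisableRegistryTools) are the kind of telemetry a detection engineer turns into rules. The following Python is an example added by the editor, not sandbox output: it parses registry IoC lines in the flattened form this report uses, unescapes the quoted data, and classifies each write. The SAMPLE lines are copied from this report; the "unusual launch location" baseline (executables started from C:\Windows itself or from C:\Windows\System rather than System32/SysWOW64) is an assumption of the example, chosen because that is where this sample drops Xplorer.exe and gHost.exe.

```python
"""Classify flattened sandbox registry IoC lines into persistence / defence-evasion findings.

Editor's example: the line format is the one this report uses, the SAMPLE lines are
copied from the report, and the 'unusual launch location' baseline is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    desc: str             # "Key created", "Set value (str)", ...
    key: str              # full \REGISTRY\... path (value name included for Set value)
    value: Optional[str]  # unescaped data for Set value lines, None otherwise
    proc: str             # process that performed the operation


_DESC = re.compile(r'^(Key (?:created|opened|queried)|Set value \((?:str|int)\))\s+(.+)$')
POLICY_RUN = re.compile(r'\\Policies\\Explorer\\Run\\[^\\]+$', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\[^\\]+$', re.I)
# Directories from which an auto-started EXE is unexpected (assumed baseline, not from the report).
UNUSUAL_DIRS = {r'c:\windows', r'c:\windows\system'}


def parse_line(line: str) -> Optional[RegEvent]:
    """Parse one flattened IoC line; return None if the line is not a registry IoC."""
    m = _DESC.match(line.strip())
    if not m:
        return None
    desc, rest = m.groups()
    rest, proc = rest.rsplit(None, 1)              # the process name is always the last token
    value = None
    if ' = "' in rest:
        rest, raw = rest.split(' = "', 1)
        value = re.sub(r'\\(.)', r'\1', raw[:-1])  # drop closing quote, unescape \\ and \"
    return RegEvent(desc, rest, value, proc)


def exe_path(value: str) -> str:
    """Executable referenced by a Run-style value: the quoted path, or the first token."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(' ', 1)[0]


def classify(ev: RegEvent) -> list[str]:
    """Return the findings that apply to one registry write (empty for reads and key creates)."""
    findings: list[str] = []
    if ev.value is None:
        return findings
    k = ev.key.lower()
    if POLICY_RUN.search(ev.key):
        findings.append('persistence: Policies\\Explorer\\Run')
    elif RUN_KEY.search(ev.key):
        findings.append('persistence: CurrentVersion\\Run')
    if k.endswith(r'\winlogon\taskman'):
        findings.append('persistence: Winlogon Taskman replaced')
    if k.endswith(r'\policies\system\disableregistrytools') and ev.value == '1':
        findings.append('defence evasion: registry tools disabled')
    if any(f.startswith('persistence') for f in findings):
        path = exe_path(ev.value)
        parent = path.rsplit('\\', 1)[0].lower() if '\\' in path else ''
        if parent in UNUSUAL_DIRS:
            findings.append(f'unusual launch location: {path}')
    return findings


def scan(report_text: str) -> dict[tuple[str, str], list[str]]:
    """Map each flagged (key, value) pair to its sorted, de-duplicated findings."""
    out: dict[tuple[str, str], set[str]] = {}
    for line in report_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            hits = classify(ev)
            if hits:
                out.setdefault((ev.key, ev.value), set()).update(hits)
    return {k: sorted(v) for k, v in out.items()}


# Constructed input: one representative line per registry signature in this report.
SAMPLE = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe
'''

if __name__ == '__main__':
    for (key, value), hits in scan(SAMPLE).items():
        print(f'{key} = {value}')
        for h in hits:
            print(f'    {h}')
```

The Window Title write is deliberately included and produces nothing: cosmetic changes are worth recording but not alerting on, whereas a Policies\Explorer\Run value pointing at C:\Windows\System\gHost.exe is both a persistence mechanism and a file in a directory nothing legitimate starts from. The same classify() runs unchanged over live telemetry once the events are mapped onto RegEvent.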
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Processes: (memory regions matched by yara rule autoit_exe)
  behavioral1/memory/1564-61-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/900-66-0x0000000000400000-0x00000000004CC000-memory.dmp    autoit_exe
  behavioral1/memory/948-81-0x0000000000400000-0x00000000004CC000-memory.dmp    autoit_exe
  behavioral1/memory/552-82-0x0000000000400000-0x00000000004CC000-memory.dmp    autoit_exe
  behavioral1/memory/1364-95-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/948-103-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/900-122-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/844-135-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/1564-148-0x0000000000400000-0x00000000004CC000-memory.dmp  autoit_exe
  behavioral1/memory/552-150-0x0000000000400000-0x00000000004CC000-memory.dmp   autoit_exe
  behavioral1/memory/1364-151-0x0000000000400000-0x00000000004CC000-memory.dmp  autoit_exe

Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, KHATRA.exe
  File created  C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File created  C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF  [KHATRA.exe]
  File created  C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF  [KHATRA.exe]

Drops file in System32 directory (18 IoCs)
Processes: OUTLOOK.EXE, 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, KHATRA.exe
  File created                 C:\Windows\system32\perfc011.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfc00A.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfc00C.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfh00C.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfc010.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfh011.dat  [OUTLOOK.EXE]
  File opened for modification C:\Windows\SysWOW64\KHATRA.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File created                 C:\Windows\system32\perfh009.dat  [OUTLOOK.EXE]
  File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfh007.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfh00A.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfh010.dat  [OUTLOOK.EXE]
  File created                 C:\Windows\SysWOW64\KHATRA.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File created                 C:\Windows\SysWOW64\PerfStringBackup.TMP  [OUTLOOK.EXE]
  File created                 C:\Windows\system32\perfc009.dat  [OUTLOOK.EXE]
  File opened for modification C:\Windows\SysWOW64\KHATRA.exe  [KHATRA.exe]
  File opened for modification C:\Windows\SysWOW64\KHATRA.exe  [KHATRA.exe]
  File created                 C:\Windows\system32\perfc007.dat  [OUTLOOK.EXE]

Drops file in Windows directory (18 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, OUTLOOK.EXE, KHATRA.exe, KHATRA.exe
  File opened for modification C:\Windows\Xplorer.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File created                 C:\Windows\KHATARNAKH.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File opened for modification C:\Windows\inf\Autoplay.inF  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File opened for modification C:\Windows\inf\Outlook\outlperf.h  [OUTLOOK.EXE]
  File opened for modification C:\Windows\inf\Autoplay.inF  [KHATRA.exe]
  File created                 C:\Windows\Xplorer.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File opened for modification C:\Windows\KHATARNAKH.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File opened for modification C:\Windows\Xplorer.exe  [KHATRA.exe]
  File opened for modification C:\Windows\inf\Autoplay.inF  [KHATRA.exe]
  File created                 C:\Windows\inf\Outlook\outlperf.h  [OUTLOOK.EXE]
  File created                 C:\Windows\System\gHost.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File opened for modification C:\Windows\system\gHost.exe  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  File created                 C:\Windows\inf\Outlook\0009\outlperf.ini  [OUTLOOK.EXE]
  File opened for modification C:\Windows\system\gHost.exe  [KHATRA.exe]
  File opened for modification C:\Windows\system\gHost.exe  [KHATRA.exe]
  File opened for modification C:\Windows\KHATARNAKH.exe  [KHATRA.exe]
  File opened for modification C:\Windows\Xplorer.exe  [KHATRA.exe]
  File opened for modification C:\Windows\KHATARNAKH.exe  [KHATRA.exe]

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Unnamed signature (its heading did not survive in the captured page): Internet Explorer registry keys (15 IoCs)
Processes: KHATRA.exe, 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, OUTLOOK.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"  [KHATRA.exe]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"  [0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"  [KHATRA.exe]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar  [OUTLOOK.EXE]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  [OUTLOOK.EXE]
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  [OUTLOOK.EXE]
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  [OUTLOOK.EXE]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt  [OUTLOOK.EXE]
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  [OUTLOOK.EXE]
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  [OUTLOOK.EXE]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main  [KHATRA.exe]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main  [KHATRA.exe]
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  [OUTLOOK.EXE]
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  [OUTLOOK.EXE]

Modifies registry class (64 IoCs)
Processes: OUTLOOK.EXE
All 64 entries are COM interface registrations below \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\ performed by OUTLOOK.EXE; paths are given relative to that prefix.
  Key created      {00067368-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000672F7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Set value (str)  {000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {000630A8-0000-0000-C000-000000000046}\ = "ItemProperties"
  Key created      {000630C9-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000630CC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {000630D9-0000-0000-C000-000000000046}
  Key created      {000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {00063083-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000672F6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {00067355-0000-0000-C000-000000000046}\ = "_OlkSenderPhoto"
  Set value (str)  {00063002-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630E8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000630C4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {0006300F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {0006F025-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {000672E3-0000-0000-C000-000000000046}
  Set value (str)  {000672F0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {00063103-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {00063008-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {0006307C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {0006300D-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {000630ED-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {00063020-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {0006F025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32
  Key created      {000630FD-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000630C4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {00063103-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630C2-0000-0000-C000-000000000046}
  Key created      {00063077-0000-0000-C000-000000000046}
  Set value (str)  {00063073-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {000630E9-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {000630D1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {000630E3-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630A7-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063036-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {00063039-0000-0000-C000-000000000046}
  Key created      {000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {000630E2-0000-0000-C000-000000000046}
  Set value (str)  {0006304C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000630F2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630C5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {0006307B-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063070-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063020-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000672FB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {00063087-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063009-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {00063009-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063025-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {000630EB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {00063096-0000-0000-C000-000000000046}
  Set value (str)  {00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      {000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {000630F0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {000630F3-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {00067352-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {0006303D-0000-0000-C000-000000000046}
  Set value (str)  {000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {00063102-0000-0000-C000-000000000046}\ = "_SimpleItems"

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: OUTLOOK.EXE
  PID 1612  OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  PID 1564  0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe  (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
Processes: Xplorer.exe, gHost.exe, OUTLOOK.EXE
  PID 552   Xplorer.exe
  PID 1364  gHost.exe
  PID 1612  OUTLOOK.EXE

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, OUTLOOK.EXE, KHATRA.exe
  PID 1564  0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  PID 900   KHATRA.exe
  PID 1612  OUTLOOK.EXE  (3 entries)
  PID 844   KHATRA.exe

Suspicious use of SendNotifyMessage (5 IoCs)
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, OUTLOOK.EXE, KHATRA.exe
  PID 1564  0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
  PID 900   KHATRA.exe
  PID 1612  OUTLOOK.EXE  (2 entries)
  PID 844   KHATRA.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: OUTLOOK.EXE
  PID 1612  OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe, KHATRA.exe, cmd.exe (6 instances)
description | pid | process | target process | entries
PID 1564 wrote to memory of 900 | 1564 | 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe | KHATRA.exe | 4
PID 900 wrote to memory of 948 | 900 | KHATRA.exe | KHATRA.exe | 4
PID 1564 wrote to memory of 552 | 1564 | 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe | Xplorer.exe | 4
PID 900 wrote to memory of 1364 | 900 | KHATRA.exe | gHost.exe | 4
PID 1564 wrote to memory of 1832 | 1564 | 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe | cmd.exe | 4
PID 1832 wrote to memory of 1396 | 1832 | cmd.exe | at.exe | 4
PID 1564 wrote to memory of 1416 | 1564 | 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe | cmd.exe | 4
PID 1416 wrote to memory of 1628 | 1416 | cmd.exe | at.exe | 4
PID 900 wrote to memory of 2008 | 900 | KHATRA.exe | cmd.exe | 4
PID 2008 wrote to memory of 1272 | 2008 | cmd.exe | at.exe | 4
PID 900 wrote to memory of 1752 | 900 | KHATRA.exe | cmd.exe | 4
PID 1752 wrote to memory of 1636 | 1752 | cmd.exe | at.exe | 4
PID 1564 wrote to memory of 1844 | 1564 | 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe | cmd.exe | 4
PID 1844 wrote to memory of 1808 | 1844 | cmd.exe | regsvr32.exe | 7
PID 900 wrote to memory of 864 | 900 | KHATRA.exe | cmd.exe | 4
PID 864 wrote to memory of 1900 | 864 | cmd.exe | regsvr32.exe | 1
Note: every target in this table is a direct child that the writing process had just started (the same parent/child image pairs appear in the process tree below), which is consistent with the writes CreateProcess itself makes into a newly created child while setting it up rather than with injection into an unrelated running process. The list stops at 64 entries part-way through the 864 -> 1900 group, so 64 is the report's display cap, not the true count.
outlook_win_path 1 IoCs
Processes: OUTLOOK.EXE
description | ioc | process
Key queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe"
   - Adds policy Run key to start application
   - Disables RegEdit via registry modification
   - Loads dropped DLL
   - Adds Run key to start application
   - Modifies WinLogon
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\SysWOW64\KHATRA.exe
      cmdline: C:\Windows\system32\KHATRA.exe
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies WinLogon
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\KHATRA.exe
         cmdline: C:\Windows\system32\KHATRA.exe
         - Executes dropped EXE
      3⤵ C:\Windows\System\gHost.exe
         cmdline: "C:\Windows\System\gHost.exe" /Reproduce
         - Executes dropped EXE
         - Loads dropped DLL
         - Enumerates connected drives
         - Suspicious behavior: GetForegroundWindowSpam
         4⤵ C:\Windows\SysWOW64\KHATRA.exe
            cmdline: C:\Windows\system32\KHATRA.exe
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies WinLogon
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            5⤵ C:\Windows\SysWOW64\cmd.exe
               cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
               6⤵ C:\Windows\SysWOW64\at.exe
                  cmdline: AT /delete /yes
            5⤵ C:\Windows\SysWOW64\cmd.exe
               cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
               6⤵ C:\Windows\SysWOW64\at.exe
                  cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
            5⤵ C:\Windows\SysWOW64\cmd.exe
               cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
               6⤵ C:\Windows\SysWOW64\regsvr32.exe
                  cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll
            5⤵ C:\Windows\SysWOW64\cmd.exe
               cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
               6⤵ C:\Windows\SysWOW64\netsh.exe
                  cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                  - Modifies Windows Firewall
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
         - Suspicious use of WriteProcessMemory
         4⤵ C:\Windows\SysWOW64\at.exe
            cmdline: AT /delete /yes
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
         - Suspicious use of WriteProcessMemory
         4⤵ C:\Windows\SysWOW64\at.exe
            cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
         - Suspicious use of WriteProcessMemory
         4⤵ C:\Windows\SysWOW64\regsvr32.exe
            cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
         4⤵ C:\Windows\SysWOW64\netsh.exe
            cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
            - Modifies Windows Firewall
   2⤵ C:\Windows\Xplorer.exe
      cmdline: "C:\Windows\Xplorer.exe" /Windows
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\at.exe
         cmdline: AT /delete /yes
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\at.exe
         cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\regsvr32.exe
         cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll
   2⤵ C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      3⤵ C:\Windows\SysWOW64\netsh.exe
         cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
         - Modifies Windows Firewall
1⤵ C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
   cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
   - Accesses Microsoft Outlook profiles
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - outlook_win_path
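The process tree above spells out the persistence and defense-evasion chain as separate command lines: an AT wipe, a daily AT job, a silent RegSvr32 load of avphost.dll, and a netsh firewall exception for KHATRA.exe, each launched through cmd.exe by a copy of the sample. The script below is an added example, not part of this report and not the sample's own code, showing how an analyst turns such records into findings: it tokenises each command line, flags those four techniques, reports executables launched from under C:\Windows, and reconstructs the parent chain of every finding. RECORDS is constructed from the tree; PIDs come from the WriteProcessMemory table where it gives them, and the two netsh PIDs (9001, 9002) are assumed because the report does not list them. One caveat the code encodes: the dropper runs as a 32-bit process (its children appear under SysWOW64 although the command lines say system32) and the dropped-file list only shows KHATRA.exe under SysWOW64, while the AT job string C:\Windows\system32\KHATRA.exe is run by the Schedule service, a native process on x64 with no WOW64 path redirection, so on an x64 host the scheduled path is worth checking before treating the job as working persistence.

```python
"""Triage of a sandbox process tree (added example; not the report's or the sample's code).

RECORDS is constructed from the report above: PIDs are taken from its
WriteProcessMemory table where given; 9001/9002 are assumed.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe"

# (pid, parent pid, image path, command line)
RECORDS = [
    (1564, 0, SAMPLE, '"%s"' % SAMPLE),
    (900, 1564, r"C:\Windows\SysWOW64\KHATRA.exe", r"C:\Windows\system32\KHATRA.exe"),
    (948, 900, r"C:\Windows\SysWOW64\KHATRA.exe", r"C:\Windows\system32\KHATRA.exe"),
    (1364, 900, r"C:\Windows\System\gHost.exe", r'"C:\Windows\System\gHost.exe" /Reproduce'),
    (552, 1564, r"C:\Windows\Xplorer.exe", r'"C:\Windows\Xplorer.exe" /Windows'),
    (1832, 1564, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /C AT /delete /yes"),
    (1396, 1832, r"C:\Windows\SysWOW64\at.exe", r"AT /delete /yes"),
    (1416, 1564, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe"),
    (1628, 1416, r"C:\Windows\SysWOW64\at.exe",
     r"AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe"),
    (1844, 1564, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll"),
    (1808, 1844, r"C:\Windows\SysWOW64\regsvr32.exe", r"RegSvr32 /S C:\Windows\system32\avphost.dll"),
    (9001, 1564, r"C:\Windows\SysWOW64\cmd.exe",  # assumed pid
     r"C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System"),
    (9002, 9001, r"C:\Windows\SysWOW64\netsh.exe",  # assumed pid
     r"netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# System binaries the dropper drives from SysWOW64; any other executable it
# runs from under C:\Windows is treated as a dropped payload.
LOLBINS = {"cmd.exe", "at.exe", "regsvr32.exe", "netsh.exe"}


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths whole (quotes removed)."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def lineage(records, pid):
    """Image file names from the root ancestor down to pid."""
    by_pid = {r[0]: r for r in records}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain[::-1]


def triage(records):
    """Return one finding dict per matched rule: pid, rule, detail, parent chain."""
    findings = []

    def add(pid, rule, detail):
        findings.append({"pid": pid, "rule": rule, "detail": detail,
                         "chain": lineage(records, pid)})

    for pid, _ppid, image, cmd in records:
        exe = image.rsplit("\\", 1)[-1].lower()
        wow64 = "\\syswow64\\" in image.lower()
        toks = tokens(cmd)
        low = [t.lower() for t in toks]

        if exe == "at.exe":
            if "/delete" in low and "/yes" in low:
                add(pid, "at_delete_all", "removes every existing AT job without confirmation")
            if any(t.startswith("/every:") for t in low):
                target = toks[-1]
                detail = "recurring AT job running " + target
                if wow64 and target.lower().startswith("c:\\windows\\system32\\"):
                    # The job string is stored literally and run by the Schedule service,
                    # a native 64-bit process on x64 without WOW64 file-system redirection,
                    # whereas this 32-bit caller's own files were redirected to SysWOW64.
                    detail += " (unredirected path: verify the file exists in the real System32 on x64)"
                add(pid, "at_persistence", detail)
                if "/interactive" in low:
                    add(pid, "at_interactive", "job may interact with the logged-on user's desktop")
        elif exe == "netsh.exe" and "firewall" in low and "allowedprogram" in low:
            kv = dict(t.split("=", 1) for t in toks if "=" in t)
            add(pid, "firewall_exception",
                "%s allowed through Windows Firewall as %r" % (kv.get("program"), kv.get("name")))
        elif exe == "regsvr32.exe":
            mode = "silently" if "/s" in low else "with UI"
            add(pid, "regsvr32_load", "%s registered %s" % (toks[-1], mode))
        elif image.lower().startswith("c:\\windows\\") and exe not in LOLBINS:
            add(pid, "dropped_exe_in_windows", image)
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(RECORDS):
        print("%5d %-24s %s   [%s]" % (f["pid"], f["rule"], f["detail"], " > ".join(f["chain"])))
```

The rules are deliberately keyed on the command-line tokens rather than on process names alone, because every one of these techniques is carried by a legitimate system binary; the parent chain attached to each finding is what lets a reviewer see that cmd.exe, at.exe and netsh.exe were all started by a copy of the sample.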
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize: not recorded
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these are the digests of zero-length input, so this entry is an empty capture of the file, not a usable IoC; the 1KB entry below is the real shortcut.
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize: 1KB
MD5: 275dba3380d67058985e708ab3744d6e
SHA1: 0634ee49b2dbb29421182513d83b5f7f14f83e5c
SHA256: d5886fcc229e42776ee5dddf00679aa981cd3cfb78dc929cf30e2745b57fa47e
SHA512: f8e38f4069a56ac56356dad8591cbe1cb09526bd4ae97e99c7d2e106994e5e97fd727de35e22290a030f838abcbff57b81a24e4f52f12d723dea4784feffc5c4
-
C:\Windows\inf\Autoplay.inF (recorded twice)
Filesize: 234B
MD5: 7ae2f1a7ce729d91acfef43516e5a84c
SHA1: ebbc99c7e5ac5679de2881813257576ec980fb44
SHA256: 43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512: 915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
\??\PIPE\atsvc
Filesize: not recorded
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: zero-length digests again; this is the named pipe at.exe uses to talk to the Schedule service for the AT jobs in the process tree, not a dropped file.
-
Copies of the submitted sample. Each of the following entries is 535KB and byte-identical to the sample (MD5 6acd1647078d560a5ec3d53f85b5c709, SHA1 5d55d16df9e337800c7410a819ee7b56f7b4b31e, SHA256 0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9, SHA512 08dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9), listed in the order the report records them:
C:\Windows\KHATARNAKH.exe
C:\Windows\SysWOW64\KHATRA.exe (4 entries)
C:\Windows\Xplorer.exe (2 entries)
C:\Windows\system\gHost.exe (2 entries)
C:\\KHATRA.exe
\Windows\SysWOW64\KHATRA.exe (6 entries)
\Windows\system\gHost.exe (2 entries)
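The dropped-file list is long because the sandbox records every write, but it contains only three distinct payloads: the sample copying itself under new names, a small .inF file, and a startup shortcut, plus two entries whose digests are those of empty input. The script below is an added example, not part of the report, that makes this visible for triage: it recomputes the empty-input digests to confirm which entries are empty captures, buckets each entry as a self-copy, an empty capture or something else, and collapses the list into a deduplicated hash-to-paths table that can be used as file IoCs. DROPS is constructed from the entries above, with sizes as the report rounds them.

```python
"""Triage of a sandbox dropped-file list (added example; not the report's or the sample's code).

DROPS is constructed from the report's Downloads list above; hashes are copied
from it and sizes are the report's rounded strings.
"""
import hashlib

SAMPLE_SHA256 = "0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9"
SELF = ("535KB", "6acd1647078d560a5ec3d53f85b5c709", SAMPLE_SHA256)
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# (path, filesize, md5, sha256); one tuple per entry in the report's list
DROPS = [
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK", "",
     EMPTY_MD5, EMPTY_SHA256),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK", "1KB",
     "275dba3380d67058985e708ab3744d6e",
     "d5886fcc229e42776ee5dddf00679aa981cd3cfb78dc929cf30e2745b57fa47e"),
    (r"C:\Windows\KHATARNAKH.exe",) + SELF,
    *[(r"C:\Windows\SysWOW64\KHATRA.exe",) + SELF] * 4,
    *[(r"C:\Windows\Xplorer.exe",) + SELF] * 2,
    *[(r"C:\Windows\inf\Autoplay.inF", "234B",
       "7ae2f1a7ce729d91acfef43516e5a84c",
       "43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98")] * 2,
    *[(r"C:\Windows\system\gHost.exe",) + SELF] * 2,
    (r"C:\KHATRA.exe",) + SELF,
    (r"\??\PIPE\atsvc", "", EMPTY_MD5, EMPTY_SHA256),
    *[(r"\Windows\SysWOW64\KHATRA.exe",) + SELF] * 6,
    *[(r"\Windows\system\gHost.exe",) + SELF] * 2,
]

# Digests of zero-length input, recomputed so the "empty capture" test does not
# rely on remembering the constants.
EMPTY = {"md5": hashlib.md5(b"").hexdigest(), "sha256": hashlib.sha256(b"").hexdigest()}


def classify(drops, sample_sha256):
    """Bucket each entry: self-copy of the sample, empty capture, or other artifact."""
    out = {"self_copy": [], "empty_capture": [], "other": []}
    for path, size, md5, sha256 in drops:
        if sha256 == sample_sha256:
            out["self_copy"].append(path)
        elif md5 == EMPTY["md5"] and sha256 == EMPTY["sha256"]:
            out["empty_capture"].append(path)
        else:
            out["other"].append((path, size, sha256))
    return out


def ioc_table(drops):
    """Deduplicated file IoCs: sha256 -> sorted unique paths, with empty captures dropped."""
    table = {}
    for path, _size, md5, sha256 in drops:
        if md5 == EMPTY["md5"]:
            continue
        table.setdefault(sha256, set()).add(path)
    return {h: sorted(p) for h, p in table.items()}


if __name__ == "__main__":
    buckets = classify(DROPS, SAMPLE_SHA256)
    print("self-copies of the sample:", len(buckets["self_copy"]))
    print("empty captures:", buckets["empty_capture"])
    for sha256, paths in ioc_table(DROPS).items():
        print(sha256, "->", paths)
```

Keying the table on SHA256 rather than on path is what collapses the eighteen self-copy entries into one IoC with seven locations; filtering on the empty-input digest keeps the (Empty).LNK placeholder and the atsvc pipe out of any blocklist built from the report.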
- memory/552-76-0x0000000000000000-mapping.dmp
- memory/552-150-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/552-82-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/596-141-0x0000000000000000-mapping.dmp
- memory/844-136-0x00000000003B0000-0x00000000003C0000-memory.dmp (Filesize 64KB)
- memory/844-126-0x0000000000000000-mapping.dmp
- memory/844-135-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/864-106-0x0000000000000000-mapping.dmp
- memory/896-113-0x0000000000000000-mapping.dmp
- memory/900-122-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/900-66-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/900-123-0x0000000003E40000-0x0000000003F01000-memory.dmp (Filesize 772KB)
- memory/900-57-0x0000000000000000-mapping.dmp
- memory/900-80-0x0000000003E40000-0x0000000003F0C000-memory.dmp (Filesize 816KB)
- memory/900-79-0x00000000008E0000-0x00000000008F0000-memory.dmp (Filesize 64KB)
- memory/912-133-0x0000000000000000-mapping.dmp
- memory/948-81-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/948-73-0x0000000000000000-mapping.dmp
- memory/948-103-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1068-142-0x0000000000000000-mapping.dmp
- memory/1260-111-0x0000000000000000-mapping.dmp
- memory/1272-96-0x0000000000000000-mapping.dmp
- memory/1296-144-0x0000000000000000-mapping.dmp
- memory/1312-112-0x0000000000000000-mapping.dmp
- memory/1320-132-0x0000000000000000-mapping.dmp
- memory/1364-130-0x0000000002490000-0x000000000255C000-memory.dmp (Filesize 816KB)
- memory/1364-127-0x0000000002490000-0x000000000255C000-memory.dmp (Filesize 816KB)
- memory/1364-151-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1364-95-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1364-85-0x0000000000000000-mapping.dmp
- memory/1396-89-0x0000000000000000-mapping.dmp
- memory/1416-91-0x0000000000000000-mapping.dmp
- memory/1564-148-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1564-147-0x0000000003B50000-0x0000000003C1C000-memory.dmp (Filesize 816KB)
- memory/1564-149-0x0000000000380000-0x0000000000390000-memory.dmp (Filesize 64KB)
- memory/1564-61-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1564-65-0x0000000003B50000-0x0000000003C1C000-memory.dmp (Filesize 816KB)
- memory/1564-62-0x0000000000380000-0x0000000000390000-memory.dmp (Filesize 64KB)
- memory/1564-54-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize 8KB)
- memory/1612-140-0x00000000736ED000-0x00000000736F8000-memory.dmp (Filesize 44KB)
- memory/1612-121-0x000000006C5C1000-0x000000006C5C3000-memory.dmp (Filesize 8KB)
- memory/1612-116-0x0000000072701000-0x0000000072703000-memory.dmp (Filesize 8KB)
- memory/1612-117-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1612-118-0x00000000736ED000-0x00000000736F8000-memory.dmp (Filesize 44KB)
- memory/1612-120-0x000000006CDD1000-0x000000006CDD3000-memory.dmp (Filesize 8KB)
- memory/1628-92-0x0000000000000000-mapping.dmp
- memory/1636-101-0x0000000000000000-mapping.dmp
- memory/1636-138-0x0000000000000000-mapping.dmp
- memory/1752-100-0x0000000000000000-mapping.dmp
- memory/1776-137-0x0000000000000000-mapping.dmp
- memory/1808-105-0x0000000000000000-mapping.dmp
- memory/1832-88-0x0000000000000000-mapping.dmp
- memory/1844-145-0x0000000000000000-mapping.dmp
- memory/1844-104-0x0000000000000000-mapping.dmp
- memory/1900-108-0x0000000000000000-mapping.dmp
- memory/1996-110-0x0000000000000000-mapping.dmp
- memory/2008-94-0x0000000000000000-mapping.dmp