Analysis
-
max time kernel
152s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
23-11-2022 16:03
General
-
Target
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
-
Size
722KB
-
MD5
1a215650cb80822806662b810a828934
-
SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254
-
SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
-
SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
SSDEEP
6144:PBaZA6AM5tm1BS4i4jARHKhyFxQZZxbDGABUs4r110glX1Wt10grAdRgK0EQ:PcA6SbVi42BFx8dDlMB1fe1nAdmn
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Adds policy Run key to start application 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 3 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies Windows Firewall 1 TTPs 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 10 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 3 IoCs
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 20 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 15 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding3⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeC:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe3⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Xplorer.exe"C:\Windows\Xplorer.exe" /Windows4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System\gHost.exe"C:\Windows\System\gHost.exe" /Reproduce5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe6⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\at.exeAT /delete /yes8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System8⤵
- Modifies Windows Firewall
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll4⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
- Modifies Windows Firewall
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Modifies Windows Firewall
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\Xplorer.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\Xplorer.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\system\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\system\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Windows\system\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
\Windows\system\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
memory/284-359-0x0000000000000000-mapping.dmp
-
memory/520-80-0x0000000000000000-mapping.dmp
-
memory/520-78-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/520-82-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/520-307-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/520-102-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/544-308-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/544-111-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/544-309-0x0000000004090000-0x0000000004151000-memory.dmpFilesize
772KB
-
memory/544-88-0x0000000000000000-mapping.dmp
-
memory/544-112-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/672-222-0x0000000000000000-mapping.dmp
-
memory/688-101-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/688-69-0x0000000000000000-mapping.dmp
-
memory/688-306-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/688-110-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/700-121-0x0000000000000000-mapping.dmp
-
memory/768-129-0x0000000000000000-mapping.dmp
-
memory/856-223-0x0000000000000000-mapping.dmp
-
memory/872-127-0x0000000000000000-mapping.dmp
-
memory/992-426-0x000000007315D000-0x0000000073168000-memory.dmpFilesize
44KB
-
memory/992-250-0x000000007315D000-0x0000000073168000-memory.dmpFilesize
44KB
-
memory/1032-120-0x0000000000000000-mapping.dmp
-
memory/1164-420-0x0000000000000000-mapping.dmp
-
memory/1248-151-0x0000000000000000-mapping.dmp
-
memory/1360-413-0x0000000000000000-mapping.dmp
-
memory/1376-113-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1376-98-0x0000000000000000-mapping.dmp
-
memory/1376-1029-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1384-118-0x0000000000000000-mapping.dmp
-
memory/1396-131-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1396-133-0x0000000000000000-mapping.dmp
-
memory/1396-134-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1396-63-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1396-62-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1396-56-0x0000000000000000-mapping.dmp
-
memory/1396-71-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1396-64-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1512-332-0x0000000000000000-mapping.dmp
-
memory/1556-117-0x0000000000000000-mapping.dmp
-
memory/1600-59-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1600-66-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/1600-1026-0x0000000000120000-0x0000000000166000-memory.dmpFilesize
280KB
-
memory/1600-1025-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1600-61-0x0000000000120000-0x0000000000166000-memory.dmpFilesize
280KB
-
memory/1600-107-0x0000000004090000-0x0000000004180000-memory.dmpFilesize
960KB
-
memory/1600-1028-0x0000000002420000-0x0000000002430000-memory.dmpFilesize
64KB
-
memory/1600-1027-0x0000000000120000-0x0000000000166000-memory.dmpFilesize
280KB
-
memory/1600-106-0x0000000002420000-0x0000000002430000-memory.dmpFilesize
64KB
-
memory/1612-349-0x0000000002440000-0x0000000002450000-memory.dmpFilesize
64KB
-
memory/1612-314-0x0000000000000000-mapping.dmp
-
memory/1612-323-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1624-236-0x0000000000000000-mapping.dmp
-
memory/1652-336-0x0000000000000000-mapping.dmp
-
memory/1660-322-0x0000000002830000-0x0000000002920000-memory.dmpFilesize
960KB
-
memory/1660-321-0x0000000002830000-0x0000000002920000-memory.dmpFilesize
960KB
-
memory/1660-128-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1660-105-0x0000000000000000-mapping.dmp
-
memory/1660-1030-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1724-142-0x0000000000000000-mapping.dmp
-
memory/1788-352-0x0000000000000000-mapping.dmp
-
memory/1804-125-0x0000000000000000-mapping.dmp
-
memory/1816-115-0x0000000000000000-mapping.dmp
-
memory/1872-327-0x0000000000000000-mapping.dmp
-
memory/1948-124-0x0000000000000000-mapping.dmp
-
memory/2004-114-0x0000000000000000-mapping.dmp
-
memory/2032-343-0x0000000000000000-mapping.dmp
-
memory/2036-237-0x0000000000000000-mapping.dmp