Analysis
max time kernel: 152s
max time network: 126s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 16:03
Static task: static1
Behavioral task: behavioral1
Sample: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Resource: win7-20220901-en
General
Target: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Size: 722KB
MD5: 1a215650cb80822806662b810a828934
SHA1: 351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512: e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
SSDEEP: 6144:PBaZA6AM5tm1BS4i4jARHKhyFxQZZxbDGABUs4r110glX1Wt10grAdRgK0EQ:PcA6SbVi42BFx8dDlMB1fe1nAdmn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Adds policy Run key to start application (2 TTPs, 6 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, KHATRA.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Disables RegEdit via registry modification (3 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, KHATRA.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Executes dropped EXE (6 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe, WaterMark.exe, KHATRA.exe, Xplorer.exe, gHost.exe, KHATRA.exe
pid | process
1396 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
688 | WaterMark.exe
544 | KHATRA.exe
1376 | Xplorer.exe
1660 | gHost.exe
1612 | KHATRA.exe
Modifies Windows Firewall (1 TTPs, 3 IoCs)
Processes: netsh.exe, netsh.exe, netsh.exe
pid | process
1164 | netsh.exe
2036 | netsh.exe
1624 | netsh.exe
Processes:
resource | yara_rule
behavioral1/memory/1396-62-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1396-63-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral1/memory/1396-64-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1396-71-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/688-101-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral1/memory/688-110-0x0000000000400000-0x0000000000446000-memory.dmp | upx
behavioral1/memory/688-306-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Loads dropped DLL (10 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe, Xplorer.exe, gHost.exe
pid | process
1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
1396 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
1396 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
1376 | Xplorer.exe
1376 | Xplorer.exe
1660 | gHost.exe
1660 | gHost.exe
Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
Processes: OUTLOOK.EXE
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Key queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
Key queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | OUTLOOK.EXE
Adds Run key to start application (2 TTPs, 9 IoCs)
Processes: KHATRA.exe, KHATRA.exe, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\Xplorer.exe" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: gHost.exe
description | ioc | process
File opened (read-only) | \??\e: | gHost.exe
File opened (read-only) | \??\j: | gHost.exe
File opened (read-only) | \??\n: | gHost.exe
File opened (read-only) | \??\p: | gHost.exe
File opened (read-only) | \??\a: | gHost.exe
File opened (read-only) | \??\f: | gHost.exe
File opened (read-only) | \??\g: | gHost.exe
File opened (read-only) | \??\h: | gHost.exe
File opened (read-only) | \??\k: | gHost.exe
File opened (read-only) | \??\r: | gHost.exe
File opened (read-only) | \??\u: | gHost.exe
File opened (read-only) | \??\z: | gHost.exe
File opened (read-only) | \??\b: | gHost.exe
File opened (read-only) | \??\m: | gHost.exe
File opened (read-only) | \??\q: | gHost.exe
File opened (read-only) | \??\v: | gHost.exe
File opened (read-only) | \??\x: | gHost.exe
File opened (read-only) | \??\y: | gHost.exe
File opened (read-only) | \??\i: | gHost.exe
File opened (read-only) | \??\o: | gHost.exe
File opened (read-only) | \??\s: | gHost.exe
File opened (read-only) | \??\t: | gHost.exe
File opened (read-only) | \??\w: | gHost.exe
File opened (read-only) | \??\l: | gHost.exe
Modifies WinLogon (2 TTPs, 3 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, KHATRA.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/1600-59-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/544-111-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1376-113-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1660-128-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/544-308-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1612-323-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1600-1025-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1376-1029-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
behavioral1/memory/1660-1030-0x0000000000400000-0x00000000004F0000-memory.dmp | autoit_exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, KHATRA.exe
description | ioc | process
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
Drops file in System32 directory (20 IoCs)
Processes: OUTLOOK.EXE, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, svchost.exe, KHATRA.exe
description | ioc | process
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
Drops file in Program Files directory (10 IoCs)
Processes: svchost.exe, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
File opened for modification | C:\Program Files\7-Zip\7-zip.dll | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.dll | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px190D.tmp | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
Drops file in Windows directory (18 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, KHATRA.exe, KHATRA.exe, OUTLOOK.EXE
description | ioc | process
File created | C:\Windows\KHATARNAKH.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\system\gHost.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification | C:\Windows\Xplorer.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Windows\System\gHost.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\KHATARNAKH.exe | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes: OUTLOOK.EXE, KHATRA.exe, KHATRA.exe, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
Modifies registry class (64 IoCs)
Processes: OUTLOOK.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ = "_NavigationFolders" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ = "_TaskRequestAcceptItem" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ = "_OrderField" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ = "Actions" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ = "_NameSpace" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: OUTLOOK.EXE
pid | process
992 | OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: WaterMark.exe, ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
pid | process
688 | WaterMark.exe (2 entries)
1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe (62 entries)
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
Processes: Xplorer.exe, gHost.exe, OUTLOOK.EXE
pid | process
1376 | Xplorer.exe
1660 | gHost.exe
992 | OUTLOOK.EXE
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes: ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe, WaterMark.exe, KHATRA.exe, Xplorer.exe, gHost.exe, svchost.exe, cmd.exe, cmd.exe, netsh.exe, netsh.exe, OUTLOOK.EXE, KHATRA.exe, cmd.exe, cmd.exe, at.exe, cmd.exe, cmd.exe, netsh.exe
description | pid | process
Token: 33 | 1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Token: SeIncBasePriorityPrivilege | 1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Token: SeDebugPrivilege | 688 | WaterMark.exe
Token: 33 | 544 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 544 | KHATRA.exe
Token: 33 | 1376 | Xplorer.exe
Token: SeIncBasePriorityPrivilege | 1376 | Xplorer.exe
Token: 33 | 1660 | gHost.exe
Token: SeIncBasePriorityPrivilege | 1660 | gHost.exe
Token: SeDebugPrivilege | 1396 | svchost.exe
Token: SeDebugPrivilege | 1600 | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Token: SeDebugPrivilege | 688 | WaterMark.exe
Token: SeDebugPrivilege | 544 | KHATRA.exe
Token: SeDebugPrivilege | 1376 | Xplorer.exe
Token: SeDebugPrivilege | 1660 | gHost.exe
Token: SeDebugPrivilege | 856 | cmd.exe
Token: SeDebugPrivilege | 672 | cmd.exe
Token: SeDebugPrivilege | 2036 | netsh.exe
Token: SeDebugPrivilege | 1624 | netsh.exe
Token: SeDebugPrivilege | 992 | OUTLOOK.EXE
Token: SeDebugPrivilege | 1612 | KHATRA.exe
Token: 33 | 1612 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 1612 | KHATRA.exe
Token: SeDebugPrivilege | 1872 | cmd.exe
Token: SeDebugPrivilege | 1652 | cmd.exe
Token: SeDebugPrivilege | 2032 | at.exe
Token: SeDebugPrivilege | 1788 | cmd.exe
Token: SeDebugPrivilege | 1360 | cmd.exe
Token: SeDebugPrivilege | 1164 | netsh.exe
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid   process
1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
544   KHATRA.exe
992   OUTLOOK.EXE
992   OUTLOOK.EXE
992   OUTLOOK.EXE
1612  KHATRA.exe
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid   process
1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
544   KHATRA.exe
992   OUTLOOK.EXE
992   OUTLOOK.EXE
1612  KHATRA.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
992   OUTLOOK.EXE
Suspicious use of UnmapMainImage 2 IoCs
Processes:
pid   process
1396  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
688   WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical consecutive events grouped, count in the first column; 64 events in total):
events  description                      pid   process                                                                   target process
4       PID 1600 wrote to memory of 1396  1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe     ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
4       PID 1396 wrote to memory of 688   1396  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe  WaterMark.exe
10      PID 688 wrote to memory of 520    688   WaterMark.exe                                                             svchost.exe
4       PID 1600 wrote to memory of 544   1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe     KHATRA.exe
4       PID 544 wrote to memory of 1376   544   KHATRA.exe                                                                Xplorer.exe
4       PID 1376 wrote to memory of 1660  1376  Xplorer.exe                                                               gHost.exe
4       PID 1600 wrote to memory of 2004  1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe     cmd.exe
4       PID 2004 wrote to memory of 1816  2004  cmd.exe                                                                   at.exe
4       PID 1600 wrote to memory of 1556  1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe     cmd.exe
4       PID 1556 wrote to memory of 1384  1556  cmd.exe                                                                   at.exe
4       PID 544 wrote to memory of 1032   544   KHATRA.exe                                                                cmd.exe
4       PID 1032 wrote to memory of 700   1032  cmd.exe                                                                   at.exe
4       PID 544 wrote to memory of 1948   544   KHATRA.exe                                                                cmd.exe
4       PID 1948 wrote to memory of 1804  1948  cmd.exe                                                                   at.exe
2       PID 1600 wrote to memory of 872   1600  ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe     cmd.exe
outlook_win_path 1 IoCs
Processes:
description  ioc                                                                                                                                      process
Key queried  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  OUTLOOK.EXE
Processes (indented by depth in the process tree; each entry lists the image path, the command line, and the signatures that fired for that process)

C:\Windows\system32\lsass.exe
  cmdline: C:\Windows\system32\lsass.exe

C:\Windows\system32\services.exe
  cmdline: C:\Windows\system32\services.exe

  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

  C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

    C:\Windows\system32\Dwm.exe
      cmdline: "C:\Windows\system32\Dwm.exe"

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k RPCSS

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch

    C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
      cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
      - Accesses Microsoft Outlook profiles
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - outlook_win_path

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs

    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      cmdline: wmiadap.exe /F /T /R

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService

  C:\Windows\System32\spoolsv.exe
    cmdline: C:\Windows\System32\spoolsv.exe

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

  C:\Windows\system32\taskhost.exe
    cmdline: "taskhost.exe"

  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

  C:\Windows\system32\sppsvc.exe
    cmdline: C:\Windows\system32\sppsvc.exe

C:\Windows\system32\winlogon.exe
  cmdline: winlogon.exe

C:\Windows\system32\csrss.exe
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe
  cmdline: wininit.exe

  C:\Windows\system32\lsm.exe
    cmdline: C:\Windows\system32\lsm.exe

C:\Windows\system32\csrss.exe
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\System32\smss.exe
  cmdline: \SystemRoot\System32\smss.exe

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\WaterMark.exe
        cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory

        C:\Windows\SysWOW64\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\KHATRA.exe
      cmdline: C:\Windows\system32\KHATRA.exe
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\Xplorer.exe
        cmdline: "C:\Windows\Xplorer.exe" /Windows
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System\gHost.exe
          cmdline: "C:\Windows\System\gHost.exe" /Reproduce
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates connected drives
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\KHATRA.exe
            cmdline: C:\Windows\system32\KHATRA.exe
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies WinLogon
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies Internet Explorer settings
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\at.exe
                cmdline: AT /delete /yes

            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\at.exe
                cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\regsvr32.exe
                cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll

            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\netsh.exe
                cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
                - Modifies Windows Firewall
                - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\at.exe
          cmdline: AT /delete /yes

      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\at.exe
          cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe

      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll

        C:\Windows\SysWOW64\regsvr32.exe
          cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll

      C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
          - Modifies Windows Firewall
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\at.exe
        cmdline: AT /delete /yes

    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\at.exe
        cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe

    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll

      C:\Windows\SysWOW64\regsvr32.exe
        cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll

    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        - Suspicious use of AdjustPrivilegeToken
Downloads