ramnit | ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

Analysis

max time kernel
174s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Size

722KB
MD5

1a215650cb80822806662b810a828934
SHA1

351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512

e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
SSDEEP

6144:PBaZA6AM5tm1BS4i4jARHKhyFxQZZxbDGABUs4r110glX1Wt10grAdRgK0EQ:PcA6SbVi42BFx8dDlMB1fe1nAdmn

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Adds policy Run key to start application 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 18 IoCs

evasion

Processes:

KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 59 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeXplorer.exegHost.exeXplorermgr.exegHostmgr.exeWaterMark.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exe

pid	process
1752	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
4836	WaterMark.exe
2220	KHATRA.exe
4772	KHATRAmgr.exe
1160	WaterMark.exe
4552	Xplorer.exe
4424	gHost.exe
1236	Xplorermgr.exe
4764	gHostmgr.exe
2940	WaterMark.exe
728	WaterMark.exe
1780	KHATRA.exe
2832	KHATRAmgr.exe
2316	WaterMark.exe
3668	KHATRA.exe
5084	KHATRAmgr.exe
4800	WaterMark.exe
3920	KHATRA.exe
3992	KHATRAmgr.exe
2484	WaterMark.exe
2032	KHATRA.exe
4880	KHATRAmgr.exe
4124	WaterMark.exe
5592	KHATRA.exe
5612	KHATRAmgr.exe
5656	WaterMark.exe
5308	KHATRA.exe
5300	KHATRAmgr.exe
804	WaterMark.exe
6084	KHATRA.exe
6072	KHATRAmgr.exe
5164	WaterMark.exe
5376	KHATRA.exe
5476	KHATRAmgr.exe
5568	WaterMark.exe
5756	KHATRA.exe
5372	KHATRAmgr.exe
5684	WaterMark.exe
540	KHATRA.exe
5752	KHATRAmgr.exe
5376	WaterMark.exe
3124	KHATRA.exe
2440	KHATRAmgr.exe
2316	WaterMark.exe
5604	KHATRA.exe
5708	KHATRAmgr.exe
5144	WaterMark.exe
3908	KHATRA.exe
4560	KHATRAmgr.exe
4384	WaterMark.exe
5884	KHATRA.exe
460	KHATRAmgr.exe
2308	WaterMark.exe
2416	KHATRA.exe
5316	KHATRAmgr.exe
5440	WaterMark.exe
6040	KHATRA.exe
5592	KHATRAmgr.exe
5348	WaterMark.exe

Modifies Windows Firewall 1 TTPs 17 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
5404	netsh.exe
6120	netsh.exe
5512	netsh.exe
100	netsh.exe
4660	netsh.exe
5740	netsh.exe
4312	netsh.exe
4152	netsh.exe
816	netsh.exe
5592	netsh.exe
5312	netsh.exe
6112	netsh.exe
3472	netsh.exe
2124	netsh.exe
5844	netsh.exe
5052	netsh.exe
2640	netsh.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1752-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1752-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1752-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4836-150-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-152-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-151-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-153-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4772-166-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1160-176-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1160-177-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1160-178-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1236-204-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4764-210-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2940-216-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-219-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-220-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-226-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-224-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-228-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-229-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-239-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-248-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-249-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-250-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4836-274-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2316-277-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1160-278-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1160-279-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1160-280-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-285-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-288-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-286-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-291-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-292-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-293-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-294-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/728-298-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-300-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2316-302-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-323-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-324-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2484-359-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2484-360-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2484-361-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-370-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-371-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4800-372-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4124-385-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4124-386-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4124-387-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gHost.exe

description	ioc	process
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\f:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

KHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4940-149-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2220-175-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4552-213-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4424-215-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4940-253-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2220-256-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/1780-276-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmp	autoit_exe
behavioral2/memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmp	autoit_exe
behavioral2/memory/1780-303-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmp	autoit_exe
behavioral2/memory/3668-339-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/3920-358-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/3920-374-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2032-384-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 18 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

KHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

description	ioc	process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 52 IoCs

Processes:

KHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRAmgr.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Program Files directory 41 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exegHostmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeXplorermgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxDC6A.tmp	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE9E8.tmp	gHostmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px38FD.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAF94.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE489.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px69A7.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8637.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA8D3.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	Xplorermgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px74BE.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px361.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF90.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE416.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD8A.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px445C.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5ACD.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE951.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE94B.tmp	Xplorermgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px179A.tmp	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	gHostmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8DC4.tmp	KHATRAmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1C58.tmp	KHATRAmgr.exe

Drops file in Windows directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2484	1436	WerFault.exe	svchost.exe
2820	4088	WerFault.exe	svchost.exe
588	4796	WerFault.exe	svchost.exe
4280	3716	WerFault.exe	svchost.exe
4280	4468	WerFault.exe	svchost.exe
3896	4116	WerFault.exe	svchost.exe
3076	2472	WerFault.exe	svchost.exe
1932	3920	WerFault.exe	svchost.exe
5744	5692	WerFault.exe	svchost.exe
5412	2632	WerFault.exe	svchost.exe
4320	5124	WerFault.exe	svchost.exe
3348	5400	WerFault.exe	svchost.exe
3972	4612	WerFault.exe	svchost.exe
5512	4272	WerFault.exe	svchost.exe
5368	5288	WerFault.exe	svchost.exe
5320	404	WerFault.exe	svchost.exe
5652	5440	WerFault.exe	svchost.exe
100	2316	WerFault.exe	svchost.exe
4736	1884	WerFault.exe	svchost.exe
1028	1760	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEKHATRA.exeIEXPLORE.EXEKHATRA.exeiexplore.exeKHATRA.exeiexplore.exeIEXPLORE.EXEKHATRA.exeiexplore.exeIEXPLORE.EXEKHATRA.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeKHATRA.exeKHATRA.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEKHATRA.exeKHATRA.exeiexplore.exeiexplore.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1879203526"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1972328810"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99428C89-6B5B-11ED-B696-E64E24383C5C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1848422798"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998376"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1972796861"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1878890402"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WaterMark.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe

pid	process
4836	WaterMark.exe
4836	WaterMark.exe
4836	WaterMark.exe
4836	WaterMark.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

Xplorer.exeiexplore.exegHost.exe

pid process

4552 Xplorer.exe
4816 iexplore.exe
4424 gHost.exe

pid	process
4552	Xplorer.exe
4816	iexplore.exe
4424	gHost.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

WaterMark.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeWaterMark.exeXplorer.exegHost.exeWaterMark.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exe

description	pid	process
Token: SeDebugPrivilege	4836	WaterMark.exe
Token: 33	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Token: SeIncBasePriorityPrivilege	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Token: 33	2220	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2220	KHATRA.exe
Token: SeDebugPrivilege	1160	WaterMark.exe
Token: 33	4552	Xplorer.exe
Token: SeIncBasePriorityPrivilege	4552	Xplorer.exe
Token: 33	4424	gHost.exe
Token: SeIncBasePriorityPrivilege	4424	gHost.exe
Token: SeDebugPrivilege	2940	WaterMark.exe
Token: SeDebugPrivilege	728	WaterMark.exe
Token: 33	1780	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1780	KHATRA.exe
Token: SeDebugPrivilege	2316	WaterMark.exe
Token: 33	3668	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3668	KHATRA.exe
Token: SeDebugPrivilege	4800	WaterMark.exe
Token: 33	3920	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3920	KHATRA.exe
Token: SeDebugPrivilege	2484	WaterMark.exe
Token: 33	2032	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2032	KHATRA.exe
Token: SeDebugPrivilege	4124	WaterMark.exe
Token: 33	5592	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5592	KHATRA.exe
Token: SeDebugPrivilege	5656	WaterMark.exe
Token: 33	5308	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5308	KHATRA.exe
Token: SeDebugPrivilege	804	WaterMark.exe
Token: 33	6084	KHATRA.exe
Token: SeIncBasePriorityPrivilege	6084	KHATRA.exe
Token: SeDebugPrivilege	5164	WaterMark.exe
Token: 33	5376	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5376	KHATRA.exe
Token: SeDebugPrivilege	5568	WaterMark.exe
Token: 33	5756	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5756	KHATRA.exe
Token: SeDebugPrivilege	5684	WaterMark.exe
Token: 33	540	KHATRA.exe
Token: SeIncBasePriorityPrivilege	540	KHATRA.exe
Token: SeDebugPrivilege	5376	WaterMark.exe
Token: 33	3124	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3124	KHATRA.exe
Token: SeDebugPrivilege	2316	WaterMark.exe
Token: 33	5604	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5604	KHATRA.exe
Token: SeDebugPrivilege	5144	WaterMark.exe
Token: 33	3908	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3908	KHATRA.exe
Token: SeDebugPrivilege	4384	WaterMark.exe
Token: 33	5884	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5884	KHATRA.exe
Token: SeDebugPrivilege	2308	WaterMark.exe
Token: 33	2416	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2416	KHATRA.exe
Token: SeDebugPrivilege	5440	WaterMark.exe
Token: 33	6040	KHATRA.exe
Token: SeIncBasePriorityPrivilege	6040	KHATRA.exe
Token: SeDebugPrivilege	5348	WaterMark.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeiexplore.exeiexplore.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

pid	process
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
2220	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
1212	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
2220	KHATRA.exe
1780	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
1780	KHATRA.exe
3668	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
3668	KHATRA.exe
3920	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
3920	KHATRA.exe
2032	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
2032	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
5592	KHATRA.exe
5592	KHATRA.exe
5308	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
5308	KHATRA.exe
6084	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
6084	KHATRA.exe
5376	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
5376	KHATRA.exe
5756	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
5756	KHATRA.exe
540	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
540	KHATRA.exe
3124	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
3124	KHATRA.exe
5604	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
5604	KHATRA.exe
3908	KHATRA.exe
4816	iexplore.exe
4816	iexplore.exe
3908	KHATRA.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exe

pid	process
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
2220	KHATRA.exe
4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
2220	KHATRA.exe
1780	KHATRA.exe
1780	KHATRA.exe
3668	KHATRA.exe
3668	KHATRA.exe
3920	KHATRA.exe
3920	KHATRA.exe
2032	KHATRA.exe
2032	KHATRA.exe
5592	KHATRA.exe
5592	KHATRA.exe
5308	KHATRA.exe
5308	KHATRA.exe
6084	KHATRA.exe
6084	KHATRA.exe
5376	KHATRA.exe
5376	KHATRA.exe
5756	KHATRA.exe
5756	KHATRA.exe
540	KHATRA.exe
540	KHATRA.exe
3124	KHATRA.exe
3124	KHATRA.exe
5604	KHATRA.exe
5604	KHATRA.exe
3908	KHATRA.exe
3908	KHATRA.exe
5884	KHATRA.exe
5884	KHATRA.exe
2416	KHATRA.exe
2416	KHATRA.exe
6040	KHATRA.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4816	iexplore.exe
4816	iexplore.exe
1212	iexplore.exe
1212	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1408	IEXPLORE.EXE
1408	IEXPLORE.EXE
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
932	IEXPLORE.EXE
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
4816	iexplore.exe
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
3976	IEXPLORE.EXE
3976	IEXPLORE.EXE
3976	IEXPLORE.EXE
3976	IEXPLORE.EXE

Suspicious use of UnmapMainImage 40 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeXplorermgr.exegHostmgr.exeWaterMark.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exe

pid	process
1752	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
4836	WaterMark.exe
4772	KHATRAmgr.exe
1160	WaterMark.exe
1236	Xplorermgr.exe
4764	gHostmgr.exe
2940	WaterMark.exe
728	WaterMark.exe
2832	KHATRAmgr.exe
2316	WaterMark.exe
5084	KHATRAmgr.exe
4800	WaterMark.exe
3992	KHATRAmgr.exe
2484	WaterMark.exe
4880	KHATRAmgr.exe
4124	WaterMark.exe
5612	KHATRAmgr.exe
5656	WaterMark.exe
5300	KHATRAmgr.exe
804	WaterMark.exe
6072	KHATRAmgr.exe
5164	WaterMark.exe
5476	KHATRAmgr.exe
5568	WaterMark.exe
5372	KHATRAmgr.exe
5684	WaterMark.exe
5752	KHATRAmgr.exe
5376	WaterMark.exe
2440	KHATRAmgr.exe
2316	WaterMark.exe
5708	KHATRAmgr.exe
5144	WaterMark.exe
4560	KHATRAmgr.exe
4384	WaterMark.exe
460	KHATRAmgr.exe
2308	WaterMark.exe
5316	KHATRAmgr.exe
5440	WaterMark.exe
5592	KHATRAmgr.exe
5348	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeXplorer.exegHost.exeXplorermgr.exegHostmgr.exeWaterMark.exe

description	pid	process	target process
PID 4940 wrote to memory of 1752	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
PID 4940 wrote to memory of 1752	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
PID 4940 wrote to memory of 1752	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
PID 1752 wrote to memory of 4836	1752	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe	WaterMark.exe
PID 1752 wrote to memory of 4836	1752	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe	WaterMark.exe
PID 1752 wrote to memory of 4836	1752	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe	WaterMark.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4836 wrote to memory of 1436	4836	WaterMark.exe	svchost.exe
PID 4940 wrote to memory of 2220	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	KHATRA.exe
PID 4940 wrote to memory of 2220	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	KHATRA.exe
PID 4940 wrote to memory of 2220	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	KHATRA.exe
PID 2220 wrote to memory of 4772	2220	KHATRA.exe	KHATRAmgr.exe
PID 2220 wrote to memory of 4772	2220	KHATRA.exe	KHATRAmgr.exe
PID 2220 wrote to memory of 4772	2220	KHATRA.exe	KHATRAmgr.exe
PID 4772 wrote to memory of 1160	4772	KHATRAmgr.exe	WaterMark.exe
PID 4772 wrote to memory of 1160	4772	KHATRAmgr.exe	WaterMark.exe
PID 4772 wrote to memory of 1160	4772	KHATRAmgr.exe	WaterMark.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 1160 wrote to memory of 4088	1160	WaterMark.exe	svchost.exe
PID 2220 wrote to memory of 4552	2220	KHATRA.exe	Xplorer.exe
PID 2220 wrote to memory of 4552	2220	KHATRA.exe	Xplorer.exe
PID 2220 wrote to memory of 4552	2220	KHATRA.exe	Xplorer.exe
PID 4940 wrote to memory of 4424	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	gHost.exe
PID 4940 wrote to memory of 4424	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	gHost.exe
PID 4940 wrote to memory of 4424	4940	ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe	gHost.exe
PID 4552 wrote to memory of 1236	4552	Xplorer.exe	Xplorermgr.exe
PID 4552 wrote to memory of 1236	4552	Xplorer.exe	Xplorermgr.exe
PID 4552 wrote to memory of 1236	4552	Xplorer.exe	Xplorermgr.exe
PID 4424 wrote to memory of 4764	4424	gHost.exe	gHostmgr.exe
PID 4424 wrote to memory of 4764	4424	gHost.exe	gHostmgr.exe
PID 4424 wrote to memory of 4764	4424	gHost.exe	gHostmgr.exe
PID 1236 wrote to memory of 2940	1236	Xplorermgr.exe	WaterMark.exe
PID 1236 wrote to memory of 2940	1236	Xplorermgr.exe	WaterMark.exe
PID 1236 wrote to memory of 2940	1236	Xplorermgr.exe	WaterMark.exe
PID 4836 wrote to memory of 1212	4836	WaterMark.exe	iexplore.exe
PID 4836 wrote to memory of 1212	4836	WaterMark.exe	iexplore.exe
PID 4764 wrote to memory of 728	4764	gHostmgr.exe	WaterMark.exe
PID 4764 wrote to memory of 728	4764	gHostmgr.exe	WaterMark.exe
PID 4764 wrote to memory of 728	4764	gHostmgr.exe	WaterMark.exe
PID 4836 wrote to memory of 4816	4836	WaterMark.exe	iexplore.exe
PID 4836 wrote to memory of 4816	4836	WaterMark.exe	iexplore.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 4796	2940	WaterMark.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
"C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 204
5⤵
- Program crash
PID:2484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:345090 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82948 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17412 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:279556 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82954 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17422 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82966 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17444 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:5852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82976 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:5864

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82994 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:5124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:83002 /prefetch:2
5⤵
PID:5836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:148490 /prefetch:2
5⤵
PID:5720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17488 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:3624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17500 /prefetch:2
5⤵
PID:5232

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 204
6⤵
- Program crash
PID:2820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
PID:3236

C:\Windows\Xplorer.exe
"C:\Windows\Xplorer.exe" /Windows
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\Xplorermgr.exe
C:\Windows\Xplorermgr.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 204
7⤵
- Program crash
PID:588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:4952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
PID:1580

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2832

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 204
8⤵
- Program crash
PID:4280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:3364

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:5096

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:2012

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:2712

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:100

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3668

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5084

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:4800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 204
8⤵
- Program crash
PID:3896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:3780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:4632

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:1376

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:2720

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:1976

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:4660

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:3992

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 204
8⤵
- Program crash
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:4880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:1852

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:768

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:4648

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:1432

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:2124

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2032

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:4880

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:4124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 204
8⤵
- Program crash
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:5436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5096

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:5168

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:5220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5260

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5360

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5404

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5592

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5612

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 204
8⤵
- Program crash
PID:5744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:6040

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:6092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:6108

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5140

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5212

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:816

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5308

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5300

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 212
8⤵
- Program crash
PID:5412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:5816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5376

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:4672

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:4768

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5612

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5740

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6084

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:6072

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 204
8⤵
- Program crash
PID:4320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:4260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:2940

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:5192

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:2316

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5592

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5376

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5476

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 204
8⤵
- Program crash
PID:3348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5616

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:5788

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:5720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5824

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:6044

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:6120

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5756

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5372

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 204
8⤵
- Program crash
PID:3972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:5608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5368

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:4116

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:3348

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5700

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:4312

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:540

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5752

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 212
8⤵
- Program crash
PID:5512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:5148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5364

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:3624

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:5336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5644

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5792

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5844

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2440

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 204
8⤵
- Program crash
PID:5368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:4312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:3236

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:3624

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5620

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5400

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5512

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5604

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5708

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 204
8⤵
- Program crash
PID:5320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:5492

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:5436

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:1892

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:4488

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5052

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3908

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:4560

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:4384

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 204
8⤵
- Program crash
PID:5652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:3576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:2920

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:4588

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:4820

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:5572

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:2640

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5884

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:460

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 204
8⤵
- Program crash
PID:100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:4680

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:4128

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:4700

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:6080

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:5312

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2416

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5316

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 204
8⤵
- Program crash
PID:4736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:4152

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:452

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:4772

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:4404

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
6⤵
- Modifies Windows Firewall
PID:6112

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6040

C:\Windows\SysWOW64\KHATRAmgr.exe
C:\Windows\SysWOW64\KHATRAmgr.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:5592

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:5348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 204
8⤵
- Program crash
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:804

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:844

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
6⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
5⤵
PID:5044

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
6⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
5⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
3⤵
PID:5044

C:\Windows\SysWOW64\at.exe
AT /delete /yes
4⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
3⤵
PID:3124

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
3⤵
PID:3860

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
4⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
3⤵
PID:32

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
4⤵
- Modifies Windows Firewall
PID:3472

C:\Windows\System\gHost.exe
"C:\Windows\System\gHost.exe" /Reproduce
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\System\gHostmgr.exe
C:\Windows\System\gHostmgr.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4764

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 204
6⤵
- Program crash
PID:4280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
2⤵
PID:3360

C:\Windows\SysWOW64\at.exe
AT /delete /yes
3⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
2⤵
PID:452

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
2⤵
PID:3604

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
2⤵
PID:1408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
3⤵
- Modifies Windows Firewall
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1436 -ip 1436
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4088 -ip 4088
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4796 -ip 4796
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3716 -ip 3716
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4468 -ip 4468
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4116 -ip 4116
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2472 -ip 2472
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3920 -ip 3920
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5692 -ip 5692
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2632 -ip 2632
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5124 -ip 5124
1⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5400 -ip 5400
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4612 -ip 4612
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4272 -ip 4272
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5288 -ip 5288
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 404 -ip 404
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5440 -ip 5440
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2316 -ip 2316
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1884 -ip 1884
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1760 -ip 1760
1⤵
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize
1KB

MD5
e7bb95fa16ffe8901b6bf08f4cabafeb

SHA1
76a9977592219169c24b0aef8960e3281e7d94d0

SHA256
ba80f8cf9f26665101f0d5b70dc79a2d666b6aedfef8d9680b7019fa6078ad8a

SHA512
6615ff42e1b280b02a8f3c3f4d7bddbdef74d08713a7f1f3527ff543a6e0b9cb80469747d6a46d228f31d22d362c748c2741f48783586ae094d71c999c2feb0c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize
1KB

MD5
ee55e10040d737d75b8fb500e3d0d78d

SHA1
0741214732e61a8033ce9f2d1ce3a1a69e02cbce

SHA256
93c9bed20e5de83be95a01efb5e3608889656d22a834a5855cec2701c51b4712

SHA512
e8c4e8afa7946eec581c531a0240e919f676d4d62ee7a035bf3eea65cd2fd373ff0dcbc8ea699bd2fec12f852b8ebc7f9aeb3dc79b619227056238651e827230

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize
1KB

MD5
131f3197b3413435f446e373aac848d0

SHA1
d8067d4598aea39a28116d8ebbc126830707efd2

SHA256
3d7c6f3650b0d671b46f6035a1428d963ff2421d764d8696d47f8fafdd79bf58

SHA512
75d6281b3d282bb04c44247ca8ae4cf8722139f8be31897761737d02590031faa6748c7724f940ad3b0071438e61adec6ab4898f477c15250c7bad7d2992911e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK
Filesize
1KB

MD5
7be61ea4586cc15583ca0db5df4306c3

SHA1
b7b34eda21b2c4e601ab611b0accf9176fa42a14

SHA256
8ed355d538f37505ce135646315d2d57c4cc31dd7d56a706b640abc026084ac0

SHA512
822719e9f53cf3d2c4d68d74c5c34f141363b3477b7360e13b18282aac206dad0d6a532cb898ffe0b6ec2727f6fb8d31c3de831c9d10eaf28f2edc0c26e2850d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
e32d02ce684c01ef3af05fae9066160e

SHA1
29c7a6e8ed553ac2765634265d1db041d6d422ec

SHA256
b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

SHA512
e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
f8acc33c67ebdd2c4540a16346772b3f

SHA1
3ae0c33ca027d6f2ca6b58c61856bca9f4ec841b

SHA256
8947a90e20a7c3522a3090eb5b95438c39de77da856585ad02be74b49f18e038

SHA512
98d8285481e5074da9d1334163764082a3d0b02676844df6ec41317afde8d702706ad143f8d0a8c6ab7ba7d784b88c8b2a44a4fd0207c1e911b27d3b52475dc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
940f328d666163ff83dfd4eb65ccfa69

SHA1
7562db27140f776d1600fddec4f01bf734b964ae

SHA256
fc79785e07f7dda03359d58ab5d323cfda4657ecd0cfebab3170affc298833fa

SHA512
4fd7af4703dc049a6601db4ed5a3ebaf35a9d00efc80fae289e1000c52cc9a2d158dd3e420743fe19058ea25515ebdb5ff55e71ec23f6a67743afbaf051b4a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
940f328d666163ff83dfd4eb65ccfa69

SHA1
7562db27140f776d1600fddec4f01bf734b964ae

SHA256
fc79785e07f7dda03359d58ab5d323cfda4657ecd0cfebab3170affc298833fa

SHA512
4fd7af4703dc049a6601db4ed5a3ebaf35a9d00efc80fae289e1000c52cc9a2d158dd3e420743fe19058ea25515ebdb5ff55e71ec23f6a67743afbaf051b4a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99426579-6B5B-11ED-B696-E64E24383C5C}.dat
Filesize
5KB

MD5
73d417742461cbf3eb52d49e226267f5

SHA1
10281f7188bd1974a903e08e315b40f8dccb12f4

SHA256
9ba484568b54df36c30488ad58505a4efb9b3530edf824d1f8449d9ad164c884

SHA512
4fbb035149fbf59d579f10f419365b637b531d12add11486ff6035efb3c5b8c19d043caf46da660bca9fbd8812fca39329b4b22e222d4412e120fa3762852814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99428C89-6B5B-11ED-B696-E64E24383C5C}.dat
Filesize
3KB

MD5
bf4eeed9d0611f947ccb520e2572d3db

SHA1
ed2f4358b2ace86f854dbc29f007093e330f8a60

SHA256
5bb95d82c2f575b9b9d78969f4dbf58435e20a3dae05d23fa9dcbc6eba7089d1

SHA512
91357739f31653d246ce94c186137343f6ee66704a2599a4ff43342bc48c847f42527332b4200baf256b9c43fcf16186789fd841818cdcbd73ddf546fc8acd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\KHATARNAKH.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\KHATARNAKH.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\KHATARNAKH.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\KHATARNAKH.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\KHATARNAKH.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\SysWOW64\KHATRAmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\System\gHost.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\System\gHost.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\System\gHostmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\System\gHostmgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\Xplorer.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\Xplorer.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
C:\Windows\Xplorermgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\Xplorermgr.exe
Filesize
164KB

MD5
1e7fd6957860e5272c6b6866b8775940

SHA1
baa96e2375f1ed39d9848f78442d2ab4cc5feb59

SHA256
538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc

SHA512
4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF
Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\\KHATRA.exe
Filesize
722KB

MD5
1a215650cb80822806662b810a828934

SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254

SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720

SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d

Download Submit
memory/32-245-0x0000000000000000-mapping.dmp

Download
memory/100-299-0x0000000000000000-mapping.dmp

Download
memory/452-233-0x0000000000000000-mapping.dmp

Download
memory/684-231-0x0000000000000000-mapping.dmp

Download
memory/728-219-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-239-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-205-0x0000000000000000-mapping.dmp

Download
memory/728-298-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-292-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-220-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-224-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/768-366-0x0000000000000000-mapping.dmp

Download
memory/912-234-0x0000000000000000-mapping.dmp

Download
memory/1160-177-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-279-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-176-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-280-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-178-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-278-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-164-0x0000000000000000-mapping.dmp

Download
memory/1236-186-0x0000000000000000-mapping.dmp

Download
memory/1236-204-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1376-330-0x0000000000000000-mapping.dmp

Download
memory/1408-244-0x0000000000000000-mapping.dmp

Download
memory/1436-148-0x0000000000000000-mapping.dmp

Download
memory/1752-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1752-132-0x0000000000000000-mapping.dmp

Download
memory/1752-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1752-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1780-257-0x0000000000000000-mapping.dmp

Download
memory/1780-303-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1780-276-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1852-364-0x0000000000000000-mapping.dmp

Download
memory/1976-334-0x0000000000000000-mapping.dmp

Download
memory/2012-295-0x0000000000000000-mapping.dmp

Download
memory/2032-384-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2220-256-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2220-175-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2220-154-0x0000000000000000-mapping.dmp

Download
memory/2316-300-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-286-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-266-0x0000000000000000-mapping.dmp

Download
memory/2316-302-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-288-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-277-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2316-285-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2472-356-0x0000000000000000-mapping.dmp

Download
memory/2484-361-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2484-360-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2484-349-0x0000000000000000-mapping.dmp

Download
memory/2484-359-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2632-235-0x0000000000000000-mapping.dmp

Download
memory/2712-297-0x0000000000000000-mapping.dmp

Download
memory/2720-332-0x0000000000000000-mapping.dmp

Download
memory/2832-259-0x0000000000000000-mapping.dmp

Download
memory/2940-293-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-200-0x0000000000000000-mapping.dmp

Download
memory/2940-229-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-226-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-294-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3040-287-0x0000000000000000-mapping.dmp

Download
memory/3124-232-0x0000000000000000-mapping.dmp

Download
memory/3184-369-0x0000000000000000-mapping.dmp

Download
memory/3308-365-0x0000000000000000-mapping.dmp

Download
memory/3360-227-0x0000000000000000-mapping.dmp

Download
memory/3364-283-0x0000000000000000-mapping.dmp

Download
memory/3472-247-0x0000000000000000-mapping.dmp

Download
memory/3604-241-0x0000000000000000-mapping.dmp

Download
memory/3668-304-0x0000000000000000-mapping.dmp

Download
memory/3668-339-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3668-306-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3716-223-0x0000000000000000-mapping.dmp

Download
memory/3860-240-0x0000000000000000-mapping.dmp

Download
memory/3920-374-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3920-358-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3920-340-0x0000000000000000-mapping.dmp

Download
memory/3992-342-0x0000000000000000-mapping.dmp

Download
memory/4080-331-0x0000000000000000-mapping.dmp

Download
memory/4088-172-0x0000000000000000-mapping.dmp

Download
memory/4116-321-0x0000000000000000-mapping.dmp

Download
memory/4124-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4124-386-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4124-387-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4152-246-0x0000000000000000-mapping.dmp

Download
memory/4256-230-0x0000000000000000-mapping.dmp

Download
memory/4328-290-0x0000000000000000-mapping.dmp

Download
memory/4424-215-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4424-185-0x0000000000000000-mapping.dmp

Download
memory/4468-273-0x0000000000000000-mapping.dmp

Download
memory/4532-243-0x0000000000000000-mapping.dmp

Download
memory/4552-213-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4552-183-0x0000000000000000-mapping.dmp

Download
memory/4572-242-0x0000000000000000-mapping.dmp

Download
memory/4632-328-0x0000000000000000-mapping.dmp

Download
memory/4648-373-0x0000000000000000-mapping.dmp

Download
memory/4660-335-0x0000000000000000-mapping.dmp

Download
memory/4764-210-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4764-191-0x0000000000000000-mapping.dmp

Download
memory/4772-296-0x0000000000000000-mapping.dmp

Download
memory/4772-166-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4772-157-0x0000000000000000-mapping.dmp

Download
memory/4796-221-0x0000000000000000-mapping.dmp

Download
memory/4800-323-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-372-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-314-0x0000000000000000-mapping.dmp

Download
memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-324-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-371-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-153-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-248-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-274-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4836-150-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-250-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-139-0x0000000000000000-mapping.dmp

Download
memory/4836-152-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-249-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4940-149-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4940-253-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4964-333-0x0000000000000000-mapping.dmp

Download
memory/5044-225-0x0000000000000000-mapping.dmp

Download
memory/5084-307-0x0000000000000000-mapping.dmp

Download
memory/5096-329-0x0000000000000000-mapping.dmp

Download
memory/5096-289-0x0000000000000000-mapping.dmp

Download