Analysis
-
max time kernel
174s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2022 16:03
Static task
static1
Behavioral task
behavioral1
Sample
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
Resource
win7-20220901-en
General
-
Target
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe
-
Size
722KB
-
MD5
1a215650cb80822806662b810a828934
-
SHA1
351b0cf0fee6c325e23c7905a60b93d976dab254
-
SHA256
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
-
SHA512
e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
SSDEEP
6144:PBaZA6AM5tm1BS4i4jARHKhyFxQZZxbDGABUs4r110glX1Wt10grAdRgK0EQ:PcA6SbVi42BFx8dDlMB1fe1nAdmn
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 36 IoCs
Processes:
KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" KHATRA.exe -
Disables RegEdit via registry modification 18 IoCs
The DisableRegistryTools policy is written under the user's own hive (HKU\<SID>\...\Policies\System), so it affects only this account; it blocks regedit.exe but not reg.exe or PowerShell registry access, which is relevant when planning cleanup.
Processes:
KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" KHATRA.exe -
Executes dropped EXE 59 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeXplorer.exegHost.exeXplorermgr.exegHostmgr.exeWaterMark.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exepid process 1752 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe 4836 WaterMark.exe 2220 KHATRA.exe 4772 KHATRAmgr.exe 1160 WaterMark.exe 4552 Xplorer.exe 4424 gHost.exe 1236 Xplorermgr.exe 4764 gHostmgr.exe 2940 WaterMark.exe 728 WaterMark.exe 1780 KHATRA.exe 2832 KHATRAmgr.exe 2316 WaterMark.exe 3668 KHATRA.exe 5084 KHATRAmgr.exe 4800 WaterMark.exe 3920 KHATRA.exe 3992 KHATRAmgr.exe 2484 WaterMark.exe 2032 KHATRA.exe 4880 KHATRAmgr.exe 4124 WaterMark.exe 5592 KHATRA.exe 5612 KHATRAmgr.exe 5656 WaterMark.exe 5308 KHATRA.exe 5300 KHATRAmgr.exe 804 WaterMark.exe 6084 KHATRA.exe 6072 KHATRAmgr.exe 5164 WaterMark.exe 5376 KHATRA.exe 5476 KHATRAmgr.exe 5568 WaterMark.exe 5756 KHATRA.exe 5372 KHATRAmgr.exe 5684 WaterMark.exe 540 KHATRA.exe 5752 KHATRAmgr.exe 5376 WaterMark.exe 3124 KHATRA.exe 2440 KHATRAmgr.exe 2316 WaterMark.exe 5604 KHATRA.exe 5708 KHATRAmgr.exe 5144 WaterMark.exe 3908 KHATRA.exe 4560 KHATRAmgr.exe 4384 WaterMark.exe 5884 KHATRA.exe 460 KHATRAmgr.exe 2308 WaterMark.exe 2416 KHATRA.exe 5316 KHATRAmgr.exe 5440 WaterMark.exe 6040 KHATRA.exe 5592 KHATRAmgr.exe 5348 WaterMark.exe -
Modifies Windows Firewall 1 TTPs 17 IoCs
Processes:
netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exepid process 5404 netsh.exe 6120 netsh.exe 5512 netsh.exe 100 netsh.exe 4660 netsh.exe 5740 netsh.exe 4312 netsh.exe 4152 netsh.exe 816 netsh.exe 5592 netsh.exe 5312 netsh.exe 6112 netsh.exe 3472 netsh.exe 2124 netsh.exe 5844 netsh.exe 5052 netsh.exe 2640 netsh.exe -
Processes:
resource yara_rule behavioral2/memory/1752-137-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1752-138-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1752-141-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4836-150-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-152-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-151-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-153-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4772-166-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1160-176-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1160-177-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1160-178-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1236-204-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4764-210-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2940-216-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-219-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-220-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-226-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-224-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-228-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-229-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-239-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-248-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-249-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4836-250-0x0000000000400000-0x0000000000446000-memory.dmp upx 
behavioral2/memory/4836-274-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2316-277-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1160-278-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1160-279-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1160-280-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-285-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-288-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-286-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-291-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-292-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-293-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2940-294-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/728-298-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-300-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2316-302-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4800-323-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4800-324-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2484-359-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2484-360-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2484-361-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4800-370-0x0000000000400000-0x0000000000446000-memory.dmp upx 
behavioral2/memory/4800-371-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4800-372-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4124-385-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4124-386-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4124-387-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Adds Run key to start application 2 TTPs 60 IoCs
Note: the Run values point at C:\Windows\system32\KHATRA.exe while the "Drops file in System32 directory" signature shows the file actually landing in C:\Windows\SysWOW64\KHATRA.exe and the keys under WOW6432Node — the sample is a 32-bit process on x64 (arch:x86 tag), so its System32 and HKLM\SOFTWARE writes are redirected by WOW64. Whether the logon entry resolves depends on the reader process (64-bit Explorer is not redirected), so hunting and cleanup should check both the System32 and SysWOW64 paths.
Processes:
KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = 
"C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 
= "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Here gHost.exe opens every letter from a: through z: except c:, which is consistent with enumerating removable or mapped volumes to copy itself to (compare the autorun.inf signature below).
Processes:
gHost.exedescription ioc process File opened (read-only) \??\g: gHost.exe File opened (read-only) \??\i: gHost.exe File opened (read-only) \??\n: gHost.exe File opened (read-only) \??\o: gHost.exe File opened (read-only) \??\r: gHost.exe File opened (read-only) \??\u: gHost.exe File opened (read-only) \??\y: gHost.exe File opened (read-only) \??\b: gHost.exe File opened (read-only) \??\l: gHost.exe File opened (read-only) \??\z: gHost.exe File opened (read-only) \??\a: gHost.exe File opened (read-only) \??\e: gHost.exe File opened (read-only) \??\j: gHost.exe File opened (read-only) \??\k: gHost.exe File opened (read-only) \??\s: gHost.exe File opened (read-only) \??\v: gHost.exe File opened (read-only) \??\x: gHost.exe File opened (read-only) \??\f: gHost.exe File opened (read-only) \??\h: gHost.exe File opened (read-only) \??\m: gHost.exe File opened (read-only) \??\p: gHost.exe File opened (read-only) \??\q: gHost.exe File opened (read-only) \??\t: gHost.exe File opened (read-only) \??\w: gHost.exe -
Modifies WinLogon 2 TTPs 18 IoCs
The Winlogon\Taskman value names the program Windows launches in place of Task Manager (Ctrl+Shift+Esc / Ctrl+Alt+Del > Task Manager); pointing it at KHATRA.exe both re-launches the malware on that hotkey and removes the user's usual route to killing it. Note the value is written under WOW6432Node, see the Run-key caveat above on 32-bit registry redirection.
Processes:
KHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = 
"C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe -
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/4940-149-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/2220-175-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/4552-213-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/4424-215-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/4940-253-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/2220-256-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/1780-276-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmp autoit_exe behavioral2/memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmp autoit_exe behavioral2/memory/1780-303-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmp autoit_exe behavioral2/memory/3668-339-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/3920-358-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/3920-374-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe behavioral2/memory/2032-384-0x0000000000400000-0x00000000004F0000-memory.dmp autoit_exe -
Drops autorun.inf file 1 TTPs 18 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. In this run the file is written only to the per-user CD Burning staging folder, so it would be carried onto discs burned from this profile; Windows 7 and later ignore autorun.inf on USB/removable drives, so the practical spread vector is limited to optical media and legacy hosts.
Processes:
KHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created 
C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe -
Drops file in System32 directory 52 IoCs
Processes:
KHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for 
modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRAmgr.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File created C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe File opened for modification C:\Windows\SysWOW64\KHATRA.exe KHATRA.exe -
Drops file in Program Files directory 41 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exegHostmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeXplorermgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exeKHATRAmgr.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\pxDC6A.tmp ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxE9E8.tmp gHostmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px38FD.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxAF94.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxE489.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px69A7.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px8637.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxA8D3.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe Xplorermgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px74BE.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px361.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe File 
opened for modification C:\Program Files (x86)\Microsoft\pxF90.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxE416.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxFD8A.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px445C.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px5ACD.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxE951.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxE94B.tmp Xplorermgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px179A.tmp KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe gHostmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px8DC4.tmp KHATRAmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px1C58.tmp KHATRAmgr.exe -
Drops file in Windows directory 64 IoCs
Processes:
KHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exedescription ioc process File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\INF\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File created C:\Windows\System\gHost.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\INF\Autoplay.inF KHATRA.exe File created C:\Windows\Xplorer.exe KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF 
KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\INF\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\INF\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\Xplorer.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File created C:\Windows\Xplorer.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File created C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\INF\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\inf\Autoplay.inF KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\Xplorer.exe KHATRA.exe File created 
C:\Windows\System\gHost.exe KHATRA.exe File created C:\Windows\KHATARNAKH.exe KHATRA.exe File opened for modification C:\Windows\System\gHost.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe File opened for modification C:\Windows\Xplorer.exe KHATRA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe
pid | pid_target | process | target process
2484 | 1436 | WerFault.exe | svchost.exe
2820 | 4088 | WerFault.exe | svchost.exe
588 | 4796 | WerFault.exe | svchost.exe
4280 | 3716 | WerFault.exe | svchost.exe
4280 | 4468 | WerFault.exe | svchost.exe
3896 | 4116 | WerFault.exe | svchost.exe
3076 | 2472 | WerFault.exe | svchost.exe
1932 | 3920 | WerFault.exe | svchost.exe
5744 | 5692 | WerFault.exe | svchost.exe
5412 | 2632 | WerFault.exe | svchost.exe
4320 | 5124 | WerFault.exe | svchost.exe
3348 | 5400 | WerFault.exe | svchost.exe
3972 | 4612 | WerFault.exe | svchost.exe
5512 | 4272 | WerFault.exe | svchost.exe
5368 | 5288 | WerFault.exe | svchost.exe
5320 | 404 | WerFault.exe | svchost.exe
5652 | 5440 | WerFault.exe | svchost.exe
100 | 2316 | WerFault.exe | svchost.exe
4736 | 1884 | WerFault.exe | svchost.exe
1028 | 1760 | WerFault.exe | svchost.exe
-
Processes:
iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEKHATRA.exeIEXPLORE.EXEKHATRA.exeiexplore.exeKHATRA.exeiexplore.exeIEXPLORE.EXEKHATRA.exeiexplore.exeIEXPLORE.EXEKHATRA.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeKHATRA.exeKHATRA.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEKHATRA.exeKHATRA.exeiexplore.exeiexplore.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1879203526" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main KHATRA.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main KHATRA.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main KHATRA.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main KHATRA.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1972328810" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99428C89-6B5B-11ED-B696-E64E24383C5C} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main KHATRA.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1848422798" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998376" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1972796861" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" KHATRA.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main 
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998376" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1878890402" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WaterMark.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exepid process 4836 WaterMark.exe 4836 WaterMark.exe 4836 WaterMark.exe 4836 WaterMark.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
Xplorer.exeiexplore.exegHost.exe
pid | process
4552 | Xplorer.exe
4816 | iexplore.exe
4424 | gHost.exe
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
Processes:
WaterMark.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeWaterMark.exeXplorer.exegHost.exeWaterMark.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exeKHATRA.exeWaterMark.exedescription pid process Token: SeDebugPrivilege 4836 WaterMark.exe Token: 33 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Token: SeIncBasePriorityPrivilege 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe Token: 33 2220 KHATRA.exe Token: SeIncBasePriorityPrivilege 2220 KHATRA.exe Token: SeDebugPrivilege 1160 WaterMark.exe Token: 33 4552 Xplorer.exe Token: SeIncBasePriorityPrivilege 4552 Xplorer.exe Token: 33 4424 gHost.exe Token: SeIncBasePriorityPrivilege 4424 gHost.exe Token: SeDebugPrivilege 2940 WaterMark.exe Token: SeDebugPrivilege 728 WaterMark.exe Token: 33 1780 KHATRA.exe Token: SeIncBasePriorityPrivilege 1780 KHATRA.exe Token: SeDebugPrivilege 2316 WaterMark.exe Token: 33 3668 KHATRA.exe Token: SeIncBasePriorityPrivilege 3668 KHATRA.exe Token: SeDebugPrivilege 4800 WaterMark.exe Token: 33 3920 KHATRA.exe Token: SeIncBasePriorityPrivilege 3920 KHATRA.exe Token: SeDebugPrivilege 2484 WaterMark.exe Token: 33 2032 KHATRA.exe Token: SeIncBasePriorityPrivilege 2032 KHATRA.exe Token: SeDebugPrivilege 4124 WaterMark.exe Token: 33 5592 KHATRA.exe Token: SeIncBasePriorityPrivilege 5592 KHATRA.exe Token: SeDebugPrivilege 5656 WaterMark.exe Token: 33 5308 KHATRA.exe Token: SeIncBasePriorityPrivilege 5308 KHATRA.exe Token: SeDebugPrivilege 804 WaterMark.exe Token: 33 6084 KHATRA.exe Token: SeIncBasePriorityPrivilege 6084 KHATRA.exe Token: SeDebugPrivilege 5164 WaterMark.exe Token: 33 5376 KHATRA.exe Token: 
SeIncBasePriorityPrivilege 5376 KHATRA.exe Token: SeDebugPrivilege 5568 WaterMark.exe Token: 33 5756 KHATRA.exe Token: SeIncBasePriorityPrivilege 5756 KHATRA.exe Token: SeDebugPrivilege 5684 WaterMark.exe Token: 33 540 KHATRA.exe Token: SeIncBasePriorityPrivilege 540 KHATRA.exe Token: SeDebugPrivilege 5376 WaterMark.exe Token: 33 3124 KHATRA.exe Token: SeIncBasePriorityPrivilege 3124 KHATRA.exe Token: SeDebugPrivilege 2316 WaterMark.exe Token: 33 5604 KHATRA.exe Token: SeIncBasePriorityPrivilege 5604 KHATRA.exe Token: SeDebugPrivilege 5144 WaterMark.exe Token: 33 3908 KHATRA.exe Token: SeIncBasePriorityPrivilege 3908 KHATRA.exe Token: SeDebugPrivilege 4384 WaterMark.exe Token: 33 5884 KHATRA.exe Token: SeIncBasePriorityPrivilege 5884 KHATRA.exe Token: SeDebugPrivilege 2308 WaterMark.exe Token: 33 2416 KHATRA.exe Token: SeIncBasePriorityPrivilege 2416 KHATRA.exe Token: SeDebugPrivilege 5440 WaterMark.exe Token: 33 6040 KHATRA.exe Token: SeIncBasePriorityPrivilege 6040 KHATRA.exe Token: SeDebugPrivilege 5348 WaterMark.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeiexplore.exeiexplore.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exepid process 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 2220 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 1212 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 2220 KHATRA.exe 1780 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 1780 KHATRA.exe 3668 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 3668 KHATRA.exe 3920 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 3920 KHATRA.exe 2032 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 2032 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 5592 KHATRA.exe 5592 KHATRA.exe 5308 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 5308 KHATRA.exe 6084 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 6084 KHATRA.exe 5376 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 5376 KHATRA.exe 5756 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 5756 KHATRA.exe 540 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 540 KHATRA.exe 3124 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 3124 KHATRA.exe 5604 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 5604 KHATRA.exe 3908 KHATRA.exe 4816 iexplore.exe 4816 iexplore.exe 3908 KHATRA.exe -
Suspicious use of SendNotifyMessage 35 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exeKHATRA.exepid process 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 2220 KHATRA.exe 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 2220 KHATRA.exe 1780 KHATRA.exe 1780 KHATRA.exe 3668 KHATRA.exe 3668 KHATRA.exe 3920 KHATRA.exe 3920 KHATRA.exe 2032 KHATRA.exe 2032 KHATRA.exe 5592 KHATRA.exe 5592 KHATRA.exe 5308 KHATRA.exe 5308 KHATRA.exe 6084 KHATRA.exe 6084 KHATRA.exe 5376 KHATRA.exe 5376 KHATRA.exe 5756 KHATRA.exe 5756 KHATRA.exe 540 KHATRA.exe 540 KHATRA.exe 3124 KHATRA.exe 3124 KHATRA.exe 5604 KHATRA.exe 5604 KHATRA.exe 3908 KHATRA.exe 3908 KHATRA.exe 5884 KHATRA.exe 5884 KHATRA.exe 2416 KHATRA.exe 2416 KHATRA.exe 6040 KHATRA.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEpid process 4816 iexplore.exe 4816 iexplore.exe 1212 iexplore.exe 1212 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE 2344 IEXPLORE.EXE 2344 IEXPLORE.EXE 2200 IEXPLORE.EXE 2200 IEXPLORE.EXE 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 1584 IEXPLORE.EXE 1584 IEXPLORE.EXE 1584 IEXPLORE.EXE 1584 IEXPLORE.EXE 1800 IEXPLORE.EXE 1800 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 1408 IEXPLORE.EXE 1408 IEXPLORE.EXE 204 IEXPLORE.EXE 204 IEXPLORE.EXE 1408 IEXPLORE.EXE 1408 IEXPLORE.EXE 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 2344 IEXPLORE.EXE 2344 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 4816 iexplore.exe 1800 IEXPLORE.EXE 1800 IEXPLORE.EXE 3976 IEXPLORE.EXE 3976 IEXPLORE.EXE 3976 IEXPLORE.EXE 3976 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 40 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeXplorermgr.exegHostmgr.exeWaterMark.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exeKHATRAmgr.exeWaterMark.exepid process 1752 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe 4836 WaterMark.exe 4772 KHATRAmgr.exe 1160 WaterMark.exe 1236 Xplorermgr.exe 4764 gHostmgr.exe 2940 WaterMark.exe 728 WaterMark.exe 2832 KHATRAmgr.exe 2316 WaterMark.exe 5084 KHATRAmgr.exe 4800 WaterMark.exe 3992 KHATRAmgr.exe 2484 WaterMark.exe 4880 KHATRAmgr.exe 4124 WaterMark.exe 5612 KHATRAmgr.exe 5656 WaterMark.exe 5300 KHATRAmgr.exe 804 WaterMark.exe 6072 KHATRAmgr.exe 5164 WaterMark.exe 5476 KHATRAmgr.exe 5568 WaterMark.exe 5372 KHATRAmgr.exe 5684 WaterMark.exe 5752 KHATRAmgr.exe 5376 WaterMark.exe 2440 KHATRAmgr.exe 2316 WaterMark.exe 5708 KHATRAmgr.exe 5144 WaterMark.exe 4560 KHATRAmgr.exe 4384 WaterMark.exe 460 KHATRAmgr.exe 2308 WaterMark.exe 5316 KHATRAmgr.exe 5440 WaterMark.exe 5592 KHATRAmgr.exe 5348 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exeababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeWaterMark.exeKHATRA.exeKHATRAmgr.exeWaterMark.exeXplorer.exegHost.exeXplorermgr.exegHostmgr.exeWaterMark.exedescription pid process target process PID 4940 wrote to memory of 1752 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe PID 4940 wrote to memory of 1752 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe PID 4940 wrote to memory of 1752 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe PID 1752 wrote to memory of 4836 1752 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe WaterMark.exe PID 1752 wrote to memory of 4836 1752 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe WaterMark.exe PID 1752 wrote to memory of 4836 1752 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe WaterMark.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4836 wrote to memory of 1436 4836 WaterMark.exe svchost.exe PID 4940 wrote to memory of 2220 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe KHATRA.exe PID 4940 wrote to memory of 2220 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe 
KHATRA.exe PID 4940 wrote to memory of 2220 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe KHATRA.exe PID 2220 wrote to memory of 4772 2220 KHATRA.exe KHATRAmgr.exe PID 2220 wrote to memory of 4772 2220 KHATRA.exe KHATRAmgr.exe PID 2220 wrote to memory of 4772 2220 KHATRA.exe KHATRAmgr.exe PID 4772 wrote to memory of 1160 4772 KHATRAmgr.exe WaterMark.exe PID 4772 wrote to memory of 1160 4772 KHATRAmgr.exe WaterMark.exe PID 4772 wrote to memory of 1160 4772 KHATRAmgr.exe WaterMark.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 1160 wrote to memory of 4088 1160 WaterMark.exe svchost.exe PID 2220 wrote to memory of 4552 2220 KHATRA.exe Xplorer.exe PID 2220 wrote to memory of 4552 2220 KHATRA.exe Xplorer.exe PID 2220 wrote to memory of 4552 2220 KHATRA.exe Xplorer.exe PID 4940 wrote to memory of 4424 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe gHost.exe PID 4940 wrote to memory of 4424 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe gHost.exe PID 4940 wrote to memory of 4424 4940 ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe gHost.exe PID 4552 wrote to memory of 1236 4552 Xplorer.exe Xplorermgr.exe PID 4552 wrote to memory of 1236 4552 Xplorer.exe Xplorermgr.exe PID 4552 wrote to memory of 1236 4552 Xplorer.exe Xplorermgr.exe PID 4424 wrote to memory of 4764 4424 gHost.exe gHostmgr.exe PID 4424 wrote to memory of 4764 4424 gHost.exe gHostmgr.exe PID 4424 wrote to memory of 4764 4424 gHost.exe 
gHostmgr.exe PID 1236 wrote to memory of 2940 1236 Xplorermgr.exe WaterMark.exe PID 1236 wrote to memory of 2940 1236 Xplorermgr.exe WaterMark.exe PID 1236 wrote to memory of 2940 1236 Xplorermgr.exe WaterMark.exe PID 4836 wrote to memory of 1212 4836 WaterMark.exe iexplore.exe PID 4836 wrote to memory of 1212 4836 WaterMark.exe iexplore.exe PID 4764 wrote to memory of 728 4764 gHostmgr.exe WaterMark.exe PID 4764 wrote to memory of 728 4764 gHostmgr.exe WaterMark.exe PID 4764 wrote to memory of 728 4764 gHostmgr.exe WaterMark.exe PID 4836 wrote to memory of 4816 4836 WaterMark.exe iexplore.exe PID 4836 wrote to memory of 4816 4836 WaterMark.exe iexplore.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe PID 2940 wrote to memory of 4796 2940 WaterMark.exe svchost.exe
Processes (process tree: each entry gives the image path, then the command line, then the nesting depth, followed by the behaviours attributed to that process)
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720.exe"1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeC:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 2045⤵
- Program crash (WerFault for svchost.exe PID 1436, the process that WaterMark.exe PID 4836 wrote into according to the WriteProcessMemory list above)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:345090 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82948 /prefetch:25⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17412 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:279556 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82954 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17422 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82966 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17444 /prefetch:25⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82976 /prefetch:25⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:82994 /prefetch:25⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:83002 /prefetch:25⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:148490 /prefetch:25⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17488 /prefetch:25⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:17500 /prefetch:25⤵
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 2046⤵
- Program crash (WerFault for svchost.exe PID 4088, the process that WaterMark.exe PID 1160 wrote into according to the WriteProcessMemory list above)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Windows\Xplorer.exe"C:\Windows\Xplorer.exe" /Windows3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Xplorermgr.exeC:\Windows\Xplorermgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 2047⤵
- Program crash (WerFault for svchost.exe PID 4796, the process that WaterMark.exe PID 2940 wrote into according to the WriteProcessMemory list above)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 2128⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall (allows C:\Windows\system32\KHATRA.exe through the firewall under the display name "System")
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 2128⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2048⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\KHATRAmgr.exeC:\Windows\SysWOW64\KHATRAmgr.exe5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 2048⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll3⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Modifies Windows Firewall
-
C:\Windows\System\gHost.exe — "C:\Windows\System\gHost.exe" /Reproduce (depth 2)
Reviewer note: a second worm copy placed in C:\Windows\System (not System32 — an easy path to overlook in a sweep), launched with a /Reproduce switch. The switch name suggests a self-replication mode, but the report shows no behaviour specific to it; what is tagged is "Enumerates connected drives", which together with the autorun.inf drops on the KHATRA.exe nodes points to drive-by-drive copying via autorun.inf.
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System\gHostmgr.exeC:\Windows\System\gHostmgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 2046⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe2⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll2⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1436 -ip 1436 (depth 1)
Reviewer note: this and the following top-level "WerFault.exe -pss … -p <pid>" entries are Windows Error Reporting's own per-crash helper processes, not malware children. Their -p PIDs match the crashed svchost.exe instances under the WaterMark.exe nodes (e.g. 5124, 5400, 4612, 4272, 5288, 404, 5440, 2316, 1884, 1760, 3716); the remaining PIDs belong to crashes earlier in the tree, outside this excerpt. Exclude them from IOC lists — their only analytical value is as a count of crashed child processes.
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4088 -ip 40881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4796 -ip 47961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3716 -ip 37161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4468 -ip 44681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4116 -ip 41161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2472 -ip 24721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3920 -ip 39201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5692 -ip 56921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2632 -ip 26321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5124 -ip 51241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5400 -ip 54001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4612 -ip 46121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4272 -ip 42721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5288 -ip 52881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 404 -ip 4041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5440 -ip 54401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2316 -ip 23161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1884 -ip 18841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1760 -ip 17601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK — Filesize
Reviewer note: a shortcut in the all-users Startup folder is logon persistence for every interactive user, independent of the Run/policy-Run/Winlogon registry changes. The file is rewritten several times during the run — the entries below carry different hashes, and two of them are the zero-byte digests — so do not use these hashes as IOCs; match on the path and the name "(Empty).LNK", and parse the LNK target to see which dropped binary it launches.
1KB
MD5e7bb95fa16ffe8901b6bf08f4cabafeb
SHA176a9977592219169c24b0aef8960e3281e7d94d0
SHA256ba80f8cf9f26665101f0d5b70dc79a2d666b6aedfef8d9680b7019fa6078ad8a
SHA5126615ff42e1b280b02a8f3c3f4d7bddbdef74d08713a7f1f3527ff543a6e0b9cb80469747d6a46d228f31d22d362c748c2741f48783586ae094d71c999c2feb0c
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD5ee55e10040d737d75b8fb500e3d0d78d
SHA10741214732e61a8033ce9f2d1ce3a1a69e02cbce
SHA25693c9bed20e5de83be95a01efb5e3608889656d22a834a5855cec2701c51b4712
SHA512e8c4e8afa7946eec581c531a0240e919f676d4d62ee7a035bf3eea65cd2fd373ff0dcbc8ea699bd2fec12f852b8ebc7f9aeb3dc79b619227056238651e827230
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD5131f3197b3413435f446e373aac848d0
SHA1d8067d4598aea39a28116d8ebbc126830707efd2
SHA2563d7c6f3650b0d671b46f6035a1428d963ff2421d764d8696d47f8fafdd79bf58
SHA51275d6281b3d282bb04c44247ca8ae4cf8722139f8be31897761737d02590031faa6748c7724f940ad3b0071438e61adec6ab4898f477c15250c7bad7d2992911e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK — MD5
d41d8cd98f00b204e9800998ecf8427e (this MD5, and the SHA-1/SHA-256/SHA-512 listed under it, are the well-known digests of an empty file: the LNK was captured at zero bytes, so this entry carries no content and is not usable as a hash IOC)
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD57be61ea4586cc15583ca0db5df4306c3
SHA1b7b34eda21b2c4e601ab611b0accf9176fa42a14
SHA2568ed355d538f37505ce135646315d2d57c4cc31dd7d56a706b640abc026084ac0
SHA512822719e9f53cf3d2c4d68d74c5c34f141363b3477b7360e13b18282aac206dad0d6a532cb898ffe0b6ec2727f6fb8d31c3de831c9d10eaf28f2edc0c26e2850d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 — Filesize
Reviewer note: CryptnetUrlCache Content/MetaData files are written by the Windows CryptoAPI network-retrieval cache when a process fetches certificate, CRL or OCSP material; here they are most plausibly a side effect of the spawned iexplore.exe instances rather than malware drops. They do show that a network certificate fetch happened, so correlate them with the HTTP requests in the Network section instead of listing them as IOCs.
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5e32d02ce684c01ef3af05fae9066160e
SHA129c7a6e8ed553ac2765634265d1db041d6d422ec
SHA256b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71
SHA512e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5f8acc33c67ebdd2c4540a16346772b3f
SHA13ae0c33ca027d6f2ca6b58c61856bca9f4ec841b
SHA2568947a90e20a7c3522a3090eb5b95438c39de77da856585ad02be74b49f18e038
SHA51298d8285481e5074da9d1334163764082a3d0b02676844df6ec41317afde8d702706ad143f8d0a8c6ab7ba7d784b88c8b2a44a4fd0207c1e911b27d3b52475dc4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5940f328d666163ff83dfd4eb65ccfa69
SHA17562db27140f776d1600fddec4f01bf734b964ae
SHA256fc79785e07f7dda03359d58ab5d323cfda4657ecd0cfebab3170affc298833fa
SHA5124fd7af4703dc049a6601db4ed5a3ebaf35a9d00efc80fae289e1000c52cc9a2d158dd3e420743fe19058ea25515ebdb5ff55e71ec23f6a67743afbaf051b4a55
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5940f328d666163ff83dfd4eb65ccfa69
SHA17562db27140f776d1600fddec4f01bf734b964ae
SHA256fc79785e07f7dda03359d58ab5d323cfda4657ecd0cfebab3170affc298833fa
SHA5124fd7af4703dc049a6601db4ed5a3ebaf35a9d00efc80fae289e1000c52cc9a2d158dd3e420743fe19058ea25515ebdb5ff55e71ec23f6a67743afbaf051b4a55
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99426579-6B5B-11ED-B696-E64E24383C5C}.datFilesize
5KB
MD573d417742461cbf3eb52d49e226267f5
SHA110281f7188bd1974a903e08e315b40f8dccb12f4
SHA2569ba484568b54df36c30488ad58505a4efb9b3530edf824d1f8449d9ad164c884
SHA5124fbb035149fbf59d579f10f419365b637b531d12add11486ff6035efb3c5b8c19d043caf46da660bca9fbd8812fca39329b4b22e222d4412e120fa3762852814
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{99428C89-6B5B-11ED-B696-E64E24383C5C}.datFilesize
3KB
MD5bf4eeed9d0611f947ccb520e2572d3db
SHA1ed2f4358b2ace86f854dbc29f007093e330f8a60
SHA2565bb95d82c2f575b9b9d78969f4dbf58435e20a3dae05d23fa9dcbc6eba7089d1
SHA51291357739f31653d246ce94c186137343f6ee66704a2599a4ff43342bc48c847f42527332b4200baf256b9c43fcf16186789fd841818cdcbd73ddf546fc8acd69
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exe — Filesize
Reviewer note: byte-identical to WaterMark.exe (same MD5 1e7fd6957860e5272c6b6866b8775940). The "<parent name>mgr.exe" file written next to each launched copy — also seen as KHATRAmgr.exe and gHostmgr.exe in the tree, each tagged "Drops file in Program Files directory" with WaterMark.exe as its child — is the stage that installs WaterMark.exe, so a single hash covers all of the mgr.exe variants and WaterMark.exe itself.
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Users\Admin\AppData\Local\Temp\ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720mgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\KHATARNAKH.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\SysWOW64\KHATRAmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\System\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\System\gHost.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\System\gHostmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\System\gHostmgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\Xplorer.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\Xplorer.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
C:\Windows\Xplorermgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\Xplorermgr.exeFilesize
164KB
MD51e7fd6957860e5272c6b6866b8775940
SHA1baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA5124f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\\KHATRA.exeFilesize
722KB
MD51a215650cb80822806662b810a828934
SHA1351b0cf0fee6c325e23c7905a60b93d976dab254
SHA256ababa65b110ae74af74bfd4a9089f1ad8cd4b6837479a2c7003ef983ac293720
SHA512e30392841335dcc90b283edee0f6fe1f45b936ea48753374593ccda9d32aed64c5cfd4dc9d2e6896432d9eef3d8af60afc9eb23f1e75b4e0c3d2e974a316af0d
-
memory/32-245-0x0000000000000000-mapping.dmp
-
memory/100-299-0x0000000000000000-mapping.dmp
-
memory/452-233-0x0000000000000000-mapping.dmp
-
memory/684-231-0x0000000000000000-mapping.dmp
-
memory/728-219-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-239-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-291-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-205-0x0000000000000000-mapping.dmp
-
memory/728-298-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-292-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-220-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/728-224-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/768-366-0x0000000000000000-mapping.dmp
-
memory/912-234-0x0000000000000000-mapping.dmp
-
memory/1160-177-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-279-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-176-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-280-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-178-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-278-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/1160-164-0x0000000000000000-mapping.dmp
-
memory/1236-186-0x0000000000000000-mapping.dmp
-
memory/1236-204-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1376-330-0x0000000000000000-mapping.dmp
-
memory/1408-244-0x0000000000000000-mapping.dmp
-
memory/1436-148-0x0000000000000000-mapping.dmp
-
memory/1752-141-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1752-132-0x0000000000000000-mapping.dmp
-
memory/1752-138-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1752-137-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1780-257-0x0000000000000000-mapping.dmp
-
memory/1780-303-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1780-276-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/1852-364-0x0000000000000000-mapping.dmp
-
memory/1976-334-0x0000000000000000-mapping.dmp
-
memory/2012-295-0x0000000000000000-mapping.dmp
-
memory/2032-384-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/2220-256-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/2220-175-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/2220-154-0x0000000000000000-mapping.dmp
-
memory/2316-300-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-286-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-266-0x0000000000000000-mapping.dmp
-
memory/2316-302-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-288-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-277-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-301-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2316-285-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2472-356-0x0000000000000000-mapping.dmp
-
memory/2484-361-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2484-360-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2484-349-0x0000000000000000-mapping.dmp
-
memory/2484-359-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2632-235-0x0000000000000000-mapping.dmp
-
memory/2712-297-0x0000000000000000-mapping.dmp
-
memory/2720-332-0x0000000000000000-mapping.dmp
-
memory/2832-259-0x0000000000000000-mapping.dmp
-
memory/2940-293-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-228-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-200-0x0000000000000000-mapping.dmp
-
memory/2940-229-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-216-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-226-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-294-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/2940-284-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/3040-287-0x0000000000000000-mapping.dmp
-
memory/3124-232-0x0000000000000000-mapping.dmp
-
memory/3184-369-0x0000000000000000-mapping.dmp
-
memory/3308-365-0x0000000000000000-mapping.dmp
-
memory/3360-227-0x0000000000000000-mapping.dmp
-
memory/3364-283-0x0000000000000000-mapping.dmp
-
memory/3472-247-0x0000000000000000-mapping.dmp
-
memory/3604-241-0x0000000000000000-mapping.dmp
-
memory/3668-304-0x0000000000000000-mapping.dmp
-
memory/3668-339-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/3668-306-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/3716-223-0x0000000000000000-mapping.dmp
-
memory/3860-240-0x0000000000000000-mapping.dmp
-
memory/3920-374-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/3920-358-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/3920-340-0x0000000000000000-mapping.dmp
-
memory/3992-342-0x0000000000000000-mapping.dmp
-
memory/4080-331-0x0000000000000000-mapping.dmp
-
memory/4088-172-0x0000000000000000-mapping.dmp
-
memory/4116-321-0x0000000000000000-mapping.dmp
-
memory/4124-385-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4124-386-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4124-387-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4152-246-0x0000000000000000-mapping.dmp
-
memory/4256-230-0x0000000000000000-mapping.dmp
-
memory/4328-290-0x0000000000000000-mapping.dmp
-
memory/4424-215-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/4424-185-0x0000000000000000-mapping.dmp
-
memory/4468-273-0x0000000000000000-mapping.dmp
-
memory/4532-243-0x0000000000000000-mapping.dmp
-
memory/4552-213-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/4552-183-0x0000000000000000-mapping.dmp
-
memory/4572-242-0x0000000000000000-mapping.dmp
-
memory/4632-328-0x0000000000000000-mapping.dmp
-
memory/4648-373-0x0000000000000000-mapping.dmp
-
memory/4660-335-0x0000000000000000-mapping.dmp
-
memory/4764-210-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4764-191-0x0000000000000000-mapping.dmp
-
memory/4772-296-0x0000000000000000-mapping.dmp
-
memory/4772-166-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4772-157-0x0000000000000000-mapping.dmp
-
memory/4796-221-0x0000000000000000-mapping.dmp
-
memory/4800-323-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4800-372-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4800-314-0x0000000000000000-mapping.dmp
-
memory/4800-322-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4800-324-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4800-371-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4800-370-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-153-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-248-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-274-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4836-150-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-250-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-139-0x0000000000000000-mapping.dmp
-
memory/4836-152-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-151-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4836-249-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4940-149-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/4940-253-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/4964-333-0x0000000000000000-mapping.dmp
-
memory/5044-225-0x0000000000000000-mapping.dmp
-
memory/5084-307-0x0000000000000000-mapping.dmp
-
memory/5096-329-0x0000000000000000-mapping.dmp
-
memory/5096-289-0x0000000000000000-mapping.dmp