811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9

Analysis

max time kernel
251s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Size

658KB
MD5

2cd0d704b3e9dcacf36fc2aaf6ade830
SHA1

0249904537f633cca469da2546abebcbbbef0418
SHA256

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9
SHA512

508ba5545455071733dba7349ffc1d28ba84667cb1736a5246d2ca80678386fa5c2f899f9cf1a10150f3f99d0b6748cea69990daa4ce8e3113c9c72e386f49ca
SSDEEP

12288:9HuEA5r6cRuqkN530xuooqMVwsg32MExtD:9HuEA5r6G030x+gBEDD

Score

9^/10

evasion persistence trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\dnsq.dll	acprotect
C:\Windows\SysWOW64\com\netcfg.dll	acprotect
\Windows\SysWOW64\com\netcfg.dll	acprotect
C:\Windows\SysWOW64\dnsq.dll	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 8 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exelsass.exeKHATRA.exeXplorer.exesmss.exegHost.exe

pid	process
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1060	lsass.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1440	lsass.exe
1020	KHATRA.exe
316	Xplorer.exe
296	smss.exe
1492	gHost.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Sets file execution options in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeXplorer.exeKHATRA.exegHost.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	lsass.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Xplorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	KHATRA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	gHost.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/360-55-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/360-59-0x0000000000400000-0x000000000042C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	upx
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	upx
C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	upx
behavioral1/memory/360-65-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1680-73-0x0000000000400000-0x000000000042C000-memory.dmp	upx
\??\c:\users\admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	upx
\Windows\SysWOW64\com\lsass.exe	upx
\Windows\SysWOW64\com\lsass.exe	upx
C:\Windows\SysWOW64\com\lsass.exe	upx
\Windows\SysWOW64\com\lsass.exe	upx
\Windows\SysWOW64\com\lsass.exe	upx
C:\Windows\SysWOW64\com\lsass.exe	upx
behavioral1/memory/1060-94-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1680-95-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1440-99-0x0000000000400000-0x000000000042C000-memory.dmp	upx
C:\Windows\SysWOW64\com\lsass.exe	upx
behavioral1/memory/1440-109-0x0000000000400000-0x000000000042C000-memory.dmp	upx
\Windows\SysWOW64\dnsq.dll	upx
C:\Windows\SysWOW64\com\netcfg.dll	upx
\Windows\SysWOW64\com\netcfg.dll	upx
C:\Windows\SysWOW64\dnsq.dll	upx
\Windows\SysWOW64\dnsq.dll	upx
\Windows\SysWOW64\dnsq.dll	upx
\Windows\SysWOW64\dnsq.dll	upx
behavioral1/memory/1060-158-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/296-160-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1020-161-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1464-162-0x0000000010000000-0x0000000010018000-memory.dmp	upx
\Windows\SysWOW64\dnsq.dll	upx
\Windows\SysWOW64\dnsq.dll	upx
behavioral1/memory/316-165-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1492-166-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1060-168-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1020-169-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1464-170-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/316-171-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1492-172-0x0000000010000000-0x0000000010018000-memory.dmp	upx

Loads dropped DLL 21 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exelsass.exeregsvr32.exeXplorer.exesmss.exeKHATRA.exegHost.exe

pid	process
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1060	lsass.exe
1060	lsass.exe
1060	lsass.exe
284	regsvr32.exe
316	Xplorer.exe
316	Xplorer.exe
296	smss.exe
1020	KHATRA.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
316	Xplorer.exe
1492	gHost.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gHost.exelsass.exe

description	ioc	process
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\f:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\f:	lsass.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1020-125-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/316-157-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1492-159-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

lsass.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Drops file in System32 directory 24 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\com\lsass.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\com\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\7305744.log	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\7305744.log	lsass.exe
File created	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File created	C:\Windows\SysWOW64\00302.log	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File created	C:\Windows\SysWOW64\00302.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log

Drops file in Windows directory 11 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
File created	C:\Windows\System\gHost.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\system\gHost.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\Xplorer.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File created	C:\Windows\KHATARNAKH.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1060	lsass.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Xplorer.exegHost.exe

pid process

316 Xplorer.exe
1492 gHost.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

460
460
460

pid	process
316	Xplorer.exe
1492	gHost.exe

pid	process
460
460
460

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe

description	pid	process
Token: SeDebugPrivilege	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
Token: SeDebugPrivilege	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
Token: SeDebugPrivilege	1060	lsass.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

pid process

1464 811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1020 KHATRA.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exeKHATRA.exe

pid process

1464 811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1020 KHATRA.exe

pid	process
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1020	KHATRA.exe

pid	process
1464	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1020	KHATRA.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exelsass.exe

pid	process
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
1060	lsass.exe
1060	lsass.exe
1060	lsass.exe
1060	lsass.exe
1440	lsass.exe
1440	lsass.exe
1440	lsass.exe
1440	lsass.exe
1060	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.loglsass.exe

description	pid	process	target process
PID 360 wrote to memory of 676	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cmd.exe
PID 360 wrote to memory of 676	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cmd.exe
PID 360 wrote to memory of 676	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cmd.exe
PID 360 wrote to memory of 676	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cmd.exe
PID 360 wrote to memory of 1812	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1812	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1812	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1812	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1292	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1292	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1292	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1292	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	cacls.exe
PID 360 wrote to memory of 1680	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
PID 360 wrote to memory of 1680	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
PID 360 wrote to memory of 1680	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
PID 360 wrote to memory of 1680	360	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
PID 1680 wrote to memory of 1092	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1092	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1092	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1092	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1724	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1724	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1724	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1724	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 628	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 628	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 628	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 628	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 528	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 528	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 528	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 528	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1208	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1208	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1208	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1208	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cacls.exe
PID 1680 wrote to memory of 1904	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1904	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1904	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1904	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1972	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1972	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1972	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1972	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	cmd.exe
PID 1680 wrote to memory of 1060	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1060	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1060	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1060	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1464	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
PID 1680 wrote to memory of 1464	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
PID 1680 wrote to memory of 1464	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
PID 1680 wrote to memory of 1464	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
PID 1680 wrote to memory of 1440	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1440	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1440	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1680 wrote to memory of 1440	1680	811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log	lsass.exe
PID 1060 wrote to memory of 1100	1060	lsass.exe	cmd.exe
PID 1060 wrote to memory of 1100	1060	lsass.exe	cmd.exe
PID 1060 wrote to memory of 1100	1060	lsass.exe	cmd.exe
PID 1060 wrote to memory of 1100	1060	lsass.exe	cmd.exe
PID 1060 wrote to memory of 1540	1060	lsass.exe	cacls.exe
PID 1060 wrote to memory of 1540	1060	lsass.exe	cacls.exe
PID 1060 wrote to memory of 1540	1060	lsass.exe	cacls.exe
PID 1060 wrote to memory of 1540	1060	lsass.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
"C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
2⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
2⤵
PID:1812

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
2⤵
PID:1292

\??\c:\users\admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
"c:\users\admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
3⤵
PID:1092

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
3⤵
PID:1724

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
3⤵
PID:628

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
3⤵
PID:528

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
3⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
3⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
3⤵
PID:1972

C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
4⤵
PID:1100

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:1540

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
4⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
4⤵
PID:540

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
4⤵
PID:1116

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
4⤵
PID:1872

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
4⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
4⤵
PID:1712

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:284

C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
4⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
4⤵
PID:188

C:\Users\Admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe
"C:\Users\Admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe"
3⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Windows\SysWOW64\KHATRA.exe
C:\Windows\system32\KHATRA.exe
4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1020

C:\Windows\Xplorer.exe
"C:\Windows\Xplorer.exe" /Windows
5⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:316

C:\Windows\System\gHost.exe
"C:\Windows\System\gHost.exe" /Reproduce
6⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
5⤵
PID:1668

C:\Windows\SysWOW64\at.exe
AT /delete /yes
6⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
4⤵
PID:1816

C:\Windows\SysWOW64\at.exe
AT /delete /yes
5⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
4⤵
PID:1540

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
5⤵
PID:1064

C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log

Filesize
658KB

MD5
2cd0d704b3e9dcacf36fc2aaf6ade830

SHA1
0249904537f633cca469da2546abebcbbbef0418

SHA256
811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9

SHA512
508ba5545455071733dba7349ffc1d28ba84667cb1736a5246d2ca80678386fa5c2f899f9cf1a10150f3f99d0b6748cea69990daa4ce8e3113c9c72e386f49ca

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
C:\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll

Filesize
16KB

MD5
83330f5f78aba88487b8258e39d97d7b

SHA1
94d3e30cce6920b303800e27e4aa51ce702c58e4

SHA256
5c1ed9804e9afc0b74922c10d781c85c0b98aa0a1624fb6636d656ce0aa30edf

SHA512
09704a4603f24c8cc7c6b75dab53de9cdd001d57a58ffb06fed30be8b293e0a70cff38dbda104e242d570c3e6be16ff41fe04e1876c2a48f7627927bc8fb1429

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
204a9a29e9f7f72fb01ad93efde7c873

SHA1
131136c4f9d46321733d1ac90bdd6d48654fa3ef

SHA256
1fdecf1d3b3e0236cd6e0b9b101d4a7d03b2095af765cb165dece4546b651078

SHA512
2a88052c99736eedb6653b1d420b3d2a55ed8e1822ba500b5bcd4fe3f65d878e79c4ca5d806a75e9e1f83a89d72b9592b9a1701b92489612243535ef086799f0

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
204a9a29e9f7f72fb01ad93efde7c873

SHA1
131136c4f9d46321733d1ac90bdd6d48654fa3ef

SHA256
1fdecf1d3b3e0236cd6e0b9b101d4a7d03b2095af765cb165dece4546b651078

SHA512
2a88052c99736eedb6653b1d420b3d2a55ed8e1822ba500b5bcd4fe3f65d878e79c4ca5d806a75e9e1f83a89d72b9592b9a1701b92489612243535ef086799f0

Download Submit
C:\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
204a9a29e9f7f72fb01ad93efde7c873

SHA1
131136c4f9d46321733d1ac90bdd6d48654fa3ef

SHA256
1fdecf1d3b3e0236cd6e0b9b101d4a7d03b2095af765cb165dece4546b651078

SHA512
2a88052c99736eedb6653b1d420b3d2a55ed8e1822ba500b5bcd4fe3f65d878e79c4ca5d806a75e9e1f83a89d72b9592b9a1701b92489612243535ef086799f0

Download Submit
C:\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
C:\Windows\Xplorer.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\Xplorer.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\system\gHost.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Windows\system\gHost.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\\KHATRA.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\??\c:\users\admin\appdata\local\temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log

Filesize
658KB

MD5
2cd0d704b3e9dcacf36fc2aaf6ade830

SHA1
0249904537f633cca469da2546abebcbbbef0418

SHA256
811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9

SHA512
508ba5545455071733dba7349ffc1d28ba84667cb1736a5246d2ca80678386fa5c2f899f9cf1a10150f3f99d0b6748cea69990daa4ce8e3113c9c72e386f49ca

Download Submit
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log

Filesize
658KB

MD5
2cd0d704b3e9dcacf36fc2aaf6ade830

SHA1
0249904537f633cca469da2546abebcbbbef0418

SHA256
811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9

SHA512
508ba5545455071733dba7349ffc1d28ba84667cb1736a5246d2ca80678386fa5c2f899f9cf1a10150f3f99d0b6748cea69990daa4ce8e3113c9c72e386f49ca

Download Submit
\Users\Admin\AppData\Local\Temp\811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9.exe.log

Filesize
658KB

MD5
2cd0d704b3e9dcacf36fc2aaf6ade830

SHA1
0249904537f633cca469da2546abebcbbbef0418

SHA256
811d6bc29223b3be6f9255f5cce649b1960f2e7be747a0381304c39dd2dd7da9

SHA512
508ba5545455071733dba7349ffc1d28ba84667cb1736a5246d2ca80678386fa5c2f899f9cf1a10150f3f99d0b6748cea69990daa4ce8e3113c9c72e386f49ca

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
\Windows\SysWOW64\com\lsass.exe

Filesize
91KB

MD5
90b82334e8fd572ce33817b78cf4f3cb

SHA1
1c6d1056d78ec5af32ce255332f6b6e65ad12a94

SHA256
e158d395caf24c157c44b3c968b78340e8d6ca68417ba10d81a7e77bbed028ee

SHA512
f23ea34771cb6d8d4d76103c1f3a5b155cea6fe51b98ead24e1ab024e7a2df9d346003ccbae20b68d133fcbd5d8e428be068bfc91f62d191a4526d8dbbabd559

Download Submit
\Windows\SysWOW64\com\netcfg.dll

Filesize
16KB

MD5
83330f5f78aba88487b8258e39d97d7b

SHA1
94d3e30cce6920b303800e27e4aa51ce702c58e4

SHA256
5c1ed9804e9afc0b74922c10d781c85c0b98aa0a1624fb6636d656ce0aa30edf

SHA512
09704a4603f24c8cc7c6b75dab53de9cdd001d57a58ffb06fed30be8b293e0a70cff38dbda104e242d570c3e6be16ff41fe04e1876c2a48f7627927bc8fb1429

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
204a9a29e9f7f72fb01ad93efde7c873

SHA1
131136c4f9d46321733d1ac90bdd6d48654fa3ef

SHA256
1fdecf1d3b3e0236cd6e0b9b101d4a7d03b2095af765cb165dece4546b651078

SHA512
2a88052c99736eedb6653b1d420b3d2a55ed8e1822ba500b5bcd4fe3f65d878e79c4ca5d806a75e9e1f83a89d72b9592b9a1701b92489612243535ef086799f0

Download Submit
\Windows\SysWOW64\com\smss.exe

Filesize
40KB

MD5
204a9a29e9f7f72fb01ad93efde7c873

SHA1
131136c4f9d46321733d1ac90bdd6d48654fa3ef

SHA256
1fdecf1d3b3e0236cd6e0b9b101d4a7d03b2095af765cb165dece4546b651078

SHA512
2a88052c99736eedb6653b1d420b3d2a55ed8e1822ba500b5bcd4fe3f65d878e79c4ca5d806a75e9e1f83a89d72b9592b9a1701b92489612243535ef086799f0

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\SysWOW64\dnsq.dll

Filesize
31KB

MD5
4f5f1f1e84e66699baae12674d1c53a6

SHA1
9bc4dc1121f2f4e641a8eec424be30a90f9c0428

SHA256
fef1f819acf0ba46071e6b6ed08d8494eed8eab34e51b0a2c8396ca25ac8969d

SHA512
4229c628e70c64bd5051fc1e1925ac1b5fbce97a2b33dfcac453713de85da1b9c7e36ae9f4bfae8be9e16dc2229e71b8202c915f0ba0c32a455055373464dc2c

Download Submit
\Windows\system\gHost.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
\Windows\system\gHost.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
memory/188-173-0x0000000000000000-mapping.dmp

Download
memory/284-130-0x0000000000000000-mapping.dmp

Download
memory/296-135-0x0000000000000000-mapping.dmp

Download
memory/296-160-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/316-165-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/316-127-0x0000000000000000-mapping.dmp

Download
memory/316-171-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/316-157-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/360-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/360-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/360-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/360-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/528-69-0x0000000000000000-mapping.dmp

Download
memory/540-103-0x0000000000000000-mapping.dmp

Download
memory/560-106-0x0000000000000000-mapping.dmp

Download
memory/628-167-0x0000000000000000-mapping.dmp

Download
memory/628-68-0x0000000000000000-mapping.dmp

Download
memory/676-56-0x0000000000000000-mapping.dmp

Download
memory/1020-125-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1020-169-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1020-112-0x0000000000000000-mapping.dmp

Download
memory/1020-161-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1020-126-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/1060-158-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1060-79-0x0000000000000000-mapping.dmp

Download
memory/1060-168-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1060-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1064-152-0x0000000000000000-mapping.dmp

Download
memory/1092-66-0x0000000000000000-mapping.dmp

Download
memory/1100-97-0x0000000000000000-mapping.dmp

Download
memory/1116-104-0x0000000000000000-mapping.dmp

Download
memory/1208-70-0x0000000000000000-mapping.dmp

Download
memory/1292-101-0x0000000000000000-mapping.dmp

Download
memory/1292-58-0x0000000000000000-mapping.dmp

Download
memory/1432-155-0x0000000000000000-mapping.dmp

Download
memory/1440-109-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1440-99-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1440-89-0x0000000000000000-mapping.dmp

Download
memory/1464-170-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1464-124-0x0000000003A50000-0x0000000003ADD000-memory.dmp

Filesize
564KB

Download
memory/1464-123-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1464-98-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1464-162-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1464-86-0x0000000000000000-mapping.dmp

Download
memory/1492-142-0x0000000000000000-mapping.dmp

Download
memory/1492-166-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1492-159-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1492-172-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1540-151-0x0000000000000000-mapping.dmp

Download
memory/1540-100-0x0000000000000000-mapping.dmp

Download
memory/1572-148-0x0000000000000000-mapping.dmp

Download
memory/1668-154-0x0000000000000000-mapping.dmp

Download
memory/1680-62-0x0000000000000000-mapping.dmp

Download
memory/1680-96-0x0000000002CB0000-0x0000000002CDC000-memory.dmp

Filesize
176KB

Download
memory/1680-95-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1680-84-0x0000000002CB0000-0x0000000002CDC000-memory.dmp

Filesize
176KB

Download
memory/1680-82-0x0000000002CB0000-0x0000000002CDC000-memory.dmp

Filesize
176KB

Download
memory/1680-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1712-116-0x0000000000000000-mapping.dmp

Download
memory/1724-67-0x0000000000000000-mapping.dmp

Download
memory/1812-57-0x0000000000000000-mapping.dmp

Download
memory/1816-140-0x0000000000000000-mapping.dmp

Download
memory/1872-105-0x0000000000000000-mapping.dmp

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download
memory/1972-76-0x0000000000000000-mapping.dmp

Download
memory/1996-108-0x0000000000000000-mapping.dmp

Download