Analysis
-
max time kernel
155s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-10-2022 03:43
General
-
Target
4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe
-
Size
457KB
-
MD5
4303740f657093a0dbcc65ffb1896700
-
SHA1
41f6fc777321df9088b468b7a233dfc27276b343
-
SHA256
4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
-
SHA512
eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
SSDEEP
12288:QSo6xg5kN530xuooqMVwsgS0Tyv9H7ef/:Y6u5030x+gS0TyvN+
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 9 IoCs
Detects file using ACProtect software.
-
Adds policy Run key to start application 2 TTPs 36 IoCs
-
Disables RegEdit via registry modification 18 IoCs
-
Executes dropped EXE 19 IoCs
-
Modifies Windows Firewall 1 TTPs 17 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 17 IoCs
-
Adds Run key to start application 2 TTPs 58 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 18 IoCs
-
AutoIT Executable 36 IoCs
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file 1 TTPs 17 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 38 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe"C:\Users\Admin\AppData\Local\Temp\4294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415.exe"1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Xplorer.exe"C:\Windows\Xplorer.exe" /Windows3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Modifies Windows Firewall
-
C:\Windows\System\gHost.exe"C:\Windows\System\gHost.exe" /Reproduce2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe3⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes4⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll4⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll5⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll3⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD5c12acab3a85f3c1e09b642410a58d718
SHA1df0d4ac1b255ab81e49fd260c43c3810a3ea8512
SHA25694511b2fe81868ff3973d5c22d02661dee7fb97daf001c0db7eb32425cb0d93c
SHA512dbccbaee6bb7de14681d708d69de548050a5ee4cac4d7476cf3a212216ca9c000e885a26269742e9fc5ce39077cee2203097b0037f19ea3f9c8cca8d2667a75b
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD50f22fffb7310acf9850da90a5b4cf6e1
SHA1c05cadc4422d7ea92fb10885c69da5f8a564ea3d
SHA25678ceca811979bcd1c60e996d9dad596a8f7b08f8d89b3f1e26f11d23beffeb04
SHA512f7bf931a5e33a6e6f61ce9ade12d17270f5bc8d0165d55929f48c7be178e24ef067d91900f51a6f92bfcaaaab27d5177cd370d8304aa8f2163dbe14a530c3176
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD5d4789419f0fa4d5e059c154540eb59a2
SHA1b1fb7dd086634e3b1f9596e70fdba82d05095f54
SHA25677762a586f4c6aa6e9fda279afdc8315fbb2f060160a59587ce21bb5c4ad9158
SHA512d8790941ec10638137ec40671327669206e0b8123941418abab16cf9d0613c95d212d20fc8257cf24bd81d0763865667a8ecb72854509da9d3e8871916262c9e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Documents\My Music.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Users\Admin\Documents\My Videos\My Videos.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\KHATARNAKH.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\SysWOW64\avphost.dllFilesize
127KB
MD5d47ebd342b6906a2fda10d70560bcd5a
SHA1c1b54deb14d47e539bc6aea1464edb38fad4b87f
SHA25600a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2
SHA512626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1
-
C:\Windows\System\gHost.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\System\gHost.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\Xplorer.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\Xplorer.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\inf\Autoplay.inFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\\KHATRA.exeFilesize
457KB
MD54303740f657093a0dbcc65ffb1896700
SHA141f6fc777321df9088b468b7a233dfc27276b343
SHA2564294637edeceeff8e5db5b9355fd260ad6015a53e0835290140507bbac969415
SHA512eb46a6f36ea29eb987b115c83ba6f4211f03978454a33edb0bea01c8d5845791b7821e7ed23a73c2683eb2447f28cf039c2ae103c550d20122254f6767da7cda
-
memory/176-149-0x0000000000000000-mapping.dmp
-
memory/212-205-0x0000000000000000-mapping.dmp
-
memory/316-150-0x0000000000000000-mapping.dmp
-
memory/480-152-0x0000000000000000-mapping.dmp
-
memory/492-273-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/492-272-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/836-265-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/836-264-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1076-154-0x0000000000000000-mapping.dmp
-
memory/1120-282-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1120-283-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1264-213-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1264-211-0x0000000000000000-mapping.dmp
-
memory/1264-226-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1512-277-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1512-276-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1520-133-0x0000000000000000-mapping.dmp
-
memory/1520-136-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1520-177-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1748-222-0x0000000000000000-mapping.dmp
-
memory/1784-279-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1784-278-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/1812-225-0x0000000000000000-mapping.dmp
-
memory/1836-221-0x0000000000000000-mapping.dmp
-
memory/1836-163-0x0000000000000000-mapping.dmp
-
memory/1840-234-0x0000000000000000-mapping.dmp
-
memory/1844-156-0x0000000000000000-mapping.dmp
-
memory/1856-233-0x0000000000000000-mapping.dmp
-
memory/1860-206-0x0000000000000000-mapping.dmp
-
memory/1936-218-0x0000000000000000-mapping.dmp
-
memory/1956-168-0x0000000010000000-0x000000001005C000-memory.dmpFilesize
368KB
-
memory/1956-164-0x0000000000000000-mapping.dmp
-
memory/2044-193-0x0000000000000000-mapping.dmp
-
memory/2084-254-0x0000000000000000-mapping.dmp
-
memory/2128-162-0x0000000000000000-mapping.dmp
-
memory/2252-263-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2252-260-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2252-192-0x0000000000000000-mapping.dmp
-
memory/2340-219-0x0000000000000000-mapping.dmp
-
memory/2372-147-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2372-270-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2372-143-0x0000000000000000-mapping.dmp
-
memory/2392-274-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2392-275-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2428-170-0x0000000000000000-mapping.dmp
-
memory/2428-236-0x0000000000000000-mapping.dmp
-
memory/2544-169-0x0000000000000000-mapping.dmp
-
memory/2544-269-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2544-268-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/2584-161-0x0000000000000000-mapping.dmp
-
memory/2840-256-0x0000000000000000-mapping.dmp
-
memory/2900-200-0x0000000000000000-mapping.dmp
-
memory/3016-209-0x0000000000000000-mapping.dmp
-
memory/3076-151-0x0000000000000000-mapping.dmp
-
memory/3080-217-0x0000000000000000-mapping.dmp
-
memory/3120-249-0x0000000000000000-mapping.dmp
-
memory/3132-243-0x0000000000000000-mapping.dmp
-
memory/3132-250-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/3132-258-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/3168-185-0x0000000000000000-mapping.dmp
-
memory/3196-155-0x0000000000000000-mapping.dmp
-
memory/3208-227-0x0000000000000000-mapping.dmp
-
memory/3208-230-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/3208-242-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/3428-189-0x0000000000000000-mapping.dmp
-
memory/3464-252-0x0000000000000000-mapping.dmp
-
memory/3472-153-0x0000000000000000-mapping.dmp
-
memory/3512-241-0x0000000000000000-mapping.dmp
-
memory/3556-201-0x0000000000000000-mapping.dmp
-
memory/3576-253-0x0000000000000000-mapping.dmp
-
memory/3748-251-0x0000000000000000-mapping.dmp
-
memory/3820-172-0x0000000000000000-mapping.dmp
-
memory/3936-248-0x0000000000000000-mapping.dmp
-
memory/3992-224-0x0000000000000000-mapping.dmp
-
memory/4084-190-0x0000000000000000-mapping.dmp
-
memory/4120-204-0x0000000000000000-mapping.dmp
-
memory/4128-271-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4128-148-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4128-145-0x0000000000000000-mapping.dmp
-
memory/4132-194-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4132-182-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4132-179-0x0000000000000000-mapping.dmp
-
memory/4344-281-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4344-280-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4424-208-0x0000000000000000-mapping.dmp
-
memory/4440-237-0x0000000000000000-mapping.dmp
-
memory/4504-171-0x0000000000000000-mapping.dmp
-
memory/4552-188-0x0000000000000000-mapping.dmp
-
memory/4596-178-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4596-132-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4652-266-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4652-267-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4668-235-0x0000000000000000-mapping.dmp
-
memory/4696-238-0x0000000000000000-mapping.dmp
-
memory/4792-186-0x0000000000000000-mapping.dmp
-
memory/4844-220-0x0000000000000000-mapping.dmp
-
memory/4884-203-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4884-195-0x0000000000000000-mapping.dmp
-
memory/4884-210-0x0000000000400000-0x0000000000498000-memory.dmpFilesize
608KB
-
memory/4948-240-0x0000000000000000-mapping.dmp
-
memory/5040-202-0x0000000000000000-mapping.dmp
-
memory/5060-187-0x0000000000000000-mapping.dmp
-
memory/5068-257-0x0000000000000000-mapping.dmp