Analysis
-
max time kernel
154s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
03-10-2022 03:43
General
-
Target
0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe
-
Size
535KB
-
MD5
6acd1647078d560a5ec3d53f85b5c709
-
SHA1
5d55d16df9e337800c7410a819ee7b56f7b4b31e
-
SHA256
0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
-
SHA512
08dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
SSDEEP
12288:vSo6xg5kN530xuooqMVwsgTo6xg5kN530xuooqT:b6u5030x+gE6u5030xD
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 40 IoCs
-
Disables RegEdit via registry modification 20 IoCs
-
Executes dropped EXE 25 IoCs
-
Modifies Windows Firewall 1 TTPs 20 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 20 IoCs
-
AutoIT Executable 48 IoCs
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file 1 TTPs 20 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 39 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 40 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe"C:\Users\Admin\AppData\Local\Temp\0ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9.exe"1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe2⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Xplorer.exe"C:\Windows\Xplorer.exe" /Windows3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Modifies Windows Firewall
-
C:\Windows\System\gHost.exe"C:\Windows\System\gHost.exe" /Reproduce2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD55b9cb340f13ec70567c333b3ab6c37aa
SHA16229271e28e7dc4b4f35d2c0f12d66199f426a17
SHA2566ccdec87e83b0347b3cea3a7525e9ac59d96210c88bd09b0b5ce4a7bf5fae3d8
SHA51267f04ebefef1b3b4d57d27e192ad491eeaa56de9a8fa50eb2e6ef6704b9158e04c06886d3da8ffc026d0e9fcff6764fc569457f95ee47a7715e85616b359e358
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD55e73ed7962a0f6993cfb417336157d4c
SHA16249badb0d2ef7be473e46b21bd55c033ef91fdb
SHA25642b3fd63ec7278a6bdeca9cd393626a7b20ca33b3f887d628e37be2ce3438873
SHA512b1352d1cacbf1ae3234a1a77985e74e14b0e5c558caa613f007f54534b646c2ad4cb6f69d7abb1be7e51df30fff0c4df06cf5e1318b222f2ec56e8787f1a27a0
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKFilesize
1KB
MD52945d16a3f0ab67b33a14610815edb4d
SHA1b6763f03c1d40e8d617b451754f9b580310a2141
SHA256c1649405628fe553e86d96703bf8de3f34f3cf8baa8c68fb1f7a8ee685ac64fd
SHA512b6fd01b17ca643a17257592a704c8ace2d47eda4943fd5b81cdf1c38de1a9044d3cfbe2adad880d79a1ec83f9f10a3037390bb183d1bc2c5c7decb104cce82fd
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\KHATARNAKH.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\SysWOW64\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\System\gHost.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\System\gHost.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\Xplorer.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\Xplorer.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\Windows\inf\Autoplay.inFFilesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
C:\\KHATRA.exeFilesize
535KB
MD56acd1647078d560a5ec3d53f85b5c709
SHA15d55d16df9e337800c7410a819ee7b56f7b4b31e
SHA2560ab40251273af3a0e2c76935d1176ca71e898c5a935d9aed1a8f4b21a0e0d8c9
SHA51208dc141a957f1e5bcd1c92f51093abd1b8dfcfccfccc2f5572a0304282ad93f05ce47900a799b1e8b1705f22e74ad84a6203db89a637333f347974df64fe47a9
-
\??\PIPE\atsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/576-235-0x0000000000000000-mapping.dmp
-
memory/768-187-0x0000000000000000-mapping.dmp
-
memory/800-185-0x0000000000000000-mapping.dmp
-
memory/940-150-0x0000000000000000-mapping.dmp
-
memory/1108-233-0x0000000000000000-mapping.dmp
-
memory/1108-290-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1108-289-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1332-156-0x0000000000000000-mapping.dmp
-
memory/1588-276-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1588-275-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1596-201-0x0000000000000000-mapping.dmp
-
memory/1620-277-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1620-278-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1680-160-0x0000000000000000-mapping.dmp
-
memory/1680-250-0x0000000000000000-mapping.dmp
-
memory/1776-220-0x0000000000000000-mapping.dmp
-
memory/1788-154-0x0000000000000000-mapping.dmp
-
memory/1824-249-0x0000000000000000-mapping.dmp
-
memory/1984-163-0x0000000000000000-mapping.dmp
-
memory/2040-246-0x0000000000000000-mapping.dmp
-
memory/2044-149-0x0000000000000000-mapping.dmp
-
memory/2156-258-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2156-256-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2280-153-0x0000000000000000-mapping.dmp
-
memory/2320-266-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2320-267-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2332-161-0x0000000000000000-mapping.dmp
-
memory/2412-247-0x0000000000000000-mapping.dmp
-
memory/2440-152-0x0000000000000000-mapping.dmp
-
memory/2716-204-0x0000000000000000-mapping.dmp
-
memory/2716-132-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2716-170-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2788-238-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2788-224-0x0000000000000000-mapping.dmp
-
memory/2788-227-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2824-133-0x0000000000000000-mapping.dmp
-
memory/2824-169-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2824-137-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2888-194-0x0000000000000000-mapping.dmp
-
memory/2888-208-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2888-197-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2964-189-0x0000000000000000-mapping.dmp
-
memory/3088-291-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3108-286-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3108-285-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3144-218-0x0000000000000000-mapping.dmp
-
memory/3148-231-0x0000000000000000-mapping.dmp
-
memory/3200-165-0x0000000000000000-mapping.dmp
-
memory/3240-248-0x0000000000000000-mapping.dmp
-
memory/3256-214-0x0000000000000000-mapping.dmp
-
memory/3296-171-0x0000000000000000-mapping.dmp
-
memory/3296-176-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3296-177-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3344-203-0x0000000000000000-mapping.dmp
-
memory/3352-219-0x0000000000000000-mapping.dmp
-
memory/3352-186-0x0000000000000000-mapping.dmp
-
memory/3356-164-0x0000000000000000-mapping.dmp
-
memory/3424-209-0x0000000000000000-mapping.dmp
-
memory/3424-215-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3424-223-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3444-232-0x0000000000000000-mapping.dmp
-
memory/3472-216-0x0000000000000000-mapping.dmp
-
memory/3492-200-0x0000000000000000-mapping.dmp
-
memory/3528-202-0x0000000000000000-mapping.dmp
-
memory/3564-237-0x0000000000000000-mapping.dmp
-
memory/3572-284-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3572-282-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3628-151-0x0000000000000000-mapping.dmp
-
memory/3640-172-0x0000000000000000-mapping.dmp
-
memory/3640-175-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3640-178-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3700-271-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3700-148-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3700-145-0x0000000000000000-mapping.dmp
-
memory/3712-221-0x0000000000000000-mapping.dmp
-
memory/3748-191-0x0000000000000000-mapping.dmp
-
memory/3772-264-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3772-260-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3864-236-0x0000000000000000-mapping.dmp
-
memory/3864-222-0x0000000000000000-mapping.dmp
-
memory/3896-283-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3896-281-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3972-269-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/3972-268-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4072-159-0x0000000000000000-mapping.dmp
-
memory/4228-192-0x0000000000000000-mapping.dmp
-
memory/4260-245-0x0000000000000000-mapping.dmp
-
memory/4276-217-0x0000000000000000-mapping.dmp
-
memory/4296-279-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4296-280-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4332-207-0x0000000000000000-mapping.dmp
-
memory/4364-193-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4364-179-0x0000000000000000-mapping.dmp
-
memory/4364-181-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4452-162-0x0000000000000000-mapping.dmp
-
memory/4596-273-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4596-274-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4604-205-0x0000000000000000-mapping.dmp
-
memory/4748-147-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4748-270-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4748-143-0x0000000000000000-mapping.dmp
-
memory/4760-288-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4760-287-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4824-272-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4824-188-0x0000000000000000-mapping.dmp
-
memory/4920-239-0x0000000000000000-mapping.dmp
-
memory/4920-251-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4920-242-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4952-158-0x0000000000000000-mapping.dmp
-
memory/5040-234-0x0000000000000000-mapping.dmp
-
memory/5088-230-0x0000000000000000-mapping.dmp
-
memory/5088-155-0x0000000000000000-mapping.dmp
-
memory/5088-206-0x0000000000000000-mapping.dmp
-
memory/5108-190-0x0000000000000000-mapping.dmp