6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Size

647KB
MD5

0b220f8a748fa02e6728cab8a918336e
SHA1

cb0d4c1a190b15eb8514c42ef3068f724eed2715
SHA256

6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35
SHA512

d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc
SSDEEP

12288:ecA6SbVi42BFx8dU5pbHy/1fweshYAlB4XPKAkP3:eOSb32H6W5pby69F/39f

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tazebama.dl_

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 8 IoCs

pid	Process
900	tazebama.dl_
2028	KHATRA.exe
1972	tazebama.dl_
1120	Xplorer.exe
1784	gHost.exe
824	tazebama.dl_
592	tazebama.dl_
1652	OUTLOOK.EXE

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
672	netsh.exe
564	netsh.exe

Loads dropped DLL 27 IoCs

pid	Process
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2028	KHATRA.exe
2028	KHATRA.exe
2028	KHATRA.exe
524	WerFault.exe
524	WerFault.exe
524	WerFault.exe
1120	Xplorer.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1120	Xplorer.exe
1120	Xplorer.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1784	gHost.exe
1784	gHost.exe
1784	gHost.exe
524	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\f:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1800-88-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/2028-96-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/1120-124-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/1784-127-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/1800-154-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/2028-155-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/1120-156-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral1/memory/1784-157-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\OUTLOOK.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	tazebama.dl_

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Xplorer.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\system\gHost.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\KHATARNAKH.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\System\gHost.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
524	1972	WerFault.exe	30
636	1652	WerFault.exe	60

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	tazebama.dl_
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1784	gHost.exe
1120	Xplorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: SeIncBasePriorityPrivilege	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: 33	2028	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2028	KHATRA.exe
Token: 33	1120	Xplorer.exe
Token: SeIncBasePriorityPrivilege	1120	Xplorer.exe
Token: 33	1784	gHost.exe
Token: SeIncBasePriorityPrivilege	1784	gHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2028	KHATRA.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2028	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 900	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	28
PID 1800 wrote to memory of 900	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	28
PID 1800 wrote to memory of 900	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	28
PID 1800 wrote to memory of 900	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	28
PID 1800 wrote to memory of 2028	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	29
PID 1800 wrote to memory of 2028	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	29
PID 1800 wrote to memory of 2028	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	29
PID 1800 wrote to memory of 2028	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	29
PID 2028 wrote to memory of 1972	2028	KHATRA.exe	30
PID 2028 wrote to memory of 1972	2028	KHATRA.exe	30
PID 2028 wrote to memory of 1972	2028	KHATRA.exe	30
PID 2028 wrote to memory of 1972	2028	KHATRA.exe	30
PID 1972 wrote to memory of 524	1972	tazebama.dl_	31
PID 1972 wrote to memory of 524	1972	tazebama.dl_	31
PID 1972 wrote to memory of 524	1972	tazebama.dl_	31
PID 1972 wrote to memory of 524	1972	tazebama.dl_	31
PID 2028 wrote to memory of 1120	2028	KHATRA.exe	32
PID 2028 wrote to memory of 1120	2028	KHATRA.exe	32
PID 2028 wrote to memory of 1120	2028	KHATRA.exe	32
PID 2028 wrote to memory of 1120	2028	KHATRA.exe	32
PID 1120 wrote to memory of 824	1120	Xplorer.exe	33
PID 1120 wrote to memory of 824	1120	Xplorer.exe	33
PID 1120 wrote to memory of 824	1120	Xplorer.exe	33
PID 1120 wrote to memory of 824	1120	Xplorer.exe	33
PID 1800 wrote to memory of 1784	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	34
PID 1800 wrote to memory of 1784	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	34
PID 1800 wrote to memory of 1784	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	34
PID 1800 wrote to memory of 1784	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	34
PID 1784 wrote to memory of 592	1784	gHost.exe	35
PID 1784 wrote to memory of 592	1784	gHost.exe	35
PID 1784 wrote to memory of 592	1784	gHost.exe	35
PID 1784 wrote to memory of 592	1784	gHost.exe	35
PID 2028 wrote to memory of 576	2028	KHATRA.exe	36
PID 2028 wrote to memory of 576	2028	KHATRA.exe	36
PID 2028 wrote to memory of 576	2028	KHATRA.exe	36
PID 2028 wrote to memory of 576	2028	KHATRA.exe	36
PID 576 wrote to memory of 696	576	cmd.exe	38
PID 576 wrote to memory of 696	576	cmd.exe	38
PID 576 wrote to memory of 696	576	cmd.exe	38
PID 576 wrote to memory of 696	576	cmd.exe	38
PID 2028 wrote to memory of 788	2028	KHATRA.exe	39
PID 2028 wrote to memory of 788	2028	KHATRA.exe	39
PID 2028 wrote to memory of 788	2028	KHATRA.exe	39
PID 2028 wrote to memory of 788	2028	KHATRA.exe	39
PID 788 wrote to memory of 1372	788	cmd.exe	41
PID 788 wrote to memory of 1372	788	cmd.exe	41
PID 788 wrote to memory of 1372	788	cmd.exe	41
PID 788 wrote to memory of 1372	788	cmd.exe	41
PID 1800 wrote to memory of 1696	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	42
PID 1800 wrote to memory of 1696	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	42
PID 1800 wrote to memory of 1696	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	42
PID 1800 wrote to memory of 1696	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	42
PID 1696 wrote to memory of 1788	1696	cmd.exe	44
PID 1696 wrote to memory of 1788	1696	cmd.exe	44
PID 1696 wrote to memory of 1788	1696	cmd.exe	44
PID 1696 wrote to memory of 1788	1696	cmd.exe	44
PID 1800 wrote to memory of 1748	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	45
PID 1800 wrote to memory of 1748	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	45
PID 1800 wrote to memory of 1748	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	45
PID 1800 wrote to memory of 1748	1800	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	45
PID 1748 wrote to memory of 1980	1748	cmd.exe	47
PID 1748 wrote to memory of 1980	1748	cmd.exe	47
PID 1748 wrote to memory of 1980	1748	cmd.exe	47
PID 1748 wrote to memory of 1980	1748	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
"C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 328
      4⤵
      Loads dropped DLL
      Program crash
      PID:524
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:564
- C:\Windows\System\gHost.exe
  "C:\Windows\System\gHost.exe" /Reproduce
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  PID:1380
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:672

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Executes dropped EXE
PID:1652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 136
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE

Filesize
19.9MB

MD5
917508749d04b459dc3eb87eb8bd2dd3

SHA1
aa57ef5b51a5087c5e7e8224c833beab29005d1d

SHA256
3da97e1464858bb84d807c486431ec5adff1a95d1affc192ead8ee707e17f4fc

SHA512
eca153d6ecee35550642774563c633e71a1ece4521b1f23c87bd872a6add84d94ec9e3ad7f6b4b455ee9a2f32c38ae57da635c8245729ec4f406ced307c389ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
606efc4eab23547240dc3ed6f1563df0

SHA1
1c8aa5d26353258edf4a8f6e8e8189d8dcd7d391

SHA256
07628fa5ca11bd7269a0e1e1f5b42221f8ff628a94ab0a275cf8e3405eb2cad0

SHA512
33b5a68680369782fe7bcf78556a7f59d913ec84b408d3d63e8e223ceb938cae8c130de2770e05c358e048b86740ac05c604b61ed6bc8941be95f83657b37497

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\system\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\system\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
149KB

MD5
d5a9b8f260383da96191cae974ca241c

SHA1
9c5160578a6e94dd640c0ce2ffd31b7b620f874c

SHA256
b2025ca254df3763becb25547d537af3c0d1d4be0b29caa98419b0e60249db99

SHA512
e6c36b1b63b83fb51ae13e9241db7e2974a79622d4af7e927fd5bc01d288e88a29938e84e2eee9924e3be11ebfa2241825bab8b6da49019b536b221032180c70

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Filesize
15.3MB

MD5
e3fdb6efab85edaee11e6c8ef1e4b6a0

SHA1
f1a8e4301adc62ca7a258188b3bd9c8f557dc4db

SHA256
e6b1fe5dfcd0fc78c81e34e1b550a1fb65f779c707ebd6bd0ec8f52c521fcf18

SHA512
6e2279852298a09d4e99efc2cfa1326512b6320c3f2dcbd00305f2bfe8610e68ad6a8271963b6c568ebacb0cbe136aa91b9693554f20485d265af8ba1cc9524f

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
\Windows\system\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
\Windows\system\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
memory/592-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/824-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/900-59-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/900-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1120-126-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/1120-125-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/1120-124-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1120-156-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1652-168-0x000000002F6F0000-0x000000003061A000-memory.dmp

Filesize
15.2MB

Download
memory/1784-157-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1784-127-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1784-128-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1800-89-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1800-154-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1800-169-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1800-88-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1800-170-0x0000000004310000-0x00000000043D5000-memory.dmp

Filesize
788KB

Download
memory/1800-90-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1800-91-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1800-92-0x0000000004310000-0x00000000043D5000-memory.dmp

Filesize
788KB

Download
memory/1972-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-96-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2028-123-0x0000000003E90000-0x0000000003F55000-memory.dmp

Filesize
788KB

Download
memory/2028-155-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2028-171-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download