6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

Analysis

max time kernel
152s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Size

647KB
MD5

0b220f8a748fa02e6728cab8a918336e
SHA1

cb0d4c1a190b15eb8514c42ef3068f724eed2715
SHA256

6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35
SHA512

d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc
SSDEEP

12288:ecA6SbVi42BFx8dU5pbHy/1fweshYAlB4XPKAkP3:eOSb32H6W5pby69F/39f

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 15 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 40 IoCs

pid	Process
4424	tazebama.dl_
4892	KHATRA.exe
5100	tazebama.dl_
3308	Xplorer.exe
1180	tazebama.dl_
4912	gHost.exe
1020	gHost.exe
676	gHost.exe
1080	tazebama.dl_
5116	tazebama.dl_
220	tazebama.dl_
2908	gHost.exe
5024	tazebama.dl_
1376	KHATRA.exe
1056	tazebama.dl_
4216	KHATRA.exe
4248	tazebama.dl_
5060	KHATRA.exe
3232	tazebama.dl_
2280	KHATRA.exe
3924	tazebama.dl_
5116	KHATRA.exe
2216	tazebama.dl_
3452	KHATRA.exe
3352	tazebama.dl_
1864	KHATRA.exe
5036	tazebama.dl_
2764	KHATRA.exe
624	tazebama.dl_
2288	KHATRA.exe
4912	tazebama.dl_
3644	KHATRA.exe
4864	tazebama.dl_
3304	KHATRA.exe
4936	tazebama.dl_
4200	KHATRA.exe
4236	tazebama.dl_
2428	KHATRA.exe
4972	tazebama.dl_
4188	KHATRA.exe

Modifies Windows Firewall 1 TTPs 15 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5032	netsh.exe
3576	netsh.exe
1716	netsh.exe
1244	netsh.exe
1576	netsh.exe
4460	netsh.exe
4196	netsh.exe
2884	netsh.exe
2256	netsh.exe
816	netsh.exe
2156	netsh.exe
2500	netsh.exe
3752	netsh.exe
3140	netsh.exe
748	netsh.exe

Loads dropped DLL 21 IoCs

pid	Process
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892	KHATRA.exe
3308	Xplorer.exe
4912	gHost.exe
1020	gHost.exe
676	gHost.exe
2908	gHost.exe
1376	KHATRA.exe
4216	KHATRA.exe
5060	KHATRA.exe
2280	KHATRA.exe
5116	KHATRA.exe
3452	KHATRA.exe
1864	KHATRA.exe
2764	KHATRA.exe
2288	KHATRA.exe
3644	KHATRA.exe
3304	KHATRA.exe
4200	KHATRA.exe
2428	KHATRA.exe
4188	KHATRA.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\K:	tazebama.dl_

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 43 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2696-136-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2696-138-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4892-148-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3308-162-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4892-163-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4912-185-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1020-186-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/676-187-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3308-188-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4912-192-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1020-193-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/676-190-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2908-208-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2908-209-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2908-215-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2696-221-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4892-225-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1376-236-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1376-237-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1376-250-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4216-264-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4216-273-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5060-277-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5060-278-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5060-287-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2280-291-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2280-296-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5116-298-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5116-299-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5116-300-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3452-301-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3308-303-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3452-304-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1864-305-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1864-307-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2764-308-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2764-309-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2908-311-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2764-312-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2288-314-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2288-315-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3644-317-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3644-318-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 39 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\KHATARNAKH.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4772	4424	WerFault.exe	80
748	1056	WerFault.exe	125
4532	4248	WerFault.exe	144
4300	3924	WerFault.exe	175
4580	2216	WerFault.exe	191
4760	3352	WerFault.exe	207
3952	5036	WerFault.exe	223
3792	624	WerFault.exe	239
2216	4864	WerFault.exe	269
3452	4936	WerFault.exe	285
4740	4236	WerFault.exe	301
3560	4972	WerFault.exe	317

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	tazebama.dl_
4424	tazebama.dl_
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3308	Xplorer.exe
2908	gHost.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: 33	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: SeIncBasePriorityPrivilege	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: 33	4892	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4892	KHATRA.exe
Token: 33	3308	Xplorer.exe
Token: SeIncBasePriorityPrivilege	3308	Xplorer.exe
Token: 33	4912	gHost.exe
Token: SeIncBasePriorityPrivilege	4912	gHost.exe
Token: 33	1020	gHost.exe
Token: SeIncBasePriorityPrivilege	1020	gHost.exe
Token: 33	676	gHost.exe
Token: SeIncBasePriorityPrivilege	676	gHost.exe
Token: 33	2908	gHost.exe
Token: SeIncBasePriorityPrivilege	2908	gHost.exe
Token: 33	1376	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1376	KHATRA.exe
Token: 33	4216	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4216	KHATRA.exe
Token: 33	5060	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5060	KHATRA.exe
Token: 33	2280	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2280	KHATRA.exe
Token: 33	5116	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5116	KHATRA.exe
Token: 33	3452	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3452	KHATRA.exe
Token: 33	1864	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1864	KHATRA.exe
Token: 33	2764	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2764	KHATRA.exe
Token: 33	2288	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2288	KHATRA.exe
Token: 33	3644	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3644	KHATRA.exe
Token: 33	3304	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3304	KHATRA.exe
Token: 33	4200	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4200	KHATRA.exe
Token: 33	2428	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2428	KHATRA.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892	KHATRA.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892	KHATRA.exe
1376	KHATRA.exe
1376	KHATRA.exe
4216	KHATRA.exe
4216	KHATRA.exe
5060	KHATRA.exe
5060	KHATRA.exe
2280	KHATRA.exe
2280	KHATRA.exe
5116	KHATRA.exe
5116	KHATRA.exe
3452	KHATRA.exe
3452	KHATRA.exe
1864	KHATRA.exe
1864	KHATRA.exe
2764	KHATRA.exe
2764	KHATRA.exe
2288	KHATRA.exe
2288	KHATRA.exe
3644	KHATRA.exe
3644	KHATRA.exe
3304	KHATRA.exe
3304	KHATRA.exe
4200	KHATRA.exe
4200	KHATRA.exe
2428	KHATRA.exe
2428	KHATRA.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892	KHATRA.exe
2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892	KHATRA.exe
1376	KHATRA.exe
1376	KHATRA.exe
4216	KHATRA.exe
4216	KHATRA.exe
5060	KHATRA.exe
5060	KHATRA.exe
2280	KHATRA.exe
2280	KHATRA.exe
5116	KHATRA.exe
5116	KHATRA.exe
3452	KHATRA.exe
3452	KHATRA.exe
1864	KHATRA.exe
1864	KHATRA.exe
2764	KHATRA.exe
2764	KHATRA.exe
2288	KHATRA.exe
2288	KHATRA.exe
3644	KHATRA.exe
3644	KHATRA.exe
3304	KHATRA.exe
3304	KHATRA.exe
4200	KHATRA.exe
4200	KHATRA.exe
2428	KHATRA.exe
2428	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 4424	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	80
PID 2696 wrote to memory of 4424	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	80
PID 2696 wrote to memory of 4424	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	80
PID 2696 wrote to memory of 4892	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	84
PID 2696 wrote to memory of 4892	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	84
PID 2696 wrote to memory of 4892	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	84
PID 4892 wrote to memory of 5100	4892	KHATRA.exe	85
PID 4892 wrote to memory of 5100	4892	KHATRA.exe	85
PID 4892 wrote to memory of 5100	4892	KHATRA.exe	85
PID 2696 wrote to memory of 3308	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	86
PID 2696 wrote to memory of 3308	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	86
PID 2696 wrote to memory of 3308	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	86
PID 3308 wrote to memory of 1180	3308	Xplorer.exe	87
PID 3308 wrote to memory of 1180	3308	Xplorer.exe	87
PID 3308 wrote to memory of 1180	3308	Xplorer.exe	87
PID 3308 wrote to memory of 1020	3308	Xplorer.exe	88
PID 4892 wrote to memory of 4912	4892	KHATRA.exe	89
PID 4892 wrote to memory of 4912	4892	KHATRA.exe	89
PID 4892 wrote to memory of 4912	4892	KHATRA.exe	89
PID 3308 wrote to memory of 1020	3308	Xplorer.exe	88
PID 3308 wrote to memory of 1020	3308	Xplorer.exe	88
PID 2696 wrote to memory of 676	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	90
PID 2696 wrote to memory of 676	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	90
PID 2696 wrote to memory of 676	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	90
PID 4912 wrote to memory of 1080	4912	gHost.exe	91
PID 4912 wrote to memory of 1080	4912	gHost.exe	91
PID 4912 wrote to memory of 1080	4912	gHost.exe	91
PID 1020 wrote to memory of 5116	1020	gHost.exe	93
PID 1020 wrote to memory of 5116	1020	gHost.exe	93
PID 1020 wrote to memory of 5116	1020	gHost.exe	93
PID 676 wrote to memory of 220	676	gHost.exe	92
PID 676 wrote to memory of 220	676	gHost.exe	92
PID 676 wrote to memory of 220	676	gHost.exe	92
PID 2696 wrote to memory of 4420	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	99
PID 2696 wrote to memory of 4420	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	99
PID 2696 wrote to memory of 4420	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	99
PID 4892 wrote to memory of 776	4892	KHATRA.exe	98
PID 4892 wrote to memory of 776	4892	KHATRA.exe	98
PID 4892 wrote to memory of 776	4892	KHATRA.exe	98
PID 3308 wrote to memory of 2908	3308	Xplorer.exe	100
PID 3308 wrote to memory of 2908	3308	Xplorer.exe	100
PID 3308 wrote to memory of 2908	3308	Xplorer.exe	100
PID 2908 wrote to memory of 5024	2908	gHost.exe	101
PID 2908 wrote to memory of 5024	2908	gHost.exe	101
PID 2908 wrote to memory of 5024	2908	gHost.exe	101
PID 4420 wrote to memory of 3404	4420	cmd.exe	103
PID 4420 wrote to memory of 3404	4420	cmd.exe	103
PID 4420 wrote to memory of 3404	4420	cmd.exe	103
PID 776 wrote to memory of 3992	776	cmd.exe	102
PID 776 wrote to memory of 3992	776	cmd.exe	102
PID 776 wrote to memory of 3992	776	cmd.exe	102
PID 2696 wrote to memory of 448	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	104
PID 2696 wrote to memory of 448	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	104
PID 2696 wrote to memory of 448	2696	6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe	104
PID 4892 wrote to memory of 3912	4892	KHATRA.exe	105
PID 4892 wrote to memory of 3912	4892	KHATRA.exe	105
PID 4892 wrote to memory of 3912	4892	KHATRA.exe	105
PID 448 wrote to memory of 1788	448	cmd.exe	108
PID 448 wrote to memory of 1788	448	cmd.exe	108
PID 448 wrote to memory of 1788	448	cmd.exe	108
PID 3912 wrote to memory of 3244	3912	cmd.exe	109
PID 3912 wrote to memory of 3244	3912	cmd.exe	109
PID 3912 wrote to memory of 3244	3912	cmd.exe	109
PID 4892 wrote to memory of 4140	4892	KHATRA.exe	111

C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
"C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 740
    3⤵
    - Program crash
    PID:4772
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    PID:5100
- - C:\Windows\System\gHost.exe
    "C:\Windows\System\gHost.exe" /Reproduce
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:3140
- C:\Windows\Xplorer.exe
  "C:\Windows\Xplorer.exe" /Windows
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    PID:1180
- - C:\Windows\System\gHost.exe
    "C:\Windows\System\gHost.exe" /Reproduce
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:5116
- - C:\Windows\System\gHost.exe
    "C:\Windows\System\gHost.exe" /Reproduce
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1376
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:1056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 708
        5⤵
        Program crash
        
        PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:260
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:3576
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4216
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 704
        5⤵
        Program crash
        
        PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4664
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4460
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5060
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:3232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:460
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2584
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1716
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2176
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:2500
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2280
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 704
        5⤵
        Program crash
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3580
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4196
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5116
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 704
        5⤵
        Program crash
        
        PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2684
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2332
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2832
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:2884
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3452
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 716
        5⤵
        Program crash
        
        PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:676
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1252
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1716
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1864
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:5036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 704
        5⤵
        Program crash
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1336
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:704
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:2256
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2764
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 712
        5⤵
        Program crash
        
        PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:260
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:5032
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2288
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2608
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3344
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1244
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3644
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 712
        5⤵
        Program crash
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:640
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1576
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3304
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 708
        5⤵
        Program crash
        
        PID:3452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2176
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:384
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:748
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4200
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 708
        5⤵
        Program crash
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:112
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3208
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:3752
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2428
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 704
        5⤵
        Program crash
        
        PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:8
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2332
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:816
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4188
- C:\Windows\System\gHost.exe
  "C:\Windows\System\gHost.exe" /Reproduce
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4424 -ip 4424
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1056 -ip 1056
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4248 -ip 4248
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3924 -ip 3924
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2216 -ip 2216
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3352 -ip 3352
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5036 -ip 5036
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 624 -ip 624
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4864 -ip 4864
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4936 -ip 4936
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4236 -ip 4236
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4972 -ip 4972
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Documents and Settings\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE

Filesize
2.6MB

MD5
0ec66aeef850662e168a79ae5983b8c5

SHA1
9c3aaac1f6c4be5907d11b427ec75821e1b91280

SHA256
037f5ff2065c83d8c786429b4ce611764b396d0276a11b1f036980913bd46dfe

SHA512
a0d846bada1f220e8f6fd74b727fc57d8a5a6fee973adefbf109971b809bd6a16b8c3aa2be82885a6d04d3dd4863c2671ee3ba956f8a76e3457b63025c70650d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
6a82d52a4acf2fb2edd92f604668df81

SHA1
d318e4e720bcfc10c221f5700148ffe54e86c5c3

SHA256
5084ae5aba9515f7a1086c8af4d9c1691d0dfe919b121bed0344d64d30b31fe5

SHA512
99ddbe92361eb5d11f6d1073423148157f9aae8091650c8ce55f6cbbc5025e5208dfbd9301d3846a79deeacb66a972ae22b6b16d80b41d569d0e56ae7cd1eca2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
fa03d60acbbcbe019f64d0222413dfb3

SHA1
7d85b662bf135717d3ef13180d9b7ef0f8d92755

SHA256
35bdd788c98fe5098316b2e7586c96f4694cb601659725c910b5b34cc12dc78a

SHA512
acb361edde5a24d4910f46dc0a538c24cd997553742a4aae8231bc78b2c9efc1a16e33965e5294d99afb4125caada1c173d60e9a75a87a80e0f64a79fc77dc25

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
e2ac461d557f769e4a0cbb1f63693827

SHA1
a6b31e93bda5c544700effe3b0f6689c938c1cf5

SHA256
c1cabb41b70ba3c68c7fbc23d1906a3c1d07c4b911c6426bb92a06301dd62567

SHA512
312172e87628235fddb6ad12e4e843023abfe7b7c0bd470ed6ed9db5f75f345af1c1b0e7521d543b0cdc77de9076e53a21e3258bbfcfc1eeec4d28af1d094db0

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\\KHATRA.exe

Filesize
647KB

MD5
0b220f8a748fa02e6728cab8a918336e

SHA1
cb0d4c1a190b15eb8514c42ef3068f724eed2715

SHA256
6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35

SHA512
d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
157KB

MD5
888f99254de2c6861490517a960d1e7a

SHA1
ebae42203153abe453edfe407391a3e698e39089

SHA256
a491a193b8332f38143dfe9ca77d02c404ba8442318573ab0bbf627ea95896e6

SHA512
693dec7c8961a1eafac793c6df6ccabf8c829c7196246bd4ecbc67d939504d30810c84b4a0804a1b816cc78da99e95f00f517592c48540abcad6787624d8d6de

Download Submit
memory/220-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/624-310-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/676-187-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/676-190-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1020-193-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1020-186-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1056-238-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1080-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1180-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1376-236-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1376-250-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1376-237-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1864-307-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1864-305-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2216-297-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2280-296-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2280-291-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2288-314-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2288-315-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2696-221-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2696-136-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2696-138-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2764-308-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2764-309-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2764-312-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2908-208-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2908-311-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2908-215-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2908-209-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3232-276-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3308-162-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3308-188-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3308-303-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3352-302-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3452-304-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3452-301-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3644-317-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3644-318-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3924-295-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3924-292-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4216-255-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4216-273-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4216-264-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4248-265-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4424-210-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4424-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4864-316-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4892-148-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-225-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-163-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4912-185-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4912-313-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4912-192-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4936-319-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5024-200-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5036-306-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5060-277-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5060-278-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5060-287-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5100-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5116-298-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5116-300-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5116-299-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5116-183-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download