Analysis
max time kernel: 152s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
  Resource: win10v2004-20220812-en
General
Target: 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Size: 647KB
MD5: 0b220f8a748fa02e6728cab8a918336e
SHA1: cb0d4c1a190b15eb8514c42ef3068f724eed2715
SHA256: 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35
SHA512: d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc
SSDEEP: 12288:ecA6SbVi42BFx8dU5pbHy/1fweshYAlB4XPKAkP3:eOSb32H6W5pby69F/39f
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tazebama.dl_
Adds policy Run key to start application (2 TTPs, 30 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Disables RegEdit via registry modification (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Executes dropped EXE (40 IoCs)
pid | Process
4424 | tazebama.dl_
4892 | KHATRA.exe
5100 | tazebama.dl_
3308 | Xplorer.exe
1180 | tazebama.dl_
4912 | gHost.exe
1020 | gHost.exe
676 | gHost.exe
1080 | tazebama.dl_
5116 | tazebama.dl_
220 | tazebama.dl_
2908 | gHost.exe
5024 | tazebama.dl_
1376 | KHATRA.exe
1056 | tazebama.dl_
4216 | KHATRA.exe
4248 | tazebama.dl_
5060 | KHATRA.exe
3232 | tazebama.dl_
2280 | KHATRA.exe
3924 | tazebama.dl_
5116 | KHATRA.exe
2216 | tazebama.dl_
3452 | KHATRA.exe
3352 | tazebama.dl_
1864 | KHATRA.exe
5036 | tazebama.dl_
2764 | KHATRA.exe
624 | tazebama.dl_
2288 | KHATRA.exe
4912 | tazebama.dl_
3644 | KHATRA.exe
4864 | tazebama.dl_
3304 | KHATRA.exe
4936 | tazebama.dl_
4200 | KHATRA.exe
4236 | tazebama.dl_
2428 | KHATRA.exe
4972 | tazebama.dl_
4188 | KHATRA.exe
Modifies Windows Firewall (1 TTPs, 15 IoCs)
pid | Process
5032 | netsh.exe
3576 | netsh.exe
1716 | netsh.exe
1244 | netsh.exe
1576 | netsh.exe
4460 | netsh.exe
4196 | netsh.exe
2884 | netsh.exe
2256 | netsh.exe
816 | netsh.exe
2156 | netsh.exe
2500 | netsh.exe
3752 | netsh.exe
3140 | netsh.exe
748 | netsh.exe
Loads dropped DLL (21 IoCs)
pid | Process
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892 | KHATRA.exe
3308 | Xplorer.exe
4912 | gHost.exe
1020 | gHost.exe
676 | gHost.exe
2908 | gHost.exe
1376 | KHATRA.exe
4216 | KHATRA.exe
5060 | KHATRA.exe
2280 | KHATRA.exe
5116 | KHATRA.exe
3452 | KHATRA.exe
1864 | KHATRA.exe
2764 | KHATRA.exe
2288 | KHATRA.exe
3644 | KHATRA.exe
3304 | KHATRA.exe
4200 | KHATRA.exe
2428 | KHATRA.exe
4188 | KHATRA.exe
Adds Run key to start application (2 TTPs, 60 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created 
\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created 
\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Key created 
\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe" KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" KHATRA.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" KHATRA.exe -
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\a: gHost.exe File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\I: tazebama.dl_ File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\G: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\g: gHost.exe File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\b: gHost.exe File opened (read-only) \??\j: gHost.exe File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\R: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\Z: tazebama.dl_ File 
opened (read-only) \??\n: gHost.exe File opened (read-only) \??\q: gHost.exe File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\H: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\y: gHost.exe File opened (read-only) \??\K: tazebama.dl_ -
Modifies WinLogon (2 TTPs, 15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
AutoIT Executable (43 IoCs)
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2696-136-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2696-138-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4892-148-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3308-162-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4892-163-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4912-185-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1020-186-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/676-187-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3308-188-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4912-192-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1020-193-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/676-190-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2908-208-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2908-209-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2908-215-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2696-221-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4892-225-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1376-236-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1376-237-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1376-250-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4216-264-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/4216-273-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe 
behavioral2/memory/5060-277-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/5060-278-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/5060-287-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2280-291-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2280-296-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/5116-298-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/5116-299-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/5116-300-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3452-301-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3308-303-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3452-304-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1864-305-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/1864-307-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2764-308-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2764-309-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2908-311-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2764-312-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2288-314-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/2288-315-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3644-317-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe behavioral2/memory/3644-318-0x0000000000400000-0x00000000004C5000-memory.dmp autoit_exe -
Drops autorun.inf file (1 TTPs, 39 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application 
Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File created C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF KHATRA.exe File opened for modification C:\autorun.inf tazebama.dl_ -
Drops file in System32 directory (30 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE | tazebama.dl_
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\KHATARNAKH.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File created | C:\Windows\System\gHost.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File created | C:\Windows\System\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\INF\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File created | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\System\gHost.exe | KHATRA.exe
File created | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 12 IoCs
pid | pid_target | Process | procid_target
4772 | 4424 | WerFault.exe | 80
748 | 1056 | WerFault.exe | 125
4532 | 4248 | WerFault.exe | 144
4300 | 3924 | WerFault.exe | 175
4580 | 2216 | WerFault.exe | 191
4760 | 3352 | WerFault.exe | 207
3952 | 5036 | WerFault.exe | 223
3792 | 624 | WerFault.exe | 239
2216 | 4864 | WerFault.exe | 269
3452 | 4936 | WerFault.exe | 285
4740 | 4236 | WerFault.exe | 301
3560 | 4972 | WerFault.exe | 317
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4424 | tazebama.dl_
4424 | tazebama.dl_
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3308 | Xplorer.exe
2908 | gHost.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
description | pid | Process
Token: 33 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: SeIncBasePriorityPrivilege | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
Token: 33 | 4892 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 4892 | KHATRA.exe
Token: 33 | 3308 | Xplorer.exe
Token: SeIncBasePriorityPrivilege | 3308 | Xplorer.exe
Token: 33 | 4912 | gHost.exe
Token: SeIncBasePriorityPrivilege | 4912 | gHost.exe
Token: 33 | 1020 | gHost.exe
Token: SeIncBasePriorityPrivilege | 1020 | gHost.exe
Token: 33 | 676 | gHost.exe
Token: SeIncBasePriorityPrivilege | 676 | gHost.exe
Token: 33 | 2908 | gHost.exe
Token: SeIncBasePriorityPrivilege | 2908 | gHost.exe
Token: 33 | 1376 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 1376 | KHATRA.exe
Token: 33 | 4216 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 4216 | KHATRA.exe
Token: 33 | 5060 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 5060 | KHATRA.exe
Token: 33 | 2280 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 2280 | KHATRA.exe
Token: 33 | 5116 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 5116 | KHATRA.exe
Token: 33 | 3452 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 3452 | KHATRA.exe
Token: 33 | 1864 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 1864 | KHATRA.exe
Token: 33 | 2764 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 2764 | KHATRA.exe
Token: 33 | 2288 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 2288 | KHATRA.exe
Token: 33 | 3644 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 3644 | KHATRA.exe
Token: 33 | 3304 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 3304 | KHATRA.exe
Token: 33 | 4200 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 4200 | KHATRA.exe
Token: 33 | 2428 | KHATRA.exe
Token: SeIncBasePriorityPrivilege | 2428 | KHATRA.exe
Suspicious use of FindShellTrayWindow 30 IoCs
pid | Process
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892 | KHATRA.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892 | KHATRA.exe
1376 | KHATRA.exe
1376 | KHATRA.exe
4216 | KHATRA.exe
4216 | KHATRA.exe
5060 | KHATRA.exe
5060 | KHATRA.exe
2280 | KHATRA.exe
2280 | KHATRA.exe
5116 | KHATRA.exe
5116 | KHATRA.exe
3452 | KHATRA.exe
3452 | KHATRA.exe
1864 | KHATRA.exe
1864 | KHATRA.exe
2764 | KHATRA.exe
2764 | KHATRA.exe
2288 | KHATRA.exe
2288 | KHATRA.exe
3644 | KHATRA.exe
3644 | KHATRA.exe
3304 | KHATRA.exe
3304 | KHATRA.exe
4200 | KHATRA.exe
4200 | KHATRA.exe
2428 | KHATRA.exe
2428 | KHATRA.exe
Suspicious use of SendNotifyMessage 30 IoCs
pid | Process
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892 | KHATRA.exe
2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe
4892 | KHATRA.exe
1376 | KHATRA.exe
1376 | KHATRA.exe
4216 | KHATRA.exe
4216 | KHATRA.exe
5060 | KHATRA.exe
5060 | KHATRA.exe
2280 | KHATRA.exe
2280 | KHATRA.exe
5116 | KHATRA.exe
5116 | KHATRA.exe
3452 | KHATRA.exe
3452 | KHATRA.exe
1864 | KHATRA.exe
1864 | KHATRA.exe
2764 | KHATRA.exe
2764 | KHATRA.exe
2288 | KHATRA.exe
2288 | KHATRA.exe
3644 | KHATRA.exe
3644 | KHATRA.exe
3304 | KHATRA.exe
3304 | KHATRA.exe
4200 | KHATRA.exe
4200 | KHATRA.exe
2428 | KHATRA.exe
2428 | KHATRA.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2696 wrote to memory of 4424 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 80
PID 2696 wrote to memory of 4424 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 80
PID 2696 wrote to memory of 4424 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 80
PID 2696 wrote to memory of 4892 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 84
PID 2696 wrote to memory of 4892 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 84
PID 2696 wrote to memory of 4892 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 84
PID 4892 wrote to memory of 5100 | 4892 | KHATRA.exe | 85
PID 4892 wrote to memory of 5100 | 4892 | KHATRA.exe | 85
PID 4892 wrote to memory of 5100 | 4892 | KHATRA.exe | 85
PID 2696 wrote to memory of 3308 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 86
PID 2696 wrote to memory of 3308 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 86
PID 2696 wrote to memory of 3308 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 86
PID 3308 wrote to memory of 1180 | 3308 | Xplorer.exe | 87
PID 3308 wrote to memory of 1180 | 3308 | Xplorer.exe | 87
PID 3308 wrote to memory of 1180 | 3308 | Xplorer.exe | 87
PID 3308 wrote to memory of 1020 | 3308 | Xplorer.exe | 88
PID 4892 wrote to memory of 4912 | 4892 | KHATRA.exe | 89
PID 4892 wrote to memory of 4912 | 4892 | KHATRA.exe | 89
PID 4892 wrote to memory of 4912 | 4892 | KHATRA.exe | 89
PID 3308 wrote to memory of 1020 | 3308 | Xplorer.exe | 88
PID 3308 wrote to memory of 1020 | 3308 | Xplorer.exe | 88
PID 2696 wrote to memory of 676 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 90
PID 2696 wrote to memory of 676 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 90
PID 2696 wrote to memory of 676 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 90
PID 4912 wrote to memory of 1080 | 4912 | gHost.exe | 91
PID 4912 wrote to memory of 1080 | 4912 | gHost.exe | 91
PID 4912 wrote to memory of 1080 | 4912 | gHost.exe | 91
PID 1020 wrote to memory of 5116 | 1020 | gHost.exe | 93
PID 1020 wrote to memory of 5116 | 1020 | gHost.exe | 93
PID 1020 wrote to memory of 5116 | 1020 | gHost.exe | 93
PID 676 wrote to memory of 220 | 676 | gHost.exe | 92
PID 676 wrote to memory of 220 | 676 | gHost.exe | 92
PID 676 wrote to memory of 220 | 676 | gHost.exe | 92
PID 2696 wrote to memory of 4420 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 99
PID 2696 wrote to memory of 4420 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 99
PID 2696 wrote to memory of 4420 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 99
PID 4892 wrote to memory of 776 | 4892 | KHATRA.exe | 98
PID 4892 wrote to memory of 776 | 4892 | KHATRA.exe | 98
PID 4892 wrote to memory of 776 | 4892 | KHATRA.exe | 98
PID 3308 wrote to memory of 2908 | 3308 | Xplorer.exe | 100
PID 3308 wrote to memory of 2908 | 3308 | Xplorer.exe | 100
PID 3308 wrote to memory of 2908 | 3308 | Xplorer.exe | 100
PID 2908 wrote to memory of 5024 | 2908 | gHost.exe | 101
PID 2908 wrote to memory of 5024 | 2908 | gHost.exe | 101
PID 2908 wrote to memory of 5024 | 2908 | gHost.exe | 101
PID 4420 wrote to memory of 3404 | 4420 | cmd.exe | 103
PID 4420 wrote to memory of 3404 | 4420 | cmd.exe | 103
PID 4420 wrote to memory of 3404 | 4420 | cmd.exe | 103
PID 776 wrote to memory of 3992 | 776 | cmd.exe | 102
PID 776 wrote to memory of 3992 | 776 | cmd.exe | 102
PID 776 wrote to memory of 3992 | 776 | cmd.exe | 102
PID 2696 wrote to memory of 448 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 104
PID 2696 wrote to memory of 448 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 104
PID 2696 wrote to memory of 448 | 2696 | 6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | 104
PID 4892 wrote to memory of 3912 | 4892 | KHATRA.exe | 105
PID 4892 wrote to memory of 3912 | 4892 | KHATRA.exe | 105
PID 4892 wrote to memory of 3912 | 4892 | KHATRA.exe | 105
PID 448 wrote to memory of 1788 | 448 | cmd.exe | 108
PID 448 wrote to memory of 1788 | 448 | cmd.exe | 108
PID 448 wrote to memory of 1788 | 448 | cmd.exe | 108
PID 3912 wrote to memory of 3244 | 3912 | cmd.exe | 109
PID 3912 wrote to memory of 3244 | 3912 | cmd.exe | 109
PID 3912 wrote to memory of 3244 | 3912 | cmd.exe | 109
PID 4892 wrote to memory of 4140 | 4892 | KHATRA.exe | 111
Processes
Each entry reads: [tree depth] image path | command line, followed by the signatures matched for that process and its PID. Children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe | "C:\Users\Admin\AppData\Local\Temp\6968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35.exe"
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
  [2] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
    [3] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 740
    - Program crash
    PID:4772
  [2] C:\Windows\SysWOW64\KHATRA.exe | C:\Windows\system32\KHATRA.exe
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4892
    [3] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
    - Executes dropped EXE
    PID:5100
    [3] C:\Windows\System\gHost.exe | "C:\Windows\System\gHost.exe" /Reproduce
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      PID:1080
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes
    - Suspicious use of WriteProcessMemory
    PID:776
      [4] C:\Windows\SysWOW64\at.exe | AT /delete /yes
      PID:3992
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    - Suspicious use of WriteProcessMemory
    PID:3912
      [4] C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      PID:3244
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    PID:4140
      [4] C:\Windows\SysWOW64\regsvr32.exe | RegSvr32 /S C:\Windows\system32\avphost.dll
      PID:2252
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    PID:2192
      [4] C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      - Modifies Windows Firewall
      PID:3140
  [2] C:\Windows\Xplorer.exe | "C:\Windows\Xplorer.exe" /Windows
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
    [3] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
    - Executes dropped EXE
    PID:1180
    [3] C:\Windows\System\gHost.exe | "C:\Windows\System\gHost.exe" /Reproduce
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1020
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      PID:5116
    [3] C:\Windows\System\gHost.exe | "C:\Windows\System\gHost.exe" /Reproduce
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      PID:5024
    [3] C:\Windows\SysWOW64\KHATRA.exe | C:\Windows\system32\KHATRA.exe
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1376
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops autorun.inf file
      PID:1056
        [5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 708
        - Program crash
        PID:748
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes
      PID:2248
        [5] C:\Windows\SysWOW64\at.exe | AT /delete /yes
        PID:3960
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      PID:4228
        [5] C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        PID:1316
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      PID:3496
        [5] C:\Windows\SysWOW64\regsvr32.exe | RegSvr32 /S C:\Windows\system32\avphost.dll
        PID:4040
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID:260
        [5] C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        PID:3576
    [3] C:\Windows\SysWOW64\KHATRA.exe | C:\Windows\system32\KHATRA.exe
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4216
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops autorun.inf file
      PID:4248
        [5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 704
        - Program crash
        PID:4532
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes
      PID:1424
        [5] C:\Windows\SysWOW64\at.exe | AT /delete /yes
        PID:4268
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      PID:4224
        [5] C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        PID:3356
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      PID:2652
        [5] C:\Windows\SysWOW64\regsvr32.exe | RegSvr32 /S C:\Windows\system32\avphost.dll
        PID:4840
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID:4664
        [5] C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        PID:4460
    [3] C:\Windows\SysWOW64\KHATRA.exe | C:\Windows\system32\KHATRA.exe
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5060
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      PID:3232
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes
      PID:460
        [5] C:\Windows\SysWOW64\at.exe | AT /delete /yes
        PID:4296
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      PID:2584
        [5] C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        PID:3492
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      PID:1716
        [5] C:\Windows\SysWOW64\regsvr32.exe | RegSvr32 /S C:\Windows\system32\avphost.dll
        PID:4936
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID:2176
        [5] C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        PID:2500
    [3] C:\Windows\SysWOW64\KHATRA.exe | C:\Windows\system32\KHATRA.exe
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2280
      [4] C:\Documents and Settings\tazebama.dl_ | "C:\Documents and Settings\tazebama.dl_"
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops autorun.inf file
      PID:3924
        [5] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 704
        - Program crash
        PID:4300
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes
      PID:3940
        [5] C:\Windows\SysWOW64\at.exe | AT /delete /yes
        PID:3712
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      PID:4656
        [5] C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        PID:4236
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      PID:3580
        [5] C:\Windows\SysWOW64\regsvr32.exe | RegSvr32 /S C:\Windows\system32\avphost.dll
        PID:1680
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      PID:1816
        [5] C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        - Modifies Windows Firewall
        PID:4196
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:5116
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:2216
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 704]  PID:4580
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:2684
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:4916
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2332
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2876
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:2832
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3116
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:3356
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:2884
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:3452
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:3352
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 716]  PID:4760
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:676
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:4708
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:4296
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2432
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:1252
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:4060
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1608
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1716
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:1864
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:5036
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 704]  PID:3952
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:2132
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:3388
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2736
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:1192
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:1336
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:4496
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:704
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:2256
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:2764
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:624
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 712]  PID:3792
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:1320
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:480
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2024
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:4340
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:260
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3256
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:2748
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:5032
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:2288
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:4912
        signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:2480
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:4584
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2608
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:1424
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3344
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3920
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1092
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1244
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:3644
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:4864
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 712]  PID:2216
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:3148
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:4128
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:640
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:928
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:1940
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:4060
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:2340
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1576
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:3304
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:4936
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 708]  PID:3452
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:2176
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:4804
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2132
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:1832
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:5060
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:4496
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:384
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:748
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:4200
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:4236
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 708]  PID:4740
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:560
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:2360
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:112
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:2076
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3592
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:2016
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:3208
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:3752
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:2428
      signatures: Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:4972
        signatures: Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file
        - C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 704]  PID:3560
          signatures: Program crash
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:8
        - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:2712
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:4232
        - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:3920
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:2332
        - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:3852
      - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:4660
        - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:816
          signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\KHATRA.exe  [cmd: C:\Windows\system32\KHATRA.exe]  PID:4188
      signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Windows\System\gHost.exe  [cmd: "C:\Windows\System\gHost.exe" /Reproduce]  PID:676
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Documents and Settings\tazebama.dl_  [cmd: "C:\Documents and Settings\tazebama.dl_"]  PID:220
      signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT /delete /yes]  PID:4420
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe  [cmd: AT /delete /yes]  PID:3404
  - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:448
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe  [cmd: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe]  PID:1788
  - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:1744
    - C:\Windows\SysWOW64\regsvr32.exe  [cmd: RegSvr32 /S C:\Windows\system32\avphost.dll]  PID:4540
  - C:\Windows\SysWOW64\cmd.exe  [cmd: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:1284
    - C:\Windows\SysWOW64\netsh.exe  [cmd: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System]  PID:2156
      signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4424 -ip 4424]  PID:3348
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1056 -ip 1056]  PID:3264
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4248 -ip 4248]  PID:892
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3924 -ip 3924]  PID:1792
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2216 -ip 2216]  PID:2428
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3352 -ip 3352]  PID:1688
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5036 -ip 5036]  PID:2500
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 624 -ip 624]  PID:4848
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4864 -ip 4864]  PID:4324
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4936 -ip 4936]  PID:4008
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4236 -ip 4236]  PID:1448
- C:\Windows\SysWOW64\WerFault.exe  [cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4972 -ip 4972]  PID:4320
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
Filesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
Filesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
Filesize
234B
MD57ae2f1a7ce729d91acfef43516e5a84c
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
Filesize
647KB
MD50b220f8a748fa02e6728cab8a918336e
SHA1cb0d4c1a190b15eb8514c42ef3068f724eed2715
SHA2566968b5341c630be4df9cb25c486f4f349374fa094b4e070553ce0bfa5d849e35
SHA512d0716cdb34087828a16b6f4413617016d309198efbbf91a93189c824c03aca527614aa674a1e948acbf5d4f4add36405012d1867e1bb32428a8fbfafb6428cdc
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
157KB
MD5888f99254de2c6861490517a960d1e7a
SHA1ebae42203153abe453edfe407391a3e698e39089
SHA256a491a193b8332f38143dfe9ca77d02c404ba8442318573ab0bbf627ea95896e6
SHA512693dec7c8961a1eafac793c6df6ccabf8c829c7196246bd4ecbc67d939504d30810c84b4a0804a1b816cc78da99e95f00f517592c48540abcad6787624d8d6de