Analysis
max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 16:43
Static task: static1
Behavioral task: behavioral1
  Sample: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
  Resource: win10v2004-20220901-en
General
Target: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe
Size: 275KB
MD5: 0ff2d18f373246c3a611c0996d0452d9
SHA1: b0e39cb91ddcd2b87d56122cb243b7e2faae1a18
SHA256: 31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799
SHA512: e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b
SSDEEP: 6144:yniHo6nx2QY7slAFRWNBfrrWK0uTNRiuooqp6pfwWm+gIdJI7l:ySo6xg5kN530xuooqMVwsgN
Signatures
Adds policy Run key to start application (2 TTPs, 44 IoCs)
Disables RegEdit via registry modification (22 IoCs)
Executes dropped EXE (23 IoCs)
Modifies Windows Firewall (1 TTPs, 22 IoCs)
Adds Run key to start application (2 TTPs, 64 IoCs)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 22 IoCs)
AutoIT Executable (46 IoCs)
AutoIT scripts compiled to PE executables.
Drops autorun.inf file (1 TTPs, 22 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 43 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid  Process
3392 Xplorer.exe
2844 gHost.exe
Suspicious use of FindShellTrayWindow 43 IoCs
Suspicious use of SendNotifyMessage 43 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799.exe"
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
C:\Windows\SysWOW64\KHATRA.exe (level 2)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
C:\Windows\Xplorer.exe (level 3)
  Command line: "C:\Windows\Xplorer.exe" /Windows
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3392
C:\Windows\SysWOW64\KHATRA.exe (level 4)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
- Suspicious use of WriteProcessMemory
PID:3836
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT /delete /yes
PID:5052
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:3552
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:4920
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
PID:2620
C:\Windows\SysWOW64\regsvr32.exe (level 6)
  Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
PID:5004
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
PID:4392
C:\Windows\SysWOW64\netsh.exe (level 6)
  Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
- Modifies Windows Firewall
PID:3824
C:\Windows\SysWOW64\KHATRA.exe (level 4)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4888
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
PID:2128
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT /delete /yes
PID:2880
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:3980
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:4484
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
PID:228
C:\Windows\SysWOW64\regsvr32.exe (level 6)
  Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
PID:2916
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
PID:936
C:\Windows\SysWOW64\netsh.exe (level 6)
  Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
- Modifies Windows Firewall
PID:3856
C:\Windows\SysWOW64\KHATRA.exe (level 4)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3396
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
PID:4216
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT /delete /yes
PID:1884
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:1216
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:5076
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
PID:2772
C:\Windows\SysWOW64\regsvr32.exe (level 6)
  Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
PID:5032
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
PID:2452
C:\Windows\SysWOW64\netsh.exe (level 6)
  Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
- Modifies Windows Firewall
PID:4456
C:\Windows\SysWOW64\KHATRA.exe (level 4)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
PID:3712
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT /delete /yes
PID:3644
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:1952
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:4436
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
PID:3564
C:\Windows\SysWOW64\regsvr32.exe (level 6)
  Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
PID:428
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
PID:3424
C:\Windows\SysWOW64\netsh.exe (level 6)
  Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
- Modifies Windows Firewall
PID:1144
C:\Windows\SysWOW64\KHATRA.exe (level 4)
  Command line: C:\Windows\system32\KHATRA.exe
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2524
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
PID:1316
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT /delete /yes
PID:4992
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:3676
C:\Windows\SysWOW64\at.exe (level 6)
  Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
PID:2880
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
PID:1356
C:\Windows\SysWOW64\regsvr32.exe (level 6)
  Command line: RegSvr32 /S C:\Windows\system32\avphost.dll
PID:4444
C:\Windows\SysWOW64\cmd.exe (level 5)
  Command line: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
PID:1812
C:\Windows\SysWOW64\netsh.exe (level 6)
  Command line: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
- Modifies Windows Firewall
PID:2708
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:4720
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:3856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:728
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:4516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:3996
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4316
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4564
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4528
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:2356
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:1176
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:5032
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:4188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4872
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4360
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:3396
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:1760
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:3756
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:4640
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:3624
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4076
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4544
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4432
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:3044
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:4828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3032
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:3740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4352
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:1620
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:3828
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:1384
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:2236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:2256
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:4420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:2524
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:1264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:944
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4000
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:2492
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:3680
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3904
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:3668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4564
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:3292
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:1176
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:2432
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:3308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:4552
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:2508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:2452
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:1088
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:5060
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:2872
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:1676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3988
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4556
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:2284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4280
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:5024
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:4832
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:2300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3060
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:3740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4276
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:2128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:5044
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:768
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:3980
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:2644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:4212
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:1796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:3964
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:3008
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:3368
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:4268
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:4248
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:4560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4948
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:3724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:2636
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4528
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:3924
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:4908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:1524
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:4584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:4852
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:1348
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4872
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:1428
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:2552
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:5000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3756
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:5064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:5032
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:3788
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4368
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:4556
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:2108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:4072
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:1952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:3852
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:3648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:4816
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:4108
-
-
-
-
C:\Windows\SysWOW64\KHATRA.exeC:\Windows\system32\KHATRA.exe4⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes5⤵PID:4084
-
C:\Windows\SysWOW64\at.exeAT /delete /yes6⤵PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe5⤵PID:3800
-
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe6⤵PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll5⤵PID:3216
-
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll6⤵PID:4960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System5⤵PID:1616
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System6⤵
- Modifies Windows Firewall
PID:2980
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes3⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\at.exeAT /delete /yes4⤵PID:5044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe4⤵PID:4080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll3⤵
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll4⤵PID:2412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System4⤵
- Modifies Windows Firewall
PID:4552
-
-
-
-
C:\Windows\System\gHost.exe"C:\Windows\System\gHost.exe" /Reproduce2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
PID:2844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵PID:4212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe3⤵PID:1108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll2⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\regsvr32.exeRegSvr32 /S C:\Windows\system32\avphost.dll3⤵PID:4528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System2⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System3⤵
- Modifies Windows Firewall
PID:2452
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
SHA1ebbc99c7e5ac5679de2881813257576ec980fb44
SHA25643b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9
-
Filesize
275KB
MD50ff2d18f373246c3a611c0996d0452d9
SHA1b0e39cb91ddcd2b87d56122cb243b7e2faae1a18
SHA25631ff1e523eb2d73423c1487d86cb832c3001576a9ee8510752dc01da0dd8a799
SHA512e6ac7fe29e0bdf41528bbd140e2ce442cd4fa30738c685335f21e81a4da8ca588ec87e4877462d88179ec23afdd07acdd463683ba86a86186214e319c3f1e95b