0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Size

647KB
MD5

a34ad183b9144fa2df9e50918a5e2ce0
SHA1

bb00562d2c9e7c28f236233c98c9addf30d8ad48
SHA256

0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6
SHA512

84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a
SSDEEP

12288:IcA6SbVi42BFx8dU5pbHy/1fweshYFKNlkEpQE:IOSb32H6W5pby69blkRE

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Adds policy Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe

Disables RegEdit via registry modification 22 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 47 IoCs

pid	Process
1076	tazebama.dl_
3932	KHATRA.exe
1564	tazebama.dl_
3604	Xplorer.exe
2424	tazebama.dl_
2096	gHost.exe
212	tazebama.dl_
3500	KHATRA.exe
2648	tazebama.dl_
4040	KHATRA.exe
2280	tazebama.dl_
1648	KHATRA.exe
3248	tazebama.dl_
4228	KHATRA.exe
1436	tazebama.dl_
4400	KHATRA.exe
3208	tazebama.dl_
3416	KHATRA.exe
2300	tazebama.dl_
1060	KHATRA.exe
3108	tazebama.dl_
4356	KHATRA.exe
1420	tazebama.dl_
4520	KHATRA.exe
408	tazebama.dl_
1752	KHATRA.exe
1512	tazebama.dl_
1920	KHATRA.exe
1308	tazebama.dl_
3676	KHATRA.exe
3184	tazebama.dl_
544	KHATRA.exe
1420	tazebama.dl_
1148	KHATRA.exe
4152	tazebama.dl_
4300	KHATRA.exe
1476	tazebama.dl_
1248	KHATRA.exe
3560	tazebama.dl_
4972	KHATRA.exe
516	tazebama.dl_
476	KHATRA.exe
1820	tazebama.dl_
1576	KHATRA.exe
3116	tazebama.dl_
2512	KHATRA.exe
3872	tazebama.dl_

Modifies Windows Firewall 1 TTPs 22 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4000	netsh.exe
1592	netsh.exe
2064	netsh.exe
808	netsh.exe
4220	netsh.exe
4516	netsh.exe
4092	netsh.exe
4580	netsh.exe
1884	netsh.exe
4140	netsh.exe
5028	netsh.exe
3008	netsh.exe
2920	netsh.exe
2036	netsh.exe
4000	netsh.exe
1576	netsh.exe
3536	netsh.exe
4040	netsh.exe
4136	netsh.exe
4884	netsh.exe
1084	netsh.exe
4632	netsh.exe

Loads dropped DLL 24 IoCs

pid	Process
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
3932	KHATRA.exe
3604	Xplorer.exe
2096	gHost.exe
3500	KHATRA.exe
4040	KHATRA.exe
1648	KHATRA.exe
4228	KHATRA.exe
4400	KHATRA.exe
3416	KHATRA.exe
1060	KHATRA.exe
4356	KHATRA.exe
4520	KHATRA.exe
1752	KHATRA.exe
1920	KHATRA.exe
3676	KHATRA.exe
544	KHATRA.exe
1148	KHATRA.exe
4300	KHATRA.exe
1248	KHATRA.exe
4972	KHATRA.exe
476	KHATRA.exe
1576	KHATRA.exe
2512	KHATRA.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_

Modifies WinLogon 2 TTPs 22 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 47 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4892-137-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3932-150-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3932-151-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3604-173-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2096-175-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2096-176-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4892-195-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4892-196-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3932-200-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3500-210-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3604-218-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2096-219-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3500-224-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4040-234-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4040-236-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4040-247-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1648-256-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1648-268-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4228-271-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4228-272-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4228-282-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4400-284-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4400-285-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4400-287-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3416-288-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3416-289-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3416-291-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1060-293-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1060-294-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4356-295-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4356-296-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4356-298-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4520-299-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4520-301-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1752-303-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1752-304-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1752-305-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1920-306-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1920-307-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3604-309-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2096-310-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1920-311-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3676-312-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3676-313-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3676-315-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/544-316-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/544-317-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 64 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 22 IoCs

pid	pid_target	Process	procid_target
1412	1076	WerFault.exe	82
1192	2424	WerFault.exe
1764	2648	WerFault.exe	123
5072	2280	WerFault.exe	141
3400	3248	WerFault.exe	157
3872	1436	WerFault.exe	174
3884	3208	WerFault.exe	190
4256	2300	WerFault.exe	206
2144	3108	WerFault.exe	222
1464	1420	WerFault.exe	238
4460	408	WerFault.exe	254
4340	1512	WerFault.exe	270
3312	1308	WerFault.exe	286
1028	3184	WerFault.exe	302
2712	1420	WerFault.exe	318
408	4152	WerFault.exe	334
4852	1476	WerFault.exe	350
3656	3560	WerFault.exe	366
3364	516	WerFault.exe	382
4744	1820	WerFault.exe	398
1264	3116	WerFault.exe	414
1456	3872	WerFault.exe	430

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	tazebama.dl_
1076	tazebama.dl_
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3604	Xplorer.exe
2096	gHost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: 33	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Token: SeIncBasePriorityPrivilege	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
Token: 33	3932	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3932	KHATRA.exe
Token: 33	3604	Xplorer.exe
Token: SeIncBasePriorityPrivilege	3604	Xplorer.exe
Token: 33	2096	gHost.exe
Token: SeIncBasePriorityPrivilege	2096	gHost.exe
Token: 33	3500	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3500	KHATRA.exe
Token: 33	4040	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4040	KHATRA.exe
Token: 33	1648	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1648	KHATRA.exe
Token: 33	4228	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4228	KHATRA.exe
Token: 33	4400	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4400	KHATRA.exe
Token: 33	3416	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3416	KHATRA.exe
Token: 33	1060	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1060	KHATRA.exe
Token: 33	4356	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4356	KHATRA.exe
Token: 33	4520	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4520	KHATRA.exe
Token: 33	1752	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1752	KHATRA.exe
Token: 33	1920	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1920	KHATRA.exe
Token: 33	3676	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3676	KHATRA.exe
Token: 33	544	KHATRA.exe
Token: SeIncBasePriorityPrivilege	544	KHATRA.exe
Token: 33	1148	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1148	KHATRA.exe
Token: 33	4300	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4300	KHATRA.exe
Token: 33	1248	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1248	KHATRA.exe
Token: 33	4972	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4972	KHATRA.exe
Token: 33	476	KHATRA.exe
Token: SeIncBasePriorityPrivilege	476	KHATRA.exe
Token: 33	1576	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1576	KHATRA.exe
Token: 33	2512	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2512	KHATRA.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
3932	KHATRA.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
3932	KHATRA.exe
3500	KHATRA.exe
3500	KHATRA.exe
4040	KHATRA.exe
4040	KHATRA.exe
1648	KHATRA.exe
1648	KHATRA.exe
4228	KHATRA.exe
4228	KHATRA.exe
4400	KHATRA.exe
4400	KHATRA.exe
3416	KHATRA.exe
3416	KHATRA.exe
1060	KHATRA.exe
1060	KHATRA.exe
4356	KHATRA.exe
4356	KHATRA.exe
4520	KHATRA.exe
4520	KHATRA.exe
1752	KHATRA.exe
1752	KHATRA.exe
1920	KHATRA.exe
1920	KHATRA.exe
3676	KHATRA.exe
3676	KHATRA.exe
544	KHATRA.exe
544	KHATRA.exe
1148	KHATRA.exe
1148	KHATRA.exe
4300	KHATRA.exe
4300	KHATRA.exe
1248	KHATRA.exe
1248	KHATRA.exe
4972	KHATRA.exe
4972	KHATRA.exe
476	KHATRA.exe
476	KHATRA.exe
1576	KHATRA.exe
1576	KHATRA.exe
2512	KHATRA.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
3932	KHATRA.exe
4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
3932	KHATRA.exe
3500	KHATRA.exe
3500	KHATRA.exe
4040	KHATRA.exe
4040	KHATRA.exe
1648	KHATRA.exe
1648	KHATRA.exe
4228	KHATRA.exe
4228	KHATRA.exe
4400	KHATRA.exe
4400	KHATRA.exe
3416	KHATRA.exe
3416	KHATRA.exe
1060	KHATRA.exe
1060	KHATRA.exe
4356	KHATRA.exe
4356	KHATRA.exe
4520	KHATRA.exe
4520	KHATRA.exe
1752	KHATRA.exe
1752	KHATRA.exe
1920	KHATRA.exe
1920	KHATRA.exe
3676	KHATRA.exe
3676	KHATRA.exe
544	KHATRA.exe
544	KHATRA.exe
1148	KHATRA.exe
1148	KHATRA.exe
4300	KHATRA.exe
4300	KHATRA.exe
1248	KHATRA.exe
1248	KHATRA.exe
4972	KHATRA.exe
4972	KHATRA.exe
476	KHATRA.exe
476	KHATRA.exe
1576	KHATRA.exe
1576	KHATRA.exe
2512	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1076	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	82
PID 4892 wrote to memory of 1076	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	82
PID 4892 wrote to memory of 1076	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	82
PID 4892 wrote to memory of 3932	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	86
PID 4892 wrote to memory of 3932	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	86
PID 4892 wrote to memory of 3932	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	86
PID 3932 wrote to memory of 1564	3932	KHATRA.exe	87
PID 3932 wrote to memory of 1564	3932	KHATRA.exe	87
PID 3932 wrote to memory of 1564	3932	KHATRA.exe	87
PID 4892 wrote to memory of 3604	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	88
PID 4892 wrote to memory of 3604	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	88
PID 4892 wrote to memory of 3604	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	88
PID 3604 wrote to memory of 2424	3604	Xplorer.exe	93
PID 3604 wrote to memory of 2424	3604	Xplorer.exe	93
PID 3604 wrote to memory of 2424	3604	Xplorer.exe	93
PID 3932 wrote to memory of 2096	3932	KHATRA.exe	89
PID 3932 wrote to memory of 2096	3932	KHATRA.exe	89
PID 3932 wrote to memory of 2096	3932	KHATRA.exe	89
PID 2096 wrote to memory of 212	2096	gHost.exe	92
PID 2096 wrote to memory of 212	2096	gHost.exe	92
PID 2096 wrote to memory of 212	2096	gHost.exe	92
PID 4892 wrote to memory of 3524	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	94
PID 4892 wrote to memory of 3524	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	94
PID 4892 wrote to memory of 3524	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	94
PID 3932 wrote to memory of 1408	3932	KHATRA.exe	96
PID 3932 wrote to memory of 1408	3932	KHATRA.exe	96
PID 3932 wrote to memory of 1408	3932	KHATRA.exe	96
PID 3524 wrote to memory of 628	3524	cmd.exe	98
PID 3524 wrote to memory of 628	3524	cmd.exe	98
PID 3524 wrote to memory of 628	3524	cmd.exe	98
PID 1408 wrote to memory of 3328	1408	cmd.exe	99
PID 1408 wrote to memory of 3328	1408	cmd.exe	99
PID 1408 wrote to memory of 3328	1408	cmd.exe	99
PID 4892 wrote to memory of 2268	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	100
PID 4892 wrote to memory of 2268	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	100
PID 4892 wrote to memory of 2268	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	100
PID 3932 wrote to memory of 4280	3932	KHATRA.exe	102
PID 3932 wrote to memory of 4280	3932	KHATRA.exe	102
PID 3932 wrote to memory of 4280	3932	KHATRA.exe	102
PID 2268 wrote to memory of 5072	2268	cmd.exe	104
PID 2268 wrote to memory of 5072	2268	cmd.exe	104
PID 2268 wrote to memory of 5072	2268	cmd.exe	104
PID 4280 wrote to memory of 3724	4280	cmd.exe	105
PID 4280 wrote to memory of 3724	4280	cmd.exe	105
PID 4280 wrote to memory of 3724	4280	cmd.exe	105
PID 4892 wrote to memory of 1228	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	108
PID 4892 wrote to memory of 1228	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	108
PID 4892 wrote to memory of 1228	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	108
PID 3932 wrote to memory of 3336	3932	KHATRA.exe	109
PID 3932 wrote to memory of 3336	3932	KHATRA.exe	109
PID 3932 wrote to memory of 3336	3932	KHATRA.exe	109
PID 1228 wrote to memory of 4764	1228	cmd.exe	112
PID 1228 wrote to memory of 4764	1228	cmd.exe	112
PID 1228 wrote to memory of 4764	1228	cmd.exe	112
PID 3336 wrote to memory of 2552	3336	cmd.exe	113
PID 3336 wrote to memory of 2552	3336	cmd.exe	113
PID 3336 wrote to memory of 2552	3336	cmd.exe	113
PID 4892 wrote to memory of 1064	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	115
PID 4892 wrote to memory of 1064	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	115
PID 4892 wrote to memory of 1064	4892	0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe	115
PID 3932 wrote to memory of 3416	3932	KHATRA.exe	114
PID 3932 wrote to memory of 3416	3932	KHATRA.exe	114
PID 3932 wrote to memory of 3416	3932	KHATRA.exe	114
PID 1064 wrote to memory of 2064	1064	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe
"C:\Users\Admin\AppData\Local\Temp\0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 732
    3⤵
    - Program crash
    PID:1412
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Windows\System\gHost.exe
    "C:\Windows\System\gHost.exe" /Reproduce
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:808
- C:\Windows\Xplorer.exe
  "C:\Windows\Xplorer.exe" /Windows
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    PID:2424
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3500
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 712
        5⤵
        Program crash
        
        PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1592
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1884
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4040
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 708
        5⤵
        Program crash
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:668
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4620
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4884
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1648
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 712
        5⤵
        Program crash
        
        PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4688
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1256
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1576
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4228
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      PID:1436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 720
        5⤵
        Program crash
        
        PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:3536
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4400
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      PID:3208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 716
        5⤵
        Program crash
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4520
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2392
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4672
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4040
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3416
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:2300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 712
        5⤵
        Program crash
        
        PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3760
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4892
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4688
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4140
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1060
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 716
        5⤵
        Program crash
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3248
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:5040
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4220
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4356
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:1420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 712
        5⤵
        Program crash
        
        PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3348
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4492
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1084
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4520
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Drops autorun.inf file
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 704
        5⤵
        Program crash
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:808
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:3008
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1752
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:1512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 704
        5⤵
        Program crash
        
        PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4632
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1920
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:1308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 704
        5⤵
        Program crash
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:5040
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:5096
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:724
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4000
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3676
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 704
        5⤵
        Program crash
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3484
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4136
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:544
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:1420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 704
        5⤵
        Program crash
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:4556
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3580
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:5028
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1148
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:4152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 708
        5⤵
        Program crash
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4464
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:2920
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4300
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      PID:1476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 704
        5⤵
        Program crash
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:740
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4076
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:2036
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1248
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 704
        5⤵
        Program crash
        
        PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3748
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1592
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4972
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 704
        5⤵
        Program crash
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4516
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:476
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 708
        5⤵
        Program crash
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3128
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4404
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4092
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1576
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 708
        5⤵
        Program crash
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4580
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2512
  - - C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      PID:3872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 704
        5⤵
        Program crash
        
        PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:3984
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1076 -ip 1076
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2424 -ip 2424
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 728
1⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2648 -ip 2648
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2280 -ip 2280
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3248 -ip 3248
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1436 -ip 1436
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3208 -ip 3208
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2300 -ip 2300
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3108 -ip 3108
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1420 -ip 1420
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 408 -ip 408
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1512 -ip 1512
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1308 -ip 1308
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3184 -ip 3184
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1420 -ip 1420
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4152 -ip 4152
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1476 -ip 1476
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3560 -ip 3560
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 516 -ip 516
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1820 -ip 1820
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3116 -ip 3116
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3872 -ip 3872
1⤵
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\hook.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Documents and Settings\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE

Filesize
2.6MB

MD5
b30061b25dba50c29819fa3d871fa081

SHA1
1a258bc85711dda0c5b7969e2b7e1a78b0952fca

SHA256
4ba5d8233f1f01e4ccc3089330023007284de732fbcecb792bc12739993434b9

SHA512
33a9d009c5f9316ead98ac58539ff92ab56cfa3bef78f7227e86a500866aa711fe69cb1a5931b03e0cc3af3ad89e872134e6e1607151a74ce582f54fc0549efb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
0bb9190bafd5f286f81219dc27d73e61

SHA1
3fb4bac9b42df4ce6322ff548ffe7eeb0171aab6

SHA256
d269e622c9c5ea87ed992033f492f0efe9500a19fa31957d424848a600f187fc

SHA512
8d748a5737d226e15414988df4bbf026a5ca5a1708c0643ad53a31d918b0be0373fe74341145a5a0a1029be915b5ab36a310a56f8effce0822db94c85e5a0a94

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
6b493ea48320709fbd01351873789dd9

SHA1
23b4903d12c27f73f9b59391ba511b17acd4b8ae

SHA256
d038028f3a3f21470be9936ec3845c51cb28b07c49683103b1774377afacbadd

SHA512
5394b2fd6eb161a5817f2c3c6152ac7ac6413589c9d8797e6c16e9cf6d93f9cfc1e0096e24dd15db34eda55eb2f8e793bdb1fa5ecb456e0ad357269baefb6d3b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
228453419ab434195c6def1b51db1f01

SHA1
567d647508b120377f77e3c19a1a60ae8702fd51

SHA256
aa925c357ec77ded96df2f9846e33d09a01c20f2e12eff5c451c2afc7b7637c6

SHA512
79fb874b9e927e304eab7629e2df536042843aef33da4bed0d3c88a0f2cc8f8c21751379a3780028195342336a92d51a11bf941ebea7cde5485c43971485da6d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
da9cc35767e54f7f319811f4605969f5

SHA1
17872e999110266ad66b45310c337cd4bb8e1b95

SHA256
91587df47dab51fccf18dd8faca17cf15d21b0e6c9313b58ef276a9161d464bb

SHA512
dd79c31037c3105223e4cf7700d678453c16a3ee8165889f8234180bfe2d0ec01a36ef7721db4ee52625a7949e94930b1c1e1dc71c408c07677584dc7835e516

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
3313b6233fb21070bbcc4ae07168c8f1

SHA1
ce29e6535a2dcc7906ccedb64dccbff1345c01c5

SHA256
16e0dbbc786618ff9b935d16c2d75738bc3e5660c306eb1d0bbf0f6d82afafd2

SHA512
e1c7c61026bdee6b31168482c446b0cd0a3ceeae7cb5c35592f7324b988c0b753c5de39fd6e08d7d8322a5469d8096f78432a5f5e9b1a9d854cf05764260cf8a

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\System\gHost.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\Xplorer.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\\KHATRA.exe

Filesize
647KB

MD5
a34ad183b9144fa2df9e50918a5e2ce0

SHA1
bb00562d2c9e7c28f236233c98c9addf30d8ad48

SHA256
0a414caef0dabea20e23958fb882f3a8dcb1d552fd5b522c557e4e59e74204b6

SHA512
84748593ee24f6a518d4692145e9176058003c66228f7cc432c554d8373a02091955032abd8238b79ec102a55f10f5fc86677b5368d77280f12dca4898f0219a

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
157KB

MD5
9b3b3500b261cb16ecdb63939b55204b

SHA1
9e879bd05410724f9d8bf67baf3b9ccc269b7263

SHA256
e2dfb796e690f7b3c7797b9655615e95a4ae04e22799bbfcc5108357713118ef

SHA512
d10881c810def228fe24d9876ebf7d65708a16ba4b2d243d122ca7b09d319c205214319e41621377699dab42682bd38def296fb6da61eeddca3a8f7fb2ed15e8

Download Submit
memory/212-172-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/408-300-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/544-316-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/544-317-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1060-294-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1060-293-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1076-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1308-308-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1420-297-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1436-273-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1512-302-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1564-147-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1648-256-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1648-268-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1752-305-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1752-304-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1752-303-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1920-307-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1920-306-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1920-311-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2096-175-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2096-310-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2096-219-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2096-176-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2280-235-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2300-290-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2648-211-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-292-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3184-314-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3208-286-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3248-257-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3416-291-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3416-289-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3416-288-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3500-224-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3500-210-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3604-218-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3604-173-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3604-309-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3676-312-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3676-313-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3676-315-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3932-151-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3932-150-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3932-200-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4040-234-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4040-236-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4040-247-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4228-271-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4228-272-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4228-282-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4356-298-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4356-295-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4356-296-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4400-285-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4400-287-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4400-284-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4520-299-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4520-301-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-196-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-195-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-137-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4892-133-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download