30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Size

713KB
MD5

44f760f812725dd21c7761dd7221dfa0
SHA1

d945e95f9dad6ae149a843199db39b76f7138b2c
SHA256

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc
SHA512

c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb
SSDEEP

12288:ySo6xg5kN530xuooqMVwsgS0Tyv9H7efCRyL:+6u5030x+gS0TyvNRyL

Score

9^/10

collection evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\avphost.dll	acprotect
\Windows\SysWOW64\avphost.dll	acprotect
\Windows\SysWOW64\avphost.dll	acprotect

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Executes dropped EXE 3 IoCs

Processes:

KHATRA.exeXplorer.exegHost.exe

pid process

944 KHATRA.exe
1972 Xplorer.exe
1788 gHost.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1380 netsh.exe
1116 netsh.exe

pid	process
944	KHATRA.exe
1972	Xplorer.exe
1788	gHost.exe

pid	process
1380	netsh.exe
1116	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\avphost.dll	upx
\Windows\SysWOW64\avphost.dll	upx
behavioral1/memory/268-101-0x0000000010000000-0x000000001005C000-memory.dmp	upx
\Windows\SysWOW64\avphost.dll	upx

Loads dropped DLL 6 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeXplorer.exeregsvr32.exeregsvr32.exe

pid	process
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
1972	Xplorer.exe
1972	Xplorer.exe
268	regsvr32.exe
532	regsvr32.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

OUTLOOK.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gHost.exe

description	ioc	process
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\f:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/944-64-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/1788-87-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/1972-84-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/848-118-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/944-120-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/1972-122-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe
behavioral1/memory/1788-123-0x0000000000400000-0x00000000004DA000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 19 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeOUTLOOK.EXEKHATRA.exe

description	ioc	process
File created	C:\Windows\SysWOW64\avphost.dll	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\KHATRA.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\avphost.dll	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 14 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exeOUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\Xplorer.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\Xplorer.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\System\gHost.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File created	C:\Windows\KHATARNAKH.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
File opened for modification	C:\Windows\system\gHost.exe	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

Processes:

OUTLOOK.EXE30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXEregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ = "_TaskRequestDeclineItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ = "_OlkListBox"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ = "_Categories"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ = "IFastSender"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ = "Exception"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AOSMTP.FastSender.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1716 OUTLOOK.EXE

pid	process
1716	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe

pid	process
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Xplorer.exegHost.exe

pid process

1972 Xplorer.exe
1788 gHost.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exeOUTLOOK.EXE

pid process

848 30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
944 KHATRA.exe
1716 OUTLOOK.EXE
1716 OUTLOOK.EXE
1716 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exeOUTLOOK.EXE

pid process

848 30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
944 KHATRA.exe
1716 OUTLOOK.EXE
1716 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1716 OUTLOOK.EXE

pid	process
1972	Xplorer.exe
1788	gHost.exe

pid	process
1716	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exeKHATRA.exeXplorer.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 944	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	KHATRA.exe
PID 848 wrote to memory of 944	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	KHATRA.exe
PID 848 wrote to memory of 944	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	KHATRA.exe
PID 848 wrote to memory of 944	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	KHATRA.exe
PID 944 wrote to memory of 1972	944	KHATRA.exe	Xplorer.exe
PID 944 wrote to memory of 1972	944	KHATRA.exe	Xplorer.exe
PID 944 wrote to memory of 1972	944	KHATRA.exe	Xplorer.exe
PID 944 wrote to memory of 1972	944	KHATRA.exe	Xplorer.exe
PID 1972 wrote to memory of 1788	1972	Xplorer.exe	gHost.exe
PID 1972 wrote to memory of 1788	1972	Xplorer.exe	gHost.exe
PID 1972 wrote to memory of 1788	1972	Xplorer.exe	gHost.exe
PID 1972 wrote to memory of 1788	1972	Xplorer.exe	gHost.exe
PID 848 wrote to memory of 1884	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1884	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1884	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1884	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 1884 wrote to memory of 1148	1884	cmd.exe	at.exe
PID 1884 wrote to memory of 1148	1884	cmd.exe	at.exe
PID 1884 wrote to memory of 1148	1884	cmd.exe	at.exe
PID 1884 wrote to memory of 1148	1884	cmd.exe	at.exe
PID 848 wrote to memory of 1296	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1296	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1296	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1296	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 1296 wrote to memory of 1272	1296	cmd.exe	at.exe
PID 1296 wrote to memory of 1272	1296	cmd.exe	at.exe
PID 1296 wrote to memory of 1272	1296	cmd.exe	at.exe
PID 1296 wrote to memory of 1272	1296	cmd.exe	at.exe
PID 944 wrote to memory of 1360	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1360	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1360	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1360	944	KHATRA.exe	cmd.exe
PID 1360 wrote to memory of 1496	1360	cmd.exe	at.exe
PID 1360 wrote to memory of 1496	1360	cmd.exe	at.exe
PID 1360 wrote to memory of 1496	1360	cmd.exe	at.exe
PID 1360 wrote to memory of 1496	1360	cmd.exe	at.exe
PID 944 wrote to memory of 1216	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1216	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1216	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 1216	944	KHATRA.exe	cmd.exe
PID 1216 wrote to memory of 1808	1216	cmd.exe	at.exe
PID 1216 wrote to memory of 1808	1216	cmd.exe	at.exe
PID 1216 wrote to memory of 1808	1216	cmd.exe	at.exe
PID 1216 wrote to memory of 1808	1216	cmd.exe	at.exe
PID 848 wrote to memory of 1112	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1112	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1112	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 848 wrote to memory of 1112	848	30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe	cmd.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 1112 wrote to memory of 268	1112	cmd.exe	regsvr32.exe
PID 944 wrote to memory of 548	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 548	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 548	944	KHATRA.exe	cmd.exe
PID 944 wrote to memory of 548	944	KHATRA.exe	cmd.exe
PID 548 wrote to memory of 532	548	cmd.exe	regsvr32.exe
PID 548 wrote to memory of 532	548	cmd.exe	regsvr32.exe
PID 548 wrote to memory of 532	548	cmd.exe	regsvr32.exe
PID 548 wrote to memory of 532	548	cmd.exe	regsvr32.exe
PID 548 wrote to memory of 532	548	cmd.exe	regsvr32.exe

outlook_win_path 1 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe
"C:\Users\Admin\AppData\Local\Temp\30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: GetForegroundWindowSpam
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  PID:948
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:1380

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\SysWOW64\avphost.dll

Filesize
127KB

MD5
d47ebd342b6906a2fda10d70560bcd5a

SHA1
c1b54deb14d47e539bc6aea1464edb38fad4b87f

SHA256
00a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2

SHA512
626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1

Download Submit
C:\Windows\Xplorer.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\Xplorer.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\system\gHost.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\Windows\system\gHost.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
C:\\KHATRA.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
\Windows\SysWOW64\KHATRA.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
\Windows\SysWOW64\avphost.dll

Filesize
127KB

MD5
d47ebd342b6906a2fda10d70560bcd5a

SHA1
c1b54deb14d47e539bc6aea1464edb38fad4b87f

SHA256
00a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2

SHA512
626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1

Download Submit
\Windows\SysWOW64\avphost.dll

Filesize
127KB

MD5
d47ebd342b6906a2fda10d70560bcd5a

SHA1
c1b54deb14d47e539bc6aea1464edb38fad4b87f

SHA256
00a035dd63d4b26ab23ab122899767da8452bf262f61a06f9136513d841feaf2

SHA512
626b00fb28e2b13b6f8fa393051e07da2eb937a164d87affdaac8f9be8aaa02cd3230c5c27648526ecdd1cad8b198f4d7c12f30dd362bf15011d04cadb17e8d1

Download Submit
\Windows\system\gHost.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
\Windows\system\gHost.exe

Filesize
713KB

MD5
44f760f812725dd21c7761dd7221dfa0

SHA1
d945e95f9dad6ae149a843199db39b76f7138b2c

SHA256
30e5babe61ba93f6d84c31cd4ccfe7a81a5e9784423894214b4f8e42b62c73bc

SHA512
c2a0d0fdc2468cc89461c875da0bc00f20b659ad271873620bea681c168178a13103e5f6f126a43111ff72a60af01347126eee662036674443a7100cdfecdcdb

Download Submit
memory/268-97-0x0000000000000000-mapping.dmp

Download
memory/268-101-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/532-103-0x0000000000000000-mapping.dmp

Download
memory/548-102-0x0000000000000000-mapping.dmp

Download
memory/848-118-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/848-63-0x0000000003F40000-0x000000000401A000-memory.dmp

Filesize
872KB

Download
memory/848-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/848-61-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/848-54-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/944-83-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/944-120-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/944-58-0x0000000000000000-mapping.dmp

Download
memory/944-121-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/944-64-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/948-106-0x0000000000000000-mapping.dmp

Download
memory/1112-96-0x0000000000000000-mapping.dmp

Download
memory/1116-110-0x0000000000000000-mapping.dmp

Download
memory/1148-80-0x0000000000000000-mapping.dmp

Download
memory/1216-93-0x0000000000000000-mapping.dmp

Download
memory/1272-85-0x0000000000000000-mapping.dmp

Download
memory/1296-82-0x0000000000000000-mapping.dmp

Download
memory/1360-88-0x0000000000000000-mapping.dmp

Download
memory/1380-107-0x0000000000000000-mapping.dmp

Download
memory/1496-89-0x0000000000000000-mapping.dmp

Download
memory/1700-109-0x0000000000000000-mapping.dmp

Download
memory/1716-114-0x0000000073E0D000-0x0000000073E18000-memory.dmp

Filesize
44KB

Download
memory/1716-117-0x000000006CE21000-0x000000006CE23000-memory.dmp

Filesize
8KB

Download
memory/1716-119-0x0000000073E0D000-0x0000000073E18000-memory.dmp

Filesize
44KB

Download
memory/1716-112-0x0000000072E21000-0x0000000072E23000-memory.dmp

Filesize
8KB

Download
memory/1716-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1716-116-0x000000006D4F1000-0x000000006D4F3000-memory.dmp

Filesize
8KB

Download
memory/1788-76-0x0000000000000000-mapping.dmp

Download
memory/1788-87-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1788-123-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1808-94-0x0000000000000000-mapping.dmp

Download
memory/1884-79-0x0000000000000000-mapping.dmp

Download
memory/1972-71-0x0000000000000000-mapping.dmp

Download
memory/1972-84-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1972-122-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download