63340c1887fa5b4a8cfe9b760e80f13b021d600c2e80a30e58f3efdc78cfce9f

Analysis

max time kernel
0s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27784be24de5515a2c100c56060fe098.exe
Size

690KB
MD5

27784be24de5515a2c100c56060fe098
SHA1

1d0046bb0ac032246461019524a64537d8eebe35
SHA256

63340c1887fa5b4a8cfe9b760e80f13b021d600c2e80a30e58f3efdc78cfce9f
SHA512

832d0136f25241038ca029080862374b0d3ec880e5bc8920f68c476e2eecc03292db963e84209a18a073148c525fa849012818aecfd6da0153cb0f5181823859
SSDEEP

6144:TniHo6nx2QY7slAFRWNBfrrWK0uTNRiuooqp6pfwWm+gIdJI7K0clyyvzpvT:TSo6xg5kN530xuooqMVwsgS0Tyv9

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	27784be24de5515a2c100c56060fe098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	27784be24de5515a2c100c56060fe098.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	27784be24de5515a2c100c56060fe098.exe

Modifies Windows Firewall 1 TTPs 26 IoCs

evasion

Windows Service

T1543.003

pid	Process
4184	netsh.exe
2444	netsh.exe
2860	netsh.exe
2316	netsh.exe
464	netsh.exe
4356	netsh.exe
2932	netsh.exe
4852	netsh.exe
3000	netsh.exe
3588	netsh.exe
4492	netsh.exe
2408	netsh.exe
4444	netsh.exe
4856	netsh.exe
4200	netsh.exe
4944	netsh.exe
1368	netsh.exe
1368	netsh.exe
1760	netsh.exe
5100	netsh.exe
2948	netsh.exe
2780	netsh.exe
4264	netsh.exe
4300	netsh.exe
3256	netsh.exe
1396	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	KHATRA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	27784be24de5515a2c100c56060fe098.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	27784be24de5515a2c100c56060fe098.exe

AutoIT Executable 24 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1992-25-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4640-87-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/1992-70-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4028-105-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2180-104-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/3032-117-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/5068-148-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2180-166-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4028-167-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/524-179-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2560-209-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4028-230-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2180-229-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/1540-246-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/312-245-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/1556-242-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/312-248-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4356-250-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/1540-247-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4028-268-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/2180-267-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4356-280-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/524-343-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe
behavioral2/memory/4028-358-0x0000000000400000-0x00000000004F0000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KHATRA.exe	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	27784be24de5515a2c100c56060fe098.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System\gHost.exe	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\System\gHost.exe	27784be24de5515a2c100c56060fe098.exe
File created	C:\Windows\KHATARNAKH.exe	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	27784be24de5515a2c100c56060fe098.exe
File created	C:\Windows\Xplorer.exe	27784be24de5515a2c100c56060fe098.exe
File opened for modification	C:\Windows\Xplorer.exe	27784be24de5515a2c100c56060fe098.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	27784be24de5515a2c100c56060fe098.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	27784be24de5515a2c100c56060fe098.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe
4640	27784be24de5515a2c100c56060fe098.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4640	27784be24de5515a2c100c56060fe098.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4640	27784be24de5515a2c100c56060fe098.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1992	4640	27784be24de5515a2c100c56060fe098.exe	24
PID 4640 wrote to memory of 1992	4640	27784be24de5515a2c100c56060fe098.exe	24
PID 4640 wrote to memory of 1992	4640	27784be24de5515a2c100c56060fe098.exe	24

C:\Users\Admin\AppData\Local\Temp\27784be24de5515a2c100c56060fe098.exe
"C:\Users\Admin\AppData\Local\Temp\27784be24de5515a2c100c56060fe098.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    PID:2180
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      PID:4028
    - - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3420
    - - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4016
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2500
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2240
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1964
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1536
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3880
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2588
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4660
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:312
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4376
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4812
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4552
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2860
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4644
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2944
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:748
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1956
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1164
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3956
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2916
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2948
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3264
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:636
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1180
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2948
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1124
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1180
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3532
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4536
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:5040
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:724
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4284
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1720
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2412
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  PID:3748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  PID:3700

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:184

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3192

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:2488
- C:\Windows\SysWOW64\at.exe
  AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  PID:3780

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:3848

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:4744

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4492

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:4432

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
1⤵
PID:4508

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:508

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:3588

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3700

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:2556

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:2316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4264

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3584

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:4184
- C:\Windows\SysWOW64\at.exe
  AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  PID:3340

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2932

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:508

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:228

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:3352

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2444

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3376

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:4488

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:524

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4852

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3136

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:4340

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:3408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2408

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3780

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3340

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:4812
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  - Modifies Windows Firewall
  PID:4300

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2860

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:1556
- C:\Windows\SysWOW64\at.exe
  AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  PID:3328

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3352

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:4016

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:1764

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:3256

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:1336

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:1368

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:2040

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:1368

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:620

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:436

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2316

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:2236

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:1396

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:312

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4444

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:1572

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:1760

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:528

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:1392

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:4132

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:2120

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3216

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4856

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:2840

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:3420

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:5100

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:3100

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:3992

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:4812

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:5016

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:2688

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:2780

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:1392

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:464

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:2044

C:\Windows\SysWOW64\regsvr32.exe
RegSvr32 /S C:\Windows\system32\avphost.dll
1⤵
PID:972

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4356

C:\Windows\SysWOW64\at.exe
AT /delete /yes
1⤵
PID:4492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4200

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:1136

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
94KB

MD5
0c0bf151e09ce14dc2f732a02846d958

SHA1
07d5505a16ac5e22b4ad680b1e8b92ae921e3da0

SHA256
041c4375364d124f5de66889f2c9cadd112333219f9d5de65beaf7612639d163

SHA512
44668437de660cb1be145dbbdc1eb6ea471ad31261094bc0d66209850049aad4d4671338c29bc492aad8c518ff0345be78f298f43a7d259ed9d81c72da5d310a

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
690KB

MD5
27784be24de5515a2c100c56060fe098

SHA1
1d0046bb0ac032246461019524a64537d8eebe35

SHA256
63340c1887fa5b4a8cfe9b760e80f13b021d600c2e80a30e58f3efdc78cfce9f

SHA512
832d0136f25241038ca029080862374b0d3ec880e5bc8920f68c476e2eecc03292db963e84209a18a073148c525fa849012818aecfd6da0153cb0f5181823859

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
382KB

MD5
c46b6b2f59baa8930f977e6b57c34be4

SHA1
a17d76c3feaaaf46a1e4e417619e37029d89f035

SHA256
43ac1f9d333c9db88314803e10dc6fccd4e19ae9049df6c0a053984f46827cc9

SHA512
74a6ddf5da7c20e9119f93852b97a3ef334883805f3a4d3baefdd70970777d5c9c2b547d862db8fe6d5f1fcc6ff2b4651613bc344a2c44aed48d324c546a22d0

Download Submit
memory/312-248-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/312-245-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-343-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-150-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-556-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-314-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-553-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/524-179-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/724-423-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/724-447-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1136-499-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1136-475-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1540-247-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1540-246-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1556-211-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1556-242-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1572-282-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1572-311-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1700-636-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1700-660-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1944-371-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1944-395-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1956-527-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1956-551-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1992-70-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1992-25-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-409-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-357-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-313-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-267-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-753-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-554-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-726-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-229-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-104-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-461-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-513-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-582-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-622-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-166-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2180-674-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2476-474-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2476-448-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2560-181-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2560-209-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2592-370-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2708-422-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2708-396-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2736-608-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2736-584-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2916-739-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2916-713-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-117-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3032-72-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3132-581-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3536-687-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3536-661-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3656-526-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3656-500-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4016-552-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4016-557-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-410-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-105-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-555-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-583-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-268-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-514-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-331-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-230-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-623-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-462-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-358-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-727-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-167-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4028-675-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4356-280-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4356-250-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4504-609-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4504-635-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4640-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4640-87-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/4932-740-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/5028-688-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/5028-712-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/5068-148-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/5068-119-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download