786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a636c5f728170139fab3c2f91cd38a.exe
Size

566KB
MD5

87a636c5f728170139fab3c2f91cd38a
SHA1

e8255d77f18ac941d669cadf6e038596db1a52c1
SHA256

786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8
SHA512

de0573dbb2d188d895dc6bdceceef2cce6c9bb3543da6e4432511c196f2ab31ee3cf408e0990cd86eb951679c7c17801deed4c3f3ad9abe946b128878d5bb95d
SSDEEP

6144:R7CI1sOm/IuoBXzlII3h/qXzMyM0mfAoSOoqk6pfwWm+g:Fm/NoBXzlB3h/qXLXHoSOoqDVwsg

Score

8^/10

evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	87a636c5f728170139fab3c2f91cd38a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	87a636c5f728170139fab3c2f91cd38a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe

Disables RegEdit via registry modification 26 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4836	netsh.exe
3532	netsh.exe
4764	netsh.exe
1616	netsh.exe
432	netsh.exe
3524	netsh.exe
1784	netsh.exe
2528	netsh.exe
64	netsh.exe
1020	netsh.exe
3992	netsh.exe
1276	netsh.exe
3096	netsh.exe
2428	netsh.exe
2432	netsh.exe
1784	netsh.exe
4248	netsh.exe
4188	netsh.exe
3576	netsh.exe
344	netsh.exe
1800	netsh.exe
3460	netsh.exe
2288	netsh.exe
3144	netsh.exe
1532	netsh.exe
748	netsh.exe

Executes dropped EXE 29 IoCs

pid	Process
4556	KHATRA.exe
4696	Xplorer.exe
3584	gHost.exe
2688	KHATRA.exe
4932	KHATRA.exe
2064	KHATRA.exe
2028	KHATRA.exe
2688	KHATRA.exe
2524	KHATRA.exe
1848	KHATRA.exe
4036	KHATRA.exe
2692	KHATRA.exe
2864	KHATRA.exe
1304	KHATRA.exe
2692	KHATRA.exe
748	KHATRA.exe
2628	KHATRA.exe
2428	KHATRA.exe
2912	KHATRA.exe
4172	KHATRA.exe
2644	KHATRA.exe
2224	KHATRA.exe
548	KHATRA.exe
3980	KHATRA.exe
2568	KHATRA.exe
3688	KHATRA.exe
3448	KHATRA.exe
2868	KHATRA.exe
4484	KHATRA.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe

Modifies WinLogon 2 TTPs 26 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 62 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/948-71-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4556-86-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-103-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-104-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2688-116-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4932-144-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2064-147-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2028-148-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-149-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-150-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2028-151-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2064-180-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-199-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-200-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2688-212-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2524-240-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-242-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/1848-243-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-259-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/1848-271-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-291-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-292-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4036-304-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2692-331-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-417-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-418-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2864-430-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/1304-454-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-468-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-469-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2692-481-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/748-506-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-519-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-520-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2628-532-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2428-556-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-557-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-558-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2912-559-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2912-583-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-597-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-598-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4172-610-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2644-635-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-649-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-650-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2224-662-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/548-686-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-699-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-700-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3980-712-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2568-736-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-737-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3688-738-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-751-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3688-763-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4696-776-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3584-777-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/3448-789-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/2868-790-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4484-791-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe
behavioral2/memory/4484-792-0x0000000000400000-0x00000000004E3000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KHATRA.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	87a636c5f728170139fab3c2f91cd38a.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	87a636c5f728170139fab3c2f91cd38a.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	87a636c5f728170139fab3c2f91cd38a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
948	87a636c5f728170139fab3c2f91cd38a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4696	Xplorer.exe
3584	gHost.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
948	87a636c5f728170139fab3c2f91cd38a.exe
4556	KHATRA.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
4556	KHATRA.exe
2688	KHATRA.exe
2688	KHATRA.exe
4932	KHATRA.exe
4932	KHATRA.exe
2064	KHATRA.exe
2064	KHATRA.exe
2688	KHATRA.exe
2688	KHATRA.exe
2524	KHATRA.exe
2524	KHATRA.exe
1848	KHATRA.exe
1848	KHATRA.exe
4036	KHATRA.exe
4036	KHATRA.exe
2692	KHATRA.exe
2692	KHATRA.exe
2864	KHATRA.exe
2864	KHATRA.exe
1304	KHATRA.exe
1304	KHATRA.exe
2692	KHATRA.exe
2692	KHATRA.exe
748	KHATRA.exe
748	KHATRA.exe
2628	KHATRA.exe
2628	KHATRA.exe
2428	KHATRA.exe
2428	KHATRA.exe
2912	KHATRA.exe
2912	KHATRA.exe
4172	KHATRA.exe
4172	KHATRA.exe
2644	KHATRA.exe
2644	KHATRA.exe
2224	KHATRA.exe
2224	KHATRA.exe
548	KHATRA.exe
548	KHATRA.exe
3980	KHATRA.exe
3980	KHATRA.exe
2568	KHATRA.exe
2568	KHATRA.exe
3688	KHATRA.exe
3688	KHATRA.exe
3448	KHATRA.exe
3448	KHATRA.exe
2868	KHATRA.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
948	87a636c5f728170139fab3c2f91cd38a.exe
4556	KHATRA.exe
948	87a636c5f728170139fab3c2f91cd38a.exe
4556	KHATRA.exe
2688	KHATRA.exe
2688	KHATRA.exe
4932	KHATRA.exe
4932	KHATRA.exe
2064	KHATRA.exe
2064	KHATRA.exe
2688	KHATRA.exe
2688	KHATRA.exe
2524	KHATRA.exe
2524	KHATRA.exe
1848	KHATRA.exe
1848	KHATRA.exe
4036	KHATRA.exe
4036	KHATRA.exe
2692	KHATRA.exe
2692	KHATRA.exe
2864	KHATRA.exe
2864	KHATRA.exe
1304	KHATRA.exe
1304	KHATRA.exe
2692	KHATRA.exe
2692	KHATRA.exe
748	KHATRA.exe
748	KHATRA.exe
2628	KHATRA.exe
2628	KHATRA.exe
2428	KHATRA.exe
2428	KHATRA.exe
2912	KHATRA.exe
2912	KHATRA.exe
4172	KHATRA.exe
4172	KHATRA.exe
2644	KHATRA.exe
2644	KHATRA.exe
2224	KHATRA.exe
2224	KHATRA.exe
548	KHATRA.exe
548	KHATRA.exe
3980	KHATRA.exe
3980	KHATRA.exe
2568	KHATRA.exe
2568	KHATRA.exe
3688	KHATRA.exe
3688	KHATRA.exe
3448	KHATRA.exe
3448	KHATRA.exe
2868	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 4556	948	87a636c5f728170139fab3c2f91cd38a.exe	86
PID 948 wrote to memory of 4556	948	87a636c5f728170139fab3c2f91cd38a.exe	86
PID 948 wrote to memory of 4556	948	87a636c5f728170139fab3c2f91cd38a.exe	86
PID 4556 wrote to memory of 4696	4556	KHATRA.exe	87
PID 4556 wrote to memory of 4696	4556	KHATRA.exe	87
PID 4556 wrote to memory of 4696	4556	KHATRA.exe	87
PID 4696 wrote to memory of 3584	4696	Xplorer.exe	88
PID 4696 wrote to memory of 3584	4696	Xplorer.exe	88
PID 4696 wrote to memory of 3584	4696	Xplorer.exe	88
PID 948 wrote to memory of 1992	948	87a636c5f728170139fab3c2f91cd38a.exe	89
PID 948 wrote to memory of 1992	948	87a636c5f728170139fab3c2f91cd38a.exe	89
PID 948 wrote to memory of 1992	948	87a636c5f728170139fab3c2f91cd38a.exe	89
PID 1992 wrote to memory of 1880	1992	cmd.exe	91
PID 1992 wrote to memory of 1880	1992	cmd.exe	91
PID 1992 wrote to memory of 1880	1992	cmd.exe	91
PID 948 wrote to memory of 4108	948	87a636c5f728170139fab3c2f91cd38a.exe	92
PID 948 wrote to memory of 4108	948	87a636c5f728170139fab3c2f91cd38a.exe	92
PID 948 wrote to memory of 4108	948	87a636c5f728170139fab3c2f91cd38a.exe	92
PID 4108 wrote to memory of 1516	4108	cmd.exe	94
PID 4108 wrote to memory of 1516	4108	cmd.exe	94
PID 4108 wrote to memory of 1516	4108	cmd.exe	94
PID 4556 wrote to memory of 4988	4556	KHATRA.exe	95
PID 4556 wrote to memory of 4988	4556	KHATRA.exe	95
PID 4556 wrote to memory of 4988	4556	KHATRA.exe	95
PID 4988 wrote to memory of 3096	4988	cmd.exe	97
PID 4988 wrote to memory of 3096	4988	cmd.exe	97
PID 4988 wrote to memory of 3096	4988	cmd.exe	97
PID 4556 wrote to memory of 4692	4556	KHATRA.exe	98
PID 4556 wrote to memory of 4692	4556	KHATRA.exe	98
PID 4556 wrote to memory of 4692	4556	KHATRA.exe	98
PID 4692 wrote to memory of 5012	4692	cmd.exe	100
PID 4692 wrote to memory of 5012	4692	cmd.exe	100
PID 4692 wrote to memory of 5012	4692	cmd.exe	100
PID 948 wrote to memory of 3224	948	87a636c5f728170139fab3c2f91cd38a.exe	103
PID 948 wrote to memory of 3224	948	87a636c5f728170139fab3c2f91cd38a.exe	103
PID 948 wrote to memory of 3224	948	87a636c5f728170139fab3c2f91cd38a.exe	103
PID 3224 wrote to memory of 760	3224	cmd.exe	105
PID 3224 wrote to memory of 760	3224	cmd.exe	105
PID 3224 wrote to memory of 760	3224	cmd.exe	105
PID 4556 wrote to memory of 344	4556	KHATRA.exe	106
PID 4556 wrote to memory of 344	4556	KHATRA.exe	106
PID 4556 wrote to memory of 344	4556	KHATRA.exe	106
PID 344 wrote to memory of 1212	344	cmd.exe	108
PID 344 wrote to memory of 1212	344	cmd.exe	108
PID 344 wrote to memory of 1212	344	cmd.exe	108
PID 948 wrote to memory of 4188	948	87a636c5f728170139fab3c2f91cd38a.exe	109
PID 948 wrote to memory of 4188	948	87a636c5f728170139fab3c2f91cd38a.exe	109
PID 948 wrote to memory of 4188	948	87a636c5f728170139fab3c2f91cd38a.exe	109
PID 4188 wrote to memory of 4836	4188	cmd.exe	111
PID 4188 wrote to memory of 4836	4188	cmd.exe	111
PID 4188 wrote to memory of 4836	4188	cmd.exe	111
PID 4556 wrote to memory of 4948	4556	KHATRA.exe	112
PID 4556 wrote to memory of 4948	4556	KHATRA.exe	112
PID 4556 wrote to memory of 4948	4556	KHATRA.exe	112
PID 4948 wrote to memory of 2432	4948	cmd.exe	114
PID 4948 wrote to memory of 2432	4948	cmd.exe	114
PID 4948 wrote to memory of 2432	4948	cmd.exe	114
PID 4696 wrote to memory of 2688	4696	Xplorer.exe	118
PID 4696 wrote to memory of 2688	4696	Xplorer.exe	118
PID 4696 wrote to memory of 2688	4696	Xplorer.exe	118
PID 2688 wrote to memory of 3700	2688	KHATRA.exe	120
PID 2688 wrote to memory of 3700	2688	KHATRA.exe	120
PID 2688 wrote to memory of 3700	2688	KHATRA.exe	120
PID 3700 wrote to memory of 3824	3700	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\87a636c5f728170139fab3c2f91cd38a.exe
"C:\Users\Admin\AppData\Local\Temp\87a636c5f728170139fab3c2f91cd38a.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: GetForegroundWindowSpam
      PID:3584
    - - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        5⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        6⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        7⤵
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        Modifies Windows Firewall
        
        PID:3460
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        5⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        6⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        7⤵
        
        PID:4188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        Modifies Windows Firewall
        
        PID:1020
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3656
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3728
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2784
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3992
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1784
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Executes dropped EXE
      PID:2028
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:208
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4632
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4252
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2288
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4644
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2660
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3428
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1548
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3144
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4992
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2528
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4292
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3328
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2364
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1532
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3756
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:344
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1436
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2960
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1924
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3424
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:64
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1728
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4484
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4404
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3388
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:4248
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1864
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3168
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4428
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2420
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3472
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:4764
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3864
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1276
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:916
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4796
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3460
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4028
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1800
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3816
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5072
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1616
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4168
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3096
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2436
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5052
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2908
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4676
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3532
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4468
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1236
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2428
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3256
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:432
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4616
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4280
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3844
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:4188
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3232
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4180
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4676
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3576
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2768
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3904
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:3524
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3976
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1532
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2300
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3696
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:748
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Executes dropped EXE
      PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    PID:4836

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
1⤵
PID:3996

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
1⤵
- Modifies Windows Firewall
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
4ce754af68732d2481ff20e2d58eeb3f

SHA1
36b985dbe7b42db711d127b60f5ba27da2025a6f

SHA256
a8bec7852bbf727caa3882639213e85e20e0b5ad2ad33d758284d9f7892abb36

SHA512
5bc929f34292924e8fe597d47bb7ab9f47c0d1c917ca5e8bdb6c53c254756e405c956d39f8cc7c6c09188e3635f455609f3105537ab8ff01b7a024afe20a3aa8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
a6fbd1210a87b5580e4f67072763fae9

SHA1
3165a9a1138c36fe3cf4234fddd7228f98dc5753

SHA256
cd8693fb0c436b59d2ca6af8c5c00e3927559024584efa015115194adfc93e31

SHA512
ea84e2b78eafdd4d611e2e7c59f318d46a462497e84c6b17403c75a0dc8dabd36a5df46a3f58964a5b2c52139d7024fd13b491f9be71cd6b28e5368a879d92e3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
0881dbc33863ad33272c973c0d211d4a

SHA1
cbc2cb8f2c4c5092ee37c0eb4569333f408ce7f5

SHA256
19473d1bd30b67339ec7ee5b24c80f5812961c207711b59dd46e6e63b6db6efa

SHA512
95aa353e93a028616d0d0a236d66e0cdaaf89ec88f39b684f8422de867530675b48beb6ef01ae0ffc314052446d7109618b9ddf3cf7bbbae4f1f22af226b087d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
fa89feb4b12d32527ad3912d5868e46e

SHA1
90a087e129745f401befdcf63617a633a3eb8b7f

SHA256
5440e7daf1d8a43a1d5068d6db13f4edeee245cb496bf62b5e35d7fc4abe9422

SHA512
3b0837322988ae2f0fd6bc427e7ea3aaf3a17ff5a12425ff93e362afd9976695d38ccc2a07b1f94e497d46e8fb52ec8963316990787498d9bcd9b1d0434048e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\autACCA.tmp

Filesize
125KB

MD5
4e43a95d88010accdf635bf6ade9ad05

SHA1
1c7136b3402af411b66288e1f460b9c7447850c3

SHA256
b6b7ede5e5de9c5bf60f8775fcfb1f5bc0faf4aa99c2404fd2090dcfa75f6408

SHA512
090d97c64ebb887353a7386532cec5ca7a84f84c831fc4213d42ce29aed607e535409f2d446dd552cad1d121ac960bb099603c05acb3f1bd168ab1983a5a9c38

Download Submit
C:\Windows\INF\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\KHATARNAKH.exe

Filesize
116KB

MD5
ef4678b379f696bf5b5ed6684d7f2c73

SHA1
dae1f497e512fd99022db1a93fb574f2b3dcaf98

SHA256
c01da92b1f2f060cde6e0c4a0f6fc1825870d78694548b8ebfb6906bd6aaf298

SHA512
b155b0754bc82955781fa79b091f75f8f2dc8b1c4210ccfa0c32cbe82fcf291033591edf7578e94dbdb9febd5abf61dd5f8315728ffe671324b66036c6da606f

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
523KB

MD5
affc77162b420ca6d2baafe99a4497eb

SHA1
a990e653f2480a11bd310f9c0f2660efd478af27

SHA256
559808d7d2bbe500bd0ab73f4481b4aaf878609ccdc3714b33958cddfdc795cf

SHA512
562fa2d7ccbd7d4bd06bd93bff68dc1b709b310903fafefb054b3224db255c1ef920a2e6ab0f9472c545a7ce3479ff7e23548977c344228299d538fa6fc3a588

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
566KB

MD5
87a636c5f728170139fab3c2f91cd38a

SHA1
e8255d77f18ac941d669cadf6e038596db1a52c1

SHA256
786a85dfcaf550f00ffca019d1e3910f0c973064c0bf0b189302d2a6ea1957b8

SHA512
de0573dbb2d188d895dc6bdceceef2cce6c9bb3543da6e4432511c196f2ab31ee3cf408e0990cd86eb951679c7c17801deed4c3f3ad9abe946b128878d5bb95d

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
357KB

MD5
6e1c6ecc6f57300db31a06efba9e2070

SHA1
a8158415f0996ab612423b6807ff8f3f3929da8a

SHA256
23ec95f35ca22fc02192df904378e47fbc1eff00a8185bb5c4bb818193af3735

SHA512
2cf56df0ac124c90be1142646ab8e8f89ec2549d9925e3179119ef57a08e9162e7fc2267fedd70d07181ef13757b93241810f44ff766867c581215ecab3a4488

Download Submit
C:\Windows\System\gHost.exe

Filesize
424KB

MD5
2f6d0f4e1796bfade17204a70fc43df2

SHA1
98057bc4c713b49121d790a5563172e293f3b719

SHA256
018458eb02ca0e3ed5be437dc0c42de8b3e84e6a4d87182bf2851c49fd7583e7

SHA512
62b047b2e87f84a885bed4425a13cd10c17e0519f4560c1f580eaccbda0f4f7151ca0f7810c59d02b4d3f90ade71709c5691b8c2a48a42e5b8ea4d7c5d5ebf31

Download Submit
memory/548-686-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/748-482-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/748-506-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/948-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/948-71-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1304-454-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1848-271-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1848-243-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2028-148-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2028-151-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2064-147-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2064-180-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2224-662-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2224-636-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2428-556-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2524-240-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2568-736-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2628-532-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2644-611-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2644-635-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2688-116-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2688-212-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2688-182-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2692-481-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2692-455-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2692-306-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2692-331-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2864-430-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2868-790-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2912-559-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2912-583-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3448-789-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-418-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-520-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-650-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-700-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-469-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-292-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-598-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-104-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-150-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-751-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-259-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-777-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-200-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3584-558-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3688-763-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3688-738-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3980-712-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4036-273-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4036-304-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4172-584-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4172-610-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4484-791-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4484-792-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4556-25-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4556-86-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-149-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-776-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-699-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-649-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-468-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-417-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-737-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-597-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-199-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-557-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-103-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-242-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-42-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-519-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4696-291-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4932-144-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download